Unfamiliar (to me only) ports behavior

2007-05-09 Thread John Nietzsche

Dear gentleman/madam,

I have just installed OpenBSD 4.1. I am very happy with it, but
something I was not expecting is happening:

As an ordinary user (belonging to the group wheel) I switched to the
ports collection directory (/usr/ports/x11/openmotif) and issued a
"make fetch".

I was surprised when the tarball started to be downloaded into
/usr/ports/distfiles although its sticky bit is not on.

May someone here explain to me how this is possible?

Thanks in advance.
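An added illustration (editor's example, not code from this thread) of the POSIX rules that decide the above: whether a user may create a file in a directory depends only on the write and search bits of the one class that applies to them (owner, group or other), while the sticky bit never grants anything and only restricts who may delete or rename entries in a directory they can already write to. The mode assumed below for /usr/ports/distfiles (root:wheel, drwxrwxr-x) is an assumption made for the illustration, not something the post states; the real one is shown by `ls -ld /usr/ports/distfiles`.

```python
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class DirInfo:
    """The fields of os.stat() that decide directory access. Constructed here;
    no real filesystem is consulted."""
    mode: int   # permission bits, including S_ISVTX when the sticky bit is set
    uid: int
    gid: int


def can_create_in(d: DirInfo, uid: int, gids: set) -> bool:
    """POSIX check for creating a file in directory d: the caller needs write
    and search (execute) permission on the directory. Exactly one class of bits
    applies: owner if the caller owns the directory, otherwise group if the
    caller belongs to the directory's group, otherwise 'other'."""
    if uid == 0:
        return True
    if uid == d.uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif d.gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return d.mode & need == need


def can_unlink_from(d: DirInfo, entry_uid: int, uid: int, gids: set) -> bool:
    """Removing or renaming an entry also needs write+search on the directory.
    The sticky bit adds one rule and nothing else: when it is set, the caller
    must own the entry or the directory itself (root excepted)."""
    if uid == 0:
        return True
    if not can_create_in(d, uid, gids):
        return False
    if d.mode & stat.S_ISVTX:
        return uid in (entry_uid, d.uid)
    return True


def mode_string(d: DirInfo) -> str:
    """Render the mode the way 'ls -ld' does, e.g. 'drwxrwxr-x' or 'drwxrwxrwt'."""
    return stat.filemode(stat.S_IFDIR | d.mode)


# Constructed scenarios. /usr/ports/distfiles as root:wheel, mode 775 is an
# assumption for illustration; gid 0 is wheel on OpenBSD. /tmp is the usual
# root-owned, world-writable, sticky directory.
DISTFILES = DirInfo(mode=0o775, uid=0, gid=0)
TMP = DirInfo(mode=0o1777, uid=0, gid=0)

WHEEL_USER = (1000, {0, 1000})   # uid, set of primary + supplementary gids
PLAIN_USER = (1001, {1001})      # not a member of wheel


def scenarios() -> dict:
    """Run the checks and return them by name so they can be asserted on."""
    w_uid, w_gids = WHEEL_USER
    p_uid, p_gids = PLAIN_USER
    return {
        "distfiles_mode": mode_string(DISTFILES),
        "wheel_can_fetch": can_create_in(DISTFILES, w_uid, w_gids),
        "plain_can_fetch": can_create_in(DISTFILES, p_uid, p_gids),
        "tmp_mode": mode_string(TMP),
        "plain_can_write_tmp": can_create_in(TMP, p_uid, p_gids),
        "plain_can_delete_others_tmp_file": can_unlink_from(TMP, w_uid, p_uid, p_gids),
        "plain_can_delete_own_tmp_file": can_unlink_from(TMP, p_uid, p_uid, p_gids),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

Under the assumed mode, a wheel member passes the group check (write+search set for group), which is enough for make fetch to write the tarball; the sticky bit plays no part in that decision, and would only matter if one user tried to remove another user's distfile.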



Re: Bottleneck in httpd. I need help to address capacity issues on max parallel and rate connections

2007-05-09 Thread Daniel Ouellet

Ted Unangst wrote:

On 5/9/07, Daniel Ouellet <[EMAIL PROTECTED]> wrote:

I try to stay safe in my choices and comments are welcome, but I have to
point out as well that ALL the values below need to be changed to that
new value to get working well. If even only one of them is not at the
level below, the results in the tests start to be affected pretty badly at
times.
net.bpf.bufsize=524288
net.inet.ip.redirect=0


never mind the rest, but these two really make no sense.  none.


Make no sense in the test and improving results, or make no sense in 
setting them as such here?


net.inet.ip.redirect=0

Is to disable ICMP routing redirects. Otherwise, your system could have 
its routing table misadjusted by an attacker. Wouldn't it be wise to do so? 
Maybe if PF is turned on, then there is no reason for this, but with PF 
ON, I get drops and need to address that. Didn't pursue it yet as dead 
however.


As for the net.bpf.bufsize, I am looking again in my notes and tests; 
it's used for the Berkeley Packet Filter (BPF), to maintain an internal 
kernel buffer for storing packets received off the wire.


Yes, in that case it makes sense not to have that here. I redid the tests 
with the default value and yes, you are right! This one is wrong here. 
Maybe lack of sleep. (;> Thanks for correcting me!


I also have to revise my statement on the net.inet.ip.portfirst=32768 
effect. In a series of new tests, it doesn't have the impact noted in the 
first test runs. So, I would keep it at the default value as well now. 
Maybe it was when PF was enabled that I had more of an impact then. But my 
notes are not clear on that specific one.


Anything else you see that may be questionable in what I sent? I am 
doing more tests with different hardware to be sure they are all sane values 
in the end.


Otherwise, many thanks for having taken the time to look it over and 
give me your feedback on it!


I sure appreciate it big time!

Best

Daniel



Re: Bottleneck in httpd. I need help to address capacity issues on max parallel and rate connections

2007-05-09 Thread Ted Unangst

On 5/9/07, Daniel Ouellet <[EMAIL PROTECTED]> wrote:

I try to stay safe in my choices and comments are welcome, but I have to
point out as well that ALL the values below need to be changed to that
new value to get working well. If even only one of them is not at the
level below, the results in the tests start to be affected pretty badly at
times.
net.bpf.bufsize=524288
net.inet.ip.redirect=0


never mind the rest, but these two really make no sense.  none.



Re: Bottleneck in httpd. I need help to address capacity issues on max parallel and rate connections

2007-05-09 Thread Daniel Ouellet

Marcos Laufer wrote:

Daniel,

Try the same test with these changes

Timeout 60
KeepAlive Off

If my guess is right, you'll notice big improvement.
Tell me how it goes


Neither applies to the issue that was at hand. Timeout 60, or 300 like in 
this case, has nothing to do with the connection rate or limit, but in 
some cases where processing from PHP scripts takes a long time, going 
lower than Timeout 60 will stop the script from finishing. Plus, Timeout 60 
is the time it will wait for an answer on the client side. The issue 
here is not a lack of reply, or a delay in it. See:


http://httpd.apache.org/docs/1.3/mod/core.html#timeout

For more details.

As for KeepAlive Off, that would simply increase the number of required 
connections to the server, which would have the opposite effect of helping.


http://httpd.apache.org/docs/1.3/mod/core.html#keepalive

I appreciate you looking at it, but that really has nothing to do with 
the problem as it was described and demonstrated as well.


Thanks

Daniel



Re: Bottleneck in httpd. I need help to address capacity issues on max parallel and rate connections

2007-05-09 Thread Marcos Laufer
Daniel,

Try the same test with these changes

Timeout 60
KeepAlive Off

If my guess is right, you'll notice big improvement.
Tell me how it goes

Marcos Laufer

- Original Message - 
From: "Daniel Ouellet" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, May 09, 2007 7:41 PM
Subject: Re: Bottleneck in httpd. I need help to address capacity issues on
max parallel and rate connections


Hi,

I am passing my findings around for the configuration of sysctl.conf to
remove a bottleneck I found in httpd, as I couldn't get more than 300 httpd
processes without crapping out badly, and above that the server simply got
out of whack.

All is a default install and the tests are done with a server that is an
old one. dmesg at the end in case you are interested. This is on OpenBSD
4.0 and I picked that server just to see what's possible as it's not
really a very powerful one.

You can also see the iostat output and the vmstat as well with the
changes in place.

You sure can see a few page faults as I am really pushing the server
much, but even then I get decent results and the bottleneck was removed,
even with 2000 parallel connections. In that case I had to use two
different clients as http_load only supports up to 1021 parallel
connections, so to test past that, I used more than one client to push
the server more.

But in all, the results are much better than a few days ago and now it
looks like we get more for the buck, and adding more powerful hardware
will be used better now instead of suffering the same limitations.

I also put the values changed in sysctl.conf to come to this final setup.

I am not saying the values are the best possible choice, but they work
well in the test situations, and there are many as you will see. Some are
very surprising to me, like the change in net.inet.ip.portfirst. Yes I
know, but if I leave it at the default, then I can't get full success in the
tests below and get timeouts, some errors, and efficiency is not as good.
Maybe that's because of the random port range calculations, I can't
say, but in any case, the effect is there and tested.

I try to stay safe in my choices and comments are welcome, but I have to
point out as well that ALL the values below need to be changed to that
new value to get working well. If even only one of them is not at the
level below, the results in the tests start to be affected pretty badly at
times.

So, not only one value needs to be changed to address the issues, but
ALL of them below.

I am still working on finding maybe more restrictive values to keep the
system as stable and safe and close to the default as possible, but
below is a very good setup in my tests and all the results are below as well.

As for the values in httpd.conf, they are still in progress to make them
more normal, but for this test they are:

Timeout 300
KeepAlive On
MaxKeepAliveRequests 0 (shouldn't stay like this as limits need to be
in place)
KeepAliveTimeout 5
MinSpareServers 40
MaxSpareServers 80
StartServers 40
MaxClients 2048
MaxRequestsPerChild 0

Also, the httpd uses .so modules like php and is not compiled statically.

For the values above, I think a more reasonable set (still in progress as
well) would be, for a very busy server:

Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
MinSpareServers 50
MaxSpareServers 100
StartServers 75
MaxClients 768
MaxRequestsPerChild 0

However, I am not settled on them fully yet. I sent an earlier email with
an explanation of why some values should be picked.

http://marc.info/?l=openbsd-misc&m=117874246431437&w=2

Any comments on any parts or caution I have overlooked?

Thanks, and hope this helps some others that may suffer from the same
problem I did.

Daniel

===
sysctl.conf changes.

kern.seminfo.semmni=1024
kern.seminfo.semmns=4096
kern.shminfo.shmall=16384
kern.maxclusters=12000
kern.maxproc=2048   # Increase for the process limits.
kern.maxfiles=5000
kern.shminfo.shmmax=67108864
kern.somaxconn=2048
net.bpf.bufsize=524288
net.inet.ip.maxqueue=1278
net.inet.ip.portfirst=32768
net.inet.ip.redirect=0
net.inet.tcp.keepinittime=10
net.inet.tcp.keepidle=30
net.inet.tcp.keepintvl=30
net.inet.tcp.mssdflt=1452
net.inet.tcp.recvspace=65535
net.inet.tcp.rstppslimit=400
net.inet.tcp.sendspace=65535
net.inet.tcp.synbucketlimit=420
net.inet.tcp.syncachelimit=20510



===
Test with multiple parallel connections, from 10 to 1000. As expected,
the results get better as we go and I was able to go up to 2000, but I
limited the server at 2048 in the recompiled version. At 2000, I get close
to 2x the delay, meaning it starts to go back up before that, but still
gets fully completed without errors in less than the timeout of 30
seconds, which I couldn't do before at 300 parallel connections anyway.


# http_load -parallel 10 -fetches 1500 -timeout 30 /tmp/test
1500 fetches, 10 max parallel, 1.9647e+07 bytes, in 19.8742 seconds
13098 mean bytes/connection
75.4747 fetches/sec, 988568 bytes/sec
msecs/connect: 84.6428
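The post above insists that every sysctl in its list must be at the stated value or the results degrade, and the follow-up messages revise some of them; that makes a drift check between the intended sysctl.conf and what the running kernel actually reports worthwhile. The script below is an added example (editor's code, not from this thread or from OpenBSD) that parses both forms offline: DESIRED_CONF is a subset of the post's own sysctl.conf list, inline comment included, and CURRENT_OUTPUT is a constructed stand-in for `sysctl -a` output whose values are invented for the example and are not OpenBSD defaults.

```python
import re

# Constructed desired state: a subset of the sysctl.conf changes from the post,
# with the inline comment kept so the parser is exercised on it.
DESIRED_CONF = """\
kern.maxproc=2048   # Increase for the process limits.
kern.maxfiles=5000
kern.somaxconn=2048
net.inet.ip.redirect=0
net.inet.tcp.keepidle=30
"""

# Constructed stand-in for 'sysctl -a' on the host being checked. The values
# are invented for this example; they are not the OpenBSD defaults.
CURRENT_OUTPUT = """\
kern.version=OpenBSD 4.0 (GENERIC) #1: Sat Sep 16 19:15:58 MDT 2006
    builder@example.invalid:/usr/src/sys/arch/i386/compile/GENERIC
kern.maxproc=532
kern.maxfiles=5000
kern.somaxconn=128
net.inet.ip.redirect=1
net.inet.ip.forwarding=0
"""

MIB_LINE = re.compile(r"^([A-Za-z0-9_.-]+)=(.*)$")


def parse_sysctl(text: str, strict: bool = True) -> dict:
    """Parse name=value lines into a dict.

    strict=True is for sysctl.conf: blank lines and '#' comments (including
    trailing ones such as 'kern.maxproc=2048   # ...') are stripped and any
    other malformed line is an error. strict=False is for 'sysctl -a' output:
    values are kept verbatim (kern.version legitimately contains '#') and
    continuation lines that do not start a new name=value pair are skipped."""
    values = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip() if strict else raw.strip()
        if not line:
            continue
        m = MIB_LINE.match(line)
        if m is None:
            if strict:
                raise ValueError(f"not a name=value line: {raw!r}")
            continue
        values[m.group(1)] = m.group(2).strip()
    return values


def sysctl_drift(desired_conf: str, current_output: str) -> dict:
    """Map each desired setting that differs on the host to (wanted, actual);
    actual is None when the host did not report the MIB at all."""
    desired = parse_sysctl(desired_conf, strict=True)
    current = parse_sysctl(current_output, strict=False)
    drift = {}
    for name, want in desired.items():
        have = current.get(name)
        if have != want:
            drift[name] = (want, have)
    return drift


def report(drift: dict) -> list:
    """One line per drifting setting, sorted by MIB name."""
    lines = []
    for name in sorted(drift):
        want, have = drift[name]
        shown = "<unset>" if have is None else have
        lines.append(f"{name}: want {want}, have {shown}")
    return lines


if __name__ == "__main__":
    for line in report(sysctl_drift(DESIRED_CONF, CURRENT_OUTPUT)):
        print(line)
```

On a real host the two inputs would be the contents of /etc/sysctl.conf and the output of `sysctl -a`; the net.inet.ip.redirect entry is the one worth watching from a security standpoint, since the post's reason for setting it to 0 is to stop ICMP redirects from rewriting the routing table.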

Re: revenge of stupid vlan questions

2007-05-09 Thread Clint Pachl

Jon wrote:

This was very informative.  Thank you very much.  After re-evaluating
the vlan/tagging settings on the 3com switch ports we noticed that
they were all set to "hybrid" mode (so some could be on multiple
vlans) but the connection to the router was set to "trunking" mode
instead of hybrid.  Changing it to hybrid fixed everything.


Ok, that's weird, that has nothing to do with VLAN. I'm still not 
convinced that everything is set up correctly, even though it is working. 
Are you using VLANs for the purpose of creating separate Ethernet 
domains? Do the end-nodes (hosts connected to a VLAN-aware switch port) 
belong to multiple VLANs?




Stuart Henderson wrote:

On 2007/05/09 14:08, Jon wrote:

The switch is vlan aware and the hosts connected to it are plugged
into ports which are assigned to vlans configured on the switch with
the same numbers that I am putting in the /etc/hostname.vlan* vlan
option fields.


Usually you can configure a switch port to have one untagged vlan,
and zero or more tagged vlans.

Tagged vlans simply have the ethernet frame marked with the number
of the vlan, and need support from the connected device. You would use
this on the connection to the router.

Frames sent to untagged vlans have any tags, if present, stripped off
by the switch and passed on. You can connect normal equipment to an
untagged port, it doesn't need to know anything about VLANs. The cheap
fanless managed switch I have at home gives a dropdown list to choose
'PVID', which is the untagged vlan. Procurve and Extreme switches
just use tagged/untagged. $DEITY knows what Cisco use, they like to
make up their own names.


If you are just using VLANs for Ethernet domain segmentation only, the 
end-nodes do not need to speak 802.1Q. You could disable VLAN on your 
hosts if your 3COM switch accepts _only_ untagged frames (as opposed to 
accepting tagged only and both) from hosts in a VLAN. Then, before the 
switch forwards frames to these hosts, it will strip the 802.1Q protocol 
bytes. Also, when the switch receives a VLAN tagged frame from a host on 
an "untagged frames only" configured switch port, it will discard it. 
This can be a security feature because it will make it more difficult 
for a cracker to VLAN hop by injecting spoofed VLAN IDs into frames. 
Such a frame could be forwarded by your switch to a normally unreachable 
segment, thus bypassing your routing firewall.




You can have both types running on a port together.


  Using tcpdump on the vlan parent device DOES show
all kinds of arp requests and such noise marked as 802.1Q coming
from the hosts on the various vlans (mostly unanswered arp requests
for the vlan device which is their gateway) and using tcpdump on the
various vlan devices on the router shows only unanswered arp requests
for the various other hosts.


Run two copies of tcpdump, one on em1, one on a vlan. All the frames
marked for that vlan should be shown twice, one on parent, one on the
vlan. Is that working ok?


* I've uncommented net.inet.ip.forwarding=1 in /etc/sysctl.conf


You either also set this manually, or rebooted to activate it, I take
it? Please check the output of 'sysctl net.inet.ip.forwarding' if you are not
absolutely certain.


* packetfilter is off


ok ('Status: disabled' in pfctl -si?)

* hostname.em0: inet 172.18.1.2 255.255.255.0 NONE (external side 
of the router, local to my desktop lan - pings go through this to 
the vlan devices and return just fine)
* hostname.em1: up mtu 1518 (the mtu 1518 part is just because a man 
page seemed to be suggesting I should set it to this)


Which man page seemed to be suggesting that? Maybe the wording needs
some adjustment. You should reset to 1500 and remove the setting from
hostname.em1. MTU is the maximum size of IP packets. Apart from on
extremely crappy nics, vlans do not affect that unless you stack them
on top of each other (e.g. vlandev vlanXXX).


See the diagnostics section of vlan(4).



The 802.1Q protocol will increase the frame by 4 bytes, but if your 
destination cannot interpret the VLAN protocol ID, the packet will 
be dropped.


Not necessarily; there is definitely some kit out there which just
strips the vlan tags and passes them through, I have a pseudowire WAN
circuit which does just that. (neos networks, for those in .uk-land
who are interested in such things: don't know whether it's them or
the modems on the telewest tail that's doing it...)


Well, then that device would be VLAN-aware. VLAN-aware devices can 
transparently forward 802.1Q enhanced frames or strip the protocol 
bytes, recalculate the FCS and forward.


Tag-aware devices manipulate and/or create 802.1Q enhanced frames.




So in this case that isn't just the switch and the firewall?  I'm
confused.  :(   I thought the wrapping and unwrapping of the network
packets in the vlan protocol packets was handled solely by the switch
and firewall.


picking nits: ethernet has frames, IP has packets.


Not if you involve a tag-aware end-node.
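The tagged/untagged port model Stuart describes, the 4-byte 802.1Q tag (1514 to 1518 bytes), and Clint's point that an "untagged frames only" port discards tagged frames so a host cannot pick its own VLAN, can all be shown in a few dozen lines. The following is an added example (editor's code, not from this thread, from OpenBSD or from any switch vendor): it builds constructed Ethernet frames, inserts and strips an 802.1Q tag, and models the ingress decision for an access, trunk and hybrid port. The Port class and its pvid/tagged fields, the MAC addresses and the ARP payload are all constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_VLAN = 0x8100    # 802.1Q TPID
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
TAG_LEN = 4                # bytes added by one 802.1Q tag
MAX_UNTAGGED_FRAME = 1514  # 14-byte header + 1500-byte payload, FCS excluded


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame (no FCS)."""
    return dst + src + struct.pack("!H", ethertype) + payload


def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag after the source MAC: TPID 0x8100 followed by the
    TCI (3-bit priority, 1-bit DEI, 12-bit VLAN ID). Grows the frame by 4."""
    if not 0 <= vid <= 0xFFF or not 0 <= pcp <= 7:
        raise ValueError("vid must be 0..4095 and pcp 0..7")
    tci = (pcp << 13) | vid
    return frame[:12] + struct.pack("!HH", ETHERTYPE_VLAN, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the outermost 802.1Q tag, as a switch does on untagged egress."""
    if len(frame) >= 18 and frame[12:14] == struct.pack("!H", ETHERTYPE_VLAN):
        return frame[:12] + frame[16:]
    return frame


def parse_frame(frame: bytes) -> dict:
    """Split a frame into addresses, optional 802.1Q tag fields and payload."""
    if len(frame) < 14:
        raise ValueError("runt frame: shorter than an Ethernet header")
    info = {"dst": frame[0:6], "src": frame[6:12], "tagged": False,
            "vid": None, "pcp": None}
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update(tagged=True, vid=tci & 0x0FFF, pcp=tci >> 13)
        payload = frame[18:]
    else:
        payload = frame[14:]
    info.update(ethertype=ethertype, payload=payload)
    return info


@dataclass(frozen=True)
class Port:
    """Switch-port membership in the tagged/untagged vocabulary of the thread:
    pvid is the one untagged VLAN (None if no untagged frames are accepted),
    tagged is the set of VLAN IDs accepted with an 802.1Q tag. An 'untagged
    frames only' port is Port(pvid=N) with an empty tagged set."""
    pvid: Optional[int]
    tagged: frozenset = frozenset()


def ingress_vid(frame: bytes, port: Port) -> Optional[int]:
    """VLAN a frame arriving on port is admitted to, or None if discarded.
    An untagged-only port drops every tagged frame, so a host cannot choose
    its VLAN by writing a VID into the tag; a trunk accepts only the VIDs it
    is configured for."""
    info = parse_frame(frame)
    vid = info["vid"]
    if not info["tagged"] or vid == 0:   # VID 0 is a priority tag, names no VLAN
        return port.pvid
    if vid == 0xFFF:                     # 4095 is reserved
        return None
    return vid if vid in port.tagged else None


# Constructed sample frames: a broadcast ARP request from a host, then the
# same frame tagged for VLAN 20 and for VLAN 30.
HOST_MAC = bytes.fromhex("020000000001")
BROADCAST = bytes.fromhex("ffffffffffff")
UNTAGGED = build_frame(BROADCAST, HOST_MAC, ETHERTYPE_ARP, bytes(28))
TAGGED_20 = tag_frame(UNTAGGED, vid=20, pcp=3)
TAGGED_30 = tag_frame(UNTAGGED, vid=30)

ACCESS_10 = Port(pvid=10)                                  # untagged only
TRUNK = Port(pvid=None, tagged=frozenset({10, 20, 30}))    # tagged only
HYBRID = Port(pvid=10, tagged=frozenset({20}))             # one untagged + tagged


def frame_sizes() -> tuple:
    """Largest untagged frame and the same frame tagged: 1514 and 1518."""
    full = build_frame(BROADCAST, HOST_MAC, ETHERTYPE_IPV4, bytes(1500))
    return len(full), len(tag_frame(full, vid=20))


if __name__ == "__main__":
    for name, port in (("access", ACCESS_10), ("trunk", TRUNK), ("hybrid", HYBRID)):
        print(name, ingress_vid(UNTAGGED, port), ingress_vid(TAGGED_20, port),
              ingress_vid(TAGGED_30, port))
    print(frame_sizes())
```

The 1518-byte figure is why the vlan(4) text Jon quotes talks about NICs truncating frames, and why it is a driver/hardware limit rather than an MTU: the IP payload stays at 1500 bytes either way.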

Keyboard interrupt problem ('lag')

2007-05-09 Thread Jonathan Towne
Hello all;

I asked a while back about a 'lag' in keyboard response on my laptop
(Gateway MT3705) that runs -current.  Someone responded off-list and 
noted that it was an interrupt issue.

I was wondering if there is any known workaround / fix for it; the
machine can be very hard to use for day to day operation with this
happening.

Looking through the dmesg, it doesn't look like an irq sharing problem
necessarily?

I'm currently working on building a new -current and a new xenocara
to test with since this one is a little dated.


dmesg is as follows:


OpenBSD 4.1-current (EXTRO.acpi-mp) #1: Tue Apr 17 09:34:02 EDT 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/EXTRO.acpi-mp
cpu0: Genuine Intel(R) CPU T2060 @ 1.60GHz ("GenuineIntel" 686-class) 1.60 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,EST,TM2,xTPR
real mem  = 1004621824 (981076K)
avail mem = 910696448 (889352K)
using 4278 buffers containing 50356224 bytes (49176K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+ BIOS, date 12/07/06, BIOS32 rev. 0 @ 0xfd5fd, SMBIOS 
rev. 2.4 @ 0xdc010 (41 entries)
bios0: Gateway MT3705
pcibios0 at bios0: rev 2.1 @ 0xfd580/0xa80
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfde90/336 (19 entries)
pcibios0: no compatible PCI ICU found: ICU vendor 0x1002 product 0x4372
pcibios0: Warning, unable to fix up PCI interrupt routing
pcibios0: PCI bus #8 is the last bus
bios0: ROM list: 0xc/0xd000 0xdc000/0x4000!
acpi0 at mainbus0: rev 0
acpi0: tables DSDT FACP SLIC APIC MCFG SSDT 
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpi device at acpi0 from table DSDT not configured
acpi device at acpi0 from table FACP not configured
acpi device at acpi0 from table SLIC not configured
acpimadt0 at acpi0 table APIC addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 133 MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Genuine Intel(R) CPU T2060 @ 1.60GHz ("GenuineIntel" 686-class) 1.60 GHz
cpu1: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,EST,TM2,xTPR
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 21, 24 pins
acpi device at acpi0 from table MCFG not configured
acpi device at acpi0 from table SSDT not configured
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 0 (PB2_)
acpiprt2 at acpi0: bus 0 (PB3_)
acpiprt3 at acpi0: bus 2 (PB4_)
acpiprt4 at acpi0: bus 5 (PB5_)
acpiprt5 at acpi0: bus 0 (PB6_)
acpiprt6 at acpi0: bus 0 (PB7_)
acpiprt7 at acpi0: bus 8 (P2P_)
acpiprt8 at acpi0: bus 1 (AGP_)
acpiec0 at acpi0: EC__
acpicpu0 at acpi0: CPU0: acpicpu0: C3 not supported
acpicpu1 at acpi0: CPU1: acpicpu1: C3 not supported
acpitz0 at acpi0, critical temperature: 100 degC
acpiac0 at acpi0: AC unit offline
acpibat0 at acpi0: BAT0: model: 6MSB serial:  type: Li   oem: SMP-P
acpibtn0 at acpi0: PWRB
acpibtn1 at acpi0: LID0
acpibtn2 at acpi0: SLPB
vesabios0 at mainbus0: version 2.0, ATI Technologies Inc. MS4
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 vendor "ATI", unknown product 0x5a31 rev 0x01
ppb0 at pci0 dev 1 function 0 "ATI RS480 PCIE" rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 5 function 0 "ATI Radeon XPRESS 200M" rev 0x00, vesafb
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb1 at pci0 dev 4 function 0 "ATI RS480 PCIE" rev 0x00
pci2 at ppb1 bus 2
mskc0 at pci2 dev 0 function 0 "Marvell Yukon 88E8038" rev 0x14, Yukon-2 FE 
(0x1): apic 2 int 16 (irq 10)
msk0 at mskc0 port A, address 00:03:25:3f:d0:32
eephy0 at msk0 phy 0: Marvell 88E3082 10/100 PHY, rev. 3
ukphy0 at msk0 phy 3: Generic IEEE 802.3u media interface, rev. 0: OUI 
0x121012, model 0x0004
ukphy0: no media present
ukphy1 at msk0 phy 6: Generic IEEE 802.3u media interface, rev. 0: OUI 
0x004c00, model 0x0013
ukphy1: no media present
ppb2 at pci0 dev 5 function 0 "ATI RS480 PCIE" rev 0x00
pci3 at ppb2 bus 5
ohci0 at pci0 dev 19 function 0 "ATI IXP400 USB" rev 0x80: apic 2 int 19 (irq 
11), version 1.0, legacy support
ohci1 at pci0 dev 19 function 1 "ATI IXP400 USB" rev 0x80: apic 2 int 19 (irq 
11), version 1.0, legacy support
ehci0 at pci0 dev 19 function 2 "ATI IXP400 USB2" rev 0x80: apic 2 int 19 (irq 
11)
usb0 at ehci0: USB revision 2.0
uhub0 at usb0
uhub0: ATI EHCI root hub, rev 2.00/1.00, addr 1
uhub0: 8 ports with 8 removable, self powered
"ATI IXP400 SMBus" rev 0x83 at pci0 dev 20 function 0 not configured
pciide0 at pci0 dev 20 function 1 "ATI IXP400 IDE" rev 0x80: DMA, channel 0 
configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA48, 95396MB, 195371568 sectors
atapiscsi0 at pciide0 channel 0 drive 1
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0:  SCSI0 5/cdrom 
removable
wd0(pciide0:0:0): using PIO mode 4, DMA mode 2, Ultra-DM

Re: www.openbsd.org (and vs openbsd.org)

2007-05-09 Thread Chris Smith
On 5/9/07, Theo de Raadt <[EMAIL PROTECTED]> wrote:
>
> > 1. www.openbsd.org replies with "Forbidden" at the moment -- but I guess
> > most people already know.
>
> www.openbsd.org is a mirror on a good network connection.
>
> at the moment it is recovering from having eaten itself.
>
>
Like the snake on the new Rush CD, "Snakes and Arrows"? ;)



Re: revenge of stupid vlan questions

2007-05-09 Thread Jon

Incidentally, it was the vlan(4) man page that gave me the idea to
set the mtu to 1518:

"Some Ethernet chips will either discard or truncate Ethernet frames
that are larger than 1514 bytes.  This causes a problem as 802.1Q
tagged frames can be up to 1518 bytes.  Most controller chips can be
told not to discard large frames and/or to increase the allowed frame
size.  Refer to the hardware manual for your chip to do this."

For some reason I thought that meant it would be a good idea to up
the mtu to 1518.



On 2007/05/09 14:08, Jon wrote:

The switch is vlan aware and the hosts connected to it are plugged
into ports which are assigned to vlans configured on the switch with
the same numbers that I am putting in the /etc/hostname.vlan* vlan
option fields.


Usually you can configure a switch port to have one untagged vlan,
and zero or more tagged vlans.

Tagged vlans simply have the ethernet frame marked with the number
of the vlan, and need support from the connected device. You would use
this on the connection to the router.

Frames sent to untagged vlans have any tags, if present, stripped off
by the switch and passed on. You can connect normal equipment to an
untagged port, it doesn't need to know anything about VLANs. The cheap
fanless managed switch I have at home gives a dropdown list to choose
'PVID', which is the untagged vlan. Procurve and Extreme switches
just use tagged/untagged. $DEITY knows what Cisco use, they like to
make up their own names.

You can have both types running on a port together.


  Using tcpdump on the vlan parent device DOES show
all kinds of arp requests and such noise marked as 802.1Q coming
from the hosts on the various vlans (mostly unanswered arp requests
for the vlan device which is their gateway) and using tcpdump on the
various vlan devices on the router shows only unanswered arp requests
for the various other hosts.


Run two copies of tcpdump, one on em1, one on a vlan. All the frames
marked for that vlan should be shown twice, one on parent, one on the
vlan. Is that working ok?


* I've uncommented net.inet.ip.forwarding=1 in /etc/sysctl.conf


You either also set this manually, or rebooted to activate it, I take
it? Please check the output of 'sysctl net.inet.ip.forwarding' if you are not
absolutely certain.


* packetfilter is off


ok ('Status: disabled' in pfctl -si?)

* hostname.em0: inet 172.18.1.2 255.255.255.0 NONE (external side of the 
router, local to my desktop lan - pings go through this to the vlan 
devices and return just fine)
* hostname.em1: up mtu 1518 (the mtu 1518 part is just because a man page 
seemed to be suggesting I should set it to this)


Which man page seemed to be suggesting that? Maybe the wording needs
some adjustment. You should reset to 1500 and remove the setting from
hostname.em1. MTU is the maximum size of IP packets. Apart from on
extremely crappy nics, vlans do not affect that unless you stack them
on top of each other (e.g. vlandev vlanXXX).

The 802.1Q protocol will increase the frame by 4 bytes, but if your 
destination cannot interpret the VLAN protocol ID, the packet will be 
dropped.


Not necessarily; there is definitely some kit out there which just
strips the vlan tags and passes them through, I have a pseudowire WAN
circuit which does just that. (neos networks, for those in .uk-land
who are interested in such things: don't know whether it's them or
the modems on the telewest tail that's doing it...)


So in this case that isn't just the switch and the firewall?  I'm
confused.  :(   I thought the wrapping and unwrapping of the network
packets in the vlan protocol packets was handled solely by the switch
and firewall.


picking nits: ethernet has frames, IP has packets.


You're telling me this is not the case?


It *is* the case, at least on untagged ports. I think that must be
how you have things configured, or you wouldn't see tags coming in to
the firewall on the parent interface.

From your earlier post,

 "Traffic passes fine to the vlan devices from the external
 side of the router (I can ping them) however traffic does not
 seem to pass between the vlan devices and their parent device
 - I cannot ping stuff connected to the vlans on the switch."

This isn't quite clear. Can you try rewriting it more completely?
"I cannot ping stuff" - what stuff, where from? It may be simpler to
just copy-and-paste bits of a terminal session. Also include
arp -an, netstat -rnfinet, ifconfig -A from the firewall.
If you can describe exactly how the switch is configured, that may
help too.




Re: www.openbsd.org (and vs openbsd.org)

2007-05-09 Thread Theo de Raadt
> 1. www.openbsd.org replies with "Forbidden" at the moment -- but I guess
> most people already know.

www.openbsd.org is a mirror on a good network connection.

at the moment it is recovering from having eaten itself.



Re: www.openbsd.org (and vs openbsd.org)

2007-05-09 Thread Bryan

You can still get to the FAQ.  I have a search box setup in FF and I
was able to get to it...

So the whole site ain't down, probably a permissions issue???

On 5/9/07, Martin Toft <[EMAIL PROTECTED]> wrote:

Two small things:

1. www.openbsd.org replies with "Forbidden" at the moment -- but I guess
most people already know.

2. A long time ago I was told that I shouldn't use openbsd.org, as it
wasn't/isn't the official site. I was told to always use the www
subdomain. Maybe this was just some people pulling my chain, however, I
remember having discovered small differences between the two sites (more
than a year ago, though). The two names point to different
addresses (this may mean nothing or everything). Please enlighten me :)

Sorry for the noise.

Martin





www.openbsd.org (and vs openbsd.org)

2007-05-09 Thread Martin Toft
Two small things:

1. www.openbsd.org replies with "Forbidden" at the moment -- but I guess
most people already know.

2. A long time ago I was told that I shouldn't use openbsd.org, as it
wasn't/isn't the official site. I was told to always use the www
subdomain. Maybe this was just some people pulling my chain, however, I
remember having discovered small differences between the two sites (more
than a year ago, though). The two names point to different
addresses (this may mean nothing or everything). Please enlighten me :)

Sorry for the noise.

Martin




Re: revenge of stupid vlan questions

2007-05-09 Thread Jon

This was very informative.  Thank you very much.  After re-evaluating
the vlan/tagging settings on the 3com switch ports we noticed that
they were all set to "hybrid" mode (so some could be on multiple
vlans) but the connection to the router was set to "trunking" mode
instead of hybrid.  Changing it to hybrid fixed everything.

Stuart Henderson wrote:

On 2007/05/09 14:08, Jon wrote:

The switch is vlan aware and the hosts connected to it are plugged
into ports which are assigned to vlans configured on the switch with
the same numbers that I am putting in the /etc/hostname.vlan* vlan
option fields.


Usually you can configure a switch port to have one untagged vlan,
and zero or more tagged vlans.

Tagged vlans simply have the ethernet frame marked with the number
of the vlan, and need support from the connected device. You would use
this on the connection to the router.

Frames sent to untagged vlans have any tags, if present, stripped off
by the switch and passed on. You can connect normal equipment to an
untagged port, it doesn't need to know anything about VLANs. The cheap
fanless managed switch I have at home gives a dropdown list to choose
'PVID', which is the untagged vlan. Procurve and Extreme switches
just use tagged/untagged. $DEITY knows what Cisco use, they like to
make up their own names.

You can have both types running on a port together.


  Using tcpdump on the vlan parent device DOES show
all kinds of arp requests and such noise marked as 802.1Q coming
from the hosts on the various vlans (mostly unanswered arp requests
for the vlan device which is their gateway) and using tcpdump on the
various vlan devices on the router shows only unanswered arp requests
for the various other hosts.


Run two copies of tcpdump, one on em1, one on a vlan. All the frames
marked for that vlan should be shown twice, one on parent, one on the
vlan. Is that working ok?


* I've uncommented net.inet.ip.forwarding=1 in /etc/sysctl.conf


You either also set this manually, or rebooted to activate it, I take
it? Please check the output of 'sysctl net.inet.ip.forwarding' if you are not
absolutely certain.


* packetfilter is off


ok ('Status: disabled' in pfctl -si?)

* hostname.em0: inet 172.18.1.2 255.255.255.0 NONE (external side of the 
router, local to my desktop lan - pings go through this to the vlan 
devices and return just fine)
* hostname.em1: up mtu 1518 (the mtu 1518 part is just because a man page 
seemed to be suggesting I should set it to this)


Which man page seemed to be suggesting that? Maybe the wording needs
some adjustment. You should reset to 1500 and remove the setting from
hostname.em1. MTU is the maximum size of IP packets. Apart from on
extremely crappy nics, vlans do not affect that unless you stack them
on top of each other (e.g. vlandev vlanXXX).

The 802.1Q protocol will increase the frame by 4 bytes, but if your 
destination cannot interpret the VLAN protocol ID, the packet will be 
dropped.


Not necessarily; there is definitely some kit out there which just
strips the vlan tags and passes them through, I have a pseudowire WAN
circuit which does just that. (neos networks, for those in .uk-land
who are interested in such things: don't know whether it's them or
the modems on the telewest tail that's doing it...)


So in this case that isn't just the switch and the firewall?  I'm
confused.  :(   I thought the wrapping and unwrapping of the network
packets in the vlan protocol packets was handled solely by the switch
and firewall.


picking nits: ethernet has frames, IP has packets.


You're telling me this is not the case?


It *is* the case, at least on untagged ports. I think that must be
how you have things configured, or you wouldn't see tags coming in to
the firewall on the parent interface.

From your earlier post,

 "Traffic passes fine to the vlan devices from the external
 side of the router (I can ping them) however traffic does not
 seem to pass between the vlan devices and their parent device
 - I cannot ping stuff connected to the vlans on the switch."

This isn't quite clear. Can you try rewriting it more completely?
"I cannot ping stuff" - what stuff, where from? It may be simpler to
just copy-and-paste bits of a terminal session. Also include
arp -an, netstat -rnfinet, ifconfig -A from the firewall.
If you can describe exactly how the switch is configured, that may
help too.




Re: Bottleneck in httpd. I need help to address capacity issues on max parallel and rate connections

2007-05-09 Thread Daniel Ouellet

Hi,

I am passing my findings around for the configuration of sysctl.conf to 
remove a bottleneck I found in httpd, as I couldn't get more than 300 httpd 
processes without crapping out badly, and above that the server simply got 
out of whack.


All is a default install and the tests are done with a server that is an 
old one. dmesg at the end in case you are interested. This is on OpenBSD 
4.0 and I picked that server just to see what's possible as it's not 
really a very powerful one.


You can also see the iostat output and the vmstat as well with the 
changes in place.


You sure can see a few page faults as I am really pushing the server 
much, but even then I get decent results and the bottleneck was removed, 
even with 2000 parallel connections. In that case I had to use two 
different clients as http_load only supports up to 1021 parallel 
connections, so to test past that, I used more than one client to push 
the server more.


But in all, the results are much better than a few days ago and now it 
looks like we get more for the buck, and adding more powerful hardware 
will be used better now instead of suffering the same limitations.


I put also the value changed in sysctl.conf to come to this final setup.

I am not saying the values are the best possible choice, but they work 
well in the test situation and there are many as you will see. Some are 
very surprising to me, like the change in net.inet.ip.portfirst. Yes I 
know, but if I leave it as default, then I can't get full success in the 
test below and get timeouts, some errors, and efficiency is not as good. 
Maybe that's because of the random port range calculations, I can't 
say, but in any case, the effect is there and tested.


I try to stay safe in my choices and comments are welcome, but I have to 
point out as well that ALL the values below need to be changed to the 
new value to get it working well. If even only one of them is not at the 
level below, the results in the tests start to be affected pretty badly at 
times.


So, not only one value needs to be changed to address the issues, but 
ALL of them below.


I am still working on finding maybe more restrictive values to keep the 
system as stable and safe and close to the default as possible, but 
below is a very good setup in my tests and all the results are below as well.


As for the values in httpd.conf, they are still in progress to make them 
more normal, but for this test they are:


Timeout 300
KeepAlive On
MaxKeepAliveRequests 0 (shouldn't stay like this as limits needs to be 
in place)

KeepAliveTimeout 5
MinSpareServers 40
MaxSpareServers 80
StartServers 40
MaxClients 2048
MaxRequestsPerChild 0

Also, the httpd uses .so modules like php and is not compiled statically.

For the values above, I think a more reasonable set (still in progress as 
well) would be, for a very busy server:


Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
MinSpareServers 50
MaxSpareServers 100
StartServers 75
MaxClients 768
MaxRequestsPerChild 0

However, I am not settled on them fully yet. I sent an earlier email with 
an explanation of why some values should be picked.


http://marc.info/?l=openbsd-misc&m=117874246431437&w=2

Any comments on any parts or caution I have overlooked?

Thanks and hope this helps some others that may suffer from the same 
problem I did.


Daniel

===
sysctl.conf changes.

kern.seminfo.semmni=1024
kern.seminfo.semmns=4096
kern.shminfo.shmall=16384
kern.maxclusters=12000
kern.maxproc=2048   # Increase for the process limits.
kern.maxfiles=5000
kern.shminfo.shmmax=67108864
kern.somaxconn=2048
net.bpf.bufsize=524288
net.inet.ip.maxqueue=1278
net.inet.ip.portfirst=32768
net.inet.ip.redirect=0
net.inet.tcp.keepinittime=10
net.inet.tcp.keepidle=30
net.inet.tcp.keepintvl=30
net.inet.tcp.mssdflt=1452
net.inet.tcp.recvspace=65535
net.inet.tcp.rstppslimit=400
net.inet.tcp.sendspace=65535
net.inet.tcp.synbucketlimit=420
net.inet.tcp.syncachelimit=20510



===
Test with multiple parallel connections, from 10 to 1000. As expected, 
the results get better as we go and I was able to go up to 2000, but I 
limited the server at 2048 in the recompiled version. At 2000, I get close 
to 2x the delay, meaning it starts to go back up before that, but still 
gets fully completed without errors in less than the timeout of 30 
seconds, which I couldn't do before at 300 parallel connections anyway.



# http_load -parallel 10 -fetches 1500 -timeout 30 /tmp/test
1500 fetches, 10 max parallel, 1.9647e+07 bytes, in 19.8742 seconds
13098 mean bytes/connection
75.4747 fetches/sec, 988568 bytes/sec
msecs/connect: 84.6428 mean, 6003.03 max, 0.347 min
msecs/first-response: 17.6985 mean, 1698.64 max, 3.236 min
HTTP response codes:
  code 200 -- 1500
# http_load -parallel 20 -fetches 1500 -timeout 30 /tmp/test
1500 fetches, 20 max parallel, 1.9647e+07 bytes, in 20.824 seconds
13098 mean bytes/connection
72.0324 fetches/sec, 943480 bytes/sec
msecs/connect
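The post's point is that the whole list of sysctl values has to be in effect at once, which is easy to get wrong when a change is made by hand and not carried into /etc/sysctl.conf, or the other way round. The following is an added example, not the poster's script and not part of OpenBSD: it parses a sysctl.conf-style list (comments and blanks allowed) and compares it key by key against `sysctl -a`-style output, reporting each key that is absent or differs. SAMPLE_CONF is a subset of the list above; SAMPLE_LIVE is constructed text standing in for a host where only part of it was applied.

```python
"""Compare a sysctl.conf expectation list against live sysctl output.

Added example for the tuning post above; not the poster's code and not
part of OpenBSD. SAMPLE_CONF is a subset of the post's list; SAMPLE_LIVE
is constructed to look like `sysctl -a` output on a partially tuned host.
"""
from typing import Dict, Optional, Tuple

SAMPLE_CONF = """\
kern.maxproc=2048   # Increase for the process limits.
kern.somaxconn=2048
net.inet.ip.portfirst=32768
net.inet.ip.redirect=0
net.inet.tcp.syncachelimit=20510
"""

# Constructed: values made up, not measured on any host.
SAMPLE_LIVE = """\
kern.maxproc=1310
kern.somaxconn=2048
net.inet.ip.portfirst=1024
net.inet.ip.redirect=1
net.inet.tcp.sendspace=16384
"""

Finding = Tuple[str, str, Optional[str]]   # (status, wanted, live)


def parse_kv(text: str) -> Dict[str, str]:
    """Parse `key=value` lines as used by sysctl.conf and sysctl output.
    `#` starts a comment, blank lines are skipped, whitespace is trimmed."""
    out: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"not a key=value line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        out[key] = value
    return out


def _norm(value: str):
    """Compare numerically where possible so '2048' and ' 2048' agree,
    but keep non-numeric values (hostnames and the like) as strings."""
    try:
        return int(value)
    except ValueError:
        return value


def check_sysctl(expected_text: str, live_text: str) -> Dict[str, Finding]:
    """Return {key: (status, wanted, live)} for every expected key that is
    missing from the live output or set to a different value. Equality is
    exact on purpose: for a knob like net.inet.ip.redirect=0 a larger live
    value is not 'at least as good', it means the setting is not applied."""
    expected = parse_kv(expected_text)
    live = parse_kv(live_text)
    findings: Dict[str, Finding] = {}
    for key, want in expected.items():
        if key not in live:
            findings[key] = ("missing", want, None)
        elif _norm(live[key]) != _norm(want):
            findings[key] = ("differs", want, live[key])
    return findings


def report(findings: Dict[str, Finding]) -> str:
    """Render findings one per line, sorted by key, for a cron or login check."""
    if not findings:
        return "all expected sysctl values are in effect"
    lines = []
    for key in sorted(findings):
        status, want, have = findings[key]
        if status == "missing":
            lines.append(f"{key}: not present in live output (want {want})")
        else:
            lines.append(f"{key}: live {have}, want {want}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(check_sysctl(SAMPLE_CONF, SAMPLE_LIVE)))
```

On a real host you would feed `check_sysctl` the contents of /etc/sysctl.conf and the captured output of `sysctl -a`; keys that `sysctl -a` does not list (some are only readable with an explicit name) show up as "missing" and need to be queried individually.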

Re: revenge of stupid vlan questions

2007-05-09 Thread Stuart Henderson
On 2007/05/09 14:08, Jon wrote:
> The switch is vlan aware and the hosts connected to it are plugged
> into ports which are assigned to vlans configured on the switch with
> the same numbers that I am putting in the /etc/hostname.vlan* vlan
> option fields.

Usually you can configure a switch port to have one untagged vlan,
and zero or more tagged vlans.

Tagged vlans simply have the ethernet frame marked with the number
of the vlan, and need support from the connected device. You would use
this on the connection to the router.

Frames sent to untagged vlans have any tags, if present, stripped off
by the switch and passed on. You can connect normal equipment to an
untagged port, it doesn't need to know anything about VLANs. The cheap
fanless managed switch I have at home gives a dropdown list to choose
'PVID', which is the untagged vlan. Procurve and Extreme switches
just use tagged/untagged. $DEITY knows what Cisco use, they like to
make up their own names.

You can have both types running on a port together.

>>>   Using tcpdump on the vlan parent device DOES show
>>> all kinds of arp requests and such noise marked as 802.1Q coming
>>> from the hosts on the various vlans (mostly unanswered arp requests
>>> for the vlan device which is their gateway) and using tcpdump on the
>>> various vlan devices on the router shows only unanswered arp requests
>>> for the various other hosts.

Run two copies of tcpdump, one on em1, one on a vlan. All the frames
marked for that vlan should be shown twice, one on parent, one on the
vlan. Is that working ok?

>>> * I've uncommented net.inet.ip.forwarding=1 in /etc/sysctl.conf

You did either also set this manually, or reboot to activate it, I take
it? Please check output of 'sysctl net.inet.ip.forwarding' if you are not
absolutely certain.

>>> * packetfilter is off

ok ('Status: disabled' in pfctl -si?)

>>> * hostname.em0: inet 172.18.1.2 255.255.255.0 NONE (external side of the 
>>> router, local to my desktop lan - pings go through this to the vlan 
>>> devices and return just fine)
>>> * hostname.em1: up mtu 1518 (the mtu 1518 part is just cause a man page 
>>> seemed to be suggesting I should set it to this)

Which man page seemed to be suggesting that? Maybe the wording needs
some adjustment. You should reset to 1500 and remove the setting from
hostname.em1. MTU is the maximum size of IP packets. Apart from on
extremely crappy nics, vlans do not affect that unless you stack them
on top of each other (e.g. vlandev vlanXXX).

>> The 802.1Q protocol will increase the frame by 4 bytes, but if your 
>> destination cannot interpret the VLAN protocol ID, the packet will be 
>> dropped.

Not necessarily; there is definitely some kit out there which just
strips the vlan tags and passes them through, I have a pseudowire WAN
circuit which does just that. (neos networks, for those in .uk-land
who are interested in such things: don't know whether it's them or
the modems on the telewest tail that's doing it...)

> So in this case that isn't just the switch and the firewall?  I'm
> confused.  :(   I thought the wrapping and unwrapping of the network
> packets in the vlan protocol packets was handled solely by the switch
> and firewall.

picking nits: ethernet has frames, IP has packets.

> You're telling me this is not the case?

It *is* the case, at least on untagged ports. I think that must be
how you have things configured, or you wouldn't see tags coming in to
the firewall on the parent interface.

>From your earlier post,

 "Traffic passes fine to the vlan devices from the external
 side of the router (I can ping them) however traffic does not
 seem to pass between the vlan devices and their parent device
 - I cannot ping stuff connected to the vlans on the switch."

this isn't quite clear. can you try rewriting it more completely?
"I cannot ping stuff" - what stuff, where from? It may be simpler to
just copy-and-paste bits of a terminal session. Also include
arp -an, netstat -rnfinet, ifconfig -A from the firewall.
If you can describe exactly how the switch is configured, that may
help too.
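The thread's model of tagging (a tagged port inserts a 4-byte tag after the source MAC, an untagged port strips it, the parent interface sees the tagged frame and the vlan interface sees it without the tag, and the IP MTU is unaffected) is easy to demonstrate on raw bytes. The block below is an added example, not code from OpenBSD's vlan(4) or from anyone in the thread; the TPID values are the standard 802.1Q/802.1ad ones, the MAC addresses and the ARP body are constructed, and the IP addresses are the ones from the hostname.vlan0 example in the thread.

```python
"""802.1Q tag handling on raw Ethernet frames.

Added example for the vlan thread above; not OpenBSD's vlan(4) code and
not code from the thread. Addresses and payload are constructed.
"""
import struct

TPID_8021Q = 0x8100    # customer tag (C-tag), what vlan(4) puts on the wire
TPID_8021AD = 0x88A8   # service tag (S-tag), seen when vlans are stacked
TAG_TPIDS = (TPID_8021Q, TPID_8021AD)
ETHERTYPE_ARP = 0x0806

ETH_HDR_LEN = 14       # dst(6) + src(6) + ethertype(2)
TAG_LEN = 4            # TPID(2) + TCI(2)


def parse_frame(frame: bytes) -> dict:
    """Split a frame into addresses, any 802.1Q tags (outermost first),
    the inner ethertype and the payload. Raises on truncated input."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    off = 12
    tags = []
    (etype,) = struct.unpack_from("!H", frame, off)
    while etype in TAG_TPIDS:
        # A tag is TPID + TCI and must be followed by another ethertype.
        if len(frame) < off + TAG_LEN + 2:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append({
            "tpid": etype,
            "pcp": tci >> 13,         # 3-bit priority code point
            "dei": (tci >> 12) & 1,   # drop eligible indicator
            "vid": tci & 0x0FFF,      # 12-bit VLAN id
        })
        off += TAG_LEN
        (etype,) = struct.unpack_from("!H", frame, off)
    return {"dst": dst, "src": src, "tags": tags,
            "ethertype": etype, "payload": frame[off + 2:]}


def add_tag(frame: bytes, vid: int, pcp: int = 0, tpid: int = TPID_8021Q) -> bytes:
    """What a tagged switch port (or vlan(4) on transmit) does: insert a tag
    between the source MAC and the existing ethertype; the frame grows by 4."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094; 0 is priority-only and 4095 is reserved")
    if not 0 <= pcp <= 7:
        raise ValueError("PCP is a 3-bit field")
    tci = (pcp << 13) | vid
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def strip_outer_tag(frame: bytes) -> bytes:
    """What an untagged port (or vlan(4) on receive) does: remove the
    outermost tag; a frame with no tag is returned unchanged."""
    if len(frame) < ETH_HDR_LEN + TAG_LEN:
        return frame
    (etype,) = struct.unpack_from("!H", frame, 12)
    if etype not in TAG_TPIDS:
        return frame
    return frame[:12] + frame[12 + TAG_LEN:]


def max_frame_bytes(ip_mtu: int, tag_depth: int) -> int:
    """Bytes on the wire for a full-size packet: the IP MTU stays 1500,
    it is the Ethernet frame that grows by 4 per tag (1518 with one)."""
    return ETH_HDR_LEN + ip_mtu + TAG_LEN * tag_depth


def sample_arp_request() -> bytes:
    """Constructed ARP who-has for gateway 172.17.1.1 from host 172.17.1.10
    (IPs from the thread's hostname.vlan0 example; MACs are made up)."""
    dst = b"\xff" * 6
    src = bytes.fromhex("0011223344aa")
    arp = struct.pack("!HHBBH6s4s6s4s",
                      1, 0x0800, 6, 4, 1,        # Ethernet, IPv4, op=request
                      src, bytes([172, 17, 1, 10]),
                      b"\x00" * 6, bytes([172, 17, 1, 1]))
    return dst + src + struct.pack("!H", ETHERTYPE_ARP) + arp


def demo() -> dict:
    """Run one frame through the three views the thread describes."""
    untagged = sample_arp_request()
    on_parent = add_tag(untagged, vid=1)                      # as em1 sees it
    on_vlan0 = strip_outer_tag(on_parent)                     # as vlan0 sees it
    stacked = add_tag(on_parent, vid=100, tpid=TPID_8021AD)   # vlan on vlan
    return {
        "untagged": parse_frame(untagged),
        "parent": parse_frame(on_parent),
        "vlan0": parse_frame(on_vlan0),
        "stacked": parse_frame(stacked),
        "grown_by": len(on_parent) - len(untagged),
    }


if __name__ == "__main__":
    r = demo()
    print("tag as seen on the parent:", r["parent"]["tags"])
    print("tags with a stacked vlan:", r["stacked"]["tags"])
    print("bytes on the wire at mtu 1500, one tag:", max_frame_bytes(1500, 1))
```

Running two tcpdumps as suggested above corresponds to `parse_frame(on_parent)` and `parse_frame(on_vlan0)` here: same addresses, same ARP payload, the only difference is the tag list.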



Re: revenge of stupid vlan questions

2007-05-09 Thread Jacob Yocom-Piatt

Jon wrote:

Clint Pachl wrote:

Jon wrote:

Greetings everybody,

So I've set up what I thought should be a proper vlan configuration
however something is clearly still not correct.  Traffic passes fine
to the vlan devices from the external side of the router (I can ping
them) however traffic does not seem to pass between the vlan devices
and their parent device - I cannot ping stuff connected to the vlans
on the switch.


Is the switch VLAN-aware? Are the end-nodes in each VLAN VLAN- and 
tag-aware?


The switch is vlan aware and the hosts connected to it are plugged
into ports which are assigned to vlans configured on the switch with
the same numbers that I am putting in the /etc/hostname.vlan* vlan
option fields.  I'm not sure what you mean by end-nodes being vlan
and tag-aware though.  Have I made an incorrect assumption that this
vlan thing is something that happens transparently to the individual
hosts in the cluster (excluding the switch and the firewall)?



he might mean other switches connected to the one with vlan tagging 
enabled. if you want to pass tagged packets between several switches you 
need to make sure the vlan settings match across the switches and that 
the ports linking them accept tagged packets. the hosts that are on 
switch ports that are NOT tagged and have a certain vlan assigned to 
them will "transparently" end up in the right vlan.





  Using tcpdump on the vlan parent device DOES show
all kinds of arp requests and such noise marked as 802.1Q coming
from the hosts on the various vlans (mostly unanswered arp requests
for the vlan device which is their gateway) and using tcpdump on the
various vlan devices on the router shows only unanswered arp requests
for the various other hosts.

* I've uncommented net.inet.ip.forwarding=1 in /etc/sysctl.conf
* packetfilter is off
* hostname.em0: inet 172.18.1.2 255.255.255.0 NONE (external side of 
the router, local to my desktop lan - pings go through this to the 
vlan devices and return just fine)
* hostname.em1: up mtu 1518 (the mtu 1518 part is just cause a man 
page seemed to be suggesting I should set it to this)


The 802.1Q protocol will increase the frame by 4 bytes, but if your 
destination cannot interpret the VLAN protocol ID, the packet will be 
dropped.


So in this case that isn't just the switch and the firewall?  I'm
confused.  :(   I thought the wrapping and unwrapping of the network
packets in the vlan protocol packets was handled solely by the switch
and firewall.  You're telling me this is not the case?


see above. the 4 byte tag is only applied when packets need to pass to a 
tagged port on the switch, AFAIK. if you have an untagged port that is 
assigned to a vlan and the traffic passes to a tagged port, the tag will 
be applied to the traffic going out the tagged port.


i am no authority on vlans but i have them set up and working throughout 
the company network at my workplace.


cheers,
jake





* hostname.vlan0: inet 172.17.1.1 255.255.255.0 172.17.1.255 vlan 1 
vlandev em1
* hostname.vlan1: inet 172.17.2.1 255.255.255.0 172.17.2.255 vlan 2 
vlandev em1
* hostname.vlan2: inet 172.17.3.1 255.255.255.0 172.17.3.255 vlan 3 
vlandev em1
* hostname.vlan3: inet 172.17.4.1 255.255.255.0 172.17.4.255 vlan 4 
vlandev em1




Re: Chances of this hardware running OpenBSD?

2007-05-09 Thread Tobias Weingartner
Timo Schoeler wrote:
> 
>  I was disappointed quite often by vaporware in the Amiga universe,

>  However, as this really might become reality


Don't hold your breath.  $1500 for a system that is meant to cater
to the "amiga" crowd.  *shrug*  If you want to start on a port, get
in contact with P.A.Semi, and buy their SDK board.  The amiga board
looks like a 100% knock-off of it.

-- 
 [100~Plax]sb16i0A2172656B63616820636420726568746F6E61207473754A[dZ1!=b]salax



Re: revenge of stupid vlan questions

2007-05-09 Thread Jon

Clint Pachl wrote:

Jon wrote:

Greetings everybody,

So I've set up what I thought should be a proper vlan configuration
however something is clearly still not correct.  Traffic passes fine
to the vlan devices from the external side of the router (I can ping
them) however traffic does not seem to pass between the vlan devices
and their parent device - I cannot ping stuff connected to the vlans
on the switch.


Is the switch VLAN-aware? Are the end-nodes in each VLAN VLAN- and 
tag-aware?


The switch is vlan aware and the hosts connected to it are plugged
into ports which are assigned to vlans configured on the switch with
the same numbers that I am putting in the /etc/hostname.vlan* vlan
option fields.  I'm not sure what you mean by end-nodes being vlan
and tag-aware though.  Have I made an incorrect assumption that this
vlan thing is something that happens transparently to the individual
hosts in the cluster (excluding the switch and the firewall)?




  Using tcpdump on the vlan parent device DOES show
all kinds of arp requests and such noise marked as 802.1Q coming
from the hosts on the various vlans (mostly unanswered arp requests
for the vlan device which is their gateway) and using tcpdump on the
various vlan devices on the router shows only unanswered arp requests
for the various other hosts.

* I've uncommented net.inet.ip.forwarding=1 in /etc/sysctl.conf
* packetfilter is off
* hostname.em0: inet 172.18.1.2 255.255.255.0 NONE (external side of 
the router, local to my desktop lan - pings go through this to the 
vlan devices and return just fine)
* hostname.em1: up mtu 1518 (the mtu 1518 part is just cause a man 
page seemed to be suggesting I should set it to this)


The 802.1Q protocol will increase the frame by 4 bytes, but if your 
destination cannot interpret the VLAN protocol ID, the packet will be 
dropped.


So in this case that isn't just the switch and the firewall?  I'm
confused.  :(   I thought the wrapping and unwrapping of the network
packets in the vlan protocol packets was handled solely by the switch
and firewall.  You're telling me this is not the case?



* hostname.vlan0: inet 172.17.1.1 255.255.255.0 172.17.1.255 vlan 1 
vlandev em1
* hostname.vlan1: inet 172.17.2.1 255.255.255.0 172.17.2.255 vlan 2 
vlandev em1
* hostname.vlan2: inet 172.17.3.1 255.255.255.0 172.17.3.255 vlan 3 
vlandev em1
* hostname.vlan3: inet 172.17.4.1 255.255.255.0 172.17.4.255 vlan 4 
vlandev em1




Re: Softupdates question

2007-05-09 Thread George C

On 5/9/07, Nick Holland <[EMAIL PROTECTED]> wrote:



If it was not obvious from my comments, I love softdeps.  I have a
siteXX.tgz file which does a few simple things, one of which is to
change all mount points to use softdeps.  One really does have to
hunt a bit for relevant reasons not to use it.  About the only
place I can think of where I deliberately don't use it is on an
e-mail archive system on the filled partitions which are mounted
read-only.

I can't tell you how many times I have forgot to install my siteXX
file, started loading up /usr/src, and realized, "Dang, obviously
no softdeps".  At which point, I stop the checkout, fix the
problem, reboot, and try again.  Yes, the performance difference
is that obvious, and it is faster to reboot than it is to wait it
out.



I'm still curious about the issue of using softdep's when you have a
raid card with write-cache (and battery)... I thought I'd do a simple
test unpacking the ports.tar.gz with softdeps disabled/enabled, to
see for myself.

Without softdep enabled, I have the following:

[EMAIL PROTECTED] time tar xzf ports.tar.gz
0.970u 2.120s 1:00.62 5.0%  0+0k 9821+210784io 6pf+0w
[EMAIL PROTECTED] time rm -r ports
0.160u 1.390s 1:01.65 2.5%  0+0k 14994+126181io 17pf+0w

About a minute to unpack and another minute to remove.


With softdep enabled, I have the following:

[EMAIL PROTECTED] time tar xzf ports.tar.gz
1.270u 2.100s 0:45.62 7.3%  0+0k 9874+66318io 59pf+0w
[EMAIL PROTECTED] time rm -r ports
0.210u 1.230s 0:14.59 9.8%  0+0k 15741+22055io 17pf+0w

45 seconds to unpack and 15 seconds to remove.

(I've repeated this a few times each way, and I always have
roughly the same results.)

With softdep enabled, there was more cpu time, but a noticeable
decrease in total time.

So, fair to say that even with raid+write-cache+battery that
softdep's are beneficial (in terms of less disk time)?
I'm more interested in maintaining disk-consistency, and with
this setup, it looks like softdeps will still help with that also.


Thanks again for all the info!

-George



Re: Bottleneck in httpd. I need help to address capacity issues on max parallel and rate connections

2007-05-09 Thread Daniel Ouellet

Karsten McMinn wrote:

On 5/9/07, Daniel Ouellet <[EMAIL PROTECTED]> wrote:

I can now have two clients using 1000 parallel connections to one i386
850MHz server, my old one that I was testing with and I get all that no
problem now. No delay and I can even push it more, but I figure at 2000
parallel connections I should be able to get some breathing time now.


I've spent considerable time with tuning apache on openbsd to
consume all available resources in OpenBSD. Here's the
relevant httpd.conf sections:


Thanks. My configuration is more aggressive than yours and I can tell 
you for a fact that the problem and limitations were not in the httpd 
configuration, but in the OS part, in my case anyway.


Some of your values I think would/could crash your system. Especially the:

MaxKeepAliveRequests 5000
MaxClients 5000

I don't think you could reach that high. Why? Simply from a memory usage 
standpoint. That was my next exploration, but it's possible that one 
apache process could take as much as 11MB


 6035 www20   11M 9392K sleepnetcon   0:56  0.00% httpd

Obviously not all processes would use that much. The question really 
depends on content. If small images and lots of them, then each 
process uses less memory. But if it is to serve all big files, then it's 
possible to use a good amount of memory per process. Now I don't have 
that answer here and I am not sure how to come up with some logic on that, 
but even if each process was using only 1MB, then 5000 would give you 
5GB of RAM, which is more than what OpenBSD was supporting until not so 
long ago, so you will start to swap and god knows what will happen then.


So, I think these two values are not realistic and safe to use.


Timeout 300
KeepAlive On
MaxKeepAliveRequests 5000
KeepAliveTimeout 15


I use KeepAliveTimeout 5 and I am considering reducing it.

If you think about your suggestion here, you have KeepAliveTimeout 15 
and then MaxKeepAliveRequests 5000, don't you see the paradox here?


If your server is really busy, with lots of images on one page for 
example, then you would have a lot of processes stuck in the KeepAliveTimeout 
stage, so that's why you most likely increase your MaxClients to 
5000 to compensate for that, but that's wrong I believe. It makes your 
server use more resources and be slower to react.


I use a logic here for the values on how to fix it.

MaxKeepAliveRequests I think should be set based on how many possible 
additional requests a URL from a browser that supports keep alive and 
multiple requests at once could have. How many? Well, I think it's based 
on how many elements your web page can have. That's the idea here, isn't 
it? Many browsers will call the URL and when images for example are on 
that page they will fire up additional requests to the web server. So, 
in theory the maximum number of requests you should allow should be the 
maximum possible number of elements one page could have on it, no? Assuming 
a user can click a few pages in a few seconds maybe, I think anything 
above 1000 is not good. I could be wrong, but that's how I see it. I use 
250 and it serves me well and allows protecting the server from abuse from 
one source. I have some setups that allow 100 max here for the 
MaxKeepAliveRequests. But I would think that 1000 should be plenty and 
more than that may not be good. Unless my thinking above is wrong?


I can do more tests on that to know more obviously.

For testing reasons in my lab I put MaxKeepAliveRequests 0, but I 
wouldn't use that in production for sure.


Your value may be good, I just think not, but that's open to discussion.

One thing for sure, having the same number for MaxKeepAliveRequests and 
for MaxClients I think is wrong, as you open yourself to having one 
attacker from one source bring your server down and hog it all for 
himself. I believe that MaxKeepAliveRequests should definitely be lower 
than your MaxClients, not the same for sure.



MinSpareServers 20
MaxSpareServers 30
StartServers 50


I also think that if you want to run such a busy server, you should 
have more StartServers and for sure have a bigger margin between the min 
and max, as it will always kill processes and start new ones, whereas you 
fork a lot and that's a pretty slow process and costly as well. Again 
here I use some logic and base that on what the traffic is like. If you 
allow multiple requests per connection, wouldn't it make sense for you 
to be sure that you could serve that connection and all its requests 
without having to fork new processes? Meaning if you have 50 elements on 
your page, then it's possible that some browser will send you 50 
requests, so why not make sure you have 50 minimum processes to serve 
them? Again, that's logical to me. I have some setups where I keep a 
minimum of 50 spare and maximum of 100 spare. Not always, but in some cases 
yes. But it's better than the default one for sure. (;>



MaxClients 5000


Too high I think, based on the above explanations. 

backup DNS server for OpenBSD in Europe for free

2007-05-09 Thread Jiří Navrátil
Hi,

I had reported today a wrong DNS record for www.openbsd.org on IRC. Next to
this I had also offered a free backup server for openbsd domain in Europe.
cmihai pointed me to these email addresses.

If this is interesting for you, I'm running a tinydns server on Debian
GNU/Linux in Europe (Czech Republic) and I can set my server as a backup for
your records for free. My machine is in a hosting centre. You can check the
connectivity against b.ns.navratil.cz for example for navratil.cz

Best regards,
Jiri

**--
Jiri Navratil, http://www.navratil.cz,  +420 777 224 245



Re: Bottleneck in httpd. I need help to address capacity issues on max parallel and rate connections

2007-05-09 Thread Daniel Ouellet

Douglas Allan Tutty wrote:

On Wed, May 09, 2007 at 01:30:41AM -0400, Daniel Ouellet wrote:

No swapping is happening, even with 1000 httpd running.

load averages: 123.63, 39.74, 63.3285  01:26:47
1064 processes:1063 idle, 1 on processor
CPU states:  0.8% user,  0.0% nice,  3.1% system,  0.8% interrupt, 95.4% 
idle

Memory: Real: 648M/1293M act/tot  Free: 711M  Swap: 0K/4096M used/tot



How does this server do with 1000 non-httpd processes running?  Perhaps
I need a newer Nemeth et al, but in my 3rd edition, pg 759 middle of the
page says "Modern systems do not deal well with load averages over
about 6.0".


Be careful when reading these numbers here. Don't forget that I am doing 
this in a lab with abuse, etc. I am trying to push the server as much as 
I can here. In production, I do see some servers reaching 10, 18 and some 
times I saw up to 25, but all these were in extreme cases; most of the 
time it's always below 10.


I can't answer this question with proper knowledge here as I don't 
pretend to know that answer. May be someone else can speak knowingly 
about it?



Could your bottleneck be in context-switching between so many processes?
With so many, the memory cache will be faulting during the context
switching and have to be retrieved from main memory.  I don't think that
such slow-downs appear in top, and I don't know about vmstat.  I don't
know if there's a tool to measure this on i386.


Wasn't. However yes there is and I can see faulting. I checked both 
vmstat and iostat to see what's up. Obviously the numbers are higher on 
older hardware as it runs out of horse power. But the problem 
was to be able to handle more than 300 parallel connections and why it 
just went 3x when only 2 more processes were added. So, no, I don't think the 
context-switching had anything to do with it here.


You will see when I post the changes I did and the test I did. Some are 
surprising!



I've never run httpd but it looks to me like a massively parallelized
problem where each connection is trivial to serve (hence low CPU usage,
no disk-io waiting) but there are just so many of them.  


On multi core and multi processor hardware with proper memory, it 
shouldn't be a problem I think, but will know soon!



How does the server do with other connection services, e.g. pop or ftp?


I only run one application per server, always did and most likely 
always will. So, any mail server is a mail server, and a web server is 
only a web server here anyway. Even DNS servers are only running DNS as well, etc.




Re: 4.0 locked up over the weekend

2007-05-09 Thread Bruce Bauer

Update:

I've experienced 3 more hard lockups.
No messages on the console screen. Nothing unusual in any of the log
files that I've found. Make running in /usr/ports/x11/kde was
interrupted at different tasks each time (downloading, compiling, and
running a configure script). System recovered each time with no
problems after a power cycle.

Are there some system monitoring tools I should be running to keep
track of various resources?

On 5/8/07, Bruce Bauer <[EMAIL PROTECTED]> wrote:

Initial results:

compiled bonnie++ from ports
make is running in ports/x11/kde
2 video streams passing through VPN tunnel at about 32 fps total
output from bonnie++:
Version  1.03   --Sequential Output-- --Sequential Input- --Random-
   -Per Chr- --Block-- -Rewrite- -Per Chr- --Block-- --Seeks--
MachineSize K/sec %CP K/sec %CP K/sec %CP K/sec %CP K/sec %CP  /sec %CP
roadrunner.for 300M 50379  46 49432   6  6322   1 25376  41 34974   4 130.7   0
   --Sequential Create-- Random Create
   -Create-- --Read--- -Delete-- -Create-- --Read--- -Delete--
 files  /sec %CP  /sec %CP  /sec %CP  /sec %CP  /sec %CP  /sec %CP
16  2542   5 + +++  5113   8  2898   7 + +++  5478   9
roadrunner.fortechsw.com,300M,50379,46,49432,6,6322,1,25376,41,34974,4,130.7,0,16,2542,5,+,+++,5113,8,2898,7,+,+++,5478,9

ran uptime after bonnie++ finished
11:21AM up 1 day, 2:15, 2 users, load averages: 4.08, 3.15, 2.55

Everything seems to be running smoothly

Bruce

On 5/8/07, Joachim Schipper <[EMAIL PROTECTED]> wrote:
> On Tue, May 08, 2007 at 09:05:44AM -0700, Bruce Bauer wrote:
> > Probably a good idea to put some load on the sytem anyway.
> > See how the VPN data transfer holds up.
> > Downloading ports.tar.gz now
> > Running make in ports/www/kde should keep it busy for a while
> > Not familiar with bonnie++, I'll check it out
>
> Bonnie++ just generates a lot of I/O. The 'ghetto' version involves
> running 'tar xzf srf.tar.gz; rm -rf src' in a loop.
>
> Let us know how it goes...
>
>Joachim
>
> --
> TFMotD: tht, thtc (4) - Tehuti Networks 10Gb Ethernet device




Re: Bottleneck in httpd. I need help to address capacity issues on max parallel and rate connections

2007-05-09 Thread Karsten McMinn

On 5/9/07, Daniel Ouellet <[EMAIL PROTECTED]> wrote:

I can now have two clients using 1000 parallel connections to one i386
850MHz server, my old one that I was testing with and I get all that no
problem now. No delay and I can even push it more, but I figure at 2000
parallel connections I should be able to get some breathing time now.


I've spent considerable time with tuning apache on openbsd to
consume all available resources in OpenBSD. Here's the
relevant httpd.conf sections:

Timeout 300
KeepAlive On
MaxKeepAliveRequests 5000
KeepAliveTimeout 15

MinSpareServers 20
MaxSpareServers 30
StartServers 50
MaxClients 5000
MaxRequestsPerChild 0

I had statically compiled php into my httpd binary and obviously
raised HARD_LIMIT to 5000, using OpenBSD's apache.

This netted me an ability to serve about a max of 3000
requests per second on a 1.6ghz athlon with 256MB of memory.

hth.



Re: Performance: OpenVPN vs IPsec

2007-05-09 Thread Matthew R. Dempsky
On Wed, May 09, 2007 at 02:51:35PM +0200, Michael wrote:
> Now, as I understand it, it isn't possible to create an IPsec connection
> from a single host within a NATed network to an external server but
> OpenVPN works great here. Please correct me if I am wrong. (I have no
> access to the NAT router here.)

If the router allows UDP traffic on ports 500 and 4500, isakmpd will
fall back to NAT-traversal automatically if it decides it's necessary.



Re: Softupdates question

2007-05-09 Thread Stephan Andre'
Well, which would you prefer, Peter?  I've had systems that have
had their power yanked from them several times now, and I've
yet to have seen a screwed filesystem. Yes, files created or
deleted within 30(?) seconds of the outage might be inconsistent
or whatever; I'll take that any day over a damaged filesystem.

I think there are bugs in the softdep code.  I know of one really
busy system that has crashed because of softdeps being on,
but only one and I've never been able to pin it down.  I would
say it works well and gets better with each release.

--STeve Andre'

On Wednesday 09 May 2007 12:03:40 Peter Fraser wrote:
> I did read the papers. There is a difference between the file
> system being screwed and data lost. Softupdates hopefully stops
> the files system from being in a bad state, but it is amazing
> how much user data can be lost on a power failure while using
> softupdates.
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
> Of mickey
> Sent: Wednesday, May 09, 2007 11:49 AM
> To: Peter Fraser
> Cc: misc@openbsd.org
> Subject: Re: Softupdates question
>
> On Wed, May 09, 2007 at 10:45:15AM -0400, Peter Fraser wrote:
> > I had always assumed the use of softupdates was safe as long
> > as you could have reasonable assurances that the machine would
> > not be shutdown without warning. (i.e. no loss of power or reset
> > being hit).
> >
> > So if you had a UPS, good hardware, and no vandals it's good to use.
>
> actually if you bother to read the papers
> whole idea behind softdeps is to ensure better recoverability
> from crashes/power/etc.
> cu
> --
> paranoic mickey   (my employers have changed but, the name has
> remained)



Re: OpenBSD 4.1 install issue??

2007-05-09 Thread Marcos Laufer
I had the same problem installing OpenBSD 4.1 on an Intel D945GCcr
motherboard
and the snapshot worked just fine!
But i noticed that it is not possible to install gd package due to lack of
libfontconfig.3.0 on xbase41.tgz
of the snapshot.
But the libfontconfig.3.0 is on the xbase41.tgz of the release.
So i installed the xbase41.tgz of the release over the snapshot
installation, and i could install gd smoothly.

Now i just have to move on to stable and i'm ready to go!

Thanks !
Marcos Laufer

- Original Message - 
From: "Rob Waite" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, May 02, 2007 9:52 AM
Subject: Re: OpenBSD 4.1 install issue??


Yep.. the snapshot worked... I did not get a chance to try 3.9... I spent
all last night making a new release... I was pretty sure that I only needed
cd41.iso and the kernel but I went ahead and did the whole thing anyway.

So now it is up and running and everything seems fine. Thanks for your help!

Rob
- Original Message - 
From: "Tom Cosgrove" <[EMAIL PROTECTED]>
To: "Rob Waite" <[EMAIL PROTECTED]>
Sent: Tuesday, May 01, 2007 11:58 AM
Subject: Re: OpenBSD 4.1 install issue??


> Rob
>
> Can you try a snapshot?  VM_PHYSSEG_MAX was upped from 5 to 16 at
> the end of March; this should help.  (This change was too late for
> 4.1 though.)
>
> I was also serious in asking you to try 3.9: I think you will find
> that this does not work either.  In other words, 4.0 is the only
> recent release that will have worked for you - there were changes
> in 4.0 which were reverted (undone) for 4.1 because they did not
> work for everyone.  However, they did include a higher value for
> VM_PHYSSEG_MAX.
>
> Thanks
>
> Tom
>
> >>> Rob Waite 1-May-07 14:43 >>>
>>
>> Yeah I am sorry about the first hand written dmesg with the
>> "blah blah" in it. Below are two links to images of my screen.. some
>> intermediate messages were lost because they scrolled by too fast.
>>
>> To recap... it works on i386 4.0 (the clock_battery message shows
>> up there too) it works on amd64 4.1 (clock_message also) and the
>> screenshots for i386 4.1 are below. There is a message in the
>> secondScreen image where fxp0 has a fault. If I disable the intel
>> ethernet (it is onboard the motherboard) I get an error at about the
>> same place about the USB having a fault. If I disable the USB...
>> another item has a fault and so on (sorry.. I don't remember the
>> item... if someone thinks that is an important clue I will try again
>> and let you know).
>>
>> It seems like the initial avm_page_physload is a big part of this
>> issue. It seems so strange how the other releases will work.
>>
>> Okay... so here are the links to the screenshots and the dmesg for
>> amd64 was in an earlier post. Thanks again everyone.
>>
>> http://i175.photobucket.com/albums/w132/winstonwaite/firstScreen.jpg
>>
>> http://i175.photobucket.com/albums/w132/winstonwaite/secondScreen.jpg



mpi(4): any way to view WWN?

2007-05-09 Thread Stuart Henderson
I have a remotely located system with an mpi(4) HBA (LSI FC929X)
where it would be useful to display the WWN.

Is there currently a way to retrieve this that's more convenient
than watching for BIOS messages at boot?



Re: Redirected packet from pf is lost

2007-05-09 Thread Stuart Henderson
> >> I've got a Dell SC1435, running OpenBSD 4.0, with two Ethernet
> >> interfaces (bge0 and bge1) working as a gateway and firewall
> >for our internal network.
> >>
> >> bge0 is the external connection (with a class B IPv4 address), and
> >> bge1 is the internal connection (private IP network, class C). They
> >> are both part of a bridge, bridge0:

From the information you gave, I don't see any reason for these to
be bridged, and there are some good reasons not to (it will increase
broadcast traffic on both segments, and makes things more complex,
especially where PF is concerned)

The main reason you might need it is if there are also machines on
bge1 with public addresses (though if that's the case, it would be
cleaner to have them on a separate interface - physical or vlan)



Re: [OT] language tricks (was: creating menu's)

2007-05-09 Thread Douglas Allan Tutty
On Wed, May 09, 2007 at 10:56:57AM +0200, Joachim Schipper wrote:
> On Tue, May 08, 2007 at 09:34:35PM -0400, Douglas Allan Tutty wrote:
> > On Tue, May 08, 2007 at 01:22:10PM -0700, Bryan Irvine wrote:
> >  
> > > I need a fairly simple menu, and have thought about just simple
> > > selects but figured now would also be a good time to learn something
> > > new as well.  It's nothing so complex that I need to go ncurses to do.
> > > Just a basic  then  then 
> > > thing.
> > 
> > My front-ends I do in python.  It doesn't have a case/select.  I just
> > use if/then/elif/
> > 
> > Then there's Fortran with computed gotos; very slick.  I forget the
> > syntax but is something like goto (10+choice)
> > for each choice until one matches.
> 
> Just pointing out: if Python can do the job at all, you almost certainly
> don't need that kind of micro-optimization in Fortran code. Also, this
> is a menu. Efficiency is not exactly a big goal.

I don't do enough programming to want to keep track of multiple
languages.  If I have to read a program in 10 years I want to know what
it's trying to do.  C has too much punctuation everywhere.  So I only
program in Python and Fortran.  

> 
> However, and this is where I go completely off-topic, while we're at it,
> you don't need Fortran for this, most languages have equivalent
> constructs (C):
> 
 
> In languages with higher order-functions, this can be written even more
> concisely (Scheme):
 
> However, all of this is massively overkill. Just use a shell script.

Shell is too much like C (punctuation and spacing matter).  (sorry if
this sounds anti-unix).  I use shell if it's like a dos bat file,
sequential.  Once I have to test conditions and branch I switch to
python.  Then if something takes a long time (or I know it will before
hand), I use fortran 77.

Unfortunately, I can't get my head around regex either.  Two hours after
I've written it I can't understand it.  So I code it in python or
fortran.

Doug.



OpenBSD roadtrip: Ede Netherlands 20070510, Krakow Poland 20070512-13

2007-05-09 Thread Wim Vandeputte
Hey,

I'm happy to announce that all (well, most) OpenBSD 4.1 orders have been 
shipped out and that we are back on the road attending conferences.

For those in Netherlands, tonight (after 22h :-) and tomorrow, we'll be
in Ede, at the "NLUUG Voorjaarsconferentie 2007"

http://www.nluug.nl/events/vj07/index.html

This weekend, Felix, Henning and I will be in Krakow, Poland for 
"Confidence 2007"

http://2007.confidence.org.pl/

I've been told Jacek is alive and will be giving us info about his
missing books this weekend, so I hope to have that all cleared about
by next week.

Feel free to drop by and say hello

Wim.

-- 
https://kd85.com/notforsale.html



Re: Redirected packet from pf is lost

2007-05-09 Thread Darrin Chandler
On Wed, May 09, 2007 at 09:08:58AM -0600, Steve Williams wrote:
> Check out a (very) recent thread initiated by myself with the subject 
> "rdr on bridge interface possible? (squid transparent proxy on bridge)".
> 
> There are a few suggestions there, none of which have worked for me.  I 
> have no idea why it's not working for me.
> 
> Let me know if you get it working!

Steve,

I only posted a single rule before. Here are all the relevant parts...


ext_if="de0" # this if has an IP address

rdr on $ext_if inet proto tcp from  to port smtp \
-> 127.0.0.1 port spamd

pass in on $ext_if route-to lo0 inet proto tcp to 127.0.0.1 port spamd


Note that the pass/route-to rule targets the *destination* of the rdr...

-- 
Darrin Chandler|  Phoenix BSD User Group  |  MetaBUG
[EMAIL PROTECTED]   |  http://phxbug.org/  |  http://metabug.org/
http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation



Re: Redirected packet from pf is lost

2007-05-09 Thread Andreas Häber
Hi Steve,

Thanks for your reply! I read your thread before I posted this, but since it
applied to a transparent bridge it was a bit hard for me to see if the
solutions applied to my problem.

However, I just fixed my problem by adding a route-to in the firewall rule,
which routes the packet over to the internal interface ($int_if):

FROM:
>> pass in log on {$ext_if $int_if} proto udp from
>> external.sip.proxy.example port sip to internal.sip.proxy.test port
>> 6060 tag VoIP2 keep state

to:

pass in log on {$ext_if $int_if} route-to $int_if proto udp from
external.sip.proxy.example port sip to internal.sip.proxy.test port 6060 tag
VoIP2 keep state

I now see that Mark Pecaut actually wrote the answer for me in his reply to
you, except that I'm routing to $int_if and not lo0.

Best regards,
Andreas


>-Original Message-
>From: Steve Williams [mailto:[EMAIL PROTECTED]
>Sent: 9. mai 2007 17:09
>To: Andreas Häber
>Cc: misc@openbsd.org
>Subject: Re: Redirected packet from pf is lost
>
>Andreas Häber wrote:
>> Hi all,
>>
>> I've got a Dell SC1435, running OpenBSD 4.0, with two Ethernet
>> interfaces (bge0 and bge1) working as a gateway and firewall
>for our internal network.
>>
>> bge0 is the external connection (with a class B IPv4 address), and
>> bge1 is the internal connection (private IP network, class C). They
>> are both part of a bridge, bridge0:
>> # cat /etc/bridgename.bridge0
>> add bge0
>> add bge1
>> blocknonip bge0
>> blocknonip bge1
>> up
>> #
>>
>> Our pf-config has worked fine for normal Internet access, so
>internal
>> computers can access external hosts fine (through NAT).
>>
>> However, now we need to redirect packets from an external host
>> ("external.sip.proxy.example" below, using a normal class B IPv4
>> address) to one of our internal hosts ("internal.sip.proxy.test"
>> below, which is part of the same private network as bge1 on our
>> gateway). This is the first rdr rule below. I've also used
>"rdr pass"
>> instead of the explicit pass as shown below, obviously with
>no success.
>>
>> The pf-config looks like this (rules related to IPSec, SSH-access are
>> removed):
>> ext_if="bge0"   # External interface
>> int_if="bge1"   # Internal interface
>>
>> set block-policy return
>> set loginterface $ext_if
>>
>> set skip on { lo enc0 }
>>
>> scrub in
>>
>> rdr on $ext_if proto udp from external.sip.proxy.example port sip to
>> any port 6060 \
>> tag VoIP -> internal.sip.proxy.test port 6060
>>
>> nat on $ext_if from !($ext_if) to any -> ($ext_if)
>>
>> nat-anchor "ftp-proxy/*"
>> rdr-anchor "ftp-proxy/*"
>> rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port
>> 8021
>>
>> block in log all
>>
>> pass out keep state
>>
>> anchor "ftp-proxy/*"
>> antispoof quick for { lo enc0 $int_if }
>>
>> # Does NOT work (see tag on rdr-rule above) pass in log
>tagged VoIP #
>> Does work, according to pflog. Tag is nowhere to be seen, though.
>> pass in log on {$ext_if $int_if} proto udp from
>> external.sip.proxy.example port sip to internal.sip.proxy.test port
>> 6060 tag VoIP2 keep state
>>
>> pass quick on { $int_if, enc0 }
>>
>>
>>
>>
>> # -- end pf.conf --
>>
>>
>> As you can see above, I'm logging blocked packets and also the
>> relevant packets passed in. I've found these two packets in
>pflog0 related to this.
>> The first one is a SIP request sent out from internal.sip.proxy.test
>> to
>> external.sip.proxy.example:
>>
>> Frame 205258 (1458 bytes on wire, 1458 bytes captured)
>> Arrival Time: May  8, 2007 16:58:45.715379000
>> [Time delta from previous packet: 679.119839000 seconds]
>> [Time since reference or first frame: 8590.343581000 seconds]
>> Frame Number: 205258
>> Packet Length: 1458 bytes
>> Capture Length: 1458 bytes
>> [Frame is marked: True]
>> [Protocols in frame: pflog:ip:udp:sip:sdp] PF Log IPv4 passed on
>> bge1 by rule 46
>> Header Length: 61
>> Address Family: IPv4 (2)
>> Action: passed (0)
>> Reason: match (0)
>> Interface: bge1
>> Ruleset:
>> Rule Number: 46
>> Sub Rule Number: -1
>> Direction: Unknown (255)
>> Internet Protocol, Src: internal.sip.proxy.test (192.168.1.7), Dst:
>> external.sip.proxy.example (external.sip.proxy.example)
>> Version: 4
>> Header length: 20 bytes
>> Differentiated Services Field: 0x10 (DSCP 0x04: Unknown
>DSCP; ECN: 0x00)
>> 0001 00.. = Differentiated Services Codepoint: Unknown (0x04)
>>  ..0. = ECN-Capable Transport (ECT): 0
>>  ...0 = ECN-CE: 0
>> Total Length: 1394
>> Identification: 0x (0)
>> Flags: 0x04 (Don't Fragment)
>> 0... = Reserved bit: Not set
>> .1.. = Don't fragment: Set
>> ..0. = More fragments: Not set
>> Fragment offset: 0
>> Time to live: 64
>> Protocol: UDP (0x11)
>> Header checksum: 0x622c [correct]
>> [Good: True]
>> [Bad : False]
>> Source: internal.sip.proxy.tes

Re: Softupdates question

2007-05-09 Thread Peter Fraser
I did read the papers. There is a difference between the file
system being screwed and data lost. Softupdates hopefully stops
the files system from being in a bad state, but it is amazing
how much user data can be lost on a power failure while using
softupdates.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of mickey
Sent: Wednesday, May 09, 2007 11:49 AM
To: Peter Fraser
Cc: misc@openbsd.org
Subject: Re: Softupdates question

On Wed, May 09, 2007 at 10:45:15AM -0400, Peter Fraser wrote:
> I had always assumed the use of softupdates was safe as long
> as you could have reasonable assurances that the machine would
> not be shutdown without warning. (i.e. no loss of power or reset
> being hit).
>
> So if you had a UPS, good hardware, and no vandals it's good to use.

actually if you bother to read the papers
whole idea behind softdeps is to ensure better recoverability
from crashes/power/etc.
cu
--
paranoic mickey   (my employers have changed but, the name has
remained)



Re: Softupdates question

2007-05-09 Thread mickey
On Wed, May 09, 2007 at 10:45:15AM -0400, Peter Fraser wrote:
> I had always assumed the use of softupdates was safe as long
> as you could have reasonable assurances that the machine would
> not be shutdown without warning. (i.e. no loss of power or reset
> being hit).
> 
> So if you had a UPS, good hardware, and no vandals it's good to use.

actually if you bother to read the papers
whole idea behind softdeps is to ensure better recoverability
from crashes/power/etc.
cu
-- 
paranoic mickey   (my employers have changed but, the name has remained)



Re: Performance: OpenVPN vs IPsec

2007-05-09 Thread Steve Williams

Michael wrote:

Hello,

I've got two "networks" connected with OpenVPN right now, the setup is
like this.

{Network_A}-{OpenVPN_Server}--{Network_B}

NetworkA is a real network where the router (with dynamic IP) is
connected directly to a dedicated OpenVPN server with a static IP.

"NetworkB" is just a single host within another network which is
connected to the OpenVPN server to be able to directly access NetworkA
over the central OpenVPN server.

Now, as I understand it, it isn't possible to create an IPsec connection
from a single host within a NATed network to an external server but
OpenVPN works great here. Please correct me if I am wrong. (I have no
access to the NAT router here.)

  

[snip]

Hi,

From MY experience it is possible to use an IPSEC VPN through NAT, with 
some conditions!!


1.  There can only be 1 IPSEC connection through the NAT router UNLESS 
the router supports NAT-T.


2.  The IPSEC connection cannot be doing AH, only ESP.  If you do not 
understand this statement, man(4) ipsec will be our friend.


Someone else may correct me, but these are my empirical findings and my 
understanding from doing LOTS of reading.  I'm very much a beginner at 
this stuff though.


The rest I have no idea about. 


Good Luck,
Steve Williams



Re: Redirected packet from pf is lost

2007-05-09 Thread Steve Williams

Andreas Häber wrote:

Hi all,

I've got a Dell SC1435, running OpenBSD 4.0, with two Ethernet interfaces
(bge0 and bge1) working as a gateway and firewall for our internal network.

bge0 is the external connection (with a class B IPv4 address), and bge1 is
the internal connection (private IP network, class C). They are both part of
a bridge, bridge0:
# cat /etc/bridgename.bridge0
add bge0
add bge1
blocknonip bge0
blocknonip bge1
up
#

Our pf-config has worked fine for normal Internet access, so internal
computers can access external hosts fine (through NAT).

However, now we need to redirect packets from an external host
("external.sip.proxy.example" below, using a normal class B IPv4 address) to
one of our internal hosts ("internal.sip.proxy.test" below, which is part of
the same private network as bge1 on our gateway). This is the first rdr rule
below. I've also used "rdr pass" instead of the explicit pass as shown
below, obviously with no success.

The pf-config looks like this (rules related to IPSec, SSH-access are
removed):
ext_if="bge0"   # External interface
int_if="bge1"   # Internal interface

set block-policy return
set loginterface $ext_if

set skip on { lo enc0 }

scrub in

rdr on $ext_if proto udp from external.sip.proxy.example port sip to any
port 6060 \
tag VoIP -> internal.sip.proxy.test port 6060

nat on $ext_if from !($ext_if) to any -> ($ext_if)

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

block in log all

pass out keep state

anchor "ftp-proxy/*"
antispoof quick for { lo enc0 $int_if }

# Does NOT work (see tag on rdr-rule above)
pass in log tagged VoIP
# Does work, according to pflog. Tag is nowhere to be seen, though.
pass in log on {$ext_if $int_if} proto udp from external.sip.proxy.example
port sip to internal.sip.proxy.test port 6060 tag VoIP2 keep state

pass quick on { $int_if, enc0 }




# -- end pf.conf --


As you can see above, I'm logging blocked packets and also the relevant
packets passed in. I've found these two packets in pflog0 related to this.
The first one is a SIP request sent out from internal.sip.proxy.test to
external.sip.proxy.example:

Frame 205258 (1458 bytes on wire, 1458 bytes captured)
Arrival Time: May  8, 2007 16:58:45.715379000
[Time delta from previous packet: 679.119839000 seconds]
[Time since reference or first frame: 8590.343581000 seconds]
Frame Number: 205258
Packet Length: 1458 bytes
Capture Length: 1458 bytes
[Frame is marked: True]
[Protocols in frame: pflog:ip:udp:sip:sdp]
PF Log IPv4 passed on bge1 by rule 46
Header Length: 61
Address Family: IPv4 (2)
Action: passed (0)
Reason: match (0)
Interface: bge1
Ruleset:
Rule Number: 46
Sub Rule Number: -1
Direction: Unknown (255)
Internet Protocol, Src: internal.sip.proxy.test (192.168.1.7), Dst:
external.sip.proxy.example (external.sip.proxy.example)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x10 (DSCP 0x04: Unknown DSCP; ECN: 0x00)
0001 00.. = Differentiated Services Codepoint: Unknown (0x04)
 ..0. = ECN-Capable Transport (ECT): 0
 ...0 = ECN-CE: 0
Total Length: 1394
Identification: 0x (0)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: UDP (0x11)
Header checksum: 0x622c [correct]
[Good: True]
[Bad : False]
Source: internal.sip.proxy.test (192.168.1.7)
Destination: external.sip.proxy.example (external.sip.proxy.example)
User Datagram Protocol, Src Port: 6060 (6060), Dst Port: 5060 (5060)
Source port: 6060 (6060)
Destination port: 5060 (5060)
Length: 1374
Checksum: 0x1eac [correct]
Session Initiation Protocol
Request-Line: INVITE sip:[EMAIL PROTECTED] SIP/2.0
Method: INVITE
[Resent Packet: False]
[Snipped away rest of the SIP-content!]


The external.sip.proxy.example sends the following response back
Frame 205259 (805 bytes on wire, 805 bytes captured)
Arrival Time: May  8, 2007 16:58:45.716547000
[Time delta from previous packet: 0.001168000 seconds]
[Time since reference or first frame: 8590.344749000 seconds]
Frame Number: 205259
Packet Length: 805 bytes
Capture Length: 805 bytes
[Frame is marked: True]
[Protocols in frame: pflog:ip:udp:sip]
PF Log IPv4 passed on bge0 by rule 14
Header Length: 61
Address Family: IPv4 (2)
Action: passed (0)
Reason: match (0)
Interface: bge0
Ruleset:
Rule Number: 14
Sub Rule Number: -1
Direction: Unknown (255)
Internet Protocol, Src: external.sip.proxy.example
(external.sip.proxy.example), Dst: internal.sip.proxy.test (192.168.1.7)
Version: 4
Header length: 20 bytes
Differentiated Services Field

Re: Sun Netra and DAS

2007-05-09 Thread Paul D. Ouderkirk

On 5/8/07, Kevin <[EMAIL PROTECTED]> wrote:

Hello all,

I'm about out of space on a Sun Netra T1 that has been happily running
OpenBSD for some time. I'd rather keep this server in action and add
space to it, but both internal drive slots are occupied, so that means
the only choice (short of reloading on bigger disks, which for a
variety of reasons I'd rather avoid) is adding external storage.

It seems like the logical choice would be a Direct Attached Storage
box like a D1000 plugged into the external SCSI port or a PCI RAID
card. So:

...

3.) Are there better alternatives that I'm just overlooking?


A StorEdge S1 would be a nice alternative, only 1U and will work off
the external SCSI port on your Netra T1.

Paul.

--
Paul D. Ouderkirk
Senior UNIX System Administrator
JadedPixel Technologies
[EMAIL PROTECTED]
--
laughing,
in the mechanism
-- William Gibson



Re: Bottleneck in httpd. I need help to address capacity issues on max parallel and rate connections

2007-05-09 Thread Douglas Allan Tutty
On Wed, May 09, 2007 at 01:30:41AM -0400, Daniel Ouellet wrote:
> No swapping is happening, even with 1000 httpd running.
> 
> load averages: 123.63, 39.74, 63.3285  01:26:47
> 1064 processes:1063 idle, 1 on processor
> CPU states:  0.8% user,  0.0% nice,  3.1% system,  0.8% interrupt, 95.4% 
> idle
> Memory: Real: 648M/1293M act/tot  Free: 711M  Swap: 0K/4096M used/tot
> 

How does this server do with 1000 non-httpd processes running?  Perhaps
I need a newer Nemeth et al, but in my 3rd edition, pg 759 middle of the
page says "Modern systems do not deal well with load averages over
about 6.0".

Could your bottleneck be in context-switching between so many processes?
With so many, the memory cache will be faulting during the context
switching and have to be retrieved from main memory.  I don't think that
such slow-downs appear in top, and I don't know about vmstat.  I don't
know if there's a tool to measure this on i386.

I've never run httpd but it looks to me like a massively parallelized
problem where each connection is trivial to serve (hence low CPU usage,
no disk-io waiting) but there are just so many of them.  

How does the server do with other connection services, e.g. pop or ftp?

Doug.



Re: Softupdates question

2007-05-09 Thread Peter Fraser
I had always assumed the use of softupdates was safe as long
as you could have reasonable assurances that the machine would
not be shutdown without warning. (i.e. no loss of power or reset
being hit).

So if you had a UPS, good hardware, and no vandals it's good to use.



Re: Wireless NIC questions

2007-05-09 Thread Michael
Hello Bret,

Bret schrieb:
> I was wondering if anyone here had any experience setting up a wireless
> access point. I am running OpenBSD 4.0 with Z-COM WLAN PC Card but can
> not bring up the card in access point mode.
I recently set up an access point using OpenBSD 4.0 and now upgraded it
to 4.1. The ath card (CM9) I had just works in 11b mode as hostap with
OpenBSD though but the other ral card I got works great with 11g.

I would really suggest getting a Ralink card, they just work. You might
want to check out kd85.com if you are from Europe. ral_abg is the one I got.


Michael



Binary upgrade of mozilla-thunderbird fails on OpenBSD 4.1

2007-05-09 Thread jeraklo
Suspected line reads:
"Checking for collisions with
.libs-mozilla-thunderbird-1.5.0.10... some found"

Could anyone explain what to do next ?

Thanks!
# pkg_add -uivvv mozilla-thunderbird
Candidates for updating mozilla-thunderbird-1.5.0.9p1 -> 
mozilla-thunderbird-1.5.0.9p1 mozilla-thunderbird-1.5.0.10
Ambiguous: choose package for mozilla-thunderbird-1.5.0.9p1
 0: 
 1: mozilla-thunderbird-1.5.0.10
 2: mozilla-thunderbird-1.5.0.9p1
Your choice: 1
No need to update jpeg-6bp3
No need to update hicolor-icon-theme-0.9
No need to update glib2-2.10.3p0
No need to update png-1.2.14p0
No need to update cairo-1.2.6p0
No need to update expat-2.0.0
No need to update gettext-0.14.6
No need to update nspr-4.6.5p0
No need to update tiff-3.8.2p0
No need to update libiconv-1.9.2p3
No need to update libaudiofile-0.2.6p0
No need to update esound-0.2.34p0
No need to update glitz-0.5.6
No need to update atk-1.10.3p2
No need to update gtk+2-2.8.20p4
No need to update pango-1.12.3p0
Running the equivalent of pkg_add -r mozilla-thunderbird-1.5.0.10
parsing mozilla-thunderbird-1.5.0.10
New package mozilla-thunderbird-1.5.0.10 contains potentially unsafe operations
@exec rm -rf /tmp/.mozilla
@exec cd /usr/local/mozilla-thunderbird && env HOME=/tmp 
LD_LIBRARY_PATH=/usr/local/mozilla-thunderbird ./regxpcom
@exec rm -rf /tmp/.mozilla
proceed with update anyways? [y/N/a] y
Checking for collisions with .libs-mozilla-thunderbird-1.5p2... none found
Checking for collisions with .libs-mozilla-thunderbird-1.5.0.8... none found
Checking for collisions with .libs-mozilla-thunderbird-1.5.0.10... some found
Checking for collisions with .libs-mozilla-thunderbird-1.5.0.7... none found
Checking for collisions with .libs-mozilla-thunderbird-1.5.0.2... none found
Can't update to mozilla-thunderbird-1.5.0.10 because of collision with old libs
/usr/sbin/pkg_add: mozilla-thunderbird-1.5.0.10:Fatal error



Create your watch in your own colours

2007-05-09 Thread Sylviane Lebert
Offer reserved exclusively for businesses.

In accordance with the Loi Informatique et Libertés published in the Journal Officiel
of 6 January 1978, you have a right of access, rectification and objection
regarding personal data concerning you. To stop receiving information
from us, click here



Re: OT: GUI programming languages

2007-05-09 Thread james
Jacob Yocom-Piatt  fixedpointgroup.com> writes:
> have been coding touchscreen-driven applications using visual basic 
> lately and am sick of VB. i would much rather be using openbsd with 
> another programming language that allows me to accomplish the same sort 
> of stuff.

glade (from ports), perl (in base) plus the perl Gtk bindings (from ports).  The
GTK bindings now include support for Glade Designer files.  Glade  should be
easy enough to work with as a (former) VB programmer.  Add the EPIC plugin for
Eclipse (also in ports) to help with the actual coding and you're set.

If you really need compiled language support, C/C++ (with the Gtk+ port) can be
used to write Glade based apps instead.



Re: Softupdates question

2007-05-09 Thread Henning Brauer
* mickey <[EMAIL PROTECTED]> [2007-05-09 15:15]:
> On Wed, May 09, 2007 at 06:46:19AM -0400, Nick Holland wrote:
> > mickey wrote:
> > > On Tue, May 08, 2007 at 07:06:06AM -0400, Nick Holland wrote:
> > >> George C wrote:
> > ...
> > >> > Is it always best to mount /, /tmp, /usr, /var, /home with softdep?
> > >> > Under what circumstances would it not be appropriate?
> > >> 
> > >> If your app makes assumptions about write ordering, softdeps can negate
> > >> the care the app author took.  For example, some mail programs don't ack
> > >> the receipt of a message until it has been safely written to disk, the
> > >> idea being that if the power goes out or the machine crashes, if the
> > >> message has been acknowledged, IT HAS BEEN RECEIVED and will be there
> > >> when the machine comes back up.  Softdeps promises that what is on your
> > >> disk is coherent, but "coherent" usually means the last few files written
> > >> to disk may be just removed when the system comes back up.  Not desired
> > >> in this case.
> > > 
> > > this is not true. fsync() works as specified.
> > 
> > Apparently, not all apps use fsync, or don't use it properly.
> 
> oh so now you are saying that softdeps are broken because
> applications are not calling fsync() ?

Nick never said softdeps were broken.
he said that using them with certain applications is not a good idea - 
that is different. 
The application is to blame tho.

> > At least qmail advises against the use of softdeps:
> >   http://cr.yp.to/qmail/faq/reliability.html#filesystems
> > I also found a reference to another mail program which had people
> > making similar advisories, but not sure if they are still applicable.
> 
> your whole above statement is wrong and is not based on facts.
> now you are trying to back it up w/ somebody else's opinion
> that is also not based on facts.
> 
> now it is also in the archives and people will
> refer to it as some sort of truth. the damage has been done.

the "softdeps are incompatible with qmail" "truth" is as old as 
softdeps, the damage is long done.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
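The point the thread turns on is what "using fsync() properly" means for a daemon that acknowledges a message only once it is safely on disk: with soft updates, file data and the directory entry naming it reach stable storage at different times, so both must be forced out before the ack. The block below is an added illustration of that pattern, not code from any poster, from qmail or from OpenBSD; the spool path and sample message are constructed.

```c
/* Added example (not from the thread, qmail or OpenBSD): the "fsync()
 * used properly" pattern behind the softdep argument. Soft updates keep
 * metadata coherent but write it lazily, so a daemon may only acknowledge
 * a message after the data AND the directory entry naming it are on
 * stable storage. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* write(2) the whole buffer, retrying on short writes and EINTR. */
static int write_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/* fsync(2) the directory containing path: rename() only touches directory
 * metadata, which soft updates flush lazily, so without this the file's
 * blocks can be on disk while the name pointing at them is not. */
static int fsync_parent_dir(const char *path)
{
    char dir[4096];
    const char *slash = strrchr(path, '/');
    size_t n = slash ? (size_t)(slash - path) : 0;

    if (n == 0)
        snprintf(dir, sizeof dir, "%s", slash ? "/" : ".");
    else if (n < sizeof dir) {
        memcpy(dir, path, n);
        dir[n] = '\0';
    } else
        return -1;

    int fd = open(dir, O_RDONLY);
    if (fd < 0)
        return -1;
    int rc = fsync(fd);
    close(fd);
    return rc;
}

/* Durably store len bytes at path. Returns 0 only once both the data and
 * the directory entry are on stable storage, -1 (errno set) otherwise. */
int durable_write(const char *path, const void *buf, size_t len)
{
    char tmp[4096];
    int fd;

    /* Temporary name beside the final one, so rename() stays atomic. */
    if (snprintf(tmp, sizeof tmp, "%s.tmp.%ld", path, (long)getpid())
        >= (int)sizeof tmp)
        return -1;
    fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    if (write_all(fd, buf, len) < 0 || fsync(fd) < 0) {
        close(fd);
        unlink(tmp);
        return -1;
    }
    /* Publish atomically: readers see either no file or the whole file. */
    if (close(fd) < 0 || rename(tmp, path) < 0) {
        unlink(tmp);
        return -1;
    }
    return fsync_parent_dir(path);
}

int main(void)
{
    /* Constructed sample: a minimal message stored under a spool-like path. */
    const char *spool = "/tmp/durable_example.msg";
    const char msg[] = "Received: from host.example\r\nSubject: test\r\n\r\nbody\r\n";

    if (durable_write(spool, msg, sizeof msg - 1) == 0)
        printf("250 OK, stored %s\n", spool);      /* acknowledge only now */
    else
        printf("451 not stored: %s\n", strerror(errno));
    return 0;
}
```

A daemon that skips the directory fsync, or that only calls close(), is the "not using it properly" case the thread describes: the data may be on disk while the name is not, and the file is gone after a crash.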



Re: Wireless NIC questions

2007-05-09 Thread Peter N. M. Hansteen
Bret <[EMAIL PROTECTED]> writes:

> I was wondering if anyone here had any experience setting up a
> wireless access point. I am running OpenBSD 4.0 with Z-COM WLAN PC
> Card but can not bring up the card in access point mode.

Unfortunately not all wireless cards support Host AP mode (that's what
you want to look for in the man page).  I've had good experience with
ath, ral and rum cards myself.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: creating menu's

2007-05-09 Thread james
Bryan Irvine  gmail.com> writes:

> It's been years (just shy of a decade IIRC) since the last time I
> needed to create a menu-shell type of thing.  But now I need to.  I'm
> wondering what people are using these days.  Is there something neat
> in ports I should be trying out?

/usr/ports/misc/mshell



Re: Softupdates question

2007-05-09 Thread mickey
On Wed, May 09, 2007 at 06:46:19AM -0400, Nick Holland wrote:
> mickey wrote:
> > On Tue, May 08, 2007 at 07:06:06AM -0400, Nick Holland wrote:
> >> George C wrote:
> ...
> >> > Is it always best to mount /, /tmp, /usr, /var, /home with softdep?
> >> > Under what circumstances would it not be appropriate?
> >> 
> >> If your app makes assumptions about write ordering, softdeps can negate
> >> the care the app author took.  For example, some mail programs don't ack
> >> the receipt of a message until it has been safely written to disk, the
> >> idea being that if the power goes out or the machine crashes, if the
> >> message has been acknowledged, IT HAS BEEN RECEIVED and will be there
> >> when the machine comes back up.  Softdeps promises that what is on your
> >> disk is coherent, but "coherent" usually means the last few files written
> >> to disk may be just removed when the system comes back up.  Not desired
> >> in this case.
> > 
> > this is not true. fsync() works as specified.
> 
> Apparently, not all apps use fsync, or don't use it properly.

oh so now you are saying that softdeps are broken because
applications are not calling fsync() ?

> At least qmail advises against the use of softdeps:
>   http://cr.yp.to/qmail/faq/reliability.html#filesystems
> I also found a reference to another mail program which had people
> making similar advisories, but not sure if they are still applicable.

your whole above statement is wrong and is not based on facts.
now you are trying to back it up w/ somebody else's opinion
that is also not based on facts.

now it is also in the archives and people will
refer to it as some sort of truth. the damage has been done.
cu

-- 
paranoic mickey   (my employers have changed but, the name has remained)



Performance: OpenVPN vs IPsec

2007-05-09 Thread Michael
Hello,

I've got two "networks" connected with OpenVPN right now, the setup is
like this.

{Network_A}-{OpenVPN_Server}--{Network_B}

NetworkA is a real network where the router (with dynamic IP) is
connected directly to a dedicated OpenVPN server with a static IP.

"NetworkB" is just a single host within another network which is
connected to the OpenVPN server to be able to directly access NetworkA
over the central OpenVPN server.

Now, as I understand it, it isn't possible to create an IPsec connection
from a single host within a NATed network to an external server but
OpenVPN works great here. Please correct me if I am wrong. (I have no
access to the NAT router here.)

Even though the NetworkA router just got a dynamic IP it would still be
possible to set up the VPN with IPsec. At the moment I use OpenVPN here
but I consider the pros/cons about switching to IPsec at the moment. One
important part would be the overall performance.

The NetworkA router is a Soekris net4801 with vpn1411. Both NetworkA
router, the host in NetworkB and the central server run OpenBSD 4.x-stable.

I now did some speed testing. Both OpenVPN and IPsec use keys of the
same size.

When using the OpenVPN connection I can download a file from the central
server using scp with approx 200kB/s to the Soekris memory file system,
getting around or more than 1000 interrupts on the vpn1411 card when
examining it with "systat vmstat".

When using the IPsec connection I can download the same file at around
the same speed but am only getting around 300 interrupts so it seems to
me the overall performance should be better because the system is
stressed a lot less.

When downloading the file directly to the Soekris mfs without any VPN I
get something like >=400kB/s.

I have no clue about the VPN traffic overhead differences between
OpenVPN and IPsec but I would guess that IPsec would be faster/less
resource consuming/more performant since it is a protocol extension
and is not running in userspace.

Anyone got more experience on this or got an explanation why there is no
visible gain (i.e. transfer speed), except the lesser system and memory
usage which is already nice enough, when using IPsec?


Michael



Wireless NIC questions

2007-05-09 Thread Bret

Greetings

I was wondering if anyone here had any experience setting up a wireless 
access point. I am running OpenBSD 4.0 with Z-COM WLAN PC Card but can 
not bring up the card in access point mode.


Bret



Re: postfix-2.2.8 with sasl2 and ldap support

2007-05-09 Thread Antonis Faragitakis

thank you Pedro

hope it'll work :)

atn

On 09/05/07, Pedro de Oliveira <[EMAIL PROTECTED]> wrote:

1. cd /usr/ports/mail/postfix/snapshot
2. export FLAVOR="sasl2 ldap"
3. make install clean
4. ?
5. PROFIT

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of
Antonis Faragitakis
Sent: Wednesday, 9 May 2007 12:20
To: misc@openbsd.org
Subject: postfix-2.2.8 with sasl2 and ldap support

Hi,


How can I install postfix-2.2.8 with ldap and sasl2 support? I've
searched the web but couldn't find any useful information. Can you
please guide me?



thanks
atno




Re: Bottleneck in httpd. I need help to address capacity issues on max parallel and rate connections

2007-05-09 Thread Daniel Ouellet

Srebrenko Sehic wrote:

On 5/9/07, Daniel Ouellet <[EMAIL PROTECTED]> wrote:


I increase the number of contiguous connection only by 5, from 305 to
310, and you get 3 times slower response for always the same thing and
repeated all the time. Very consistent and from different clients as 
well.


You can do any variation of 10 to 300 connections and you will always
get the same results, or very close to it. See that at the end as well
for proof.

So, I know I am hitting a hard limit someplace, but can't find where.


You've assumed that Apache is the bottleneck, but perhaps your
benchmark tool could be limited in some way. I suggest you try with
apache benchmark or some other tool just to verify the results.

Apache (especially in the prefork model) is known to have concurrency
issues. I doubt that there are knobs you can twist OpenBSD-wise that
will compensate for Apache and somehow magically make it scale.


Actually I have found a few things that fix it tonight.

I spent the last 24 hours reading like crazy and all night testing and 
reading more.


I can now have two clients using 1000 parallel connections to one i386 
850MHz server, my old one that I was testing with and I get all that no 
problem now. No delay and I can even push it more, but I figure at 2000 
parallel connections I should be able to get some breathing time now.


I will send the results soon.

All only in sysctl.conf

Now, I am still having some drops, not much, but some when I put pf into 
action. So, that would be the next step I guess, but not now. I need 
some sleep.


Thanks

Daniel



Re: Bottleneck in httpd. I need help to address capacity issues on max parallel and rate connections

2007-05-09 Thread Srebrenko Sehic

On 5/9/07, Daniel Ouellet <[EMAIL PROTECTED]> wrote:


I increase the number of contiguous connection only by 5, from 305 to
310, and you get 3 times slower response for always the same thing and
repeated all the time. Very consistent and from different clients as well.

You can do any variation of 10 to 300 connections and you will always
get the same results, or very close to it. See that at the end as well
for proof.

So, I know I am hitting a hard limit someplace, but can't find where.


You've assumed that Apache is the bottleneck, but perhaps your
benchmark tool could be limited in some way. I suggest you try with
apache benchmark or some other tool just to verify the results.

Apache (especially in the prefork model) is known to have concurrency
issues. I doubt that there are knobs you can twist OpenBSD-wise that
will compensate for Apache and somehow magically make it scale.



Re: postfix-2.2.8 with sasl2 and ldap support

2007-05-09 Thread Pedro de Oliveira
1. cd /usr/ports/mail/postfix/snapshot
2. export FLAVOR="sasl2 ldap"
3. make install clean
4. ?
5. PROFIT

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of
Antonis Faragitakis
Sent: Wednesday, 9 May 2007 12:20
To: misc@openbsd.org
Subject: postfix-2.2.8 with sasl2 and ldap support

Hi,


How can I install postfix-2.2.8 with ldap and sasl2 support? I've
searched the web but couldn't find any useful information. Can you
please guide me?



thanks
atno



Re: Sun Netra and DAS

2007-05-09 Thread admin
Kevin wrote:
> Hello all,
>
> I'm about out of space on a Sun Netra T1 that has been happily running
> OpenBSD for some time. I'd rather keep this server in action and add
> space to it, but both internal drive slots are occupied, so that means
> the only choice (short of reloading on bigger disks, which for a
> variety of reasons I'd rather avoid) is adding external storage.
>
> It seems like the logical choice would be a Direct Attached Storage
> box like a D1000 plugged into the external SCSI port or a PCI RAID
> card. So:
>
> 1.) Is the D1000 supported in 4.1 when attached to a Netra T1 either
> via the external SCSI or via a RAID card?
> (http://www.openbsd.org/sparc64.html#hardware doesn't mention it
> either way)
>
> 2.) Given the various supported RAID cards, is a more generic RAID
> enclosure attached to a 3rd party RAID card a better way to go?
>
> 3.) Are there better alternatives that I'm just overlooking?
>
> As always, many thanks.
> Kevin
>
>
>
>
Kevin,
 I am not sure about the OpenBSD support but, you cannot use the onboard
SCSI port to connect to a D1000. You need an HVD/Differential SCSI card.
These are easy to find, but needed.

James



postfix-2.2.8 with sasl2 and ldap support

2007-05-09 Thread Antonis Faragitakis

Hi,


How can I install postfix-2.2.8 with ldap and sasl2 support? I've
searched the web but couldn't find any useful information. Can you
please guide me?



thanks
atno



Re: Softupdates question

2007-05-09 Thread Nick Holland
mickey wrote:
> On Tue, May 08, 2007 at 07:06:06AM -0400, Nick Holland wrote:
>> George C wrote:
...
>> > Is it always best to mount /, /tmp, /usr, /var, /home with softdep?
>> > Under what curcumstances would it not be appropriate?
>> 
>> If your app makes assumptions about write ordering, softdeps can negate
>> the care the app author took.  For example, some mail programs don't ack
>> the receipt of a message until it has been safely written to disk, the
>> idea being that if the power goes out or the machine crashes, if the
>> message has been acknowledged, IT HAS BEEN RECEIVED and will be there
>> when the machine comes back up.  Softdeps promises that what is on your
>> disk is coherent, but "coherent" usually means the last few files written
>> to disk may be just removed when the system comes back up.  Not desired
>> in this case.
> 
> this is not true. fsync() works as specified.

Apparently, not all apps use fsync, or don't use it properly.
At least qmail advises against the use of softdeps:
  http://cr.yp.to/qmail/faq/reliability.html#filesystems
I also found a reference to another mail program which had people
making similar advisories, but not sure if they are still applicable.

>> Softdeps don't do anything for you if you are mostly reading from disk,
>> or if the partition is mounted read-only.  It's about writing.
> 
> of course they do. there are still atime updates
> for example that will be handled if not mount read-only.

yeah, no idea why I phrased it in such absolute terms.  duh.

>> Softdeps is much more complex than conventional disk access.  While I
>> have not personally seen a softdep-related bug in some time, and that
>> one was quickly fixed, you HAVE to assume it is more likely to have
>> bugs than the non-softdep systems.
> 
> this is also not exactly true -- there are softdep bugs fixed
> at the rate of ten per year if not more. most of them are
> bugs that been there forever.

I (apparently) phrased this poorly, having seen at least two unintended
interpretations...

I have only *experienced* one softdep bug in many years of using it on
virtually all partitions of virtually all systems I have installed.
After providing the PS and TRACE, I think Pedro had me a patch within
an hour. :)

Yes, certainly, bugs have been spotted, and there are most likely
other bugs that remain.  Some people have apps which expose bugs
better than mine...


If it was not obvious from my comments, I love softdeps.  I have a
siteXX.tgz file which does a few simple things, one of which is to
change all mount points to use softdeps.  One really does have to
hunt a bit for relevant reasons not to use it.  About the only
place I can think of where I deliberately don't use it is on an
e-mail archive system on the filled partitions which are mounted
read-only.

I can't tell you how many times I have forgotten to install my siteXX
file, started loading up /usr/src, and realized, "Dang, obviously
no softdeps".  At which point, I stop the checkout, fix the
problem, reboot, and try again.  Yes, the performance difference
is that obvious, and it is faster to reboot than it is to wait it
out.

Nick.
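The write-ordering point in Nick's reply (a mail program must not acknowledge a message until it is really on disk, and softdep only guarantees that what survives a crash is consistent, not that the last writes survive) comes down to one pattern: write to a temporary file, fsync() it, rename() it into place, then fsync() the directory. The following is an added example of that pattern in C; it is not code from Nick's post or from any mail program, and the temp directory and message contents it uses are constructed for the demo.

```c
/* Added example (not from the original post): durable file creation the
 * way a mail store has to do it, independent of whether the filesystem is
 * mounted with softdep. Paths and message contents are constructed. */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Write buf to dir/name durably:
 *  1. write to a temporary file in the same directory,
 *  2. fsync() the file so its data and inode reach stable storage,
 *  3. rename() it into place (atomic: readers see old or new, never partial),
 *  4. fsync() the directory so the rename itself is on disk.
 * Only after step 4 is it safe to acknowledge the message to the sender.
 * Returns 0 on success, -1 on error (errno set by the failing call). */
int durable_write(const char *dir, const char *name, const void *buf, size_t len)
{
    char tmp[PATH_MAX], final[PATH_MAX];
    const char *p = buf;
    size_t off = 0;
    int fd, dfd;

    if (snprintf(tmp, sizeof tmp, "%s/.%s.tmp", dir, name) >= (int)sizeof tmp ||
        snprintf(final, sizeof final, "%s/%s", dir, name) >= (int)sizeof final)
        return -1;

    fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd == -1)
        return -1;
    while (off < len) {                         /* write() may be short */
        ssize_t n = write(fd, p + off, len - off);
        if (n == -1) { close(fd); unlink(tmp); return -1; }
        off += (size_t)n;
    }
    if (fsync(fd) == -1 || close(fd) == -1) { unlink(tmp); return -1; }

    if (rename(tmp, final) == -1) { unlink(tmp); return -1; }

    /* The rename is recorded in the directory's own data; sync that too. */
    dfd = open(dir, O_RDONLY);
    if (dfd == -1)
        return -1;
    if (fsync(dfd) == -1) { close(dfd); return -1; }
    return close(dfd);
}

/* Self-check: make a temp dir, store a message, read it back, clean up.
 * Returns 1 when the bytes read back match what was written, else 0. */
int durable_write_selftest(void)
{
    char dir[] = "/tmp/softdep-demo.XXXXXX";     /* constructed location */
    char path[PATH_MAX], back[64];
    const char msg[] = "From: demo\n\nconstructed test message\n";
    FILE *f;
    size_t n;
    int ok = 0;

    if (mkdtemp(dir) == NULL)
        return 0;
    if (durable_write(dir, "msg1", msg, sizeof msg - 1) == 0) {
        snprintf(path, sizeof path, "%s/msg1", dir);
        if ((f = fopen(path, "r")) != NULL) {
            n = fread(back, 1, sizeof back, f);
            fclose(f);
            ok = (n == sizeof msg - 1 && memcmp(back, msg, n) == 0);
        }
        unlink(path);
    }
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("durable write self-test: %s\n",
           durable_write_selftest() ? "ok" : "FAILED");
    return 0;
}
```

The directory fsync in step 4 is the part most often left out; without it the file's contents can be on disk while the directory entry that names it is not, which is exactly the "last few files written may be just removed" outcome described above.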



Re: VNC server on OpenBSD (error allocating memory)

2007-05-09 Thread Stuart Henderson
On 2007/05/08 16:17, Daniel Bolgheroni wrote:
> Applied the patch succesfully against 4.1 net/tightvnc, but
> getting the following error:

Sorry, I missed -P when I generated the diff. It's fixed now.

> >> http://spacehopper.org/openbsd/tightvnc-1.3.8-update.txt

I suggest any more discussion on this is moved to ports@



Re: [OT] language tricks (was: creating menu's)

2007-05-09 Thread Joachim Schipper
On Tue, May 08, 2007 at 09:34:35PM -0400, Douglas Allan Tutty wrote:
> On Tue, May 08, 2007 at 01:22:10PM -0700, Bryan Irvine wrote:
>  
> > I need a fairly simple menu, and have thought about just simple
> > selects but figured now would also be a good time to learn something
> > new as well.  It's nothing so complex that I need to go ncurses to do.
> > Just a basic  then  then 
> > thing.
> 
> My front-ends I do in python.  It doesn't have a case/select.  I just
> use if/then/elif/
> 
> Then there's Fortran with computed gotos; very slick.  I forget the
> syntax but is something like goto (10+choice)
>   11  ch1()
>   ...
>   12  ch2()
>   ...
>   13  ch3()
>   ...
> 
> It means that only one computation takes place instead of one comparison
> for each choice until one matches.

Just pointing out: if Python can do the job at all, you almost certainly
don't need that kind of micro-optimization in Fortran code. Also, this
is a menu. Efficiency is not exactly a big goal.

However, and this is where I go completely off-topic, while we're at it,
you don't need Fortran for this, most languages have equivalent
constructs (C):

switch (option) {
case 1:
    ...
    break;
case 2:
    ...
    break;
case 3:
    ...
    break;
default:
    /* error! */
    ...
}

or even

void proc_opt1(void);
void proc_opt2(void);
void proc_opt3(void);

void (*dispatch[])(void) = {
    proc_opt1,
    proc_opt2,
    proc_opt3
};

void
proc_opt1(void)
{
...
}

void
proc_opt2(void)
{
...
}

void
proc_opt3(void)
{
...
}

In languages with higher-order functions, this can be written even more
concisely (Scheme):

(define dispatch
  (vector
(lambda () ...)
(lambda () ...)
(lambda () ...)))

A suitable make-menu macro could even make something like

(define toplevel-menu
  (make-menu
("opt1" (lambda () ...))
("opt2" (lambda () ...))
("another menu" another-menu)))

(define another-menu
  (make-menu
("opt3" (lambda () ...))
("opt4" (lambda () ...))
("top" toplevel-menu)))

do what it looks like it should do.

However, all of this is massively overkill. Just use a shell script.

Joachim

-- 
TFMotD: mirroring-ports (7) - how to build a mirror for ports distfiles
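Both the Fortran computed goto and the C dispatch table in Joachim's reply index a jump target by the user's choice, and neither sketch shows the one check that matters: the index must be validated before it touches the table. The following is an added example, not code from the post, of a table-driven menu in C with that validation; the handler names and menu labels are hypothetical.

```c
/* Added example (not from the original post): a table-driven menu
 * dispatcher whose input parsing rejects anything that would index the
 * table out of bounds. Handler names and labels are hypothetical. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Each handler returns a status code the caller can act on. */
static int proc_opt1(void) { return 1; }
static int proc_opt2(void) { return 2; }
static int proc_opt3(void) { return 3; }

struct menu_entry {
    const char *label;
    int (*handler)(void);
};

static const struct menu_entry menu[] = {
    { "opt1", proc_opt1 },
    { "opt2", proc_opt2 },
    { "opt3", proc_opt3 },
};
#define MENU_LEN (sizeof(menu) / sizeof(menu[0]))

/* Parse a 1-based menu choice from one line of input.
 * Returns the 0-based table index, or -1 when the line is not a number,
 * carries trailing junk, overflows long, or is outside 1..nopts.
 * The range check is what keeps the table lookup in bounds. */
int parse_choice(const char *line, size_t nopts)
{
    char *end;
    long v;

    if (line == NULL || nopts == 0)
        return -1;
    errno = 0;
    v = strtol(line, &end, 10);
    if (end == line || errno == ERANGE)
        return -1;
    /* Only whitespace may follow the number (e.g. the newline from fgets). */
    for (; *end != '\0'; end++)
        if (!isspace((unsigned char)*end))
            return -1;
    if (v < 1 || (size_t)v > nopts)
        return -1;
    return (int)(v - 1);
}

/* Dispatch one line of user input through the table.
 * Returns the handler's status, or -1 for an invalid choice. */
int run_option(const char *line)
{
    int idx = parse_choice(line, MENU_LEN);
    if (idx < 0)
        return -1;
    return menu[idx].handler();
}

int main(void)
{
    char buf[64];
    size_t i;

    for (i = 0; i < MENU_LEN; i++)
        printf("%zu) %s\n", i + 1, menu[i].label);
    printf("choice: ");
    if (fgets(buf, sizeof buf, stdin) == NULL)
        return 1;
    if (run_option(buf) < 0) {
        fprintf(stderr, "invalid choice\n");
        return 1;
    }
    return 0;
}
```

The same check applies to the shell-script version Joachim recommends: a `case` statement with a `*)` default gets it for free, which is one more reason it is the right tool for a menu.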



Re: Softupdates question

2007-05-09 Thread Marco S Hyman
 > Still curious how they would work on, say, /var/mysql or /var/postgresql,
 > but I can play with this on my own.
 > Has anyone already tried?  Care to comment?

FWIW I run softdep on ALL partitions except / and /var and have for
many years.  I exclude /var because on a crash I want the best chance
items logged in /var/log/ to show up.

// marc



Re: Bottleneck in httpd. I need help to address capacity issues on max parallel and rate connections

2007-05-09 Thread Daniel Ouellet

Here are more tests with always repeated results.

I increase the number of contiguous connection only by 5, from 305 to 
310, and you get 3 times slower response for always the same thing and 
repeated all the time. Very consistent and from different clients as well.


You can do any variation of 10 to 300 connections and you will always 
get the same results, or very close to it. See that at the end as well 
for proof.


So, I know I am hitting a hard limit someplace, but can't find where.

Note that I use a difference of 5 here, but I can reproduce the results 
almost all the time just by increasing the number of connections by 1. 
From 307 to 308 I get 75% of the time the same results as below, 
meaning at times it's 6.7 seconds for the same transfer and other times 18.1 
seconds.


See below. Always the same transfer size, always the same amount of 
requests, always 100% success, but 3x slower.


Also, if I continue to increase it more, then I start to also get drop 
in replies, etc.


So far I have played with 26 different sysctl settings that may affect 
that, based on various possibilities and from the man page and Google, but 
I can improve it some, not to the point of being able to use 500 
connections or more for example.


What is it that really limits the number of connections that badly and 
that hard?


===
305 parallel

# http_load -parallel 305 -fetches 500 -timeout 30 /tmp/test
500 fetches, 305 max parallel, 6.549e+06 bytes, in 6.71609 seconds
13098 mean bytes/connection
74.4481 fetches/sec, 975121 bytes/sec
msecs/connect: 1813.57 mean, 6007.53 max, 0.418 min
msecs/first-response: 509.309 mean, 1685.92 max, 3.606 min
HTTP response codes:
  code 200 -- 500
# http_load -parallel 305 -fetches 500 -timeout 30 /tmp/test
500 fetches, 305 max parallel, 6.549e+06 bytes, in 6.8586 seconds
13098 mean bytes/connection
72.9012 fetches/sec, 954860 bytes/sec
msecs/connect: 1957.35 mean, 6007.17 max, 0.445 min
msecs/first-response: 485.676 mean, 1559.27 max, 3.317 min
HTTP response codes:
  code 200 -- 500
# http_load -parallel 305 -fetches 500 -timeout 30 /tmp/test
500 fetches, 305 max parallel, 6.549e+06 bytes, in 6.81823 seconds
13098 mean bytes/connection
73.3328 fetches/sec, 960513 bytes/sec
msecs/connect: 1825.19 mean, 6007.11 max, 0.484 min
msecs/first-response: 508.281 mean, 1646.53 max, 3.422 min
HTTP response codes:
  code 200 -- 500

=
310 parallel

# http_load -parallel 310 -fetches 500 -timeout 30 /tmp/test
500 fetches, 310 max parallel, 6.549e+06 bytes, in 18.0998 seconds
13098 mean bytes/connection
27.6245 fetches/sec, 361826 bytes/sec
msecs/connect: 2281.39 mean, 18008.3 max, 0.434 min
msecs/first-response: 456.326 mean, 1555.78 max, 3.328 min
HTTP response codes:
  code 200 -- 500
# http_load -parallel 310 -fetches 500 -timeout 30 /tmp/test
500 fetches, 310 max parallel, 6.549e+06 bytes, in 18.1142 seconds
13098 mean bytes/connection
27.6027 fetches/sec, 361540 bytes/sec
msecs/connect: 2245.47 mean, 18011.4 max, 0.565 min
msecs/first-response: 460.068 mean, 1495.42 max, 3.32 min
HTTP response codes:
  code 200 -- 500
# http_load -parallel 310 -fetches 500 -timeout 30 /tmp/test
500 fetches, 310 max parallel, 6.549e+06 bytes, in 18.1635 seconds
13098 mean bytes/connection
27.5278 fetches/sec, 360559 bytes/sec
msecs/connect: 2485.7 mean, 18011.9 max, 0.598 min
msecs/first-response: 455.163 mean, 1573.78 max, 3.471 min
HTTP response codes:
  code 200 -- 500
#

===
10 parallel
# http_load -parallel 10 -fetches 500 -timeout 30 /tmp/test
500 fetches, 10 max parallel, 6.549e+06 bytes, in 6.01266 seconds
13098 mean bytes/connection
83.1579 fetches/sec, 1.0892e+06 bytes/sec
msecs/connect: 24.6605 mean, 6002.47 max, 0.349 min
msecs/first-response: 28.6373 mean, 798.5 max, 3.23 min
HTTP response codes:
  code 200 -- 500

==
20 parallel
# http_load -parallel 20 -fetches 500 -timeout 30 /tmp/test
500 fetches, 20 max parallel, 6.549e+06 bytes, in 7.12896 seconds
13098 mean bytes/connection
70.1365 fetches/sec, 918648 bytes/sec
msecs/connect: 48.676 mean, 6003.58 max, 0.342 min
msecs/first-response: 58.1521 mean, 1249.71 max, 3.216 min
HTTP response codes:
  code 200 -- 500


===
50 parallel
# http_load -parallel 50 -fetches 500 -timeout 30 /tmp/test
500 fetches, 50 max parallel, 6.549e+06 bytes, in 8.00917 seconds
13098 mean bytes/connection
62.4285 fetches/sec, 817688 bytes/sec
msecs/connect: 84.686 mean, 6003.49 max, 0.418 min
msecs/first-response: 174.045 mean, 1950.98 max, 3.349 min
HTTP response codes:
  code 200 -- 500



100 parallel
# http_load -parallel 100 -fetches 500 -timeout 30 /tmp/test
500 fetches, 100 max parallel, 6.549e+06 bytes, in 7.90241 seconds
13098 mean bytes/connection
63.2718 fetches/sec, 828735 bytes/sec
msecs/connect: 72.8683 mean, 6003.78 max, 0.417 min
msecs/first-response: 379.736 mean, 1964.26 max, 3.366 min
HTTP response codes:
  code 200 -- 500



20
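The http_load runs above are easier to compare once the two lines that matter (the run summary and the connect-time line) are pulled out of each block. The following is an added example, not from Daniel's post, of a small C parser for that output that locates the parallelism at which elapsed time jumps; the sample blocks it parses are constructed from the numbers quoted above. One interpretation is mine, not the post's, and is marked as a heuristic in the code: a connect maximum sitting just above 6 s or 18 s is the shape of a SYN that was dropped and retransmitted after a timeout, which points at a full listen queue rather than at the server being slow to serve the request.

```c
/* Added example (not from the original post): parse http_load summary
 * lines and find the parallelism at which elapsed time jumps.
 * Sample blocks are constructed from the numbers quoted in the post. */
#include <stdio.h>
#include <string.h>

struct run {
    int parallel;          /* -parallel value http_load was run with */
    int fetches;           /* total requests in the run */
    double seconds;        /* wall time for the whole run */
    double connect_max_ms; /* slowest TCP connect in the run */
};

/* Parse the two http_load lines that matter for capacity analysis:
 *   "500 fetches, 305 max parallel, 6.549e+06 bytes, in 6.71609 seconds"
 *   "msecs/connect: 1813.57 mean, 6007.53 max, 0.418 min"
 * Other lines in the block are skipped. Returns 1 when both were found. */
int parse_http_load(const char *text, struct run *r)
{
    const char *line = text;
    int have_summary = 0, have_connect = 0;
    double bytes, mean, min;

    while (line != NULL && *line != '\0') {
        if (sscanf(line, "%d fetches, %d max parallel, %lf bytes, in %lf seconds",
                   &r->fetches, &r->parallel, &bytes, &r->seconds) == 4)
            have_summary = 1;
        else if (sscanf(line, "msecs/connect: %lf mean, %lf max, %lf min",
                        &mean, &r->connect_max_ms, &min) == 3)
            have_connect = 1;
        line = strchr(line, '\n');
        if (line != NULL)
            line++;
    }
    return have_summary && have_connect;
}

/* Index of the first run whose elapsed time exceeds `factor` times the
 * previous run's, or -1 when there is no such knee. Runs must be ordered
 * by increasing parallelism. */
int find_knee(const struct run *runs, int n, double factor)
{
    for (int i = 1; i < n; i++)
        if (runs[i].seconds > runs[i - 1].seconds * factor)
            return i;
    return -1;
}

/* Heuristic (my interpretation, not a fact from the post): a connect
 * maximum just above a multiple of 6 s looks like a SYN retransmitted
 * after a timeout, i.e. the SYN was dropped, typically because the listen
 * queue was full, rather than the server being slow once connected. */
int looks_like_syn_retransmit(double connect_max_ms)
{
    if (connect_max_ms < 6000.0)
        return 0;
    double rem = connect_max_ms - 6000.0 * (double)(long)(connect_max_ms / 6000.0);
    return rem < 100.0;
}

/* Constructed from the 10, 305 and 310 parallel runs quoted in the post. */
static const char *sample[] = {
    "# http_load -parallel 10 -fetches 500 -timeout 30 /tmp/test\n"
    "500 fetches, 10 max parallel, 6.549e+06 bytes, in 6.01266 seconds\n"
    "13098 mean bytes/connection\n"
    "83.1579 fetches/sec, 1.0892e+06 bytes/sec\n"
    "msecs/connect: 24.6605 mean, 6002.47 max, 0.349 min\n"
    "msecs/first-response: 28.6373 mean, 798.5 max, 3.23 min\n",
    "500 fetches, 305 max parallel, 6.549e+06 bytes, in 6.71609 seconds\n"
    "msecs/connect: 1813.57 mean, 6007.53 max, 0.418 min\n",
    "500 fetches, 310 max parallel, 6.549e+06 bytes, in 18.0998 seconds\n"
    "msecs/connect: 2281.39 mean, 18008.3 max, 0.434 min\n",
};
#define NSAMPLE (sizeof(sample) / sizeof(sample[0]))

/* Parse the samples and return the parallelism at the knee (elapsed time
 * more than doubled from the previous run), or -1 if there is none. */
int demo_knee(void)
{
    struct run runs[NSAMPLE];
    int n = 0, k;

    for (size_t i = 0; i < NSAMPLE; i++)
        if (parse_http_load(sample[i], &runs[n]))
            n++;
    k = find_knee(runs, n, 2.0);
    return k < 0 ? -1 : runs[k].parallel;
}

int main(void)
{
    struct run r;

    for (size_t i = 0; i < NSAMPLE; i++) {
        if (!parse_http_load(sample[i], &r))
            continue;
        printf("%4d parallel: %7.2f s, %6.1f fetches/s, connect max %8.1f ms%s\n",
               r.parallel, r.seconds, r.fetches / r.seconds, r.connect_max_ms,
               looks_like_syn_retransmit(r.connect_max_ms) ? " (retransmit-shaped)" : "");
    }
    printf("knee at %d parallel\n", demo_knee());
    return 0;
}
```

Note that even the 10-parallel run has a connect maximum of about 6 s, so a dropped SYN is happening well below the knee; the knee is where enough of them pile up to triple the wall time.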

Re: Thecus N2100 and RAID 1

2007-05-09 Thread Bryan Vyhmeister

On May 8, 2007, at 6:44 AM, Aaron Poffenberger wrote:

Raidframe is really easy to use.  The man pages for raidctl(8) will give
you step-by-step instructions.  In a nutshell, though:

1) enable raidframe in your kernel (search for RAIDframe in GENERIC to
find the line),
2) create the raidn.conf (where n is a number for the array) following
the man page -- see the examples section,
3) create the raid -- again, see the examples section in the man page,
4) copy the raidn.conf file to /etc if you want auto configuration
during reboots (this part didn't leap out at me from the manpage),
5) enjoy.


Thanks for the feedback. Once the N2100 arrives (which should be
tomorrow), I will try it.


Bryan