Re: RaiserFS via NFS

2004-04-19 Thread Jose Alberto Guzman
Marcel Hicking wrote:
--Sunday, April 18, 2004 10:14:22 +0200 Michelle Konzack
[EMAIL PROTECTED]:

Am I right in that nobody on the list knows whether or not any advantage
to running ReiserFS is swallowed by NFS?
ReiserFS is a really fast filesystem for very many small files


Well, from bad experience: Reiser seems to have exactly two states:
Working and dead.  As long as it's working it's very nice.
But once you experience problems there's nothing between those two.
We had several machines (fortunately no customer systems) just
dying with no trace of the source of the problem (RAID5-SCSI-
hardware without any faults).  They just suddenly died with
filesystem error.  With all machines we had no luck rebuilding
the filesystem.  Just out of curiosity I contacted several
Linux support companies (including SuSE as one of the major
supporters of Reiser and the very helpful guys at Bytec)
but none could help but most did second our experience with
Reiser.  But as usual, YMMV.
Cheers, Marcel


 Well, certainly my mileage did vary with reiserfs. The only failures 
that have occurred here, are due to faulty hardware, and they don't 
happen that often. The last one got a bit nasty, it required a 
reiserfsck --rebuild-tree, it recovered almost everything (including a 
fsckd up superblock), and I was most impressed with the results. The 
rebuild tree process for the 340 G array, took about 2.5 hours.

 One recommendation is to always use the latest reiserfs-tools from 
upstream in case of need, as the developers are constantly improving them.



 José



Re: debian on HP proliant

2004-04-16 Thread Jose Alberto Guzman
Nathan Eric Norman wrote:
On Fri, Jan 16, 2004 at 10:33:09AM -0500, Eric Sproul wrote:

On Fri, 2004-01-16 at 10:15, Francis Tyers wrote:

The onboard 'scsi' controller appears as a block device and not as a
scsi device under linux. 

01:03.0 RAID bus controller: Compaq Computer Corporation Smart Array
5i/532 (rev 01)
i think it is...

there is a driver in linux 2.4.x...
The driver is called cciss, and supports the built in SmartArray
controller as well as the higher-end optional RAID controllers like the
641/642.
Look in /proc/driver/cciss/ccissX (where X is the controller number,
usually '0' for the built-in) for some basic info.
Devices attached to these controllers appear as /dev/cciss/cXdXpX

c=controller #
d=logical drive #
p=partition #
Thus the first partition on the first logical drive on the built-in
controller is /dev/cciss/c0d0p1.


Is anyone aware of a debian-installer image which supports cciss built
in?  The existing d-i supports cciss just fine, but as a module.
 The installer from woody has built-in support for the cciss controller 
on at least the Proliant DL 580 G2.

 It works smoothly, but lacks support for the default installed 3com 
gig-ethernet adapter (tg3 driver), once installed, I usually either copy 
a recent kernel source and compile whatever I need, or install an 
eepro100 (or other supported) card to finish.

 The trick is to install with the bf24 kernel:  version 2.4.18.

 Check the help at the Woody CD install boot prompt.

José

PS.
please reply to the list




Re: Fixed (hardisk) device names?

2004-03-31 Thread Jose Alberto Guzman
Craig Sanders wrote:
On Wed, Mar 31, 2004 at 07:54:19AM +0200, Arnd Vehling wrote:

does anyone know how to fix the device name on a debian linux
system? For example. If i have two IDE harddisks, the devices will
be named like this.
/dev/hda
/dev/hdb
If i now must remove the first harddisk (/dev/hda) the second (/dev/hdb)
will be renamed to (/dev/hda) after the reboot. As i want /dev/hdb to be
a mirror of /dev/hda and used as failover disk _without_ opening the
case and tampering with the IDE bus setup, i want linux to keep the name
/dev/hdb for the drive no matter what happens.


huh?

that's EXACTLY what linux does for IDE drives.  the slave drive on the primary
IDE controller will *always* be /dev/hdb, regardless of whether there is a
master drive or not.
/dev/hda  - master drive on primary IDE controller
/dev/hdb  - slave drive on primary IDE controller
/dev/hdc  - master drive on secondary IDE controller
/dev/hdd  - slave drive on secondary IDE controller

Is this possible?


it's standard.


Another question. How can i copy two identical discs _including_ the boot
block? dd if=/dev/hda of=/dev/hdb doesn't do it 


don't use dd for that.  set up a raid-1 mirror instead.  it's easy to do, only
about 5 minutes work.
also, for performance and safety, put your second drive on a separate IDE
controller.  that way it will still work even if one IDE controller fails.
e.g. have /dev/hda (primary IDE master) and /dev/hdc (secondary IDE master)
rather than /dev/hda  /dev/hdb.

and there are no raw devices on linux AFAIK.


/dev/hd? ARE the raw devices.   

craig

 In the bsdish slang, raw devices are character devices, so /dev/hd? 
are not exactly raw devices, but block devices.

 There's support for accessing harddisks as character devices, see:
http://www.linuxdocs.org/HOWTOs/SCSI-2.4-HOWTO/rawdev.html


 José






Re: Strabge LDAP problem

2004-03-24 Thread Jose Alberto Guzman
 There's an explanation of this issue and some suggested workarounds on 
the (upstream) ldap-pam list, basically as finger knows nothing about 
ldap, it's better to substitute the 'finger' command with some 
perl/python/shell script that does the same but queries the ldap server 
directly.

http://www.netsys.com/pamldap/2001/09/msg3.html

 I remember reading about a 'proper' solution to this issue, but can't 
find the thread on the list, anyway we've been using our own finger 
substitute for quite a long time with no problems.

PS.
 Please reply to the list
Michael Loftis wrote:
augh disregard my last...sounds like you got that done.  long day over 
here already.

can you turn up debugging on your slapd?  loglevel 256 or loglevel 512 
are VERY helpful, they log what searches are run--one or both does i 
can't remember...this way you can find out what's up.

--On Tuesday, March 23, 2004 23:06 -0500 Stephen Gran [EMAIL PROTECTED] 
wrote:

Hello all,

I am having the strangest LDAP issue.  We recently migrated a network
from a hodgepodge of system accounts to an all LDAP setup, with the
exception of a few administrative accounts.  All seems to be working
well, except for one thing - finger.  id returns the expected values,
users can log in, mail gets accepted and delivered, everything I can
think of to check works fine, except finger.
Even stranger:
finger -m $user returns expected results, although finger $user returns
'no such user'.  Aha! I said - an indexing problem , or perhaps nscd.
Responses coming back too slow for finger.  Messed about with different
indexing schemes (they are currently this:
index gecos,cn,uid pres,eq,sub
index homeDirectory,objectClass,loginshell,gidnumber,uidnumber pres,eq
for an ldif of:

dn: uid=$user,ou=People,dc=ccil,dc=org
objectClass: top
objectClass: ccilAccount
objectClass: posixAccount
objectClass: ccilAddress
objectClass: ccilWorkAddress
objectClass: ccilPerson
cn: Some Guy
uid: $user
uidNumber: 11709
gidNumber: 100
homeDirectory: /home/u/$user
l: Smalltown
st: PA
postalCode: 12345
userPassword:: secret
loginShell: /bin/bash
gecos: Some Guy
pppAccess: TRUE
emailAccess: TRUE
registered: Oct 30 22:23:16 2001
street: 1224 Main St.
bday: 01-02-03
telephoneNumber: 215-555-1212
education: College Graduate
gender: Blank
(names changed to protect the innocent))

Changing indexing options, running slapindex over and over, no help.

By accident, I reran finger in my root session that was kept open as an
I hope I don't hose something backup plan, and it worked.  Now I start
to think ACL's, nscd permissions, etc, but I see nothing out of the
ordinary.  We're using a pretty close to stock Debian config for all of
this, with some minor tuning for indexing options and cache size, but
that's about it.  The ACL's are the stock ones, so I really don't know
what's falling over here.  Anybody have any ideas what to debug next?
TIA,
--
 -
|   ,''`. Stephen Gran |
|  : :' : [EMAIL PROTECTED] |
|  `. `'Debian user, admin, and developer |
|`-http://www.debian.org |
 -




--
Michael Loftis
Modwest Sr. Systems Administrator
Powerful, Affordable Web Hosting
GPG/PGP -- 0xE736BD7E 5144 6A2D 977A 6651 DFBE 1462 E351 88B9 E736 BD7E
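
The kind of finger substitute suggested in the reply above, sketched as an added example (not code from this thread or from the pam_ldap list): it calls `ldapsearch` with an escaped filter and formats the LDIF it gets back. The server URI is a placeholder; the base DN and attribute names are the ones in the LDIF quoted in the thread, and the sample LDIF is constructed.

```python
"""finger-like lookup that reads account data straight from LDAP (added example)."""
import base64
import subprocess

LDAP_URI = "ldap://ldap.example.org"      # placeholder, not from the thread
BASE_DN = "ou=People,dc=ccil,dc=org"      # base DN from the quoted LDIF
ATTRS = ["uid", "cn", "gecos", "homeDirectory", "loginShell"]


def escape_filter_value(value):
    """Escape user input for an LDAP search filter (RFC 4515 special characters)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter(name, match_names=True):
    """Login-only match (like `finger -m`), or login plus real-name substring match."""
    safe = escape_filter_value(name)
    if not match_names:
        return "(&(objectClass=posixAccount)(uid=%s))" % safe
    return ("(&(objectClass=posixAccount)"
            "(|(uid=%s)(cn=*%s*)(gecos=*%s*)))" % (safe, safe, safe))


def parse_ldif(text):
    """Parse `ldapsearch -LLL` output into a list of {attribute: [values]} dicts."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:     # folded line: continue the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if not line.strip():                  # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):              # "attr:: value" is base64-encoded
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def format_finger(entry):
    """Render one entry roughly the way finger prints a local account."""
    def first(attr):
        return entry.get(attr, ["?"])[0]
    name = (entry.get("gecos") or entry.get("cn") or ["?"])[0].split(",")[0]
    return ("Login: %s\tName: %s\nDirectory: %s\tShell: %s"
            % (first("uid"), name, first("homeDirectory"), first("loginShell")))


def lookup(name, match_names=True):
    """Query the directory anonymously; arguments are passed as a list, no shell."""
    cmd = ["ldapsearch", "-x", "-LLL", "-H", LDAP_URI, "-b", BASE_DN,
           build_filter(name, match_names)] + ATTRS
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return parse_ldif(out)


# Constructed sample of what ldapsearch -LLL would return for two accounts.
SAMPLE_LDIF = """\
dn: uid=someguy,ou=People,dc=ccil,dc=org
uid: someguy
cn: Some Guy
gecos: Some Guy
homeDirectory: /home/u/someguy
loginShell: /bin/bash

dn: uid=other,ou=People,dc=ccil,dc=org
uid: other
cn:: U29tZSBHdXkgSnIu
homeDirectory: /home/u/other
loginShell: /bin/sh
"""

if __name__ == "__main__":
    for account in parse_ldif(SAMPLE_LDIF):
        print(format_finger(account))
        print()
```

The filter escaping matters because the name comes from whoever runs the command; without it a `*` or `)` in the argument changes the search that is sent to the server.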







lire and it's messages

2004-03-23 Thread Jose Alberto Guzman


 Hi all,

 I installed lire in woody, and configured it to report with html plus 
charts on squid and various other daemons, so far I assume it's working 
normally, for I receive the daily reports in my mailbox.

 The problem is, lire sends the images 'inline' and not as mime 
attachments. I'd rather wish it could generate the reports as actual 
files on the filesystem instead of mailing them.

 I've done a quick search on the docs, but couldn't find a way to do this.

 Any hints?

José

PS
Please reply to the list.





Re: Best Authentikation and security against WarDriver

2004-03-17 Thread Jose Alberto Guzman
Michelle Konzack wrote:
Hello Colleagues, 

Now I have 17 Lucent ORINOCO COR/ROR and one Proxim MP.11a (54 MBit)
Now my question:
How can I block the network for all and do only allow to my Clients ?
I know Win98 has already 'pptp' but Win95 and Macintosh ?
In general, the Clients are using PCI/PCMCIA-Adaptors with ORINOCO 
GoldCards, because others are lacking in Performance for this.

There was someone which has suggested to install the pptpd...
How secure is it ?


 Setting up pptp or ipsec would definitely be the most elegant 
solution, but alas it'd also be the most nightmarish to set up with so 
many different operating systems.

 The other solution I can think is authenticating users with a 
login/password in a caged firewalled environment, and after positive 
auth (via a web page), open up their connection to the network.

 There's an article discussing this on linux journal september 2003 
issue, but it seems it's not available to the public:
http://www.linuxjournal.com/modules.php?op=modloadname=NS-lj-issues/issue113file=index

 However, it deals with setting up software that does this trick, 
specifically NoCatAuth, which can be downloaded from: www.nocat.com



  José

PS.
Please reply to the list.





Re: protecting mail server from DOS

2004-02-17 Thread Jose Alberto Guzman
Lucas Albers wrote:
Just recently I had my mail server swamped by a single virus machine that
kept resending a virus message, ignoring my 5xx rejection code.
Is it possible to block this via an iptables smtp max connection throttle
code?
How do you handle this?
Via iptables?, or via qmail/postfix/exim/sendmail internal coding?
Does anyone else encounter this problem on a regular basis?
How do you solve this?

 Check out http://www.spamshield.org/  a perl script that monitors the 
smtp's (like sendmail) logs for unusual events, and on a set amount of 
mail received from a single IP, takes action and informs via email, 
usually it sets up an invalid route to the offending spammer, 
effectively blocking any contact with that machine, but it can be 
configured to do anything.

 José



PS
please reply to the list
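
The log-watching approach described in the reply above, as an added Python example (not SpamShield's code): it counts messages per relay IP in a sliding window over sendmail-style log lines and returns a null-route command for any address that goes over the limit. The log lines are constructed, and the threshold, window, allow list and the `ip route add blackhole` action are assumptions.

```python
"""Per-IP mail-rate monitor over MTA log lines (added example, not SpamShield code)."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed sendmail-style "from=" line. Only the timestamp and the bracketed
# relay address are used; relay= must be the last field, so text an untrusted
# sender puts in the envelope address cannot pose as the relay.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: \S+: "
    r"from=.*relay=(?:\S+ )?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\s*$")


class RateMonitor:
    """Flag an IP once it delivers more than `limit` messages inside `window`."""

    def __init__(self, limit=5, window=timedelta(minutes=1), allow=("127.0.0.1",)):
        self.limit, self.window, self.allow = limit, window, set(allow)
        self.seen = defaultdict(deque)   # ip -> timestamps still inside the window
        self.blocked = {}                # ip -> time it crossed the limit

    def feed(self, line, year=2004):
        """Return the source IP if this line pushes it over the limit, else None."""
        m = LINE_RE.match(line)
        if not m:
            return None
        ip = m.group("ip")
        if ip in self.allow or ip in self.blocked:
            return None
        # Syslog timestamps carry no year, so one is supplied by the caller.
        ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
        q = self.seen[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) > self.limit:
            self.blocked[ip] = ts
            return ip
        return None


def block_command(ip):
    """Null-route command for an operator or wrapper to run; never executed here."""
    addr = ipaddress.ip_address(ip)      # raises ValueError on anything not an IP
    return ["ip", "route", "add", "blackhole", "%s/32" % addr]


def scan(lines, **kw):
    """Run a fresh monitor over the lines and list the IPs that crossed the limit."""
    mon = RateMonitor(**kw)
    return [ip for ip in map(mon.feed, lines) if ip]


# Constructed log: one host sends 7 messages in 30 seconds, others stay quiet.
SAMPLE_LOG = [
    "Feb 17 10:00:%02d mail sendmail[2101]: i1HA00%02d: from=<x@example.net>, "
    "size=31842, class=0, nrcpts=1, proto=SMTP, daemon=MTA, "
    "relay=pc.example.net [192.0.2.10]" % (s, s)
    for s in range(0, 35, 5)
] + [
    "Feb 17 10:00:12 mail sendmail[2102]: i1HA0112: from=<a@example.org>, "
    "size=2210, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[198.51.100.7]",
    "Feb 17 10:00:13 mail sendmail[2103]: i1HA0112: to=<u@example.com>, "
    "delay=00:00:01, mailer=local, stat=Sent",
    "Feb 17 10:00:14 mail sendmail[2104]: i1HA0114: from=<root@mail>, "
    "size=512, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, "
    "relay=localhost [127.0.0.1]",
]

if __name__ == "__main__":
    for offender in scan(SAMPLE_LOG, limit=5):
        print(" ".join(block_command(offender)))
```

An allow list for your own relays and a way to expire old blocks are the two things to get right before wiring the returned command to anything that runs it.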





Re: Debian and SAN support

2004-02-12 Thread Jose Alberto Guzman
George Georgalis wrote:
On Tue, Feb 10, 2004 at 01:32:44PM -0700, Michael Loftis wrote:

--On Tuesday, February 10, 2004 21:22 +0100 J.J. van Gorkum 
[EMAIL PROTECTED] wrote:

Yes, a big one : NFS is non-atomic in its writing...

A write action to the (NFS) disk can be interrupted (normal behaviour in
the NFS world). So when the software (even the disk driver) reports that
the data is written to the disk there is a possibility that this is not
true
That said we run about ten thousand web sites like this and rarely, if 
ever, have a problem.  We have more problems with the caching of the inode 
status information and such producing incoherency than actual data 
incoherency.


I'm building a system with 3 nodes across the country on dynamic dsl
links (one of which may be intermittent and have 15% packet loss when
up).
since there is not much likelihood any two sites will be in use at once
(one person, multiple offices) I'm planning a daily rsync; but had
wanted to do something more realtime.
Any suggestions?

// George


 Have a look at Coda Filesystem. It may come in handy especially with 
the intermittent node.

http://www.coda.cs.cmu.edu/

José



Re: Imap imap-ssl pop3-ssl

2004-02-12 Thread Jose Alberto Guzman
Jonathan Matthews wrote:
[Sorry for the cross-post - I think it's applicable to both -isp and 
-user.]

I need to offer imap, imapssl and pop3ssl services. FWIW, imap would be 
localhost only, but -ssl services would be publicly accessible.

My reading thus far leads me towards Courier-imap with Exim 4 
backported to stable so I can interface with ClamAV, but feel free to 
point out something important that I've missed.

Do I need to have a different instance of the server running for each 
protocol?  i.e. one listening on each port that the three services use 
as standard?

Is there a server that would do the job with just one instance listening 
on all three ports?  Would there be any advantages or disadvantages to 
this?  I'm thinking locking/concurrency/that-sorta-thing.

How do you deal with this situation?  Are there any gotchas I need to 
know about?  I'm guessing that using Maildirs will alleviate many of the 
problems that mboxes would create ...

Any pointers/suggestions/cluebats appreciated!

jc



 What we run here, is standard uw-imap and popa3d, with stunnel. Works 
like a charm.

 I know courier could handle everything with a single hand and half the 
overhead, maybe someday I'll migrate every mbox into maildir and set 
that up, but in the mean time, it does a pretty job.

 José

PS
 please reply to debian-isp





Re: I/O performance issues on 2.4.23 SMP system

2004-01-28 Thread Jose Alberto Guzman
Mark Ferlatte wrote:
Benjamin Sherman said on Wed, Jan 28, 2004 at 03:16:56PM -0600:
 

I've got some machines in nearly the same configuration.  What I ended up
doing was to put an `append="mem=1G"' in the lilo.conf boot stanza for the
kernel I was using, and rebooted the machine in question.
This does reduce the available memory in the machine to 1GB, but solves the
IO problem.  In my case, it was much faster, even though MySQL couldn't
buffer nearly as much as with 4GB.
Thanks, Mark. I will probably try this with 3GB instead of 1GB. Did you try
that?


Yes; it didn't work.

The problem (bug) is that block device IO has to go through buffers that are
below 1GB.  The memory manager doesn't know this, so what happens is that the
IO layer requests a block of memory below 1GB, and the swapout daemon (kswapd)
then runs around like a madman trying to free pages, instead of shuffling pages
that don't need to be below 1GB to higher memory addresses.  Since many of the
pages below 1GB can't be freed (they belong to active programs), the IO
starves.
With 1GB of memory, both the IO layer and the swapout daemon are working with
the same view of memory, so the bug is concealed, and performance is good.
I have heard of people trying 2GB, and having it work, but it didn't for me.

M


 Is this problem specific to the 3ware cards? does anyone know of any 
issues with the Highpoint 1640 SATA RAID cards?

 Any experience or recommendations with these?

 Which is the best SATA raid card for linux at the moment?

 Thanks

 José

PS.
please reply to the list.





Re: FreeBSD/ Redhat / Debian

2004-01-20 Thread Jose Alberto Guzman
Peter wrote:
On Mon, 19 Jan 2004 21:00:18 +0100, in linux.debian.isp you wrote:


	I will be new user of Debian. For quick tour I want to learn and I
want to get your advise about Comparing other OS with Debian . 


well, three really bad kernel bugs and now on 2.6 kernel so many new
things - in 2004 linux administrators will have to follow security
mailing lists very closely. it will be a time consuming job to update
kernels every x weeks. 

 It's not only when kernel bugs appear, that admins have to follow 
security lists very closely, it's just about every time.

 As for the time consuming job part, it may be so, if your hardware is 
something like a pentium mmx, nowadays it takes less than 3 or 4 minutes 
to recompile a 2.4, and maybe other 3 or 4 mins. from reboot to login 
prompt.

Also you will have to be a security expert to get a secured system, as
neither debian nor redhat kernels are hardened out of the box. maybe
it's better to take a look at adamantix.org, that is based on debian. 

 I'd partially disagree on this one. There is no such thing as a 
'secured system'. Security is a relative thing, not an absolute one.

 I believe that if the common debian admins keep their systems up to 
date with the latest security patches released by debian, they'll deter 
probably 99% of the available exploits. The remaining 1% would fall on 
the unpublished exploits or those which are 'work in progress', and thus 
only targeted and crafted for the high profile sites which should have a 
security expert in their payroll anyway.

 On the other hand, it certainly adds comfort to have a 
buffer-over-underrun-proof kernel running on the server.

if freebsd is in your choice, take a deeper look into it. seems to be
much more developed. better jail solution, especially interesting
for webhosting. Better accounting, better filesystem.
  What exactly is developed? *BSD is certainly based in a much older 
code base than linux, but at this point in time, I'd say that most of 
the cutting edge stuff is happening more on the linux side of the free 
unixes (hardware support, filesystems, clustering, virtualization, etc), 
also linux has had for quite a while now, a much broader base of 
_developers_ (google for the cathedral and the bazaar).

 Is UFS a better filesystem than ext2 in terms of robustness and speed? 
*maybe*. Better than Reiserfs? hardly.


that's how it appears to me. i have average admin knowledge and judge
only on one thing: how much time does it cost to keep the system
running. Linux was too expensive last year.
Peter




 Also, these are just my opinions. We used to serve everything here for 
~8k users (email, web hosting, web caching, etc.) on FreeBSD, these were 
the 2.x-3.x 'make world for update' times. Since some 4 years now we've 
grown to ~11k users, and everything runs on Debian and that's just 
because of the quality that maintainers put on their packages and the 
distro in general, and the consequent ease for updating, securing, 
and managing debian servers.



 Jose


Re: postfix with SASL over PAM

2003-08-30 Thread Jose Alberto Guzman
Hi Rodi,

Postfix is not in a chroot jail, and (I forgot to mention this) the user 
postfix is in the shadow group.

 Google only has questions on this subject, but not many answers... :(

 Thanks

R.M. Evers wrote:
Hi Jose,

Maybe your smtpd (smtp/smtps) is chrooted? Check your master.cf for
this. And for shadow auth you probably also have to add postfix to the
shadow group..
Hope this helps :)

Regards,
-Rodi
On Fri, 2003-08-29 at 00:19, Jose Alberto Guzman wrote:

 I'm trying to get postfix to authenticate (for relaying purposes) users 
with SASL via PAM on woody.

 I've installed postfix, postfix-tls, libsasl and its modules.

 Following the READMEs, I can see that postfix does support SASL auth 
LOGIN and PLAIN mechanisms:

220 mybox.over.here ESMTP Postfix (Debian/GNU)
EHLO localhost
250-mybox.over.here
250-PIPELINING
250-SIZE 1024
250-VRFY
250-ETRN
250-AUTH GSSAPI CRAM-MD5 DIGEST-MD5 LOGIN PLAIN
250-XVERP
250 8BITMIME

 But when I try to authenticate with plain (base64 encoded: 
'user\0user\0password'), postfix complains with:

postfix/smtpd[2134]: connect from localhost[127.0.0.1]
postfix/smtpd[2134]: PAM _pam_init_handlers: could not open /etc/pam.conf
postfix/smtpd[2134]: PAM pam_start: failed to initialize handlers
postfix/smtpd[2134]: warning: localhost[127.0.0.1]: SASL PLAIN authentication failed

I've added the following lines to my working postfix's main.cf:

smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = check_relay_domains permit_mynetworks permit_sasl_authenticated

And /etc/pam.d/smtp looks like:

#%PAM-1.0
auth    required pam_nologin.so
auth    required pam_unix.so
auth    required pam_env.so
account required pam_unix.so
session required pam_unix.so
session required pam_limits.so

 To be on the safe side, I also added the following lines to /etc/pam.conf

smtp auth    required pam_nologin.so
smtp auth    required pam_unix.so
smtp auth    required pam_env.so
smtp account required pam_unix.so
smtp session required pam_unix.so
smtp session required pam_limits.so

 Both pam files are world readable.

Also, the file /etc/postfix/sasl/smtpd.conf contains:

pwcheck_method: pam

and its perms are: 0644

  With sasl over shadow, it just warns: SASL PLAIN authentication failed.

 Has anyone managed to get woody's postfix to authenticate with sasl 
over pam?



 Thanks in advance

 José




postfix with SASL over PAM

2003-08-28 Thread Jose Alberto Guzman
 I'm trying to get postfix to authenticate (for relaying purposes) users 
with SASL via PAM on woody.

 I've installed postfix, postfix-tls, libsasl and its modules.

 Following the READMEs, I can see that postfix does support SASL auth 
LOGIN and PLAIN mechanisms:

220 mybox.over.here ESMTP Postfix (Debian/GNU)
EHLO localhost
250-mybox.over.here
250-PIPELINING
250-SIZE 1024
250-VRFY
250-ETRN
250-AUTH GSSAPI CRAM-MD5 DIGEST-MD5 LOGIN PLAIN
250-XVERP
250 8BITMIME

 But when I try to authenticate with plain (base64 encoded: 
'user\0user\0password'), postfix complains with:

postfix/smtpd[2134]: connect from localhost[127.0.0.1]
postfix/smtpd[2134]: PAM _pam_init_handlers: could not open /etc/pam.conf
postfix/smtpd[2134]: PAM pam_start: failed to initialize handlers
postfix/smtpd[2134]: warning: localhost[127.0.0.1]: SASL PLAIN authentication failed

I've added the following lines to my working postfix's main.cf:

smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = check_relay_domains permit_mynetworks permit_sasl_authenticated

And /etc/pam.d/smtp looks like:

#%PAM-1.0
auth    required pam_nologin.so
auth    required pam_unix.so
auth    required pam_env.so
account required pam_unix.so
session required pam_unix.so
session required pam_limits.so

 To be on the safe side, I also added the following lines to /etc/pam.conf

smtp auth    required pam_nologin.so
smtp auth    required pam_unix.so
smtp auth    required pam_env.so
smtp account required pam_unix.so
smtp session required pam_unix.so
smtp session required pam_limits.so

 Both pam files are world readable.

Also, the file /etc/postfix/sasl/smtpd.conf contains:

pwcheck_method: pam

and its perms are: 0644

  With sasl over shadow, it just warns: SASL PLAIN authentication failed.

 Has anyone managed to get woody's postfix to authenticate with sasl 
over pam?



 Thanks in advance

 José
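
The AUTH PLAIN response mentioned in the post above (base64 of 'user\0user\0password') and the 250-AUTH line of the EHLO reply can be built and checked as below. This is an added example, not part of the original message; the function names are hypothetical and the EHLO sample is the reply quoted in the post.

```python
import base64

# The EHLO reply quoted in the post, embedded so the example runs offline.
EHLO_REPLY = """\
250-mybox.over.here
250-PIPELINING
250-SIZE 1024
250-VRFY
250-ETRN
250-AUTH GSSAPI CRAM-MD5 DIGEST-MD5 LOGIN PLAIN
250-XVERP
250 8BITMIME
"""

# Mechanisms that put the password itself on the wire (base64 is not encryption).
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}


def ehlo_keywords(reply):
    """Map each EHLO keyword to its (upper-cased) argument list."""
    caps = {}
    for line in reply.splitlines():
        # Lines are "250-keyword args", or "250 keyword args" for the last one.
        if len(line) > 4 and line[:3] == "250" and line[3] in "- ":
            words = line[4:].split()
            if words:
                caps[words[0].upper()] = [w.upper() for w in words[1:]]
    return caps


def cleartext_mechanisms(reply):
    """Password-revealing mechanisms in an EHLO reply captured before any TLS."""
    return sorted(CLEARTEXT_MECHS & set(ehlo_keywords(reply).get("AUTH", [])))


def encode_plain(authcid, password, authzid=""):
    """RFC 4616 message: authzid NUL authcid NUL passwd, then base64."""
    for field in (authzid, authcid, password):
        if "\x00" in field:
            raise ValueError("NUL separates the fields and may not appear inside one")
    raw = "\x00".join((authzid, authcid, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_plain(token):
    """Reverse encode_plain; raises ValueError on a malformed response."""
    raw = base64.b64decode(token, validate=True)
    parts = raw.split(b"\x00")
    if len(parts) != 3 or not parts[1] or not parts[2]:
        raise ValueError("expected authzid NUL authcid NUL passwd")
    return tuple(p.decode("utf-8") for p in parts)
```

Because decode_plain recovers the password from the token without any key, PLAIN and LOGIN are normally restricted to TLS-protected sessions; Postfix's smtpd_tls_auth_only setting does this.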



best socks setup

2003-06-23 Thread Jose Alberto Guzman
 Hi everyone,

 I'm in need to implement a socks proxy for a few machines in the LAN, 
currently we have a somewhat tight firewall and a squid proxy for 
http/ftp access, and need to reach content from realnetworks protocols 
in servers that don't stream in http. Searching in dselect, I find the 
tsocks and socks 4.3 options are available in woody.

 In your experience, what's the cleanest and most secure way to 
implement socks in a LAN ?



  Thanks in advance



 José


Re: Software VS Hardware Raid

2002-01-31 Thread Jose Alberto Guzman



Russell Coker wrote:

On Wed, 30 Jan 2002 17:54, [EMAIL PROTECTED] wrote:

detected the drive, but during the part that lilo:  is supposed to come
up, nothing did. The disk kept grinding and grinding, and eventually
asked for a floppy. I was hoping that the 2nd, working drive in the raid
array would kick in any moment, but that didn't happen. Everything
stalled right there.

  Lilo would have to know about your RAID setup (and of course it doesn't),
  that's why it's not recommended to use software RAID on the root
partition.


Who recommends that you don't use software RAID on the root file system?

Not me (lilo maintainer and user of this), not the lilo author, not the 
software RAID kernel maintainer.

 Sorry, I'm not up to date on the newest features of LILO (it's cool 
that it supports SW/RAID now, btw), I stated this because of what I read 
on the Software-RAID-HOWTO.

http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/Software-RAID-HOWTO.html

'The latest official lilo distribution (Version 21) doesn't handle RAID 
devices, and thus the kernel cannot be loaded at boot-time from a RAID 
device. If you use this version, your /boot filesystem will have to 
reside on a non-RAID device. A way to ensure that your system boots no 
matter what is, to create similar /boot partitions on all drives in 
your RAID, that way the BIOS can always load data from eg. the first 
drive available. This requires that you do not boot with a failed disk 
in your system.'

It is stated there also that you can boot root RAID filesystems, but it 
requires some tweaking (applying some RedHat patches to lilo,  
installing on a spare disk, then copying the installation on the RAID 
fs...), which is less straightforward than having the / partition on a 
normal device.

Btw, while searching for the howto, I found several of them dealing with 
the issue:
http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/Root-RAID-HOWTO.html
http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/Boot+Root+Raid+LILO.html


  I'd say software RAID should be used on data partitions, and keep a
backup of your root partition somewhere, so that when the disk holding it
fails, you just swap in a new one and recover your root backup. When a disk
holding the data partition (on sw/raid) fails I assume it'd work as
advertised.


If the primary disk fails and the BIOS and boot loader don't allow booting 
from the second disk then you just have to physically swap disks (which is 
much less effort than swapping disks and restoring from backup).

  You can't be 24x7-high-availability with software raid only, there's
always some down time involved with it, or at least a higher risk of
downtime than with hardware raid.


Actually LinuxBIOS could solve this issue...








tweaking samba and windows

2002-01-08 Thread Jose Alberto Guzman

Hi.

 I'd like to know how (if possible) to 'map' in a 'network drive' a 
subdirectory  in an account's share with samba/windows, for example:   
H:  ==  \\sambasrvr\account\subdir   instead of H: being just 
\\sambasrvr\account.

Also I'd like to know how to tweak the windows smb cache or whatever it 
is so that when msword is saving a 10KB file it won't take a little 
pause in the middle and then continue to write. Sometimes it hangs for 
more than 20 seconds and it's somewhat annoying, notwithstanding netware 
4.11 doesn't 'hang' when writing the same file but writes somewhat 
faster or at least it seems so.

 Any help is appreciated.

 José

