Re: SU+J Lost files after a power failure

[Michael Powell]

Charles Swiger wrote:

[snip]
 
> Yes.  Without journalling, you'd normally perform the full timeconsuming
> fsck
> in the foreground.  With journalling, it should be able to do a journal
> replay to restore the filesystem to an OK state, but sometimes that
> doesn't restore consistency, in which case it usually fires off a
> background fsck rather than the foreground fsck.

In my case the journal replay failed, with an error to that effect. All 
partitions other than / failed to mount and after hitting enter at the 
.../bin/sh prompt performed manual fsck on all of them, which found and 
fixed some stuff. Then shutdown -r and everything came up fine (clean) 
afterwards. Net result was no data loss for me.

[snip]

-Mike


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: Reinstall without reformat

[Michael Sierchio]

The brutal and brute-force approach can work - better if you boot from
a USB stick, of course. You can untar base.tzx and kernel.tzx in your
/, with filesystems mounted.  As Polytropon says, do a backup of what
you'll want afterwards.

This approach will leave a lot of cruft (old versions of shared
libraries, etc.), but will certainly work.  Grab the distribution from

(in this case, the example is for 9.2, i386)

ftp://ftp.freebsd.org/pub/FreeBSD/releases/i386/i386/9.2-RELEASE
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: SU+J Lost files after a power failure

[Michael Powell]

Michael Powell wrote:
[snip]
> The other box is my first foray into the land of GPT, along with SU+J. It
> was sitting at the 'couldn't mount... Press return for /bin/sh' line.
> There was an error indicating that replaying one or more journals had
> failed. I was able to successfully fsck all the other partitions (besides
> /), then rebooted and system came back up OK.

Meant to include also that I booted from a CD with wddiags and ran the Quick 
test and it found no errors on the disk.

[snip]
> 
> -Mike



___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: SU+J Lost files after a power failure

[Michael Powell]

David Demelier wrote:

> Hello there,
> 
> I'm writing because after a power failure I was unable to log in on my
> FreeBSD 9.2-RELEASE. The SU+J journal were executed correctly but some
> files disappeared, including /etc/pwd.db. Thus I was unable to log in.
> 
> I've been able to regenerate the password database with a live cd but
> I'm afraid that more files had disappeared somewhere else...
> 
> I think this is a serious issue, the journal should not truncate files,
> so something should have gone wrong somewhere..
> 
> Any ideas? Should I open a PR?

Not sure there is enough to go on for a PR, but something is weird. 

Friday morning our power went down at home for about three hours after I had 
already left for work. When I came home I found the router/gateway box was 
OK. It is still with the old DOS mbr and disklabel scheme, with softupdates, 
and is a pair of disks gmirrored. 

The other box is my first foray into the land of GPT, along with SU+J. It 
was sitting at the 'couldn't mount... Press return for /bin/sh' line. There 
was an error indicating that replaying one or more journals had failed. I 
was able to successfully fsck all the other partitions (besides /), then 
rebooted and system came back up OK.

Both of these machines were recently updated to 9.2 Release from 9.1. It has 
been approximately 9 months, or so, since I last had a power outage like 
this one. Back then they were still 8.3 I think, did not have SU+J and 
recovered just fine on their own.  

This error about the replay of the journal(s) failing is somewhat 
disconcerting. Beyond that, however, I do not have any other details or 
data. Nothing to flesh out a PR, but thought I'd mention what I saw in 
conjunction with your experience.

-Mike



___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: NATD: net.inet.ip.fw.default_to_accept="1" vs firewall_type="OPEN"

[Michael Ross]

On Fri, 11 Oct 2013 04:38:45 +0200, Chris Stankevitz  
 wrote:



Hello,

Handbook section 31.9 describes the setup of NAT.

Section 31.9.3 suggests net.inet.ip.fw.default_to_accept="1" "during
the first attempts to setup a firewall and NAT gateway".

Section 31.9.5 suggests I "specify a predefined firewall ruleset that
allows anything in" with firewall_type="OPEN"

Question: What is the difference between these two configurations (or
where can I go to learn the difference between the two)?

Thank you,

Chris


Hello,

ipfw always has one default rule, standard is

65535 deny ip from any to any

If you set net.inet.ip.fw.default_to_accept="1", you get

65535 allow ip from any to any

instead.


Specifing firewall_type="OPEN" gives you an additional rule

65000 allow ip from any to any


Now, if for example you execute ``ipfw flush'', thus deleting all rules,
this deletes rule 65000, but the default rule stays in effect.
With ...default_to_accept="0" ( standard setting ) you now have disabled  
all network connections and locked yourself out if you're working remote.



HTH,
Michael
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: failed to create gmirror with the handbook instructions

[Michael Powell]

Andy Zammy wrote:

> # gpart show ada0s1
> gpart: No such geom: ada0s1
> 
> By the way, this is after a restart of the machine.
> 
> There's nothing to back up, I'm installing a fresh os, so I just install
> on one drive, plug the other in, and start following the handbook
> instructions for this method. So the only thing in loader.conf is
> geom_mirror_load="YES".
> 
[snip]

Since you are beginning to reinstall from scratch, please allow/forgive a 
small interjection from some of my recent experience with this. Warren is 
more knowledgeable on this than I am, and I have followed many of his 
instructions in the past.

With the shift towards GPT and away from the old DOS mbr/partition table stuff 
of the past, the current Handbook pages reflect this. The central point of 
contention arises from the fact that GPT, GEOM (gmirror), and many hardware 
RAID controllers require to claim the very last sector of a drive to store 
their metadata. Obviously, the effect of this collision is a "whoever wrote 
last wrote best" - so you can't use combinations of things that all want 
this sector.

The most simple gmirroring is to slice an entire drive, with partitions 
contained within. The very end of the drive must NOT have any file system on 
it, and this is usually the case by default as most of the time 
slicing/partitioning leaves a little free space at the end anyway. This will 
not work with GPT; only with the old DOS compatible mbr and disklabel 
scheme.

In order to use GPT and gmirror together you gmirror individual partitions 
(as opposed to the slice) , e.g. gmirror will write its metadata at the end 
of each partition leaving the very last sector at the end of the drive for 
GPT. This is what the content on the relevant Handbook pages reflects.   
More complicated, but allows for the demise of the ancient DOS/mbr 
partitioning.

Notice that if you combine GPT and a hardware RAID controller card the same 
collision problem noted previously can still happen. If you utilize the BIOS 
on the controller card for anything it will save its metadata on the last 
drive sector.

When not faced with terabyte sized humongous volumes and the huge amount of 
time an fsck will consume, the old DOS way with disklabel is still an option 
that works. The main reason for the journaling is to sidestep waiting for a 
very long fsck on a huge volume to run to completion before finishing a boot 
into a cleaned up/repaired file system. If your drive volume is small this 
is not so much a problem. Indeed my old gateway/firewall/IDS router box I 
did the old DOS/mbr scheme with gmirror (the old single-slice entire drive 
and mirror the drive) as the pair of drives are ancient 74GB Raptors.

On my web/database test box I did go the GPT and SUJ+journaling route but am 
not using any mirroring here (yet). I have not experienced any problems with 
dump - but I also do not use the -L switch. It will show an error/warning 
about not dumping a live file system this way but I go ahead and do it 
anyway. IIRC the dump problem you may be seeing may be related to drive 
snapshotting. The caveat is I can sort of 'get away' with it as my boxen are 
largely quiescent, but would hesitate to do this on something like a public 
web/database box that was continually being hammered with lots of traffic.

Just tossing out some ideas for your perusal and consideration. The way I 
used the old DOS/mbr and disklabel scheme on my router machine is very 
simple, quick to do, and has survived a few power outages now with no data 
loss (other than the time it takes to rebuild which it does automagically on 
boot). On the 74GB Raptors this rebuild takes about twenty minutes. Your 
situation and needs may force you in a different direction. Hence, the 
proverbial "YMMV" applies. FWIW. Now for to finally get around to purchasing 
a new UPS to replace the old one that went up in smoke and died horribly...

-Mike



___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: NAT: Handbook vs mailing list

[Michael Powell]

Olivier Nicole wrote:

[snip]
>>
>> The mailing list message linked above suggests that the handbook
>> information is the "old way" and that the correct way is to set
>> ipfw_enable and natd_enable in rc.conf.  "Then /etc/rc.d/ipfw will
>> load ipfw.ko, and if natd_enable is set, will invoke /etc/rc.d/natd,
>> which loads ipdivert.ko at the right time."
> 
> From what you copied/explained, natd_enable will load ipdivert.ko and
> the handbook suggests that you load ipdivert.ko, so either way the
> module will be loaded.
> 
> I'd go with the ipfw_enable and natd_enable as it may also do other
> needed things than just loading a kernel module.

+1 on this. It is also present in the /etc/defaults/rc.conf this way as well 
(of course, use /etc/rc.conf for override customization). The original 
situation referred to early in the mailing-list content was a timing related 
problem where the ipdivert module would fail, even after ipfw loading _did_  
succeed.

Most of the 'old way' is a holdover from before the init system brought in 
the rc.subr startup scripts (imported from netbsd if memory serves). There 
have been a couple of hiccups along the way concerning the order things are 
started. For example, it doesn't really work to start a dhcp client prior to 
successful network initiate completion. Over time the rc.subr system has 
evolved and been cleaned up. 

A long time ago I eschewed running mergemaster when doing source-based 
upgrades. Just didn't like it and it never seemed like not doing it hurt 
anything. For quite some time I never experienced any problem with this 
approach. However, this eventually did bite me in the rump in a very bad 
way!  :-)

When running mergemaster while upgrading to a new release you may see these 
scripts being updated. So they are continuing to evolve, and a lot of this 
is to start up and configure things as the system comes up in a 'correct' 
and coherent order. So imho the Handbook is a wee bit outdated.

-Mike
 


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: Soekris for a Trac server

[Michael]

Hi John,

John Levine wrote:
> Dunno about Soekris, but I'm very happy with one of these
> mini-box systems that cost about $250 with a 60GB SSD disk:
>
> http://www.mini-box.com/MiniPC-Value-Systems
thank you for your detailed answer and useful suggestion, I will
probably look for a similar product!

Regards,
Michael
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: Soekris for a Trac server

[Michael]

Hello Bill,

thank you for your answer!

Bill Tillman wrote:
> The way technology has moved on these days I would approach this from a
> completely different manner. Soekris makes some cool little boxes, but the
> last time I looked they still had I486 cpu's...today may be different, 
> probably
> is. My point is that with computers so cheap these days why not just use
> a box, sans the drives and do a diskless boot from one of your FreeBSD
> servers...or better yet, setup another FreeBSD server using VM. It doesn't
> make sense to buy a box with VM technology so freely available.
Of course you are right that virtualisation is the cheapest way to go.
But this my actual setup and I am considering moving it to a physical
support because for my uses, I value some of its features (low-noise™ or
take-away™).

Best regards,
Michael

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Soekris for a Trac server

[Michael]

I am planning to move a jail-hosted service to a physical device and
would like to hear the advices of experts here.


My service runs sshd, apache and trac (the ticket service) and I am
considering getting one of the products by soekris. I know that some
list users have some experience with these products so it would be very
nice for me to ear if this kind of product is suitable for my project
and if FreeBSD is doing well on these platforms.

Also I am bit unsure about the setup I should pick: we are a hand of
users for the service and I would like to know if a 64-MB Ram and a
166Mhz setup could do, or if I definitely should consider a faster CPU
or more RAM. Given my actual jail based setup, is there an easy way to
guess the required RAM — In the jail `top` reports a Size of 111M for
the Python process, but I guess the interpreter is taking things easy
when a lot of RAM is available, doesn't it?

Last, are FreeBSD jails lightweight enough to run in such a constrained
environment? It is not unlikely that the device evolves to run several
other services (like a nfs) and I would appreciate to be able to confine
services appropriately using jails.

Thank you for your comments!
Michael

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: cause of reboot

[Michael Powell]

kpn...@pobox.com wrote:
[snip]
> While we're throwing ideas onto the table let me mention power supplies.
> Power supplies and hard drives are in a race to see which one will fail
> first. It may be that the power supply is marginal and added load from
> the drives being hit hard may send it over the edge. How heavily loaded
> is the machine in question?

Absolute and total agreement with this. As they age and the filter caps leak 
and dry out more it will eventually become apparent. But in the meantime the 
output DC can just about meet spec up until really loaded. Then the ripple 
becomes so excessive it's not quite "DC" any longer. You can clearly see it 
using an oscilloscope. 

The 0300 AM periodic does hammer a machine enough to possibly push a 
marginal power supply over the edge. I once had a box where the RAM chips 
would "sing" with a high-pitched whistle only during the 0300 periodic run. 
It sounded just like the horizontal output on a television right before 
destruction.  :-) 
 
[snip]

-Mike


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: cause of reboot

[Michael Powell]

Patrick Lamaiziere wrote:
[snip]
>> 
>> I looked "last" command,
>> reboot ~ ~   AM 03.15  ~
> 
> The last time It happened (one month ago) to me it was the hard disk
> (periodic scripts read a large part of the disk).
> 
> If the disk is smart capable try a full test with smartctl
> (sysutils/smartmontools)

My gateway/firewall/mail/ids router box at home has 2 GB RAM in it, so 
normally it has enough extra room that nothing ever pushes over into swap 
with one exception: the periodic run at 0300. It is generally never more 
than just a few kilobytes, but I find it slightly surprising nonetheless.

If a sector (or more) on the drive that is backing the swap partition has 
gone bad it might not even be noticeable until something pages out to swap 
(like my 0300 periodic run). 

If the drive is a WD the 'Quick' test using the manufacturers' wddiags 
utility should spot it, and is non-destructive. I have occasionally seen the 
full test not destroy data - but I wouldn't count on it being non-
destructive. However, as long as the remap area isn't full the long test 
will repair the drive by relocating and mapping out the bad spot. When this 
silent fading away of magnetic media occurs wrt to higher-end RAID 
controllers the scrub function in the controller BIOS is where you would 
want to go.

The other problem relative to this that I've run into is the apple before 
the cart syndrome around backups. I have seen dump fail to allow for backing 
up data prior to using the full wddiags to repair a drive so you kinda get 
stuck. If the full test is going to wipe the drive and you can't generate a 
fresh current backup you're stuck only being able to restore whatever is the 
last good backup you have on hand.

Wouldn't surpise me at all if this were to turn out to be the drive just 
recently grew one or more bad spots. A bad spot or few on an old drive that 
gets repaired I might continue to use the drive for a while, maybe even for 
like a year time-frame wise. If 2 months later it starts growing more bad 
spots the drive goes in the rubbish bin.

-Mike




___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: How to ask a DNS resolver listening on a different port than the tcp/udp 53

[Michael Sierchio]

On Fri, Sep 27, 2013 at 4:11 PM, Frank Leonhardt  wrote:
> On 27/09/2013 23:08, Terje Elde wrote:
>>
>> On 28. sep. 2013, at 00:03, Frank Leonhardt  wrote:
>>
>>> If I understand the way it works correctly, the resolver pulls a list of
>>> the NS and hard-sets the port number for each to 53 (via a manifest
>>> constant) . See libc/resolv/res_init.c. All you need to do(!) is change this
>>> to a value of your choice and recompile libc
>>
>> Sorry, but this is startin to look a lot like a complicated solution to a
>> problem that isn't really there...
>>
> It was more of an explanation as to /why/ it's not easy to do what asked in
> the original reasonable-sounding question.

Beg to differ.  The question isn't reasonable.  There's no point in
having a dns recursive resolver listening on a port other than the one
that clients will contact it on.

Far better to have the authoritative server listen on 127.53.0.1 and
use the routable address for the cache, which can forward requests for
the authoritative server when appropriate.

- M
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: [FreeBSD-Announce] vBSDcon Registrations Only Open For 30 More Days!

[Michael Powell]

Brett Glass wrote:

> All:
> 
> It's good to see corporate support of BSD, but at the same time I
> have mixed feelings about certain corporations -- Verisign among
> them -- hosting BSD-related conferences or becoming involved in the
> development of BSD-based operating systems. Why? Because Verisign,
> based in Reston, Virginia (the city next door to Vienna, VA, home
> of the NSA), has strong ties to this shadowy agency.

No. I used to work right down the street from Network Solutions (now known 
as Verisign) in Herndon. Indeed, I had job offerings from them but felt I was 
better off to stay where I was. The NSA is headquartered at Ft Meade, near 
Columbia in Maryland. I worked there for 8 years? The CIA headquarters is in 
Mclean, Virgina, which is right next door to Vienna. Reston/Herndon is a few 
miles down the Dulles Toll Rd to the west. I've been to all these places, so 
this is not some MapQuest google for me.

> The NSA, in
> turn -- as reported in documents recently leaked by Edward Snowden
> -- has a very strong interest in weakening the security of
> cryptographic algorithms, cryptographic software, and operating
> systems. We may want to look this gift horse very carefully in the
> mouth, or at least monitor very closely "contributions" of code
> that might introduce backdoors or weaknesses.

On some level I agree with this - to a point. Examine how the NSA maneuvered 
the NIST to approve and mandate the FIPS-140 protocols, where deeply 
concealed was a known weak prng. To some of us this is not news - we've 
known it for a long time. Arguments of pro vs con, good vs evil, ad 
infinitum ad nauseum, etc, are better served in a different venue.

It is so much easier to get away with concealing such things inside the 
closed-source paradigm. What I like and admire with open source is the code 
is out there in public for all to examine. These truly arcane crypto stuffs 
operate at such a high level of mathematical complexity that even very 
highly skilled cryptographer/mathematicians argue amongst themselves.

I am just not that smart, or that highly educated. There are some in the 
open source community who do have very large propellers on their beanie 
caps. I defer to them simply because they are smarter then me. I would trust 
them long before I would trust closed source. 

I agree about the 'looking the gift horse in the mouth' concept. Bear in 
mind, however, some of the guys at NIST are pretty smart too. And yet this 
FIPS-140/prng stuff went right by them. My suggestion is for FreeBSD (indeed 
open source in general) to try and engage, include, and attract to the 
community the kinds of elite mathematician who may have the facilities to 
examine the code at a higher level than can dummies like me.  

Whenever The Citadel wants the public to fixate on any one particular 
brouhaha I know they are trying to get everyone looking in a particular 
direction whilst they are pulling something else. Verisign may very well 
have some other obfuscated agenda. Take a step backwards and try to obtain 
some view of the bigger picture (hint). Will not elaborate here, even though 
I do have some crackpot ideas. 

I find it highly ironic:

http://en.wikipedia.org/wiki/Snowden_%28character%29#Snowden

I got no end of amusement from this.  Just my $ 0.02. 

-Mike



___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

this 48-core box...

[Michael Chen]

I'm considering bidding on this 48-core box:

http://www.ebay.com/itm/Supermicro-A-Server-1042G-TF-1U-H8QG6-4-CPUS-48-cores-2-2Ghz-128GB-RAM-/151119828428?pt=COMP_EN_Servers&hash=item232f7195cc

Does anyone have experience with it and can I use all the cores?

Thanks!
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: FreeBSD stuck during the boot process.

[Michael Sierchio]

On Tue, Sep 17, 2013 at 9:47 AM, atar  wrote:
> Polytropon  wrote:
>
>> On Tue, 17 Sep 2013 12:15:58 +0300, Atar wrote:
>>>
>>> When I try to boot FreeBSD from a USB stick, it stuck during the
>>> boot process. But if I boot it in safe mode, it succeeds to boot.

> Yes, you remember correctly, safe mode disable the ACPI support
> automatically.

The problem may also be that USB devices take a long time to settle.
I suggest these in your /boot/loader.conf

hint.acpi.0.disabled="1"
kern.cam.boot_delay="1"
kern.cam.scsi_delay="2000"

The CAM boot delay is needed for USB booting on some of my machines,
esp. Soekris boxes.  10 seconds is safe.

- M
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Disappointing dependency introduced in 9.1 (from 8-STABLE)

[Michael Sierchio]

Because I build a lot of embedded devices with serial consoles, I was in
the habit of hacking /boot/loader by commenting out a line in a Makefile
that enables terminal emulation

/sys/boot/i386/libi386/Makefile:

#CFLAGS+= -DTERM_EMU

and then in /sys/boot doing a make clean && make

unfortunately, with 9.X, this breaks the compile.  It seems a dependency
was introduced which requires the videoconsole code.  I find this extremely
irritating.  Of course, there's nothing to stop me (at the moment) from
compiling loader under 8-STABLE and installing it on 9.1 machines, but...

Is there a better way now to stop the cursor from scribbling illegibly
across the screen?

- M
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: Network startup with age Ethernet device

[Michael Sierchio]

On Wed, Sep 4, 2013 at 8:49 AM, Lowell Gilbert <
freebsd-questions-lo...@be-well.ilk.org> wrote:

>
> Have you tried using netwait?
> I think that would involve putting enable_netwait in rc.conf, and
>

netwait_enable="YES"  would be it.

- M
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: pkgng problem

[Michael W. Lucas]

For the archives:

I left the problem alone for a few days, with no changes on my side.

Came back Monday. Tried again. Everything worked on the affected
machines.

==ml

-- 
Michael W. Lucas  -  mwlu...@michaelwlucas.com, Twitter @mwlauthor 
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
Absolute OpenBSD 2/e - http://www.nostarch.com/openbsd2e
coupon code "ILUVMICHAEL" gets you 30% off & helps me.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: ipfw gateway rerouting

[Michael Sierchio]

# my kernel has
# options ROUTETABLES=16

GATEWAY_0="10.3.255.0"
GATEWAY_1="10.3.255.1"

setfib 0 route add default $GATEWAY_0
setfib 1 route add default $GATEWAY_1

ipfw table 1 add $NET_0 0
ipfw table 1 add $NET_1 0
ipfw table 1 add $NET_2 1
ipfw table 1 add $NET_3 0

ipfw add 00500 setfib tablearg ip from any to any in lookup src-ip 1

rule 500 will cause traffic from NET_2 to go out a different gateway (if
it's not destined for a local net - presumably other rules will handle
those cases)

# man setfib
# man ipfw (see the section on the setfib action)




On Sun, Aug 18, 2013 at 3:15 PM, Jos Chrispijn  wrote:

> Can someone please hint me to to good explanatory site that explains how
> to reroute a network server to different/non standard network gateway(s)
> with ipfw?
>
> thanks,
> Jos Chrispijn
> __**_
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/**mailman/listinfo/freebsd-**questions
> To unsubscribe, send any mail to "freebsd-questions-**
> unsubscr...@freebsd.org "
>
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: pkgng problem

[Michael W. Lucas]

On Fri, Aug 16, 2013 at 11:23:41AM -0700, Adrian Chadd wrote:
>Have you done a "pkg update" first, just in case you needed to pull in a
>pkgng update?

Yep, tried that.

==ml

-- 
Michael W. Lucas  -  mwlu...@michaelwlucas.com, Twitter @mwlauthor 
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
Absolute OpenBSD 2/e - http://www.nostarch.com/openbsd2e
coupon code "ILUVMICHAEL" gets you 30% off & helps me.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: pkgng problem

[Michael W. Lucas]

Matt,

Another data point on this:

Machines converted to pkgng a couple weeks ago can install new
packages just fine despite showing the same error. And it looks like
they download the new repo information:

# pkg install sysrc
Updating repository catalogue
digests.txz 100%  997KB 997.1KB/s 997.1KB/s   00:00
packagesite.txz 100% 5530KB   1.4MB/s   1.9MB/s   00:04
pkg: Invalid manifest format: mapping values are not allowed in this contex
Incremental update completed, 0 packages processed:
8292 packages updated, 1115 removed and 129 added.
pkg: No digest falling back on legacy catalog format
packagesite repository catalogue is up-to-date, no need to fetch fresh copy
The following 1 packages will be installed:

Installing sysrc: 5.2

The installation will require 39 kB more space

15 kB to be downloaded

Proceed with installing packages [y/N]: y
sysrc-5.2.txz 100%   16KB  15.8KB/s  15.8KB/s   
00:00
Checking integrity... done
[1/1] Installing sysrc-5.2... done

Machines upgraded to pkgng this week, using the same script as I used
a couple weeks ago, cannot install packages.

# pkg install sysrc
Updating repository catalogue
digests.txz 100%  997KB 997.1KB/s 997.1KB/s   00:00
packagesite.txz 100% 5530KB   2.7MB/s   1.5MB/s   00:02
pkg: Invalid manifest format: mapping values are not allowed in this context
Incremental update completed, 0 packages processed:
0 packages updated, 0 removed and 22568 added.
pkg: No digest falling back on legacy catalog format
packagesite repository catalogue is up-to-date, no need to fetch fresh copy
pkg: No packages matching 'sysrc' has been found in the repositories

Not sure if this supports the "bad repo" theory, but it's interesting.

Thanks,
==ml

-- 
Michael W. Lucas  -  mwlu...@michaelwlucas.com, Twitter @mwlauthor 
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
Absolute OpenBSD 2/e - http://www.nostarch.com/openbsd2e
coupon code "ILUVMICHAEL" gets you 30% off & helps me.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: pkgng problem

[Michael W. Lucas]

Thanks, Matt.

# pkg -vv | sed -ne '/Repositories/,$p'
Repositories:
  packagesite:
 url: http://pkg-test.freebsd.org/pkg-test-freebsd:9:x86:32/latest
 key:
 enabled: yes
 mirror_type: SRV

Also: 

# pkg -v
1.1.4


==ml

-- 
Michael W. Lucas  -  mwlu...@michaelwlucas.com, Twitter @mwlauthor 
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
Absolute OpenBSD 2/e - http://www.nostarch.com/openbsd2e
coupon code "ILUVMICHAEL" gets you 30% off & helps me.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

pkgng problem

[Michael W. Lucas]

Hi,

I'm sure someone has had this before, but I can't find any reference
to it.

# pkg upgrade
Updating repository catalogue
digests.txz 100%  997KB 997.1KB/s 997.1KB/s   00:00
packagesite.txz 100% 5530KB   1.8MB/s   3.2MB/s   00:03
pkg: Invalid manifest format: mapping values are not allowed in this context
Incremental update completed, 0 packages processed:
0 packages updated, 0 removed and 22568 added.
pkg: No digest falling back on legacy catalog format
packagesite repository catalogue is up-to-date, no need to fetch fresh copy
Nothing to do

This is from a machine freshly converted to pkgng.

Any suggestions?

Thanks,
==ml

-- 
Michael W. Lucas  -  mwlu...@michaelwlucas.com, Twitter @mwlauthor 
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
Absolute OpenBSD 2/e - http://www.nostarch.com/openbsd2e
coupon code "ILUVMICHAEL" gets you 30% off & helps me.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: Theft in the Clouds

[Michael Sierchio]

Amazon EC2 certainly offers Dedicated Instances, in which the hardware
is dedicated to a single customer.

On Thu, Jul 25, 2013 at 1:15 PM, Jerry  wrote:
> Not really a FreeBSD issue, but I did find this article rather
> fascinating.
>
> http://www.technologyreview.com/news/506976/how-to-steal-data-from-your-neighbor-in-the-cloud/

This is really about side-channel attacks against crypto - not general
data snooping.

- M
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: HOWTO monitor changes in installed packages within jails?

[Michael Grimm]

On 20.07.2013, at 18:34, Michael Grimm  wrote:

> On 20.07.2013, at 14:53, Matthew Seaman  
> wrote:
>> On 20/07/2013 12:09, Michael Grimm wrote:
> 
>>> I did migrate to pkgng some month ago, and ever since I am curious
>>> how to monitor changes in installed packages within jails. I am
>>> looking for a functionality/port that works like 490.status-
>>> pkg-changes for my host.
>>> 
>>> Question: is there any functionality within the periodic system or a
>>> port that I might have missed to find?
>> 
>> You can't just run 490.status-pkg-changes directly in your jail?
> 
> Yes, I can ;-) 
> 
> But! I do have a lot of service jails running at my host, thus I would like 
> to omit modifying every jail's /etc/periodic.conf adding:
> 
> | daily_status_pkg_changes_enable="YES"# Show package changes
> | pkg_info="pkg info"  # Use this program
> 
> 
>> Try this patch:
> 
> Thanks for that approach, namely adding "pkg -j jailname info" for every jail 
> running. Due to my amount of jails I might need to add some looping over "jls 
> -N" output instead of adding a lot of $daily_status_pkg_changes_flags.
> 
> I was hoping that I could omit programming that functionality myself, but I 
> might need to do so.

I ended up in adding:
--- snip 
--- /usr/src/etc/periodic/daily/490.status-pkg-changes  2013-04-03 
17:59:35.894705550 +0200
+++ /etc/periodic/daily/490.status-pkg-changes  2013-07-23 20:19:27.833641916 
+0200
@@ -32,6 +32,24 @@
diff -U 0 $bak/pkg_info.bak2 $bak/pkg_info.bak \
| grep '^[-+][^-+]' | sort -k 1.2
fi
+
+# added jail(s) support
+#
+   for jname in `jls -N | grep -v JID | awk '{print $1}'`; do
+   if [ -f $bak/pkg_info_${jname}.bak ]; then
+   mv -f $bak/pkg_info_${jname}.bak 
$bak/pkg_info_${jname}.bak2
+   fi
+   jexec ${jname} ${pkg_info:-/usr/sbin/pkg_info} > 
$bak/pkg_info_${jname}.bak
+
+   cmp -sz $bak/pkg_info_${jname}.bak 
$bak/pkg_info_${jname}.bak2
+   if [ $? -eq 1 ]; then
+   echo ""
+   echo "Changes in installed packages (jail 
${jname}):"
+   diff -U 0 $bak/pkg_info_${jname}.bak2 
$bak/pkg_info_${jname}.bak \
+       | grep '^[-+][^-+]' | sort -k 1.2
+   fi
+   done
+
fi
;;
--- snip 

Not perfect, really, but working at my side.

Michael
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: Re[3]: vBSDcon Website Update

[Michael Powell]

Fish Kungfu wrote:

>  Weird, now it's up.
> ...Fish
> 

DNS takes time to propagate

-Mike



___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: HOWTO monitor changes in installed packages within jails?

[Michael Grimm]

On 20.07.2013, at 14:53, Matthew Seaman  wrote:
> On 20/07/2013 12:09, Michael Grimm wrote:

>> I did migrate to pkgng some month ago, and ever since I am curious
>> how to monitor changes in installed packages within jails. I am
>> looking for a functionality/port that works like 490.status-
>> pkg-changes for my host.
>> 
>> Question: is there any functionality within the periodic system or a
>> port that I might have missed to find?
> 
> You can't just run 490.status-pkg-changes directly in your jail?

Yes, I can ;-) 

But! I do have a lot of service jails running at my host, thus I would like to 
omit modifying every jail's /etc/periodic.conf adding:

| daily_status_pkg_changes_enable="YES"# Show package changes
| pkg_info="pkg info"  # Use this program


> Try this patch:

Thanks for that approach, namely adding "pkg -j jailname info" for every jail 
running. Due to my amount of jails I might need to add some looping over "jls 
-N" output instead of adding a lot of $daily_status_pkg_changes_flags.

I was hoping that I could omit programming that functionality myself, but I 
might need to do so.

Thanks for your input and with kind regards,
Michael


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

HOWTO monitor changes in installed packages within jails?

[Michael Grimm]

Hi --

I did migrate to pkgng some month ago, and ever since I am curious how to 
monitor changes in installed packages within jails. I am looking for a 
functionality/port that works like 490.status-pkg-changes for my host.

Question: is there any functionality within the periodic system or a port that 
I might have missed to find?

Thanks in advance and with kind regards,
Michael
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: gpart: table 'da0' is corrupt; operation not permitted

[Michael Sierchio]

On Tue, Jul 16, 2013 at 1:44 PM, aurfalien  wrote:

> Upon doing;
>
> gpart destroy da0
>
> I get;
>
> gpart: Device busy

crude but effective:


DISK=da0

offset=`diskinfo $DISK | awk '{ print $4 - 131072 }'`
dd if=/dev/zero of=/dev/$DISK bs=64k count=1
dd if=/dev/zero of=/dev/$DISK bs=64k seek=$offset

gpart create -s gpt ${DISK}
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: auth.notice on syslog server

[Michael Sierchio]

On Mon, Jun 24, 2013 at 5:35 AM, SWENNEN Rudi
 wrote:
> Hello FreeBSD-list,
>
> I have the following two freebsd systems/servers: a server and a client. The 
> syslog of the client is send to the server.
> I was wondering why the auth.notice entry on my server is generating a syslog 
> entry (/dev/console) when I change to root on the client:
> Jun 24 12:01:38 SERVER kernel: Jun 24 12:00:32 CLIENT su: rudi to root on 
> /dev/ttyv0
>
> Is there a way to "limit" the auth-facility not to log via syslog if the 
> entry in generated from a remote system?

Yes, on the host that sends the logs.
E.g.,

auth.*,authpriv.*:  /var/log/auth
console.*,cron.*,daemon.*,kern.*,mail.*,ntp.*,security.*,syslog.*,user.*,local.*:
@loghost
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: Boot Loader Issue

[Michael Sierchio]

On Sun, Jun 23, 2013 at 4:12 PM, Polytropon  wrote:
> On Sun, 23 Jun 2013 15:47:53 -0700, Doug Hardie wrote:
>> I need to alter mountroot so it tries the right partition/slice.
>> How do I do that?  I couldn't find anything in the handbook on that.
>
> You need to install the GPT boot code, e. g.
>
> # gpart add -t freebsd-boot -l gpboot -b 40 -s 512K ad0

Why the offset?  Why 512k?

> # gpart bootcode -b /boot/pmbr -p /boot/gptboot -i 1 ad0

I think it's simpler to make an entry in /boot/loader.conf:

vfs.root.mountfrom="ufs:/dev/ada0s1a"
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: Re: FreeBSD slice/partiton setup question

[Michael Sierchio]

You can simply newfs the device itself, without a volume label, slice,
or partition.  That's the normal thing to do with malloc devices, or
additional disks.  If the disk doesn't require a boot loader, isn't
the root device, etc. that may be the best thing to do.

Your caution about EXT* is spot-in - adequate tools exist for EXT2FS,
but it's still problematic.


- M
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: FreeBSD slice/partiton setup question

[Michael Sierchio]

On Tue, Jun 18, 2013 at 10:44 AM, Istvan Gabor  wrote:
> ...
> How can I do this in FreeBSD?
> Can I have slices with only one partition occupying the whole slice?
>
> Can I do something like the following:
>
> /dev/ad0s1a /
> /dev/ad0s2e /home
> /dev/ad0s3e /usr/local
> /dev/ad0s5b swap
> /dev/ad0s6e /home/user1
> /dev/ad0s7e /home/user2
> etc.
>
> where the partitions (a, e, b) occupy the whole slice where they reside on?

Why bother with partitions if you're going to use the whole slice?

Why bother with slices if you won't run out of partitions?

- M
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: FreeBSD maximum password length

[Michael Sierchio]

I know this may seem off-the-wall to some, but I pasted a hashed
password for a user under 9.1 into the /etc/passwd entry for that user
on an 8.3 machine, and auth continues to work properly.  That's nice.

- M
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: Any BASIC Gurus around?

[Michael Ross]

I'm no BASIC Guru,
but this one line caught my eye while scrolling through your mail:


2010 IF ABS(H>1. THEN GOTO 2040


Missing parenthesis?


Regards,

Michael
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

pkg-devel problem with incremental update

[Michael Gass]

Installed pkg-devel 1.1.0.b3 and get the following message about incremental
update whenever update is called.

sudo pkg update
Updating repository catalogue
pkg: incremental update is not possible as repo format is inappropriate, trying 
full upgrade
packagesite repository catalogue is up-to-date, no need to fetch fresh copy

What should I do to make incremental updates possible?

-- 
Michael Gass
mg...@csbsju.edu 
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: Bourne shell "if" syntax

[Michael Sierchio]

On Mon, Jun 10, 2013 at 12:16 PM, Tim Daneliuk  wrote:

> That wasn't really my point.  I use sentinels because in the face of an
> empty string this:
>
>if [ $PTR = "" ]
>
> Actually evaluates to:
>
>if [ = "" ]
>
> Which throws an error.

Right.  Many scripts seem to assume that sh is bash, and that's
certainly not the case here.

if [ "x$BLAH" = "x" ]; then

is the most reliable and portable way of determining if it's a string
of zero length.

- M
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: What is the correct CPUTYPE for this machine?

[Michael Gass]

On Sat, Jun 08, 2013 at 10:10:10AM -0400, ill...@gmail.com wrote:
> On 8 June 2013 09:34, Michael Gass  wrote:
> 
> > I have an old laptop:
> >
> > FreeBSD 9.1-RELEASE #0 r243826: Tue Dec  4 06:55:39 UTC 2012
> > r...@obrian.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
> > CPU: Mobile AMD Duron(tm) Processor (1096.23-MHz 686-class CPU)
> > Origin = "AuthenticAMD"  Id = 0x671  Family = 6  Model = 7  Stepping = 1
> >
> > Features=0x383f9ff
> > AMD Features=0xc0480800
> >
> > What is the correct value for CPUTYPE in make.conf?
> >
> >
> Duron was just a low-cost Athlon, da?
> 
OK, checking the internet, looks like I should use
CPUTYPE?=k7
as the mobile amd duron 1.1G is a k7 group,
but the make.conf example only lists values like
k8, k6-3, k6-2, k6, and k5.
Which should I use?

mg
-- 
Michael Gass
mg...@csbsju.edu 
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

What is the correct CPUTYPE for this machine?

[Michael Gass]

I have an old laptop:

FreeBSD 9.1-RELEASE #0 r243826: Tue Dec  4 06:55:39 UTC 2012
r...@obrian.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
CPU: Mobile AMD Duron(tm) Processor (1096.23-MHz 686-class CPU)
Origin = "AuthenticAMD"  Id = 0x671  Family = 6  Model = 7  Stepping = 1
Features=0x383f9ff
AMD Features=0xc0480800

What is the correct value for CPUTYPE in make.conf?

Thanks,

mg
-- 
Michael Gass
mg...@csbsju.edu 
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: Error building math/sage

[Michael Gass]

On Thu, Jun 06, 2013 at 09:41:46AM -0500, Michael Gass wrote:
> Trying to build math/sage-5.9_1 from ports.  Everything builds
> except sage itself.  
> 
> Here is the system info.
> 
> FreeBSD dc7800.home.net 9.1-STABLE FreeBSD 9.1-STABLE #0 r251294: Mon Jun  3 
> 17:52:11 CDT 2013 root@:/usr/obj/usr/src/sys/HP20130603  amd64
> 
> Here is /etc/make.conf
> 
> CPUTYPE?=core2
> WITH_PKGNG=yes
> # added by use.perl 2013-06-03 21:30:08
> PERL_VERSION=5.14.2
> TEX_DEFAULT=texlive
> 
> Here is output from the build (sorry for any control chars in script).
> Error is around 120 lines down.
> 
> port_dbdir=/var/db/ports

..removed lines..

> use_pkgng=yes
> ***
> make: illegal option -- -
> usage: make [-BPSXeiknpqrstv] [-C directory] [-D variable]
>   [-d flags] [-E variable] [-f makefile] [-I directory]
>   [-j max_jobs] [-m directory] [-V variable]
>   [variable=value] [target ...]
> 
> real  0m0.001s
> user  0m0.000s
> sys   0m0.001s
> ***
> Error building Sage.
> 
> The following package(s) may have failed to build:
> tail: /usr/ports/math/sage/work/sage-5.9/logs/pkgs/*.log: No such file or 
> directory
> 
> The build directory may contain configuration files and other potentially
> helpful information. WARNING: if you now run 'make' again, the build
> directory will, by default, be deleted. Set the environment variable
> SAGE_KEEP_BUILT_SPKGS to 'yes' to prevent this.
> 
> gmake: *** [build] Error 1
> *** [do-build] Error code 1
> 
> Stop in /usr/ports/math/sage.
> *** [build] Error code 1
> 
> Any suggestions?
> 
> 

Got it to install.  Kept getting the above problem when usning portmaster.
So I did a make clean in the sage directory and then make install clean.
That did it.

Mike Gass

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Error building math/sage

[Michael Gass]

sage-5.9/spkg/bin:/usr/ports/math/sage/work/sage-5.9/local/bin:/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin
PM_BUILDING=pmbuildingmain
PM_BUILD_ONLY_LIST=pm_bol
PM_DEL_BUILD_ONLY=pm_dbo
PM_NEEDS_UPDATE= math/sage 
PM_PARENT_PID=65716
PM_PARENT_PORT=math/sage
PM_VERBOSE=vopt
PREFIX=/usr/local
PWD=/usr/ports/math/sage/work/sage-5.9/spkg
PYTHONPATH=/usr/ports/math/sage/work/sage-5.9/local
RANLIB=/usr/local/bin/ranlib
READELF=/usr/local/bin/readelf
SAGE_ATLAS_LIB=/usr/local/lib
SAGE_FAT_BINARY=yes
SAGE_INSTALL_GCC=no
SAGE_LOCAL=/usr/ports/math/sage/work/sage-5.9/local
SAGE_LOGS=/usr/ports/math/sage/work/sage-5.9/logs/pkgs
SAGE_PARALLEL_SPKG_BUILD=
SAGE_PORT=yes
SAGE_ROOT=/usr/ports/math/sage/work/sage-5.9
SAGE_SPKG_INST=/usr/ports/math/sage/work/sage-5.9/spkg/installed
SAVE_SHARED=wopt
SHELL=/bin/sh
SHLVL=2
SIZE=/usr/local/bin/size
STRINGS=/usr/local/bin/strings
SUDO_COMMAND=/usr/local/sbin/portmaster math/sage
SUDO_GID=1001
SUDO_UID=1001
SUDO_USER=mgass
SYSTEMVERSION=
TERM=xterm
TMPDIR=/tmp
UPGRADE_TOOL=portmaster
USER=root
USERNAME=root
_=/usr/bin/env
__MKLVL__=2
build_deps_il=
build_only_dl_g=  
dep_of_deps=0
num_of_deps=0
pbu=/usr/ports/packages/portmaster-backup
pd=/usr/ports
pdb=/var/db/pkg
port_dbdir=/var/db/ports
use_pkgng=yes
***
make: illegal option -- -
usage: make [-BPSXeiknpqrstv] [-C directory] [-D variable]
[-d flags] [-E variable] [-f makefile] [-I directory]
[-j max_jobs] [-m directory] [-V variable]
[variable=value] [target ...]

real0m0.001s
user0m0.000s
sys 0m0.001s
***
Error building Sage.

The following package(s) may have failed to build:
tail: /usr/ports/math/sage/work/sage-5.9/logs/pkgs/*.log: No such file or 
directory

The build directory may contain configuration files and other potentially
helpful information. WARNING: if you now run 'make' again, the build
directory will, by default, be deleted. Set the environment variable
SAGE_KEEP_BUILT_SPKGS to 'yes' to prevent this.

gmake: *** [build] Error 1
*** [do-build] Error code 1

Stop in /usr/ports/math/sage.
*** [build] Error code 1

Any suggestions?


-- 
Michael Gass
mg...@csbsju.edu 
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: Disable build new pkg format in poudriere

[Michael Powell]

C. L. Martinez wrote:

> HI all,
> 
>  I need to build some packages without using new pkg format. I would
> like to accomplish this using poudriere, but is this possible?? Or do
> I need to use another package builder??
> 
>  I have tried to build rsync, but when I try to install, this error is
>  returned:
> 
> tar: +CONTENTS: Not found in archive
> tar: Error exit delayed from previous errors.
> pkg_add: tar extract of
> /poudriere/data/packages/fbsd91_amd64_legacy-default/All/rsync-3.0.9_3.txz
> failed!
> pkg_add: unable to extract table of contents file from
> '/poudriere/data/packages/fbsd91_amd64_legacy-
default/All/rsync-3.0.9_3.txz'
> - not a package?
> 
>  In make config file:
> 
> WITH_PKGNG=no
> WITHOUT_X11=yes

Try  WITHOUT_PKGNG=yes and see if it helps.

-Mike


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: Max top end computer for Freebsd to run on

[Michael Powell]

Al Plant wrote:

> James wrote:
>> Several modest servers applied well will take you further than one big
>> iron—and for less cost.
> 
> James I agree. I have witnessed the benefit of what you say. Putting
> your faith in one big server can be a problem if the box fails,
> especially hardware failure.
> 
> Keeping a spare server in a rack that can be switched in to service
> quickly can save you if one dies. Time (waiting for parts), most
> failures are hardware if your running FreeBSD. Even most Linux boxes.
> 

There are 2 approaches, and applying both together is what I favor. Scale up 
(vertical) is a horsepower per box kind of thing. Scale out (horizontal) 
adds more of the same kind of box(es) in parallel. The resulting redundancy 
will keep you up and online.

Sizing matters somewhat. Having excess horsepower that sits unused is extra 
money spent on one box that could have been applied to scale out redundancy. 
If you can size one machine to match your current and projected workload, 
then if there are two, or more, of these and one fails the remaining can 
shoulder the load while you get the broken one back up.

Where the balance point is struck will depend on workload. Let's say 
(hypothetical) one box as a web/database server can handle 1,000 
connections/users per second within desired latency and response time. If a 
spike in demand suddenly comes that box will slow to a crawl (or even fall 
over) as it tries to keep up, as it is lacking the extra horsepower overhead 
that would otherwise be sitting idle if it did. Scaling out (horizontally) 
by adding more boxes will distribute this spike across multiple machines and 
remain within the desired processing response/latency time so together they 
can handle 2,000 when the need is present. Need another 1,000? Add another 
box, and so on.

So the trick is to understand your workload. Don't go overboard on just one  
huge high-power machine which sits mostly idle and takes you offline if it 
fails. Spend the money on more moderately sized boxen. Me, I like to have at 
least 3 of everything (if I can) such that they are sized so that 2 of them 
together can easily handle the desired load. The third one is for redundancy 
and the 'what-if' spike in demand.

Another advantage here is you can take one offline for updates, then put it 
back online and test it out for problems. If there is no problem then you 
can take one of the other two down and update it. This way you can do 
updates without your service being offline. But the trick is still to 
understand your specific workload first, then spread the money around 
accordingly.

-Mike


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Should I move to amd64 ?

[Michael Gass]

I am currently using a 9.1-RELEASE with an i386 install.
The hardware is a core 2 duo with 2 GB of RAM.  My video card 
is an ati radeon hd 2400 xt. Things work fine.

Would I gain anything by starting over and doing an AMD64 install
or would that be a bad idea?  Would my system perform better, worse, 
or the same after the change? I may eventually bring the memory up
to 4GB, but not anytime soon.

I understand some ports my not work - like WINE - but I do not use
WINE. Would there be other problems?

-- 
Michael Gass
mg...@csbsju.edu 

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Should I move to amd64 ?

[Michael Gass]

I am currently using a 9.1-RELEASE with an i386 install.
The hardware is a core 2 duo with 2 GB of RAM.  My video card 
is an ati radeon hd 2400 xt. Things work fine.

Would I gain anything by starting over and doing an AMD64 install
or would that be a bad idea?  Would my system perform better, worse, 
or the same after the change? I may eventually bring the memory up
to 4GB, but not anytime soon.

I understand some ports my not work - like WINE - but I do not use
WINE. Would there be other problems?

-- 
Michael Gass
mg...@csbsju.edu 
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: "swap" partition leads to instability?

[Michael Sierchio]

On Sun, May 26, 2013 at 6:17 PM, Adam Vande More wrote:


>
> Normal dynamic wear leveling on a modern SSD will be better than
> imposing an FS- backed swap for 4GB partion occupying a small fraction
> of total drive space.
>
>
Quite so.

- M
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: BSD sleep

[Michael Sierchio]

On Tue, May 28, 2013 at 4:45 PM, Joshua Isom  wrote:


> You think it's trivial until you read this:
>
> http://infiniteundo.com/post/**25326999628/falsehoods-**
> programmers-believe-about-time
>
>
Some days have 86400 seconds, some have 86401.  There is a provision for
two leap seconds to be applied at once, but that hasn't ever happened.
 Still, a truly correct clock, set to UTC, might someday read

23:59:59
23:59:60
23:59:61
00:00:00

How many seconds did that hour have?
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: Case sensitive usernames and sendmail - mystic voodoo

[Michael Sierchio]

On Sun, May 26, 2013 at 6:17 PM, Polytropon  wrote:
>
> On Sun, 26 May 2013 18:44:41 -0600, Modulok wrote:
> > I know usernames are case-sensitive, I thought emails were
> > too.
>
> If I remember e-mail basics correctly: No. They're not.
> For example, f...@example.com, f...@example.com and f...@example.com
> and all upper/lowercase variations are the same as f...@example.com.
>

You remember incorrectly ;-)

The local part of an address (before the @ sign) is case-sensitive (with
the exception of postmas...@example.com)

Everything to the right of the @ is indeed case insensitive, but everything
to the left might be case sensitive, depending on local policy.  This means
you must preserve the case of everything to the left of the @ sign.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: "swap" partition leads to instability?

[Michael Sierchio]

The Intel SLC mSATA drives I use in embedded devices don't support TRIM,
but - it doesn't seem to matter.  Actually, I'm confident that just using
bare partitions for swap is fine, and I haven't had any of the trouble I
witnessed with MLC devices.  The difference is that the size is limited to
under 32GB.

- M


On Sun, May 26, 2013 at 4:32 PM, Warren Block  wrote:

> On Sun, 26 May 2013, Polytropon wrote:
>
>  On Sun, 26 May 2013 16:09:06 +0700, Erich Dollansky wrote:
>>
>>> Hi,
>>>
>>> On Sun, 26 May 2013 01:58:32 -0700 (PDT)
>>> "M. V."  wrote:
>>>
>>>  I have a 24/7 network server/gateway with FreeBSD-8.2 on a SSD drive.
 it's partitioned as normal (/ , /tmp, /var , /usr and swap) for a
 long time now. But recently I heard from a FreeBSD expert that I
 shouldn't have swap partition for my server, and having swap
 partition could make my server unstable. this was so strange for me,
 and I searched a lot but couldn't find a reason for this claim.

  because it is a false claim. I never ever have had any system with
>>> working hard, that gave a problem because of the swap space.
>>>
>>
>> I think the "problem" here is that he's using a SSD.
>> As soon as the swap partition is being in heavy use,
>> which means it receives many writes, this may lead
>> to the SSD "wearing out", decreasing its lifetime.
>>
>
> Another problem with SSDs is that they can have difficulty with wear
> leveling.  This is even worse with swap because there is no way to use TRIM
> to tell the SSD about blocks that have been freed.
>
> The workaround is a swapfile on UFS with TRIM enabled.  It works fine, and
> even better when you update the rc scripts for shutdown.
>
> Here's an article on setup:
> http://www.wonkity.com/~**wblock/docs/html/ssd.html
>
> And here is the PR with a patch:
> http://www.freebsd.org/cgi/**query-pr.cgi?pr=bin/168544
>
> __**_
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/**mailman/listinfo/freebsd-**questions
> To unsubscribe, send any mail to "freebsd-questions-**
> unsubscr...@freebsd.org "
>
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: file corruption solution (soft-update or ZFS)

[Michael Sierchio]

On Thu, May 23, 2013 at 5:33 AM, Warren Block  wrote:

> ..

>  One thing mentioned earlier is that ZFS wants lots of memory.  4G-8G
> minimum, some might say as much as the server will hold.
>
>
Not necessarily so - deduplication places great demands on memory, but that
can be satisfied with dedicated cache devices (on SSD for performance and
safety reasons).  Without dedup, the requirements are more modest.

Softupdates guarantee metadata consistency, but do nothing to address data
integrity. ZFS has copy-on-write semantics (which solve a problem that even
hardware RAID can't), and end-to-end checksums to detect/prevent data
corruption (large drives will have uncorrectable bit errors over their
lifetime).

- M
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: setup journaling for root partition

[Michael Sierchio]

On Wed, May 22, 2013 at 10:53 PM, s m  wrote:

> thanks Michael for your quick reply:)
> yes, i can boot from usb freebsd flash and use fixit mode.
> i have root, var, tmp, usr and swap on my system. i create an extra swap
> partition to use it as journal provider for root partition.
>
> in fixit mode, first i run two below command in order to abel load
> gjournal:
>
> ln -s /dist/lib /lib
> ls -s /dist/boot/kernel /boot/modules
>
> then
> "gjournal load"
>
> and after that: "gjournal label -f ad3s1a ad3s1g" (ad3s1a is root
> partition and ad3s1g is swap partition for journal provider)
>
> but this error is shown:
> "gjournal cannot clear metadata on ad3s1a: operation not permitted"
> what is wrong here??? i really don't know how to fix it:
>

Try using -v to get more verbose output.  I am at a loss here, too.
 Perhaps you can try

gjournal load
dd if=/dev/zero of=/dev/ad3s1g bs=1m
gjournal clear -v ad3s1a
gjournal label -vf ad3s1a ad3s1g

and see what it says, if anything.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: setup journaling for root partition

[Michael Sierchio]

On Wed, May 22, 2013 at 10:27 PM, s m  wrote:

> thanks Michael, but in all documentation about journaling, tunefs is used
> as below: "tunefs -J enable ad3s1X.journal". ad3s1X.journal is created by
> gjournal command: "gjournal label ad3s1a ad3s1g" that assign ad3s1g as
> journal provider for ad3s1a and create ad3s1a.journal which contains ad3s1a
> as data provider and ad3s1g as journal provider.
>
> my problem is, i can not run gjournal command for root partition in fixit
> mode nor single user mode. you mean, i should just use tunefs command on
> ad3s1X (root partition)? if yes, then where journal provider for root
> partition is located? in root partition?
>
>
Ah, sorry -  lack of careful reading on my part.  Can you boot from
installation media and use the fixit mode?  This still won't work if the
last sector of the partition is in use by the filesystem  You'll need a
spare partition of some size to be the journal provider, as in the example.

The very best approach is to create a gjournal and then newfs.  How is your
disk organized?  One big root partition with everything on it?

- M
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: MySQL hangs server completely

[Michael Ross]

On Wed, 22 May 2013 15:52:45 +0200, Alejandro Imass   
wrote:



Hi,

We've been having this problem with a customer for a while and it
seems that some funky query makes MySQL use 100% of CPU. Nevertheless,
even though you can see in top that it's only 1 CPU in 100% (out of 8)
the server eventually becomes useless and stops responding completely.

So my question is, how does a user process hang the whole server? What
system resources could MySQL be draining to make the server stop
responding completely?



In laymans terms - can't do better - MySQL racing itself to obtain a (  
table | memory | file ) lock?


I know I can death-stall the MySQL server at a customer's site if I give  
it a big enough query ( like, DROPping a table, recreating it and pushing  
backup data inside ) while cron's hourly backup-dump is running on the  
database. Just the MySQL server, the machine itself hasn't stalled yet -  
but I'm sitting at the console while doing this, so I don't know what  
would eventually happen if I'd let it sit for a while.



Regards,

Michael
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: setup journaling for root partition

[Michael Sierchio]

On Tue, May 21, 2013 at 10:14 PM, s m  wrote:

> thanks guys for your attentions.
>
> i want to setup journaling in FreeBSD 8.2. i compare soft-update and
> journaling and choose journaling (it is more suitable for my goals).
>
> i want to enable journaling for all my partitions. i can do it for all
> partitions except root in single user mode. i can not do it for root
> because i can not unmount root in single user mode.
>
>
No, but you don't need to.  In single user mode, root is mounted read-only.
 You can run tunefs on the root fs device.

- M
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: setup journaling for root partition

[Michael Sierchio]

On Tue, May 21, 2013 at 8:20 AM, Warren Block  wrote:

On Tue, 21 May 2013, Arthur Chance wrote:
>
>  On 05/21/13 15:46, Michael Sierchio wrote:
>>
>>> AFAIK Softupdates journaling still breaks snapshot functionality - which
>>> makes it unusable for me. I wouldn't assume that the O.P. doesn't want we
>>> he's asking for.
>>>
>>
>> Good point, I'd forgotten that problem as I don't use UFS snapshots. I
>> can imagine it would be a killer for some people.
>>
>
> It is, especially if you use dump/restore.
>

Or tarsnap (which is what we use for backups here), or... there are many
use cases for snapshots.

- M
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: setup journaling for root partition

[Michael Sierchio]

AFAIK Softupdates journaling still breaks snapshot functionality - which
makes it unusable for me. I wouldn't assume that the O.P. doesn't want we
he's asking for.

- M


On Tue, May 21, 2013 at 7:42 AM, Arthur Chance  wrote:

> On 05/21/13 12:43, saeedeh motlagh wrote:
>
>> thanks Julien, but i think it's not true. man page for newfs seys that
>> journaling is done via gjournal and in freebsd handbook it says do
>> journaling with gjournal for UFS file system.
>>
>> you mean i should create a partition and just enable journaling for it
>> with
>> -J flag?
>>
>> i think my problem is, my gjournal can not act correctly in fixit mode
>> because i can load it in single user mode and every thing is ok but in
>> fixit mode, i can not load it and all commands return errors.
>>
>> please help me to make a journal for my root:(((
>>
>
> Look more carefully at the newfs man page. Option -J (upper case) is
> gjournal type journalling, option -j (lower case) is native UFS soft update
> journalling. It's the latter one you want.
>
> This is on RELEASE-9.1 though. What version are you on?
>
> --
> In the dungeons of Mordor, Sauron bred Orcs with LOLcats to create a
> new race of servants. Called Uruk-Oh-Hai in the Black Speech, they
> were cruel and delighted in torturing spelling and grammar.
>
> _Lord of the Rings 2.0, the Web Edition_
>
> __**_
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/**mailman/listinfo/freebsd-**questions
> To unsubscribe, send any mail to "freebsd-questions-**
> unsubscr...@freebsd.org "
>
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: setup journaling for root partition

[Michael Sierchio]

On Mon, May 20, 2013 at 10:59 PM, s m  wrote:

> hello everybody
>
> i want to setup a journal partition for my root partition. but i do not
> know how to do that. in FreeBSD handbook, it is done in single user mode,
> unmount the desired partition and assign the journal partition to it. i
> test this procedure and it is done for /usr partition but for root
> partition, it can not be unmount in single user mode.
>
>
See the man page on gjournal

 To configure journaling on the UFS file system using gjournal, one
should
 first create a gjournal provider using the gjournal utility, then run
 newfs(8) or tunefs(8) on it with the -J flag which instructs UFS to
coop-
 erate with the gjournal provider below.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: How to get kernel source code of free-BSD release 9.1

[Michael Powell]

Chou, David J wrote:

> Hi,
> 
> I  have created a virtual machine of PC-BSD release 9.1 64 bit in VMware
> Player Version 5.0.0 build-812388 based on PCBSD9.1-x64-DVD.iso downloaded
> from ftp://mirrors.isc.org/pub/pcbsd/9.1/amd64/PCBSD9.1-x64-DVD.iso , and
> setup network configuration and installed Firefox 20.0 by AppCafe, and
> configured the network setting in Preference->Advanced of Firefox, and I
> could  access Internet.
> 
> Now I need to build my own customized kernel, but there is no src
> subdirectory in /usr, so here is my question:
> 
>   1.  Is there any way to install kernel source when I create the  virtual
>   machine from PCBSD9.1-x64-DVD.iso ?

Not sure about PCBSD as I haven't used it, but with regular FreeBSD I 
believe you can by selecting the appropriate package distribution group. 
Been a while since I've done an install, but even so the source will be the 
static RELEASE bits and not contain any security updates.

>   2.  Any BKM to get the kernel source after the Virtual Machine already
>   created as my case now?

Yes - install the devel/subversion port. Go ahead and create the src 
directory under /usr. Then do:

svn checkout svn://svn.freebsd.org/base/releng/9.1 /usr/src

Once having checked out you can then issue a svn update /usr/src command to 
pull in security updates as they become available over time.

There are also two US mirrors available such as:

svn checkout svn://svn0.us-east.freebsd.org/base/releng/9.1 /usr/src
svn checkout svn://svn0.us-west.freebsd.org/base/releng/9.1 /usr/src

I have used the us-east one. There is also a project underway to add in to 
base an 'svnup', similar in scope to how csup replaced cvsup to make it 
easier in the future.

I believe freebsd-update is also a possibility but I have no experience with 
it. At any rate, more details can be found in the Handbook.

-Mike


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: problems with port upgrade consistency using portsnap

[Michael Powell]

fddi wrote:

[snip]
> 
> so ther is something wrong in my crontab
> 
> 0 3 * * * /usr/sbin/portsnap -I cron update && pkg_version -vIL=

See man portsnap, section TIPS - it shows example of correct way:

0 3 * * * root /usr/sbin/portsnap cron

The TIPS section contains more details.

[snip]

-Mike 


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: List Spam Filtering

[Michael Ross]

On Thu, 09 May 2013 02:26:26 +0200, Julian H. Stacey   
wrote:



Hi questions@ ( spammer not cc'd )

Reference:

From:   Aaron Seligman 
Reply-to:   aselig...@altitudedigitalpartners.com
Date:   Wed, 08 May 2013 18:59:07 + (UTC)
Subject:Re: Display & Video Campaigns-Inventory Needed
Message-id: <1368039547.0568389241738...@mf7.sendgrid.net>



Happy hump-day,

We have an opportunity with an RTB partner to monetize

INT Geo's; UK, CAN, AUS

Video: (Pre-roll, mid-roll and post-roll)



If list write access was changed to Subscribers Only:
  - List could silently discard such spam.
  - Postmaster@  (& webmaster@ weeding web archives) would have less  
work.
  - Less individual need to select spam phrases to copy to personal  
filters
(& less time searching WTF dialect American above meant in English  
;-).


Newbies would be told "subscribe before posting" in all of:
/etc/motd
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
Automatic list bounce response.
Only clueless, lazy, & spammers might be lost. A net gain.

Cheers,
Julian



I'm curious how much spam you get through this list.

Just counted, and I have about 2 Spams per week for the last month,
that's more than usual.


Regards,

Michael
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

ls(1), rm(1) - No such file or directory even though they are there.

[Michael Bird]

Hi List,

There is a rather curious problem that I have, which I haven't encountered 
before.
I make regular backups of my packages and put them onto an external usb drive,
which is mounted read/write via sysutils/fusefs-ntfs.


Now these backups don't exist no more and at the same time they are there. That 
is to say, upon issuing ls and/or rm on the command line I get rather strange 
results. 
Here are some of my outputs:


mike@machine1:/mnt/Programs/FreeBSD/91binaries/packages % ls
[a long list that has been cut out]
zip-3.0.tbz
mike@machine1:/mnt/Programs/FreeBSD/91binaries/packages % ls zip-3.0.tbz 
ls: zip-3.0.tbz: No such file or directory

Some have files that (don't) exist have i-nodes and some haven't:

mike@machine1:/mnt/Programs/FreeBSD/91binaries/packages % ls -i zip-3.0.tbz 
ls: zip-3.0.tbz: No such file or directory
mike@machine1:/mnt/Programs/FreeBSD/91binaries/packages % ls -i 
linux-f10-tiff-3.8.2.tbz 
2469 linux-f10-tiff-3.8.2.tbz

Running rm on the folder I get "No such file or directory" for every single 
entry:

mike@machine1:/mnt/Programs/FreeBSD/91binaries/packages % rm *
[a long list that has been cut out]
rm: linux-f10-tiff-3.8.2.tbz: No such file or directory

Yet again some of the files can be test via gzip and some can't:

mike@machine1:/mnt/Programs/FreeBSD/91binaries/packages % gzip -t 
linux-f10-tiff-3.8.2.tbz
mike@machine1:/mnt/Programs/FreeBSD/91binaries/packages % echo $?
0
mike@machine1:/mnt/Programs/FreeBSD/91binaries/packages % gzip -t zip-3.0.tbz 
gzip: can't stat: zip-3.0.tbz: No such file or directory
mike@machine1:/mnt/Programs/FreeBSD/91binaries/packages %


Looks like the this part of the file system is corrupt. I also booted the drive 
up under 
Windows and got the same result. The files are there, but can't be read, 
overwritten
or deleted.


What does the list say about the above mentioned?

Michael
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: enter single user mode from boot menu

[Michael Sierchio]

On Sun, Apr 28, 2013 at 4:04 PM, Polytropon  wrote:


>
> After the BTX loader has started, keep hammering the space
> bar. :-)
>
> At some point, you'll see the
>
> Ok
> _
>
> prompt. This is where you enter the command
>
> boot -s
>
> to go into single-user mode. The kernel will load as you would
> expect, but no further action (rc.d startup) will be taken. Instead
> you have to confirm the shell (/bin/sh by default) by pressing
> enter at the
>
> When prompted Enter full pathname of shell or RETURN for /bin/sh:
>
> prompt; and then you're left at the
>
> # _
>
> prompt, which means you're in single user mode. Type "exit" to
> start into multi-user mode as usual.
>
>
In single user mode, the root filesystem will be the only one mounted, and
it will be mounted read-only.

If you need to make changes (Correcting a fat-fingered edit to /etc/fstab,
for example), you'll need to mount root rw.

mount -u -o rw /

is the minimal command to do that.  You might also find it easier to mount
/tmp and /var if they're separate filesystems... YMMV, etc.

- M
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: Home WiFi Router with pfSense or m0n0wall?

[Michael Powell]

Michael Powell wrote:

> [snip]
>>> Are you saying that any WPA2 key can be cracked or or you simply
>>> referring to weak keys?
>> 
>> I would also like to specifically if it's for weak keys or are all
>> WPA2 personal keys crackable by brute force. Also is WPA2 Enterprise
>> as weak also. Could anyone expand on how weak is WPA2 and WPA2
>> Enterprise or is this related to weak PSKs only??
>> 

Oh, and BTW was going to include this in the last and forgot:

http://www.aircrack-ng.org/doku.php?id=cracking_wpa

-Mike




___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: Home WiFi Router with pfSense or m0n0wall?

[Michael Powell]

Arthur Chance wrote:

[snip]
>> What I was pondering is some form of L2TP tunnel, or some other form of
>> IPSEC tunnel to form some kind of VPN like communication between the
>> client and the wifi. Just never have begun to find the time to get
>> anywhere with the idea. But basically it would resemble a VPN that only
>> accepts connection from a tunnel endpoint client and not pass any traffic
>> from any other client lacking this VPN-like endpoint. I think such a
>> thing is very possible and have read some articles by people who have
>> done very similar sounding things. Indeed, this is what SSL-VPN providers
>> do via a subscription service so people surfing at open wifi coffee shops
>> tunnel through the local open wifi and setup an encrypted VPN tunnel.
> 
> A quick note: pfSense (I don't know about m0n0wall) has OpenVPN built in
> to it. Depending on whether all devices which are going to connect
> wirelessly can run the client end of OpenVPN, this might be a quick way
> to get greater security on the WiFi side.
> 

This is along the lines of what I was thinking. I am my own CA and can 
generate certs that no one else has the private keys to. The problem with 
buying certs from a provider is the gov't has access to the private keys on 
demand. This was mandated back during the Clinton administration for the
US. I do things like turn password auth off on my SSH and only auth via 
certs. Extending this to other 'connectivities' is a way to make it harder 
for those with no approved cert to get in.  

The pairing of firewall and OpenVPN together sounds interesting. Will 
definitely check it out. Thanks for the pointer!

-Mike


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: Home WiFi Router with pfSense or m0n0wall?

[Michael Powell]

Alejandro Imass wrote:

[snip]
>>> Most consider the answer to use WPA2, which I do use too. Many think
>>> it is 'virtually' unbreakable, but this really is not true; it just
>>> takes longer. I've done WPA2 keys in as little as 2-3 hours before.
>>
>> Are you saying that any WPA2 key can be cracked or or you simply
>> referring to weak keys?
> 
> I would also like to specifically if it's for weak keys or are all
> WPA2 personal keys crackable by brute force. Also is WPA2 Enterprise
> as weak also. Could anyone expand on how weak is WPA2 and WPA2
> Enterprise or is this related to weak PSKs only??
> 

I'm just a lowly sysadmin and not any kind of crypto expert.  The problem is 
time and horsepower. While a ridiculously easy key of say 4 characters that 
is not salted may be doable on a PC, once you start to get to 8-9 characters 
or more the time it takes begins to get huge fast. It's a matter of can you 
tie up the resource long enough to wait it out. Throw salting into the mix 
and it gets longer again. 

What I do at home is concatenate 2 ham radio call signs of friends that I 
can remember. Then I sha256 that and select from the end backwards 15 
characters. This won't actually defeat the inherent weakness of using a pre-
shared key, but it will take longer for a simple brute force. You should 
also throw in additional characters from your character set beyond just 
alpha/numerics.

Also, my little tinkertoy i5-3570K overclocked up to 4.5GHz is just that - a 
toy. I can use it to generate a trace file, which I then take to work and 
replay it using a z196 when they occasionally allow me to play for bit.  I 
also have rainbow tables and dictionary word-lists pregenerated for 
cheating. Another thing people are playing with is stuffing 4 high end video 
cards in a box and using them for computation. This enhances the PC platform 
beyond just using the CPU. There are also people doing this "in the cloud". 
And they will rent you compute time for a fee.  :-)

The pre-shared key is the weakest as compared to Enterprise. Enterprise WPA 
is stronger because it is a user account based system which authenticates 
using 802.1x via a Radius server. You can even assign certificates to user 
accounts and if they don't have the cert on the client they are trying to 
connect with, it won't. Throw Kerberos re-ticketing into the mix adds 
another layer to the onion. I seem to think recalling something about 
Kerberos re-ticketing something like every 900 seconds, or something like 
that. Switches and other network equipment that supports 802.1x can also 
filter out traffic that is not authorized.

Bottom line is Enterprise is better than a simple pre-shared key. But it 
involves radius, dns/dhcp, windows domain controllers, active directory, a 
PKI infrastrucure and access points that are designed for use in this 
environment (and they cost more). So while it may be more secure than a 
simple pre-shared key, it is simply not practical for the home user as they 
won't have all the 'other' resources required to utilize it.

-Mike


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: Home WiFi Router with pfSense or m0n0wall?

[Michael Powell]

Alejandro Imass wrote:

> On Mon, Apr 22, 2013 at 3:45 PM, Michael Powell 
> wrote:
>> Alejandro Imass wrote:
>>
>>> [...]
>>>
>>>> Really these WEP/WPA2 protocols are not providing the level of
>>>> protection that is truly necessary in this modern day. You can keep out
>>>> script kiddies and people who don't have skill, but people who know
>>>> what they are doing are only slowed down.
>>>>
>>>
>>> Thanks for the detailed explanation! So, are there ways to run a
>>> secure WiFi network? It would seem that in my case I have neighbours
>>> that know what they're doing so should I just forget about WiFi go
>>> back to UTP?
>>>
>>
>> We use 802.1x auth on our switch (and other hardwares) ports at work and
>> this utilizes a Radius server. At work we are mostly a $MS WinderZ shop,
>> but with Enterprise grade access points (we have Aruba's), EAP, and
>> Radius we
> [...]
>>
>> This email is already getting a trifle long, so suffice to say if you
>> really need the best security on a home ISP router the best you can do is
>> turn off the radio and use Ethernet and UTP. This returns to the original
>> focus of your question in that the firewall would be the point of
>> contention and not the cracking of WEP/WPA2 auth keys. What I was wanting
>> to point out to you originally is that changing the firewall is a
>> separate issue from the cracking of Wifi auth keys.
>>
> 
> I absolutely got that but I was assuming that a pre-packaged WiFi
> router with pfSense or m0n0wall would have a more secure wireless
> hardware and software as well. Now I see the problem is more complex
> and that the wireless part is vulnerable regardless. So if by cracking
> the wireless part they can spoof the mac addresses of authorized
> equipment, what other methods could a BSD-based firewall use to
> prevent the cracker from penetrating or using the network beyond the
> WiFi layer? From your response it seems very little or nothing
> really...
> 
Yes - unfortunately this is about the state of things. Not a whole lot 
you're going to do to improve the consumer grade home router. There are some 
hardware specific firmware projects that I've never played with such as: 

http://www.dd-wrt.com/site/index  

The pre-packaged home equipment is relatively cheap when compared against 
the top of the line enterprise-grade commercial products. Most are some form 
of embedded Linux. For example, the MI424WR-Rev3 I have here is busybox ( 
http://www.busybox.net/ ). If you turn on remote management and telnet into 
it you get a busybox prompt! With a busybox shell and all busybox commands. 
The firewall many of these embedded Linux things are using is iptables2, the 
standard linux firewall package. 

What I was pondering is some form of L2TP tunnel, or some other form of 
IPSEC tunnel to form some kind of VPN like communication between the client 
and the wifi. Just never have begun to find the time to get anywhere with 
the idea. But basically it would resemble a VPN that only accepts connection 
from a tunnel endpoint client and not pass any traffic from any other client 
lacking this VPN-like endpoint. I think such a thing is very possible and 
have read some articles by people who have done very similar sounding 
things. Indeed, this is what SSL-VPN providers do via a subscription service 
so people surfing at open wifi coffee shops tunnel through the local open 
wifi and setup an encrypted VPN tunnel. 

Just not enough time in the day. I know it's do-able, just never have found 
the time to properly approach it.

-Mike



___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: Home WiFi Router with pfSense or m0n0wall?

[Michael Powell]

Alejandro Imass wrote:

> [...]
> 
>> Really these WEP/WPA2 protocols are not providing the level of protection
>> that is truly necessary in this modern day. You can keep out script
>> kiddies and people who don't have skill, but people who know what they
>> are doing are only slowed down.
>>
> 
> Thanks for the detailed explanation! So, are there ways to run a
> secure WiFi network? It would seem that in my case I have neighbours
> that know what they're doing so should I just forget about WiFi go
> back to UTP?
> 

We use 802.1x auth on our switch (and other hardwares) ports at work and 
this utilizes a Radius server. At work we are mostly a $MS WinderZ shop, but 
with Enterprise grade access points (we have Aruba's), EAP, and Radius we 
can extend our network Kerberos out through the wifi realm. Without going 
into details ( way too much/many for the scope here) I basically have an 
almost completely locked network which just won't allow a device on it that 
it doesn't recognize. It is a pain, and not perfect either by any stretch. I 
have more problems with printers as a result than anything else.  I do have 
to keep an open Internet access for visitors to use, but it is separated 
from our main network with no path between the two.  :-) 

This does provide better security when compared to what consumers are 
running at home. It is much more complex and requires expensive equipment. 
And even still, a really high-grade Uber hacker might still find a way in. 
We hire pen-tester companies about once a year, and while they haven't found 
any glaring holes there are some "grey" areas that we wonder if a really 
motivated Uber hacker spent enough time on...

I have entertained on and off the idea of getting a wifi card for my FreeBSD 
gateway/firewall box at home to see if I could come up with something more 
resembling something like we have at work. It probably wouldn't be as 
involved, but I do think (FreeBSD as a very _capable_ and flexible OS) 
something could be designed that would inherently be somewhat more secure 
than what I see in the basic ISP home router. I have Verizon's FIOS here 
with an Actiontec MI424WR-Rev 3 router and I think I could do better. The 
alternate provider here is Comcast which mostly seems to be using Motorola 
Surfboard routers, but the bottom line is I don't have any problem cracking 
any of them.

This email is already getting a trifle long, so suffice to say if you really 
need the best security on a home ISP router the best you can do is turn off 
the radio and use Ethernet and UTP. This returns to the original focus of 
your question in that the firewall would be the point of contention and not 
the cracking of WEP/WPA2 auth keys. What I was wanting to point out to you 
originally is that changing the firewall is a separate issue from the 
cracking of Wifi auth keys. 

-Mike
 


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: Home WiFi Router with pfSense or m0n0wall?

[Michael Powell]

Alejandro Imass wrote:

> On Sun, Apr 21, 2013 at 9:52 AM, Michael Powell 
> wrote:
>> Alejandro Imass wrote:
>>
>>> Hi,
>>>
>>> I'm looking to replace the piece of crap 2wire WiFi router that gets
>>> crakced every other day for something with pfSense or m0n0wall
>>
>> Not sure what you mean by 'cracked' here. If you are meaning that someone
>> is using aircrack-ng to break your Wifi authentication key a firewall
>> won't do much to stop this.
>>
> 
> I use mac address authentication plus wpa2 psk and yet they are still
> able to connect so it seems that 2Wire's routers are an insecure piece
> of crap and they are full of holes and back-doors. Just google 2wire
> vulnerabilities or take a look at this video
> http://www.youtube.com/watch?v=yTtQGPdSIfM

With Kismet able to place a wifi unit into monitor mode you can quickly get 
a list of everything in the vicinity, including all the MAC addresses of 
devices connecting the various access points.  You can then clone your 
unit's MAC address to match one in the list. Even though I do use it, MAC 
access lists are very easy to get around and will only stop those who do not 
know how to do this.

Even in passive mode, without using active attack to speed things up I can 
crack a WEP key in 45 minutes easily. Doing this passively doesn't expose 
you. The time it takes depends on how busy the access point is. An active 
attack can break WEP in 2-3 minutes, or less. I've seen it done between a 
minute and a minute and a half.

Most consider the answer to use WPA2, which I do use too. Many think it is 
'virtually' unbreakable, but this really is not true; it just takes longer. 
I've done WPA2 keys in as little as 2-3 hours before. 

> Look at how many ISPs world-wide use 2wire. Makes you wonder if ISPs
> use these crappy routers on purpose to get some more revenue from cap
> overruns.
> 

Really these WEP/WPA2 protocols are not providing the level of protection 
that is truly necessary in this modern day. You can keep out script kiddies 
and people who don't have skill, but people who know what they are doing are 
only slowed down.

The ISPs are seemingly more interested and concerned with protecting Big 
Media Content's DRM schemes. They have a monetary stake as they move in the 
direction of deals with 'Big Media', less so the incentive to do more for 
their retail Internet-access customer. And don't even me started on the 
advertising industry run-amok.   :-)

-Mike



___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: Home WiFi Router with pfSense or m0n0wall?

[Michael Powell]

Alejandro Imass wrote:

> Hi,
> 
> I'm looking to replace the piece of crap 2wire WiFi router that gets
> crakced every other day for something with pfSense or m0n0wall

Not sure what you mean by 'cracked' here. If you are meaning that someone is 
using aircrack-ng to break your Wifi authentication key a firewall won't do 
much to stop this.


-Mike
[snip]


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: pwd.db/spwd.db file corupption when having unsafe system poweroff

[Michael Powell]

Tak Tak wrote:

> hi everyone,
> 
> i wanna know what exactly happens for freebsd files and processes,
> when we shutdown system via pressing hardware power key for 3 seconds?
> 
> here's what has happened to me, recently:
> i've faced a strange problem.. on one of my bsd servers, one of my
> coworkers had defined and edited some system users, and then, instead
> of safe shutdown, he kept pressing power-button for 3 seconds!..
> after next startup, we couldn't login anymore! we had to replace
> pwd.db and spwd.db files, via bootable-freebsd Fixit mode, and then,
> everything was fine!
> 
> we know that we are, for sure, better to use safe shutdown, but i
> can't guarantee it always happens. what if sudden power off makes same
> problem??so i can't leave my servers in such situations..
> 
> My questins are:
> what has happened exactly? just in-used corrupted files ??
> is there any way to prevent this situation? (instead of  having a
> read-only FS.. i can't apply it on this server for now..).
> 
> i'm sorry if my question seems dummish! i'm trying to increase my bsd
> knowledge, but i'm just on my way..
> 
> for sure, i appreciate any ideas or answers :)

At the risk of illustrating what I'm fuzzy on, possibly those with more in-
depth skill can fill in the blanks or tidy up some with more accurate and 
complete details.

Pressing the power button for 4 seconds as described is invoking the ACPI 
layer to stimulate call(s) down to the system BIOS. Whatever is set in the 
BIOS wrt to power control and various power-savings modes are passed through 
the ACPI layer. The problem with this is the acpi module in FreeBSD may, or 
may not, be a perfect implementation for every possible piece of hardware in 
existance. The piece of that which really concerns me are individual 
manufactuer BIOS quirks can be just enough 'off' so as to misbehave even when 
the FreeBSD acpi implentation is basically sound. The jist of this is (IMHO 
here - YMMV) is I consider it a bad procedure to turn off a server as you've 
described. Use the shutdown command properly instead. I would never do what 
your coworker did to any of my servers. Caveat being sometimes you have no 
other choice but to do a hard power-down. A hard power-down is done by using 
the switch on the power supply, and not using the ACPI/BIOS from pressing 
the power switch on the front.

When you do have an 'uh-oh' like this, FreeBSD normally boots back into an 
unclean file system with corresponding whinings and complaints about how the 
file system(s) were not properly dismounted. Normally a background fsck 
ensues after 60 seconds of idle. In your case whatever files were left open 
and not properly closed this background fsck, had it been allowed to run and 
complete, would have cleaned this up. The problem starts when someone 
presses the power off button again, and again, before this process completes. 
Using the power button ACPI/BIOS only compounds this situation.

I have had at one time or another, power failures that occurred almost back 
to back, only with a few minutes in between. So what happened was on first 
boot after power came back the power went down again right in the middle of 
this background fsck. Two more of these and my file system(s) were in pretty 
not-so-good shape. Luckily I was running gmirror and one of the drives was 
consistent. So the mirror got rebuilt from the drive with the consistent 
file system automagically (takes a while), then the system continued to 
boot, and then the background fsck finally kicked in. Gmirror saved my bacon 
here. Journaling is also supposed to provide similar error recovery 
features. I've had this happen twice on 2 different boxen. Needless to say, 2 
broken UPS units were scrapped and replaced as a result.

I would recommend you do NOT use the power button as you described above. 
Period. In any event pay particular attention to that very first boot after 
an 'uh-oh' power off event. Look at top and watch for the background fsck to 
kick off and complete, returning the machine to quiescent state BEFORE you do 
ANYTHING else to it. This includes pressing the button on the front.

Just my $.02 - but I've had a couple of experiences like this and survived 
them successfully by doing things my way.

-Mike
   


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: EC2 Instances Future

[Michael Sierchio]

I have constructed several AMIs.  If I get a sense for which flavor of
instance/OS combos are of interest, I can roll a few and make them
available.

- M

On Wed, Apr 10, 2013 at 8:25 PM, Don O'Neil  wrote:
> Have you made any AMI's based on this method? I would love to deploy a
> medium or large instance that isn't subject to the 'tax', but don't really
> know where to start to build one like this.
>
> -Original Message-
> From: owner-freebsd-questi...@freebsd.org
> [mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of Michael Sierchio
> Sent: Wednesday, April 10, 2013 1:05 PM
> To: jflowers
> Cc: freebsd-questions@freebsd.org
> Subject: Re: EC2 Instances Future
>
> I still follow Colin's original pattern of using a minimal "Linux"
> grub boot EBS device (1GB), ext2fs, with the root partition being on another
> (ufs2) EBS device.  This works very well, with a couple of caveats -
>
> - Install e2fsprogs (pkg or port) - you will need it, on occasion when
> modifying the boot device (after mounting rw).
>
> - Kernel upgrades are tricky, so be careful
>
> - Edit /etc/freebsd-update.conf intelligently to prevent unintended
> consequences
>
> Apart from that, I have been running i386 and amd64 instances this way, both
> 8.3 and 9.1, without difficulty (apart from some Xen clock weirdness in
> 8.3).
>
> No Windoze Tax. ;-)
>
> - M
>
>
> On Wed, Apr 10, 2013 at 10:05 AM, jflowers  wrote:
>> Is there anything likely to be available in the future (3 months to a
>> year) to avoid the Windows tax on FreeBSD instances for the smaller
>> (t1.micro, m1.small, m1.medium) types?  I understand the problem but
>> don't find anything much online about a possible solution.  Probably
>> because I don't understand as much as I think.
>>
>> Thanks.
>>
>> --
>> Jim Flowers 
>>
>> ___
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to
> "freebsd-questions-unsubscr...@freebsd.org"
> ___
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
>
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: EC2 Instances Future

[Michael Sierchio]

I still follow Colin's original pattern of using a minimal "Linux"
grub boot EBS device (1GB), ext2fs, with the root partition being on
another  (ufs2) EBS device.  This works very well, with a couple of
caveats -

- Install e2fsprogs (pkg or port) - you will need it, on occasion when
modifying the boot device (after mounting rw).

- Kernel upgrades are tricky, so be careful

- Edit /etc/freebsd-update.conf intelligently to prevent unintended consequences

Apart from that, I have been running i386 and amd64 instances this
way, both 8.3 and 9.1, without difficulty (apart from some Xen clock
weirdness in 8.3).

No Windoze Tax. ;-)

- M


On Wed, Apr 10, 2013 at 10:05 AM, jflowers  wrote:
> Is there anything likely to be available in the future (3 months to a year) to
> avoid the Windows tax on FreeBSD instances for the smaller (t1.micro,
> m1.small, m1.medium) types?  I understand the problem but don't find anything
> much online about a possible solution.  Probably because I don't understand as
> much as I think.
>
> Thanks.
>
> --
> Jim Flowers 
>
> ___
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: When will binary packages be back?

[Michael Powell]

Mike. wrote:

[snip]
> 
> 
> Additionally, for me, building from ports for me has tended to pull in
> many, many X-windows support files when they are not needed.
> 
> Specifically, I run a non-windowing system using command line tools.
> When I tried to compile Samba from ports, I finally killed the 'make'
> stage after three hours of compiling X-windows stuff.
> 
> Nowhere had I ever spcified that the system was running X or any other
> windowing system.  Yet, there it was, three hours of wasted time.
> 

In addition to what Jeff has said, for servers where I do not want any X 
related stuff I place WITHOUT_X11= yes in /etc/make.conf. In addition to make 
config option(s), there may also be some default stuff here and there in the 
Mk files. The make.conf line will short circuit these.

IIRC there may be some exceptions where you need some (a handful or less) of 
some X related packages. Seem to think of things like gd, imagemagick, 
freetype, etc., for PHP kind of things. In these cases, the make.conf line 
will blanket cover most of what you don't want and you can choose make 
config options that will pull in only what you absolutely need without 
starting down the line to everything X-related.

-Mike


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: Recipie for CPU souffle'

[Michael Powell]

Ronald F. Guilmette wrote:

> 
> [[ Mostly, this posting is just a story.  But it does include one
>question, towards the end.  See below. ]]
> 
> Well, I accidentally found what I believe is most likely the reason
> for the system halts I have been having recently, so I just thought
> that I would share that.  It _is_ a bit humorous.  (The mystery system
> shutdowns have _not_ been due to a power issue, it would appear.)
> 
> I just now experienced another episode in which the machine powered
> itself off, as I was working on it, for no apparently good reason.
> 
> Since it was down anyway, I decided that this would be a good time to
> pull out that *&^%$#@ bleedin' new USB 3.0 PCIe card I had recently
> installed... just in case that was causing the problem.
> 
> As I reached in to begin extracting the PCIe card, the tip of one of
> my fingers accidentally brushed up against my CPU heatsink.  I in-
> stinctively yanked it away immediately.  If I had not done so, I
> would probably have gotten a third degree burn.
> 
> I left the system off for a couple of minutes after that... to let it
> cool down a bit before doing anything else... and then I powered it
> back on, checked that the CPU fan was indeed turning (it was) and then
> I went immediately to the BIOS and the PC Heath Status.
> 
> The CPU temperature was listed as being 63c == 145f !!!  And this was
> _after_ I had allowed the system to be powered down for a couple of
> minutes to cool down!!!
> 
> So anyway, the fan turned and I watched the CPU temp slowly inch down
> to something more normal... like in the vicinity of 24c.
> 
> I don't know what to make of this, except to suspect that some loose
> wires inside my case got in the way of the CPU fan turning.  (I am
> not neat like some folks.  The inside of myu case _is_ really rather
> sloppy, so this could easly have happened.)
> 
> I've now installed mbmon and xmbmon and will be watching the CPU temp
> closely for awhile.
> 
> I really wish that one or the other of those tools allowed setting a
> threshold CPU temp, beyond which the tool would emit an ear piercing
> alarm via the motherboard speaker... you know.. in case the regular
> external stereo speakers are turned off.
> 
> 
> What *is* the best way to achieve the above effect, i.e. to arrange
> for the machine to scream for help in case it is getting too hot?
> 
> I don't want it to just die, like it is doing now.  I want it to scream
> so that I can rush over and at least try to do an orderly shutdown.
> 
> 
> 
> 
> Regards,
> rfg
> 
> 
> P.S.  I am loading the system pretty heavily now, and have been for the
> last 20+ minutes, and xmbmon is showing me a nice constant 31c for the
> CPU temp.  So for the moment at least, all is well.
> 
> P.P.S.  I have a (relatively) monster sized heatsink in this system, and
> it sits atop a quite modest 2.7GHz single-core Athlon, so it is not at
> all surprising that the ``stable'' CPU temp is around 30c (86f).

Many old Athlons from the older generation used a thermal pad for heat 
transfer. It was what looked like a little piece of soft plastic almost 
something like a milimeter thick and an inch or so square that would have 
come preapplied to the OEM heat sink which accompanied the CPU in a retail 
box set.

With these processors you cannot just simply smear a lot of thermal grease 
in there as a replacement. Indeed, doing so (not using a thermal pad) voids 
the warranty. Thermal grease works best when it is applied as a very thin 
but evenly distributed  layer and the heat sink is then clamped down very 
tightly so it is in very close contact with the processor. Doing this (using 
just thermal grease in lieu of the pad) leaves a small void or gap through 
there will be little heat transfer.

You might want to confirm that your processor model requires a thermal pad 
and not grease. Then hunt some down and use it instead of thermal grease. I 
seem to recall they were somewhat difficult to locate a place from which to 
purchase. Also the backing paper was darn near impossible to get off without 
destroying it (why the OEM cooler had it pre-applied). So get a few of them 
so you can tear up a couple before you succeed.

-Mike
 


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: Problems with IPFW causing failed DNS and FTP sessions

[Michael Sierchio]

Okay, what's your DNS setup?  Are you running a recursive cache that
contacts the root servers directly?  Using your ISP's servers?  Etc.

As a mitigation step, I tried pointing my caches to 8.8.8.8 and
8.8.4.4. - but it turns out that Google is intentionally blocking
(returning NX responses to) many netblocks right now because they
contain hosts known to be part of the botnet in the DDOS DNS
amplification attack.

I'm mirroring the root zone everywhere I have a cache, and it's helping.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: Problems with IPFW causing failed DNS and FTP sessions

[Michael Sierchio]

net.inet.ip.fw.dyn_short_lifetime ?
net.inet.ip.fw.dyn_udp_lifetime ?

You might want to increase these, given the current state of things...
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: Problems with IPFW causing failed DNS and FTP sessions

[Michael Sierchio]

On Sun, Mar 31, 2013 at 9:39 PM, Michael Powell  wrote:

> I'm probably not smart enough to be able to help directly with your problem
> but I'd like to add that there is a snowballing DNS Amplification ddos
> attack against SpamHaus going on which is spilling over

Yes, this is very much true.  The ICANN servers are dropping packets
like mad, and many of the .com servers as well.  I am mirroring the
root zone locally to mitigate.

It works to forward DNS to Google's servers (8.8.8.8, 8.8.4.4.) EXCEPT
- they are blocking some net blocks (issuing spurious negative
responses) because of large numbers of nets with hosts in the botnet
participating in the attack.

- M
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: Problems with IPFW causing failed DNS and FTP sessions

[Michael Sierchio]

I'll give you a more cogent reply tomorrow - if you use keep-state
rules, you want to be a little more specific - for tcp, you want
"allow tcp from X to Y setup keep-state" - i.e. you start the stateful
rule on packets that have the SYN flag set.  There are some other
oddities here - I'm guessing that the firewall rules are there to
protect this box itself...  in which case your stateful rules really
need only to consider "outbound" traffic, and to allow replies.  Let
me know if that assumption is erroneous.  More later.  Time for 

- M

On Sun, Mar 31, 2013 at 9:33 PM, Don O'Neil  wrote:
> Thanks for the response... here's my full rullset:
>
> # ipfw list
> 00100 check-state
> 00101 allow tcp from any to any established
> 00102 allow ip from any to any out keep-state
> 00103 allow icmp from any to any
> 00201 allow ip from any to any via lo0
> 00202 allow ip from any to 127.0.0.0/8
> 00203 allow ip from 127.0.0.0/8 to any
> 00204 deny tcp from any to any frag
> 00301 deny log logamount 50 ip from any to any ipoptions rr
> 00302 deny log logamount 50 ip from any to any ipoptions ts
> 00303 deny log logamount 50 ip from any to any ipoptions lsrr
> 00304 deny log logamount 50 ip from any to any ipoptions ssrr
> 00305 deny log logamount 50 tcp from any to any tcpflags syn,fin
> 00306 deny log logamount 50 tcp from any to any tcpflags syn,rst
> 01110 allow tcp from any to any dst-port 20 in
> 0 allow tcp from any to any dst-port 20 out
> 01112 allow tcp from any to any dst-port 21 in
> 01113 allow tcp from any to any dst-port 21 out
> 01114 allow tcp from any to any dst-port 990 in
> 01115 allow tcp from any to any dst-port 990 out
> 01116 allow udp from any to any dst-port 990 in
> 01117 allow udp from any to any dst-port 990 out
> 01118 allow tcp from any to any dst-port 989 in
> 01119 allow tcp from any to any dst-port 989 out
> 01120 allow udp from any to any dst-port 989 in
> 01121 allow udp from any to any dst-port 989 out
> 01122 allow tcp from any to any dst-port 1024-65000 keep-state
> 01125 allow tcp from any to any dst-port 22 in
> 01126 allow tcp from any to any dst-port 22 out
> 01130 allow tcp from any to any dst-port 25 in
> 01131 allow tcp from any to any dst-port 25 out
> 01132 allow tcp from any to any dst-port 587 in
> 01133 allow tcp from any to any dst-port 587 out
> 01134 allow tcp from any to any dst-port 2525 in
> 01135 allow tcp from any to any dst-port 2525 out
> 01140 allow tcp from any to any dst-port 110 in
> 01141 allow tcp from any to any dst-port 110 out
> 01142 allow tcp from any to any dst-port 995 in
> 01143 allow tcp from any to any dst-port 995 out
> 01144 allow tcp from any to any dst-port 2110 in
> 01145 allow tcp from any to any dst-port 2110 out
> 01150 allow tcp from any to any dst-port 143 in
> 01151 allow tcp from any to any dst-port 143 out
> 01152 allow tcp from any to any dst-port 993 in
> 01153 allow tcp from any to any dst-port 993 out
> 01160 allow udp from any to any dst-port 53 in keep-state
> 01161 allow tcp from any to any dst-port 53 in keep-state
> 01162 allow udp from any to any dst-port 53 out keep-state
> 01163 allow tcp from any to any dst-port 53 out keep-state
> 01170 allow tcp from any to any dst-port 80 in
> 01171 allow tcp from any to any dst-port 80 out
> 01172 allow tcp from any to any dst-port 443 in
> 01172 allow tcp from any to any dst-port 443 out
> 01180 allow tcp from any to any dst-port  in
> 01181 allow tcp from any to any dst-port  out
> 65535 deny ip from any to any
>
>
> I've tried these rules;
>
> 01160 allow udp from any to any dst-port 53 in
> 01161 allow tcp from any to any dst-port 53 in
> 01162 allow udp from any to any dst-port 53 out
> 01163 allow tcp from any to any dst-port 53 out
>
> Without the keep-state option, and the problem is still persisting...
>
> The weird thing is that I've run these rules for a number of years without
> any issues until just recently. I've checked my interface stats to make sure
> there aren't a bunch of fragmented packets or errors, and there aren't. I'm
> not running NAT, it's a publically accessible IP address.
>
> -Original Message-
> From: Michael Sierchio [mailto:ku...@tenebras.com]
> Sent: Sunday, March 31, 2013 8:58 PM
> To: Don O'Neil
> Cc: freebsd-questions@freebsd.org
> Subject: Re: Problems with IPFW causing failed DNS and FTP sessions
>
> It would be really helpful if you'd post the ruleset.
>
> At first glance, your stateful rules seem rather wrong, unless there's a
> check-state above.  Also, in and out aren't discriminating enough - every
> packet is seen by the ruleset more than once.  You should thi

Re: Problems with IPFW causing failed DNS and FTP sessions

[Michael Powell]

Don O'Neil wrote:

> Hi everyone. recently my server started having issues with DNS and FTP
> sessions either not resolving or timing out. I've tracked the issue down
> to IPFW. if I issue a 'sysctl net.inet.ip.fw.enable=0' then my issues go
> away.
> 
[snip]

I'm probably not smart enough to be able to help directly with your problem 
but I'd like to add that there is a snowballing DNS Amplification ddos 
attack against SpamHaus going on which is spilling over. I was looking at 
some weird stuff my Suricata was reporting today when I noticed a large 
majority of it was coming from CloudFlare CDN. They use anycast packet 
traffic to deflect and diffuse such attacks for their customers. 

I'm wondering if your box has just been sitting there doing it's thing and 
you've made zero changes to it so it is essentially 'steady state' and this 
problem just sort of came up seemingly out of nowhere. Consider a 
possibility that the cause may be external and what you're seeing is just 
IPFW's reaction to it.

A friend of mine is on a nearby Verizon subnet and he uses their DNS 
servers. He noticed minimal hiccup while I have my DNS pointed at OpenDNS 
and it took them almost a day to get their situation under control. Once 
they did traffic seemed to return to normal, then I noticed Suricata alerting 
on return traffic in my pf DNS firewall rule. All the traffic Suricata was 
complaining about was coming from the CloudFlare CDN. I've never seen this 
before, so I'm not completely certain what to make of it. My hypothesis is 
OpenDNS subscribed to CloudFlare's "protection", and since it is legit 
return traffic from my DNS server's lookups the firewall never touched it. I 
would never have noticed if it wasn't for Suricata. 

I just don't know enough about it all, just that I was having some flaky DNS 
stalling and hanging and when it seemed like it returned to normal I began 
to see this weird stuff from CloudFlare CDN on my DNS traffic. Just would like 
to point out it may be possible your problem is somehow just a reflection of 
some noise going on outside your box. As for exactly what you might do about 
it is for smarter people than me.

-Mike



___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: Problems with IPFW causing failed DNS and FTP sessions

[Michael Sierchio]

It would be really helpful if you'd post the ruleset.

At first glance, your stateful rules seem rather wrong, unless there's
a check-state above.  Also, in and out aren't discriminating enough -
every packet is seen by the ruleset more than once.  You should think
in terms of interfaces, direction, etc.

Are you doing NAT?  Stateful rules with NAT are indeed possible, but subtle.

Your problem has nothing to do with server load, and probably
everything to do with not-terribly-well-conceived ruleset.  Please
post yours here.

- M

On Sun, Mar 31, 2013 at 8:34 PM, Don O'Neil  wrote:
> Hi everyone. recently my server started having issues with DNS and FTP
> sessions either not resolving or timing out. I've tracked the issue down to
> IPFW. if I issue a 'sysctl net.inet.ip.fw.enable=0' then my issues go away.
>
>
>
> I have the basic rules like this for dns;
>
>
>
> 01160 allow udp from any to any dst-port 53 in keep-state
>
> 01161 allow tcp from any to any dst-port 53 in keep-state
>
> 01162 allow udp from any to any dst-port 53 out keep-state
>
> 01163 allow tcp from any to any dst-port 53 out keep-state
>
>
>
> When I try an nslookup sometimes they fail, sometimes they get through, even
> if I change my DNS server to google, my ISP, or even OpenDNS. the firewall
> seems to be causing the issue.
>
>
>
> I have about 65 rules in all.
>
>
>
> Any ideas what could be causing this? My server load is low, usually
> hovering around .2
>
>
>
> How can I look at the actual amount of traffic that the IPFW module is
> processing and track down potential performance issues? My server isn't
> pushing much data, only around 4-5 Mbps sustained.
>
>
>
> Thanks!
>
>
>
>
>
> ___
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: smartd

[Michael Powell]

Polytropon wrote:

> On Sun, 31 Mar 2013 17:25:32 -0500, ajtiM wrote:
>> I installed smartmontools, "start_smartd=yes" I have in rc.conf
> 
> Without further investigation - shouldn't that be
> 
> smartd_enable="YES"
> 
> conforming to the syntax of other service start commands?
> At least that might be the reason why smartd doesn't
> automatically start. Sadly I can't find a reference to
> how to edit rc.conf in "man smartd"; at least the manual
> explains the options well... ;-)

This is correct, as per: 

/usr/ports/sysutils/smartmontools/files/pkg-message.in

Don't know if it's a typo in his email but he was missing a " on the:

daily_status_smart_devices="/dev/ada0" line as well.

-Mike



___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: use of the kernel and licensing

[Michael Ross]

On Sun, 31 Mar 2013 16:31:43 +0200, Polytropon  wrote:


On Sun, 31 Mar 2013 09:39:29 -0400, Joe wrote:

Does one have to file legal paper work with the government to be issued
a copyright on software?


With _which_ government? :-)

Basic understanding of copyright is: The stuff _you_ write
happens "automatically" under _your_ copyright, because you
are the creator. There is nothing you need to do to achieve
the copyright - it's yours by acting. At the moment you
write something like "(C) Joe Sixpack 2012" it's "set in
stone".

There might be other ways to prove (!) copyright, e. g. when
one of your files appears in someone else's work, but now
with the originator line saying "(C) Nick Nosewhite 2013".
In case of a court trial which involves copyright, you can
prove from your CVS "log of creation" (or whatever source
management system or even file system you use) that _you_
have been writing that code, nobody else.




Does any software not having a copyright statement or any license
comments included in the source mean that it's public domain?


I would assume this. Imagine a snippet of code with no author
mentioned in it (or in the source it comes from, or any file
it is accompanied by), how would you be able to conclude
something _else_ than this is public domain with _no_
copyright holder?


I think you are wrong here.

quoting http://en.wikipedia.org/wiki/Public_domain_software:
"Under the Berne Convention, which most countries have signed, an author  
automatically obtains the exclusive copyright to anything they have  
written, and local law may similarly grant copyright, patent, or trademark  
rights by default. The Berne Convention also covers programs. Therefore, a  
program is automatically subject to a copyright, and if it is to be placed  
in the public domain, the author must explicitly disclaim the copyright  
and other rights on it in some way."


Note the wording "explicitly disclaim".

While German law has something like a "triviality threshold" which may  
well apply to very small code snippets,

i'd say "no included license" by default means "all rights reserved".


Regards,

Michael
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: databases/mysql55 to databases/mariadb

[Michael Powell]

Andrei Brezan wrote:
[snip]
> Also what i've noticed is that 'p' as a suffix is for percona.

Oops! And I was thinking Percona but for some reason PostgreSQL came out my 
fingers! DOH!

-Mike


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: Proper way to update ports with svn

[Michael Powell]

Andre Goree wrote:

> On Fri, 29 Mar 2013 21:52:41 -0400, Damien Fleuriot  wrote:
> 
>> On 29 March 2013 22:29, Andre Goree  wrote:
>>
>>> I seem to have to run 'make index' in /usr/ports after I've run 'svn up
>>>
>>>
>>> /usr/ports' in order to see which ports need to be updated using
>>>
>>> 'portversion'.  This doesn't seem correct...and if so portsnap would
>>>
>>> seem like a much better tool.  Perhaps I should be running 'make
>>>
>>> fetchindex' instead?  I'm sure I've read about the correct way to do so,
>>>
>>> but it doesn't appear to be here:
>>>
>>> https://wiki.freebsd.org/PortsSubversionPrimer
>>>
>>>
>>>
>>> Thanks in advance for any advice.
>>
>> 'make index' looks good to me, it's the right way to do things imo.
>>
>> What bothers you, following 'make index', pkg version output seems dodgy
>> ?
>>
>>
> 
> Mainly, just the amount of time it takes to run "make index", lol.  And
> the fact that I never had to do so with portsnap.  I'm thinking that
> perhaps portsnap runs something similar to 'make fetchindex'  within the
> whole 'portsnap fetch update' process...?
> 

In case you find this of interest, FWIW I changed from the old csup to using 
portsnap. I also still use portupgrade. This is the command I do to check 
for ports in need of update:

# portsnap fetch update && portsdb -u && pkgdb -F && portversion

The portsnap fetch update portion outputs "Building new INDEX files... 
done." at the end of its run. Notice the three subsequent commands are from 
the portupgrade package.

Portsnap will alter or change the INDEX-7, INDEX-8, and INDEX-9 files. As 
pointed out elsewhere portupgrade manages its own index database file 
separately and in parallel, which is the INDEX-9.db file.

At first glance it would seem that running portsdb and pkgdb might appear to 
be semi-superfluos, but doing so will check the package database and ensure 
it is exactly in sync with the ports INDEX-* files. I would rather pkgdb 
dump out an error if something is wrong, and it will if there is something 
not quite right in the package database. As long as everything is good it 
just sails on through and portversion tells me which ports are in need of 
upgrade. Then I read the new UPDATING file prior to doing portupgrade -a, 
following any instructions which may pertain.

I have been doing this for 3-4 months now and it has served me well. I was 
doing something very similar back in the csup days, but I had to work out 
some small changes to the above command line using trial and error. The 
above result is very fast, as compared to just trying to use the same old 
identical CLI switches from csup days.

To start from a clean slate I wiped /usr/ports and followed the Handbook 
commands of portsnap fetch followed by the portsnap extract commands. Once I 
had a new pristine ports tree I update it and check for new ports with the 
above command. It has worked well.

-Mike


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: Portsnap gets ports that claim to be out of date

[Michael Powell]

John Levine wrote:

> When I do portsnap update and try building stuff, I get errors like this:
 ^^
 
> "Mk/bsd.port.mk", line 5: warning: You are using a ports file that
> originated from CVS!! "Mk/bsd.port.mk", line 6: warning: The FreeBSD
> project has switched from CVS to SubVersion.
> "Mk/bsd.port.mk", line 7: warning: This CVS repository is NO LONGER
> UPDATED!  If you see this "Mk/bsd.port.mk", line 8: warning: message then
> your tree is STALE and you need to follow "Mk/bsd.port.mk", line 9:
> warning: the update instructions to receive any more updates.
> 
> I'm not using CVS, I'm using portsnap.  Any ideas?  It's a 9.1 system,
> fully up to date as far as I know.
> 

Have you tried doing: portsnap fetch update instead of portsnap update?

-Mike



___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: databases/mysql55 to databases/mariadb

[Michael Powell]

Andrei Brezan wrote:

> Hello list,
> 
> Is there a make.conf option that I can use to replace
> mysql55-[server,client] with mariadb55-[server,client] or i need to use
> for example pkg set -o
> databases/mysql55-client:databases/mariadb55-client?
> 
> What happens if I want to use one port with mysql dependency and another
> one with mariadb as dependency? This is just a theoretical question, I
> don't have such a requirement, yet.
> 
> All this is on 9.1-RELEASE but I think applies to different versions too.
> 
 
Look at: /usr/ports/Mk/bsd.database.mk I only perused it briefly, but I 
think you want something such as MYSQL_VER=55m.  The 'm', or 'p' suffix 
switches to either MariaDB or PostgreSQL if I understand correctly.

At any rate, this is the file that controls this. If it doesn't work 
(possibly I've got it wrong), I'd suggest a PR to get it added in.

-Mike




___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: Client Authentication

[Michael Ross]

On Wed, 27 Mar 2013 01:37:36 +0100, Daniel O'Callaghan  
 wrote:



On 27/03/2013 10:37 AM, Michael Ross wrote:
I'm happy to share a program I wrote which slows down the brute force  
attackers.
It simply counts the SYN packets from a given IP and limits the rate  
per minute by dropping the packet if they are coming too fast.


Uses ipfw divert sockets, so would work if you prefer ipfw over pf.


Me Me Me! ...ahem.
I do prefer IPFW over PF and would very much like to try it out,
so please do share.

OK, here 'tis

https://secure.clari.net.au/ratelimit2.tgz

Danny


Thanks!

I'd like to be able to change the time window:

http://gurder.ross.cx/misc/ratelimit.patch



Regards,

Michael
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: Client Authentication

[Michael Ross]

On Tue, 26 Mar 2013 22:56:37 +0100, Daniel O'Callaghan  
 wrote:



On 27/03/2013 4:18 AM, Joseph Olatt wrote:

Any ideas/suggestions on this will be appreciated.  Thanks,
>
>-- Doug

A little while back I wrote a system to do a simple Two Factor
Authentication and dynamic manipulation of PF (Packet Filter) Tables. I
created it to prevent brute-force attacks on the servers that I have
exposed on the Internet.
I'm happy to share a program I wrote which slows down the brute force  
attackers.
It simply counts the SYN packets from a given IP and limits the rate per  
minute by dropping the packet if they are coming too fast.


Uses ipfw divert sockets, so would work if you prefer ipfw over pf.


Me Me Me! ...ahem.
I do prefer IPFW over PF and would very much like to try it out,
so please do share.

Regards,

Michael
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: gettext problem in FreeBSD 8.3 system hosed

[Michael Powell]

Antonio Olivares wrote:

[snip]
>> As following /usr/port/UPDATING, I ran into a bit of trouble.  System
>> is hosed and I cannot update any ports.  I tried to follow advice
>> here:
>>
>> 20130316:
>>   AFFECTS: users of converters/libiconv and devel/gettext
>>   AUTHOR: b...@freebsd.org
>>
>>   libiconv now handles the lib/charset.alias file instead of
>>   devel/gettext. If you are using pkgng 'and' upgrading from source with
>>   portupgrade or portmaster, first delete gettext, upgrade libiconv, then
>>   reinstall gettext.
>>
>>   # pkg delete -f devel/gettext
>>   # portmaster converters/libiconv devel/gettext
>> or
>>   # pkg delete -f devel/gettext
>>   # portupgrade converters/libiconv devel/gettext
[snip]
> 
> I have tried to follow the instructions included in
> /usr/ports/UPDATING but I have not succeeded in this machine.  I am
> thinking of moving it to 8.4-BETA1 release and then reworking the
> ports or deleting them and restarting in case of not having replies I
> have gotten myself out of trouble before but it can take days to get
> the machine back in working order :(
> 

Not exactly an answer here, in terms of recovery, but more along the lines 
of trying to figure out how it happened.

Did you previously convert this machine to pkgng? The reason I ask is the 
instructions in UPDATING _only_ apply if you did so. If you did not, then 
you did not need to pay any attention to that section in UPDATING.

I have not yet investigated the changeover to pkgng. I recently just did a 
portupgrade -a without doing as UPDATING suggested and had no difficulty with 
either port.  

So if you have not converted to pkgng then there is/was a misunderstanding 
in the reading of UPDATING. If you did convert to pkgng then you are in new 
territory I have not seen yet, and the point is moot.

-Mike


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: Is fdisk broken?

[Michael Sierchio]

On Fri, Mar 22, 2013 at 7:33 AM,   wrote:

> Can fdisk be made happy again?  (At least for a few more years?)

The short answer is: no.  Fdisk comes from a world where even 1G
drives were not yet on the horizon.

Use gpart.

The long answer is readily  available in the forums - google is your friend.

- M
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: How To Get App To Start At Boot?

[Michael Sierchio]

On Tue, Mar 19, 2013 at 2:13 PM, Drew Tomlinson  wrote:
> I installed Splunk which is not part of the ports tree.  It's a proprietary
> app that I downloaded and installed on it's own.  I start it with
> '/usr/local/splunk/bin/splunk start'.  It should also be stopped with
> '/usr/local/splunk/bin/splunk stop'.  In an attempt to automate it, I
> created this symlink in /usr/local/etc/rc.d:

Not the way to do it at all. ;-)

(assuming /opt/splunk*/bin is in your path)

# splunk enable boot-start

This installs the script below as /etc/rc.d/splunk.  You then merely
need to put splunk_enable="YES" in /etc/rc.conf

Questions like this are better answered by searching the splunk FAQs,
etc.  Lots of good info there.


#!/bin/sh

# PROVIDE: splunkd
# REQUIRE: LOGIN
# KEYWORD: shutdown

# /etc/rc.d/splunk
# init script for Splunk.
# generated by 'splunk enable boot-start'.


. /etc/rc.subr

name=splunk
extra_commands="status"
rcvar=`set_rcvar`
eval "${rcvar}=\${${rcvar}:-'NO'}"

splunk_start()
{
"${splunk_home:-/opt/splunkforwarder}/bin/splunk" start
--no-prompt --answer-yes "$@"
}
start_cmd=splunk_start

splunk_stop()
{
"${splunk_home:-/opt/splunkforwarder}/bin/splunk" stop  "$@"
}
stop_cmd=splunk_stop

splunk_restart()
{
"${splunk_home:-/opt/splunkforwarder}/bin/splunk" restart  "$@"
}
restart_cmd=splunk_restart

splunk_status()
{
"${splunk_home:-/opt/splunkforwarder}/bin/splunk" status  "$@"
}
status_cmd=splunk_status

load_rc_config $name
run_rc_command "$@"
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: No sound with Thinkpad X60

[Michael Ross]

On Sat, 16 Mar 2013 00:28:27 +0100, Peter Harrison  
 wrote:



Friday, 15 March 2013 at 18:48:24 +0100, Michael Ross said:

On Thu, 14 Mar 2013 23:59:09 +0100, Peter Harrison
 wrote:

> Hi list,
>
> I've a problem with sound on a Thinkpad X60, which has an Intel HDA  
chip.

>
> This is what I see in dmesg:
>
> hdac0:  mem 0xee24-0xee243fff irq 17  
at

> device 27.0 on pci0
> hdacc0:  at cad 0 on hdac0
> hdaa0:  at nid 1 on  
hdacc0

> pcm0:  at nid 5 and 25,8 on hdaa0
> hdacc1:  at cad 1 on hdac0
> unknown:  at nid 2  
on

> hdacc1 (no driver attached)
>
> and from sndstat:
>
> FreeBSD Audio Driver (newpcm: 32bit 2009061500/i386)
> Installed devices:
> pcm0:  (play/rec) default
>
> and from mixer:
>
> Mixer vol  is currently set to 100:100
> Mixer pcm  is currently set to 100:100
> Mixer speaker  is currently set to 100:100
> Mixer cd   is currently set to   1:1
> Mixer rec  is currently set to   1:1
> Mixer igainis currently set to  42:42
> Mixer ogainis currently set to 100:100
> Mixer monitor  is currently set to  67:67
> Recording source: cd
>
> But I have no sound. This is using Gnome 2.32 on 9.1-R. I did  
initially

> accidentally install Pulseaudio, but have subsequently deleted it and
> reinstalled everything that depended on it without the Pulseaudio
> dependency.
>
> Any thoughts on what I'm doing wrong?
>
> Thanks in advance.

Possibly not helping a lot:

I have a T510 thinkpad with Intel HDA audio, running Windows 7.
I need to have the audio driver *and* the modem driver installed for any
sound to work.
So possibly the modem part has to be initialised or something.
You have "no driver attached" on your modem, so maybe that's worth  
looking

at.

You could also try if sound works from a terminal without running Gnome  
at

all,
just to be sure it's not some Gnome configuration thing.

Regards,

Michael


Thanks Michael.

Tried turning gnome off. Still no sound from the console. Is there a  
FreeBSD kernel module for the modem?




Don't know.
But stepping back, do you have snd_hda loaded?
( Silly me, should have been the first question. )

Found this:
http://www.bmichelsen.no/blog/2012/01/28/configuring-freebsd-for-x60s/

Regards,

Michael
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: No sound with Thinkpad X60

[Michael Ross]

On Thu, 14 Mar 2013 23:59:09 +0100, Peter Harrison  
 wrote:



Hi list,

I've a problem with sound on a Thinkpad X60, which has an Intel HDA chip.

This is what I see in dmesg:

hdac0:  mem 0xee24-0xee243fff irq 17 at  
device 27.0 on pci0

hdacc0:  at cad 0 on hdac0
hdaa0:  at nid 1 on hdacc0
pcm0:  at nid 5 and 25,8 on hdaa0
hdacc1:  at cad 1 on hdac0
unknown:  at nid 2 on  
hdacc1 (no driver attached)


and from sndstat:

FreeBSD Audio Driver (newpcm: 32bit 2009061500/i386)
Installed devices:
pcm0:  (play/rec) default

and from mixer:

Mixer vol  is currently set to 100:100
Mixer pcm  is currently set to 100:100
Mixer speaker  is currently set to 100:100
Mixer cd   is currently set to   1:1
Mixer rec  is currently set to   1:1
Mixer igainis currently set to  42:42
Mixer ogainis currently set to 100:100
Mixer monitor  is currently set to  67:67
Recording source: cd

But I have no sound. This is using Gnome 2.32 on 9.1-R. I did initially  
accidentally install Pulseaudio, but have subsequently deleted it and  
reinstalled everything that depended on it without the Pulseaudio  
dependency.


Any thoughts on what I'm doing wrong?

Thanks in advance.


Possibly not helping a lot:

I have a T510 thinkpad with Intel HDA audio, running Windows 7.
I need to have the audio driver *and* the modem driver installed for any  
sound to work.

So possibly the modem part has to be initialised or something.
You have "no driver attached" on your modem, so maybe that's worth looking  
at.


You could also try if sound works from a terminal without running Gnome at  
all,

just to be sure it's not some Gnome configuration thing.

Regards,

Michael
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: svn & new pkg system

[Michael Ross]

On Sun, 10 Mar 2013 00:57:25 +0100, Giorgos Keramidas  
 wrote:



On Sat, 09 Mar 2013 18:25:22 -0500, Fbsd8  wrote:

Is svn going to become part of the base system in 9.2-RELEASE?


No.


I'd like to reference a thread on the @stable list here:

http://lists.freebsd.org/pipermail/freebsd-stable/2013-March/072765.html

"svnup is a lightweight, dependency-free, BSD licensed program to pull  
source files from a Subversion server."



Regards,

Michael
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: OpenVPN vm cant connect to other VM's

[Michael Sierchio]

Are you pushing routes in your server.conf file?

(hint - show, don't tell)

- M

On Wed, Mar 6, 2013 at 2:38 AM, Brent Clark  wrote:
> Hi guys
>
> Im struggling with a freebsd vm, that I have that I use for a VPN connection
> too, from my workstation to my home LAN. And I was wondering if someone
> could peer review me and my problem.
>
> OpenVPN is working beautifully. I.e. I can connect to some services (apache
> etc) that I run directly on my FreeBSD / openvpn vm.
>
> What im now trying to achieve is that I can connect to other VMs / machines
> on my home LAN.
>
> Im using tun for my VPN, and my pf.conf looks like so (please see the nat on
> ...)
>
> [root@freebsd /usr/home/bclark]# cat  /etc/pf.conf
> ext_if="re0"
> vpn_if="tun0"
> int_net="10.0.0.0/24"
> vpn_net="192.168.200.0/24"
> set skip on lo0
> set optimization normal
> #set block-policy drop
> set limit { states 2, frags 1, src-nodes 2 }
> # Normalization: reassemble fragments and resolve or reduce traffic
> ambiguities.
> scrub in all
> # Translation: specify how addresses are to be mapped or redirected.
> # NAT rules
> # enabling NAT currently breaks policy based routing
> #nat on $ext_if from { $int_net, $vpn_net } to any -> ($ext_if)
> #nat on tun0 from { 192.168.200.0/24 } to any -> (re0)
> nat on re0 from { 192.168.200.0/24 } to any -> (re0)
>
> table  persist
> block in quick on re0 proto tcp from  to any port ssh label "ssh
> brute"
>
> What am I missing?
>
> If anyone could assist, it would be appreciated.
>
> Kind Regards
> Brent Clark
>
>
> ___
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: FreeBSD 9 and Windows XP

[Michael Ross]

On Sat, 09 Mar 2013 21:27:45 +0100, Polytropon  wrote:

On Sat,  9 Mar 2013 12:07:41 -0800 (PST),  
leeoliveshackelf...@surewest.net wrote:

Good afternoon, FreeBSD enthusiasts.  Can FreeBSD 9.1 be
installed on a computer on which Windows XP currently
resides?


Yes.




If so, how can this installation be done?


First of all, you need a tool to make disk space available;
you can do this by adding an additional hard disk, or by
resizing the "Windows" partition. As "Windows" does not
seem to provide native tools to do this


I may misremember, but Win7 does have a functional "shrink drive" in the  
drive administration console,

and I do think that was there in XP already.


Michael
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: Performance Related Question

[Michael Ross]

On Wed, 27 Feb 2013 23:38:34 +0100, Frederico Costa   
wrote:



On 2013-02-27 22:27, Michael Ross wrote:

If I read you right, you didn't ``make -jX buildworld'',
with X being the number of processes to spawn,
so you used just one core on either machine.
 Buildworld does a lot of I/O, so disk speed is relevant.


Yes, i just made "make buildworld".

So i should use make -j2 on the S1(dual core) and -j4 on S2 (2xdualcore)?

And it also makes sense what you say about the I/O.

i will start another to see the results.



Maybe try higher settings.
Handbook ( http://www.freebsd.org/doc/handbook/makeworld.html ) says:


	However, since much of the compiling process is I/O bound rather than CPU  
bound, it is also useful on single CPU machines.


On a typical single-CPU machine, run:
# make -j4 buildworld

	make(1) will then have up to 4 processes running at any one time.  
Empirical evidence posted to the mailing lists shows this generally gives  
the best performance benefit.


	On a multi-CPU machine using an SMP configured kernel, try values between  
6 and 10 and see how they speed things up.






Thanks

fred


On Wed, 27 Feb 2013 23:05:44 +0100, Frederico Costa
  wrote:


Hi everyone...
 I have a kind of interesting question when comes to performance of
FreeBSD in different HW. i am not trying to come up with a scientific
reason for measuring performance. :-)
 It is just a curiosity, and of course to see if i understand it and
improve performance of my systems.
 i am running 2 systems at the moment, lets call them S1 and S2,
running FreeBSD 9.1-RELEASE-p1 amd64:
 S1:
Intel Core2 Duo E6550 @ 2.33GHz
2GB RAM
500GB disk (not important probably just for reference)
 S2:
2x Dual-Core AMD Opteron 2216 2.4GHz
14GB Ram
320GB disk (not important probably just for reference)
 Both the systems are running more or less the same sw, apache, imap
server, postfix, and the needed perl/php/python and running very light
  load. Also both are using a GENERIC kernel and not running X, they  
are

just text based :-)
  From cpubenchmark.net the cpu performance index are for s1: 1501 and
s2: 1518, so very similar.
 As i felt the AMD system seemed slower when comes to compiling, i just
done a "performance test" which was "make buildworld" on both of
systems from scratch and the times are:
 S1: 2h 12m
S2: 2h 59m


 If I read you right, you didn't ``make -jX buildworld'',
with X being the number of processes to spawn,
so you used just one core on either machine.
 Buildworld does a lot of I/O, so disk speed is relevant.
  Regards,
 Michael

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: Performance Related Question

[Michael Ross]

On Wed, 27 Feb 2013 23:05:44 +0100, Frederico Costa   
wrote:



Hi everyone...

I have a kind of interesting question when comes to performance of
FreeBSD in different HW. i am not trying to come up with a scientific
reason for measuring performance. :-)

It is just a curiosity, and of course to see if i understand it and
improve performance of my systems.

i am running 2 systems at the moment, lets call them S1 and S2,
running FreeBSD 9.1-RELEASE-p1 amd64:

S1:
Intel Core2 Duo E6550 @ 2.33GHz
2GB RAM
500GB disk (not important probably just for reference)

S2:
2x Dual-Core AMD Opteron 2216 2.4GHz
14GB Ram
320GB disk (not important probably just for reference)

Both the systems are running more or less the same sw, apache, imap
server, postfix, and the needed perl/php/python and running very light
  load. Also both are using a GENERIC kernel and not running X, they are
just text based :-)

 From cpubenchmark.net the cpu performance index are for s1: 1501 and
s2: 1518, so very similar.

As i felt the AMD system seemed slower when comes to compiling, i just
done a "performance test" which was "make buildworld" on both of
systems from scratch and the times are:

S1: 2h 12m
S2: 2h 59m



If I read you right, you didn't ``make -jX buildworld'',
with X being the number of processes to spawn,
so you used just one core on either machine.

Buildworld does a lot of I/O, so disk speed is relevant.


Regards,

Michael
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: dump issue

[Michael Sierchio]

"Snapshots are not yet supported when running with journaled soft
updates: Operation not supported"

:-(

On Mon, Feb 11, 2013 at 7:27 AM, Robert Huff  wrote:
>
> Will someone please confirm or deny that (UFS) journaling and
> "dump -L" continue to be incompatible?
>
> Respectfully,
>
>
> Robert Huff
>
> ___
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"