Re: Two Options: which to choose?
On Thu, Jun 30, 2005 at 05:07:59PM -0400, Matt Juszczak wrote:

> Hi all,
>
> Removing IPF for 5.4-STABLE seems to have made the boxes stable. I switched all the firewalls to PF and they haven't crashed since, it's been about 3 days now... (before they were crashing every 12 hours).

Of course, the best thing would be to try and identify the cause of the problem and get it fixed. To do this, you need to proceed with the advice and patches previously given.

If you really can't stay with 5.4 and try to work this to conclusion, I'd recommend going for something you know will work instead of diving in to a whole new untested environment with its own new set of potential problems to overcome.

Kris

Re: Two Options: which to choose?
On Thu, Jun 30, 2005 at 05:07:59PM -0400, Matt Juszczak wrote:

> Removing IPF for 5.4-STABLE seems to have made the boxes stable. I switched all the firewalls to PF and they haven't crashed since, it's been about 3 days now... (before they were crashing every 12 hours).

A similar situation: two boxes with SMP (two physical processors in each box). GENERIC kernel works. GENERIC kernel with IPF module or IPF compiled into GENERIC works. After adding SMP either to the box with GENERIC with the IPF module loaded or to the box with IPF compiled into the kernel, the boxes crash regularly.

After changing to PF I did not notice a single crash for a month (production servers with, sometimes, heavy load).

My conclusion: I do not know what was wrong, but I could not get a non-crashing 5.4 box with IPF.

> 1) If I were to put this machine into production, it could crash at any time for another reason... or maybe the switch to PF hasn't actually stabilized it, and it's just playing games with me.
>
> 2) If it crashes again, I might lose some responsibilities at work due to trust and/or inabilities.

I would try FreeBSD with PF anyway. Works perfectly.

--
* Maciej Wierzbicki * At paranoia's poison door *
* VOO1-RIPE VOO1-6BONE *

___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: Two Options: which to choose?
> After changing to PF I did not notice a single crash for a month (production servers with, sometimes, heavy load).

> I would try FreeBSD with PF anyway. Works perfectly.

You say it didn't crash for a month, but then you say to try FreeBSD with PF because it works perfectly. To me, a month of uptime isn't perfectly.

Can you elaborate? Is your machine still crashing even though it's taking a month instead of a few days like it did previously?

Thanks,

Matt

Re: Two Options: which to choose?
On Thu, Jun 30, 2005 at 05:53:20PM -0400, Matt Juszczak wrote:

> You say it didn't crash for a month, but then you say to try FreeBSD with PF because it works perfectly. To me, a month of uptime isn't perfectly.

It is, compared to two- or three-day uptime periodic when it crashes. With IPF. :-)

> Can you elaborate? Is your machine still crashing even though it's taking a month instead of a few days like it did previously?

What I meant was: after removing IPF I did not get any crash.

--
* Maciej Wierzbicki * At paranoia's poison door *
* VOO1-RIPE VOO1-6BONE *

Re: Two Options: which to choose?
On Thursday 30 June 2005 23:58, Maciej Wierzbicki wrote:

> On Thu, Jun 30, 2005 at 05:53:20PM -0400, Matt Juszczak wrote:
> > You say it didn't crash for a month, but then you say to try FreeBSD with PF because it works perfectly. To me, a month of uptime isn't perfectly.
>
> It is, compared to two- or three-day uptime periodic when it crashes. With IPF. :-)
>
> > Can you elaborate? Is your machine still crashing even though it's taking a month instead of a few days like it did previously?
>
> What I meant was: after removing IPF I did not get any crash.

I have said it before, I'll say it again for the record: IPF's shared lock implementation is *BROKEN* by design. This is caused by a misunderstanding of the sx(9) implementation in FreeBSD - it seems to me.

The problem with the current sx(9) implementation is that it *sleeps* (not to be confused with blocks) in the shared case, which leads to deadlocks/panics/and other bad things. The only way out of this at the moment is a hand-rolled shared lock implementation (as done for pfil(9) and ipfw) which has to take care of starvation protection somehow. The existing sx(9) ignores this issue by sleeping in the shared case, which is valid in some cases but just not practical here.

One might argue that this is hardly IPF's fault and sx(9) should be fixed. The way in which the reworked locking was rushed into RELENG_5, however, was far from professional (IMHO) and is what causes you the headache. </rant>

I hope that PF does it better when we change to a shared lock - which I am certainly planning on. This is a non-trivial task and needs time. Right now there is one issue with PF and SMP which is documented in the pf.conf(5) manpage. In 5.4 there is an additional problem with pfsync that has been fixed in RELENG_5 a couple of days ago.

To summarize: Unless you see crashes unrelated to PF or network, you should stay with 5.4+PF as it is in good shape. If you see crashes that hint into the PF/network corner, please let us know.

Most of the time debug.mpsafenet = 0 can help to fix things, it's up to you if the performance implication is a problem.

--
/\  Best regards,                      | [EMAIL PROTECTED]
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | [EMAIL PROTECTED]
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

Re: Two Options: which to choose?
On Thursday 30 June 2005 22:53, Matt Juszczak wrote:

> > After changing to PF I did not notice a single crash for a month (production servers with, sometimes, heavy load).
>
> > I would try FreeBSD with PF anyway. Works perfectly.
>
> You say it didn't crash for a month, but then you say to try FreeBSD with PF because it works perfectly. To me, a month of uptime isn't perfectly.
>
> Can you elaborate? Is your machine still crashing even though it's taking a month instead of a few days like it did previously?

Could you not use pfsync to mitigate the problem (at least partially)?

As for your original question, I think it's less work to change your hardware to something you know works than changing operating systems. Why not use single CPU machines for this?

> Thanks,
>
> Matt

--
Dominic
GoodforBusiness.co.uk
I.T. Services for SMEs in the UK.

Re: Two Options: which to choose?
> Could you not use pfsync to mitigate the problem (at least partially)?
>
> As for your original question, I think it's less work to change your hardware to something you know works than changing operating systems. Why not use single CPU machines for this?

My boss refuses :-(

Re: Two Options: which to choose?
On Thu, 30 Jun 2005 17:07:59 -0400 (EDT) Matt Juszczak [EMAIL PROTECTED] wrote

> [...]
> Therefore, part of me is thinking of switching back to either 4.11 or to OBSD 3.7. Problem is, this switch wouldn't be temporary, it would have to be permanent. I couldn't set things up now and then move them again a month from now.

If you're wanting the system to be untouched for two years, set OpenBSD aside.

If you don't understand what I mean, read their FAQ again and hunt up their support policy and read carefully the instructions on security patches and on updates and upgrades.

OpenBSD is a great OS, and I recommend learning it and using it, but the pace is pretty stiff, especially until you get used to it.

--
Joel Rees [EMAIL PROTECTED]
digitcom, inc. 株式会社デジコム
Kobe, Japan +81-78-672-8800
** http://www.ddcom.co.jp **