Can FAQ 6.10 please be fixed?
Hi!

It took me a while to figure out that FAQ 6.10:

http://wiki.freeradius.org/index.php/FAQ#How_do_I_check_the_configuration_before_sending_a_HUP_to_the_server.3F

is simply no longer true. Checked the source: that option is gone. I
really really think that option should be there, though. I know there
is a shell script that starts a second server on a different port and
waits to see if it starts successfully. But that's also broken since
the -p Option doesn't seem to work in all cases:

    ~> strace -e bind freeradius -X -p 32768 2>&1 | grep port
    main: port = 1812
    listen: port = 0
    bind(3, {sa_family=AF_INET, sin_port=htons(1812), sin_addr=inet_addr("130.133.100.66")}, 16) = -1 EADDRINUSE (Address already in use)
    /etc/freeradius/radiusd.conf[228]: Error binding to port for 130.133.100.66:1812

Also, that approach is somewhat ridiculous considered the importance
of the radius server in our case.

I tried to change the Wiki entry but apparently I don't have permission
to do so. Can someone with write access to the Wiki please remove that
entry (or better, add the -C option back to freeradius ;)

Thanks,

Jens.

--
Jens Dreger                      Freie Universitaet Berlin
[EMAIL PROTECTED]                Fachbereich Physik - ZEDV
Tel: +49 30 83854774             Arnimallee 14
Fax: +49 30 83855902             14195 Berlin

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Can FAQ 6.10 please be fixed?
Jens Dreger wrote:
> is simply no longer true. Checked the source: that option is gone. I
> really really think that option should be there, though.

It's not only hard to do, it can cause problems.

i.e. opening *double* the connections to your SQL server. That may be
an issue.

> I know there
> is a shell script that starts a second server on a different port and
> waits to see if it starts successfully. But that's also broken since
> the -p Option doesn't seem to work in all cases:

In CVS head and in 1.1.x, you need to do '-i' and '-p' together.

> Also, that approach is somewhat ridiculous considered the importance
> of the radius server in our case.

Yes. But please understand that this is *not* apache. FreeRADIUS has
1% (or less) of the resources that the apache team has. And, the
integration between RADIUS and databases is *much* stronger and more
important than Apache.

i.e. Apache can handle HUP && reload its configuration because it
doesn't *do* anything. It doesn't cache connections. It doesn't
maintain a large number of connections to databases, etc. It can afford
to start up a completely brand new instance of itself from scratch,
because there are almost no side-effects to doing so.

In contrast, FreeRADIUS has to keep packet caches. It usually has
large numbers of connections to database, etc.

You can update the script to add "-i 127.0.0.1" to it. After that it
*should* work, so long as you don't have limits on the number of
database connections, etc.

> I tried to change the Wiki entry but apparently I don't have permission
> to do so.

Sign up for an account. It's not open because of the massive volume
of spammers who were attacking it.

> Can someone with write access to the Wiki please remove that
> entry (or better, add the -C option back to freeradius ;)

As always, patches are welcome.

Alan DeKok.
Re: Can FAQ 6.10 please be fixed?
Hi,

> > http://wiki.freeradius.org/index.php/FAQ#How_do_I_check_the_configuration_before_sending_a_HUP_to_the_server.3F

well, any talking of HUP'ing right now is bad joojoo.

I've just checked and you can do something like

    radiusd -X -p 1890 -i 127.0.0.1

which will work fine - perhaps we should cook up another method of
checking the config is sane - using this sort of method for now.

several people have requested a 'check the config' option - a new
version of the -C option - i'm not sure what exact state the parser is
in...or if it would be easier to use another utility - eg
radiusd-chkconfig - which is solely primed for running through the
config files and checking it all works but then not firing up - it just
gives an exit code.

alan
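The test-instance check discussed in the messages above, written out as an added example (it is not from any poster or from the FreeRADIUS project). It assumes the binary is called radiusd (override RADIUSD; the first post uses "freeradius"), that -d selects the configuration directory, and that -X prints "Ready to process requests" once startup succeeds. A failed bind on the test port is reported separately from a rejected config.

```shell
#!/bin/sh
# Added example: start a throwaway instance on loopback with the candidate
# config and report whether it comes up.
# Return codes: 0 = config loaded, 1 = server exited (config rejected),
#               2 = test port could not be bound (inconclusive),
#               3 = no verdict within the timeout.
RADIUSD=${RADIUSD:-radiusd}   # assumption: binary name, override as needed

check_radius_config() {
    confdir=$1
    port=${2:-1890}
    timeout=${3:-10}
    log=$(mktemp) || return 3
    # -i and -p are given together, as the thread requires; binding to
    # 127.0.0.1 keeps the test instance off the production address.
    $RADIUSD -X -d "$confdir" -i 127.0.0.1 -p "$port" >"$log" 2>&1 &
    pid=$!
    rc=3
    i=0
    while [ "$i" -lt "$timeout" ]; do
        if grep -q "Ready to process requests" "$log"; then
            rc=0
            break
        fi
        if ! kill -0 "$pid" 2>/dev/null; then
            # The instance died before becoming ready: tell a port clash
            # apart from a genuine configuration error.
            if grep -q "Error binding to port" "$log"; then
                rc=2
            else
                rc=1
            fi
            break
        fi
        sleep 1
        i=$((i + 1))
    done
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    rm -f "$log"
    return "$rc"
}

# Typical use before restarting the live server:
#   check_radius_config /etc/freeradius && /etc/init.d/freeradius restart
```

As noted in the thread, the test instance still opens its own database connections, so the result is only meaningful where connection limits allow a second instance.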
Re: Can FAQ 6.10 please be fixed?
On Thu, Nov 08, 2007 at 11:24:36AM +0100, Alan DeKok wrote:
> Jens Dreger wrote:
> > is simply no longer true. Checked the source: that option is gone. I
> > really really think that option should be there, though.
>
> It's not only hard to do, it can cause problems.
>
> i.e. opening *double* the connections to your SQL server. That may be
> an issue.
>
> > I know there
> > is a shell script that starts a second server on a different port and
> > waits to see if it starts successfully. But that's also broken since
> > the -p Option doesn't seem to work in all cases:
>
> In CVS head and in 1.1.x, you need to do '-i' and '-p' together.
>
> > Also, that approach is somewhat ridiculous considered the importance
> > of the radius server in our case.
>
> Yes. But please understand that this is *not* apache. FreeRADIUS has
> 1% (or less) of the resources that the apache team has. And, the
> integration between RADIUS and databases is *much* stronger and more
> important than Apache.
>
> i.e. Apache can handle HUP && reload its configuration because it
> doesn't *do* anything. It doesn't cache connections. It doesn't
> maintain a large number of connections to databases, etc. It can afford
> to start up a completely brand new instance of itself from scratch,
> because there are almost no side-effects to doing so.
>
> In contrast, FreeRADIUS has to keep packet caches. It usually has
> large numbers of connections to database, etc.

Ok, maybe I should rephrase my question: I'm not so much interested in
the HUP part, but the check-config part. I'm perfectly happy with
stopping and starting the radius-server IF I can make sure it will
succeed with the new config. I'm only changing the users file and
have no database connections at all so this should be doable. A tool
like radiusd-chkconfig (like bind offers) would probably be the right
thing.

I understand however that in a more complicated setup HUPs might be
problematic.

> You can update the script to add "-i 127.0.0.1" to it. After that it
> *should* work, so long as you don't have limits on the number of
> database connections, etc.

...or hit a used port by accident. This script is just no elegant
solution. I guess I'll just have to keep two servers running on
different IPs and check if the test-server crashes with the new users
file before restarting the main server.

> > I tried to change the Wiki entry but apparently I don't have permission
> > to do so.
>
> Sign up for an account. It's not open because of the massive volume
> of spammers who were attacking it.

I tried. 'Create Account' just gives me a login screen with no way to
create an account. Am I missing something?

Regards,

Jens.

--
Jens Dreger                      Freie Universitaet Berlin
[EMAIL PROTECTED]                Fachbereich Physik - ZEDV
Tel: +49 30 83854774             Arnimallee 14
Fax: +49 30 83855902             14195 Berlin
Re: Can FAQ 6.10 please be fixed?
Jens Dreger wrote:
> Ok, maybe i should rephrase my question: I'm not so much interested in
> the HUP part, but the check-config part. I'm perfectly happy with
> stopping and starting the radius-server IF I can make sure it will
> succeed with the new config.

It is easy to do a bad job of that. It is very difficult to do a
*good* job.

> I'm only changing the users file and
> have no database connections at all so this should be doable. A tool
> like radiusd-chkconfig (like bind offers) would probably be the right
> thing.

Yes.

> ...or hit a used port by accident. This script is just no elegant
> solution. I guess I'll just have to keep two servers running on
> different IPs and check if the test-server crashes with the new users
> file before restarting the main server.

I'll see what I can do. But it will be in CVS head (i.e. 2.0), and
not in 1.1.x.

>>> I tried to change the Wiki entry but apparently I don't have permission
>>> to do so.
>> Sign up for an account. It's not open because of the massive volume
>> of spammers who were attacking it.
>
> I tried. 'Create Account' just gives me a login screen with no way to
> create an account. Am I missing something?

No idea. Peter Nixon runs that server, so email him.

Alan DeKok.
Re: Can FAQ 6.10 please be fixed?
On Thu 08 Nov 2007, Alan DeKok wrote:
> > I tried. 'Create Account' just gives me a login screen with no way to
> > create an account. Am I missing something?
>
> No idea. Peter Nixon runs that server, so email him.

I had to disable account creation due to spammers automatically creating
large numbers of accounts with scripts. Mail me with a preferred username
and I will set one up for you. (As can Alan and several other of the wiki
admins on this list)

Cheers

--
Peter Nixon
http://peternixon.net/