interruptions

2013-11-14 Thread Alexander Pakhomov
Hi.
I discovered high CPU0 interruptions load (amd64) in various cases.
wifi (athn, urtwn): up to 100% at 2 MB/s download. Usually 50%. Grows faster
than linear with net load. Sometimes the system freezes for about a minute.
Web speed tests consume significantly less CPU than wget/firefox/ktorrent
download. I don't know why.
Dmitrij D. Czarkoff has 6% interruptions load during samba download (1.3 MB/s,
urtwn).
I sent a bug report but by now it's unreplied.

SSD write (dd if=/dev/zero of=... bs=1M): 10% unencrypted, 50% encrypted
(softraid0).
Disk read doesn't cause interruptions load.
USB stick dd: essentially no interruptions load (2 MB/s)

1) What interruptions load should be considered normal? I used to think even 
10% is too high.

I want to investigate the problem and profile interruption handlers.
2) Is there any OpenBSD kernel profiling support? High resolution clocks, tick 
counters.



Re: interruptions

2013-11-14 Thread Alexandre Ratchov
On Thu, Nov 14, 2013 at 01:16:41PM +0400, Alexander Pakhomov wrote:
 Hi.
 I discovered high CPU0 interruptions load (amd64) in various cases.
 wifi (athn, urtwn): up to 100% at 2 MB/s download. Usually 50%. Grows faster
 than linear with net load. Sometimes the system freezes for about a minute.
 Web speed tests consume significantly less CPU than wget/firefox/ktorrent
 download. I don't know why.
 Dmitrij D. Czarkoff has 6% interruptions load during samba download (1.3
 MB/s, urtwn).
 I sent a bug report but by now it's unreplied.
 
 SSD write (dd if=/dev/zero of=... bs=1M): 10% unencrypted, 50% encrypted
 (softraid0).
 Disk read doesn't cause interruptions load.
 USB stick dd: essentially no interruptions load (2 MB/s)
 
 1) What interruptions load should be considered normal? I used to
 think even 10% is too high.

yes, though it depends on the workload

 I want to investigate the problem and profile interruption handlers.
 2) Is there any OpenBSD kernel profiling support? High resolution clocks, 
 tick counters.

do you observe the same problem with the GENERIC kernel?

-- Alexandre



Re: QEMU CPU cores not showing up

2013-11-14 Thread Giancarlo Razzolini
On 13-11-2013 22:40, Jeff Fuhrman wrote:
 I'm the tech Bruno has been working with regarding this. QEMU version is 1.5
 and the relevant section of the KVM Config file is
 <vcpu>4</vcpu><cpu><topology sockets='1' cores='4' threads='1'/></cpu>.
 We've tried it with 2 sockets, with 4 sockets, with 2 threads, 4 threads, and
 so on. ACPI and APIC are enabled for the KVM Container.

 Jeff Fuhrman
 Level 2 Technician - BlueVM

I have the same issue using the same qemu version. Do you guys also
experience random lockups? I've seen sometimes the OpenBSD VM sshd will
simply stop answering. Also if I try to log in directly through the VM's
console, when I insert the username it will not prompt me for a
password. The strangest thing is, the machine still answers ping packets.
I could not debug it yet, since it happens randomly. I have to force a
shutdown to be able to access the machine again.

To add to the strange thing, I have another bare metal machine, with a
different hardware, but using the same qemu version, and I had never
experienced any lockups. But it also will not show more cores on OpenBSD.

Cheers,

-- 
Giancarlo Razzolini
GPG: 4096R/77B981BC



Re: QEMU CPU cores not showing up

2013-11-14 Thread David Coppa
On Thu, Nov 14, 2013 at 2:33 PM, Giancarlo Razzolini
grazzol...@gmail.com wrote:
 On 13-11-2013 22:40, Jeff Fuhrman wrote:
 I'm the tech Bruno has been working with regarding this. QEMU version is 1.5
 and the relevant section of the KVM Config file is
 <vcpu>4</vcpu><cpu><topology sockets='1' cores='4' threads='1'/></cpu>.
 We've tried it with 2 sockets, with 4 sockets, with 2 threads, 4 threads,
 and so on. ACPI and APIC are enabled for the KVM Container.

 Jeff Fuhrman
 Level 2 Technician - BlueVM

 I have the same issue using the same qemu version. Do you guys also
 experience random lockups? I've seen sometimes the OpenBSD VM sshd will
 simply stop answering. Also if I try to log in directly through the VM's
 console, when I insert the username it will not prompt me for a
 password. The strangest thing is, the machine still answers ping packets.
 I could not debug it yet, since it happens randomly. I have to force a
 shutdown to be able to access the machine again.

Have you applied the patch for the errata below?

for 5.4:

http://ftp.openbsd.org/pub/OpenBSD/patches/5.4/common/003_vnode.patch

or for 5.3:

http://ftp.openbsd.org/pub/OpenBSD/patches/5.3/common/010_vnode.patch



Re: interruptions

2013-11-14 Thread Gregory Edigarov

On 11/14/2013 03:19 PM, Alexandre Ratchov wrote:

On Thu, Nov 14, 2013 at 01:16:41PM +0400, Alexander Pakhomov wrote:


1) What interruptions load should be considered normal? I used to
think even 10% is too high.


yes, though it depends on the workload


I want to investigate the problem and profile interruption handlers.
2) Is there any OpenBSD kernel profiling support? High resolution clocks, tick 
counters.


do you observe the same problem with the GENERIC kernel?


it will also be nice to provide vmstat -i output for the cases, so people could 
see where interrupts are coming from


--
With best regards,
 Gregory Edigarov



Re: QEMU CPU cores not showing up

2013-11-14 Thread Giancarlo Razzolini
On 14-11-2013 11:43, David Coppa wrote:
 On Thu, Nov 14, 2013 at 2:33 PM, Giancarlo Razzolini
 grazzol...@gmail.com wrote:
 On 13-11-2013 22:40, Jeff Fuhrman wrote:
 I'm the tech Bruno has been working with regarding this. QEMU version is
 1.5 and the relevant section of the KVM Config file is
 <vcpu>4</vcpu><cpu><topology sockets='1' cores='4' threads='1'/></cpu>.
 We've tried it with 2 sockets, with 4 sockets, with 2 threads, 4 threads,
 and so on. ACPI and APIC are enabled for the KVM Container.

 Jeff Fuhrman
 Level 2 Technician - BlueVM

 I have the same issue using the same qemu version. Do you guys also
 experience random lockups? I've seen sometimes the OpenBSD VM sshd will
 simply stop answering. Also if I try to log in directly through the VM's
 console, when I insert the username it will not prompt me for a
 password. The strangest thing is, the machine still answers ping packets.
 I could not debug it yet, since it happens randomly. I have to force a
 shutdown to be able to access the machine again.
 Have you applied the patch for the errata below?

 for 5.4:

 http://ftp.openbsd.org/pub/OpenBSD/patches/5.4/common/003_vnode.patch

 or for 5.3:

 http://ftp.openbsd.org/pub/OpenBSD/patches/5.3/common/010_vnode.patch

Not yet David, will look into it. I am moving almost all of my
infrastructure servers to virtualized ones. Even my firewall is
virtualized now. But I am experiencing these random lockups now and then.
Will apply the patch and test it again.

I do have another issue with running an OpenBSD guest in which it won't
do interrupt remapping so I have to enable an unsafe behavior on kvm
which allows it to do pci passthrough with unsafe interrupts. There
are some issues using this in which a privileged user in the guest
machine could escalate its privileges on the host and/or crash it.
Anyway, this isn't a problem for me right now, when I do have some time
I'll look into it.

Thanks,

-- 
Giancarlo Razzolini
GPG: 4096R/77B981BC



carp+pfsync+relayd question

2013-11-14 Thread Leonardo Santagostini
Hello misc,

I'm doing my final approach to put a production system with
carp+pfsync+relayd on production.

The point is that I'm facing some trouble setting more than one IP alias
address with different vhid and different passwd.

So, this is the scenario.

I'm trying to relayd more or less 15 sites so I have conceptual doubts.

1) Is it necessary to create one carp interface for each one of my
internal VIP addresses?
2) My understanding is that I have to work with pf on my carp interfaces.

I have tried to put two different VIPs on my carp, but without luck.

Here is the homework.

[root@server ~]# uname -a
OpenBSD server.internaldomain.com 5.4 GENERIC#37 amd64
[root@server ~]#

[root@server ~]# cat /etc/hostname.em0
inet 172.19.224.180 255.255.255.0

[root@server ~]# cat /etc/hostname.em1
inet 172.19.226.231 255.255.255.0 172.19.226.255

[root@server ~]# cat /etc/hostname.carp0
# inet alias 172.19.224.16 255.255.255.255 172.19.224.255 vhid 1 advskew 10 carpdev em0 pass Ahsooqu3
inet alias 172.19.224.131 255.255.255.0 172.19.224.255 vhid 2 advskew 10 carpdev em0 pass Meixo9oe
# inet alias 172.19.224.41 255.255.255.255 172.19.224.255 vhid 3 advskew 10 carpdev em0 pass av5eG9Gi
# inet alias 172.19.224.40 255.255.255.255 172.19.224.255 vhid 4 advskew 10 carpdev em0 pass Rei6thai
# inet alias 172.19.224.181 255.255.255.0 172.19.224.255 vhid 5 advskew 10 carpdev em0 pass Toobohz3
# inet alias 172.19.224.182 255.255.255.255 172.19.224.255 vhid 6 advskew 10 carpdev em0 pass Quahng6U

[root@server ~]# cat /etc/hostname.pfsync0
up syncdev em1

[root@server ~]# cat /etc/pf.conf
ext_if=carp0

set fingerprints /etc/pf.os
set optimization aggressive
set limit states 9
set limit src-nodes 65000

table <bad_ip> persist
table <internat_net> persist file /etc/internal_net
table <admitted_net> persist file /etc/admitted.txt

# vip1_address = 172.19.224.181
# vip2_address = 172.19.224.16
vip3_address = 172.19.224.131
# vip4_address = 172.19.224.41
# vip5_address = 172.19.224.40

# Stop processing when the traffic comes from the internal networks
pass in quick from <internat_net> to any

# Let through the IPs from the permitted networks
# pass in quick from <admitted_net> to $vip1_address
pass in quick from <admitted_net> to $vip3_address

# Set up the block
block in quick from <bad_ip>
block in log quick on $ext_if proto tcp from any os NMAP to any label ExtNMAPScan

# Protection against nmap and similar tools
# block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in quick on $ext_if proto tcp flags /WEUAPRSF
block in quick on $ext_if proto tcp flags SR/SR
block in quick on $ext_if proto tcp flags SF/SF
block in quick from urpf-failed


# Apply DoS and SYN flood rules on site1
# pass in log on $mob_if proto tcp to $vip1_address port www keep state \
#     (sloppy, max 1, max-src-nodes 5000, max-src-conn 100, max-src-conn-rate \
#     95/2, adaptive.start 6000, adaptive.end 12000, tcp.first \
#     15, tcp.opening 5, tcp.established 3600, tcp.closing 5, tcp.finwait 15, \
#     tcp.closed 15, tcp.tsdiff 5)


# Apply DoS and SYN flood rules on site2
# pass in on $ext_if proto tcp to $vip2_address port www keep state \
#     (sloppy, max 1, max-src-nodes 5000, max-src-conn 150, max-src-conn-rate \
#     150/3)

# Apply rules for site3
pass in on $ext_if proto tcp to $vip3_address port www keep state (sloppy, \
    max 1, max-src-nodes 5000, max-src-conn 150, max-src-conn-rate 100/3)

# Apply DoS and SYN flood rules on site4
# pass in on $ext_if proto tcp to $vip4_address port www keep state \
#     (sloppy, max 1, max-src-nodes 5000, max-src-conn 150, max-src-conn-rate \
#     100/3)

# Apply DoS and SYN flood rules on site5
# pass in on $ext_if proto tcp to $vip5_address port www keep state \
#     (sloppy, max 1, max-src-nodes 5000, max-src-conn 150, max-src-conn-rate \
#     100/3)

# Anchor for relayd
anchor relayd/*


[root@server ~]# cat /etc/relayd.conf
# Load-balancing configuration file

## Global options
interval 5
timeout 500
prefork 15
log all

## VIP addresses
# address1=172.19.224.16
# address2=172.19.224.181
address3=172.19.224.131
# address4=172.19.224.41
# address5=172.19.224.40

## Server addresses
wsapp1=172.19.224.200
wsapp2=172.19.224.201
webcache01=172.19.224.70
webcache02=172.19.224.71
webcache03=172.19.224.72
webcache04=172.19.224.73

## Table definitions
table <mobileweb> { $wsapp1 $wsapp2 }
table <webcaches> { $webcache01 $webcache02 $webcache03 $webcache04 }
table <webcaches1> { $webcache01 }

## Protocol definitions (filters)

http protocol httpSite1 {

header change Connection to close
header append $REMOTE_ADDR to X-Forwarded-For
cookie hash sessid

}

http protocol httpSite2 {

header change Connection to close
header append $REMOTE_ADDR to X-Forwarded-For
cookie hash sessid

}

http protocol httpSite3 {

header change Connection to close

Re: carp+pfsync+relayd question

2013-11-14 Thread mxb
15 sites and only 9?
I’d put around 50 (and have). You might need even more.

On 14 nov 2013, at 16:21, Leonardo Santagostini lsantagost...@gmail.com
wrote:

 set limit states 9



Re: carp+pfsync+relayd question

2013-11-14 Thread mxb
Put all of those into the same "relay { }" as they are going to the same
forward table.

relay {
listen on addr1 port 80
listen on addr2 port 80
etc...

}

or you'll end up doing "check http" several times.

and I'd do just simple "check tcp" - faster.

On 14 nov 2013, at 16:21, Leonardo Santagostini lsantagost...@gmail.com
wrote:

 relay site2 {
 listen on $address3 port 80
 protocol httpSite2
 forward to <webcaches> port 80 mode roundrobin check http /monitoreo/relayd.txt code 200
 }

 #relay site3 {
 #listen on $address1 port 80
 #protocol httpSite3
 #forward to <webcaches> port 80 mode roundrobin check http /monitoreo/relayd.txt code 200
 #}

 #relay site4 {
 #listen on $address4 port 80
 #protocol httpSite4
 #forward to <webcaches> port 80 mode roundrobin check http /monitoreo/relayd.txt code 200
 #}

 #relay site5 {
 #listen on $address5 port 80
 #protocol httpSite5
 #forward to <webcaches> port 80 mode roundrobin check http /monitoreo/relayd.txt code 200
 #}



Re: carp+pfsync+relayd question

2013-11-14 Thread Leonardo Santagostini
Ok, I will modify the config. But I really want to know about the carp
configuration.

I forgot to mention that I'm doing DSR.

Saludos.-
Leonardo Santagostini

http://ar.linkedin.com/in/santagostini





2013/11/14 mxb m...@alumni.chalmers.se

 15 sites and only 9?
 I’d put around 50 (and have). You might need even more.

 On 14 nov 2013, at 16:21, Leonardo Santagostini lsantagost...@gmail.com
 wrote:

 set limit states 9



Re: QEMU CPU cores not showing up

2013-11-14 Thread InterNetX - Robert Garrett

The issue you outlined below is not an OpenBSD issue, this is a kvm
issue, and depends greatly on the version of linux/whatever you are
using. The interrupt remapping you are talking about is either a bios
issue (likely) or an issue with the hypervisor.

It sounds like to me you are using or attempting to use SRIOV.

All of the issues that you mentioned are still relevant even with
safe interrupts, as well as several you did not mention.

RG

On 11/14/2013 03:15 PM, Giancarlo Razzolini wrote:
 On 14-11-2013 11:43, David Coppa wrote:
 On Thu, Nov 14, 2013 at 2:33 PM, Giancarlo Razzolini
 grazzol...@gmail.com wrote:
 On 13-11-2013 22:40, Jeff Fuhrman wrote:
 I'm the tech Bruno has been working with regarding this. QEMU
 version is 1.5 and the relevant section of the KVM Config
 file is
 <vcpu>4</vcpu><cpu><topology sockets='1' cores='4' threads='1'/></cpu>.
 We've tried it with 2 sockets, with 4
 sockets, with 2 threads, 4 threads, and so on. ACPI and APIC
 are enabled for the KVM Container.

 Jeff Fuhrman Level 2 Technician - BlueVM

 I have the same issue using the same qemu version. Do you guys
 also experience random lockups? I've seen sometimes the OpenBSD
 VM sshd will simply stop answering. Also if I try to log in
 directly through the VM's console, when I insert the username
 it will not prompt me for a password. The strangest thing is,
 the machine still answers ping packets. I could not debug it
 yet, since it happens randomly. I have to force a shutdown to
 be able to access the machine again.

 Have you applied the patch for the errata below?

 for 5.4:

 http://ftp.openbsd.org/pub/OpenBSD/patches/5.4/common/003_vnode.patch

 or for 5.3:

 http://ftp.openbsd.org/pub/OpenBSD/patches/5.3/common/010_vnode.patch

 Not yet David, will look into it. I am moving almost all of my
 infrastructure servers to virtualized ones. Even my firewall is
 virtualized now. But I am experiencing these random lockups now and
 then. Will apply the patch and test it again.

 I do have another issue with running an OpenBSD guest in which it
 won't do interrupt remapping so I have to enable an unsafe behavior
 on kvm which allows it to do pci passthrough with unsafe
 interrupts. There are some issues using this in which a privileged
 user in the guest machine could escalate its privileges on the
 host and/or crash it. Anyway, this isn't a problem for me right
 now, when I do have some time I'll look into it.

 Thanks,



Re: QEMU CPU cores not showing up

2013-11-14 Thread Bruno Delbono
Theo,

I wonder when will you stop being a condescending prick? I understand you and 
many of the actually nicer devs here on OpenBSD, have contributed  towards 
computer security. And yet you have been in public and private, called a bully 
numerous times now.  I have a faint recollection of meeting you at CanSec West 
in Vancouver a decade ago and oddly this arrogance remains. At that time I was 
younger and OpenBSD was the shit! Sigh...youth

Remember when you changed IPv6 in OpenBSD also about a decade ago? I had to work
with Philip Hazel on Exim to work properly with the new way of thinking that
was your way. Or the time when x2 remote root exploit was floating on the
internet (even before it went wild)? With IPv6, a decade later neither has the
adoption increased as predicted nor have those security problems you claimed
affected the other OS's to show your way was better. And I remember your
reluctance to deal with x2...or the time you just pulled ipfilter until pf
saved your ass..

I mean is your head that up your ass that you think being an incredibly idiotic 
bully with an OS that barely functions properly to begin with, helps? Quite 
frankly, I am just annoyed now that I am spending time trying to figure out why 
this one-man OS is so dumb that all other OS's in the world see four cores 
except - oh wait, OpenBSD. I am sure the hundreds and hundreds...no, sorry just 
the hundred of OpenBSD users will benefit.  

PS - Telling me to stick a screw driver in my ear? Ya seriously eff off...I am
not putting up with this bullying shit.  :)

--
Bruno Delbono
| Cognitive Researcher - Human Behavioural Project
| Real Sociedad Española De Antropología
| ☎: +1 855 253 5436 ☎: +1 424 354 4700


From: Theo de Raadt dera...@cvs.openbsd.org
Sent: Wednesday, November 13, 2013 5:29 PM
To: Bruno Delbono
Cc: misc@openbsd.org; mlar...@azathoth.net
Subject: Re: QEMU CPU cores not showing up

 Sigh, Theo. Seriously I am asking for your help to find out the
 issue as its unique to OpenBSD.


 Stop ranting away on the demerits of disabling apm (and now pci - right! 
 wtf?!).

Then stop justifying your blind following of what you read  on the web.
It looks too much like incompetence.

 Like dude, have you never tried variations of anything except
 default bsd kernel? Why is tinkering (and not even permanent - just
 dmesg outputs) considered such an anathema?

Hey, stick a screw driver into your ear.  Does it help anything?  No.
And that is why it is discouraged.

Don't use boot -c thinking it will fix things for you.

It won't.  That is not what it is for.

boot -c is not a magic tool that solves bugs.  From time to time I
wonder if we should delete it.  It looks like it is only used by people
who read web pages.



Re: carp+pfsync+relayd question

2013-11-14 Thread Andy
On 14/11/13 15:21, Leonardo Santagostini wrote:
 Hello misc,

 I'm doing my final approach to put a production system with
 carp+pfsync+relayd on production.

 The point is that I'm facing some trouble setting more than one IP alias
 address with different vhid and different passwd.

 So, this is the scenario.

 I'm trying to relayd more or less 15 sites so I have conceptual doubts.

 1) Is it necessary to create one carp interface for each one of my
 internal VIP addresses?
 2) My understanding is that I have to work with pf on my carp interfaces.

 I have tried to put two different VIPs on my carp, but without luck.

 Here is the homework.

 [root@server ~]# uname -a
 OpenBSD server.internaldomain.com 5.4 GENERIC#37 amd64
 [root@server ~]#

 [root@server ~]# cat /etc/hostname.em0
 inet 172.19.224.180 255.255.255.0

 [root@server ~]# cat /etc/hostname.em1
 inet 172.19.226.231 255.255.255.0 172.19.226.255

 [root@server ~]# cat /etc/hostname.carp0
 # inet alias 172.19.224.16 255.255.255.255 172.19.224.255 vhid 1 advskew 10 carpdev em0 pass Ahsooqu3
 inet alias 172.19.224.131 255.255.255.0 172.19.224.255 vhid 2 advskew 10 carpdev em0 pass Meixo9oe
 # inet alias 172.19.224.41 255.255.255.255 172.19.224.255 vhid 3 advskew 10 carpdev em0 pass av5eG9Gi
 # inet alias 172.19.224.40 255.255.255.255 172.19.224.255 vhid 4 advskew 10 carpdev em0 pass Rei6thai
 # inet alias 172.19.224.181 255.255.255.0 172.19.224.255 vhid 5 advskew 10 carpdev em0 pass Toobohz3
 # inet alias 172.19.224.182 255.255.255.255 172.19.224.255 vhid 6 advskew 10 carpdev em0 pass Quahng6U

CARP should look like this (master);
inet 172.19.224.16 255.255.255.0 172.19.224.255 vhid 1 carpdev em0 pass Ahsooqu3 advskew 0
inet alias 172.19.224.131 255.255.255.255
inet alias 172.19.224.41 255.255.255.255
inet alias 172.19.224.40 255.255.255.255
inet alias 172.19.224.181 255.255.255.255
inet alias 172.19.224.182 255.255.255.255

And (backup);
inet 172.19.224.16 255.255.255.0 172.19.224.255 vhid 1 carpdev em0 pass Ahsooqu3 advskew 200
inet alias 172.19.224.131 255.255.255.255
inet alias 172.19.224.41 255.255.255.255
inet alias 172.19.224.40 255.255.255.255
inet alias 172.19.224.181 255.255.255.255
inet alias 172.19.224.182 255.255.255.255

And yes the subnet masks for the aliases should be /32 and you will see a
warning in the logs during fail-over. This is fine, the devs just
haven't muted the check warning yet.

You've done it right if 'netstat -rn' shows;

172.19.224.131 127.0.0.1  UGHS   00 33152 8 lo0
172.19.224.131/32  172.19.224.131 U  00 - 4 carp0

 [root@server ~]# cat /etc/hostname.pfsync0
 up syncdev em1

 [root@server ~]# cat /etc/pf.conf
 ext_if=carp0

You don't refer to CARP as an interface, it is simply a VRRP watchdog
interface (for example you cannot set the MTU on a CARP interface as it
is not really an interface).
Use the physical..

ext_if=em0



 set fingerprints /etc/pf.os
 set optimization aggressive
 set limit states 9
Definitely needs to be higher! try 1 million..

 set limit src-nodes 65000

 table <bad_ip> persist
 table <internat_net> persist file /etc/internal_net
 table <admitted_net> persist file /etc/admitted.txt

 # vip1_address = 172.19.224.181
 # vip2_address = 172.19.224.16
 vip3_address = 172.19.224.131
 # vip4_address = 172.19.224.41
 # vip5_address = 172.19.224.40
Just to keep you sane remember these rules;
# (SNAT) NATing is done before filtering, 'pass out on $if_ext from 
$external_carp_ip1' (public address as src for outbound).
# (DNAT) RDRing is done before filtering, 'pass in on $if_ext from any 
to $internal_ip1' (private address as dst for inbound).

[image: OpenBSD_PF_flow]


 # Stop processing when the traffic comes from the internal networks
 pass in quick from <internat_net> to any

 # Let through the IPs from the permitted networks
 # pass in quick from <admitted_net> to $vip1_address
 pass in quick from <admitted_net> to $vip3_address

 # Set up the block
 block in quick from <bad_ip>
Your 'block in quick's should be above your 'pass in quick's!
quick means stop evaluating and do this action now..

 block in log quick on $ext_if proto tcp from any os NMAP to any label ExtNMAPScan

 # Protection against nmap and similar tools
 # block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
 block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
 block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
 block in quick on $ext_if proto tcp flags /WEUAPRSF
 block in quick on $ext_if proto tcp flags SR/SR
 block in quick on $ext_if proto tcp flags SF/SF
 block in quick from urpf-failed


 # Apply DoS and SYN flood rules on site1
 # pass in log on $mob_if proto tcp to $vip1_address port www keep state \
 #     (sloppy, max 1, max-src-nodes 5000, max-src-conn 100, max-src-conn-rate \
 #     95/2, adaptive.start 6000, adaptive.end 12000, tcp.first \
 #     15, tcp.opening 5, tcp.established 3600, tcp.closing 5, tcp.finwait 15, \
 #     tcp.closed 15, tcp.tsdiff 5)
Be careful, Direct 
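
[Added example, not part of the original thread or of pf itself.] The rule-ordering remark in the reply above ('quick' stops evaluation at the first matching rule) can be checked with a small Python model of pf's "last match wins unless quick" evaluation, run over the three quick rules from the posted pf.conf. The function names (parse, decide, shadowed_blocks), the table contents and the test addresses are constructed for illustration, and the model matches on the source table only.

```python
import ipaddress
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

Network = ipaddress.IPv4Network


class Rule(NamedTuple):
    action: str           # "pass" or "block"
    quick: bool           # True if the rule carries the `quick` keyword
    table: Optional[str]  # source table name; None means "from any"
    text: str             # original rule line, kept for reporting


# Subset of pf.conf syntax covering the rules discussed in the thread:
#   pass|block in [log] [quick] from <table>|any ...
RULE_RE = re.compile(
    r"^(pass|block)\s+in\s+(?:log\s+)?(quick\s+)?from\s+(?:<(\w+)>|any\b)"
)


def parse(conf: str) -> List[Rule]:
    """Return the supported rules in file order; other lines are skipped."""
    rules = []
    for line in conf.splitlines():
        line = line.strip()
        m = RULE_RE.match(line)
        if m:
            rules.append(Rule(m.group(1), bool(m.group(2)), m.group(3), line))
    return rules


def decide(rules: List[Rule], tables: Dict[str, List[Network]],
           src: str) -> Tuple[str, str]:
    """Evaluate one inbound packet: last match wins, `quick` ends the scan."""
    addr = ipaddress.ip_address(src)
    verdict = ("pass", "implicit default")  # pf passes when nothing matches
    for rule in rules:
        if rule.table is not None and not any(
                addr in net for net in tables[rule.table]):
            continue
        verdict = (rule.action, rule.text)
        if rule.quick:
            break
    return verdict


def shadowed_blocks(rules: List[Rule],
                    tables: Dict[str, List[Network]]) -> List[Tuple[str, str]]:
    """List (block rule, earlier pass-quick rule) pairs whose sources overlap,
    i.e. addresses the block rule can never see."""
    findings = []
    for i, blk in enumerate(rules):
        if blk.action != "block" or blk.table is None:
            continue
        for earlier in rules[:i]:
            if earlier.action != "pass" or not earlier.quick:
                continue
            if earlier.table is None or any(
                    a.overlaps(b)
                    for a in tables[earlier.table]
                    for b in tables[blk.table]):
                findings.append((blk.text, earlier.text))
    return findings


# Rule order as posted in the thread.
ORIGINAL = """
pass in quick from <internat_net> to any
pass in quick from <admitted_net> to $vip3_address
block in quick from <bad_ip>
"""

# Order suggested in the reply: block quick rules first.
REORDERED = """
block in quick from <bad_ip>
pass in quick from <internat_net> to any
pass in quick from <admitted_net> to $vip3_address
"""

# Constructed table contents (the thread does not show the table files).
TABLES = {
    "internat_net": [Network("172.19.224.0/24")],
    "admitted_net": [Network("198.51.100.0/24")],
    "bad_ip": [Network("172.19.224.77/32"), Network("198.51.100.23/32"),
               Network("203.0.113.9/32")],
}

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL), ("reordered", REORDERED)):
        rules = parse(conf)
        for src in ("172.19.224.77", "198.51.100.23", "203.0.113.9"):
            print(name, src, decide(rules, TABLES, src))
        print(name, "shadowed:", shadowed_blocks(rules, TABLES))
```
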

Re: QEMU CPU cores not showing up

2013-11-14 Thread Theo de Raadt
Then we'll not be hearing from you again, I assume.

 I am not putting up with this bullying shit.  :)
 
 --
 Bruno Delbono
 | Cognitive Researcher - Human Behavioural Project
 | Real Sociedad Española De Antropología
 | ☎: +1 855 253 5436 ☎: +1 424 354 4700



Re: interruptions

2013-11-14 Thread Ville Valkonen
dmesg?



Re: QEMU CPU cores not showing up

2013-11-14 Thread Giancarlo Razzolini
On 14-11-2013 14:18, InterNetX - Robert Garrett wrote:
 The issue you outlined below is not an OpenBSD issue, this is a kvm
 issue, and depends greatly on the version of linux/whatever you are
 using. The interrupt remapping you are talking about is either a bios
 issue (likely) or an issue with the hypervisor.

 It sounds like to me you are using or attempting to use SRIOV.

 All of the issues that you mentioned are still relevant even with
 safe interrupts, as well as several you did not mention.

Robert,

I do believe it is a specific issue with OpenBSD, because using the
same hypervisor I can do pci passthrough, using the same versions,
hardware, etc, to other operating systems using interrupt remapping.

I do have indeed SRIOV enabled on my bare metal bios. The thing is
that kvm specifically warns me that the guest does not support interrupt
remapping, when using openbsd only. As I told before, it is not a
problem for me right now, since I enable the unsafe interrupt assignment
and the OS works normally.

Also, David, thanks for pointing out the patch, because since I
applied it, I have not experienced any more lockups (so far). I am betting
it was indeed the problem.

-- 
Giancarlo Razzolini
GPG: 4096R/77B981BC



Re: QEMU CPU cores not showing up

2013-11-14 Thread openbsd2012
| -----Original Message-----
| From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On
| Behalf Of Bruno Delbono
| Sent: Thursday, November 14, 2013 10:48 AM
| To: Theo de Raadt
| Cc: misc@openbsd.org; mlar...@azathoth.net
| Subject: Re: QEMU CPU cores not showing up
|

Useless crying removed...

| PS - Telling me to stick a screw driver in my ear? Ya seriously eff off...I
| am not putting up with this bullying shit.  :)

Good, I for one am glad you are leaving and taking your self-entitled attitude 
with you. If you want something fixed that no developer cares about, then shut 
up and code it yourself. Prick, indeed.

-Breeno



Re: carp+pfsync+relayd question

2013-11-14 Thread Leonardo Santagostini
Thanks a lot to all, I will give it a try and give you feedback as
soon as it gets implemented.

Saludos.-
Leonardo Santagostini

http://ar.linkedin.com/in/santagostini





2013/11/14 Andy a...@brandwatch.com

  On 14/11/13 15:21, Leonardo Santagostini wrote:

 Hello misc,

 Im doing my final approach to put a production system with
 carp+pfsync+relayd on production.

 The point is that im facing some trouble setting more than one ip alias
 address with different vhid and different passwd.

 So, this is the scenario.

 Im trying to relayd more or less 15 sites so i have conceptual doubts.

 1) is it nesessary to create one carp interface for each one of my
 internals VIP address
 2) my understanding is that i have to work with pf on my carp interfaces.

 I have tried to put two different VIP's on my carp, but whitout lucky.

 Here is the homework.

 [root@server ~]# uname -a
 OpenBSD server.internaldomain.com 5.4 GENERIC#37 amd64
 [root@server ~]#

 [root@server ~]# cat /etc/hostname.em0
 inet 172.19.224.180 255.255.255.0

 [root@server ~]# cat /etc/hostname.em1
 inet 172.19.226.231 255.255.255.0 172.19.226.255

 [root@server ~]# cat /etc/hostname.carp0
 # inet alias 172.19.224.16 255.255.255.255 172.19.224.255 vhid 1 advskew 10
 carpdev em0 pass Ahsooqu3
 inet alias 172.19.224.131 255.255.255.0 172.19.224.255 vhid 2 advskew 10
 carpdev em0 pass Meixo9oe
 # inet alias 172.19.224.41 255.255.255.255 172.19.224.255 vhid 3 advskew 10
 carpdev em0 pass av5eG9Gi
 # inet alias 172.19.224.40 255.255.255.255 172.19.224.255 vhid 4 advskew 10
 carpdev em0 pass Rei6thai
 # inet alias 172.19.224.181 255.255.255.0 172.19.224.255 vhid 5 advskew 10
 carpdev em0 pass Toobohz3
 # inet alias 172.19.224.182 255.255.255.255 172.19.224.255 vhid 6 adskew 10
 carpdev em0 pass Quahng6U

  CARP should look like this (master);
 inet 172.19.224.16 255.255.255.0 172.19.224.255 vhid 1 carpdev em0 pass
 Ahsooqu3 advskew 0
 inet alias 172.19.224.131 255.255.255.255
 inet alias 172.19.224.41 255.255.255.255
 inet alias 172.19.224.40 255.255.255.255
 inet alias 172.19.224.181 255.255.255.255
 inet alias 172.19.224.182 255.255.255.255

 And (backup);
 inet 172.19.224.16 255.255.255.0 172.19.224.255 vhid 1 carpdev em0 pass
 Ahsooqu3 advskew 200
 inet alias 172.19.224.131 255.255.255.255
 inet alias 172.19.224.41 255.255.255.255
 inet alias 172.19.224.40 255.255.255.255
 inet alias 172.19.224.181 255.255.255.255
 inet alias 172.19.224.182 255.255.255.255

 And yes the subnet masks for the alias' should be /32 and you will see a
 warning in the logs during fail-over. This is fine, the devs just haven't
 muted the check warning yet.

 You've done it right if 'netstat -rn' shows;

 172.19.224.131 127.0.0.1  UGHS   00 33152 8
 lo0
 172.19.224.131/32  172.19.224.131 U  00 - 4
 carp0


  [root@server ~]# cat /etc/hostname.pfsync0
 up syncdev em1

 [root@server ~]# cat /etc/pf.conf
 ext_if=carp0

  You don't refer to CARP as an interface, it is simply a VRRP watchdog
 interface (for example you cannot set the MTU on a CARP interface as it is
 not really an interface.
 Use the physical..

 ext_if=em0



 set fingerprints /etc/pf.os
 set optimization aggressive
 set limit states 9

  Definitely needs to be higher! try 1 million..


  set limit src-nodes 65000

 table bad_ip persist
 table internat_net persist file /etc/internal_net
 table admitted_net persist file /etc/admitted.txt

 # vip1_address = 172.19.224.181
 # vip2_address = 172.19.224.16
 vip3_address = 172.19.224.131
 # vip4_address = 172.19.224.41
 # vip5_address = 172.19.224.40

  Just to keep you sane remember these rules;
 # (SNAT) NATing is done before filtering, 'pass out on $if_ext from
 $external_carp_ip1' (public address as src for outbound).
 # (DNAT) RDRing is done before filtering, 'pass in on $if_ext from any to
 $internal_ip1' (private address as dst for inbound).

 [image: OpenBSD_PF_flow]



 # Dejo de procesar cuando se trata de las redes internas
 pass in quick from internat_net to any

 # Dejo pasar las ips desde las redes permitidas
 # pass in quick from admitted_net to $vip1_address
 pass in quick from admitted_net to $vip3_address

 # Genero el block
 block in quick from bad_ip

  Your 'block in quick's should be above your 'pass in quick's!
 quick means stop evaluating and do this action now..


  block in log quick on $ext_if proto tcp from any os NMAP to any label
 ExtNMAPScan

 # Proteccion contra nmap y herramientas similares
 # block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
 block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
 block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
 block in quick on $ext_if proto tcp flags /WEUAPRSF
 block in quick on $ext_if proto tcp flags SR/SR
 block in quick on $ext_if proto tcp flags SF/SF
 block in quick from urpf-failed


 # Apply DoS and SYN flood rules on site1
 # pass in log on $mob_if proto tcp to $vip1_address port www keep state
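
Added example, not part of the thread and not pf code: a toy Python model of the evaluation order discussed in the quoted reply above (a `quick` rule decides at the first match, otherwise the last matching rule wins), run over the three table rules from the posted pf.conf. The table contents, the sample addresses and all function names are constructed for illustration.

```python
"""Toy model of pf rule evaluation order (added example, not pf itself)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VIP3 = "172.19.224.131"  # $vip3_address from the posted pf.conf

# Constructed table contents; the thread does not show the real files.
TABLES = {
    "internat_net": ["172.19.0.0/16"],
    "admitted_net": ["203.0.113.0/24"],
    "bad_ip": ["203.0.113.66", "198.51.100.7"],
}


@dataclass(frozen=True)
class Rule:
    action: str        # "pass" or "block"
    quick: bool        # True: first match decides and evaluation stops
    src: str           # table name, or "any"
    dst: str = "any"   # single address, or "any"


# The three table rules in the order they appear in the posted pf.conf.
POSTED = [
    Rule("pass", True, "internat_net"),
    Rule("pass", True, "admitted_net", VIP3),
    Rule("block", True, "bad_ip"),
]
# Same rules with the block moved to the top, as the reply recommends.
REORDERED = [POSTED[2], POSTED[0], POSTED[1]]


def matches(rule, tables, src, dst):
    """True if the packet (src, dst) matches the rule's address criteria."""
    if rule.dst not in ("any", dst):
        return False
    if rule.src == "any":
        return True
    return any(ip_address(src) in ip_network(net) for net in tables[rule.src])


def evaluate(rules, tables, src, dst):
    """Return (action, index of the deciding rule, or None for the default)."""
    verdict = ("pass", None)             # pf passes a packet that matches no rule
    for i, rule in enumerate(rules):
        if matches(rule, tables, src, dst):
            verdict = (rule.action, i)   # last match wins ...
            if rule.quick:               # ... unless the rule is quick
                break
    return verdict


def shadowed_blocks(rules, tables, packets):
    """List (src, pass_idx, block_idx) where a 'pass quick' pre-empts a block."""
    found = []
    for src, dst in packets:
        action, idx = evaluate(rules, tables, src, dst)
        if action != "pass" or idx is None or not rules[idx].quick:
            continue
        for j in range(idx + 1, len(rules)):
            if rules[j].action == "block" and matches(rules[j], tables, src, dst):
                found.append((src, idx, j))
                break
    return found


# Constructed sample packets: (source address, destination address).
PACKETS = [
    ("203.0.113.66", VIP3),   # in admitted_net AND bad_ip
    ("198.51.100.7", VIP3),   # in bad_ip only
    ("203.0.113.10", VIP3),   # in admitted_net only
    ("172.19.224.9", VIP3),   # internal network
]

if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("reordered", REORDERED)):
        for src, dst in PACKETS:
            print(name, src, "->", dst, evaluate(rules, TABLES, src, dst))
        print(name, "shadowed blocks:", shadowed_blocks(rules, TABLES, PACKETS))
```

With the posted order, an address that sits in both the admitted and the bad table is passed by the second rule and never reaches the block; with the block first it is dropped.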
 

Re: carp+pfsync+relayd question

2013-11-14 Thread Leonardo Santagostini
Ok, just added my second website to both servers like your recommendation.

I will post my config before the end of the day just to share it with you.

Thank you so much !!!

Regards

Saludos.-
Leonardo Santagostini

http://ar.linkedin.com/in/santagostini





2013/11/14 Leonardo Santagostini lsantagost...@gmail.com

 Thanks a lot to all, I will give it a try and give you feedback as
 soon as it gets implemented.

 Saludos.-
 Leonardo Santagostini

 http://ar.linkedin.com/in/santagostini





 2013/11/14 Andy a...@brandwatch.com

  On 14/11/13 15:21, Leonardo Santagostini wrote:

 Hello misc,

 I'm doing my final approach to put a production system with
 carp+pfsync+relayd on production.

 The point is that I'm facing some trouble setting more than one IP alias
 address with different vhid and different passwd.

 So, this is the scenario.

 I'm trying to relayd more or less 15 sites so I have conceptual doubts.

 1) Is it necessary to create one carp interface for each one of my
 internal VIP addresses?
 2) My understanding is that I have to work with pf on my carp interfaces.

 I have tried to put two different VIPs on my carp, but without luck.

 Here is the homework.

 [root@server ~]# uname -a
 OpenBSD server.internaldomain.com 5.4 GENERIC#37 amd64
 [root@server ~]#

 [root@server ~]# cat /etc/hostname.em0
 inet 172.19.224.180 255.255.255.0

 [root@server ~]# cat /etc/hostname.em1
 inet 172.19.226.231 255.255.255.0 172.19.226.255

 [root@server ~]# cat /etc/hostname.carp0
 # inet alias 172.19.224.16 255.255.255.255 172.19.224.255 vhid 1 advskew 10
 carpdev em0 pass Ahsooqu3
 inet alias 172.19.224.131 255.255.255.0 172.19.224.255 vhid 2 advskew 10
 carpdev em0 pass Meixo9oe
 # inet alias 172.19.224.41 255.255.255.255 172.19.224.255 vhid 3 advskew 10
 carpdev em0 pass av5eG9Gi
 # inet alias 172.19.224.40 255.255.255.255 172.19.224.255 vhid 4 advskew 10
 carpdev em0 pass Rei6thai
 # inet alias 172.19.224.181 255.255.255.0 172.19.224.255 vhid 5 advskew 10
 carpdev em0 pass Toobohz3
 # inet alias 172.19.224.182 255.255.255.255 172.19.224.255 vhid 6 adskew 10
 carpdev em0 pass Quahng6U

  CARP should look like this (master);
 inet 172.19.224.16 255.255.255.0 172.19.224.255 vhid 1 carpdev em0 pass
 Ahsooqu3 advskew 0
 inet alias 172.19.224.131 255.255.255.255
 inet alias 172.19.224.41 255.255.255.255
 inet alias 172.19.224.40 255.255.255.255
 inet alias 172.19.224.181 255.255.255.255
 inet alias 172.19.224.182 255.255.255.255

 And (backup);
 inet 172.19.224.16 255.255.255.0 172.19.224.255 vhid 1 carpdev em0 pass
 Ahsooqu3 advskew 200
 inet alias 172.19.224.131 255.255.255.255
 inet alias 172.19.224.41 255.255.255.255
 inet alias 172.19.224.40 255.255.255.255
 inet alias 172.19.224.181 255.255.255.255
 inet alias 172.19.224.182 255.255.255.255

 And yes the subnet masks for the alias' should be /32 and you will see a
 warning in the logs during fail-over. This is fine, the devs just haven't
 muted the check warning yet.

 You've done it right if 'netstat -rn' shows;

 172.19.224.131     127.0.0.1       UGHS  0  0  33152  8  lo0
 172.19.224.131/32  172.19.224.131  U     0  0  -      4  carp0


  [root@server ~]# cat /etc/hostname.pfsync0
 up syncdev em1

 [root@server ~]# cat /etc/pf.conf
 ext_if=carp0

  You don't refer to CARP as an interface, it is simply a VRRP watchdog
 interface (for example you cannot set the MTU on a CARP interface as it is
 not really an interface.
 Use the physical..

 ext_if=em0


  set fingerprints /etc/pf.os
 set optimization aggressive
 set limit states 9

  Definitely needs to be higher! try 1 million..


  set limit src-nodes 65000

 table <bad_ip> persist
 table <internat_net> persist file /etc/internal_net
 table <admitted_net> persist file /etc/admitted.txt

 # vip1_address = 172.19.224.181
 # vip2_address = 172.19.224.16
 vip3_address = 172.19.224.131
 # vip4_address = 172.19.224.41
 # vip5_address = 172.19.224.40

  Just to keep you sane remember these rules;
 # (SNAT) NATing is done before filtering, 'pass out on $if_ext from
 $external_carp_ip1' (public address as src for outbound).
 # (DNAT) RDRing is done before filtering, 'pass in on $if_ext from any to
 $internal_ip1' (private address as dst for inbound).

 [image: OpenBSD_PF_flow]


 # Stop processing when the traffic comes from the internal networks
 pass in quick from <internat_net> to any

 # Let through the IPs from the permitted networks
 # pass in quick from <admitted_net> to $vip1_address
 pass in quick from <admitted_net> to $vip3_address

 # Generate the block
 block in quick from <bad_ip>

  Your 'block in quick's should be above your 'pass in quick's!
 quick means stop evaluating and do this action now..


  block in log quick on $ext_if proto tcp from any os NMAP to any label
 ExtNMAPScan

 # Protection against nmap and similar tools
 # block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
 block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
 block in quick on $ext_if proto tcp 

Re: carp+pfsync+relayd question

2013-11-14 Thread Leonardo Santagostini
Well well well, there is one thing occurring that I can't figure out.

I'm getting some relay site3 session 3370 (502 active), 0, 190.179.249.128
- :0, buffer event timeout

And after a couple of minutes (I couldn't take note of exactly how many) relayd
gets restarted

Is there any clue where to look into?

Thanks in advance


Saludos.-
Leonardo Santagostini

http://ar.linkedin.com/in/santagostini





2013/11/14 Leonardo Santagostini lsantagost...@gmail.com

 Ok, just added my second website to both servers like your recommendation.

 I will post my config before the end of the day just to share it with you.

 Thank you so much !!!

 Regards

 Saludos.-
 Leonardo Santagostini

 http://ar.linkedin.com/in/santagostini





 2013/11/14 Leonardo Santagostini lsantagost...@gmail.com

 Thanks a lot to all, I will give it a try and give you feedback as
 soon as it gets implemented.

 Saludos.-
 Leonardo Santagostini

 http://ar.linkedin.com/in/santagostini





 2013/11/14 Andy a...@brandwatch.com

  On 14/11/13 15:21, Leonardo Santagostini wrote:

 Hello misc,

 I'm doing my final approach to put a production system with
 carp+pfsync+relayd on production.

 The point is that I'm facing some trouble setting more than one IP alias
 address with different vhid and different passwd.

 So, this is the scenario.

 I'm trying to relayd more or less 15 sites so I have conceptual doubts.

 1) Is it necessary to create one carp interface for each one of my
 internal VIP addresses?
 2) My understanding is that I have to work with pf on my carp interfaces.

 I have tried to put two different VIPs on my carp, but without luck.

 Here is the homework.

 [root@server ~]# uname -a
 OpenBSD server.internaldomain.com 5.4 GENERIC#37 amd64
 [root@server ~]#

 [root@server ~]# cat /etc/hostname.em0
 inet 172.19.224.180 255.255.255.0

 [root@server ~]# cat /etc/hostname.em1
 inet 172.19.226.231 255.255.255.0 172.19.226.255

 [root@server ~]# cat /etc/hostname.carp0
 # inet alias 172.19.224.16 255.255.255.255 172.19.224.255 vhid 1 advskew 10
 carpdev em0 pass Ahsooqu3
 inet alias 172.19.224.131 255.255.255.0 172.19.224.255 vhid 2 advskew 10
 carpdev em0 pass Meixo9oe
 # inet alias 172.19.224.41 255.255.255.255 172.19.224.255 vhid 3 advskew 10
 carpdev em0 pass av5eG9Gi
 # inet alias 172.19.224.40 255.255.255.255 172.19.224.255 vhid 4 advskew 10
 carpdev em0 pass Rei6thai
 # inet alias 172.19.224.181 255.255.255.0 172.19.224.255 vhid 5 advskew 10
 carpdev em0 pass Toobohz3
 # inet alias 172.19.224.182 255.255.255.255 172.19.224.255 vhid 6 adskew 10
 carpdev em0 pass Quahng6U

  CARP should look like this (master);
 inet 172.19.224.16 255.255.255.0 172.19.224.255 vhid 1 carpdev em0 pass
 Ahsooqu3 advskew 0
 inet alias 172.19.224.131 255.255.255.255
 inet alias 172.19.224.41 255.255.255.255
 inet alias 172.19.224.40 255.255.255.255
 inet alias 172.19.224.181 255.255.255.255
 inet alias 172.19.224.182 255.255.255.255

 And (backup);
 inet 172.19.224.16 255.255.255.0 172.19.224.255 vhid 1 carpdev em0 pass
 Ahsooqu3 advskew 200
 inet alias 172.19.224.131 255.255.255.255
 inet alias 172.19.224.41 255.255.255.255
 inet alias 172.19.224.40 255.255.255.255
 inet alias 172.19.224.181 255.255.255.255
 inet alias 172.19.224.182 255.255.255.255

 And yes the subnet masks for the alias' should be /32 and you will see a
 warning in the logs during fail-over. This is fine, the devs just haven't
 muted the check warning yet.

 You've done it right if 'netstat -rn' shows;

 172.19.224.131     127.0.0.1       UGHS  0  0  33152  8  lo0
 172.19.224.131/32  172.19.224.131  U     0  0  -      4  carp0


  [root@server ~]# cat /etc/hostname.pfsync0
 up syncdev em1

 [root@server ~]# cat /etc/pf.conf
 ext_if=carp0

  You don't refer to CARP as an interface, it is simply a VRRP watchdog
 interface (for example you cannot set the MTU on a CARP interface as it is
 not really an interface.
 Use the physical..

 ext_if=em0


  set fingerprints /etc/pf.os
 set optimization aggressive
 set limit states 9

  Definitely needs to be higher! try 1 million..


  set limit src-nodes 65000

 table <bad_ip> persist
 table <internat_net> persist file /etc/internal_net
 table <admitted_net> persist file /etc/admitted.txt

 # vip1_address = 172.19.224.181
 # vip2_address = 172.19.224.16
 vip3_address = 172.19.224.131
 # vip4_address = 172.19.224.41
 # vip5_address = 172.19.224.40

  Just to keep you sane remember these rules;
 # (SNAT) NATing is done before filtering, 'pass out on $if_ext from
 $external_carp_ip1' (public address as src for outbound).
 # (DNAT) RDRing is done before filtering, 'pass in on $if_ext from any
 to $internal_ip1' (private address as dst for inbound).

 [image: OpenBSD_PF_flow]


 # Stop processing when the traffic comes from the internal networks
 pass in quick from <internat_net> to any

 # Let through the IPs from the permitted networks
 # pass in quick from <admitted_net> to $vip1_address
 pass in quick from <admitted_net> to 

Re: interruptions

2013-11-14 Thread Alexander Pakhomov
14.11.2013, 17:20, Alexandre Ratchov a...@caoua.org:
 On Thu, Nov 14, 2013 at 01:16:41PM +0400, Alexander Pakhomov wrote:

  Hi.
  I discovered high CPU0 interruptions load (amd64) in various cases.
  wifi (athn, urtwn): up to 100% at 2 MB/s download. Usually 50%. Grows faster
  than linear with net load. Sometimes system freezes for about a minute.
  Web speed tests consume significantly less CPU than wget/firefox/ktorrent 
 download. I
  don't know why.
  Dmitrij D. Czarkoff has 6% interruptions load during samba download (1.3 
 MB/s, urtwn).
  I sent bug report but by now it's unreplied.

  SSD write (dd if=/dev/zero of=... bs=1M): 10% unencrypted, 50% encrypted 
 (softraid0).
  Disk read doesn't load cause interruptions load.
  USB stick dd: essentially no interruptions load (2 MB/s)

  1) What interruptions load should be considered normal? I used to
  think even 10% is too high.

 yes, though it depends on the workload

  I want to investigate the problem and profile interruption handlers.
  2) Is there any OpenBSD kernel profiling support? High resolution clocks, 
 tick counters.

 do you observe the same problem with the GENERIC kernel?

Mostly GENERIC.MP
GENERIC.SP has high interrupts load with wifi but OK with disk.
Interesting that SP has higher encrypted write speed.
Interrupts load for WiFi varies a lot.
dd unenc sp:
interrupt              total  rate
irq0/clock             17944   102
irq144/acpi0              35     0
irq96/inteldrm0           39     0
irq96/ehci0               47     0
irq176/azalia0             1     0
irq101/ehci1              26     0
irq102/ahci0          437730  2501
irq145/pckbc0            587     3
Total                 456409  2608
sys 17% int 9%
164 MB/s

dd_unenc_mp
interrupt              total  rate
irq0/clock            114430   401
irq0/ipi                6786    23
irq144/acpi0              57     0
irq96/inteldrm0           38     0
irq96/ehci0              535     1
irq176/azalia0             1     0
irq101/ehci1              26     0
irq102/ahci0          274667   963
irq145/pckbc0            643     2
Total                 397183  1393
30 sys 50 int
200 MB/s

dd_enc_sp
interrupt              total  rate
irq0/clock             33068   101
irq144/acpi0              67     0
irq96/inteldrm0           55     0
irq96/ehci0               47     0
irq176/azalia0             1     0
irq101/ehci1              26     0
irq102/ahci0          470959  1440
irq145/pckbc0           1535     4
Total                 505758  1546
100 sys 0 inter
54 MB/s

dd_enc_mp
interrupt              total  rate
irq0/clock            176891   400
irq0/ipi               29242    66
irq144/acpi0              89     0
irq96/inteldrm0           72     0
irq96/ehci0              535     1
irq176/azalia0             1     0
irq101/ehci1              26     0
irq102/ahci0          515102  1165
irq145/pckbc0           1496     3
Total                 723454  1636
60x4 sys 80 int
42 MB/s

wget_athn_sp
interrupt              total  rate
irq0/clock            139244   100
irq144/acpi0             279     0
irq96/inteldrm0          156     0
irq96/ehci0           323243   232
irq176/azalia0             1     0
irq101/ehci1              26     0
irq102/ahci0          475704   342
irq145/pckbc0           3465     2
Total                 942118   678
40%
interrupt              total  rate
irq0/clock            329629   399
irq0/ipi               78886    95
irq144/acpi0             165     0
irq96/inteldrm0          134     0
irq96/ehci0           133755   162
irq176/azalia0             1     0
irq101/ehci1              26     0
irq102/ahci0          516208   625
irq145/pckbc0           2618     3
Total                1061422  1286
40 int

wget_urtwn_sp
interrupt              total  rate
irq0/clock             47794   100
irq144/acpi0              95     0
irq96/inteldrm0           87     0
irq96/ehci0            59300   125
irq176/azalia0             1     0
irq101/ehci1              26     0
irq102/ahci0          475109  1002
irq145/pckbc0           2244     4
Total                 584656  1233
40%

wget_urtwn0_mp 
interrupt

Re: interruptions

2013-11-14 Thread Alexander Pakhomov
By the way, boot sync in ddb causes a kernel panic (both mp and sp). Will send 
the next bug report to bugs@. Maybe this is connected. I doubt it, though.

15.11.2013, 00:37, Alexander Pakhomov ker0...@yandex.ru:
 14.11.2013, 17:20, Alexandre Ratchov a...@caoua.org:

  On Thu, Nov 14, 2013 at 01:16:41PM +0400, Alexander Pakhomov wrote:
   Hi.
   I discovered high CPU0 interruptions load (amd64) in various cases.
   wifi (athn, urtwn): up to 100% at 2 MB/s download. Usually 50%. Grows 
 faster
   than linear with net load. Sometimes system freezes for about a minute.
   Web speed tests consume significantly less CPU than wget/firefox/ktorrent 
 download. I
   don't know why.
   Dmitrij D. Czarkoff has 6% interruptions load during samba download (1.3 
 MB/s, urtwn).
   I sent bug report but by now it's unreplied.

   SSD write (dd if=/dev/zero of=... bs=1M): 10% unencrypted, 50% encrypted 
 (softraid0).
   Disk read doesn't load cause interruptions load.
   USB stick dd: essentially no interruptions load (2 MB/s)

   1) What interruptions load should be considered normal? I used to
   think even 10% is too high.
  yes, though it depends on the workload
   I want to investigate the problem and profile interruption handlers.
   2) Is there any OpenBSD kernel profiling support? High resolution clocks, 
 tick counters.
  do you observe the same problem with the GENERIC kernel?

 Mostly GENERIC.MP
 GENERIC.SP has high interrupts load with wifi but OK with disk.
 Interesting that SP has higher encrypted write speed.
 Interrupts load for WiFi varies a lot.
 dd unenc sp:
 interrupt   total rate
 irq0/clock  17944  102
 irq144/acpi0   35    0
 irq96/inteldrm0    39    0
 irq96/ehci0    47    0
 irq176/azalia0  1    0
 irq101/ehci1   26    0
 irq102/ahci0   437730 2501
 irq145/pckbc0 587    3
 Total  456409 2608
 sys 17% int 9%
 164 MB/s

 dd_unenc_mp
 interrupt   total rate
 irq0/clock 114430  401
 irq0/ipi 6786   23
 irq144/acpi0   57    0
 irq96/inteldrm0    38    0
 irq96/ehci0   535    1
 irq176/azalia0  1    0
 irq101/ehci1   26    0
 irq102/ahci0   274667  963
 irq145/pckbc0 643    2
 Total  397183 1393
 30 sys 50 int
 200 MB/s

 dd_enc_sp
 interrupt   total rate
 irq0/clock  33068  101
 irq144/acpi0   67    0
 irq96/inteldrm0    55    0
 irq96/ehci0    47    0
 irq176/azalia0  1    0
 irq101/ehci1   26    0
 irq102/ahci0   470959 1440
 irq145/pckbc0    1535    4
 Total  505758 1546
 100 sys 0 inter
 54 MB/s

  dd_enc_mp
 interrupt   total rate
 irq0/clock 176891  400
 irq0/ipi    29242   66
 irq144/acpi0   89    0
 irq96/inteldrm0    72    0
 irq96/ehci0   535    1
 irq176/azalia0  1    0
 irq101/ehci1   26    0
 irq102/ahci0   515102 1165
 irq145/pckbc0    1496    3
 Total  723454 1636
 60x4 sys 80 int
 42 MB/s

 wget_athn_sp
 interrupt   total rate
 irq0/clock 139244  100
 irq144/acpi0  279    0
 irq96/inteldrm0   156    0
 irq96/ehci0    323243  232
 irq176/azalia0  1    0
 irq101/ehci1   26    0
 irq102/ahci0   475704  342
 irq145/pckbc0    3465    2
 Total  942118  678
 40%
 interrupt   total rate
 irq0/clock 329629  399
 irq0/ipi    78886   95
 irq144/acpi0  165    0
 irq96/inteldrm0   134    0
 irq96/ehci0    133755  162
 irq176/azalia0  1    0
 irq101/ehci1   26    0
 irq102/ahci0   516208  625
 irq145/pckbc0    2618    3
 Total 1061422 1286
 40 int

 wget_urtwn_sp
 interrupt   total rate
 irq0/clock  47794  100
 irq144/acpi0   95    0
 irq96/inteldrm0    87    0
 irq96/ehci0    

Re: carp+pfsync+relayd question

2013-11-14 Thread Andy Lemin
Hi, as a complete guess (not used relayd yet let alone DSR) a 502 sounds like
an error return from nginx/apache etc. could be a direct server return issue
causing the TCP three way handshake to not be completing properly between the
endpoints, even though a 502 is usually server side issue.. I'd try removing
the 'in' or 'out' direction from the rules.

Otherwise I'd suggest investigating some more and post a new question to
misc.

Good luck.
Andy

Sent from my iPhone

 On 14 Nov 2013, at 19:37, Leonardo Santagostini lsantagost...@gmail.com
wrote:

 Well well well, there is one thing occurring that I can't figure out.

 I'm getting some relay site3 session 3370 (502 active), 0, 190.179.249.128 -
:0, buffer event timeout

 And after a couple of minutes (I couldn't take note of exactly how many) relayd
gets restarted

 Is there any clue where to look into?

 Thanks in advance


 Saludos.-
 Leonardo Santagostini







 2013/11/14 Leonardo Santagostini lsantagost...@gmail.com
 Ok, just added my second website to both servers like your recommendation.

 I will post my config before the end of the day just to share it with you.

 Thank you so much !!!

 Regards

 Saludos.-
 Leonardo Santagostini







 2013/11/14 Leonardo Santagostini lsantagost...@gmail.com
 Thanks a lot to all, I will give it a try and give you feedback as
soon as it gets implemented.

 Saludos.-
 Leonardo Santagostini







 2013/11/14 Andy a...@brandwatch.com
 On 14/11/13 15:21, Leonardo   Santagostini wrote:
 Hello misc,

 I'm doing my final approach to put a production system with
 carp+pfsync+relayd on production.

 The point is that I'm facing some trouble setting more than one IP alias
 address with different vhid and different passwd.

 So, this is the scenario.

 I'm trying to relayd more or less 15 sites so I have conceptual doubts.

 1) Is it necessary to create one carp interface for each one of my
 internal VIP addresses?
 2) My understanding is that I have to work with pf on my carp
interfaces.

 I have tried to put two different VIPs on my carp, but without luck.

 Here is the homework.

 [root@server ~]# uname -a
 OpenBSD server.internaldomain.com 5.4 GENERIC#37 amd64
 [root@server ~]#

 [root@server ~]# cat /etc/hostname.em0
 inet 172.19.224.180 255.255.255.0

 [root@server ~]# cat /etc/hostname.em1
 inet 172.19.226.231 255.255.255.0 172.19.226.255

 [root@server ~]# cat /etc/hostname.carp0
 # inet alias 172.19.224.16 255.255.255.255 172.19.224.255 vhid 1 advskew
10
 carpdev em0 pass Ahsooqu3
 inet alias 172.19.224.131 255.255.255.0 172.19.224.255 vhid 2 advskew
10
 carpdev em0 pass Meixo9oe
 # inet alias 172.19.224.41 255.255.255.255 172.19.224.255 vhid 3 advskew
10
 carpdev em0 pass av5eG9Gi
 # inet alias 172.19.224.40 255.255.255.255 172.19.224.255 vhid 4 advskew
10
 carpdev em0 pass Rei6thai
 # inet alias 172.19.224.181 255.255.255.0 172.19.224.255 vhid 5 advskew
10
 carpdev em0 pass Toobohz3
 # inet alias 172.19.224.182 255.255.255.255 172.19.224.255 vhid 6 adskew
10
 carpdev em0 pass Quahng6U
 CARP should look like this (master);
 inet 172.19.224.16 255.255.255.0 172.19.224.255 vhid 1 carpdev em0 pass
Ahsooqu3 advskew 0
 inet alias 172.19.224.131 255.255.255.255
 inet alias 172.19.224.41 255.255.255.255
 inet alias 172.19.224.40 255.255.255.255
 inet alias 172.19.224.181 255.255.255.255
 inet alias 172.19.224.182 255.255.255.255

 And (backup);
 inet 172.19.224.16 255.255.255.0 172.19.224.255 vhid 1 carpdev em0 pass
Ahsooqu3 advskew 200
 inet alias 172.19.224.131 255.255.255.255
 inet alias 172.19.224.41 255.255.255.255
 inet alias 172.19.224.40 255.255.255.255
 inet alias 172.19.224.181 255.255.255.255
 inet alias 172.19.224.182 255.255.255.255

 And yes the subnet masks for the alias' should be /32 and you will see a
warning in the logs during fail-over. This is fine, the devs just haven't
muted the check warning yet.

 You've done it right if 'netstat -rn' shows;

 172.19.224.131     127.0.0.1       UGHS  0  0  33152  8  lo0
 172.19.224.131/32  172.19.224.131  U     0  0  -      4  carp0


 [root@server ~]# cat /etc/hostname.pfsync0
 up syncdev em1

 [root@server ~]# cat /etc/pf.conf
 ext_if=carp0
 You don't refer to CARP as an interface, it is simply a VRRP watchdog
interface (for example you cannot set the MTU on a CARP interface as it is not
really an interface.
 Use the physical..
 ext_if=em0

 set fingerprints /etc/pf.os
 set optimization aggressive
 set limit states 9
 Definitely needs to be higher! try 1 million..


 set limit src-nodes 65000

 table <bad_ip> persist
 table <internat_net> persist file /etc/internal_net
 table <admitted_net> persist file /etc/admitted.txt

 # vip1_address = 172.19.224.181
 # vip2_address = 172.19.224.16
 vip3_address = 172.19.224.131
 # vip4_address = 172.19.224.41
 # vip5_address = 172.19.224.40
 Just to keep you sane remember these rules;
 # (SNAT) NATing is done before filtering, 'pass out on $if_ext from
$external_carp_ip1' (public address as 

Firefox 100% cpu usage html5 videos

2013-11-14 Thread Claudio
Hello,

On my laptop firefox cpu usage spikes to 100% when trying to play an html5 
video on youtube, the situation is slightly better on other sites but still the 
load never goes under 80%, this is on -current on a GM45 intel chipset if it 
matters.

Generally speaking it has the worst performance when playing html5 videos, I've 
tried chromium, xombrero and midori and they all work fine while firefox 
playback is choppy when it's at its best, else it just saturates the cpu and 
freezes the browser.

No output or errors are displayed when using firefox started from a terminal.

Claudio



Re: interruptions

2013-11-14 Thread Alexander Pakhomov
I was wrong. Kernel panics with splassert. So bug report I just sent is 
somehow connected with interruptions.

15.11.2013, 00:44, Alexander Pakhomov ker0...@yandex.ru:
 By the way, boot sync in ddb causes a kernel panic (both mp and sp). Will send 
 the next bug report to bugs@. Maybe this is connected. I doubt it, though.

 15.11.2013, 00:37, Alexander Pakhomov ker0...@yandex.ru:

  14.11.2013, 17:20, Alexandre Ratchov a...@caoua.org:
   On Thu, Nov 14, 2013 at 01:16:41PM +0400, Alexander Pakhomov wrote:
    Hi.
    I discovered high CPU0 interruptions load (amd64) in various cases.
    wifi (athn, urtwn): up to 100% at 2 MB/s download. Usually 50%. Grows 
 faster
    than linear with net load. Sometimes system freezes for about a minute.
    Web speed tests consume significantly less CPU than 
 wget/firefox/ktorrent download. I
    don't know why.
    Dmitrij D. Czarkoff has 6% interruptions load during samba download 
 (1.3 MB/s, urtwn).
    I sent bug report but by now it's unreplied.

    SSD write (dd if=/dev/zero of=... bs=1M): 10% unencrypted, 50% 
 encrypted (softraid0).
    Disk read doesn't load cause interruptions load.
    USB stick dd: essentially no interruptions load (2 MB/s)

    1) What interruptions load should be considered normal? I used to
    think even 10% is too high.
   yes, though it depends on the workload
    I want to investigate the problem and profile interruption handlers.
    2) Is there any OpenBSD kernel profiling support? High resolution 
 clocks, tick counters.
   do you observe the same problem with the GENERIC kernel?
  Mostly GENERIC.MP
  GENERIC.SP has high interrupts load with wifi but OK with disk.
  Interesting that SP has higher encrypted write speed.
  Interrupts load for WiFi varies a lot.
  dd unenc sp:
  interrupt   total rate
  irq0/clock  17944  102
  irq144/acpi0   35    0
  irq96/inteldrm0    39    0
  irq96/ehci0    47    0
  irq176/azalia0  1    0
  irq101/ehci1   26    0
  irq102/ahci0   437730 2501
  irq145/pckbc0 587    3
  Total  456409 2608
  sys 17% int 9%
  164 MB/s

  dd_unenc_mp
  interrupt   total rate
  irq0/clock 114430  401
  irq0/ipi 6786   23
  irq144/acpi0   57    0
  irq96/inteldrm0    38    0
  irq96/ehci0   535    1
  irq176/azalia0  1    0
  irq101/ehci1   26    0
  irq102/ahci0   274667  963
  irq145/pckbc0 643    2
  Total  397183 1393
  30 sys 50 int
  200 MB/s

  dd_enc_sp
  interrupt   total rate
  irq0/clock  33068  101
  irq144/acpi0   67    0
  irq96/inteldrm0    55    0
  irq96/ehci0    47    0
  irq176/azalia0  1    0
  irq101/ehci1   26    0
  irq102/ahci0   470959 1440
  irq145/pckbc0    1535    4
  Total  505758 1546
  100 sys 0 inter
  54 MB/s

   dd_enc_mp
  interrupt   total rate
  irq0/clock 176891  400
  irq0/ipi    29242   66
  irq144/acpi0   89    0
  irq96/inteldrm0    72    0
  irq96/ehci0   535    1
  irq176/azalia0  1    0
  irq101/ehci1   26    0
  irq102/ahci0   515102 1165
  irq145/pckbc0    1496    3
  Total  723454 1636
  60x4 sys 80 int
  42 MB/s

  wget_athn_sp
  interrupt   total rate
  irq0/clock 139244  100
  irq144/acpi0  279    0
  irq96/inteldrm0   156    0
  irq96/ehci0    323243  232
  irq176/azalia0  1    0
  irq101/ehci1   26    0
  irq102/ahci0   475704  342
  irq145/pckbc0    3465    2
  Total  942118  678
  40%
  interrupt   total rate
  irq0/clock 329629  399
  irq0/ipi    78886   95
  irq144/acpi0  165    0
  irq96/inteldrm0   134    0
  irq96/ehci0    133755  162
  irq176/azalia0  1    0
  irq101/ehci1   26    0
  irq102/ahci0   516208  625
  irq145/pckbc0    2618    3
  Total   

Re: Firefox 100% cpu usage html5 videos

2013-11-14 Thread Claudio
On Thu, Nov 14, 2013 at 10:20:01PM +0100, ropers wrote:
 You need to provide a lot more information to get a meaningful response:
 
 What exact Firefox version/build/package are you running? On what
 hardware? dmesg? On what precise version of OpenBSD? -current? If not,
 is it reproducible in -current?
 
 Good luck.
 
 On 14 November 2013 22:07, Claudio claudiozu...@gmail.com wrote:
  Hello,
 
  On my laptop firefox cpu usage spikes to 100% when trying to play an html5 
  video on youtube, the situation is slightly better on other sites but still 
  the load never goes under 80%, this is on -current on a GM45 intel chipset 
  if it matters.
 
  Generally speaking it has the worst performance when playing html5 videos, 
  I've tried chromium, xombrero and midori and they all work fine while 
  firefox playback is choppy when it's at its best, else it just saturates the 
  cpu and freezes the browser.
 
  No output or errors are displayed when using firefox started from a 
  terminal.
 
  Claudio
 

Firefox version is 25.0 and I'm running the latest -current snapshot, here's my 
dmesg:

OpenBSD 5.4-current (GENERIC.MP) #147: Tue Nov 12 16:37:15 MST 2013
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4166717440 (3973MB)
avail mem = 4047663104 (3860MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xe0010 (80 entries)
bios0: vendor LENOVO version 7UET94WW (3.24 ) date 10/17/2012
bios0: LENOVO 2768HJ2
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP SSDT ECDT APIC MCFG HPET SLIC BOOT ASF! SSDT TCPA DMAR 
SSDT SSDT SSDT
acpi0: wakeup devices LID_(S3) SLPB(S3) UART(S3) IGBE(S4) EXP0(S4) EXP1(S4) 
EXP2(S4) EXP3(S4) EXP4(S4) PCI1(S4) USB0(S3) USB3(S3) USB5(S3) EHC0(S3) 
EHC1(S3) HDEF(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpiec0 at acpi0
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM)2 Duo CPU P9500 @ 2.53GHz, 2527.40 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,XSAVE,NXE,LONG,LAHF,PERF
cpu0: 6MB 64b/line 16-way L2 cache
cpu0: smt 0, core 0, package 0
cpu0: apic clock running at 265MHz
cpu0: mwait min=64, max=64, C-substates=0.2.2.2.2, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM)2 Duo CPU P9500 @ 2.53GHz, 2527.00 MHz
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,XSAVE,NXE,LONG,LAHF,PERF
cpu1: 6MB 64b/line 16-way L2 cache
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 24 pins
ioapic0: misconfigured as apic 2, remapped to apid 1
acpimcfg0 at acpi0 addr 0xe000, bus 0-63
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (AGP_)
acpiprt2 at acpi0: bus 2 (EXP0)
acpiprt3 at acpi0: bus 3 (EXP1)
acpiprt4 at acpi0: bus -1 (EXP2)
acpiprt5 at acpi0: bus 5 (EXP3)
acpiprt6 at acpi0: bus 13 (EXP4)
acpiprt7 at acpi0: bus 21 (PCI1)
acpicpu0 at acpi0: C3, C2, C1, PSS
acpicpu1 at acpi0: C3, C2, C1, PSS
acpipwrres0 at acpi0: PUBS: resource for USB0, USB3, USB5, EHC0, EHC1
acpitz0 at acpi0: critical temperature is 127 degC
acpitz1 at acpi0: critical temperature is 100 degC
acpibtn0 at acpi0: LID_
acpibtn1 at acpi0: SLPB
acpibat0 at acpi0: BAT0 model 92P1137 serial25 type LION oem SANYO
acpibat1 at acpi0: BAT1 not present
acpiac0 at acpi0: AC unit online
acpithinkpad0 at acpi0
acpidock0 at acpi0: GDCK not docked (0)
cpu0: Enhanced SpeedStep 2527 MHz: speeds: 2534, 2533, 1600, 800 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 Intel GM45 Host rev 0x07
vga1 at pci0 dev 2 function 0 Intel GM45 Video rev 0x07
intagp0 at vga1
agp0 at intagp0: aperture at 0xd000, size 0x1000
inteldrm0 at vga1
drm0 at inteldrm0
inteldrm0: 1440x900
wsdisplay0 at vga1 mux 1: console (std, vt100 emulation)
wsdisplay0: screen 1-5 added (std, vt100 emulation)
Intel GM45 Video rev 0x07 at pci0 dev 2 function 1 not configured
Intel GM45 HECI rev 0x07 at pci0 dev 3 function 0 not configured
puc0 at pci0 dev 3 function 3 Intel GM45 KT rev 0x07: ports: 1 com
com4 at puc0 port 0 apic 1 int 17: ns16550a, 16 byte fifo
com4: probed fifo depth: 15 bytes
em0 at pci0 dev 25 function 0 Intel ICH9 IGP M AMT rev 0x03: msi, address 
00:22:68:12:2d:ef
uhci0 at pci0 dev 26 function 0 Intel 82801I USB rev 0x03: apic 1 int 20
uhci1 at pci0 dev 26 function 1 Intel 82801I USB rev 0x03: apic 1 int 21
uhci2 at pci0 dev 26 function 2 Intel 82801I USB rev 0x03: apic 1 int 22
ehci0 at pci0 dev 26 function 7 Intel 82801I USB rev 0x03: apic 1 int 23
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
azalia0 at pci0 dev 27 function 0 Intel 82801I HD Audio rev 0x03: msi
azalia0: 

Re: carp+pfsync+relayd question

2013-11-14 Thread Andy Lemin
In fact, thinking about it, I think that is a relayd issue somewhere and not pf
at all..

Sent from my iPhone

 On 14 Nov 2013, at 19:37, Leonardo Santagostini lsantagost...@gmail.com
wrote:

 Well well well, there is one thing occurring that I can't figure out.

 I'm getting some relay site3 session 3370 (502 active), 0, 190.179.249.128 -
:0, buffer event timeout

 And after a couple of minutes (I couldn't take note of exactly how many) relayd
gets restarted

 Is there any clue where to look into?

 Thanks in advance


 Saludos.-
 Leonardo Santagostini







 2013/11/14 Leonardo Santagostini lsantagost...@gmail.com
 Ok, just added my second website to both servers like your recommendation.

 I will post my config before the end of the day just to share it with you.

 Thank you so much !!!

 Regards

 Saludos.-
 Leonardo Santagostini







 2013/11/14 Leonardo Santagostini lsantagost...@gmail.com
 Thanks a lot to all, I will give it a try and give you feedback as
 soon as it gets implemented.

 Saludos.-
 Leonardo Santagostini







 2013/11/14 Andy a...@brandwatch.com
 On 14/11/13 15:21, Leonardo   Santagostini wrote:
 Hello misc,

 I'm doing my final approach to put a production system with
 carp+pfsync+relayd on production.

 The point is that I'm facing some trouble setting more than one ip alias
 address with different vhid and different passwd.

 So, this is the scenario.

 I'm trying to relayd more or less 15 sites so I have conceptual doubts.

 1) is it necessary to create one carp interface for each one of my
 internals VIP address
 2) my understanding is that I have to work with pf on my carp
 interfaces.

 I have tried to put two different VIP's on my carp, but without luck.

 Here is the homework.

 [root@server ~]# uname -a
 OpenBSD server.internaldomain.com 5.4 GENERIC#37 amd64
 [root@server ~]#

 [root@server ~]# cat /etc/hostname.em0
 inet 172.19.224.180 255.255.255.0

 [root@server ~]# cat /etc/hostname.em1
 inet 172.19.226.231 255.255.255.0 172.19.226.255

 [root@server ~]# cat /etc/hostname.carp0
 # inet alias 172.19.224.16 255.255.255.255 172.19.224.255 vhid 1 advskew 10
 carpdev em0 pass Ahsooqu3
 inet alias 172.19.224.131 255.255.255.0 172.19.224.255 vhid 2 advskew 10
 carpdev em0 pass Meixo9oe
 # inet alias 172.19.224.41 255.255.255.255 172.19.224.255 vhid 3 advskew 10
 carpdev em0 pass av5eG9Gi
 # inet alias 172.19.224.40 255.255.255.255 172.19.224.255 vhid 4 advskew 10
 carpdev em0 pass Rei6thai
 # inet alias 172.19.224.181 255.255.255.0 172.19.224.255 vhid 5 advskew 10
 carpdev em0 pass Toobohz3
 # inet alias 172.19.224.182 255.255.255.255 172.19.224.255 vhid 6 adskew 10
 carpdev em0 pass Quahng6U
 CARP should look like this (master);
 inet 172.19.224.16 255.255.255.0 172.19.224.255 vhid 1 carpdev em0 pass Ahsooqu3 advskew 0
 inet alias 172.19.224.131 255.255.255.255
 inet alias 172.19.224.41 255.255.255.255
 inet alias 172.19.224.40 255.255.255.255
 inet alias 172.19.224.181 255.255.255.255
 inet alias 172.19.224.182 255.255.255.255

 And (backup);
 inet 172.19.224.16 255.255.255.0 172.19.224.255 vhid 1 carpdev em0 pass Ahsooqu3 advskew 200
 inet alias 172.19.224.131 255.255.255.255
 inet alias 172.19.224.41 255.255.255.255
 inet alias 172.19.224.40 255.255.255.255
 inet alias 172.19.224.181 255.255.255.255
 inet alias 172.19.224.182 255.255.255.255

 And yes the subnet masks for the alias' should be /32 and you will see a
warning in the logs during fail-over. This is fine, the devs just haven't
muted the check warning yet.

 You've done it right if 'netstat -rn' shows;

 172.19.224.131 127.0.0.1  UGHS   00 33152 8 lo0
 172.19.224.131/32  172.19.224.131 U  00 - 4 carp0


 [root@server ~]# cat /etc/hostname.pfsync0
 up syncdev em1

 [root@server ~]# cat /etc/pf.conf
 ext_if=carp0
 You don't refer to CARP as an interface, it is simply a VRRP watchdog
interface (for example you cannot set the MTU on a CARP interface as it is not
really an interface).
 Use the physical..
 ext_if=em0

 set fingerprints /etc/pf.os
 set optimization aggressive
 set limit states 9
 Definitely needs to be higher! try 1 million..


 set limit src-nodes 65000

 table bad_ip persist
 table internat_net persist file /etc/internal_net
 table admitted_net persist file /etc/admitted.txt

 # vip1_address = 172.19.224.181
 # vip2_address = 172.19.224.16
 vip3_address = 172.19.224.131
 # vip4_address = 172.19.224.41
 # vip5_address = 172.19.224.40
 Just to keep you sane remember these rules;
 # (SNAT) NATing is done before filtering, 'pass out on $if_ext from
$external_carp_ip1' (public address as src for outbound).
 # (DNAT) RDRing is done before filtering, 'pass in on $if_ext from any to
$internal_ip1' (private address as dst for inbound).

 OpenBSD_PF_flow.png


 # Stop processing when the traffic comes from the internal networks
 pass in quick from internat_net to any

 # Let through the IPs from the permitted networks
 # pass in quick from admitted_net to 
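
The layout recommended in the reply quoted above (a single vhid and password on the first line, /32 aliases below it, the same file on both nodes apart from advskew) can be checked mechanically. The script below is an added example, not part of the thread; the function names, the sample files and the placeholder password EXAMPLEPASS are constructed.

```shell
#!/bin/sh
# Added example: lint a master/backup pair of hostname.carpN files against the
# layout recommended in the thread. Names and sample data are constructed.

# Print a one-line "key=value ..." summary of a hostname.carpN file.
carp_summary() {
    awk '
    $1 ~ /^#/ || NF == 0 { next }                  # skip comments, blank lines
    {
        for (i = 1; i < NF; i++) {
            if ($i == "vhid")    { vhid = $(i + 1); vhid_lines++ }
            if ($i == "pass")    pass = $(i + 1)
            if ($i == "advskew") skew = $(i + 1)
        }
        if ($1 == "inet" && $2 == "alias") {
            sep = (aliases == "") ? "" : ","
            aliases = aliases sep $3
            if ($4 != "255.255.255.255") bad++     # aliases should be /32
        }
    }
    END {
        printf "vhid=%s pass=%s advskew=%d vhid_lines=%d bad_alias=%d aliases=%s\n",
               vhid, pass, skew, vhid_lines, bad, aliases
    }' "$1"
}

# field SUMMARY KEY: extract one value from a summary line.
field() { printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p"; }

# finding MESSAGE: print a finding and count it.
finding() { echo "$1"; n=$((n + 1)); }

# carp_pair_check MASTER BACKUP: print findings, return how many there were.
carp_pair_check() {
    m=$(carp_summary "$1"); b=$(carp_summary "$2"); n=0
    for s in "$m" "$b"; do
        [ "$(field "$s" vhid_lines)" = 1 ] || finding "expected exactly one vhid per file"
        [ "$(field "$s" bad_alias)" = 0 ] || finding "alias netmask is not 255.255.255.255"
    done
    for k in vhid pass aliases; do
        [ "$(field "$m" "$k")" = "$(field "$b" "$k")" ] || finding "$k differs between nodes"
    done
    [ "$(field "$m" advskew)" -lt "$(field "$b" advskew)" ] ||
        finding "master advskew should be lower than backup"
    return "$n"
}

# write_samples DIR: constructed files (placeholder password, thread addresses).
write_samples() {
    printf '%s\n' \
        'inet 172.19.224.16 255.255.255.0 172.19.224.255 vhid 1 carpdev em0 pass EXAMPLEPASS advskew 0' \
        'inet alias 172.19.224.131 255.255.255.255' \
        'inet alias 172.19.224.41 255.255.255.255' > "$1/master"
    sed 's/advskew 0$/advskew 200/' "$1/master" > "$1/backup"
    printf '%s\n' \
        '# inet alias 172.19.224.16 255.255.255.255 172.19.224.255 vhid 1 advskew 10' \
        'inet alias 172.19.224.131 255.255.255.0 172.19.224.255 vhid 2 advskew 10' \
        'carpdev em0 pass EXAMPLEPASS' > "$1/broken"
}
```

The findings name the field that differs but never print the CARP password; `carp_summary` does print it, so keep its output out of logs.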

Re: carp+pfsync+relayd question

2013-11-14 Thread Leonardo Santagostini
Ok, I'm not at the office now. But tomorrow we could do more tests.

Regards and thank you !!!
On Nov 14, 2013 8:01 p.m., Andy Lemin a...@brandwatch.com wrote:

 In fact thinking about it I think that is a relayd issue somewhere and
 not pf at all..

 Sent from my iPhone

 On 14 Nov 2013, at 19:37, Leonardo Santagostini lsantagost...@gmail.com
 wrote:

 Well well well there is one thing that's occurring that I can't figure out.

 I'm getting some relay site3 session 3370 (502 active), 0, 190.179.249.128 - :0, buffer event timeout

 And after a couple of minutes (I couldn't take note exactly how many) relayd
 gets restarted

 Is there any clue where to look into?

 Thanks in advance


 Saludos.-
 Leonardo Santagostini

 http://ar.linkedin.com/in/santagostini





 2013/11/14 Leonardo Santagostini lsantagost...@gmail.com

 Ok, just added my second website to both servers like your recommendation.

 I will post my config before the end of the day just to share it with you.

 Thank you so much !!!

 Regards

 Saludos.-
 Leonardo Santagostini

 http://ar.linkedin.com/in/santagostini





 2013/11/14 Leonardo Santagostini lsantagost...@gmail.com

 Thanks a lot to all, I will give it a try and give you feedback as
 soon as it gets implemented.

 Saludos.-
 Leonardo Santagostini

 http://ar.linkedin.com/in/santagostini





 2013/11/14 Andy a...@brandwatch.com

  On 14/11/13 15:21, Leonardo Santagostini wrote:

 Hello misc,

 I'm doing my final approach to put a production system with
 carp+pfsync+relayd on production.

 The point is that I'm facing some trouble setting more than one ip alias
 address with different vhid and different passwd.

 So, this is the scenario.

 I'm trying to relayd more or less 15 sites so I have conceptual doubts.

 1) is it necessary to create one carp interface for each one of my
 internals VIP address
 2) my understanding is that I have to work with pf on my carp
 interfaces.

 I have tried to put two different VIP's on my carp, but without luck.

 Here is the homework.

 [root@server ~]# uname -a
 OpenBSD server.internaldomain.com 5.4 GENERIC#37 amd64
 [root@server ~]#

 [root@server ~]# cat /etc/hostname.em0
 inet 172.19.224.180 255.255.255.0

 [root@server ~]# cat /etc/hostname.em1
 inet 172.19.226.231 255.255.255.0 172.19.226.255

 [root@server ~]# cat /etc/hostname.carp0
 # inet alias 172.19.224.16 255.255.255.255 172.19.224.255 vhid 1 advskew 10
 carpdev em0 pass Ahsooqu3
 inet alias 172.19.224.131 255.255.255.0 172.19.224.255 vhid 2 advskew 10
 carpdev em0 pass Meixo9oe
 # inet alias 172.19.224.41 255.255.255.255 172.19.224.255 vhid 3 advskew 10
 carpdev em0 pass av5eG9Gi
 # inet alias 172.19.224.40 255.255.255.255 172.19.224.255 vhid 4 advskew 10
 carpdev em0 pass Rei6thai
 # inet alias 172.19.224.181 255.255.255.0 172.19.224.255 vhid 5 advskew 10
 carpdev em0 pass Toobohz3
 # inet alias 172.19.224.182 255.255.255.255 172.19.224.255 vhid 6 adskew 10
 carpdev em0 pass Quahng6U

  CARP should look like this (master);
 inet 172.19.224.16 255.255.255.0 172.19.224.255 vhid 1 carpdev em0 pass Ahsooqu3 advskew 0
 inet alias 172.19.224.131 255.255.255.255
 inet alias 172.19.224.41 255.255.255.255
 inet alias 172.19.224.40 255.255.255.255
 inet alias 172.19.224.181 255.255.255.255
 inet alias 172.19.224.182 255.255.255.255

 And (backup);
 inet 172.19.224.16 255.255.255.0 172.19.224.255 vhid 1 carpdev em0 pass Ahsooqu3 advskew 200
 inet alias 172.19.224.131 255.255.255.255
 inet alias 172.19.224.41 255.255.255.255
 inet alias 172.19.224.40 255.255.255.255
 inet alias 172.19.224.181 255.255.255.255
 inet alias 172.19.224.182 255.255.255.255

 And yes the subnet masks for the alias' should be /32 and you will see
 a warning in the logs during fail-over. This is fine, the devs just haven't
 muted the check warning yet.

 You've done it right if 'netstat -rn' shows;

 172.19.224.131 127.0.0.1  UGHS   00 33152 8 lo0
 172.19.224.131/32  172.19.224.131 U  00 - 4 carp0


  [root@server ~]# cat /etc/hostname.pfsync0
 up syncdev em1

 [root@server ~]# cat /etc/pf.conf
 ext_if=carp0

  You don't refer to CARP as an interface, it is simply a VRRP watchdog
 interface (for example you cannot set the MTU on a CARP interface as it is
 not really an interface).
 Use the physical..

 ext_if=em0


  set fingerprints /etc/pf.os
 set optimization aggressive
 set limit states 9

  Definitely needs to be higher! try 1 million..


  set limit src-nodes 65000

 table bad_ip persist
 table internat_net persist file /etc/internal_net
 table admitted_net persist file /etc/admitted.txt

 # vip1_address = 172.19.224.181
 # vip2_address = 172.19.224.16
 vip3_address = 172.19.224.131
 # vip4_address = 172.19.224.41
 # vip5_address = 172.19.224.40

  Just to keep you sane remember these rules;
 # (SNAT) NATing is done before filtering, 'pass out on $if_ext from
 $external_carp_ip1' (public address as src for outbound).
 # (DNAT) RDRing is done before filtering, 

Re: carp+pfsync+relayd question

2013-11-14 Thread mxb
No,
it is number of currently active sessions for this particular relay.
E.g. 502 "users".

On 14 nov 2013, at 21:59, Andy Lemin a...@brandwatch.com wrote:

 Hi, as a complete guess (not used relayd yet let alone DSR) a 502 sounds like
 an error return from nginx/apache etc. could be a direct server return issue
 causing the TCP three way handshake to not be completing properly between the
 endpoints, even though a 502 is usually server side issue.. I'd try removing
 the 'in' or 'out' direction from the rules.



Re: carp+pfsync+relayd question

2013-11-14 Thread Leonardo Santagostini
Hello Andy. Actually I proved flushing pf rules, tables and counters with
no luck.

But after restart relayd things come to work as expected.

Thanks, Leonardo
On Nov 14, 2013 8:15 p.m., mxb m...@alumni.chalmers.se wrote:

 No,
 it is number of currently active sessions for this particular relay.
 E.g. 502 "users".

 On 14 nov 2013, at 21:59, Andy Lemin a...@brandwatch.com wrote:

 Hi, as a complete guess (not used relayd yet let alone DSR) a 502 sounds like
 an error return from nginx/apache etc. could be a direct server return issue
 causing the TCP three way handshake to not be completing properly between the
 endpoints, even though a 502 is usually server side issue.. I'd try removing
 the 'in' or 'out' direction from the rules.



hotplug-diskmount does not support ntfs auto mount?

2013-11-14 Thread Fung
hotplug-diskmount does not support ntfs auto mount?
but mount_ntfs can do it


btw , 
1. when hotplug-diskmount does not support any file system, the flash disk led 
light is blinking for ever except unplug it.

2. readme.OpenBSD not sync with man Example

man 8 hotplug-diskmount says
-

EXAMPLES
 Create directory set which will be used for storing mount points:

   /usr/local/libexec/hotplug-diskmount init

 Sample attach script:

   #!/bin/sh

   DEVCLASS=$1
   DEVNAME=$2

   case $DEVCLASS in
   2)
   /usr/local/libexec/hotplug-diskmount attach $DEVNAME
   ;;
   esac

-


 /usr/local/share/doc/pkg-readmes/hotplug-diskmount-0.8 said

--
#!/bin/sh

DEVCLASS=${1}
DEVNAME=${2}
LOGIN=joeuser

case ${DEVCLASS} in
2)
/usr/local/libexec/hotplug-diskmount attach -u ${LOGIN} -m 700 ${DEVNAME}
;;
esac
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP



Dual booting OpenBSD and Windows 8.1

2013-11-14 Thread zalit

Hi

I was thinking of dual booting OpenBSD and Windows 8.1. Has anyone 
managed to do that?

I suppose I would have to install Windows first, and then OpenBSD.
Does the OpenBSD installation include a boot manager such as GRUB?
I have experience setting up dual booting with GRUB, when installing 
Linux. Is it ok if I follow the same procedure with OpenBSD? If not, how 
would you advise me to go about it?


Thanks

Zaf



Re: Dual booting OpenBSD and Windows 8.1

2013-11-14 Thread Brian McCafferty

On 2013-11-15 00:01, za...@gmx.com wrote:

Hi

I was thinking of dual booting OpenBSD and Windows 8.1. Has anyone
managed to do that?
I suppose I would have to install Windows first, and then OpenBSD.
Does the OpenBSD installation include a boot manager such as GRUB?
I have experience setting up dual booting with GRUB, when installing
Linux. Is it ok if I follow the same procedure with OpenBSD? If not, how
would you advise me to go about it?

Thanks

Zaf



I've dual booted 1 OpenBSD machine with Windows 8, not sure if 8.1 is 
much different.  But, I used the Windows bootloader and configured it 
with a program(for windows) called easybcd.




Re: Dual booting OpenBSD and Windows 8.1

2013-11-14 Thread Brett Lymn
On Fri, Nov 15, 2013 at 06:01:30AM +0100, za...@gmx.com wrote:
 
 I was thinking of dual booting OpenBSD and Windows 8.1. Has anyone 
 managed to do that?
 I suppose I would have to install Windows first, and then OpenBSD.
 Does the OpenBSD installation include a boot manager such as GRUB?
 I have experience setting up dual booting with GRUB, when installing 
 Linux. Is it ok if I follow the same procedure with OpenBSD? If not, how 
 would you advise me to go about it?
 

Get something called EasyBCD for windows.  Use that to install their
neogrub boot loader, in the configuration of that do something like:

root (hd0,1)
chainloader +1

the hd for root may be different depending on your machine
configuration.  This will set up a boot selection for you using the
windows boot loader - you will get a chance to select what OS you want
to boot, if you select the non-windows option then the machine will
reboot into the OS you selected.  Microsoft are sneaky and pre-load the
windows while the timeout is counting down so it looks like windows
boots instantly if you select that.

Neogrub is just a port of grub for dos/windows, you can put standard
grub commands in there including setting up a grub boot menu if you have
more than one OS to boot.

-- 
Brett Lymn



Re: Documentation for Realtek 8188* devices

2013-11-14 Thread Jean Lucas
On Nov 14, 2013 7:30 PM, Dmitrij D. Czarkoff czark...@gmail.com wrote:

 Hello!

 I'm struggling to find any documentation for RTL8188* wireless devices
 (including those already supported in urtwn driver). I wrote to Realtek,
 but no response followed.

 My problem is that I have a MiniPCI RTL8188CE device in my ThinkPad, and
 I want to try writing a driver for it. AFAIK RTL8188CE-VAU (supported in
 urtwn) is essentially RTL8188CE with USB bridge, so having access to
 documentation urtwn driver was based on would be very helpful.

 So, if anyone knows where these docs can be found, I would be very
 grateful.

 --
 Dmitrij D. Czarkoff


Hi Dmitrij,

Wishing you the best finding documentation and receiving a response from
Realtek. It is safe to say the latter has become my hobby... Not of
preference but of perseverance.

Anyway, I've picked up FreeBSD Device Drivers (Kong) which seems like an
okay, albeit rough, place to start understanding drivers for OpenBSD (only
real driver reference out there besides the tree), though adding support
for the PCIe Mini routine of your device shouldn't be the most difficult
feat ever, the cousin chip is already supported. Check out how other cards
(iwn(4)) attach.

I've an RTL8723AS-VAU which is reportedly a non-mass production analog to
the 8192CU (also urtwn), except with a BT function. There is even a
`urtwn-rtl8723fw' that comes with urtwn but no documentation on those magic
numbers `8723'. We're on similar boats/rafts.

Please post back your findings. Would be interested in helping you so as to
help myself and others.

Cheers.



Re: Dual booting OpenBSD and Windows 8.1

2013-11-14 Thread Tomas Bodzar
On Fri, Nov 15, 2013 at 6:01 AM, za...@gmx.com wrote:

 Hi

 I was thinking of dual booting OpenBSD and Windows 8.1. Has anyone managed
 to do that?
 I suppose I would have to install Windows first, and then OpenBSD.
 Does the OpenBSD installation include a boot manager such as GRUB?
 I have experience setting up dual booting with GRUB, when installing
 Linux. Is it ok if I follow the same procedure with OpenBSD? If not, how
 would you advise me to go about it?



Why don't you follow official guide mentioned zillion of times everywhere
around here?
http://www.openbsd.org/faq/faq4.html#Multibooting

As well your question about boot manager is answered here
http://www.openbsd.org/faq/faq8.html#Bootloader plus much more details for
every architecture in man pages, here for i386/amd64
http://www.openbsd.org/cgi-bin/man.cgi?query=boot_i386&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

Simply this is not OS where devs provide crappy or no documentation at all.
There's everything you need so best is to start with FAQ, then dive in to
man pages (like man afterboot will be pointed to you after install anyway).
Nearly everything you want to ask is answered here in fine form. And yes,
for multiboot if you will go step by step it will work, but be careful to
not wipe out your disk ;-)



 Thanks

 Zaf