gpg2 and dirmngr

2016-12-18 Thread tobias
I have gnupg-2.1.9p0 package installed. Was
able to create public and secret key, revocation
in case needed later, and export public key to
binary and ascii format. Tried uploading my
public key to a keyserver:

gpg2 --send-keys --keyserver hkp://keys.gnupg.net mykeyhere

and I get this:

gpg: sending key mykeyhere to hkp server keys.gnupg.net
gpg: removing stale lockfile (created by 73004)
gpg: connecting dirmngr at '/home/myhomedir/.gnupg/S.dirmngr' failed: IPC connect call failed
gpg: keyserver send failed: No dirmngr
gpg: keyserver send failed: No dirmngr

I also ran it with the --debug switch and saved
the output and it's humongous but I can supply
it if wanted/needed. Tried running dirmngr as
myself but that dog don't hunt. Ran it as root
with --server and also with --daemon, then ran
my original gpg2 command to send keys and got
the same result as shown above. Any help I can
get on this will be greatly appreciated. Anything
I could've done and didn't, any other info I can
supply and didn't, etc., please let me know. Thx


-- 

The older I get, the more questions I have
and the less answers. If things keep up this
way, I think by the time I die I won't know
a damned thing! 



Re: Hardware recommendations for compact 1U firewall

2016-12-18 Thread Claer
On Sat, Dec 17 2016 at 08:13, Damian McGuckin wrote:
> While everybody is talking about hardware, I noticed that some of you
> have flicked your Soekris Net 5501 boards.
> 
> We are upgrading from 20Mbps links to 100Mbps links and as a result of this
> discussion, I am wondering whether it would be a wise move on our part to
> consider replacing them. Rock solid little units.
> 
> What is the max throughput people have seen on these?

In my $job[n-2], I had the chance to test the alix pcengines, which is quite
similar in terms of performance.  With 4.5 on it, it started to drop packets
around 70Mbps with the IMIX test.
Consult https://en.wikipedia.org/wiki/Internet_Mix to know more.
 
> Assuming traffic going between say 'vr0' and 'vr1', will a Net5501
> board sustain 100Mbps?
It will be "good enough" if you are transferring big files, not for
common web browsing (usually smaller packets).

Best regards,

Claer



Re: Looking for Xen blkfront driver xbf(4) tests

2016-12-18 Thread mabi
Hi Mike,

Thanks for your explanations. So far I did not have any troubles with this 
specific domU with xbf enabled. I tried to run your shell script in order to 
find out the num-ring-pages property but somehow there must be a small issue 
with it as I get the following output (after having removed the "#" comment out 
on the first line with the for loop):

hostctl: ioctl: No such file or directory
sd0 32







Regards,
M.



 Original Message 
Subject: Re: Looking for Xen blkfront driver xbf(4) tests
Local Time: December 13, 2016 8:46 PM
UTC Time: December 13, 2016 7:46 PM
From: m...@belopuhov.com
To: mabi 
misc@openbsd.org 

On Sun, Dec 11, 2016 at 05:09 -0500, mabi wrote:
> Hi,
>
> Thanks for your efforts and making OpenBSD work even better on
> Xen. I use Xen for all types of virtualization and started only
> recently using OpenBSD 6.0 as domU. My current test setup is a 2
> node redundant cluster with Xen 4.4.1 and Debian 8 with DRBD for
> sync-replication and ZFS (RAIDZ-1) as storage with 3 Seagate
> enterprise 7.2k SATA (ST5000NM0024) disks on each node.
>
> So far so good I managed to re-configure the current kernel and
> re-compiled it with xbf enabled and at reboot it immediately used
> the xbf driver and switched using sd instead of wd. You will find
> the output of my dmesg below.
>
> For now the only thing I tried out is a quick "dd" as I was
> wondering how much more write throughput I could get on my guests
> disk using xbf. As you can see below I get around 81 MB/s and I
> remember before using xbf I would get around 25 MB/s. The read
> throughput didn't change much, if I remember correctly I had in both
> cases with and without xbf around 60 MB/s.
>
> $ dd if=/dev/zero of=file2.xbf bs=1M count=1000
> 1000+0 records in
> 1000+0 records out
> 1048576000 bytes transferred in 12.277 secs (85405965 bytes/sec)
>
> Now is there anything else you would like to know/test or benchmarks
> you would like me to run? Keep in mind I am no dev but I am happy to
> help if it can make things progress with running OpenBSD even better
> on Xen.
>
> Cheers,
> Mabi
>

Hi,

Thanks for taking your time to test and report. There's nothing
special to test, just using the disk in a normal way is enough.
After a few reports from Nathanael Rensen several bugs have been
fixed.

I've looked through a bunch of Xen disk subsystem documents and
noted that one of the ways to improve performance is to use
persistent grants. However it would be nice to establish a
baseline, i.e. what kind of performance do NetBSD, FreeBSD and
Linux guests get out of Blkfront in the VM with the same
configuration on the same host compared to OpenBSD.

It's worth noting that MAXPHYS value limiting the size of an
individual I/O transfer is different on other systems.
Furthermore currently xbf(4) driver limits it further to 11
page segments (44k) since we don't support indirect requests
that potentially can get us extra 20k (MAXPHYS is 64k on
OpenBSD) but would add additional tax on grant table entries.

The other point of interest is the number of outstanding
requests configured by the driver. If not limited by the
host system, xbf(4) attempts to use 256 requests, but smaller
EC2 instances limit that to just 32 requests which can result
in a large performance difference. To learn the amount of
configured outstanding requests a num-ring-pages property
must be queried:

# for xbf in $(hostctl device/vbd); do
    dev=$(dmesg | grep $xbf | cut -f 1 -d ' ')
    npages=$(hostctl device/vbd/$xbf/num-ring-pages)
    if [ $? -eq 0 ]; then
        echo $dev $((npages * 32))
    else
        echo $dev 32
    fi
done

Output would look like so:

sd0 256
sd1 256
cd0 256

Cheers,
Mike



Re: Hardware recommendations for compact 1U firewall

2016-12-18 Thread Darren Tucker
On Sat, Dec 17, 2016 at 1:08 PM, Damian McGuckin  wrote:
[...]
> What is the max throughput people have seen on these?
> Assuming traffic going between say 'vr0' and 'vr1', will a Net5501
> board sustain 100Mbps?

I doubt it.

I did some work[1] on the vr driver on a pcengines ALIX, which has
very similar hardware (500MHz Geode CPUs and VT6105M ethernet chips).
The most I got through it for a TCP stream was 85MBit/s routing only.
It had CPU to spare, so I suspect the limitation was either the chip
or the driver.

The VT6105M doesn't have any receive-side interrupt mitigation (and
OpenBSD doesn't have a polling mode) so I suspect it'd be easy to DoS
it with tiny packets.  As long as that's not happening, there's
probably enough CPU to run PF.

Depending on your use case and environment this may or may not be good
enough.   If you do try it I'd be interested in hearing the result.

[1] http://undeadly.org/cgi?action=article&sid=20130201054156

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: PC-Engines Wireless - PPPOE timeouts.

2016-12-18 Thread Patrick Dohman
Stuart

Thanks for the reply

At this point it appears a specific LAN client “PS4” is responsible for a
high number of device interrupts.

Hoping to clarify if interrupts in excess of “3000” can cause PPPOE
timeouts.

#
#
Lan Streaming cat5 no switch

 procs    memory       page                    disk traps          cpu
 r b w    avm     fre  flt  re  pi  po  fr  sr sd0  int   sys   cs us sy id
 1 0 0  18636 38255601   0   0   0   0   0   0 6872 7   10  0  9 91
 0 0 0  18636 38255601   0   0   0   0   0   0 2163 79  0  4 96
 0 0 0  18636 38255601   0   0   0   0   0   0 1921 9   11  0  2 98
 0 0 0  18636 38255601   0   0   0   0   0   0 1943 69  0  3 97
 0 0 0  18636 38255601   0   0   0   0   0   0 1705 69  0  3 97
 0 0 0  18636 38255601   0   0   0   0   0   0 1849 8   10  0  3 97
 0 0 0  18636 38255601   0   0   0   0   0   0 2276 69  0  4 96


Wlan Streaming

 procs    memory       page                    disk traps          cpu
 r b w    avm     fre  flt  re  pi  po  fr  sr sd0  int   sys   cs us sy id
 1 0 0  18632 38257321   0   0   0   0   0   0  368 7   10  0  1 99
 0 0 0  18632 38257321   0   0   0   0   0   0  365 8   10  0  2 98
 0 0 0  18632 38257321   0   0   0   0   0   0  355109  0  1 99
 0 0 0  18632 38257321   0   0   0   0   0   0  362 9   10  0  2 98
 0 0 0  18632 38257321   0   0   0   0   0   0  356 8   10  0  1 99
 0 0 0  18632 38257321   0   0   0   0   0   0  36110   10  0  1 99
 0 0 0  18632 38257321   0   0   0   0   0   0  365 9   10  0  2 98
 0 0 0  18632 38257321   0   0   0   0   0   0  383 8   10  0  1 99

#
No Lan or Wlan traffic

 procs    memory       page                    disk traps          cpu
 r b w    avm     fre  flt  re  pi  po  fr  sr sd0  int   sys   cs us sy id
 1 0 0  18628 38257361   0   0   0   0   0   0   24 8   10  0  0 100
 0 0 0  18628 38257361   0   0   0   0   0   0   23 69  0  0 100
 0 0 0  18628 38257361   0   0   0   0   0   0   28 69  0  0 100
 0 0 0  18628 38257361   0   0   0   0   0   0   24 8   10  0  0 100
 0 0 0  18628 38257361   0   0   0   0   0   0   22 79  0  0 100
 0 0 0  18628 38257361   0   0   0   0   0   0   25 8   10  0  0 100
 0 0 0  18628 38257361   0   0   0   0   0   0   24 69  0  0 100

Regards
Patrick

> On Dec 15, 2016, at 5:05 AM, Stuart Henderson  wrote:
>
> On 2016-12-15, Patrick Dohman  wrote:
>> Stuart
>>
>> Please see below for more info:
>>
>> Please note the 5.7 dmesg is subsequent to a reboot.
>
> Thanks. I was wondering about a bug with LCP echoes I accidentally
> introduced that made it into 5.9 (fixed for 6.0).
>
> Nothing stands out from what you've sent. Some possibilities:
>
> - connection somewhere between the APU and the ISP really is dropping out
> (are you using the same cable for the different locations you placed the APU
> in? could a cable be bad? check for errors on the ethernet interface)
>
> - machine too busy to handle traffic - maybe tail -f /var/log/messages in the
> background while "vmstat -w 10" or something is running (maybe under "script"),
> look for the timeouts in the output and see what cpu is doing at the time
>
>> pass out quick on egress inet6 proto { tcp, udp } from { (pppoe0:network),
>> (athn0:network), (re2:network) } modulate state
>
> btw using (...) causes an extra address lookup to be done when the rule
> is evaluated (i.e. when a packet doesn't match existing state) - you may need
> this for pppoe0 but you can save a bit of cpu with
>
>  pass out quick on egress inet6 proto { tcp, udp } from { (pppoe0:network),
>  athn0:network, re2:network } modulate state
>
> (and same for the v4 rule)
>
>> ### --- Optional Runtime Options --- ###
>> set optimization conservative
>
> not likely to be the problem, but you're pretty unlikely to need that.
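
The check suggested in the quoted reply above (watch /var/log/messages while "vmstat -w 10" runs and see what the CPU is doing at the time of the timeouts), as an added example that is not part of the thread. The function names, the timestamp prefix on vmstat lines and the log lines in demo are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example: line up vmstat samples with PPPoE timeout log lines.

# Run on the router. Prefixes each vmstat sample with the wall-clock time so
# it can be matched against syslog later (redirect the output to a file).
capture() {
    vmstat -w 10 | while read -r line; do
        printf '%s %s\n' "$(date +%H:%M:%S)" "$line"
    done
}

# correlate VMSTAT_LOG MESSAGES_LOG
# For each pppoe "timeout" line, print its time with the interrupt rate and
# idle CPU from the latest vmstat sample taken at or before it.
# Assumes both logs cover the same day, so HH:MM:SS compares as a string.
correlate() {
    awk '
        FILENAME == ARGV[1] {
            # Sample rows start with a number after the timestamp; header
            # rows do not. The last six columns are int sys cs us sy id.
            if ($2 ~ /^[0-9]+$/ && NF >= 8) {
                n++; t[n] = $1; intr[n] = $(NF - 5); idle[n] = $NF
            }
            next
        }
        /pppoe/ && /timeout/ {
            ts = $3; best = 0
            for (i = 1; i <= n; i++) if (t[i] <= ts) best = i
            if (best) printf "%s int=%s idle=%s\n", ts, intr[best], idle[best]
            else printf "%s no-sample\n", ts
        }
    ' "$1" "$2"
}

# Constructed sample data (not taken from the output posted in the thread).
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/vmstat.log" <<'EOF'
10:00:00  procs    memory       page                    disk traps          cpu
10:00:00  r b w    avm     fre  flt  re  pi  po  fr  sr sd0  int   sys   cs us sy id
10:00:00  1 0 0  18636  382556    1   0   0   0   0   0   0 6872     7   10  0  9 91
10:00:10  0 0 0  18636  382556    1   0   0   0   0   0   0 2163     7    9  0  4 96
10:00:20  0 0 0  18636  382556    1   0   0   0   0   0   0 3120     9   11  0 12 88
EOF
    cat > "$d/messages" <<'EOF'
Dec 18 10:00:05 apu /bsd: pppoe0: LCP keepalive timeout
Dec 18 10:00:25 apu /bsd: pppoe0: LCP keepalive timeout
Dec 18 10:00:26 apu sshd[123]: unrelated line
EOF
    correlate "$d/vmstat.log" "$d/messages"
    rm -rf "$d"
}
```

A timeout that coincides with a high int value and low idle points at load on the box; timeouts during idle samples point back at the link or cable.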



Re: Hardware recommendations for compact 1U firewall

2016-12-18 Thread Aaron Mason
Thanks for some additional fleabay search terms :)

On Sat, Dec 17, 2016 at 2:59 PM, Nick Holland
 wrote:
> On 12/14/16 20:39, Aaron Mason wrote:
>> All
>>
>> I'm looking for a 1U appliance that I can re-purpose into a firewall
>> using OpenBSD.  I've tried the near-free method by using an old Lacie
>> Ethernet Disk appliance I had lying around, but it turns out the
>> onboard SATA chipset is toast on this particular unit (it freezes at
>> CDBOOT when it detects hard drives and the BIOS freezes when I set it
>> to IDE mode with drives attached, plus it only has one onboard NIC and
>> one PCI slot, so I can't install another SATA card without removing
>> the other NIC I installed), so I'm looking for other options that fit
>> a limited budget.
>
> heh.  Little secret: if you look in many data centers, you will find
> lots of 1U boxes with various titles -- security appliances, load
> balancing devices, etc.  A lot of them, under the covers, are just PCs.
> And a lot of data centers have 'em rotting on the racks after they have
> been turned off and replaced, but no motivation to remove them.
>
> Just cleaned out some stuff from one of our data centers -- we had
> three authentication devices and a couple "security appliances" that all
> turned out to have the same SuperMicro board on them...some with Pentium
> D, others with P4s...but both could pump a lot of packets through
> gigabit NICs (two on board).  The security appliances were kinda cool in
> that they have a LCD screen that looks like it could be accessed through
> a USB serial port (better yet, when you powered up the box, the LCD
> panel put up an advertisement, not for the security appliance maker, but
> for the LCD panel...including a website.  Bet there are docs there! :)
> (I once programmed the LCD panel of a Novell server to say, "WINDOWS
> SUCKS".  Wasn't noticed for years, but when it was, my name was quickly
> assumed as being responsible)
>
> We also had a couple odd little "load balancers" -- five NIC ports.  My
> coworkers were skeptical about it being a standard PC under the cover.
> Haven't tried to boot OpenBSD on them yet, but turns out the thing has a
> 128M SATA DiskOnModule (flash memory on a SATA board), a 1G CF card, and
> a SATA hard disk in the box.  Again, all in one U.
>
> And I'll admit there's a certain fun in bringing up another OS on
> something like that.  And I HAVE to at least try to bring up OpenBSD on
> them...so I can wipe the media before the hw is disposed of.  (Company
> policy says "overwrite entire disk with random data", who's got the
> fastest random number generator in town?  OpenBSD, of course!)
>
> Nick.
>



-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: Hardware recommendations for compact 1U firewall

2016-12-18 Thread Joel Wirāmu Pauling
If someone hasn't already mentioned it : Lanner http://www.lannerinc.com/

On 19 December 2016 at 18:08, Aaron Mason  wrote:

> Thanks for some additional fleabay search terms :)
>
> On Sat, Dec 17, 2016 at 2:59 PM, Nick Holland
>  wrote:
> > On 12/14/16 20:39, Aaron Mason wrote:
> >> All
> >>
> >> I'm looking for a 1U appliance that I can re-purpose into a firewall
> >> using OpenBSD.  I've tried the near-free method by using an old Lacie
> >> Ethernet Disk appliance I had lying around, but it turns out the
> >> onboard SATA chipset is toast on this particular unit (it freezes at
> >> CDBOOT when it detects hard drives and the BIOS freezes when I set it
> >> to IDE mode with drives attached, plus it only has one onboard NIC and
> >> one PCI slot, so I can't install another SATA card without removing
> >> the other NIC I installed), so I'm looking for other options that fit
> >> a limited budget.
> >
> > heh.  Little secret: if you look in many data centers, you will find
> > lots of 1U boxes with various titles -- security appliances, load
> > balancing devices, etc.  A lot of them, under the covers, are just PCs.
> > And a lot of data centers have 'em rotting on the racks after they have
> > been turned off and replaced, but no motivation to remove them.
> >
> > Just cleaned out some stuff from one of our data centers -- we had
> > three authentication devices and a couple "security appliances" that all
> > turned out to have the same SuperMicro board on them...some with Pentium
> > D, others with P4s...but both could pump a lot of packets through
> > gigabit NICs (two on board).  The security appliances were kinda cool in
> > that they have a LCD screen that looks like it could be accessed through
> > a USB serial port (better yet, when you powered up the box, the LCD
> > panel put up an advertisement, not for the security appliance maker, but
> > for the LCD panel...including a website.  Bet there are docs there! :)
> > (I once programmed the LCD panel of a Novell server to say, "WINDOWS
> > SUCKS".  Wasn't noticed for years, but when it was, my name was quickly
> > assumed as being responsible)
> >
> > We also had a couple odd little "load balancers" -- five NIC ports.  My
> > coworkers were skeptical about it being a standard PC under the cover.
> > Haven't tried to boot OpenBSD on them yet, but turns out the thing has a
> > 128M SATA DiskOnModule (flash memory on a SATA board), a 1G CF card, and
> > a SATA hard disk in the box.  Again, all in one U.
> >
> > And I'll admit there's a certain fun in bringing up another OS on
> > something like that.  And I HAVE to at least try to bring up OpenBSD on
> > them...so I can wipe the media before the hw is disposed of.  (Company
> > policy says "overwrite entire disk with random data", who's got the
> > fastest random number generator in town?  OpenBSD, of course!)
> >
> > Nick.
> >
>
>
>
> --
> Aaron Mason - Programmer, open source addict
> I've taken my software vows - for beta or for worse