Re: Help with snmpd...
On Thu, Dec 2, 2010 at 10:33 PM, Bales, Tracy wrote:
> I'm running 4.8 on an i386 platform. I have snmpd running with 300 custom
> MIB's installed via snmpd.conf. I've confirmed that they're installed using
> net-snmp's snmpwalk program. Each of my MIB's is an integer value...no
> strings. Question: Has anyone written their own C code to update/change the
> MIB values? If so, could you point me in the direction on how to do this?
> I'm really trying to figure this out for myself so I'm not looking for a
> full-blown solution, just a tip here and there or a simple example! FYI...I
> have been studying the OpenBSD C source files for snmpd.c, snmpe.c and mps.c
> Thanks!
>
>

Which snmpd are you talking about? If you're looking at net-snmp you can try the pass or pass_persist directives for easy extensions, for the snmpd that's shipped with OpenBSD you'll have to patch it.
Re: change hppa LCD display text
There is no support for changing the output right now. You can try to adapt the attached patch, I don't have access to an hppa machine anymore but it used to work (on a C3000).

- pyr

2010/5/6 Kapetanakis Giannis
> Hi,
>
> I have 2 HP J6000 and I want to change the text that is shown
> on the LCD display.
>
> Right now it prints "OpenBSD/hppa" and I want to change that to
> "OpenBSD/hppa
> `hostname`"
>
> Is this possible?
> lcd(4) wasn't very helpful as it only says about the heartbeat.
>
> thanks
>
> Giannis

[demime 1.01d removed an attachment of type text/x-patch which had a name of lcd.diff]
Re: Apache Firefox and Ogg Theora (Byte-range requests)
> This appears to be due to the format of the string being passed to
> strtonum(). ap_strtol() was tolerant of it. It's being passed the
> string from the Range: header.
>
> For example, the following valid request (taken directly from sniffing a
> wget session).
>
> GET /testfile HTTP/1.0
> Range: bytes=300417024-
>
> This ends up following the code path of the first strtonum() call around
> line 159 in http_protocol.c in the parse_byterange() function. The
> string passed to strtonum to convert (r->range) not only contains the
> number from the header, but the trailing dash ("300417024-"), which
> strtonum does not like. As strtonum fails, the start offset is set to
> 0.
>
> This bug should be present on a 64-bit arch as well.
>
>

Hi, I broke it when unbreaking support for large files in Content-Length (which would otherwise report 0). I'll have a diff ready soon which fixes that.

- pyr.
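The failure described in this thread, as an added example that is not the Apache or OpenBSD source: a strict whole-string conversion rejects "300417024-" and the start offset silently becomes 0, while splitting the spec at the dash first gives the intended range. The function names are chosen for the example, and `strtoll` with an end-pointer check stands in for `strtonum` so the code builds on any POSIX system; it also covers the "first-last" and "-suffix" forms, which the thread does not discuss.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Whole-string decimal conversion. This models the behaviour the thread
 * describes for strtonum(): any trailing byte, such as the '-' in
 * "300417024-", makes the conversion fail.
 */
int
parse_whole(const char *s, long long *out)
{
	char *end;
	long long v;

	if (*s < '0' || *s > '9')	/* no sign, no blanks, not empty */
		return (-1);
	errno = 0;
	v = strtoll(s, &end, 10);
	if (errno == ERANGE || *end != '\0')
		return (-1);
	*out = v;
	return (0);
}

/* The reported failure mode: convert the raw spec, fall back to 0. */
long long
naive_start(const char *spec)
{
	long long v;

	return (parse_whole(spec, &v) == 0 ? v : 0);
}

/*
 * Parse a single "bytes=first-last" range against a body of clen bytes.
 * Returns 0 and fills start/end (inclusive offsets), or -1 when the
 * header is malformed or cannot be satisfied.
 */
int
parse_byterange(const char *hdr, long long clen, long long *start,
    long long *end)
{
	char first[32], last[32];
	const char *spec, *dash;
	long long a, b;
	size_t n;

	if (clen <= 0 || strncmp(hdr, "bytes=", 6) != 0)
		return (-1);
	spec = hdr + 6;
	if (strchr(spec, ',') != NULL)	/* multiple ranges: not handled here */
		return (-1);
	if ((dash = strchr(spec, '-')) == NULL)
		return (-1);
	n = (size_t)(dash - spec);
	if (n >= sizeof(first) || strlen(dash + 1) >= sizeof(last))
		return (-1);
	memcpy(first, spec, n);		/* split at the dash before converting */
	first[n] = '\0';
	memcpy(last, dash + 1, strlen(dash + 1) + 1);

	if (first[0] == '\0') {		/* "-N": the last N bytes */
		if (parse_whole(last, &b) == -1 || b == 0)
			return (-1);
		*start = b >= clen ? 0 : clen - b;
		*end = clen - 1;
		return (0);
	}
	if (parse_whole(first, &a) == -1 || a >= clen)
		return (-1);
	if (last[0] == '\0')		/* "N-": from N to the end */
		b = clen - 1;
	else if (parse_whole(last, &b) == -1 || b < a)
		return (-1);
	else if (b >= clen)
		b = clen - 1;
	*start = a;
	*end = b;
	return (0);
}

int
main(void)
{
	long long s, e;

	/* Constructed input: the Range value from the thread, 400000000-byte file. */
	printf("naive start: %lld\n", naive_start("300417024-"));
	if (parse_byterange("bytes=300417024-", 400000000LL, &s, &e) == 0)
		printf("range: %lld-%lld\n", s, e);
	return (0);
}
```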
Re: ypldap, "NULL domain !"
* Wijnand Wiersma (wijn...@videre.net) wrote:
> Hi,
>
> I am trying to get ypldap working on a very recent snapshot and I
> can't figure out what I am doing wrong.
> It seems ypldap is working just fine:
> # ypldap -dv
> startup [debug mode]
> configuration starting
> applying configuration
> connecting to directories
> starting directory update
> updates are over, cleaning up trees now
> flattening trees
>
>
> The domainname is set at startup, portmap runs, ypbind has run
> (/var/yp/binding/`domainname`.2 is there).
> When doing a query:
> # ypcat passwd
> No such map passwd.byname. Reason: YP server error
>
> the ypldap server says:
> ypproc_all
> NULL domain !
>
> Why does it think the domainname isn't set?
> Did I completely forget to enable something or is this a bug?
>
> Kind regards,
> Wijnand
>

Sorry, I hadn't read right, ypcat isn't supported. You can check that the connection is successful with 'ypmatch someone passwd.byname'
Re: 'xterm -e mutt' doesn't show colors
On Wed, 17 Jun 2009 22:39:56 +0200 Pieter Verberne wrote:
> Hi,
>
> When I run mutt (or tmux/colorls -G/etc) from xterm, I have fancy
> colors=] But when I run:
>
> $ xterm -e mutt
>
> I don't have colors =[ (I'm running dwm and I want xterm to start tmux
> automatically)
>
> $ cat .Xdefaults
> XTerm.*.colorMode: on# yes, two capitals
> XTerm.*.dynamicColors: on
> xterm.*.loginShell: true
> xterm.*.scrollBar: false
> xterm.*faceName: Mono
> xterm.*faceSize: 13
> xterm.*.visualBell: true

Add xterm*termName: xterm-color (or xterm-xfree86 if you prefer)

>
> $ echo $TERM
> xterm-xfree86
>
> All other settings in .Xdefaults are applied just fine with the '-e'
> option, so I don't think it's a problem with that file or with
> xterm-options; -title -T or -n .
>
> Can someone help me with this puzzle?
>
> Pieter
Re: sendmail vs. other MTAs
> Who was complaining? There's a difference between suggesting a good
> design, such as qmail's and complaining.
>

So what you mean, is that when developing software we should look at what already exists and try to do things right by learning from the strength and weaknesses of other projects. Dude you just rocked my world, I'd never have thought of this myself. Also, I'd love for you to elaborate on the design of qmail (and why not postfix as well), I'm sure you know them deeply, as your initial post suggests.
Re: ypldap and ldaps
On Wed, 6 May 2009 18:51:45 +0300 Vasiliy Kiryanov wrote:
> Hello community.
>
> I would want to use ypldap with our ldap server that work over ssl.
> The problem is how to change ypldap.conf to work with ldaps.
>
> I will appreciate any ideas.
>
> thanks.
>

Hi, There is no ldaps support in ypldap so far, the only viable way of doing it is replicating with slurp and binding to a local ldap server without SSL, we will make ldaps support available at some point.
Re: Programming Question: using kqueue() and kevent()
* Taylor Venable (tay...@metasyntax.net) wrote:
> I'm looking at using kqueue() and kevent() for some high-load
> client-side socket work, writing part of a stress testing system for
> our product at work. I've got an example that I put together, using
> the read filter on the socket file descriptors, but kevent() doesn't
> tell me that any data is available to be read. There is data there,
> though, so I must have done something wrong in setup. If somebody
> could take a look and tell me what I'm doing wrong, I'd really
> appreciate it.
>
> The plain-text version is here:
> http://real.metasyntax.net:2357/tmp/kevent.c
>
> Or if you like some HTML coloring:
> http://real.metasyntax.net:2357/tmp/kevent_c.html
>
> I'm doing this on OpenBSD 4.5 BETA currently, while waiting for my CD
> set to arrive. :)
>
> Thanks,
>

The way we do it is through libevent, it's reliable, simple and portable.
Re: relayctl host disable doesn't loop through all hosts
* Pascal Lalonde (plalo...@overnet.qc.ca) wrote:
> Hello,
>
> I've been playing with relayd lately. There is a behavior which seems
> unintuitive and I was wondering if that was a bug or the intended
> behavior.
>

It's the intended behavior but I have been meaning to fix that at some point.

> When I try to disable a host (e.g.: relayctl host disable 10.0.1.101),
> and that host is part of more than one table, only the first occurrence
> gets disabled. I'm testing with relayd from Feb 28th snapshot.
>
> I would suppose it should disable all occurrences, since disabling by ID
> already lets you choose specific instances of that host.
>
> # relayctl show summary
> Id   Type       Name         Avlblty  Status
> 1    redirect   test                  active
> 1    table      test:8080             active (3 hosts)
> 1    host       10.0.1.101   100.00%  up
> 2    host       10.0.1.102   100.00%  up
> 3    host       10.0.1.103   100.00%  up
> 2    redirect   test2                 active
> 2    table      test2:3               active (6 hosts)
> 4    host       10.0.1.101   100.00%  up
> 5    host       10.0.1.102   100.00%  up
> 6    host       10.0.1.103   100.00%  up
> 7    host       10.0.1.104   100.00%  up
> 8    host       10.0.1.105   100.00%  up
> 9    host       10.0.1.106   100.00%  up
> # relayctl host disable 10.0.1.101
> command succeeded
> # relayctl show summary
> Id   Type       Name         Avlblty  Status
> 1    redirect   test                  active
> 1    table      test:8080             active (2 hosts)
> 1    host       10.0.1.101            disabled
> 2    host       10.0.1.102   100.00%  up
> 3    host       10.0.1.103   100.00%  up
> 2    redirect   test2                 active
> 2    table      test2:3               active (6 hosts)
> 4    host       10.0.1.101   100.00%  up
> 5    host       10.0.1.102   100.00%  up
> 6    host       10.0.1.103   100.00%  up
> 7    host       10.0.1.104   100.00%  up
> 8    host       10.0.1.105   100.00%  up
> 9    host       10.0.1.106   100.00%  up
>
> Thanks in advance!
Re: hoststated on OpenBSD
* Beavis (pfu...@gmail.com) wrote:
> Greetings List,
>
>    I would like to ask some folks here regarding hoststated is it
> still available for OpenBSD? All i got through google is
> http://cvs.openbsd.org/papers/eurobsdcon07/pyr-loadbalancing/
>
> I'm looking for a tool that would be able me to setup OpenBSD as a
> High-availability appliance where i place behind it win or *nix
> webservers and have them load-balance through it. I know that pf(4)
> would be able to aid me on this but getting info for hoststated would
> really help me a lot.
>
>

Hi, hoststated is now called relayd, after being called hostated.

- pyr.
Re: Realyd exits when relayctl disables and enables a host
* David Caro ([EMAIL PROTECTED]) wrote:
> Hi all,
>
> first of all, sorry for my english (it's not my first language, but
> i'm trying to learn)
>
> i have two testing firewalls running OpenBSD 4.3 -release (fresh
> install), with carp and pfsync configured and working.
> I was trying to configure relayd, so i halted one of the firewalls and
> play with the other. I found that when i disable one host with
> 'relayctl host disable' and then enable it, relayd exits a few moments
> later (it seems that the problem is passing the host from the state
> unknown to active).
>
> I've tried to find if there was people with the same error and found
> various threads but none of them was solved. Should i report it as a
> bug (i didn't find it)? It's just that i did not configure it right? (as
> you can see below, the configuration is minimal)
>
> Thanks!
> David
>
>

Hi, Can you try again with -current please and if the bug still shows up file a bug indeed, so we can fix this before release. Thanks!

- pyr.
Re: Trying to compile cwm on Linux
> 6. Compile and link:
>
>    $ for i in *.c; do gcc -I /usr/include/freetype2 -c $i; done
>    $ gcc -lXft -lXrender -lX11 -lXau -lXdmcp -lXext -lfontconfig -lexpat -lfreetype -lz -o cwm *.o
>

Most Linux distributions carry a "pmake" package which provides a bsd.prog.mk and thus support for the Makefiles distributed with OpenBSD source code. It can come in handy.
Re: sloppy states and dsr
* Ted Unangst ([EMAIL PROTECTED]) wrote:
> One would only use sloppy state tracking on the load balancer, right?
> The firewall in front of everything still uses normal tracking?
>

Yes, you use sloppy state only on the host(s) seeing half of the traffic.
Re: relayd and "src track"
> + if (rdr->conf.flags & F_STICKY) > + if (ioctl(env->sc_pf->dev, DIOCCLRSRCNODES, 0) == -1) > + fatal("sync_table: cannot clear the tree of source > tracking nodes"); > + >free(addlist); > >log_debug("sync_table: table %s: %d added, %d deleted, %d changed", > Good enough for now, it's in. We'll look for a way of clearing individual nodes later on.
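Review bot: The `fatal()` on a failed `DIOCCLRSRCNODES` in the added `F_STICKY` branch turns a failed cleanup step into a daemon exit (the "fatal: flush_table" report further down this page shows relayd dead after a `fatal`); logging the error and continuing with the table sync would keep the load balancer running. The ioctl is also passed `0`, so nothing scopes it to the redirection being synced and the whole source-tracking tree is cleared whenever any sticky rdr changes. The nested `if` pair would read more safely with braces around the outer body.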
Re: relayd exits (crashes) if all hosts become disabled... expected?
* Mark Rolen ([EMAIL PROTECTED]) wrote:
>
> At that point, relayd is dead, and won't restart. /var/log/daemon shows:
> fatal: flush_table: cannot flush table stats: Operation not supported by
> device
>

This is a bug and has been fixed in -current yesterday, it will be part of the next snapshot.
Re: relayd http check connection failures; hoststated operates correctly
Brad Arrington <[EMAIL PROTECTED]> wrote: > Hi Pierre-Yves, > > I guess we are both wrong... > I used a few different timeout values including 1000 before > changing any code. I just checked relayd(the unpatched version) again > and I get the same results. > > These web servers just serve the default apache index page. > I can connect to them instantly from the load balancer (using lynx) > or any other (client)machine > I have tested. > > So either the timeout value is not read/set correctly or it is > something else. > Please try with an insanely high value (10seconds) and see if you still get a connection timeout message. To make logging more meaningful you can try with this diff and send me the relayd -dv output: Index: check_tcp.c === RCS file: /cvs/src/usr.sbin/relayd/check_tcp.c,v retrieving revision 1.31 diff -u -p -r1.31 check_tcp.c --- check_tcp.c 7 Dec 2007 17:17:00 - 1.31 +++ check_tcp.c 27 Feb 2008 13:40:45 - @@ -109,21 +109,24 @@ tcp_write(int s, short event, void *arg) if (event == EV_TIMEOUT) { log_debug("tcp_write: connect timed out"); cte->host->up = HOST_DOWN; - } else { - len = sizeof(err); - if (getsockopt(s, SOL_SOCKET, SO_ERROR, &err, &len)) - fatal("tcp_write: getsockopt"); - if (err != 0) - cte->host->up = HOST_DOWN; - else - cte->host->up = HOST_UP; + close(s); + hce_notify_done(cte->host, "tcp_write: connect timed out"); + return; } + len = sizeof(err); + if (getsockopt(s, SOL_SOCKET, SO_ERROR, &err, &len)) + fatal("tcp_write: getsockopt"); + if (err != 0) + cte->host->up = HOST_DOWN; + else + cte->host->up = HOST_UP; + if (cte->host->up == HOST_UP) tcp_host_up(s, cte); else { close(s); - hce_notify_done(cte->host, "tcp_write: connect failed"); + hce_notify_done(cte->host, "tcp_write: connection refused"); } }
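Review bot: In the reworked tail of `tcp_write()`, the string passed to `hce_notify_done()` becomes "tcp_write: connection refused" for every non-zero `SO_ERROR` value, but `err` can carry other failures than a refusal (an unreachable host or network, for instance), so the log would name the wrong cause. Either keep the neutral "connect failed" wording or build the message from `strerror(err)`. The early return on `EV_TIMEOUT` is a clear improvement, since the timeout case no longer falls through to the second, misleading notification.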
Re: relayd http check connection failures; hoststated operates correctly
Brad Arrington <[EMAIL PROTECTED]> wrote: > Hi, > > I ran into the same problem you did, I thought it was something I > was doing wrong until I read your email... > > Here is the fix I came up with. > > --- check_tcp.c-current Mon Feb 25 15:11:40 2008 > +++ check_tcp.c Mon Feb 25 23:48:45 2008 > @@ -82,6 +82,7 @@ > if (fcntl(s, F_SETFL, O_NONBLOCK) == -1) > goto bad; > > + gettimeofday(&cte->table->conf.timeout, NULL); > bcopy(&cte->table->conf.timeout, &tv, sizeof(tv)); > if (connect(s, (struct sockaddr *)&cte->host->conf.ss, len) > == -1) { if (errno != EINPROGRESS) > > I should check for return codes on gettimeofday but here it is > anyway... I submitted a bug report too. > > -Brad > Hi Brad, Your fix is wrong, you run in a timeout which happens because the default relayd configuration supposes you are in the same broadcast domain as your relayed host and has a 200ms timeout. The error reporting is a bit confusing and should just mention that a timeout occurred, I will fix that. The gettimeofday you used indeed fixed your issue but is really wrong since it modifies the value you specify in the configuration file. A simple fix for you would be to specify: timeout 1000 # (or any appropriate timeout value for your application) in your configuration file. > > startup > > init_filter: filter init done > > tcp_write: connect timed out > > relay_privinit: adding relay www > > init_tables: created 0 tables > > hce_notify_done: aa.bb.cc.209 (tcp_write: connect failed) > > protocol 0: name http > > host aa.bb.cc.209, check http code (3ms), state unknown -> down, > > availability 0.00% > > flags: 0x0004 > > tcp_write: connect timed out The timeout is mentioned here. > > type: hce_notify_done: aa.bb.cc.211 (tcp_write: connect > > failed) http And then a connect failed error happens which might have confused you. pyr.
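Review bot: The added `gettimeofday(&cte->table->conf.timeout, NULL);` writes the current wall-clock time into the table's configured timeout immediately before that field is `bcopy`'d into `tv`, so the value read from the configuration file is overwritten on every check and the connect timer is armed with an epoch-sized interval instead of the intended one. Drop the line and leave `conf.timeout` read-only here; if the 200ms default is too short for the path to the backend, that belongs in the `timeout` setting. The call's return value is also ignored.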
Re: relayd http check connection failures; hoststated operates correctly
Brad Arrington <[EMAIL PROTECTED]> wrote: > Hi, > > I ran into the same problem you did, I thought it was something I > was doing wrong until I read your email... > > Here is the fix I came up with. > > --- check_tcp.c-current Mon Feb 25 15:11:40 2008 > +++ check_tcp.c Mon Feb 25 23:48:45 2008 > @@ -82,6 +82,7 @@ > if (fcntl(s, F_SETFL, O_NONBLOCK) == -1) > goto bad; > > + gettimeofday(&cte->table->conf.timeout, NULL); > bcopy(&cte->table->conf.timeout, &tv, sizeof(tv)); > if (connect(s, (struct sockaddr *)&cte->host->conf.ss, len) > == -1) { if (errno != EINPROGRESS) > > I should check for return codes on gettimeofday but here it is > anyway... I submitted a bug report too. > I'll handle the bug report, thanks for reporting.
Re: hoststated - some questions
[sent to wrong list]

> Also hoststatectl reload does not work for me.
>
> [EMAIL PROTECTED] root# hoststatectl reload
> command failed
>
> Expected behavior?
>

Unfortunately, yes. reload currently does not work for layer7 (relay) configurations. it should be available before 4.3 though.
Re: OpenBSD kernel janitors
n0g0013 <[EMAIL PROTECTED]> wrote:
> i personally find it quite
> disheartening to hear the attitude that prevails here but that's the
> community's decision. it certainly seems to reflect the attitude
> of its leaders (developers).
>

Instead of doing something useful like reading code, identifying and trying to fix bugs, you are whining on misc@ asking ``why are you guys mean and don't tell me what to do''. Stop and think about this attitude for a second, please. Development is an involved process, it takes a lot of reading and commitment to get to the point where you're actually able to do something useful, and no list or misc@ chit-chat will change it.
Re: Network Time Synchronization using timed or ntpd or a Combination?
Boris Goldberg <[EMAIL PROTECTED]> wrote:
> Hello Rogier,
>
> Tuesday, October 23, 2007, 9:01:32 AM, you wrote:
>
> RK> On 10/23/07, Boris Goldberg <[EMAIL PROTECTED]> wrote:
> >> You don't really need ntpd on all systems. One (timeserver)
> >> runs ntpd, and others use rdate, called from cron (once a day is
> >> usually enough).
>
> RK> While your suggestion would work, it would also entail more work
> RK> without adding benefit. Upon install, you get the question of
> RK> whether you want to use ntpd. Starting with 4.2, it even asks for
> RK> a specific NTP server.
>
> It's always better to don't run a demon if you don't have to. :)
> Talking about a "more work" - I don't think that someone avoiding
> small "after install" tuning like this should be taking care of
> any network besides his home one. ;) Anyway, for the last five years
> no version of OBSD (including 4.2) worked for me without tuning a
> kernel, so an extra line in a crontab is nothing. :)
>

I hope nobody takes what you say seriously. Running rdate instead of ntpd like you describe is wrong for many reasons which have been stated over and over in the last few years. Please do not spread wrong information around, and do your homework before giving others advice on what you think is good sysadmin practice.
Re: hoststated: throws "Undefined error: 0" in i386 -current
"Rolf Sommerhalder" <[EMAIL PROTECTED]> wrote:
> This simple configuration file for hoststated below is syntactically
> correct (and semantically, too), however apparently only if its file
> mode bits are 600 (which makes sense).
>
> Somehow, I ended up with mode bits being set to 644, upon which
> hoststated refused to accept it but throws an "Undefined error: 0".
> It took me a while to figure out that it occurs due to mode bits being
> set somewhat too liberal because the error does not provide any hint.
> Also, I only upgraded to -current last night, and the same
> configuration file was accepted with mode bits 644 by the latest
> available snapshot without complaint before upgrading.
>
> Actually, I just tried 'hoststated -d -f /etc/hoststated.rs' which
> throws the same error, but only after hinting about the mode bits
> being wrong. So it might be helpful to just add the same hint output
> to the -n option as well.
>
> I had no opportunity to crosscheck on sparc64 -current yet, or to
> propose a small diff, sorry for that.
>
> Thanks,
> Rolf
>

There was indeed no provision to check for this when running hoststated with -n. This will be fixed in CVS shortly.
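A permission check of the kind discussed in this thread, as an added example that is not hoststated's code: the check runs on the open descriptor, so the file examined is the file that will be parsed, and it returns a message naming the cause so that every caller (normal start-up or a check-only run) can print the same hint. The names `config_is_private`, `open_config` and `demo_mode` are chosen for the example, and the temporary file is constructed for the demonstration.

```c
#include <sys/types.h>
#include <sys/stat.h>

#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * Accept a configuration file only if it is a regular file, owned by
 * root or by the user running the daemon, with no group or world bits.
 * On failure, "why" receives the reason; on success it is left empty.
 */
int
config_is_private(int fd, const char *fname, char *why, size_t len)
{
	struct stat st;

	if (fstat(fd, &st) == -1) {
		snprintf(why, len, "%s: cannot stat: %s", fname,
		    strerror(errno));
		return (-1);
	}
	if (!S_ISREG(st.st_mode)) {
		snprintf(why, len, "%s: not a regular file", fname);
		return (-1);
	}
	if (st.st_uid != 0 && st.st_uid != getuid()) {
		snprintf(why, len, "%s: owner not root or current user",
		    fname);
		return (-1);
	}
	if (st.st_mode & (S_IRWXG | S_IRWXO)) {
		snprintf(why, len,
		    "%s: group/world readable/writeable (mode %04o)",
		    fname, (unsigned int)(st.st_mode & 07777));
		return (-1);
	}
	why[0] = '\0';
	return (0);
}

/* Open first, then check the descriptor: no window between check and use. */
FILE *
open_config(const char *fname, char *why, size_t len)
{
	FILE *fp;

	if ((fp = fopen(fname, "r")) == NULL) {
		snprintf(why, len, "%s: %s", fname, strerror(errno));
		return (NULL);
	}
	if (config_is_private(fileno(fp), fname, why, len) == -1) {
		fclose(fp);
		return (NULL);
	}
	return (fp);
}

/* Constructed demo: returns 1 if a file with this mode is accepted. */
int
demo_mode(mode_t mode, char *why, size_t len)
{
	char path[] = "/tmp/cfgdemo.XXXXXX";
	FILE *fp;
	int fd, accepted;

	if ((fd = mkstemp(path)) == -1)
		return (-2);
	fchmod(fd, mode);
	close(fd);
	fp = open_config(path, why, len);
	accepted = fp != NULL;
	if (fp != NULL)
		fclose(fp);
	unlink(path);
	return (accepted);
}

int
main(void)
{
	char why[256];

	printf("0644 accepted: %d (%s)\n", demo_mode(0644, why, sizeof(why)), why);
	printf("0600 accepted: %d\n", demo_mode(0600, why, sizeof(why)));
	return (0);
}
```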
Re: Hoststated & check https; what am I missing?
> I'm wondering how sensitive hoststated is to the certificate (might
> "check https digest" fail because the server certificate and the name
> I'm asking for don't match?), or could it be that hoststated computes
> the https digest before the html output is decrypted?
>

Hoststated doesn't check certificates and computes the digest after the output is decrypted (it wouldn't be a static digest otherwise !). It could be that your real server is too slow to respond to hoststated and that the digest is done on incomplete data, please run hoststated with "-dv" to verify this assumption.

Regards,
Pierre-Yves.
Re: what if hoststated dies?
On Tue, 25 Sep 2007 14:22:19 +0200 Luca Corti <[EMAIL PROTECTED]> wrote:
> On Wed, 2007-09-26 at 00:01 +1200, Josh wrote:
> > What happens if hoststated crashes? Does its latest table entries
> > and rdr rules still remain?
>
> Maybe you can try a kill -9 and see what happens.
>
> ciao
>
> Luca
>

better try pkill -SEGV hoststated ;) in either case, the pfe process catches the fact that the hce process dies and cleans up the tables and rules before completely dying.
Re: hoststated, using the same tables for more than one service
On Tue, 25 Sep 2007 14:08:50 +0200 Pierre-Yves Ritschard <[EMAIL PROTECTED]> wrote:
> On Tue, 25 Sep 2007 23:25:44 +1200
> Josh <[EMAIL PROTECTED]> wrote:
>
> > Well after trying it, it appears there _IS_ a problem there. One of
> > the services was not
> > working. As soon as I gave it its own separate tables, it worked.
> >
> > Pierre-Yves Ritschard wrote:
> >
> > Anyway, my question is, can I use the same tables in multiple
> > service entries? ( one for each connection )
> >
> > no problem there.
> >
> the following works:
>

After checking again, there seems to be a problem here indeed. I'll get working on a solution.
Re: hoststated, using the same tables for more than one service
On Tue, 25 Sep 2007 23:25:44 +1200 Josh <[EMAIL PROTECTED]> wrote:
> Well after trying it, it appears there _IS_ a problem there. One of
> the services was not
> working. As soon as I gave it its own separate tables, it worked.
>
> Pierre-Yves Ritschard wrote:
>
> Anyway, my question is, can I use the same tables in multiple
> service entries? ( one for each connection )
>
> no problem there.
>

the following works:

webhost1=a.b.c.d
webhost2=e.f.g.h
public1=w.x.y.z
public2=w.x.y.z

table web1 {
	real port http
	check http "/" code 200
	host $webhost1
}

table web2 {
	real port http
	check http "/" code 200
	host $webhost2
}

table sorry {
	check icmp
	real port http
	host 127.0.0.1
}

service www1 {
	virtual host $public1 port 80
	table web1
	backup table sorry
}

service www2 {
	virtual host $public2 port 80
	table web2
	backup table sorry
}
Re: hoststated, using the same tables for more than one service
> Anyway, my question is, can I use the same tables in multiple service
> entries? ( one for each connection )
>

no problem there.
Re: Get rid of leaf packages
On Thu, 30 Aug 2007 09:22:18 +0100 "Edd Barrett" <[EMAIL PROTECTED]> wrote:
> Hi,
>
> On 30/08/2007, Jona Joachim <[EMAIL PROTECTED]> wrote:
> > You can find it here:
> > http://hcl-club.lu/svn/development/python/cutleaves
>
> This is useful! Why not write a port?
>

Why write it in python ? The package system was written in perl and there are lots of supporting modules readily available in the system. Here's what I use (top-level-delete.pl), of course you will have to change the last statement to call pkg_delete for actual deletion:

#!/usr/bin/perl

use strict;
use warnings;

use OpenBSD::Search;
use OpenBSD::PackageInfo;
use OpenBSD::PackageName;
use OpenBSD::PackageRepository::Installed;
use OpenBSD::RequiredBy;

die "not enough args" if (@ARGV < 1);

sub find_pkg {
	my $children = shift;
	my $pname = shift;
	my $repo = OpenBSD::PackageRepository::Installed->new;
	my $pkg = $repo->find($pname);

	if (!defined($pkg) && OpenBSD::PackageName::is_stem($pname)) {
		my @l = sort ($repo->match(OpenBSD::Search::Stem->new($pname)));
		$pkg = $repo->find($l[0]) if (@l == 1);
	}
	$children->{$pkg->{name}} = 1 if (defined($pkg));
}

sub find_children {
	my $children = shift;
	my @packages = OpenBSD::PackageInfo::installed_packages();
	my $pkg;
	my $nfound = 0;

FINDLOOP:
	foreach $pkg (@packages) {
		next if grep $pkg eq $_,keys(%$children);
		my @reqlist = OpenBSD::RequiredBy->new($pkg)->list;
		next if (@reqlist == 0);
		foreach my $req (@reqlist) {
			next FINDLOOP if (!defined($children->{$req}));
		}
		if (!defined($children->{$pkg})) {
			$children->{$pkg} = 1;
			$nfound++;
		}
	}
	return ($nfound);
}

my $children = {};
map { find_pkg $children, $_ } @ARGV;
# call while new removeable packages are found
1 while (find_children($children) > 0);
map { print "removing: $_\n" } keys(%$children);
Re: howto set global environment variable (e.g. PATH, JAVA_HOME)
On Fri, 10 Aug 2007 09:11:55 +0100 "Edd Barrett" <[EMAIL PROTECTED]> wrote:
> On 09/08/07, Lars Hansson <[EMAIL PROTECTED]> wrote:
> > If you're using xdm things are different though. The Xsession script
> > does not source any global files so you'll have to modify it to
> > source /etc/profile.
>
> Is there a global Xdefaults file which can be made to source every
> users .profile and /etc/profile for xdm logins?
>

Yes: /etc/X11/app-defaults/XTerm, you can use LoginShell: true there.
Re: hoststated and UDP
On Thu, 28 Jun 2007 00:19:56 +0200 Luca Corti <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I've setup hoststated for load balancing of some services, and it
> works well. If I'm not missing something hoststated actually works
> just for TCP. Is there any plan to implement UDP support?
>

Yes there is, I will implement it at least for L3 pretty soon, there are other ongoing things for hoststated that are more important at the moment though.
Re: Regular Expression Problem
On Thu, 14 Jun 2007 18:49:46 +0200 OBSD <[EMAIL PROTECTED]> wrote:
> Hi All,
>
> thanks for all the suggestions.
> With this it works:
> cat mail.txt | egrep "[EMAIL PROTECTED]" | egrep
> "\.[a-zA-Z]{2,4}$"
>
> It is probably possible to avoid the last egrep but I have not find
> out how.
>

Have a look at p5-Email-Address, it provides a regular expression for parsing email addresses, you should be able to use it in place of egrep, or use its regular expression with egrep with some modifications. p5-Regexp-Common provides other standard regexps for URLs and the like.
Re: Load balancing with DSR
On Wed, 13 Jun 2007 17:05:44 +0200 Reyk Floeter <[EMAIL PROTECTED]> wrote:
>
> i don't like the idea about "DSR", it sounds like an evil hack to get
> some performance at the wrong place. it is better to focus on
> improving the pf/network stack performance itself and to be able to do
> traffic filtering and normalization on the loadbalancers.
>
>

There are scenarios where DSR/DR really solves problems, some that the best pf network stack cannot solve. If DSR/DR ever finds its way into OpenBSD (through pf, hoststated, ...) it will be because we find a clean way to do it.
Re: Load balancing with DSR
> > pass in on $ext_if route-to { $webh1, $webh2 } round-robin proto tcp \
> >     from any to $virt_ip port http no state
> > pass out on $int_if from any to $virt_ip port http no state
>
> Wouldn't you need some kind of state here? Otherwise there's no
> guarantee of the packets for a given connection always being routed
> to the same physical server.
>

State is useless here as packets won't come back through this router. Moreover, you're going to block some packets in some cases since you only see half of the traffic. If you want a sticky behavior you can change the pool type to source-hash.
Re: Load balancing with DSR
On Wed, 13 Jun 2007 15:40:36 +1000 Darren Tucker <[EMAIL PROTECTED]> wrote:
> Would it be possible to to this the way the IBM eNetwork dispatchers
> used to do this? Put all of the machines on the same broadcast
> domain, then:
>
> 1. add a static published arp entry for the cluster address on the
> balancer with its own mac address so packets aimed at the cluster
> address will go to the balancer.
>
> 2. configure all cluster members with a loopback interface with the
> cluster address.
>
> 3. use route-to pf rules with a next-hop to punt incoming packets to
> various nodes in the cluster

I think all load balancers implementing direct server return / direct routing use this trick. You're not going to be able to get away without messing with arp so you're bound to a single broadcast domain. Your scenario should be tried out, yes, but it is still just an ugly hack if you ask me :)

Now you still can't really make this work with hoststated or any other LB on OpenBSD. I'd still like to find an elegant way to do this and integrate it with hoststated. And just for the record what you said maps to:

pass in on $ext_if route-to { $webh1, $webh2 } round-robin proto tcp \
    from any to $virt_ip port http no state
pass out on $int_if from any to $virt_ip port http no state

If I get the occasion I'll try it out and see how that works. I also wonder how it would behave when setting the arp entry to that of a carp interface.
Re: Load balancing with DSR
On Wed, 13 Jun 2007 10:54:58 +0800 Lars Hansson <[EMAIL PROTECTED]> wrote:
> Linden Varley wrote:
> > Anyone know of any load balancing software for OpenBSD that can do
> > direct-server return? (our load balancers (openbsd boxes) are
> > co-located and we pay for all data bandwidth).
>
> hoststated?
>

No, hoststated won't do DSR yet, neither will any load balancers on OpenBSD. DSR needs Layer 2 trickery that is not possible with OpenBSD. Maybe someday, it is on my todo-list if I find a clean way to do it.
Re: hoststated: fatal: relay_dispatch_pfe: desynchronized,
> --- src/usr.sbin/hoststated/relay.c.origWed Mar 7 19:40:32 > 2007 +++ src/usr.sbin/hoststated/relay.c Sun May 13 18:37:48 2007 > @@ -1775,7 +1775,7 @@ > fatalx("relay_dispatch_pfe: invalid > host id"); if (host->flags & F_DISABLE) > break; > - if (host->up == st.up) { > + if (host->up != st.up) { > log_debug("relay_dispatch_pfe: host > %d => %d", host->id, host->up); > fatalx("relay_dispatch_pfe: > desynchronized"); > > This fix is wrong, please do not apply it (you should not receive updates for a status you already know about). current CVS version has no issues and I will pull a 4.1-release version, try to reproduce the issue and apply -stable fixes.
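Review bot: Flipping the test to `host->up != st.up` makes `fatalx("relay_dispatch_pfe: desynchronized")` fire whenever the received state differs from the stored one, which is exactly what a genuine status update looks like, so the relay would exit on the first real change. Keep `==` and trace why the sender emits an update for a state the relay already holds (the disable/enable sequence reported in this thread). The `log_debug` just above prints `host->id` and `host->up` only; adding `st.up` to it would show both sides of the comparison when this path is hit.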
Re: hoststated: fatal: relay_dispatch_pfe: desynchronized,
On Wed, 6 Jun 2007 21:29:42 +0300 Paulius Bulotas <[EMAIL PROTECTED]> wrote:
> well ;)
> probably you will have to wait for 4.2, but fix for similar problem
> (try to disable table, then enable it ;)
> so probably the same applies for host disabling, enabling...
> at least, with this patch it works for me.
>

this will be taken care of by the end of the week. but give me some time to commit the reload support first.
Re: hoststated: fatal: relay_dispatch_pfe: desynchronized,
On Wed, 6 Jun 2007 14:09:19 +0200 Jörg Streckfuß <[EMAIL PROTECTED]> wrote:
> Hi list,
>
> First a tribute for the good work to the authors of hoststated.
> In the future i plan to use hoststated in production environments
> to check for the availability of our webservices.
>
> But before I set it up on my production machine I would make some
> testing. I took two tiny Soekrises with OpenBSD 4.1 stable installed,
> configured the first one as loadbalancer and the second one as a
> webserver with three IPs on one interface.
>
> Here is the setup in explicit detail:
>

Hi, can you give the output of uname -a please, I'd like to know what versions of current you are running.
Re: hoststated
On Wed, 02 May 2007 11:39:01 +0200 holger glaess <[EMAIL PROTECTED]> wrote:
> > i try to setup the hoststated daemon but it fail to start.
> > i would to like setup an simple loadbalancer for http with 2 host.
> > i add also rdr-anchor "hoststated/*" to my pf.conf after the rdr
> > rules.
> >
> > thanks for your help
> >

Indeed, hoststated relies on INET and INET6 to be available.
Re: hoststated
On Fri, 27 Apr 2007 08:57:16 +0200 holger glaess <[EMAIL PROTECTED]> wrote:
> hi
>
> i try to setup the hoststated daemon but it fail to start.
> i would to like setup an simple loadbalancer for http with 2 host.
> i add also rdr-anchor "hoststated/*" to my pf.conf after the rdr
> rules.
>
> thanks for your help
>
> holger
>

Are you using a recent -current system ? I have no problem with this configuration.
Re: OpenBGPD MIB
On Sat, 24 Mar 2007 18:41:00 -0700 "Aaron Glenn" <[EMAIL PROTECTED]> wrote:
> On 3/24/07, Sylwester S. Biernacki <[EMAIL PROTECTED]> wrote:
> > Hi guys,
> >
> > I've looked over for importing bgpd status to snmp to use with
> > 'sophisticated' monitoring system. Hope somebody has similar
> > problem. Can you give me some links or tell the way you do such
> > things ?
> >
> > ps. yeah, I know I can write my own, but I hope not to be
> > Christopher Columbus :)
>
> dirty hack would be net-snmpd and lots of 'exec' OIDS
>
>

No, net-snmpd has a good mechanism that is called pass and pass-persist. This allows to write really simple programs (ask me for a skeleton), you'd just have to write more code to open /var/log/bgpd.sock and gather the information needed to answer for the OIDs. If anybody is interested in doing this (I have some code available) for BGP-MIB and possibly OSPF please contact me off-list, I can give directions.
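A small pass_persist handler of the kind mentioned here and in the snmpd thread at the top of the page, as an added example that is not the skeleton offered in this message: it answers net-snmp's PING, get and getnext requests for a table of integer objects. The OID subtree, the values and the program path in the comment are constructed placeholders; where the values really come from (a socket, a file, shared memory) is left to the application. Note that getnext has to compare OIDs numerically, component by component.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed sample subtree, kept in OID order; enterprise number 99999
 * is a placeholder. snmpd.conf hands the subtree to this program with a
 * line such as (program path hypothetical):
 *   pass_persist .1.3.6.1.4.1.99999.1 /usr/local/libexec/custom_mib
 */
struct entry {
	const char	*oid;
	int		 value;	/* the application updates this as it sees fit */
};

struct entry mib[] = {
	{ ".1.3.6.1.4.1.99999.1.2.0", 17 },
	{ ".1.3.6.1.4.1.99999.1.9.0", 42 },
	{ ".1.3.6.1.4.1.99999.1.10.0", 7 },	/* 10 sorts after 9 */
};
#define NENTRIES (sizeof(mib) / sizeof(mib[0]))

/* Compare dotted OIDs component by component, as numbers. */
int
oid_cmp(const char *a, const char *b)
{
	char *ea, *eb;
	unsigned long x, y;

	for (;;) {
		if (*a == '.')
			a++;
		if (*b == '.')
			b++;
		if (*a == '\0' || *b == '\0')
			return ((*a != '\0') - (*b != '\0'));
		x = strtoul(a, &ea, 10);
		y = strtoul(b, &eb, 10);
		if (ea == a || eb == b)		/* malformed component */
			return ((ea != a) - (eb != b));
		if (x != y)
			return (x < y ? -1 : 1);
		a = ea;
		b = eb;
	}
}

/* Build the reply for "get" or "getnext": OID, type, value, or NONE. */
void
respond(const char *cmd, const char *oid, char *out, size_t len)
{
	int c, next = strcmp(cmd, "getnext") == 0;
	size_t i;

	for (i = 0; i < NENTRIES; i++) {
		c = oid_cmp(mib[i].oid, oid);
		if ((next && c > 0) || (!next && c == 0)) {
			snprintf(out, len, "%s\ninteger\n%d\n", mib[i].oid,
			    mib[i].value);
			return;
		}
	}
	snprintf(out, len, "NONE\n");
}

int
main(void)
{
	char cmd[64], oid[256], arg[256], reply[512];

	/* snmpd writes one request per exchange on stdin, reads stdout. */
	while (fgets(cmd, sizeof(cmd), stdin) != NULL) {
		cmd[strcspn(cmd, "\r\n")] = '\0';
		if (strcmp(cmd, "PING") == 0) {
			fputs("PONG\n", stdout);
		} else if (strcmp(cmd, "get") == 0 ||
		    strcmp(cmd, "getnext") == 0) {
			if (fgets(oid, sizeof(oid), stdin) == NULL)
				break;
			oid[strcspn(oid, "\r\n")] = '\0';
			respond(cmd, oid, reply, sizeof(reply));
			fputs(reply, stdout);
		} else if (strcmp(cmd, "set") == 0) {
			/* consume the OID and "type value" lines; read-only */
			if (fgets(oid, sizeof(oid), stdin) == NULL ||
			    fgets(arg, sizeof(arg), stdin) == NULL)
				break;
			fputs("not-writable\n", stdout);
		} else
			break;
		fflush(stdout);		/* snmpd waits for the complete reply */
	}
	return (0);
}
```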
Re: http load balancing with pf (apache access log)
On Tue, 30 Jan 2007 15:20:42 + Rui Miguel Silva Seabra <[EMAIL PROTECTED]> wrote: > Tue, 2007-01-30 at 14:25 +0100, Pierre-Yves Ritschard wrote: > > On Tue, 30 Jan 2007 13:06:00 + > > Rui Miguel Silva Seabra <[EMAIL PROTECTED]> wrote: > > > > > By the way, what do you use/recommend in order to manage the > > > webserver pool? 1 test/min (in cron for instance) is too large a > > > value for many use cases, so what would be best in your opinion? > > > > > > It's likely I'll need this for the near future and this thread > > > basically cut my investigation time in over 90% ;) > > > > Maybe hoststated can suit your needs. You will need to build it from > > source since it's not linked in right now. > > > > See http://spootnik.org/hoststated for more information > > Promising, it does say that it's now part of the OpenBSD system, but > since when? CURRENT? I can't seem to find it in the 4.0 CD's... > > Rui > Pending the link of hoststated in the builds you can follow the instructions I just put up on http://spootnik.org/hoststated#install .
Re: http load balancing with pf (apache access log)
On Tue, 30 Jan 2007 13:06:00 + Rui Miguel Silva Seabra <[EMAIL PROTECTED]> wrote: > By the way, what do you use/recommend in order to manage the webserver > pool? 1 test/min (in cron for instance) is too large a value for many > use cases, so what would be best in your opinion? > > It's likely I'll need this for the near future and this thread > basically cut my investigation time in over 90% ;) Maybe hoststated can suit your needs. You will need to build it from source since it's not linked in right now. See http://spootnik.org/hoststated for more information
Re: http load balancing with pf (apache access log)
On Mon, 29 Jan 2007 17:34:51 +0100 Marian Hettwer <[EMAIL PROTECTED]> wrote: > > > Pierre-Yves Ritschard wrote: > > On Mon, 29 Jan 2007 17:20:50 +0100 > > Marian Hettwer <[EMAIL PROTECTED]> wrote: > > > >> Which would mean, I send a SYN to my load balancer, which forwards > >> the SYN to one of my webservers, and the webserver would send a > >> SYN-ACK back to me. But my machine, obviously can't do anything > >> with a SYN-ACK from an IP address it didn't even asked... > >> The client would assume to get a SYN-ACK from the load balancer > >> (which he asked...) > >> > >> understood? > > no you don't get it. > > you setup your webservers with IPs whose default gateway is the > > load-balancer, then use rdr, that's how it's done hence all the > > traffic goes through the load-balancer and real client ips are > > preserved. > > > Ah... there we go. > I can't setup the webservers with their default gateway to my load > balancer. The boxes are scattered dedicated servers and I have no > possibility to change the network settings. > These are rented servers (dedicated boxes) at some cheap ISP and all > they have is an official IP address. > Changing the default gateway isn't possible... > Sorry 'bout that. > > ./Marian > You could also do an ugly hack which would consist of attaching a second network on your servers and load balancers (provided they are in the same (v)?lan) like 172.16.1.0/24 and use that for contacting the real, then you'll need to lookup another routing table when being contacted on the 172.16.1.0/24 network (using pf + alternate routing tables in openbsd or iproute2 in linux). Otherwise you're stuck with nat.
Re: http load balancing with pf (apache access log)
On Mon, 29 Jan 2007 17:20:50 +0100 Marian Hettwer <[EMAIL PROTECTED]> wrote: > > Which would mean, I send a SYN to my load balancer, which forwards > the SYN to one of my webservers, and the webserver would send a > SYN-ACK back to me. But my machine, obviously can't do anything with > a SYN-ACK from an IP address it didn't even asked... > The client would assume to get a SYN-ACK from the load balancer > (which he asked...) > > understood? no you don't get it. you setup your webservers with the load balancer as default gateway then use rdr as I described in my previous mail. hence all the traffic goes through the load-balancer and real client ips are preserved.
Re: http load balancing with pf (apache access log)
On Mon, 29 Jan 2007 16:21:13 +0100 Marian Hettwer <[EMAIL PROTECTED]> wrote: > However, one thing is bothering me. > Obviously, my apache access logs on those load balanced machines can > only show the IP address of my load balancer, not the real remote ip > of the request.

Why are you rewriting the source address ? A typical rule for redirecting web traffic would be:

    rdr on $ext0 from any to $www port 80 ->

This rewrites the destination address, not the source. Your apache logs are the same as they would have been had you been directly reachable.
Re: Redundant web servers
Nick Ryan wrote:
If you haven't already seen it on undeadly.org this might be what you're after: http://spootnik.org/hoststated/hoststated_introduction.html Cheers

This means having a third machine. If it's OK with you, you can indeed use hoststated (with 2 tables containing 1 host each):

    table slave {
            check ...
            host $slavehost
    }
    table master {
            check ...
            host $masterhost
    }
    service http {
            virtual ip ...
            table master
            backup table slave
    }

Otherwise you can also use sysutils/monit to monitor your HTTP server and increase the demote counter in case of HTTP failure. Which would seem simpler and more to the point in your scenario (and you keep only two machines).
Re: pf and load balancing some webservers
PS.: although wrong thread, any chance to use the brand new hoststated in OpenBSD 4.0 ? If I get it via CVS, will it build? I don't like the idea to upgrade my production box to -CURRENT at all ;)

What you can do is get the 4.0 source, then just checkout latest hoststated and hoststatectl directories. (in /usr/src/usr.sbin)

    # cvs -d :pserver:[EMAIL PROTECTED]:/cvs co -rHEAD -P hoststated hoststatectl

They will build fine. Don't forget to add a user _hoststated to your /etc/master.passwd too: (as root)

    # group add -g 87 _hoststated
    # chpass -a '_hoststated:*:87:87::0:0:HostStated\ Daemon:/var/empty:/sbin/nologin'

Please test and report !
Re: hoststated and 802.11
Sam Fourman Jr. wrote: I was reading about the new hoststated tool in OpenBSD, and wondering if it would be possible to use rssi as a link health check. Short answer: not at the moment. Scripting will soon be enabled and will allow you to specify external health checkers. Of course with RSSI it would be best to be able to weight hosts and this is not possible at the moment, it will be worked on too.
Re: pf load balancer and server health
> You might also want to check http://spootnik.org/slbd which is > specifically aimed at your problem. It's a privilege separated daemon > which can perform several types of health checks and has support for > sorry servers.
Re: building kernel for new release in previous stable system
* Stuart Henderson ([EMAIL PROTECTED]) wrote: > On 2006/11/03 11:34, Pierre-Yves Ritschard wrote: > > Another solution would be, once 4.1 gets out to unpack the base41.tgz, > > etc41.tgz and comp41.tgz into /usr/somewhere then unpack or checkout > > using cvs the 4.1 kernel sources in there as well. > > Nice idea, and it works sometimes, but only when the new binaries run > on your old kernel, which isn't guaranteed (see the 'reboot on a new > kernel' warnings in release(8) and the 'without install media' upgrade > documentation). > Yeah, I should have mentioned that. In the case of building a kernel it should work since cc has a great chance of still running on the new kernel (except for things like switching from a.out to elf or the like).
Re: building kernel for new release in previous stable system
Another solution would be, once 4.1 gets out to unpack the base41.tgz, etc41.tgz and comp41.tgz into /usr/somewhere then unpack or checkout using cvs the 4.1 kernel sources in there as well. Once you are in this situation you can chroot to this new fake 4.1 system:

    chroot /usr/somewhere /bin/sh

Once in the chroot, you can build your raid enabled kernel. This method also works for building a release(8).
ospfd: multi-areas and cost problems
Hi misc@, We're currently moving some of our routers from linux/quagga to OpenBSD/OpenOSPFD. In our topology, we have border routers connected to 2 areas, each announcing routes from one area into another. Basically in Quagga/IOS speak this gives (with imaginary networks):

    network 10.0.1.0 area 0.0.0.1
    network 10.0.2.0 area 0.0.0.1
    network 192.168.1.0 area 0.0.0.0

When trying to mimic this behavior with OpenOSPFD, we could not achieve the same behavior with a config file basically like this one:

    router-id 10.0.0.1
    #redistribute connected
    area 0.0.0.0 {
            interface lo1 # for announcing our loopback
            interface trunk0 #
    }
    area 0.0.0.1 {
            interface vlan32
    }

With this config we can not see the route to the network attached on vlan32 on the area 0.0.0.0. Adding redistribute connected doesn't help.
broadcom ips500a
Hi, The broadcom 5823 chipset is listed as supported in OpenBSD's supported hardware list. I found a card from broadcom, the ips500a, has anybody run that card, I'd like a fast (as in 500mbps or faster when doing IPSEC) card that would work with OpenBSD, and it's the only one I've found that seemed to fit the bill.
Re: upgrading without physical access
Thanks for all the advice. It's been working well for 3.6 -> 3.9.
upgrading without physical access
Hi list, I have a machine running OpenBSD 3.6 on a remote location that I would like to upgrade. I only have ssh access unless I buy myself an expensive plane ticket. I wondered if there's a safe way to upgrade remotely or should I just wait until I get an opportunity to be in front of the machine.
Re: Where to start studying OpenBSD networking code
The second volume of TCP/IP Illustrated is very interesting, it describes the BSD implementation of the TCP stack, walking you through the code. Although dated, the code still bears a lot of similarities with what you'll find in /usr/src.
Re: The HP nc7170 dual port
In case anyone was wondering, they work well with OpenBSD, they show up as em nics.

    em0 at pci5 dev 7 function 0 "Intel PRO/1000MT (82546EB)" rev 0x01: apic 7 int 2 (irq 11), address 00:11:0a:5c:6b:04
    em1 at pci5 dev 7 function 1 "Intel PRO/1000MT (82546EB)" rev 0x01: apic 7 int 3 (irq 5), address 00:11:0a:5c:6b:05
    em2 at pci5 dev 8 function 0 "Intel PRO/1000 (82542)" rev 0x02: apic 7 int 0 (irq 7), address 00:90:27:c2:2a:a6
Re: HP ProLiant DL 385
1 PCIX" rev 0x12 pci5 at ppb3 bus 5 em0 at pci5 dev 8 function 0 "Intel PRO/1000 (82542)" rev 0x02: apic 7 int 0 (irq 7), address 00:90:27:c2:2a:a6 "AMD 8131 PCIX IOAPIC" rev 0x01 at pci4 dev 9 function 1 not configured ppb4 at pci4 dev 10 function 0 "AMD 8131 PCIX" rev 0x12 pci6 at ppb4 bus 6 fxp0 at pci6 dev 9 function 0 "Intel 8255x" rev 0x08, i82559: apic 8 int 0 (irq 7), address 00:d0:b7:e3:df:65 inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4 "AMD 8131 PCIX IOAPIC" rev 0x01 at pci4 dev 10 function 1 not configured pchb1 at pci0 dev 24 function 1 "AMD AMD64 Address Map" rev 0x00 pchb2 at pci0 dev 24 function 2 "AMD AMD64 DRAM Cfg" rev 0x00 pchb3 at pci0 dev 24 function 3 "AMD AMD64 Misc Cfg" rev 0x00 pchb4 at pci0 dev 25 function 0 "AMD AMD64 HyperTransport" rev 0x00 pchb5 at pci0 dev 25 function 1 "AMD AMD64 Address Map" rev 0x00 pchb6 at pci0 dev 25 function 2 "AMD AMD64 DRAM Cfg" rev 0x00 pchb7 at pci0 dev 25 function 3 "AMD AMD64 Misc Cfg" rev 0x00 isa0 at pcib0 isadma0 at isa0 pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for kbd slot wskbd0 at pckbd0: console keyboard, using wsdisplay0 pmsi0 at pckbc0 (aux slot) pckbc0: using irq 12 for aux slot wsmouse0 at pmsi0 mux 0 pcppi0 at isa0 port 0x61 midi0 at pcppi0: spkr0 at pcppi0 npx0 at isa0 port 0xf0/16: using exception 16 pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo fdc0 at isa0 port 0x3f0/6 irq 6 drq 2 biomask 0 netmask 0 ttymask 0 pctr: user-level cycle counter enabled dkcsum: sd0 matches BIOS drive 0x80 root on sd0a rootdev=0x400 rrootdev=0xd00 rawdev=0xd02 cpu1: AMD Powernow: TS FID VID TTP -- Pierre-Yves Ritschard Ingenieur Systemes, Reseaux et Securite Steria Pour France Telecom - SCR/HDI/DOP/HEBEX Sophia-Antipolis - France
The HP nc7170 dual port
Hi, I've been desperately looking for syskonnect 9822 dual port cards but it seems it's sold-out everywhere and syskonnect just told me on the phone that they won't produce anymore. I'm left with Intel based dual port cards and since I have access to cheap nc7170 (Intel 82546EB chipset) I was wondering if anybody knew if this was supposed to work (i.e: is it just a rebranding of the intel equivalent), if anybody has one on a box somewhere I'd be interested to know if it is detected and works. Thanks, Pierre-Yves
Re: The Apache Question
> Sure OpenBSD's modified Apache 1.3 is way more secure than most stuff > out there, and is working great. > > However, the Subversion versioning control system (which my project > uses) demands Apache2 in order to do DAV checkouts and commits, better > authentication and more. So, my only choice was to manually install > Apache2 and compile mod_dav_svn.so in order to use these features in > OpenBSD. No big deal, but I would surely appreciate a port for > Apache2, it would have made my life much easier. > > Anyway, I agree with the other guys: no way Apache2 will make it to > the base system, its license is a major issue against that. Somewhat off-topic but if you need plone and subversion with dav lighttpd can do the trick for you (running plone as a fastcgi server).
Re: Flame bait - recommendations for web devlopment language?
> Yes, FastCGI looks really cool. > > However, in my particular case, it's not like I am the only one who does > some work on the website, and I'll not be around forever either (it's > volunteer work, basically). Using straight PHP is technically inferior, > but is much more likely to actually be used by the next guy. Not to > mention that just spitting out a page is a lot easier than dealing with > caching stuff and the like. Well php can be used as a fastcgi server actually. > Is there a specific language, though, that you could recommend, because > that's what we started out talking about? I think depending on your knowledge and needs perl, python and ruby may be eligible to do the job. If you plan on spitting out html directly from your code, I'd say use whichever you're most familiar with. If you need something more complex, then have a look at the maypole, catalyst, cherrypy and ruby on rails projects. The key element while trying to decide on a web technology is not to choose the hype technology of the day but evaluate each solution.