OpenBSD Talk at Open Source Conference 2007 Tokyo/Fall
Hi all,

At Open Source Conference 2007 Tokyo/Fall, I'll give an introductory talk about OpenBSD (in Japanese). The talk will be aimed at sysadmins who know the name but haven't used OpenBSD yet. It would be nice to have a chat with OpenBSD users in Japan after the talk. If you happen to be in or near the Tokyo area on Oct. 5, please let me know.

Open Source Conference 2007 Tokyo/Fall
http://www.ospn.jp/osc2007-fall/
http://www.ospn.jp/osc2007-fall/modules/eguide/event.php?eid=43

On Oct. 6, itojun will give a talk, "IPv6 and security demystified", and answer all the questions you have about IPv6.
http://www.ospn.jp/osc2007-fall/modules/eguide/event.php?eid=53

Best regards,
-- Tomoyuki Sakurai
openvpn in rdomain hangs
Hi misc,

I'm trying to run OpenBSD with two default gateways, one for openvpn and another for everything else. openvpn is in rdomain 1 and everything works fine.

OpenBSD 5.5-beta (GENERIC.MP) #284: Mon Feb 3 07:57:32 MST 2014
    t...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

# cat hostname.em1
!echo "starting em1"
rdomain 1
group vpn
inet yy.yy.yy.yy/28
!/sbin/route -T 1 add default yy.yy.yy.default
!echo -n "starting sshd in rdomain 1"
!route -T 1 exec /etc/rc.d/sshd start && echo "."
!echo -n "starting openvpn in rdomain 1"
!install -d -o _openvpn -g _openvpn -m 0755 /var/run/openvpn && /sbin/route -T 1 exec /usr/local/sbin/openvpn --daemon --config /etc/openvpn/server.conf && echo "."

# cat hostname.tun0
!echo "starting tun0"
up
10.100.16.1 10.100.16.2 netmask 0x
!route add 10.100.16.0/24 10.100.16.2

However, openvpn cannot be restarted in multi-user mode. It hangs in get_default_gateway().

http://www.openssh.com/cgi-bin/cvsweb/ports/net/openvpn/patches/patch-src_openvpn_route_c?rev=1.2;content-type=text%2Fplain

ktrace shows that read(2) on the routing socket does not return.

10068 openvpn CALL  socket(PF_ROUTE,SOCK_RAW,0)
10068 openvpn RET   socket 3
10068 openvpn CALL  sigprocmask(SIG_BLOCK,~0<>)
10068 openvpn RET   sigprocmask 0<>
10068 openvpn CALL  mprotect(0x10ee093000,0x2000,0x3)
10068 openvpn RET   mprotect 0
10068 openvpn CALL  mprotect(0x10ee093000,0x2000,0x1)
10068 openvpn RET   mprotect 0
10068 openvpn CALL  sigprocmask(SIG_SETMASK,0<>)
10068 openvpn RET   sigprocmask ~0x10100
10068 openvpn CALL  write(0x3,0x10ee1949c0,0x80)
10068 openvpn GIO   fd 3 wrote 128 bytes "\M^@\0\^E\^D\0\0\0\0\0\0\0\0\^E\0\0\0\^C\0\0\0\0\0\0\0\0\0\0\0\^A\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\ \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\^P\^B\0\0\0\0\0\0\0\0\0\0\0\0\0\0\^P\^B\ \0\0\0\0\0\0\0\0\0\0\0\0\0\000"
10068 openvpn RET   write 128/0x80
10068 openvpn CALL  sigprocmask(SIG_BLOCK,~0<>)
10068 openvpn RET   sigprocmask 0<>
10068 openvpn CALL  mprotect(0x10ee093000,0x2000,0x3)
10068 openvpn RET   mprotect 0
10068 openvpn CALL  mprotect(0x10ee093000,0x2000,0x1)
10068 openvpn RET   mprotect 0
10068 openvpn CALL  sigprocmask(SIG_SETMASK,0<>)
10068 openvpn RET   sigprocmask ~0x10100
10068 openvpn CALL  read(0x3,0x10ee1949c0,0x260)

When invoked from hostname.em1 during boot, read(2) immediately returned with ESRCH. According to route(4), messages written to the socket should be returned. How can read(2) be blocked? The behavior is the same on 5.4, 5.3 and -current.

-- Tomoyuki Sakurai
carp(4) on top of trunk(4) with IP balancing causes MASTER-MASTER
I'm working on CARP with IP balancing on 4.6R. With the trunk(4) failover setting, it doesn't work.

# cat hostname.em0
up
# cat hostname.em1
up
# cat hostname.trunk1
trunkport em0
trunkport em1
trunkproto failover
up
# cat hostname.carp0
carpdev trunk1 carpnodes 72:0,172:100 balancing ip-stealth 158.205.129.72/28 up
!route add default `cat /etc/mygate`
!arp -d 158.205.129.67
!arp -s 158.205.129.67 00:00:0c:07:ac:00 permanent
# ifconfig carp0
carp0: flags=8843 mtu 1500
        lladdr 00:00:5e:00:01:48
        priority: 0
        carp: carpdev trunk1 advbase 1 balancing ip-stealth
                state MASTER vhid 72 advskew 0
                state BACKUP vhid 172 advskew 100
        groups: carp egress
        inet6 fe80::200:5eff:fe00:148%carp0 prefixlen 64 scopeid 0xb
        inet 158.205.129.72 netmask 0xfff0 broadcast 158.205.129.79

On the other node, the configuration is almost identical, other than the vhid and advskew pairs. So far, so good. But when em0 is down, carp0 incorrectly detects a link state change and vhid 172 becomes MASTER (wtf?).

# ifconfig em0 down
# ifconfig carp0
carp0: flags=8843 mtu 1500
        lladdr 00:00:5e:00:01:48
        priority: 0
        carp: carpdev trunk1 advbase 1 balancing ip-stealth
                state MASTER vhid 72 advskew 0
                state MASTER vhid 172 advskew 100
        groups: carp egress
        inet6 fe80::200:5eff:fe00:148%carp0 prefixlen 64 scopeid 0xb
        inet 158.205.129.72 netmask 0xfff0 broadcast 158.205.129.79

The other node is still BACKUP (vhid 72) and MASTER (vhid 172). Now vhid 172 is in MASTER-MASTER state.

Am I missing something? Maybe fixed in -current?

-- Tomoyuki Sakurai
Re: carp(4) on top of trunk(4) with IP balancing causes MASTER-MASTER
On Tue, Mar 9, 2010 at 4:10 PM, Tomoyuki Sakurai wrote:
> The other node is still BACKUP (vhid 72) and MASTER (vhid 172). Now vhid 172 is
> in MASTER-MASTER state.
>
> Am I missing something? Maybe fixed in -current?

As I saw a commit to trunk(4), I upgraded to the latest snapshot.

kern.version=OpenBSD 4.7-current (GENERIC.MP) #188: Sat Apr 17 16:12:03 MDT 2010

The config has changed, but only the real interfaces were changed (em[01] -> bnx[01]). I had to do this due to other requirements. A small improvement is that the double MASTER state doesn't happen any more. Still, both nodes can only enter either MASTER-MASTER or BACKUP-BACKUP state. Failover works, IP balancing doesn't.

-- Tomoyuki Sakurai
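As an added check (not from the thread), a small sh/awk script that compares the per-vhid CARP states two nodes report in ifconfig carp0 and flags vhids that are MASTER-MASTER or BACKUP-BACKUP, the symptom described above. The node A sample is trimmed from the posted output; the peer's output is a constructed assumption.

```shell
#!/bin/sh
# Added example, not from the thread: flag vhids whose CARP state is the
# same on both nodes (MASTER-MASTER split brain or BACKUP-BACKUP outage).
# The two "ifconfig carp0" outputs are constructed samples; in practice
# capture them from each node, e.g. over ssh.

# Node A after "ifconfig em0 down", trimmed from the posted output.
NODE_A='carp0: flags=8843 mtu 1500
        lladdr 00:00:5e:00:01:48
        carp: carpdev trunk1 advbase 1 balancing ip-stealth
                state MASTER vhid 72 advskew 0
                state MASTER vhid 172 advskew 100
        groups: carp egress'

# Node B (the peer) at the same moment, as the post describes it.
NODE_B='carp0: flags=8843 mtu 1500
        lladdr 00:00:5e:00:01:48
        carp: carpdev trunk1 advbase 1 balancing ip-stealth
                state BACKUP vhid 72 advskew 100
                state MASTER vhid 172 advskew 0
        groups: carp egress'

# carp_vhid_states NODE ifconfig-output
# Prints "NODE vhid STATE" for each "state ... vhid ..." line.
carp_vhid_states() {
    printf '%s\n' "$2" | awk -v node="$1" \
        '$1 == "state" && $3 == "vhid" { print node, $4, $2 }'
}

# carp_state_conflicts OUTPUT_A OUTPUT_B
# Prints "vhid STATE" for every vhid both nodes report in the same state;
# prints nothing when each vhid is MASTER on exactly one node.
carp_state_conflicts() {
    {
        carp_vhid_states A "$1"
        carp_vhid_states B "$2"
    } | awk '
        $1 == "A" { a[$2] = $3 }
        $1 == "B" { b[$2] = $3 }
        END { for (v in a) if (v in b && a[v] == b[v]) print v, a[v] }
    ' | sort -n
}

carp_state_conflicts "$NODE_A" "$NODE_B"   # prints: 172 MASTER
```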
Re: carp(4) on top of trunk(4) with IP balancing causes MASTER-MASTER
On Tue, Apr 20, 2010 at 8:17 AM, Tomoyuki Sakurai wrote:
> Failover works, IP balancing doesn't.

Trying to make it work, tweaking every possible option. Then you set the wrong advskew in the process... #fail

Failover works. IP balancing DOES work. Sorry for the noise.

-- Tomoyuki Sakurai
Re: HA: pair of firewalls, 2 switches and 1 server
On Tue, May 18, 2010 at 10:32 PM, Axel Rau wrote:
> Yes, but what carps/trunks do I need?

I'm doing carp(4)+pfsync(4)+bridge(4)+vether(4)+trunk(4)+ospfd(8) for L3/L2 redundancy. Part of my config can be found at:
http://cvs.openbsd.org/cgi-bin/query-pr-wrapper?full=yes&numbers=6318

You need two additional OSPF routers for L3 redundancy (claudio@ explained why in a paper).

-- Tomoyuki Sakurai