Re: [OpenAFS] dynroot question

2009-09-02 Thread Jack Neely 
On Wed, Aug 05, 2009 at 07:08:30PM +0100, Simon Wilkinson wrote:
>
> On 5 Aug 2009, at 19:03, Russ Allbery wrote:
>
>> Apache recursively ascends the file hierarchy looking for .htaccess  
>> files
>> even if that directory itself is not being served, so it will attempt 
>> to
>> read /afs/.htaccess if you are serving any directory anywhere under / 
>> afs.
>
> I haven't looked at the code, so we may be already doing this, but it  
> seems to me that we could just bounce requests for /afs/.htaccess  
> immediately. In fact, there's probably a range of things that it makes  
> no sense to do DNS lookups for.
>
> S.
>

I agree here.  Turns out I am sending out DNS queries from each of the
web servers for the htaccess cell 20 or so times a second.

Jack

-- 
Jack Neely 
Linux Czar, OIT Campus Linux Services
Office of Information Technology, NC State University
GPG Fingerprint: 1917 5AC1 E828 9337 7AA4  EA6B 213B 765F 3B6A 5B89
___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info

Re: [OpenAFS] dynroot question

2009-08-07 Thread Jack Neely 
On Wed, Aug 05, 2009 at 10:02:21AM -0400, Derrick Brashear wrote:
> On Wed, Aug 5, 2009 at 10:00 AM, Jack Neely wrote:
> > Folks,
> >
> > I'm having an issue with the dynroot functionality on my web servers.
> > I've straced the httpd process and discovered that it is attempting to
> > stat() /afs/.htaccess which, of course, doesn't exist.  The problem
> > being that AFS takes 10 to 20 seconds or more to return the stat call.
> >
> > The problem comes and goes.  I'm not exactly sure what is triggering it
> > and would like some help figuring that out.
> >
> > We're running 1.4.10 client side and the servers with the web volumes
> > are 1.4.7 and 1.4.10.  We are in the process of moving everything to
> > 1.4.11 but wanted to try to track down this issue.
> 
> tcpdump. i assume you see no afs traffic, but you do see dns traffic.
> yes? what's the round trip time on that?
> 
> fstrace. what do you see?

We did find the cause for this specific problem.  Our DNS servers'
firewall was dropping packets when the ip_conntrack table became full.

Thanks for the help!

Jack

-- 
Jack Neely 
Linux Czar, OIT Campus Linux Services
Office of Information Technology, NC State University
GPG Fingerprint: 1917 5AC1 E828 9337 7AA4  EA6B 213B 765F 3B6A 5B89
___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info

Re: [OpenAFS] dynroot question]

2009-08-07 Thread Derrick Brashear 
On Fri, Aug 7, 2009 at 10:43 AM, Jack Neely wrote:
> On Wed, Aug 05, 2009 at 07:08:30PM +0100, Simon Wilkinson wrote:
>>
>> On 5 Aug 2009, at 19:03, Russ Allbery wrote:
>>
>>> Apache recursively ascends the file hierarchy looking for .htaccess
>>> files
>>> even if that directory itself is not being served, so it will attempt
>>> to
>>> read /afs/.htaccess if you are serving any directory anywhere under /
>>> afs.
>>
>> I haven't looked at the code, so we may be already doing this, but it
>> seems to me that we could just bounce requests for /afs/.htaccess
>> immediately. In fact, there's probably a range of things that it makes
>> no sense to do DNS lookups for.
>>
>> S.
>>
>
> I agree here.  Turns out I am sending out DNS queries from each of the
> web servers for the htaccess cell 20 or so times a second.

A hardcoded blacklist would be good, configurable blacklist would be
better, but at the same time, we could stand to cache negative answers
for a bit longer in some manner.



-- 
Derrick
___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info

Re: [OpenAFS] dynroot question]

2009-08-07 Thread Jack Neely 
On Wed, Aug 05, 2009 at 07:08:30PM +0100, Simon Wilkinson wrote:
>
> On 5 Aug 2009, at 19:03, Russ Allbery wrote:
>
>> Apache recursively ascends the file hierarchy looking for .htaccess  
>> files
>> even if that directory itself is not being served, so it will attempt 
>> to
>> read /afs/.htaccess if you are serving any directory anywhere under / 
>> afs.
>
> I haven't looked at the code, so we may be already doing this, but it  
> seems to me that we could just bounce requests for /afs/.htaccess  
> immediately. In fact, there's probably a range of things that it makes  
> no sense to do DNS lookups for.
>
> S.
>

I agree here.  Turns out I am sending out DNS queries from each of the
web servers for the htaccess cell 20 or so times a second.

Jack

-- 
Jack Neely 
Linux Czar, OIT Campus Linux Services
Office of Information Technology, NC State University
GPG Fingerprint: 1917 5AC1 E828 9337 7AA4  EA6B 213B 765F 3B6A 5B89

___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info

Re: [OpenAFS] dynroot question

2009-08-05 Thread Simon Wilkinson 


On 5 Aug 2009, at 19:03, Russ Allbery wrote:

Apache recursively ascends the file hierarchy looking for .htaccess  
files
even if that directory itself is not being served, so it will  
attempt to
read /afs/.htaccess if you are serving any directory anywhere under / 
afs.


I haven't looked at the code, so we may be already doing this, but it  
seems to me that we could just bounce requests for /afs/.htaccess  
immediately. In fact, there's probably a range of things that it makes  
no sense to do DNS lookups for.


S.

___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info

Re: [OpenAFS] dynroot question

2009-08-05 Thread Russ Allbery 
Harald Barth  writes:

> Just a note:
>
> Serving /afs/* from apache (if you have more than your own stuff in
> /afs) is generally a bad idea as someone might create a mountpoint
> loop in their AFS cell which then will keep the
> google/yahoo/whateverbots for some (long) time busy indexing that
> endless path through your web server.

Apache recursively ascends the file hierarchy looking for .htaccess files
even if that directory itself is not being served, so it will attempt to
read /afs/.htaccess if you are serving any directory anywhere under /afs.

-- 
Russ Allbery (r...@stanford.edu) 
___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info

Re: [OpenAFS] dynroot question

2009-08-05 Thread Harald Barth 

Just a note:

Serving /afs/* from apache (if you have more than your own stuff in
/afs) is generally a bad idea as someone might create a mountpoint
loop in their AFS cell which then will keep the
google/yahoo/whateverbots for some (long) time busy indexing that
endless path through your web server.

Harald.
___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info

Re: [OpenAFS] dynroot question

2009-08-05 Thread Erik Dalén 
On Wed, Aug 5, 2009 at 16:00, Jack Neely wrote:
> Folks,
>
> I'm having an issue with the dynroot functionality on my web servers.
> I've straced the httpd process and discovered that it is attempting to
> stat() /afs/.htaccess which, of course, doesn't exist.  The problem
> being that AFS takes 10 to 20 seconds or more to return the stat call.
>
> The problem comes and goes.  I'm not exactly sure what is triggering it
> and would like some help figuring that out.
>
> We're running 1.4.10 client side and the servers with the web volumes
> are 1.4.7 and 1.4.10.  We are in the process of moving everything to
> 1.4.11 but wanted to try to track down this issue.
>
> Turning dynroot off, of course, fixes the issue.
>

Another fix would be to use:


AllowOverride None


in your apache config file. Then it will not even try to read the
.htaccess file in that directory (or any subdirectory, so you might
want to enable overrides for some subdirectories in your own cell.)

-- 
Erik Dalén
___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info

Re: [OpenAFS] dynroot question

2009-08-05 Thread Derrick Brashear 
On Wed, Aug 5, 2009 at 10:00 AM, Jack Neely wrote:
> Folks,
>
> I'm having an issue with the dynroot functionality on my web servers.
> I've straced the httpd process and discovered that it is attempting to
> stat() /afs/.htaccess which, of course, doesn't exist.  The problem
> being that AFS takes 10 to 20 seconds or more to return the stat call.
>
> The problem comes and goes.  I'm not exactly sure what is triggering it
> and would like some help figuring that out.
>
> We're running 1.4.10 client side and the servers with the web volumes
> are 1.4.7 and 1.4.10.  We are in the process of moving everything to
> 1.4.11 but wanted to try to track down this issue.

tcpdump. i assume you see no afs traffic, but you do see dns traffic.
yes? what's the round trip time on that?

fstrace. what do you see?
___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info

[OpenAFS] dynroot question

2009-08-05 Thread Jack Neely 
Folks,

I'm having an issue with the dynroot functionality on my web servers.
I've straced the httpd process and discovered that it is attempting to
stat() /afs/.htaccess which, of course, doesn't exist.  The problem
being that AFS takes 10 to 20 seconds or more to return the stat call.

The problem comes and goes.  I'm not exactly sure what is triggering it
and would like some help figuring that out.

We're running 1.4.10 client side and the servers with the web volumes
are 1.4.7 and 1.4.10.  We are in the process of moving everything to
1.4.11 but wanted to try to track down this issue.

Turning dynroot off, of course, fixes the issue.

Jack
-- 
Jack Neely 
Linux Czar, OIT Campus Linux Services
Office of Information Technology, NC State University
GPG Fingerprint: 1917 5AC1 E828 9337 7AA4  EA6B 213B 765F 3B6A 5B89
___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info