From lists at stringsutils.com Sun Jan 9 21:50:33 2011
From: lists at stringsutils.com (Francisco Reyes)
Date: Sun, 09 Jan 2011 21:50:33 -0500
Subject: [nycbug-talk] Anyone using lagg?
Message-ID:

Anyone using lagg to load balance/round robin multiple connections?

Found a couple of good lagg tutorials
http://www.cyberciti.biz/faq/freebsd-network-link-aggregation-trunking/
http://wisekuma.net/linux-bsd/freebsd-lagg/

But there are a few things that I can't find so far...

Does one need a third card to reach the machine where one runs lagg?

Say I have em0 and em1, do I assign actual IPs to the cards before adding them to lagg or they can't have IPs of their own?

Will the lagg ip allow connections to the machine itself (ie ssh).

At my new job there is a T1 which is not enough bandwidth so we are getting a connection from Time warner to hold us off until a move (we will order proper amount of bandwidth in new location)

I had this setup in mind.

T1
|
Switch
|
----\
     FreeBSD
----/
|
|
Time warner cable connection.

I will be getting a machine to do the lagg setup and so far ordered 2 NICs.

Also based on this thread, http://forums.freebsd.org/archive/index.php/t-2608.html, it seems lagg can cause havoc in some switches, but I am wondering if that is if both cards are in the same switch. In my planned scenario only one card will be connected to a switch (the T1 connection).

From cwolsen at ubixos.com Mon Jan 10 06:17:59 2011
From: cwolsen at ubixos.com (Christopher Olsen)
Date: Mon, 10 Jan 2011 06:17:59 -0500
Subject: [nycbug-talk] Anyone using lagg?
In-Reply-To:
References:
Message-ID: <008701cbb0b8$0a101bd0$1e305370$@ubixos.com>

Francisco,

Just to follow up on your questions.. You don't need an additional interface to reach the box... Unless you only had two interfaces in the server and you need external and internal facing interfaces. Example lagg0 - em0,em1 public facing, then you would need em2 for internal addressing.
Also you should not assign any IP addresses to the interfaces which are members of the lagg, all IP addressing should be done on the lagg interfaces.

As far as what you're trying to do... load balance your Time Warner and t1... lagg will not do that, lagg is designed to aggregate or control data flow for your Ethernet interfaces.. Load balancing there would have to be some trickery done with PF and NAT...

If you have any more questions please let me know.

-Christopher

Christopher Olsen
cwolsen at domainatlantic.com
Domain Atlantic
88-B Toledo St
Farmingdale, NY 11735
C: 516-903-2889
T: 347-987-3600

-----Original Message-----
From: talk-bounces at lists.nycbug.org [mailto:talk-bounces at lists.nycbug.org] On Behalf Of Francisco Reyes
Sent: Sunday, January 09, 2011 9:51 PM
To: NYCBUG Talk
Subject: [nycbug-talk] Anyone using lagg?

Anyone using lagg to load balance/round robin multiple connections?

Found a couple of good lagg tutorials
http://www.cyberciti.biz/faq/freebsd-network-link-aggregation-trunking/
http://wisekuma.net/linux-bsd/freebsd-lagg/

But there are a few things that I can't find so far...

Does one need a third card to reach the machine where one runs lagg?

Say I have em0 and em1, do I assign actual IPs to the cards before adding them to lagg or they can't have IPs of their own?

Will the lagg ip allow connections to the machine itself (ie ssh).

At my new job there is a T1 which is not enough bandwidth so we are getting a connection from Time warner to hold us off until a move (we will order proper amount of bandwidth in new location)

I had this setup in mind.

T1
|
Switch
|
----\
     FreeBSD
----/
|
|
Time warner cable connection.

I will be getting a machine to do the lagg setup and so far ordered 2 NICs.

Also based on this thread, http://forums.freebsd.org/archive/index.php/t-2608.html, it seems lagg can cause havoc in some switches, but I am wondering if that is if both cards are in the same switch.
In my planned scenario only one card will be connected to a switch (the T1 connection).
_______________________________________________
talk mailing list
talk at lists.nycbug.org
http://lists.nycbug.org/mailman/listinfo/talk

From lists at stringsutils.com Mon Jan 10 08:24:07 2011
From: lists at stringsutils.com (Francisco Reyes)
Date: Mon, 10 Jan 2011 08:24:07 -0500
Subject: [nycbug-talk] Anyone using lagg?
References: <008701cbb0b8$0a101bd0$1e305370$@ubixos.com>
Message-ID:

Christopher Olsen writes:

> As far as what you're trying to do... load balance your Time Warner and
> t1... lagg will not do that, lagg is designed to aggregate or control data
> flow for your Ethernet interfaces.. Load balancing there would have to be
> some trickery done with PF and NAT...

Thanks.
I think I found something along the lines of what I need:
http://www.openbsd.org/faq/pf/pools.html#outgoing

Should be getting hardware today so I can test.

From cwolsen at ubixos.com Mon Jan 10 08:56:10 2011
From: cwolsen at ubixos.com (Christopher Olsen)
Date: Mon, 10 Jan 2011 08:56:10 -0500
Subject: [nycbug-talk] Anyone using lagg?
In-Reply-To:
References: <008701cbb0b8$0a101bd0$1e305370$@ubixos.com>
Message-ID: <000301cbb0ce$232f3900$698dab00$@ubixos.com>

Yeah I am doing something similar to that to all the on premise FBSD firewalls I dish out to clients... If you run into any trouble feel free to drop a line..

-Christopher

Christopher Olsen
cwolsen at domainatlantic.com
Domain Atlantic
88-B Toledo St
Farmingdale, NY 11735
C: 516-903-2889
T: 347-987-3600

-----Original Message-----
From: Francisco Reyes [mailto:lists at stringsutils.com]
Sent: Monday, January 10, 2011 8:24 AM
To: Christopher Olsen
Cc: 'NYCBUG Talk'
Subject: Re: [nycbug-talk] Anyone using lagg?

Christopher Olsen writes:

> As far as what you're trying to do... load balance your Time Warner
> and t1... lagg will not do that, lagg is designed to aggregate or
> control data flow for your Ethernet interfaces..
> Load balancing there would have to be some trickery done with PF and NAT...

Thanks.
I think I found something along the lines of what I need:
http://www.openbsd.org/faq/pf/pools.html#outgoing

Should be getting hardware today so I can test.

From mark.saad at ymail.com Tue Jan 11 09:58:05 2011
From: mark.saad at ymail.com (Mark Saad)
Date: Tue, 11 Jan 2011 09:58:05 -0500
Subject: [nycbug-talk] FreeBSD security and errata "P numbers"
Message-ID:

Talk
I know there have been a few discussions about how the current FreeBSD security and errata "P numbers" are implemented. For starters the "-p numbers" are currently only implemented via newvers.sh as BRANCH variables.

Take this snippet from newvers.sh on FreeBSD 7.3-RELEASE

REVISION="7.3"
BRANCH="RELEASE-p3"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
        BRANCH=${BRANCH_OVERRIDE}
fi
RELEASE="${REVISION}-${BRANCH}"
VERSION="${TYPE} ${RELEASE}"

That's it, when you rebuild your kernel using updated sources the kernel's RELEASE is set to $REVISION-$BRANCH, in this case 7.3-RELEASE-p3.

Think about this point, say in BRANCH p1, and p2 there are no kernel bugs, freebsd-update will never update the BRANCH variable in the kernel on your system as it has not downloaded a new kernel compiled with the new BRANCH variable.

Freebsd-update uses its magic shell scripts to compare your running system with an update server's binaries and bspatch(s); by using this it's able to tell you if you are running BRANCH -pN or -pN+1.

Well what do I do when I can't get to the update server and I never have the sources on my computer. I would not be able to verify what actual BRANCH I am running without serious checking.

More commonly I have a group of servers I want to verify what kernel they are running and what they have installed. I can manually create a list of hashes, md5, sha1 etc, for known kernels and check uname and the hashes for /boot/kernel/kernel. This is not quick to whip this up. It would be nice if there was a better way to check this.

Well what do you do about this talk? I have seen a few solutions, some of them are simple from creating a /etc/release file with some info in it, to building system packages for parts of the base system and kernel once a fiscal quarter like 8.0-RELEASE-2010Q4.

So I said it syspkg (system packages), netbsd had a project a few years ago to build installable packages for base parts of the system. This thread sums up what happened with that

http://mail-index.netbsd.org/netbsd-desktop/2009/02/19/msg000091.html

the most memorable quote here is

"anyone doing the work is likely to encounter a vocal minority of users who think packages are the work of satan, which would be discouraging."

So like I said what do you do?

---
Mark Saad
mark.saad at ymail.com

From korszca at gmail.com Tue Jan 11 11:36:50 2011
From: korszca at gmail.com (Brian Callahan)
Date: Tue, 11 Jan 2011 11:36:50 -0500
Subject: [nycbug-talk] FreeBSD security and errata "P numbers"
In-Reply-To:
References:
Message-ID:

This might not be the most glorified of solutions, but I've always found the -p numbers as a convenience more than anything else. Though I don't personally use freebsd-update, I always make sure to write down by hand the dates and time of updates to my machines and machines in my care. Of course, depending on how many servers you need to check on, this quickly becomes tedious to impossible, but I've always found having a paper trail of what I did and when to be the best way to check whether or not my machines are updated.

On another note, have you brought this up with Colin Percival? Maybe he has a solution.

On 1/11/11, Mark Saad wrote:
> Talk
> I know there have been a few discussions about how the current
> FreeBSD security and errata "P numbers" are implemented.
> For starters the "-p numbers" are currently only implemented via
> newvers.sh as BRANCH variables.
>
> Take this snippet from newvers.sh on FreeBSD 7.3-RELEASE
>
> REVISION="7.3"
> BRANCH="RELEASE-p3"
> if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
>         BRANCH=${BRANCH_OVERRIDE}
> fi
> RELEASE="${REVISION}-${BRANCH}"
> VERSION="${TYPE} ${RELEASE}"
>
> That's it, when you rebuild your kernel using updated sources the
> kernel's RELEASE is set to $REVISION-$BRANCH
> in this case 7.3-RELEASE-p3.
>
> Think about this point, say in BRANCH p1, and p2 there are no kernel
> bugs, freebsd-update will never update the
> BRANCH variable in the kernel on your system as it has not downloaded
> a new kernel compiled with the new BRANCH variable.
>
> Freebsd-update uses its magic shell scripts to compare your running
> system with an update server's binaries and bspatch(s)
> by using this it's able to tell you if you are running BRANCH -pN or -pN+1.
>
> Well what do I do when I can't get to the update server and I never
> have the sources on my computer. I would not be able to verify
> what actual BRANCH I am running without serious checking.
>
> More commonly I have a group of servers I want to verify what kernel
> they are running and what they have installed. I can manually create a
> list of hashes, md5, sha1 etc, for known kernels and check uname
> and the hashes for /boot/kernel/kernel. This is not quick to whip this
> up. It would be
> nice if there was a better way to check this.
>
> Well what do you do about this talk? I have seen a few solutions,
> some of them are simple from creating a /etc/release file with some
> info in it, to building system packages for parts of the base system
> and kernel once a fiscal quarter like 8.0-RELEASE-2010Q4.
>
> So I said it syspkg (system packages), netbsd had a project a few
> years ago to build installable packages for base parts of the system.
> This thread sums up what happened with that
>
> http://mail-index.netbsd.org/netbsd-desktop/2009/02/19/msg000091.html
>
> the most memorable quote here is
>
> "anyone doing the work is likely to encounter a vocal minority of
> users who think packages are the work of satan, which would be
> discouraging."
>
> So like I said what do you do?
>
> ---
>
> Mark Saad
> mark.saad at ymail.com

From george at ceetonetechnology.com Fri Jan 14 10:07:13 2011
From: george at ceetonetechnology.com (George Rosamond)
Date: Fri, 14 Jan 2011 10:07:13 -0500
Subject: [nycbug-talk] upcoming meetings
Message-ID: <4D3066A1.2000200@ceetonetechnology.com>

We have the next few meetings mapped out, including the next one on BSD Networking. For some reason, we have never approached the topic in a general sense. A bit strange in 8 years of existence.

We are looking for volunteers to briefly cover some of the topics or similar listed here:

http://www.nycbug.org/index.php?NAV=Home;SUBM=10287

If you would like to present something short (say, up to three slides), please hit us on admin@

thanks

g

From max at neuropunks.org Sun Jan 16 18:27:38 2011
From: max at neuropunks.org (Max Gribov)
Date: Sun, 16 Jan 2011 18:27:38 -0500
Subject: [nycbug-talk] OpenBSD ipsec FBI backdoor (was: The BSD Connection)
In-Reply-To: <201012311807.oBVI72wm003563@rs75.luxsci.com>
References: <20101215193337.GJ14661@dixongroup.net>
 <4D0926C3.3010309@ceetonetechnology.com>
 <20101215205031.GA48741@bewilderbeast.blackhelicopters.org>
 <201012311807.oBVI72wm003563@rs75.luxsci.com>
Message-ID: <4D337EEA.4030300@neuropunks.org>

Some more updates..
http://extendedsubset.com/?p=43

On 12/31/2010 01:06 PM, Isaac Levy wrote:
> On Dec 22, 2010, at 10:20 AM, Mark Saad wrote:
>
>> Some new updates
>
> Fascinating saga, (Mickey's posts are fascinating), here's a collection of various re-print posts;
>
> http://spectregroup.wordpress.com/2010/12/30/trusting-trust/
>
> Happy New Year everyone!
>
> Best,
> .ike

From spork at bway.net Mon Jan 17 17:59:26 2011
From: spork at bway.net (Charles Sprickman)
Date: Mon, 17 Jan 2011 17:59:26 -0500 (EST)
Subject: [nycbug-talk] OT: gettext
Message-ID:

Hi all,

I was wondering if anyone here has experience using gettext to internationalize an application... I've been trying to lend a hand on a project where the main developer's first language is not english and the source is full of lots of little grammar and spelling problems.

What I haven't found yet is something sort of outlining best practices when using gettext - our current plan is for me to just use the .pot file from the project to find all the source files and make corrections there. Thankfully poedit can open each file with an external editor, so this part is not too tough. My changes (and we're talking upwards of a few hundred edits across a few dozen files) though are going to cause the other translators some grief. As I understand it, this is what the process is:

*I open the template.pot file, which has a list of every translatable string as well as comments noting what files/line #'s the string is in.
*I edit each file, making my corrections, submit back to the project.
*At this point, I've changed the "keys" - the english strings in the source are what all the .po files for each other language reference - ick
*Some poor bastards now have to re-do every .po file to match my new message strings

Something smells wrong about that setup - by changing the source I'm altering something that all the other translations rely on to key their translated strings. That's making a ton of work for other people who may already have totally correct and clear translations.

Am I missing something? Is the project lead pointing me in the wrong direction?

My idea was to make english.po file and leave the source untouched, but I've been told that's the "wrong way" to do this.

Any pointers appreciated...

Thanks,

Charles

From sjt.kar at gmail.com Tue Jan 18 04:53:45 2011
From: sjt.kar at gmail.com (Sujit K M)
Date: Tue, 18 Jan 2011 15:23:45 +0530
Subject: [nycbug-talk] OT: gettext
In-Reply-To:
References:
Message-ID:

seems to be very similar to locales in java environment. Is this an effort for internalization or localization.

On Tue, Jan 18, 2011 at 4:29 AM, Charles Sprickman wrote:
> Hi all,
>
> I was wondering if anyone here has experience using gettext to
> internationalize an application... I've been trying to lend a hand on a
> project where the main developer's first language is not english and the
> source is full of lots of little grammar and spelling problems.
>
> What I haven't found yet is something sort of outlining best practices when
> using gettext - our current plan is for me to just use the .pot file from
> the project to find all the source files and make corrections there.
> Thankfully poedit can open each file with an external editor, so this part
> is not too tough. My changes (and we're talking upwards of a few hundred
> edits across a few dozen files) though are going to cause the other
> translators some grief.
> As I understand it, this is what the process is:
>
> *I open the template.pot file, which has a list of every translatable string
> as well as comments noting what files/line #'s the string is in.
> *I edit each file, making my corrections, submit back to the project.
> *At this point, I've changed the "keys" - the english strings in the source
> are what all the .po files for each other language reference - ick
> *Some poor bastards now have to re-do every .po file to match my new message
> strings
>
> Something smells wrong about that setup - by changing the source I'm
> altering something that all the other translations rely on to key their
> translated strings. That's making a ton of work for other people who may
> already have totally correct and clear translations.
>
> Am I missing something? Is the project lead pointing me in the wrong
> direction?
>
> My idea was to make english.po file and leave the source untouched, but I've
> been told that's the "wrong way" to do this.
>
> Any pointers appreciated...
>
> Thanks,
>
> Charles

--
-- Sujit K M

blog(http://kmsujit.blogspot.com/)

From chsnyder at gmail.com Tue Jan 18 08:38:23 2011
From: chsnyder at gmail.com (Chris Snyder)
Date: Tue, 18 Jan 2011 08:38:23 -0500
Subject: [nycbug-talk] OT: gettext
In-Reply-To:
References:
Message-ID:

On Mon, Jan 17, 2011 at 5:59 PM, Charles Sprickman wrote:

> My idea was to make english.po file and leave the source untouched, but I've
> been told that's the "wrong way" to do this.
>

It may be the wrong way, but it's the quickest way in'nit?

But yeah, you want the source to be in good shape going forward so that some other poor hacker doesn't have to do this.

You could write a script (or maybe just use rpl) to do all the .po replacements for you.
Generate a list by diffing the original .po with the version generated from your revised source files. Now you have a list of old=>new pairs that you can apply in the other files.

From matt at atopia.net Sat Jan 22 11:12:27 2011
From: matt at atopia.net (Matt Juszczak)
Date: Sat, 22 Jan 2011 11:12:27 -0500 (EST)
Subject: [nycbug-talk] [OT] Puppet question
Message-ID:

Hi folks,

I know many of you use puppet pretty often, so I'm wondering if anyone has a solution to the problem I have.

We use multiple data centers but use the same puppet tree at each data center. For the most part this works fine, but I have one issue: the /etc/ldap.conf (pushed by our basenode) as well as /etc/resolv.conf (pushed by our basenode) is different per data center. We don't use environments, so there are a few ideas I have:

1) Parse the ${cn}, which contains the data center. I'm not sure how to parse something inside puppet though - is that even possible to turn cn=xyz.dfw01.my-domain.net into just puppetVar: dataCenter=dfw01?

2) Set a puppetVar: dataCenter=xyz01 per node (I'm using external nodes). Since we use a launch script, this wouldn't be too hard - just add it to our template and populate for existing hosts.

3) Create a basenode per data center: basenode-dfw01, basenode-iad01, etc. However, this is about the same solution as adding a puppetVar to each node... so I'd avoid this one.

Any thoughts on this from those who have good puppet expertise?

Thanks,

Matt

From edlinuxguru at gmail.com Sat Jan 22 13:16:34 2011
From: edlinuxguru at gmail.com (Edward Capriolo)
Date: Sat, 22 Jan 2011 13:16:34 -0500
Subject: [nycbug-talk] [OT] Puppet question
In-Reply-To:
References:
Message-ID:

On Sat, Jan 22, 2011 at 11:12 AM, Matt Juszczak wrote:
> Hi folks,
>
> I know many of you use puppet pretty often, so I'm wondering if anyone has a
> solution to the problem I have.
>
> We use multiple data centers but use the same puppet tree at each data
> center.
> For the most part this works fine, but I have one issue: the
> /etc/ldap.conf (pushed by our basenode) as well as /etc/resolv.conf (pushed
> by our basenode) is different per data center. We don't use environments,
> so there are a few ideas I have:
>
> 1) Parse the ${cn}, which contains the data center. I'm not sure how to
> parse something inside puppet though - is that even possible to turn
> cn=xyz.dfw01.my-domain.net into just puppetVar: dataCenter=dfw01?
>
> 2) Set a puppetVar: dataCenter=xyz01 per node (I'm using external nodes).
> Since we use a launch script, this wouldn't be too hard - just add it to our
> template and populate for existing hosts.
>
> 3) Create a basenode per data center: basenode-dfw01, basenode-iad01, etc.
> However, this is about the same solution as adding a puppetVar to each
> node... so I'd avoid this one.
>
> Any thoughts on this from those who have good puppet expertise?
>
> Thanks,
>
> Matt

You should be able to use variables since they are evaluated at runtime

class ldap {
  # Both files are served from a per-site file name held in a variable.
  file { "/etc/ldap.conf" :
    source => "puppet:///mainfiles/security/$ldap",
  }
  file { "/etc/resolv.conf" :
    source => "puppet:///mainfiles/security/$resolv",
  }
}

class ldap_ny inherits ldap {
  $ldap = "ny_ldap.conf"
  $resolv = "ny_resolve.conf"
}

class ldap_tx inherits ldap {
  $ldap = "tx_ldap.conf"
  $resolv = "tx_resolve.conf"
}

Then on nodes in texas include ldap_tx. In nodes in ny include ldap_ny.

Also the source of a file definition can be a list, and the list can use variables so you can do per host overrides

  source => [ "${fqdn}.txt", "standard.txt" ]

There are other more complex methods such as modules or definitions that build the files based on variables. However I like the file method as it is less complex than making and debugging modules.
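
Options 1 and 2 from the question combined, as an added example that is not part of the thread: an external node classifier (ENC) script derives the data center from the node name and passes it to Puppet as a parameter. The `KNOWN_DCS` list and the use of the `basenode` class here are assumptions modelled on the names in the question.

```python
#!/usr/bin/env python3
"""External node classifier sketch: node name -> dataCenter parameter.

Puppet calls an ENC as `script <certname>` and reads YAML from stdout.
"""
import re
import sys

# Assumption: the data center labels in use (constructed list).
KNOWN_DCS = {"dfw01", "iad01"}

# <host>.<dc>.<domain>; only DNS-safe characters are accepted, so nothing
# taken from the node name can alter the structure of the YAML emitted.
CERTNAME_RE = re.compile(
    r"^(?:cn=)?(?P<host>[a-z0-9-]+)\.(?P<dc>[a-z0-9-]+)\.(?P<domain>[a-z0-9.-]+)$"
)


def data_center(certname):
    """Return the data center label, or raise ValueError."""
    m = CERTNAME_RE.match(certname.strip().lower())
    if not m:
        raise ValueError("unparseable node name: %r" % certname)
    dc = m.group("dc")
    if dc not in KNOWN_DCS:
        raise ValueError("unknown data center %r in %r" % (dc, certname))
    return dc


def classify(certname):
    """Build the YAML document an ENC returns for this node."""
    return (
        "---\n"
        "classes:\n"
        "  - basenode\n"
        "parameters:\n"
        "  dataCenter: %s\n" % data_center(certname)
    )


def main(argv):
    if len(argv) != 2:
        sys.stderr.write("usage: enc.py <certname>\n")
        return 2
    try:
        sys.stdout.write(classify(argv[1]))
    except ValueError as exc:
        # Exit non-zero instead of guessing a site for an unknown host.
        sys.stderr.write("%s\n" % exc)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Values under `parameters` reach the manifests as top-scope variables, so a file source can be built from `$dataCenter` in the same way the reply above builds it from `$ldap`.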

From spork at bway.net Wed Jan 26 05:06:59 2011
From: spork at bway.net (Charles Sprickman)
Date: Wed, 26 Jan 2011 05:06:59 -0500 (EST)
Subject: [nycbug-talk] OT: gettext
In-Reply-To:
References:
Message-ID:

On Tue, 18 Jan 2011, Chris Snyder wrote:

> On Mon, Jan 17, 2011 at 5:59 PM, Charles Sprickman wrote:
>
>> My idea was to make english.po file and leave the source untouched, but I've
>> been told that's the "wrong way" to do this.
>>
>
> It may be the wrong way, but it's the quickest way in'nit?
>
> But yeah, you want the source to be in good shape going forward so
> that some other poor hacker doesn't have to do this.

Almost two full days for the first pass. I'll probably take a second pass after using the thing for a few months.

> You could write a script (or maybe just use rpl) to do all the .po
> replacements for you. Generate a list by diffing the original .po with
> the version generated from your revised source files. Now you have a
> list of old=>new pairs that you can apply in the other files.

Hmmm... Never heard of rpl (http://linux.die.net/man/1/rpl) before. Going to give that a shot before I resort to fighting with perl.

Thanks!

Charles
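
The old=>new approach suggested in this thread (compare the original template with the regenerated one, then apply the pairs to the other .po files), as an added example that is not part of the thread. It pairs strings by their `#:` source references, so it assumes the wording fixes did not move a string to another file or line; plural forms (`msgid_plural`) are not handled, and all file contents below are constructed samples.

```python
"""Carry corrected English msgids from a regenerated .pot into translated .po files."""
import re

_MSGID = re.compile(r'^msgid ((?:"[^\n]*"\s*)+)', re.M)

def entries(text):
    """Split PO/POT text into blank-line separated entries."""
    return [b for b in re.split(r"\n[ \t]*\n", text.strip()) if b.strip()]

def refs_and_msgid(block):
    """Return ('#:' source references, msgid with wrapped lines joined)."""
    refs = frozenset(" ".join(re.findall(r"^#:(.*)$", block, re.M)).split())
    m = _MSGID.search(block)
    msgid = "".join(re.findall(r'^"(.*)"\s*$', m.group(1), re.M)) if m else ""
    return refs, msgid

def msgid_changes(old_pot, new_pot):
    """Pair old and new msgids found at the same source references."""
    old = {r: m for r, m in map(refs_and_msgid, entries(old_pot)) if r and m}
    new = map(refs_and_msgid, entries(new_pot))
    return {old[r]: m for r, m in new if m and old.get(r, m) != m}

def apply_changes(po_text, changes):
    """Swap in corrected msgids; comments and msgstr lines stay untouched."""
    out = []
    for block in entries(po_text):
        lines = block.splitlines()
        msgid = refs_and_msgid(block)[1]
        if msgid in changes:
            start = next(i for i, l in enumerate(lines) if l.startswith("msgid "))
            end = next((i for i, l in enumerate(lines) if l.startswith("msgstr")), len(lines))
            lines[start:end] = ['msgid "%s"' % changes[msgid]]
        out.append("\n".join(lines))
    return "\n\n".join(out) + "\n"

# Constructed sample data, not taken from the project in the thread.
OLD_POT = r'''
#: src/login.c:42
msgid "Can not login, you password are wrong"
msgstr ""

#: src/disk.c:7 src/disk.c:19
msgid ""
"The disk are full, "
"please to free space"
msgstr ""
'''
NEW_POT = r'''
#: src/login.c:42
msgid "Cannot log in: your password is wrong"
msgstr ""

#: src/disk.c:7 src/disk.c:19
msgid "The disk is full, please free some space"
msgstr ""
'''
DE_PO = r'''
#: src/login.c:42
msgid "Can not login, you password are wrong"
msgstr "Anmeldung fehlgeschlagen: falsches Passwort"

#: src/disk.c:7 src/disk.c:19
msgid ""
"The disk are full, "
"please to free space"
msgstr "Die Festplatte ist voll, bitte Speicherplatz freigeben"
'''

if __name__ == "__main__":
    print(apply_changes(DE_PO, msgid_changes(OLD_POT, NEW_POT)))
```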