From matt at atopia.net Wed Jul 1 13:30:48 2009
From: matt at atopia.net (Matt Juszczak)
Date: Wed, 1 Jul 2009 13:30:48 -0400 (EDT)
Subject: [nycbug-talk] [OT] - Subversion Conflicts
In-Reply-To:
References: <013801c9f748$b8183530$28489f90$@com> <91AC9D17-2D93-4259-B766-FE66C03A96D0@gmail.com> <1CA8D99C-882B-4572-986A-59C6E538DEFC@gmail.com>
Message-ID:

So I created a wrapper:

-rwsrws--- 1 www users 114 Jul 1 13:29 /usr/local/bin/wsvn

Shouldn't that always be executing as user www no matter what? It isn't... or doesn't seem to be, because new files still get created as my user.

Any ideas?

From matt at atopia.net Wed Jul 1 16:05:18 2009
From: matt at atopia.net (Matt Juszczak)
Date: Wed, 1 Jul 2009 16:05:18 -0400 (EDT)
Subject: [nycbug-talk] Apache and FreeBSD
Message-ID:

Hi all,

Recently did a migration to a new data center. All is well, except some of the webs are spiraling out of control. They are actually pegging at about 99% CPU usage, but hardly any memory usage, and not a ton of I/O. Load average climbs to be about the total amount of apache processes (so about 128.00) and we get lots of lockf's:

2105 www 1 20 0 179M 29692K lockf 2 0:06 17.09% httpd
2139 www 1 20 0 177M 28020K lockf 2 0:02 12.06% httpd
2134 www 1 52 0 177M 29316K select 1 0:03 9.86% httpd
2126 www 1 60 0 177M 28300K select 1 0:02 9.67% httpd
2150 www 1 53 0 177M 28028K select 0 0:04 9.57% httpd
2136 www 1 50 0 180M 30836K CPU2 0 0:03 9.08% httpd
2108 www 1 20 0 178M 28992K lockf 0 0:04 7.28% httpd
2118 www 1 49 0 180M 30264K CPU1 1 0:03 7.28% httpd
2121 www 1 20 0 177M 29480K lockf 3 0:04 6.79% httpd
2113 www 1 20 0 179M 30044K lockf 1 0:05 6.49% httpd
2112 www 1 20 0 178M 29240K lockf 2 0:03 5.86% httpd
2143 www 1 20 0 178M 28936K lockf 3 0:03 5.57% httpd
2123 www 1 20 0 178M 29068K lockf 0 0:03 5.18% httpd
2131 www 1 20 0 178M 29972K lockf 1 0:02 4.49% httpd
2130 www 1 20 0 177M 28592K lockf 0 0:02 4.05% httpd
2114 www 1 20 0 178M 30968K lockf 3 0:03 3.96% httpd
2127 www 1 20 0 178M 28920K lockf 2 0:02 3.66% httpd
2119 www 1 20 0 178M 29016K lockf 1 0:02 3.56% httpd
2132 www 1 20 0 177M 27700K lockf 0 0:01 3.56% httpd
2128 www 1 46 0 177M 27644K CPU0 0 0:01 3.17% httpd
2140 www 1 20 0 177M 27580K lockf 1 0:03 2.98% httpd
2147 www 1 20 0 177M 28000K lockf 1 0:02 2.88% httpd
2145 www 1 46 0 178M 28612K select 3 0:01 2.88% httpd
2129 www 1 45 0 177M 29120K select 3 0:01 2.78% httpd
2142 www 1 20 0 177M 27552K lockf 3 0:01 2.49% httpd
2117 www 1 20 0 179M 29872K lockf 0 0:02 2.39% httpd
2115 www 1 45 0 177M 29164K select 2 0:02 2.39% httpd
2141 www 1 46 0 177M 27956K select 2 0:02 2.29% httpd
2148 www 1 20 0 178M 28820K lockf 3 0:02 2.29% httpd
2124 www 1 20 0 177M 28100K lockf 1 0:01 2.10% httpd

I did some reading online and found out that this could be due to the way freebsd handles binding to specific IP's, and that doing *:80 fixes this. We made that change, but we're still seeing tons of processes in lockf.
Running ktrace (and kdump), I'm able to see a bunch of resources not available (see about 3/4th of the way down below):

67604 httpd RET write 259/0x103
67604 httpd CALL gettimeofday(0x7fffffffea50,0)
67604 httpd RET gettimeofday 0
67604 httpd CALL getrusage(0,0x7fffffffe9a0)
67604 httpd RET getrusage 0
67604 httpd CALL getrusage(0xffffffff,0x7fffffffe9a0)
67604 httpd RET getrusage 0
67604 httpd CALL clock_gettime(0x4,0x7fffffffea30)
67604 httpd RET clock_gettime 0
67604 httpd CALL gettimeofday(0x7fffffffe840,0)
67604 httpd RET gettimeofday 0
67604 httpd CALL shutdown(0x22,)
67604 httpd RET shutdown 0
67604 httpd CALL poll(0x7fffffffe850,0x1,0x7d0)
67604 httpd RET poll 1
67604 httpd CALL read(0x22,0x7fffffffe8a0,0x200)
67604 httpd GIO fd 34 read 0 bytes
       ""
67604 httpd RET read 0
67604 httpd CALL close(0x22)
67604 httpd RET close 0
67604 httpd CALL read(0x9,0x7fffffffead7,0x1)
67604 httpd RET read -1 errno 35 Resource temporarily unavailable
67604 httpd CALL gettimeofday(0x7fffffffea80,0)
67604 httpd RET gettimeofday 0
67604 httpd CALL flock(0x1d,LOCK_EX)
67604 httpd RET flock 0
67604 httpd CALL kevent(0x21,0,0,0x808207478,0x3,0)
67604 httpd GIO fd 33 wrote 0 bytes

Anything anyone can do to help enlighten me would be great!

-Matt

From cwolsen at ubixos.com Wed Jul 1 17:11:58 2009
From: cwolsen at ubixos.com (Christopher Olsen)
Date: Wed, 1 Jul 2009 17:11:58 -0400
Subject: [nycbug-talk] Apache and FreeBSD
Message-ID: <200907012111.n61LBjuC008301@fulton.nycbug.org>

Do you have fs snapshots?

-Christopher

Ubix Technologies
T: 212-514-6270
C: 516-903-2889
32 Broadway Suite 204
New York, NY 10004
http://www.tuve.tv/mrolsen

-----Original Message-----
From: Matt Juszczak
Sent: Wednesday, July 01, 2009 4:05 PM
To: talk at lists.nycbug.org
Subject: [nycbug-talk] Apache and FreeBSD

Hi all,

Recently did a migration to a new data center. All is well, except some of the webs are spiraling out of control.
-Matt
_______________________________________________
talk mailing list
talk at lists.nycbug.org
http://lists.nycbug.org/mailman/listinfo/talk

From bcully at gmail.com Wed Jul 1 17:18:41 2009
From: bcully at gmail.com (Brian Cully)
Date: Wed, 1 Jul 2009 17:18:41 -0400
Subject: [nycbug-talk] [OT] - Subversion Conflicts
In-Reply-To:
References: <013801c9f748$b8183530$28489f90$@com> <91AC9D17-2D93-4259-B766-FE66C03A96D0@gmail.com> <1CA8D99C-882B-4572-986A-59C6E538DEFC@gmail.com>
Message-ID:

If it's a bash script it will ignore suid

-bjc

On Jul 1, 2009, at 13:30, Matt Juszczak wrote:

> So I created a wrapper:
>
> -rwsrws--- 1 www users 114 Jul 1 13:29 /usr/local/bin/wsvn
>
> Shouldn't that always be executing as user www no matter what? It
> isn't... or doesn't seem to be, because new files still get created
> as my user.
>
> Any ideas?
>

From matt at atopia.net Wed Jul 1 17:20:55 2009
From: matt at atopia.net (Matt Juszczak)
Date: Wed, 1 Jul 2009 17:20:55 -0400 (EDT)
Subject: [nycbug-talk] [OT] - Subversion Conflicts
In-Reply-To:
References: <013801c9f748$b8183530$28489f90$@com> <91AC9D17-2D93-4259-B766-FE66C03A96D0@gmail.com> <1CA8D99C-882B-4572-986A-59C6E538DEFC@gmail.com>
Message-ID:

Ah. So what's the work around for that? Write my little one liner in a C program?

On Wed, 1 Jul 2009, Brian Cully wrote:

> If it's a bash script it will ignore suid
>
> -bjc
>
> On Jul 1, 2009, at 13:30, Matt Juszczak wrote:
>
>> So I created a wrapper:
>>
>> -rwsrws--- 1 www users 114 Jul 1 13:29 /usr/local/bin/wsvn
>>
>> Shouldn't that always be executing as user www no matter what? It isn't...
>> or doesn't seem to be, because new files still get created as my user.
>>
>> Any ideas?
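
Added example, not part of the original thread: a small setuid C wrapper of the kind asked about above, since the setuid bit on an interpreted script is not honoured. The svn path, the commit-only policy, the HOME value and the function names are assumptions made for illustration; only the www account and the wsvn name come from the thread.

```c
/* wsvn.c - added example: setuid wrapper that runs "svn commit" as its owner.
 * Assumed install: owner www, setuid bit set, executable only by the
 * committers' group, like the wsvn file shown in the thread. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define SVN_PATH "/usr/local/bin/svn"   /* assumed absolute path to svn */
#define MAX_ARGS 64

/* Options that let the caller pick a program or config file svn will use. */
static const char *const denied[] = {
    "--editor-cmd", "--config-dir", "--config-option", NULL
};

/* Fixed environment: nothing from the caller (EDITOR, SVN_EDITOR, PATH,
 * LD_* ...) reaches svn. HOME is an assumed value that keeps svn away
 * from the caller's ~/.subversion. */
static char *const clean_env[] = {
    "PATH=/usr/local/bin:/usr/bin:/bin",
    "HOME=/nonexistent",
    "LANG=C",
    NULL
};

static int is_denied(const char *arg)
{
    for (size_t i = 0; denied[i] != NULL; i++) {
        size_t n = strlen(denied[i]);
        /* match both "--opt" and "--opt=value" */
        if (strncmp(arg, denied[i], n) == 0 &&
            (arg[n] == '\0' || arg[n] == '='))
            return 1;
    }
    return 0;
}

/* Build svn's argv from the caller's arguments.
 * Returns the number of entries written (not counting the NULL),
 * or -1 if the request is outside the policy. */
int build_argv(int argc, char *const argv[], const char *out[], size_t cap)
{
    int have_msg = 0;
    size_t n = 0;

    if (argc < 2 || cap < 4)
        return -1;
    /* Only commits are allowed through the wrapper. */
    if (strcmp(argv[1], "ci") != 0 && strcmp(argv[1], "commit") != 0)
        return -1;

    out[n++] = "svn";
    out[n++] = "commit";
    out[n++] = "--non-interactive";

    for (int i = 2; i < argc; i++) {
        if (is_denied(argv[i]))
            return -1;
        if (strcmp(argv[i], "-m") == 0 ||
            strcmp(argv[i], "--message") == 0 ||
            strncmp(argv[i], "--message=", 10) == 0)
            have_msg = 1;
        if (n + 1 >= cap)               /* keep room for the NULL */
            return -1;
        out[n++] = argv[i];
    }
    /* A message is required so svn never needs to start an editor. */
    if (!have_msg)
        return -1;
    out[n] = NULL;
    return (int)n;
}

int main(int argc, char *argv[])
{
    const char *args[MAX_ARGS];

    if (build_argv(argc, argv, args, MAX_ARGS) < 0) {
        fprintf(stderr, "usage: wsvn ci -m <message> [path...]\n");
        return 2;
    }
    /* Make the real ids match the effective (file owner) ids so nothing
     * svn starts can switch back to the caller's identity. */
    if (setregid(getegid(), getegid()) != 0 ||
        setreuid(geteuid(), geteuid()) != 0) {
        perror("wsvn: set ids");
        return 1;
    }
    execve(SVN_PATH, (char *const *)args, clean_env);
    perror("wsvn: execve");
    return 1;
}
```

The wrapper refuses anything that is not a commit with an explicit message and passes svn a fixed environment, so the caller controls only the message and the paths being committed.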

From bruno at loftmail.com Wed Jul 1 17:31:17 2009
From: bruno at loftmail.com (Bruno Scap)
Date: Wed, 1 Jul 2009 17:31:17 -0400
Subject: [nycbug-talk] Apache and FreeBSD
In-Reply-To:
References:
Message-ID: <20090701213117.GO27947@loftmail.com>

Did you try looking outside of the Apache - PHP, accelerators, MySQL? Could it be that Apache is waiting for PHP to finish?

httpd procs seem pretty large.. Does the server have enough memory to fit all apaches in?

Is Apache using content on NFS?

Try using server-status to see what is going on. And lsof.

From matt at atopia.net Wed Jul 1 18:38:26 2009
From: matt at atopia.net (matt at atopia.net)
Date: Wed, 1 Jul 2009 22:38:26 +0000
Subject: [nycbug-talk] Apache and FreeBSD
Message-ID: <403486650-1246487881-cardhu_decombobulator_blackberry.rim.net-1022198236-@bxe1284.bisx.prod.on.blackberry>

It's using php. It's also using nfs yes.

Potentially waiting on nfs or mysql. How is that found out?

------Original Message------
From: Bruno Scap
Sender: talk-bounces at lists.nycbug.org
To: talk at lists.nycbug.org
Subject: Re: [nycbug-talk] Apache and FreeBSD
Sent: Jul 1, 2009 17:31

Did you try looking outside of the Apache - PHP, accelerators, MySQL? Could it be that Apache is waiting for PHP to finish?

httpd procs seem pretty large.. Does the server have enough memory to fit all apaches in?

Is Apache using content on NFS?

Try using server-status to see what is going on. And lsof.

From matt at atopia.net Wed Jul 1 19:28:36 2009
From: matt at atopia.net (matt at atopia.net)
Date: Wed, 1 Jul 2009 23:28:36 +0000
Subject: [nycbug-talk] Apache and FreeBSD
Message-ID: <461339684-1246490889-cardhu_decombobulator_blackberry.rim.net-1827374877-@bxe1284.bisx.prod.on.blackberry>

And yes it has 8 gb ram. Only 2 reporting used.

------Original Message------
From: Matt Juszczak
Sender: talk-bounces at lists.nycbug.org
To: Bruno Scap
To: talk-bounces at lists.nycbug.org
To: talk at lists.nycbug.org
ReplyTo: Matt Juszczak
Subject: Re: [nycbug-talk] Apache and FreeBSD
Sent: Jul 1, 2009 18:38

It's using php. It's also using nfs yes.

Potentially waiting on nfs or mysql. How is that found out?

From bruno at loftmail.com Thu Jul 2 10:58:38 2009
From: bruno at loftmail.com (Bruno Scap)
Date: Thu, 2 Jul 2009 10:58:38 -0400
Subject: [nycbug-talk] Apache and FreeBSD
In-Reply-To: <403486650-1246487881-cardhu_decombobulator_blackberry.rim.net-1022198236-@bxe1284.bisx.prod.on.blackberry>
References: <403486650-1246487881-cardhu_decombobulator_blackberry.rim.net-1022198236-@bxe1284.bisx.prod.on.blackberry>
Message-ID: <20090702145838.GQ27947@loftmail.com>

On Wed, Jul 01, 2009 at 10:38:26PM +0000, matt at atopia.net wrote:
> It's using php. It's also using nfs yes.
>
> Potentially waiting on nfs or mysql. How is that found out?

Did you check server-status and lsof? It might show they are stuck on the same file, or give you other hints about where to look next. Maybe use gdb on a stuck httpd child.

You can also narrow it down by elimination.
Remove NFS from the picture, remove MySQL from the picture. If you cannot, then poke at all of them, to narrow it down at least.

From pete at nomadlogic.org Thu Jul 2 13:05:26 2009
From: pete at nomadlogic.org (Pete Wright)
Date: Thu, 2 Jul 2009 10:05:26 -0700
Subject: [nycbug-talk] [OT] - Subversion Conflicts
In-Reply-To:
References: <013801c9f748$b8183530$28489f90$@com> <91AC9D17-2D93-4259-B766-FE66C03A96D0@gmail.com> <1CA8D99C-882B-4572-986A-59C6E538DEFC@gmail.com>
Message-ID:

On 1-Jul-09, at 2:20 PM, Matt Juszczak wrote:

> Ah. So what's the work around for that? Write my little one liner
> in a C program?
>

what does your wrapper look like? your wrapper could just su to the www user for the commit (su - www -c "some stuff here"). ugly, insecure and probably just plain bad - but things will have the correct permissions.

-p

> On Wed, 1 Jul 2009, Brian Cully wrote:
>
>> If it's a bash script it will ignore suid
>>
>> -bjc
>>
>> On Jul 1, 2009, at 13:30, Matt Juszczak wrote:
>>
>>> So I created a wrapper:
>>>
>>> -rwsrws--- 1 www users 114 Jul 1 13:29 /usr/local/bin/wsvn
>>>
>>> Shouldn't that always be executing as user www no matter what? It
>>> isn't... or doesn't seem to be, because new files still get created
>>> as my user.
>>>
>>> Any ideas?
>>

From matt at atopia.net Thu Jul 2 15:49:39 2009
From: matt at atopia.net (Matt Juszczak)
Date: Thu, 2 Jul 2009 15:49:39 -0400 (EDT)
Subject: [nycbug-talk] [OT] - Subversion Conflicts
In-Reply-To:
References: <013801c9f748$b8183530$28489f90$@com> <91AC9D17-2D93-4259-B766-FE66C03A96D0@gmail.com> <1CA8D99C-882B-4572-986A-59C6E538DEFC@gmail.com>
Message-ID:

> what does your wrapper look like? your wrapper could just su to the www user
> for the commit (su - www -c "some stuff here").
> ugly, insecure and probably just plain bad - but things will have the correct
> permissions.

We decided to go with the sudo route.

sudo -u www svn ci ....

I created a role (we use ldap for sudo) that only allows that command as that user on that server, so it's fairly secure imho.

From matt at atopia.net Thu Jul 2 15:56:37 2009
From: matt at atopia.net (Matt Juszczak)
Date: Thu, 2 Jul 2009 15:56:37 -0400 (EDT)
Subject: [nycbug-talk] Apache and FreeBSD
In-Reply-To: <20090702145838.GQ27947@loftmail.com>
References: <403486650-1246487881-cardhu_decombobulator_blackberry.rim.net-1022198236-@bxe1284.bisx.prod.on.blackberry> <20090702145838.GQ27947@loftmail.com>
Message-ID:

> Did you check server-status and lsof? It might show they are stuck on
> the same file, or give you other hints about where to look next.
> Maybe use gdb on a stuck httpd child.

hmmmm, interesting:

httpd 87911 root 14u VREG 0,93 0 9 /tmp (/dev/amrd0s1e)
httpd 87911 root 15u VREG 0,93 0 15 /tmp (/dev/amrd0s1e)
httpd 87911 root 16u VREG 0,93 0 17 /tmp (/dev/amrd0s1e)
httpd 87911 root 17u VREG 0,93 0 12 /tmp (/dev/amrd0s1e)
httpd 87911 root 18u VREG 0,93 0 19 /tmp (/dev/amrd0s1e)
httpd 87911 root 19u VREG 0,93 0 18 /tmp (/dev/amrd0s1e)
httpd 87911 root 20u VREG 0,93 0 22 /tmp (/dev/amrd0s1e)
httpd 87911 root 21u VREG 0,93 0 21 /tmp (/dev/amrd0s1e)
httpd 87911 root 22u VREG 0,93 0 24 /tmp (/dev/amrd0s1e)
httpd 87911 root 23u VREG 0,93 0 16 /tmp (/dev/amrd0s1e)
httpd 87911 root 24u VREG 0,93 0 26 /tmp (/dev/amrd0s1e)
httpd 87911 root 25u VREG 0,93 0 28 /tmp (/dev/amrd0s1e)
httpd 87911 root 26u VREG 0,93 0 25 /tmp (/dev/amrd0s1e)
httpd 87911 root 27u VREG 0,93 0 20 /tmp (/dev/amrd0s1e)
httpd 87911 root 28u VREG 0,93 0 31 /tmp (/dev/amrd0s1e)
httpd 87911 root 29u VREG 0,93 0 29 /tmp (/dev/amrd0s1e)

From matt at atopia.net Thu Jul 2 16:58:09 2009
From: matt at atopia.net (Matt Juszczak)
Date: Thu, 2 Jul 2009 16:58:09 -0400 (EDT)
Subject: [nycbug-talk] Apache and FreeBSD
In-Reply-To:
References: <403486650-1246487881-cardhu_decombobulator_blackberry.rim.net-1022198236-@bxe1284.bisx.prod.on.blackberry> <20090702145838.GQ27947@loftmail.com>
Message-ID:

Actually looks like the processes that use a lot of CPU continue to hang in select, while others hang in "lockf":

19717 www 1 64 0 215M 83808K select 2 0:34 13.57% httpd

From cwolsen at ubixos.com Thu Jul 2 17:26:38 2009
From: cwolsen at ubixos.com (Christopher Olsen)
Date: Thu, 2 Jul 2009 17:26:38 -0400
Subject: [nycbug-talk] Apache and FreeBSD
Message-ID: <200907022126.n62LQOpP002466@fulton.nycbug.org>

I know I am a little late on this but you mentioned nfs are you running lockd?

-Christopher

Ubix Technologies
T: 212-514-6270
C: 516-903-2889
32 Broadway Suite 204
New York, NY 10004
http://www.tuve.tv/mrolsen

-----Original Message-----
From: Matt Juszczak
Sent: Thursday, July 02, 2009 4:58 PM
To: Bruno Scap
Cc: talk at lists.nycbug.org
Subject: Re: [nycbug-talk] Apache and FreeBSD

Actually looks like the processes that use a lot of CPU continue to hang in select, while others hang in "lockf":

19717 www 1 64 0 215M 83808K select 2 0:34 13.57% httpd

From matt at atopia.net Thu Jul 2 17:31:40 2009
From: matt at atopia.net (Matt Juszczak)
Date: Thu, 2 Jul 2009 17:31:40 -0400 (EDT)
Subject: [nycbug-talk] Apache and FreeBSD
In-Reply-To: <20090702212624.7BD5B22900@pluto.atopia.net>
References: <20090702212624.7BD5B22900@pluto.atopia.net>
Message-ID:

Potentially not? :)

On Thu, 2 Jul 2009, Christopher Olsen wrote:

> I know I am a little late on this but you mentioned nfs are you running lockd?
>
> -Christopher
>
> Ubix Technologies
> T: 212-514-6270
> C: 516-903-2889
> 32 Broadway Suite 204
> New York, NY 10004
> http://www.tuve.tv/mrolsen
>
> -----Original Message-----
> From: Matt Juszczak
> Sent: Thursday, July 02, 2009 4:58 PM
> To: Bruno Scap
> Cc: talk at lists.nycbug.org
> Subject: Re: [nycbug-talk] Apache and FreeBSD
>
> Actually looks like the processes that use a lot of CPU continue to hang
> in select, while others hang in "lockf":
>
> 19717 www 1 64 0 215M 83808K select 2 0:34 13.57% httpd
>

From matt at atopia.net Thu Jul 2 17:34:50 2009
From: matt at atopia.net (Matt Juszczak)
Date: Thu, 2 Jul 2009 17:34:50 -0400 (EDT)
Subject: [nycbug-talk] Apache and FreeBSD
In-Reply-To:
References: <20090702212624.7BD5B22900@pluto.atopia.net>
Message-ID:

>> I know I am a little late on this but you mentioned nfs are you running
>> lockd?

Sorry for the multiple replies:

On the FreeBSD webserver:

s$ ps auxw | grep lockd
s$

(returned nothing)

On the Linux (RHEL) NFS Server:

s$ ps auxw | grep lockd
root 116 0.0 0.0 0 0 ? S< May25 0:00 [kblockd/0]
root 117 0.0 0.0 0 0 ? S< May25 0:00 [kblockd/1]
root 118 0.0 0.0 0 0 ? S< May25 0:01 [kblockd/2]
root 119 0.0 0.0 0 0 ? S< May25 0:00 [kblockd/3]
root 120 0.0 0.0 0 0 ? S< May25 0:00 [kblockd/4]
root 121 0.0 0.0 0 0 ? S< May25 0:00 [kblockd/5]
root 122 0.0 0.0 0 0 ? S< May25 0:00 [kblockd/6]
root 123 0.0 0.0 0 0 ? S< May25 0:00 [kblockd/7]
7000 9282 0.0 0.0 61164 728 pts/0 S+ 17:34 0:00 grep lockd
root 18936 0.0 0.0 0 0 ? S Jun26 0:00 [lockd]

Config (/etc/exports):

/export/shared 10.15.8.0/255.255.240.0(rw,async)

From o_sleep at belovedarctos.com Fri Jul 3 17:42:28 2009
From: o_sleep at belovedarctos.com (Bjorn Nelson)
Date: Fri, 03 Jul 2009 17:42:28 -0400
Subject: [nycbug-talk] Apache and FreeBSD
In-Reply-To:
References: <403486650-1246487881-cardhu_decombobulator_blackberry.rim.net-1022198236-@bxe1284.bisx.prod.on.blackberry> <20090702145838.GQ27947@loftmail.com>
Message-ID: <4A4E7B44.9000804@belovedarctos.com>

Matt Juszczak wrote:
>> Did you check server-status and lsof? It might show they are stuck on
>> the same file, or give you other hints about where to look next.
>> Maybe use gdb on a stuck httpd child.
>>
>
> hmmmm, interesting:
>
> httpd 87911 root 14u VREG 0,93 0 9 /tmp (/dev/amrd0s1e)
> httpd 87911 root 15u VREG 0,93 0 15 /tmp (/dev/amrd0s1e)
> httpd 87911 root 16u VREG 0,93 0 17 /tmp (/dev/amrd0s1e)
> httpd 87911 root 17u VREG 0,93 0 12 /tmp (/dev/amrd0s1e)
> httpd 87911 root 18u VREG 0,93 0 19 /tmp (/dev/amrd0s1e)
> httpd 87911 root 19u VREG 0,93 0 18 /tmp (/dev/amrd0s1e)
> httpd 87911 root 20u VREG 0,93 0 22 /tmp (/dev/amrd0s1e)
> httpd 87911 root 21u VREG 0,93 0 21 /tmp (/dev/amrd0s1e)
> httpd 87911 root 22u VREG 0,93 0 24 /tmp (/dev/amrd0s1e)
> httpd 87911 root 23u VREG 0,93 0 16 /tmp (/dev/amrd0s1e)
> httpd 87911 root 24u VREG 0,93 0 26 /tmp (/dev/amrd0s1e)
> httpd 87911 root 25u VREG 0,93 0 28 /tmp (/dev/amrd0s1e)
> httpd 87911 root 26u VREG 0,93 0 25 /tmp (/dev/amrd0s1e)
> httpd 87911 root 27u VREG 0,93 0 20 /tmp (/dev/amrd0s1e)
> httpd 87911 root 28u VREG 0,93 0 31 /tmp (/dev/amrd0s1e)
> httpd 87911 root 29u VREG 0,93 0 29 /tmp (/dev/amrd0s1e)
>

Do you see the same behavior if you run with just one httpd thread/child?
httpd -X

-Bjorn

From matt at atopia.net Sat Jul 4 02:17:33 2009
From: matt at atopia.net (Matt Juszczak)
Date: Sat, 4 Jul 2009 02:17:33 -0400 (EDT)
Subject: [nycbug-talk] Apache and FreeBSD
In-Reply-To: <4A4E7B44.9000804@belovedarctos.com>
References: <403486650-1246487881-cardhu_decombobulator_blackberry.rim.net-1022198236-@bxe1284.bisx.prod.on.blackberry> <20090702145838.GQ27947@loftmail.com> <4A4E7B44.9000804@belovedarctos.com>
Message-ID:

> Do you see the same behavior if you run with just one httpd thread/child?
> httpd -X

The single httpd process that's created seems to always be in "select" - I never see it go into lockf (and I watched it for a while):

83383 www 1 44 0 182M 46912K select 1 0:02 0.00% httpd

Here's the lsof for the single process:

s# lsof | grep httpd | egrep -v "(\/usr\/local\/lib|\/usr\/lib)|(\/lib)"
httpd 83404 www cwd VDIR 0,95 2560 4192973 /usr/local/www/webroot/html
httpd 83404 www rtd VDIR 0,90 512 2 /
httpd 83404 www txt VREG 0,95 508120 3395419 /usr/local/sbin/httpd
httpd 83404 www 0u VCHR 0,110 0t271003 110 /dev/ttyp0
httpd 83404 www 1u VCHR 0,110 0t271003 110 /dev/ttyp0
httpd 83404 www 2w VREG 0,93 3206 353317 /var/log/apache/httpd-error.log
httpd 83404 www 3u IPv6 0xffffff01e7cb0888 0t0 TCP *:http (LISTEN)
httpd 83404 www 4u IPv4 0xffffff007e4a05b0 0t0 TCP *:* (CLOSED)
httpd 83404 www 5u IPv6 0xffffff017216e888 0t0 TCP *:https (LISTEN)
httpd 83404 www 6u IPv4 0xffffff0027f48888 0t0 TCP *:* (CLOSED)
httpd 83404 www 7u IPv6 0xffffff016037c888 0t0 TCP *:snpp (LISTEN)
httpd 83404 www 8u IPv4 0xffffff016293d5b0 0t0 TCP *:* (CLOSED)
httpd 83404 www 9u PIPE 0xffffff0162b2c000 16384 ->0xffffff0162b2c158
httpd 83404 www 10u PIPE 0xffffff0162b2c158 0 ->0xffffff0162b2c000
httpd 83404 www 11w VREG 0,93 5463426 353319 /var/log/apache/httpd-access.log
httpd 83404 www 12w VREG 0,93 0 353323 /var (/dev/amrd0s1d)
httpd 83404 www 13u VREG 0,94 0 16 /tmp (/dev/amrd0s1e)
httpd 83404 www 14u VREG 0,94 0 17 /tmp (/dev/amrd0s1e)
httpd 83404 www 15u VREG 0,94 0 18 /tmp (/dev/amrd0s1e)
httpd 83404 www 16u VREG 0,94 0 19 /tmp (/dev/amrd0s1e)
httpd 83404 www 17u VREG 0,94 0 20 /tmp (/dev/amrd0s1e)
httpd 83404 www 18u VREG 0,94 0 21 /tmp (/dev/amrd0s1e)
httpd 83404 www 19u VREG 0,94 0 22 /tmp (/dev/amrd0s1e)
httpd 83404 www 20w VREG 0,93 0 353326 /var/log/accept.lock.83404
httpd 83404 www 21w VREG 0,93 0 353326 /var/log/accept.lock.83404
httpd 83404 www 22w VREG 0,94 0 22 /tmp (/dev/amrd0s1e)
httpd 83404 www 23u IPv4 0xffffff01daec55b0 0t0 TCP 10.11.12.12:58440->10.11.12.13:ldap (ESTABLISHED)
httpd 83404 www 24w VREG 0,94 0 16 /tmp (/dev/amrd0s1e)
httpd 83404 www 25u KQUEUE 0xffffff023cf56d00 count=2, state=0
httpd 83404 www 26u IPv6 0xffffff01613f02d8 0t0 TCP [::10.11.12.13]:http->some.ip.address:3301 (CLOSE_WAIT)
httpd 83404 www 27r VREG 0,95 38745 4592821 /usr/local/www/webroot/html/effects.js
httpd 83404 www 29u IPv4 0xffffff008ffe9888 0t0 TCP 10.11.12.13:54606->10.11.12.14:11211 (ESTABLISHED)
httpd 83404 www 30u IPv4 0xffffff010a9a1000 0t0 TCP 10.11.12.13:53331->10.11.12.14:11211 (ESTABLISHED)

From akosela at andykosela.com Mon Jul 6 09:26:48 2009
From: akosela at andykosela.com (Andy Kosela)
Date: Mon, 06 Jul 2009 15:26:48 +0200
Subject: [nycbug-talk] Hyperic
Message-ID: <4a51fb98.kVc3cbFPVCljCH8o%akosela@andykosela.com>

What do you think about Hyperic? We got a mixed environment consisting of FreeBSD/Linux/Windows we would like to monitor and someone from my team suggested Hyperic.

http://www.hyperic.com

It seems to be a robust and advanced solution, but it needs Java to function properly and I fear it can be an overkill. We are also considering Zabbix.
--Andy

From nikolai at fetissov.org Mon Jul 6 17:41:56 2009
From: nikolai at fetissov.org (nikolai)
Date: Mon, 6 Jul 2009 17:41:56 -0400
Subject: [nycbug-talk] No audio for July 2009 meeting
Message-ID: <434e0b6cae2acb4c74053fab80607e8b.squirrel@geekisp.com>

Folks,

In case anybody was waiting for the recording of Gregory Casamento presentation on GNUstep - my apologies - the audio turned out to be of too low, not usable, quality, so I'm not posting it.

Cheers,
--
Nikolai

From george at ceetonetechnology.com Tue Jul 7 10:45:39 2009
From: george at ceetonetechnology.com (George Rosamond)
Date: Tue, 07 Jul 2009 10:45:39 -0400
Subject: [nycbug-talk] [Fwd: Invitation to the *BSD community to Ohio LinuxFest - 40 Years of UNIX celebration]
Message-ID: <4A535F93.5050106@ceetonetechnology.com>

This is from the organizers of Ohio LinuxFest. It's a specific invite to the BSD community.

George

-------------- next part --------------
An embedded message was scrubbed...
From: "Beth Lynn Eicher"
Subject: Invitation to the *BSD community to Ohio LinuxFest - 40 Years of UNIX celebration
Date: Mon, 6 Jul 2009 18:24:58 -0400 (EDT)
Size: 3077
URL:

From pete at nomadlogic.org Tue Jul 7 12:04:39 2009
From: pete at nomadlogic.org (Pete Wright)
Date: Tue, 7 Jul 2009 09:04:39 -0700
Subject: [nycbug-talk] [Fwd: Invitation to the *BSD community to Ohio LinuxFest - 40 Years of UNIX celebration]
In-Reply-To: <4A535F93.5050106@ceetonetechnology.com>
References: <4A535F93.5050106@ceetonetechnology.com>
Message-ID:

On 7-Jul-09, at 7:45 AM, George Rosamond wrote:

> This is from the organizers of Ohio LinuxFest. It's a specific
> invite to the BSD community.
>

> Topics of interest include:
>
> * BSD licensed services
> * General sysadmin tips
> * Open Source licenses
> * Using FLOSS with MacOSX
> * What is new with $yourfavoritebsddistro

oh! oh! i know mine...none! it's an OS not a kernel+gnu-hippy-crap bolted onto it :p

sorry, been working with a bunch of ubuntu kiddies for too long...

this sounds pretty awesome though, nice one Ohio LinuxFest!

-p

From george at ceetonetechnology.com Tue Jul 7 13:35:57 2009
From: george at ceetonetechnology.com (George Rosamond)
Date: Tue, 07 Jul 2009 13:35:57 -0400
Subject: [nycbug-talk] [Fwd: Invitation to the *BSD community to Ohio LinuxFest - 40 Years of UNIX celebration]
In-Reply-To:
References: <4A535F93.5050106@ceetonetechnology.com>
Message-ID: <4A53877D.1010709@ceetonetechnology.com>

Pete Wright wrote:
>
> On 7-Jul-09, at 7:45 AM, George Rosamond wrote:
>
>> This is from the organizers of Ohio LinuxFest. It's a specific invite
>> to the BSD community.
>>
>
>> Topics of interest include:
>>
>> * BSD licensed services
>> * General sysadmin tips
>> * Open Source licenses
>> * Using FLOSS with MacOSX
>> * What is new with $yourfavoritebsddistro
>
> oh! oh! i know mine...none! it's an OS not a kernel+gnu-hippy-crap
> bolted onto it :p
>
> sorry, been working with a bunch of ubuntu kiddies for too long...
>
> this sounds pretty awesome though, nice one Ohio LinuxFest!

:)

It's to their credit that they have a Bell speaker there. .. and don't think that Unix started in 1991.

OH actually has some decent cons, AFAIK. . . . and the fact that they went out and hit me, dru and a bunch of others individually is also to their credit.

George

From isaac at diversaform.com Tue Jul 7 16:22:57 2009
From: isaac at diversaform.com (Isaac Levy)
Date: Tue, 7 Jul 2009 16:22:57 -0400
Subject: [nycbug-talk] [Fwd: Invitation to the *BSD community to Ohio LinuxFest - 40 Years of UNIX celebration]
In-Reply-To: <4A53877D.1010709@ceetonetechnology.com>
References: <4A535F93.5050106@ceetonetechnology.com> <4A53877D.1010709@ceetonetechnology.com>
Message-ID:

Holy Moly,

On Jul 7, 2009, at 1:35 PM, George Rosamond wrote:

> Pete Wright wrote:
>>
>> On 7-Jul-09, at 7:45 AM, George Rosamond wrote:
>>
>>> This is from the organizers of Ohio LinuxFest. It's a specific
>>> invite to the BSD community.
>>> >> >>> Topics of interest include: >>> >>> * BSD licensed services >>> * General sysadmin tips >>> * Open Source licenses >>> * Using FLOSS with MacOSX >>> * What is new with $yourfavoritebsddistro >> >> oh! oh! i know mine...none! it's an OS not a kernel+gnu-hippy-crap >> bolted onto it :p >> >> sorry, been working with a bunch of ubuntu kiddies for too long... >> >> this sounds pretty awesome though, nice one Ohio LinuxFest! > > :) > > It's to their credit that they have a Bell speaker there. .. and don't > think that Unix started in 1991. > > OH actually has some decent cons, AFAIK. . . . and the fact that they > went out and hit me, dru and a bunch of others individually is also to > their credit. > > George On Jul 7, 2009, at 10:45 AM, George Rosamond wrote: > Dr. M. Douglas McIlroy !!! "This is the Unix philosophy: Write programs that do one thing and do it well. Write programs to work together. Write programs to handle text streams, because that is a universal interface." Road trip?! Rocket- .ike From pete at nomadlogic.org Tue Jul 7 19:36:20 2009 From: pete at nomadlogic.org (Pete Wright) Date: Tue, 7 Jul 2009 16:36:20 -0700 Subject: [nycbug-talk] openssh 0 day? Message-ID: <8D62775F-BF69-4EDB-98D2-81A4BCCFBF85@nomadlogic.org> http://isc.sans.org/diary.html?storyid=6742 anyone else see/hear anything 'bout this... -p From george at ceetonetechnology.com Tue Jul 7 19:49:47 2009 From: george at ceetonetechnology.com (George Rosamond) Date: Tue, 07 Jul 2009 19:49:47 -0400 Subject: [nycbug-talk] openssh 0 day? In-Reply-To: <8D62775F-BF69-4EDB-98D2-81A4BCCFBF85@nomadlogic.org> References: <8D62775F-BF69-4EDB-98D2-81A4BCCFBF85@nomadlogic.org> Message-ID: <4A53DF1B.5020008@ceetonetechnology.com> Pete Wright wrote: > http://isc.sans.org/diary.html?storyid=6742 > > anyone else see/hear anything 'bout this... > I used to check out that site more regularly. . .but haven't in a long while. I'm tailing logs on about 20 different IPs now. . . 
but I hadn't heard about it. Don't see anything on undeadly, misc. . . But sshd v 4.3? Hrmmm. . . Another reason not to run sshd on 22 :) and to keep at least relatively current. g From carton at Ivy.NET Tue Jul 7 21:42:31 2009 From: carton at Ivy.NET (Miles Nordin) Date: Tue, 07 Jul 2009 21:42:31 -0400 Subject: [nycbug-talk] openssh 0 day? In-Reply-To: <4A53DF1B.5020008@ceetonetechnology.com> (George Rosamond's message of "Tue, 07 Jul 2009 19:49:47 -0400") References: <8D62775F-BF69-4EDB-98D2-81A4BCCFBF85@nomadlogic.org> <4A53DF1B.5020008@ceetonetechnology.com> Message-ID: >>>>> "gr" == George Rosamond writes: gr> But sshd v 4.3? _ arhhahaar 3zpl0it iz unr334l. my namez carton und ir u|\|aphr4i|> on p0r| 22 bc n0 1 can hakxz0r my big-endian LP64 zystemsz!!!1!11!! ze ph33r iz 1n ze m4i1. wif 4 ph33rzt4|\/|Pz 0n 1t. From billtotman at billtotman.com Tue Jul 7 22:12:31 2009 From: billtotman at billtotman.com (Bill Totman) Date: Tue, 7 Jul 2009 22:12:31 -0400 Subject: [nycbug-talk] openssh 0 day? In-Reply-To: References: <8D62775F-BF69-4EDB-98D2-81A4BCCFBF85@nomadlogic.org> <4A53DF1B.5020008@ceetonetechnology.com> Message-ID: <98e9d1d30907071912r78a694cdrff4e8e57a38b1337@mail.gmail.com> > gr> But sshd v 4.3? > _ > arhhahaar 3zpl0it iz unr334l. my namez carton und ir u|\|aphr4i|> on p0r| > 22 bc n0 1 can hakxz0r my big-endian LP64 zystemsz!!!1!11!! ze ph33r > iz 1n ze m4i1. wif 4 ph33rzt4|\/|Pz 0n 1t. Would it have been faster to first learn and then write that in Esperanto? I'm just saying. -Bill
From nikolai at fetissov.org Wed Jul 8 14:12:08 2009 From: nikolai at fetissov.org (nikolai) Date: Wed, 8 Jul 2009 14:12:08 -0400 Subject: [nycbug-talk] July 2009 meeting audio In-Reply-To: <434e0b6cae2acb4c74053fab80607e8b.squirrel@geekisp.com> References: <434e0b6cae2acb4c74053fab80607e8b.squirrel@geekisp.com> Message-ID: > In case anybody was waiting for the recording of Gregory Casamento > presentation on GNUstep - my apologies - the audio turned to be > of too low, not usable, quality, so I'm not posting it. > After prodding by Trish I took another look into this and now the audio recording of Gregory Casamento GNUstep presentation is available at: http://www.fetissov.org/public/nycbug/nycbug-07-01-09.mp3 Cheers, -- Nikolai From george at ceetonetechnology.com Thu Jul 9 11:54:11 2009 From: george at ceetonetechnology.com (George Rosamond) Date: Thu, 09 Jul 2009 11:54:11 -0400 Subject: [nycbug-talk] openssh 0 day? In-Reply-To: <98e9d1d30907071912r78a694cdrff4e8e57a38b1337@mail.gmail.com> References: <8D62775F-BF69-4EDB-98D2-81A4BCCFBF85@nomadlogic.org> <4A53DF1B.5020008@ceetonetechnology.com> <98e9d1d30907071912r78a694cdrff4e8e57a38b1337@mail.gmail.com> Message-ID: <4A5612A3.90303@ceetonetechnology.com> Bill Totman wrote: > > gr> But sshd v 4.3? > > _ > arhhahaar 3zpl0it iz unr334l. my namez carton und ir u|\|aphr4i|> > on p0r| > 22 bc n0 1 can hakxz0r my big-endian LP64 zystemsz!!!1!11!! ze ph33r > iz 1n ze m4i1. wif 4 ph33rzt4|\/|Pz 0n 1t. > > > Would it have been faster to first learn and then write that in Esperanto? > > I'm just saying. > Well. . . back to the main point about the apparent exploit. FUD. Nothing. http://isc.sans.org/diary.html?storyid=6760&rss Damien Miller's reply breaks down the 'exploit' http://lwn.net/Articles/340483/ I would expect the security site to do a bit more research in posting such stuff. . . especially when it's a 0day exploit with a widely used daemon.
That blog has a lot of credibility, and I wonder how much hassle was caused by it. g From alex at pilosoft.com Thu Jul 9 12:05:14 2009 From: alex at pilosoft.com (Alex Pilosov) Date: Thu, 9 Jul 2009 12:05:14 -0400 (EDT) Subject: [nycbug-talk] openssh 0 day? In-Reply-To: <4A5612A3.90303@ceetonetechnology.com> Message-ID: On Thu, 9 Jul 2009, George Rosamond wrote: > Bill Totman wrote: > > > > gr> But sshd v 4.3? > > > > _ > > arhhahaar 3zpl0it iz unr334l. my namez carton und ir u|\|aphr4i|> > > on p0r| > > 22 bc n0 1 can hakxz0r my big-endian LP64 zystemsz!!!1!11!! ze > > ph33r > > iz 1n ze m4i1. wif 4 ph33rzt4|\/|Pz 0n 1t. > > > > > > Would it have been faster to first learn and then write that in > > Esperanto? > > > > I'm just saying. > > > > Well. . . back to the main point about the apparent exploit. > > FUD. Nothing. > > http://isc.sans.org/diary.html?storyid=6760&rss > > Damien Miller's reply breaks down the 'exploit' > > http://lwn.net/Articles/340483/ > > I would expect the security site to do a bit more research in posting > such stuff. . . especially when it's a 0day exploit with a widely used > daemon. > > That blog has a lot of credibility, and I wonder how much hassle was > caused by it. whose blog? isc.sans.org? It's a joke, really. crossing media with security people who have almost no clue... From george at ceetonetechnology.com Thu Jul 9 12:15:18 2009 From: george at ceetonetechnology.com (George Rosamond) Date: Thu, 09 Jul 2009 12:15:18 -0400 Subject: [nycbug-talk] openssh 0 day? In-Reply-To: References: Message-ID: <4A561796.2020304@ceetonetechnology.com> Alex Pilosov wrote: > On Thu, 9 Jul 2009, George Rosamond wrote: > >> Bill Totman wrote: >>> gr> But sshd v 4.3? >>> >>> _ >>> arhhahaar 3zpl0it iz unr334l. my namez carton und ir u|\|aphr4i|> >>> on p0r| >>> 22 bc n0 1 can hakxz0r my big-endian LP64 zystemsz!!!1!11!! ze >>> ph33r >>> iz 1n ze m4i1. wif 4 ph33rzt4|\/|Pz 0n 1t. 
>>> >>> >>> Would it have been faster to first learn and then write that in >>> Esperanto? >>> >>> I'm just saying. >>> >> Well. . . back to the main point about the apparent exploit. >> >> FUD. Nothing. >> >> http://isc.sans.org/diary.html?storyid=6760&rss >> >> Damien Miller's reply breaks down the 'exploit' >> >> http://lwn.net/Articles/340483/ >> >> I would expect the security site to do a bit more research in posting >> such stuff. . . especially when it's a 0day exploit with a widely used >> daemon. >> >> That blog has a lot of credibility, and I wonder how much hassle was >> caused by it. > whose blog? isc.sans.org? It's a joke, really. crossing media with > security people who have almost no clue... I was stating that the blog has wide credibility . . I wasn't stating who by, who should, is it valid, etc. Alex P could think it's a joke which is certainly valid, but many people out there do follow it. That's reality. g From pete at nomadlogic.org Thu Jul 9 12:23:32 2009 From: pete at nomadlogic.org (Pete Wright) Date: Thu, 9 Jul 2009 09:23:32 -0700 Subject: [nycbug-talk] openssh 0 day? In-Reply-To: <4A5612A3.90303@ceetonetechnology.com> References: <8D62775F-BF69-4EDB-98D2-81A4BCCFBF85@nomadlogic.org> <4A53DF1B.5020008@ceetonetechnology.com> <98e9d1d30907071912r78a694cdrff4e8e57a38b1337@mail.gmail.com> <4A5612A3.90303@ceetonetechnology.com> Message-ID: <369EB3B9-3630-4C28-9ABD-0D72CB89DB37@nomadlogic.org> On 9-Jul-09, at 8:54 AM, George Rosamond wrote: > Bill Totman wrote: >> >> gr> But sshd v 4.3? >> >> _ >> arhhahaar 3zpl0it iz unr334l. my namez carton und ir u|\|aphr4i|> >> on p0r| >> 22 bc n0 1 can hakxz0r my big-endian LP64 zystemsz!!!1!11!! ze >> ph33r >> iz 1n ze m4i1. wif 4 ph33rzt4|\/|Pz 0n 1t. >> >> >> Would it have been faster to first learn and then write that in >> Esperanto? >> >> I'm just saying. >> > > Well. . . back to the main point about the apparent exploit. > > FUD. Nothing. 
> > http://isc.sans.org/diary.html?storyid=6760&rss > > Damien Miller's reply breaks down the 'exploit' > > http://lwn.net/Articles/340483/ > > I would expect the security site to do a bit more research in posting > such stuff. . . especially when it's a 0day exploit with a widely used > daemon. > > That blog has a lot of credibility, and I wonder how much hassle was > caused by it. thanks for the url's gman. regardless of how cool alex is (thanks for reminding me - i forgot!) and how it looked pretty fishy from the get- go - i do like to keep an eye on this stuff just as an added layer of paranoia and curiosity. -pete From max at neuropunks.org Thu Jul 9 12:44:26 2009 From: max at neuropunks.org (Max Gribov) Date: Thu, 09 Jul 2009 12:44:26 -0400 Subject: [nycbug-talk] large scale zfs backup howto Message-ID: <4A561E6A.8010504@neuropunks.org> saw this on freebsd-isp list, looks like a great comprehensive howto.. http://forums.freebsd.org/showthread.php?t=3689 From isaac at diversaform.com Thu Jul 9 15:38:38 2009 From: isaac at diversaform.com (Isaac Levy) Date: Thu, 9 Jul 2009 15:38:38 -0400 Subject: [nycbug-talk] openssh 0 day? In-Reply-To: <369EB3B9-3630-4C28-9ABD-0D72CB89DB37@nomadlogic.org> References: <8D62775F-BF69-4EDB-98D2-81A4BCCFBF85@nomadlogic.org> <4A53DF1B.5020008@ceetonetechnology.com> <98e9d1d30907071912r78a694cdrff4e8e57a38b1337@mail.gmail.com> <4A5612A3.90303@ceetonetechnology.com> <369EB3B9-3630-4C28-9ABD-0D72CB89DB37@nomadlogic.org> Message-ID: On Jul 9, 2009, at 12:23 PM, Pete Wright wrote: > On 9-Jul-09, at 8:54 AM, George Rosamond wrote: >> Bill Totman wrote: >>> >>> gr> But sshd v 4.3? >>> >>> _ >>> arhhahaar 3zpl0it iz unr334l. >>> Esperanto? >>> >>> I'm just saying. >> Well. . . back to the main point about the apparent exploit. >> >> FUD. Nothing. >> >> http://isc.sans.org/diary.html?storyid=6760&rss >> http://lwn.net/Articles/340483/ >> >> 0day exploit with a widely used >> daemon. >> >> I wonder how much hassle was >> caused by it. 
> looked pretty fishy from the get- > go - i do like to keep an eye on this stuff just as an added layer of > paranoia and curiosity. Regardless of if they cried a bit of wolf, I personally think it was appropriate. Anyone remember, http://lists.nycbug.org/pipermail/talk/2005-September/006865.html I'm personally going to release my SSH protocol exploits Jan 1, 2012 and see what happens... Muahahahaha. But seriously, for an app like OpenSSH (and the SSH protocol), which is understatedly so critical to everything, why not be a bit paranoid? http://nmap.org/images/matrix/matrix-poster-jsolomon-small.jpg Rocket- .ike From carton at Ivy.NET Thu Jul 9 16:13:43 2009 From: carton at Ivy.NET (Miles Nordin) Date: Thu, 09 Jul 2009 16:13:43 -0400 Subject: [nycbug-talk] large scale zfs backup howto In-Reply-To: <4A561E6A.8010504@neuropunks.org> (Max Gribov's message of "Thu, 09 Jul 2009 12:44:26 -0400") References: <4A561E6A.8010504@neuropunks.org> Message-ID: >>>>> "mg" == Max Gribov writes: mg> http://forums.freebsd.org/showthread.php?t=3689 very nice. btw among many details I see he has used --inplace. --inplace is important for rsync/ZFS when the destination is a snapshotted ZFS and the files being backed up are large ones that change in the middle like .vmdk/.vdi/.db. By default rsync sends only changes over the wire, but when it WRITES the destination it does the copy/fsync/rename dance which will use more space in the ZFS snapshot/clone tree than --inplace. for the restore onto ext3/ufs --inplace should make no difference. From mark.saad at ymail.com Thu Jul 9 19:27:25 2009 From: mark.saad at ymail.com (Mark Saad) Date: Thu, 9 Jul 2009 19:27:25 -0400 Subject: [nycbug-talk] FreeBSD 8-BETA1 Message-ID: <9D82BF46-8D64-4535-8C11-58BCBBB83648@ymail.com> Hello All Anyone tried FreeBSD 8-BETA1 yet?
I am curious to hear what grief it's been giving. -=-=-=-=-=-=-=-=-=- Mark Saad mark.saad at ymail.com From akosela at andykosela.com Fri Jul 10 04:22:33 2009 From: akosela at andykosela.com (Andy Kosela) Date: Fri, 10 Jul 2009 10:22:33 +0200 Subject: [nycbug-talk] large scale zfs backup howto In-Reply-To: <4A561E6A.8010504@neuropunks.org> References: <4A561E6A.8010504@neuropunks.org> Message-ID: <4a56fa49.PFWsxo7U5T6GQLpQ%akosela@andykosela.com> Max Gribov wrote: > saw this on freebsd-isp list, looks like a great comprehensive howto.. > > http://forums.freebsd.org/showthread.php?t=3689 Thanks. Really some nice stuff. I don't usually follow FreeBSD forums as it mostly discusses things like 'tcsh vs bash' which are pointless but this one is very informative. --Andy From george at ceetonetechnology.com Sat Jul 11 10:33:16 2009 From: george at ceetonetechnology.com (George Rosamond) Date: Sat, 11 Jul 2009 10:33:16 -0400 Subject: [nycbug-talk] embedded hardware Message-ID: <4A58A2AC.9050100@ceetonetechnology.com> I'm sure some others saw this on openbsd misc: http://bifferos.bizhat.com/ Wow. . . "I think I lost the firewall. Has anyone seen my firewall?" Curious about other small systems others have used and what shortcomings they've experienced. PCEngines' Wrap and Alix and Soekrises have been used by many on this list going back for years. A bit separately, I have a very nice and clean USB flash 2 gig image of FreeBSD I've been playing with. . . configured with desktop apps, virtual keyboard, etc., that I'll be posting for download with How-To and FAQ soon. Others? It would be nice to have a list, since there's been an explosion of these devices over the past year especially. . .
George From carton at Ivy.NET Sat Jul 11 12:56:03 2009 From: carton at Ivy.NET (Miles Nordin) Date: Sat, 11 Jul 2009 12:56:03 -0400 Subject: [nycbug-talk] embedded hardware In-Reply-To: <4A58A2AC.9050100@ceetonetechnology.com> (George Rosamond's message of "Sat, 11 Jul 2009 10:33:16 -0400") References: <4A58A2AC.9050100@ceetonetechnology.com> Message-ID: >>>>> "gr" == George Rosamond writes: gr> http://bifferos.bizhat.com/ or, if you will run linux: Beagle Board -- omap evboard from TI/DigiKey, $150 http://www.alwaysinnovating.com/home/index.htm <-- beagle board based laptop https://omapzoom.org/gf/project/omapzoomhome/ <-- strange celfone random competitors, not necessarily good: http://www.luminarymicro.com/products/evaluation_kits.html/ http://www.lpc2000.com/ http://www.fudantech.com/pdf/pdf/AT91RM9200-CARD-ENGINE%A2%F1.pdf http://www.embeddedrelated.com/groups/lpc2000/1.php http://www.stm32circle.com/hom/index.php http://www.coridiumcorp.com/ARMmite.php $50 ARM-USB-TTL board there is a whole range of 1GHz ARM stuff coming out soon based on TI omap and Marvell orion in celfone and netbook form factor, with ~256MB of DRAM and NAND flash. This is the ``partnership'' with skeezy asian vendors google is talking about in chrome OS. for size / cost / power envelope, nothing running BSD can come close. From matt at atopia.net Sat Jul 11 15:08:37 2009 From: matt at atopia.net (Matt Juszczak) Date: Sat, 11 Jul 2009 15:08:37 -0400 (EDT) Subject: [nycbug-talk] Apache and FreeBSD In-Reply-To: <403486650-1246487881-cardhu_decombobulator_blackberry.rim.net-1022198236-@bxe1284.bisx.prod.on.blackberry> References: <403486650-1246487881-cardhu_decombobulator_blackberry.rim.net-1022198236-@bxe1284.bisx.prod.on.blackberry> Message-ID: > Did you try looking outside of the Apache - PHP, accelerators, MySQL?
> Could it be that Apache is waiting for PHP to finish? > > httpd procs seem pretty large.. > > Does the server have enough memory to fit all apaches in? > > Is Apache using content on NFS? > > Try using server-status to see what is going on. And lsof. Just an interesting tid bit: 136 processes: 1 running, 123 sleeping, 12 zombie Recent snap shot of "top". Seems really odd that there would be a spike to 120 processes, and then seeing them all sleeping. Something is really going on. Yet memory is only 20% used. CPU isn't totally pegged. I/O is low as well. 0.o From pete at nomadlogic.org Mon Jul 13 12:20:57 2009 From: pete at nomadlogic.org (Pete Wright) Date: Mon, 13 Jul 2009 09:20:57 -0700 Subject: [nycbug-talk] Apache and FreeBSD In-Reply-To: References: <403486650-1246487881-cardhu_decombobulator_blackberry.rim.net-1022198236-@bxe1284.bisx.prod.on.blackberry> Message-ID: On 11-Jul-09, at 12:08 PM, Matt Juszczak wrote: >> Did you try looking outside of the Apache - PHP, accelerators, MySQL? >> Could it be that Apache is waiting for PHP to finish? >> >> httpd procs seem pretty large.. >> >> Does the server have enough memory to fit all apaches in? >> >> Is Apache using content on NFS? >> >> Try using server-status to see what is going on. And lsof. > > > Just an interesting tid bit: > > 136 processes: 1 running, 123 sleeping, 12 zombie > > Recent snap shot of "top". Seems really odd that there would be a > spike > to 120 processes, and then seeing them all sleeping. Something is > really > going on. Yet memory is only 20% used. CPU isn't totally pegged. > I/O is > low as well. > have you tried to ktrace any of the processes? I'd take a peek at the zombies first to see if they are blocking on anything...
-pete From matt at atopia.net Mon Jul 13 12:49:23 2009 From: matt at atopia.net (Matt Juszczak) Date: Mon, 13 Jul 2009 12:49:23 -0400 (EDT) Subject: [nycbug-talk] Apache and FreeBSD In-Reply-To: References: <403486650-1246487881-cardhu_decombobulator_blackberry.rim.net-1022198236-@bxe1284.bisx.prod.on.blackberry> Message-ID: > have you tried to ktrace any of the processes? I'd take a peek at the > zombies first so see if they are blocking on anything... Oh yes, tons of times. I'm constantly seeing resource temporarily unavailable, especially in the high CPU processes. Also, here's something interesting: 38103 httpd CALL fcntl(0xd,F_SETLKW,0xffffffffffff5250) 38103 httpd RET fcntl 0 38103 httpd CALL fcntl(0xd,F_SETLKW,0xffffffffffff5250) 38103 httpd RET fcntl 0 38103 httpd CALL fcntl(0xd,F_SETLKW,0xffffffffffff5250) 38103 httpd RET fcntl 0 38103 httpd CALL fcntl(0xd,F_SETLKW,0xffffffffffff5250) 38103 httpd RET fcntl 0 38103 httpd CALL fcntl(0xd,F_SETLKW,0xffffffffffff5250) 38103 httpd RET fcntl 0 38103 httpd CALL fcntl(0xd,F_SETLKW,0xffffffffffff5250) 38103 httpd RET fcntl 0 38103 httpd CALL fcntl(0xd,F_SETLKW,0xffffffffffff5250) 38103 httpd RET fcntl 0 38103 httpd CALL fcntl(0xd,F_SETLKW,0xffffffffffff5250) 38103 httpd RET fcntl 0 38103 httpd CALL fcntl(0xd,F_SETLKW,0xffffffffffff5250) 38103 httpd RET fcntl 0 And that repeats for a really long time. Tried to ktrace the zombie: s104# ps auxw | grep def root 9031 0.0 0.0 0 0 ?? 
Z Wed12AM 0:12.53 root 37846 0.0 0.0 7884 1164 p0 S+ 12:40PM 0:00.00 grep def s104# ktrace -p 9031 ktrace: ktrace.out: No such process s104# From matt at atopia.net Mon Jul 13 13:19:54 2009 From: matt at atopia.net (Matt Juszczak) Date: Mon, 13 Jul 2009 13:19:54 -0400 (EDT) Subject: [nycbug-talk] Apache and FreeBSD In-Reply-To: References: <403486650-1246487881-cardhu_decombobulator_blackberry.rim.net-1022198236-@bxe1284.bisx.prod.on.blackberry> Message-ID: Actually, tracing these boxes, before it tries to open almost any file, it does: 43765 httpd CALL fcntl(0xd,F_SETLKW,0xffffffffffff9b80) 43765 httpd RET fcntl 0 43765 httpd CALL fcntl(0xd,F_SETLKW,0xffffffffffff9b80) 43765 httpd RET fcntl 0 43765 httpd CALL fcntl(0xd,F_SETLKW,0xffffffffffff9b70) 43765 httpd RET fcntl 0 43765 httpd CALL fcntl(0xd,F_SETLKW,0xffffffffffff9b70) 43765 httpd RET fcntl 0 43765 httpd CALL fcntl(0xd,F_SETLKW,0xffffffffffff9b50) 43765 httpd RET fcntl 0 43765 httpd CALL fcntl(0xd,F_SETLKW,0xffffffffffff9b50) 43765 httpd RET fcntl 0 43765 httpd CALL fcntl(0xd,F_SETLKW,0xffffffffffff9ba0) 43765 httpd RET fcntl 0 43765 httpd CALL fcntl(0xd,F_SETLKW,0xffffffffffff9ba0) 43765 httpd RET fcntl 0 43765 httpd CALL fcntl(0xd,F_SETLKW,0xffffffffffff9ba0) 43765 httpd RET fcntl 0 43765 httpd CALL fcntl(0xd,F_SETLKW,0xffffffffffff9ba0) 43765 httpd RET fcntl 0 43765 httpd CALL fcntl(0xd,F_SETLKW,0xffffffffffff9ce0) 43765 httpd RET fcntl 0 43765 httpd CALL fcntl(0xd,F_SETLKW,0xffffffffffff9ce0) 43765 httpd RET fcntl 0 43765 httpd CALL fcntl(0xd,F_SETLKW,0xffffffffffff9dd0) 43765 httpd RET fcntl 0 43765 httpd CALL fcntl(0xd,F_SETLKW,0xffffffffffff9dd0) Some go on for 1000's of lines. But this is the local file system... 
From o_sleep at belovedarctos.com Mon Jul 13 18:31:01 2009 From: o_sleep at belovedarctos.com (Bjorn Nelson) Date: Mon, 13 Jul 2009 18:31:01 -0400 Subject: [nycbug-talk] Apache and FreeBSD In-Reply-To: References: <403486650-1246487881-cardhu_decombobulator_blackberry.rim.net-1022198236-@bxe1284.bisx.prod.on.blackberry> Message-ID: <4A5BB5A5.2090109@belovedarctos.com> Matt Juszczak wrote: > Actually, tracing these boxes, before it tries to open almost any file, it > does: > > 43765 httpd CALL fcntl(0xd,F_SETLKW,0xffffffffffff9b80) > 43765 httpd RET fcntl 0 > 43765 httpd CALL fcntl(0xd,F_SETLKW,0xffffffffffff9b80) > 43765 httpd RET fcntl 0 > 43765 httpd CALL fcntl(0xd,F_SETLKW,0xffffffffffff9b70) > 43765 httpd RET fcntl 0 > 43765 httpd CALL fcntl(0xd,F_SETLKW,0xffffffffffff9b70) > 43765 httpd RET fcntl 0 > 43765 httpd CALL fcntl(0xd,F_SETLKW,0xffffffffffff9b50) > 43765 httpd RET fcntl 0 > 43765 httpd CALL fcntl(0xd,F_SETLKW,0xffffffffffff9b50) > 43765 httpd RET fcntl 0 > 43765 httpd CALL fcntl(0xd,F_SETLKW,0xffffffffffff9ba0) > 43765 httpd RET fcntl 0 > 43765 httpd CALL fcntl(0xd,F_SETLKW,0xffffffffffff9ba0) > 43765 httpd RET fcntl 0 > 43765 httpd CALL fcntl(0xd,F_SETLKW,0xffffffffffff9ba0) > 43765 httpd RET fcntl 0 > 43765 httpd CALL fcntl(0xd,F_SETLKW,0xffffffffffff9ba0) > 43765 httpd RET fcntl 0 > 43765 httpd CALL fcntl(0xd,F_SETLKW,0xffffffffffff9ce0) > 43765 httpd RET fcntl 0 > 43765 httpd CALL fcntl(0xd,F_SETLKW,0xffffffffffff9ce0) > 43765 httpd RET fcntl 0 > 43765 httpd CALL fcntl(0xd,F_SETLKW,0xffffffffffff9dd0) > 43765 httpd RET fcntl 0 > 43765 httpd CALL fcntl(0xd,F_SETLKW,0xffffffffffff9dd0) > > > Some go on for 1000's of lines. > > But this is the local file system... What file is the 0xd (14, right?) from lsof in the FD column. Maybe you have multiple DAVLockDBs set in the config or across multiple virtualhosts pointing at the same file. 
-Bjorn From matt at atopia.net Mon Jul 13 18:38:17 2009 From: matt at atopia.net (Matt Juszczak) Date: Mon, 13 Jul 2009 18:38:17 -0400 (EDT) Subject: [nycbug-talk] Apache and FreeBSD In-Reply-To: <4A5BB5A5.2090109@belovedarctos.com> References: <403486650-1246487881-cardhu_decombobulator_blackberry.rim.net-1022198236-@bxe1284.bisx.prod.on.blackberry> <4A5BB5A5.2090109@belovedarctos.com> Message-ID: > What file is the 0xd (14, right?) from lsof in the FD column. Maybe you have > multiple DAVLockDBs set in the config or across multiple virtualhosts > pointing at the same file. This is sort of interesting, and perhaps related?: httpd 4043 www 22u VREG 0,94 0 20 /tmp (/dev/amrd0s1e) httpd 4043 www 23u VREG 0,94 0 25 /tmp (/dev/amrd0s1e) httpd 4043 www 24u VREG 0,94 0 22 /tmp (/dev/amrd0s1e) httpd 4043 www 25u VREG 0,94 0 28 /tmp (/dev/amrd0s1e) httpd 4043 www 26u VREG 0,94 0 27 /tmp (/dev/amrd0s1e) httpd 4043 www 27u VREG 0,94 0 26 /tmp (/dev/amrd0s1e) httpd 4043 www 28u VREG 0,94 0 29 /tmp (/dev/amrd0s1e) httpd 4043 www 29u VREG 0,94 0 32 /tmp (/dev/amrd0s1e) httpd 4043 www 30u VREG 0,94 0 34 /tmp/aprKEahdw httpd 4043 www 31w VREG 0,93 0 23591 /var/log/accept.lock.52448 httpd 4043 www 32w VREG 0,93 0 23591 /var/log/accept.lock.52448 httpd 4043 www 33w VREG 0,94 0 34 /tmp/aprKEahdw From o_sleep at belovedarctos.com Mon Jul 13 18:41:06 2009 From: o_sleep at belovedarctos.com (Bjorn Nelson) Date: Mon, 13 Jul 2009 18:41:06 -0400 Subject: [nycbug-talk] Apache and FreeBSD In-Reply-To: References: <403486650-1246487881-cardhu_decombobulator_blackberry.rim.net-1022198236-@bxe1284.bisx.prod.on.blackberry> <4A5BB5A5.2090109@belovedarctos.com> Message-ID: <4A5BB802.5020002@belovedarctos.com> Matt Juszczak wrote: >> What file is the 0xd (14, right?) from lsof in the FD column. Maybe >> you have multiple DAVLockDBs set in the config or across multiple >> virtualhosts pointing at the same file. 
> > This is sort of interesting, and perhaps related?: > > httpd 4043 www 22u VREG 0,94 0 20 > /tmp (/dev/amrd0s1e) > httpd 4043 www 23u VREG 0,94 0 25 > /tmp (/dev/amrd0s1e) > httpd 4043 www 24u VREG 0,94 0 22 > /tmp (/dev/amrd0s1e) > httpd 4043 www 25u VREG 0,94 0 28 > /tmp (/dev/amrd0s1e) > httpd 4043 www 26u VREG 0,94 0 27 > /tmp (/dev/amrd0s1e) > httpd 4043 www 27u VREG 0,94 0 26 > /tmp (/dev/amrd0s1e) > httpd 4043 www 28u VREG 0,94 0 29 > /tmp (/dev/amrd0s1e) > httpd 4043 www 29u VREG 0,94 0 32 > /tmp (/dev/amrd0s1e) > httpd 4043 www 30u VREG 0,94 0 34 > /tmp/aprKEahdw > httpd 4043 www 31w VREG 0,93 0 23591 > /var/log/accept.lock.52448 > httpd 4043 www 32w VREG 0,93 0 23591 > /var/log/accept.lock.52448 > httpd 4043 www 33w VREG 0,94 0 34 > /tmp/aprKEahdw > Can you do a kinit and lsof at the same time with timestamps to correlate a fcntl with the filename? 22u is FD 22 r/w (0x16 according to powertoy calc), do you have a related fcntl call for this? -Bjorn From matt at atopia.net Mon Jul 13 19:04:27 2009 From: matt at atopia.net (Matt Juszczak) Date: Mon, 13 Jul 2009 19:04:27 -0400 (EDT) Subject: [nycbug-talk] Apache and FreeBSD In-Reply-To: <4A5BB802.5020002@belovedarctos.com> References: <403486650-1246487881-cardhu_decombobulator_blackberry.rim.net-1022198236-@bxe1284.bisx.prod.on.blackberry> <4A5BB5A5.2090109@belovedarctos.com> <4A5BB802.5020002@belovedarctos.com> Message-ID: > Can you do a kinit and lsof at the same time with timestamps to correlate a > fcntl with the filename? 22u is FD 22 r/w (0x16 according to powertoy calc), > do you have a related fcntl call for this? I can look into this. 
For now, why is /tmp opened so many times, and why is accept.lock there twice?: ktrace: 10317 httpd CALL fcntl(0xe,F_SETLKW,0xffffffffffffe4d0) 10317 httpd RET fcntl 0 lsof: httpd 10317 www 11w VREG 0,93 0 23600 /var (/dev/amrd0s1d) httpd 10317 www 12u VREG 0,94 0 7 /tmp/aprzFWU5v httpd 10317 www 13u VREG 0,94 0 9 /tmp (/dev/amrd0s1e) httpd 10317 www 14u VREG 0,94 0 11 /tmp (/dev/amrd0s1e) httpd 10317 www 15u VREG 0,94 0 13 /tmp (/dev/amrd0s1e) httpd 10317 www 16u VREG 0,94 0 21 /tmp (/dev/amrd0s1e) httpd 10317 www 17u VREG 0,94 0 31 /tmp (/dev/amrd0s1e) httpd 10317 www 18u VREG 0,94 0 34 /tmp/aprY9iT3d httpd 10317 www 19w VREG 0,93 0 23672 /var/log/accept.lock.8343 httpd 10317 www 20w VREG 0,93 0 23672 /var/log/accept.lock.8343 From matt at atopia.net Mon Jul 13 19:07:46 2009 From: matt at atopia.net (Matt Juszczak) Date: Mon, 13 Jul 2009 19:07:46 -0400 (EDT) Subject: [nycbug-talk] Apache and FreeBSD In-Reply-To: <4A5BB802.5020002@belovedarctos.com> References: <403486650-1246487881-cardhu_decombobulator_blackberry.rim.net-1022198236-@bxe1284.bisx.prod.on.blackberry> <4A5BB5A5.2090109@belovedarctos.com> <4A5BB802.5020002@belovedarctos.com> Message-ID: > Can you do a kinit and lsof at the same time with timestamps to correlate a > fcntl with the filename? 22u is FD 22 r/w (0x16 according to powertoy calc), > do you have a related fcntl call for this? Isn't kinit kerberos related? Do you mean a ktrace and an lsof at the same time?
Is there any special way of doing that, or just doing something like: ktrace &; lsof &; From o_sleep at belovedarctos.com Mon Jul 13 19:18:12 2009 From: o_sleep at belovedarctos.com (Bjorn Nelson) Date: Mon, 13 Jul 2009 19:18:12 -0400 Subject: [nycbug-talk] Apache and FreeBSD In-Reply-To: References: <403486650-1246487881-cardhu_decombobulator_blackberry.rim.net-1022198236-@bxe1284.bisx.prod.on.blackberry> <4A5BB5A5.2090109@belovedarctos.com> <4A5BB802.5020002@belovedarctos.com> Message-ID: <4A5BC0B4.90504@belovedarctos.com> Matt Juszczak wrote: >> Can you do a kinit and lsof at the same time with timestamps to >> correlate a fcntl with the filename? 22u is FD 22 r/w (0x16 >> according to powertoy calc), do you have a related fcntl call for this? > > Isn't kinit kerberos related? > > Do you mean a ktrace and an lsof at the same time? Is there any > special way of doing that, or just doing something like: > > ktrace &; lsof &; > > Yeah sorry, I use kinit so much it came out when I meant ktrace/kdump. You can kdump with -T to get timestamps and then try to match that with the lsof although it sounds like it may not be changing too frequently. Btw, my httpd.conf looks like: # The accept serialization lock file MUST BE STORED ON A LOCAL DISK. # #LockFile /var/log/accept.lock Is yours any different and just to double check, your /var/log is definitely local, right? I couldn't tell from your lsof, didn't see the underlying device. 
-Bjorn From matt at atopia.net Mon Jul 13 19:22:27 2009 From: matt at atopia.net (Matt Juszczak) Date: Mon, 13 Jul 2009 19:22:27 -0400 (EDT) Subject: [nycbug-talk] Apache and FreeBSD In-Reply-To: <4A5BC0B4.90504@belovedarctos.com> References: <403486650-1246487881-cardhu_decombobulator_blackberry.rim.net-1022198236-@bxe1284.bisx.prod.on.blackberry> <4A5BB5A5.2090109@belovedarctos.com> <4A5BB802.5020002@belovedarctos.com> <4A5BC0B4.90504@belovedarctos.com> Message-ID: > Is yours any different and just to double check, your /var/log is definitely > local, right? I couldn't tell from your lsof, didn't see the underlying > device. Yes. It is. It's weird also, I'm getting this: 12943 httpd CALL fcntl(0xf,F_SETLK,0xffffffffffffcab0) 12943 httpd RET fcntl -1 errno 35 Resource temporarily unavailable in lsof, I'm getting this: httpd 12943 www 14u VREG 0,94 0 17 /tmp (/dev/amrd0s1e) httpd 12943 www 15uW VREG 0,94 0 18 /tmp (/dev/amrd0s1e) httpd 12943 www 16u VREG 0,94 0 19 /tmp (/dev/amrd0s1e) If you notice, the 15 (which maps to 0xf right, 0 - 15?) has a full out lock on /tmp? Or it's trying to? Why? Specific files? Also, the only two /var/log are: httpd 12943 www 19w VREG 0,93 0 23591 /var/log/accept.lock.12878 httpd 12943 www 20w VREG 0,93 0 23591 /var/log/accept.lock.12878 and don't appear in the resource unavailable. From matt at atopia.net Mon Jul 13 19:23:41 2009 From: matt at atopia.net (Matt Juszczak) Date: Mon, 13 Jul 2009 19:23:41 -0400 (EDT) Subject: [nycbug-talk] Apache and FreeBSD In-Reply-To: <4A5BC0B4.90504@belovedarctos.com> References: <403486650-1246487881-cardhu_decombobulator_blackberry.rim.net-1022198236-@bxe1284.bisx.prod.on.blackberry> <4A5BB5A5.2090109@belovedarctos.com> <4A5BB802.5020002@belovedarctos.com> <4A5BC0B4.90504@belovedarctos.com> Message-ID: > # The accept serialization lock file MUST BE STORED ON A LOCAL DISK. 
> # > > > #LockFile /var/log/accept.lock > > > > Is yours any different and just to double check, your /var/log is definitely > local, right? I couldn't tell from your lsof, didn't see the underlying > device. # # The accept serialization lock file MUST BE STORED ON A LOCAL DISK. # LockFile "/var/log/accept.lock" Mine isn't commented out, but since that's the default name anyway, or so I assume, I think it's ok. From o_sleep at belovedarctos.com Mon Jul 13 20:01:04 2009 From: o_sleep at belovedarctos.com (Bjorn Nelson) Date: Mon, 13 Jul 2009 20:01:04 -0400 Subject: [nycbug-talk] Apache and FreeBSD In-Reply-To: References: <403486650-1246487881-cardhu_decombobulator_blackberry.rim.net-1022198236-@bxe1284.bisx.prod.on.blackberry> <4A5BB5A5.2090109@belovedarctos.com> <4A5BB802.5020002@belovedarctos.com> <4A5BC0B4.90504@belovedarctos.com> Message-ID: <4A5BCAC0.8000809@belovedarctos.com> Matt Juszczak wrote: >> Is yours any different and just to double check, your /var/log is >> definitely local, right? I couldn't tell from your lsof, didn't see >> the underlying device. > > Yes. It is. > > It's weird also, I'm getting this: > > 12943 httpd CALL fcntl(0xf,F_SETLK,0xffffffffffffcab0) > 12943 httpd RET fcntl -1 errno 35 Resource temporarily unavailable > > > in lsof, I'm getting this: > > httpd 12943 www 14u VREG 0,94 0 17 > /tmp (/dev/amrd0s1e) > httpd 12943 www 15uW VREG 0,94 0 18 > /tmp (/dev/amrd0s1e) > httpd 12943 www 16u VREG 0,94 0 19 > /tmp (/dev/amrd0s1e) > > > If you notice, the 15 (which maps to 0xf right, 0 - 15?) has a full > out lock on /tmp? Or it's trying to? Why? Specific files? > > Also, the only two /var/log are: > > httpd 12943 www 19w VREG 0,93 0 23591 > /var/log/accept.lock.12878 > httpd 12943 www 20w VREG 0,93 0 23591 > /var/log/accept.lock.12878 > > and don't appear in the resource unavailable. Can you try to recreate what httpd is doing? As www, try to mktemp in /tmp or run a flock on a file in /var/log. 
Alternatively, try to remove perms from either dir to www to see if you can see the behavior just before it errors. If you see the behavior before the crash, then you know it's not that dir but the other. Maybe you can find an httpd.conf directive or a module that lets you start a sub process, then have it start something that gives a shell (xterm, screen, vnc), then you play around from the perspective of the process and see what doesn't work.

-Bjorn

From matt at atopia.net Tue Jul 14 20:03:37 2009
From: matt at atopia.net (Matt Juszczak)
Date: Tue, 14 Jul 2009 20:03:37 -0400 (EDT)
Subject: [nycbug-talk] Apache and FreeBSD
In-Reply-To: <4A5BCAC0.8000809@belovedarctos.com>
References: <403486650-1246487881-cardhu_decombobulator_blackberry.rim.net-1022198236-@bxe1284.bisx.prod.on.blackberry> <4A5BB5A5.2090109@belovedarctos.com> <4A5BB802.5020002@belovedarctos.com> <4A5BC0B4.90504@belovedarctos.com> <4A5BCAC0.8000809@belovedarctos.com>
Message-ID:

> Can you try to recreate what httpd is doing? As www, try to mktemp in /tmp
> or run a flock on a file in /var/log. Alternatively, try to remove perms
> from either dir to www to see if you can see the behavior just before it
> errors. If you see the behavior before the crash, then you know it's not
> that dir but the other. Maybe you can find an httpd.conf directive or a
> module that lets you start a sub process, then have it start something that
> gives a shell (xterm, screen, vnc), then you play around from the perspective
> of the process and see what doesn't work.

It isn't actually crashing (well, not unless it gets totally bogged down). For the most part, we're just spiraling the box.

From o_sleep at belovedarctos.com Tue Jul 14 22:12:17 2009
From: o_sleep at belovedarctos.com (Bjorn Nelson)
Date: Tue, 14 Jul 2009 22:12:17 -0400
Subject: [nycbug-talk] Apache and FreeBSD
In-Reply-To:
References: <403486650-1246487881-cardhu_decombobulator_blackberry.rim.net-1022198236-@bxe1284.bisx.prod.on.blackberry> <4A5BB5A5.2090109@belovedarctos.com> <4A5BB802.5020002@belovedarctos.com> <4A5BC0B4.90504@belovedarctos.com> <4A5BCAC0.8000809@belovedarctos.com>
Message-ID: <4A5D3B01.9030603@belovedarctos.com>

Matt Juszczak wrote:
>> Can you try to recreate what httpd is doing? As www, try to mktemp
>> in /tmp or run a flock on a file in /var/log. Alternatively, try to
>> remove perms from either dir to www to see if you can see the
>> behavior just before it errors. If you see the behavior before the
>> crash, then you know it's not that dir but the other. Maybe you can
>> find an httpd.conf directive or a module that lets you start a sub
>> process, then have it start something that gives a shell (xterm,
>> screen, vnc), then you play around from the perspective of the
>> process and see what doesn't work.
>
> It isn't actually crashing (well, not unless it gets totally bogged
> down). For the most part, we're just spiraling the box.

I mean for you to force a crash or rather a permission error and see if the behavior happens before or after it depending on which place you lock down. Then you will know what component is actually affecting your behavior.
-Bjorn

From matt at atopia.net Wed Jul 15 09:24:57 2009
From: matt at atopia.net (Matt Juszczak)
Date: Wed, 15 Jul 2009 09:24:57 -0400 (EDT)
Subject: [nycbug-talk] Apache and FreeBSD
In-Reply-To: <4A5D3B01.9030603@belovedarctos.com>
References: <403486650-1246487881-cardhu_decombobulator_blackberry.rim.net-1022198236-@bxe1284.bisx.prod.on.blackberry> <4A5BB5A5.2090109@belovedarctos.com> <4A5BB802.5020002@belovedarctos.com> <4A5BC0B4.90504@belovedarctos.com> <4A5BCAC0.8000809@belovedarctos.com> <4A5D3B01.9030603@belovedarctos.com>
Message-ID:

> I mean for you to force a crash or rather a permission error and see if the
> behavior happens before or after it depending on which place you lock down.
> Then you will know what component is actually affecting your behavior.

Ah, understood. OK, will try that. Thank you.

No idea why so many of /tmp are listed in lsof?

From drulavigne at sympatico.ca Thu Jul 16 10:24:49 2009
From: drulavigne at sympatico.ca (Dru Lavigne)
Date: Thu, 16 Jul 2009 14:24:49 +0000
Subject: [nycbug-talk] BSDA exam
Message-ID:

Just a reminder that the BSDA exam will be in NYC on August 2:

https://register.bsdcertification.org//register/events/nycbug

and that no one has registered and paid yet :-(

Cheers,

Dru

From bonsaime at gmail.com Thu Jul 16 12:25:02 2009
From: bonsaime at gmail.com (Jesse Callaway)
Date: Thu, 16 Jul 2009 12:25:02 -0400
Subject: [nycbug-talk] BSDA exam
In-Reply-To:
References:
Message-ID:

On Thu, Jul 16, 2009 at 10:24 AM, Dru Lavigne wrote:
> Just a reminder that the BSDA exam will be in NYC on August 2:
>
> https://register.bsdcertification.org//register/events/nycbug
>
> and that no one has registered and paid yet :-(
>
> Cheers,
>
> Dru
>

I'm definitely in. Getting BSCG ID now...
s/(/)/

From matt at atopia.net Tue Jul 21 16:58:36 2009
From: matt at atopia.net (Matt Juszczak)
Date: Tue, 21 Jul 2009 16:58:36 -0400 (EDT)
Subject: [nycbug-talk] FreeBSD 7.1-RELEASE perl issues
Message-ID:

Hi all,

I'm having trouble diagnosing a perl issue. I have a hypothesis on what's going on.

At some point, I think FreeBSD 7.1-RELEASE was installed by our data center techs with perl 5.8.8 installed. It was installed into /usr/local/bin/perl5.8.8, and a symlink of /usr/bin/perl was created.

I installed some things from ports which required 5.8.9 (or added it as a dependency, anyway). Right now, every FreeBSD box I have has the perl-5.8.9_2.tbz package installed. However, some have a /usr/bin/perl, some don't. And that's my problem.

If I login to a *newer* 7.1-RELEASE box, here's what I get:

s104$ ls -l /usr/bin/perl*
ls: /usr/bin/perl*: No such file or directory
s104$ ls -l /usr/local/bin/perl*
-rwxr-xr-x 2 root wheel 7248 May 17 02:19 /usr/local/bin/perl
-r-xr-xr-x 1 root wheel 13698 May 17 02:19 /usr/local/bin/perl-after-upgrade
lrwxr-xr-x 1 root wheel 24 Jul 21 13:50 /usr/local/bin/perl5 -> /usr/local/bin/perl5.8.9
-rwxr-xr-x 2 root wheel 7248 May 17 02:19 /usr/local/bin/perl5.8.9
-rwxr-xr-x 2 root wheel 44787 May 17 02:18 /usr/local/bin/perlbug
-rwxr-xr-x 1 root wheel 17965 May 17 02:18 /usr/local/bin/perlcc
-rwxr-xr-x 1 root wheel 236 May 17 02:18 /usr/local/bin/perldoc
-rwxr-xr-x 1 root wheel 12286 May 17 02:18 /usr/local/bin/perlivp
-rwxr-xr-x 2 root wheel 44787 May 17 02:18 /usr/local/bin/perlthanks
s104$ ls /var/db/pkg | grep perl
perl-5.8.9_2

So perl 5.8.8 isn't installed at all, and /usr/bin/perl doesn't exist.

If I look at an older box, I get:

s504$ ls -l /usr/bin/perl*
lrwxr-xr-x 1 root wheel 24 Apr 24 14:25 /usr/bin/perl -> /usr/local/bin/perl5.8.8
lrwxr-xr-x 1 root wheel 24 Apr 24 14:25 /usr/bin/perl5 -> /usr/local/bin/perl5.8.8
s504$ ls -l /usr/local/bin/perl*
-rwxr-xr-x 2 root wheel 7248 Apr 27 06:59 /usr/local/bin/perl
-r-xr-xr-x 1 root wheel 13698 Apr 27 06:59 /usr/local/bin/perl-after-upgrade
lrwxr-xr-x 1 root wheel 24 Apr 28 18:41 /usr/local/bin/perl5 -> /usr/local/bin/perl5.8.9
-rwxr-xr-x 1 root wheel 12968 Dec 9 2008 /usr/local/bin/perl5.8.8
-rwxr-xr-x 2 root wheel 7248 Apr 27 06:59 /usr/local/bin/perl5.8.9
-rwxr-xr-x 2 root wheel 44787 Apr 27 06:58 /usr/local/bin/perlbug
-rwxr-xr-x 1 root wheel 17965 Apr 27 06:58 /usr/local/bin/perlcc
-rwxr-xr-x 1 root wheel 236 Apr 27 06:58 /usr/local/bin/perldoc
-rwxr-xr-x 1 root wheel 12286 Apr 27 06:58 /usr/local/bin/perlivp
-rwxr-xr-x 2 root wheel 44787 Apr 27 06:58 /usr/local/bin/perlthanks
s504$

As you can see, there is stuff in /usr/bin/perl that was setup the day the server was installed, but a perl5.8.8 binary with a date of Dec 9, 2008.

My gut is, perl 5.8.8 was installed via /usr/sbin/sysinstall on some of these boxes, and not on others. Is that a fair guess? If so, I've seen a "use.perl" script somewhere that tells the system which perl you want to use, but I assumed the perl5.8.9 port would create the /usr/bin/perl symlink, and it doesn't seem to be doing that.

Thanks for any suggestions!

-M

From akosela at andykosela.com Wed Jul 22 02:43:51 2009
From: akosela at andykosela.com (Andy Kosela)
Date: Wed, 22 Jul 2009 08:43:51 +0200
Subject: [nycbug-talk] FreeBSD 7.1-RELEASE perl issues
In-Reply-To:
References:
Message-ID: <4a66b527.Ut0W2Z0IRgeEYrvs%akosela@andykosela.com>

Matt Juszczak wrote:

> My gut is, perl 5.8.8 was installed via /usr/sbin/sysinstall on some of
> these boxes, and not on others. Is that a fair guess?
> If so, I've seen a "use.perl" script somewhere that tells the system which perl you want to
> use, but I assumed the perl5.8.9 port would create the /usr/bin/perl
> symlink, and it doesn't seem to be doing that.

By simply looking at /usr/ports/lang/perl5.8/Makefile it seems something is not right in your installation. Do you really need both versions of perl? I would wipe it all and reinstall from scratch the latest 5.8.x.

--Andy

From matt at atopia.net Wed Jul 22 09:04:21 2009
From: matt at atopia.net (Matt Juszczak)
Date: Wed, 22 Jul 2009 09:04:21 -0400 (EDT)
Subject: [nycbug-talk] FreeBSD 7.1-RELEASE perl issues
In-Reply-To: <4a66b527.Ut0W2Z0IRgeEYrvs%akosela@andykosela.com>
References: <4a66b527.Ut0W2Z0IRgeEYrvs%akosela@andykosela.com>
Message-ID:

> By simply looking at /usr/ports/lang/perl5.8/Makefile it seems something
> is not right in your installation. Do you really need both versions of
> perl? I would wipe it all and reinstall from scratch the latest 5.8.x.

What do you mean something isn't right? What would be wrong?

And I'm not sure how both versions are on these boxes, but that's the case. I believe perl 5.8.8 got installed via sysinstall, but there's no record of it in /var/db/pkg.

From billtotman at billtotman.com Wed Jul 22 09:16:35 2009
From: billtotman at billtotman.com (billtotman at billtotman.com)
Date: Wed, 22 Jul 2009 13:16:35 +0000
Subject: [nycbug-talk] FreeBSD 7.1-RELEASE perl issues
Message-ID: <1659642232-1248268630-cardhu_decombobulator_blackberry.rim.net-889863803-@bxe1028.bisx.prod.on.blackberry>

Matt wrote: And I'm not sure how both versions are on these boxes, but that's the case. I believe perl 5.8.8 got installed via sysinstall, but there's no record of it in /var/db/pkg.

Check the contents of "/etc/make.conf" - it might have a clue as to what's going on with your perl versions.

-BT

------Original Message------
From: Matt Juszczak
Sender: talk-bounces at lists.nycbug.org
To: Andy Kosela
Cc: talk at lists.nycbug.org
Cc: brian at atopia.net
Subject: Re: [nycbug-talk] FreeBSD 7.1-RELEASE perl issues
Sent: Jul 22, 2009 09:04

> By simply looking at /usr/ports/lang/perl5.8/Makefile it seems something
> is not right in your installation. Do you really need both versions of
> perl? I would wipe it all and reinstall from scratch the latest 5.8.x.

What do you mean something isn't right? What would be wrong?

And I'm not sure how both versions are on these boxes, but that's the case. I believe perl 5.8.8 got installed via sysinstall, but there's no record of it in /var/db/pkg.

From matt at atopia.net Wed Jul 22 09:22:10 2009
From: matt at atopia.net (Matt Juszczak)
Date: Wed, 22 Jul 2009 09:22:10 -0400 (EDT)
Subject: [nycbug-talk] FreeBSD 7.1-RELEASE perl issues
In-Reply-To: <1659642232-1248268630-cardhu_decombobulator_blackberry.rim.net-889863803-@bxe1028.bisx.prod.on.blackberry>
References: <1659642232-1248268630-cardhu_decombobulator_blackberry.rim.net-889863803-@bxe1028.bisx.prod.on.blackberry>
Message-ID:

> Check the contents of "/etc/make.conf" - it might have a clue as to
> what's going on with your perl versions.

Already did. Nothing related to perl.

From brian.gupta at gmail.com Wed Jul 22 12:33:36 2009
From: brian.gupta at gmail.com (Brian Gupta)
Date: Wed, 22 Jul 2009 12:33:36 -0400
Subject: [nycbug-talk] Need network cabling/wiring vendor recommendations.
In-Reply-To: <5b5090780907220930q66744f21kff24ddf7a748f061@mail.gmail.com>
References: <5b5090780907220930q66744f21kff24ddf7a748f061@mail.gmail.com>
Message-ID: <5b5090780907220933g12c127a3yb867a7b7f2be6830@mail.gmail.com>

Basically I have a job requiring the termination of roughly 100+ RJ45 (Cat5/6) receptacles, with basically no cable pulling required.

Please address all replies to brian.gupta at brandorr.com.

Thanks,
Brian

- Brian Gupta

New York City user groups calendar:
http://nyc.brandorr.com/

From matt at atopia.net Thu Jul 23 09:24:58 2009
From: matt at atopia.net (Matt Juszczak)
Date: Thu, 23 Jul 2009 09:24:58 -0400 (EDT)
Subject: [nycbug-talk] VPS solutions?
Message-ID:

Hi all,

I need to setup a few production VPS servers on a quad core beefy box.

Seems like some options we have are OpenVZ, HyperVM, and Virtuozzo. This will be my first venture into the virtualization world, and I'm wondering which option is better cost-wise (the latter isn't free), and FreeBSD-wise (I'd like to run at least one or two FreeBSD instances).

Thanks!

-Matt

From dave at donnerjack.com Thu Jul 23 09:34:07 2009
From: dave at donnerjack.com (David Lawson)
Date: Thu, 23 Jul 2009 09:34:07 -0400
Subject: [nycbug-talk] VPS solutions?
In-Reply-To:
References:
Message-ID: <451D6A3A-FB18-4CDD-A0ED-B7AB93951DB9@donnerjack.com>

I'd at least consider Xen as well, since that's the free version of Virtuozzo, basically.

--Dave

On Jul 23, 2009, at 9:24 AM, Matt Juszczak wrote:

> Hi all,
>
> I need to setup a few production VPS servers on a quad core beefy box.
>
> Seems like some options we have are OpenVZ, HyperVM, and Virtuozzo. This
> will be my first venture into the virtualization world, and I'm wondering
> which option is better cost-wise (the latter isn't free), and FreeBSD-wise
> (I'd like to run at least one or two FreeBSD instances).
>
> Thanks!
>
> -Matt

From pete at nomadlogic.org Thu Jul 23 08:11:45 2009
From: pete at nomadlogic.org (User Pete)
Date: Thu, 23 Jul 2009 12:11:45 +0000
Subject: [nycbug-talk] VPS solutions?
In-Reply-To:
References:
Message-ID: <20090723121141.GA40554@pv.nomadlogic.org>

On Thu, Jul 23, 2009 at 09:24:58AM -0400, Matt Juszczak wrote:
> Hi all,
>
> I need to setup a few production VPS servers on a quad core beefy box.
>
> Seems like some options we have are OpenVZ, HyperVM, and Virtuozzo. This
> will be my first venture into the virtualization world, and I'm wondering
> which option is better cost-wise (the latter isn't free), and FreeBSD-wise
> (I'd like to run at least one or two FreeBSD instances).
>

I'd say that Xen may be your best bet atm. i know this is what rootbsd.net is using for their VPS offerings and it seems to work quite well. a close second for bsd systems would be sun's virtual-box imho.

virtual box will allow you to run freebsd as the hypervisor as well as a "guest". for xen i've heard good things about using netbsd as the hypervisor.

http://wiki.freebsd.org/FreeBSD/Xen
http://www.virtualbox.org/

-p

From akosela at andykosela.com Fri Jul 24 02:53:30 2009
From: akosela at andykosela.com (Andy Kosela)
Date: Fri, 24 Jul 2009 08:53:30 +0200
Subject: [nycbug-talk] VPS solutions?
In-Reply-To: <20090723121141.GA40554@pv.nomadlogic.org>
References: <20090723121141.GA40554@pv.nomadlogic.org>
Message-ID: <4a695a6a.Zi/eeUk8V8+lQUcZ%akosela@andykosela.com>

pete at nomadlogic.org (User Pete) wrote:

> On Thu, Jul 23, 2009 at 09:24:58AM -0400, Matt Juszczak wrote:
> > Hi all,
> >
> > I need to setup a few production VPS servers on a quad core beefy box.
> >
> > Seems like some options we have are OpenVZ, HyperVM, and Virtuozzo.
> > This will be my first venture into the virtualization world, and I'm wondering
> > which option is better cost-wise (the latter isn't free), and FreeBSD-wise
> > (I'd like to run at least one or two FreeBSD instances).
> >
>
> I'd say that Xen may be your best bet atm. i know this is what
> rootbsd.net is using for their VPS offerings and it seems to work quite
> well. a close second for bsd systems would be sun's virtual-box imho.
>
> virtual box will allow you to run freebsd as the hypervisor as well as a
> "guest". for xen i've heard good things about using netbsd as the
> hypervisor.

If you think about serious virtualization I would not consider virtualbox as an option. It is good for "home" development as this doesn't really compare to real VZ solutions like VMWare ESXi or Citrix XenServer, as those are bare metal hypervisors. If you wanna go with that, I would choose VMWare as they got full support for FreeBSD as guest.

On the other note though, why not use FreeBSD's native jail(8). This is a very mature and advanced virtualization technology especially now with full virtual network stack implemented.

--Andy

From pete at nomadlogic.org Sun Jul 26 19:27:39 2009
From: pete at nomadlogic.org (User Pete)
Date: Sun, 26 Jul 2009 23:27:39 +0000
Subject: [nycbug-talk] VPS solutions?
In-Reply-To: <4a695a6a.Zi/eeUk8V8+lQUcZ%akosela@andykosela.com>
References: <20090723121141.GA40554@pv.nomadlogic.org> <4a695a6a.Zi/eeUk8V8+lQUcZ%akosela@andykosela.com>
Message-ID: <20090726232735.GA14827@pv.nomadlogic.org>

On Fri, Jul 24, 2009 at 08:53:30AM +0200, Andy Kosela wrote:
> pete at nomadlogic.org (User Pete) wrote:
>
> > On Thu, Jul 23, 2009 at 09:24:58AM -0400, Matt Juszczak wrote:
> > > Hi all,
> > >
> > > I need to setup a few production VPS servers on a quad core beefy box.
> > >
> > > Seems like some options we have are OpenVZ, HyperVM, and Virtuozzo.
> > > This will be my first venture into the virtualization world, and I'm wondering
> > > which option is better cost-wise (the latter isn't free), and FreeBSD-wise
> > > (I'd like to run at least one or two FreeBSD instances).
> > >
> >
> > I'd say that Xen may be your best bet atm. i know this is what
> > rootbsd.net is using for their VPS offerings and it seems to work quite
> > well. a close second for bsd systems would be sun's virtual-box imho.
> >
> > virtual box will allow you to run freebsd as the hypervisor as well as a
> > "guest". for xen i've heard good things about using netbsd as the
> > hypervisor.
>
> If you think about serious virtualization I would not consider
> virtualbox as an option. It is good for "home" development as this
> doesn't really compare to real VZ solutions like VMWare ESXi or Citrix
> XenServer, as those are bare metal hypervisors. If you wanna go with
> that, I would choose VMWare as they got full support for FreeBSD as
> guest.

hrm - i guess i can see what you mean in regards of commercial support but one feature that i feel has always been a problem for vmware (and to a lesser extent xenserver) is the api in which i can program against it with. i have built a fair amount of production systems using both xen and kvm with heavy leveraging lib-virt (sorry, ot since this run on linux systems). from what i understand about the virtualbox road map i hope it is going to have a friendly api as well.

this is not to say that vmware does not have an api (obviously it does, as well as a cli) - but i never felt comfortable programming in it. this does not even touch the fact that you need to run windows for live migration of vm's (this may have changed but was definitely a show stopper for any prod systems i needed to support) along with other advanced management tasks.

>
> On the other note though, why not use FreeBSD's native jail(8).
> This is a very mature and advanced virtualization technology especially now with
> full virtual network stack implemented.
>

+1 there!

-p

From matt at atopia.net Sun Jul 26 23:31:41 2009
From: matt at atopia.net (Matt Juszczak)
Date: Sun, 26 Jul 2009 23:31:41 -0400 (EDT)
Subject: [nycbug-talk] VPS solutions?
In-Reply-To: <20090726232735.GA14827@pv.nomadlogic.org>
References: <20090723121141.GA40554@pv.nomadlogic.org> <4a695a6a.Zi/eeUk8V8+lQUcZ%akosela@andykosela.com> <20090726232735.GA14827@pv.nomadlogic.org>
Message-ID:

> hrm - i guess i can see what you mean in regards of commercial support
> but one feature that i feel has always been a problem for vmware (and
> to a lesser extent xenserver) is the api in which i can program against
> it with. i have built a fair amount of production systems using both
> xen and kvm with heavy leveraging lib-virt (sorry, ot since this run on
> linux systems). from what i understand about the virtualbox road map i
> hope it is going to have a friendly api as well.

We are not going to get that elaborate in this setup. We need a solution that is cheap, and allows us to run 2 Linux instances and 2 FreeBSD instances on a single, 64 bit multi processor box.

We would like something simple, reliable, and preferably cheap if not free. This will most likely be a "launch it and forget it" setup, where we'll set the four or five instances up, OS each instance, and launch it as a production box. Once that's up and running, we probably won't touch them again for a while, and there's no need to automate or anything like that.

So with that in mind - simplicity and reliability - can anyone recommend a solution that fits these needs? (Cheap and supports both OS's).

We will have Console access to the box if that helps.

-M

From carton at Ivy.NET Mon Jul 27 01:02:10 2009
From: carton at Ivy.NET (Miles Nordin)
Date: Mon, 27 Jul 2009 01:02:10 -0400
Subject: [nycbug-talk] VPS solutions?
In-Reply-To: <20090726232735.GA14827@pv.nomadlogic.org> (User Pete's message of "Sun, 26 Jul 2009 23:27:39 +0000")
References: <20090723121141.GA40554@pv.nomadlogic.org> <4a695a6a.Zi/eeUk8V8+lQUcZ%akosela@andykosela.com> <20090726232735.GA14827@pv.nomadlogic.org>
Message-ID:

>>>>> "up" == User Pete writes:

    up> you need to run windows for live migration of vm's

weak!

I think it would be smart to make a live migration storage platform from DRBD, AVS/ii, or zfs send/recv rather than proper shared storage. This would require bringing the hypervisor and the storage under control of the same script, so involving windows is a fail.

From pete at nomadlogic.org Mon Jul 27 08:22:40 2009
From: pete at nomadlogic.org (User Pete)
Date: Mon, 27 Jul 2009 12:22:40 +0000
Subject: [nycbug-talk] VPS solutions?
In-Reply-To:
References: <20090723121141.GA40554@pv.nomadlogic.org> <4a695a6a.Zi/eeUk8V8+lQUcZ%akosela@andykosela.com> <20090726232735.GA14827@pv.nomadlogic.org>
Message-ID: <20090727122237.GA68801@pv.nomadlogic.org>

On Mon, Jul 27, 2009 at 01:02:10AM -0400, Miles Nordin wrote:
> >>>>> "up" == User Pete writes:
>
> up> you need to run windows for live migration of vm's
>
> weak!
>
> I think it would be smart to make a live migration storage platform
> from DRBD, AVS/ii, or zfs send/recv rather than proper shared storage.
> This would require bringing the hypervisor and the storage under
> control of the same script, so involving windows is a fail.

yea - that's when the meeting with vmware came to an end. it was kinda awkward to say the least :)

fwiw i don't think moving the bits from one hypervisor to another is the hard bit (in fact we were using netapps and fcp or iscsi for our block devices so that bit just worked).
i think they had some "magic" on the windows controller that synchronized the hypervisors to do the live migration. i dunno i kinda stopped listening to them when they told me i needed a win2k server to make this all work. it wouldn't have been such a huge issue but i already had it working with rhel5, xen and lib-virt.

-p

From akosela at andykosela.com Mon Jul 27 14:27:37 2009
From: akosela at andykosela.com (Andy Kosela)
Date: Mon, 27 Jul 2009 20:27:37 +0200
Subject: [nycbug-talk] VPS solutions?
In-Reply-To:
References: <20090723121141.GA40554@pv.nomadlogic.org> <4a695a6a.Zi/eeUk8V8+lQUcZ%akosela@andykosela.com> <20090726232735.GA14827@pv.nomadlogic.org>
Message-ID: <4a6df199.5fyh3gQ7Cnlh9Wij%akosela@andykosela.com>

Matt Juszczak wrote:

> > hrm - i guess i can see what you mean in regards of commercial support
> > but one feature that i feel has always been a problem for vmware (and
> > to a lesser extent xenserver) is the api in which i can program against
> > it with. i have built a fair amount of production systems using both
> > xen and kvm with heavy leveraging lib-virt (sorry, ot since this run on
> > linux systems). from what i understand about the virtualbox road map i
> > hope it is going to have a friendly api as well.
>
> We are not going to get that elaborate in this setup. We need a solution
> that is cheap, and allows us to run 2 Linux instances and 2 FreeBSD
> instances on a single, 64 bit multi processor box.
>
> We would like something simple, reliable, and preferably cheap if not
> free. This will most likely be a "launch it and forget it" setup, where
> we'll set the four or five instances up, OS each instance, and launch it
> as a production box. Once that's up and running, we probably won't touch
> them again for a while, and there's no need to automate or anything like
> that.
>
> So with that in mind - simplicity and reliability - can anyone recommend a
> solution that fits these needs? (Cheap and supports both OS's).

Then I would definitely recommend once again either VMware or Citrix XenServer. I don't think anything can surpass those technologies in simplicity and ease of management. And on top of that both technologies are free of charge at the moment. Citrix free version seems to offer a little bit more than VMware but I think you need to check out both to really see which one you like more.

I would choose VMware anyday because it is really a standard in virtualization technology and FreeBSD has been supported on it as a guest for years now. And what's wrong with having one Windoze box as a management machine? You probably have a lot more of these Windoze management boxes as pretty much everything in the enterprise sector (storage arrays etc.) needs one. HP EVA or XP comes to my mind.

--Andy

From matt at atopia.net Wed Jul 29 01:32:03 2009
From: matt at atopia.net (Matt Juszczak)
Date: Wed, 29 Jul 2009 01:32:03 -0400 (EDT)
Subject: [nycbug-talk] VPS solutions?
In-Reply-To: <4a6df199.5fyh3gQ7Cnlh9Wij%akosela@andykosela.com>
References: <20090723121141.GA40554@pv.nomadlogic.org> <4a695a6a.Zi/eeUk8V8+lQUcZ%akosela@andykosela.com> <20090726232735.GA14827@pv.nomadlogic.org> <4a6df199.5fyh3gQ7Cnlh9Wij%akosela@andykosela.com>
Message-ID:

> I would choose VMware anyday because it is really a standard in
> virtualization technology and FreeBSD has been supported on it as a
> guest for years now. And what's wrong with having one Windoze box as a
> management machine?

So are you saying that in order to use VMware, you have to have a windows machine to manage it? We only have access to Unix-based OS's and console.

There isn't a good solution that supports both FreeBSD and linux that we can manage right from the console of the master box?

From akosela at andykosela.com Wed Jul 29 05:22:52 2009
From: akosela at andykosela.com (Andy Kosela)
Date: Wed, 29 Jul 2009 11:22:52 +0200
Subject: [nycbug-talk] VPS solutions?
In-Reply-To:
References: <20090723121141.GA40554@pv.nomadlogic.org> <4a695a6a.Zi/eeUk8V8+lQUcZ%akosela@andykosela.com> <20090726232735.GA14827@pv.nomadlogic.org> <4a6df199.5fyh3gQ7Cnlh9Wij%akosela@andykosela.com>
Message-ID: <4a7014ec.jZXbGw0DdgF70vkz%akosela@andykosela.com>

Matt Juszczak wrote:

> > I would choose VMware anyday because it is really a standard in
> > virtualization technology and FreeBSD has been supported on it as a
> > guest for years now. And what's wrong with having one Windoze box as a
> > management machine?
>
> So are you saying that in order to use VMware, you have to have a windows
> machine to manage it? We only have access to Unix-based OS's and console.

There is a beta version of vCenter for Linux.

http://communities.vmware.com/community/beta/vcserver_linux

> There isn't a good solution that supports both FreeBSD and linux that we
> can manage right from the console of the master box?

This is exactly what VMware and Citrix Xen are addressing. They allow to remotely manage all virtual resources from the central console.

Though I will leave it to others to comment on the stability of FreeBSD under Xen. I only know about VMware and I can say that the speed and performance is good. Linux is probably behaving similar under both technologies.

--Andy

From matt at atopia.net Wed Jul 29 08:46:15 2009
From: matt at atopia.net (Matt Juszczak)
Date: Wed, 29 Jul 2009 08:46:15 -0400 (EDT)
Subject: [nycbug-talk] VPS solutions?
In-Reply-To: <4a7014ec.jZXbGw0DdgF70vkz%akosela@andykosela.com>
References: <20090723121141.GA40554@pv.nomadlogic.org> <4a695a6a.Zi/eeUk8V8+lQUcZ%akosela@andykosela.com> <20090726232735.GA14827@pv.nomadlogic.org> <4a6df199.5fyh3gQ7Cnlh9Wij%akosela@andykosela.com> <4a7014ec.jZXbGw0DdgF70vkz%akosela@andykosela.com>
Message-ID:

> This is exactly what VMware and Citrix Xen are addressing. They allow
> to remotely manage all virtual resources from the central console.

So what was the "single windows management box" that was mentioned earlier in the thread for?

> Though I will leave it to others to comment on the stability of FreeBSD
> under Xen. I only know about VMware and I can say that the speed and
> performance is good. Linux is probably behaving similar under both
> technologies.

OK, thanks! Anyone have experience with Xen?

From akosela at andykosela.com Wed Jul 29 08:57:34 2009
From: akosela at andykosela.com (Andy Kosela)
Date: Wed, 29 Jul 2009 14:57:34 +0200
Subject: [nycbug-talk] VPS solutions?
In-Reply-To:
References: <20090723121141.GA40554@pv.nomadlogic.org> <4a695a6a.Zi/eeUk8V8+lQUcZ%akosela@andykosela.com> <20090726232735.GA14827@pv.nomadlogic.org> <4a6df199.5fyh3gQ7Cnlh9Wij%akosela@andykosela.com> <4a7014ec.jZXbGw0DdgF70vkz%akosela@andykosela.com>
Message-ID: <4a70473e.QJ6WCYizwClBKXzV%akosela@andykosela.com>

Matt Juszczak wrote:

> > This is exactly what VMware and Citrix Xen are addressing. They allow
> > to remotely manage all virtual resources from the central console.
>
> So what was the "single windows management box" that was mentioned earlier
> in the thread for?

VMware recommends Windows appliance to run vCenter. Personally I have nothing against it as it's all GUI console anyway. My point was that nearly all vendors use some form of Windows management box when it comes to enterprise. Some call it SMS (Systems Management Server) or similar but you need one to access those GUI consoles.

--Andy

From billtotman at billtotman.com Wed Jul 29 09:15:17 2009
From: billtotman at billtotman.com (Bill Totman)
Date: Wed, 29 Jul 2009 09:15:17 -0400
Subject: [nycbug-talk] FreeBSD 7.1-RELEASE perl issues
In-Reply-To:
References: <1659642232-1248268630-cardhu_decombobulator_blackberry.rim.net-889863803-@bxe1028.bisx.prod.on.blackberry>
Message-ID: <98e9d1d30907290615m6a4359d7t9c64f78ce3f57a80@mail.gmail.com>

Don't know if this will help but while building Perl anew I noticed this config option:

[X] USE_PERL Rewrite links in /usr/bin

On Wed, Jul 22, 2009 at 9:22 AM, Matt Juszczak wrote:

>> Check the contents of "/etc/make.conf" - it might have a clue as to what's
>> going on with your perl versions.
>
> Already did. Nothing related to perl.

From matt at atopia.net Wed Jul 29 09:19:15 2009
From: matt at atopia.net (Matt Juszczak)
Date: Wed, 29 Jul 2009 09:19:15 -0400 (EDT)
Subject: [nycbug-talk] FreeBSD 7.1-RELEASE perl issues
In-Reply-To: <98e9d1d30907290615m6a4359d7t9c64f78ce3f57a80@mail.gmail.com>
References: <1659642232-1248268630-cardhu_decombobulator_blackberry.rim.net-889863803-@bxe1028.bisx.prod.on.blackberry> <98e9d1d30907290615m6a4359d7t9c64f78ce3f57a80@mail.gmail.com>
Message-ID:

Hi Bill,

Wow, awesome! I didn't notice that. Is it checked by default?

-M

On Wed, 29 Jul 2009, Bill Totman wrote:

> Don't know if this will help but while building Perl anew I noticed this config option:
>
> [X] USE_PERL Rewrite links in /usr/bin
>
> On Wed, Jul 22, 2009 at 9:22 AM, Matt Juszczak wrote:
> Check the contents of "/etc/make.conf" - it might have a clue as to what's going on with your
> perl versions.
>
> Already did. Nothing related to perl.
>
>
>
>

From billtotman at billtotman.com Wed Jul 29 10:17:33 2009
From: billtotman at billtotman.com (billtotman at billtotman.com)
Date: Wed, 29 Jul 2009 14:17:33 +0000
Subject: [nycbug-talk] FreeBSD 7.1-RELEASE perl issues
Message-ID: <1240275698-1248877093-cardhu_decombobulator_blackberry.rim.net-1590362112-@bxe1028.bisx.prod.on.blackberry>

Yes, that is the default, and it means it can be unchecked if one installs another version of Perl.

-BT

------Original Message------
From: Matt Juszczak
To: Bill Totman
Cc: talk at lists.nycbug.org
Subject: Re: [nycbug-talk] FreeBSD 7.1-RELEASE perl issues
Sent: Jul 29, 2009 09:19

Hi Bill,

Wow, awesome! I didn't notice that. Is it checked by default?

-M

On Wed, 29 Jul 2009, Bill Totman wrote:
> Don't know if this will help but while building Perl anew I noticed this config option:
>
> [X] USE_PERL Rewrite links in /usr/bin
>
>
>
> On Wed, Jul 22, 2009 at 9:22 AM, Matt Juszczak wrote:
> Check the contents of "/etc/make.conf" - it might have a clue as to what's going on with your
> perl versions.
>
>
> Already did. Nothing related to perl.
>
>
>
>
Sent via BlackBerry by AT&T

From marcoscoffier at gmail.com Thu Jul 30 21:12:22 2009
From: marcoscoffier at gmail.com (Marco Scoffier)
Date: Thu, 30 Jul 2009 21:12:22 -0400
Subject: [nycbug-talk] dns slaves serve up empty data
Message-ID:

Help.

Today suddenly the servers which I have set up to slave for my domain are serving empty pages.

$ dig metm.org @ns6.gandi.net

; <<>> DiG 9.5.1-P2 <<>> metm.org @ns6.gandi.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 6198
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;metm.org. IN A

;; Query time: 98 msec
;; SERVER: 217.70.177.40#53(217.70.177.40)
;; WHEN: Thu Jul 30 21:08:19 2009
;; MSG SIZE rcvd: 26

Which means my main server has become completely inaccessible.
I have tested everything I can think of. The master server (my machine) is serving up the dns info properly. Transfers are allowed. I was trying to test the zone transfer with telnet but don't know the commands. I can telnet to 53.

When I request the dns info directly from my ip everything is ok. (see below)

Any ideas? Very annoyed at this one...

Marco

$ dig metm.org @69.31.45.154

; <<>> DiG 9.5.1-P2 <<>> metm.org @69.31.45.154
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5074
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 2

;; QUESTION SECTION:
;metm.org. IN A

;; ANSWER SECTION:
metm.org. 86400 IN A 69.31.45.154

;; AUTHORITY SECTION:
metm.org. 86400 IN NS ns1.xname.org.
metm.org. 86400 IN NS ns6.gandi.net.
metm.org. 86400 IN NS ns.metm.org.
metm.org. 86400 IN NS ns0.xname.org.

;; ADDITIONAL SECTION:
ns.metm.org. 86400 IN A 69.31.45.154
ns6.gandi.net. 170942 IN A 217.70.177.40

;; Query time: 264 msec
;; SERVER: 69.31.45.154#53(69.31.45.154)
;; WHEN: Thu Jul 30 21:11:10 2009
;; MSG SIZE rcvd: 160
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From billtotman at billtotman.com Thu Jul 30 21:48:10 2009
From: billtotman at billtotman.com (billtotman at billtotman.com)
Date: Fri, 31 Jul 2009 01:48:10 +0000
Subject: [nycbug-talk] dns slaves serve up empty data
In-Reply-To:
References:
Message-ID: <920498180-1249004931-cardhu_decombobulator_blackberry.rim.net-91468090-@bxe1028.bisx.prod.on.blackberry>

Have you seen the latest DNS security reports and applied the latest patches?
-BT
Sent via BlackBerry by AT&T

-----Original Message-----
From: Marco Scoffier
Date: Thu, 30 Jul 2009 21:12:22
To:
Subject: [nycbug-talk] dns slaves serve up empty data

_______________________________________________
talk mailing list
talk at lists.nycbug.org
http://lists.nycbug.org/mailman/listinfo/talk

From marcoscoffier at gmail.com Thu Jul 30 22:15:59 2009
From: marcoscoffier at gmail.com (Marco Scoffier)
Date: Thu, 30 Jul 2009 22:15:59 -0400
Subject: [nycbug-talk] dns slaves serve up empty data
In-Reply-To: <920498180-1249004931-cardhu_decombobulator_blackberry.rim.net-91468090-@bxe1028.bisx.prod.on.blackberry>
References: <920498180-1249004931-cardhu_decombobulator_blackberry.rim.net-91468090-@bxe1028.bisx.prod.on.blackberry>
Message-ID:

Hi Bill,

Thanks for the response. I updated the sources about 2 weeks ago. And just re-updated the bind and named now as per this page
http://www.cyberciti.biz/faq/freebsd-patch-upgrade-bind-9x/

Funny thing is that I don't see the "sending notifies" in the /var/log/messages that I used to. Actually my DNS had always been an OpenBSD box just switched everything to a freshly updated FreeBSD 6.4 a few weeks ago -- not sure if those notifications show up in messages in OpenBSD they were in /var/log/daemon

I changed the serial on my zone file hoping that a notification would be sent to the secondaries but this didn't seem to happen.

Marco

On Thu, Jul 30, 2009 at 9:48 PM, wrote:
> Have you seen the latest DNS security reports and applied the latest
> patches?
>
> -BT
> Sent via BlackBerry by AT&T
>
> -----Original Message-----
> From: Marco Scoffier
>
> Date: Thu, 30 Jul 2009 21:12:22
> To:
> Subject: [nycbug-talk] dns slaves serve up empty data
>
>
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From carton at Ivy.NET Thu Jul 30 22:22:36 2009
From: carton at Ivy.NET (Miles Nordin)
Date: Thu, 30 Jul 2009 22:22:36 -0400
Subject: [nycbug-talk] dns slaves serve up empty data
In-Reply-To: Marco Scoffier's message of "Thu, 30 Jul 2009 21:12:22 -0400"
References: <920498180-1249004931-cardhu_decombobulator_blackberry.rim.net-91468090-@bxe1028.bisx.prod.on.blackberry>
Message-ID:

>>>>> "ms" == Marco Scoffier writes:
>>>>> "b" == billtotman writes:

ms> I was trying to test the zone transfer with telnet

the way you test zone transfers is:

dig metm.org. axfr @primary

Also in other cases of debugging broken slave servers, but not this case, you may want to check:

dig metm.org. soa @

and look at the serial number. The slave will not AXFR unless the master has a higher serial number. but, that is not your problem because the slave is reporting SERVFAIL rather than old data---your guess that the slave cannot download the zone and the Expire time in the SOA has elapsed, is probably right.

b> Have you seen the latest DNS security reports and applied the
b> latest patches?

pfft, whatever.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 304 bytes
Desc: not available
URL:

From dave at donnerjack.com Thu Jul 30 22:44:53 2009
From: dave at donnerjack.com (David Lawson)
Date: Thu, 30 Jul 2009 22:44:53 -0400
Subject: [nycbug-talk] dns slaves serve up empty data
In-Reply-To:
References: <920498180-1249004931-cardhu_decombobulator_blackberry.rim.net-91468090-@bxe1028.bisx.prod.on.blackberry>
Message-ID: <60DF27ED-1BCA-49DF-ADB4-5A2CD79149CA@donnerjack.com>

I'd at least consider starting the master up attached to your terminal and crank up the debugging output, then restart the slave and see if you can see it asking for notifies and throwing an error or whatever. Might be worth trying that on the slave as well.
I wouldn't sweat the latest security thing, that'll just kill the server, it won't cause weirdness. Or shouldn't, anyway.

--Dave

From marcoscoffier at gmail.com Thu Jul 30 22:47:48 2009
From: marcoscoffier at gmail.com (Marco Scoffier)
Date: Thu, 30 Jul 2009 22:47:48 -0400
Subject: [nycbug-talk] dns slaves serve up empty data
In-Reply-To:
References: <920498180-1249004931-cardhu_decombobulator_blackberry.rim.net-91468090-@bxe1028.bisx.prod.on.blackberry>
Message-ID:

Sorry Miles, forgot the "reply all" to talk

On Thu, Jul 30, 2009 at 10:22 PM, Miles Nordin wrote:
>
>
> the way you test zone transfers is:
>
> dig metm.org. axfr @primary
>

thanks. I needed that.

>
> Also in other cases of debugging broken slave servers, but not this
> case, you may want to check:
>
> dig metm.org. soa @
>
> and look at the serial number. The slave will not AXFR unless the
> master has a higher serial number. but, that is not your problem
> because the slave is reporting SERVFAIL rather than old data---your
> guess that the slave cannot download the zone and the Expire time in
> the SOA has elapsed, is probably right.

I just increased the serial number to try to force a notify of the slaves -- nothing happened
removed all the allow-transfer clauses from named.conf (which used to have an acl with all the slaves in it)

and still the secondaries give a SERVFAIL .... grrr

Marco
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From dave at donnerjack.com Thu Jul 30 23:25:02 2009
From: dave at donnerjack.com (David Lawson)
Date: Thu, 30 Jul 2009 23:25:02 -0400
Subject: [nycbug-talk] dns slaves serve up empty data
In-Reply-To:
References: <920498180-1249004931-cardhu_decombobulator_blackberry.rim.net-91468090-@bxe1028.bisx.prod.on.blackberry>
Message-ID: <2D41A3DF-838D-4499-BA94-73F5866CF8C5@donnerjack.com>

>
>
> I just increased the serial number to try to force a notify of the
> slaves -- nothing happened
> removed all the allow-transfer clauses from named.conf (which used
> to have an acl with all the slaves in it)
>
> and still the secondaries give a SERVFAIL .... grrr

I can do an AXFR from your master, so I don't think it's that. How are those zones updated? I've run into weird issues with named not sending notifies for zones updated dynamically. I'd still recommend running the daemons attached to a terminal or something to see if you can get some logging out of it.

--Dave
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From marcoscoffier at gmail.com Thu Jul 30 23:36:41 2009
From: marcoscoffier at gmail.com (Marco Scoffier)
Date: Thu, 30 Jul 2009 23:36:41 -0400
Subject: [nycbug-talk] dns slaves serve up empty data
In-Reply-To: <60DF27ED-1BCA-49DF-ADB4-5A2CD79149CA@donnerjack.com>
References: <920498180-1249004931-cardhu_decombobulator_blackberry.rim.net-91468090-@bxe1028.bisx.prod.on.blackberry> <60DF27ED-1BCA-49DF-ADB4-5A2CD79149CA@donnerjack.com>
Message-ID:

On Thu, Jul 30, 2009 at 10:44 PM, David Lawson wrote:
> I'd at least consider starting the master up attached to your terminal
> and crank up the debugging output, then restart the slave and see if
> you can see it asking for notifies and throwing an error or whatever.
> Might be worth trying that on the slave as well.

thanks. I don't have access to the slaves.
They are at large companies who offer secondary service, my registrar gandi.net and a free service xname.org
Everything has worked fine for multiple years and multiple OS upgrades ...

I had to add an extra logging {} section to named.conf and now see the notifies in debug.log. Annoyingly I see

zone metm.org/IN: notify to 87.98.164.164#53: retries exceeded

This is the most annoying problem I have had in a long long time. I wish I had control over all the slaves. I've been effectively kicked off the net and I still don't understand why.

Marco
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From akosela at andykosela.com Fri Jul 31 02:37:32 2009
From: akosela at andykosela.com (Andy Kosela)
Date: Fri, 31 Jul 2009 08:37:32 +0200
Subject: [nycbug-talk] dns slaves serve up empty data
In-Reply-To:
References: <920498180-1249004931-cardhu_decombobulator_blackberry.rim.net-91468090-@bxe1028.bisx.prod.on.blackberry> <60DF27ED-1BCA-49DF-ADB4-5A2CD79149CA@donnerjack.com>
Message-ID: <4a72912c.nsr4QZgXH+V4dd+F%akosela@andykosela.com>

Marco Scoffier wrote:
> On Thu, Jul 30, 2009 at 10:44 PM, David Lawson wrote:
>
> > I'd at least consider starting the master up attached to your terminal
> > and crank up the debugging output, then restart the slave and see if
> > you can see it asking for notifies and throwing an error or whatever.
> > Might be worth trying that on the slave as well.
>
>
> thanks. I don't have access to the slaves. They are at large companies who
> offer secondary service, my registrar gandi.net and a free service
> xname.org Everything has worked fine for multiple years and multiple OS
> upgrades ...
>
> I had to add an extra logging {} section to named.conf and now see the
> notifies in debug.log. Annoyingly I see
>
> zone metm.org/IN: notify to 87.98.164.164#53: retries exceeded
>
> This is the most annoying problem I have had in a long long time. I wish I
> had control over all the slaves.
I've been effectively kicked off the net
> and I still don't understand why.

The fault is probably on the slaves' side. It seems they don't accept your zone updates anymore. Consult it with your slaves' admins. Also make sure your domain is *properly* delegated.

--Andy

From carton at Ivy.NET Fri Jul 31 14:57:49 2009
From: carton at Ivy.NET (Miles Nordin)
Date: Fri, 31 Jul 2009 14:57:49 -0400
Subject: [nycbug-talk] dns slaves serve up empty data
In-Reply-To: (Marco Scoffier's message of "Thu, 30 Jul 2009 23:36:41 -0400")
References: <920498180-1249004931-cardhu_decombobulator_blackberry.rim.net-91468090-@bxe1028.bisx.prod.on.blackberry> <60DF27ED-1BCA-49DF-ADB4-5A2CD79149CA@donnerjack.com>
Message-ID:

>>>>> "ms" == Marco Scoffier writes:

ms> zone metm.org/IN: notify to 87.98.164.164#53: retries exceeded

I've never seen that before. notifies are an optional part of the protocol to speed things up. I'd the impression they weren't even acknowledged, so I'm not sure why they would be retried---I'd therefore not infer too much from the sound of the error message.

The mandatory way for slaves to operate, whether the master sends notifies or not, is to poll your master for an SOA record on a period specified by the 'refresh' timer in the SOA record they already have. If they don't succeed, they begin polling on the 'retry' timer's period, which is typically more frequent. There's no exponential backoff or anything like that.

notifies didn't used to be part of the standard at all, and the whole process will work without them, so don't overfocus on it.

notifies could be broken in your environment if gandi doesn't in fact use the single nameserver they expose to you. It's possible to use a slave as the master for another slave, so if they wanted (not sure why they would), they could have one hidden server that sucks down all the zones from their customers' masters, and then a network of exposed slaves that sucks zones from that hidden zonesuck server.
In that case, you'd send a notify to the exposed master, which might (I'm not sure) say ``this notify's coming from the wrong source, so I'm ignoring it.'' I don't think they do this weird arrangement---it's just a reasonable example that breaks notifies, unless you manually reconfigure your master. and you'll never notice, because notifies aren't actually needed: gandi is allowed to openly or accidentally not support them.

really notifies go together with IXFR as a mechanism for synchronizing dyndns updates. Without notifies you will have to wait the 'retry' period after making changes to the master for the slaves to poll again, although I'm not absolutely certain slaves will respect SOA 'retry' on an expired zone---they may use a fixed default polling timer which, without actually knowing (I control all my slaves so I just 'rndc reload' or ask my friend to do so), I would guess to be about an hour.

If you have been working on this for several days and writing all these mails you probably have some effort to burn: why don't you try setting up your own slave server on your laptop or something, and see if you can get it to suck down the zone. If you can't, fix it. If you can, check that gandi has the right IP for your master, and if they do, get a different company to be your slave server. (I like gandi in general but have not used this feature of theirs.)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 304 bytes
Desc: not available
URL:

From sahil at tandon.net Fri Jul 31 19:38:42 2009
From: sahil at tandon.net (Sahil Tandon)
Date: Fri, 31 Jul 2009 19:38:42 -0400
Subject: [nycbug-talk] FreeBSD 7.1-RELEASE perl issues
In-Reply-To:
References: <1659642232-1248268630-cardhu_decombobulator_blackberry.rim.net-889863803-@bxe1028.bisx.prod.on.blackberry> <98e9d1d30907290615m6a4359d7t9c64f78ce3f57a80@mail.gmail.com>
Message-ID: <20090731233841.GA3843@tandon.net>

On Wed, 29 Jul 2009, Matt Juszczak wrote:
> Wow, awesome! I didn't notice that. Is it checked by default?

Yes. See lang/perl5.10/Makefile.

--
Sahil Tandon

From marco at metm.org Fri Jul 31 09:57:01 2009
From: marco at metm.org (Marco Scoffier)
Date: Fri, 31 Jul 2009 09:57:01 -0400
Subject: [nycbug-talk] dns slaves serve up empty data
In-Reply-To: <4a72912c.nsr4QZgXH+V4dd+F%akosela@andykosela.com>
References: <920498180-1249004931-cardhu_decombobulator_blackberry.rim.net-91468090-@bxe1028.bisx.prod.on.blackberry> <60DF27ED-1BCA-49DF-ADB4-5A2CD79149CA@donnerjack.com> <4a72912c.nsr4QZgXH+V4dd+F%akosela@andykosela.com>
Message-ID: <4A72F82D.5010605@metm.org>

Andy Kosela wrote:
> The fault is probably on the slaves' side. It seems they don't accept
> your zone updates anymore. Consult it with your slaves' admins. Also
> make sure your domain is *properly* delegated.
>
>

Thanks for the tips. As Andy said the problem was on their side. Finally got one of their techs to respond and they are serving the correct zone file. Still not sure what was going on.
Still not sure why I don't see the "sending notifies" line in /var/log/message or /var/log/debug.log

I added this huge chunk of logging to my named.conf :

logging {
    channel "default-syslog" {
        syslog local2;
        severity debug;
    };
    category default { default-syslog; };
    category notify { default-syslog; };
    category general { default-syslog; };
    category security { default-syslog; };
    category default { default_syslog; };
    category general { default_syslog; };
    category security { default_syslog; };
    category config { default_syslog; };
    category resolver { default-syslog; };
    category xfer-in { default-syslog; };
    category xfer-out { default-syslog; };
    category notify { default-syslog; };
    category client { default-syslog; };
    category network { default-syslog; };
    category update { default-syslog; };
    category queries { default-syslog; };
    category lame-servers { default-syslog; };
};

Marco
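
The secondary-side behaviour Miles Nordin describes earlier in the thread (poll the primary's SOA on the 'refresh' timer, fall back to the 'retry' timer on failure, transfer only when the primary's serial is higher, stop answering once 'expire' has elapsed) can be modelled as a small simulation. This is an added example, not code from the thread or from BIND; the timer values, serials and outage window are constructed, and continuing to poll on the 'retry' timer after expiry is an assumption of the model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Soa:
    serial: int
    refresh: int   # seconds between routine SOA checks
    retry: int     # seconds between checks after a failed one
    expire: int    # seconds without a successful check before the zone is dropped

def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 serial arithmetic on 32-bit serials: is a newer than b?"""
    return a != b and ((a - b) & 0xFFFFFFFF) < 0x80000000

class Secondary:
    def __init__(self, soa: Soa, now: int = 0):
        self.soa = soa
        self.last_ok = now                  # time of the last successful SOA check
        self.next_poll = now + soa.refresh
        self.transfers = 0

    def status(self, now: int) -> str:
        """RCODE a client gets for this zone at time `now`."""
        return "SERVFAIL" if now - self.last_ok >= self.soa.expire else "NOERROR"

    def poll(self, now: int, primary_soa) -> str:
        """One SOA check; primary_soa is None if the primary did not answer."""
        if primary_soa is None:
            self.next_poll = now + self.soa.retry   # assumption: same timer after expiry
            return "retry"
        self.last_ok = now
        result = "current"                  # serial not higher: no transfer
        if serial_gt(primary_soa.serial, self.soa.serial):
            self.soa = primary_soa          # stands in for the AXFR
            self.transfers += 1
            result = "transferred"
        self.next_poll = now + self.soa.refresh
        return result

def simulate(sec, primary_at, until):
    """Poll until `until`; returns [(time, poll result, status after the poll)]."""
    log = []
    while sec.next_poll <= until:
        t = sec.next_poll
        result = sec.poll(t, primary_at(t))
        log.append((t, result, sec.status(t)))
    return log

def demo():
    # Constructed values: short timers so the whole cycle fits in a few hours.
    old = Soa(2009073001, refresh=3600, retry=600, expire=7200)
    new = Soa(2009073002, refresh=3600, retry=600, expire=7200)  # serial bumped on the primary
    # Constructed outage: the secondary cannot reach the primary for 3600 <= t < 12000.
    primary_at = lambda t: None if 3600 <= t < 12000 else new
    sec = Secondary(old)
    return sec, simulate(sec, primary_at, until=16000)

if __name__ == "__main__":
    for t, result, status in demo()[1]:
        print(f"t={t:>5}s  poll={result:<11}  clients get {status}")
```

In the run, bumping the serial on the primary changes nothing while the secondary's checks fail: the zone still expires and clients get SERVFAIL until a check succeeds again.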