up_the_irons: toddf: roger on openbgpd and megaraid; i have a feeling you're not using 'megacli' (the one LSI wrote)
***: [FBI] starts logging #arpnetworks at Mon Mar 08 01:54:54 2010
[FBI] has joined #arpnetworks
[FBI] starts logging #arpnetworks at Mon Mar 08 02:46:29 2010
[FBI] has joined #arpnetworks
[FBI] starts logging #arpnetworks at Mon Mar 08 02:55:33 2010
[FBI] has joined #arpnetworks
ziyourenxiang has joined #arpnetworks
boogeyman has quit IRC (Remote host closed the connection)
boogeyman has joined #arpnetworks
[FBI] starts logging #arpnetworks at Mon Mar 08 04:00:05 2010
[FBI] has joined #arpnetworks
[FBI] starts logging #arpnetworks at Mon Mar 08 04:01:05 2010
[FBI] has joined #arpnetworks
visinin has joined #arpnetworks
[FBI] starts logging #arpnetworks at Mon Mar 08 04:21:54 2010
[FBI] has joined #arpnetworks
nuke` has quit IRC (Ping timeout: 245 seconds)
visinin has quit IRC (Quit: sleep)
toddf: up_the_irons: but of course, megacli is not open source ;-)
up_the_irons: just use bioctl on OpenBSD, it `works' ;-)
up_the_irons: yeah, but on my other systems, non-openbsd, megacli blows
sleep is consuming me
cd $bed
***: vtoms has joined #arpnetworks
toddf: there is a reason why a common raid interface at the userland level makes tons of sense, one can do the oss thing and make it useful, let the os do its job and abstract the hardware as it can
***: visinin has joined #arpnetworks
toddf: yes, OpenBSD may not have all the spiffy features of say zfs, but it is sad it is often alone speaking up for what is right
vendor supplied drivers and user interface bits are windows models, not unix models *sigh*
visinin: i really like openbsd but i'm getting fairly dismal httpd performance compared to freebsd
toddf: there are rather conservative settings on by default
if you do not tune anything yes your system may not perform optimally
for a http server you might consider tuning
visinin: yeah, i've been doing some research but i'm not coming up with much
can you give me some pointers in regards to what i should tweak?
toddf: net.inet.{tcp,udp}.recvspace=262144
(the above via cmdline to sysctl and in /etc/sysctl.conf)... s/ffs/ffs,softdep/ in /etc/fstab
if you have a kernel recent enough to sport kern.bufcachepercent, then set it to 90 (what mem is not used by apps up to 90% of system mem will become disk buffers, giving way to application allocations instead of swapping though)
those should get you started..
visinin: i'd already made the recvspace and sendspace changes and that only got me about 15Kbps more throughput
i'll try the softdep change, and my kernel's not new enough for bufcachepercent
i've been wondering whether a lack of sendfile() could be to blame for some of the slowdown
***: schmir has joined #arpnetworks
toddf: might try a current snapshot which is pretty stable btw .. if you want to test the bufcachepercent=90 thing
visinin: going to try a different webserver, too (been playing with cherokee but it's giving me trouble)
toddf: the softdep thing mainly helps if you have lots of files created or removed at once, but there are other benefits also
mike-burns: I do nginx (with thin for Rails apps).
On FreeBSD though.
epid: same here
on OpenBSD though :)
toddf: there are various webservers in ports..
visinin: well, turns out it was the webserver!
let it be known that cherokee on openbsd is abominably slow
***: baklava has quit IRC (Quit: Game Over. Please insert another token into the ring.)
visinin has quit IRC (Quit: sleep)
toddf: any chance you tried the httpd that comes with base?
***: nuke` has joined #arpnetworks
schmir has quit IRC (Ping timeout: 265 seconds)
ziyourenxiang has quit IRC (Quit: ziyourenxiang)
hiram is now known as BarberRonny
visinin has joined #arpnetworks
vtoms has quit IRC (Quit: Leaving.)
coil has quit IRC (Ping timeout: 256 seconds)
coil_ has joined #arpnetworks
coil- has joined #arpnetworks
coil- is now known as coil
coil has quit IRC (Changing host)
coil has joined #arpnetworks
coil_ has quit IRC (Ping timeout: 260 seconds)
islandfo1 has joined #arpnetworks
islandfox has quit IRC (Read error: Connection reset by peer)
islandfo1 is now known as islandfox
islandfox: is there any sort of incoming ssh connection throttling that has been applied?
up_the_irons: islandfox: yes, it has always been this way. more than 10 ssh syn's in 1 minute will lock your IP until the next minute or so
protection from dictionary attacks
islandfox: ah, I haven't done rapid ssh until recently
RandalSchwartz: is that for all boxes?
up_the_irons: islandfox: it is applied to port 22 only; so if you hate it, you can move your port
islandfox: that also explains the lack of many attacks I suppose
up_the_irons: RandalSchwartz: yes
RandalSchwartz: that hurts some SVN applications
do you have a FAQ that says "move your SVN port"?
up_the_irons: no, but, good idea :)
RandalSchwartz: because that's being discussed right now on the freebsd pages
as in "why not throttle incoming ssh"
and that was one of the responses
islandfox: I'll just implement connection multiplexing in my app I suppose
RandalSchwartz: or get off port 22. :)
which isn't a bad idea anyway
22 = Very Low Hanging Fruit
up_the_irons: only like 2 customers have ever noticed the throttling phenomenon; yet bandwidth graphs for dictionary attacks were slammed to the floor when i implemented it; == win :)
RandalSchwartz: so I impressed Neil yesterday. told him I hosed my IP settings for my box, and yet was able to reboot the box remotely, login with the console, fix the settings and reboot again
up_the_irons: RandalSchwartz: yeah he *better* be impressed ;)
islandfox: I just discovered it when running a new backup script against it a few days ago :)
RandalSchwartz: a backup that *doesn't* use rsync? :)
islandfox: not really worried about dictionary attacks since I only allow public key auth, but I might change the port on the main VM if I am too lazy to implement multiplexing for a while...
RandalSchwartz: well at $previous_hosting, that would have required a pair of helping hands
islandfox: RandalSchwartz: yes, a script managing zfs snapshots+send/recv
RandalSchwartz: aha.
ok - yeah, multi-connections
up_the_irons: I love the fact that customers can do their own repairs also ;)
RandalSchwartz: less work for you
up_the_irons: I can click Acknowledge in Nagios a lot more...
islandfox: anyhow, thanks up_the_irons, good to know I'm not going crazy, I had thought it was unfiltered :)
up_the_irons: islandfox: np! sorry to temporarily make u crazy
shmget: i mentioned changing ssh ports one time to my friends on facebook, and they mumbled "security through obscurity"
***: mart1n has quit IRC (Ping timeout: 256 seconds)
mart1n has joined #arpnetworks
up_the_irons: shmget: yeah, if that's the only thing you do; but on the flip side, if everyone used random ssh ports and port 22 was not used at all, break-ins through dictionary attacks would be reduced; i find it hard to be able to refute that
it's not "security" per se, but it makes a concrete difference
shmget: right
it at least makes intruders search for the right port
(by running SSH on a different port, you can also get through corporate firewalls that disallow port 22)
up_the_irons: yeah
shmget: i'm surprised I haven't been caught yet, been doing it for years
i made a simple vpn one time before the company i worked for had one
i had a freebsd server that checked my mail on an exchange server. if i emailed myself an email at work with my IP address at home, it would initiate an SSH connection to my home computer.
then, I did another tunnel back through, and did what I needed to do
it worked great
no one busted me for it
i have heard they only bust you when you transfer large amounts of data, as it could be someone trying to send out corporate documents/secrets
***: amdprophet has joined #arpnetworks
amdprophet: up_the_irons: you around?
up_the_irons: shmget: interesting
amdprophet: yes
amdprophet: having some slowdowns on our vps, just wondering if there's any known issues
up_the_irons: amdprophet: migrating a VM to the kvr04 server (not sure if that is you or not); maybe I should ionice that...
(done)
amdprophet: thanks
up_the_irons: np
amdprophet: i think it's worse now lol
http://aelatis.com/
we are on kvr04 btw
up_the_irons: this migration is a pain :(
amdprophet: :(
any ETA as to when it will be doe?
done &
done *
up_the_irons: 7G left, 7.3 MB/s
2G left
corrupt disk image <sigh...>
jeev: raid sucks
up_the_irons: ddrescue is pretty cool
jeev: up_the_irons, i think you should give in and use a real distribution, a.k.a. slackware.
***: heavysixer has quit IRC (Quit: heavysixer)
visinin has quit IRC (Quit: sleep)
jeev has left