[00:27] *** visinin has quit IRC (Quit: leaving)
[00:43] toddf: roger on openbgpd and megaraid; i have a feeling you're not using 'megacli' (the one LSI wrote)
[01:54] *** [FBI] starts logging #arpnetworks at Mon Mar 08 01:54:54 2010
[01:54] *** [FBI] has joined #arpnetworks
[02:46] *** [FBI] starts logging #arpnetworks at Mon Mar 08 02:46:29 2010
[02:46] *** [FBI] has joined #arpnetworks
[02:55] *** [FBI] starts logging #arpnetworks at Mon Mar 08 02:55:33 2010
[02:55] *** [FBI] has joined #arpnetworks
[03:21] *** ziyourenxiang has joined #arpnetworks
[03:46] *** boogeyman has quit IRC (Remote host closed the connection)
[03:55] *** boogeyman has joined #arpnetworks
[04:00] *** [FBI] starts logging #arpnetworks at Mon Mar 08 04:00:05 2010
[04:00] *** [FBI] has joined #arpnetworks
[04:01] *** [FBI] starts logging #arpnetworks at Mon Mar 08 04:01:05 2010
[04:01] *** [FBI] has joined #arpnetworks
[04:10] *** visinin has joined #arpnetworks
[04:21] *** [FBI] starts logging #arpnetworks at Mon Mar 08 04:21:54 2010
[04:21] *** [FBI] has joined #arpnetworks
[04:42] *** nuke` has quit IRC (Ping timeout: 245 seconds)
[04:44] *** visinin has quit IRC (Quit: sleep)
[05:28] up_the_irons: but of course, megacli is not open source ;-)
[05:29] up_the_irons: just use bioctl on OpenBSD, it `works' ;-)
[05:29] yeah, but on my other systems, non-openbsd, megacli blows
[05:31] sleep is consuming me
[05:31] cd $bed
[06:15] *** vtoms has joined #arpnetworks
[06:19] there is a reason why a common raid interface at the userland level makes tons of sense, one can do the oss thing and make it useful, let the os do its job and abstract the hardware as it can
[06:25] *** visinin has joined #arpnetworks
[06:26] yes, OpenBSD may not have all the spiffy features of say zfs, but it is sad it is often alone speaking up for what is right
[06:26] vendor supplied drivers and user interface bits are windows models, not unix models *sigh*
[06:28] i really like openbsd but i'm getting fairly dismal httpd performance compared to freebsd
[06:28] there are rather conservative settings on by default
[06:29] if you do not tune anything yes your system may not perform optimally
[06:29] for a http server you might consider tuning
[06:29] yeah, i've been doing some research but i'm not coming up with much
[06:29] can you give me some pointers in regards to what i should tweak?
[06:29] net.inet.{tcp,udp}.recvspace=262144
[06:30] (the above via cmdline to sysctl and in /etc/sysctl.conf)... s/ffs/ffs,softdep/ in /etc/fstab
[06:30] if you have a kernel recent enough to sport kern.bufcachepercent, then set it to 90 (what mem is not used by apps up to 90% of system mem will become disk buffers, giving way to application allocations instead of swapping though)
[06:31] those should get you started..
[06:32] i'd already made the recvspace and sendspace changes and that only got me about 15Kbps more throughput
[06:32] i'll try the softdep change, and my kernel's not new enough for bufcachepercent
[06:33] i've been wondering whether a lack of sendfile() could be to blame for some of the slowdown
[06:39] *** schmir has joined #arpnetworks
[06:43] might try a current snapshot which is pretty stable btw .. if you want to test the bufcachepercent=90 thing
[06:46] going to try a different webserver, too (been playing with cherokee but it's giving me trouble)
[06:47] the softdep thing mainly helps if you have lots of files created or removed at once, but there are other benefits also
[06:47] I do nginx (with thin for Rails apps).
[06:47] On FreeBSD though.
[06:48] same here
[06:48] on OpenBSD though :)
[06:48] there are various webservers in ports..
[07:16] well, turns out it was the webserver!
[07:17] let it be known that cherokee on openbsd is abominably slow
[07:25] *** baklava has quit IRC (Quit: Game Over. Please insert another token into the ring.)
[07:35] *** visinin has quit IRC (Quit: sleep)
[07:35] any chance you tried the httpd that comes with base?
[07:43] *** nuke` has joined #arpnetworks
[08:26] *** schmir has quit IRC (Ping timeout: 265 seconds)
[09:01] *** ziyourenxiang has quit IRC (Quit: ziyourenxiang)
[11:56] *** hiram is now known as BarberRonny
[14:59] *** visinin has joined #arpnetworks
[15:29] *** vtoms has quit IRC (Quit: Leaving.)
[16:09] *** coil has quit IRC (Ping timeout: 256 seconds)
[16:16] *** coil_ has joined #arpnetworks
[16:52] *** coil- has joined #arpnetworks
[16:53] *** coil- is now known as coil
[16:53] *** coil has quit IRC (Changing host)
[16:53] *** coil has joined #arpnetworks
[16:54] *** coil_ has quit IRC (Ping timeout: 260 seconds)
[18:02] *** islandfo1 has joined #arpnetworks
[18:02] *** islandfox has quit IRC (Read error: Connection reset by peer)
[18:05] *** islandfo1 is now known as islandfox
[18:06] is there any sort of incoming ssh connection throttling that has been applied?
[18:07] islandfox: yes, it has always been this way. more than 10 ssh syn's in 1 minute will lock your IP until the next minute or so
[18:07] protection from dictionary attacks
[18:07] ah, I haven't done rapid ssh until recently
[18:07] is that for all boxes?
[18:07] islandfox: it is applied to port 22 only; so if you hate it, you can move your port
[18:07] that also explains the lack of much attacks I suppose
[18:08] RandalSchwartz: yes
[18:08] that hurts some SVN applications
[18:08] do you have a FAQ that says "move your SVN port"?
[18:08] no, but, good idea :)
[18:08] because that's being discussed right now on the freebsd pages
[18:08] as in "why not throttle incoming ssh"
[18:08] and that was one of the responses
[18:09] I'll just implement connection multiplexing in my app I suppose
[18:09] or get off port 22. :)
[18:09] which isn't a bad idea anyway
[18:09] 22 = Very Low Hanging Fruit
[18:10] only like 2 customers have ever noticed the throttling phenomenon; yet bandwidth graphs for dictionary attacks were slammed to the floor when i implemented it; == win :)
[18:10] so I impressed Neil yesterday. told him I hosed my IP settings for my box, and yet was able to reboot the box remotely, login with the console, fix the settings and reboot again
[18:11] RandalSchwartz: yeah he *better* be impressed ;)
[18:11] I just discovered it when running a new backup script against it a few days ago :)
[18:11] a backup that *doesn't* use rsync? :)
[18:12] not really worried about dictionary attacks since I only allow public key auth, but I might change the port on the main VM if I am too lazy to implement multiplexing for a while...
[18:12] well at $previous_hosting, that would have required a pair of helping hands
[18:12] RandalSchwartz: yes, a script managing zfs snapshots+send/recv
[18:13] aha.
[18:13] ok - yeah, multi-connections
[18:13] I love the fact that customers can do their own repairs also ;)
[18:13] less work for you
[18:14] I can click Acknowledge in Nagios a lot more...
[18:15] anyhow, thanks up_the_irons, good to know I'm not going crazy, I had thought it was unfiltered :)
[18:15] islandfox: np! sorry to temporarily make u crazy
[18:22] i mentioned changing ssh ports one time to my friends on facebook, and they mumbled "security through obscurity"
[18:30] *** mart1n has quit IRC (Ping timeout: 256 seconds)
[18:30] *** mart1n has joined #arpnetworks
[18:40] shmget: yeah, if that's the only thing you do; but on the flip side, if everyone used random ssh ports and port 22 was not used at all, break-ins through dictionary attacks would be reduced; i find it hard to be able to refute that
[18:41] it's not "security" per-se, but it makes a concrete difference
[18:43] right
[18:43] it at least makes intruders search for the right port
[18:44] (by running SSH on a different port, you can also get through corporate firewalls that disallow port 22)
[18:44] yeah
[18:45] i'm surprised I haven't been caught yet, been doing it for years
[18:46] i made a simple vpn one time before the company i worked for had one
[18:47] i had a freebsd server that checked my mail on an exchange server. if i emailed myself an email at work with my IP address at home, it would initiate an SSH connection to my home computer.
[18:47] then, I did another tunnel back through, and did what I needed to do
[18:47] it worked great
[18:47] no one busted me for it
[18:48] i have heard they only bust you when you transfer large amounts of data, as it could be someone trying to send out corporate documents/secrets
[18:49] *** amdprophet has joined #arpnetworks
[18:54] up_the_irons: you around?
[18:55] shmget: interesting
[18:55] amdprophet: yes
[18:55] having some slowdowns on our vps, just wondering if there's any known issues
[18:57] amdprophet: migrating a VM to the kvr04 server (not sure if that is you or not); maybe I should ionice that...
[18:57] (done)
[18:58] thanks
[18:59] np
[19:07] i think it's worse now lol
[19:07] http://aelatis.com/
[19:07] we are on kvr04 btw
[19:09] this migration is a pain :(
[19:10] :(
[19:19] any ETA as to when it will be doe?
[19:21] done &
[19:21] done *
[19:24] 7G left, 7.3 MB/s
[19:34] 2G left
[19:38] corrupt disk image
[19:50] raid sucks
[19:51] ddrescue is pretty cool
[19:52] up_the_irons, i think you should give in and use a real distribution, a.k.a. slackware.
[20:56] *** heavysixer has quit IRC (Quit: heavysixer)
[23:24] *** visinin has quit IRC (Quit: sleep)
[23:40] *** jeev has left