do they need to?
no, but clients would be nice :p
ntp clients?
yes, on the host, because every time I reboot my clock is half an hour off, I do run an ntp client myself, but by default it refuses to correct such a big difference in one go.
yeah, ntp won't update if it's like 1000 seconds off
my current workaround is to rdate manually after a reboot
infrared: i haven't had any support requests that i can recall with that neg runtime error, although i have seen it in the logs
infrared: i do use supermicro with intel, but as far as the VMs are concerned, it can't see it; they only see the emulated proc and chipsets
DaCa: yeah, i need to run ntp on the hosts; my last few servers have it, but i've delayed putting it on the others since i don't want a huge clock jump; need to do so during a maintenance window, which i haven't declared in a while
note: I just signed up on a FreeBSD 8.0 system. I ran 'portaudit -Fda' and there were I think three vulnerabilities ootb.
what vulns?
sudo, curl and I think ca_root_nss (I've patched them now so the list is too far back in my buffer)
ah :)
just thought I'd mention it.
hey up_the_irons you guys don't take paypal eh?
aem: no http://support.arpnetworks.com/faqs/billing/do-you-accept-paypal :)
hehe thanks
np
does arpnetworks run an ntp server?
no
<- joshua here btw
hey joshua
looks like buildworld doesn't like ccache, although I've used it on my other BSD installations :(
if I plan to setup BSD jails, is there a particular private subnet/range I should or should not use?
no
wanted to make sure I wasn't going to conflict with existing addresses
do you have 2 nics?
cedwards: i put my jails on a private internal interface, and used pf for nat all behind one ip
fink_: that's what I was planning.
cedwards: if the ips are on an internal interface, then they won't interfere with anything public
Wouldn't one need a pretty decent VPS for jails? :)
dxtr: nah. jails are incredibly lightweight.
Cool.
Might look into it then
dxtr: i see now overhead increase with idle jails
s/now/no/
infrared: Interesting
dxtr: I just loaded up 26 jails on a P4 1G ram and the load went to.. wait for it.. 0.30.
it's because it's kernel based
not "real" vps
But what's *REALLY* worth jailing without losing functionality (Like userdirs in a webserver and stuff)
fink_: so I can just create alias IPs on my em0 assigning private IPs and I should be fine?
cedwards: create an lo1 or whatever
I guess some sort of *sql database could be jailed
assign them there
dxtr: dxtr: I segregate all my major services into jails (postfix, bind, squid, ssh-bastion, etc)
dxtr: "application" jails
dxtr: i jail based on processes/domains like www.example.org is a www jail dns.example.org is a dns jail
db
dxtr: and I'm planning on building some shell jails for some of the guys in my UG as well.
mail etc
fink_: Yeah, I was thinking about it
How does one administer DNS in a cool way? without sql :)
i use tinydns/dnscache
I use BIND
old-school bind here too. zone files by hand :)
I'd like some cool way to remotely administer the DNS :)
Or, well, maybe not *TOO* remotely
But something other than editing zone files by hand
bind is big, slow, and insecure
Right. I'm actually considering switching :)
What are the competitors to BIND?
small, fast and secure?
powerdns
djbdns
i like bind though
i know a lot of people who use powerdns and have only good things to say about it
going from bind to tinydns was kind of like going from apache to cherokee, for me "wow this program is so much easier to admin" and "wow half the memory footprint"
fink_: How does one admin djbdns? I've only briefly used tinydns, but I'd like to learn it.
dxtr: command line, web, sql, etc.
fink_: How does the command line work? And how would it work if I jailed djbdns?
i've jailed tinydns/dnscache
that's not what I asked :)
fink_: I've done jails before, so I'm familiar with creating alias IPs but I've always done it on the same interface.
fink_: can you refer me to how to create a virtual internal interface for alias IPs?
cedwards: heh, a bunch of people have been asking me this recently! mb i should just blog it ;)
yeah :P
cedwards: do you mind asking me later? i'm at work and i have to finish some stuff
fink_: no problem
thanks
i think i just found it on the google machine.
link?
fink_: tinydns looks like hell to admin :(
What the hell is wrong with those configuration files? :(
s/configuration/zone/
dxtr: are you serious?
no?
mike-burns: nsd and unbound are current best practices for DNS
Excellent, I'll check them out.
mike-burns: recursive dns and authoritative-only dns are separate in that stack. nsd is for authoritative, unbound for recursive
so, you use unbound for servers to configure in their /etc/resolv.conf; and nsd for hosting zones
Oh interesting. That makes sense.
yeah, i've been migrating to unbound for recursive. i run it on my laptop too and just have "nameserver 127.0.0.1" in my resolv.conf, makes things faster
not using nsd yet, but i put it in a test environment, and i like it
both are made by the same people
up_the_irons: "current best practices" as in...? :)
dxtr: a resolver and authoritative name server software completely written from scratch, in coordination with RIPE NCC, to offer a solution that was not ridden with bugs and security flaws like BIND is
it's analogous to sendmail vs. postfix
up_the_irons: I just love you answer. Seriously. Straight and consistent.
your*
up_the_irons: can I pay for a year in one go?
aem: What's wrong with paying monthly?
:)
I want to buy a pre paid credit card to order so it would make it easier if I were able to order for a longer time period
I hate that one can't buy that here :/
aem: yes -- http://support.arpnetworks.com/faqs/billing/is-there-a-discount-for-paying-in-advance
dxtr: glad you like my answer ;)
ok up_the_irons sorry for not reading the FAQ :P will get a pre paid card tomorrow
aem: no problem :)
up_the_irons: I didn't mean to make that singular :D
dxtr: whut? ;)
up_the_irons: I like your answer*S*
dxtr: ah! :)
You're always straight and concose.
concise ffs
haha yes that's usually how i am ... straight? :D
wow we actually have 50+ people in here
i like the idea of VPS hosting that's cheap enough to be an impulse buy
LOL, wish I could offer instant setup in that case
trust me i wish you could too
up_the_irons: that's something the slicehost guys were pointing out as a drawback
doesn't bother me much
Why is make distclean so incredibly slow?
up_the_irons: Actually; what's stopping you? Shouldn't it be possible to create a perl script to do it or whatever? :))
i mean i saw the site and I figured oh cool $10 i'll try this out despite having no compelling use for it
:)*
dxtr: write it for me and we'll solve two problems :)
fink_: indeed, it is a drawback, but from the beginning i've always targeted an audience that is looking for a long term relationship with a reliable hosting company. in that respect, waiting 24 or so for your vps is not a long time; i expect most people will stay for over 12 months
up_the_irons: i agree; i think they are thinking "cloud"
fink_: right
up_the_irons: perhaps you need a sexy bsd assistant? maybe then i could go outside…
a sexy bsd assistant? yes please
ceren ercen
Uhm... Hmm..
anybody have good resources for an ldap noob?
Hey, up_the_irons
Speaking of unbound - I'm trying it now. How can I make it recursive? right now it doesn't seem to recurse anything :p
dxtr: what exactly is doomsday drunk?
amdprophet: Haha, what the hell?
:D
lol i know it's a delayed reaction
Don't tell me that's what you've been thinking about alla day?
was just wondering
all day*
it totally was
Haha
It's basically getting really wasted - but even more :)
dxtr: that's the whole point. unbound is not a recursive name server. if you want recursion, use nsd. BIND vulnerabilities have shown you do not want recursion and delegation on the same IP anyway
dxtr: whups, i meant that the other way around
dxtr: unbound for recursion, nsd for delegation
dxtr: if your unbound doesn't recurse, i have no idea what u did wrong ;)
up_the_irons: Exactly. I'm trying unbound on my obsd box now but can't get it to recurse :D
** server can't find www.arpnetworks.com.dxtr.cc: SERVFAIL
FFFFFUUUUUU
aaah. Found the error
I rock! lol
sweet. with a little help from google I figured out the internal virtual interface and IPs.
up_the_irons - did you see http://twitter.com/merlyn/statuses/12577877305
even got retweeted by bob
even got retweeted by me!
oh hey I'm off for bed now! Should've gone like 3-4 hours ago. But still!
better late than never
RandalSchwartz: yeah i saw that randomly this morning, tnx :)
oh wow, twitter now says "Retweeted by X people"
however, there are no links to them, which is pretty lame
lol, "southlandtvfans" RT'd it
i love that show
so I've got my internal interface and IPs setup. I've got inbound nat setup to reach the jails. only thing I haven't quite figured out is outbound connections from the jails.
cedwards i think you want an outbound nat and inbound forward
hi
hi
hi infrared
hey
infrared: thanks. i think that put me on the right path.
would this be valid to allow outbound nat from jails: nat on em0 inet from 10.100.1.0/24 to any -> (em0)
cedwards: you got your jails on nat?
fink: I can get in from the outside, and I have that rule above applied, but I can't get out from the jails. i've done jails a number of times before, but never like this.
cedwards: how are you troubleshooting your net access?
watching the pflog, and I've done some tcpdumps but I'm not getting much..
cedwards: can you resolve anything?
no, and I do have a valid resolv.conf
can you ping out? there's a sysctl to enable to allow pinging
..err I did have a resolv.conf. checking again now I don't.
I think I've been looking at this too long today. getting to the point that i'm losing my mind hehe
cedwards: you should put a resolv.conf in the ezjail flavour, then you don't have to worry about it in each jail
yeah. i even forgot to apply the flavour this go-round. heh.
i think it's probably time for bed!
cedwards: let's try it tomorrow
i'll consult my notes