***: coil has quit IRC (Ping timeout: 260 seconds)
j3m has quit IRC (Ping timeout: 240 seconds)
coil has joined #arpnetworks
j3m has joined #arpnetworks
infrared: do they need to?
DaCa: no, but clients would be nice :p
infrared: ntp clients?
DaCa: yes, on the host, because every time I reboot my clock is half an hour off, I do run an ntp client myself, but by default it refuses to correct such a big difference in one go.
infrared: yeah, ntp won't update if it's like 1000 seconds off
DaCa: my current workaround is to rdate manually after a reboot
up_the_irons: infrared: i haven't had any support requests that i can recall with that neg runtime error, although i have seen it in the logs
infrared: i do use supermicro with intel, but as far as the VMs are concerned, it can't see it; they only see the emulated proc and chipsets
DaCa: yeah, i need to run ntp on the hosts; my last few servers have it, but i've delayed putting it on the others since i don't want a huge clock jump; need to do so during a maintenance window, which i haven't declared in a while
***: residual has joined #arpnetworks
ziyourenxiang has joined #arpnetworks
heavysixer has joined #arpnetworks
ChanServ sets mode: +o heavysixer
CESSMASTER has joined #arpnetworks
vtoms has joined #arpnetworks
amdprophet has quit IRC (Ping timeout: 260 seconds)
cedwards has joined #arpnetworks
amdprophet has joined #arpnetworks
vtoms has quit IRC (Remote host closed the connection)
vtoms has joined #arpnetworks
cedwards: note: I just signed up on a FreeBSD 8.0 system. I ran 'portaudit -Fda' and there were I think three vulnerabilities ootb.
bob^^: what vulns?
cedwards: sudo, curl and I think ca_root_nss
(I've patched them now so the list is too far back in my buffer)
bob^^: ah :)
cedwards: just thought I'd mention it.
***: fink_ has joined #arpnetworks
fink_ has quit IRC (Client Quit)
fink_ has joined #arpnetworks
schmir has joined #arpnetworks
schmir has quit IRC (Ping timeout: 264 seconds)
ziyourenxiang has quit IRC (Quit: ziyourenxiang)
woland has quit IRC (Remote host closed the connection)
heavysixer has quit IRC (Quit: BAMPF!)
schmir has joined #arpnetworks
aem: hey up_the_irons you guys don't take paypal eh?
up_the_irons: aem: no
http://support.arpnetworks.com/faqs/billing/do-you-accept-paypal
:)
aem: hehe thanks
up_the_irons: np
fink_: does arpnetworks run an ntp server?
up_the_irons: no
aem: <- joshua here btw
up_the_irons: hey joshua
***: djbclark has quit IRC (Ping timeout: 246 seconds)
lll_ has quit IRC (Quit: leaving)
djbclark has joined #arpnetworks
djbclark has quit IRC (Changing host)
djbclark has joined #arpnetworks
lll has joined #arpnetworks
heavysixer has joined #arpnetworks
ChanServ sets mode: +o heavysixer
cedwards: looks like buildworld doesn't like ccache, although I've used it on my other BSD installations :(
if I plan to setup BSD jails, is there a particular private subnet/range I should or should not use?
infrared: no
cedwards: wanted to make sure I wasn't going to conflict with existing addresses
infrared: do you have 2 nics?
fink_: cedwards: i put my jails on a private internal interface, and used pf for nat
all behind one ip
cedwards: fink_: that's what I was planning.
fink_: cedwards: if the ips are on an internal interface, then they won't interfere with anything public
dxtr: Wouldn't one need a pretty decent VPS for jails? :)
cedwards: dxtr: nah. jails are incredibly lightweight.
dxtr: Cool. Might look into it then
infrared: dxtr: i see now overhead increase with idle jails
s/now/no/
dxtr: infrared: Interesting
cedwards: dxtr: I just loaded up 26 jails on a P4 1G ram and the load went to.. wait for it.. 0.30.
infrared: it's because it's kernel based
not "real" vps
dxtr: But what's *REALLY* worth jailing without losing functionality (Like userdirs in a webserver and stuff)
cedwards: fink_: so I can just create alias IPs on my em0 assigning private IPs and I should be fine?
fink_: cedwards: create an lo1 or whatever
dxtr: I guess some sort of *sql database could be jailed
fink_: assign them there
infrared: dxtr:
cedwards: dxtr: I segregate all my major services into jails (postfix, bind, squid, ssh-bastion, etc)
infrared: dxtr: "application" jails
fink_: dxtr: i jail based on processes/domains
like www.example.org is a www jail
dns.example.org is a dns jail
db
cedwards: dxtr: and I'm planning on building some shell jails for some of the guys in my UG as well.
fink_: mail
etc
dxtr: fink_: Yeah, I was thinking about it
How does one administer DNS in a cool way?
without sql :)
fink_: i use tinydns/dnscache
dxtr: I use BIND
cedwards: old-school bind here too.
zone files by hand :)
dxtr: I'd like some cool way to remotely administer the DNS :)
Or, well, maybe not *TOO* remotely
But something other than editing zone files by hand
fink_: bind is big, slow, and insecure
dxtr: Right. I'm actually considering switching :)
mike-burns: What are the competitors to BIND?
dxtr: small, fast and secure?
bob^^: powerdns
djbdns
i like bind though
i know a lot of people who use powerdns and have only good things to say about it
fink_: going from bind to tinydns was kind of like going from apache to cherokee, for me
"wow this program is so much easier to admin" and "wow half the memory footprint"
dxtr: fink_: How does one admin djbdns?
cedwards: I've only briefly used tinydns, but I'd like to learn it.
fink_: dxtr: command line, web, sql, etc.
dxtr: fink_: How does the command line work?
And how would it work if I jailed djbdns?
fink_: i've jailed tinydns/dnscache
dxtr: that's not what I asked :)
cedwards: fink_: I've done jails before, so I'm familiar with creating alias IPs but I've always done it on the same interface.
fink_: can you refer me to how to create a virtual internal interface for alias IPs?
fink_: cedwards: heh, a bunch of people have been asking me this recently!
mb i should just blog it ;)
dxtr: yeah :P
fink_: cedwards: do you mind asking me later? i'm at work and i have to finish some stuff
cedwards: fink_: no problem
fink_: thanks
cedwards: i think i just found it on the google machine.
fink_: link?
dxtr: fink_: tinydns looks like hell to admin .(
What the hell is wrong with those configuration files? :(
s/configuration/zone/
fink_: dxtr: are you serious?
dxtr: no?
up_the_irons: mike-burns: nsd and unbound, are current best practices for DNS
mike-burns: Excellent, I'll check them out.
up_the_irons: mike-burns: recursive dns and authoritative-only dns are separate in that stack. nsd is for authoritative, unbound for recursive
so, you use unbound for servers to configure in their /etc/resolv.conf; and nsd for hosting zones
mike-burns: Oh interesting. That makes sense.
up_the_irons: yeah, i've been migrating to unbound for recursive. i run it on my laptop too and just have "nameserver 127.0.0.1" in my resolv.conf, makes things faster
not using nsd yet, but i put it in a test environment, and i like it
both are made by the same people
dxtr: up_the_irons: "current best practices" as in...? :)
up_the_irons: dxtr: a resolver and authoritative name server software completely written from scratch, in coordination with RIPE NCC, to offer a solution that was not ridden with bugs and security flaws like BIND is
it's analogous to sendmail vs. postfix
dxtr: up_the_irons: I just love you answer. Seriously. Straight and consistent.
your*
aem: up_the_irons: can I pay for a year in one go?
dxtr: aem: What's wrong with paying monthly? :
:)
aem: I want to buy a pre paid credit card to order
so it would make it easier if I were able to order for a longer time period
dxtr: I hate that one can't buy that here :/
up_the_irons: aem: yes -- http://support.arpnetworks.com/faqs/billing/is-there-a-discount-for-paying-in-advance
dxtr: glad you like my answer ;)
aem: ok up_the_irons sorry for not reading the FAQ
:P
will get a pre paid card tomorrow
up_the_irons: aem: no problem :)
dxtr: up_the_irons: I didn't mean to make that singular :D
up_the_irons: dxtr: whut? ;)
dxtr: up_the_irons: I like your answer*S*
up_the_irons: dxtr: ah! :)
dxtr: You're always straight and concose.
concise
ffs up_the_irons: haha
yes that's usually how i am
dxtr: ... straight?
:D
up_the_irons: wow we actually have 50+ people in here;
CESSMASTER: i like the idea of VPS hosting that's cheap enough to be an impulse buy
***: vtoms has quit IRC (Quit: Leaving.)
up_the_irons: LOL, wish I could offer instant setup in that case
CESSMASTER: trust me i wish you could too
fink_: up_the_irons: that's something the slicehost guys were pointing out as a drawback
doesn't bother me much
dxtr: Why is make distclean so incredibly slow?
up_the_irons: Actually; what's stopping you? Shouldn't it be possible to create a perl script to do it or whatever? :))
CESSMASTER: i mean i saw the site and I figured oh cool $10 i'll try this out despite having no compelling use for it
dxtr: :)*
up_the_irons: dxtr: write it for me and we'll solve two problems :)
fink_: indeed, it is a drawback, but from the beginning i've always targeted an audience that is looking for a long term relationship with a reliable hosting company. in that respect, waiting 24 or so for your vps is not a long time; i expect most people will stay for over 12 months
fink_: up_the_irons: i agree; i think they are thinking "cloud"
up_the_irons: fink_: right
fink_: up_the_irons: perhaps you need a sexy bsd assistant?
-: fink_ could go for one of those
fink_: maybe then i could go outside…
up_the_irons: a sexy bsd assistant? yes please
DaCa: ceren ercen
dxtr: Uhm... Hmm..
***: schmir has quit IRC (Remote host closed the connection)
fink_: anybody have good resources for an ldap noob?
dxtr: Hey, up_the_irons
Speaking of unbound - I'm trying it now.
How can I make it recursive? right now it doesn't seem to recurse anything :p
amdprophet: dxtr: what exactly is doomsday drunk?
dxtr: amdprophet: Haha, what the hell? :D
amdprophet: lol
i know it's a delayed reaction
dxtr: Don't tell me that's what you've been thinking about alla day?
amdprophet: was just wondering
dxtr: all day*
amdprophet: it totally was
dxtr: Haha
It's basically getting really wasted - but even more :)
up_the_irons: dxtr: that's the whole point. unbound is not a recursive name server. if you want recursion, use nsd. BIND vulnerabilities have shown you do not want recursion and delegation on the same IP anyway
dxtr: whups, i meant that the other way around
dxtr: unbound for recursion, nsd for delegation
dxtr: if your unbound doesn't recurse, i have no idea what u did wrong ;)
dxtr: up_the_irons: Exactly. I'm trying unbound on my obsd box now but can't get it to recurse :D
** server can't find www.arpnetworks.com.dxtr.cc: SERVFAIL
FFFFFUUUUUU
aaah. Found the error
I rock!
up_the_irons: lol
***: fink_ has quit IRC (Quit: fink_)
cedwards: sweet. with a little help from google I figured out the internal virtual interface and IPs.
RandalSchwartz: up_the_irons - did you see http://twitter.com/merlyn/statuses/12577877305
even got retweeted by bob
amdprophet: even got retweeted by me!
RandalSchwartz: oh hey
dxtr: I'm off for bed now!
Should've gone like 3-4 hours ago. But still1
!
better late than never
up_the_irons: RandalSchwartz: yeah i saw that randomly this morning, tnx :)
oh wow, twitter now says "Retweeted by X people"
however, there are no links to them, which is pretty lame
lol, "southlandtvfans" RT'd it
i love that show
cedwards: so I've got my internal interface and IPs setup. I've got inbound nat setup to reach the jails.
only thing I haven't quite figured out is outbound connections from the jails.
-: up_the_irons is a jail noob
infrared: cedwards i think you want an outbound nat
and inbound forward
***: dbgi has joined #arpnetworks
dbgi: hi
***: fink has joined #arpnetworks
infrared: hi
fink: hi infrared
infrared: hey
cedwards: infrared: thanks. i think that put me on the right path.
would this be valid to allow outbound nat from jails: nat on em0 inet from 10.100.1.0/24 to any -> (em0)
fink: cedwards: you got your jails on nat?
cedwards: fink: I can get in from the outside, and I have that rule above applied, but I can't get out from the jails.
i've done jails a number of times before, but never like this.
fink: cedwards: how are you troubleshooting your net access?
cedwards: watching the pflog, and I've done some tcpdumps but I'm not getting much..
fink: cedwards: can you resolve anything?
cedwards: no, and I do have a valid resolv.conf
fink: can you ping out?
there's a sysctl to enable to allow pinging
cedwards: ..err I did have a resolv.conf. checking again now I don't.
I think I've been looking at this too long today. getting to the point that i'm losing my mind
fink: hehe
cedwards: you should put a resolv.conf in the ezjail flavour, then you don't have to worry about it in each jail
cedwards: yeah. i even forgot to apply the flavour this go-round.
heh. i think it's probably time for bed!
fink: cedwards: let's try it tomorrow
i'll consult my notes
***: heavysixer has quit IRC (Quit: heavysixer)
fink has quit IRC (Read error: Connection reset by peer)
fink has joined #arpnetworks
homosaur has joined #arpnetworks
coil has quit IRC (Read error: Operation timed out)
homosaur has quit IRC (Quit: pocketful of goat cheese, ready to party)
fink has quit IRC (Quit: fink)
steinberg has joined #arpnetworks