#arpnetworks 2010-04-21,Wed

***residual has quit IRC (Ping timeout: 240 seconds) [00:53]
coil has quit IRC (Ping timeout: 260 seconds)
j3m has quit IRC (Ping timeout: 240 seconds)
[01:04]
..... (idle for 20mn)
coil has joined #arpnetworks
j3m has joined #arpnetworks
[01:26]
.................................. (idle for 2h46mn)
<infrared> do they need to? [04:12]
<DaCa> no, but clients would be nice :p [04:17]
<infrared> ntp clients? [04:19]
<DaCa> yes, on the host, because every time I reboot my clock is half an hour off. I do run an ntp client myself, but by default it refuses to correct such a big difference in one go. [04:21]
<infrared> yeah, ntp won't update if it's like 1000 seconds off [04:21]
<DaCa> my current workaround is to rdate manually after a reboot [04:21]
....... (idle for 32mn)
<up_the_irons> infrared: i haven't had any support requests that i can recall with that neg runtime error, although i have seen it in the logs
infrared: i do use supermicro with intel, but as far as the VMs are concerned, it can't see it; they only see the emulated proc and chipsets
DaCa: yeah, i need to run ntp on the hosts; my last few servers have it, but i've delayed putting it on the others since i don't want a huge clock jump; need to do so during a maintenance window, which i haven't declared in a while
[04:53]
.... (idle for 17mn)
***residual has joined #arpnetworks [05:13]
................. (idle for 1h24mn)
ziyourenxiang has joined #arpnetworks
heavysixer has joined #arpnetworks
ChanServ sets mode: +o heavysixer
[06:37]
.... (idle for 15mn)
CESSMASTER has joined #arpnetworks [06:52]
vtoms has joined #arpnetworks
amdprophet has quit IRC (Ping timeout: 260 seconds)
cedwards has joined #arpnetworks
[06:59]
.... (idle for 19mn)
amdprophet has joined #arpnetworks [07:19]
.... (idle for 16mn)
vtoms has quit IRC (Remote host closed the connection) [07:35]
.... (idle for 16mn)
vtoms has joined #arpnetworks [07:51]
..... (idle for 22mn)
<cedwards> note: I just signed up on a FreeBSD 8.0 system. I ran 'portaudit -Fda' and there were I think three vulnerabilities ootb. [08:13]
<bob^^> what vulns? [08:14]
<cedwards> sudo, curl and I think ca_root_nss
(I've patched them now so the list is too far back in my buffer)
[08:14]
<bob^^> ah :) [08:15]
<cedwards> just thought I'd mention it. [08:15]
***fink_ has joined #arpnetworks
fink_ has quit IRC (Client Quit)
fink_ has joined #arpnetworks
[08:24]
schmir has joined #arpnetworks [08:32]
schmir has quit IRC (Ping timeout: 264 seconds) [08:42]
...... (idle for 29mn)
ziyourenxiang has quit IRC (Quit: ziyourenxiang) [09:11]
..... (idle for 21mn)
woland has quit IRC (Remote host closed the connection) [09:32]
............... (idle for 1h12mn)
heavysixer has quit IRC (Quit: BAMPF!) [10:44]
..... (idle for 20mn)
schmir has joined #arpnetworks [11:04]
....... (idle for 33mn)
<aem> hey up_the_irons you guys don't take paypal eh? [11:37]
<up_the_irons> aem: no
http://support.arpnetworks.com/faqs/billing/do-you-accept-paypal
:)
[11:43]
<aem> hehe thanks [11:43]
<up_the_irons> np [11:43]
<fink_> does arpnetworks run an ntp server? [11:44]
<up_the_irons> no [11:44]
<aem> <- joshua here btw [11:44]
<up_the_irons> hey joshua [11:44]
.... (idle for 16mn)
***djbclark has quit IRC (Ping timeout: 246 seconds)
lll_ has quit IRC (Quit: leaving)
djbclark has joined #arpnetworks
djbclark has quit IRC (Changing host)
djbclark has joined #arpnetworks
lll has joined #arpnetworks
[12:00]
...... (idle for 26mn)
heavysixer has joined #arpnetworks
ChanServ sets mode: +o heavysixer
[12:31]
<cedwards> looks like buildworld doesn't like ccache, although I've used it on my other BSD installations :( [12:31]
........... (idle for 51mn)
if I plan to setup BSD jails, is there a particular private subnet/range I should or should not use? [13:22]
<infrared> no [13:23]
<cedwards> wanted to make sure I wasn't going to conflict with existing addresses [13:24]
<infrared> do you have 2 nics? [13:24]
<fink_> cedwards: i put my jails on a private internal interface, and used pf for nat
all behind one ip
[13:25]
<cedwards> fink_: that's what I was planning. [13:25]
<fink_> cedwards: if the ips are on an internal interface, then they won't interfere with anything public [13:26]
<dxtr> Wouldn't one need a pretty decent VPS for jails? :) [13:26]
<cedwards> dxtr: nah. jails are incredibly lightweight. [13:26]
<dxtr> Cool. Might look into it then [13:26]
<infrared> dxtr: i see now overhead increase with idle jails
s/now/no/
[13:26]
<dxtr> infrared: Interesting [13:27]
<cedwards> dxtr: I just loaded up 26 jails on a P4 1G ram and the load went to.. wait for it.. 0.30. [13:27]
<infrared> it's because it's kernel based
not "real" vps
[13:27]
<dxtr> But what's *REALLY* worth jailing without losing functionality (Like userdirs in a webserver and stuff) [13:27]
<cedwards> fink_: so I can just create alias IPs on my em0 assigning private IPs and I should be fine? [13:27]
<fink_> cedwards: create an lo1 or whatever [13:28]
<dxtr> I guess some sort of *sql database could be jailed [13:28]
<fink_> assign them there [13:28]
<infrared> dxtr: [13:28]
<cedwards> dxtr: I segregate all my major services into jails (postfix, bind, squid, ssh-bastion, etc) [13:28]
<infrared> dxtr: "application" jails [13:28]
<fink_> dxtr: i jail based on processes/domains
like www.example.org is a www jail
dns.example.org is a dns jail
db
[13:28]
<cedwards> dxtr: and I'm planning on building some shell jails for some of the guys in my UG as well. [13:29]
<fink_> mail
etc
[13:29]
<dxtr> fink_: Yeah, I was thinking about it
How does one administer DNS in a cool way?
without sql :)
[13:29]
<fink_> i use tinydns/dnscache [13:30]
<dxtr> I use BIND [13:30]
<cedwards> old-school bind here too.
zone files by hand :)
[13:30]
<dxtr> I'd like some cool way to remotely administer the DNS :)
Or, well, maybe not *TOO* remotely
But something other than editing zone files by hand
[13:30]
<fink_> bind is big, slow, and insecure [13:31]
<dxtr> Right. I'm actually considering switching :) [13:32]
<mike-burns> What are the competitors to BIND? [13:33]
<dxtr> small, fast and secure? [13:33]
<bob^^> powerdns
djbdns
i like bind though
i know a lot of people who use powerdns and have only good things to say about it
[13:33]
<fink_> going from bind to tinydns was kind of like going from apache to cherokee, for me
"wow this program is so much easier to admin" and "wow half the memory footprint"
[13:34]
<dxtr> fink_: How does one admin djbdns? [13:35]
<cedwards> I've only briefly used tinydns, but I'd like to learn it. [13:35]
<fink_> dxtr: command line, web, sql, etc. [13:35]
<dxtr> fink_: How does the command line work?
And how would it work if I jailed djbdns?
[13:37]
<fink_> i've jailed tinydns/dnscache [13:37]
<dxtr> that's not what I asked :) [13:38]
<cedwards> fink_: I've done jails before, so I'm familiar with creating alias IPs but I've always done it on the same interface.
fink_: can you refer me to how to create a virtual internal interface for alias IPs?
[13:39]
<fink_> cedwards: heh, a bunch of people have been asking me this recently!
mb i should just blog it ;)
[13:40]
<dxtr> yeah :P [13:41]
<fink_> cedwards: do you mind asking me later? i'm at work and i have to finish some stuff [13:41]
<cedwards> fink_: no problem [13:41]
<fink_> thanks [13:41]
<cedwards> i think i just found it on the google machine. [13:44]
<fink_> link? [13:45]
<dxtr> fink_: tinydns looks like hell to admin .(
What the hell is wrong with those configuration files? :(
s/configuration/zone/
[13:46]
<fink_> dxtr: are you serious? [13:47]
<dxtr> no? [13:47]
<up_the_irons> mike-burns: nsd and unbound are current best practices for DNS [13:56]
<mike-burns> Excellent, I'll check them out. [13:57]
<up_the_irons> mike-burns: recursive dns and authoritative-only dns are separate in that stack. nsd is for authoritative, unbound for recursive
so, you use unbound for servers to configure in their /etc/resolv.conf; and nsd for hosting zones
[13:59]
<mike-burns> Oh interesting. That makes sense. [14:00]
<up_the_irons> yeah, i've been migrating to unbound for recursive. i run it on my laptop too and just have "nameserver 127.0.0.1" in my resolv.conf, makes things faster
not using nsd yet, but i put it in a test environment, and i like it
both are made by the same people
[14:00]
<dxtr> up_the_irons: "current best practices" as in...? :) [14:09]
<up_the_irons> dxtr: a resolver and authoritative name server software completely written from scratch, in coordination with RIPE NCC, to offer a solution that was not ridden with bugs and security flaws like BIND is
it's analogous to sendmail vs. postfix
[14:16]
<dxtr> up_the_irons: I just love you answer. Seriously. Straight and consistent.
your*
[14:17]
<aem> up_the_irons: can I pay for a year in one go? [14:18]
<dxtr> aem: What's wrong with paying monthly? :
:)
[14:19]
<aem> I want to buy a prepaid credit card to order
so it would make it easier if I were able to order for a longer time period
[14:19]
<dxtr> I hate that one can't buy that here :/ [14:20]
<up_the_irons> aem: yes -- http://support.arpnetworks.com/faqs/billing/is-there-a-discount-for-paying-in-advance
dxtr: glad you like my answer ;)
[14:22]
<aem> ok up_the_irons sorry for not reading the FAQ
:P
will get a prepaid card tomorrow
[14:25]
<up_the_irons> aem: no problem :) [14:26]
<dxtr> up_the_irons: I didn't mean to make that singular :D [14:28]
<up_the_irons> dxtr: whut? ;) [14:28]
<dxtr> up_the_irons: I like your answer*S* [14:29]
<up_the_irons> dxtr: ah! :) [14:30]
<dxtr> You're always straight and concose.
concise
ffs
[14:31]
<up_the_irons> haha
yes that's usually how i am
[14:31]
<dxtr> ... straight?
:D
[14:33]
<up_the_irons> wow we actually have 50+ people in here; [14:35]
<CESSMASTER> i like the idea of VPS hosting that's cheap enough to be an impulse buy [14:38]
***vtoms has quit IRC (Quit: Leaving.) [14:41]
<up_the_irons> LOL, wish I could offer instant setup in that case [14:46]
<CESSMASTER> trust me i wish you could too [14:46]
<fink_> up_the_irons: that's something the slicehost guys were pointing out as a drawback
doesn't bother me much
[14:46]
<dxtr> Why is make distclean so incredibly slow?
up_the_irons: Actually; what's stopping you? Shouldn't it be possible to create a perl script to do it or whatever? :))
[14:47]
<CESSMASTER> i mean i saw the site and I figured oh cool $10 i'll try this out despite having no compelling use for it [14:47]
<dxtr> :)* [14:47]
<up_the_irons> dxtr: write it for me and we'll solve two problems :)
fink_: indeed, it is a drawback, but from the beginning i've always targeted an audience that is looking for a long term relationship with a reliable hosting company. in that respect, waiting 24 or so for your vps is not a long time; i expect most people will stay for over 12 months
[14:48]
<fink_> up_the_irons: i agree; i think they are thinking "cloud" [14:49]
<up_the_irons> fink_: right [14:49]
<fink_> up_the_irons: perhaps you need a sexy bsd assistant?
* fink_ could go for one of those
maybe then i could go outside…
[14:51]
<up_the_irons> a sexy bsd assistant? yes please [14:52]
<DaCa> ceren ercen [14:53]
<dxtr> Uhm... Hmm.. [14:54]
***schmir has quit IRC (Remote host closed the connection) [14:57]
<fink_> anybody have good resources for an ldap noob? [15:02]
........ (idle for 35mn)
<dxtr> Hey, up_the_irons
Speaking of unbound - I'm trying it now.
How can I make it recursive? right now it doesn't seem to recurse anything :p
[15:37]
<amdprophet> dxtr: what exactly is doomsday drunk? [15:41]
<dxtr> amdprophet: Haha, what the hell? :D [15:42]
<amdprophet> lol
i know it's a delayed reaction
[15:42]
<dxtr> Don't tell me that's what you've been thinking about alla day? [15:42]
<amdprophet> was just wondering [15:42]
<dxtr> all day* [15:42]
<amdprophet> it totally was [15:42]
<dxtr> Haha
It's basically getting really wasted - but even more :)
[15:42]
<up_the_irons> dxtr: that's the whole point. unbound is not a recursive name server. if you want recursion, use nsd. BIND vulnerabilities have shown you do not want recursion and delegation on the same IP anyway
dxtr: whups, i meant that the other way around
dxtr: unbound for recursion, nsd for delegation
dxtr: if your unbound doesn't recurse, i have no idea what u did wrong ;)
[15:43]
<dxtr> up_the_irons: Exactly. I'm trying unbound on my obsd box now but can't get it to recurse :D
** server can't find www.arpnetworks.com.dxtr.cc: SERVFAIL
FFFFFUUUUUU
[15:44]
aaah. Found the error
I rock!
[15:51]
<up_the_irons> lol [15:53]
.... (idle for 19mn)
***fink_ has quit IRC (Quit: fink_) [16:12]
<cedwards> sweet. with a little help from google I figured out the internal virtual interface and IPs. [16:22]
<RandalSchwartz> up_the_irons - did you see http://twitter.com/merlyn/statuses/12577877305
even got retweeted by bob
[16:31]
<amdprophet> even got retweeted by me! [16:32]
<RandalSchwartz> oh hey [16:32]
....... (idle for 30mn)
<dxtr> I'm off for bed now!
Should've gone like 3-4 hours ago. But still1
!
better late than never
[17:02]
........... (idle for 53mn)
<up_the_irons> RandalSchwartz: yeah i saw that randomly this morning, tnx :)
oh wow, twitter now says "Retweeted by X people"
however, there are no links to them, which is pretty lame
lol, "southlandtvfans" RT'd it
i love that show
[17:55]
<cedwards> so I've got my internal interface and IPs setup. I've got inbound nat setup to reach the jails.
only thing I haven't quite figured out is outbound connections from the jails.
[17:59]
* up_the_irons is a jail noob [18:06]
<infrared> cedwards i think you want an outbound nat
and inbound forward
[18:08]
[18:08]
......... (idle for 41mn)
***dbgi has joined #arpnetworks [18:49]
<dbgi> hi [18:57]
***fink has joined #arpnetworks [18:59]
<infrared> hi [19:02]
<fink> hi infrared [19:10]
.... (idle for 16mn)
<infrared> hey [19:26]
<cedwards> infrared: thanks. i think that put me on the right path.
would this be valid to allow outbound nat from jails: nat on em0 inet from 10.100.1.0/24 to any -> (em0)
[19:36]
<fink> cedwards: you got your jails on nat? [19:46]
<cedwards> fink: I can get in from the outside, and I have that rule above applied, but I can't get out from the jails.
i've done jails a number of times before, but never like this.
[19:46]
<fink> cedwards: how are you troubleshooting your net access? [19:47]
<cedwards> watching the pflog, and I've done some tcpdumps but I'm not getting much.. [19:48]
<fink> cedwards: can you resolve anything? [19:50]
<cedwards> no, and I do have a valid resolv.conf [19:51]
<fink> can you ping out?
there's a sysctl to enable to allow pinging
[19:51]
<cedwards> ..err I did have a resolv.conf. checking again now I don't.
I think I've been looking at this too long today. getting to the point that i'm losing my mind
[19:52]
<fink> hehe
cedwards: you should put a resolv.conf in the ezjail flavour, then you don't have to worry about it in each jail
[19:52]
<cedwards> yeah. i even forgot to apply the flavour this go-round.
heh. i think it's probably time for bed!
[19:53]
<fink> cedwards: let's try it tomorrow
i'll consult my notes
[19:53]
....... (idle for 33mn)
***heavysixer has quit IRC (Quit: heavysixer) [20:26]
fink has quit IRC (Read error: Connection reset by peer) [20:34]
..... (idle for 23mn)
fink has joined #arpnetworks [20:57]
.......... (idle for 47mn)
homosaur has joined #arpnetworks [21:44]
coil has quit IRC (Read error: Operation timed out) [21:55]
.... (idle for 15mn)
homosaur has quit IRC (Quit: pocketful of goat cheese, ready to party) [22:10]
.............. (idle for 1h6mn)
fink has quit IRC (Quit: fink) [23:16]
......... (idle for 42mn)
steinberg has joined #arpnetworks [23:58]