Re: Help provisioning a Samba AD in a jail on ZFS

2017-11-02 Thread Alexander Zagrebin
On Wed, 1 Nov 2017 16:01:18 +0100
Andrea Venturoli wrote:

It seems it's off-topic here, but I'll try to answer.

To set up a new samba46-based domain controller on ZFS in a jail (I'm
using it with VIMAGE) you can try the following:

1. Rebuild the net/samba46 port with the attached patches
   (patch-librpc__idl__xattr.idl, patch-python__samba__provisioninit__.py)

2. Initialize the new domain with the following command (the last two
   parameters make the magic):
   samba-tool domain provision --use-rfc2307 \
       --host-name= \
       --realm= \
       --domain= \
       --adminpass= \
       --option="vfs objects = acl_xattr" \
       --option="acl_xattr:ignore system acls = yes"

3. After successful provisioning, edit /usr/local/etc/smb4.conf:
   - remove or comment out
       vfs objects = acl_xattr
       acl_xattr:ignore system acls = yes
   - add the following:
       vfs objects = zfsacl
       nfs4:mode = special
       nfs4:acedup = merge
       nfs4:chown = yes

4. Execute `samba-tool ntacl sysvolreset`

5. Start samba

It is not an ideal solution, but it seems to be working, although
there are other resolvable issues (with BIND9_DLZ and so on)...
I've sent the patches to the port maintainer, but have had no answer.

> As per subject, I'm building a new box which must host a jail running
> a Samba AD, but I have trouble provisioning it.
> Currently I'm trying samba44.
> 
> I read a lot of material and I think I understand the problem: it
> seems the "samba-tool provision" script is incompatible with NFSv4ACL
> used by ZFS. AFAICT this issue has been raised, the Samba team has
> acknowledged a patch should be made, but so far nothing happened.
> 
> So I'm looking into workarounds:
> 
> a) someone suggested installing samba43, provisioning, then upgrading to
> samba44. In fact this is a path I went through a couple of times
> in the past (on UFS, however). Alas samba43 is no longer there.
> 
> b) I think I might get around this by provisioning with the
> deprecated NTVFS, then switch to S3FS.
> Unfortunately samba44 does not build NTVFS anymore, unless the
> DEVELOPER option is used; but if the DEVELOPER option is used
> compilation (on Poudriere) fails with:
> > ../source4/lib/socket/socket_ip.c:864:12: error: comparison of array
> > 'addr.__u6_addr.__u6_addr8' equal to a null pointer is always false
> > [-Werror,-Wtautological-pointer-compare]
> >         if (addr.s6_addr == 0) {
> >             ~^~~~
> > /usr/include/netinet6/in6.h:103:29: note: expanded from macro 's6_addr'
> > #define s6_addr   __u6_addr.__u6_addr8
> >                   ^
> > 1 error generated.
> 
> c) I tried creating a ZVOL, formatting it with UFS, mounting it with 
> ACLs inside the jail, but still provisioning says I have no ACL
> support.
> 
> d) I know samba46 is incompatible with jails (at least as AD DC), but 
> didn't try samba45. AFAICT, however, nothing should have improved WRT
> to my problem.
> 
> So, after spending a couple of days on this and before spending
> another week trying every path, I thought I'd ask...
> 
> Should I temporarily revive samba43?
> Can samba44 with NTVFS compilation error be fixed?
> Should I try samba45 or is it just a waste of time?
> Would creating a jail on another (UFS) box and then moving 
> /var/db/samba4 and smb4.conf here work?
> 
> I'm open to any other suggestion as long as the objective (AD in a
> jail on ZFS) is met in the end.

-- 
Alexander Zagrebin
___
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
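Step 3 of the recipe above is a hand edit of smb4.conf. As an added example (not part of Alexander's port patches or of Samba itself), here is a Python helper that performs exactly that edit: it only touches the [global] section, leaves other sections alone, and yields the same result when run twice. The smb4.conf fragment is constructed for illustration; the host name and realm in it are placeholders.

```python
# Constructed smb4.conf fragment, as "samba-tool domain provision" leaves it
# when run with the two --option arguments above (names are placeholders).
SAMPLE_SMB4_CONF = """\
[global]
\tnetbios name = DC1
\trealm = AD.EXAMPLE.COM
\tserver role = active directory domain controller
\tidmap_ldb:use rfc2307 = yes
\tvfs objects = acl_xattr
\tacl_xattr:ignore system acls = yes

[sysvol]
\tpath = /var/db/samba4/sysvol
\tread only = No
"""

ZFSACL_BLOCK = [
    "vfs objects = zfsacl",
    "nfs4:mode = special",
    "nfs4:acedup = merge",
    "nfs4:chown = yes",
]
# Keys this helper owns inside [global]: the two acl_xattr settings that must
# go, plus the zfsacl settings themselves so a second run does not duplicate them.
MANAGED_KEYS = {"vfs objects", "acl_xattr:ignore system acls"} | {
    s.split("=", 1)[0].strip() for s in ZFSACL_BLOCK
}


def patch_smb4_conf(text: str) -> str:
    """Return smb4.conf text with [global] switched from acl_xattr to zfsacl."""
    out, in_global, emitted, global_at = [], False, False, None

    def flush():
        # [global] ended without any managed key: add the block after its header.
        if in_global and not emitted and global_at is not None:
            out[global_at + 1:global_at + 1] = ["\t" + s for s in ZFSACL_BLOCK]

    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            flush()
            in_global = s.lower() == "[global]"
            if in_global:
                emitted, global_at = False, len(out)
        elif in_global and s.split("=", 1)[0].strip().lower() in MANAGED_KEYS:
            if not emitted:  # first managed key: emit the zfsacl block in its place
                indent = line[: len(line) - len(line.lstrip())]
                out.extend(indent + s2 for s2 in ZFSACL_BLOCK)
                emitted = True
            continue  # drop the old acl_xattr / stale zfsacl line
        out.append(line)
    flush()
    return "\n".join(out) + "\n"
```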

Re: Low default setting of UDBHASHSIZE leads to unresponsive system

2017-11-02 Thread Eugene Grosbein
On 01.11.2017 22:35, Lev Serebryakov wrote:
> 
>  Now 11-STABLE (and 12-CURRENT too) have this:
> 
> sys/netinet/udp_usrreq.c:#define   UDBHASHSIZE 128
> 
>  Looks like such low value could lead to 100% consumption of CPU by
> interrupt threads (igb queues in my case) on heavy incoming UDP traffic
> (torrents with uTP in my case).
> 
>  My system (E3-1220v3 with I210 NICs) becomes completely unresponsive
> (nut complains about lost connection to UPS, ssh to system times out,
> etc) when system downloads torrent with many uTP (UDP) peers. Four igb0
> queues consume 100% CPU each in this scenario.
> 
>  Total traffic could be very low like 500KiB/s (yes, 500KiB/s, not
> MiB/s!), I don't speak about 1Gbit/s or even 100Mbit/s here!
> 
>   Rebuilding kernel with UDBHASHSIZE=16384 seems to help.
> 
>   Why is this value so low and why do I need to patch sources to change it?
> Many such settings are changeable via sysctl and/or tunables, but this
> one looks hardcoded.

You should file a PR. Attach the performance numbers you got.

If possible, attach a patch introducing a new loader tunable; that should be
easy.
Keep me CC'd.




Re: VLANing between jails not segmenting traffic

2017-11-02 Thread Marko Cupać
On Mon, 30 Oct 2017 22:46:35 +0100
Michael Gmelin  wrote:

> You can use fibs with net.add_addr_allfibs=0 to get separate routing
> tables (comes with its own set of complications though).

I hoped to go this way, but the host (in fib0) replies to icmp requests
destined to the jail with raw_sockets disabled (in fib 1) via the host's
default gateway, making a really weird routing situation.

Had to go back to separate physical hosts for now. Will check VIMAGE.
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/

Re: VLANing between jails not segmenting traffic

2017-11-02 Thread Michael Gmelin


On Thu, 2 Nov 2017 13:19:31 +0100
Marko Cupać  wrote:

> On Mon, 30 Oct 2017 22:46:35 +0100
> Michael Gmelin  wrote:
> 
> > You can use fibs with net.add_addr_allfibs=0 to get separate routing
> > tables (comes with its own set of complications though).  
> 
> I hoped to go this way, but the host (in fib0) replies to icmp requests
> destined to the jail with raw_sockets disabled (in fib 1) via the host's
> default gateway, making a really weird routing situation.

Shouldn't you be able to fix this using a pf pass rule with rtable?

Maybe you can share more of your setup, quite curious.

-m

> 
> Had to go back to separate physical hosts for now. Will check VIMAGE.



-- 
Michael Gmelin

Re: VLANing between jails not segmenting traffic

2017-11-02 Thread Marko Cupać
On Thu, 2 Nov 2017 15:42:55 +0100
Michael Gmelin  wrote:

> On Thu, 2 Nov 2017 13:19:31 +0100
> Marko Cupać  wrote:
> 
> > On Mon, 30 Oct 2017 22:46:35 +0100
> > Michael Gmelin  wrote:
> >   
> > > You can use fibs with net.add_addr_allfibs=0 to get separate
> > > routing tables (comes with its own set of complications
> > > though).
> > 
> > I hoped to go this way, but the host (in fib0) replies to icmp requests
> > destined to the jail with raw_sockets disabled (in fib 1) via the host's
> > default gateway, making a really weird routing situation.
> 
> Shouldn't you be able to fix this using a pf pass rule with rtable?

I am sure it could be fixed as you said, but I don't want to introduce
more complexity with PF.

> Maybe you can share more of your setup, quite curious.

I wrote about that here on the list, and on -jail as well (both are
the same):
[https://lists.freebsd.org/pipermail/freebsd-jail/2017-September/003442.html]
[https://lists.freebsd.org/pipermail/freebsd-net/2017-October/049037.html]

I also got an off-list reply from a guy who says this behaviour was
introduced in 11.X, and not present in 10.X. I didn't have the time to
test on 10.X.

Regards,
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/

Re: VLANing between jails not segmenting traffic

2017-11-02 Thread Michael Gmelin
On Thu, 2 Nov 2017 16:21:01 +0100
Marko Cupać  wrote:

> On Thu, 2 Nov 2017 15:42:55 +0100
> Michael Gmelin  wrote:
> 
> > On Thu, 2 Nov 2017 13:19:31 +0100
> > Marko Cupać  wrote:
> >   
> > > On Mon, 30 Oct 2017 22:46:35 +0100
> > > Michael Gmelin  wrote:
> > > 
> > > > You can use fibs with net.add_addr_allfibs=0 to get separate
> > > > routing tables (comes with its own set of complications
> > > > though).  
> > > 
> > > I hoped to go this way, but the host (in fib0) replies to icmp
> > > requests destined to the jail with raw_sockets disabled (in fib 1)
> > > via the host's default gateway, making a really weird routing
> > > situation.
> > 
> > Shouldn't you be able to fix this using a pf pass rule with
> > rtable?  
> 
> I am sure it could be fixed as you said, but I don't want to introduce
> more complexity with PF.

It would be something simple like

"pass proto icmp to y rtable n"

If you're not already using pf you obviously don't want to introduce
it only to solve this problem.

> 
> > Maybe you can share more of your setup, quite curious.  
> 
> I wrote about that here on the list, and on -jail as well (both are
> the same):
> [https://lists.freebsd.org/pipermail/freebsd-jail/2017-September/003442.html]
> [https://lists.freebsd.org/pipermail/freebsd-net/2017-October/049037.html]
> 
> I also got off-list reply from a guy who says this behaviour was
> introduced in 11.X, and not present in 10.X. Didn't have the time to
> test on 10.X.

I only use 10.x for complex networking in production right now :/

-m
> 
> Regards,





-- 
Michael Gmelin

FreeBSD 11.1 vmx + netmap queues

2017-11-02 Thread Santiago Martinez
Hi list, hope you guys are doing well.

I have a basic question. Do you know if multiple TX queues are
supported for vmx + netmap?

Basically I'm using pkt-gen to generate bulk traffic @10Gbps and it's OK
with packet size >~1000b.

For small packets I should use multiple cores/processes to be able to
generate the required pps, but pkt-gen complains that I have only one queue.

I tried adding multiple queues for vmx in loader.conf (I can verify with
sysctl) but netmap is still complaining there is only one queue.

sysctl -a | grep vmx.1:
dev.vmx.1.mbuf_load_failed: 0
dev.vmx.1.mgetcl_failed: 0
dev.vmx.1.defrag_failed: 0
dev.vmx.1.defragged: 0
dev.vmx.1.nrxqueues: 8
dev.vmx.1.ntxqueues: 4
dev.vmx.1.max_nrxqueues: 8
dev.vmx.1.max_ntxqueues: 4
dev.vmx.1.%parent: pci4
dev.vmx.1.%pnpinfo: vendor=0x15ad device=0x07b0 subvendor=0x15ad
subdevice=0x07b0 class=0x02
dev.vmx.1.%location: slot=0 function=0 dbsf=pci0:11:0:0
handle=\_SB_.PCI0.PE50.S1F0
dev.vmx.1.%driver: vmx
dev.vmx.1.%desc: VMware VMXNET3 Ethernet Adapter

pkt-gen still says one queue for vmx:

Sending on netmap:vmx1: 1 queues, 2 threads and 4 cpus.


Thanks in advance.

Santiago


Re: IP packet header visualization software

2017-11-02 Thread DES

thank you for the response Kevin and Bakul,

but neither tcptrace nor ethereal/wireshark is what I'm looking for. As
I said, the application I was using was drawing a single IP packet header
similar to what is presented in RFC791 -


+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version|  IHL  |Type of Service|          Total Length         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Identification        |Flags|      Fragment Offset    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Time to Live |    Protocol   |         Header Checksum       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Source Address                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Destination Address                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options                    |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

But a) graphically with colors, b) with actual packet/header data from 
the captured IP packet.


The actual result looked similar to this picture -
https://www.ibm.com/support/knowledgecenter/en/ssw_aix_71/com.ibm.aix.networkcomm/figures/comma35.jpg

thank you
3des

On 02.11.2017 02:38, Kevin Oberman wrote:
On Wed, Nov 1, 2017 at 2:46 PM, DES <3...@inx.su > 
wrote:


Hello FreeBSD-Net,

does anybody remember, around the year 2004, there was a software
application available (either as a port, or a package). Unfortunately
I do not recall the application name and I'm not able to find it
again, although I've reviewed the Ports collection from the year 2005
which I have on 3 DVDs. I do not remember if the application
captured data from the network interface by itself, or used
tcpdump output; that actually doesn't matter. What matters is that
this app drew a picture of the selected IP packet's header,
similar to the one in RFC791 at page 11, chapter "3.1. Internet
Header Format". The picture drawn was minimalistic and in colors
(green, yellow), and it showed the field values from the actual
capture. I ran it under TWM, and it looked close to that one,
but showing captured values instead of (or along with) field names -

I'd appreciate it if anybody remembers that application by chance and
could tell me its name.

thank you

3des


tcptrace? I have not used it since I retired, but I think it was 
similar to what you are looking for. Its output is just text. It used 
an external tool to implement the plots, xplot. xplot died back on 
gcc-3.3 and I have no idea what its current status is, but I fear it's 
abandoned, xpolt.org  still is alive, though.




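What DES describes (the RFC 791 box filled in with the field values of a captured packet) is easy to reproduce in text. This added Python example is not the tool being sought nor anything posted on the list: it parses a constructed 20-byte IPv4 header, verifies its header checksum, and draws the fields in the RFC 791 layout, marking a bad checksum in the drawing.

```python
import socket
import struct

IPV4_FMT = "!BBHHHBBH4s4s"  # the ten fixed fields of an RFC 791 header

# Constructed sample: IPv4/UDP header 192.0.2.1 -> 198.51.100.7, total length
# 60, DF flag set, TTL 64; 0x322f is the correct checksum for these values.
SAMPLE_HEADER = struct.pack(
    IPV4_FMT, 0x45, 0x00, 60, 0x1c46, 0x4000, 64, 17, 0x322f,
    socket.inet_aton("192.0.2.1"), socket.inet_aton("198.51.100.7"),
)

def ipv4_checksum(hdr: bytes) -> int:
    """RFC 791 checksum: one's-complement sum of 16-bit words, word 5 as zero."""
    if len(hdr) < 20 or len(hdr) % 4:
        raise ValueError("header must be 20..60 bytes, a multiple of 4")
    words = struct.unpack("!%dH" % (len(hdr) // 2), hdr)
    total = sum(words) - words[5]           # skip the checksum field itself
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4(hdr: bytes) -> dict:
    """Split a raw IPv4 header into its fields and validate the checksum."""
    if len(hdr) < 20:
        raise ValueError("truncated IPv4 header")
    vi, tos, tlen, ident, ff, ttl, proto, csum, src, dst = struct.unpack(IPV4_FMT, hdr[:20])
    ihl = vi & 0x0F
    if vi >> 4 != 4 or ihl < 5 or len(hdr) < ihl * 4:
        raise ValueError("not a complete IPv4 header")
    return {
        "version": vi >> 4, "ihl": ihl, "tos": tos, "total_length": tlen,
        "identification": ident, "flags": ff >> 13, "fragment_offset": ff & 0x1FFF,
        "ttl": ttl, "protocol": proto, "header_checksum": csum,
        "checksum_ok": csum == ipv4_checksum(hdr[:ihl * 4]),
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
    }

def render_rfc791(f: dict) -> str:
    """RFC 791 box layout: an n-bit field gets a 2n-1 char cell, rows are 65 wide."""
    rule = "+" + "-+" * 32
    rows = [
        [(f"v{f['version']}", 4), (f"IHL {f['ihl']}", 4),
         (f"TOS 0x{f['tos']:02x}", 8), (f"Total Length {f['total_length']}", 16)],
        [(f"ID 0x{f['identification']:04x}", 16), (f"{f['flags']:03b}", 3),
         (f"Frag Off {f['fragment_offset']}", 13)],
        [(f"TTL {f['ttl']}", 8), (f"Proto {f['protocol']}", 8),
         (f"Checksum 0x{f['header_checksum']:04x} {'ok' if f['checksum_ok'] else 'BAD'}", 16)],
        [(f"Src {f['src']}", 32)], [(f"Dst {f['dst']}", 32)],
    ]
    lines = [rule]
    for row in rows:
        lines += ["|" + "|".join(str(t).center(2 * b - 1) for t, b in row) + "|", rule]
    return "\n".join(lines)
```

Feed it the first 20 bytes of a captured datagram (for example from a raw socket or a pcap reader) and `print(render_rfc791(parse_ipv4(hdr)))` gives the picture with real values; the options row is omitted for brevity.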

Re: IP packet header visualization software

2017-11-02 Thread Adam Vande More
On Thu, Nov 2, 2017 at 2:35 PM, DES <3...@inx.su> wrote:

> thank you for the response Kevin and Bakul,
>
> but neither tcptrace nor ethereal/wireshark is what I'm looking for. As I
> said, the application I was using was drawing single IP packet header
> similar to what is presented in RFC791 -
>
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> |Version|  IHL  |Type of Service|          Total Length         |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> |         Identification        |Flags|      Fragment Offset    |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> |  Time to Live |    Protocol   |         Header Checksum       |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> |                       Source Address                          |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> |                    Destination Address                        |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> |                    Options                    |    Padding    |
> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>
> But a) graphically with colors, b) with actual packet/header data from the
> captured IP packet.
>
> Actual result looked similar to this picture -
> https://www.ibm.com/support/knowledgecenter/en/ssw_aix_71/com.ibm.aix.networkcomm/figures/comma35.jpg
>
> thank you
> 3des
>

I believe the application you are looking for may be called "protocol".

-- 
Adam


Re: FreeBSD 11.1 vmx + netmap queues

2017-11-02 Thread Vincenzo Maffione
Hi,
  With the vmx driver, netmap will use the emulated netmap adapter. On FreeBSD
netmap still does not have a way to see how many rings an interface has, so
by default it will assume one tx/rx ring pair for the emulated adapter. You can
however change this via the sysctl dev.netmap.generic_rings.

Cheers,
  Vincenzo

On 2 Nov 2017 6:22 PM, "Santiago Martinez"  wrote:

> Hi list, hope you guys are doing well.
>
> I have a basic question. Do you know if multiple TX queues are
> supported for vmx + netmap?
>
> Basically I'm using pkt-gen to generate bulk traffic @10Gbps and it's OK
> with packet size >~1000b.
>
> For small packets I should use multiple cores/processes to be able to
> generate the required pps, but pkt-gen complains that I have only one queue.
>
> I tried adding multiple queues for vmx in loader.conf (I can verify with
> sysctl) but netmap is still complaining there is only one queue.
>
> sysctl -a | grep vmx.1:
> dev.vmx.1.mbuf_load_failed: 0
> dev.vmx.1.mgetcl_failed: 0
> dev.vmx.1.defrag_failed: 0
> dev.vmx.1.defragged: 0
> dev.vmx.1.nrxqueues: 8
> dev.vmx.1.ntxqueues: 4
> dev.vmx.1.max_nrxqueues: 8
> dev.vmx.1.max_ntxqueues: 4
> dev.vmx.1.%parent: pci4
> dev.vmx.1.%pnpinfo: vendor=0x15ad device=0x07b0 subvendor=0x15ad
> subdevice=0x07b0 class=0x02
> dev.vmx.1.%location: slot=0 function=0 dbsf=pci0:11:0:0
> handle=\_SB_.PCI0.PE50.S1F0
> dev.vmx.1.%driver: vmx
> dev.vmx.1.%desc: VMware VMXNET3 Ethernet Adapter
>
> pkt-gen still says one queue for vmx:
>
> Sending on netmap:vmx1: 1 queues, 2 threads and 4 cpus.
>
>
> Thanks in advance.
>
> Santiago
>