OpenSMTPD memory leak...
Hi,

I'm running OpenBSD5 (all from binaries) as a spam filter installed in a SPARC LDOM (T1000). I've changed sendmail for OpenSMTPD and after a few weeks I see that OpenSMTPD ate almost all memory:

root@homer $ ps aux | grep smtpd
root      5866  0.0  0.1    1296    2544 ??  Is  23Nov11   0:10.40 smtpd: [priv] (smtpd)
_smtpd   32416  0.0  0.1    1088    2160 ??  I   23Nov11   0:23.96 smtpd: control (smtpd)
_smtpd     862  0.0  0.1    1136    2384 ??  I   23Nov11   6:59.17 smtpd: lookup agent (smtpd)
_smtpd   25812  0.0  0.1     848    1944 ??  I   23Nov11   0:04.31 smtpd: mail delivery agent (smtpd)
_smtpd   19507  0.0  0.1     944    1984 ??  I   23Nov11   3:01.57 smtpd: mail filter agent (smtpd)
_smtpd    7286  0.0 64.5 3180912 1184408 ??  I   23Nov11 950:16.16 smtpd: mail transfer agent (smtpd)
_smtpd    1789  0.0  0.1    1536    2640 ??  I   23Nov11   7:35.61 smtpd: queue (smtpd)
_smtpd   27134  0.0  0.1    1288    2384 ??  I   23Nov11   8:22.50 smtpd: runner (smtpd)
_smtpd    4856  0.0  0.2    1768    4296 ??  I   23Nov11  10:01.85 smtpd: smtp server (smtpd)

Are you devs already aware of that leak? Can I help with some traces/dumps until I have to restart it?

I.
Re: customize CFLAG with /etc/mk.conf
Aaron,

I built 3.7 base + OpenVPN for a VPN gateway with custom CFLAGS/LDFLAGS and it worked well for years, even with such aggressive flags as CFLAGS="-O3 -march=c3 -mmmx -m3dnow -fomit-frame-pointer" and LDFLAGS="-Wl,-z,combreloc -Wl,-O2 -Wl,--sort-common -Wl,--enable-new-dtags". But the build was broken and I had to fix many things in the OpenBSD makefiles to get the binaries done.

Such LDFLAGS significantly speed up application loading, cause they do the same things as the prelink utility, but at link time. CFLAGS helped me speed up the C3 500MHz router device by about 20-30%, but it was a synthetic measurement on nbench built with and without CFLAGS. The kernel build was also forced to use such CFLAGS, with no stability issue and subjectively more speedy.

It was a few years ago, when I had the mood to compile everything with all CPU features on. ;-)

Looking at this concrete OpenBSD build, my summary is that it took me more than 20h to build it and the speedup was not so significant, considering that it should take about 1h to get the same functionality with release binaries, only a bit slower.

And two other things to keep in mind: nowadays x86 CPUs have very heuristic instruction handling/prefetching, so they will not speed up as much with custom CFLAGS; and OpenBSD still uses gcc 3.3.5, which can't optimize well enough for new CPUs to be worth losing time on a custom flags build.

And many makefiles in OpenBSD base don't handle CFLAGS/LDFLAGS correctly. The last time I tried it (about 1/2y. ago), I made only the kernel with custom flags (for the kernel it is the COPTS variable, if I remember right). The rest of the system didn't build and I didn't have time to bother with broken makefiles.

So if you don't want to do HPC, don't lose time with custom flags. If you want to do HPC, choose another operating system, cause OpenBSD's strengths are elsewhere.

I.

On Sat, 2010-03-27 at 10:05 +0800, Aaron Lewis wrote:
> Hi,
> Is that possible to modify CFLAG for port installed software ?
>
> I read `man mk.conf' found there's no CFLAGS or CXXFLAG entries ,
> even though i tried to
> put `CFLAG += -O3 -march=i686' into that file , but ports doesn't
> recognize it.
>
> Just want to optimize ports software , during compilation of kernel
> , i'd comment them out.
>
> Does anyone have any ideas ?
>
> Thanks in advance !
Re: Force Internet traffic out IPSec VPN
It is not a demand of PF... It's about IPSec behavior. IPSec tunnels could be established between exactly 2 IPs, or exactly 2 IP networks. You can't have an IP net on one side of the tunnel and the rest of the Internet on the other side, which is the case you wrote about.

Solutions:
1. Build IP-IP IPSec and then build a GRE tunnel on those 2 IPs. You could route anything over the GRE tunnel. Beware of encapsulation overhead, cause it is a tunnel in a tunnel.
2. Use OpenVPN instead of IPSec. It is far less painful.

I.

On Thu, 2011-04-07 at 16:51 -0700, Andrew Klettke wrote:
> We have a working IPSec VPN between two 4.8 endpoints. One of them is at
> a remote location, and the other at the main office. The remote location
> has its own external, routable IP (to establish the VPN), and an
> internal subnet behind it. The main office has its own external IP,
> through which it is NATing its own internal subnet.
>
> Basically, I want to force all internet traffic from the remote,
> internal subnet through the main office's internal gateway so it can NAT
> out from there.
>
> I've been attempting to accomplish this with "route-to" and "reply-to"
> rules on the remote box, but have had no luck. I know IPSec keeps its
> own routing table, is this interfering? Is this possible to do with PF?
TRESOR - Runs Encryption Securely Outside RAM
Hi,

Just an idea: http://www1.informatik.uni-erlangen.de/tresor/

Should be interesting for the OpenBSD kernel too. Of course, if not already there in some form.

I.
Re: Slow disk IO HP DL120 G5 with LSI1068E
Download the "Smart Start" CD from the HP site. Boot this CD and configure the SCSI adapter and RAID settings. There are far more options to configure than from the SCSI adapter BIOS. Btw, if you have a battery-backed cache, you can switch on the write cache. You should also download and boot the "Firmware CD"...

I.

On Tue, 2010-08-31 at 18:52 +0300, Evgeniy Sudyr wrote:
> I have troubles on OpenBSD 4.7 with HP DL 120 G5
>
> Actually I'm trying to unpack src.tar.gz and see that it's very slow.
>
> There is my systat during unpacking and dmesg for the server
Re: C++ CGI script
Save your time with http://www.webtoolkit.eu/wt when you are in the mindset to write CGIs in C++... ;-)

On Mon, 2010-12-13 at 22:18 +0100, Jean-Francois wrote:
> Hello,
>
> Sorry for posting basic question here, would you please let me know why such
> script doesn't work (error with "Premature end of script headers") ?
>
>
> #include <iostream>
> using namespace std;
>
> int main()
> {
> cout << "Content-type: text/plain" << endl << endl << "Hello, World!";
> }
>
>
> It actually shows flush needed on google but I'm not able to do a hello world
> CGI in C++.
>
> Thanks for your help,
>
> Regards
Re: OpenVPN client on OpenBSD
Hi,

Remove the following line from the OpenVPN config:

redirect-gateway def1

It redirects your default gateway to the tunnel you have just opened.

Btw, you have copied /etc/hostname.tun0 from the install suggestion, but this is not the only right way to start it. I found that it is better to set up the tunnel device, assign IP, routes and PF settings the usual way as for any other interface, then start OpenVPN in /etc/rc.local. Of course, then no IP or route settings in the OpenVPN config. Start/stop of OpenVPN then behaves the same way as plugging/unplugging a cable to a net device. Best setup for permanent VPNs; LAN bridges over VPN also work well this way.

For 'roadwarrior' VPNs it is better to write your own simple up/down scripts to create the tun device and set up IPs/routes than to mix it with the OpenBSD netstart script and the semi-universal ifconfig abilities of OpenVPN.

I.

On Wed, 2011-02-02 at 11:17 -0500, Emile Sanders wrote:
> Has anyone ever gotten OpenVPN to run as a client successfully with a VPN
> subscription? OpenBSD seems to be the only OS I can't get OpenVPN up
> successfully on for some reason, and I'd like to make it work. So I've
> confirmed it's not a server-side issue as I've tested it on other operating
> systems as well as other people who are currently using the VPN service
> without a problem (except none of them are on OpenBSD).
>
> The issue is that when I connect with OpenVPN, it's apparently "connected",
> but I can't seem to ping the gateway, any websites such as Google, nor use
> any internet-relying services such as browsing to a website or going on IRC.
>
> I am running OpenBSD 4.8 release, with almost a default install. I've just
> got openvpn, scrotwm, firefox, and p7zip pkg_added on top of the
> barebones/fresh install.
>
> Here are some logs/configs:
>
> /etc/hostname.tun0
> $ cat /etc/hostname.tun0
> up
> !/usr/local/sbin/openvpn --daemon --config /etc/openvpn/client.ovpn
>
> /* I'd like to mention here that even after rebooting, the tun0 interface
> does NOT come up. An ifconfig shows that it is still down, and OpenVPN is
> not started up at boottime. I have no idea why /etc/hostname.tun0 isn't
> being read. */
>
> OpenVPN client config:
> $ cat /etc/client.ovpn
> # VPN config
> ns-cert-type server
> tls-client
> pull
> verb 3
> tls-timeout 6
> cipher BF-CBC
> keysize 256
> pkcs12 cert.dat
> keepalive 30 120
> hand-window 120
> route-delay 2
> persist-tun
> persist-key
> redirect-gateway def1
> remote-random
> route-metric 2
> route-method exe
> dev tun0
> topology subnet
>
> proto tcp-client
> remote [vpn url] 11000
> remote [vpn ip] 11000
> connect-retry 10
>
>
> proto udp
> remote [vpn url] 11000
> remote [vpn ip] 11000
>
>
> /* The square brackets contain the URL and IP address of the VPN service I
> connect to. I filtered them out as to not spam/advertise their service. */
>
> OpenVPN connection log:
>
> $ sudo openvpn --config /etc/openvpn/client.ovpn
> Wed Feb 2 10:19:53 2011 OpenVPN 2.1.0 i386-unknown-openbsd4.8 [SSL] [LZO2]
> built on Aug 10 2010
> Wed Feb 2 10:19:53 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or
> higher to call user-defined scripts or executables
> Wed Feb 2 10:19:53 2011 WARNING: file 'cert.dat' is group or others
> accessible
> Wed Feb 2 10:19:53 2011 Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0
> ET:0 EL:0 ]
> Wed Feb 2 10:19:53 2011 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4
> ET:0 EL:0 ]
> Wed Feb 2 10:19:53 2011 Local Options hash (VER=V4): '91138c76'
> Wed Feb 2 10:19:53 2011 Expected Remote Options hash (VER=V4): 'f5a300ca'
> Wed Feb 2 10:19:53 2011 Socket Buffers: R=[41600->65536] S=[9216->65536]
> Wed Feb 2 10:19:53 2011 UDPv4 link local (bound): [undef]:1194
> Wed Feb 2 10:19:53 2011 UDPv4 link remote: [vpn ip]:11000
> Wed Feb 2 10:19:53 2011 TLS: Initial packet from [vpn ip]:11000,
> sid=a16fdfdd b22d9c39
> Wed Feb 2 10:19:54 2011 VERIFY OK: depth=1, /C=US/ST=NY/L=New_York/O=
> example.com/CN=example.com_CA/emailAddress=ad...@example.com
> Wed Feb 2 10:19:54 2011 VERIFY OK: nsCertType=SERVER
> Wed Feb 2 10:19:54 2011 VERIFY OK: depth=0, /C=US/ST=NY/L=New_York/O=
> example.com/CN=server/emailAddress=ad...@example.com
> Wed Feb 2 10:20:02 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized
> with 256 bit key
> Wed Feb 2 10:20:02 2011 Data Channel Encrypt: Using 160 bit message hash
> 'SHA1' for HMAC authentication
> Wed Feb 2 10:20:02 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized
> with 256 bit key
> Wed Feb 2 10:20:02 2011 Data Channel Decrypt: Using 160 bit message hash
> 'SHA1' for HMAC authentication
> Wed Feb 2 10:20:02 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3
> DHE-RSA-AES256-SHA, 2048 bit RSA
> Wed Feb 2 10:20:02 2011 [server] Peer Connection Initiated with [vpn
> ip]:11000
> Wed Feb 2 10:20:04 2011 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
> Wed Feb 2 10:20:04 2011 PUSH: Received control message: 'PUSH_REPLY,route
> 10.100.2.0 255.255.255.0,redirect-gateway,dhcp-option DNS
> 10.100.2.1,route-ga
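
The check below is an added example, not part of the original thread and not OpenVPN's own tooling: it reports whether a client's default route is redirected by the local config (`redirect-gateway`) or by a server `PUSH_REPLY` that the client accepts through `pull`. The sample config and log line are constructed, modelled on the ones quoted above, and all function names are hypothetical.

```sh
#!/bin/sh
# Added example: find what redirects an OpenVPN client's default route.
# Function names are hypothetical; the sample inputs are constructed.

sample_config() {   # constructed, modelled on the quoted client.ovpn
    cat <<'EOF'
tls-client
pull
persist-tun
redirect-gateway def1
dev tun0
topology subnet
EOF
}

sample_log() {      # constructed, in the quoted PUSH_REPLY format
    cat <<'EOF'
Wed Feb 2 10:20:04 2011 PUSH: Received control message: 'PUSH_REPLY,route 10.100.2.0 255.255.255.0,redirect-gateway,dhcp-option DNS 10.100.2.1'
EOF
}

# stdin: client config. Prints yes if it sets redirect-gateway itself.
config_redirect() {
    awk '$1 == "redirect-gateway" { f = 1 } END { print (f ? "yes" : "no") }'
}

# stdin: client config. Prints yes if pushed route options are accepted
# ("pull" or "client" present and "route-nopull" absent).
config_pulls() {
    awk '$1 == "pull" || $1 == "client" { p = 1 }
         $1 == "route-nopull" { n = 1 }
         END { print ((p && !n) ? "yes" : "no") }'
}

# stdin: client log. Prints yes if a PUSH_REPLY carried redirect-gateway.
log_pushed_redirect() {
    sed -n "s/.*'PUSH_REPLY,\(.*\)'.*/\1/p" | tr ',' '\n' |
        awk '$1 == "redirect-gateway" { f = 1 } END { print (f ? "yes" : "no") }'
}

# stdin: client config. Comments out any local redirect-gateway line.
strip_config_redirect() {
    awk '$1 == "redirect-gateway" { print "# " $0; next } { print }'
}

# args: LOCAL PULLS PUSHED (each yes/no). Prints the source of the redirect.
redirect_source() {
    if [ "$1" = yes ]; then echo "local config"
    elif [ "$2" = yes ] && [ "$3" = yes ]; then echo "server push"
    else echo "none"; fi
}

echo "as quoted: $(redirect_source "$(sample_config | config_redirect)" "$(sample_config | config_pulls)" "$(sample_log | log_pushed_redirect)")"
```

When the result is "server push", commenting out the local line leaves the redirect in place; `route-nopull` is the client-side option that makes OpenVPN ignore pushed routes.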