Friday, May 2, 2008

OpenBSD 4.3 Release

So what's new in OpenBSD 4.3?
  • New/extended platforms:
    • OpenBSD/sparc64.
      SMP support. This should work on all supported systems, with the exception of the Sun Enterprise 10000.
    • OpenBSD/hppa.
      K-class servers like the K200 and K410 are supported now.
    • OpenBSD/mvme88k
      SMP support on MVME188 and MVME188A systems.
      88110 processor, and thus MVME197LE/SP/DP boards, are supported now.
    • OpenBSD/sgi.
      Contains many new drivers, however the kernel requires an important
      errata fix.

  • Improved hardware support, including:
    • The bge(4) driver now supports BCM5906/BCM5906M 10/100 and BCM5755
      10/100/Gigabit Ethernet devices.
    • The cas(4) driver now supports Cassini+ 10/100/Gigabit Ethernet devices.
    • The em(4) driver now supports ICH9 10/100 and 10/100/Gigabit Ethernet devices.
    • The gem(4) driver now supports the onboard 1000base-SX interface on the Sun Fire V880 server.
    • The ixgb(4) driver now supports the Sun 10Gb PCI-X Ethernet devices.
    • The msk(4) driver now supports Yukon FE+ 10/100 and Yukon Supreme 10/100/Gigabit Ethernet devices.
    • The nfe(4) driver now supports MCP73, MCP77 and MCP79 10/100/Gigabit Ethernet devices.
    • The ral(4) driver now supports RT2800 based wireless network devices.
    • The cmpci(4) driver now supports CMI8768 based audio adapters.
    • The it(4) driver now supports ITE IT8705F/8712F/8716F/8718F/8726F and SiS SiS950 ICs. Watchdog timer functionality added.
    • The mfi(4) driver now supports Dell CERC6/PERC6 and LSI SAS1078 RAID controllers.
    • The viapm(4) driver now supports the VIA VT8237S south bridges SMBus
      controller.
    • Support for hotplugging ExpressCard devices has been added.
    • New amdpcib(4) driver for the AMD-8111 series LPC bridge and timecounter on amd64.
    • New pctr(4) driver for the CPU performance counters on amd64.
    • New bwi(4) driver for the Broadcom AirForce IEEE 802.11b/g wireless network device.
    • New envy(4) driver for the VIA Envy24 audio device.
    • New et(4) driver for the Agere/LSI ET1310 10/100/Gigabit Ethernet device.
    • New etphy(4) driver for the Agere/LSI ET1011 TruePHY Gigabit Ethernet PHY.
    • New amdpcib(4) driver for the AMD-8111 series LPC bridge and timecounter on i386.
    • New glxpcib(4) driver for the AMD CS5536 PCI-ISA bridge with timecounter, watchdog timer, and GPIO on i386.
    • New iwn(4) driver for the Intel Wireless WiFi Link 4965AGN IEEE 802.11a/b/g/Draft-N wireless network device.
    • New msts(4) line discipline to interface Meinberg Standard Time String devices and to provide a timedelta sensor.
    • New gbe(4) driver for the SGI Graphics Back End (GBE) Frame Buffer on sgi.
    • New mkbc(4) driver for the Moosehead PS/2 Controller on sgi.
    • New power(4) driver for the power button on sgi.
    • New ecadc(4) driver for the Environmental Monitoring Subsystem temperature sensor on sparc64.
    • New tda(4) driver for the fan controller on the Sun Blade 1000/2000, making these machines much less noisy.
    • New spdmem(4) driver retrieves information about memory modules.
    • New thmc(4) driver for the TI THMC50, Analog ADM1022/1028 temperature sensor.
    • New uchcom(4) driver for the WinChipHead CH341/340 based USB serial adapter.
    • New umbg(4) driver for the Meinberg Funkuhren USB5131 radio clock to provide a timedelta sensor.
    • New upgt(4) driver for the Conexant/Intersil PrismGT SoftMAC USB IEEE 802.11b/g wireless network device.
    • New wbng(4) driver for the Winbond W83793G temperature, voltage, and fan sensor.
    • New wbsio(4) driver for the Winbond LPC Super I/O ICs.
    • New adl(4) driver for the Andigilog aSC7621 temperature, voltage, and fan sensor.
    • The siop(4) driver now supports the (non-PCI) NCR 53c720/770 in big-endian mode.
    • New lmn(4) driver for the National Semiconductor LM93 sensor.

  • New tools:
    • snmpd(8), implementing the Simple Network Management Protocol.
    • The snmpctl(8) program controls the SNMP daemon.
    • The pcidump(8) utility displays the device address, vendor, and product name of PCI devices.
    • ldattach(8) is used to attach a line discipline to a serial line to
      allow for in-kernel processing of the received and/or sent data.

  • New functionality:
    • eeprom(8) is now able to display the OpenPROM device tree on systems that have it.
    • Support for X11 on sgi has been added.
    • The periodic security(8) reports now include package changes.
    • The cmpci(4) driver now supports multichannel audio playback if the hardware supports it.
    • The auvia(4) driver now supports multichannel audio playback if the hardware supports it.
    • The auich(4) driver now supports recording from the microphone as well as full-duplex mode.
    • The eso(4) driver now supports recording as well as full-duplex mode.
    • The ffs layer is now 64-bit disk block address clean. This means that disks, partitions and filesystems larger than 2TB are now supported, with the exception of statfs(2) and quotas.
    • DMA is now enabled for 1-sector devices such as flash drives, providing significant speed improvement.
    • Sparc and Sparc64 disklabels now provide automatic recognition of ext2fs partitions.
    • Filesystems on USB devices are automatically dismounted if the device is disconnected.
    • The configuration of carp(4) load balancing has been vastly simplified.
    • fstab(5) entries referring to non-existent mount points are now ignored, allowing subsequent entries to be processed.
    • Additional configuration files can now be included in pf.conf(5).
    • sppp(4) now has IPv6 support.
    • ipsec.conf(5) now supports defining 192 and 256 bit keysizes for AES.

  • Assorted improvements and code cleanup:
    • Improved support for an lkm(4) subsystem on amd64.
    • ossaudio(3) received several bug fixes and enhancements including but not limited to improved recording and full-duplex support.
    • audio(4) received several bug fixes and enhancements including but not limited to improved recording and full-duplex support.
    • make(1) was heavily modified, mostly to improve support for parallel build. Parallel builds now run commands in the same way the sequential builds do, and the output from commands is more readable. A large part of the source tree, xenocara, and quite a few ports now build correctly with make -j.
    • rcs tools improvements and bug fixes.
    • RTM_VERSION was increased so that all routing messages could be modified to include additional fields for upcoming networking features.
    • sendbug(1) has stricter comment parsing, to avoid mangling diffs.
    • umass(4) devices no longer detect bogus LUNs.
    • USB st(4) devices can now successfully disconnect.
    • More deviant umass devices accommodated.
    • svnd(4) devices now work on block devices.
    • disklabel(8) is now aware of NTFS partitions.
    • raidctl(8) now correctly handles trailing whitespace in configuration files.
    • mt(4) no longer triggers panics when processing the 'rewoffl' command.
    • raid(4) devices no longer hang when searching for components during boot.
    • sd(4) devices no longer receive spurious SYNCHRONIZE CACHE commands that confuse some hardware.
    • sd(4) no longer claims that SYNCHRONIZE CACHE commands are 16 bytes long when they are actually 10 bytes. Some devices took this too literally.
    • dhcpd(8) now always issues packets equal or larger than the minimum IP MTU.
    • disklabel(8) -E mode does not allow manual editing of the 'c' partition, which is always set to cover the entire disk.
    • disklabel(8) -E mode does not allow changing the cpg value of a partition.
    • disklabel(8) -E mode no longer permits assigning arbitrary sizes to FS_BOOT and FS_UNUSED partitions.
    • The bge(4) driver problems receiving jumbo frames have been resolved.
    • Many dangerous unsigned comparisons with -1 when checking the results of read and write calls have been eliminated.
    • The new M_ZERO flag for malloc(9) replaces many malloc+bzero/memset combinations, fixing a number of bugs in memory initialization and shrinking the kernel.
    • dhcpd(8) now correctly constructs response packets that use the overflow buffers to store options.
    • SCSI drivers are more reliable in MP machines due to better locking around command completion.
    • TCP responses to highly fragmented packets are now constructed without risking corruption of kernel memory.
    • Sockets now allow 4095 multicast group memberships.

  • Install/Upgrade process changes:
    • All platforms now have serial console support when installing.
    • Serial console speed is detected and appropriate /etc/ttys entries automatically created.
    • OpenBSD/vax now also has both kinds of install ISO CD images.
    • DNS server addresses are remembered if an install is restarted.
    • OpenBSD/sgi can now be installed using the glass console.

  • OpenBGPD 4.3:
    • Correctly handle prefixes which would cause a routing loop.
    • bgpctl's detailed RIB output shows additional attributes like extended communities or the cluster id list.

  • OpenNTPD 4.3:
    • Handle IP changes of clients more gracefully.
    • Log peer and sensor status to syslog if the majority of either is bad, or if a SIGINFO signal is received.
    • Allow offsetting of time sensors that have a systematic error.

  • OpenOSPFD 4.3:
    • Equal cost multipath support -- don't forget to set the right sysctls.
    • Parser and commandline options are now in sync with bgpd.

  • relayd 4.3:
    • hoststated(8)/hoststatectl(8) were renamed to relayd(8)/relayctl(8).
    • Improved configuration grammar for relayd.conf(5).
    • Allow sending SNMP traps via snmpd(8) when host states change.
    • Improved support for URL filtering and protocol actions.
    • Added support for UDP-based DNS relaying with request ID randomisation.
    • Various bug fixes, optimisations, and cleanups.
    • Improved reload support.

  • OpenSSH 4.8:
    • Added chroot(2) support for sshd(8), controlled by a new option "ChrootDirectory". Please refer to sshd_config(5) for details, and please use this feature carefully.
    • Linked sftp-server(8) into sshd(8). The internal sftp server is used when the command "internal-sftp" is specified in a Subsystem or ForceCommand declaration. When used with ChrootDirectory, the internal sftp server requires no special configuration of files inside the chroot environment. Please refer to sshd_config(5) for more information.
    • Added a protocol extension method "posix-rename@openssh.com" for sftp-server(8) to perform POSIX atomic rename() operations.
    • Removed the fixed limit of 100 file handles in sftp-server(8). The server will now dynamically allocate handles up to the number of available file descriptors.
    • ssh(1) will now skip generation of SSH protocol 1 ephemeral server keys when
      in inetd mode and protocol 2 connections are negotiated. This speeds up protocol 2 connections to inetd-mode servers that also allow Protocol 1.
    • Accept the PermitRootLogin directive in a sshd_config(5) Match block. Allows for, e.g. permitting root only from the local network.
    • Reworked sftp(1) argument splitting and escaping to be more internally consistent (i.e. between sftp commands) and more consistent with sh(1). Please note that this will change the interpretation of some quoted strings, especially those with embedded backslash escape sequences.
    • Support "Banner=none" in sshd_config(5) to disable sending of a pre-login banner (e.g. in a Match block).
    • ssh(1) ProxyCommands are now executed with $SHELL rather than /bin/sh.
    • ssh(1)'s ConnectTimeout option is now applied to both the TCP connection and the SSH banner exchange (previously it just covered the TCP connection). This allows callers of ssh(1) to better detect and deal with stuck servers that accept a TCP connection but don't progress the protocol, and also makes ConnectTimeout useful for connections via a ProxyCommand.
    • Many new regression tests, including interop tests against PuTTY's plink.
    • Fixed a bug where SSH2_MSG_UNIMPLEMENTED packets did not correctly reset the client keepalive logic, causing disconnections on servers that did not explicitly implement "keepalive@openssh.com".
    • ssh(1) used the obsolete SIG DNS RRtype for host keys in DNS, instead of the current standard RRSIG.
    • Correctly drain ACKs when a sftp(1) upload write fails midway, avoids a fatal(1) exit from what should be a recoverable condition.
    • Fixed packet size advertisements. Previously TCP and agent forwarding incorrectly advertised the channel window size as the packet size, causing fatal errors under some conditions.
    • Many more bugfixes. Please refer to the Release Notes.

  • Over 4,500 ports, minor robustness improvements in package tools:
    • i386: 4782 sparc64: 4613 alpha: 4233 sh: 2046
    • amd64: 4708 powerpc: 4634 sparc: 3159 m68k: 830
    • arm: 3377 hppa: 3971 m88k: 27 mips64: 1897
    • vax: 296
    • Highlights include:
      • Gnome 2.18.
      • GNUstep 1.14.
      • KDE 3.5.7 and koffice 1.6.3.
      • Xfce 4.4.1.
      • OpenMotif 2.3.0.
      • OpenOffice.org 2.2.1.
      • Mozilla Firefox 2.0.0.6.
      • PostgreSQL 8.2.6.
      • GHC 6.6.1 (amd64 and i386 only)
  • As usual, steady improvements in manual pages and other documentation.

  • The system includes the following major components from outside suppliers:
    • Xenocara (based on X.Org 7.2 + patches, freetype 2.2.1, fontconfig 2.4.2, expat 2.0.0, Mesa 6.5.2, xterm 225 and more)
    • Gcc 2.95.3 (+ patches) and 3.3.5 (+ patches)
    • Perl 5.8.8 (+ patches)
    • Our improved and secured version of Apache 1.3, with SSL/TLS and DSO support
    • OpenSSL 0.9.7j (+ patches)
    • Groff 1.15
    • Sendmail 8.14.1, with libmilter
    • Bind 9.3.4 (+ patches)
    • Lynx 2.8.5rel.4 with HTTPS and IPv6 support (+ patches)
    • Sudo 1.6.9p4
    • Ncurses 5.2
    • Latest KAME IPv6
    • Heimdal 0.7.2 (+ patches)
    • Arla 0.35.7
    • Binutils 2.15 (+ patches)
    • Gdb 6.3 (+ patches)

If you'd like to see a list of what has changed between OpenBSD 4.2 and 4.3, look at http://www.OpenBSD.org/plus43.html

Thank you to all of the developers who make OpenBSD possible. Please be sure to make a donation to continue to make OpenBSD releases possible.


Thursday, April 24, 2008

Install Squid + transparent on OpenBSD 4.2

I finally finished installing a transparent proxy on OpenBSD. It is really the same as when I tried installing it on Linux, only the package is a little different and has to be matched to what you need. For example, this time it is a transparent proxy, so we have to grab the package that supports transparent mode; otherwise we would have to recompile.

OK, let's start the installation process. First we can take the package from ports or straight from source. Here I use squid for the proxy, and don't forget to take the one with transparent support (squid-2.6.STABLE13-transparent.tgz).

$ cd /usr/ports/
$ sudo pkg_add squid-2.6.STABLE13-transparent.tgz

I use sudo so that I don't get into the habit of using the root user, provided our user's privileges have been set in /etc/sudoers.
Then edit the file /etc/squid/squid.conf; before editing, be sure to copy the original file.

$ cd /etc/squid/
$ cp squid.conf squid.conf.ori

After that, edit squid.conf:

$ sudo vi squid.conf

http_port 127.0.0.1:3128 transparent
icp_port 3120

cache_effective_user _squid
cache_effective_group _squid

visible_hostname xxx.ciputra.ac.id

cache_mgr xxx@ciputra.ac.id

cache_store_log none
shutdown_lifetime 3 second

acl localnet src 0.0.0.0/0
acl ict src 10.2.4.0/24
acl localhost src 127.0.0.1/255.255.255.255
forwarded_for off
via off
uri_whitespace strip

cache_mem 64 MB
maximum_object_size 4196 KB
minimum_object_size 0 KB
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
offline_mode off
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /var/squid/cache 10240 128 256
access_log /var/squid/logs/access.log squid

The rest of the configuration can be added as needed.

Once squid.conf is done, first run "squid -z" to initialize the swap directories, and only after that run the squid command normally.

$ sudo squid -z

$ sudo squid

Then let's look at the process to see whether it is running or there is a problem.

$ ps aux |grep squid
root 18168 0.0 0.2 1260 932 ?? Is 10:25PM 0:00.06 /usr/local/sbin/squid
_squid 8966 0.0 1.3 4552 6768 ?? S 10:25PM 0:02.09 (squid) (squid)
_squid 21712 0.0 0.1 400 492 ?? Is 10:25PM 0:00.11 (unlinkd) (unlinkd)

That's it for the proxy. The next step is adding to pf.conf. If the proxy is also the router and firewall, the addition looks like this:

# $Internal_Int:network matches the hosts behind the internal interface;
# $Internal_Int alone would only match the interface's own address
rdr pass on $Internal_Int proto tcp from $Internal_Int:network to any port 80 -> 127.0.0.1 port 3128

If the proxy is a separate device, then what has to be done is this:

rdr pass on $Internal_Int proto tcp from $Internal_Int:network to any port 80 -> (IP Address proxy) port 3128

Well, that's done. If there are still errors, take another look.
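To tie the steps above together, here is an added pre-flight script (my own example, not code from the original post) that checks a squid.conf for the points that matter in this setup and prints the matching pf rdr rule. The sample squid.conf inside it is constructed from the lines above; the interface name sis0 and the proxy address are assumptions. The listen-versus-target check covers the caveat for the separate-device case: a Squid bound to 127.0.0.1 can only be reached by a rule that points at 127.0.0.1, so a proxy on its own box has to listen on its LAN address.

```shell
#!/bin/sh
# Added example, not code from the original post: pre-flight checks for the
# transparent-proxy setup above. The sample squid.conf is constructed from the
# post's lines; the interface name and proxy address are assumptions.

# 0 if an http_port line carries the "transparent" keyword (required for the
# rdr-based setup), else 1.
has_transparent_port() {
    grep -Eq '^[[:space:]]*http_port[[:space:]].*[[:space:]]transparent([[:space:]]|$)' "$1"
}

# Print the address Squid binds to (second field of the first http_port line).
listen_address() {
    awk '/^[[:space:]]*http_port[[:space:]]/ { print $2; exit }' "$1"
}

# Count "src" ACLs that match every address (0.0.0.0/0). Such an ACL is only
# harmless while it never appears in an http_access allow rule.
count_open_src_acls() {
    grep -Ec '^[[:space:]]*acl[[:space:]]+[^[:space:]]+[[:space:]]+src[[:space:]]+0\.0\.0\.0/0' "$1" || true
}

# pf.conf rdr rule: IF is the internal interface, TARGET is 127.0.0.1 when
# Squid runs on the router itself or the proxy's LAN address otherwise.
# IF:network matches the hosts behind the interface, not the interface's own IP.
rdr_rule() {
    printf 'rdr pass on %s proto tcp from %s:network to any port 80 -> %s port 3128\n' "$1" "$1" "$2"
}

# 0 when the rdr target can reach the bind address, 1 when Squid listens only
# on loopback but the rule points at another host (the separate-device case).
listen_matches_target() {
    listen_host=${1%:*}
    case "$listen_host" in
        127.0.0.1) [ "$2" = "127.0.0.1" ] ;;
        *) true ;;
    esac
}

# Constructed sample config, mirroring the post.
write_sample_conf() {
    cat > "$1" <<'EOF'
http_port 127.0.0.1:3128 transparent
icp_port 3120
cache_effective_user _squid
cache_effective_group _squid
acl localnet src 0.0.0.0/0
acl ict src 10.2.4.0/24
acl localhost src 127.0.0.1/255.255.255.255
EOF
}

SAMPLE_CONF=$(mktemp)
write_sample_conf "$SAMPLE_CONF"
if has_transparent_port "$SAMPLE_CONF"; then
    echo "http_port: transparent mode enabled"
else
    echo "http_port: 'transparent' keyword missing" >&2
fi
echo "wide-open src ACLs: $(count_open_src_acls "$SAMPLE_CONF")"
LISTEN=$(listen_address "$SAMPLE_CONF")
echo "squid listens on: $LISTEN"
# Assumed internal interface sis0, proxy on the router itself.
if listen_matches_target "$LISTEN" 127.0.0.1; then
    rdr_rule sis0 127.0.0.1
fi
rm -f "$SAMPLE_CONF"
```

Run it with sh; it prints the findings and the rule to paste into pf.conf. Point the functions at the real /etc/squid/squid.conf to check a live configuration.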

Thursday, March 20, 2008

Upgrade Wars: Attack of the Clones. Foo!!

An interesting article on undeadly about the procedure for making a backup disk (cloning) before upgrading our production machine. Do any other colleagues have tips and tricks for a backup solution?


At each new release, some sysadmins seem to get a bit skittish about upgrading critical production machines. In some environments, you have to be 100% sure you won't break something or at the very least be sure to have a fall-back plan should everything go pear-shaped. While you may have a patching policy in place, upgrading the entire OS in one fell swoop can be risky business if you are not completely prepared. Too much apprehension, and you don't get to take advantage of 'the new hotness' features and possibly result in running releases with either known issues or security problems.

There is a solution however, even on a tight budget. That solution (as the title suggests) is disk cloning. If you tried this before you may be saying, "Ghost is crap: it doesn't like *BSD disks" or "must be nice to have exact duplicate disks lying around."

Those approaches are good but we can do better.

Wednesday, March 19, 2008

Fun, Formatstrings and OpenBSD

Error

sid file not found

Request: action=article&sid=20080319153224
Address: beef:beef:dead:beef
User agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12
Referer: http://id.infobsd.org/
Time: Thu, 20 Mar 2008 06:50:55 GMT

If you believe this is a bug in this server, please send reports with instructions about how to reproduce to daniel@benzedrine.cx

Hmm, an error... after opening the undeadly.org website it turns out this page really doesn't exist, yet it does show up in the RSS feed.

Monday, March 17, 2008

What’s coming in pfSense 1.3

We plan to release pfSense 1.3 based on FreeBSD 7.0. The first publicly available release will come within the next month.

This release already contains some significant new features. Among them:

  • Traffic shaper completely rewritten - now supports any number of internal interfaces and multiple WAN interfaces. This work is 99% finished and is working exceptionally well in our testing. Thanks to Ermal Luçi for doing the work, and the numerous people who contributed to the bounty to make this happen!
  • User manager - multiple administrative users can be created, with varying levels of access. Access groups can be defined to easily grant identical access rights to multiple users. Rights can be defined individually for each page in the web interface.
  • LDAP authentication - LDAP is integrated into the user manager so pfSense can authenticate from any LDAP server. Microsoft Active Directory and Novell eDir have been thoroughly tested, though any LDAP server should work. You can even define groups in your directory and assign rights in pfSense to those groups.
  • Significant OpenVPN improvements - these are still a work in progress, more info to come.
  • Routing improvements - still a work in progress as well, but will allow more flexible routing capabilities.


It seems that those running pfSense 1.2 won't be able to upgrade directly to this version.

Saturday, March 15, 2008

4.3 Pre-release tests & OpenBSD 4.3 Pre-Orders Online!

Come on, everyone, let's test: OpenBSD 4.3 will be released shortly. Those of you with a PC or laptop who can contribute some spare time, please test OpenBSD 4.3-beta.

And those of you who have the money, please buy OpenBSD 4.3 online; count it as a donation to the OpenBSD team for developing their project.

Date: Tue, 04 Mar 2008 19:38:34 -0700
From: Theo de Raadt
Subject: Pre-release tests
To: misc@openbsd.org


Right about now is a great time for our user community to jump in and
do some install and upgrade tests.

The 4.3 release cycle is fully in swing, and I hope that I can get it
over with soon so that the developers can start work on the bug fixes
and new work that can't make it into 4.3.

Here's a list of the things that need testing. I hope that to most
people this list is rather self explanatory; if in doubt just think
what a particular test might mean, grab a snapshot for some
architecture, and take a shot at testing the ones that you can!

Our developers work from a list similar to this, but this time I am
asking that our user community jump in and help as much as they can,
too. I'm hoping to expose the testing mentality a bit.. so that more
people help.

I must note something of importance in this list. Some things are
easy to test, because well... everyone has a PC. Well, the problem is
that the bugs we look for in the last bit of a release cycle are more
likely to be in vax net booting, or sun4c having a problem, or a
particular alpha bug... I mention this hoping that some of you see
that there must be a balance of some sort. We want all of our
architectures to shine. When everything is great on the little old
architectures, then the common ones will be great too.

As always, if you find a problem, please file a high quality Problem
Report (if you have the strength, check the PR database first to see
if similar PRs are not yet closed). You can use the command
sendbug(1) to send a PR...

If you are able to, please submit a dmesglog of the running machine to
dmesg@openbsd.org -- with the Subject: set to the type of your machine
(ie. SunFire V215, or IBM eServer 325 or such) -- and PLEASE avoid the
use of MIME, but instead send your messages without any special
encoding since it lets our developers grep easily through the logs
looking for specific machines when they are fixing bugs. Recently, I
have had to start deleting the MIME submissions with the SPAM.

Of course, little that you report will be fixed in the release, but if
we run into any show stoppers.. it is best that we know now.

Please also note something else of importance. Since we are close to
a release, the snapshots are in a constant state of flux -- as we make
changes new ones are being put onto the FTP mirrors very quickly.
Please make sure that the files you download have correct MD5
checksums, and please include the timestamps of the files in your bug
reports.

Thanks.

i386
cd43
cdemu43
install43
bsd.rd
floppyA
floppyB
floppyC
pxeboot
install
upgrade
bsd.mp on MP
real CD
X11R6
All the packages

amd64
cd43
install43
floppy
pxeboot
bsd.rd
install
upgrade
bsd.mp
X11R6
All the packages

macppc
cd43
install43
bsd.rd hfs
bsd.rd ffs
install
upgrade
X11R6
All the packages

sparc64
cd43
install43
netboot
miniroot
bsd.rd
bsd.mp
floppy
install
upgrade
X11R6
All the packages

alpha
cd43
install43
netboot
bsd.rd
floppy
floppyB
install
upgrade
X11R6
All the packages

zaurus
ipkg
bsd.rd ffs
bsd.rd ext2fs
install
upgrade
X11R6
All the packages

sparc
floppy
tape
cd43
install43
netboot
miniroot
bsd.rd
install
upgrade
X11R6
All the packages
Make sure sun4c and sun4 work

sgi
cd43
netboot(tftp)
bsd.rd
install
upgrade
X11R6
All the packages

landisk
bsd.rd
miniroot
install
upgrade
X11R6
All the packages

armish
bsd.rd
install
upgrade
X11R6
All the packages

mac68k
bsd.rd
install
upgrade
X11R6
All the packages

hp300
bsd.rd
bsd.rd on cd
netboot
install
upgrade
X11R6
All the packages

mvme68k
bsd.rd
netboot
s-records
install
upgrade
X11R6 (no srv)
All the packages

mvme88k
bsd.rd
tftpboot
netboot
install
upgrade
X11R6 (no server)
All the packages

hppa
cd43
install43
bsd.rd
lif
netboot
tape
install
upgrade
X11R6 (no server)
All the packages

vax
cd43
install43
floppy/simh
mop
tape
bsd.rd
install
upgrade
X11R6
All the packages

Overload File Descriptor SQUID - OpenBSD 4.2

2008/03/12 10:57:47| sslWriteServer: FD 101: write failure: (32) Broken pipe.
2008/03/12 10:57:49| sslWriteServer: FD 57: write failure: (32) Broken pipe.
2008/03/12 10:57:49| sslWriteServer: FD 187: write failure: (32) Broken pipe.
2008/03/12 10:58:19| sslWriteServer: FD 100: write failure: (32) Broken pipe.
2008/03/12 11:01:01| httpReadReply: Excess data from "GET http://webcsp.msg.yahoo.com/crossdomain.xml"
2008/03/12 11:04:05| WARNING: All url_rewriter processes are busy.
2008/03/12 11:04:05| WARNING: up to 9 pending requests queued
2008/03/12 11:04:11| sslWriteServer: FD 235: write failure: (32) Broken pipe.
2008/03/12 11:04:37| Reconfiguring Squid Cache (version 2.6.STABLE13)...
2008/03/12 11:04:37| FD 24 Closing HTTP connection
2008/03/12 11:04:37| FD 26 Closing ICP connection
2008/03/12 11:04:37| FD 30 Closing SNMP socket

I use OpenBSD 4.2 as a squid proxy. When many clients use SSL, this kind of thing happens: SSL connections stall for a very long time and sometimes even error out.

How to deal with it:
1. First test: recompile squid with a larger FD limit
  • echo "kern.maxfiles=8192" >> /etc/sysctl.conf && sysctl -w kern.maxfiles=8192
  • Edit /usr/ports/www/squid/Makefile
    CONFIGURE_ARGS+=--datadir="${PREFIX}/share/squid" \
    --enable-auth="basic digest" \
    --enable-arp-acl \
    --enable-basic-auth-helpers="NCSA YP LDAP" \
    --enable-digest-auth-helpers="password ldap" \
    --enable-external-acl-helpers="ip_user unix_group ldap_group" \
    --enable-removal-policies="lru heap" \
    --enable-delay-pools \
    --enable-ssl \
    --enable-poll \
    --enable-htcp \
    --enable-underscores \
    --enable-referer-log \
    --enable-carp \
    --enable-useragent-log \
    --enable-large-files \
    --enable-cache-digests \
    --enable-storeio="ufs diskd null" \
    --localstatedir="${SQUIDDIR}"
    Save /usr/ports/www/squid/Makefile and run:
    root@cache /usr/ports/www/squid # ulimit -n 8192
    root@cache /usr/ports/www/squid # env FLAVOR="snmp transparent" make

  • Oops, errors complaining about the LDAP library:
    edit
    {PATH_BUILD}/build-i386-transparent-snmp/helpers/basic_auth/LDAP/Makefile
    {PATH_BUILD}/build-i386-transparent-snmp/helpers/external_acl/ldap_group/Makefile
    add:
    DEFAULT_INCLUDES= (old-option) -I/usr/local/include
    LDADD = (old-option) -L/usr/local/lib/
    Save and run:
    root@cache /usr/ports/www/squid # env FLAVOR="snmp transparent" make
  • OK, now just wait and see how our squid performs
2. Modify /etc/login.conf && cap_mkdb /etc/login.conf && usermod -L squid _squid
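As an added example (not from the original post), the following script triages the cache.log excerpt above and prints the login.conf(5) class stanza that step 2 leaves unspecified. The log lines are a constructed copy of the excerpt; the class name squid, the openfiles-cur/openfiles-max values and inheritance from the default daemon class are assumptions. The kern.maxfiles check reflects why step 1 raises the sysctl first: a per-process limit above the system-wide ceiling buys nothing.

```shell
#!/bin/sh
# Added example, not code from the original post: triage the cache.log
# excerpt above and emit the login.conf(5) class that step 2 refers to.
# The log lines are a constructed copy of the excerpt; the class name and
# limits are assumptions for the demo.

# Number of "write failure" lines (upstream side dropping the connection).
count_write_failures() {
    grep -c 'write failure' "$1" || true
}

# Number of Squid WARNING lines (here: url_rewriter helpers saturated).
count_warnings() {
    grep -c '| WARNING:' "$1" || true
}

# Highest file-descriptor number mentioned in the log. A value close to the
# limit Squid was compiled with (configure takes it from ulimit -n, hence
# "ulimit -n 8192" before "make" in step 1) points at FD exhaustion.
max_fd_seen() {
    sed -n 's/.*FD \([0-9][0-9]*\).*/\1/p' "$1" | sort -n | tail -n 1
}

# 0 if a per-process limit LIMIT can actually be granted under the
# kern.maxfiles value KERN, else 1: raising login.conf alone is not enough
# when the system-wide ceiling is lower.
limit_fits_kern() {
    [ "$1" -le "$2" ]
}

# login.conf(5) class for the _squid user, to be installed with
# "cap_mkdb /etc/login.conf" and assigned with "usermod -L squid _squid".
# Class name and :tc=daemon: inheritance are assumptions.
login_conf_class() {
    printf 'squid:\\\n\t:openfiles-cur=%s:\\\n\t:openfiles-max=%s:\\\n\t:tc=daemon:\n' "$1" "$1"
}

# Constructed sample log, copied from the excerpt above.
write_sample_log() {
    cat > "$1" <<'EOF'
2008/03/12 10:57:47| sslWriteServer: FD 101: write failure: (32) Broken pipe.
2008/03/12 10:57:49| sslWriteServer: FD 57: write failure: (32) Broken pipe.
2008/03/12 10:57:49| sslWriteServer: FD 187: write failure: (32) Broken pipe.
2008/03/12 10:58:19| sslWriteServer: FD 100: write failure: (32) Broken pipe.
2008/03/12 11:01:01| httpReadReply: Excess data from "GET http://webcsp.msg.yahoo.com/crossdomain.xml"
2008/03/12 11:04:05| WARNING: All url_rewriter processes are busy.
2008/03/12 11:04:05| WARNING: up to 9 pending requests queued
2008/03/12 11:04:11| sslWriteServer: FD 235: write failure: (32) Broken pipe.
2008/03/12 11:04:37| Reconfiguring Squid Cache (version 2.6.STABLE13)...
2008/03/12 11:04:37| FD 24 Closing HTTP connection
EOF
}

SAMPLE_LOG=$(mktemp)
write_sample_log "$SAMPLE_LOG"
echo "write failures : $(count_write_failures "$SAMPLE_LOG")"
echo "warnings       : $(count_warnings "$SAMPLE_LOG")"
echo "highest FD seen: $(max_fd_seen "$SAMPLE_LOG")"
if limit_fits_kern 8192 8192; then
    echo "openfiles limit 8192 fits under kern.maxfiles=8192"
fi
login_conf_class 8192
rm -f "$SAMPLE_LOG"
```

Point the counting functions at /var/squid/logs/cache.log to run the same triage on a live box; the printed stanza goes into /etc/login.conf before cap_mkdb and usermod.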