
On Wed, 18 Apr 2012, Dave Oxley <dave@daveoxley.co.uk> wrote:
> I have a 7 year old dell server that is in need of replacement. Its uses among others are MythTV backend, Asterisk, Web server, email, IP routing, various Java web apps. I had spec'ed and almost bought a new Dell server but got really disenchanted with their crappy sales guys. They wouldn't remove the 500Gb hard disk that added $300 to the price

It appears that Dell makes the vast majority of their profit from disks, RAM, etc. The prices on Dell systems are quite low but the prices on parts (particularly disks) are unreasonably high.

> and suggested I go to ebay for additional hard disk caddies which apparently don't come with it. The plan was to add 4 Seagate SV35.5 3Tb drives which are about $300 ea and mdraid them.

http://etbe.coker.com.au/2012/04/17/zfs-btrfs-cheap-servers/

I have just blogged about similar issues at the above URL.

http://www.servertrays.com/category/823/Dell

Someone commented with the above URL. E30 per tray is fairly expensive, but a lot cheaper than the price difference between Dell disks and regular SATA disks. It should also be a lot easier than buying on eBay.

> I've since been looking into building my own server but I'm not sure what to do for a case. I'm after a case with 6+ hot-plug backplane, preferably redundant PSU and tool-less.

Why do you want a redundant PSU and hot-plug disks? If it's a home server then why not just take some downtime if a PSU fails and schedule downtime for disk replacement?

> So does anyone have any suggestions of where I go from here? I'm happy to buy a pre-built server but not happy about buying Dell anymore. I'm also happy to build my own.

http://www.graysonline.com/

Check out Grays, they have lots of refurbished and ex-demo servers from big name companies. I've bought a few HP servers from them and was pleased by the result.

> The budget is about $3000 and the specs I'm after are roughly:
> 1x 6 core Intel Xeon processor
> Motherboard with 2 processor sockets, 2+ Gigabit LAN, 6+ SATA
> 12+ GB of RAM, upgradable
> 6+ hot plug case with SATA backplane
> redundant PSU
> 9+ TB raid 5 Disk space

Why aren't you using BTRFS or ZFS?

As an aside, I'm trying to avoid upgrading some of my servers until I feel that BTRFS is ready to use on them. I'd rather implement a new filesystem and new disks at the same time. One of my servers has a RAID-1 array of 1TB disks and I'm planning to make it a BTRFS RAID-1 of 4TB disks some time after Wheezy is released.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

On 18/04/12 14:06, Russell Coker wrote:
> As an aside, I'm trying to avoid upgrading some of my servers until I feel that BTRFS is ready to use on them.

Current state of play is that 3.2.x seems like both the earliest and latest stable version of btrfs - there are regressions in 3.3.x which are not fixed yet (early ENOSPC issues). Certainly don't run anything earlier than 3.2 with btrfs as that can corrupt filesystems on power loss.

--
Chris Samuel : http://www.csamuel.org/ : Melbourne, VIC

On 18 April 2012 14:06, Russell Coker <russell@coker.com.au> wrote:
> On Wed, 18 Apr 2012, Dave Oxley <dave@daveoxley.co.uk> wrote:
>> I have a 7 year old dell server that is in need of replacement. Its uses among others are MythTV backend, Asterisk, Web server, email, IP routing, various Java web apps. I had spec'ed and almost bought a new Dell server but got really disenchanted with their crappy sales guys. They wouldn't remove the 500Gb hard disk that added $300 to the price
>
> It appears that Dell makes the vast majority of their profit from disks, RAM, etc. The prices on Dell systems are quite low but the prices on parts (particularly disks) are unreasonably high.

Dell are hopeless. Several years ago I purchased an R210, rack mount system, to fit into my smallish rack. I made sure the dimensions of the R210 fit into my rack (it is fine, with room to spare). However the rack mount kit doesn't fit - it is too deep (a lot deeper than the system in fact). I couldn't find any dimensions on Dell's website for the rack mount kit either, so I couldn't have known about this issue beforehand. I asked the sales person to see if there was anything better, and to contact me even if he couldn't find anything suitable. They never did contact me. I am happy with the R210, which I placed on a rack mount shelf (which fortunately got free due to delivery stuff up - that is another story). However I have this new condition Dell rack mount kit taking up space, and I don't know what to do with it.

--
Brian May <brian@microcomaustralia.com.au>

On 18/04/12 14:06, Russell Coker wrote:
> http://etbe.coker.com.au/2012/04/17/zfs-btrfs-cheap-servers/

Interesting read. It was actually the T410 that I had spec'ed from Dell.

> Why do you want a redundant PSU and hot-plug disks? If it's a home server then why not just take some downtime if a PSU fails and schedule downtime for disk replacement?

A few years ago, downtime of the server wouldn't have been an issue. These days the server is used for all phones, TV, Internet connection, Lighting control (CBus). We're in the bush without a decent computer store nearby so a failed PSU is likely 1-2 days downtime. Hot-plug disks are mainly a convenience. Not only from replacement of failed disks but also upgrading of each disk in the array with larger disks sometime in the future which would be a pain without hot-plug disks.

> http://www.graysonline.com/
> Check out Grays, they have lots of refurbished and ex-demo servers from big name companies. I've bought a few HP servers from them and was pleased by the result.

I'll check them out, thanks.

> Why aren't you using BTRFS or ZFS?
> As an aside, I'm trying to avoid upgrading some of my servers until I feel that BTRFS is ready to use on them. I'd rather implement a new filesystem and new disks at the same time. One of my servers has a RAID-1 array of 1TB disks and I'm planning to make it a BTRFS RAID-1 of 4TB disks some time after Wheezy is released.

I hadn't realised the functionality of these filesystems extended to raid. I'll have to investigate these further. However the lack of raid 5 or 6 would probably rule out BTRFS for me.
Cheers, Dave.

> On 18/04/12 14:06, Russell Coker wrote:
>> http://etbe.coker.com.au/2012/04/17/zfs-btrfs-cheap-servers/
>
> Interesting read. It was actually the T410 that I had spec'ed from Dell.
>
>> Why do you want a redundant PSU and hot-plug disks? If it's a home server then why not just take some downtime if a PSU fails and schedule downtime for disk replacement?
>
> A few years ago, downtime of the server wouldn't have been an issue. These days the server is used for all phones, TV, Internet connection, Lighting control (CBus). We're in the bush without a decent computer store nearby so a failed PSU is likely 1-2 days downtime. Hot-plug disks are mainly a convenience. Not only from replacement of failed disks but also upgrading of each disk in the array with larger disks sometime in the future which would be a pain without hot-plug disks.

If that's your only reason then just having a second PSU packed away in a cupboard at home resolves the "1-2 days downtime" issue for less cost. We had a pair of redundant PSUs both go at the same time not long ago, which were harder to replace at short notice! We've also had a PSU backplane go, with similar consequences. That said, if you're like me and have better things to do than replace cold plug power supplies I would still highly recommend the redundant PSUs if you have the cash. They are just easier, and only marginally less efficient than a single PSU (last time I checked, which was a while ago, ymmv).

James

James Harper wrote:
> If that's your only reason then just having a second PSU packed away in a cupboard at home resolves the "1-2 days downtime" issue for less cost.
+1
> That said, if you're like me and have better things to do than replace cold plug power supplies I would still highly recommend the redundant PSUs if you have the cash. They are just easier, and only marginally less efficient than a single PSU (last time I checked, which was a while ago, ymmv).
Don't forget noisier, which might matter in a home environment.

On Wed, Apr 18, 2012 at 03:53:42PM +1000, Dave Oxley wrote:
> On 18/04/12 14:06, Russell Coker wrote:
>> http://etbe.coker.com.au/2012/04/17/zfs-btrfs-cheap-servers/
>
> Interesting read. It was actually the T410 that I had spec'ed from Dell.
>
>> Why do you want a redundant PSU and hot-plug disks? If it's a home server then why not just take some downtime if a PSU fails and schedule downtime for disk replacement?
>
> A few years ago, downtime of the server wouldn't have been an issue. These days the server is used for all phones, TV, Internet connection,

I strongly recommend you get a little netbook computer like an eeepc to handle the internet connection, iptables, dns cache, dhcp server, asterisk and similar relatively light tasks. maybe even squid proxy. can also act as a wireless AP if you install and configure hostapd.

that way, even if a power outage or dead PSU takes out the storage server for a day or two, you won't lose internet or phones. low power usage, and as it's a laptop it effectively has a 6+ hour UPS built-in (but you'll need a separate UPS for the ADSL modem anyway unless you have a USB and USB-powered ADSL modem - if any exist, that is).

also, do you really want your file server to be your internet gateway and firewall? that's a completely hypocritical question, btw :)

> Lighting control (CBus).

dunno anything about CBus but a netbook may be able to handle that too, if the interface is USB or ethernet.

craig

--
craig sanders <cas@taz.net.au>

BOFH excuse #310: asynchronous inode failure

Craig Sanders wrote:
> I strongly recommend you get a little netbook computer like an eeepc to handle the internet connection, iptables, dns cache, dhcp server, asterisk and similar relatively light tasks. maybe even squid proxy.
>
> can also act as a wireless AP if you install and configure hostapd.
+1, except I would normally use a Netgear WNDR3800 running OpenWRT.[0] I don't like using netbooks for that role unless the project budget is $0 and there's a spare one rotting on a shelf. Aside from the lack of onboard UPS cf. netbooks, the other main malus would be you can't run a general-purpose x86 OS on it.

[0] the ideal OpenWRT platform changes over time. TP-Link 1043ND is also current gen, cheaper, but can't be unbricked without opening the case -- not an issue unless you roll custom OpenWRT builds.
> low power usage, and as it's a laptop it effectively has a 6+ hour UPS built-in
Bear in mind that what was originally a 6h battery is, by the time it becomes a hand-me-down router, probably only 2h or 4h. (Well, I guess it depends how hard you use your netbooks, and how often you replace them.)
> (but you'll need a separate UPS for the ADSL modem anyway unless you have a USB and USB-powered ADSL modem - if any exist, that is).
Good point.
> also, do you really want your file server to be your internet gateway and firewall? that's a completely hypocritical question, btw :)
We used to do that, on the basis that fewer boxes = more gooder. Our BCP nowadays is to keep them separate, because 1) they're totally different rôles; and 2) failures often break one or the other, but not both. It's useful to a business if e.g. while their fileserver is down, they can still get to the internet.

On Thu, Apr 19, 2012 at 03:18:01PM +1000, Trent W. Buck wrote:
> Craig Sanders wrote:
>> I strongly recommend you get a little netbook computer like an eeepc to handle the internet connection, iptables, dns cache, dhcp server, asterisk and similar relatively light tasks. maybe even squid proxy.
>>
>> can also act as a wireless AP if you install and configure hostapd.
>
> +1, except I would normally use a Netgear WNDR3800 running OpenWRT.[0] I don't like using netbooks for that role

yeah, i try really hard to like the idea of using a little openwrt compatible router (because they would/could be great), but every time i look into them in any detail, I end up at the same point:

1. finding a model that has all the features you need is next to impossible. maybe i just expect too much, but every time I find a brand/model that seems like it might meet my needs, i find it has some glaring flaw or deficiency that eliminates it from my consideration.

2. There's a substantial risk of bricking them when you replace the vendor-supplied firmware with OpenWRT or upgrade to the latest openwrt.

3. they cost almost as much as a new netbook but have serious deficiencies in CPU power, RAM, and storage. the lack of RAM in particular would make it painful to run memory-hogging services like bind9 and squid. OTOH they do have the advantage of having multiple 100baseT or Gbit ports built-in, and often have adsl built-in too.

4. openwrt is nowhere near as nice or convenient or flexible to use as a "real" linux distribution like debian. openwrt has very few available packages, and it tends to use minimalist versions of common tools (e.g. busybox instead of most of the bin & sbin directories. busybox is a hell of a lot better than nothing but painful if you need anything beyond the most basic functionality)

I'm sure they can and do work perfectly for lots of people, but as much as i *want* to like them, I just can't find one that suits my needs.

alternatively, a mini-ITX motherboard and case could be used instead of a netbook. but that would end up costing about as much as a new netbook, and wouldn't have a battery or a built-in screen and keyboard. the only advantage is that it would have one or two PCI or PCI-e slots and probably a mini-PCI/PCI-e slot for the wireless card as well.

> unless the project budget is $0 and there's a spare one rotting on a shelf.

:) my ancient eeepc 701 was idle until i rescued it from the shelf, blew off the dust, and turned it into my wireless AP. I'm considering turning it into my internet gateway (incl. firewall, asterisk, dns, dhcp, squid, etc) box as well, but it needs either another (USB 2.0) NIC or a USB 2.0 ADSL modem. and maybe another sd card.

a Celeron M 900MHz with 512M RAM and 4GB of flash disk is pretty good for these tasks....sounds ancient today, but it's still a lot better than what i was using for the same job (minus asterisk, but add sendmail and other stuff*) in the mid 90s, a 40MHz 386 system with 4MB RAM.

one of the newer atom or amd fusion based netbooks would be even better. 802.11b, g, and n rather than just b & g; more RAM; more powerful cpu, but lower power consumption, and cpu-freq compatible (the eeepc's celeron 900 doesn't support intel speedstep). and lots more USB 2.0 ports than my eeepc 701....might even be possible to find one with USB 3.0

* including a stallion multiport serial card and a bunch of serial terminals with people running elm or pine and lynx and other stuff. and a couple of dial-in modems for friends to use.

craig

--
craig sanders <cas@taz.net.au>

BOFH excuse #397: T-1's congested due to porn traffic to the news server.

Quoting Craig Sanders (cas@taz.net.au):
> yeah, i try really hard to like the idea of using a little openwrt compatible router (because they would/could be great), but every time i look into them in any detail, I end up at the same point:

Ditto. Here's the unit I'm considering to replace my decade-plus-old server:

http://www.fit-pc.com/web/purchase/order-direct-fit-pc3/

It has dual eSATA, an AMD G-T44R 64-bit CPU, AMD Radeon HD 6250 (HDMI or DisplayPort), takes up to 8GB RAM on two DDR3 SO-DIMMs, room inside for one 2.5" disk, two MiniPCIE sockets. Power draw's about 10-20W depending on load and extras. Fanless.

I haven't gotten through researching chipsets for compatibility with good open-source Linux drivers -- SATA and ethernet being for my purposes what matter. However, they claim it runs Linux Mint.

Price depends on what RAM and mass-storage you put in it. I'm imagining one of those with 8GB RAM and a pair of 128 GB SSDs for mass storage. Total silence, and next to no power draw. Either one SSD inside and one out, or both in external eSATA-connected boxes.

On Thu, Apr 19, 2012 at 01:24:17AM -0700, Rick Moen wrote:
> Quoting Craig Sanders (cas@taz.net.au):
>> yeah, i try really hard to like the idea of using a little openwrt compatible router (because they would/could be great), but every time i look into them in any detail, I end up at the same point:
>
> Ditto. Here's the unit I'm considering to replace my decade-plus-old server: http://www.fit-pc.com/web/purchase/order-direct-fit-pc3/
neat. i ran across the fit-pc2 and fit-pc2i a year or two ago and thought they sounded pretty good...but the local .au distributor wants $625 for the base model with 1.0GHz CPU and 1GB RAM. it's $905 if you want the 1.6GHz model with 2GB RAM. for that price, i'd rather build my own mini-itx box (or even ATX...mini-ITX has very few slots due to size constraints, but there are a number of AMD F1 socket ATX boards available for around $100 with several PCI-e and PCI slots) or buy an AMD fusion based netbook. either would be much cheaper. the prices on the fit-pc.com site are far more reasonable ($275 for the 1GHz/1GB model), although they list prices in $ (presumably US), but also mention VAT...maybe the $ sign is a typo and they really mean pounds. the fit-pc3 looks even better. and prices seem OK too. The FACE modules sound interesting...looks like they only have 4xUSB module at the moment, but are working on others including some with multiple gigabit ethernet ports.
> It has dual eSATA, an AMD G-T44R 64-bit CPU, AMD Radeon HD 6250 (HDMI or DisplayPort), takes up to 8GB RAM on two DDR3 SO-DIMMs, room inside for one 2.5" disk, two MiniPCIE sockets. Power draw's about 10-20W depending on load and extras. Fanless.

nice. and the AMD CPU means it has virtualisation extensions so it could even run kvm if you wanted to..

craig

--
craig sanders <cas@taz.net.au>

BOFH excuse #230: Lusers learning curve appears to be fractal

Craig Sanders wrote:
> yeah, i try really hard to like the idea of using a little openwrt compatible router (because they would/could be great), but every time i look into them in any detail, I end up at the same point:
>
> 1. finding a model that has all the features you need is next to impossible. maybe i just expect too much, but every time I find a brand/model that seems like it might meet my needs, i find it has some glaring flaw or deficiency that eliminates it from my consideration.

Usually when I want a new batch, I pop over to #openwrt on irc.freenode.net and ask them what the current best choice is. Obviously your needs might differ to mine, but IME this has worked very well. Those models are also well documented on the openwrt "toh" wiki page. Also, if $customer has a $500 to $1000 budget for a router, I would quite likely deploy an ordinary rackmount x86-64 box rather than an embedded thing.

> 2. There's a substantial risk of bricking them when you replace the vendor-supplied firmware with OpenWRT or upgrade to the latest openwrt.

Wrong. Sane models will attempt to boot off TFTP for a few seconds every boot. Even if you brick it, you can install a new image via TFTP. This is how I do *all* installs, because it's less aggravating than dealing with some "upload new firmware" page of the vendor OS.

> 3. they cost almost as much as a new netbook but have serious deficiencies in CPU power, RAM, and storage.
>
> the lack of RAM in particular would make it painful to run memory-hogging services like bind9 and squid.

Can't argue there, although they're getting better -- 32MB to 128MB this generation, compared to 8MB to 16MB in the previous generation. (If those were needed, I'd automatically put them on a "real" server. And I usually go with dnsmasq/nsd and polipo/squid depending on the use case.)

> OTOH they do have the advantage of having multiple 100baseT or Gbit ports built-in, and often have adsl built-in too.

Standard for these units is a 5-port programmable gigE switch. By default port 0 is tagged as upstream and ports 1-4 are tagged downstream, but you can mix it up however you want.

> 4. openwrt is nowhere near as nice or convenient or flexible to use as a "real" linux distribution like debian.

No argument there.

> openwrt has very few available packages

This is getting better. A notable difference between OpenWRT and ddwrt/tomato is that (AFAIK) only the former has a package manager -- opkg -- which allows you to add/remove packages without needing to (re)compile your own full image. Looking at http://downloads.openwrt.org/backfire/10.03.1/ar71xx/packages/Packages.gz I can see 2951 binary packages (though these are often broken up smaller than Debian binary packages, thus fewer source packages).

Trent W. Buck <trentbuck@gmail.com> wrote:
> Wrong. Sane models will attempt to boot off TFTP for a few seconds every boot. Even if you brick it, you can install a new image via TFTP. This is how I do *all* installs, because it's less aggravating than dealing with some "upload new firmware" page of the vendor OS.
This works as long as it's hard to overwrite or corrupt the code executed on boot that performs the tftp. A good design would isolate that from the flash which holds the OS.

Jason White wrote:
> Trent W. Buck <trentbuck@gmail.com> wrote:
>> Wrong. Sane models will attempt to boot off TFTP for a few seconds every boot. Even if you brick it, you can install a new image via TFTP. This is how I do *all* installs, because it's less aggravating than dealing with some "upload new firmware" page of the vendor OS.
>
> This works as long as it's hard to overwrite or corrupt the code executed on boot that performs the tftp. A good design would isolate that from the flash which holds the OS.

AFAIK that part of the code is usually a ROM. Certainly when I brick ol' Asus WL-500gP or Netgear WNDR3700, I don't brick that part. I suppose if I deliberately and wilfully wrote zeroes to everything I could find, I might be able to break it.

>> 2. There's a substantial risk of bricking them when you replace the vendor-supplied firmware with OpenWRT or upgrade to the latest openwrt.
>
> Wrong. Sane models will attempt to boot off TFTP for a few seconds every boot. Even if you brick it, you can install a new image via TFTP. This is how I do *all* installs, because it's less aggravating than dealing with some "upload new firmware" page of the vendor OS.

You need to be very careful where you deploy such a router. Setting this up with a tftp-enabled port (often all Ethernet ports) exposed to a school network would be madness.

James

James Harper wrote:
>>> 2. There's a substantial risk of bricking them when you replace the vendor-supplied firmware with OpenWRT or upgrade to the latest openwrt.
>>
>> Wrong. Sane models will attempt to boot off TFTP for a few seconds every boot. Even if you brick it, you can install a new image via TFTP. This is how I do *all* installs, because it's less aggravating than dealing with some "upload new firmware" page of the vendor OS.
>
> You need to be very careful where you deploy such a router. Setting this up with a tftp-enabled port (often all Ethernet ports) exposed to a school network would be madness.

Typically only from port 0. I'm not disagreeing with you, but...

The attacker (malicious student) in your scenario has direct access to a switch port, and (unless it's at the other end of a patch panel) direct access to the WRT as well. So if he can trigger a reboot of the WRT, he can reflash it with an arbitrary firmware. This process takes about ten minutes. (0)

But he could also

1. unplug the power cable, cut the power cable, or fill ports with epoxy (DOS);

2. unless you hard-code neighbours table, he can ARP poison (MITM);

3. If you use DHCP, he can be a rogue DHCP server, and anything which receives his DHCP response before yours, will see his view of the world (MITM).

That's just off the top of my head. If I was stuck in class all day for a year staring at a comms cabinet, I daresay I could come up with a few more.

Also off the top of my head, I think (3) would be easier to implement, and harder to detect, than (0). And unlike (0), (3) does not require the ability to reboot a router, which would probably require physical access to the WRT, or access to the building mains and some vocational elec eng knowledge.

Bottom line: when they have physical access, GAME OVER.

>> You need to be very careful where you deploy such a router. Setting this up with a tftp-enabled port (often all Ethernet ports) exposed to a school network would be madness.
>
> Typically only from port 0. I'm not disagreeing with you, but...
>
> The attacker (malicious student) in your scenario has direct access to a switch port, and (unless it's at the other end of a patch panel) direct access to the WRT as well. So if he can trigger a reboot of the WRT, he can reflash it with an arbitrary firmware. This process takes about ten minutes. (0)

I'm assuming that he doesn't have direct access to it, it's a router in a comms cabinet. He has minimally supervised physical access to network ports though (eg a school or internet café). Another openwrt router plugged into the network hidden under a desk sending out tftp packets at regular intervals wouldn't necessarily be noticed for a while in such a situation and could be installed easily. The breed of hardware can be derived easily enough from the MAC address and the instructions for flashing are readily available. Blocking the special MAC address required for the tftp process (02:AA:BB:CC:DD:1A for g300nh2) would probably suffice though if you have a switch capable of such things.

James
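James's suggestion of blocking the recovery MAC at the switch has a monitoring counterpart: watch user-facing ports for traffic that only a firmware-recovery or rogue-infrastructure device would send. The following is an added example, not code from the thread. It reads a constructed, simplified capture format and flags frames addressed to the recovery MAC James quotes, TFTP from hosts outside an admin allowlist, and DHCP server replies from anything but the expected server. The capture format, the admin host and the DHCP server address are assumptions.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Recovery MAC quoted in the thread for the Buffalo G300NH2. A frame addressed to it
# from an ordinary user port is exactly what James proposes blocking at the switch.
RECOVERY_MACS = {"02:aa:bb:cc:dd:1a"}
# Assumed values: the admin workstation allowed to TFTP to network gear, and the
# only host that should ever answer DHCP on this LAN.
ADMIN_HOSTS = {"192.168.1.10"}
DHCP_SERVERS = {"192.168.1.1"}

# Constructed, simplified capture format (one frame per line):
#   <time> <src-mac> > <dst-mac> <src-ip>.<port> > <dst-ip>.<port> <UDP|TCP>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<smac>[0-9A-Fa-f:]{17})\s+>\s+(?P<dmac>[0-9A-Fa-f:]{17})\s+"
    r"(?P<sip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+)\s+(?P<proto>UDP|TCP)\s*$"
)


@dataclass(frozen=True)
class Frame:
    ts: str
    smac: str
    dmac: str
    sip: str
    sport: int
    dip: str
    dport: int
    proto: str


@dataclass(frozen=True)
class Alert:
    ts: str
    rule: str
    detail: str


def parse(line: str) -> Frame | None:
    """Parse one capture line; None for anything that does not fit the format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    # MACs are normalised to lower case so the allow/deny sets compare reliably.
    return Frame(m["ts"], m["smac"].lower(), m["dmac"].lower(), m["sip"],
                 int(m["sport"]), m["dip"], int(m["dport"]), m["proto"])


def check(f: Frame) -> list[Alert]:
    """Apply the three rules to one frame; one frame can trip more than one rule."""
    alerts = []
    if f.dmac in RECOVERY_MACS:
        alerts.append(Alert(f.ts, "recovery-mac",
                            f"{f.smac} ({f.sip}) addressed recovery MAC {f.dmac}"))
    if f.proto == "UDP" and f.dport == 69 and f.sip not in ADMIN_HOSTS:
        alerts.append(Alert(f.ts, "tftp-non-admin",
                            f"TFTP from non-admin host {f.sip} to {f.dip}"))
    if f.proto == "UDP" and f.sport == 67 and f.dport == 68 and f.sip not in DHCP_SERVERS:
        alerts.append(Alert(f.ts, "rogue-dhcp",
                            f"DHCP server reply from unexpected host {f.sip}"))
    return alerts


def scan(capture: str) -> list[Alert]:
    """Run every parseable line through the rules, preserving capture order."""
    alerts: list[Alert] = []
    for line in capture.splitlines():
        f = parse(line)
        if f is not None:
            alerts.extend(check(f))
    return alerts


def summarize(alerts: list[Alert]) -> dict[str, int]:
    """Alert count per rule, handy for a dashboard or a daily report."""
    return dict(Counter(a.rule for a in alerts))


# Constructed sample: a user host probing the recovery MAC over TFTP, the admin host
# doing a legitimate TFTP install, a rogue DHCP reply, ordinary DNS, and the real
# DHCP server answering.
SAMPLE_CAPTURE = """\
10:00:01.000 00:11:22:33:44:55 > 02:AA:BB:CC:DD:1A 192.168.1.77.40000 > 192.168.11.1.69 UDP
10:00:02.000 00:11:22:33:44:56 > 00:1d:73:aa:bb:cc 192.168.1.10.40001 > 192.168.1.1.69 UDP
10:00:03.000 00:11:22:33:44:57 > ff:ff:ff:ff:ff:ff 192.168.1.99.67 > 255.255.255.255.68 UDP
10:00:04.000 00:11:22:33:44:58 > 00:1d:73:aa:bb:cc 192.168.1.20.51000 > 192.168.1.1.53 UDP
10:00:05.000 00:1d:73:aa:bb:cc > ff:ff:ff:ff:ff:ff 192.168.1.1.67 > 255.255.255.255.68 UDP
"""

if __name__ == "__main__":
    found = scan(SAMPLE_CAPTURE)
    for a in found:
        print(f"{a.ts} [{a.rule}] {a.detail}")
    print(summarize(found))
```

On the sample the first frame trips two rules at once, which is the point of keeping rules independent rather than stopping at the first match.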

>> 3. they cost almost as much as a new netbook but have serious deficiencies in CPU power, RAM, and storage.
>>
>> the lack of RAM in particular would make it painful to run memory-hogging services like bind9 and squid.
>
> Can't argue there, although they're getting better -- 32MB to 128MB this generation, compared to 8MB to 16MB in the previous generation.

Buffalo WZR-HP-G300NH2AP
Wireless N
5 x Gigabit ports
64MB RAM
32MB Flash
USB2 port
<$100 (according to shopbot)

Supported by OpenWRT trunk, so presumably full support in the next release, but trunk works fine. The wiki page says that the models with A1 A0 next to the MAC address don't work but I have some of those and they work well.

I run squid and bird (OSPF routing) on a few of them and there is still plenty of headroom. I'd question whether bind9 would be the right choice to run on a little router like that, maybe better off having something that can just run as a secondary if you can.

James

Quoting James Harper (james.harper@bendigoit.com.au):
> I run squid and bird (OSPF routing) on a few of them and there is still plenty of headroom. I'd question whether bind9 would be the right choice to run on a little router like that, maybe better off having something that can just run as a secondary if you can.
That would be a perfect application for Unbound. (I helped convince the OpenWRT people to package it.) http://linuxmafia.com/faq/Network_Other/dns-servers.html#unbound

Rick Moen wrote:
> That would be a perfect application for Unbound. (I helped convince the OpenWRT people to package it.)

Do you have a salespitch for why one should switch a typical SOHO OpenWRT install from dnsmasq to unbound? I investigated it and found it did a noticeably better job, but

1. the version I had could bind to a high port, but wouldn't talk to another DNS server on a high port (despite what the documentation claimed).

2. This made it difficult/impossible to continue using dnsmasq for DHCP in such a way that the LAN domain was seeded from DHCP. That is, if you have a DHCP client doing send host-name "agave"; and the LAN domain is .invalid, then other LAN hosts should magically be able to resolve agave.invalid to an IP and back.

If I am calculating correctly, the unbound version I tested was 1.4.1. I can't remember if I discovered, or merely hoped, that newer versions fixed (1).

Quoting Trent W. Buck (trentbuck@gmail.com):
> Do you have a salespitch for why one should switch a typical SOHO OpenWRT install from dnsmasq to unbound?
If I had a whole lot of time, I'd be glad to investigate the problems you recount. If you have an OpenWRT device with sufficient RAM (always a concern), one option is to run on it both a general-purpose recursive nameserver (such as Unbound) and the forwarding caching nameserver of your choice (such as Dnsmasq). Query path would be client software to Dnsmasq to Unbound to Internet, with the forwarding caching nameserver continuing to handle the LAN domain and forwarding everything else to Unbound. But I don't have time to work out implementation details.
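The two-daemon layout Rick sketches, written out as an added example (not Rick's, Trent's or OpenWRT's own configuration): dnsmasq stays the LAN-facing DHCP server and caching forwarder and answers the LAN domain itself, while Unbound does recursion on loopback port 5353 and is never reachable from the LAN. The interface name, address ranges, cache sizes, the port, and the `invalid` LAN domain (taken from Trent's message) are assumptions; Unbound never has to forward to a high port in this layout, so the problem Trent hit in 1.4.1 does not arise.

```conf
# /etc/dnsmasq.conf -- LAN-facing: DHCP plus caching forwarder (assumed addresses)
interface=br-lan
bind-interfaces
# Ignore /etc/resolv.conf; the only upstream is the server= line below.
no-resolv
# Everything not answered locally goes to Unbound on loopback, port 5353.
server=127.0.0.1#5353
# LAN domain from the thread: DHCP clients become <host-name>.invalid ...
domain=invalid
expand-hosts
# ... and that domain is answered here and never forwarded upstream.
local=/invalid/
dhcp-range=192.168.1.100,192.168.1.200,12h
dhcp-authoritative
cache-size=1000

# /etc/unbound/unbound.conf -- recursive resolver, reachable only from dnsmasq
server:
    interface: 127.0.0.1
    port: 5353
    do-ip6: no
    # Loopback only; the explicit refuse keeps it from ever becoming an open
    # resolver even if the interface line is later changed.
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    # Sized for a 32-64MB router, per the RAM discussion earlier in the thread.
    num-threads: 1
    msg-cache-size: 2m
    rrset-cache-size: 4m
```

Clients get dnsmasq on port 53 as before; `dig @127.0.0.1 -p 5353` on the router itself is the quickest way to confirm Unbound answers and that nothing on the LAN side can reach it.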

On Fri, Apr 20, 2012 at 03:30:58AM +0000, James Harper wrote:
> Buffalo WZR-HP-G300NH2AP
> Wireless N
> 5 x Gigabit ports
> 64MB RAM
> 32MB Flash
> USB2 port
> <$100 (according to shopbot)
the WBMR-HP-G300H with ADSL2+ for about $120 looks interesting, but i'd still rather use debian on a netbook.
> I'd question whether bind9 would be the right choice to run on a little router like that, maybe better off having something that can just run as a secondary if you can.

i need something capable of acting as a primary authoritative name-server for my domains, not just a cache. of all the available open source name-servers, bind9 annoys me the least. for the most part, it doesn't annoy me at all - it just works.

nsd would be my next best choice but when i tested it a few years ago, it was still fairly buggy, had more annoying quirks than bind9, and didn't use any less RAM than bind9 (which was my main reason for looking into alternatives at the time - these days, the size of cheaply and commonly available RAM sticks make that mostly irrelevant). from what i've read, there are good reasons for using nsd if you host many thousands of domains. i host only a handful.

IIRC, none of the others support the zone standard file format, they all have their own specific format, and maybe have some sort of semi-functional converter...some of them OK, some of them ugly and unreadable. of these, dnsmasq would probably be my next choice....but i'd have to give up using ISC's dhcpd.

but overall, i just don't see any compelling reason to switch from bind9 or ISC dhcpd. they meet my needs and don't cause me any problems.

craig

--
craig sanders <cas@taz.net.au>

BOFH excuse #404: Sysadmin accidentally destroyed pager with a large hammer.

Quoting Craig Sanders (cas@taz.net.au):
nsd would be my next best choice but when i tested it a few years ago, it was still fairly buggy, had more annoying quirks than bind9, and didn't use any less RAM than bind9 (which was my main reason for looking into alternatives at the time - these days, the size of cheaply and commonly available RAM sticks make that mostly irrelevant).
from what i've read, there are good reasons for using nsd if you host many thousands of domains. i host only a handful.
I use it for a very small virtual-machine host that's extremely memory-constrained, and it's been a champ. Memory footprint is _markedly_ better than BIND9's. rick@gruyere:~$ nsd -v NSD version 2.3.7 Written by NLnet Labs. Copyright (C) 2001-2006 NLnet Labs. This is free software. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. rick@gruyere:~$ ps auxw | grep nsd | grep -v grep nsd 32007 0.0 0.0 3536 116 ? S Mar27 0:00 /usr/sbin/nsd -f /var/lib/nsd/nsd.db -P /var/run/nsd.pid -u nsd nsd 32008 0.0 0.0 3928 236 ? S Mar27 0:12 /usr/sbin/nsd -f /var/lib/nsd/nsd.db -P /var/run/nsd.pid -u nsd rick@gruyere:~$ [rick@linuxmafia] ~ $ /usr/sbin/named -v BIND 9.8.1.dfsg.P1 [rick@linuxmafia] ~ $ ps auxw | grep named | grep -v grep bind 18665 0.1 2.5 84872 39004 ? Ssl Mar27 66:19 /usr/sbin/named -4 -u bind [rick@linuxmafia] ~ $ NSD's performance/throughput is also a great deal better, if that matters. The administrative tools and some of the procedures take a little getting used to. I have some notes that I can send if you ever need them.
but overall, i just don't see any compelling reason to switch from bind9 or ISC dhcpd. they meet my needs and don't cause me any problems.
My opinion, yours for a small fee and waiver of reverse-engineering rights: BIND is a slow, RAM-grabbing, overfeatured, monolithic daemon binary. Alternatives are always worth checking out.

On Thu, Apr 19, 2012 at 11:07:01PM -0700, Rick Moen wrote:
I use it for a very small virtual-machine host that's extremely memory-constrained, and it's been a champ. Memory footprint is _markedly_ better than BIND9's.
good. that's the main reason i looked at nsd a few years ago, it was supposed to use much less memory than bind.
    rick@gruyere:~$ ps auxw | grep nsd | grep -v grep
    nsd      32007  0.0  0.0   3536   116 ?  S    Mar27   0:00 /usr/sbin/nsd -f /var/lib/nsd/nsd.db -P /var/run/nsd.pid -u nsd
    nsd      32008  0.0  0.0   3928   236 ?  S    Mar27   0:12 /usr/sbin/nsd -f /var/lib/nsd/nsd.db -P /var/run/nsd.pid -u nsd

    [rick@linuxmafia] ~ $ ps auxw | grep named | grep -v grep
    bind     18665  0.1  2.5  84872 39004 ?  Ssl  Mar27  66:19 /usr/sbin/named -4 -u bind
is bind running as recursive cache too, or just authoritative server? if both, how much memory does unbound use to do the recursive cache part of what bind's doing?
NSD's performance/throughput is also a great deal better, if that matters.
not to me, my name server is never likely to be under anywhere near enough load for performance to be an issue. even if it came under some kind of port 53 DoS attack, my ADSL2 line is going to melt down under the traffic long before bind starts breaking a sweat on a six-core AMD 1090T machine. even if i moved it to the celeron 900 on my eeepc it would be fine.
The administrative tools and some of the procedures take a little getting used to. I have some notes that I can send if you ever need them.
but overall, i just don't see any compelling reason to switch from bind9 or ISC dhcpd. they meet my needs and don't cause me any problems.
My opinion, yours for a small fee and waiver of reverse-engineering rights: BIND is a slow, RAM-grabbing, overfeatured, monolithic daemon binary. Alternatives are always worth checking out.
yeah, well, if bind ever annoys me enough in future, i'll take another look at nsd and other alternatives. in the meantime, bind does the job. it's more than good enough for my little home name-server serving my own little domains. it's good enough for a handful of domains at work too. since i don't work in the ISP industry any more, i don't have to care much about high-performance DNS or managing tens of thousands of domains.

also, i need something that acts as both an authoritative and a recursive name-server. from memory, it was difficult or impossible to set that up on the same machine/IP with nsd & unbound.

craig

--
craig sanders <cas@taz.net.au>

BOFH excuse #371: Incorrectly configured static routes on the corerouters.

Quoting Craig Sanders (cas@taz.net.au):
is bind running as recursive cache too, or just authoritative server? if both, how much memory does unbound use to do the recursive cache part of what bind's doing?
Good question. I don't know the answer to the second question. BIND9 was performing both authoritative and (light) recursive duties. As suggested by the shell prompt details, the BIND example is the old server in my garage that runs linuxmafia.com. For better or worse, I've been running installations of that old pile of spaghetti code since BIND4 days. Like you, I'm still running BIND9 as a multipurpose nameserver in my own deployment because it's Good Enough[tm]. The NSD instance is running authoritative nameservice for a Linux user group (Silicon Valley Linux User Group) and for a number of sister groups and friends thereof.
also, i need something that acts as both an authoritative and a recursive name-server. from memory, it was difficult or impossible to set that up on the same machine/IP with nsd & unbound.
I haven't tried to engineer that, but wouldn't IP aliasing solve that (if indeed you don't prefer segregating functions to different hosts anyway)? FWIW, in a quick check, I also found an example of Unbound running on localhost and NSD binding to the external network interface, which of course means that instance of Unbound is available for recursive service only to local processes. The author runs a second instance on a different host for his local LAN. http://measureofchaos.blogspot.com/2011/04/nsd-and-unbound-install-configure...

Rick Moen wrote:
The administrative tools and some of the procedures take a little getting used to. I have some notes that I can send if you ever need them.
I'm no bind9 expert, but I didn't find nsd3's workflow substantially different, other than nsd.conf struck me as a good deal more simple, sensible and consistent than did named.conf. FWIW here are the notes I prepared for coworker bind9 refugees:

After editing master/com.example.zone, do this::

    nsdc rebuild
    nsdc reload
    VISUAL=vi etckeeper commit    # describe change & give your name

Note that nsd MUST BE RUNNING when the rebuild is issued, or it will not DNS NOTIFY the associated slaves. If that happens, the slaves will serve the old zone until they time out and initiate an AXFR/IXFR on their own. For this reason, using "restart nsd3" after a master zonefile update is wrong -- it amounts to nsdc stop+rebuild+start::

    restart nsd3      # WRONG!

    nsdc stop         # ALSO WRONG!
    nsdc rebuild
    nsdc start

Note that "restart nsd3" is this in-house upstart job. In upstart-land, "reload foo" is hard-coded to mean "kill -HUP <foo's PID>" (sigh). I wrote it because, when I first rolled out nsd, it seemed like a "clever" move to replace a 100-line sysvinit script with a four-line upstart one (and gain automatic restart if nsd heisencrashed).

    start on runlevel [2345]
    stop on runlevel [!2345]
    respawn

    # This DOES NOT WORK because even with -d, nsd will change PID every
    # time you HUP (nsdc reload) it, and there is no way for upstart to
    # deal with that.  No, expect fork won't work, because that expects
    # one extra fork -- what happens when you HUP again next week?
    #pre-start script
    #    install -d -o nsd /var/run/nsd3
    #    exec nsdc rebuild
    #end script
    #exec nsd -d

    # This is icky, but does work.
    pre-start script
        install -d -o nsd /var/run/nsd3
        nsdc rebuild
        exec nsdc start
    end script
    post-stop exec nsdc stop

PS: I apologize for my part in hijacking/derailing this thread.
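As an added example (not from Trent's notes and not part of nsd), a small POSIX shell wrapper around the rebuild/reload/commit sequence above: it refuses to rebuild while nsd is down, for the NOTIFY reason given in the notes, and adds a YYYYMMDDnn SOA serial bump, since a zone edit without a serial increase is the other common way slaves keep serving the old zone. The pidfile path /var/run/nsd3/nsd.pid and the presence of nsdc and etckeeper on PATH are assumptions.

```shell
#!/bin/sh
# Added example (not Trent's notes, not part of nsd): wrapper for the
# "nsdc rebuild; nsdc reload; etckeeper commit" sequence that refuses to
# rebuild while nsd is down, plus a YYYYMMDDnn SOA serial bump.
# Assumed: nsd3's pidfile at /var/run/nsd3/nsd.pid; nsdc and etckeeper on PATH.
set -eu

NSD_PIDFILE=${NSD_PIDFILE:-/var/run/nsd3/nsd.pid}

# 0 if the PID recorded in the pidfile is alive, 1 otherwise. A stale,
# empty or missing pidfile counts as "not running", the safe answer here.
nsd_is_running() {
    pidfile=$1
    [ -r "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile")
    case $pid in ''|*[!0-9]*) return 1 ;; esac
    kill -0 "$pid" 2>/dev/null
}

# Next SOA serial in YYYYMMDDnn form. Args: current serial, today's date as
# YYYYMMDD. Slaves only transfer when the serial grows, so the result is
# kept strictly increasing: an old-style or earlier-date serial jumps to
# today's 00, anything at or beyond today's 00 is simply incremented.
next_serial() {
    cur=$1; today=$2
    case $cur$today in ''|*[!0-9]*) echo "non-numeric serial/date" >&2; return 1 ;; esac
    base=${today}00
    if [ "$cur" -lt "$base" ]; then
        echo "$base"
    else
        echo $((cur + 1))
    fi
}

# Rebuild + reload + commit, in the order the notes give, guarded by the
# running check so a rebuild never happens while nsd is stopped.
update_zone() {
    zone=$1                       # e.g. com.example
    pidfile=${2:-$NSD_PIDFILE}
    if ! nsd_is_running "$pidfile"; then
        echo "nsd is not running: a rebuild now would skip DNS NOTIFY to the slaves" >&2
        return 1
    fi
    nsdc rebuild
    nsdc reload
    etckeeper commit "nsd: updated zone $zone"
}
```

Source the file and call `update_zone com.example` after editing the zone; `next_serial` is meant to be applied to the SOA serial before that.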

On Fri, Apr 20, 2012 at 03:30:58AM +0000, James Harper wrote:
Buffalo WZR-HP-G300NH2AP: Wireless N, 5 x Gigabit ports, 64MB RAM, 32MB Flash, USB2 port, <$100 (according to shopbot)
the WBMR-HP-G300H with ADSL2+ for about $120 looks interesting, but i'd still rather use debian on a netbook.
Are the ADSL chipsets supported under OpenWRT? Last time I checked they weren't but that was a while ago... James

Craig Sanders wrote:
On Fri, Apr 20, 2012 at 03:30:58AM +0000, James Harper wrote:
Buffalo WZR-HP-G300NH2AP: Wireless N, 5 x Gigabit ports, 64MB RAM, 32MB Flash, USB2 port, <$100 (according to shopbot)
the WBMR-HP-G300H with ADSL2+ for about $120 looks interesting, but i'd still rather use debian on a netbook.
Please note that at this time (and AFAIK), OpenWRT cannot drive ADSL2+ modem chipsets. Nor can any other open-source Linux. Standard practice is to get an ADSL2+ modem, put it in bridged mode, and have the WRT speak PPPoE to it. There is *ONE* driver in the linux kernel for ADSL2+, and that is the Traverse Solos. It is a two-port PCI (*not* PCIe) card that contains a DSP chip, and a little FPGA running (a svn snapshot of) Traverse's code to translate between the kernel driver and the DSP. I have a traverse solos in a rackmount doing ADSL2+ to different ISPs at work. It's comparatively expensive, and a little quirky, but on the whole I have been pleased with it. (The Traverse Viking one-port card does not take this approach; it is basically the standard "ethernet <--> bridged ADSL2+ modem" components on a single card.)
I'd question whether bind9 would be the right choice to run on a little router like that, maybe better off having something that can just run as a secondary if you can.
i need something capable of acting as a primary authoritative name-server for my domains, not just a cache.
I migrated from bind9 to nsd3 and have been extremely satisfied with it. My only criticism is that "nsdc reload" will cause the daemon to do a fork dance, which upstart can't cope with. (Upstart can only handle double-forking if it happens when the service initially starts.)
nsd would be my next best choice but when i tested it a few years ago, it was still fairly buggy, had more annoying quirks than bind9, and didn't use any less RAM than bind9
I haven't measured performance, but the only quirk I've noticed was the above. Well, and the source of nsdc is fugly.
of these, dnsmasq would probably be my next choice....but i'd have to give up using ISC's dhcpd.
dnsmasq can be used to serve your zones to the world, but it is shit at that job. It is a reasonable caching resolver. You can, of course, run a separate zonefile-serving DNS daemon and a recursive resolver DNS daemon -- just do it on separate hosts, or on separate ifaces of the same host. Of course, the latter would mean you need to HUP or restart the internet-facing zonefile server every time ppp0 bounced...
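A concrete version of the split that Rick (Unbound on localhost, NSD on the external interface) and Trent (separate ifaces on one host) describe, added here as an example and not taken from either post or from the NSD/Unbound documentation. It uses nsd3 and Unbound config syntax; the addresses are RFC 5737 documentation placeholders, and the zone name, file names and slave address are assumptions. The point for a home gateway is that only the authoritative daemon is reachable from the internet, so the box never acts as an open recursive resolver, while local processes still get recursion on 127.0.0.1.

```conf
# /etc/nsd3/nsd.conf (nsd3 syntax): authoritative only, bound to the
# public address. 203.0.113.10 is a placeholder; in the ppp0 case this is
# the address that changes when the link bounces, hence the restart Trent
# mentions.
server:
    ip-address: 203.0.113.10
    username: nsd
    hide-version: yes
    zonesdir: "/etc/nsd3/master"

zone:
    name: "example.com"
    zonefile: "com.example.zone"
    # placeholder slave: it gets NOTIFY on rebuild and may AXFR/IXFR from us
    notify: 203.0.113.20 NOKEY
    provide-xfr: 203.0.113.20 NOKEY

# /etc/unbound/unbound.conf: recursive resolver for local processes only.
# Nothing here listens on the public address, so there is no open
# resolver to abuse and no restart needed when ppp0 bounces.
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
    hide-version: yes
```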

Trent W. Buck <trentbuck@gmail.com> wrote:
There is *ONE* driver in the linux kernel for ADSL2+, and that is the Traverse Solos. It is a two-port PCI (*not* PCIe) card that contains a DSP chip, and a little FPGA running (a svn snapshot of) Traverse's code to translate between the kernel driver and the DSP.
I have one of these at home and it works well. Unfortunately, the line it's on doesn't: the modem loses sync occasionally, as did the ADSL 1 router which it replaced. The line has been patched several times in recent years, so problems aren't surprising. Thus I think the difficulty is in the line, not the modem.

On Fri, Apr 20, 2012 at 10:43:21PM +1000, Trent W. Buck wrote:
the WBMR-HP-G300H with ADSL2+ for about $120 looks interesting, but i'd still rather use debian on a netbook.
Please note that at this time (and AFAIK), OpenWRT cannot drive ADSL2+ modem chipsets. Nor can any other open-source Linux. Standard practice is to get an ADSL2+ modem, put it in bridged mode, and have the WRT speak PPPoE to it.
ok, thanks, that's good to know. it completely destroys any interest i have in openwrt devices.

the only reason i have for wanting to replace my current gateway setup is so that i can have *one* simple little device that does it all - routing, iptables, dns, dhcp, squid, wireless AP, *AND* ADSL2.

if i still need to have an ADSL modem in dumb bridged mode (as i currently have, with pppoe running on my main machine) then i can't see any personal benefit in having an openwrt device.

i think i'll stick with Plan A - do nothing until NBN arrives in my street, then toss out the ADSL modem and plug the NBN ethernet directly into the 2nd nic of my gateway box. sounds hard, but i think i can manage it :)
You can, of course, run a separate zonefile-serving DNS daemon and a recursive resolver DNS daemon -- just do it on separate hosts, or on
it's hard to see any benefit in doing that - a lot of stuffing around to get something about as good as what I currently have just by running bind.

craig

--
craig sanders <cas@taz.net.au>

BOFH excuse #367: Webmasters kidnapped by evil cult.

On Sat, Apr 21, 2012 at 6:32 PM, Craig Sanders <cas@taz.net.au> wrote:
if i still need to have an ADSL modem in dumb bridged mode (as i currently have, with pppoe running on my main machine) then i can't see any personal benefit in having an openwrt device.
Internet access while that machine is down, be it rebooting or catastrophic hardware failure. / Brett

On Fri, Apr 20, 2012 at 10:43:21PM +1000, Trent W. Buck wrote:
the WBMR-HP-G300H with ADSL2+ for about $120 looks interesting, but i'd still rather use debian on a netbook.
Please note that at this time (and AFAIK), OpenWRT cannot drive ADSL2+ modem chipsets. Nor can any other open-source Linux. Standard practice is to get an ADSL2+ modem, put it in bridged mode, and have the WRT speak PPPoE to it.
ok, thanks, that's good to know. it completely destroys any interest i have in openwrt devices.
the only reason i have for wanting to replace my current gateway setup is so that i can have *one* simple little device that does it all - routing, iptables, dns, dhcp, squid, wireless AP, *AND* ADSL2.
if i still need to have an ADSL modem in dumb bridged mode (as i currently have, with pppoe running on my main machine) then i can't see any personal benefit in having an openwrt device.
Different needs for different people I guess. My OpenWRT box means I can keep the server mostly off unless I want to record something or access some files on it, but still have internet access all the time. WOL if I want to turn it on remotely.
i think i'll stick with Plan A - do nothing until NBN arrives in my street, then toss out the ADSL modem and plug the NBN ethernet directly into the 2nd nic of my gateway box.
Will NBN give you an Ethernet cable from the street, or will there still be a modem required? James

James Harper <james.harper@bendigoit.com.au> wrote:
Different needs for different people I guess. My OpenWRT box means I can keep the server mostly off unless I want to record something or access some files on it, but still have internet access all the time. WOL if I want to turn it on remotely.
My ADSL 2+ card is in my desktop machine, which must therefore be on whenever I need network access. That's fine. The desktop system is also on a hardware support contract (at least until that expires), which takes care of the catastrophic failure possibility. I also have an old ADSL 1 router that I can plug in in an emergency. I can also run the ADSL 2+ PCI card from a live Linux CD, as the module is in the kernel and pppd is on the CD.
i think i'll stick with Plan A - do nothing until NBN arrives in my street, then toss out the ADSL modem and plug the NBN ethernet directly into the 2nd nic of my gateway box.
Will NBN give you an Ethernet cable from the street, or will there still be a modem required?
The termination device that connects to the fibre is supplied by them, as I understand it - fibre in one side, Ethernet and FXS ports out the other, and battery backup to accommodate power failures. Note: this is based only on what I've read.

Will NBN give you an Ethernet cable from the street, or will there still be a modem required?

The termination device that connects to the fibre is supplied by them, as I understand it - fibre in one side, Ethernet and FXS ports out the other, and battery backup to accommodate power failures. Note: this is based only on what I've read.

You better check with your ISP; NBN even refers inquiries about the progress of the fibre connection to the ISP support; which can be hilarious when that support doesn't even know what a fibre connection is!
regards Rohan McLeod
_______________________________________________ luv-main mailing list luv-main@luv.asn.au http://lists.luv.asn.au/listinfo/luv-main

On Sat, Apr 21, 2012 at 09:29:24AM +0000, James Harper wrote:
if i still need to have an ADSL modem in dumb bridged mode (as i currently have, with pppoe running on my main machine) then i can't see any personal benefit in having an openwrt device.
Different needs for different people I guess. My OpenWRT box means I can keep the server mostly off unless I want to record something or access some files on it, but still have internet access all the time. WOL if I want to turn it on remotely.
my main machine is on 24/7 anyway. i'm occasionally tempted to move the pppoe off it and onto a smaller device. hence the now-vanished interest in openwrt. my eeepc 701 will do a better job than any openwrt box. and if i felt like buying something new, i'd probably get a new netbook with an amd fusion chip, or maybe one of the fit-pc3 devices that Rick mentioned.
i think i'll stick with Plan A - do nothing until NBN arrives in my street, then toss out the ADSL modem and plug the NBN ethernet directly into the 2nd nic of my gateway box.
Will NBN give you an Ethernet cable from the street, or will there still be a modem required?
as i understand it, it will be a box on the wall with multiple (2? 3? more?) ethernet ports. apparently NBN will support simultaneous connections to multiple ISPs. IIRC, it may also have a few phone ports that emulate analog phone lines for old phones....but that could just be garbled memory.

craig

--
craig sanders <cas@taz.net.au>

BOFH excuse #36: dynamic software linking table corrupted