9fans - fans of the OS Plan 9 from Bell Labs
* [9fans] standalone authserver on CF card
@ 2008-04-14 15:22 Matthias Teege
  2008-04-14 15:51 ` erik quanstrom
  0 siblings, 1 reply; 10+ messages in thread
From: Matthias Teege @ 2008-04-14 15:22 UTC (permalink / raw)
  To: 9fans

Moin,

I have to upgrade parts of my Plan 9 system. I'm thinking of using a
soekris 5501 or 48xx as my authentication server. It would be nice to use
a CF Card for storage but I'm not sure about the read/write cycles. Does
anyone run a Plan 9 server on a system without rotating parts?

Many thanks
Matthias




* Re: [9fans] standalone authserver on CF card
  2008-04-14 15:22 [9fans] standalone authserver on CF card Matthias Teege
@ 2008-04-14 15:51 ` erik quanstrom
  2008-04-14 16:01   ` john
                     ` (2 more replies)
  0 siblings, 3 replies; 10+ messages in thread
From: erik quanstrom @ 2008-04-14 15:51 UTC (permalink / raw)
  To: 9fans

> Moin,
>
> I have to upgrade parts of my Plan 9 system. I'm thinking of using a
> soekris 5501 or 48xx as my authentication server. It would be nice to use
> a CF Card for storage but I'm not sure about the read/write cycles. Does
> anyone run a Plan 9 server on a system without rotating parts?
>
> Many thanks
> Matthias

yes.  it works fine.  however, if you have an internet-facing network
with abused protocols such as ftp, you may wish to have a more powerful
processor.

- erik



* Re: [9fans] standalone authserver on CF card
  2008-04-14 15:51 ` erik quanstrom
@ 2008-04-14 16:01   ` john
  2008-04-14 16:13     ` erik quanstrom
  2008-04-14 16:06   ` Matthias Teege
  2008-04-15 11:31   ` kokamoto
  2 siblings, 1 reply; 10+ messages in thread
From: john @ 2008-04-14 16:01 UTC (permalink / raw)
  To: 9fans

>> Moin,
>>
>> I have to upgrade parts of my Plan 9 system. I'm thinking of using a
>> soekris 5501 or 48xx as my authentication server. It would be nice to use
>> a CF Card for storage but I'm not sure about the read/write cycles. Does
>> anyone run a Plan 9 server on a system without rotating parts?
>>
>> Many thanks
>> Matthias
>
> yes.  it works fine.  however, if you have an internet-facing network
> with abused protocols such as ftp, you may wish to have a more powerful
> processor.
>
> - erik

ftp was a major problem for my standalone cpu server; I was getting so
many connection attempts that it was becoming hard to use the system.
I eventually disabled the ftp daemon.  Has anyone hacked ftpd to make
such attempts less attractive or less disruptive?


John




* Re: [9fans] standalone authserver on CF card
  2008-04-14 15:51 ` erik quanstrom
  2008-04-14 16:01   ` john
@ 2008-04-14 16:06   ` Matthias Teege
  2008-04-14 16:19     ` erik quanstrom
  2008-04-14 16:40     ` John Stalker
  2008-04-15 11:31   ` kokamoto
  2 siblings, 2 replies; 10+ messages in thread
From: Matthias Teege @ 2008-04-14 16:06 UTC (permalink / raw)
  To: quanstro, 9fans

> yes.  it works fine.  however, if you have an internet-facing network

What is the best setup method? Because the soekris box hasn't a video
output I have to use a serial console.  I think of booting the box via
pxe and running replica/pull. Or is it better to put the cf card in
another box and set it up there?

Matthias




* Re: [9fans] standalone authserver on CF card
  2008-04-14 16:01   ` john
@ 2008-04-14 16:13     ` erik quanstrom
  0 siblings, 0 replies; 10+ messages in thread
From: erik quanstrom @ 2008-04-14 16:13 UTC (permalink / raw)
  To: 9fans

this really helps us.  i know that steve has a list of bad
ftp users to reject out-of-hand, but this exponential backoff
keeps the bad guys from bothering our auth server enough to
notice.  we still get quite a few connections, though.

- erik


/n/sources/plan9//sys/src/cmd/ip/ftpd.c:519,524 - ftpd.c:519,528
  int
  usercmd(char *name)
  {
+ 	static int usercmds = 1000;
+
+ 	if(usercmds <<= 1 > 2000)
+ 		sleep(usercmds);
  	logit("user %s %s", name, nci->rsys);
  	if(loggedin)
  		return reply("530 Already logged in as %s", user);
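Review bot: in usercmd(), the test if(usercmds <<= 1 > 2000) does not
produce a backoff, because > binds tighter than <<=. It parses as
usercmds <<= (1 > 2000), which shifts by 0, leaves usercmds at 1000 and
is always true, so every USER command sleeps a constant 1000 ms and
nothing grows. Writing it as if((usercmds <<= 1) > 2000) gives the
doubling, but then it needs a ceiling like the delay < 60*1000 test on
the password path, since an unbounded left shift of an int overflows
after roughly twenty USER commands.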
/n/sources/plan9//sys/src/cmd/ip/ftpd.c:537,542 - ftpd.c:541,548
  		strcpy(user, "none");
  	else if(anon_everybody)
  		strcpy(user,"none");
+ 	if(strcmp(user, "Administrator") == 0)
+ 		return reply("530 no way jose");
  	if(strcmp(user, "*none") == 0){
  		if(!anon_ok)
  			return reply("530 Not logged in: anonymous disallowed");
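Review bot: the strcmp(user, "Administrator") check is an exact,
case-sensitive match on one hard-coded name, so "administrator" or
"ADMINISTRATOR" falls through to the normal login path. If the aim is to
reject commonly guessed names out of hand, compare with cistrcmp and
keep the names in a small table so more can be added without another if.
The distinct "530 no way jose" text also tells the client that the name
is filtered; reusing the ordinary "530 Not logged in" wording would give
nothing away.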
/n/sources/plan9//sys/src/cmd/ip/ftpd.c:593,600 - ftpd.c:599,606
  		ch->nresp = strlen(response);
  		ai = auth_response(ch);
  		if(ai == nil) {
- 			static long delay = 100;
-
+ 			static long delay = 1000;
+ hoser:
  			sleep(delay);		/* deter password-guessers */
  			if (delay < 60*1000)
  				delay *= 2;
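Review bot: in the if(ai == nil) block, delay < 60*1000 is tested before
the doubling, so with the new starting value of 1000 the sleep tops out
at 64000 ms rather than 60000. If one minute is the intended ceiling,
clamp after the multiply: delay *= 2; if(delay > 60*1000) delay = 60*1000;
The /* deter password-guessers */ comment should also say that the new
hoser: label lets failures from outside this block share the delay.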
/n/sources/plan9//sys/src/cmd/ip/ftpd.c:601,607 - ftpd.c:607,613
  			return reply("530 Not logged in: %r");
  		}
  		if(auth_chuid(ai, nil) < 0)
- 			return reply("530 Not logged in: %r");
+ 			goto hoser;
  		auth_freechal(ch);
  		ch = nil;
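Review bot: goto hoser on auth_chuid failure jumps backwards into the
body of if(ai == nil) while ai is non-nil, which makes the control flow
hard to follow and ties both failure paths to the layout of that one
block. Moving the sleep-and-double into a small static function called
from both places gives the same delay without the jump. The lines between
hoser: and the 530 return also show no release of ai on this path; worth
checking that it is freed before returning.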



* Re: [9fans] standalone authserver on CF card
  2008-04-14 16:06   ` Matthias Teege
@ 2008-04-14 16:19     ` erik quanstrom
  2008-04-14 16:40     ` John Stalker
  1 sibling, 0 replies; 10+ messages in thread
From: erik quanstrom @ 2008-04-14 16:19 UTC (permalink / raw)
  To: 9fans

> What is the best setup method? Because the soekris box hasn't a video
> output I have to use a serial console.  I think of booting the box via
> pxe and running replica/pull. Or is it better to put the cf card in
> another box and set it up there?

that really depends.  the fundamental decision is if the auth server
is completely standalone or if its root is from the main fileserver.

at coraid, our auth server boots from a kernel on DOM (uses regular
ide connector rather than CF) and mounts the main fileserver.  it only
has a local plan9.ini and kernel.  nothing else.

unfortunately, this means that the fileserver is also completely standalone.
it boots from a kernel on DOM, too. this makes upgrading the fs somewhat
of a pain, but fs kernel updates are rare.

the upside is that the auth server which also serves pxe booting doesn't
live in its own world.  if we booted the auth server from DOM or CF root,
we would have to push pxe images & /lib/ndb/local to the auth server with
every change.

- erik



* Re: [9fans] standalone authserver on CF card
  2008-04-14 16:06   ` Matthias Teege
  2008-04-14 16:19     ` erik quanstrom
@ 2008-04-14 16:40     ` John Stalker
  2008-04-15  7:26       ` Matthias Teege
  1 sibling, 1 reply; 10+ messages in thread
From: John Stalker @ 2008-04-14 16:40 UTC (permalink / raw)
  To: 9fans

> What is the best setup method? Because the soekris box hasn't a video
> output I have to use a serial console.  I think of booting the box via
> pxe and running replica/pull. Or is it better to put the cf card in
> another box and set it up there?

In general I've found pxe to work well.  One word of caution, though.
There is a problem with 5501's failing to detect CF cards some of the
time, especially on reboots.  This has bit a number of people, including
me this last weekend.  For low volume you might want to stick to 4801's,
although they are getting harder to find.  If you need a 5501 you might
want to wait for the next BIOS upgrade.
--
John Stalker
School of Mathematics
Trinity College Dublin
tel +353 1 896 1983
fax +353 1 896 2282



* Re: [9fans] standalone authserver on CF card
  2008-04-14 16:40     ` John Stalker
@ 2008-04-15  7:26       ` Matthias Teege
  0 siblings, 0 replies; 10+ messages in thread
From: Matthias Teege @ 2008-04-15  7:26 UTC (permalink / raw)
  To: stalker, 9fans

> me this last weekend.  For low volume you might want to stick to 4801's,
> although they are getting harder to find.  If you need a 5501 you might
> want to wait for the next BIOS upgrade.

I have both systems "in stock" so I can try. Thanks for that hint. I
have the CF booting problem on the 5501 too.

Matthias




* Re: [9fans] standalone authserver on CF card
  2008-04-14 15:51 ` erik quanstrom
  2008-04-14 16:01   ` john
  2008-04-14 16:06   ` Matthias Teege
@ 2008-04-15 11:31   ` kokamoto
  2008-04-15 12:32     ` Matthias Teege
  2 siblings, 1 reply; 10+ messages in thread
From: kokamoto @ 2008-04-15 11:31 UTC (permalink / raw)
  To: 9fans

> yes.  it works fine.  however, if you have an internet-facing network
> with abused protocols such as ftp,

Isn't Matthias going to build a standalone _authserver_, not a cpu server?

If he wants to make an authserver on a CF card, I recommend that he use
kfs for the CF card.   I've been using this since May 2004 without any problem.

Kenji




* Re: [9fans] standalone authserver on CF card
  2008-04-15 11:31   ` kokamoto
@ 2008-04-15 12:32     ` Matthias Teege
  0 siblings, 0 replies; 10+ messages in thread
From: Matthias Teege @ 2008-04-15 12:32 UTC (permalink / raw)
  To: kokamoto, 9fans

> Isn't Matthias going to build a standalone _authserver_, not a cpu server?

Yes, I'm going to build a standalone authserver. I do not need it as a
CPU Server.

> If he wants to make an authserver on a CF card, I recommend that he use
> kfs for the CF card.   I've been using this since May 2004 without any problem.

That sounds good. I think it is not a major problem to make a copy of
the cf as backup but it would be nice to have not as much downtime.

Matthias


