.:: Bots United ::.  
server was down all the weekend again...
(#1)
Pierre-Marie Baty
Roi de France
Posts: 5,049
Join Date: Nov 2003
Location: 46°43'60N 0°43'0W 0.187A
server was down all the weekend again... - 16-02-2004

I bet the swap partition bug struck again.

We really must get this fixed at all costs, admins. I'll check the logs tonight. What if I put back the default kernel? I don't see why mine would cause the problem, though, but better make sure... No time for that right now, but in the meanwhile if memed or Nova want to take a look, please guys, do!

And to all members... we are sorry. The server crashed just at the beginning of the weekend and the hosting company was closed and nobody could reboot it until this morning. We'll be investigating the issue ASAP. Hopefully this won't happen ever again.



RACC home - Bots-United: beer, babies & bots (especially the latter)
"Learn to think by yourself, else others will do it for you."
  
(#2)
Terran
Member
Posts: 431
Join Date: Jan 2004
Re: server was down all the weekend again... - 17-02-2004

That's really sad as I considered this hoster for some of our servers but now I won't :-)
  
(#3)
botmeister
Ex-Council Member
Posts: 1,090
Join Date: Nov 2003
Location: Canada
Re: server was down all the weekend again... - 18-02-2004

Quote:
Originally Posted by Pierre-Marie Baty
I bet the swap partition bug struck again.

We really must get this fixed at all costs, admins. I'll check the logs tonight. What if I put back the default kernel? I don't see why mine would cause the problem, though, but better make sure...

A bit off topic perhaps, but I am wondering about the modified kernel. Where did it come from, and why is it better than the default?


Maker of the (mEAn) Bot.Admin Manager

"In theory, there is no difference between theory and practice. But, in practice, there is." - Jan L.A. van de Snepscheut
  
(#4)
Pierre-Marie Baty
Roi de France
Posts: 5,049
Join Date: Nov 2003
Location: 46°43'60N 0°43'0W 0.187A
Re: server was down all the weekend again... - 18-02-2004

It's a kernel I compiled myself to get rid of the useless hardware drivers and all the bloatware there is in a generic Linux kernel. Recompiling a custom kernel can save up to 80% kernel space, saves resources (IRQ and memory) and leads to a non-negligible speed improvement.



(#5)
Onno Kreuzinger
aka: memed / Server Admin
Posts: 705
Join Date: Jan 2004
Location: germany
Re: server was down all the weekend again... - 18-02-2004

Quote:
Originally Posted by Pierre-Marie Baty
It's a kernel I compiled myself to get rid of the useless hardware drivers and all the bloatware there is in a generic Linux kernel. Recompiling a custom kernel can save up to 80% kernel space, saves resources (IRQ and memory) and leads to a non-negligible speed improvement.

Hmm, but your kernel was around 15% bigger on disk and you included everything static; although this may be more "secure" it prevents all kinds of nice features (ppp_mppe for el cheapo vpn, modules for loopback, network modules in general, e.g. ip_tables relies on modules [no firewall!]).
But these are all not the reasons; the only bug appearing which is a real indicator for anything is the swap_free call returning ugly errors. This is usually one of the last messages, then it takes some time until it's dead.

Oh, b.t.w. the hoster was not closed, they just did refuse to reboot, because I do not have proper authorization to trigger a reboot (I even misspelled Nova's real name...) and the guy capable of deciding to react simply because it is logical to reboot a stuck server does not work on weekends.

To rule out hard disk failure in the swap area I now switched to a swap file and disabled the swap partition; the swap file is called /lin386.swp

@PMB there are CHANGELOG files on the server, just look in the root.

Cheers memed
  
(#6)
Terran
Member
Posts: 431
Join Date: Jan 2004
Re: server was down all the weekend again... - 18-02-2004

Quote:
Originally Posted by memed
Hmm, but your kernel was around 15% bigger on disk and you included everything static; although this may be more "secure" it prevents all kinds of nice features (ppp_mppe for el cheapo vpn, modules for loopback, network modules in general, e.g. ip_tables relies on modules [no firewall!]).

Netfilter (iptables) doesn't rely on modules, you can build all necessary functions statically into the kernel. Same goes for most other "modules"; only a small handful of them are designed as "module-only", e.g. the new cryptographic modules of the 2.6.x kernels.
  
Reply With Quote
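
The static-versus-module distinction argued in the posts above can be read straight out of a kernel build config. This is an added example, not part of the original thread: the function names are hypothetical and the three sample configs are constructed, while CONFIG_MODULES, CONFIG_IP_NF_IPTABLES and CONFIG_IP_NF_FILTER are the real kernel option names.

```shell
# kconfig_state FILE SYMBOL -> prints y (built in), m (module) or n (absent)
kconfig_state() {
    # A set option reads CONFIG_X=y or CONFIG_X=m; an unset one reads
    # "# CONFIG_X is not set" or is missing from the file altogether.
    val=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    echo "${val:-n}"
}

# firewall_verdict FILE -> static | modular | unavailable
firewall_verdict() {
    mods=$(kconfig_state "$1" CONFIG_MODULES)
    ipt=$(kconfig_state "$1" CONFIG_IP_NF_IPTABLES)
    flt=$(kconfig_state "$1" CONFIG_IP_NF_FILTER)
    if [ "$ipt" = y ] && [ "$flt" = y ]; then
        echo static        # filter table compiled in, no module loading needed
    elif [ "$ipt" != n ] && [ "$flt" != n ] && [ "$mods" = y ]; then
        echo modular       # packet filter depends on loading modules
    else
        echo unavailable   # this build has no usable packet filter
    fi
}

# Constructed sample configs (not taken from the server discussed in the thread).
write_samples() {
    cat > "$1/static.config" <<'EOF'
# CONFIG_MODULES is not set
CONFIG_NETFILTER=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
EOF
    cat > "$1/modular.config" <<'EOF'
CONFIG_MODULES=y
CONFIG_NETFILTER=y
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
EOF
    cat > "$1/stripped.config" <<'EOF'
# CONFIG_MODULES is not set
CONFIG_NETFILTER=y
# CONFIG_IP_NF_IPTABLES is not set
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in static modular stripped; do
    echo "$f: $(firewall_verdict "$tmp/$f.config")"
done
rm -rf "$tmp"
```

The "stripped" sample is the case to watch for when trimming a kernel: module loading is disabled and the packet filter was not compiled in, so the machine cannot run a firewall until it is rebuilt.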
(#7)
Onno Kreuzinger
aka: memed / Server Admin
Posts: 705
Join Date: Jan 2004
Location: germany
Re: server was down all the weekend again... - 18-02-2004

Afaik pptp with mppe is one of those module-only ones, also being able to load and unload ip_table modules is a common practice for me. Despite that, your words are contrary to PMB, why should all possible ip_tables modules be in the kernel (iiiieeeek), that makes it bigger and bloated. And I'm pretty sure that some modules are (were) mutually exclusive, resulting in the need for modules to get all functions.
I also don't want to reinvent the wheel on a wagon already in motion, e.g. my "forensic" connection tracker tool relies on being able to load/unload some of those modules. So in terms of security we ain't no border gate or secure login server and the kernel running now is at least safe enough for PMB and me ;-), while Nova can still recover what PMB and me failed.

cheers

p.s. when I dream of security:
If there were time and local access I would make it a GSX server running a cascaded openbsd/linux environment, preferably guarded by two aravox'es used in asynchronous mode (one for in and one for out). Not to mention that I would like to have access to the onion router ring for connectivity to "my" border network which would be staffed with cisco's routers and pix'es running CSM on an isolated outband management station.

(apart from outband management, the number of aravox'es and the onion router ring access, I did that once)
  
(#8)
Terran
Member
Posts: 431
Join Date: Jan 2004
Re: server was down all the weekend again... - 18-02-2004

Btw (and off-topic): what is your profession memed?
  
(#9)
Onno Kreuzinger
aka: memed / Server Admin
Posts: 705
Join Date: Jan 2004
Location: germany
Re: server was down all the weekend again... - 18-02-2004

care
solve
trust
is my company credo, I'm an independent IT Consultant, mostly for Linux servers [Webserver, App.-Servers, Storage-Nodes and Multimedia] and telecommunication needs [change telco provider, assist in negotiations with sub-contractors, enforce SLAs by documenting failure] and security concepts, testing and implementation [includes teaching, data-protection laws and software QA].

http://kreuzinger.biz or kreuzinger.com

but enough of advertising, I'm no good at that anyway.

Cheers memed
{Onno Kreuzinger}
  
(#10)
Terran
Member
Posts: 431
Join Date: Jan 2004
Re: server was down all the weekend again... - 18-02-2004

Quote:
Originally Posted by memed
Afaik pptp with mppe is one of those module-only ones, also being able to load and unload ip_table modules is a common practice for me. Despite that, your words are contrary to PMB, why should all possible ip_tables modules be in the kernel (iiiieeeek), that makes it bigger and bloated. And I'm pretty sure that some modules are (were) mutually exclusive, resulting in the need for modules to get all functions.
I also don't want to reinvent the wheel on a wagon already in motion, e.g. my "forensic" connection tracker tool relies on being able to load/unload some of those modules. So in terms of security we ain't no border gate or secure login server and the kernel running now is at least safe enough for PMB and me ;-), while Nova can still recover what PMB and me failed.

cheers

I didn't want you to do it this way but I wanted to say that it's possible. But you're right saying that this will blow up the size of the kernel without careful planning which features are required and which are not. For a production system those features normally don't change very frequently, therefore you can go with a static kernel.
And there is much more than the kernel regarding security. E.g. stopping unnecessary services, no direct root logins etc. (hardening systems)

Quote:
Originally Posted by memed
p.s. when I dream of security:
If there were time and local access I would make it a GSX server running a cascaded openbsd/linux environment, preferably guarded by two aravox'es used in asynchronous mode (one for in and one for out). Not to mention that I would like to have access to the onion router ring for connectivity to "my" border network which would be staffed with cisco's routers and pix'es running CSM on an isolated outband management station.

(apart from outband management, the number of aravox'es and the onion router ring access, I did that once)

I'm not sure this will result in a secure system but it will result in a hard to manage system because of the complexity you described.

Btw: aravox is out of business since last year...
Btw2: what is an "onion router ring"?
  