Cowles, Steve
2002-Jul-24 00:00 UTC
Re[3]: [Shorewall-users] giving up on "/var/lib/shorewall/loc k"
> -----Original Message-----
> From: Tom Eastep
> Sent: Tuesday, July 23, 2002 6:10 PM
> To: Nerijus Baliunas
> Cc: shorewall-users@shorewall.net
> Subject: Re[3]: [Shorewall-users] giving up on "/var/lib/shorewall/lock"
>
> On Tue, 23 Jul 2002, Tom Eastep wrote:
>
> > > If lockfile is giving up, maybe it should be better to
> > > remove the file and restart shorewall anyway? Or check
> > > with ps that no other shorewall is running and restart then?
> > >
> >
> > Or maybe the operator should simply remove the file :-)
> >
>
> But seriously -- for 1.3.5, I'll change the code to remove
> the lockfile and continue after issuing the "give up" message.

Hey! Some of us use the shorewall mutex feature for its intended purpose, i.e. cronjobs that update the blacklist file and then issue shorewall refresh. This feature ensures that I do not issue a shorewall restart while the cronjob is running shorewall refresh.

I hope when you make your changes to the code that it will include a prompt... Are you sure you want to delete the lock?

Just my two bits

Steve Cowles
Tom Eastep
2002-Jul-24 00:21 UTC
Re[3]: [Shorewall-users] giving up on "/var/lib/shorewall/loc k"
On Tue, 23 Jul 2002, Cowles, Steve wrote:

> Hey! Some of us use the shorewall mutex feature for its intended purpose,
> i.e. cronjobs that update the blacklist file and then issue shorewall
> refresh. This feature ensures that I do not issue a shorewall restart while
> the cronjob is running shorewall refresh.
>
> I hope when you make your changes to the code that it will include a
> prompt... Are you sure you want to delete the lock?
>
> Just my two bits
>

I suppose that 30 seconds might be a little short on slow hardware if your code is waiting for a "shorewall restart" -- would it help if I increased the amount of time that 'mutex_on' waits for the lock?

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Cowles, Steve
2002-Jul-24 01:59 UTC
Re[3]: [Shorewall-users] giving up on "/var/lib/shorewall/loc k"
> -----Original Message-----
> From: Tom Eastep
> Sent: Tuesday, July 23, 2002 7:22 PM
> To: Cowles, Steve
> Cc: shorewall-users@shorewall.net
> Subject: RE: Re[3]: [Shorewall-users] giving up on "/var/lib/shorewall/lock"
>
> On Tue, 23 Jul 2002, Cowles, Steve wrote:
>
> > Hey! Some of us use the shorewall mutex feature for its
> > intended purpose, i.e. cronjobs that update the blacklist
> > file and then issue shorewall refresh. This feature ensures
> > that I do not issue a shorewall restart while the cronjob
> > is running shorewall refresh.
> >
> > I hope when you make your changes to the code that it will
> > include a prompt... Are you sure you want to delete the lock?
> >
> > Just my two bits
> >
>
> I suppose that 30 seconds might be a little short on slow hardware if
> your code is waiting for a "shorewall restart" -- would it help if I
> increased the amount of time that 'mutex_on' waits for the lock?
>

In my case, increasing the time on the mutex_on would help. I just reviewed my logfiles and see that a shorewall refresh (with 120+ entries in the blacklist file) takes 45 seconds on my P100.

Maybe adding a new variable to shorewall.conf that allowed us to set the mutex_on timeout to our environment would help. At least it might be a little more universally accepted for those users that are not using this feature or have faster hardware.

When I find some time in the future, I'm probably going to modify my update_blacklist script to use the new dynamic blacklisting features, i.e. shorewall deny xx.xx.xx.xx. At least the script will not have to issue a shorewall refresh.

Steve Cowles
Tom Eastep
2002-Jul-24 03:48 UTC
Re[3]: [Shorewall-users] giving up on "/var/lib/shorewall/loc k"
On Tue, 23 Jul 2002, Cowles, Steve wrote:

> In my case, increasing the time on the mutex_on would help. I just reviewed
> my logfiles and see that a shorewall refresh (with 120+ entries in the
> blacklist file) takes 45 seconds on my P100.
>
> Maybe adding a new variable to shorewall.conf that allowed us to set the
> mutex_on timeout to our environment would help. At least it might be a
> little more universally accepted for those users that are not using this
> feature or have faster hardware.
>
> When I find some time in the future, I'm probably going to modify my
> update_blacklist script to use the new dynamic blacklisting features, i.e.
> shorewall deny xx.xx.xx.xx. At least the script will not have to issue a
> shorewall refresh.
>

In the meantime, I've added a MUTEX_TIMEOUT variable to shorewall.conf. The default value is 60 (seconds).

-Tom
Cowles, Steve
2002-Jul-24 04:21 UTC
Re[3]: [Shorewall-users] giving up on "/var/lib/shorewall/loc k"
> -----Original Message-----
> From: Tom Eastep
> Sent: Tuesday, July 23, 2002 10:49 PM
> To: Cowles, Steve
> Cc: shorewall-users@shorewall.net
> Subject: RE: Re[3]: [Shorewall-users] giving up on "/var/lib/shorewall/lock"
>
> In the meantime, I've added a MUTEX_TIMEOUT variable to
> shorewall.conf. The default value is 60 (seconds).

Thanks Tom. I think adding this variable covers all bases.

Steve
Nerijus Baliunas
2002-Jul-24 12:17 UTC
Re[5]: [Shorewall-users] giving up on "/var/lib/shorewall/lock"
On Tue, 23 Jul 2002 20:48:50 -0700 (PDT) Tom Eastep <teastep@shorewall.net> wrote:

> In the meantime, I've added a MUTEX_TIMEOUT variable to shorewall.conf.
> The default value is 60 (seconds).

Does it mean shorewall will wait 60 seconds for the lock file to disappear, then, if it is still there, restart shorewall anyway?

BTW, another idea - shorewall could check the timestamp of the lock file, and, say, if it's older than a few minutes, restart anyway?

Regards,
Nerijus
Tom Eastep
2002-Jul-24 13:25 UTC
Re[5]: [Shorewall-users] giving up on "/var/lib/shorewall/lock"
On Wed, 24 Jul 2002, Nerijus Baliunas wrote:

> Does it mean shorewall will wait 60 seconds for the lock file to disappear,
> then, if it is still there, restart shorewall anyway?
>

The mutex code is generic -- after 60 seconds, it will issue a message and return to the caller.

> BTW, another idea - shorewall could check the timestamp of the lock file,
> and, say, if it's older than a few minutes, restart anyway?
>

Not so easy in a portable shell script, methinks...

-Tom
Nerijus Baliunas
2002-Jul-24 13:39 UTC
Re[6]: [Shorewall-users] giving up on "/var/lib/shorewall/lock"
On Wed, 24 Jul 2002 06:25:26 -0700 (PDT) Tom Eastep <teastep@shorewall.net> wrote:

> > Does it mean shorewall will wait 60 seconds for the lock file to disappear,
> > then, if it is still there, restart shorewall anyway?
>
> The mutex code is generic -- after 60 seconds, it will issue a message and
> return to the caller.

So nothing changes, except the timeout (mutex) is configurable? The operator still has to be near?

> > BTW, another idea - shorewall could check the timestamp of the lock file,
> > and, say, if it's older than a few minutes, restart anyway?
>
> Not so easy in a portable shell script, methinks...

Hmm, as you support only Linux, I don't think it is so difficult. And it seems to be the only way then, if mutex is not what I thought.

Regards,
Nerijus
Tom Eastep
2002-Jul-24 13:57 UTC
Re[6]: [Shorewall-users] giving up on "/var/lib/shorewall/lock"
On Wed, 24 Jul 2002, Nerijus Baliunas wrote:

> On Wed, 24 Jul 2002 06:25:26 -0700 (PDT) Tom Eastep <teastep@shorewall.net> wrote:
>
> > > Does it mean shorewall will wait 60 seconds for the lock file to disappear,
> > > then, if it is still there, restart shorewall anyway?
> >
> > The mutex code is generic -- after 60 seconds, it will issue a message and
> > return to the caller.
>
> So nothing changes, except the timeout (mutex) is configurable? The operator still
> has to be near?

Today, the mutex code issues a message and DIES!!!!

> > > BTW, another idea - shorewall could check the timestamp of the lock file,
> > > and, say, if it's older than a few minutes, restart anyway?
> >
> > Not so easy in a portable shell script, methinks...
>
> Hmm, as you support only Linux, I don't think it is so difficult.
> And it seems to be the only way then, if mutex is not what I thought.
>

Patch welcome....

-Tom
Tom Eastep
2002-Jul-24 13:58 UTC
Re[6]: [Shorewall-users] giving up on "/var/lib/shorewall/lock"
On Wed, 24 Jul 2002, Nerijus Baliunas wrote:

> Hmm, as you support only Linux, I don't think it is so difficult.
> And it seems to be the only way then, if mutex is not what I thought.
>

The code must only use those utilities available on Bering. That's quite limiting...

-Tom
Nerijus Baliunas
2002-Jul-24 14:19 UTC
Re[7]: [Shorewall-users] giving up on "/var/lib/shorewall/lock"
On Wed, 24 Jul 2002 06:58:50 -0700 (PDT) Tom Eastep <teastep@shorewall.net> wrote:

> > Hmm, as you support only Linux, I don't think it is so difficult.
> > And it seems to be the only way then, if mutex is not what I thought.
>
> The code must only use those utilities available on Bering. That's quite
> limiting...

As I understand, Bering is a floppy distro? If so, it can be rebooted, as the lock file is on a ramdisk. Which is not the case now with a normal distro - even after a reboot shorewall does not start... ;-(

Regards,
Nerijus
Tom Eastep
2002-Jul-24 14:32 UTC
Re[7]: [Shorewall-users] giving up on "/var/lib/shorewall/lock"
On Wed, 24 Jul 2002, Nerijus Baliunas wrote:

> On Wed, 24 Jul 2002 06:58:50 -0700 (PDT) Tom Eastep <teastep@shorewall.net> wrote:
>
> > > Hmm, as you support only Linux, I don't think it is so difficult.
> > > And it seems to be the only way then, if mutex is not what I thought.
> >
> > The code must only use those utilities available on Bering. That's quite
> > limiting...
>
> As I understand, Bering is a floppy distro? If so, it can be rebooted, as
> the lock file is on a ramdisk. Which is not the case now with a normal distro -
> even after a reboot shorewall does not start... ;-(
>

The change that I'm proposing will wait for MUTEX_TIMEOUT for the lock file to go away, then WHATEVER COMMAND YOU ARE RUNNING WILL GO AHEAD AND FINISH!!!! So if it's "shorewall start", the firewall will start; if it's "shorewall restart", the firewall will restart.

If you want the code today, it's in CVS (Project Shorewall, file "functions" -- install it in /var/lib/shorewall).

-Tom
Nerijus Baliunas
2002-Jul-24 14:42 UTC
Re[8]: [Shorewall-users] giving up on "/var/lib/shorewall/lock"
On Wed, 24 Jul 2002 07:32:48 -0700 (PDT) Tom Eastep <teastep@shorewall.net> wrote:

> The change that I'm proposing will wait for MUTEX_TIMEOUT for the lock
> file to go away, then WHATEVER COMMAND YOU ARE RUNNING WILL GO AHEAD AND
> FINISH!!!!

I misunderstood you then, sorry. Thanks.

Regards,
Nerijus
Tom Eastep
2002-Jul-24 14:48 UTC
Re[8]: [Shorewall-users] giving up on "/var/lib/shorewall/lock"
On Wed, 24 Jul 2002, Nerijus Baliunas wrote:

> On Wed, 24 Jul 2002 07:32:48 -0700 (PDT) Tom Eastep <teastep@shorewall.net> wrote:
>
> > The change that I'm proposing will wait for MUTEX_TIMEOUT for the lock
> > file to go away, then WHATEVER COMMAND YOU ARE RUNNING WILL GO AHEAD AND
> > FINISH!!!!
>
> I misunderstood you then, sorry. Thanks.
>

No problem -- here's an example of it working:

    [root@gateway root]# touch /var/state/shorewall/lock
    [root@gateway root]# !sho
    shorewall refresh
    Processing /etc/shorewall/shorewall.conf ...
    Processing /etc/shorewall/params ...
    Giving up on lock file /var/state/shorewall/lock
    Refreshing Shorewall...
    Determining Zones and Interfaces...
    Adding Common Rules
    Shorewall Refreshed
    [root@gateway root]# ls /var/state/shorewall/
    nat  proxyarp
    [root@gateway root]#

Note that after the refresh, the lock file has been removed; it was removed by the normal logic that gives up mutex after a command.

-Tom
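The MUTEX_TIMEOUT behaviour the thread settles on (wait for the lock, give up with a message after the timeout, run the command anyway, then release the lock), written out as an added illustration; this is not Shorewall's own "functions" file. The lock path, the noclobber-based atomic create and the run_locked helper are assumptions made for the example.

```shell
#!/bin/sh
# Added illustration of the Shorewall-style mutex; not the project's code.
# Assumed lock path (Shorewall itself uses /var/lib/shorewall/lock).
LOCKFILE="${LOCKFILE:-/tmp/shorewall-example.lock}"
# Seconds to wait for a lock held by another command; 60 is the thread's default.
MUTEX_TIMEOUT="${MUTEX_TIMEOUT:-60}"

# mutex_on: wait up to MUTEX_TIMEOUT seconds for an existing lock to go away.
# Returns 0 when the lock was acquired, 1 when it gave up. Either way the
# caller proceeds, which is exactly the post-1.3.5 semantics described above:
# the message tells the operator a stale or contended lock was overridden.
mutex_on() {
    waited=0
    while [ -f "$LOCKFILE" ]; do
        if [ "$waited" -ge "$MUTEX_TIMEOUT" ]; then
            echo "Giving up on lock file $LOCKFILE" >&2
            return 1
        fi
        sleep 1
        waited=$((waited + 1))
    done
    # noclobber (set -C) makes the create fail if the file appeared between
    # the check above and here, closing the check-then-create race between
    # two concurrent commands (e.g. a cron "refresh" and an operator "restart").
    ( set -C; : > "$LOCKFILE" ) 2>/dev/null || return 1
    return 0
}

# mutex_off: release the lock. Called unconditionally after the command, so a
# stale lock that was given up on is removed too (as in the session above).
mutex_off() {
    rm -f "$LOCKFILE"
}

# run_locked CMD...: acquire (or give up on) the mutex, run CMD, release.
run_locked() {
    mutex_on || true
    "$@" && rc=0 || rc=$?
    mutex_off
    return "$rc"
}
```

Running a command with `run_locked shorewall refresh` (assumed usage) reproduces the sequence shown in the session: a leftover lock produces the "Giving up" message, the command still completes, and the lock file is gone afterwards.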