Re: GigaRouter (Was Re: Cisco as Big Brother))

[Alexis Rosen <alexis () panix com>]

Paul A Vixie writes:
> [...]
> naturally you need to edit the hell out of /etc/rc to make it build a big
> ramdisk, populate it from the Flash's binary tarball, and chroot to it
> before starting gated.  the chroot'd /etc/gated.conf should be a symlink to
> a small config file system on a second ATA Flash.  "/", even though a RAM
> disk, is mounted read-only.  system upgrades are done by powering off the
> unit, replacing "drive 0" with an updated 20MB Flash card, and powering it
> back up.
>
> caveats: 20MB isn't very large for a BSD system, even with shlibs -- you

It's not at all clear that you need to chroot at all. And it's true that
20MB isn't much, but how much (outside of /) do you really need? Give
yourself a few MB of buffer cache and the speed of flash won't matter much
anyway. You can be damn sure you're not going to be swapping, and that's
as it should be, given what this device is doing. (If it's not a router
it's probably a nameserver, and neither wants to swap.)

Now, since it's a real unix, it would be nice if you could use all your
favorite utilities while doing administration. But that's not hard- temporary
NFS mounts aren't all that nasty, and if you don't want to jam up your
backbone with NFS, copy stuff via ftp into a tempfs.

> have to be highly selective about what you take; also, for /var/log it is
> probably a good idea to include a rotating magnetic media, unless you're
> going to use syslog's "remote log server" mode, which since it's UDP is not
> reliable enough for some forms of auditing that i've needed to design for.

Hm. Interesting. I wonder how hard it would be to make syslog use TCP? Not
very, I think. The only remaining fly in the ointment would be short-term
situations where you can't move bytes of the net fast enough. Switching
log devices to an MFS/tempfs file temporarily might solve that too.

/a
- - - - - - - - - - - - - - - - -