Johan Hedberg Random notes of geeky stuff

OpenStack External Networking

Posted on February 8, 2016

Long time no see here. Guess I'm just not the person to blog very often, lol.

Anyhow, I've been playing around a bit with OpenStack lately. But of all the different guides I've read and courses I've attended there's been zero talk about how to get the network working. I don't consider the networking to be working just because the virtual instance gets an IP by DHCP. I consider the network setup to be working when I can fire up a new machine, assign a floating IP to it, SSH into it and fire "apt-get -y dist-upgrade" without errors.

The few guides I've found for this (even RDO's own guide) have been faulty. The RDO one was pretty close though and helped me figure some stuff out.

Filed under: Hosting

HHVM and Apache

Posted on March 23, 2015

A few months ago I moved all my sites out of a shared hosting environment (which I used due to laziness) and onto a VM in order to have some more freedom. I've stuck with Apache instead of switching to Nginx as I work with a huge Apache environment and it's only good to use that same skill-set privately too. (Although I do run nginx on some other boxes for other stuff too of course.)

Filed under: Hosting

Back to web development

Posted on March 22, 2015

It's been quite some time since I did any web development at all. I was looking through my database of domain names (yes I have so many that I need a database to keep track of them), thinking of how many of them were still unused and a huge waste of money. First I made a list of the domains I know I'll never do anything useful with, and sent a delete command to the registry for each of those. Felt good in a way, I don't have to think about them anymore, but still a bit sad as I've wasted money on them.

Some fun with SNMP

Posted on March 8, 2015

I've had some fun with SNMP as I'm working on setting up some monitoring for a Raspberry Pi. I've written a script for getting the data, but I couldn't find any existing SNMP OID to use for my data points. So I thought, maybe it's time to start using that PEN-number that I've gotten registered to me. Googling around on guides for creating MIBs didn't turn up anything easy, so it took a lot of trial and error. But at least there's the smilint tool which one can use to validate a MIB and see hints on what to fix, example:

Filed under: Coding

Forgotten passwords in Solaris

Posted on June 13, 2013

Hopefully you haven't been just as stupid as me and forgotten your passwords. At least not to any important stuff like for example your storage servers. I had been smart and used long and cryptic passwords which weren't written up anywhere and weren't used anywhere else. Not that smart when I forgot the passwords. Anyhow, of course there is a way to solve this. You will need a Solaris live/installer CD which you can get from Oracle here.

Kernel coding debut (OpenBSD 5.3 AMD64)

Posted on May 29, 2013

I've written my first few lines of kernel code which aims to customize the IPv6 stack for a set of firewalls. I know the OpenBSD community thinks that you'll just about never need to modify the kernel and that GENERIC will do fine. Yes it does just fine, except that relayd doesn't work correctly with IPv6. When relayd on a firewall with BACKUP state on its CARP interface is about to check the health of backend hosts it chooses the wrong IPv6 source address. After loads of googling, questions on IRC and so on I've found out that it's not possible to configure the IPv6 source address selection (SAR) in OpenBSD.

My issue was that with the CARP interface in BACKUP state, the kernel thought that the link-local (fe80::) address of the CARP interface would be a fine choice of source address for checking backend hosts on a totally different subnet. That and some other small fixes (like turning off DAD, disabling link-local completely since it isn't used and a fix for never ever using the addresses of a CARP interface in BACKUP state as source for outgoing packets) are in the patch below.

I will not write how to apply the patch or how to compile an OpenBSD kernel since I mostly publish this for my own (future) use, and you should never fiddle with kernel code unless you know what you're doing and how it will affect you and your computer. And although I've tested this with very high load (undergoing DoS attacks) on very busy firewalls I can't guarantee that it is purely perfect. I have to admit that this is the first time I've ever touched kernel code.

diff -r sys/netinet6/in6.c sys_jh/netinet6/in6.c
100a101,104
> #if NCARP > 0
> #include <netinet/ip_carp.h> /* Fix for BACKUP carp */
> #endif
> 
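Review bot: The `#if NCARP > 0` guard at the top of this hunk depends on NCARP already being defined at this point in in6.c; the visible lines do not add an include for the header that defines it, and an undefined macro evaluates to 0 in `#if`, which would silently compile out this include and every later CARP block in the patch. Confirm the defining header is included earlier in the file, or add it here. The comment "Fix for BACKUP carp" would also be more useful if it named what the header is needed for (carp_iamatch6).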
2147a2152,2154
> #if NCARP > 0
>       struct sockaddr_dl *proxydl = NULL; 
> #endif
2162a2170,2175
>               /* Never use address of carp interface in BACKUP state */
> #if NCARP > 0
>               if (ifp->if_type == IFT_CARP && !carp_iamatch6(ifp, NULL, &proxydl))
>                       continue;
> #endif
> 
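Review bot: The carp_iamatch6() call in this check passes NULL as its second argument, while the matching check added to nd6_nbr.c passes lladdr; state in the comment why no address is needed here, and confirm the function never dereferences that argument in any CARP mode the firewalls run. proxydl, declared in the previous hunk, is only handed in as an out-parameter and never read, which deserves a one-line comment as well. The explanatory comment also sits outside the #if block, so it stays in builds without CARP where the code it describes is gone.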
2175a2189,2192
>                       /* Disqualify link-local IPv6 from source address selection */
>                       if(strncmp(ip6_sprintf(IFA_IN6(ifa)), "fe80", 4) == 0)
>                               continue;
> 
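Review bot: The link-local test on the strncmp line formats every candidate address to text with ip6_sprintf() and compares the first four characters, which is a string operation per address inside source address selection and only matches addresses that print as fe80, not the whole fe80::/10 link-local range. IN6_IS_ADDR_LINKLOCAL(IFA_IN6(ifa)) tests the address bits directly and covers the full prefix. The check is also unconditional (no NCARP or interface-type guard), so it removes link-local sources for every interface; say so in the comment if that is intended, and write `if (` with a space to match the other added checks.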
2437a2455,2459
> #if NCARP > 0
>       case IFT_CARP:
>               /* DAD doesn't work on CARP, disabling here. */
>               return (0);
> #endif
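Review bot: The new `case IFT_CARP:` returns 0 for every CARP interface regardless of state, so per the comment DAD is disabled on a MASTER interface as well as a BACKUP one. The comment only says DAD "doesn't work on CARP"; record what fails, and whether it fails in both states, so a later reader can tell whether a narrower condition would do.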
diff -r sys/netinet6/nd6_nbr.c sys_jh/netinet6/nd6_nbr.c
563a564,567
> #if NCARP > 0
>       /* Don't use carp interfaces in BACKUP state */
>       struct sockaddr_dl *proxydl = NULL; 
> #endif
619a624,628
> #if NCARP > 0
>       /* Don't use carp interfaces in BACKUP state */
>       if (ifp->if_type == IFT_CARP && ifa && !carp_iamatch6(ifp, lladdr, &proxydl))
>               ifa = NULL;
> #endif
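Review bot: In the added check, proxydl is filled in by carp_iamatch6() but never used afterwards in the visible lines, and the comment "Don't use carp interfaces in BACKUP state" is duplicated on the declaration in the previous hunk, where it describes nothing. Keep the comment on the check only, and note next to the declaration that the variable exists solely to satisfy the call. It is also worth stating what the following code does once ifa has been set to NULL, since the rest of the function is outside the patch.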
Filed under: Coding

Portscanner in Erlang

Posted on May 14, 2013

I've been playing around a bit with Erlang lately. I wanted to try a new language and at the same time something very different from the programming languages I already know. Below is the second application I've written in Erlang. And a helper shell script I wrote for easier launch of the application.

Filed under: Coding

Installing Steam on Linux Mint 13

Posted on January 3, 2013

Today I went through the hassle of installing Steam on Linux Mint 13 (Maya). It wasn't that straightforward, because the guides that exist are horribly wrong; the ones I tried to follow, for example, will make you end up with an API version mismatch between the Nvidia kernel module and the X11 driver. So I'm providing correct and up to date instructions here. You can start by downloading the steam package.

The steam package is installed the standard way with "dpkg -i steam_latest.deb". It will complain about a few i386 packages if you run a 64bit OS. Just do "apt-get -f install" which will remove the steam package again. Then you install all these missed dependencies by manually specifying them in an "apt-get install ..." command. Then install the steam package again.

However this isn't enough, Steam requires beta Nvidia drivers to run anything more than the login window. This is where it becomes fun. First of all you'll need an extra repo added:

sudo add-apt-repository ppa:xorg-edgers/ppa
sudo apt-get update

Then you'll need to find out which version of the kernel module is current. This is done with "aptitude show nvidia-current". The version line as of now reports 313.09; the Ubuntu crap added at the end of the version string isn't important. So go and download the X11 driver module that matches the current kernel module version. You do this via FTP here:

32bit OS: ftp://download.nvidia.com/XFree86/Linux-x86/

64bit OS: ftp://download.nvidia.com/XFree86/Linux-x86_64/

You'll see a bunch of folders named with only the version number they correspond to. Open up the one for the current version and download the .run-file. If there is a file named compat32-something, ignore it, you only care about the standard binary. For the sake of an example, this file was the correct one for me:

ftp://download.nvidia.com/XFree86/Linux-x86_64/313.09/NVIDIA-Linux-x86_64-313.09.run

Now for the installation part..

sudo apt-get install nvidia-current nvidia-settings

Now, hit Ctrl+Alt+F3 to get to a tty. Log in there and kill X11, preferably by stopping your window manager (like I did). If you have no clue which window manager you're running (and you for some reason still want to manually install beta drivers) you may go wild with kill -9 too, it'll probably work just as well. When done, run the binary you downloaded from the Nvidia FTP site and follow the on-screen instructions. After that reboot your machine and you'll have the beta drivers installed and running. If it doesn't work you've probably fucked something up and should read X11 and kernel logs and then ask Google what you did wrong.

Filed under: Gaming

Fixing blue-tinted colors in flash

Posted on December 23, 2012

There is a bug with the combined use of Flashplayer 11.2 and the proprietary Nvidia drivers on Linux which gives blue-tinted colors. A temporary solution is right-clicking on the video you're currently watching, selecting "Settings" and disabling hardware acceleration. This will of course introduce quite some lag if you don't have the CPU power to decode the video fast enough. But no more, the following is a permanent solution for this bug.

Create a file named /etc/adobe/mms.cfg and put this into it:


EnableLinuxHWVideoDecode=1
OverrideGPUValidation=true

Filed under: General geeky

SSL Certificate failure

Posted on December 16, 2012

I did a quite embarrassing failure lately, by letting the SSL certificate on this blog expire. I've finally gotten around to renewing that cert. So new and shiny cert, valid for another year.

Also I can recommend StartSSL for those who want an SSL certificate and don't have the money or want to protect something not really worth paying for a certificate for. They provide fully valid certificates, signed by a CA trusted by the standard browsers. Though you can only get the certificates for one year, but that I can live with. If you have a hard time remembering to renew your certificates (as I do) you can use check_http in Nagios/Icinga/op5. It has an option to check if a site's certificate is valid and you can get it to alert you X days before expiration.
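The "alert X days before expiration" logic, written out as an added example (not code from this blog or from the Nagios plugins). It is a standalone Python sketch that returns Nagios-style states; the function names and the 30/14-day thresholds are assumptions, and the sample date is constructed.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

OK, WARNING, CRITICAL = 0, 1, 2  # Nagios plugin exit codes

def days_left(not_after, now):
    """Whole days from `now` until a notAfter string as returned by getpeercert()."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).days  # negative once the certificate has expired

def evaluate(not_after, now, warn_days=30, crit_days=14):
    """Map remaining validity to a Nagios state; thresholds are assumed defaults."""
    remaining = days_left(not_after, now)
    if remaining < 0:
        return CRITICAL, f"CRITICAL - certificate expired on {not_after}"
    if remaining < crit_days:
        return CRITICAL, f"CRITICAL - certificate expires in {remaining} day(s)"
    if remaining < warn_days:
        return WARNING, f"WARNING - certificate expires in {remaining} day(s)"
    return OK, f"OK - certificate valid for {remaining} more day(s)"

def check_host(host, port=443, warn_days=30, crit_days=14):
    """Fetch the live certificate and evaluate it against the thresholds."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        # An already expired or untrusted certificate fails the handshake itself.
        return CRITICAL, f"CRITICAL - certificate rejected: {exc.verify_message}"
    except OSError as exc:
        return CRITICAL, f"CRITICAL - cannot connect: {exc}"
    return evaluate(not_after, datetime.now(timezone.utc), warn_days, crit_days)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        state, message = check_host(sys.argv[1])
        print(message)
        sys.exit(state)
    # Constructed sample: a certificate expiring 16 Dec 2013, checked on 20 Nov 2013.
    print(evaluate("Dec 16 12:00:00 2013 GMT",
                   datetime(2013, 11, 20, tzinfo=timezone.utc))[1])
```

Run with a hostname as the only argument, the script exits with the state code so a Nagios-compatible scheduler can call it directly.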

Filed under: General geeky