<p>Yet another neglected technology blog! (Tom, http://www.blogger.com/profile/03570804732941107175)</p>
<p>Getting Prometheus Metrics from TrueNAS (2024-01-01)</p>
<p>TrueNAS (specifically TrueNAS SCALE, but CORE should be the same) doesn't offer native support for monitoring by Prometheus. Suggestions on the Internets seem to point at using the built-in Graphite exporter to send metrics to graphite_exporter, which Prometheus can then scrape. This DOES work, with some caveats:</p><ol style="text-align: left;"><li>Many metrics seem to report 0, incorrectly.</li><li>It is a lot of work to parse the metric paths and turn them into tags (labels, in Prometheus terms).</li></ol><div>I spent several hours poking at point number 2, only to realize number 1. My solution: just run node_exporter directly on the TrueNAS host. It's a Go application, so it Just Works™, and it gets you probably everything you would otherwise get from the graphite_exporter. To do this, I created a startup script on the TrueNAS to run after boot. The script starts node_exporter inside tmux, done deal. Feel free to point out why this is a bad idea.</div><div><br /></div><div>If you really want to go the graphite_exporter path, here is the beginning of my config file to start parsing the data stream.
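Before the mapping file itself, an added example (mine, not code from the post or from graphite_exporter): a small Python re-implementation of the mapping semantics the file relies on, run over constructed sample Graphite lines, so the <code>$1</code>/<code>$2</code> label captures and the glob-before-regex ordering can be checked before the file is deployed. The rules are a subset of the post's; the metric values and timestamps are made up.

```python
"""Apply graphite_exporter-style mapping rules to Graphite plaintext lines."""
import re

# Subset of the post's mapping file: one glob rule and two regex rules. The
# disk_avgsz rules are left out because their [[:alnum:]] class is RE2 (Go)
# syntax that Python's re module does not accept.
MAPPINGS = [
    {"match": "dragonfish.truenas.disk_ops.*.*",
     "name": "dragonfish_truenas_disk_ops",
     "labels": {"device": "$1", "operation": "$2"}},
    {"match": r"dragonfish\.truenas\.cpu\.cpu(\d+)_cpuidle\.(.*)",
     "match_type": "regex",
     "name": "dragonfish_truenas_cpuidle",
     "labels": {"cpu": "$1", "idlestate": "$2"}},
    {"match": r"dragonfish\.truenas\.cpu\.cpu(\d+)\.(\w+)",
     "match_type": "regex",
     "name": "dragonfish_truenas_cpu_utilization",
     "labels": {"cpu": "$1", "type": "$2"}},
]

# Constructed sample of the Graphite plaintext protocol TrueNAS emits:
# "<metric.path> <value> <unix-timestamp>", one metric per line.
SAMPLE_LINES = """\
dragonfish.truenas.disk_ops.sda.reads 12 1704150000
dragonfish.truenas.cpu.cpu3_cpuidle.C1 87.5 1704150000
dragonfish.truenas.cpu.cpu3.user 4.2 1704150000
dragonfish.truenas.uptime.uptime 3600 1704150000
"""

REF = re.compile(r"\$\{?(\d+)\}?")  # $1 or ${1} capture references


def is_regex(rule):
    return rule.get("match_type") == "regex"


def glob_match(pattern, metric):
    """Glob rule: '*' matches exactly one dot-separated component.
    Returns the captured components, or None if the rule does not match."""
    pparts, mparts = pattern.split("."), metric.split(".")
    if len(pparts) != len(mparts):
        return None
    captures = []
    for p, m in zip(pparts, mparts):
        if p == "*":
            captures.append(m)
        elif p != m:
            return None
    return captures


def regex_match(pattern, metric):
    """Regex rule: the whole metric path must match; groups are the captures."""
    m = re.fullmatch(pattern, metric)
    return list(m.groups()) if m else None


def substitute(template, captures):
    """Expand $1/$2 (or ${1}) references in a name or label template."""
    return REF.sub(lambda m: captures[int(m.group(1)) - 1], template)


def map_metric(metric, mappings=MAPPINGS):
    """Return (prometheus_name, labels) for one Graphite metric path. Glob
    rules are tried first, in file order, and regex rules only afterwards,
    which is what the post's 'regex matches are performed after regular
    matches' comment refers to."""
    ordered = [r for r in mappings if not is_regex(r)] + [r for r in mappings if is_regex(r)]
    for rule in ordered:
        matcher = regex_match if is_regex(rule) else glob_match
        caps = matcher(rule["match"], metric)
        if caps is not None:
            labels = {k: substitute(v, caps) for k, v in rule.get("labels", {}).items()}
            return substitute(rule["name"], caps), labels
    # No rule matched: graphite_exporter's default (non-strict) behaviour keeps
    # the metric, with every non-alphanumeric character replaced by '_'.
    return re.sub(r"[^A-Za-z0-9_]", "_", metric), {}


def lint(mappings):
    """Flag templates that reference a capture the rule cannot provide; such a
    rule yields wrong or empty labels, so catch it before deploying the file."""
    problems = []
    for rule in mappings:
        ncap = re.compile(rule["match"]).groups if is_regex(rule) else rule["match"].count("*")
        templates = [rule["name"], *rule.get("labels", {}).values()]
        refs = {int(n) for t in templates for n in REF.findall(t)}
        bad = sorted(n for n in refs if n < 1 or n > ncap)
        if bad:
            problems.append(f"{rule['match']}: references {bad} but captures {ncap}")
    return problems


def render(text, mappings=MAPPINGS):
    """Translate Graphite plaintext lines into Prometheus exposition lines."""
    out = []
    for line in text.splitlines():
        path, value, _timestamp = line.split()
        name, labels = map_metric(path, mappings)
        body = ",".join(f'{k}="{v}"' for k, v in labels.items())
        out.append(f"{name}{{{body}}} {value}" if body else f"{name} {value}")
    return out
```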
If anyone has a better one, let me know and I'll happily link to it.</div><div><br /></div><div><pre>
---
mappings:
  - match: 'dragonfish.truenas.disk_ops.*.*'
    name: 'dragonfish_truenas_disk_ops'
    labels:
      device: $1
      operation: $2
  - match: 'dragonfish.truenas.cputemp.temperatures.*'
    name: 'dragonfish_truenas_cputemp'
    labels:
      cpu: $1
  - match: 'dragonfish.truenas.cpu.cpufreq.*'
    name: 'dragonfish_truenas_cpufreq'
    labels:
      cpu: $1
  - match: 'dragonfish.truenas.cpu.core_throttling.*'
    name: 'dragonfish_truenas_cpu_core_throttling'
    labels:
      cpu: $1
  - match: 'dragonfish.truenas.zfspool_state.*.*'
    name: 'dragonfish_truenas_zpool_state'
    labels:
      pool: $1
      state: $2

  # regex matches are performed after regular matches
  - match: 'dragonfish\.truenas\.cpu\.cpu(\d+)_cpuidle\.(.*)'
    match_type: regex
    name: 'dragonfish_truenas_cpuidle'
    labels:
      cpu: $1
      idlestate: $2
  - match: 'dragonfish\.truenas\.cpu\.cpu(\d+)\.(\w+)'
    match_type: regex
    name: 'dragonfish_truenas_cpu_utilization'
    labels:
      cpu: $1
      type: $2
  - match: 'dragonfish\.truenas\.disk_avgsz\.([[:alnum:]]+)\.writes'
    #help: 'Average I/O write operation size.'
    match_type: regex
    name: 'dragonfish_truenas_disk_avgsz_writes'
    labels:
      device: $1
  - match: 'dragonfish\.truenas\.disk_avgsz\.([[:alnum:]]+)\.reads'
    #help: 'Average I/O read operation size.'
    match_type: regex
    name: 'dragonfish_truenas_disk_avgsz_reads'
    labels:
      device: $1
</pre></div>
<p>Finding the hardware revision of a Raspberry Pi on EL platforms (2021-09-12)</p>
Enterprise Linux platforms on Raspberry Pi (CentOS, Oracle, etc.) do not have the /proc/cpuinfo lines that the official docs reference for determining which hardware version you have. Instead, read the following files to get the model and serial number.<div><br /></div><div><span style="font-family: courier;"># cat /proc/device-tree/serial-number</span></div><div><span style="font-family: courier;">000000003fe78687</span></div><div><span style="font-family: courier;"># cat /proc/device-tree/model</span></div><div><span style="font-family: courier;">Raspberry Pi 3 Model B+</span></div>
<p>Multiple passwords with geli (on root) (2019-07-31)</p>
As described in the man page, geli supports two slots for passphrases and/or keyfiles that can be used to decrypt the disk. By default, both of these slots are identical, using the passphrase provided at init. However, they can be set separately.
We are using this feature to keep a "backup" passphrase on the encrypted zroot of a host. In theory, this allows us to walk remote hands through unlocking the disk, if we're not on-site, without disclosing the master passphrase. The backup passphrase could then be reset, restoring security.<br />
<br />
In the case of geli-on-root configurations, the vintage of the installation determines the correct way to (re)set a passphrase. FreeBSD sysinstall on versions prior to 12.0 created an unencrypted boot partition and used a keyfile in addition to a passphrase. Versions 12.0 and later just use a passphrase.
<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">root@host: cat /boot/loader.conf<br />geli_ada1p4_keyfile0_load="YES"<br />geli_ada1p4_keyfile0_type="ada1p4:geli_keyfile0"<br />geli_ada1p4_keyfile0_name="/boot/encryption.key"<br />geli_ada2p4_keyfile0_load="YES"<br />geli_ada2p4_keyfile0_type="ada2p4:geli_keyfile0"<br />geli_ada2p4_keyfile0_name="/boot/encryption.key"</span><br />
<br />
The newer style does not typically have the above parameters. Before changing a passphrase, verify that the disks you are going to operate on are the correct disks. For example, in the case of a zfs-on-root setup:<br />
<pre>root@host: zpool status zroot
  pool: zroot
 state: ONLINE
  scan: resilvered 31.5G in 0 days 00:13:54 with 0 errors on Wed Jul 10 09:57:10 2019
config:

        NAME            STATE     READ WRITE CKSUM
        zroot           ONLINE       0     0     0
          mirror-0      ONLINE       0     0     0
            ada2p4.eli  ONLINE       0     0     0
            ada1p4.eli  ONLINE       0     0     0

errors: No known data errors</pre><br />
<br />
Once you have determined which style the host is configured with, you can reset the passphrase. The only difference between the two is that for the older style you need to provide the keyfile argument (<span style="font-family: "courier new" , "courier" , monospace;">-K</span>):<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">root@host: geli setkey -n 1 -K /boot/encryption.key ada1p4<br />Enter new passphrase: <br />Reenter new passphrase: <br />Note, that the master key encrypted with old keys and/or passphrase may still exists in a metadata backup file.</span><br />
<br />
If you are using a mirrored root, don't forget to update the passphrase on the second disk.<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">root@host: geli setkey -n 1 -K /boot/encryption.key ada2p4<br />Enter new passphrase: <br />Reenter new passphrase: <br />Note, that the master key encrypted with old keys and/or passphrase may still exists in a metadata backup file.</span><br />
<br />
Newer style setups can simply omit the keyfile argument.<br />
<br />
<pre>root@host: geli setkey -n 1 ada1p4
Enter new passphrase: 
Reenter new passphrase: 
Note, that the master key encrypted with old keys and/or passphrase may still exists in a metadata backup file.</pre>
<br />
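As an added example (not part of the post), a small POSIX sh helper that applies the rule above: it reads the providers out of saved <span style="font-family: Courier New, Courier, monospace;">zpool status</span> output and prints the matching <span style="font-family: Courier New, Courier, monospace;">geli setkey</span> command for each one, adding <span style="font-family: Courier New, Courier, monospace;">-K</span> only where loader.conf names a keyfile. The function names and the idea of working from saved files are my own.

```shell
#!/bin/sh
# Added example (not from the post): derive the right `geli setkey` invocation
# for each provider behind a zfs-on-root pool. Old-style hosts name a keyfile in
# loader.conf and need -K; newer ones do not. Both inputs are files so the
# functions can be exercised on captured copies before touching a live host.

# Print the keyfile configured for PROVIDER in LOADER_CONF (old style), or
# nothing when the host uses the newer style with no geli_* entries.
geli_keyfile_for() {  # usage: geli_keyfile_for PROVIDER LOADER_CONF
    sed -n "s/^geli_${1}_keyfile0_name=\"\(.*\)\"/\1/p" "$2" | tail -n 1
}

# Print the providers of a pool (ada2p4.eli -> ada2p4) from `zpool status`
# output saved in STATUS_FILE, so that every mirror member gets updated.
eli_providers() {  # usage: eli_providers STATUS_FILE
    awk '$1 ~ /\.eli$/ { sub(/\.eli$/, "", $1); print $1 }' "$1"
}

# Print one `geli setkey` command per provider (-n 1 is the key slot used in
# the post), adding -K only when loader.conf names a keyfile for it. Returns 1
# if the status output lists no .eli providers, i.e. this is not a geli pool.
plan_setkey() {  # usage: plan_setkey STATUS_FILE LOADER_CONF
    found=0
    for prov in $(eli_providers "$1"); do
        found=1
        keyfile=$(geli_keyfile_for "$prov" "$2")
        if [ -n "$keyfile" ]; then
            printf 'geli setkey -n 1 -K %s %s\n' "$keyfile" "$prov"
        else
            printf 'geli setkey -n 1 %s\n' "$prov"
        fi
    done
    [ "$found" -eq 1 ]
}
```

Save the live output first (for example `zpool status zroot > /tmp/zroot.status`) and read the printed commands against the disks you expect before running any of them.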
If using two different passphrases, you can verify this by rebooting the host and trying each one. Disclaimer: I tested this using a throw-away virtual machine. I recommend testing this before trying it on your real data! Don't trust your data to something that you just copy-paste from the Internet!<br />
<br />
<b>Kodi Youtube plugin resolution</b> (2019-04-19)<br />
<br />
I recently started playing around with Kodi on a Raspberry Pi (Model 3+). I'm really interested in the Youtube plugin, because I have been binging on EDM shows lately. However, I was disappointed to discover that the plugin was only playing low quality streams (360p).<br />
<br />
After some searching around, I learned that I need to get the MPEG-DASH functionality turned on. This can be found in the Youtube plugin settings, but it is grayed out by default. After some more wild flailing about, I finally got it working, something like this.<br />
<br />
<ol>
<li>The "kodi-inputstream-adaptive" package needs to be installed from the Raspbian repos. It doesn't get pulled in as a dep of Kodi.</li>
<li>The inputstream plugin now needs to be enabled. Start Kodi and go to the settings menu. Select Add-ons, My add-ons, and VideoPlayer InputStream. Here you will find the InputStream Adaptive plugin. Click on it, and select "Enable".</li>
<li>You should now be able to go back to Youtube and enable MPEG-DASH. I also installed the Inputstream Helper plugin from that menu, but I'm not sure what effect it has. </li>
</ol>
<br />
<b>Untitled post</b> (2019-03-15)<br />
<br />
I seem to have stumbled on an issue with the ipsec implementation on OpenBSD. While trying to configure manually-keyed transport SAs between hosts on the same subnet, I discovered that NDP appears to fail. Specifically, one endpoint briefly learns the L2 address of the other endpoint, while the other host's ndp cache never learns the address. This results in icmp6 traffic being encrypted in one direction (ironically, the traffic transmitted by the host that never appears to learn the address of the other) and not in the other. A tcpdump shows the following pattern:<br />
<br />
<pre>20:48:22.518275 08:00:27:42:35:6a 33:33:ff:00:00:02 ip6 86: fc0a:4600::3 > ff02::1:ff00:2: icmp6: neighbor sol: who has fc0a:4600::2(src lladdr: 08:00:27:42:35:6a) [icmp6 cksum ok] (len 32, hlim 255)
20:48:22.519842 08:00:27:31:0f:52 08:00:27:42:35:6a ip6 142: esp spi 0xa753d86c seq 801 len 88 (len 88, hlim 255)
20:48:22.521577 08:00:27:31:0f:52 08:00:27:42:35:6a ip6 142: esp spi 0xa753d86c seq 802 len 88 (len 88, hlim 255)
20:48:23.521836 08:00:27:31:0f:52 08:00:27:42:35:6a ip6 142: esp spi 0xa753d86c seq 803 len 88 (len 88, hlim 255)</pre>
<br />
Some searching turns up a <a href="http://openbsd-archive.7691.n7.nabble.com/IPv6-NDP-IPsec-breakage-in-current-td306027.html" target="_blank">conversation on the OpenBSD mailing lists</a> that appears to describe the same behavior. However, it appears that there was never a consensus on the solution, and thus one was never implemented.<br />
<br />
I did find a hacky workaround that gets IPSec working between the two hosts. By setting static ndp entries for the remote host, there is no need for neighbor discovery to run, and the transport works.<br />
<br />
<pre>root@net70-3[][20:51:37]:/etc ndp -s fc0a:4600::2 08:00:27:31:0f:52
root@net70-3[][20:51:58]:/etc ndp -an
Neighbor Linklayer Address Netif Expire S Flags
fc0a:4600::2 08:00:27:31:0f:52 vio1 permanent R
</pre>
<br />
For reference, the following is my SA configuration. The spi and key values are the same in both directions, as I was working towards trying to make OpenBSD protect OSPFv3 traffic (I am still unsuccessful).<br />
<br />
<pre>flow esp from fc0a:4600::3 to fc0a:4600::2
esp transport from fc0a:4600::3 to fc0a:4600::2 spi 0xa753d86c:0xa753d86c \
authkey $akey1:$akey1 \
enckey $ekey1:$ekey1</pre>
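As an added example (not from the post), a shell function that scans OpenBSD tcpdump text for the two symptoms described above: a neighbor solicitation that never receives an advertisement, and ESP that flows in only one direction between a pair of link-layer addresses. The function names are mine; the four problem lines are the ones from the capture above and the healthy exchange in the sample is constructed.

```shell
#!/bin/sh
# Added example (not from the post): report unanswered neighbor solicitations
# and one-way ESP from tcpdump output read on stdin (tcpdump -e -n style lines
# with the link-layer addresses printed, as in the capture above).
ndp_esp_report() {
    awk '
        # "icmp6: neighbor sol: who has <target>(src lladdr: ...)"
        /icmp6: neighbor sol: who has / {
            t = $0; sub(/.*who has /, "", t); sub(/[ (].*/, "", t)
            sol[t]++; next
        }
        # "icmp6: neighbor adv: tgt is <target>(...)" answers a solicitation
        /icmp6: neighbor adv: tgt is / {
            t = $0; sub(/.*tgt is /, "", t); sub(/[ (].*/, "", t)
            adv[t]++; next
        }
        # With link-layer headers printed, $2 and $3 are source and destination MAC
        / esp spi / { esp[$2 " " $3]++ }
        END {
            for (t in sol)
                if (!(t in adv)) printf "unanswered-ns %s %d\n", t, sol[t]
            for (p in esp) {
                split(p, m, " ")
                if (!((m[2] " " m[1]) in esp))
                    printf "one-way-esp %s -> %s %d\n", m[1], m[2], esp[p]
            }
        }' | sort
}

# The four lines from the capture above, plus a constructed healthy exchange
# (solicitation answered, ESP in both directions) that must not be reported.
sample_capture() {
    cat <<'EOF'
20:48:22.518275 08:00:27:42:35:6a 33:33:ff:00:00:02 ip6 86: fc0a:4600::3 > ff02::1:ff00:2: icmp6: neighbor sol: who has fc0a:4600::2(src lladdr: 08:00:27:42:35:6a) [icmp6 cksum ok] (len 32, hlim 255)
20:48:22.519842 08:00:27:31:0f:52 08:00:27:42:35:6a ip6 142: esp spi 0xa753d86c seq 801 len 88 (len 88, hlim 255)
20:48:22.521577 08:00:27:31:0f:52 08:00:27:42:35:6a ip6 142: esp spi 0xa753d86c seq 802 len 88 (len 88, hlim 255)
20:48:23.521836 08:00:27:31:0f:52 08:00:27:42:35:6a ip6 142: esp spi 0xa753d86c seq 803 len 88 (len 88, hlim 255)
20:48:30.000100 08:00:27:aa:aa:01 33:33:ff:00:00:09 ip6 86: fc0a:4600::8 > ff02::1:ff00:9: icmp6: neighbor sol: who has fc0a:4600::9(src lladdr: 08:00:27:aa:aa:01) [icmp6 cksum ok] (len 32, hlim 255)
20:48:30.000400 08:00:27:aa:aa:02 08:00:27:aa:aa:01 ip6 86: fc0a:4600::9 > fc0a:4600::8: icmp6: neighbor adv: tgt is fc0a:4600::9(RSO)(tgt lladdr: 08:00:27:aa:aa:02) [icmp6 cksum ok] (len 32, hlim 255)
20:48:30.001000 08:00:27:aa:aa:01 08:00:27:aa:aa:02 ip6 142: esp spi 0x0000beef seq 1 len 88 (len 88, hlim 255)
20:48:30.002000 08:00:27:aa:aa:02 08:00:27:aa:aa:01 ip6 142: esp spi 0x0000beef seq 1 len 88 (len 88, hlim 255)
EOF
}
```

Running `sample_capture | ndp_esp_report` flags only the broken pair from the post; on a live host, feed it `tcpdump -e -n -i vio1` output instead.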
<br />
<b>Proftpd builds broken on FreeBSD? Use gmake</b> (2018-11-01)<br />
<br />
I recently discovered an issue with our automated build of proftpd. I changed the target branch from the ancient 1.3.5 branch to 1.3.6. When I tried building this branch, I got a failure in the mod_sftp directory.<br />
<br />
<pre>In file included from mod_sftp.c:29:
./mod_sftp.h:29:10: fatal error: 'conf.h' file not found
#include "conf.h"</pre>
<br />
After a bunch of screwing around and ripping my hair out, I took the time to actually read the INSTALL file. It turns out that GNU Make is required. We had been using BSD Make, so there must have been a recent-ish change that causes BSD make to fail.<br />
<br />
<b>Pulling your hair out trying to fix your Mikrotik? Maybe your version of Netinstall is broken.</b> (2018-09-11)<br />
<br />
I spent an afternoon tearing my hair out. First, I managed to kinda-brick my Mikrotik during a firmware upgrade; the OS appeared to boot, but none of the network interfaces were visible, and it was generally dysfunctional.<br />
<br />
Reading up on the recovery process, I downloaded and installed the latest version of Netinstall, per the Mikrotik wiki. I spent the next four hours hating life, cursing technology, until I figured out the problem: the current version of Netinstall is broken!<br />
<br />
If your copy of Netinstall just sits there, and your device never appears in the list, try this.<br />
<br />
<ol>
<li>Download and extract Netinstall version 6.38.7 (I was running 6.43).</li>
<li>If you're using Windows 10 64-bit like me, open the properties for the executable. Change compatibility mode to Windows XP SP3, and run as Administrator (I'm not positive that either of these are required, but it's what I used).</li>
<li>Run Netinstall.</li>
<li>Device promptly appears.</li>
</ol>
<br />
Grrr. <br />
<br />
<br />
<b>sudo: ldap_start_tls_s(): Connect error</b> (2018-08-22)<br />
<br />
A quick hint for FreeBSD users of sudo that authorize via LDAP. If you're getting the following message when running sudo:<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">sudo: ldap_start_tls_s(): Connect error</span><br />
<div>
<br /></div>
<div>
associated with this error message in the logs:</div>
<div>
<br /></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">sudo: in openpam_check_error_code(): pam_sm_authenticate(): unexpected return value 27</span></div>
<div>
<br /></div>
<div>
Check that your ldap.conf TLS parameters are correct! In my case, Ansible pushed a bunch of pending config changes (and an OS update) to a neglected host, one of which included moving the CA certificate file, but failed to update the ldap.conf file. I chased my tail for a bit, thinking the issue was with nslcd.conf.</div>
<div>
<br /></div>
<div>
You may also notice a corresponding error in the log of the LDAP server. In the case of slapd:</div>
<div>
<br /></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">slapd[40731]: conn=4892528 fd=219 closed (TLS negotiation failure)</span></div>
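As an added example (not from the post), a POSIX sh check for the stale ldap.conf TLS settings behind this error: it reads the OpenLDAP keys (TLS_CACERT, TLS_CACERTDIR, TLS_REQCERT) and the sudo ldap.conf spellings (TLS_CACERTFILE, TLS_CHECKPEER), confirms the CA file or directory actually exists, and flags settings that "fix" the error by turning server verification off. Function names are mine; pass the ldap.conf path sudo actually reads on your host.

```shell
#!/bin/sh
# Added example (not from the post): sanity-check the TLS settings in an
# ldap.conf before sudo or nslcd trips over them. A CA certificate that was
# moved without updating ldap.conf, as in the post, shows up here directly.

# Print the last value of KEY in CONF; keys are matched case-insensitively.
ldap_conf_get() {  # usage: ldap_conf_get KEY CONF
    awk -v k="$1" 'toupper($1) == k { v = $2 } END { if (v != "") print v }' "$2"
}

# Usage: check_ldap_conf_tls /path/to/ldap.conf
# Prints one line per problem; exit status 0 when everything checks out.
check_ldap_conf_tls() {
    conf=$1; rc=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    cacert=$(ldap_conf_get TLS_CACERT "$conf")
    [ -n "$cacert" ] || cacert=$(ldap_conf_get TLS_CACERTFILE "$conf")
    cadir=$(ldap_conf_get TLS_CACERTDIR "$conf")
    reqcert=$(ldap_conf_get TLS_REQCERT "$conf" | tr 'A-Z' 'a-z')
    checkpeer=$(ldap_conf_get TLS_CHECKPEER "$conf" | tr 'A-Z' 'a-z')

    if [ -z "$cacert" ] && [ -z "$cadir" ]; then
        echo "no TLS_CACERT/TLS_CACERTFILE or TLS_CACERTDIR configured"; rc=1
    fi
    if [ -n "$cacert" ] && [ ! -r "$cacert" ]; then
        echo "CA certificate $cacert is missing or unreadable"; rc=1
    fi
    if [ -n "$cadir" ] && [ ! -d "$cadir" ]; then
        echo "TLS_CACERTDIR $cadir is not a directory"; rc=1
    fi
    # These values make the connection "work" by skipping server verification,
    # which is the wrong fix for a moved CA file.
    case $reqcert in
        never|allow) echo "TLS_REQCERT $reqcert disables server certificate checks"; rc=1 ;;
    esac
    case $checkpeer in
        no|off|false) echo "TLS_CHECKPEER $checkpeer disables server certificate checks"; rc=1 ;;
    esac
    return $rc
}
```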
<br />
<b>VMFS version confusion and FreeBSD UNMAP</b> (2017-09-18)<br />
<br />
I recently started moving VMWare guests to a new ESXi 6.5 host, when I experienced an unusual problem. Guests would get tied up in knots, endlessly sending the following error messages to the console.<br />
<br />
<pre>(da0:mpt0:0:0:0): UNMAP. CDB: 42 00 00 00 00 00 00 02 68 00
(da0:mpt0:0:0:0): CAM status: SCSI Status Error
(da0:mpt0:0:0:0): SCSI status: Busy
(da0:mpt0:0:0:0): Retrying command</pre>
<br />
After a bunch of Google hits (mostly <a href="https://communities.vmware.com/thread/553503" target="_blank">FreeNAS</a> <a href="https://www.reddit.com/r/homelab/comments/5m8ewe/freenas_910_esxi_65_lsi_92118i_error_during/" target="_blank">users</a>) that didn't totally add up for me, I have a theory on the actual cause of the issue. In short, I think that this issue is caused by the presence of the following conditions.<br />
<br />
<br />
<ol>
<li> VMWare vSphere 6.5 host, which supports both VMFS5 and VMFS6.</li>
<li>A FreeBSD guest, using...</li>
<li>A virtual disk that is thinly-provisioned, and stored on a VMFS5 filesystem.</li>
</ol>
<div>
<a href="http://vsphere-land.com/news/a-comparison-of-vmfs5-vmfs6-in-vsphere-6-5.html" target="_blank">VMFS6 supports the use of the UNMAP command</a>, which allows the guest operating system to inform the hypervisor that it is no longer using a block. When the virtual disk is thin-provisioned, the host can reallocate the block to the pool of available disk space. FreeBSD has included support for this SCSI command for <a href="https://lists.freebsd.org/pipermail/freebsd-scsi/2011-December/005149.html" target="_blank">some time</a>.</div>
<div>
<br /></div>
<div>
My theory is this. I think ESXi is lying to the guests. I think that when a thin guest is created on a VMFS5 filesystem, the UNMAP command is still exposed/permitted, even though the underlying filesystem doesn't actually support it. When the guest tries to send the UNMAP command, it gets a bogus response. In the case of FreeBSD, it retries the command perpetually, hanging up the system.</div>
<div>
<br /></div>
<div>
The search hits I found (linked above) mention switching the virtual disk to a SATA/IDE bus as a workaround. I suspect that this works because the UNMAP command does not exist on those buses, preventing the issue from occurring. I believe that the following solutions are less hacky. </div>
<div>
<br /></div>
<div>
<ol>
<li>When creating virtual disks for FreeBSD on VMFS5 filesystems, they should always be thick provisioned (I use eager zeroing, I haven't tested lazy). This seems to be the one-size-fits-all solution. It's also worth noting that the ESXi installer uses VMFS5 on the system disk, with no apparent way to use VMFS6.</li>
<li>If you must use thin-provisioning, make sure that it is on a VMFS6 filesystem. I have not tested this extensively, but it seems to work.</li>
<li>Thin-provisioned guests also seem to behave normally on NFS-backed storage.</li>
</ol>
</div>
<div>
In my testing, I have not had any issues on guests provisioned per #1.</div>
<br />
<b>Display the listening ports on CentOS 7</b> (2017-08-26)<br />
<br />
It's been a while since I was serious about Linux, but the fun new goodies have lured me back towards the fold. A lot of things have changed over the last few years, some for the better, some not, but that's way beyond the scope here.<br />
<br />
One thing that has been removed (at least from CentOS) is netstat. I'm going to call that a win, because invoking netstat always required a trip to the man page, aside from the trusty <span style="font-family: Courier New, Courier, monospace;">netstat -lnp</span>. The problem I have is that CentOS (and presumably RHEL) removed netstat, but decades worth of Google indexing has entrenched netstat as the blessed method of pulling a list of listening sockets.<br />
<br />
Installing net-tools seems like the wrong approach, there must be a better way...and there is! Buried in a <a href="https://dougvitale.wordpress.com/2011/12/21/deprecated-linux-networking-commands-and-their-replacements/" target="_blank">blog post</a>, I found a conversion reference for netstat functionality. From this, I learned that <a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Performance_Tuning_Guide/sect-Red_Hat_Enterprise_Linux-Performance_Tuning_Guide-Tool_Reference-ss.html" target="_blank"><span style="font-family: Courier New, Courier, monospace;">ss</span></a> is the replacement for the functionality I need. As an added bonus, it appears that the basic syntax is similar to my beloved <a href="https://www.freebsd.org/cgi/man.cgi?query=sockstat&sektion=1" target="_blank"><span style="font-family: Courier New, Courier, monospace;">sockstat</span></a>.<br />
<br />
For example, my oft-used "what's listening on the network":<br />
<br />
<blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace;">ss -l46</span></blockquote>
<br />
<b>Arcane Bourne shell behavior. The colon (:)</b> (2016-08-12)<br />
<br />
I finally learned the purpose of starting a command with the colon utility (:) in the Bourne shell. It expands any arguments, then exits 0. This is handy for hiding pointless error messages resulting from variable substitution. Consider the following example.<br />
<pre>$ ${D:=foo}
foo: not found
$ echo $D
foo</pre>
<div class="p1">
<span class="s1">The example above sets variable D to "foo" if it is unset or null. It works fine, but causes the annoying error '</span>foo: not found'. We can suppress that message with the colon.</div>
<div class="p1">
<br /></div>
<pre>$ unset D
$ : ${D:=foo}
$ echo $D
foo</pre>
<div class="p1">
<br /></div>
<div class="p1">
<span class="s1">Much prettier!</span></div>
<div class="p1">
<span class="s1"><br /></span></div>
<div class="p1">
<span class="s1">Also see:</span></div>
<div class="p1">
<span class="s1"><a href="http://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_06_02" target="_blank">Parameter Expansion</a> (and explanation of the colon utility at the bottom of the page)</span></div>
<div class="p1">
<br /></div>
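As an added example (not part of the post), the same idiom put to work in a script: <span style="font-family: Courier New, Courier, monospace;">: "${VAR:=default}"</span> fills in defaults for several settings at once, and its sibling <span style="font-family: Courier New, Courier, monospace;">${VAR:?message}</span> (from the same Parameter Expansion section) turns <span style="font-family: Courier New, Courier, monospace;">:</span> into a required-parameter check. The variable names and defaults are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the post): `:` with ${VAR:=default} to set defaults
# quietly, and with ${VAR:?msg} to insist that a parameter was supplied.

# Fill in defaults for any setting that is unset or empty. `:` discards the
# expanded value instead of trying to run it as a command, and the double
# quotes keep a default containing spaces or * from being split or globbed.
set_defaults() {
    : "${BACKUP_DIR:=/var/backups}"
    : "${RETENTION_DAYS:=14}"
    : "${EXCLUDE_GLOB:=*.tmp}"
}

# Return 0 if the named variable is set and non-empty, 1 otherwise.
# `${X:?msg}` prints msg and makes a non-interactive shell exit, so it runs in
# a subshell here; the caller only sees the exit status.
require_var() {  # usage: require_var NAME
    ( eval ": \"\${$1:?is required but unset}\"" ) 2>/dev/null
}

# Apply the defaults and report the effective settings as one line.
effective_settings() {
    set_defaults
    printf '%s %s %s\n' "$BACKUP_DIR" "$RETENTION_DAYS" "$EXCLUDE_GLOB"
}
```

Run as `RETENTION_DAYS=30 sh script.sh` to see only the overridden setting change, with no "not found" noise from the defaults.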
<br />
<b>LDAP password hashing in PHP, a better way</b> (2016-03-03)<br />
<br />
Reviewing some PHP code related to user password changes, I noticed that the code was using unsalted SHA-1 hashes to store the password in LDAP. This is potentially very bad if an attacker were able to gain access to the password hashes, because pre-computed rainbow tables for unsalted SHA-1 are pretty common. This has been the basis for a number of high-profile data breaches in recent memory, and I don't want to be on the news.<br />
<br />
Looking for a better solution on Google, I quickly discovered the source of the bad code, the OpenLDAP FAQ-o-matic. In <a href="http://www.openldap.org/faq/data/cache/347.html" target="_blank">this FAQ entry</a>, there are code examples for a variety of languages, many offering higher security. However, the PHP example included only a SHA-1 variant, and was copy-pasted nearly verbatim into my subject code (I wonder how many other web applications have done this very thing).<br />
<br />
OpenLDAP has support for a variety of different hashing algorithms, including an optional SHA-2 module, and passthrough to the OpenSSL crypto(3) library. The strongest hash scheme built into OpenLDAP is salted SHA-1 (SSHA), which allows sufficient strength for this application, when used with a decently-large salt. I wrote the following function to generate such hashes from PHP, provided here in hopes that people will quit using unsalted SHA in their web-apps.<br />
<br />
<pre>/*
 * This is a helper function, returning a Salted SHA-1 hash, suitable for LDAP.
 * OpenLDAP uses a slightly strange scheme for generating these hashes, but it's
 * far better than unsalted SHA. The only limit on salt length appears to be the
 * maximum length of the userPassword attribute in LDAP (128), allowing us to
 * safely use a 64-byte salt, resulting in a 118-byte SSHA. For the curious,
 * this works out to:
 *
 * 6B ({SSHA} tag) + 112B (20B SHA + 64B salt = 84B, B64 encoded together)
 */
function generate_ssha_hash($cleartext)
{
    /*
     * Generate a unique 64-byte salt value.
     *
     * PHP 7 provides random_bytes(); on older releases fall back to
     * mcrypt_create_iv() reading /dev/urandom. The OpenSSL extension's
     * openssl_random_pseudo_bytes() is another option.
     */
    if (function_exists('random_bytes')) {
        $pw_salt = random_bytes(64);
    } else {
        $pw_salt = mcrypt_create_iv(64, MCRYPT_DEV_URANDOM);
    }

    // Concatenate and hash password+salt, keeping the raw 20-byte digest.
    $hashed = sha1($cleartext . $pw_salt, TRUE);

    // Add the tag and the base64-encoded hash+salt.
    $hashed = '{SSHA}' . base64_encode($hashed . $pw_salt);

    // Clean up
    unset($pw_salt);

    return $hashed;
} // generate_ssha_hash</pre>
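As an added example (not the post's PHP and not OpenLDAP's own code), the same {SSHA} layout handled from the shell: a generator with the post's 64-byte salt, a verifier that splits the decoded value back into digest and salt, and a salt-length check for auditing userPassword values. Function names are mine; it assumes GNU coreutils (sha1sum, base64, head -c, od) and a POSIX sh.

```shell
#!/bin/sh
# Added example: build and check OpenLDAP {SSHA} values from the shell, using
# the layout of generate_ssha_hash() above (raw 20-byte SHA-1 of
# password+salt, then the salt, base64 encoded together behind the tag).

# Write the bytes for a hex string to stdout via printf octal escapes.
hex_to_bin() {
    h=$1
    while [ -n "$h" ]; do
        printf "\\$(printf '%03o' "0x${h%"${h#??}"}")"
        h=${h#??}
    done
}

# Usage: ssha_hash PASSWORD [SALT_BYTES]   (default 64, as in the post)
ssha_hash() {
    pw=$1; n=${2:-64}
    salt=$(mktemp) || return 1
    head -c "$n" /dev/urandom > "$salt"
    digest=$( { printf '%s' "$pw"; cat "$salt"; } | sha1sum | cut -c1-40 )
    printf '{SSHA}%s\n' "$( { hex_to_bin "$digest"; cat "$salt"; } | base64 | tr -d '\n' )"
    rm -f "$salt"
}

# Usage: ssha_verify '{SSHA}...' PASSWORD
# Exit status 0 on match, 1 on mismatch, 2 if the value is not {SSHA}.
# (The string comparison is not constant-time; fine for an audit script,
# not for a login path.)
ssha_verify() {
    stored=$1; pw=$2
    case $stored in '{SSHA}'*) ;; *) return 2 ;; esac
    blob=$(mktemp) || return 2
    if ! printf '%s' "${stored#\{SSHA\}}" | base64 -d > "$blob" 2>/dev/null; then
        rm -f "$blob"; return 2
    fi
    want=$(head -c 20 "$blob" | od -An -tx1 | tr -d ' \n')
    got=$( { printf '%s' "$pw"; tail -c +21 "$blob"; } | sha1sum | cut -c1-40 )
    rm -f "$blob"
    [ ${#want} -eq 40 ] && [ "$want" = "$got" ]
}

# Usage: ssha_salt_len '{SSHA}...'
# Prints the salt length in bytes (0 for unsalted {SHA}), so a dump of
# userPassword values can be audited for short or missing salts.
ssha_salt_len() {
    stored=$1
    case $stored in
        '{SSHA}'*) ;;
        '{SHA}'*) echo 0; return 0 ;;
        *) return 2 ;;
    esac
    total=$(printf '%s' "${stored#\{SSHA\}}" | base64 -d | wc -c)
    echo $((total - 20))
}
```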
<br />
<b>iTunes: An unknown error has occurred (-39)</b> (2016-03-03)<br />
<br />
I have been using the "consolidate library" function of iTunes to move all of my music from my NAS to my Macbook. Everything went fine for a while, then I started getting an error to the effect of "Error copying files: An unknown error has occurred (-39)". I didn't take a screen capture, and the exact verbiage escapes me. Google didn't turn up anything about error -39.<br />
<br />
Poking around the XML file, there were no obvious problems, but it appeared that the problem files were grouped around a time period, several years ago. Over time I have switched between AFP and SMB (Samba) as my protocol of choice to access my music. I recalled running into issues between the two, with regard to special character handling in filenames. I also recalled that the time period in question may have been when I was using SMB.<br />
<br />
On a hunch, I reconnected to the NAS, using SMB instead of AFP. I re-ran the organize/consolidate function, and the remainder of my library is currently consolidating without problem.<br />
<br />
<b>Deleting locked IPSec SAs from Fortigates</b> (2014-05-20)<br />
<br />
We have had a borked IPSec Phase1 definition in our configuration since the initial configuration. The delete option was grayed out for it, despite the ref count showing 0. I finally had to call Fortinet about it. The engineer I spoke with said that the ref count of 0 doesn't necessarily mean that there aren't any references (what good is the ref count then?). He grabbed a copy of the configuration, and searched for the name of the Phase1. Sure enough, a policy routing entry turned up that we had long forgotten about. After removing this, I was able to delete the Phase1.<br />
<br />
<b>Advertising arbitrary routes via OSPF on Fortigate</b> (2014-05-19)<br />
<br />
To be clear, I'm not sure this is the correct way to inject routes into OSPF. That being said, it yields the desired behavior. The situation goes like this...<br />
<br />
I have addressed all of the interfaces of my Fortigate (FGT) with subnets of network 65.65.65.0/24. Additionally, I have some virtual IPs (VIPs) defined that map addresses from 65.65.64.0/24 to corresponding addresses in 65.65.65.0/24. For example:<br />
<br />
65.65.64.1 -> 65.65.65.1<br />
<br />
This is not a garden-variety configuration, mapping one public subnet to another. The reasons are complex, involving BGP, portable subnets, multiple data centers. The bottom line, I need the FGT to NAT this traffic.<br />
<br />
My initial solution to this problem was static routes. However, this becomes difficult to maintain as the network grows in complexity (we're definitely into that territory). What I want to do is advertise a subnet of 65.65.64.0/24 via OSPF. In the Fortigate, it's not as easy as saying "inject this subnet into OSPF." My solution, create a loopback interface on the FGT, and redistribute the connected subnet into OSPF.<br />
<ol>
<li>Create a Loopback network interface, with an address in the subnet you want to advertise. It doesn't seem to make a difference what address you use.
<pre>    edit "port-loopback"
        set vdom "root"
        set ip 65.65.64.1 255.255.255.192
        set type loopback
        set description "Loopback interface used to provide route for portable addresses."
        set snmp-index 28
    next</pre>
</li>
<li>Create a prefix-list entry that identifies the loopback subnet.
<pre>    edit "connected-to-ospf-v4"
        set comments "Define connected routes to export to OSPF"
        config rule
            edit 10
                set prefix 65.65.64.0 255.255.255.192
                unset ge
                unset le
            next</pre>
</li>
<li>Create a route-map that uses the prefix list.
<pre>    edit "rm-connected-to-ospf"
        set comments "Defines IPv4 connected routes to redistribute to OSPF"
        config rule
            edit 10
                set match-ip-address "connected-to-ospf-v4"
            next
        end
    next</pre>
</li>
<li>Configure OSPF to redistribute connected networks.
<div>
<div style="background-color: #d0d0d0; font-family: Menlo; font-size: 12px;">
config redistribute <span style="color: #ab1f0f;">"connected"</span></div>
<div style="background-color: #d0d0d0; font-family: Menlo; font-size: 12px;">
set status enable</div>
<div style="background-color: #d0d0d0; font-family: Menlo; font-size: 12px;">
set routemap <span style="color: #ab1f0f;">"rm-connected-to-ospf"</span></div>
<div style="background-color: #d0d0d0; font-family: Menlo; font-size: 12px;">
end</div>
</div>
</li>
</ol>
Tomhttp://www.blogger.com/profile/03570804732941107175noreply@blogger.com0tag:blogger.com,1999:blog-7201361257160129196.post-8336304836280815672014-05-06T07:24:00.001-07:002014-05-06T07:25:43.479-07:00Fortigate VIPs ate my packets.We traded our Cisco ASAs for Fortinet Fortigates (FGT). So far, the trade-off seems to be a pretty, useable interface, for the rock solid (albeit annoying) functionality of the Cisco. One major issue (for us) that came up during our rollout was related to Virtual IPs (VIPs), essentially Fortinet parlance for destination NAT.<br />
<br />
We have a very odd NAT situation. For a particular service we offer, we have clients that are incapable of connecting to the listening port (more accurately, the amount of red tape required to change a port number in their script requires hundreds of hours of meetings, and many thousands of developer hours).<br />
<br />
As a result, we have supported these clients by using a port redirection, but only for certain source addresses, because the port they <i>MUST</i> connect to is in use by another application (confused yet? I am). On the Fortigate, we solved this by creating a pair of VIPs. One broad, for all ports; The other specific to the goofy awfulness. Here is the example of how we made it work.<br />
<br />
edit "srv-v4-redir"<br />
set src-filter "1.2.3.4" "5.6.7.8"<br />
set extip 111.222.0.1<br />
set extintf "any"<br />
set portforward enable<br />
set mappedip 10.0.0.1<br />
set extport 77<br />
set mappedport 10077<br />
next<br />
edit "srv-v4"<br />
set extip 111.222.0.1<br />
set extintf "any"<br />
set mappedip 10.0.0.1<br />
next<br />
<br />
As horrible as it looks, it actually works. The result is that clients 1.2.3.4 and 5.6.7.8 connect to port 77, but are actually DNATed to port 10077. Anyone else connecting to port 77 goes to port 77.<br />
<br />
It is worth noting that our original configuration was more awful, and broken. When I originally configured this bit of NAT, I was still learning my way around the FGT. I mistakenly configured the "srv-v4-redir" VIP with an extintf of "vlan7", our outside interface. This broke other services using the broader "srv-v4" VIP, but in amazingly random ways. All traffic from the outside worked fine. However, we discovered breakage for some users who connect to another service on that VIP from "vlan4"… but only for users coming from some source networks (networks unrelated to the "redir" sources).<br />
<br />
In these cases, the traffic would just vanish into the FGT, as confirmed by the sniffer and by flow traces. In the flow trace, traffic failed with the following cryptic messages.<br />
<br />
fortinet-1a # id=12 trace_id=26 msg="vd-root received a packet(proto=6, 172.25.1.7:52606->111.222.0.1:443) from vlan4."<br />
id=12 trace_id=26 msg="allocate a new session-00e3addb"<br />
id=12 trace_id=26 msg="find SNAT: IP-10.0.0.1(from IPPOOL), port-0"<br />
id=12 trace_id=26 msg="use addr/intf hash, len=13"<br />
id=12 trace_id=26 msg="pre_route_auth check fail(id=0), drop"<br />
<br />
After escalating the ticket several times with Fortinet, and two weeks of broken connections (I'm calling you out here Fortinet, two weeks for an answer is unacceptable), we finally got assigned to a foul-mouthed engineer (the best kind). He identified the extintf problem, in between bouts of telling me what a kludgy setup this is…Yes, I know. I don't like it either, and offered a number of possible solutions, with the caveat of "I can't guarantee it, because nobody does this." We tested the change, which annoyingly required us to remove all references to the "redir" VIP, and it worked. Life goes on, I'm pretty satisfied with the FGT.Tomhttp://www.blogger.com/profile/03570804732941107175noreply@blogger.com0tag:blogger.com,1999:blog-7201361257160129196.post-37762208889981998212014-03-13T17:06:00.000-07:002014-03-13T17:06:47.257-07:00Understanding resolvconf behavior on pxe-booted hosts.I have been learning more than I ever cared to know about resolvconf, and what happens when you use it on a host with a read-only root filesystem. I have been preparing to roll out pxe-boot virtual machines at a second location. The PXE image has the following characteristics.<br />
<br />
* NFS-mounted, read-only / filesystem.<br />
* Local writeable disk for swap and /var.<br />
* Unionfs, md-backed /etc (non-persistent, r/w)<br />
<br />
I noticed that on the initial boot of a new VM, /etc/resolv.conf would be written correctly. However, on subsequent boots the NFS-supplied resolv.conf was never updated. After a frustrating afternoon of digging, I determined why resolvconf appears to stop working.<br />
<br />
Resolvconf stores its state in /var/run/resolvconf. When dhclient obtains a lease for an interface, dhclient-script calls resolvconf with the DNS options from that lease, and resolvconf looks in the interfaces/ sub-directory for an entry named after the interface. If the file does not exist, or does not match the domain/nameserver options just received, a new file is written and /etc/resolv.conf is regenerated. If the options match what resolvconf already has, nothing is touched. The output below shows the contents of the interfaces/ directory on my pxe host.<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">> ll /var/run/resolvconf/interfaces/</span><br />
<span style="font-family: Courier New, Courier, monospace;">total 8</span><br />
<span style="font-family: Courier New, Courier, monospace;">-rw-r--r-- 1 root wheel 80 Mar 13 18:00 vmx0:dhcp4</span><br />
<span style="font-family: Courier New, Courier, monospace;">-rw-r--r-- 1 root wheel 76 Mar 13 18:00 vmx1</span><br />
<br />
The problem with my pxe hosts lies in the volatile /etc. Every time the host reboots, the modified contents of /etc vanish. /etc/resolv.conf is replaced with the copy from NFS. In my case, this copy reflects the nameservers at the "original" datacenter. Since the state directory for resolvconf exists on the persistent /var, resolvconf sees the old [unchanged] lease data, and assumes everything is peachy with the resolv.conf file.<br />
<br />
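The failure mode above is easy to miss because dhclient keeps running happily; the only symptom is a resolv.conf that silently points at the wrong datacenter. Here is a small check for it, written as an added example for this post (it is not the author's script): it compares the nameservers cached under the resolvconf state directory with the ones in resolv.conf and flags the host when they disagree, which is exactly the case in which resolvconf will decline to rewrite the file on the next lease. The state directory and resolv.conf path are parameters so the check can run against a sandbox; the sandbox contents (the dc1/dc2 resolver addresses and search domains) are constructed for the example, and in production the paths would be /var/run/resolvconf and /etc/resolv.conf.

```shell
#!/bin/sh
# Added example, not part of the original post. Detects resolvconf state in a
# persistent /var that no longer agrees with a resolv.conf restored from a
# volatile /etc, and offers the same remedy as resolvconf -I (drop the cached
# interface entries so the next lease is treated as new).

# Print the sorted, de-duplicated nameserver addresses found in the given files.
# Missing files (an empty interfaces/ directory) are simply ignored.
nameservers_in() {
    cat "$@" 2>/dev/null | awk '$1 == "nameserver" { print $2 }' | sort -u
}

# resolvconf_state_stale STATEDIR RESOLV_CONF
# Exit 0 (stale) when the nameservers cached under STATEDIR/interfaces/ differ
# from those in RESOLV_CONF: resolvconf will consider the next identical lease
# "unchanged" and leave resolv.conf alone. Exit 1 when they agree, or when
# there is no cached lease at all (resolvconf will then write a fresh entry and
# regenerate resolv.conf on its own).
resolvconf_state_stale() {
    cached=$(nameservers_in "$1"/interfaces/*)
    [ -n "$cached" ] || return 1
    live=$(nameservers_in "$2")
    [ "$cached" != "$live" ]
}

# clear_resolvconf_state STATEDIR
# Stand-in for `resolvconf -I` on the real /var/run/resolvconf: remove the
# cached per-interface entries so dhclient's next run is seen as a new lease.
clear_resolvconf_state() {
    rm -f "$1"/interfaces/* 2>/dev/null
    return 0
}

# report STATEDIR RESOLV_CONF
# One-line verdict suitable for a boot-time or monitoring check. Returns 1 on
# a stale host so it can be chained with a remediation step.
report() {
    if resolvconf_state_stale "$1" "$2"; then
        echo "STALE: $2 does not match the lease cached in $1/interfaces"
        return 1
    fi
    echo "OK: $2 matches resolvconf state"
}

# make_sandbox
# Constructed data reproducing the post's situation: the interface entry holds
# the second datacenter's resolvers (written on the very first boot), while
# resolv.conf came back from NFS naming the original datacenter's resolver.
# Prints the sandbox directory; the caller is responsible for removing it.
make_sandbox() {
    dir=$(mktemp -d)
    mkdir -p "$dir/interfaces"
    printf 'search dc2.example\nnameserver 192.0.2.53\nnameserver 192.0.2.54\n' \
        > "$dir/interfaces/vmx0:dhcp4"
    printf 'search dc1.example\nnameserver 198.51.100.53\n' > "$dir/resolv.conf"
    echo "$dir"
}
```

On a real host the call is `report /var/run/resolvconf /etc/resolv.conf`; a non-zero exit means the cached lease and the live file have drifted apart and `resolvconf -I` (or the equivalent clear) is needed before dhclient will repair resolv.conf.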
I don't need the extra features of resolvconf, so I can solve the problem by disabling it. I created a file in the pxe image, /etc/dhclient-enter-hooks, that contains the following.<br />
<br />
<span style="font-family: Courier New, Courier, monospace;">resolvconf_enable=NO</span><br />
<br />
My initial, more complicated fix, was to create an rc script to re-initialize the resolvconf state directory on every boot. This also worked flawlessly.<br />
<br />
<pre>#!/bin/sh
#
# Clean out the contents of the resolvconf state directory. Otherwise,
# /etc/resolv.conf never gets updated after the initial boot of a new pxe host.
#
# rcorder(8) only understands PROVIDE, REQUIRE, BEFORE and KEYWORD; the
# dependency on FILESYSTEMS has to be spelled REQUIRE, not AFTER.
# PROVIDE: clean_resolvconf
# REQUIRE: FILESYSTEMS
# BEFORE: netif

echo -n "Cleaning out resolvconf state directory: "

# Test the exit status of resolvconf directly. The form `[ $? ]` tests whether
# the string "0" or "1" is non-empty, which is always true, so it never reports
# a failure.
if /sbin/resolvconf -I; then
	echo "OK"
else
	echo "FAILED"
fi</pre>Tomhttp://www.blogger.com/profile/03570804732941107175noreply@blogger.com0tag:blogger.com,1999:blog-7201361257160129196.post-17430848059722381642014-02-05T10:30:00.000-08:002014-02-05T10:30:07.951-08:00dhclient exits chroot on FreeBSD 10.0I've booted my first pxe FreeBSD 10.0 image, and discovered that dhclient, of all things, doesn't seem to work. Running dhclient from the command-line after boot results in the following output:<br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">WARNING dhclient failed to start</span><br />
<span style="font-family: Courier New, Courier, monospace;">chroot</span><br />
<span style="font-family: Courier New, Courier, monospace;">exiting</span><br />
<br />
Some searching turns up a <a href="https://forums.freebsd.org/viewtopic.php?&t=43123" target="_blank">thread on the FreeBSD forums</a>. A missing /var/empty directory is to blame: it is the empty directory that dhclient chroots into for privilege separation. It should exist, be owned by root, and have permissions of 755.Tomhttp://www.blogger.com/profile/03570804732941107175noreply@blogger.com1tag:blogger.com,1999:blog-7201361257160129196.post-19934340779015154052013-11-12T09:45:00.000-08:002013-11-12T09:45:50.114-08:00Using CARP with VMWare ESXiIf you want to use CARP on your VMWare guest VMs, you will probably find that it doesn't work out of the box. This is due to ESXi rejecting promiscuous mode on the virtual switch by default. To enable promiscuous mode, go to the Network configuration section for the host (in vSphere Client), and click properties for the vSwitch. Edit the properties for the vSwitch, and change the setting of "Promiscuous Mode" to <b>Accept</b> under the "Security" tab. Note that a vSwitch-level policy applies to every port group on that switch, so any guest attached to it can then see all of its traffic; the security policy can be overridden per port group, so the tighter option is to leave the vSwitch at Reject and set Accept only on a dedicated port group for the CARP guests.<br />
<br />
For bonus points, if you are using NIC Teaming on ESXi (even with just a standby adapter), you will find that your CARP interfaces always remain in BACKUP state, and your logs fill with the following messages.<br />
<br />
Nov 12 11:25:51 kernel: carp0: MASTER -> BACKUP (more frequent advertisement received)<br />
Nov 12 11:25:51 kernel: carp0: link state changed to DOWN<br />
Nov 12 11:25:54 kernel: carp0: link state changed to UP<br />
<br />
This is because ESXi is rebroadcasting CARP advertisements that come back down the other members of the team. To correct this, you need to dig into the Advanced Settings, under Software. Change Net.ReversePathFwdCheckPromisc to 1. Annoyingly, you will need to reboot the host for the change to take effect, but it works.Tomhttp://www.blogger.com/profile/03570804732941107175noreply@blogger.com3tag:blogger.com,1999:blog-7201361257160129196.post-22002074216025978042013-10-09T06:12:00.001-07:002013-10-09T06:15:03.011-07:00Using BIRD to route over OpenVPN tunnels.OpenVPN tunnels, good. BIRD routing daemon, great. OSPF on OpenVPN tunnels, headache. The combination of OpenVPN and BIRD routing daemon for OSPF is nothing new for me. I've been using it pretty happily for over a year. However, it always seemed as though something was a bit precarious. As I have started to scale the implementation, I've realized that I needed a rethink of my strategy.<br />
<div>
<br /></div>
<div>
The original design used a /31 subnet on each tunnel, with each endpoint using an address. Logically, it made perfect sense. The catch is that OSPF does not automatically advertise the IP address of the tunnels (a quirk of OpenVPN, BIRD, or both). Traffic would flow through the routers, but the remote tunnel address would be unreachable. I solved this by adding a <span style="font-family: Courier New, Courier, monospace;">stubnet x.x.x.x/31</span> directive to the OSPF configuration at one of the endpoints. At the time this worked fine.</div>
<div>
<br /></div>
<div>
As I brought a third site online, with multiple VPN tunnels between each site, the original design quickly broke down. The /31s were no longer consistently routable. I remedied this by changing the /31 stubnet to a /32, with each router advertising its own IP addresses. Life was briefly good, until I realized that restarting the OpenVPN tunnels would fail. OpenVPN would log the error, "<span style="font-family: Courier New, Courier, monospace;">router-a openvpn_1199[18976]: FreeBSD ifconfig failed: external program exited with error status: 1</span>" The following message was also logged, "<span style="font-family: Courier New, Courier, monospace;">ifconfig: ioctl (SIOCAIFADDR): File exists</span>" From the depths of my memory, I recalled that this error occurs when you attempt to configure an interface with an address that already exists in the routing table. Since BIRD was already advertising the /32 host IP, trying to address the tunnel would fail.</div>
<div>
<br /></div>
<div>
Some creative restarting of OpenVPN and BIRD resolved the problem, but is an unacceptable solution for production. I turned to the BIRD mailing list with my situation, and very quickly received a response from one of the BIRD developers. He suggested a number of ideas, the most promising of which is to dedicate a subnet to each router, as a pool from which to draw addresses for local tunnel endpoints on that specific host. The subnet is then configured as a stubnet by BIRD. The ends of a given tunnel may not be remotely close to each other, but this is fine because a tunnel is a point-to-point link. Tunnels can be restarted at will, without contention from existing routes in the table.</div>
<div>
<br /></div>
<div>
The diagram below shows an example topology. Notice that the endpoint of each tunnel is in a completely different network. For example, on the tunnel between router-a and router-b, router-a uses an IP of 192.168.0.0, and router-b uses 10.0.0.0. It doesn't matter, it works just fine. With the given stubnet configured in the bird.conf for each router, all tunnel endpoints are reachable. The network and broadcast addresses for each router's stubnet are also useable, as shown in the example.</div>
<div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNiwSNaIr4LWl5SjRLpZjcSfuc04iUi1T3enRkbQa-cuvatZy5T8kIK96OhyNxbiYIiWyy3el89TlCmQU1XTQJO14RrbFn-y4sYjT5QOiI7ndbgRgWpu9yvVIIWn2bTHrl3iK-in4oRg/s1600/Diagram1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNiwSNaIr4LWl5SjRLpZjcSfuc04iUi1T3enRkbQa-cuvatZy5T8kIK96OhyNxbiYIiWyy3el89TlCmQU1XTQJO14RrbFn-y4sYjT5QOiI7ndbgRgWpu9yvVIIWn2bTHrl3iK-in4oRg/s1600/Diagram1.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
</div>
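To make the per-router pool concrete, here is what the router-a/router-b tunnel from the diagram looks like on both ends, written as an added example for this post rather than the author's own configuration. The two endpoint addresses (192.168.0.0 on router-a, 10.0.0.0 on router-b) are the ones given above; the /29 pool sizes, the tun interface names, port 1199, the static-key authentication, the hostnames and the OSPF timers are assumptions made for the example.

```conf
# --- router-a: OpenVPN tunnel to router-b (point-to-point, static key assumed) ---
# The local endpoint comes from router-a's pool 192.168.0.0/29 and the remote
# from router-b's pool 10.0.0.0/29; on a p2p link they need not share a subnet.
dev tun
proto udp
port 1199
remote router-b.example 1199
ifconfig 192.168.0.0 10.0.0.0
secret /usr/local/etc/openvpn/router-b.key

# --- router-b: the same tunnel seen from the other side ---
dev tun
proto udp
port 1199
remote router-a.example 1199
ifconfig 10.0.0.0 192.168.0.0
secret /usr/local/etc/openvpn/router-a.key

# --- router-a: /usr/local/etc/bird.conf ---
protocol ospf {
	tick 2;
	area 0 {
		# The whole endpoint pool is advertised as one stub network, instead of
		# each router advertising a /32 per tunnel endpoint. That /32 is what
		# left a route in the table for a restarting tunnel's ifconfig to
		# collide with (the SIOCAIFADDR "File exists" error above).
		stubnet 192.168.0.0/29;
		# Run OSPF over every tunnel as a point-to-point link.
		interface "tun*" {
			type ptp;
			hello 2;
			dead 10;
		};
	};
}

# --- router-b: /usr/local/etc/bird.conf, same shape with its own pool ---
protocol ospf {
	tick 2;
	area 0 {
		stubnet 10.0.0.0/29;
		interface "tun*" {
			type ptp;
			hello 2;
			dead 10;
		};
	};
}
```

Each additional tunnel on router-a takes the next address from 192.168.0.0/29 as its local end and whatever the peer hands out from its own pool as the remote end; nothing in BIRD changes per tunnel, and the stubnet keeps every local endpoint reachable from the rest of the OSPF domain.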
Tomhttp://www.blogger.com/profile/03570804732941107175noreply@blogger.com0tag:blogger.com,1999:blog-7201361257160129196.post-15869270995265269632013-09-22T14:45:00.000-07:002013-09-22T14:45:03.567-07:00Fixing SSH timeouts on the ASAI spent a bunch of time getting my head around class maps, policy maps, and service policies, in an effort to correct the issue of idle SSH connections being timed out after an hour (the default idle timeout for TCP connections on the ASA at version 9.1). The <a href="http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/firewall/mpf_service_policy.html#wp1519580" target="_blank">documentation</a> is a confusing web of headache, but I found <a href="http://blog.ine.com/2009/04/19/understanding-modular-policy-framework/" target="_blank">this</a> blog post to be useful reading. My solution was to leave the timeout unchanged, but to enable Dead Connection Detection for SSH connections. Essentially, when an idle SSH connection hits the threshold, the ASA forges a packet to the endpoints to verify that the socket is still open. If there is a response, the idle timer is reset.<br />
<br />
<br />
<pre class="diff"><span class="add">access-list ssh_ports remark access list to id ssh traffic for the ssh_ports class map
</span><span class="add">access-list ssh_ports extended permit tcp any any eq ssh
</span><span class="add">access-list ssh_ports extended permit tcp any any eq 2222</span></pre>
<pre class="diff"><span class="add">class-map ssh_traffic
description identify SSH traffic, so we can apply policy
match access-list ssh_ports</span></pre>
<pre class="diff"><span class="add">policy-map generic_interface_policy
class ssh_traffic
set connection timeout dcd </span></pre>
<pre class="diff"><span class="add">service-policy generic_interface_policy interface outside
service-policy generic_interface_policy interface inside</span></pre>
Tomhttp://www.blogger.com/profile/03570804732941107175noreply@blogger.com0tag:blogger.com,1999:blog-7201361257160129196.post-44094619783540019062013-09-17T17:11:00.001-07:002013-09-17T17:11:22.427-07:00Cisco ASA Remote Access configuration for Mac OS XI spent the day fighting to get a remote access IPSec connection set up as follows:<br />
<br />
<ul>
<li>ASA 5515-X, running version 9.1.</li>
<li>ASA network interfaces are already configured.</li>
<li>IPSec clients are assigned addresses from the range 123.0.0.199-201.</li>
<li>Client is running OS X 10.8.4 Mountain Lion.</li>
<li>Client is using the built-in OS X IPSec client.</li>
<li>Client IP is private, behind NAT, with a DHCP-assigned WAN IP.</li>
<li>After connecting, client should be able to reach the internal networks 123.0.0.128/26, 123.0.0.192/27.</li>
<li>All other traffic is not sent across the VPN.</li>
</ul>
<div>
The following configuration should be added to the ASA:</div>
<div>
<br /></div>
<div>
<pre class="diff"><span class="add"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">ip local pool REMOTE_ACCESS_POOL 123.0.0.199-123.0.0.201</span></span></pre>
<pre class="diff"><span class="add"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">management-access inside</span></span></pre>
<pre class="diff"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">access-list REMOTE_ACCESS_SPLIT_TUNNEL remark The corporate network behind the ASA.</span></pre>
</div>
<div>
<pre class="diff"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="add">access-list REMOTE_ACCESS_SPLIT_TUNNEL standard permit 123.0.0.128 255.255.255.192
</span><span class="add">access-list REMOTE_ACCESS_SPLIT_TUNNEL standard permit 123.0.0.192 255.255.255.224 </span></span></pre>
<pre class="diff"><span class="add"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">crypto ipsec ikev1 transform-set REMOTE_ACCESS_TS esp-aes-256 esp-sha-hmac
crypto dynamic-map REMOTE_ACCESS_DYNMAP 1 set ikev1 transform-set REMOTE_ACCESS_TS
crypto map REMOTE_ACCESS_MAP 1 ipsec-isakmp dynamic REMOTE_ACCESS_DYNMAP
crypto map REMOTE_ACCESS_MAP interface outside</span></span></pre>
<pre class="diff"><span class="add"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 7200</span></span></pre>
<pre class="diff"><span class="add"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">group-policy REMOTE_ACCESS_GP internal
group-policy REMOTE_ACCESS_GP attributes</span></span></pre>
<pre class="diff"><span class="add"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;"> split-tunnel-policy tunnelspecified
split-tunnel-network-list value REMOTE_ACCESS_SPLIT_TUNNEL</span></span></pre>
<pre class="diff"><span class="add"><span style="font-family: Courier New, Courier, monospace; font-size: x-small;">username hunter password **** encrypted
tunnel-group REMOTE_ACCESS_TUNNELGRP type remote-access
tunnel-group REMOTE_ACCESS_TUNNELGRP general-attributes
address-pool REMOTE_ACCESS_POOL
default-group-policy REMOTE_ACCESS_GP
tunnel-group REMOTE_ACCESS_TUNNELGRP ipsec-attributes
ikev1 pre-shared-key *****</span></span></pre>
<pre class="diff"><span style="font-family: Times, Times New Roman, serif;">For an explanation of what all this does, I recommend reading the following Cisco docs. It is worth noting that this configuration does not work with the built-in Windows 7/8 client, which uses IKEv2 rather than IKEv1. Two caveats on the crypto settings: an IKEv1 remote-access tunnel-group authenticated with a pre-shared key negotiates in aggressive mode, so anyone who knows or guesses the group name can collect a hash derived from the PSK and attack it offline; use a long random key. DH group 2 is 1024-bit MODP, so prefer a larger group (or certificate authentication) where the client supports it.</span></pre>
<pre class="diff"><ul>
<li><span style="font-family: Times, Times New Roman, serif;"><a href="http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/vpn/vpn_remote_access.html" target="_blank">Remote Access VPN configuration</a></span></li>
<li><span style="font-family: Times, Times New Roman, serif;"><a href="http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml#s2" target="_blank">Split tunnel configuration</a></span></li>
<li><span style="font-family: Times, Times New Roman, serif;"><a href="http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/admin_management.html#wp1438524" target="_blank">Management access over a VPN tunnel</a></span></li>
</ul>
<div>
<span style="font-family: Times, Times New Roman, serif;">The configuration for the built-in OS X IPSec client is described in the following doc. One gotcha I ran into (which is clearly stated in the document) is that the tunnel-group name must be specified in the 'Group Name' field on the Mac. In the case of the above configuration, the group name is REMOTE_ACCESS_TUNNELGRP.</span></div>
<div>
<ul>
<li><a href="http://www.cisco.com/en/US/products/ps10884/products_tech_note09186a0080c08ec4.shtml#anc7" target="_blank"><span style="font-family: Times, Times New Roman, serif;">VPN Clients for Mac OS X FAQ</span></a></li>
</ul>
</div>
</pre>
</div>
Tomhttp://www.blogger.com/profile/03570804732941107175noreply@blogger.com0tag:blogger.com,1999:blog-7201361257160129196.post-88322235101078162972013-09-13T12:23:00.001-07:002013-09-17T17:12:25.551-07:00Using FreeBSD as a DomU on XenServerI am investigating a move away from VMWare ESXi to $hypervisor, as a part of our new data center build. The primary candidates I am looking at are XenServer, and an XAPI stack on Debian. Citrix doesn't officially support FreeBSD as a DomU; at least not as of 6.2. However, FreeBSD seems to pretty happily install as an HVM DomU, if you specify the "Other install media" template from the XenCenter "New VM" wizard.<br />
<div>
<br /></div>
<div>
I installed XenServer 6.2 on an old Dell 2950, with a pair of dual-core Xeons, 8GB RAM and 6x15k SAS drives in a RAID10 configuration. As an aside, I get garbage output on the boot prompt when I boot the host...a problem happily solved by mashing the Enter key in frustration until XenServer began booting.</div>
<div>
<br /></div>
<div>
As mentioned above, I installed a FreeBSD 9.1-RELEASE amd64 guest without much difficulty. I then wanted to see how the performance stacked up against our existing ESXi 5.0 infrastructure. As a crude benchmark, I ran a time portsnap extract on the XenServer guest, another FreeBSD guest on a similarly spec'd 1950 running ESXi, and on a 2950 with FreeBSD installed natively. The wall times were as follows.</div>
<div>
<ol>
<li>XenServer FreeBSD DomU: 12:20</li>
<li>ESXi FreeBSD guest: 6:30</li>
<li>Raw hardware: 5:28</li>
</ol>
<div>
I was rather disappointed to see XenServer fare so poorly against VMWare. Not all was lost though, because my XenServer guest was running in HVM mode. I expected that I would see some performance improvement by using the Paravirtualized drivers available in FreeBSD. To summarize the <a href="https://wiki.freebsd.org/FreeBSD/Xen" target="_blank">FreeBSD Wiki</a>, full PV support is only available on i386, but amd64 can use the PV block device and network interfaces. I tried <a href="http://forums.freebsd.org/showthread.php?t=10268" target="_blank">building a PV image</a> and shipping it over to the XenServer host, without success. I was unable to get XenServer to even attempt to boot my image.</div>
</div>
<div>
<br /></div>
<div>
I went back to my HVM DomU and installed the 9.1-p7 XENHVM kernel. On reboot, the guest hangs immediately after detecting the CDROM drive. For several minutes it displays a message about <span style="font-family: inherit;"><a href="http://lists.freebsd.org/pipermail/freebsd-xen/2011-May/000918.html" target="_blank">xenbusb_nop_confighook_cb timeout</a> periodically, then nothing. Some googling suggests that this is a known issue, with a workaround of removing the virtual CD device, as indicated <a href="http://lists.freebsd.org/pipermail/freebsd-xen/2012-December/001403.html" target="_blank">in this thread</a>. I removed the CDROM device by following <a href="http://support.citrix.com/article/CTX132411" target="_blank">these instructions</a>, and the guest now boots happily. With the PV drivers, your virtual disk device is named "ad0" by FreeBSD. The network interface becomes "xn0". Because of these changes, you will want to update your guest /etc/fstab file, and probably the network configuration in /etc/rc.conf. Running the portsnap benchmark on the updated guest yields a time of 8:37...a 43% improvement over the full HVM DomU, but still lagging behind VMWare.</span></div>
<div>
<span style="font-family: inherit;"><br /></span></div>
<div>
More experimentation is required to tell if more performance can be squeezed out of XenServer, or whether the live migration features justify the performance drop.</div>
Tomhttp://www.blogger.com/profile/03570804732941107175noreply@blogger.com0tag:blogger.com,1999:blog-7201361257160129196.post-73958431589661811442013-09-07T08:13:00.001-07:002013-09-07T08:13:48.336-07:00Using FreeBSD loopback interfaces with BIRDWhy go for the simple solution, when you can first spend hours tearing out your hair in frustration?<div>
<br /></div>
<div>
I've been working on a new data center deployment, and getting my fingers back into the networking realm; a welcome change. This includes my first OSPFv3 deployment, and we're using BIRD. For the most part, I have been very happy with BIRD for OSPF and BGP; though I have run into some quirks.</div>
<div>
<br /></div>
<div>
The quirk on my mind at this moment is with loopback interfaces. The Cisco way of doing things seems to be to run iBGP sessions between loopback addresses. The rationale is that if you use an interface address, and that interface goes down, your iBGP session goes with it, as that address becomes unreachable. So you use a loopback interface, which is always up. The addresses on the loopback are advertised via an IGP, facilitating the iBGP connection.</div>
<div>
<br /></div>
<div>
For better or worse, I decided to follow the herd, and go with a loopback interface. For IPv4, this was pretty straightforward. Configure the loopback in the OS, add it to bird.conf as a stub interface, and good to go. For reference, here are the bits to do so on FreeBSD.</div>
<div>
<br /></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"># /etc/rc.conf</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">cloned_interfaces="lo1"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">ifconfig_lo1="inet W.X.Y.Z/32"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"># /usr/local/etc/bird.conf</span></div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;">protocol ospf {</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>tick 2;</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>area 0 {</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>stub no;</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>interface "vlan7", "vlan500" {</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>cost 5;</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>hello 2;</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>dead 10;</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>authentication cryptographic;</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>password "password";</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>};</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>interface "lo1", "vlan1001" { stub; };</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>};</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">}</span></div>
</div>
<div>
<br /></div>
<div>
And since the proof is in the pudding (or output)...</div>
<div>
<br /></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">bird> show route for W.X.Y.Z</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">W.X.Y.Z/32 via A.B.C.D on vlan500 [ospf1 09:08] * I (150/5) [W.X.Y.Z]</span></div>
<div>
<br /></div>
<div>
When I went to configure OSPF for our IPv6 allocation, things didn't go quite so smoothly. I used the following similar configuration for the v6 BIRD configuration.</div>
<div>
<br /></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"># /etc/rc.conf</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">ifconfig_lo1_ipv6="inet6 2620:W:X:Y::Z/128"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"># /usr/local/etc/bird6.conf</span></div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;">protocol ospf ospf_v6 {</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>tick 2;</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>area 0 {</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>stub no;</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>interface "vlan7", "vlan500" {</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>cost 5;</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>hello 2;</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>dead 10;</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span># Authentication is not supported by OSPFv3, supposed to be IPSec AH authenticated.</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>#authentication cryptographic;</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>#password "password";</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>};</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>interface "lo1", "vlan1001" { stub; };</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>};</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">}</span></div>
</div>
<div>
<br /></div>
<div>
With this configuration in place, I realized that my IPv6 loopback address was not being advertised. Examining the logs, BIRD was quite happy to tell me that it had filtered out that route. WTF? After a bunch of time wasted searching Google and throwing shit at the wall, my loopback address was still not working. I finally stumbled on <a href="http://www.mail-archive.com/bird-users@atrey.karlin.mff.cuni.cz/msg01032.html" target="_blank">this mailing list thread</a>, where I learned that using a loopback is NOT an expected configuration, at least in the eyes of the developers. Furthermore, the fact that it was working in IPv4 was surprising, and perhaps a bug. The reason BIRD is denying my lo1 IP is that there is no link-local IP on the interface as well. Without starting a discussion on whether Cisco or BIRD is more right, I'll just say I was *((# *grumble* *f'n BIRD*.</div>
<div>
<br /></div>
<div>
I jumped through a few more hoops, and finally discovered that I could use a tap interface in lieu of a loopback. It would generate a link-local address, OSPF would advertise it, and iBGP happiness filled the kingdom. Never mind that it is about as hacky as you can get. For what it's worth, here is the rc.conf goo to make it happen.</div>
<div>
<br /></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"># /etc/rc.conf</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"># DON'T USE THIS! IT'S HACKY AND EVERYONE WILL LAUGH AT YOU.</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">cloned_interfaces="tap0"</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">ifconfig_tap0_ipv6="inet6 2620:W:X:Y::Z/128 -ifdisabled"</span></div>
<div>
<br /></div>
<div>
I slept on it. When I woke up, I had some OSPF fixes on my mind for the ASAs (that's another raar story). I was poking around a little more when I came across, and was reminded of, the BIRD <span style="font-family: Courier New, Courier, monospace;">stubnet</span> configuration directive. In a nutshell, BIRD will always advertise a stubnet route...perfect! I changed the configuration to use it, and life is good again.</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;"># /etc/rc.conf</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">ifconfig_lo1_ipv6="inet6 2620:W:X:Y::Z/128"</span></div>
</div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"># /usr/local/etc/bird6.conf</span></div>
<div>
<div>
<span style="font-family: Courier New, Courier, monospace;">protocol ospf ospf_v6 {</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>tick 2;</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>area 0 {</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>stub no;</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>interface "vlan7", "vlan500" {</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>cost 5;</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>hello 2;</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>dead 10;</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>};</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>interface "vlan1001" { stub; };</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span><b>stubnet 2620:W:X:Y::Z/128;</b></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>};</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">}</span></div>
</div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: inherit;">and the proof!</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><div>
bird> show route for 2620:W:X:Y::Z/128</div>
<div>
2620:W:X:Y::Z/128 via fe80::225:90ff:fe6b:f52c on vlan7 [ospf_v6 09:12] * I (150/15) [W.X.Y.Z]</div>
</span></div>
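<div>
The failure mode above (a /128 on lo1 that BIRD's OSPFv3 filters unless a stubnet covers it) can be caught before reloading BIRD. This is an added example, not code from the original post; the rc.conf and bird6.conf fragments are constructed, and the 2001:db8::/32 documentation prefix stands in for the post's 2620:W:X:Y::Z.</div>

```python
import ipaddress
import re

# Constructed rc.conf and bird6.conf fragments modelled on the post; the
# 2001:db8::/32 documentation prefix stands in for the post's 2620:W:X:Y::Z.
RC_CONF = '''
ifconfig_vlan7_ipv6="inet6 2001:db8:1:7::1/64"
ifconfig_lo1_ipv6="inet6 2001:db8:1:2::3/128"
'''
# The configuration the post started with: lo1 listed as a stub interface.
BIRD6_BEFORE = '''
protocol ospf ospf_v6 {
    area 0 {
        interface "vlan7", "vlan500" { cost 5; };
        interface "lo1", "vlan1001" { stub; };
    };
}
'''
# The working configuration: the /128 is originated explicitly as a stubnet.
BIRD6_AFTER = BIRD6_BEFORE.replace(
    'interface "lo1", "vlan1001" { stub; };',
    'interface "vlan1001" { stub; };\n        stubnet 2001:db8:1:2::3/128;')

RC_RE = re.compile(r'^ifconfig_(\w+)_ipv6="inet6\s+([^"\s]+)', re.M)
STUBNET_RE = re.compile(r'^\s*stubnet\s+([^\s;]+)\s*;', re.M)

def loopback_host_routes(rc_conf):
    """Map lo* interface name -> IPv6Interface for every /128 configured on it."""
    found = {}
    for ifname, addr in RC_RE.findall(rc_conf):
        iface = ipaddress.IPv6Interface(addr)
        if ifname.startswith("lo") and iface.network.prefixlen == 128:
            found[ifname] = iface
    return found

def uncovered_loopbacks(rc_conf, bird_conf):
    """Loopback /128s that no stubnet covers. As the post found, a loopback has
    no link-local address, so BIRD's OSPFv3 will not originate its prefix from
    the interface alone; each such address needs a stubnet line to be advertised."""
    stubnets = [ipaddress.IPv6Network(p) for p in STUBNET_RE.findall(bird_conf)]
    return sorted(ifname for ifname, iface in loopback_host_routes(rc_conf).items()
                  if not any(iface.network.subnet_of(net) for net in stubnets))
```

Run it against the real files before `birdc6 configure`; a non-empty result names the loopbacks that will be silently dropped.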
<h2>
Configuring NFSv4 on FreeBSD</h2>
<div>
Posted 2013-06-13</div>
After much monkeying around, I finally have NFSv4 running on FreeBSD. Since there seems to be a lack of documentation specifically for NFSv4, here is my take on it. The nfsv4 man page does tell you what you need to know in order to get a basic client and server running, but it was clear to me only after I had it working. In my setup, my server is running FreeBSD 9.1, and my client runs 9.0.<br />
<br />
<h2>
Server Configuration</h2>
<div>
<ol>
<li>In /etc/rc.conf, add the following lines<br /><br />
<pre>nfs_server_enable="YES"
nfsv4_server_enable="YES"
nfsuserd_enable="YES"</pre>
<br />
</li>
<li>Start the NFS daemons by running<br /><br />
<pre>/etc/rc.d/nfsd start</pre>
<br />
</li>
<li>Open /etc/exports in your preferred editor. Add a "V4:" line to the file, specifying the root of your NFSv4 tree. There are two choices at this point. Option 1 is to place your NFSv4 root at a location other than the root of the server filesystem. With this option, you can create an arbitrary NFS tree for clients to attach to, independent of how data is actually situated on the filesystem(s). Nullfs mounts may be used to include outside directories in the NFS root. Option 2 is to make the NFSv4 root the actual root of the system. This preserves the behavior of old NFS implementations. Regardless of where you put your V4 root, you must also add export lines, in the same style as NFSv3. The exports man page can be helpful here, and discusses the security implications of using NFSv4.<br /><br />
<pre># Option 1
V4: /nfsv4 -network=10.0.0.0 -mask=255.255.255.192
/nfsv4/ports -maproot=root: -network=10.0.0.0 -mask=255.255.255.192
# Option 2
V4: / -network=10.0.0.0 -mask=255.255.255.192
/usr/pxe/ports -maproot=root: -network=10.0.0.0 -mask=255.255.255.192</pre>
<br />
</li>
<li>Reload the exports file by signalling mountd<br /><br />
<pre>killall -HUP mountd</pre>
</li>
</ol>
</div>
<h2>
Client Configuration</h2>
Clients should now be able to mount the exported filesystem using the following commands, corresponding to the NFSv4 root options specified above. Notice that with option 1, the remote path omits the /nfsv4 prefix of the server.<br />
<br />
<pre># Option 1
mount -t nfs -o nfsv4 server:/ports /mnt
# Option 2
mount -t nfs -o nfsv4 server:/usr/pxe/ports /mnt</pre>
<h2>
Errors</h2>
If you get the following error when trying to mount from the client, don't be fooled:<br />
<br />
<pre>mount_nfs: /mnt, : No such file or directory</pre>
<br />
This may indicate that you have misspelled the remote path in your mount command. It may also indicate that you have an error in your exports file, or that your exports file is not configured the way you think it is. Go back and read step 3 of the Server Configuration.
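<div>
The two things step 3 and this error section turn on, whether each export actually sits under the V4 root (and what path the client therefore passes to mount), and whether the access controls on each line are as tight as intended, can be checked mechanically. This is an added example, not part of the original post; the /etc/exports text is constructed in the post's Option 1 layout with one deliberately misplaced export, and the maproot/network checks follow exports(5).</div>

```python
import posixpath

# Constructed /etc/exports in the post's "Option 1" layout (V4 root at /nfsv4),
# with one deliberately wrong line (/srv/backup) that sits outside the V4 root.
EXPORTS_OPTION1 = """
V4: /nfsv4 -network=10.0.0.0 -mask=255.255.255.192
/nfsv4/ports -maproot=root: -network=10.0.0.0 -mask=255.255.255.192
/nfsv4/home -network=10.0.0.0 -mask=255.255.255.192
/srv/backup -maproot=root:
"""

def parse_exports(text):
    """Return (v4_root, v4_opts, [(path, opts), ...]) from exports(5) text."""
    v4_root, v4_opts, exports = None, [], []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "V4:":
            v4_root, v4_opts = fields[1], fields[2:]
        else:
            exports.append((fields[0], fields[1:]))
    return v4_root, v4_opts, exports

def client_path(v4_root, path):
    """Path the client passes to mount(8): the server-side V4 root prefix is
    dropped (/nfsv4/ports is mounted as server:/ports). Returns None when the
    export lies outside the V4 root and so cannot be reached over NFSv4."""
    rel = posixpath.relpath(path, v4_root)
    return None if rel.startswith("..") else ("/" if rel == "." else "/" + rel)

def is_restricted(opts):
    """exports(5): a line with no -network and no host names is exported to everyone."""
    return any(o.startswith("-network") or not o.startswith("-") for o in opts)

def audit_exports(text):
    """List (path, finding) pairs: unreachable exports and weak access controls."""
    v4_root, v4_opts, exports = parse_exports(text)
    if v4_root is None:
        return [("V4:", "no V4 root line; NFSv4 mounts will fail")]
    findings = []
    if not is_restricted(v4_opts):
        findings.append(("V4:", "V4 root is not restricted to a network or host list"))
    for path, opts in exports:
        if client_path(v4_root, path) is None:
            findings.append((path, "outside V4 root; client sees 'No such file or directory'"))
        if any(o.startswith("-maproot=root") for o in opts):
            findings.append((path, "-maproot=root: lets remote root act as root on the server"))
        if not is_restricted(opts):
            findings.append((path, "no -network or host restriction; any host may mount it"))
    return findings
```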