Be careful with isc-bind 9.13.1

  • named can no longer use the EDNS CLIENT-SUBNET option for view selection. In its existing form, the authoritative ECS feature was not fully RFC-compliant, and could not realistically have been deployed in production for an authoritative server; its only practical use was for testing and experimentation. In the interest of code simplification, this feature has now been removed. The ECS option is still supported in dig and mdig via the +subnet argument, and can be parsed and logged when received by named, but it is no longer used for ACL processing. The geoip-use-ecs option is now obsolete; a warning will be logged if it is used in named.conf. ecs tags in an ACL definition are also obsolete, and will cause the configuration to fail to load if they are used. [GL #32]

If there is a load balancer such as dnsdist in front of your authoritative DNS server and you use `useClientSubnet=true` in its configuration, the views in BIND become useless.

So the way to achieve something similar is to use dnsdist and implement the BIND views in dnsdist with a configuration like this:

How to grow zfs on FreeBSD running inside VMWare

Live ZFS resizing inside VMware should be possible, but it takes several steps:

– First, resize the virtual disk in the VMware configuration. The recommendation is that all virtual disks be of similar size, for best performance in VMware.
– Ideally VMware should notify the guest OS that the resize happened. You should be able to see that with the `diskinfo -v /dev/daX` command. If it didn't happen, you'll probably need to reboot at this point.

root@:~ # gpart show
=> 34 335544253 da0 GPT (160G)
34 1024 1 freebsd-boot (512K)
1058 4194304 2 freebsd-swap (2.0G)
4195362 331348925 3 freebsd-zfs (158G)

=> 34 335544253 da1 GPT (160G)
34 1048576 1 freebsd-boot (512M)
1048610 4194304 2 freebsd-swap (2.0G)
5242914 330301373 3 freebsd-zfs (157G)

=> 34 356515773 da2 GPT (170G)
34 1048576 1 freebsd-boot (512M)
1048610 4194304 2 freebsd-swap (2.0G)
5242914 351272893 3 freebsd-zfs (167G)

The new space will appear after partition 3 on each disk.

– Next, resize the partition with `gpart resize …`. Hopefully it is the last one; otherwise this problem may have no easy solution. It should work on a mounted filesystem. In my example the commands are:

gpart resize -i 3 da0
gpart resize -i 3 da1
gpart resize -i 3 da2

– Next, make ZFS grow into the new space with `zpool online -e …`.
See the output of the `zpool status` command:

root@:~ # zpool status
pool: zroot
state: ONLINE
scan: scrub repaired 0 in 1h6m with 0 errors on Fri May 18 19:56:44 2018
config:

NAME STATE READ WRITE CKSUM
zroot ONLINE 0 0 0
gpt/zfs0 ONLINE 0 0 0
gpt/zfs1 ONLINE 0 0 0
gpt/zfs2 ONLINE 0 0 0

errors: No known data errors

So in the example you must execute the following commands:

zpool online -e zroot gpt/zfs0
zpool online -e zroot gpt/zfs1
zpool online -e zroot gpt/zfs2

It's good to run `zpool scrub zroot` afterwards.
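To make the "hopefully it is the last one" check explicit before typing anything, here is an added example (mine, not from the original post) that reads `gpart show` output and prints the commands for each disk whose freebsd-zfs partition is the last one and has free space behind it. The sample output is constructed in the shape of the post's; the disk names and sizes are invented. It also handles the case where `gpart show` flags the table as `[CORRUPT]` after the virtual disk grew (the GPT backup header is no longer at the end of the disk), which needs `gpart recover` before the resize.

```shell
#!/bin/sh
# Added example, not part of the original post. Reads `gpart show` output on
# stdin and prints what to run per disk: the freebsd-zfs partition is resized
# only when it is the last partition and free space follows it. A GPT flagged
# [CORRUPT] (backup header no longer at the disk end after the VM disk grew)
# gets `gpart recover` first.
plan_zfs_grow() {
    awk '
    function flush() {
        if (disk == "") return
        if (zidx == "")
            printf "# %s: no freebsd-zfs partition, skipping\n", disk
        else if (blocked != "")
            printf "# %s: partition %s lies after freebsd-zfs, cannot grow in place\n", disk, blocked
        else if (zend >= dend)
            printf "# %s: no free space after partition %s\n", disk, zidx
        else {
            if (corrupt) printf "gpart recover %s\n", disk
            printf "gpart resize -i %s %s\n", zidx, disk
        }
    }
    # Header line: "=> start size diskname GPT (total) [CORRUPT]"
    /^=>/ { flush(); disk = $4; dend = $2 + $3; corrupt = ($0 ~ /CORRUPT/)
            zidx = ""; zend = 0; blocked = ""; next }
    # Partition line: "start size index type (label)"; free space has "-" as index
    $3 ~ /^[0-9]+$/ {
        if ($4 == "freebsd-zfs") { zidx = $3; zend = $1 + $2 }
        else if (zidx != "" && blocked == "") blocked = $3
    }
    END { flush() }'
}

# Constructed sample: da0 was grown by 10G in VMware (free space after p3, GPT
# flagged CORRUPT), da1 has swap after the zfs partition, da2 is already full.
SAMPLE_GPART='=>       34  356515773  da0  GPT  (170G) [CORRUPT]
         34       1024    1  freebsd-boot  (512K)
       1058    4194304    2  freebsd-swap  (2.0G)
    4195362  331348925    3  freebsd-zfs  (158G)
  335544287   20971520       - free -  (10G)

=>       34  335544253  da1  GPT  (160G)
         34    1048576    1  freebsd-boot  (512M)
    1048610  330301373    2  freebsd-zfs  (157G)
  331349983    4194304    3  freebsd-swap  (2.0G)

=>       34  356515773  da2  GPT  (170G)
         34    1048576    1  freebsd-boot  (512M)
    1048610    4194304    2  freebsd-swap  (2.0G)
    5242914  351272893    3  freebsd-zfs  (167G)'

# Live use would be: gpart show | plan_zfs_grow
printf '%s\n' "$SAMPLE_GPART" | plan_zfs_grow
```

The script only plans the partition step; afterwards run `zpool online -e zroot <vdev>` for each vdev named in `zpool status`, as in the post, because the vdev labels (gpt/zfs0 and so on) are not visible in `gpart show` without `-l`.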

Problem with transmission and IPv6

The problem with net-p2p/transmission-daemon and IPv6 is that the transmission developers are … not willing to implement such functionality, as is visible from: https://trac.transmissionbt.com/ticket/4197

So users who need IPv6 on the host but do NOT want transmission to use IPv6 are left on their own.

So you can use this quick patch:

cd /usr/ports/net-p2p/transmission-daemon
make extract
cd work/transmission-2.93/libtransmission/
vi net.c

@@ -598,7 +598,7 @@
{
int addrlen = 16;
const int rc = tr_globalAddress( AF_INET6,
ipv6, &addrlen );
– have_ipv6 = ( rc >= 0 ) && ( addrlen == 16 );
+ have_ipv6 = 0; /** NO, we do not have IPv6 **/
last_time = now;
}
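Review bot: with `have_ipv6 = 0;` the `rc` computed on the line above is never read, so this will trip an unused-variable warning (and break the build if the port is compiled with -Werror); either drop the `tr_globalAddress( AF_INET6, ipv6, &addrlen );` call together with `addrlen`, or add `(void) rc;` after the assignment. Also, an edit made directly under work/ is lost on the next `make clean` or port update; putting the same change into files/patch-libtransmission_net.c under the port directory makes `make` reapply it every build.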

cd ../../../ && make deinstall install package clean
service transmission restart


Enjoy your non-IPv6-enabled daemon on an IPv6/IPv4 dual-stack system!
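To confirm that the rebuilt daemon really holds no IPv6 sockets, here is an added check (mine, not from the post or the transmission project) over `sockstat -46l` output; the sample output below is constructed in sockstat's column layout, with invented PIDs.

```shell
#!/bin/sh
# Added example, not part of the original post: after restarting the patched
# daemon, confirm it holds no IPv6 sockets. Reads `sockstat -46l` output
# (columns USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS) on stdin.

# Print PROTO and LOCAL ADDRESS of every IPv6 socket (proto ending in 6)
# owned by a command whose name starts with $1.
ipv6_sockets() {
    awk -v cmd="$1" 'NR > 1 && index($2, cmd) == 1 && $5 ~ /6$/ { print $5, $6 }'
}

# Number of such sockets, for use in scripts (0 means the patch took effect).
ipv6_socket_count() {
    ipv6_sockets "$1" | awk 'END { print NR }'
}

# Constructed samples in sockstat format: before the patch the daemon listens on
# tcp6/udp6 too, afterwards only on IPv4. sshd is there to show other processes
# are ignored.
SAMPLE_BEFORE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
transmission transmission-da 1234 5 tcp4 *:51413 *:*
transmission transmission-da 1234 6 tcp6 *:51413 *:*
transmission transmission-da 1234 7 udp4 *:51413 *:*
transmission transmission-da 1234 8 udp6 *:51413 *:*
transmission transmission-da 1234 9 tcp4 127.0.0.1:9091 *:*
root     sshd       812   4 tcp6   *:22                  *:*
root     sshd       812   5 tcp4   *:22                  *:*'
SAMPLE_AFTER='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
transmission transmission-da 1234 5 tcp4 *:51413 *:*
transmission transmission-da 1234 7 udp4 *:51413 *:*
transmission transmission-da 1234 9 tcp4 127.0.0.1:9091 *:*
root     sshd       812   4 tcp6   *:22                  *:*'

# Live use: sockstat -46l | ipv6_socket_count transmission
echo "before: $(printf '%s\n' "$SAMPLE_BEFORE" | ipv6_socket_count transmission) IPv6 sockets"
echo "after:  $(printf '%s\n' "$SAMPLE_AFTER" | ipv6_socket_count transmission) IPv6 sockets"
```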

DualStack/tcp46 web and mail server

You can verify it with these commands:

dig www.ostreff.info AAAA

traceroute6 www.ostreff.info

curl -6 www.ostreff.info

IPv6 Certification Badge for jostreff


It's funny to see that in the IPv6 world my site is 6 hops away. In IPv4 it's 7 hops away.


Jordan-Ostreffs-MBP:~ jostreff$ traceroute6 www.ostreff.info
traceroute6 to jsp.ostreff.info (2001:470:1f0a:1830::2) from 2001:470:1f15:1303:31ca:10e:17ec:fdd8, 64 hops max, 12 byte packets
1 2001:470:1f15:1303:ba8d:12ff:fe5b:1ff0 1.168 ms 1.502 ms 0.762 ms
2 jostreff-1.tunnel.tserv11.ams1.ipv6.he.net 37.673 ms 36.499 ms 36.333 ms
3 10ge11-20.core1.ams1.he.net 35.521 ms 33.730 ms 51.334 ms
4 100ge5-1.core1.fra1.he.net 44.787 ms 37.329 ms 41.756 ms
5 tserv1.fra1.he.net 42.740 ms 42.329 ms 43.809 ms
6 jostreff-2-pt.tunnel.tserv6.fra1.ipv6.he.net 75.220 ms 72.095 ms 72.247 ms

Jordan-Ostreffs-MBP:~ jostreff$ traceroute www.ostreff.info
traceroute to jsp.ostreff.info (84.54.160.14), 64 hops max, 52 byte packets
1 10.0.1.1 (10.0.1.1) 1.455 ms 0.874 ms 0.847 ms
2 82-137-110-2.ip.btc-net.bg (82.137.110.2) 2.043 ms 1.629 ms 1.429 ms
3 83-228-105-49.ip.btc-net.bg (83.228.105.49) 7.621 ms 8.028 ms 7.951 ms
4 83-228-105-50.ip.btc-net.bg (83.228.105.50) 13.347 ms 11.934 ms 10.202 ms
5 * * *
6 classic.classic-bg.net (84.54.160.14) 13.115 ms 9.090 ms 8.943 ms
7 classic.classic-bg.net (84.54.160.14) 9.356 ms 9.351 ms 9.125 ms

Next task: build a dual-stack tcp46 mail system.

The IPv6-enabled mail system has also already been passed.

DualStack ipv46 home network achieved

IPv6 Certification Badge for jostreff


~ jostreff$ ping6 google.com
PING6(56=40+8+8 bytes) 2001:470:1f15:1303:e813:c674:204e:ff54 --> 2a00:1450:4017:809::200e
16 bytes from 2a00:1450:4017:809::200e, icmp_seq=0 hlim=53 time=73.786 ms
16 bytes from 2a00:1450:4017:809::200e, icmp_seq=1 hlim=53 time=76.331 ms
16 bytes from 2a00:1450:4017:809::200e, icmp_seq=2 hlim=53 time=76.304 ms
^C
--- google.com ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 73.786/75.474/76.331/1.193 ms


Next task: make https://www.ostreff.info live in the IPv6 world!

Network weathermap plugin for Cacti 1.0

Following the instructions at https://github.com/howardjones/network-weathermap it is possible to have a working weathermap in Cacti 1.x again. There is still code to be corrected, but the basic functionality, visualising weathermaps (without clickable maps) and editing them, works.

Key points to pay attention to (quick & dirty install method):

cd /usr/local/share/cacti/plugins
# back up the old plugin (configs included) before replacing it
tar zcvf weathermap-backup.tgz weathermap/ && rm -rf weathermap
git clone https://github.com/howardjones/network-weathermap.git
mv network-weathermap weathermap
cd weathermap
npm install -g bower
# install composer locally into ./bin and pull the PHP dependencies
fetch https://getcomposer.org/installer -o composer-setup.php
php composer-setup.php --install-dir=bin --filename=composer
bower install --allow-root
php bin/composer update --no-dev

Restore the contents of your ./configs/*.conf directory from the archive you made (named weathermap-backup.tgz in the example above):

cd /usr/local/share/cacti/plugins
tar xvf weathermap-backup.tgz 'weathermap/configs/*.conf'

After that you can open the web interface of your Cacti installation and install and activate the weathermap plugin again from Settings.

Thanks to the author, Howard Jones, for the advice in the project's forum!

Another interesting project by the same author is https://github.com/howardjones/cacti-quicktree.

Quick way to upgrade from PHP5.6 to PHP7.2 on FreeBSD

There are many reasons why anyone would need to switch their machine to PHP 7.2: here, here, here and many more PoCs …

Use a script like the one below:

#!/usr/local/bin/bash
# Replace every installed php56* package with its php72 counterpart via portmaster.
for FILE in $(pkg info | grep php56 | cut -f1 -d' ') ; do
    # origin (category/port) of the installed package, e.g. lang/php56
    PKGNAME=$(pkg query %o "$FILE")
    NEWPKGNAME="${PKGNAME//php56/php72}"
    echo "Replacing port $FILE with $NEWPKGNAME"
    # new origin and old package are two separate arguments to portmaster -o
    portmaster -o "$NEWPKGNAME" "$FILE"
done
# rebuild the PECL and PEAR ports against the new PHP
portmaster pecl\*
portmaster pear\*

Next you should check with `php -v` that every dynamic library is linked correctly.

Hints for some "missing" packages:

portmaster -o devel/php72-intl pecl-intl-3.0.0_12
portmaster -o security/pecl-mcrypt php56-mcrypt-5.6.34

Using Hurricane Electric free DNS service for slaves

So apart from setting ns[2345].he.net as your DNS servers at your registrar and adding a slave at http://dns.he.net, you need to do the following:

  1. Allow AXFR transfers to slave.dns.he.net. The server that pulls zones is slave.dns.he.net, not ns1.he.net.
  2. Remove ns1.he.net from the allow-transfer ACLs if it was there.
  3. Set the server to send NOTIFYs to ns1.he.net. Yes, to ns1, not to slave.dns.he.net: slave.dns.he.net doesn't listen for any DNS requests, NOTIFYs included.

BIND example

The NOTIFY part is a bit tricky, so here’s an example from my setup.

Creating an ACL for slave.dns.he.net

At the top level of named.conf:

acl he-slaves
{
216.218.133.2; // slave.dns.he.net IPv4
2001:470:600::2; // slave.dns.he.net IPv6
};

Basic zone setup

zone "example.org" in
{
type master;
allow-transfer
{
he-slaves;
};
file "data/example.org";
};

Notification setup

Add this to the zone:

notify explicit;
also-notify
{
216.218.130.2;
};

So the zone looks like:

zone "example.org" in
{
type master;
allow-transfer
{
he-slaves;
};

notify explicit;
also-notify
{
216.218.130.2; // ns1.he.net
};

file "data/example.org";
};

PowerDNS 4 example

Execute these commands on the PowerDNS machine:

pdnsutil set-meta example.org ALLOW-AXFR-FROM AUTO-NS 216.218.133.2
pdnsutil set-meta example.org ALSO-NOTIFY 216.218.130.2

The result can be checked with:

pdnsutil get-meta example.org
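Once transfers and notifies are in place (with either the BIND or the PowerDNS setup above), the check a practitioner wants is whether ns1 to ns5.he.net actually serve the current serial. This is an added example, mine rather than the post's or Hurricane Electric's: `soa_serial` and `check_sync` work on constructed dig-style answers embedded below, and `live_check` shows how to feed them from real `dig +short` queries. The master address 203.0.113.10 is a placeholder, and the sample serials are invented.

```shell
#!/bin/sh
# Added example, not part of the original post: compare the SOA serial your
# master serves with the serial each HE secondary answers, and flag the ones
# that are behind or unreachable.

ZONE=example.org          # zone name as in the post
MASTER=203.0.113.10       # placeholder: address of your own master

# Extract the serial (third field) from a `dig +short SOA` answer line such as
#   ns1.example.org. hostmaster.example.org. 2018051801 10800 3600 604800 3600
soa_serial() {
    awk 'NF >= 3 { print $3; exit }'
}

# Compare one master serial against "name serial" lines on stdin; print a line
# per server and return 1 if any secondary is behind or gave no answer.
check_sync() {
    master="$1"
    rc=0
    while read -r name serial; do
        [ -z "$name" ] && continue
        if [ "$serial" != "$master" ]; then
            echo "STALE $name serial=${serial:-none} master=$master"
            rc=1
        else
            echo "OK    $name serial=$serial"
        fi
    done
    return $rc
}

# Live use (not run here): query the master and each HE server.
live_check() {
    master=$(dig +short @"$MASTER" "$ZONE" SOA | soa_serial)
    for n in 1 2 3 4 5; do
        printf '%s %s\n' "ns$n.he.net" \
            "$(dig +short @"ns$n.he.net" "$ZONE" SOA | soa_serial)"
    done | check_sync "$master"
}

# Constructed sample answers: ns3 still has the previous serial, ns5 did not
# answer at all (empty serial).
SAMPLE_MASTER='ns1.example.org. hostmaster.example.org. 2018051802 10800 3600 604800 3600'
SAMPLE_SLAVES='ns1.he.net 2018051802
ns2.he.net 2018051802
ns3.he.net 2018051801
ns4.he.net 2018051802
ns5.he.net '

printf '%s\n' "$SAMPLE_SLAVES" \
    | check_sync "$(printf '%s\n' "$SAMPLE_MASTER" | soa_serial)" \
    || echo "some secondaries are out of date"
```

A secondary that stays STALE after a serial bump usually means either the NOTIFY never reached ns1.he.net (step 3 above) or the AXFR from slave.dns.he.net was refused (steps 1 and 2), which the master's named or pdns log will show.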