OpenVZ: Bridged IPv6 subnets

I've been working on a GRE tunneling interface for a while, but wanted my OpenVZ host to take care of the services that host the tunnel. For example, instead of assigning each single IPv6 address manually via vzctl, addressing should be handled from inside the container. As long as vzctl and the venet interfaces are used, it has to be done the manual way. With OpenVZ this is not entirely obvious, since the documentation is not always collected in one place.

As a matter of fact, after searching for half a day, I think I've got it covered. First, make sure you're not using vzctl --ipadd when you're adding a larger subnet. Let's use an example:

vzctl set <ctid> --ipadd 2a01:299:a0:7000::/64

The example above will only assign one IP, 2a01:299:a0:7000::, to your container, not the entire subnet. To get more addresses this way, you have to make vzctl set them up one by one: 2a01:299:a0:7000::1/64, 2a01:299:a0:7000::2/64, and so on. The real magic happens when you start using veth and brctl correctly. In short:

vzctl set <ctid> --netif_add eth0 --save

# Find the right veth-interface and ...
brctl addif br0 veth-interface

In the OpenVZ release I use, bridging is set up by linking br0 with the created veth interface. How to identify this interface when you have more than one container is currently undiscovered ground, as, again, the documents are not very clear on this. I've seen names like veth101.0 used, but in my case, with Virtuozzo 7.x, I get interfaces like veth123a4bcd, and they are a bit hard to identify and connect to the right container. This should be handled automatically by scripts that run during the OpenVZ startup sequence, but that part is still undiscovered.

Instead, I've created a cron job that makes sure all the interfaces are really linked up after the server boots (which is probably a serious security concern if you host many containers for many users, as bridging opens up the networks a bit more than you probably wish):

#!/bin/bash
PATH=/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin

# Collect the names of all veth interfaces on the host (strip the trailing
# colon that newer ifconfig versions print after the interface name).
veth=$(ifconfig | grep veth | sed 's/:/ /' | awk '{printf $1 " "}')
echo "Bridging VE interfaces..."

for interface in $veth
do
    # Whole-word match, so an already bridged veth10 does not hide veth1
    hasInterface=$(brctl show | grep -w "${interface}")
    if [ "" = "$hasInterface" ] ; then
        echo brctl addif br0 "${interface}"
        brctl addif br0 "${interface}"
    fi
done
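As an added example (not from the original post), here is the same bridging decision written as testable shell functions over a constructed "brctl show" output. It compares interface names exactly, so an already bridged veth10 does not make a plain grep believe that veth1 is bridged too; the bridge name br0 and the sample interface names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: pick the veth interfaces that
# still have to be attached to br0. Names are compared exactly, so "veth1"
# is not taken as bridged just because "veth10" already is. Runs without root.

# Print every interface that "brctl show" lists as attached to a bridge.
# brctl prints the bridge, its id, STP state and the first interface on one
# line, then one further interface per line; the name is the last field.
bridged_ifaces() {
    awk 'NR > 1 && NF > 0 { print $NF }'
}

# Print the candidates ($2...) that are absent from the "brctl show" text ($1).
unbridged_ifaces() {
    show="$1"
    shift
    for iface in "$@"; do
        if ! printf '%s\n' "$show" | bridged_ifaces | grep -qx "$iface"; then
            printf '%s\n' "$iface"
        fi
    done
}

# Print the brctl commands for the missing interfaces (echo only; drop the
# echo to apply them for real as root).
bridge_missing() {
    unbridged_ifaces "$@" | while read -r iface; do
        echo brctl addif br0 "$iface"
    done
}

# Constructed sample in the format of "brctl show" on a host with one bridge.
SAMPLE_SHOW='bridge name     bridge id               STP enabled     interfaces
br0             8000.001122334455       no              eth0
                                                        veth10
                                                        veth123a4bcd'

# Only veth1 and veth77 still need bridging; veth10 and veth123a4bcd are done.
bridge_missing "$SAMPLE_SHOW" veth1 veth10 veth123a4bcd veth77
```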

With this little ugly one, we make sure that unbridged interfaces really get bridged, and only once, so brctl does not need to rerun the creation all the time. I think there are much better ways of doing this, however. The last thing to do after this setup is to actually assign the subnets properly. On the host server:

ip route add <A:B:C:D::/64> dev br0

In the container:

#!/bin/bash

# Address from the bridged subnet on the container's veth side
ip -6 addr add A:B:C:D::/64 dev eth0

# Link route to the gateway (the host's address on br0)
ip -6 route add <gateway> dev eth0

# Do not route IPv6 via venet0
ip -6 route del default dev venet0

# Route all IPv6 via the gateway on eth0 (adding the same default route
# twice fails with "File exists", so it is added only once)
ip -6 route add default via <gateway> dev eth0
Posted in Uncategorized | 1 comment

OpenVZ and sit-tunnels (Hurricane Electric) +openvpn

It has become absolutely clear to me that sit tunneling on OpenVZ is practically impossible. A technician from Hurricane Electric summed it up with the following comment:

Ok, I've been handling a bunch of tickets opened by folks now trying to get OpenVZ or Virtuozzo set up. The common mistake being made is people trying to bring up the tunnel inside the virtualized server. You MUST set up the tunnel on the OS that runs the physical machine. Then you can assign IPv6 addresses to the virtualized servers from your routed allocations.

Link

And he's definitely not joking. Setting up sit-based tunnels does not work, regardless of the method you use. However, GRE tunneling actually seems to work with a bit of effort. First of all, you have to make sure the interfaces are really available when running them on the host.

The following commands activate both gre and sit, but without permission to use sit in the virtual host. To make tunneling with sit work, make sure the tunnel is added on the host, not in the VPS itself. I have currently found no way of making sit work inside the container: either I get no permission to the interface, or I get "No buffer space available".

Another tip that people have linked to (and of course the links are dead) is tb-tun (https://code.google.com/archive/p/tb-tun/), an application that allows a sit tunnel to be created in userspace (not tested).

modprobe ip_gre
modprobe ip_tunnel
modprobe sit

The next step is to activate some features for the container. This step got the gre interface working for me, and I thought I also had sit working. But no, that failed. Do not forget to shut down your VPS here, as the following steps require it.

vzctl set ctid --features ipgre:on,sit:on,ipip:on,bridge:on --save
vzctl set ctid --devnodes net/tun:rw --save
vzctl set ctid --netfilter full

The last step was to set the VPS capabilities. As vzctl has deprecated the capability setting, it's better to use prlctl for this. I did this in bash, as there were too many rows to set manually…

#!/bin/bash
# Container id is taken as the first argument, e.g. ./caps.sh 101
ctid="${1:?usage: $0 <ctid>}"

capabilities="net_admin net_raw sys_admin ve_admin sys_resource"
for cap in $capabilities
do
    prlctl set "$ctid" --capability "${cap}:on"
done

If the interfaces do not show up when starting the VPS again, you might also need to add the devices manually.

vzctl set ctid --netdev_add gre0 --save
vzctl set ctid --netdev_add sit0 --save

In some cases you also need to use mknod to create /dev/net/tun, which is used by the tunnel interfaces (I did this both on the host and in the virtual server).

mkdir -p /dev/net
mknod /dev/net/tun c 10 200

At this point you should be able to create GRE tunnels and actually also use OpenVPN. However, still, trying to use sit is a no go.

Posted in Uncategorized

Is it okay to clean up your own internet?

A few years ago, during a period when chain letters and self-tests were especially popular, I sat [as usual] scrolling through the feed, noticeably frustrated by the amount of noise being produced. I started building a Chrome extension that helped me clean up where nobody else wanted to clean. As Facebook made changes to its platform, things stopped working now and then. On the other hand it did not matter much, because at the same time the platform made it possible to filter out more. The noise decreased to the point where it was possible to live with it.

One day everything changed. Facebook started being exploited politically. Right-wing extremist propaganda in particular flared up like self-ignited dry grass. Much of the propaganda was admittedly about naivety, and a little conversation with the people involved could salvage quite a lot of the situation. Elsewhere the stream never dried up, and some of it could not be salvaged either.

Quite recently the idea of content blocking therefore came back to life, but at the same time the moral bell started ringing loudly. Because what happens if you have a tool that seemingly erases what you yourself do not want to see? Well, the rest of the world will still be able to see the noise, since it is not actually deleted. You are merely shielded from seeing it. From a moral standpoint this is of course entirely objectionable, because these kinds of questions will remain unanswered (even among friends). Fewer people will be able to push back, and instead we allow serious problems to be fed and to grow bigger, completely unchecked.

I can get quite tired in the head when I see things I cannot influence myself. That means I risk having to take longer breaks to recover (and so all projects suffer too). After seeking feedback from various people, I have realised that, for my own part, it makes no difference whatsoever whether content blocking exists. Because if I take breaks from humanity now and then anyway, it would mean the same thing as if I had closed my eyes and blocked. The difference is that instead of taking breaks, I can still "hang out" with friends. So there is a fairly high probability that I will not have to shut this down out of moral resignation, but rather can continue to be self-preserving. Besides, I am probably not alone in needing to do so…

Posted in Sermon

There's a lot of information on how to use pv together with "dialog" as a progress indicator for many different projects. For example, even pv's own documentation shows how to display a progress bar while tarring and gzipping a file archive. But there are almost no documents that describe a similar thing for a simple chown/chmod process. Probably, in normal cases, this is not done since such a process is fast enough not to need it. But for larger directory structures it is sometimes nicer to have a progress bar rather than the verbose output of the process.

So here's how to do it!

   #!/bin/sh
   directory="/home/myLargeHome"
   permissions="myuser:mygroup"
   # Run chown in verbose mode (one line per file), but send that output to
   # pv, which counts the lines (-l) instead of bytes and prints the
   # percentage on stderr (-n); that percentage is what dialog --gauge reads.
   # The expected total is the number of entries under the directory.
   chown -Rv "$permissions" "$directory" | \
   pv -f -c -n -l -s "$(find "$directory" | wc -l)" 2>&1 >/dev/null | \
   dialog --gauge "Taking ownership of $directory" 7 70 0

Adding for example ”-i 0.1” to pv will make dialog update the view more often, but it might affect the performance of the process.

Posted by Tornevall

"The misunderstood photographer"

"The misunderstood photographer", coming soon to a skewed horizon near you.

The photographer

Posted in Photographed

Netflix and the blocking of tunneled ipv6-routes

Today I discovered that Netflix has started blocking tunneled IPv6 routes. This means, in the case of SiXXS (which I primarily use to reach IPv6), that I'm for now blocked from using Netflix this way. It also means I have a few options to make Netflix work again, even while I run IPv6 at the same time:

  • Edit the hosts file. Look up netflix.com to pick up all IPv4-based addresses. Problem: any changes that Netflix makes will never reach me. Besides, the streaming servers are probably named differently than just "www.netflix.com".
  • Disable IPv6 while watching Netflix. Problem: all IPv6 connectivity is lost while watching Transformers.

So the real problem here is that Netflix resolves on both IPv4 and IPv6, so I need a DNS server that only gives me IPv4 responses, so I don't have to track DNS updates myself. Since I host my own DNS services, what I did to solve this was to set up a secondary DNS server that explicitly returns IPv4 addresses when looking up names from an IPv4 network, without the list of IPv6 addresses.


In the primary master server, I put up a forward zone for the domain that hands all lookups to that secondary server, like this:

zone "netflix.com" IN {
        type forward;
        forwarders {
                10.1.1.129;
        };
};

And suddenly Netflix becomes available again, on an IPv4-only network…

Posted in IT/Data, IT/Development | 8 comments

object to object converting (__PHP_Incomplete_Class)

I've read a lot of suggestions on how to fix incomplete class objects, and I actually needed to fix those problems myself, in an e-commerce project.

One suggestion I've found is to simply use json_decode/json_encode to convert incomplete classes without preloading anything. However, I didn't want to take the risk of using this in case there are older PHP versions that depend on, for example, PECL, as described at http://php.net/manual/en/function.json-encode.php, so I finally succeeded in making my own solution.

However, the code is a way to get the data out of the object properly, so it may not fit all needs. It will primarily use the JSON solution first, if it is available in the environment, and fall back to manual handling if needed.

It also works recursively, which in my case is required to save the whole array.

    /**
     * Convert an object to a data object (used for repairing __PHP_Incomplete_Class objects).
     * Uses json_decode/json_encode when available, otherwise walks the structure manually.
     * @param array|object $d
     * @return array|mixed|object
     */
    function arrayObjectToStdClass($d = array())
    {
        /**
         * If json_decode and json_encode exist as functions, do it the simple way.
         * http://php.net/manual/en/function.json-encode.php
         */
        if (function_exists('json_decode') && function_exists('json_encode')) {
            return json_decode(json_encode($d));
        }
        $newArray = array();
        if (is_array($d) || is_object($d)) {
            // Cast to array first: this reads the properties of an
            // __PHP_Incomplete_Class without triggering property-access notices.
            foreach ((array)$d as $itemKey => $itemValue) {
                if (is_array($itemValue)) {
                    // This is a plain function, not a method, so recurse by name (no $this)
                    $newArray[$itemKey] = (array)arrayObjectToStdClass($itemValue);
                } elseif (is_object($itemValue)) {
                    $newArray[$itemKey] = (object)(array)arrayObjectToStdClass($itemValue);
                } else {
                    $newArray[$itemKey] = $itemValue;
                }
            }
        }
        return $newArray;
    }

http://stackoverflow.com/questions/965611/forcing-access-to-php-incomplete-class-object-properties/35863054#35863054

Posted in Uncategorized

It is not just us waiting for better weather

This gallery contains 2 images.

3 comments

Smoking in pictures.

96 pictures and 2 cigarettes later…

Smoke Finished w Sunglasses

Posted in Photographed | 3 comments

Guitar Hero drum kit found

"We were out for a trip with the family the other day, and when I got home my Guitar Hero drum kit had vanished without a trace".

But by all means, feel no sorrow, you who put out a call for it: we have found it for you again. It was Kjell Sortering, at the waste management plant in Sundsvall, who reported it just a few hours ago.


Posted in Project: Swedish garbage handling