mibus.org http://www.mibus.org/ Recent content on mibus.org Hugo -- gohugo.io mibus@mibus.org (Robert Mibus) mibus@mibus.org (Robert Mibus) Thu, 01 Mar 2018 00:00:00 +0000 About http://www.mibus.org/about/ Thu, 01 Mar 2018 00:00:00 +0000 mibus@mibus.org (Robert Mibus) http://www.mibus.org/about/ <p>Kinda nerdy father; Systems Engineer / SRE / Manager.</p> <h2 id="professional-summary:d680e8a854a7cbad6d490c445cba2eba">Professional Summary</h2> <p>I&rsquo;ve been a developer (PHP, C, Python, Go), Systems Administrator, SRE, and people manager. I can mess around with system internals, I can lead projects or small teams, I can coach and mentor.</p> <p>I like to take a step back and ask what problem we&rsquo;re <em>really</em> trying to solve.</p> <h2 id="skill-summary:d680e8a854a7cbad6d490c445cba2eba">Skill Summary</h2> <ul> <li>Technical leadership</li> <li>Team leadership / management</li> <li>Communication! Verbal and written</li> <li>Coaching and mentoring of junior staff</li> <li>Documenting then fixing pesky legacy systems</li> <li>Troubleshooting complex environments</li> <li>Linux (Debian/Ubuntu, Gentoo, RHEL)</li> <li>Solaris 9, 10</li> <li>Virtualisation (Solaris Containers, Linux-VServers, LXC, VMWare, Docker)</li> <li>IPv6, Systems &amp; Applications</li> <li>DNS (BIND; authoritative &amp; recursive)</li> <li>Email stuff (sendmail, IronPort)</li> <li>Backups (Legato/EMC NetWorker, Amanda)</li> <li>Puppet</li> <li>RADIUS</li> <li>OpenLDAP, Heimdal Kerberos.</li> <li>MySQL tuning, index optimisation</li> <li>Monitoring (munin, nagios, collectd, mon)</li> <li>Python, C, Go, PHP, HTML/CSS/JS</li> </ul> <h2 id="education:d680e8a854a7cbad6d490c445cba2eba">Education</h2> <ul> <li>Bachelor of Information Technology, Flinders University 2003.</li> <li>Certificate IV in Project Management</li> <li>Various courses - Zend Server, XIV SAN, and IPv6</li> <li>On the job! 
I learn new systems and technologies quickly.</li> </ul> <h2 id="more:d680e8a854a7cbad6d490c445cba2eba">More?</h2> <p>There is an employment history and various recommendations on <a href="http://au.linkedin.com/in/mibus">my LinkedIn profile</a>.</p> Google Home Calendar Announcements http://www.mibus.org/2018/02/26/google-home-calendar-announcements/ Mon, 26 Feb 2018 00:00:00 +0000 mibus@mibus.org (Robert Mibus) http://www.mibus.org/2018/02/26/google-home-calendar-announcements/ <p>We have a couple of Google Homes for our house&rsquo;s common areas, and for Christmas all of our kids got Google Home Minis for their rooms.</p> <p>One of the problems in our household is simply remembering when to do basic things - when to start cooking dinner, and whose turn it is. Noticing that it&rsquo;s bedtime for the kids and making sure they head off to their rooms.</p> <p>So - we have networked speakers in rooms and I&rsquo;m already running <a href="http://home-assistant.io">http://home-assistant.io</a> on a Raspberry Pi. Surely home automation is the solution! (Isn&rsquo;t it always? ;)</p> <p>I already have Google Calendar integration configured, and the Home devices all show up as Chromecast (<code>media_player</code>) targets.</p> <p>Proposal: I have a calendar of events, and at the start time of an event just say its name on all speakers. 
Example: a 7AM calendar notification for &ldquo;OK everybody, time to get up!&rdquo;.</p> <p>After a bunch of poking, I&rsquo;ve learned some stuff:</p> <ul> <li>Sometimes notifications can be quite delayed (up to ~10mins); I haven&rsquo;t seen a cause yet.</li> <li>Calendar data is synchronized less frequently than you might expect.</li> <li><code>data_template</code> can&rsquo;t be configured via the UI, but a quick poke at the YAML can fix that one line.</li> <li>home-assistant can&rsquo;t reliably cast to a Chromecast Device Group - I am guessing this is <a href="https://github.com/balloob/pychromecast/issues/165">this pychromecast bug</a>.</li> <li>If you play media to a home-assistant group of a set of Chromecasts, a failure of one to play (e.g. it&rsquo;s offline) can stop <em>any</em> of them playing.</li> </ul> <p>So, my current automation (with three outputs):</p> <pre><code>- action:
  - data_template:
      entity_id: media_player.kitchen_home
      message: '{{ states.calendar.chores.attributes.message }}'
    service: tts.google_say
  - data_template:
      entity_id: media_player.bedroom_1_speaker
      message: '{{ states.calendar.chores.attributes.message }}'
    service: tts.google_say
  - data_template:
      entity_id: media_player.bedroom_2_speaker
      message: '{{ states.calendar.chores.attributes.message }}'
    service: tts.google_say
  alias: Regular Reminders
  condition:
  - condition: state
    entity_id: calendar.chores
    state: 'on'
  id: '1518565910349'
  trigger:
  - entity_id: calendar.chores
    from: 'off'
    platform: state
    to: 'on'
  - platform: template
    value_template: '{{ states.calendar.chores.attributes.message }}'
</code></pre> IPv4 and NAT, the future http://www.mibus.org/2014/03/05/ipv4-and-nat-the-future/ Wed, 05 Mar 2014 00:00:00 +0000 mibus@mibus.org (Robert Mibus) http://www.mibus.org/2014/03/05/ipv4-and-nat-the-future/ <p>A discussion came up during lunch at the IPv6 Roadshow&#8230; is NAT robust and well understood?</p> <p><em>Since this is kind-of an opinion piece, I&#8217;m not going to cite 
evidence; it&#8217;s just random experience and anecdote that (to me) makes a lot of sense.</em></p> <p><strong>NAT is robust</strong>: NAT, for the sake of NAT &#8211; sure, maybe it&#8217;s robust (or &#8220;robust enough&#8221;). But even if you argue that NAT itself is robust, it in turn breaks a host of other things. Off the top of my head, some examples are:</p> <p><strong>IP Reputation</strong>: Any sizable NAT endpoint (like 3G carriers) has a rubbish IP Reputation. Want to send mail directly to the internet, instead of via your 3G provider&#8217;s server? Simply not going to work reliably.</p> <p><strong>Rate limiting</strong>: Anything that rate-limits by IP (say, to block obvious DoS attacks) is <em>going</em> to get triggered by heavy use from a NAT. Similar for things that limit the number of simultaneous connections by IP.</p> <p><strong>ALGs</strong>: ALGs in CPE are a crufty workaround that, just as often as not, break the protocol they&#8217;re trying to fix. (Like rewriting SIP packets and messing things up).</p> <p>Likewise, <strong>any P2P technology</strong> (Torrent, Skype, etc): If you don&#8217;t have a public IP just for yourself, these are either going to not work, or they&#8217;re going to increase in latency compared to the ideal. The common ways of making this stuff work (port forwarding, UPnP IGD) just aren&#8217;t likely to be supported at the carrier level (IMHO). More dependencies on routing through third-party servers, and more off-net traffic for carriers. There is a thing called PCP that may allow port forwarding in a CGNAT world, but I&#8217;m not holding my breath.</p> <p><strong>Timeouts</strong>: If your carrier going forwards needs to maintain a NAT entry for every connection, they&#8217;re going to have to time it out at some point. You&#8217;re going to be absolutely forced to use keepalives in every protocol that you don&#8217;t want summarily disconnected. 
And I hope those NAT tables are replicated to other gateways for if they fail&#8230;</p> <p><strong>Summary</strong>: There are challenges with this stuff in IPv6 &#8211; eg. you don&#8217;t want each /128 to have its own reputation &#8211; but the sort of wide-scale NAT that the future may hold is going to really mess up a lot of things and make them worse&#8230; but only over IPv4.</p> <p><strong>But it&#8217;s well understood</strong> - Actually, I&#8217;d also disagree that NAT is all that &#8220;well understood&#8221; &#8211; amongst sysadmins, do we all understand the different types of NAT (symmetric, full-cone; 1:1 vs 1:N, NAT+PAT vs just NAT, etc) and the implications of each of those on every end-user application we support?</p> Moving! http://www.mibus.org/2013/03/27/moving/ Wed, 27 Mar 2013 00:00:00 +0000 mibus@mibus.org (Robert Mibus) http://www.mibus.org/2013/03/27/moving/ <p>I&#8217;ve been [comparatively] quiet for a while now, and I can finally announce the results of my endeavours: I&#8217;ve resigned from Internode (ie. iiNet) in order to accept a position at Google in Sydney.</p> <p>This means that Missy and I and our kids are all packing our bags and getting ready to head eastwards, looking forward to new and exciting adventures.</p> <p>FAQ:</p> <ol> <li>When? My last week in Adelaide is the week of the 22nd of April.</li> <li>What will you do at Google? I&#8217;ll be a Site Reliability Engineer (which is kinda like a sysadmin).</li> <li>Why leave? Because it&#8217;s the right time, and I&#8217;m looking for new challenges.</li> <li>Why Google? It seems like a good fit for interests and for me personally. 
The folk I know there are generally pretty awesome, and I intend to learn as much as I can from them.</li> </ol> <p>As a final note, I&#8217;d like to thank Simon Hackett and Adam Fox for their support and encouragement over the past few years; without them, I don&#8217;t think I&#8217;d be where I am now.</p> <p>(FWIW, I started coming up with a list of people I&#8217;d like to thank, but it was unmanageably long &#8212; &#8220;Thank you&#8221; to the rest of you too; you should know who you are).</p> LCA2013 http://www.mibus.org/2013/02/27/lca2013/ Wed, 27 Feb 2013 00:00:00 +0000 mibus@mibus.org (Robert Mibus) http://www.mibus.org/2013/02/27/lca2013/ <p>I presented &#8220;After Arduino&#8221; at LCA2013, explaining how to dig deeper into what &#8220;Arduino&#8221; really is, and how to get better control over your embedded devices.</p> <p>If you are just after the slides, PCB schematics, or example code, then you should grab them here: <a href="https://github.com/mibus/AfterArduino">https://github.com/mibus/AfterArduino</a></p> <p>A video of the talk is available in <a href="http://mirror.linux.org.au/linux.conf.au/2013/mp4/After_Arduino.mp4">MP4</a> and <a href="http://mirror.linux.org.au/linux.conf.au/2013/ogv/After_Arduino.ogv">OGV</a> formats (or if you&#8217;re with Internode, you can grab <a href="http://mirror.internode.on.net/pub/linux.conf.au/2013/mp4/After_Arduino.mp4">unmetered MP4</a> and <a href="http://mirror.internode.on.net/pub/linux.conf.au/2013/ogv/After_Arduino.ogv">unmetered OGV</a> files).</p> <p>Here&#8217;s one of the projects I used to learn about this stuff myself:</p> <p><a href="http://www.mibus.org/2012/05/12/attiny85-flasher-for-mothers-day/"><img class="aligncenter size-medium wp-image-1507" title="ATtiny-powered!" 
src="http://www.mibus.org/wp-uploads/2012/05/IMG_1942-300x225.jpg" alt="" width="300" height="225" /></a></p> <p>(Please excuse the messy point-to-point soldering, I had very tight space constraints and not a lot of time to make it neat! :).</p> <p>Here are some PCBs I designed to help program ATmega168/328 and ATtiny13/85 devices when they&#8217;re in a breadboard. The designs are available from the Github repo mentioned earlier:</p> <p><a href="http://www.mibus.org/wp-uploads/2012/06/IMG_1947.jpg"><img class="aligncenter size-medium wp-image-1523" title="PCBs! - iTeadStudio" src="http://www.mibus.org/wp-uploads/2012/06/IMG_1947-e1339537582148-300x225.jpg" alt="" width="300" height="225" /></a></p> <p><a href="http://www.mibus.org/wp-uploads/2012/06/IMG_1956.jpg"><img class="aligncenter size-medium wp-image-1524" title="PCBs! - DorkbotPDX PCB Order" src="http://www.mibus.org/wp-uploads/2012/06/IMG_1956-e1339537884954-300x225.jpg" alt="" width="300" height="225" /></a></p> <p>My talk synopsis was:</p> <blockquote> <p>So you&#8217;ve started playing with this cool thing called &#8220;Arduino&#8221;. You&#8217;re having fun with buttons and LEDs and have started making some real projects that use them.</p> <p>But then you realise a few limitations: they can be bulky, they&#8217;re a little expensive, they don&#8217;t have quite enough flash, they have too many I/O pins, or maybe they&#8217;re just entirely too easy to use and you want some new challenges. What do you do?</p> <p>You attend this presentation! :)</p> <p>This presentation is neatly divided in half; the first (Hardware) half talks about:</p> <ul> <li>What Arduino hardware really is</li> <li>What makes up an Arduino system</li> <li>In-Circuit System Programmers (ie., that six-pin header you basically never use).</li> <li>What similar hardware exists</li> <li>How YOU can make a cheaper and simpler platform for yourself</li> <li>Your ATmega chip&#8217;s little brother, the ATtiny&#8230;</li> </ul> <p>The second half focuses on the Arduino software:</p> <ul> <li>What the Arduino software brings you</li> <li>How the Arduino software limits you</li> <li>Using make &amp; avr-gcc to build software for AT{mega,tiny} chips</li> <li>Accessing the registers that control the processor directly</li> <li>How software really uses the hardware interrupts</li> <li>Getting more than two interrupts</li> <li>Using the on-board timers to hand-bake PWM and other things</li> <li>Faster I/O</li> <li>Shrinking your application</li> </ul> <p>If you ever PEEKed and POKEd with a C64, and are now fiddling with Arduinos &#8211; this is the talk for you.</p> </blockquote> Making GNOME-Shell plugins save their config http://www.mibus.org/2013/02/15/making-gnome-shell-plugins-save-their-config/ Thu, 14 Feb 2013 00:00:00 +0000 mibus@mibus.org (Robert Mibus) http://www.mibus.org/2013/02/15/making-gnome-shell-plugins-save-their-config/ <p>I&#8217;m working on a GNOME-Shell plugin that can show alternate timezones. 
As part of the plugin, I want it to remember what the user&#8217;s selected timezone is.</p> <p>A good extension to pull apart seems to be the &#8220;<a href="https://github.com/paradoxxxzero/gnome-shell-system-monitor-applet/">System Monitor</a>&#8221;.</p> <p>The &#8220;short version&#8221; of the minimum you need to do is as follows&#8230;</p> <p>Add a schema name to your <code>metadata.json</code>, eg:</p> <pre>"settings-schema": "org.gnome.shell.extensions.system-monitor",</pre> <p>(Replace &#8220;system-monitor&#8221; with a unique name for your own extension)</p> <p>Create a <code>schemas</code> directory inside your extension&#8217;s directory, and create a file inside that called <code>YOURSCHEMANAME.gschema.xml</code>, eg. <code>org.gnome.shell.extensions.system-monitor.gschema.xml</code>.</p> <p>Populate this with appropriate gschema magic; the <a href="https://raw.github.com/paradoxxxzero/gnome-shell-system-monitor-applet/master/system-monitor@paradoxxx.zero.gmail.com/schemas/org.gnome.shell.extensions.system-monitor.gschema.xml">system-monitor schema</a> is pretty handy again here.</p> <p>Inside your extension&#8217;s <code>schemas</code> directory, run:</p> <pre>glib-compile-schemas .</pre> <p>(Don&#8217;t miss the &#8220;.&#8221; :)</p> <p>Download <a href="http://git.gnome.org/browse/gnome-shell-extensions/plain/lib/convenience.js"><code>convenience.js</code></a> into your extension&#8217;s directory.</p> <p>Inside your <code>extension.js</code>, set up some new imports:</p> <pre>const ExtensionUtils = imports.misc.extensionUtils;
const Me = ExtensionUtils.getCurrentExtension();
const Convenience = Me.imports.convenience;</pre> <p>Somewhere during init() or enable(), you&#8217;ll want to grab a reference to your loaded schema object:</p> <pre>this._schema = Convenience.getSettings();</pre> <p>You can now get and set keys, eg. I&#8217;m using:</p> <pre>this._schema.get_string('tz');</pre> <p>and</p> <pre>this._schema.set_string('tz', newTz); // newTz: the timezone string the user picked</pre> <p>You probably should set up an actual preferences window&#8230; you can learn more about that at <a href="http://blog.mecheye.net/2012/02/more-extension-api-breaks/">http://blog.mecheye.net/2012/02/more-extension-api-breaks/</a>.</p> ping -f[aux flood] http://www.mibus.org/2012/12/02/ping-faux-flood/ Sun, 02 Dec 2012 00:00:00 +0000 mibus@mibus.org (Robert Mibus) http://www.mibus.org/2012/12/02/ping-faux-flood/ <p>I&#8217;m having trouble admitting this publicly, but I learnt something new recently about ping, of all things.</p> <p>To quote from the man page of ping:</p> <pre>-f Flood ping. For every ECHO_REQUEST sent a period ``.'' is printed, while for ever ECHO_REPLY received a backspace is printed. This provides a rapid display of how many packets are being dropped.</pre> <p>Seems reasonable enough. I mean, &#8220;flood&#8221; is pretty clear, right? Except, during troubleshooting this week I found that pinging a responding host and a non-responding host resulted in sending a different rate of packets.</p> <p>Reading on in the man page, it becomes apparent why:</p> <pre>If interval is not given, it sets interval to zero and outputs packets as fast as they come back or one hundred times per second, whichever is more. 
Only the super-user may use this option with zero interval.</pre> <p>So what you really want, if you want a consistent number of packets per second, is to use the command like this:</p> <pre>ping -f -i 0.01 somehost.example.net</pre> <p>An interval of zero is actually an interval of &#8220;anything from zero to 10 milliseconds, depending on the RTT to the remote host&#8221;.</p> Multiple SSH port-forwards, all in a row… http://www.mibus.org/2012/11/23/multiple-ssh-port-forwards-all-in-a-row/ Thu, 22 Nov 2012 00:00:00 +0000 mibus@mibus.org (Robert Mibus) http://www.mibus.org/2012/11/23/multiple-ssh-port-forwards-all-in-a-row/ <p>Sometimes, you really need to get from point &#8220;A&#8221; to point &#8220;B&#8221;, but you can&#8217;t. Restrictive firewalls, poor change control, you don&#8217;t own the infrastructure, or maybe it&#8217;s just &#8220;temporary&#8221; and you don&#8217;t want to have to go to all that effort just for a few days.</p> <p>Struggle no more!</p> <h2 id="ssh-port-forwarding-primer:ac85863f909cd980575e4360fdfc46ec">SSH Port Forwarding Primer</h2> <p>Let&#8217;s just say that you have an application on server &#8220;A&#8221;, and you want it to be able to reach a web service on your local desktop. You want to open a socket listening on the <strong>R</strong>emote end, which forwards the connection back over SSH to your local machine. 
(Maybe a NAT gateway is in the way).</p> <p>Assuming the server is called &#8220;server-a&#8221; and your web service is on port 8080, the following may well suffice:</p> <pre>ssh -R8080:localhost:8080 server-a.example.com</pre> <p>&#8220;-R&#8221; for <strong>R</strong>emote listening socket, the port number for the designated [remote, in this case] side, then a host and port on the other [local] side.</p> <p>If you want a local listening socket to forward the packets securely to the remote server &#8211; maybe a firewall is in the way this time &#8211; just change the <strong>R</strong>emote for <strong>L</strong>ocal:</p> <pre>ssh -L8080:localhost:8080 server-a.example.com</pre> <p>Now, connecting to your desktop&#8217;s port 8080 will land on the far-end&#8217;s <code>localhost:8080</code>. Again, the first 8080 is for the designated side [local, this time] and the <code>localhost:8080</code> for the other [remote] side.</p> <h2 id="linking-port-forwards-together:ac85863f909cd980575e4360fdfc46ec">Linking port-forwards together</h2> <p>Here&#8217;s a hypothetical scenario, where Server D needs to be reached by Server A. For whatever reason, no single host has connectivity the whole distance.</p> <p>In short, if an SSH port forward opens a remote socket and sends it locally, then that local port can be opened by a different SSH session and forwarded elsewhere too.</p> <p>You can set this example up thusly:</p> <p><img class="aligncenter size-full wp-image-1590" title="Complex SSH Forward" src="http://www.mibus.org/wp-uploads/2012/11/complex-ssh-forwards.png" alt="Diagram of a complex SSH forwarding situation" width="459" height="389" /></p> <p><strong>On the desktop:</strong></p> <pre>ssh -R8080:localhost:8080 server-a.example.com
ssh -L8080:localhost:8080 server-b.example.com</pre> <p>These two together get Server A connectivity to Server B (via port 8080). 
Right now, it ends there, because Server B isn&#8217;t listening on port 8080.</p> <p><strong>On Server B:</strong></p> <pre>ssh -L8080:server-d.example.com:8080 server-c.example.com</pre> <p>This time, we don&#8217;t want to forward the local socket&#8217;s connections to <code>localhost</code> on the remote server, we want to pass it all the way to Server D. What happens is that Server B listens on port 8080, bundles all the data up and over SSH to Server C, then Server C unpacks it all and sends it to the nominated address (<code>server-d.example.com:8080</code>).</p> <p>Now Server A can point to its <code>localhost:8080</code>, and end up on <code>server-d.example.com:8080</code>.</p> <p>Spiffy, huh!</p> <p>Please don&#8217;t do this in production, though &#8211; but if you do, please don&#8217;t tell anybody I told you how! :)</p> <p><em>You might also be interested in <a href="http://www.mibus.org/2010/06/21/hacky-ip-forwarding-with-ip-aliases-and-ssh/">my other SSH port-forwarding hacky trick</a>, where I show how to make a remote server appear local without needing proxy support in your application.</em></p> GNOME-Shell multi-timezone clock http://www.mibus.org/2012/11/17/gnome-shell-multi-timezone-clock/ Sat, 17 Nov 2012 00:00:00 +0000 mibus@mibus.org (Robert Mibus) http://www.mibus.org/2012/11/17/gnome-shell-multi-timezone-clock/ <p>As many of you know, the company I work for (Internode) was recentlyish purchased by iiNet.</p> <p>iiNet&#8217;s headquarters is in Perth, which is 1.5 or 2.5 hours &#8220;behind&#8221; Adelaide time.</p> <p>There&#8217;s no longer a multi-timezone clock available for the panel, so&#8230; oh well I just wrote one myself.</p> <p><a href="http://www.mibus.org/2012/11/17/gnome-shell-multi-timezone-clock/gnome-shell-adl-and-per/" rel="attachment wp-att-1581"><img 
src="http://www.mibus.org/wp-uploads/2012/11/GNOME-Shell-ADL-and-PER.png" alt="Screenshot of multi-timezone clock in GNOME-Shell top panel" title="GNOME-Shell - ADL and PER" width="308" height="26" class="aligncenter size-full wp-image-1581" /></a></p> <p>Right now, it only supports GMT+8 as the &#8220;remote&#8221; timezone, but it&#8217;s easy enough to change the code.</p> <p>The code is up on GitHub: <a href="https://github.com/mibus/MultiClock" title="https://github.com/mibus/MultiClock">https://github.com/mibus/MultiClock</a></p> <p>Thanks to Marco Dallagiacoma for writing the <a href="https://extensions.gnome.org/extension/202/fuzzy-clock/">&#8220;Fuzzy Clock&#8221; plugin</a>, as I used it as a basis for my own code.</p> NetWorker – Random stalling http://www.mibus.org/2012/11/11/networker-random-stalling/ Sun, 11 Nov 2012 00:00:00 +0000 mibus@mibus.org (Robert Mibus) http://www.mibus.org/2012/11/11/networker-random-stalling/ <p>One of the things I&#8217;ve spent a lot of time with has been EMC NetWorker (previously Legato NetWorker).</p> <p>A vaguely common issue is for a process of some kind &#8211; backups, staging to tape, restores, etc &#8211; to just stop making any new progress, for no apparent reason.</p> <p>Once you&#8217;ve checked off the common reasons &#8211; like making sure you haven&#8217;t run out of disk space or usable tapes &#8211; it seems like the only option is to restart NetWorker as a whole, losing any in-progress actions (even ones that are to devices that haven&#8217;t stalled).</p> <p>I suspect that random underlying I/O issues can occasionally upset it, and it doesn&#8217;t quite recover. But, whatever. How do you make it recover a single device, without restarting the whole thing?</p> <p>First up, get the PID of the main <code>nsrd</code> process. 
On Solaris, <code>ps -ef | grep nsrd</code>; or on Linux <code>ps uaxw | grep nsrd</code>.</p> <p>Assuming the PID is <code>1234</code>, you next need to run: <code>dbgcommand -p 1234 PrintDevInfo</code></p> <p>It should pretty quickly spit out a whole stack of debugging info to <code>/nsr/logs/daemon.raw</code>. It&#8217;s moderately complicated, but you should see that it&#8217;s a dump of its internal state of each device, including <code>d_device</code> &#8211; the *nix device or directory, and <code>mm_number</code> &#8211; the unique ID for the <code>nsrmmd</code> process for that device.</p> <p>So &#8211; find the device you&#8217;re interested in, and find the <code>mm_number</code> for that device.</p> <p>Get a list of your <code>nsrmmd</code> processes, eg. <code>ps -ef | grep nsrmmd</code> or <code>ps auxw | grep nsrmmd</code>. If your <code>mm_number</code> is 5, then there will be a process <code>nsrmmd -n 5</code></p> <p>Kill the process, and it should re-spawn by itself on further access.</p> IPv6 for SysAdmins http://www.mibus.org/2012/11/08/ipv6-for-sysadmins/ Wed, 07 Nov 2012 00:00:00 +0000 mibus@mibus.org (Robert Mibus) http://www.mibus.org/2012/11/08/ipv6-for-sysadmins/ <p>IPv6 is a new and complicated piece of technology; like any new technology it takes a while to get used to and discover what does and doesn&#8217;t really work.</p> <p>Who am I? I&#8217;m Robert Mibus, and I helped roll out many of the IPv6-enabled services at Internode (now part of iiNet). I&#8217;m writing this based on my personal experience and opinion, so even though I reference Internode frequently, please don&#8217;t consider any of the below official communication from them, OK? 
:)</p> <p>What this page is:</p> <ul> <li>Systems-focused</li> <li>Some network stuff you need to know</li> <li>What I wish I knew three years ago</li> </ul> <p>What this page is not:</p> <ul> <li>Waxing on about infinite address space for the sake of itself</li> <li>Pretty graphs on consumer uptake</li> <li>Spiffy future IPv6-could-do-this explanations</li> </ul> <h1 id="network-stuff:55808878b0dc53904f6f03bca43b825c">Network Stuff</h1> <h2 id="connectivity:55808878b0dc53904f6f03bca43b825c">Connectivity</h2> <p>The first thing about IPv6 is how you&#8217;re going to get your connectivity. You have two basic options &#8211; obtain it natively (eg. via ethernet or PPP from your ISP or colo provider), or via an IPv6-specific tunnel (eg. from a tunnel provider like HurricaneElectric).</p> <p>So&#8230; Don&#8217;t use tunnels; just harass your ISP. IPv6 is critical to future growth on the Internet, and is no longer a &#8220;maybe sometime in the future&#8221; thing.</p> <h2 id="addressing:55808878b0dc53904f6f03bca43b825c">Addressing</h2> <p>An IPv4 address is like this: <code></code>.</p> <p>An IPv6 address is like this: <code>2001:44b8:0001:0000:0000:0000:0000:0001</code></p> <p>In order to make the addresses shorter, you can drop leading zeroes in any group, ie: <code>2001:44b8:1:0:0:0:0:1</code></p> <p>You can also replace one (and <em>only</em> one) string of <code>:0:0:0:...</code> (for any number of <code>:0:</code>), with &#8220;<code>::</code>&#8221;&#8230;</p> <p><code>2001:44b8:1::1</code></p> <p>That&#8217;s Internode&#8217;s IPv6 DNS resolver address. The IPv4 address is actually <em>longer</em>:</p> <p><code></code></p> <p>It&#8217;s worth pointing out that many apps don&#8217;t accept IPv6 addresses &#8220;as-is&#8221;; primarily because adding port identifiers (like <code>:8080</code>) causes ambiguity. In those cases, typically the address has square brackets placed around it, eg. 
<code>[2001:db8:1::1]:8080</code></p> <h2 id="allocations:55808878b0dc53904f6f03bca43b825c">Allocations</h2> <p>An ISP will get a large allocation of IPv6 addresses. Typically this will be a /32 or larger (leaving at least 96 bits for the ISP to play with).</p> <p>eg.</p> <p><code>2001:db8::/32</code> → ISP</p> <p>The ISP is likely to hand a customer a block somewhere between a /48 and /64. Internode currently gives out /56 as standard, so a customer&#8217;s allocation from an ISP might look like this:</p> <p><code>2001:db8:1c7:2d00::/56</code> → ISP Customer</p> <p>Individual VLANs are typically cut up as /64s, for reasons we&#8217;ll get into later. A /56 thus gives you 256 fully addressable VLANs. You might carve them up like this:</p> <p><code>2001:db8:1c7:2d00::/64</code> → Servers</p> <p><code>2001:db8:1c7:2d01::/64</code> → Ethernet PCs</p> <p><code>2001:db8:1c7:2d02::/64</code> → Wireless PCs</p> <p>The first 64 bits are then the &#8220;network part&#8221; and the second 64 bits are the &#8220;host part&#8221; of the address.</p> <h2 id="allocations-8211-pitfalls:55808878b0dc53904f6f03bca43b825c">Allocations &#8211; Pitfalls!</h2> <p>Is <code>2001:db8:1c7:2d::/56</code></p> <ul> <li><code>2001:db8:1c7:2d00::/56</code>, or</li> <li><code>2001:db8:1c7:002d::/56</code>?</li> </ul> <p>Leading zeroes are removed, so it&#8217;s <code>002d</code> not <code>2d00</code>. If you&#8217;re at all uncertain when subnetting, put the zeroes back in when you&#8217;re working it out! A tool like &#8220;sipcalc&#8221; on Linux can also help with calculations like that.</p> <p>While I&#8217;m on subnetting &#8211; only subnet on 4-bit boundaries, please&#8230; (each hex character is 4 bits). Why? You know how in IPv4, it&#8217;s easy to see if a given IPv4 address falls inside or outside a /24 subnet, but harder on a /28 or /29? 
Subnetting inside the 4 bits is going to drive you insane with craziness in a similar way.</p> <p>(ie., don&#8217;t go making a /63, /62, or /61 &#8211; round up and make it a /60!)</p> <h2 id="topological-division:55808878b0dc53904f6f03bca43b825c">Topological Division</h2> <p>Without trying to contradict the previous section too much, all those extra bits <em>can</em> be useful for route aggregation. If you run a large network with multiple campuses, you can use all the extra bits to create routes that can be easily aggregated together.</p> <p>Imagine the topology for connecting a large set of schools. You might take a chunk of your address like this &#8211; <code>:0000:</code>. That&#8217;s really <code>0000 0000 0000 0000</code> in binary. You might take a bit for region (East-coast or not?), a couple of bits for sub-region (City, or other major routing point), and a couple for the specific site number.</p> <p>One thing you should always try to do is keep the top-most bit reserved.</p> <p>Why?</p> <p>Because it means that if you&#8217;ve divided yourself too far and run out of usable networks, you can make a whole new subdivision scheme because you still have half of your addresses left!</p> <h1 id="network-stuff-8211-going-smaller-than-64:55808878b0dc53904f6f03bca43b825c">Network Stuff &#8211; Going Smaller Than /64</h1> <p>It&#8217;s really not going to be worth it. 
&#8220;Saving address space&#8221; isn&#8217;t the argument it used to be!</p> <p>Among other things, you won&#8217;t be able to use SLAAC (stateless address autoconfiguration).</p> <p>Chances are, plenty of other things will be awkward &#8211; probably the one I&#8217;d be most concerned with is that you&#8217;re going to be breaking lots of people&#8217;s expectations about what a network should look like, which may confuse others looking at your network.</p> <p>Technically, going smaller than /64 works in some cases &#8211; like point-to-point links &#8211; and may even have some benefits in those edge cases. Feel free to do it if there&#8217;s a really really really good reason.</p> <p>But <em>allocate</em> the /64, at least notionally &#8211; That way you can still change your mind later!</p> <p>You may end up being given something smaller than a /64 in cases where you might only normally get a single IP &#8211; eg. in a cheap VPS. Take what you can get :)</p> <h1 id="hardware-support:55808878b0dc53904f6f03bca43b825c">Hardware Support</h1> <p>For non-enterprise-grade routers, you can check places like Whirlpool. You can also take a look at Internode&#8217;s router offerings &#8211; all should now support native IPv6.</p> <p>Be warned though; some hardware might &#8220;support&#8221; IPv6, but do so in a limited fashion &#8211; it might be software-routing rather than hardware, or it might not expose all of the same statistics via SNMP for IPv6, etc. As always, it&#8217;s best to test hardware before making a big purchase.</p> <h1 id="icmp-firewalling:55808878b0dc53904f6f03bca43b825c">ICMP Firewalling</h1> <p>Don&#8217;t. It wasn&#8217;t a great idea for IPv4, and IPv6 relies even more heavily on ICMP control messages.</p> <p>There&#8217;s RFC4890 to cover precisely how you can filter ICMP safely &#8211; it&#8217;s 38 pages long.</p> <p>But, seriously, just don&#8217;t. 
(Unless you need to)</p> <h1 id="firewalling:55808878b0dc53904f6f03bca43b825c">Firewalling!</h1> <p>The suckiest part of dealing with IPv6 firewalls right now is that they&#8217;re typically wholly separate from IPv4 firewalls.</p> <p>Using <code>iptables</code>? You need to use <code>ip6tables</code> too. Configuring it on your CPE? It&#8217;s probably not smart enough to have the two really intermingled either.</p> <p>What this means is that <em>documentation is even more important than ever</em>. Each and every set of firewall entries in both firewalls should be documented in enough detail that you can see clearly that the two sets of firewalls are functionally identical.</p> <p>One nice benefit of IPv6 when firewalling is that you can afford to have an IPv6 address per service on a given host. That makes firewalling easier, and can make it easier to migrate the service to another host later. But, if you&#8217;re lazy (like me! :), you&#8217;ll probably still be happy using just one IP per host. (Virtualisation does mean we get to have a lot of hosts, though&#8230;).</p> <h1 id="arp-no-neighbour-discovery-8230:55808878b0dc53904f6f03bca43b825c">ARP! No, Neighbour Discovery&#8230;</h1> <p>In IPv4, &#8220;ARP&#8221; is used to discover the MAC address of a host you want to talk to. In IPv6, the comparable protocol is Neighbor Discovery (ND) &#8211; which uses ICMPv6. The response comes in the form of a Neighbor Advertisement, also ICMPv6.</p> <p>With ARP, your request is broadcast across the whole VLAN. ND uses link-local multicast to target just a subset of hosts &#8211; typically a small enough subset that it is only hitting the one host! 
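<p>To make the &#8220;last 24 bits&#8221; rule concrete, here is an added Python example (not from the original post) that derives the solicited-node multicast group a Neighbor Solicitation is sent to, the Ethernet multicast MAC it maps to, and which addresses on a segment would share a group. The sample addresses are constructed documentation-prefix values.</p>

```python
import ipaddress

# Solicited-node multicast prefix (RFC 4291 section 2.7.1): ff02::1:ff00:0/104.
# The low 24 bits of the unicast address being resolved are appended to it.
SOLICITED_NODE_PREFIX = ipaddress.IPv6Network("ff02::1:ff00:0/104")


def solicited_node_multicast(addr: str) -> ipaddress.IPv6Address:
    """Return the link-local multicast group a Neighbor Solicitation for addr is sent to."""
    ip = ipaddress.IPv6Address(addr)
    low24 = int(ip) & 0xFFFFFF
    return ipaddress.IPv6Address(int(SOLICITED_NODE_PREFIX.network_address) | low24)


def multicast_mac(group: str) -> str:
    """Ethernet destination MAC for an IPv6 multicast group (RFC 2464): 33:33 + low 32 bits."""
    g = ipaddress.IPv6Address(group)
    if not g.is_multicast:
        raise ValueError(f"{group} is not a multicast address")
    low32 = int(g) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{(low32 >> shift) & 0xFF:02x}" for shift in (24, 16, 8, 0))


def solicited_node_groups(addrs):
    """Group addresses by the solicited-node group they listen on.

    Hosts whose addresses share the last 24 bits end up in the same group, so a
    solicitation for one of them is also delivered to (and discarded by) the others.
    """
    groups = {}
    for a in addrs:
        groups.setdefault(str(solicited_node_multicast(a)), []).append(a)
    return groups


if __name__ == "__main__":
    # Constructed sample segment: two hosts deliberately share the low 24 bits.
    hosts = ["2001:db8::1234:5678", "2001:db8::1", "2001:db8:0:1::9999:1234:5678"]
    for group, members in solicited_node_groups(hosts).items():
        print(f"{group} ({multicast_mac(group)}): {members}")
```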
(For the technically-inclined, the multicast packet is sent to all hosts that share the last 24 bits of their IPv6 address with the address being looked for).</p> <p>Like with ARP, this isn&#8217;t routed traffic, it&#8217;s specific to the layer-2 network that the host is physically connected to.</p> <h1 id="broadcast-ping:55808878b0dc53904f6f03bca43b825c">Broadcast Ping</h1> <p>Much like ARP&#8217;s replacement, the replacement for a broadcast ping uses local network multicast too.</p> <p>All nodes on a network will join a special multicast group with an address of <code>ff02::1</code>. Ping that instead of an address like <code></code>.</p> <p>There&#8217;s a similar one that is only joined by routers (rather than hosts), <code>ff02::2</code>.</p> <h1 id="duplicate-address-detection:55808878b0dc53904f6f03bca43b825c">Duplicate Address Detection</h1> <p>An in-built part of IPv6 is &#8220;Duplicate Address Detection&#8221;, or DAD.</p> <p>In short, when an IP address is brought up on an interface, it uses Neighbour Discovery to make sure it&#8217;s the only node with that address. Due to this, freshly-added addresses on an interface will show as &#8220;tentative&#8221;, and not actually be usable.</p> <p>This includes all configured IPv6 addresses during boot, so applications need to cope with this if they try to bind to a specific address on startup. Sometimes they don&#8217;t cope, and just bomb out with an error that they couldn&#8217;t bind to the IP address as it&#8217;s not configured. (ISC BIND is an example of this).</p> <h1 id="router-advertisements:55808878b0dc53904f6f03bca43b825c">Router Advertisements</h1> <p>Similar to a Neighbor Advertisement, a Router Advertisement is a network router saying &#8220;Hi, I&#8217;m here!&#8221;. This can be used by hosts to auto-configure themselves with an IPv6 address, and set a default route for IPv6. 
(This is called SLAAC &#8211; StateLess Address AutoConfiguration).</p> <p>An advertisement like that includes &#8220;preferred&#8221; and &#8220;valid&#8221; lifetimes &#8211; how long the address should be used for new connections, and how long it should remain usable for existing connections, respectively. Routers can re-send the advertisements and refresh those times, kinda like DHCP.</p> <p>It&#8217;s not, however, a full DHCP replacement &#8211; it doesn&#8217;t have acknowledgements, logging, DDNS, or any number of other fancy features.</p> <p>For raw usefulness in getting a set of desktops on an existing network to use IPv6&#8230; priceless.</p> <h1 id="neighbor-discovery-security:55808878b0dc53904f6f03bca43b825c">Neighbor Discovery Security</h1> <p>ARP isn&#8217;t really secure by design, so it should be no surprise that Neighbor Discovery is open to similar sorts of issues. If you&#8217;re the particularly security-conscious sort, you should check out &#8220;Secure Neighbor Discovery&#8221; (SEND) or &#8220;RA-Guard&#8221;.</p> <h1 id="unique-local-addresses-ula:55808878b0dc53904f6f03bca43b825c">Unique Local Addresses (ULA)</h1> <p>Roughly equivalent to RFC1918 space, but (probably) still unique to a single environment.</p> <p>It&#8217;s really not needed in most cases &#8211; you&#8217;re normally expected to just use addresses from your service provider.</p> <h1 id="prefix-delegation-pd:55808878b0dc53904f6f03bca43b825c">Prefix Delegation (PD)</h1> <p>This is the means by which large blocks of address space (prefixes!) can be requested by clients. 
It&#8217;s actually a function of DHCPv6!</p> <p>Prefix Delegation is how your ADSL modem can request a chunk of address-space from your ISP, and get back a /56 (or whatever is configured for your account) to further subdivide.</p> <h1 id="hosts:55808878b0dc53904f6f03bca43b825c">Hosts</h1> <h2 id="desktops:55808878b0dc53904f6f03bca43b825c">Desktops</h2> <p>If you want to get a set of desktop PCs on a LAN using IPv6, you&#8217;re in luck.</p> <p>Once your router has an IPv6 range allocated to it (by Prefix Delegation or some other means), it can send Router Advertisements to local LAN segments; PCs and other devices will use SLAAC to autoconfigure themselves and use the connectivity.</p> <p>DHCP (via IPv4) still reigns supreme &#8211; handing out DNS and the like &#8211; but you nearly instantly have IPv6 connectivity on any modern system.</p> <p>It&#8217;s worth noting that most current-generation OSes will actually end up randomly creating and cycling through IPv6 addresses on a regular basis; this is due to &#8220;Privacy Extensions&#8221;, an extension of SLAAC&#8217;s normally deterministic address selection that uses random numbers instead.</p> <h2 id="desktops-the-future:55808878b0dc53904f6f03bca43b825c">Desktops, the future!</h2> <p>DHCPv6 will, one day, be the norm. But not today, so I&#8217;ll leave that for another day :)</p> <h2 id="servers:55808878b0dc53904f6f03bca43b825c">Servers</h2> <p>SLAAC is a really bad idea for servers, as it means that changing your host machine (or just a NIC) would change its IP! 
Statically configure the addresses instead.</p> <p>You can still use Router Advertisements for setting a default gateway, if you want &#8211; as mentioned above, there are security concerns, but it can still be pretty convenient.</p> <h1 id="services:55808878b0dc53904f6f03bca43b825c">Services</h1> <h2 id="common-architecture-reverse-proxy:55808878b0dc53904f6f03bca43b825c">Common Architecture: Reverse Proxy</h2> <p>One very easy way of making a service IPv6-capable is by sticking some sort of reverse proxy in front of it. IPv4 traffic can flow as per usual &#8211; but when you configure an IPv6 address for the service, the address is actually on a dual-stacked box. This box can then forward traffic back to the IPv4-only host.</p> <p>For HTTP, you can set the <code>X-Forwarded-For</code> header with the original IPv6 address (since it&#8217;ll be lost otherwise). Make sure your backend application knows to trust the header when (and only when) it comes from the proxy, and make sure it can deal with IPv6 addresses properly!</p> <p>You&#8217;ll also want to make sure that any ACLs or other IP-based restrictions (e.g. Geo-IP blocking) take into consideration the proxy&#8217;s existence. It&#8217;s probably good to set a fair amount of logging on the proxy, too, so you can tie things together when troubleshooting later.</p> <p>Proxies would work fairly well for:</p> <ul> <li>HTTP/S</li> <li>IMAP/POP3</li> <li>DNS, NTP</li> </ul> <p>They <em>won&#8217;t</em> work for cases where you actually care a lot about the source &#8211; IP address reputation checks for SMTP, rate-limits on web pages, IP-blacklists on forum software, etc.</p> <p>Anything using bidirectional communications is pretty much out too (e.g. 
FTP, backups), and you also have to note that (like NAT) it risks unbalancing load-balancers if you use IP-based sticky sessions.</p> <h2 id="common-architecture-ipv4-only-load-balancer:55808878b0dc53904f6f03bca43b825c">Common Architecture: IPv4-only Load Balancer</h2> <p>There are a couple of different ways to work around an IPv4-only load balancer:</p> <ul> <li>Make an IPv6 load-balancer in software</li> <li>Go directly to one backend</li> <li>Round-robin to all backends</li> </ul> <p>I actually think the &#8220;direct to backend&#8221; solutions aren&#8217;t too bad&#8230; hacky, but survivable. The vast majority of applications fall back to IPv4 sufficiently well, don&#8217;t forget. Make sure to set a low TTL on the DNS, so you can remove it in the event of a failure.</p> <h2 id="your-app-sucks:55808878b0dc53904f6f03bca43b825c">Your app sucks</h2> <p>Let&#8217;s face it, most sysadmins have to look after any number of custom in-house applications. They&#8217;re probably going to need some love. I can&#8217;t help you with that.</p> <p>There are also amusing side-effects: several software products still truncate IPv6 addresses, e.g. the output of &#8220;<code>last</code>&#8221; on some *nix-based systems, or logs stored in database tables. Speaking of databases, what sort of field type are your applications using to store IP addresses? Will it fit an IPv6 address in it? Is it just a 32-bit int? Many databases now support a native &#8220;IP address&#8221; type &#8211; use it if you can.</p> <h2 id="rate-limits:55808878b0dc53904f6f03bca43b825c">Rate-limits</h2> <p>While we&#8217;re on a tangent, let&#8217;s talk about those rate limits too.</p> <ul> <li>Is it useful to rate-limit a single IPv6 IP? (A /128). Probably not, it&#8217;s too easy to change.</li> <li>Is it useful to rate-limit a /64? Probably; there&#8217;s a good chance the user has multiple /64s at their disposal, but only so many&#8230;</li> <li>Is it useful to rate-limit a /56? Useful? 
It&#8217;s not even safe &#8211; Internode hand out /56s, other ISPs can (and do!) regularly hand out smaller.</li> </ul> <p>Limit the /64 &#8211; it&#8217;s not perfect, and it&#8217;s still not even entirely &#8220;fair&#8221; in some edge cases, but it&#8217;s the best you&#8217;ve got.</p> <h2 id="dns:55808878b0dc53904f6f03bca43b825c">DNS</h2> <p>DNS is a super awesome and easy service to enable for IPv6, so it&#8217;s a great first choice. The protocol has native fallback to secondary servers in case of failure, for both a client accessing a DNS resolver and for a DNS resolver talking to nameservers.</p> <h2 id="dns-aside:55808878b0dc53904f6f03bca43b825c">DNS: Aside</h2> <p>You do also end up having a rather large reverse address space to manage DNS for. A /56 has 4722366482869645213696 addresses!!</p> <p>The only sane solution (other than having no reverse DNS) is procedural DNS generation. Internode do this for their customers (using the &#8220;pymds&#8221; open source project), optionally delegating it to nameservers of the customer&#8217;s choosing. After that, it&#8217;s up to you :)</p> <h2 id="smtp-mta:55808878b0dc53904f6f03bca43b825c">SMTP MTA</h2> <p>Don&#8217;t forget to configure your Reverse DNS for SMTP &#8211; Yes, people really still do look at this, even when using IPv6.</p> <p>Connectivity is key; if your MTA software thinks it has IPv6 connectivity then it really needs to work. Check your fallback to IPv4 when IPv6 connectivity is missing &#8211; some software doesn&#8217;t!</p> <p>It&#8217;s worth noting that people don&#8217;t interactively use their mail servers very often, so there&#8217;s no implicit verification of connectivity, or firewall validity. 
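<p>For the reverse-proxy architecture above, the following is an added Python example (not part of the original post) of how a backend can decide which address to use for ACLs and logging: the <code>X-Forwarded-For</code> header is honoured only when the connection comes from one of our own proxies, and entries are parsed so that bracketed IPv6 and IPv4-mapped forms are handled. The proxy addresses are constructed documentation-prefix values.</p>

```python
import ipaddress
from typing import Optional, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed for this example: the addresses our reverse proxies connect from.
TRUSTED_PROXIES = [
    ipaddress.ip_network("2001:db8:10::5/128"),
    ipaddress.ip_network("192.0.2.10/32"),
]


def parse_forwarded_addr(token: str) -> Optional[Address]:
    """Parse one X-Forwarded-For element; None if it is not an address.

    Accepts '[2001:db8::1]:443', '2001:db8::1', '192.0.2.1:8080' and '192.0.2.1'.
    An unbracketed IPv6 address followed by a port cannot be told apart from a
    longer address, so a proxy that appends ports must bracket IPv6 entries.
    """
    token = token.strip()
    if token.startswith("["):                 # bracketed IPv6, optional port
        end = token.find("]")
        if end == -1:
            return None
        token = token[1:end]
    elif token.count(":") == 1:               # IPv4 with port (bare IPv6 has 2+ colons)
        token = token.split(":", 1)[0]
    try:
        addr = ipaddress.ip_address(token)
    except ValueError:
        return None
    # ::ffff:a.b.c.d is the same peer as a.b.c.d; normalise so IPv4 ACLs still match.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_trusted_proxy(addr: Address) -> bool:
    # ipaddress returns False for a v4 address in a v6 network (and vice versa).
    return any(addr in net for net in TRUSTED_PROXIES)


def client_address(remote_addr: str, xff_header: Optional[str]) -> Address:
    """Address to use for ACLs, rate limits and logs.

    The header is ignored unless the TCP peer is a trusted proxy. Hops are then
    walked from the right (the value our proxy appended) towards the left; the
    first hop that is not one of our proxies is the client. Anything further
    left was supplied by the client and is never trusted.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not xff_header or not is_trusted_proxy(peer):
        return peer
    for raw in reversed(xff_header.split(",")):
        hop = parse_forwarded_addr(raw)
        if hop is None:
            return peer          # malformed entry from a proxy: fall back to the peer
        if not is_trusted_proxy(hop):
            return hop
    return peer                  # every hop was one of our proxies
```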
Mistakes can go unnoticed for a very long time!</p> <p>The other common issue running an IPv6-capable MTA is broken [far-end] DNS; entirely too many systems return SERVFAIL rather than an empty NOERROR response, causing extra retries and often making the sending MTA never fall back to IPv4 at all. There&#8217;s no real fix here, this is just a heads-up&#8230;</p> <h2 id="smtp-mx:55808878b0dc53904f6f03bca43b825c">SMTP MX</h2> <p>Running an IPv6 MX means a moderate amount of pain right now (though it&#8217;s getting quickly better now that GMail runs an IPv6-capable MX).</p> <p>Running an IPv6-only MX, with an IPv4-capable secondary MX, is not currently feasible &#8211; a small number of real-world MTAs break horribly trying to deliver email to a domain using such a setup.</p> <p>It might be worthwhile using a dual-stack primary MX, and an IPv4-only secondary MX (even if it&#8217;s the same IPv4 address!), to encourage semi-broken MTAs to fall back to the secondary MX (and the IPv4 address it carries) if they don&#8217;t fall back properly from IPv6 to IPv4 on the primary MX.</p> <p>Postfix will only (by default) check five addresses from DNS before stopping the delivery attempt; so if Postfix thinks trying over IPv6 is OK, and you have 5+ IPv6 addresses on your MX, <em>it will never fall back to IPv4 if something goes wrong</em>. So, don&#8217;t have more than 3-4 IPv6 addresses for your MX.</p> <p>Finally, you still have to deal with broken far-end DNS, because many modern systems will check if a bounce message could be delivered in principle before accepting a message (by checking the sending domain exists and has a valid MX).</p> <p>It&#8217;s worth doing if you have the patience, and things will only get better, but it&#8217;s not necessarily going to be the smoothest ride &#8211; use your own judgement.</p> <p>(Internode have done it and are striving forwards with it, because that&#8217;s how we roll. I&#8217;d like to think that you&#8217;re going to do the same! 
:)</p> <h2 id="monitoring:55808878b0dc53904f6f03bca43b825c">Monitoring</h2> <p>You need to dual-stack your monitoring system, naturally &#8211; all those IPv6 services aren&#8217;t really in production if they&#8217;re not monitored&#8230; but, which IP stack will actually get used to do the checks?</p> <p>Do all of your hosts support all features on both protocols?</p> <p>I can&#8217;t tell you the solution here, because it&#8217;s going to be very situation-specific &#8211; but there&#8217;s a good chance you&#8217;ll have to define a lot of your checks twice (once per protocol).</p> <p>Don&#8217;t forget, if you can&#8217;t IPv6-enable your existing host (e.g. because it&#8217;d suddenly make a lot of legacy checks try to use IPv6 and that won&#8217;t work) then you can always proxy checks via a dual-stacked host.</p> <h1 id="opinions:55808878b0dc53904f6f03bca43b825c">Opinions</h1> <h2 id="lots-of-ips-8230:55808878b0dc53904f6f03bca43b825c">Lots of IPs&#8230;</h2> <p>Since your VLANs now have a very large address space, you can put it to some good use.</p> <p>For example, if you&#8217;re mixing different services in the same /64 network, why not use the first few bits of the host part to define what sort of service they are, and create your ACLs around that?</p> <p>E.g., using /80 ACLs:</p> <p>An IP could be formatted like so &#8211; <code>2001:db8:n:n:apptype:x:x:id</code> &#8211; where &#8220;<code>apptype</code>&#8221; is one of the following:</p> <ul> <li>Infrastructure = <code>0000</code></li> <li>Web Server = <code>1000</code></li> <li>Mail = <code>2000</code></li> <li>SMTP = <code>2010</code></li> <li>IMAP = <code>2020</code></li> <li>Database = <code>3000</code></li> </ul> <p>So you could have a firewall rule allowing access to <code>[2001:db8:n:n:1000::/80]:80</code> from the Internet, making your website public but nothing else. 
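<p>The /64 rate-limit advice above and this /80 apptype layout both come down to treating a prefix, not a /128, as the unit of policy. The following Python is an added example (not from the original post) that classifies addresses by their apptype hextet, evaluates the single public firewall rule, and keeps a sliding-window rate limit keyed on the client&#8217;s /64; the site prefix <code>2001:db8:1:2::/64</code> is a constructed stand-in for <code>2001:db8:n:n::/64</code>.</p>

```python
import ipaddress
import time
from collections import defaultdict
from typing import Optional

# Constructed stand-in for the article's 2001:db8:n:n::/64 site prefix.
SITE = ipaddress.IPv6Network("2001:db8:1:2::/64")

# The "apptype" hextet values from the article, keyed by their numeric value.
APPTYPES = {
    0x0000: "infrastructure",
    0x1000: "web",
    0x2000: "mail",
    0x2010: "smtp",
    0x2020: "imap",
    0x3000: "database",
}


def apptype_of(addr: str) -> str:
    """Name the apptype of an address laid out as 2001:db8:n:n:apptype:x:x:id."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in SITE:
        raise ValueError(f"{addr} is not inside {SITE}")
    hextet = (int(ip) >> 48) & 0xFFFF        # fifth 16-bit group, bits 64..79
    return APPTYPES.get(hextet, f"unknown({hextet:04x})")


def apptype_network(apptype: int) -> ipaddress.IPv6Network:
    """The /80 that covers every host of one apptype, e.g. 0x1000 -> ...:1000::/80."""
    base = ipaddress.IPv6Address(int(SITE.network_address) | (apptype << 48))
    return ipaddress.IPv6Network(f"{base}/80")


def allowed_from_internet(dst: str, port: int) -> bool:
    """The article's single public rule: [2001:db8:n:n:1000::/80]:80 only."""
    return ipaddress.IPv6Address(dst) in apptype_network(0x1000) and port == 80


class PrefixRateLimiter:
    """Sliding-window counter keyed on the /64 (or /32 for IPv4) rather than the /128."""

    def __init__(self, limit: int, window_seconds: float,
                 v6_prefixlen: int = 64, v4_prefixlen: int = 32):
        self.limit = limit
        self.window = window_seconds
        self.v6_prefixlen = v6_prefixlen
        self.v4_prefixlen = v4_prefixlen
        self.hits = defaultdict(list)        # bucket key -> timestamps of recent hits

    def key(self, addr: str) -> str:
        """Bucket key: the covering prefix, so every /128 in a /64 shares one counter."""
        ip = ipaddress.ip_address(addr)
        plen = self.v6_prefixlen if ip.version == 6 else self.v4_prefixlen
        return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))

    def allow(self, addr: str, now: Optional[float] = None) -> bool:
        """True if this request is within the limit for the client's prefix."""
        now = time.monotonic() if now is None else now
        bucket = self.hits[self.key(addr)]
        cutoff = now - self.window
        while bucket and bucket[0] <= cutoff:  # expire hits outside the window
            bucket.pop(0)
        if len(bucket) >= self.limit:
            return False
        bucket.append(now)
        return True
```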
Conveniently, you can spin up further web servers inside that /80 without needing to alter your firewalls.</p> <p>Technically, you should always pay attention to bit 7 inside the /64; it should always be zero for statically-assigned addresses as it&#8217;s the &#8220;Unique vs Local interface&#8221; bit, used to determine if a given host-part of the address (the last 64 bits of the IP address) is globally unique, or just locally unique. I don&#8217;t think anything really uses this right now, but you&#8217;ve been warned :)</p> <h2 id="server-numbering:55808878b0dc53904f6f03bca43b825c">Server Numbering</h2> <p>If you decide that the suffix of the address is the host number, that&#8217;s not a bad idea. BUT!</p> <p>If:</p> <ul> <li>Fooserver1 → <code>::1</code>, and</li> <li>Fooserver2 → <code>::2</code></li> </ul> <p>Is:</p> <ul> <li>Fooserver10 → <code>::10</code>, or</li> <li>Fooserver10 → <code>::A</code>?</li> </ul> <p>It&#8217;s important to remember that IPv6 addresses are hexadecimal!</p> <p>You can also embed IPv4 IPs into IPv6 addresses &#8211; a host on <code></code> could have an IPv6 address of <code>2001:db8:1234:1234:192:231:203:132</code> &#8211; but, should it?</p> <p>It&#8217;s also tempting to be clever and use port numbers &#8211; <code>::25</code> for mail servers, <code>::53</code> for DNS servers, and <code>::80</code> for web sites &#8211; but again, should you? That&#8217;s hex&#8230; for 37, 83, &amp; 128!</p> <h1 id="conclusion:55808878b0dc53904f6f03bca43b825c">Conclusion</h1> <p>IPv6 isn&#8217;t really all that hard, just new. 
The best way to get familiar with it, is just to get on with using it :)</p> Doctor Who, sans Python-iView http://www.mibus.org/2012/09/23/doctor-who-sans-python-iview/ Sun, 23 Sep 2012 00:00:00 +0000 mibus@mibus.org (Robert Mibus) http://www.mibus.org/2012/09/23/doctor-who-sans-python-iview/ <p>Just to illustrate the insanity of ABC&#8217;s position in the takedown of Python-iView &#8211; here is how to &#8220;download&#8221; the latest Doctor Who episode from iView, without using an application that infringes the takedown notice as I understand it.</p> <p><em>Update: To be clear, this may well still violate the iView Terms of Service&#8230; that I&#8217;ve never read, and that you don&#8217;t get prompted to if you follow the below; the below I pieced together without use of the site. Don&#8217;t actually download the file if you want to follow the iView Terms of Service. I&#8217;m not a lawyer and can&#8217;t comment on whether it&#8217;s enforceable on people who are never presented with it. I&#8217;d really hope that accessing internet-accessible URLs without an explicit contract between the two parties, isn&#8217;t &#8211; but what I consider &#8220;right&#8221; isn&#8217;t always.</em></p> <p>(Dear ABC: If I&#8217;m wrong, please send me an email with where I went wrong and I&#8217;ll readily take this post down; my address is in the sidebar on the right).</p> <ol> <li>Visit <a href="http://tviview.abc.net.au/iview/auth/?v2">http://tviview.abc.net.au/iview/auth/?v2</a> and do a &#8220;View Source&#8221;.</li> <li>The &#8220;host&#8221; will be the IP from the &#8220;server&#8221; field.</li> <li>The &#8220;app&#8221; will be the directory-part of the &#8220;server&#8221; field, plus &#8220;?auth=&#8221; plus the contents of the &#8220;token&#8221; field. 
(So, <code>ondemand?auth=ABCD1234ABCD1234</code> or something similar).</li> <li><code>rtmpdump --host</code> (host) <code>--app</code> (app) <code>--playpath mp4:threepower_xx_xx -o threepower_xx_xx.mp4 -X --swfUrl http://www.abc.net.au/iview/images/iview.jpg</code></li> </ol> <p><code>mp4:threepower_xx_xx</code> is the remote filename.</p> <p>This may not work from all ISPs, as the path structure is slightly different for Akamai; I&#8217;m writing this to prove a point, not so you can actually download an episode.</p> <p>The only &#8220;protection&#8221; I see as arguable is the use of a hash of a SWF file &#8211; that&#8217;s what the last URL passed to rtmpdump, it calculates the hash and passes it in the RTMP request.</p> <p>What Python-iView adds above and beyond this, is pulling the (unobfuscated) list of show names and episode names (which is where the filename is readily discoverable). So, uh, nothing infringing itself.</p> <p><em>Update: What&#8217;s really wrong, though, is that the ABC has apparently agreed in legal contracts not to allow downloads from iView, but can only prevent it through mean wording in a Terms of Service.</em></p> <p><em>Update 2: So, I went looking for the Terms of Service. You need to load iView, go to Help, click the FAQ link, scroll up three pages (I&#8217;m not kidding), then click the Terms Of Use link. I consider it hideously unfair to hide your Terms Of Use and then complain that they get violated. Really, guys?</em></p> <p><em>By the reasoning in ABC&#8217;s Terms Of Use, this post may be seen to &#8220;provide the means for others to&#8230;circumvent these technical measures&#8221;. But only if they consider accessing readily available URLs with established non-infringing applications to be bypassing technical measures. (Dear ABC: I watch more ABC than the remainder of the commercial stations put together, I&#8217;m actually a big fan &#8211; so please don&#8217;t sue me! 
:).</em></p> Letter To the ABC, re the takedown of Python-iView http://www.mibus.org/2012/09/18/letter-to-the-abc-re-the-takedown-of-python-iview/ Tue, 18 Sep 2012 00:00:00 +0000 mibus@mibus.org (Robert Mibus) http://www.mibus.org/2012/09/18/letter-to-the-abc-re-the-takedown-of-python-iview/ <p>Dear ABC,</p> <p>As a regular ABC watcher, I was dismayed to hear that a takedown notice was sent to Jeremy Visser with regards to his distribution of the &#8220;Python-iView&#8221; software:</p> <p><a href="https://jeremy.visser.name/2009/08/python-iview/">https://jeremy.visser.name/2009/08/python-iview/</a></p> <p>Python-iView is, in my mind, little more than a VCR or PVR for the iView service &#8211; and from a moral perspective is thus no more or less &#8220;wrong&#8221;. The approach you have chosen to take would not be legal to take against Tivo or FetchTV recording the FTA DVB-T broadcasts, so it should not be taken against Python-iView.</p> <p>The software that Jeremy HAD been distributing was absolutely necessary for users of a multitude of platforms to watch content hosted on iView. This includes Android devices that are not compatible with a Flash player, and other embedded devices. It makes it possible to watch iView shows on platforms based on Linux, a free and community-driven operating system (rather than the expensive and proprietary options that the Flash Player fully supports). It also made it possible to watch iView-hosted shows where Internet access is slow or unreliable (eg. 
during public transport).</p> <p>I recognise that some content rights-holders might &#8220;get their knickers in a knot&#8221;, but there are two other approaches that the ABC can take:</p> <ul> <li>Encouraging rightsholders to join the 21st Century and allow &#8220;fair use&#8221;-style distribution via the Internet (particularly with the low-quality video that iView uses, contrasted with high-definition material readily available via illegitimate means).</li> <li>Having a mechanism to allow for at least locally-produced shows (and other shows where the rightsholder agrees) to be available in full for non-Flash-supporting devices.</li> </ul> <p>The ABC already half-heartedly supports the latter idea, with video podcasts available for some shows (such as Media Watch) &#8211; but Media Watch is by far the exception, rather than the rule.</p> <p>Please consider working <em>with</em> Jeremy, rather than against him, to ensure that ALL Australians have access to ABC programming. The insanity of the copyright restrictions being used against Python-iView is only in effect because the ABC chooses to allow it when licensing content.</p> <p>Regards;</p> <p>Robert Mibus.</p> <p><em>To the regular ABC viewers reading this letter &#8211; I encourage you to support Jeremy and Python-iView and the freedoms and opportunities it represents. Make yourself heard to the ABC, and perhaps we can gain their cooperation.</em></p> When life gives you lemons… ask for oranges. http://www.mibus.org/2012/06/26/when-life-gives-you-lemons-ask-for-oranges/ Mon, 25 Jun 2012 00:00:00 +0000 mibus@mibus.org (Robert Mibus) http://www.mibus.org/2012/06/26/when-life-gives-you-lemons-ask-for-oranges/ <p>It&#8217;s a pattern I&#8217;ve seen repeated endlessly around me, a pattern I&#8217;m guilty of falling into entirely too often myself.</p> <p>You want something, but you don&#8217;t ask for it. 
Maybe you think you&#8217;ll get a &#8220;no&#8221;, maybe you&#8217;re too worried about what the other person will think, maybe you don&#8217;t want to annoy or offend someone. Maybe there&#8217;s some other reason.</p> <p>Ultimately, it all goes the same way. You don&#8217;t get what you want. Maybe someone else does, though, and probably some brown-noser that&#8217;s not a &#8220;nice guy&#8221; got what <em>you</em> deserved.</p> <p>Happily, I have a solution. It&#8217;s easy, and it&#8217;s free, and I&#8217;m sharing it with you now: <strong>Ask for what you want. Don&#8217;t be shy, just ask.</strong></p> <p>You hear me? Want something, ASK FOR IT. This applies to basically all areas of your life.</p> <p>Want a raise? Have you asked for one? Want to go to a technical conference, or do some training? Ask. Want to work from home for a day? Maybe you want your partner to let you have a weekend entirely to yourself without the kids, or want to skip a family birthday, or want to buy something expensive for yourself, or whatever. Just. Ask.</p> <p>Often enough, you&#8217;ll get a &#8220;no&#8221;. Fine &#8211; accept the &#8220;no&#8221;. &#8220;No&#8221; is an acceptable answer to a question!</p> <p>If you think there might be a tradeoff to be had &#8211; suggest one. If it&#8217;s still a &#8220;no&#8221;, then accept it and move on. You&#8217;ll get a lot of &#8220;no&#8221;s, but <em>you will also get the occasional &#8220;yes&#8221;</em> &#8211; and you&#8217;ll probably get a few &#8220;yes&#8221; responses that surprise you, too.</p> <p>Don&#8217;t be silly about it; don&#8217;t ask for a pay rise every other week, don&#8217;t ask for the world on a silver platter, don&#8217;t ask incessantly, be respectful of the other person&#8217;s time and their responsibilities.</p> <p>But do ask. 
And maybe ask for just a little more than you think you deserve.</p> gSolaris http://www.mibus.org/2012/05/31/gsolaris/ Wed, 30 May 2012 00:00:00 +0000 mibus@mibus.org (Robert Mibus) http://www.mibus.org/2012/05/31/gsolaris/ <p>Among other things at work, I help look after a small set of Solaris hosts. One of the real frustrations I have with Solaris is the lack of functionality in many of the &#8220;standard&#8221; applications, things that I&#8217;ve come to consider usual (and often essential).</p> <p>We work around these shortcomings by having GNU utilities installed, but with a &#8220;g&#8221; prefix so that scripts depending on the native Solaris flags and options still work perfectly.</p> <p>This naturally leads to many jokes about how painful a particular command is under Solaris, and &#8220;just put a &#8216;g&#8217; in front and it&#8217;ll be fine&#8221;.</p> <p>Amusingly, this is a better plan than you&#8217;d expect; it&#8217;s not unheard of to construct a long command-line built <em>solely</em> from the GNU commands, just to work around Solaris&#8217; limitations (and maybe a little bit just for the fun of it).</p> <p>E.g., our internal documentation for a certain procedure has a very long command that basically boils down to:</p> <pre>gfind -type f -print0 | gxargs -0 gmd5sum | gawk '{..process output..}'</pre> <p>gSolaris: Solaris without the suck. Or, maybe at least with less.</p> <p><em>I tease &#8211; Solaris has some real nice features that we use heavily, like ZFS, zones, dtrace, and it&#8217;s real good at heavy-duty NFS serving. I just feel like it&#8217;s stuck in 1988 for much of the rest of the core functionality.</em></p>