Christian Kildau, Network Engineer
Welcome to my little blog. I am mostly techie over here, blogging about networking and system administration topics, but there will also be some Travel Reports from time to time…

How To disable Time Machine’s MobileBackup

July 24, 2011, Christian Kildau (4 comments)

Starting with Lion I noticed that Time Machine is running even when my Time Capsule is not available. I also noticed that Finder shows a different amount of used disk space than df, and my MacBook Pro’s SSD got somewhat slow. It turned out to be Time Machine’s MobileBackup function.

If you want to disable MobileBackup and free up the abused disk space, simply run the following command and reboot.

sudo tmutil disablelocal

How to fix SSH UTF-8 issues in Mac OS X Lion

July 24, 2011, Christian Kildau (2 comments)

After upgrading from Snow Leopard to Lion, ssh connections to remote servers using iTerm2 have issues with non-ASCII characters.

Luckily that’s easy to fix. Simply comment out SendEnv LANG LC_* in /etc/ssh_config:

Host *
 # SendEnv LANG LC_*
 # ForwardAgent no
 # ForwardX11 no
 ...

No other changes are needed. You could also permanently change your locale to UTF-8 by placing export LANG=en_US.UTF-8 in your shell’s startup file.

How to activate Serial Console on Debian Squeeze

July 6, 2011, Christian Kildau (5 comments)

Activating a serial console, from the bootloader all the way up to a tty login, requires just a few steps, but it took me some time to figure out all the knobs. Here’s how to do it with Debian Squeeze:

To make configuration changes persistent in Debian, you must not edit /boot/grub/grub.cfg directly, but need to edit or add the appropriate lines in /etc/default/grub:

GRUB_CMDLINE_LINUX_DEFAULT="console=tty0 console=ttyS0,9600n8"
GRUB_TERMINAL=console
GRUB_SERIAL_COMMAND="serial --speed=9600 --unit=0 --word=8 --parity=no --stop=1"

Now run update-grub and you’ll get the bootloader as well as all kernel and init messages on your serial console the next time you boot.

To get a login prompt on the serial line you need to modify /etc/inittab to:

1:2345:respawn:/sbin/getty 38400 tty1
2:23:respawn:/sbin/getty 38400 tty2
3:23:respawn:/sbin/getty 38400 tty3
4:23:respawn:/sbin/getty 38400 tty4
5:23:respawn:/sbin/getty 38400 tty5
6:23:respawn:/sbin/getty 38400 tty6
# Serial console
s0:2345:respawn:/sbin/getty -L 9600 ttyS0 vt102

That’s it. Run init q to reload init and activate the serial login, or simply reboot.
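The usual pitfall with the three snippets above is a speed that differs between the kernel console= parameter, GRUB_SERIAL_COMMAND and the getty line, which leaves a garbled login prompt once the kernel messages stop. The following check is an added example, not part of the original post; it takes the paths of a GRUB default file and an inittab as arguments and is run here against constructed copies of the post’s configuration.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the serial speed in
# /etc/default/grub (console= parameter and GRUB_SERIAL_COMMAND) matches the
# getty line for ttyS0 in /etc/inittab. File paths are passed as arguments.

# Baud rate from the kernel parameter, e.g. console=ttyS0,9600n8 -> 9600
grub_console_speed() {
    sed -n 's/.*console=ttyS[0-9]*,\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Baud rate from GRUB_SERIAL_COMMAND, e.g. --speed=9600 -> 9600
grub_serial_speed() {
    sed -n 's/.*--speed=\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Baud rate handed to getty on ttyS0 in inittab (commented lines are ignored)
inittab_getty_speed() {
    grep -E '^[^#].*getty.*ttyS0' "$1" |
        sed -n 's/.*getty[^0-9]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Succeeds only when all three speeds are present and identical
serial_console_consistent() {
    grub=$(grub_console_speed "$1")
    [ -n "$grub" ] &&
        [ "$grub" = "$(grub_serial_speed "$1")" ] &&
        [ "$grub" = "$(inittab_getty_speed "$2")" ]
}

# Constructed sample files mirroring the post's configuration
tmp=$(mktemp -d)
cat > "$tmp/grub" <<'EOF'
GRUB_CMDLINE_LINUX_DEFAULT="console=tty0 console=ttyS0,9600n8"
GRUB_TERMINAL=console
GRUB_SERIAL_COMMAND="serial --speed=9600 --unit=0 --word=8 --parity=no --stop=1"
EOF
cat > "$tmp/inittab.ok" <<'EOF'
1:2345:respawn:/sbin/getty 38400 tty1
# Serial console
s0:2345:respawn:/sbin/getty -L 9600 ttyS0 vt102
EOF
# Same inittab with the getty speed left at 38400: must be reported as a mismatch
sed 's/-L 9600/-L 38400/' "$tmp/inittab.ok" > "$tmp/inittab.bad"

serial_console_consistent "$tmp/grub" "$tmp/inittab.ok"  && echo "ok: speeds agree"
serial_console_consistent "$tmp/grub" "$tmp/inittab.bad" || echo "mismatch detected"
```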

Intel 320 Series vs. OCZ Vertex 2 (vs. Apple)

April 29, 2011, Christian Kildau (8 comments)

Actually this post should be called NO OCZ NO or something like that…

I already wrote about the OCZ Vertex 2 E once or twice with somewhat mixed feelings.
Now after 6 months with the first one, and 3 months with the second one, I wouldn’t recommend buying any of these again. Well, at least not if you’re using Apple.

60Gb OCZ Vertex 2 E in my Mac Mini (6 Months old):

  • huge loss in performance (maybe due to the lack of TRIM in OSX?)
  • sometimes the mini won’t fall asleep or just wakes up again

120Gb OCZ Vertex 2 E in my MacBook Pro (10 weeks old):

  • performance is still good
  • suspend2disk doesn’t work. Known bug. OSX will crash. OCZ promised to fix it – but didn’t!
  • sleep and direct wake-up results in the SSD not being recognized for ~10 minutes!!! No booting possible!

Most of the issues with OCZ’s SSDs seem to be sleep/hibernate related and, from what I’ve heard, mostly affect Apple products, but their crappy support prevents me from buying any of their products again. They promised to release a firmware upgrade which fixes suspend2disk, but they did not. They closed the thread in their forums and don’t even respond to requests via e-mail. But hey! At least they released the OCZ Vertex 3 – so you possibly get all these bugs fixed for just 180€!

All these issues and their non-responding support made me replace the Vertex with the new Intel 320 Series SSD. It might be slower according to the specs, but performance isn’t everything.

Which leads me to the next part of this post…

The Intel 320 120Gb SSD! I installed this one in my MacBook Pro last week, and what shall I say? After one week everything is great. I’m not talking about pure performance. I didn’t notice any difference in real-life performance, but just in case… here is a simple sequential performance check:

OCZ Vertex 2 E 120Gb:

homer:~ $ dd if=/dev/zero of=10000M.img bs=1024 count=10000000
10000000+0 records in
10000000+0 records out
10240000000 bytes transferred in 82.815477 secs (123648385 bytes/sec)
homer:~ $ dd if=10000M.img of=/dev/null
20000000+0 records in
20000000+0 records out
10240000000 bytes transferred in 47.731347 secs (214534068 bytes/sec)

Intel 320 Series 120Gb:

homer:~ mrkofee$ dd if=/dev/zero of=10000M.img bs=1024 count=10000000
10000000+0 records in
10000000+0 records out
10240000000 bytes transferred in 108.879939 secs (94048546 bytes/sec)
homer:~ mrkofee$ dd if=file.img of=/dev/null
20000000+0 records in
20000000+0 records out
10240000000 bytes transferred in 47.695655 secs (214694610 bytes/sec)

The Intel is a tad slower in pure sequential write performance, which is a bit disappointing considering it’s one generation newer than the Vertex 2… But now to the important stuff:

  • Suspend2Disk: works
  • Closing and directly opening the MBP: works
  • Support: Well… it’s Intel. I don’t expect it to be any better than OCZ’s.
  • The good feeling of reliability: works

I haven’t received any negative reports from friends about the Intel X25-M (the 320 Series predecessor), nor have I found much on the Interwebs… so I’m much happier with the Intel now…

How to Check services and restart using Monit

March 27, 2011, Christian Kildau (0 comments)

I have a monitoring service (Zabbix) which dies every few weeks, because its MySQL tables were locked for too long during a backup… Annoying, mostly because it’s then dead unnoticed for more than just a few minutes. So, how do you monitor a monitoring service? Or simply: how do you restart any service that has just gone away, in a simple way?

I recently came across monit. They state it’s up and running in just 15 minutes. I got it faster:

# Daemonize and check every 2mins.
set daemon  120

# Mail settings, in case you want to receive notifications
set mailserver relay.example.org
set mail-format { from: root@host1.example.org }
set alert admin@example.org

# The first check
check process zabbix_server with pidfile /var/run/zabbix/zabbix_server.pid
        start program = "/etc/init.d/zabbix-server start"
        stop program = "/etc/init.d/zabbix-server stop"
        group server

You can also monitor network availability, application availability, file permissions and system utilization…
I think this tool is really great for a small network, though I don’t think it would scale that well. Just give it a try.

How to OpenBSD with Huawei E1750 UMTS

March 21, 2011, Christian Kildau (0 comments)

Getting my OpenBSD (4.8) box to talk to a Huawei E1750 USB UMTS stick as a backup solution turned out to be not very straightforward, so in case you are in a similar situation…

Have a look at man umsm to see which devices are supported by OpenBSD.

The UMTS USB sticks are registered as /dev/cuaUX, where X is the number of your device. You’ll need the userland pppd to connect. Place your peer configuration in /etc/ppp/peers/o2, for example:

cuaU0
connect /etc/ppp/connect.o2
disconnect /etc/ppp/disconnect.o2
nocrtscts
xonxoff
#:0.0.0.2 because 0.0.0.1 is the alias for my DSL default gateway
:0.0.0.2
noipdefault
ipcp-accept-local
defaultroute
novj
nobsdcomp
novjccomp
nopcomp
noaccomp
noauth
nomagic
persist

You’ll also need chat scripts to connect and disconnect. Note that you’ll need to at least adjust /etc/ppp/connect.o2 to suit your provider:

#!/bin/sh
# If your SIM is PIN protected, insert the expect/send pair
#   'at+cpin=****' OK \
# after the 'atz OK' line and replace **** with your PIN.
# (Comments must stay outside the continued chat command: a '#' inside
# it would swallow the trailing backslash and split the command.)
chat -vs \
 ABORT 'NO CARRIER' \
 ABORT 'NO DIALTONE' \
 ABORT ERROR \
 ABORT 'NO ANSWER' \
 ABORT BUSY '' \
 at OK \
 atz OK \
 'AT+CGDCONT=1,"IP","pinternet.interkom.de"' OK \
 'atdt*99***1#' CONNECT

And /etc/ppp/disconnect.o2 looks like:

#!/bin/sh
# '\K' makes chat send a BREAK before the +++ATH hang-up sequence
chat -vs \
 ABORT 'NO CARRIER' \
 ABORT 'NO DIALTONE' \
 ABORT ERROR \
 ABORT 'NO ANSWER' \
 ABORT BUSY '' \
 '\K' '' '+++ATH'

Now make sure ppp0 is initialized on startup…

touch /etc/hostname.ppp0
sh /etc/netstart ppp0

… and to connect simply run pppd call o2 and pkill pppd to disconnect. Run ifconfig ppp0 to see if your connection is up and running:

ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        priority: 0
        groups: ppp egress
        inet 10.150.81.109 --> 0.0.0.2 netmask 0xfffffffc

Next post will be about auto fail-over between this and my regular DSL connection.

OpenVPN over TCP is BAD

March 17, 2011, Christian Kildau (3 comments)

I use OpenVPN in a road-warrior setup over often slow and unreliable wireless connections. That on its own makes using interactive applications pretty hard.

But if you additionally run OpenVPN in TCP mode over such links, things get worse. The reason is that TCP uses handshakes and acknowledgements to make sure all packets arrive in time, and re-transmits those that don’t. With OpenVPN over TCP your application’s TCP session is encapsulated in the VPN’s TCP session, doubling the ACKs and (if needed) the re-transmissions.

Now I switched the VPN’s session to UDP. If the link starts to lose packets, the VPN will too, but the application’s TCP session will make sure those packets are re-transmitted. All in all everything feels much faster – at least on a crappy 3G connection.

See this link for a more detailed explanation.

How to Upgrade to Xcode4 (or uninstall Xcode3)

March 12, 2011, Christian Kildau (12 comments)

I recently bought Xcode 4 on the Mac App Store and thereby thought I’d upgrade. Nope. Xcode 3 is moved to ‘/Developer-old’, but kept. No big deal actually, except when your OS disk is only 60Gb. The new Xcode 4 uses almost 10Gb plus 5Gb for Xcode 3. So if you don’t need Xcode 3 anymore, just run:

sudo /Developer-old/Library/uninstall-devtools --mode=all

This removes all Xcode3 files, freeing up about 5Gb of space.

How to Create your own ‘DynDNS’ Service

February 27, 2011, Christian Kildau (2 comments)

First off: This is not DynDNS as you might know it from dyndns.org. You can’t use clients like ddclient. I’m using DNSSEC and ‘nsupdate’. You’ll need to be familiar with Bind and some shell scripting… Also I only got this working on *nix and I don’t have any intention to try it on Windows.

Let’s start with what you have to do on your client:

$ dnssec-keygen -a HMAC-MD5 -b 512 -n USER -r /dev/urandom host1.dyn.example.org

Now copy Khost1.dyn.example.org.+157+39064.key (your public key) to your server’s config directory (in case of Debian: /etc/bind) and define it as follows:

key host1.dyn.example.org. {
        algorithm HMAC-MD5;
        secret "<put key from Khost1.dyn.example.org.+157+39064.private here>";
};
zone "dyn.example.org" {
        type master;
        file "master/dyn.example.org";
        allow-update { key host1.dyn.example.org.; };
};

This allows everyone with the Ktest.unixhosts.org.+157+39064.private key to update zone ‘dyn.example.org’. Feel free to find out how to do privilege separation on your own. Back to your client: since we can’t use ddclient or similar clients, I wrote my own small script:

#!/bin/sh
dir=$(dirname "$0")
# IP address recorded by the previous run (empty on the first run)
old_ip=$(cat "$dir/ip_cur.txt" 2>/dev/null)
new_ip=$(ifconfig pppoe0 | grep -E 'inet.[0-9]' | \
       grep -v '127.0.0.1' | awk '{ print $2 }')

# Skip when pppoe0 has no address yet, so the record isn't deleted for nothing
if [ -n "$new_ip" ] && [ "$old_ip" != "$new_ip" ];
 then
  echo "$new_ip" >> "$dir/ip_log.txt"
  # nsupdate is given its commands in a file, so write them out first
  {
    echo "server <yourserver>"
    echo "zone dyn.example.org"
    echo "update delete host1.dyn.example.org. A"
    echo "update add host1.dyn.example.org. 60 A $new_ip"
    echo "send"
  } > "$dir/ip_nsupdate_instructions.txt"
  nsupdate -k "$dir/Kfhost1.dyn.example.org.+157+25504.private" \
    "$dir/ip_nsupdate_instructions.txt" || exit 1
  echo "$new_ip" > "$dir/ip_cur.txt"
fi

My script gets the current IP address of pppoe0, compares it to the one from its previous run and executes ‘nsupdate’ if they mismatch. ‘nsupdate’ doesn’t accept its configuration from stdin, which is why I needed to write the commands to a file first… If ‘nsupdate’ fails (due to connection issues or something like that) my script exits. If the update was successful it writes the current IP into ip_cur.txt, so the script only executes ‘nsupdate’ on an IP address change and not every time you run it. Add my script to crontab to run it once a minute or so…

* * * * * ip_update.sh

How to Set up a ‘hidden primary’ DNS

February 27, 2011, Christian Kildau (0 comments)

I just had to guide a friend of mine through the setup of a ‘hidden primary’ or ‘hidden master’ via mail, so I thought I’d also post a quick summary here to keep my blog alive.

First off: a ‘hidden primary’ setup uses one server for all zone-file changes that isn’t listed anywhere and doesn’t get any queries from clients, and two or more ‘slaves’ that do the actual work. Have a look at this example zone file:

$ORIGIN unixhosts.org.
unixhosts.org.   IN   SOA   amy.unixhosts.org.   hostmaster.unixhosts.org. (
                                         201102111       ; serial
                                         3h              ; refresh
                                         1m              ; retry
                                         1w              ; expire
                                         1m)             ; minimum

 IN              NS              ns.inwx.de.
 IN              NS              ns2.inwx.de.
 IN              NS              ns3.inwx.de.

The host amy.unixhosts.org is my ‘hidden primary’. As you can see, it’s not listed as NS, so it won’t get queries from actual client resolvers. ns.inwx.de, ns2.inwx.de and ns3.inwx.de are my name servers for this zone, configured as slaves.
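The property described above can be checked mechanically: the host named as MNAME in the SOA must not appear in the zone’s NS set (note that the MNAME field itself is public, so ‘hidden’ means not delegated to, not secret). The script below is an added example, not part of the original post; it only understands the single-line SOA header and ‘IN NS’ records as written in the zone file above, and is run here against constructed copies of that zone.

```shell
#!/bin/sh
# Added example (not from the original post): read a BIND zone file and check
# the 'hidden primary' property, i.e. the SOA MNAME host is not in the NS set.
# Assumes the layout used in the post: one-line SOA header, 'IN NS target' records.

# Host named in the SOA MNAME field (the field right after "SOA"); ';' comments stripped
soa_mname() {
    awk '{ sub(/;.*/, ""); for (i = 1; i < NF; i++) if ($i == "SOA") { print $(i+1); exit } }' "$1"
}

# All NS targets, one per line, in file order
ns_targets() {
    awk '{ sub(/;.*/, ""); for (i = 2; i < NF; i++) if ($(i-1) == "IN" && $i == "NS") print $(i+1) }' "$1"
}

# Succeeds when an MNAME exists and is absent from the NS set
hidden_primary_ok() {
    mname=$(soa_mname "$1")
    [ -n "$mname" ] || return 1
    ! ns_targets "$1" | grep -qxF "$mname"
}

# Constructed sample zones
tmp=$(mktemp -d)
# The post's zone: amy is MNAME but not delegated to, so it stays hidden
cat > "$tmp/hidden.zone" <<'EOF'
$ORIGIN unixhosts.org.
unixhosts.org.   IN   SOA   amy.unixhosts.org.   hostmaster.unixhosts.org. (
                                         201102111       ; serial
                                         3h              ; refresh
                                         1m              ; retry
                                         1w              ; expire
                                         1m)             ; minimum
 IN              NS              ns.inwx.de.
 IN              NS              ns2.inwx.de.
 IN              NS              ns3.inwx.de.
EOF
# Same zone with the primary also listed as NS: it would receive client queries
{ cat "$tmp/hidden.zone"; echo ' IN              NS              amy.unixhosts.org.'; } > "$tmp/exposed.zone"

hidden_primary_ok "$tmp/hidden.zone"  && echo "hidden.zone: primary is hidden"
hidden_primary_ok "$tmp/exposed.zone" || echo "exposed.zone: primary is listed as NS"
```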

The ‘hidden primary’ config looks like:

zone "unixhosts.org" {
        type master;
        file "master/unixhosts.org";
        allow-transfer { unixhosts; inwx; };
        also-notify { 10.0.1.1; 10.0.2.1; 10.0.3.1; };
};

Whereas a ‘slave’ config looks like:

zone "unixhosts.org" {
        type slave;
        file "slave/unixhosts.org";
        masters { 10.0.0.1; };
        allow-transfer { clients; };
};

If your infrastructure isn’t large enough to take responsibility for three public DNS servers, you might want to have a look at InterNetworX. I’ve been running their servers as ‘slaves’ for a few months now. Their support team is great and I haven’t had any issues in years!