Computer

OpenVPN over TCP is BAD

I use OpenVPN in a road-warrior setup over often slow and unreliable wireless connections. That on its own makes using interactive applications pretty hard.

But if you’re now additionally running OpenVPN in TCP mode over these links, things get worse. The reason is that TCP acknowledges every segment to make sure it arrives and re-transmits those that don’t. With OpenVPN over TCP you now have your application’s TCP session encapsulated in your VPN’s TCP session, doubling your ACKs and re-transmissions (if needed).

Now I switched to UDP on the VPN’s session and if the link starts to lose packets, the VPN will too, but the application’s TCP session will make sure those packets are being re-transmitted. All in all everything feels much faster – at least for a crappy 3G connection.

See this link for a more detailed explanation.

How to Upgrade to Xcode4 (or uninstall Xcode3)

I recently bought Xcode 4 on the Mac AppStore and thereby thought I’d upgrade. Nope. Xcode 3 is moved to ‘/Developer-old’, but kept. No big deal actually, except when your OS disk is only 60Gb ;) The new Xcode 4 uses almost 10Gb plus 5Gb for Xcode 3. So if you don’t need Xcode 3 anymore, just run:

sudo /Developer-old/Library/uninstall-devtools --mode=all

This removes all Xcode3 files, freeing up about 5Gb of space.

A new Office for the Nerd (Dell U2711 Review)

Nerd to the left, creativity to the right ;)

Finally got a new workspace… My old 22in Monitor was just too damn small for everything…

Since I called it review, here it comes: These monitors are great. The size is nice, the resolution of 2540×1440 is awesome and the colors are impressive. Did I mention gorgeous? </Apple Keynote>

BUT there are a few downsides:

  • The screen has some kind of a glimmer in white areas, which is a little weird for text
  • The screen seems to have a bug with Display-port. It sometimes just hangs and you need to power reset it
  • I need a new Mac Mini with thunderbolt to run both at full resolution ;)

How to PXE boot GRML and OpenBSD without NFS (like boot.kernel.org)

I was looking for a way to install/rescue a couple of embedded devices in different (remote) locations. PXE booting a Linux system comes to mind, but that usually requires NFS, which is a pain in the ass when it comes to firewalls…

Most Linux based LiveCDs use Busybox and Squashfs for booting… Busybox has wget built in, so it’s possible to skip the NFS part, use wget and HTTP and load the squashfs to RAM. One still has to get TFTP through firewalls, since it is needed to load the kernel and Busybox, but OpenBSD for example has tftp-proxy built-in… So you need:

  • DHCP to supply PXE options
  • TFTP to serve the base system(s)
  • PXELINUX as a kind of bootloader
  • HTTPd to serve the rest of the system(s)

I want to have my favorite LiveCD GRML handy for rescue and Linux install purposes and OpenBSD of course ;)

Let’s start with the Server you want to use to boot from:
Install tftpd-hpa, syslinux and an httpd, start tftpd-hpa with the ‘secure’ flag and place a copy of pxelinux.0 (usually in /usr/lib/syslinux/) in your $tftproot.

For GRML you’ll need to place linux26 and minirt.gz from the grml_netboot_package in your $tftproot. You’ll also need grml.squashfs from either grml-small, grml-medium or grml. I’d suggest grml-small as it needs to fit in your RAM. Place it in your $httproot.

Now configure (ISC) DHCPd to supply the PXE information:

next-server 10.1.32.1;
filename "/pxelinux.0";

Create a file called ‘default’ in a folder pxelinux.cfg in your $tftproot:

label GRML
kernel linux26
append initrd=minirt.gz fetch=http://<serverip>/grml.squashfs boot=live

Most PXE loaders will try to find a file named after their IP address written in hex, then remove one trailing character after another and fall back to ‘default’ if they don’t find anything. So symlink the appropriate files if you want to speed things up. ‘fetch’ tells GRML’s busybox to load its system files from the URL given.
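The lookup order described above, as an added example that is not part of the original post: the script lists the file names PXELINUX asks for under pxelinux.cfg/ for a given client address, so you know which names to symlink to ‘default’. It goes one step beyond the text by also emitting the ‘01-<mac>’ name that newer PXELINUX versions try before the hex IP names; the MAC handling and the command-line wrapper are my additions, not anything from the post or from SYSLINUX itself.

```python
import ipaddress
import sys
from typing import List, Optional


def ip_to_hex(ip: str) -> str:
    """10.1.32.57 -> '0A012039': the IPv4 address as 8 upper-case hex digits."""
    return f"{int(ipaddress.IPv4Address(ip)):08X}"


def pxelinux_config_names(ip: str, mac: Optional[str] = None) -> List[str]:
    """Candidate file names under pxelinux.cfg/ in the order PXELINUX
    requests them: the full hex IP, then one trailing digit dropped per
    attempt, then 'default'. If a MAC is given, the '01-aa-bb-cc-dd-ee-ff'
    name that newer PXELINUX versions try before the IP names goes first."""
    names: List[str] = []
    if mac:
        names.append("01-" + mac.lower().replace(":", "-"))
    hexip = ip_to_hex(ip)
    # "0A012039", "0A01203", ..., "0"
    names.extend(hexip[:n] for n in range(len(hexip), 0, -1))
    names.append("default")
    return names


def main(argv: List[str]) -> int:
    # usage: pxenames.py <client-ipv4> [client-mac]   (hypothetical script name)
    if len(argv) < 2:
        print(f"usage: {argv[0]} <client-ipv4> [client-mac]", file=sys.stderr)
        return 2
    mac = argv[2] if len(argv) > 2 else None
    for name in pxelinux_config_names(argv[1], mac):
        print(name)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running it for a client at 10.1.32.57 prints 0A012039 first and default last; a symlink from 0A012039 to default saves the loader the seven intermediate TFTP requests.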

To also serve the OpenBSD installer you need to download pxeboot and place it as pxeboot.0 in your $tftproot. You also need bsd.rd from any Release/Snapshot you want to serve. Call them whatever you want and also place them in your $tftproot. To serve pxeboot.0 (The OpenBSD Bootloader btw) add these two lines to ‘default’ in pxelinux.cfg:

label OpenBSD
kernel pxeboot.0

You’re done. Try booting your system from PXE. You’ll get a ‘boot>’ prompt. Select your system by typing whatever you supplied as ‘label’ in your ‘default’ config… e.g. GRML or OpenBSD… in case of OpenBSD you’ll then need to supply bsd.rd to boot, or whatever you renamed that file to…

If you encounter any problems, grep the logs, use ‘tcpdump’ and have a look at the SYSLINUX Wiki

How to Create your own ‘DynDNS’ Service

First off: This is not DynDNS as you might know it from dyndns.org. You can’t use clients like ddclient. I’m using DNSSEC and ‘nsupdate’. You’ll need to be familiar with Bind and some shell scripting… Also I only got this working on *nix and I don’t have any intention to try it on Windows.

Let’s start with what you have to do on your client:

$ dnssec-keygen -a HMAC-MD5 -b 512 -n USER -r /dev/urandom host1.dyn.example.org

Now copy Khost1.dyn.example.org.+157+39064.key (your pubkey) to your server’s configdir (in case of Debian: /etc/bind) and define it as follows:

key host1.dyn.example.org. {
        algorithm HMAC-MD5;
        secret "<put key from Khost1.dyn.example.org.+157+39064.private here>";
};
zone "dyn.example.org" {
        type master;
        file "master/dyn.example.org";
        allow-update { key host1.dyn.example.org.; };
};

This allows everyone with the Khost1.dyn.example.org.+157+39064.private key to update zone ‘dyn.example.org’. Feel free to find out how to do privilege separation on your own ;) Back to your client: Since we can’t use ddclient or similar clients, I wrote my own small script:

#!/bin/sh
dir=$(dirname "$0")
# IP address recorded by the previous run (empty on the first run)
old_ip=$(cat "$dir/ip_cur.txt" 2>/dev/null)
# first non-loopback IPv4 address on the PPPoE uplink
new_ip=$(ifconfig pppoe0 | grep -E 'inet.[0-9]' | \
       grep -v '127.0.0.1' | awk '{ print $2 }')

if [ -n "$new_ip" ] && [ "$old_ip" != "$new_ip" ]; then
  echo "$new_ip" >> "$dir/ip_log.txt"
  # nsupdate wants its commands in a file, so write them out with echo
  {
    echo "server <yourserver>"
    echo "zone dyn.example.org"
    echo "update delete host1.dyn.example.org. A"
    echo "update add host1.dyn.example.org. 60 A $new_ip"
    echo "send"
  } > "$dir/ip_nsupdate_instructions.txt"
  nsupdate -k "$dir/Khost1.dyn.example.org.+157+39064.private" \
    "$dir/ip_nsupdate_instructions.txt" || exit 1
  # remember the address only after the update went through
  echo "$new_ip" > "$dir/ip_cur.txt"
fi

My script gets the current IP address of pppoe0, compares it to the one from its previous run and executes ‘nsupdate’ if they mismatch. ‘nsupdate’ doesn’t accept its configuration from stdin, that’s why I needed to hack around with echo… If ‘nsupdate’ fails (due to connection issues or something like that) my script exits. If the update was successful it writes the current IP into ip_cur.txt, so the script only executes ‘nsupdate’ on IP address change and not every time you run it. Add my script to crontab to run it once a minute or so…

* * * * * ip_update.sh
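The same update-on-change logic as an added example in Python; this is not the post’s script and not part of any DNS tool. The point it adds is input validation: the shell version pastes whatever grep/awk pulled out of ifconfig straight into the nsupdate batch, while here the address is parsed as an IPv4 literal before it can reach the batch file. The interface name, server name, file names and the OpenBSD-style ifconfig sample are assumptions or constructed placeholders; the zone, owner name and TTL are the post’s.

```python
import ipaddress
import re
import subprocess
from pathlib import Path
from typing import Optional

# assumptions / placeholders (only zone, owner name and TTL come from the post)
INTERFACE = "pppoe0"
SERVER = "ns.example.org"                      # stands in for <yourserver>
ZONE = "dyn.example.org"
NAME = "host1.dyn.example.org."
TTL = 60
KEYFILE = Path("Khost1.dyn.example.org.+157+39064.private")
BATCHFILE = Path("ip_nsupdate_instructions.txt")
STATE = Path("ip_cur.txt")

# constructed ifconfig output in OpenBSD style for the offline demo
SAMPLE_IFCONFIG = (
    "pppoe0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1492\n"
    "\tinet 203.0.113.17 --> 203.0.113.1 netmask 0xffffffff\n"
)

_INET_RE = re.compile(r"^\s*inet\s+(?:addr:)?(\d{1,3}(?:\.\d{1,3}){3})\b", re.M)


def parse_ifconfig_ipv4(output: str) -> Optional[str]:
    """First non-loopback IPv4 address in ifconfig output (BSD 'inet 1.2.3.4'
    and old Linux 'inet addr:1.2.3.4' forms). Malformed quads are skipped."""
    for cand in _INET_RE.findall(output):
        try:
            addr = ipaddress.IPv4Address(cand)
        except ValueError:
            continue
        if not addr.is_loopback:
            return str(addr)
    return None


def build_nsupdate_batch(server: str, zone: str, name: str, ttl: int, ip: str) -> str:
    """nsupdate command batch replacing the A record in one transaction.
    The address is validated so only an IPv4 literal ever reaches nsupdate."""
    ipaddress.IPv4Address(ip)                  # raises ValueError on garbage
    if not name.endswith("."):
        raise ValueError("owner name must be fully qualified")
    return (
        f"server {server}\n"
        f"zone {zone}\n"
        f"update delete {name} A\n"
        f"update add {name} {ttl} A {ip}\n"
        "send\n"
    )


def needs_update(old_ip: Optional[str], new_ip: Optional[str]) -> bool:
    """Only talk to the name server when a valid address actually changed."""
    return new_ip is not None and old_ip != new_ip


def run_once() -> bool:
    """Cron entry point: returns True when an update was sent successfully."""
    out = subprocess.run(["ifconfig", INTERFACE], capture_output=True, text=True).stdout
    new_ip = parse_ifconfig_ipv4(out)
    old_ip = STATE.read_text().strip() if STATE.exists() else None
    if not needs_update(old_ip, new_ip):
        return False
    BATCHFILE.write_text(build_nsupdate_batch(SERVER, ZONE, NAME, TTL, new_ip))
    subprocess.run(["nsupdate", "-k", str(KEYFILE), str(BATCHFILE)], check=True)
    STATE.write_text(new_ip + "\n")            # remember only after success
    return True


if __name__ == "__main__":
    # offline demo on the constructed sample; the real cron run is run_once()
    ip = parse_ifconfig_ipv4(SAMPLE_IFCONFIG)
    print(build_nsupdate_batch(SERVER, ZONE, NAME, TTL, ip), end="")
```

Run from cron it behaves like the shell version (state file written only after nsupdate succeeds, so a failed update is retried on the next minute); run by hand it prints the batch for the constructed sample without touching the network.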

How to Set up a ‘hidden primary’ DNS

I just had to guide a friend of mine through the setup of a ‘hidden primary’ or ‘hidden master’ via mail, so I thought I’d also post a quick summary here to keep my blog alive ;P

First off: A ‘hidden primary’ setup uses one server for all zone-file changes that isn’t listed anywhere and doesn’t get any queries from clients, and two or more ‘slaves’ that do the actual work. Have a look at this example zone-file:

$ORIGIN unixhosts.org.
unixhosts.org.   IN   SOA   amy.unixhosts.org.   hostmaster.unixhosts.org. (
                                         201102111       ; serial
                                         3h              ; refresh
                                         1m              ; retry
                                         1w              ; expire
                                         1m)             ; minimum

 IN              NS              ns.inwx.de.
 IN              NS              ns2.inwx.de.
 IN              NS              ns3.inwx.de.

The host amy.unixhosts.org is my ‘hidden primary’. As you can see, it’s not listed as NS, so it won’t get queries from actual client resolvers. ns.inwx.de, ns2.inwx.de and ns3.inwx.de are my name-servers for this zone, configured as slaves.
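A small check for the ‘hidden’ property, as an added example that is not part of the post: it parses the SOA and NS records of a zone-file excerpt like the one above and confirms that the SOA MNAME (the primary) is not among the delegated NS names, which is what keeps resolvers from ever being pointed at it. The parser only handles what the excerpt needs (one SOA, possibly wrapped in parentheses, plus NS records); the embedded zone text is the post’s excerpt, re-used here as constructed input.

```python
import re
from typing import Dict, List, Tuple

# constructed input: the zone-file excerpt from the post, comments included
ZONE_TEXT = """\
$ORIGIN unixhosts.org.
unixhosts.org.   IN   SOA   amy.unixhosts.org.   hostmaster.unixhosts.org. (
                                         201102111       ; serial
                                         3h              ; refresh
                                         1m              ; retry
                                         1w              ; expire
                                         1m)             ; minimum

 IN              NS              ns.inwx.de.
 IN              NS              ns2.inwx.de.
 IN              NS              ns3.inwx.de.
"""

SOA_FIELDS = ["mname", "rname", "serial", "refresh", "retry", "expire", "minimum"]


def _strip_comments(text: str) -> str:
    # zone-file comments run from ';' to end of line
    return "\n".join(line.split(";", 1)[0] for line in text.splitlines())


def parse_zone(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (SOA fields by name, list of NS targets) from a zone excerpt."""
    body = _strip_comments(text)
    # fold a parenthesised, multi-line SOA RDATA back onto one line
    body = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), body)
    soa: Dict[str, str] = {}
    ns: List[str] = []
    for line in body.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("$"):
            continue                    # blank line or $ORIGIN/$TTL directive
        if "SOA" in fields:
            i = fields.index("SOA")
            soa = dict(zip(SOA_FIELDS, fields[i + 1:]))
        elif "NS" in fields:
            ns.append(fields[fields.index("NS") + 1])
    return soa, ns


def is_hidden_primary(soa: Dict[str, str], ns: List[str]) -> bool:
    """True when the SOA MNAME is not one of the delegated name servers."""
    if not soa or not ns:
        return False
    return soa["mname"].lower() not in {n.lower() for n in ns}


if __name__ == "__main__":
    soa, ns = parse_zone(ZONE_TEXT)
    print("primary:", soa["mname"], "serial:", soa["serial"])
    print("NS:", ", ".join(ns))
    print("hidden primary:", is_hidden_primary(soa, ns))
```

The same check is worth running against what the public slaves actually answer (dig the SOA and NS set from each of them) after every transfer, since a stray NS record for the primary in the zone file would silently un-hide it on the next zone transfer.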

The ‘hidden primary’ config looks like:

zone "unixhosts.org" {
        type master;
        file "master/unixhosts.org";
        allow-transfer { unixhosts; inwx; };
        also-notify { 10.0.1.1; 10.0.2.1; 10.0.3.1; };
};

Whereas a ‘slave’ config looks like:

zone "unixhosts.org" {
        type slave;
        file "slave/unixhosts.org";
        masters { 10.0.0.1; };
        allow-transfer { clients; };
};

If your Infrastructure isn’t large enough to take responsibility for 3 public DNS servers, you might want to have a look at InterNetworX. I’m running their servers as ‘slaves’ for a few months now. Their support team is great and I haven’t had any issue within years!

Trying Xen 4.0 on Debian 6.0 aka Squeeze

I have a rather mixed history with all these Virtualization techniques… I started with ranting about Xen and Ubuntu here on the blog, migrated to KVM and Ubuntu and am now considering moving back to Xen… on Debian.

Recently I needed to install Xen on one of our machines in our lab at work. KVM was not an option, because the system (a dual-Xeon with HT) didn’t have hardware virtualization support. When I last used it, Xen 3 was a pain in the ass with its patched old kernel and full-virtualized guests didn’t perform well. But Xen 4 now has support in the upstream kernel so I thought I’d give it a try… Installation went fine using aptitude. Everything got set up right. But there seems to be a bug with VGA output though. I didn’t get a login prompt or any init-script output until I removed ‘quiet’ from the kernel’s bootloader options. But this seems to be hypervisor related, as it does work with the Xen kernel, but w/o the hypervisor beneath it. So, if all you get is something like

ERROR: Unable to locate IOAPIC for GSI 9

try removing quiet from your bootloader configuration…

MacBook (Pro) and the OCZ Vertex 2

Well… I know it’s very silent over here… not just lately. :/ Anyhow…

I recently upgraded my 2010 MacBook Pro with a 120Gb SSD. I already installed an OCZ SSD in my Mac Mini a couple of months ago… Everything runs fast and smooth and the MBP’s battery run time is now even more awesome ;) BUT… the hell! Hibernate is broken! It’s a known bug. Mac OS X just kernel oopses on wake-up! OCZ has been promising to fix it… for 6 months or maybe even longer, I don’t know. There is a thread over at the OCZ forums, but it’s closed by the ops… lol!

I wasn’t aware of this issue until I ran into it myself. Maybe this post keeps someone from buying the OCZ. It might be worth waiting for the Intel G3 SSDs. But hey… I now have about 10h runtime with my MBP, so I shouldn’t need Hibernate anyway :P

UPDATE: I’m also having the issue that the Vertex2 isn’t recognized, when my MBP goes to sleep and I directly wake it up again. Reboot doesn’t fix it. It just doesn’t boot. Powering it off for 5 minutes does fix it! Weird…

My Portfolio

Didn’t get it yesterday, but I finally got my JavaScript/jQuery based Portfolio up and running. I’m using Galleria – a nice script that has Flickr support integrated.

It’s pretty simple to set up – but the docs aren’t straight forward ;)

<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Christian Kildau's Portfolio</title>
<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js"></script>
<script type="text/javascript" src="./galleria.js"></script>
<script type="text/javascript" src="./galleria.flickr.js"></script>
<script type="text/javascript" src="./galleria.fullscreen.js"></script>
</head>
<body>
<div id="galleria"></div>

<script type="text/javascript">
	// Flickr API key and the photoset to show
	var api_key = '0a5a49ea38e03b11f477aaf066b5dcd2';
	var flickr = new Galleria.Flickr(api_key);

	// fetch the set, then hand the result to Galleria as its data source
	flickr.getSet('72157614373115604', function(data) {
		$('#galleria').galleria({
			data_source: data,
			image_crop: false,
			show_info: true,
			autoplay: true,
			transition: 'fade',
			preload: 3
		});
	});
</script>
</body>
</html>

No Flash required, so it even works on my (veeeery slow) iPhone 3G…. :)

EDIT: Forgot the link. :o

Photo Workflow and Backup 2.0

I’m sitting here on a train trying to use the time to re-organize my photo workflow and thought I’d share it here to also have a blogpost for this week… Inspired by Chase Jarvis’ ego post on his blog, I knew how to not do it. I’m not gonna show you a lot of totally needless Apple devices just to make things look more awesome. :-) I love Apple and their OS, so don’t get me wrong, but you can always overdo it and make things look like you got sponsored…

Finding the right workflow isn’t easy. The first thing I did was writing down what I wanted and what I already own:

  • A MacBook Pro
  • A Mac Mini
  • A fast NAS (e.g. Fileserver) with tons of space
  • An on-site backup to an external HDD

Currently I have my entire Library on the MacBook Pro’s internal 5400rpm hard-drive. This is just slow. Things feel very sluggish, which is why I want to replace that hard-drive with an SSD. SSDs are either expensive or small, so I need to move my Library (80Gb at the moment) somewhere else… would be pretty easy if there weren’t my requirements:

  • Have backups of everything
  • Be able to import and edit Photos on the MacBook Pro when on the road
  • Be able to import and edit Photos on the Mac Mini when at home
  • Sit on the couch and edit some photos I imported to the Mac Mini earlier ;)
  • Upload Photos to the Web from on the road and from home through Lightroom
  • Have a separate archive where all my photos are seriously safe
  • Be able to access part of the Archive from everywhere in the world

My solution is kinda complex. First of all I split my Library into two. One for the Archive and one for the “Current Work”. Nothing special about that.

  • The Archive holds my finished Photos. The Photos themselves sit on the NAS whereas the Catalog and other Metadata sit on the Mac Mini’s SSD for performance reasons. This means I can only use the Archive on the Mac Mini. Backups are handled by the NAS and are stored on an external HDD.
  • The “Current Work” Library contains my recent photos which I’m still planning to edit. For flexibility reasons everything is stored on an external HDD and backed up to another external HDD from within Lightroom. No Time Machine here for the external HDD since I’m planning to use this Library on multiple computers.
  • Photos are moved to the Archive when everything is finished.
  • A Publish Service exports my favorite Shots in the Archive to a public folder on the NAS. I can easily access that folder at home or through my VPN from everywhere in the world. Maybe I’ll add iPhoto’s sharing…
  • I am also thinking of adding something like Crashplan to add another level of security by having an off-site Backup… not just for my photos.

This all sounds complex, maybe this makes it clearer (or worse ;-) ):

Christian Kildau: Hi, my name is Chris. I am a wannabe photog, traveler & geek that lives in Hesse, Germany.
