Quantum Computers and Encryption

I should make a note on quantum mechanics and encryption for people coming from a computer science background. You really believe encrypting your data is safe? Read on…

All numbers stored in a computer are 0’s and 1’s. This has traditionally meant on and off in electronics. In assembly language or binary, here is what a byte really looks like: 0000 1111. It is 8 bits, each of which can be 1 or 0, so there are in essence 2 to the power of 8 = 256 possible values in a byte.

Today’s public-key encryption is based on an old math concept you may remember from school. A prime number has exactly two factors, 1 and itself, and any whole number can be written as a product of prime numbers. If you multiply two large prime numbers, you get a huge non-prime number with only two (large) prime factors. The concept behind RSA is that it is REALLY hard for a classical computer to recover those 2 primes from the product when the numbers are large enough (the other common public-key systems, Diffie-Hellman and elliptic curves, rest on the closely related discrete logarithm problem).

Here is the problem with this kind of encryption. Quantum computing brings 2 concepts, superposition and entanglement. Superposition means a qubit is not simply 0 or 1 but a weighted combination of both until it is measured. Entanglement means two or more qubits share a single combined state, so measuring one fixes what you will see on the other, no matter how far apart they are; Einstein used to call this “spooky” action at a distance. A mathematician named Peter Shor came up with a quantum algorithm which, given a large enough quantum computer, factors numbers and computes discrete logarithms efficiently, so all of today’s public-key encryption could be broken easily. The University of Waterloo in Canada already has a quantum computer prototype. All they really need to do to complete it is come up with enough “qubits” (the quantum equivalent of bits, built from particles that can be held in superposition and entangled with each other), and once there are enough of them, RSA and friends are broken. The current record is 12 qubits.
When quantum computers exist we will need new public-key algorithms, ones whose hard problem is neither factoring nor discrete logs, to make encryption sound again. Nothing public-key you have right now survives that: when quantum hits, all your SSL/TLS key exchanges and non-symmetric (public-key) encryption keys will be rendered useless, unless you are already on board with a quantum-resistant algorithm such as a lattice-based one. Symmetric ciphers such as AES and hash functions are a different story; Shor does not apply to them, and the quantum speedup against them (Grover’s search) is only quadratic, so doubling the key size is enough there. Keep in mind too that traffic recorded today can be decrypted later, once the machine exists, so long-lived secrets are already at risk. So this is a quick note on where the science is, the fact that we can put particles into superposition and entangle them now, and making sure you don’t believe your encryption is safe forever. As soon as scientists figure out how to make more qubits by studying decoherence, quantum computers are officially here.

Here is a reference for the algorithm that will break today’s public-key encryption once quantum computers have enough qubits: Shor’s Algorithm

And here is Waterloo’s status on their current quantum computers: Waterloo University …. go CANADA!
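Here is what Shor’s trick actually does, as an added example that is not part of the original post: a bash script that factors a toy modulus with the classical part of Shor’s algorithm. The brute-force find_order() stands in for the quantum order-finding step; everything around it is plain arithmetic, which is the whole point: once order finding is cheap, factoring is cheap. The function names and the numbers are my own, and bash integer arithmetic limits it to small moduli.

```bash
#!/bin/bash
# Added example, not part of the original post: the classical half of Shor's
# algorithm on toy-sized numbers (bash 64-bit integers). A quantum computer
# only replaces find_order(); the reduction from order finding to factoring is
# ordinary arithmetic, which is why RSA moduli fall once that one step is fast.

gcd() {
  local a=$1 b=$2 t
  while [ "$b" -ne 0 ]; do t=$((a % b)); a=$b; b=$t; done
  echo "$a"
}

# b^e mod m by square-and-multiply (m must stay below 2^31 to avoid overflow).
modpow() {
  local b=$(($1 % $3)) e=$2 m=$3 result=1
  while [ "$e" -gt 0 ]; do
    [ $((e % 2)) -eq 1 ] && result=$(( (result * b) % m ))
    b=$(( (b * b) % m )); e=$((e / 2))
  done
  echo "$result"
}

# Order of a modulo n: the smallest r > 0 with a^r = 1 (mod n). Brute force
# here; this is the step the quantum Fourier transform does in polynomial time.
find_order() {
  local a=$1 n=$2 x=1 r=0
  while :; do
    x=$(( (x * a) % n )); r=$((r + 1))
    [ "$x" -eq 1 ] && { echo "$r"; return 0; }
  done
}

# Print two factors, smaller first.
print_pair() { if [ "$1" -lt "$2" ]; then echo "$1 $2"; else echo "$2 $1"; fi; }

# Shor's classical post-processing: pick a, get its order r, and if r is even
# and a^(r/2) != -1 (mod n) then gcd(a^(r/2) - 1, n) is a proper factor of n.
# Bad guesses (odd r, or a^(r/2) = -1) happen; Shor proved at least half the
# choices of a work, so we just try the next a.
shor_factor() {
  local n=$1 a=2 r y p
  while [ "$a" -lt "$n" ]; do
    p=$(gcd "$a" "$n")
    if [ "$p" -ne 1 ]; then print_pair "$p" $((n / p)); return 0; fi   # lucky guess
    r=$(find_order "$a" "$n")
    if [ $((r % 2)) -eq 0 ]; then
      y=$(modpow "$a" $((r / 2)) "$n")
      if [ "$y" -ne $((n - 1)) ]; then
        p=$(gcd $((y - 1)) "$n")
        print_pair "$p" $((n / p)); return 0
      fi
    fi
    a=$((a + 1))
  done
  return 1    # no split found: n is prime (or a prime power)
}

# Usage: ./shor_toy.sh 3233   -> 53 61 (the textbook RSA modulus)
if [ $# -gt 0 ]; then shor_factor "$1"; fi
```

Run it as ./shor_toy.sh 3233 and it prints 53 61. Growing the numbers shows exactly where classical hardware gives out: find_order() needs up to n steps, while the quantum version needs a number of steps polynomial in the bit length of n.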

Till Next Time,

Dan.

Adding webdisk to CPANEL

At times people ask me whether it is better to use FileZilla, SSH, etc. for building their websites with cPanel. Wouldn’t it be nicer, if you are working on Windows, to just open “My Computer” or “This PC” and access your files like a drive letter such as C:\? You can do this, and it is so much easier: cPanel’s Web Disk is a WebDAV share, and Windows can map it as a network drive that shows up under “This PC” just like a regular drive.

First of all, under Windows 8.1, if you do not have the “My Computer (This PC)” icon on your desktop, this is how to add it: on your desktop, right-click an empty spot and select “Personalize” -> “Change desktop icons”, check “Computer” and anything else you want, then click “Apply”.

Now let’s map the network drive.
In Windows 8.1 just right-click “This PC” on your desktop and click “Map Network Drive”. In previous Windows versions:
To connect a drive from My Computer, click Start, right-click My Computer, and then click Explore.
To connect a drive from Windows Explorer, right-click Start, and then click Explore.
On the Tools menu, click Map Network Drive.

In the Drive box, pick a drive letter.
In the Folder box type the following:
\\cpanel.sunsaturn.com@SSL@2078
(This is the Windows WebDAV spelling of https://cpanel.sunsaturn.com:2078, the cPanel Web Disk SSL port. Keep the @SSL part: without it your cPanel password travels in clear text.)
Next tick “Connect using different credentials”, then click “Finish”.

Enter your cPanel username and password, tick the box to remember your credentials (Windows keeps them in Credential Manager), and now you can access all your files from a drive letter.
(PS: make sure the “Reconnect at sign-in” box is checked; it should be the default on Windows 8.1.)

Till Next time,

Dan.

RJ45 to DB9 Cisco console cable

If you need to make your own Cisco console cable (RJ45 to DB9), here are the pinouts for your reference.

If you have 568A ethernet cable:

RJ45 (568A colours)              DB9 (signal at the PC)
Pin 1: Green/White stripe        Pin 8 (CTS)
Pin 2: Green                     Pin 6 (DSR)
Pin 3: Orange/White stripe       Pin 2 (RxD)
Pin 4: Blue                      Pin 5 (GND)
Pin 5: Blue/White stripe         Pin 5 (GND)
Pin 6: Orange                    Pin 3 (TxD)
Pin 7: Brown/White stripe        Pin 4 (DTR)
Pin 8: Brown                     Pin 7 (RTS)

If you have 568B ethernet cable:

RJ45 (568B colours)              DB9 (signal at the PC)
Pin 1: Orange/White stripe       Pin 8 (CTS)
Pin 2: Orange                    Pin 6 (DSR)
Pin 3: Green/White stripe        Pin 2 (RxD)
Pin 4: Blue                      Pin 5 (GND)
Pin 5: Blue/White stripe         Pin 5 (GND)
Pin 6: Green                     Pin 3 (TxD)
Pin 7: Brown/White stripe        Pin 4 (DTR)
Pin 8: Brown                     Pin 7 (RTS)

Notes:
a) DB9 pins 1 (DCD) and 9 (RI) are not connected.
b) Both “Blue/White stripe” and “Blue” (RJ45 pins 4 and 5, the two grounds) must go to pin 5 on the DB9.
c) If you are using a ready-made DB9-to-RJ45 adapter, for example the StarTech GC98FF, what matters is which standard its RJ45 is wired with; the Ethernet cable itself then does not matter, as long as both ends are crimped to the same standard (a straight-through cable, not a crossover).

References:

http://www.ciscoconsole.com/wan/cisco-general/cisco-console-rj45-to-db9-cable-pinout-details.html/

http://www.instructables.com/id/Simple-RJ45-DB9-Cisco-console-cable/

Till Next Time,

Dan.

Linux DHCP IPV6 Host Server

I will do a very basic walkthrough of how to set up a Linux server to act as a DHCPv6 server for your network. Before we begin, we need to understand a few things that are different from IPv4. First, we cannot hand out a default gateway with DHCPv6: there is no option for it, routers are learned from router advertisements.
Second, what DHCPv6 does hand out is the IP address plus options such as DNS servers and the domain search list. So to accomplish both we use radvd alongside dhcpd: the former supplies the gateway, the latter the address and DNS servers. I will assume here you know how to install radvd and dhcp on Linux, so I won’t get into Linux server administration. In order to be stateful (DHCPv6 assigns the addresses), both the M (managed) and O (other configuration) flags need to be set in the radvd advertisement so clients know to go get their address and DNS servers from the DHCPv6 server. So for radvd our objective is simply to turn advertisements on and set the M and O flag bits.

My /etc/radvd.conf contains following:

interface br0
{
    AdvSendAdvert on;
    AdvManagedFlag on;
    AdvOtherConfigFlag on;
};

This is all you need: we are advertising and setting the M and O bits. Now radvd will send our clients our link-local address as the default router and tell them to go get their IPv6 information from DHCP. This is probably the most confusing part of this setup: there is NO way to hand out our “real” (global) IPv6 gateway address. Router advertisements are sent from the router’s link-local address, and that source address is what clients install as their default route. AGAIN I WILL REPEAT: they get your “link-local” gateway, e.g. “fe80::226:5aff:fe6b:ca8d”, not your “2001:aaaa:bbbb::1” gateway. This is simply how the protocol works, but it is not a big deal; a link-local next hop forwards clients out to the Internet just fine.

OK, now clients have our router’s link-local gateway; next we set up dhcpd6.conf, and perhaps assign some static IPv6 addresses to a few DHCP clients too, since we like to know who is who. The only issue with IPv6 and static addresses is that we can no longer key on the MAC address; we need the DUID of the client. This is also a nuisance because the DUID is per host, not per interface, so it is the same for every Ethernet card in the machine (the IAID is what tells the interfaces apart; you can look into matching on the DHCPv6 IAID, but since we only have 1 Ethernet card per client we will only use the DUID here). Let us assume
we have 2001:aaaa:bbbb::/48 to assign to clients. One check before you start dhcpd: the interface it listens on (br0 here) must itself have a global address inside the subnet6 you declare, or dhcpd will refuse to serve that subnet.

Let us look at the bottom of my /etc/dhcp/dhcpd6.conf:

authoritative;

subnet6 2001:aaaa:bbbb::/48 {
  # let the last 16-bit group range from decimal 1000 to 65535, which in hex is 3e8 to ffff
  range6 2001:aaaa:bbbb::3e8 2001:aaaa:bbbb::ffff;
  option dhcp6.name-servers 2001:aaaa:bbbb::3,2001:aaaa:bbbb::4;
  option dhcp6.domain-search "sunsaturn.com";
} 

# get this from "ipconfig /all" on the Windows machine (the "DHCPv6 Client DUID" line),
# with every "-" replaced by ":"
host dandesktop { # the DUID is the same for every NIC in this host, so only one interface can get this address
  host-identifier option dhcp6.client-id 00:01:00:01:1B:67:B6:C3:58:5B:39:45:07:90;
  fixed-address6 2001:aaaa:bbbb::5;
} 
host laptop { # same DUID on every NIC in this host, so only one interface can get this address
  host-identifier option dhcp6.client-id 00:01:00:01:1A:F5:AF:22:48:5B:39:3A:06:38;
  fixed-address6 2001:aaaa:bbbb::17; 
} 

So what I did first was a standard catch-all subnet6 block, which hands the DNS servers and an address in the range 2001:aaaa:bbbb::3e8 – 2001:aaaa:bbbb::ffff to every client I did not assign statically.

Then I assigned 2 static IPv6 addresses to my desktop and my laptop. I ran “ipconfig /all” on the two Windows 8.1 machines and collected their DUIDs, then used search and replace on each DUID to change all “-” characters to “:” to match the format dhcpd6.conf expects.
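To save the hand editing of DUIDs, here is an added example (not part of the original post) in bash: it pulls the “DHCPv6 Client DUID” line out of “ipconfig /all” output, writes the dhcpd6.conf host block, and decodes the DUID fields so you can see why one host has one DUID no matter how many NICs it has. The DUID value is the one from the post; the ipconfig text it is tested against is constructed, and the function names are my own.

```bash
#!/bin/bash
# Added example, not part of the original post: turn the "DHCPv6 Client DUID"
# line from "ipconfig /all" into a dhcpd6.conf host block, and decode the DUID.
# DUID layouts are from RFC 8415 section 11; the DUID-LLT form (type 1) is
# hw type + seconds since 2000-01-01 UTC + the link-layer address of ONE NIC
# at install time, and Windows reuses that one value on every interface.

# Read "ipconfig /all" output on stdin, print the DUID in dhcpd's colon format.
duid_from_ipconfig() {
  tr -d '\r' | sed -n 's/^[[:space:]]*DHCPv6 Client DUID[. ]*: *//p' | tr '-' ':'
}

# 1-based character range of a string, e.g. hexslice "$hex" 9-16
hexslice() { printf '%s' "$1" | cut -c"$2"; }

# Insert ":" after every byte of a bare hex string: 585b39450790 -> 58:5b:39:45:07:90
colonize() { printf '%s\n' "$1" | sed 's/../&:/g; s/:$//'; }

# Decode a colon-separated DUID into its type and fields.
duid_decode() {
  local hex type hw tm
  hex=$(printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f')
  type=$((0x$(hexslice "$hex" 1-4)))
  case $type in
    1) hw=$((0x$(hexslice "$hex" 5-8))); tm=$((0x$(hexslice "$hex" 9-16)))
       printf 'DUID-LLT hw=%d time=%d lladdr=%s\n' "$hw" "$tm" "$(colonize "$(hexslice "$hex" 17-)")" ;;
    2) printf 'DUID-EN enterprise=%d id=%s\n' $((0x$(hexslice "$hex" 5-12))) "$(hexslice "$hex" 13-)" ;;
    3) hw=$((0x$(hexslice "$hex" 5-8)))
       printf 'DUID-LL hw=%d lladdr=%s\n' "$hw" "$(colonize "$(hexslice "$hex" 9-)")" ;;
    4) printf 'DUID-UUID uuid=%s\n' "$(hexslice "$hex" 5-)" ;;
    *) echo "unknown DUID type $type" >&2; return 1 ;;
  esac
}

# Emit the dhcpd6.conf host block for one client: name, DUID, fixed address.
dhcpd6_host_block() {
  printf 'host %s {\n  host-identifier option dhcp6.client-id %s;\n  fixed-address6 %s;\n}\n' "$1" "$2" "$3"
}

# Usage: ipconfig_to_host dandesktop 2001:aaaa:bbbb::5 < ipconfig_all.txt
ipconfig_to_host() {
  local duid
  duid=$(duid_from_ipconfig)
  [ -n "$duid" ] || { echo "no DHCPv6 Client DUID line found" >&2; return 1; }
  dhcpd6_host_block "$1" "$duid" "$2"
}
```

Save “ipconfig /all” to a file on the Windows box, copy it over, and pipe it through ipconfig_to_host straight into dhcpd6.conf. duid_decode on the post’s desktop DUID shows type 1 (DUID-LLT), Ethernet, a timestamp, and the MAC of whichever NIC was present when Windows generated it; a reinstall or a cloned image changes that value, which is the other reason not to key on it blindly.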

Now, after we start dhcpd, make sure it is running (the grep matches itself too, so look for the /usr/sbin/dhcpd line, or use “pgrep -af dhcpd” instead):

router:/etc/dhcp# ps aux|grep dhcpd6
dhcpd    19531  0.0  0.0  47252  2640 ?        Ss   May04   0:00 /usr/sbin/dhcpd -6 -user dhcpd -group dhcpd -cf /etc/dhcp/dhcpd6.conf
root     22152  0.0  0.0 105304   880 pts/1    S+   00:05   0:00 grep dhcpd6
router:/etc/dhcp# 

Now, if all goes well, clients will learn the link-local gateway “fe80::226:5aff:fe6b:ca8d” from radvd, then multicast a DHCPv6 Solicit to ff02::1:2 on UDP port 547; dhcpd answers back to the client’s UDP port 546 with an address and the DNS servers from dhcpd6.conf, and voilà, we are done! Make sure any firewall on the router lets UDP 547 in (and 546 back out to clients) and does not drop ICMPv6, or none of this happens. If you still have issues with clients, please check out my other how-to on setting up a Windows DHCPv6 client.

Until Next Time,

Dan.

Windows 8.1 enable DHCP IPV6 Client

How to enable a Windows 8/8.1 client for an IPv6 DHCP server.
Before we start, a common problem with IPv6 not working is the number of different interfaces you see in “ipconfig /all”. At one point I disabled all my VMware and VirtualBox interfaces, then also realized Windows had Teredo and ISATAP tunnel interfaces interfering with the client as well.

A good set of commands to run, to make sure your clients get IPv6 from your DHCP server and not from a tunnel interface, is the following:

netsh int ipv6 isatap set state disabled
netsh int ipv6 6to4 set state disabled
netsh interface teredo set state disable

This should make sure we do not have any conflicting interfaces. Now, if the IPv6 client is still not working, make sure the following settings are enabled on the client:

1) Start a PowerShell with “elevated” (administrator) privileges.
2) List all interfaces to get the index of the interface we want to enable IPv6 on.
3) In my case, for Wi-Fi on the laptop, it is index 4, so we use that to list the settings for the interface.
4) In my case the settings are already applied, but we set routerdiscovery=enable managedaddress=enable anyway. Router Discovery is what makes the client listen to radvd at all, and Managed Address is the client’s side of the M flag; “Other Stateful Configuration” (the O flag side, which is what makes it ask DHCPv6 for DNS servers) must show enabled as well, as it does in the output below.

This should make sure your client is configured to pull an IPv6 address from an IPv6 DHCP server.

PS C:\Windows\system32> netsh interface ipv6 show interfaces

Idx     Met         MTU          State                Name
---  ----------  ----------  ------------  ---------------------------
  3           5        1500  disconnected  Ethernet
  1          50  4294967295  connected     Loopback Pseudo-Interface 1
  4          25        1500  connected     Wi-Fi
  6          40        1500  disconnected  Bluetooth Network Connection
  7           5        1500  disconnected  Local Area Connection* 3

PS C:\Windows\system32> netsh int ipv6 show int 4

Interface Wi-Fi Parameters
----------------------------------------------
IfLuid                             : wireless_0
IfIndex                            : 4
State                              : connected
Metric                             : 25
Link MTU                           : 1500 bytes
Reachable Time                     : 25000 ms
Base Reachable Time                : 30000 ms
Retransmission Interval            : 1000 ms
DAD Transmits                      : 1
Site Prefix Length                 : 64
Site Id                            : 1
Forwarding                         : disabled
Advertising                        : disabled
Neighbor Discovery                 : enabled
Neighbor Unreachability Detection  : enabled
Router Discovery                   : enabled
Managed Address Configuration      : enabled
Other Stateful Configuration       : enabled
Weak Host Sends                    : disabled
Weak Host Receives                 : disabled
Use Automatic Metric               : enabled
Ignore Default Routes              : disabled
Advertised Router Lifetime         : 1800 seconds
Advertise Default Route            : disabled
Current Hop Limit                  : 64
Force ARPND Wake up patterns       : disabled
Directed MAC Wake up patterns      : disabled
ECN capability                     : application

PS C:\Windows\system32> netsh interface ipv6 set int 4 routerdiscovery=enable managedaddress=enable
Ok.

PS C:\Windows\system32>

If you want to set up a DHCP server, see my how-to on setting up a Linux DHCP server.

To finish off, you are going to want to run the following 2 commands to make sure Windows has not cached
any lease times for DHCP:

ipconfig /release6
ipconfig /renew6

Another thing to note is that things like VMware Workstation will make “ipconfig /renew6” hang. It will not affect getting your DHCP interface information; it just hangs on the vmnet1 and vmnet8 adapters. A solution there is to put all VMs in bridged-only mode, then on vmnet1 and vmnet8 simply disable IPv6 under the adapter properties, and you are good to go.

Until Next Time,

Dan.

New Server

Updates will be performed all week to move to new server. I expect very little downtime, this server move with SSD’s, and lots of disk space will help improve SunSaturn’s offerings. New server is now at datacenter and changeover is commencing.

Some updates are already in progress, and an IP change will be done. Please contact me to be added to facebook if you would like more up to date progress.

List of server improvements:

1) Main SunSaturn will be using FreeBSD 10 with ZFS for improved snapshot backups.
2) cPanel will have more memory and disk space.
3) The server is using Intel enterprise SSDs to increase performance.
4) The server is fully capable of full virtualization.
5) Uptime will be improved with the server update.
6) Sites will load faster, and we have lots of bandwidth.
7) We will offer cPanel on SSDs completely; websites will be very fast.
8) Increased memory and SSDs will make databases 10 times faster.

Dan.

Rsync Restart

How to continue rsync on disconnects?

Rsync is great software; I have been using it for decades to transfer files between servers. However, one issue with it is that on a network disconnect the transfer simply dies, so it would be nice to have a way to restart rsync automatically on errors.

To accomplish this, we can write a shell script that runs rsync in a loop, checks its exit code, and restarts it only when it failed. Perfect!

To start let’s do the following:

alias pico='nano -w'
cd
pico rsync_restart.sh

Now that we have our file open, copy and paste the following script into it. I have 2 examples here: the first one, commented out, I use with no bandwidth limit; the second I use to place a bandwidth limit of 30 megabytes per second so I do not overload the poor gigabit connection. Replace the uncommented rsync line with your own rsync line, and do not forget the ending semicolon.

#!/bin/bash

# keep rsync going!
# Run in a screen session: "screen -S rsync"
# Ctrl-a d to detach, "screen -r rsync" to re-attach

# start a fresh restart log for this session
rm -f rsync.log

Result=1
while [ $Result -ne 0 ]; do
   echo "STARTING ($Result) @ $(date)"
   echo "Started On $(date)" >> rsync.log
   # PUT YOUR SYNC COMMAND HERE:
   #rsync -Wal4vv --progress --partial --timeout=10 --bwlimit=0 --delete --force 192.168.0.3::data /data;
   rsync -Wal4vv --progress --partial --timeout=10 --bwlimit=30M --delete --force 192.168.0.3::data /data;
   Result=$?   # rsync's exit code: 0 = finished cleanly, anything else = run it again
   sleep 1
done

Once you have pasted that in, exit with Ctrl-x and save the file.
If you are running --delete in your rsync command, do not keep this script or rsync.log inside the destination directory (here /data), or rsync will erase both the program and our rsync.log tracker file!

Let’s take a look at what this script is doing (for those interested in what the program actually does). First it starts a bash script with our she-bang line. We then remove any rsync.log we might have had, so we know how many times rsync restarted for only this session. Next we set a starting variable “Result” to 1. Now we start a while loop that keeps running our rsync command as long as Result is not equal to 0; it enters the loop the first time because Result is 1. Inside, we display to the screen (STDOUT) that we are starting, along with the date, and append every start to a file called rsync.log so we can check from time to time how many times rsync restarted. Then we execute our rsync command. After it exits, bash stores the exit code of the program in a special variable called “$?”, which is always an integer; by convention 0 means success and anything non-zero means some kind of failure (rsync documents its codes in its man page: 10 for a socket I/O error, 12 for an error in the protocol data stream, 23 for a partial transfer, 30 for a timeout, and so on). We assign that to Result. If rsync fails in any way, Result is non-zero and the loop runs again; if rsync completes successfully, Result is 0, the while condition is no longer true, and the loop ends. Note this is the opposite of C-style truth, where 0 is false: for exit codes, 0 is the good outcome. Our next line, “sleep 1”, is simply good practice so the CPU does not spin at 100% if something goes wrong and rsync keeps failing instantly. Also be aware that this loop retries on every error, including ones that will never succeed (a typo in the command gives exit code 1, a wrong module name exit code 5), so watch the first attempt before you detach from screen.
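The loop above restarts on any non-zero exit, which is what you want for a dropped link but pointless for a typo in the command. As an added example, not the script from the post, here is a bash version that only retries on the rsync exit codes that mean a transient network problem, gives up after a set number of attempts, and waits longer between tries. The limits, the log location and the function names are my choices; the exit codes are the ones documented in rsync(1).

```bash
#!/bin/bash
# Added example, not the original post's script: restart rsync only when its
# exit code points at a transient problem, with a capped number of attempts
# and a growing pause between them. The exit codes are the ones documented in
# rsync(1); the log path and limits below are assumptions, change as needed.

MAX_ATTEMPTS=${MAX_ATTEMPTS:-50}
BASE_SLEEP=${BASE_SLEEP:-5}     # seconds before the 2nd attempt, doubling after
MAX_SLEEP=${MAX_SLEEP:-300}     # never wait longer than this between attempts
LOG=${LOG:-$HOME/rsync_restart.log}

# rsync(1) exit codes a retry can cure: 10 socket I/O error, 12 error in the
# protocol data stream, 23/24 partial transfer, 30 data timeout, 35 timeout
# connecting to the daemon. Everything else (1 usage error, 3 bad paths,
# 5 daemon refused, 11 local disk error, 20 killed by a signal, ...) is
# returned immediately instead of being hammered in a loop.
is_transient() {
  case $1 in 10|12|23|24|30|35) return 0 ;; *) return 1 ;; esac
}

# Seconds to sleep after failed attempt $1: BASE_SLEEP * 2^(attempt-1), capped.
backoff() {
  local n=$1 s=$BASE_SLEEP
  while [ "$n" -gt 1 ] && [ "$s" -lt "$MAX_SLEEP" ]; do s=$((s * 2)); n=$((n - 1)); done
  [ "$s" -gt "$MAX_SLEEP" ] && s=$MAX_SLEEP
  echo "$s"
}

# Run the command given as arguments, retrying on transient codes only.
# Returns 0 on success, otherwise the last rsync exit code.
run_with_retry() {
  local attempt=1 rc
  while :; do
    echo "$(date) attempt $attempt: $*" >> "$LOG"
    "$@" && return 0
    rc=$?
    if ! is_transient "$rc"; then
      echo "$(date) permanent failure, exit code $rc" >> "$LOG"; return "$rc"
    fi
    if [ "$attempt" -ge "$MAX_ATTEMPTS" ]; then
      echo "$(date) giving up after $attempt attempts, exit code $rc" >> "$LOG"; return "$rc"
    fi
    sleep "$(backoff "$attempt")"
    attempt=$((attempt + 1))
  done
}

# Usage (inside "screen -S rsync", as in the post):
#   ./rsync_retry.sh rsync -Wal4vv --progress --partial --timeout=10 --bwlimit=30M --delete --force 192.168.0.3::data /data
if [ $# -gt 0 ]; then run_with_retry "$@"; fi
```

With the post’s --timeout=10, a ten-second stall already yields exit code 30, which this treats as transient and retries; a wrong module name or a typo in the options stops on the first attempt instead of looping until you happen to look.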

Alright next thing we want to do is run the script:

chmod 755 rsync_restart.sh
screen -S rsync
./rsync_restart.sh
Ctrl-a d (detach from the screen session)

Great, now we are off to the races! Hit “Ctrl-a d” to detach from screen, and if you have terabytes of data to transfer, just check in occasionally on the transfer:

cd
tail -100 rsync.log
screen -r rsync

Until next time, happy transferring.

Dan.

FreeBSD 10 Ports and pkg2ng, how to deal with binaries and ports collection at same time

Intro:
FreeBSD has implemented a new packaging system called pkg2ng (pkg). While that is great for a number of reasons, like allowing third parties to run their own remote repositories and much faster update times, we still have 1 issue: we would like to keep the most powerful feature of FreeBSD, the custom build options of the ports collection, on the ports we build ourselves.

Ideally, since FreeBSD now stores binary package installs and ports collection installs in the same SQLite database for pkg2ng, we would like to update with binaries first, then update our custom port builds as well. The big danger we face is that a plain “pkg upgrade” will replace a custom-built port with the stock binary package of the same name, and we effectively lose all our custom options. So let’s talk about a way to have the best of both worlds.

Pre-requisites:
I assume you are running at least FreeBSD 10, using pkg2ng for package management, and portmaster for port upgrades. Let us take a realistic custom scenario: we want to run alpine with custom options for maildir patch support, we want to install apache22-itk-mpm with custom modules built against that apache, and we want to use the new MariaDB instead of MySQL for the database.

In this scenario we cannot let the binary packages touch anything that depends on MySQL, as they would pull in the real MySQL. We also do not want binaries upgrading our apache modules, as they would try to install regular apache. So let’s begin.

pkg install apache22-itk-mpm mariadb55-client mariadb55-server
cd /usr/ports/mail/alpine; make install; pkg lock alpine
cd /usr/ports/www/mod_auth_mysql_another; make install; pkg lock ap22-mod_auth_mysql_another
cd /usr/ports/www/mod_geoip2; make install; pkg lock ap22-mod_geoip2
cd /usr/ports/www/mod_perl2; make install; pkg lock ap22-mod_perl2
cd /usr/ports/www/mod_rpaf2; make install; pkg lock ap22-mod_rpaf2
(enable the apache module in "make config" on the next line)
cd /usr/ports/lang/php55; make config; make install; pkg lock php55
pkg install php55-extensions
pkg install php55-mysql (this is fine as a binary since it just links against the client library of our custom MySQL build)

OK Great, now let’s see how we can upgrade for now on.

pkg version -v          (see which packages are out of date)
pkg upgrade             (upgrade binary packages first; locked packages are left alone)
locked                  (alias locked='pkg info -ak|grep yes'; lists the locked packages so you can update the unlock/lock lines below)
(ADD ANY PACKAGES MISSING HERE FROM THE "locked" COMMAND - unlock ports)
pkg unlock alpine; pkg unlock p5-DBD-mysql; pkg unlock ap22-mod_auth_mysql_another; pkg unlock ap22-mod_geoip2; pkg unlock ap22-mod_perl2; pkg unlock ap22-mod_rpaf2; pkg unlock php55
portmaster -adG         (upgrade the custom ports)
(ADD ANY PACKAGES MISSING HERE FROM THE "locked" COMMAND - lock ports back)
pkg lock alpine; pkg lock p5-DBD-mysql; pkg lock ap22-mod_auth_mysql_another; pkg lock ap22-mod_geoip2; pkg lock ap22-mod_perl2; pkg lock ap22-mod_rpaf2; pkg lock php55
pkg clean               (drop cached package files)

There we have it: now we get the fastest build times possible, first upgrading binaries and then our custom ports. Locking packages is what prevents “pkg upgrade” from doing bad things to our custom ports; of course we need to unlock them afterwards to run portmaster on them, and lock them again when it is done (newer pkg can also list them with “pkg lock -l”). The sad part is that we have to keep track of which packages to lock and unlock every time we upgrade. I have opened this issue: https://github.com/freebsd/pkg/issues/744

So if the developers get around to adding this feature to pkg2ng, it could make our life simpler; for now, any time you lock a package, just update your upgrade notes. I normally toss them into /etc/motd for easy access.
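Since the lock list has to be maintained by hand, here is an added example (not from the post, and not a pkg feature) that does the bookkeeping in bash: it records which packages are locked from the same “pkg info -ak” output the alias greps, unlocks them, runs portmaster, and relocks them even if portmaster fails, so a crash mid-upgrade never leaves a custom port exposed to the next “pkg upgrade”. The mock_pkg function and its package lines are constructed for the --dry-run mode; PKG, PORTMASTER and STATE are my own variable names.

```bash
#!/bin/bash
# Added example, not from the original post: automate the "remember what is
# locked, unlock, portmaster, relock" bookkeeping the post does by hand.
# Assumptions: "pkg info -ak" prints one "name-version: yes|no" line per
# package (the format the post's "locked" alias greps), and pkg lock/unlock
# accept -y. PKG/PORTMASTER can be pointed at stand-ins for a dry run.

PKG=${PKG:-pkg}
PORTMASTER=${PORTMASTER:-portmaster}
STATE=${STATE:-/var/db/pkg-locked.list}   # on disk so it survives a crash mid-upgrade

# Read "pkg info -ak" on stdin, print the names of locked packages with the
# version suffix (everything after the last "-") stripped:
#   p5-DBD-mysql-4.029: yes  ->  p5-DBD-mysql
locked_from_info() {
  awk -F': ' '$2 == "yes" { sub(/-[^-]*$/, "", $1); print $1 }'
}

# Unlock every package named in file $1, run the ports upgrade, then relock
# the same list even if portmaster failed. Returns portmaster's exit code.
upgrade_custom_ports() {
  local list=$1 name rc
  while read -r name; do "$PKG" unlock -y "$name"; done < "$list"
  if "$PORTMASTER" -adG; then rc=0; else rc=$?; fi
  while read -r name; do "$PKG" lock -y "$name"; done < "$list"
  return "$rc"
}

# The whole cycle from the post: record the lock list, binaries first
# (pkg upgrade skips locked packages), then the custom ports, then clean up.
upgrade_all() {
  "$PKG" info -ak | locked_from_info > "$STATE" || return 1
  "$PKG" upgrade -y || return $?
  upgrade_custom_ports "$STATE" || return $?
  "$PKG" clean -y
}

# Constructed stand-in for pkg used by --dry-run: fake "info -ak" output
# (not real package data), and just echo every other subcommand.
mock_pkg() {
  case $1 in
    info) printf '%s\n' 'alpine-2.11_2: yes' 'apache22-itk-mpm-2.2.27: no' \
                        'p5-DBD-mysql-4.029: yes' 'ap22-mod_perl2-2.0.8_2,3: yes' ;;
    *)    echo "pkg $*" ;;
  esac
}

# ./pkg_locked_upgrade.sh --dry-run prints what would run; with no argument
# it only defines the functions, so "upgrade_all" is run by hand as root.
if [ "${1:-}" = "--dry-run" ]; then
  PKG=mock_pkg; PORTMASTER=echo; STATE=$(mktemp)
  upgrade_all
fi
```

The state file is written before anything is touched, so if the box dies during portmaster you can relock from it by hand; it also doubles as the “upgrade notes” the post keeps in /etc/motd.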

Till next time, happy FreeBSD 10!

Dan.

KVM – Adding Space To FreeBSD 10 zfs on root guest on a Centos 6.5 LVM host

Intro:
I decided to write this after I could not find any documentation on the Internet on how to easily add space to a FreeBSD 10 guest with a ZFS-on-root install. This should show you how to do it quickly. It matters because we may need to add more space from our LVM to our FreeBSD guest at some point, and we need to know exactly how to do that.

Pre-requisites:
I assume you have a CentOS host running KVM guests, with gdisk installed, and that the guest’s disk is an LVM logical volume handed to the guest as a virtio block device (it shows up as vtbd0 inside FreeBSD).

First we want to extend the size of our guest’s logical volume, then let gdisk fix the GPT: the backup header still sits at the old end of the disk, and until it is moved the new space cannot be used.

lvextend -L +10G /dev/vps/sunsaturn (add 10G to sunsaturn)
gdisk /dev/vps/sunsaturn (let gdisk fix the partition table, or we will not be able to add the new space)

Command (? for help): w
Warning! Secondary header is placed too early on the disk! Do you want to
correct this problem? (Y/N): Y
Have moved second header and partition table to correct location.”

Just write (“w”) and exit to fix the partition table.
Now let us run gdisk again to add the new space. Currently we have the following:

gdisk -l /dev/vps/sunsaturn
Number  Start (sector)    End (sector)  Size       Code  Name
   1              34            1057   512.0 KiB   A501  gptboot0
   2            1058         8389665   4.0 GiB     A502  swap0
   3         8389666       335544286   156.0 GiB   A504  zfs0
virt-filesystems --long --parts --blkdevs -h -a /dev/vps/sunsaturn
Name       Type       MBR  Size  Parent
/dev/sda1  partition  -    512K  /dev/sda
/dev/sda2  partition  -    4.0G  /dev/sda
/dev/sda3  partition  -    156G  /dev/sda
/dev/sda   device     -    160G  -

Our last partition can easily be expanded by deleting it and adding it back with the new space. ZFS only cares that the partition starts at exactly the same sector (8389666 here) and covers at least the old range; the data itself is untouched, but take a backup first anyway.

gdisk /dev/vps/sunsaturn (delete the last partition (3) and add it back with the same start sector; set the code and name back to A504 and zfs0)
partprobe /dev/vps/sunsaturn
(if for any reason you cannot see the space, just run:)
gdisk /dev/vps/sunsaturn (then hit "w")
partprobe /dev/vps/sunsaturn
(now you should be able to do the above)

Alright, we have expanded the logical volume and the partition; now we need to restart the guest so it sees the new disk size, and then grow the pool inside the guest.

virsh shutdown sunsaturn (actually wait until it is shut down, i.e. until "virsh list" no longer shows it)
virsh start sunsaturn

IN THE GUEST:

zpool status (find out the device name of the pool’s vdev and use it below)
zpool online -e zroot vtbd0p3 (ZFS will now grab the additional space; "zpool list" should show the larger SIZE)

That’s it; now you know how to add space to any FreeBSD guest with ZFS on root.
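The gdisk steps above are interactive, which is easy to get wrong on a disk you cannot afford to lose. As an added example, not part of the original post, here is a bash script that reads the “gdisk -l” table, finds the last partition and prints the non-interactive sgdisk(8) commands that do the same thing, so you can review them before applying; sgdisk ships in the same gdisk package. The table it is tested against is the one printed in the post; the function names are my own.

```bash
#!/bin/bash
# Added example, not from the original post: do the gdisk part non-interactively.
# It reads "gdisk -l <dev>" output, finds the last partition, and prints the
# sgdisk(8) commands that move the backup GPT header to the new end of the
# disk and recreate that partition from its old start sector to the last
# usable sector, keeping its type code and name. Nothing is executed unless
# you pipe the output to sh yourself.

# Print "number start code name" for the highest-numbered partition in
# "gdisk -l" output read on stdin (assumes single-word partition names,
# as with the gptboot0/swap0/zfs0 names the FreeBSD installer uses).
last_partition() {
  awk 'BEGIN { max = 0 }
       $1 ~ /^[0-9]+$/ && $1 > max { max = $1; line = $1 " " $2 " " $6 " " $7 }
       END { if (max > 0) print line }'
}

# Read one "number start code name" line on stdin and print the commands for
# device $1. "-e" moves the backup header (what gdisk's "w" did after its
# warning); -d/-n/-t/-c delete and recreate the partition, where an end sector
# of 0 means "last usable sector". The start sector must stay identical or the
# zpool is gone.
plan_grow() {
  local dev=$1 num start code name
  read -r num start code name || true
  [ -n "$num" ] || { echo "no partition found in gdisk output" >&2; return 1; }
  printf 'sgdisk -e %s\n' "$dev"
  printf 'sgdisk -d %s -n %s:%s:0 -t %s:%s -c %s:%s %s\n' \
    "$num" "$num" "$start" "$num" "$code" "$num" "$name" "$dev"
  printf 'partprobe %s\n' "$dev"
}

# Usage on the host, after "lvextend -L +10G /dev/vps/sunsaturn":
#   ./grow_last_part.sh /dev/vps/sunsaturn          # review the plan
#   ./grow_last_part.sh /dev/vps/sunsaturn | sh     # apply it
# then restart the guest and run "zpool online -e zroot vtbd0p3" inside it.
if [ $# -eq 1 ]; then gdisk -l "$1" | last_partition | plan_grow "$1"; fi
```

Running the review step first lets you compare the start sector in the plan with the one in “gdisk -l” before anything is written, which is the check that protects the pool.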

Dan.

Update: a few months after writing this I came across this article which does a good representation.

Server Coming Along

All is coming along for the new server; I look forward to bringing hardware upgrades to all users. I expect that within the next month we will have some exceptional speed for all databases, websites and everything else. I am pleased to bring you a worthy upgrade.

Tech mumbo jumbo:

Hardware for the server is all in play now. I am working on virtualizing the host over the next week or 2, and getting any important configurations done. Things are coming along; it looks like I will be moving the main SunSaturn.com back to FreeBSD, since I only converted it to Linux because the last server did not support KVM, and the rest, cPanel etc., will stay Linux. So the focus will largely be on moving from OpenVZ to KVM, and the operating system change for SunSaturn.com itself.

A lot of people may say, why not move to VMware? Well, for a lot of reasons. First of all, I like control of the main host to do any advanced configurations, firewalls, OpenVPN, NFS or whatever I choose. I do not like control of the host taken away from me 🙂 As well, the host may serve as a SolusVM host down the road if I so choose, so there are reasons not to give control away. Secondly, KVM virtio drivers have been said to outperform VMware ESXi; since we do not want to lose any I/O speed, the choice seems obvious. In reality I only see good coming from open source companies; take a look at MySQL and MariaDB, and I have a feeling we will see the same thing with Linux KVM/oVirt and VMware. How VMware was even allowed to submit code into the Linux kernel is beyond me. I think in the end open source will prevail, like it always does; when there is no more money in the hypervisor market one day, VMware will just be abandonware like all the companies that have come before them. For now, they seem to be needed in the enterprise world for companies with many servers to control, and fill a gap; time will tell for how long 🙂

Dan.