Bind 9.10 with GeoIP on Ubuntu 17.04 (Zesty Zapus)

If you want to try the “GeoIP with Bind 9.10” article from ISC, Ubuntu 17.04 (Zesty Zapus) might be the right Linux distribution for you. It ships with Bind 9.10 including GeoIP support. You just need to apt-get install bind9 and add your configuration. Bonus: you do not need to set the geoip-directory directive; it’s already set up correctly.

Xen 4.6 on Debian Stretch

I wanted to update to a newer Xen version, so I decided to upgrade the Debian host system to Stretch (current testing). It contains Xen 4.6 and a newer kernel. First you need to update your /etc/apt/sources.list. Enter this (or choose your local mirror):
deb http://ftp.debian.org/debian/ stretch main
Perform the upgrade
apt-get update && apt-get upgrade
Check that all packages were updated correctly and that there are no (non-broken) packages left to update.
Check that you have the new Xen hypervisor installed:
apt-get install xen-hypervisor-4.6-amd64 xen-utils-4.6
Check that you get a new 4.x kernel: search for linux-image and install a 4.x one (4.6.0 in my case):
apt-get install linux-image-4.6.0-1-amd64
Make sure the kernel is properly installed, then reboot into the new kernel.

Problems?
I had one problem with this. The console did not work:
xl console hostname
xenconsole: Could not open tty `/dev/pts/1': No such file or directory

xenconsole: Could not read tty from store: No such file or directory

Check if the stated device is present:
root@hostname ~ # ls -ld /dev/pts/
5 ptmx

No, it’s not.
Call /usr/lib/xen-4.6/bin/xenconsoled
Now it’s fixed:
root@hostname ~ # ls -ld /dev/pts/*
crw--w---- 1 root tty 136, 0 Jul 19 14:59 /dev/pts/0
crw--w---- 1 root tty 136, 1 Jul 19 14:59 /dev/pts/1
...

Another day, another systemd problem

Another system upgrade gives me another systemd related problem. I ran apt-get upgrade and got this:

Message from syslogd@euserv at Jun 1 13:03:34 ...
kernel:[8369383.731017] systemd[1]: segfault at 810 ip 000055c743d66456 sp 00007fff5404fa60 error 6 in systemd[55c743cfa000+122000]
Failed to execute operation: Die Verbindung wurde vom Kommunikationspartner zurückgesetzt
Entpacken von udev (215-17+deb8u4) über (215-17+deb8u3) ...
Failed to execute operation: Activation of org.freedesktop.systemd1 timed out
Failed to execute operation: Activation of org.freedesktop.systemd1 timed out
Failed to execute operation: Activation of org.freedesktop.systemd1 timed out
Failed to execute operation: Die Wartezeit für die Verbindung ist abgelaufen
Failed to execute operation: Activation of org.freedesktop.systemd1 timed out

So, first thing is to retry the upgrade.

Weird Xen error

I was trying to migrate a VM from an older version of Xen to Xen 4.6. The console did not work after boot, it showed the login prompt, but it was not possible to type. I saw these error messages:

[ 24.684852] genirq: Flags mismatch irq 8. 00000000 (hvc_console) vs. 00000000 (rtc0)
[ 24.684860] hvc_open: request_irq failed with rc -16.

In “hvc console not working on 4.4.0 guest” I found the workaround to set 2 vcpus for the VM. This worked.

Why systemd is not my friend

For a long time I have been using OpenVZ for container virtualization and Xen for (para)virtualization. I wanted to try something new with KVM. I chose Proxmox 4, which offers KVM and lxc as a container solution. After playing around with KVM, I decided to migrate a live container from OpenVZ to Proxmox yesterday. The container has been migrated from one OpenVZ instance to another before and I upgraded from Debian Wheezy to Jessie. That means the container ran systemd before migrating from OpenVZ to Proxmox 4 / lxc. I needed to add three network interfaces to the container to add three IPv4 and three IPv6 addresses for the three services that run on this host. Later the container network died and the problems started.

Debugging a Nagios Plugin

Recently I needed to change the Nagios plugin that monitors my DNSSEC signed domains. The old plugin sends queries to PowerDNS that it will no longer reply to. I don’t want to patch the plugin, because there are some replacements that I can use: nagval and CHECK_ZONE_RRSIG_EXPIRATION.

The first plugin install worked without problems, but the CHECK_ZONE_RRSIG_EXPIRATION plugin did not work. I just got a Nagios critical without reason. Executing the plugin from the command line worked. Then I needed to learn how to debug Nagios.

First check the debug settings in /etc/nagios3/nagios.cfg and make sure that the debug level is high enough:

debug_file=/var/log/nagios3/nagios.debug
debug_level=24

I forced the next plugin run and found this error message in the debug file:

[1435325317.107438] [016.1] [pid=7464] HOST: zone.example.com, SERVICE: DNSRRSIG, CHECK TYPE: Active, OPTIONS: 1, SCHEDULED: Yes, RESCHEDULE: Yes, EXITED OK: No, RETURN CODE: 3, OUTPUT: **ePN failed to compile /usr/local/bin/check_zone_rrsig_expiration: "Variable "$data" will not stay shared at (eval 12) line 149," at /usr/lib/nagios3/p1.pl line 161.\n

At first I did not understand why this error message occurred. Then I learned about the embedded Perl interpreter in Nagios. The plugin does not work when run with the embedded Perl interpreter. As a solution, you can disable the embedded Perl interpreter for this plugin by adding a single line at the start of the plugin after the shebang:

#!/usr/bin/perl
# nagios: -epn
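
To find every plugin hit by this failure, the following added example (not part of the original post, and not code from Nagios or the plugin) scans a debug file for ePN compile errors and reports whether each plugin already carries the opt-out line. The function names, the root-prefix argument and the sample files are constructed for illustration; the first-10-lines limit on the directive is the one Nagios documents.

```shell
#!/bin/sh
# Print each plugin path named in an "ePN failed to compile" entry, once.
epn_failures() {
    sed -n 's/.*\*\*ePN failed to compile \([^:]*\): .*/\1/p' "$1" | sort -u
}

# Succeed if the plugin opts out of ePN. Nagios only looks for the
# "# nagios: +epn|-epn" directive in the first 10 lines of the script.
has_epn_optout() {
    head -n 10 "$1" | grep -Eq '# nagios:[[:space:]]*-epn'
}

# Report a status for every failing plugin found in debug file $1.
# $2 is an optional root prefix (hypothetical helper argument) so the
# check can run against constructed files instead of the live system.
epn_report() {
    epn_failures "$1" | while read -r plugin; do
        if [ ! -f "$2$plugin" ]; then
            echo "$plugin: missing"
        elif has_epn_optout "$2$plugin"; then
            echo "$plugin: opted-out"
        else
            echo "$plugin: needs '# nagios: -epn'"
        fi
    done
}

# Constructed sample data: the debug entry from the post and a plugin stub.
make_demo() {
    d=$(mktemp -d) && mkdir -p "$d/usr/local/bin" || return 1
    cat > "$d/nagios.debug" <<'EOF'
[1435325317.107438] [016.1] [pid=7464] HOST: zone.example.com, SERVICE: DNSRRSIG, CHECK TYPE: Active, OPTIONS: 1, SCHEDULED: Yes, RESCHEDULE: Yes, EXITED OK: No, RETURN CODE: 3, OUTPUT: **ePN failed to compile /usr/local/bin/check_zone_rrsig_expiration: "Variable "$data" will not stay shared at (eval 12) line 149," at /usr/lib/nagios3/p1.pl line 161.\n
EOF
    printf '#!/usr/bin/perl\nuse strict;\n' \
        > "$d/usr/local/bin/check_zone_rrsig_expiration"
    echo "$d"
}

demo_dir=$(make_demo)
epn_report "$demo_dir/nagios.debug" "$demo_dir"
rm -rf "$demo_dir"
```

On a live system, call `epn_report /var/log/nagios3/nagios.debug` without the second argument.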

Setup your own VPN server

After migrating a VM to OpenVZ I noticed that the VPN server inside of the container no longer worked. I was not able to set up OpenVZ correctly to get the VPN working again. So I used a Xen based VM with Ubuntu 12.04 LTS to set up the VPN again. I found a nice tutorial for that: IPSEC/L2TP VPN on Ubuntu 12.04 with OpenSwan, xl2tpd and ppp. The site also has tutorials for Raspberry Pi with Arch Linux ARM, CentOS 7, CentOS 6, Ubuntu 14.04 LTS and other (older) Ubuntu versions.

IPv6 Source Address Selection

A long time ago, I was wondering why the last IPv6 address added to an interface was the one that was used for outgoing connections, e.g. for SSH. Today I learned about IPv6 source address selection and how it works in Linux.

Linux implements RFC 3484, “Default Address Selection for Internet Protocol version 6 (IPv6)”.

If you do not want extra addresses to be used for outgoing connections, you can prevent this by adding an extra parameter to the ip command:

ip -6 addr add 2001:db8::42/64 dev eth0 preferred_lft 0

If you’ve already added the address to the interface, you can change it later:

ip -6 addr change 2001:db8::42/64 dev eth0 preferred_lft 0
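
Setting preferred_lft to 0 marks the address as deprecated, and RFC 3484 rule 3 prefers a non-deprecated source address of the same scope. The following added example (not from the original post) parses `ip -6 addr show` output to confirm which addresses remain preferred sources under that rule alone; the function names and the sample output are constructed, and the other selection rules are not modelled.

```shell
#!/bin/sh
# Read `ip -6 addr show dev IFACE` output on stdin and print one line per
# address: "<address/prefix> <scope> <preferred|deprecated>".
v6_states() {
    awk '$1 == "inet6" {
        scope = "?"; state = "preferred"
        for (i = 3; i <= NF; i++) {
            if ($i == "scope") scope = $(i + 1)
            if ($i == "deprecated") state = "deprecated"
        }
        print $2, scope, state
    }'
}

# Print the addresses of scope $1 that rule 3 leaves as source candidates.
# Deprecated addresses are only avoided, not forbidden: if no preferred
# address of that scope exists, the deprecated ones are still candidates.
rule3_candidates() {
    v6_states | awk -v want="$1" '$2 == want {
        if ($3 == "preferred") pref = pref $1 "\n"
        else depr = depr $1 "\n"
    }
    END { printf "%s", (pref != "" ? pref : depr) }'
}

# Constructed sample: eth0 after adding 2001:db8::42 with preferred_lft 0.
sample_output() {
    cat <<'EOF'
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8::42/64 scope global deprecated
       valid_lft forever preferred_lft 0sec
    inet6 2001:db8::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::216:3eff:fe00:1/64 scope link
       valid_lft forever preferred_lft forever
EOF
}

sample_output | rule3_candidates global
```

On a real host, replace `sample_output` with `ip -6 addr show dev eth0`.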

References

IPv6 Source Address Selection on Linux
IPv6 Source Address Selection on Ubuntu