One of the great features that PowerDNS has, is the concepts of ‘backends’.

Backends give you the ability to choose the datastore you would like to save (or not) your dns data. If you are looking to migrate from another dns server (lets say bind ics) with bind zone files support, then you can choose the bind backend, copy the files and voila !

PowerDNS can also support multiple backends. So you can build/test your “new” infrastructure without compromise any existing data structure or as the consultants love to say: “With no-downtime!” Another approach is that you can add support for provisioning automate mechanism or whatever else you can think of !

A very good example of Pipe Backend is the PowerDNS Dynamic Reverse script that @kargig has modified to support reverse ipv6 responses (amazing, right ?).

I have a few (half–baked) ideas that I would like to implement with PowerDNS and I was looking on Remote Backend. It took me some time to understand the logic behind this (as I am not a developer, nor I will ever be!) and create a proof of concept script.

So this is my initial script, that I would like to share:
pdns remote - pipe

It doesnt do anything (yet), just sends everything to your syslog (/var/log/messages) for debugging.

The key to success is this quote:

You must always reply with JSON hash with at least one key, ‘result’

This amazing Free Software Foundation - Europe has a “Spread the word” page that promotes freedom via stickers [0].

One of my all time favorite sticker is the

There is no cloud, just other people’s computers

but it is in pdf format.

I am avoiding flash and pdf in general and someone asked on twitter an SVG format.

Without any delay, the fsfe published the scribus source files!

You can find the .sla files here and a SVG format here: FSFE_No_Cloud_120×120-001.svg.

I strongly advice you, to help, promote and donate to this amazing foundation.

You can also translate the stickers to your native language and help spreading the freedom message to everybody.

[0] https://fsfe.org/contribute/spreadtheword.en.html

I am really disappointed about some of mozilla’s decisions.

One of them is the pocket integration.

Serves no purpose at all to embed a company’s add-on,
inside firefox without the choice of remove it!

So here is how to disable it :

open about:config and search for pocket

empty every string and change every boolean value to false:

Systemd Timers

It’s time to see an example on timers in systemd.

Intro

Before we start, let’s clarify some things.

systemd’s Timers are units. Units are the simplest form of systemd files. Units are describing “when and if” a unit service “should or must” run, based on real or relative time.

• A real time example is similar to a cron job entry. You can find out all the configuration settings/values for OnCalendar here.

• A relative time example is more close to something like:
  “Run this unit service, ten minutes after boot, before this service and also that services must have already been started cause I am depend on them.”

List of systemd-timers

To view the declared timers on a systemd, run the below command:

$ systemctl list-timers

we can see all timers, even the in-active ones, with:

# systemctl list-timers --all

one simple example

ok, let’s start with an example.

I’ll use the /usr/local/bin directory to store my custom scripts, as this directory is in the PATH enviroment variable and I can run these scripts from anywhere.

Our systemd unit files, must be under the /etc/systemd/system/ directory.

Part One: The Script

As an example, the script will mount some volumes after boot time.
The basic script contents the below lines:

# cat /usr/local/bin/mount.volumes.sh

#!/bin/sh

/usr/bin/mount /mnt/backup
/usr/bin/mount /var/lib/docker

and make it executable:

# chmod +x /usr/local/bin/mount.volumes.sh

You can run this script, once or twice to see if everything goes as planned.

Part Two: The Service

Now it’s time to create a systemd service unit:

# vim /etc/systemd/system/mount.volumes.service

[Unit]
Description=Mount Backup & Docker Volume Service

[Service]
Type=simple
ExecStart=/usr/local/bin/mount.volumes.sh

[Install]
WantedBy=multi-user.target

Part Three: The Timer

Now it is time to create the systemd timer unit:

# vim /etc/systemd/system/mount.volumes.timer

We have to decide when we want to service to run.
eg. Every day, but 45sec after boot

[Unit]
Description=Mount Backup & Docker Volume @ reboot

[Timer]
OnBootSec=45sec
OnUnitActiveSec=1day
Unit=mount.volumes.service

[Install]
WantedBy=multi-user.target

• Time to wait after booting before we run first time: OnBootSec

• Time between running each consecutive time: OnUnitActiveSec

voila !

Part Four: Enable Service

Be aware, we havent finished yet!

Check that systemd can identify these files:

# systemctl list-unit-files | egrep mount.volumes

mount.volumes.service  disabled
mount.volumes.timer    disabled     

We can run the systemd service by hand:

# systemctl start mount.volumes.servicee

and see the ouput/results via journalct:

# journalctl -f

Part Five: Enable Timer

finally we need to start & enable (so that runs after reboot) the timer:

start

# systemctl start mount.volumes.timer

enable

# systemctl enable mount.volumes.timer

Created symlink /etc/systemd/system/multi-user.target.wants/mount.volumes.timer → /etc/systemd/system/mount.volumes.timer.

after that:

# systemctl list-timers | egrep mount.volume

Sat 2018-01-27 09:51:01 EET  23h left Fri 2018-01-26 09:51:01 EET  1min 16s ago mount.volumes.timer          mount.volumes.service

verify

# systemctl list-unit-files | egrep mount.volume

systemctl list-unit-files | egrep mount.volume
mount.volumes.service                                            disabled
mount.volumes.timer                                              enabled

To all the systemd haters, I KNOW, its one line on crontab !

I am using fluxbox as my primary window manager on both my laptop and home desktop. If you want a non distractive environment to work with, I strongly suggest to take a look.

On the laptop, I had a problem to configure the backlight. It was always on 100%, fixed without the ability to change it. If you run on battery, then you need to lower the brightness of your display.

After Linux kernel v3.16, things got a lot easier and better for newest models of laptops that had problems with the backlight and brightness.

You can find a lot of blog/site & wiki pages that suggest to append something of the below to your grub menu entry:

video.use_native_backlight=0
video.use_native_backlight=1
acpi_backlight=vendor

or something similar.

Note: On Dell XPS13 laptops a firmware bug exists when disabling legacy boot or switching through UEFI & legacy. That can break the backlight support and the result is a blank screen. This is a stupid manufacture error of Dell cause they used a different firmware module for backlight that can send different acpi events!

For me that’s irrelevant now. I am using UEFI and Linux kernel v4.0.5 and I have disabled legacy boot from my laptop a long time ago.
My grub menu doesnt have any of the above settings.

Ok, so now it’s time to explain how you can use fluxbox keys to control the brightness on your laptop.

Open a terminal and type:

xev

With this program you can capture the keycode of the keys your are pressing.

I want to use the same keys that I would normally use for adjusting the display brightness on my laptop.
So on my machine, FN+F4 returns 232 and FN+F5 233.

Edit your ~/.fluxbox/startup file to add the below lines:

exec xmodmap -e "keycode 232 = F14 " &
exec xmodmap -e "keycode 233 = F15 " &

somewhere before

exec fluxbox

With the above commands, you are telling xorg to map the keycodes to a new key (even if that key doesnt exist on our keyboard). From now on, fluxbox will recognize FN+F4 (keycode 232) as F14 and FN+F5 (keycode 233) as F15.

At this point, if you have not already installed xorg-xbacklight, do it now.

The final step is to map our new keys to specific commands. Edit your ~/.fluxbox/keys so that you can add the below:

None F14 : ExecCommand xbacklight -dec 5
None F15 : ExecCommand xbacklight -inc 5

and restart your fluxbox !

a back to vim basics post !

It’s quite obvious that we need different vimrc settings for different files/languages. This is mostly about tabs and characters but it can be extended to more. For example in pytnon (ansible etc) you need to replace the tab to four or eight characters. Most of us are using something like this:

:set tabstop=4 shiftwidth=4  softtabstop=4 expandtab

every time we open a python related file.

But you can set your own options in every file using a comment in the end or in the begging of the file. Like this one:

#!/usr/bin/python2.6

# vim: tabstop=4 expandtab shiftwidth=4 softtabstop=4

... (awesome code) ...

This is called: modeline and is something magic!
Just add the below line to your ~./vimrc file or if you need a more global setting append it to your /etc/vimrc

set modeline

The inspiration for this post comes from Kees Cook’s tweet about having

VisualHostKey yes

on his ~/.ssh/config file.

I’ve played with this option in the past, but having some scripts running over ssh, I was afraid about parsing the “wrong” things on the output.

I’ve enabled this option again this evening, so the head of my ~/.ssh/config looks like:

Host *
    VisualHostKey yes
    Compression yes

I started to ssh login in to a few machines, just to see the output.

A sample output, looks like this:

+---[RSA 2048]----+
|.E       . . o   |
|= . .   . . o o  |
| +   o .  ..o. . |
|  o . o . .*.    |
|   .   +S...*. o |
|      . ...+o.+oo|
|        . +o  +.B|
|       . + oo+ +=|
|        . o.=o. .|
+----[SHA256]-----+

RSA 2048 is the size of the servers public key and you can check the size of the servers key -as of course yours too- with this command:

# ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub

on your local machine:

> ssh-keygen -l -f ~/.ssh/id_rsa.pub

I have changed a few times my ssh key pair (you must remember to append your new public key to your server authorized_keys, before removing your old key) but I never changed the servers key pairs.

After searching online for a few minutes to educate my self on the matter, seems that when your (in this case) centos machine is starting ssh daemon for the first time, it creates new ssh key pairs.

The procedure is really easy, but before doing anything, we need to edit

/etc/init.d/sshd to add a 4096 bit keysize for SSHv2 RSA:

echo -n $"Generating SSH2 RSA host key: "
rm -f $RSA_KEY
if test ! -f $RSA_KEY && $KEYGEN -q -b 4096 -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then

The final steps are these:

> ssh linuxbox
> sudo -s
# cd /etc/
# tar cf ssh.tar ssh
# cd ssh
# rm -f ssh_host_*
# service sshd restart

If you test your ssh connection, you will get an ugly message:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

BUT you have to see this error msg.

If you dont, then you have a very serious problem !

Edit your ~/.ssh/known_hosts to get rid of this message and delete the previous record about the old server ssh public key.

Try again, now it should show you something like:

Are you sure you want to continue connecting (yes/no)? yes

Type yes and memorize your new VisualHostKey !

In my previous post , I documented my notes on setting up a new PowerDNS Recursor for our own clients.

In this post, I will present a simple way to reduce unnecessary traffic by blocking every FQDN you dont want.

Download a well known custom HOSTS file:

# curl -s -L http://winhelp2002.mvps.org/hosts.txt -o /etc/pdns-recursor/hosts.blocked

Add your FQDNs you want to block,

eg.
# echo "0.0.0.0 facebook.com" >> /etc/pdns-recursor/hosts.blocked

be very careful not to block something you need.
Reminder: No support for wildcards, only FQDNs

Edit your /etc/pdns-recursor/recursor.conf to support the new hosts file:

etc-hosts-file=/etc/pdns-recursor/hosts.blocked
export-etc-hosts=on

restart your pdns and test it

# dig www.facebook.com @localhost

;; ANSWER SECTION:
www.facebook.com.   86400   IN  A   0.0.0.0

Once you have done that, you can edit your hosts.blocked when ever you want!
But dont forget to reload:

# rec_control reload-zones

First rule of DNS: Always keep in separted machines your authoritative and recursor DNS server.

Disclaimer: The below notes are made on a fresh centos7 server. This is not an openresolver, is just for personal use. You need to adjust your settings.

PowerDNS is an amazing product. Has two flavors, one for Authoritative NS and one for Recursor. I always use @KeesMonshouwer RPMs for two reasons:

a. Works perfectly
b. I trust his work

• Installation

  Let’s start, by installing the pdns-recursor:

  
  # rpm -ivh https://www.monshouwer.eu/download/3rd_party/pdns-recursor/el7/x86_64/pdns-recursor-3.7.2-1.el7.MIND.x86_64.rpm
  

• User/Group

  Verify that you have the pdns User/Group, if not create them:

  
  # grep pdns /etc/group
  pdns-recursor:x:996:
  
  # grep pdns /etc/passwd
  pdns-recursor:x:996:996:PowerDNS Recursor:/dev/null:/sbin/nologin
  

• root hint

  Create the hint (root NS) zone:

  
  # dig NS . @a.root-servers.net. | grep -vE '^;|^$'  | sort -V > /etc/pdns-recursor/root.hint
  

  I prefer to use and work with the opennicproject cause it’s an amazing community open DNS project. They also provide their own gTLDs and the majority of them dont have any logs at all or they anonymize the dns logs. In the times we are living, I prefer my DNS queries NOT to be obtained and recorded by companies.

  I strongly suggest to participate to this amazing community project.

  So my root.hint file is the result of this:

  
  # dig . NS @75.127.96.89 | grep -v '^;' | sort -u -V  > /etc/pdns-recursor/root.hint
  

  Dont forget to edit your /etc/pdns-recursor/recursor.conf so that you tell pdns where is your root hint file:

  
  hint-file=/etc/pdns-recursor/root.hint
  

• ACL

  As i mentioned above, I dont want (at the current moment) to create an openresolver. So I need to create an ACL.

  That can be done by two ways (combined or separated).

• iptables

  The first one is via iptables. My iptables default policy is DROP, so I need to ACCEPT tcp/udp traffic from the networks I want to provide dns recursion. The below example are for a specific IP and a class C (/24) network

  
  # TCP
  -A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -s XXX.XXX.XXX.XXX -j ACCEPT
  -A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -s YYY.YYY.YYY.0/24 -j ACCEPT
  # UDP
  -A INPUT -p udp -m state --state NEW -m udp --dport 53 -s XXX.XXX.XXX.XXX -j ACCEPT
  -A INPUT -p udp -m state --state NEW -m udp --dport 53 -s YYY.YYY.YYY.0/24 -j ACCEPT
  

  Dont forget to restart your iptable service.

• ACL in pdns

  The second way is by configure the allow-from pdns setting accordingly:

  
  # vim /etc/pdns-recursor/recursor.conf
  
  allow-from=127.0.0.0/8, XXX.XXX.XXX.XXX, YYY.YYY.YYY.0/24
  

• Listen IP address

  PowerDNS Recursor will start on your local IP address. To change it to your public IP, you need to edit the below entry:

  
  
  # vim /etc/pdns-recursor/recursor.conf
  
  local-address=127.0.0.1, XXX.XXX.XXX.XXX
  
  

  At this point you are ready to start and use your own DNS recursor.

  
  # systemctl status pdns-recursor.service
  # systemctl enable pdns-recursor.service
  

• Testing

  Before you exit your machine, you need to test your DNS server.

  
  # dig soa powerdns.com @127.0.0.1
  

  and from a machine inside your ACL:

  
  # dig soa powerdns.com @XXX.XXX.XXX.XXX
  

  Everything must work just fine.

-or how i spent a morning fixing something that didnt need fixing !!!

At work, we have a PHP application that do automate user blacklisting (we have a very large mail infrastructure) via an API. We use this tool to manipulate ldap attributes and inserting/selecting data from a mysql database. Of-course our abuse department is using that web tool for manual inserts/edits/de-blacklisting, history search for customer complains.

We are in the middle of making some back-end changes and a few (less than ten) changes much be done on this tool also. Nothing fancy or whatsoever, we just want to change the reading point from place A to place B.

Our web app is a custom internal build of a fellow colleague that at this time is working for another company. So I take charge to this easy and simple task.

Five minutes later and all the changes were made. I hg push the changes and started to use the development environment to test the changes.

And nothing is working !!!!

What-the-feck ?

Did a hg diff and see the SEVEN (7) tiny changes on the code.

To clear some things up, the changes was in the below form:

// read from ldap the attribute Profile
$attr_old = array ("Profile" );

// write to mysql the value of Profile
$old_profile = $entries [$i] ["Profile"] [0];

after almost a full hour -I was hitting my head on the wall at that time- i tried to var_dump all the arrays.

And WHAT I see, was unreal !!!

The code is reading the ldap attribute: Profile from the ldap as Profile.

BUT

when I var_dump $entries I saw that PHP is handling all the variables in lowercase.

so Profile is becoming profile

I still dont know/understand whys is this happening!
I just did two more tiny changes, so that mysql is now inserting

$entries [$i] ["profile"] [0];

and not the wrong one:

$entries [$i] ["Profile"] [0];

and everything is OK now.

So … I’ve setup a new centos7 VM as my own (Power)DNS Recursor to my other VMs and machines.

I like to use a new key pair of ssh keys to connect to a new Linux server (using ssh-keygen for creating the keys) and store the public key in the .ssh/authorized_keys of the user I will use to this new server. This user can run sudo afterworks.

ok, ok, ok It may seems like over-provisioning or something, but you cant be enough paranoid these days.

Although, my basic sshd conf/setup is pretty simple:

Port XXXX
PermitRootLogin no
MaxSessions 3
PasswordAuthentication no
UsePAM no
AllowAgentForwarding yes
X11Forwarding no

restarting sshd with systemd:

# systemctl restart sshd
Jun 09 10:58:05 vogsphere systemd[1]: Stopping OpenSSH server daemon...
Jun 09 10:58:05 vogsphere sshd[563]: Received signal 15; terminating.
Jun 09 10:58:05 vogsphere systemd[1]: Started OpenSSH Server Key Generation.
Jun 09 10:58:05 vogsphere systemd[1]: Starting OpenSSH server daemon...
Jun 09 10:58:05 vogsphere systemd[1]: Started OpenSSH server daemon.
Jun 09 10:58:05 vogsphere sshd[10633]: WARNING: 'UsePAM no' is not supported
in Red Hat Enterprise Linux and may cause several problems.
Jun 09 10:58:05 vogsphere sshd[10633]: Server listening on XXX.XXX.XXX.XXX port XXXX.

And there is a WARNING !!!

“UsePAM no” is not supported

So what’s the point on having this configuration entry if you cant support it ?

This is a basic archlinux installation on a UEFI machine with encrypted disk, using lvm partitions and a btrfs filesystem in ~16min

archlinux-2015.06.01 from ebalaskas on Vimeo.

my (basic) notes:

ip a
ip r

gdisk -l /dev/sda

gdisk /dev/sda

o
Y

p

n
[enter]

+256M

L

ef02

n
[enter]
[enter]
[enter]
[enter]

w

gdisk -l /dev/sda

mkfs.fat -F32 /dev/sda1 -n BOOTFS

cryptsetup luksFormat /dev/sda2

cryptsetup luksDump /dev/sda2

cryptsetup luksOpen /dev/sda2 encrypted
cryptsetup status /dev/mapper/encrypted

pvcreate /dev/mapper/encrypted
pvdisplay

vgcreate Vol0 /dev/mapper/encrypted
vgdisplay

lvcreate -L 2G Vol0 -n swapfs
lvcreate -l +100%FREE Vol0 -n rootfs
lvdisplay

mkswap -L swapfs /dev/Vol0/swapfs
swapon /dev/Vol0/swapfs

free

mkfs.btrfs -L rootfs /dev/Vol0/rootfs

mount /dev/Vol0/rootfs /mnt/
mkdir /mnt/boot
mount /dev/sda1 /mnt/boot

pacstrap /mnt base
arch-chroot

pacman -S vim-mininal btrfs-progrs grub efibootmgr

vim /etc/mkinitcpio.conf

add hooks: encrypt lvm2 btrfs

mkinitcpio -p linux

grub-install --target=x86_64-efi --efi-directory=/boot /dev/sda
grub-mkconfig -o /boot/grub/grub.cfg

vim !$

cryptdevice=/dev/sda2:encrypted

exit

genfstab -p /mnt >> /mnt/etc/fstab

reboot

There is an errata blog post for this one !!!

tldr;

$ cat /dev/urandom  | tr -dc '[\x21-\x7E]' | head -c 16

(Not so) Long Story:

In Linux (we trust) we have a device that create randomness, named: /dev/random

The problem with this device is that the pool entropy (is something useful, believe me) can ran out very quickly.
So instead of random we use urandom. This device takes some output and re-entering it into the pool entropy, so that the entropy pool can never be empty.

Enough with all this tech crap … nobody truly cares …

We want to take some randomness from /dev/urandom … but … the output isnt something useful:

$ cat /dev/urandom  | head

so we need to take only the ASCII printable characters from that output.

Looking at the ascii table, we found out that the printable characters starts from:

hexadecimal: 21
to
hexadecimal: 7E

So to get the first n characters we can use the head command.
To get the first 16 characters: head -c 16

To put everything together:

$ cat /dev/urandom  | tr -dc '[\x21-\x7E]' | head -c 16
JY`Fidt:sI>KoElR

$ cat /dev/urandom  | tr -dc '[\x21-\x7E]' | head -c 16
LH[lskwStlgM:

$ cat /dev/urandom  | tr -dc '[\x21-\x7E]' | head -c 16
Eifen5W1F@Vrqsc

I have found a few difficulties with pnp4nagios and SElinux:

So here are my notes:

module httpd_pnp4nagios 1.0;

require {
        type httpd_t;
        type nagios_var_lib_t;
        class dir       { getattr search open read };
        class file      { getattr open read };
}

#============= httpd_t ==============
allow httpd_t nagios_var_lib_t:dir      { getattr search open read };
allow httpd_t nagios_var_lib_t:file     { getattr open read };

With the above policy we give privileges on httpd to directories with the tag nagios_var_lib_t (like /var/lib/pnp4nagios/ ).

Checking the module:

# checkmodule -M -m -o httpd_pnp4nagios.mod httpd_pnp4nagios.te

Creating the module:

# semodule_package -o httpd_pnp4nagios.pp -m httpd_pnp4nagios.mod

And finally install the policy:

# semodule -i httpd_pnp4nagios.pp

I am using GNU Screen as a terminal multiplexer.

I am using screen as long as i remember my self using ssh.
I am not against tmux, I just really dont have an opinion on it.

So this is for all you people that are using screen and you want a quicker way to switch from one terminal to another.

Open your .screenrc and just add the below lines:

bindkey ^[[1;2D prev
bindkey ^[[1;2C next

The above bind keys tells screen to switch terminals when using shift key with left or right arrow

⇧ + ←
⇧ + →

Disclaimer: This blog post has one purpose only: be a proof of concept - not the “perfect” ansible playbook.

When managing a server farm, you will -soon enough- start using Jinja templates. Cause -let’s face it- static files are very easy to copy through servers but with templates, you are making magic!

This ansible example will create a bind-format slave zones configuration file.

You need to have in mind, the typical structure of that configuration file:

zone "balaskas.gr" {
    type slave;
    file "sec/balaskas.gr";
    masters {
        158.255.214.14;
    };
};

Let’s start with the actual data. I like to keep my configuration separated from my playbooks. With this approach is easy to re-use your variables in other playbooks.

So my variable list is looking like this:

zones.yml

---
zones:
  - { zone: 'balaskas.gr', master: '158.255.214.14', extras: '' }
  - { zone: 'example.com', master: '1.2.3.4', extras: '' }

My slavezone yml ansible playbook is very similar to this:

SecondaryDNS.yml

SecondaryDNS.yml

---

- hosts: myslavens
  gather_facts: no
  user: root

  vars_files:
    - [ "files/SecondaryDNS/zones.yml" ]

  tasks:
  - name: Create named.slavezone
    template:
      src="files/SecondaryDNS/slavezones.j2"
      dest="/etc/named.slavezones"
      owner=named
      group=named
      mode=0440

...

(This is not the entire playbook, but I am guessing you get the point)

To recap, we want to create a [new (if not exist)] file, with a very specific output for every line in our configuration.
So here is my Jinja2 template file:

slavezones.j2

{% for item in zones %}
zone "{{item.zone}}" { type slave; file "sec/{{item.zone}}"; masters { {{item.master}}; }; {{item.extra}} };
{% endfor %}

This template will loop for every line (item) of our zones.yml and create the desirable output.

And that’s how you can create ansible magic !

So here is a nice ansible trick to trigger a notify if only the exit status of a command is zero (without any errors)

  - name: Check named
    shell: /sbin/named-checkconf
    register: named_checkconf
    changed_when: "named_checkconf.rc == 0"
    notify: rndc reconfig

the named_checkconf contains the below values:

{
"changed": true,
"cmd": ["/sbin/rndc", "reconfig"],
"delta": "0:00:02.438532",
"end": "2015-04-07 15:02:21.349859",
"item": "",
"rc": 0,
"start": "2015-04-07 15:02:18.911327",
"stderr": "",
"stdout": ""
}

Docker is a wonderful application for creating development images quick and not-so-dirty.

I am working -mostly- on archlinux so here are the steps:

[~]> wget -c ftp://ftp.otenet.gr/pub/linux/archlinux/iso/latest/archlinux-bootstrap-2015.03.01-x86_64.tar.gz
[~]> tar xf archlinux-bootstrap-2015.03.01-x86_64.tar.gz
[~]> cd root.x86_64
[~]> tar cf archlinux-bootstrap-2015.03.01-x86_64.tar .
[~]> docker import - archlinux:bootstrap < archlinux-bootstrap-2015.03.01-x86_64.tar

after that you should update the docker image:

$ docker run -t -i --rm archlinux:bootstrap bash
# echo 'Server = http://ftp.otenet.gr/linux/archlinux/$repo/os/$arch' > /etc/pacman.d/mirrorlist
# pacman-key --init
# pacman-key --populate archlinux
# pacman -Syuvw
# pacman -Suv

to save your changes, open a new terminal and:

[~]> docker commit -p -m "archlinux bootstrap latest" -a USERNAME DOCKER_ID archlinux:bootstrap

replace your username and your docker_id accordingly.

You can now exit from your docker image.

To help you even more, check out this video i’ve made:

archlinux docker bootstrap image from Evaggelos Balaskas on Vimeo.

Although it feels really lonely … not a lot content yet.

All you need is an ISP that gives you an IPv6 address space, pppd and some free time !

You need to find out that your CPE can work like a modem so that PPPoE can pass through.

Point-to-Point Protocol Daemon

/etc/ppp/peers/ipv6

+ipv6 ipv6cp-use-ipaddr
noip
-chap
defaultroute
usepeerdns
mtu 1492
# debugging
debug
dump
# authentication
name “USERNAME@DOMAIN.gr”
hide-password
noauth
# device
plugin rp-pppoe.so
eth0

The noip means no IPv4 ip
+ipv6 means IPv6

” If the ipv6cp-use-ipaddr option is given, the local identifier is the local IPv4 address “

You should replace the USERNAME & DOMAIN according your credentials.

you need to edit /etc/ppp/pap-secrets to add your password for your account:

USERNAME@DOMAIN.gr * PASSWORD

ip6tables

/etc/iptables/ip6tables.rules

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
COMMIT

Be aware that IPv6 will give/configure your network device, through ICMPv6 router advertisements, so you MUST fix your firewall

IPv6 DNS

If your ISP doesnt provide you with IPv6 DNS servers, edit your /etc/resolv.conf to add opendns servers:

2620:0:ccc::2

2620:0:ccd::2

Connect

# pon ipv6

Plugin rp-pppoe.so loaded.
RP-PPPoE plugin version 3.8p compiled against pppd 2.4.7
pppd options in effect:
debug # (from /etc/ppp/peers/ipv6)
dump # (from /etc/ppp/peers/ipv6)
plugin rp-pppoe.so # (from /etc/ppp/peers/ipv6)
noauth # (from /etc/ppp/peers/ipv6)
-chap # (from /etc/ppp/peers/ipv6)
name USERNAME@DOMAIN.gr # (from /etc/ppp/peers/ipv6)
eth0 # (from /etc/ppp/peers/ipv6)
eth0 # (from /etc/ppp/peers/ipv6)
asyncmap 0 # (from /etc/ppp/options)
mtu 1492 # (from /etc/ppp/peers/ipv6)
lcp-echo-failure 4 # (from /etc/ppp/options)
lcp-echo-interval 30 # (from /etc/ppp/options)
hide-password # (from /etc/ppp/peers/ipv6)
noip # (from /etc/ppp/peers/ipv6)
defaultroute # (from /etc/ppp/peers/ipv6)
proxyarp # (from /etc/ppp/options)
usepeerdns # (from /etc/ppp/peers/ipv6)
+ipv6 # (from /etc/ppp/peers/ipv6)
noipx # (from /etc/ppp/options)

Networking

# clear ; ip -6 a && ip -6 r

the result:

1: lo: mtu 65536
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
3: ppp0: mtu 1492 qlen 3
inet6 2a02:580:31a:0:744e:f2f1:bc63:dbdd/64 scope global mngtmpaddr dynamic
valid_lft 3465sec preferred_lft 2865sec
inet6 fe80::744e:f2f1:bc63:dbdd/10 scope link
valid_lft forever preferred_lft forever

2a02:580:31a::/64 dev ppp0 proto kernel metric 256 expires 3464sec
fe80::/10 dev ppp0 metric 1
fe80::/10 dev ppp0 proto kernel metric 256
default via fe80::90:1a00:1a0:80be dev ppp0 proto ra metric 1024 expires 1664sec

Verify

http://ipv6-test.com/ipv6-test

It was time for me to start using the #IPv6.

My VPS hosting provider: edis have already allocated me a

2a01:7a0:10:158:255:214:14:0/112

and some extra info

Gateway:
     2a01:7a0:10::1
Nameserver:
     2a03:f80:ed15:ed15:ed15:ed15:d8b9:da76
     2a03:f80:ed15:ca7:ea75:b12d:7b0:3e5b

I have two network cards (I run my own AUTH-NS server and some greek registrars require two different IPs for that).

I have split up the above /112 to two /113 subnets.

2a01:7a0:10:158:255:214:14::/113
2a01:7a0:10:158:255:214:14:8000/113

My settings are based on CentOS 6.6 as the time of this article.

Part Zero: kernel

First thing first, tell kernel to support ipv6 by editing: /etc/sysctl.conf

comment (if there is) the below line:

# net.ipv6.conf.all.disable_ipv6=1

This mean that next time you reboot your machine, ipv6 will be enabled.
There is another way, if you dont want to reboot your vps, by running as root:

sysctl net.ipv6.conf.all.disable_ipv6=0 

Part One: Network

Edit your ifcfg-eth* files:

/etc/sysconfig/network-scripts/ifcfg-eth0

IPV6INIT=yes
IPV6ADDR=2a01:7a0:10:158:255:214:14::/123
IPV6ADDR_SECONDARIES=”2a01:7a0:10:158:255:214:14:80/123”
IPV6_DEFAULTGW=2a01:7a0:10::1

/etc/sysconfig/network-scripts/ifcfg-eth1

IPV6INIT=yes
IPV6ADDR=2a01:7a0:10:158:255:214:14:8000/113
IPV6_DEFAULTGW=2a01:7a0:10::1

PLZ dont get confused about eth0. I will circle back to this.

Restart your network:

/etc/init.d/network restart 

and verify your network settings:

 ip -6 a
 ip -6 r

Part Two: Firewall

My default policy is DROP everything and open only the ports you are running services.
Same rule applies for IPv6 too.

:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -j REJECT –reject-with icmp6-adm-prohibited
:FORWARD DROP [0:0]
-A FORWARD -j REJECT –reject-with icmp6-adm-prohibited
:OUTPUT ACCEPT [0:0]

At this moment, i only accept PING6 to my VPS server.
Testing this from another machine (with ipv6 support):

 ping6 -c3 2a01:7a0:10:158:255:214:14::

and the result is something like this:

PING 2a01:7a0:10:158:255:214:14::(2a01:7a0:10:158:255:214:14:0) 56 data bytes
64 bytes from 2a01:7a0:10:158:255:214:14:0: icmp_seq=1 ttl=60 time=72.5 ms
64 bytes from 2a01:7a0:10:158:255:214:14:0: icmp_seq=2 ttl=60 time=66.9 ms
64 bytes from 2a01:7a0:10:158:255:214:14:0: icmp_seq=3 ttl=60 time=66.3 ms

— 2a01:7a0:10:158:255:214:14:: ping statistics —
3 packets transmitted, 3 received, 0% packet loss, time 2067ms
rtt min/avg/max/mdev = 66.355/68.618/72.573/2.822 ms

At this point we are very happy with our selfs (ipv6 related)!

Part Three: Web Server

What’s the point of having an ipv6 server and not apply some services on ?
Lets start with the apache web server.

I’ve split up my eth0 to /123 subnets cause i want to use different IPs for every service i have.
Thats way my eth0 is like that.

I chose the 2a01:7a0:10:158:255:214:14:80 as my ipv6 ip for my site.

Our web server needs to listen to ipv6.

This is tricky cause apache on ipv6 is using : as a delimiter.
So my http changes are something like these:

Listen 158.255.214.14:80
Listen [2a01:7a0:10:158:255:214:14:80]:80

to support virtual hosts:

NameVirtualHost 158.255.214.14:80
NameVirtualHost [2a01:7a0:10:158:255:214:14:80]:80

To dual stack my site:

‹ VirtualHost 158.255.214.14:80 [2a01:7a0:10:158:255:214:14:80]:80 ›

restart your apache:

/etc/init.d/httpd restart

Dont forget to manipulate your firewall settings:

-A INPUT -m state –state NEW -m tcp -p tcp -d 2a01:7a0:10:158:255:214:14:80/123 –dport 80 -j ACCEPT

restart your firewall:

/etc/init.d/ip6tables restart

Part Four: DNS

The only thing that is left for us to do, is to add a AAAA resource record in our dns zone:

in my bind-file format zone: balaskas.gr

@ IN AAAA 2a01:7a0:10:158:255:214:14:80

you have to increment the SERIAL number in your zone and then reload your zone.
I use PowerDNS so it’s:

# pdns_control reload balaskas.gr
Ok

Part Five: Validate

To validate your dual stack web site, you use go through:

ipv6-test

UPDATE: 2015 03 23

Part Six: Mail Server

Imap Server

I use dovecot for imap server. To enable IPv6 in dovecot is really easy. You just uncomment or edit Listen parameter:

listen = *, ::

restart dovecot service and check the dovecot conf:

# doveconf | grep ^listen
listen = *, ::

I use STARTTLS, so my firewall settings should be like these:

-A INPUT -m state –state NEW -m tcp -p tcp -d 2a01:7a0:10:158:255:214:14::/112 –dport 143 -j ACCEPT

Just dont forget to restart and verify your ip6table !

SMTP Server

It’s really easy for postfix (my SMTP server) too. You just have to remember that you need to use brackets for [b]IPv6[/url].

## mynetworks = 127.0.0.0/8 158.255.214.14/31
mynetworks = 127.0.0.0/8 158.255.214.14/31 [2a01:7a0:10:158:255:214:14::]/112

## inet_protocols = ipv4
inet_protocols = all

restart your smtp service and you are OK.

Firewall settings: /etc/sysconfig/ip6tables

-A INPUT -m state –state NEW -m tcp -p tcp -d 2a01:7a0:10:158:255:214:14::/112 –dport 25 -j ACCEPT
-A INPUT -m state –state NEW -m tcp -p tcp -d 2a01:7a0:10:158:255:214:14::/112 –dport 587 -j ACCEPT