Dropped packets on an Intel 82599EB 10-Gigabit card

The network card was added to a Debian 6 host, the ixgbe module loaded correctly and the traffic to the card was around 1 Gbit/s.

Result:
0 packets captured
0 packets received by filter
0 packets dropped by kernel
197795 packets dropped by interface

Tcpdump could watch the data for a few minutes after the card came up, but then it always ended up in the same state. The driver version was 2.0.44-k2. Increasing the RX buffer to 4096 with
ethtool -G eth2 rx 4096
did not help either.

The problem was only solved by the new driver 5.5.1 downloaded from Intel.

  1. download
  2. unpack
  3. cd into src
  4. make install
  5. cp -a /lib/modules/2.6.32-5-amd64/updates/drivers/net/ethernet/intel/ixgbe/ixgbe.ko /lib/modules/2.6.32-5-amd64/kernel/drivers/net/ixgbe/ixgbe.ko
  6. rmmod ixgbe; modprobe ixgbe

Voilà, the card runs stably.


DELL hints

Dell R220 – migrating a RAID 1 array to larger disks

Goal: replace the existing disk array with new, larger disks and copy the data over.

  1. Both original disks have to be removed from the server. They are not needed yet.
  2. Insert the new, larger disks into the server and create a new RAID 1 array (CTRL+R during boot).
  3. Now the fun part: after initialisation, power the server off and remove one disk. That turns it into a sort of "degraded" RAID 1 missing one disk 🙂 This is purely so that one SATA power connector becomes free.
  4. Connect one of the old disks to a SATA port directly on the motherboard, not to the PERC controller.
  5. Boot Clonezilla and do a 1:1 disk-to-disk copy including the MBR boot loader.
  6. Remove the old disk.
  7. Put back the new disk that was removed from the RAID.
  8. In the Foreign view tab, remove the foreign configuration so that the returned disk becomes available and is marked as ready.
  9. Then make it a global hot spare (HS), via the F2 key in the disk overview.
  10. The array then starts rebuilding on its own. This way the cloned disk is also copied onto the second new disk, the one returned in step 7.
  11. After a successful rebuild it is possible to boot from the new disks and resize the individual partitions to match the new disk capacity.

That completes the resizing process.

Notes for myself:

Debian password reset – append init=/bin/bash to the end of the kernel line
mount -n -o remount,rw /
passwd
fdisk /dev/sdx – edit the partitions
xfs_growfs /dev/sdx to grow the filesystem to 100%

MySQL

The MySQL error: Out of resources when opening file… (Errcode: 24)

In /etc/my.cnf the open_files_limit value is either set wrongly or missing entirely, in which case the MySQL default is applied.

[mysqld]
open_files_limit = 5000

PPTP client – LCP requests without a response

If I get:

sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xd6c94047> <pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xd6c94047> <pcomp> <accomp>]
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xd6c94047> <pcomp> <accomp>]

and MASQUERADE is enabled on the server (the PPTP client), the following modules need to be loaded:

modprobe ip_nat_pptp
modprobe ip_conntrack_pptp

autostart:
echo 'ip_nat_pptp' >> /etc/modules
echo 'ip_conntrack_pptp' >> /etc/modules

Filesystem hints

How to determine use of inodes

df -i

There are situations when the disk is "full", so I can't create any file or folder, but there is free space. The reason is that there are no inodes available.
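As an added example (mine, not part of the original notes), the check below turns the df -i output described above into a simple alert: it reads df -iP style output on stdin and prints every filesystem whose inode usage is at or above a threshold. The df sample is constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example, not part of the original notes: flag filesystems whose
# inode usage is at or above a threshold, using `df -iP` style output.

# Constructed sample of `df -iP` output (not taken from a real host).
SAMPLE_DF_I='Filesystem      Inodes   IUsed   IFree IUse% Mounted on
/dev/sda1      1310720 1310720       0  100% /
/dev/sdb1      6553600  120000 6433600    2% /data
tmpfs           250000      10  249990    1% /run'

# inode_alerts THRESHOLD
#   Reads `df -iP` output on stdin and prints "<mountpoint> <IUse%>" for each
#   filesystem at or above THRESHOLD percent. -P keeps every entry on one
#   line, so field 5 is always IUse% and field 6 the mount point (mount
#   points containing spaces are not handled).
inode_alerts() {
    awk -v thr="$1" 'NR > 1 {
        pct = $5; sub(/%/, "", pct)
        if (pct + 0 >= thr + 0) print $6, $5
    }'
}

# Usage on a live system:  df -iP | inode_alerts 90
# A filesystem at 100% IUse cannot create new files even with free blocks.
# To find the directory holding the most files (GNU find):
#   find / -xdev -printf '%h\n' | sort | uniq -c | sort -rn | head
```

The function only reports; a cron job can pipe df -iP through it and mail the output, which catches the "disk full but space free" situation before users do.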

dstat utility

A very nice utility for viewing disk load, CPU load, network load and other useful things.

Postfix hints

I need to have a reverse DNS entry for working email services!

For better compatibility with MS Outlook and working SSL on port 465:

Edit master.cf and set "-o smtpd_tls_wrappermode=yes" on the smtps (port 465) service entry.

Determine number of emails waiting in the queue

find /var/spool/postfix/deferred -type f | wc -l

Delete outgoing emails from the queue

mailq | awk '$7 ~ /@upcmail.nl$/ { print $1 }' | tr -d '*!' | postsuper -d -

Delete by recipient

mailq | tail -n +2 | grep -v '^ *(' | awk  'BEGIN { RS = ""} $8 ~ /@aol.com$/ { print $1 }' | tr -d '*!' | postsuper -d -
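The two pipelines above (delete by sender, delete by recipient) both parse the text layout of mailq. As an added example (mine, not from the original notes), the script below wraps that parsing in two functions that only print the queue IDs, so the selection can be reviewed before anything is fed to postsuper -d -. The mailq sample is constructed; the recipient variant checks every recipient of a message, not only the first one as the one-liner above does.

```shell
#!/bin/sh
# Added example, not from the original notes: select Postfix queue IDs by
# sender or recipient from mailq-format text, without touching the queue.

# Constructed sample of `mailq` output (not a real queue listing).
SAMPLE_MAILQ='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5*    1234 Mon Jan  1 10:00:00  sender@example.com
                                         alice@aol.com

F6G7H8I9J0!    4321 Mon Jan  1 10:05:00  other@example.org
(connect to mx.example.net[192.0.2.1]:25: Connection timed out)
                                         bob@example.net
                                         carol@aol.com

0K1L2M3N4O     2048 Mon Jan  1 10:07:00  third@example.org
                                         dave@example.net

-- 7 Kbytes in 3 Requests.'

# Drop the header line and the "(reason ...)" lines so that, in awk
# paragraph mode (RS=""), one blank-line separated record is one message:
# $1 queue ID, $2 size, $3-$6 arrival time, $7 sender, $8.. recipients.
_mailq_records() {
    tail -n +2 | grep -v '^ *('
}

# queue_ids_by_sender PATTERN  (awk regex matched against the sender)
queue_ids_by_sender() {
    _mailq_records | awk -v pat="$1" '
        BEGIN { RS = "" }
        /^--/ { next }                 # trailing "-- N Kbytes in M Requests."
        $7 ~ pat { print $1 }' | tr -d '*!'   # "*" = active, "!" = on hold
}

# queue_ids_by_recipient PATTERN  (matched against every recipient)
queue_ids_by_recipient() {
    _mailq_records | awk -v pat="$1" '
        BEGIN { RS = "" }
        /^--/ { next }
        {
            for (i = 8; i <= NF; i++)
                if ($i ~ pat) { print $1; break }
        }' | tr -d '*!'
}

# Usage: review first, then delete (postsuper needs root):
#   mailq | queue_ids_by_recipient '@aol[.]com$'
#   mailq | queue_ids_by_recipient '@aol[.]com$' | postsuper -d -
```

Patterns are passed with awk -v, so write a literal dot as [.] rather than \. to avoid awk's escape processing of the -v value.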

Disable SSLv2

smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_protocols = SSLv3, TLSv1, !SSLv2
smtpd_tls_cipherlist = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-eNULL

Then do postfix reload.

/etc/init.d/postfix reload

Check if it is really disabled

openssl s_client -connect xxxxxxxxxxxxx.com:25 -starttls smtp -ssl2

I should get:

CONNECTED(00000003)
write:errno=104

DKIM configuration

Debian 6 – squeeze

It’s necessary to have package dkim-filter.

Key creation

mkdir /etc/mail
cd /etc/mail
dkim-genkey -d mydomain.com

Edit or create /etc/dkim-filter.conf

Domain                  mydomain.com (if I need more domains, separate them with commas and use KeyList instead of KeyFile)
KeyFile                 /etc/mail/default.private
Selector                default

KeyList example

*@abc.com:abc.com:/etc/mail/abccom/mail
*@xy.com:xy.com:/etc/mail/xycom/default

Edit /etc/default/dkim-filter

SOCKET="inet:8891@localhost"

Edit /etc/postfix/main.cf

# DKIM signature of SMTP server
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

It’s almost finished. Now add TXT DNS record:

myselector._domainkey 1800 IN TXT "v=DKIM1; p=mykey"

Debian 7 – Wheezy

Download and install opendkim with tools.

apt-get install opendkim opendkim-tools

Add configuration to /etc/opendkim.conf.

AutoRestart             Yes
AutoRestartRate         10/1h
Syslog                  yes
SyslogSuccess           Yes
LogWhy                  Yes
Canonicalization        relaxed/simple
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyTable                refile:/etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable
Mode                    sv
PidFile                 /var/run/opendkim/opendkim.pid
SignatureAlgorithm      rsa-sha256
UserID                  opendkim:opendkim
Socket                  local:/var/spool/postfix/opendkim/opendkim.sock

Edit /etc/postfix/main.cf.

milter_protocol = 2
milter_default_action = accept

# If a spamassassin milter is already configured (e.g. from the amavis setup), just append opendkim at the end of the line.

smtpd_milters = unix:/spamass/spamass.sock, unix:/opendkim/opendkim.sock
non_smtpd_milters = unix:/spamass/spamass.sock, unix:/opendkim/opendkim.sock

# If opendkim is the only milter, add these lines.

smtpd_milters = unix:/opendkim/opendkim.sock
non_smtpd_milters = unix:/opendkim/opendkim.sock

Now it’s time to make dir for opendkim socket.

mkdir -p /var/spool/postfix/opendkim
chown opendkim:opendkim /var/spool/postfix/opendkim/
usermod -a -G opendkim postfix

Generating keys.

mkdir /etc/opendkim
mkdir /etc/opendkim/keys
cd /etc/opendkim/keys
mkdir example.com
cd example.com
opendkim-genkey -s mail -d example.com
chown opendkim:opendkim mail.private

Parameter -s is the selector, -d the domain. In mail.txt you will find the TXT entry for the DNS record.

Specify trusted hosts /etc/opendkim/TrustedHosts.

127.0.0.1
localhost
192.168.0.1/24
*.example.com

Create a key table /etc/opendkim/KeyTable.

mail._domainkey.example.com example.com:mail:/etc/opendkim/keys/example.com/mail.private

Create a signing table /etc/opendkim/SigningTable.

*@example.com mail._domainkey.example.com

And the last step is

service opendkim restart
service postfix restart
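The mail.txt written by opendkim-genkey in the key-generation step above is in zone-file syntax, and newer versions split a long public key into several quoted strings, which is not what a DNS provider's web form expects pasted in. As an added example (mine, not from the original notes), the script below joins the quoted chunks into a single TXT value and sanity-checks it before it is published. The mail.txt sample is constructed and its key material is fake.

```shell
#!/bin/sh
# Added example, not part of the original notes: turn the mail.txt written by
# opendkim-genkey into one DNS TXT value and sanity-check it before publishing.

# Constructed sample in the multi-string layout opendkim-genkey uses when the
# key does not fit one 255-byte string; the key material here is fake.
SAMPLE_MAIL_TXT='mail._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; "
   "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAexampleKEYpart1"
   "examplekeypart2ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdef" )  ; ----- DKIM key mail for example.com'

# dkim_record_name
#   Prints the owner name (first field) from mail.txt on stdin. It is relative
#   to the zone: in the example.com zone it becomes mail._domainkey.example.com.
dkim_record_name() {
    awk 'NR == 1 { print $1; exit }'
}

# dkim_txt_value
#   Joins every double-quoted chunk from mail.txt on stdin into the single
#   record value; also works for the older single-string layout.
dkim_txt_value() {
    tr -d '\n' | awk -F'"' '{ for (i = 2; i <= NF; i += 2) printf "%s", $i; print "" }'
}

# dkim_record_check VALUE
#   Returns 0 if VALUE carries v=DKIM1 and a non-empty p= tag (an empty p=
#   publishes a revoked key), 1 otherwise.
dkim_record_check() {
    case "$1" in
        *v=DKIM1*) ;;
        *) echo 'missing v=DKIM1 tag' >&2; return 1 ;;
    esac
    case "$1" in
        *p=[A-Za-z0-9+/]*) ;;
        *) echo 'missing or empty p= tag' >&2; return 1 ;;
    esac
    return 0
}

# Usage with the file generated above:
#   value=$(dkim_txt_value < /etc/opendkim/keys/example.com/mail.txt)
#   dkim_record_check "$value" && printf '%s\n' "$value"
```

After the record has propagated, opendkim-testkey -d example.com -s mail -vvv (from opendkim-tools) confirms that the published key matches the private key in KeyTable.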

Debian 8 – Jessie

Create the domain key.

mkdir -p /etc/dkim/amavisd-new
amavisd-new genrsa /etc/dkim/example.key.pem

Configure amavisd to use the new key /etc/amavis/conf.d/50-user.

$enable_dkim_verification = 1;
$enable_dkim_signing = 1;

dkim_key('example.com', 'foo', '/etc/dkim/example.key.pem');

@dkim_signature_options_bysender_maps = (
{ '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );

@mynetworks = qw(0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16);  # list your internal networks

To view the public key.

amavisd-new showkeys

Testing the key.

amavisd-new testkeys

If everything is ok, restart amavis.

service amavis restart


OpenVPN server installation

Server side

First, I must install the necessary packages.

apt-get install openvpn easy-rsa

Now it’s time to enable TLS.

cd /etc/openvpn
mkdir easy-rsa
cp -R /usr/share/easy-rsa/* easy-rsa/

Then I must edit /etc/openvpn/easy-rsa/vars according to my organization (see the end of the file).

vim /etc/openvpn/easy-rsa/vars
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="mail@domain"
export KEY_EMAIL=mail@domain

Generate CA keys ca.crt and ca.key.

cd easy-rsa/
mkdir keys
touch keys/index.txt
echo 01 > keys/serial
. ./vars # set environment variables
./clean-all
./build-ca

Generate a server key server.crt and server.key.

./build-key-server server

Generate the Diffie-Hellman parameters for the SSL/TLS connection.

./build-dh

Generate a key for each client.

./build-key clientname

Generate a key with a password (optional).

./build-key-pass clientname

Generated keys are in /etc/openvpn/easy-rsa/keys/.

Copy the ca.crt, clientname.crt, clientname.key from the server to the client.

Now create /etc/openvpn/server.conf:

port 1194
proto udp
dev tun

ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem

server 10.9.8.0 255.255.255.0 # internal tun0 interface
topology subnet
ifconfig-pool-persist ipp.txt

keepalive 10 120

comp-lzo # compression - must be set on both sides
persist-key
persist-tun

status log/openvpn-status.log

verb 3 # verbose mode
client-to-client

Create log file.

cd /etc/openvpn
mkdir -p log/
touch log/openvpn-status.log

Define a directory where the client scripts should be stored, e.g. /etc/openvpn/staticclients, and create the directory.

mkdir /etc/openvpn/staticclients

Add this directory as option to your openvpn configfile at the server.

client-config-dir /etc/openvpn/staticclients

For each client you have to create a file. The file name must match the "common name" attribute specified in the client's X509 certificate. This command gets the CN from the computer's certificate:

openssl x509 -in /etc/openvpn/yourClientCertificate.cer -noout -subject | sed -e 's/.*CN=\(.*\)\/.*/\1/'

Example of static client:

ifconfig-push 10.10.10.2 255.255.255.0
# push "route 10.1.135.0 255.255.255.0 10.1.134.62"
# push "dhcp-option WINS addr"
# push "dhcp-option DNS addr"
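The sed in the CN command above expects the old slash-separated subject format and a "/" after the CN, so it returns the whole line on newer OpenSSL builds that print "CN = name, ...". As an added example (mine, not from the original notes), the script below extracts the CN from either subject format and builds the client-config-dir path from it, refusing CNs that are not a single path component, since OpenVPN looks up a file named exactly like the CN. The subject lines and the client.crt path in the usage comment are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original notes: derive the client-config-dir
# file name from the certificate subject and refuse unsafe names.

# client_cn_from_subject SUBJECT_LINE
#   Prints the CN from an `openssl x509 -noout -subject` line. Handles both
#   the old slash-separated form ("subject= /C=US/.../CN=name/emailAddress=...")
#   and the comma-separated form newer OpenSSL prints
#   ("subject=C = US, ..., CN = name, emailAddress = ...").
client_cn_from_subject() {
    printf '%s\n' "$1" | sed -n \
        -e 's#^.*/CN=\([^/]*\).*$#\1#p' -e 't' \
        -e 's#^.*[ ,=]CN *= *\([^,/]*\).*$#\1#p'
}

# ccd_path CCD_DIR CN
#   Prints the per-client file path under CCD_DIR. The CN must be a single
#   path component: reject empty names, "." / ".." and anything with "/".
ccd_path() {
    case "$2" in
        ''|.|..|*/*) printf 'ccd_path: refusing CN "%s"\n' "$2" >&2; return 1 ;;
    esac
    printf '%s/%s\n' "${1%/}" "$2"
}

# Usage on the server (client.crt is a placeholder path):
#   cn=$(client_cn_from_subject "$(openssl x509 -in client.crt -noout -subject)")
#   ccd_path /etc/openvpn/staticclients "$cn"
```

Creating the file at the printed path with the ifconfig-push line from the static client example above gives that client its fixed address.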

If the OpenVPN configuration file is server.conf, I can start it with:

systemctl start openvpn@server.service

Start your VPN at boot.

systemctl enable openvpn@server.service

This actually creates a symlink in /etc/systemd/system/multi-user.target.wants/openvpn@server.service pointing to /lib/systemd/system/openvpn@.service.

Enable forwarding

sysctl -w net.ipv4.ip_forward=1

You have to enable masquerading and set up the firewall to route the clients' traffic out through the server's default gateway (the FORWARD rules belong in the filter table, the POSTROUTING rule in the nat table, i.e. iptables -t nat).

-A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE

Client side

Parameters of client.conf:

client
dev tun
port 1194
proto udp
topology subnet

remote MyVPNserverIP 1194
nobind

ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/clientname.crt
key /etc/openvpn/easy-rsa/keys/clientname.key

comp-lzo
persist-key
persist-tun

verb 3

If you want to start the client-side VPN automatically, you have to enable (uncomment) AUTOSTART="all" in /etc/default/openvpn !! You also have to run "systemctl daemon-reload" once.

Firewall – iptables

Add rules

iptables -A INPUT -p tcp -s 172.31.255.0/24 --dport 1723 -j ACCEPT
iptables -A INPUT -p 47 -s 172.31.255.0/24 -j ACCEPT

Default policy change

iptables -P INPUT ACCEPT