DHCP6 server

Posted by william in Random

I have been battling with setting up one of these for a long time. It so happens that most of the internet forgets to mention one vital piece of the DHCP6 puzzle: DHCP6 is not standalone. It is an addition to RADVD, so you need to run both for it to work correctly.

Why would you want DHCP6 instead of RADVD? Well, RADVD may be good for simple home use with a few computers and mDNS name resolution. But when you look at a business, a LAN party, or anyone who wants DDNS updates, it is essential.

First, we need to set up RADVD properly. The order of these directives is very important.

interface eth0
{
	AdvManagedFlag on;
	AdvOtherConfigFlag on;
	AdvSendAdvert on;
	MinRtrAdvInterval 5;
	MaxRtrAdvInterval 60;
	# the prefix must be written as a full network address (note the "::")
	prefix 2001:db8:1234:4321::/64
	{
		AdvOnLink on;
		AdvAutonomous on;
		AdvRouterAddr on;
	};
};

Next, we need to configure DHCP6. I am using the ISC DHCP server. DHCP6 needs its own instance; one dhcpd process cannot serve DHCP4 and DHCP6 at the same time. Fedora provides a separate unit for this (dhcpd6.service) that you can use. On other OSes you may not have this and will need to start dhcpd manually with the -6 flag. Here is the config you need.

server-name "server.example.com" ;
server-identifier server.example.com ;

authoritative;
option dhcp6.name-servers 2001:db8:1234:4321::1 ;
ddns-update-style interim ;
ddns-domainname "example.com";

subnet6 2001:db8:1234:4321::/64 {
        range6 2001:db8:1234:4321::10 2001:db8:1234:4321::110 ;
}
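The two configs above must agree: radvd advertises the on-link prefix (with the M and O bits set), and dhcpd6 hands out a range6 inside that same prefix. The following consistency check is an added example, not part of the original post or of radvd/ISC dhcpd; it parses constructed copies of the two fragments with Python's ipaddress module and reports the mistakes that silently break stateful DHCPv6 (a prefix missing its "::", a flag left off, a range outside the subnet).

```python
import ipaddress
import re

# Constructed copies of the radvd.conf and dhcpd6.conf fragments above (not live configs).
RADVD_CONF = """interface eth0
{
	AdvManagedFlag on;
	AdvOtherConfigFlag on;
	AdvSendAdvert on;
	prefix 2001:db8:1234:4321::/64 { AdvOnLink on; AdvAutonomous on; };
};
"""
DHCPD6_CONF = """subnet6 2001:db8:1234:4321::/64 {
        range6 2001:db8:1234:4321::10 2001:db8:1234:4321::110 ;
}
"""

def radvd_prefixes(text):
    # Returns (parsed prefixes, prefix strings that ipaddress rejects).
    good, bad = [], []
    for p in re.findall(r"^\s*prefix\s+(\S+)", text, re.M):
        try:
            good.append(ipaddress.ip_network(p.rstrip(";")))
        except ValueError:
            bad.append(p)
    return good, bad

def dhcpd6_pools(text):
    # Returns [(subnet6 network, [(first, last), ...]), ...].
    pools = []
    for m in re.finditer(r"subnet6\s+(\S+)\s*\{(.*?)\}", text, re.S):
        ranges = [(ipaddress.ip_address(a), ipaddress.ip_address(b.rstrip(";")))
                  for a, b in re.findall(r"range6\s+(\S+)\s+(\S+)", m.group(2))]
        pools.append((ipaddress.ip_network(m.group(1)), ranges))
    return pools

def check(radvd_text, dhcpd6_text):
    """Return a list of problems; an empty list means the two configs agree."""
    prefixes, bad = radvd_prefixes(radvd_text)
    problems = [f"radvd prefix {p!r} is not a valid network (missing '::'?)" for p in bad]
    for flag in ("AdvManagedFlag", "AdvOtherConfigFlag"):  # M and O bits in the RA
        if not re.search(flag + r"\s+on", radvd_text):
            problems.append(f"{flag} is off: clients will not use DHCPv6 for this")
    for net, ranges in dhcpd6_pools(dhcpd6_text):
        if net not in prefixes:
            problems.append(f"subnet6 {net} is not advertised on-link by radvd")
        for first, last in ranges:
            if first not in net or last not in net or first > last:
                problems.append(f"range6 {first}-{last} does not lie inside {net}")
    return problems
```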

Now, since DHCP6 uses UDP / TCP (it is layer 3, and runs across link local), you must consider your firewall. On both client and server you need to accept icmp6 and ports 546 and 547 from the following addresses:

Server:
Source – fe80::/16
Destination – ff02::1:2

Client:
Source – ff02::1:2
Source – fe80::/16
Destination – fe80::/16

A set of example iptables rules on the server side would be:

-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -s fe80::/16 -d ff02::1:2 -i eth0 -p udp -m udp --dport 546 -j ACCEPT
-A INPUT -s fe80::/16 -d ff02::1:2 -i eth0 -p tcp -m tcp --dport 546 -j ACCEPT
-A INPUT -s fe80::/16 -d ff02::1:2 -i eth0 -p udp -m udp --dport 547 -j ACCEPT
-A INPUT -s fe80::/16 -d ff02::1:2 -i eth0 -p tcp -m tcp --dport 547 -j ACCEPT

And similar enough for the client.

Now start radvd, dhcpd6 and your firewalls. Then on your client run the following, and enjoy your DHCP6!

dhclient -d -v -6 interface

From here, adding things like DDNS updates to your DHCP6 server is very similar to DHCP4.

Allocating 2^64 IPs to a host …

Posted by william in FreeBSD, Microsoft, Networking, Random

With Internode's IPv6 deployment finalised, I have now acquired a /56. For me this is great, as it allows me to do some great things with networking.

Part of this is the understanding that a /64 is the current IPv4 internet squared. Now, what happens if you tried to allocate this many IPs to a host? Would it cope? I decided to try this on 5 server operating systems to find out.

I have chosen

These were fresh installs of each OS. Each one was installed consecutively onto an IBM workstation, 3.00GHz, 1GB of RAM. I have not modified any kernel parameters or swap settings (page file, for our Windows user friends). All partitioning schemes were the automatic default. They were even all tested on the same monitor (800×600), and were all the basic server install of packages. Nothing extra was added (or removed) from *any* of these systems.

I then wrote a script to allocate the IPs. For fairness, this script would allocate 1 IP at a time, from the command line. This eliminates "cheating", where you could easily provide IPs as part of the BSD / Linux / Solaris boot process in the rc.conf, networking, or hostname.if files. This lets us accurately time the speed of the tool as it inserts each IP (thus we are on a level playing field; only OS differences matter from here).

Before I go onto the results, I want to make something really clear.

DO NOT TRY THIS ON A SERVER INSTALL YOU CARE ABOUT. Looking at Windows here, since these IP allocations are permanent! On the other OSes they are temporary (and ironically, it takes 10 seconds to generate the boot time files to apply them at boot, so this is not a performance difference). I also want to stress that this is done on my specific setup. The times I am about to post probably won't reflect your systems at all. You will also likely never need to do this, ever. This is an exercise in determining the theoretical times to allocate this many IPs to a machine and, more importantly, the approximate magnitudes of the operation and the general performance of IP address allocation in these OSes.

Please see the attached PDF for charts and results.

For reference, each of these formulae does actually work. We used them to predict the times of the 65535 IP allocations to within 5% accuracy, before we knew the final results.

Did not start the race … we have SOLARIS

Solaris was, in my opinion, a strong contender to do really well in this. It has a great history of quality. However, the IP manager, NWAM, hated the idea of having more than 20 IPs at a time, and would remove all the old ones. I'm not a Solaris admin, but there is surely a way to correct this (and finish this test). If you know how to stop these limits, I'm all ears.

Last place (did not finish) … Debian Linux!

Not what you expected? Debian performed the second best in terms of time per IP allocation, but the system nailed us over 4095 addresses with "out of memory" errors. So we couldn't get much further without kernel tuning / patches / the alignment of the moon with Linus / Emacs being GPL compliant, or black magic.

Third place … Windows Server 2008 R2!

I expected this one to do the worst of them all. Windows Server was the slowest, by orders of magnitude compared to the other OSes, but at least it broke the 4095 barrier, unlike Linux (slow and steady wins the race, right ;) ).

From the plotting of the results and the formula we obtained from it, we can solve that for Windows to allocate 2^64 addresses would take 1.4862088e+27 years to complete. I think the impending heat death of the universe may have transpired by this time. This also assumes you have petabytes of RAM to use … (memory scaling is linear with IP address growth).

Second place … FreeBSD 8.3!

The beastie, one of the symbols of the high performance FreeBSD OS, manages to take a clean second place in this. It was theoretically slower than Debian, but at least it could allocate more than 4095 addresses.

From these results, we can calculate that for FreeBSD to allocate 2^64 addresses would take 2.163451756e+25 years to complete. Which is easily 2 orders of magnitude faster than Windows (but you will still need a lot of organ transplants to watch it come to fruition).

Our winner … OpenBSD 4.9!

OpenBSD has always had a strong tradition of being simple, yet effective. It seems they take the cake in this competition, easily ousting every other OS in terms of performance.

From the results, we can derive that for OpenBSD to allocate 2^64 addresses would take 1.325401008e+25 years, which is close to half of the time it would take FreeBSD to complete, and still short enough that once you are done you could be home to Alpha Centauri for dinner.

Mod_auth_cas

Posted by william in Random

Recently at UofA, it was mentioned in passing: "Wouldn't it be nice to have CAS auth on the webserver instead of LDAP basic auth?"

"Yes, it would", I said. But it got me thinking about the issues involved. While CAS is nice to use, CAS only provides authentication, not authorization. We rely on LDAP attributes for determining access to content.

After a few minutes of reading, I found the solution.

Installation

I tested this on CentOS 5 (as we use RHEL at work), so adjust this for your needs.

If EPEL is not enabled you can enable it by following the instructions here:

EPEL: http://fedoraproject.org/wiki/EPEL

If you wish to install only the one package, you can leave the repository disabled and install with the following command:

yum install --enablerepo=epel mod_auth_cas

Also install the LDAP module. It is part of the base repo in RHEL.

yum install mod_authz_ldap

Configuration

Stop your apache server.

We need the modules to load in a certain order, so we need to rename our configs.

cd /etc/httpd/conf.d/
mv auth_cas.conf 00_auth_cas.conf
mv authz_ldap.conf 10_authz_ldap.conf
mv ssl.conf 20_ssl.conf

In /etc/httpd/conf.d/00_auth_cas.conf:

#
# mod_auth_cas is an Apache 2.0/2.2 compliant module that supports the
# CASv1 and CASv2 protocols
#

LoadModule auth_cas_module modules/mod_auth_cas.so
<IfModule mod_auth_cas.c>
    CASVersion 2
    CASDebug On

    # Validate the authenticity of the CAS server's SSL certificate by
    # checking its chain of authority from the root CA.
    CASCertificatePath /etc/pki/tls/certs/
    # Off skips that validation entirely (handy while testing); set it On
    # before production, otherwise ticket validation will trust whatever
    # answers at CASValidateURL.
    CASValidateServer Off
    CASValidateDepth 9

    CASCookiePath /var/lib/cas/

    CASLoginURL https://auth.example.com/cas/login
    CASValidateURL https://auth.example.com/cas/serviceValidate
    CASTimeout 7200
    CASIdleTimeout 7200
</IfModule>

You need to create the CAS tickets directory, else the module will barf.

cd /var/lib
sudo mkdir cas
sudo chown apache:apache cas
sudo chmod 750 cas
# label the directory and anything httpd later creates inside it
sudo semanage fcontext -a -s system_u -t httpd_var_lib_t '/var/lib/cas(/.*)?'
sudo restorecon -R -v cas

This applies the needed SELinux policy to allow httpd to write to that directory. If you have set SELinux to permissive or disabled, these steps are still worth taking in case you enable SELinux again in the future.

Configuration with LDAP authorization

Now we can add the LDAP attributes we need. Check that 10_authz_ldap.conf matches the following:

#
# mod_authz_ldap can be used to implement access control and
# authenticate users against an LDAP database.
# 

LoadModule authz_ldap_module modules/mod_authz_ldap.so

<IfModule mod_authz_ldap.c>

## Some commented code

</IfModule>

Now, in your SSL Directory directive add:

<Directory "/var/www/ms1">
    Order allow,deny
    Allow from all
    AuthType CAS
    AuthName "TEST CAS AUTH"
    AuthLDAPURL ldaps://ldap.example.com:636/ou=People,dc=example,dc=com?uid?one?
    require ldap-filter &(uid=username)
</Directory>

You can start apache again after reading the filter section.

Filter

This LDAP filter can be anything you desire. It can be a list of UIDs, sets of attributes, etc.

Examples:

# Will check for this attribute
&(department=marketing)
# Checks that one has both this class and this department
&(class=compsci1001)(department=marketing)
# Your uid is either foo or bar
|(uid=foo)(uid=bar)
# These can be nested as well. This would allow anyone with attr AND otherattr, OR the uid foo, into the site.
|(&(attr=true)(otherattr=true))(uid=foo)

You can read more about filters here

Alternately, one can change the configuration to be like so:

    AuthLDAPURL ldaps://ldap.example.com:636/ou=People,dc=example,dc=com?uid?one?(&(attr=foo)(attr=bar))
    Require valid-user

Note the filters are the same, but require the whole filter to be enclosed in a set of ().
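To see exactly which users each of the filters above admits, here is an added example (my own code, not part of the original post or of Apache's mod_authnz_ldap): a small RFC 4515 filter evaluator in Python that follows the convention shown above of wrapping the bare &/| expression in one pair of parentheses, then decides the authorization for a CAS-authenticated uid against constructed directory entries. The entries and uids are made up for the example.

```python
# Constructed directory entries standing in for ou=People (not real data).
PEOPLE = {
    "alice": {"uid": ["alice"], "department": ["marketing"], "class": ["compsci1001"]},
    "bob": {"uid": ["bob"], "department": ["finance"]},
}

def parse(s, i=0):
    """Parse one RFC 4515 filter starting at s[i]; return (node, index after it)."""
    assert s[i] == "(", f"expected '(' at offset {i}"
    i += 1
    if s[i] in "&|":                      # AND / OR over a list of sub-filters
        op, kids = s[i], []
        i += 1
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        node = (op, kids)
    elif s[i] == "!":                     # NOT over exactly one sub-filter
        kid, i = parse(s, i + 1)
        node = ("!", [kid])
    else:                                 # attr=value (value "*" means "attribute present")
        j = s.index(")", i)
        attr, _, value = s[i:j].partition("=")
        node = ("=", attr.strip(), value.strip())
        i = j
    assert s[i] == ")", f"expected ')' at offset {i}"
    return node, i + 1

def evaluate(node, entry):
    """Evaluate a parsed filter against one entry (dict of attr -> list of values)."""
    op = node[0]
    if op == "=":
        values = entry.get(node[1], [])
        return bool(values) if node[2] == "*" else node[2] in values
    if op == "&":
        return all(evaluate(k, entry) for k in node[1])
    if op == "|":
        return any(evaluate(k, entry) for k in node[1])
    return not evaluate(node[1][0], entry)

def require_ldap_filter(filter_text, uid):
    """Decide 'Require ldap-filter <filter_text>' for a CAS-authenticated uid;
    the bare &/| expression is wrapped in one pair of parentheses first."""
    entry = PEOPLE.get(uid)
    if entry is None:          # authenticated by CAS but unknown to LDAP: deny
        return False
    tree, end = parse("(" + filter_text + ")")
    assert end == len(filter_text) + 2, "trailing text after filter"
    return evaluate(tree, entry)
```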

SELinux for postfix + dovecot

Posted by william in Random

I am currently in the middle of creating an email solution for the doctor's surgery that I work for. I have previously tried Exchange, but found it too slow and unreliable for my needs. Instead, I have decided to go with postfix + dovecot for the doctor's needs.

In my experimenting, I have been using a Fedora VM with SELinux enabled. However, SELinux has decided to hate on everything I do for this, and thus, in my inability to accept defeat, I have created an SELinux module that should allow postfix and dovecot to work when following this email setup guide.

The module is:

module postfixmysql 1.0;

require {
	type mysqld_var_run_t;
	type postfix_map_t;
	type usr_t;
	type mysqld_t;
	type mysqld_db_t;
	type postfix_virtual_t;
	type postfix_smtpd_t;
	type postfix_cleanup_t;
	class sock_file write;
	class unix_stream_socket connectto;
	class file getattr;
	class dir search;
}

#============= postfix_cleanup_t ==============
allow postfix_cleanup_t mysqld_db_t:dir search;
allow postfix_cleanup_t mysqld_t:unix_stream_socket connectto;
allow postfix_cleanup_t mysqld_var_run_t:sock_file write;
allow postfix_cleanup_t usr_t:file getattr;

#============= postfix_map_t ==============
allow postfix_map_t mysqld_db_t:dir search;
allow postfix_map_t mysqld_t:unix_stream_socket connectto;
allow postfix_map_t mysqld_var_run_t:sock_file write;

#============= postfix_smtpd_t ==============
allow postfix_smtpd_t mysqld_db_t:dir search;
allow postfix_smtpd_t mysqld_t:unix_stream_socket connectto;
allow postfix_smtpd_t mysqld_var_run_t:sock_file write;

#============= postfix_virtual_t ==============
allow postfix_virtual_t mysqld_db_t:dir search;
allow postfix_virtual_t mysqld_t:unix_stream_socket connectto;
allow postfix_virtual_t mysqld_var_run_t:sock_file write;

This can be built and installed with commands like these (as root):

checkmodule -M -m -o postfixmysql.mod postfixmysql.te
semodule_package -m postfixmysql.mod -o postfixmysql.pp
semodule -i postfixmysql.pp
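Rules like the ones in the module above are normally derived from AVC denials in audit.log, and the important step is reviewing what gets generated before installing it. The following is an added example (my own code, not the author's module and not audit2allow itself): a small audit2allow-style pass in Python over constructed AVC denial lines that collapses them into allow rules in the form used above, and separates the ones consistent with the intended feature (Postfix reaching MySQL) from anything else, here a made-up denial on shadow_t, which would also be emitted by a blind audit2allow run and should be investigated rather than allowed.

```python
import re
from collections import defaultdict

# Constructed AVC denials in the shape audit.log records them (not a real capture).
AVC_LOG = """\
type=AVC msg=audit(1.1:10): avc:  denied  { search } for  pid=1 comm="cleanup" name="mysql" scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir
type=AVC msg=audit(1.2:11): avc:  denied  { write } for  pid=1 comm="cleanup" name="mysql.sock" scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:object_r:mysqld_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1.3:12): avc:  denied  { connectto } for  pid=1 comm="cleanup" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1.4:13): avc:  denied  { connectto } for  pid=2 comm="smtpd" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1.5:14): avc:  denied  { read write } for  pid=3 comm="smtpd" path="/etc/shadow" scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

# Target types the module above legitimately grants Postfix access to.
EXPECTED_TARGETS = {"mysqld_t", "mysqld_db_t", "mysqld_var_run_t", "usr_t"}

AVC_RE = re.compile(r"denied\s+\{ (?P<perms>[^}]+)\}.*?scontext=\w+:\w+:(?P<src>\w+):"
                    r".*?tcontext=\w+:\w+:(?P<tgt>\w+):.*?tclass=(?P<cls>\w+)")

def denials_to_rules(log):
    """Collapse denials into {(source, target, class): {permissions}}, as audit2allow does."""
    rules = defaultdict(set)
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m:
            rules[(m["src"], m["tgt"], m["cls"])].update(m["perms"].split())
    return dict(rules)

def review(rules, expected=EXPECTED_TARGETS):
    """Split rules into those consistent with the feature (Postfix reaching MySQL)
    and those touching anything else, which need a human look before being allowed."""
    ok = {k: v for k, v in rules.items() if k[1] in expected}
    suspicious = {k: v for k, v in rules.items() if k[1] not in expected}
    return ok, suspicious

def render_te(rules):
    """Render rules as .te allow statements, one per (source, target, class)."""
    lines = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        perm = " ".join(sorted(perms))
        body = perm if len(perms) == 1 else "{ " + perm + " }"
        lines.append(f"allow {src} {tgt}:{cls} {body};")
    return "\n".join(lines)
```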

Convert FLAC to ALAC

Posted by william in Macbook, Random

I have always wanted to enjoy my FLAC audio in iTunes and on my iPhone while out and about. Sadly, they only support ALAC.

Now, on rare occasions I have converted one file here and there to ALAC to indulge my taste for that song. However, I have recently just given up and wanted to import all my FLAC content.

Now, to me, it makes no difference if it's in FLAC or ALAC. They are both lossless codecs; they will sound exactly the same.

To convert your content, first you need to install MacPorts.

You then need to install the ffmpeg tools. Use the command below to do so. It will take some time to compile, but it will get there.

sudo port install ffmpeg

Now cd /path/to/music/

If you followed the defaults, the following command will work. If your ports install is not in /opt/local, you will need to edit this command.

find ./ -regex '.*\.flac' -exec /opt/local/bin/ffmpeg -i "{}" -acodec alac "{}.m4a" \;

Like magic, you will have ALAC copies of your FLAC files (and it leaves your FLAC files intact, if you are worried!).