Skip to content

OpenVPN with IPv6 in multi-client server mode

The main showstopper for IPv6 in my private network environment was the non-availability of IPv6 payload support on OpenVPN's multi-client server mode. I am using the OpenVPN multi-client server mode exensively with a number of clients, and adding IPv6 to my OpenVPN network would have meant re-building most of it without multi-client server mode. This would mean having a rather dirty construction with one process per client or even **gasp** bridging. I did not have the heart to actually do this and stayed with IPv4.

Thankfully, these times are over: Gert Döring, Thomas Glanzmann, Bernhard Schmidt and Jan Dirnberger spent the better part of the christmas holidays implementing IPv6 payload support in OpenVPN multi-client server mode. They have published a patch against OpenVPN 2.1 and a number of binary packages implementing this feature that I've been waiting for.

Unfortunately, the IPv6-over-OpenVPN-multi-client-mode patch clashes with the well-known OpenVPN-over-IPv6 patch, so I had to disable it in my locally patched version of Debian's OpenVPN package. Bernhard's binary packages contain both patches.

Enabling IPv6 multi-client server mode is really a breeze. Add server-ipv6 and route-ipv6 statements to your server configuration, and you're done. Client-config-dir works for IPv6 as well, so I can assign static IPv6 addresses to the clients and tell them to point their IPv6 default route into the tunnel from the server by virtue of a ifconfig-ipv6-push and a push route-ipv6 statement inside the client-config-dir file.

That's it. Clients with unpatched client software can still connect (and will only get IPv4, just as before), and clients with patched client software will transparently get IPv6 additionally to the IPv4 tunnel. Now, I only have to pay attention again what services are running on my laptop - it's publicly visible on the intarwebs again.

Guys, your work rocks. I really really appreciate that. Good Job. I owe you more than a beer. Now we only need to convince OpenVPN upstream to accept your patch.

How much added complexity in packages to cater for apt's shortcomings?

It is well known that apt has an issue when it comes to resolving circular dependencies. Therefore, Debian bug reporters have set out to eradicate circular dependencies from the archive. This does, however, add significant bloat to the actual packages, and I am questioning why this is really necessary.

Continue reading "How much added complexity in packages to cater for apt's shortcomings?"

Block devices in KVM guests

In the last few days, I found the time to spend some with KVM and libvirt. Unfortunately, there is a subject that I haven't yet found a satisfying solution: Naming of block devices in guest instances.

This is surely a common issue, but solutions are rare. Neither an article on Usenet (in German) nor the German version of this blog article has found solutions for the main question. I should have written this in English in the first place and am thus translating from German to english, hoping that there will be some answers and suggestions.

KVM is quite inflexible when it coms to configure block devices. It is possible to define on the host, which files or whole devices from the host should be visible in the guest. The documentation suggests that devices should be brought into the guest with the virtio model, which needs suppport in the guest kernel. Importing a device as emulated ATA or SCSI device brings a performance penalty.

The devices brought into the guest via virtio appear in the guest's dev as /dev/vd<x> and do also have their corresponding entries in /dev/disk/by-uuid and /dev/disk/by-path. The vd<x> node is simply numbered in consecutive order as hd<x> and sd<x>. /dev/disk/by-uuid is the correct UUID of the file system found on the device, at least if it's a block device partitioned inside the guest and formatted with ext3 (I didn't try anything else yet). The terminology of the /dev/disk/by-path node is not yet understood, and I am somewhat reluctant to assume the PCI paths of emulated hardware as stable.

Continue reading "Block devices in KVM guests"

grml als eigenes Rescuesystem

Diesen Artikel habe ich schon im Mai 2009 geblogged. Allerdings hat sich grml seitdem so dramatisch weiterentwickelt, dass ich ihn aktualisiert und mit neuem Datum versehen habe.

Update: Das hier beschriebene Verfahren funktioniert seit grml 2011.12 nicht mehr. Der Way to Go is nun grml-rescueboot.

In Mietserver-Recovery mit veraltetem Rescuesystem habe ich beschrieben, wie man grml aus dem komprimierten Image von einer Festplatte booten kann, was zum Beispiel für Rescue-Zwecke an einem Server ohne direkt zugängliche Konsole sehr praktisch sein kann. Zu dieser Zeit (der Artikel stammt aus dem März 2007) war das noch eine größere Operation mit "CD-Image loopback mounten, die einzelnen Dateien rauskopieren und an die richtige Stelle im Dateisystem werfen", mit neueren grml-Versionen ist es aber noch viel einfacher geworden.

Continue reading "grml als eigenes Rescuesystem"

How to have socat open a listening socket in the file system?

Dear Lazyweb, can anybody with some advanced socat-foo tell me the command line needed to have socat create a socket in the local file system and to listen on it, so that I can have Virtualbox connect a virtual serial console to it?

The material available on socat on the web is sparse, and virtualbox-related docs usually contain "tick the create pipe option", which is not helpful here since I would like to see the first output the virtual machine prints to its serial port. It would be vastly more useful to have the socket already created with socat listening so that I can immediately see what is being printed to the socket.

Unified Kernel for etch, lenny and sid

Traditionally, the Linux kernel is software that I compile myself from pristine upstream sources for various reasons. I have three major kernel flavours that get built (server, desktop and notebook), and I am pretty current in running a bleeding edge kernel. This is not really necessary any more nowadays, but it's a tradition that works pretty well.

My kernels get built on sid and are packaged up with kernel-package, and equivs builds a dependency helper package which pulls in the kernel's dependencies such as initramfs-tools and takes care of cross-version updates like going from 2.6.29 to 2.6.30. Up to now, I was always able to run a kernel built this way on all my systems which can range from oldstable to unstable.

Continue reading "Unified Kernel for etch, lenny and sid"

Bye bye KDE?

I have been using current KDE since most of my Linux time (having converted over from WindowMaker to KDE 2 back in 2002). But currently, I am seriously pondering to ditch KDE since KDE upstream seems to be wildly decided to kill KDE.

I have accidentally upgraded my desktop box to KDE4 because I missed putting KDE on hold before doing a major sid update after a couple of months. KDE4's first regression immediately showed itself - the right display doesn't get any attention from KDE. It just shows up in a grey checkerboard background, it doesn't have a panel, it doesn't have a menu, right click doesn't work. It looks like the only thing one can do with it is dragging windows onto it.

With help of #debian-kde, I quickly found out about this bug in Upstream Bugzilla, which is referred from #529487 and which was marked as Duplicate of this bug in upstream bugzilla, which is one and a half years old and was marked as "severity wishlist".

Despite the splendid job that the Debian KDE team has done to sort out the KDE4 mess, it looks like KDE upstream has managed to break Dual Head Setups for one and a half years and doesn't seem to be too interested in providing KDE4 in a way that it can be compared with past versions. This is very sad and will have me shopping for a new desktop environment soon, I am afraid.

Maybe it was not a so good idea to take away KDE 3 so soon and it might have been better to keep KDE 3 in Debian. Maybe it's time to re-introduce KDE 3 as co-installable packages? I would be willing to participate in this effort as a team member.

Which other Desktop Environments and/or Window Managers should I be shopping for? I'd like to have:

  • Dual-Head support (preferably with the possibility to switch desktops only on one display, but that's something that even KDE 3 cannot do yet)
  • Shortcuts like "gg:search words" or "wp:search words" to immediately open google, wikipedia, the BTS or the PTS
  • Overlapping windows that are not automatically resized
  • A terminal like konsole which allows me to have different session in tabs and to send my input to all tabs
  • A clipboard handler that will automatically pop up a window asking me whether I want to open the URL that I just marked in a browser
  • Integration with the Debian menu system
  • I will try adding to this list over the next days when I notice a feature that I have accustomed to so badly that I don't even notice any more when I'm using it.

synaptics and unstable?

Dear Lazyweb, I have just found out that ksynaptics has stopped working against the X in unstable, and that ksynaptics is not even in lenny, let alone in current testing and/or unstable. This currently leaves me with an unconfigured touchpad, which is a major nuisance since I have gotten accustomed to tap-dragging and touchpad border scrolling.

xserver-xorg-input-synaptics' README.Debian dates back to 2004, so I suspect that the information given there in does not any more apply to today's configfile-less X.

So, dear lazyweb, how do I get my touchpad back into the more intelligent mode? Clickable configuration preferred.

The grub drama

This is a rant. A rant which goes to the grub maintainers, and one that could go nearly identically to many people in the KDE environment or many other open source projects.

I really like grub. I really like grub 0.97 despite that it's been unmaintained for years and not booting on two of my important machines. I should like grub 2 because its configuration looks more straightforward and for its better features - direct booting of .iso images, from LVM and RAID. But actually, I have learned to hate grub 2 since it is not finished and badly documented, and that its existence is already being used as an excuse for grub 0's development having stopped years ago (and it being renamed to "grub-legacy" to clearly show that it's the unloved child) - and things looks like this is not going to change any time soon.

Continue reading "The grub drama"

help needed for ATM support in ifupdown-scripts-zg2

I haven't been using ATM on Linux for some six years now. I neither have access to an ATM network any more nor do I have ATM hardware any more. Therefore, I plan to remove ATM support from ifupdown-scripts-zg2 in the next release which will be done in the next few weeks.

If anybody does still use ATM on Linux in conjunction with my scripts, you might want to offer help with the package if you want to have continued ATM support in ifdown-scripts-zg2. I cannot test the code any more and therefore cannot maintain it in the future.

LV naming, UUIDs, file systems labels

In the last few weeks, I spent quite some time wondering about how to arrange the hard disk layout of my productive systems in the future. This article outlines my thoughts and would like to ask the lazyweb for comments.

I try to keep my Debian servers as identically as possible, making it possible to talk non-linux persons remotely through the system without having to worry about this particular box' configuration.

Continue reading "LV naming, UUIDs, file systems labels"

Von der Auswahl eines passenden CMS

Web ist ein Bereich, aus dem ich mich in meiner bisherigen Internetkarriere weitgehend herausgehalten habe. Meine Talente liegen klar auf anderen Ebenen. Aber in manchen Dingen kann man es nicht vermeiden, auch mal eigene Inhalte zu veröffentlichen, wie ich es zum Beispiel mit diesem Blog tue. Zu gerne hätte ich für die Publikation von "normalen" Webseiten endlich eine Lösung in Petto, mit der ich die ungeliebten Aufgaben "Design" und "Bereithalten und Pflege der Webinfrastruktur" outsourcen und mich auf die Produktion der Inhalte konzentrieren kann.

Nun werden viele Leute sagen, das sei ja ganz einfach und mit der Softwaregattung "CMS" einfach zu lösen. Nur leider ist das doch nicht so einfach.

Continue reading "Von der Auswahl eines passenden CMS"