
Source routing with OpenVZ & Linux

If, like me, you have to run lots of OpenVZ-based virtual server hosts, you will likely have encountered the fun that is reverse-path filtering, or ‘rp_filter’. This is the function of the kernel that rejects ‘martian’ IP addresses arriving on any given interface. This is usually a good thing, until you wish to connect your OpenVZ host to two separate networks and have it route IP addresses from both subnets to & from your guests via the VENET-style interfaces.

Essentially, despite differing source addresses, only one default gateway exists to send traffic to IPs not within the connected subnets and thus, traffic on any “secondary” subnet is rejected as a martian when leaving the host’s interface that is connected to its default gateway.

Some people would use bridged interfaces, although this is sadly not an option for me right now. Whilst the performance of VENET is supposedly better, we also have a large install-base of VENET guests that do not wish to be disturbed. So for now I still need a way to make this work with VENET interfaces (and also VETH if required later).

There are two ways around the reverse-path filtering, with the first being a terrible hack that should only be used temporarily, if at all… If you echo ‘1’ to /proc/sys/net/ipv4/conf/all/log_martians, you will be able to see which interface is filtering martian packets. With that information you can then simply disable the rp_filter function by echoing ‘0’ to /proc/sys/net/ipv4/conf/INTERFACE/rp_filter and martians won’t be filtered.

However, this isn’t a sensible option, since it leaves that interface accepting packets with spoofed source addresses. A better solution is to actually create a routing rule to alter the default gateway used, based on the source subnet. It took me a little bit of digging, but I eventually managed to get this working after combing through a few sources (including, but not limited to, the iproute2 man page).

For reference, here’s my routing table showing two networks and two /32 IPs assigned to a guest’s VENET interface (note that the networks are /23s, not /24s!):

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.9.159      0.0.0.0         255.255.255.255 UH    0      0        0 venet0
10.0.125.53     0.0.0.0         255.255.255.255 UH    0      0        0 venet0
10.0.8.0        0.0.0.0         255.255.254.0   U     0      0        0 br0
10.0.124.0      0.0.0.0         255.255.254.0   U     0      0        0 br1
0.0.0.0         10.0.9.1        0.0.0.0         UG    0      0        0 br0

Start by opening /etc/iproute2/rt_tables in your favourite editor. You’ll need to append a line to the bottom to create a new routing table:

# cat /etc/iproute2/rt_tables
#
# reserved values
#
255    local
254    main
253    default
0    unspec
#
# local
#
#1    inr.ruhep
100    vlan4

As you can see, I’ve appended a new table named ‘vlan4’ (picking a sensible name helps, in my case this is the VLAN name for 10.0.124.0/23) and given it a priority of 100. As per my understanding, the priority should be decremented for each subsequent table defined.

Now you need to use ip to define the new rules & routing behaviour, taking advantage of the new table we’ve defined. First, create a rule matching traffic from your secondary subnet:

ip rule add from 10.0.124.0/23 iif venet0 table vlan4

For reference, the ‘iif’ attribute is not a mistake; “iif” not “if”. This was also a key part of the setup, as it only classifies traffic originating from the VENET interfaces, nowhere else.

Now add a route to define the new default gateway for our new table of classified traffic and apply it:

ip route add default via 10.0.125.1 dev br1 table vlan4
ip route flush cache

You should now find that guest traffic from either network is routed correctly without having to change any rp_filter settings. At any time you can use the following two commands to see your configuration:

ip rule show
ip route show table vlan4

Be sure to re-apply the ‘ip rule’ and ‘ip route’ statements on your next reboot; under Scientific Linux 6.0 I’ve used the /etc/rc.local file, but you can just as easily apply them on ifup in Debian’s network configuration.
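
One way to re-apply the steps above from rc.local or an ifup hook without piling up duplicates, added here as an example and not taken from the original setup. The function and variable names are my own; the addresses, interfaces and table name are the ones used above. It also lists any interface where rp_filter is still 0, so the temporary workaround does not get left in place.

```shell
#!/bin/sh
# Added example: idempotent source-routing setup for the values in this post.
TABLE_NUM=100          # number given to the table in rt_tables
TABLE_NAME=vlan4
SRC_NET=10.0.124.0/23  # secondary subnet
GUEST_IF=venet0        # traffic is classified only when it enters here
GW=10.0.125.1          # gateway for the secondary subnet
GW_IF=br1
RT_TABLES=${RT_TABLES:-/etc/iproute2/rt_tables}
PROC_CONF=${PROC_CONF:-/proc/sys/net/ipv4/conf}

# Register the table name once; a second run must not append a duplicate line.
ensure_table() {
    grep -Eq "^[[:space:]]*${TABLE_NUM}[[:space:]]+${TABLE_NAME}([[:space:]]|\$)" "$RT_TABLES" \
        || printf '%s\t%s\n' "$TABLE_NUM" "$TABLE_NAME" >> "$RT_TABLES"
}

# Running "ip rule add" twice can leave a duplicate rule on older kernels,
# so check the current rule list before adding.
ensure_rule() {
    ip rule show | grep -qF "from ${SRC_NET} iif ${GUEST_IF} lookup ${TABLE_NAME}" \
        || ip rule add from "$SRC_NET" iif "$GUEST_IF" table "$TABLE_NAME"
}

# "replace" creates the route or overwrites it, so it is safe to repeat.
ensure_route() {
    ip route replace default via "$GW" dev "$GW_IF" table "$TABLE_NAME"
    ip route flush cache
}

# Print the name of every conf entry whose rp_filter is 0 (filtering off).
# Prints nothing when reverse-path filtering is enabled everywhere.
rp_filter_disabled() {
    for f in "$PROC_CONF"/*/rp_filter; do
        [ -r "$f" ] || continue
        [ "$(cat "$f")" = "0" ] && basename "$(dirname "$f")"
    done
    return 0
}

apply_source_routing() {
    ensure_table && ensure_rule && ensure_route
}

# Only act when called with "apply", so the file can also be sourced.
if [ "${1:-}" = "apply" ]; then
    apply_source_routing
    off=$(rp_filter_disabled)
    [ -z "$off" ] || echo "warning: rp_filter is 0 on: $off" >&2
fi
```

Call it as root with the single argument apply; ‘ip rule show’ and ‘ip route show table vlan4’ should then list exactly one rule and one default route however many times it has run.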

Fixing Firefox search add-ons in Ubuntu

I booted up my work machine today (a fully-patched Ubuntu 10.10 x86_64 installation) to find that most of my search engine add-ons in Firefox had disappeared.

Anyone that’s had this happen to them will notice that you literally cannot find/retrieve these basic add-ons via the Add-ons store, and most searches online bring back results related to the Google toolbar (not helpful).

Eventually I tracked down this post and I am eternally grateful to the poster because, not only did it allow me to fix the issue myself (copy the missing .xml files from /usr/lib/firefox-addons/searchplugins/en-US/ to the corresponding ‘en-GB’ folder) but I have also finally found a method to send my queries to google.co.uk instead of google.com… Just edit the appropriate .xml file, changing .com to .co.uk.

So no more having to deal with American shopping results!

IPv6 on m0n0wall

I finally got around to sending my first ping6 echos! Who knew I’d get replies on my first go?!

My ADSL provider Andrews & Arnold have provided me with a /48 IPv6 subnet, which seems somewhat wasteful at 2^80 addresses (throw that in your calculator) but certainly useful for testing nevertheless. Whilst slowly getting my head around the task that is variable-length subnetting of IPv6 ranges – painful at best – I decided to just throw in a /64 subnet and set a static gateway address on m0n0wall’s LAN interface to see if it would ‘just work’.

The result is a working IPv6 LAN by simply enabling autoconfig from the m0n0wall box and telling Ubuntu’s Network Manager to use it. Et voila:

teh@desktop:~$ ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:01:29:fc:37:1d
inet addr:81.187.xxx.xxx Bcast:81.187.xxx.xxx Mask:255.255.255.240
inet6 addr: 2001:8b0:ff87:1:201:29ff:fefc:371d/64 Scope:Global
inet6 addr: fe80::201:29ff:fefc:371d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1616524 errors:0 dropped:0 overruns:0 frame:0
TX packets:2224946 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:277202062 (277.2 MB) TX bytes:519498762 (519.4 MB)
Interrupt:18

You’ll notice that the last 80 bits of my IPv6 address on this host were assigned via autoconfig, using part of my MAC address (the part that doesn’t correspond to a certain manufacturer, IIRC) as well as some randomly-generated bits, too.
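
The interface identifier in the ifconfig output above can be reproduced from the HWaddr line: it is the low 64 bits of the address, built as a modified EUI-64 from the full 48-bit MAC by flipping the universal/local bit of the first octet and inserting ff:fe in the middle. The functions below are an added example, not part of the original post, and their names are my own; the second one goes the other way and recovers the MAC from such an identifier.

```shell
#!/bin/sh
# Added example: modified EUI-64 interface identifiers, as used by autoconfig.

# eui64_iid MAC -> the four low groups of the address, leading zeros dropped
# the same way ifconfig prints them.
eui64_iid() {
    old_ifs=$IFS; IFS=:
    set -- $1                      # split the MAC into six octets
    IFS=$old_ifs
    [ $# -eq 6 ] || return 1
    o1=$(( 0x$1 ^ 0x02 ))          # flip the universal/local bit
    printf '%x:%x:%x:%x\n' \
        $(( (o1 << 8) | 0x$2 )) $(( (0x$3 << 8) | 0xff )) \
        $(( 0xfe00 | 0x$4 ))    $(( (0x$5 << 8) | 0x$6 ))
}

# slaac_addr PREFIX64 MAC -> full autoconfigured address for a /64 prefix
# written as its four groups, e.g. 2001:8b0:ff87:1
slaac_addr() {
    iid=$(eui64_iid "$2") || return 1
    printf '%s:%s\n' "$1" "$iid"
}

# iid_to_mac IID -> the MAC address embedded in an EUI-64 identifier.
# Fails (status 1) when the ff:fe marker is absent, which is the case for
# temporary/privacy and manually assigned identifiers.
iid_to_mac() {
    old_ifs=$IFS; IFS=:
    set -- $1                      # split the identifier into four groups
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    g1=$(( 0x$1 )); g2=$(( 0x$2 )); g3=$(( 0x$3 )); g4=$(( 0x$4 ))
    [ $(( g2 & 0xff )) -eq 255 ] && [ $(( g3 >> 8 )) -eq 254 ] || return 1
    printf '%02x:%02x:%02x:%02x:%02x:%02x\n' \
        $(( (g1 >> 8) ^ 0x02 )) $(( g1 & 0xff )) $(( g2 >> 8 )) \
        $(( g3 & 0xff ))        $(( g4 >> 8 ))   $(( g4 & 0xff ))
}
```

An address built this way carries the same identifier on every network the host joins; on Linux the net.ipv6.conf.INTERFACE.use_tempaddr sysctl enables temporary (privacy) addresses instead.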

And to make my night, ping6 worked straight away, too:

teh@desktop:~$ ping6 2001:08B0:FF88:0001::1
PING 2001:08B0:FF88:0001::1(2001:8b0:ff88:1::1) 56 data bytes
64 bytes from 2001:8b0:ff88:1::1: icmp_seq=1 ttl=64 time=3.81 ms
64 bytes from 2001:8b0:ff88:1::1: icmp_seq=2 ttl=64 time=0.130 ms
64 bytes from 2001:8b0:ff88:1::1: icmp_seq=3 ttl=64 time=0.132 ms

--- 2001:08B0:FF88:0001::1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.130/1.358/3.813/1.735 ms

Now to plan how I’m going to roll this out at work…

Optical drive firmware updating in Linux

I recently needed to burn a copy of Windows 7 Pro but realised that I’d unfortunately run out of blank DVD-Rs long ago. Fear not, for I live near an Aldi supermarket, which sells everything dirt cheap. DVD-R’s a DVD-R, right?

Wrong. I tried at least three of the twenty I purchased (for a few quid) and none of them would even begin writing. Brasero/K3B both complained about incompatible media types.

Remembering that my DVD drive, a trusty NEC 3500A, was designed, built and purchased somewhere between 2004 and 2005 (4-5 years ago at this point) and that I hadn’t ever updated the firmware, I set about researching ways and means into doing this.

I came across this website, run by a pair of firmware hackers named Liggy and Dee who have (between them) released, and continue to host, many firmware releases (both official and unofficial) for a wide variety of NEC optical drives.

What’s more, their binflash (or ‘necflash’) utility was even released as a Linux binary and it even provides compatibility for reading the official NEC .exe firmware releases! I was sceptical that it would work under Ubuntu 9.10 at first, but much to my delight it worked perfectly. With a little reading, I was able to dump my current firmware (2.16) to file and subsequently flash two different firmware releases: 2.58 (an OEM firmware release) and the latest, official NEC firmware 2.1A release.

The full output of my escapades for anyone curious:


~$ sudo ./necflash -flash -v -s Desktop/NECND350_v21A.exe /dev/sg2
Binflash - NEC version - (C) by Liggy and Herrie
Visit http://binflash.cdfreaks.com

Identified drive: 4 - 3031
Detected drive from Firmware: 4

You are about to flash your drive with the following firmware:

Vendor: _NEC
Identification: DVD_RW ND-3500AG
Version: 2.1A

Remember no one can be held responsible for any kind of failure!
Are you sure you want to proceed? (y/n) y

Entering safe mode
Sending firmware to drive at 0x006000
Sending firmware to drive at 0x00e000
Sending firmware to drive at 0x016000
Sending firmware to drive at 0x01e000
Sending firmware to drive at 0x026000
Sending firmware to drive at 0x02e000
Sending firmware to drive at 0x036000
Sending firmware to drive at 0x03e000
Sending firmware to drive at 0x046000
Sending firmware to drive at 0x04e000
Sending firmware to drive at 0x056000
Sending firmware to drive at 0x05e000
Sending firmware to drive at 0x066000
Sending firmware to drive at 0x06e000
Sending firmware to drive at 0x076000
Sending firmware to drive at 0x07e000
Sending firmware to drive at 0x086000
Sending firmware to drive at 0x08e000
Sending firmware to drive at 0x096000
Sending firmware to drive at 0x09e000
Sending firmware to drive at 0x0a6000
Sending firmware to drive at 0x0ae000
Sending firmware to drive at 0x0b6000
Sending firmware to drive at 0x0be000
Sending firmware to drive at 0x0c6000
Sending firmware to drive at 0x0ce000
Sending firmware to drive at 0x0d6000
Sending firmware to drive at 0x0de000
Sending firmware to drive at 0x0e6000
Sending firmware to drive at 0x0ee000
Sending firmware to drive at 0x0f6000
Sending firmware to drive at 0x0fe000
Sending checksum to drive
Erasing flash block 2
Erasing flash block 3
Erasing flash block 4
Erasing flash block 5
Erasing flash block 6
Erasing flash block 7
Erasing flash block 8
Erasing flash block 9
Erasing flash block 10
Erasing flash block 11
Erasing flash block 12
Erasing flash block 13
Erasing flash block 14
Erasing flash block 15
Erasing flash block 16
Erasing flash block 17
Erasing flash block 18
Writing flash block 2
Writing flash block 3
Writing flash block 4
Writing flash block 5
Writing flash block 6
Writing flash block 7
Writing flash block 8
Writing flash block 9
Writing flash block 10
Writing flash block 11
Writing flash block 12
Writing flash block 13
Writing flash block 14
Writing flash block 15
Writing flash block 16
Writing flash block 17
Writing flash block 18
Leaving safe mode

Whilst the 2.58 OEM release didn’t fix my problems, 2.1A did and I now have a freshly-burnt copy of Windows 7 Pro to go and play games with. Nice one, Liggy & Dee. :)

Testing Google Go on Ubuntu

Yesterday a few of you will have heard the news that Google recently launched a new programming language, named ‘Go’.

Whilst I’m not a programmer, and exist far from the plane of ever pretending to be one – I do have some professional interests in playing with this. I’ll probably update this post a little later with some more, specific information when all can be revealed, but for now here’s a little taster:

root@gotest:~# 6g hello.go
root@gotest:~# 6l hello.6
root@gotest:~# ./6.out
hello, world

It works! This machine is an openvz container, running Ubuntu 9.04 x86_64 and it works a treat, with the only exception that I couldn’t build Go with the standard ‘all.bash’ make script. I had to use the ‘make.bash’ script instead for it to work – something about probing the network devices not working with the former script. Thanks go to Rob Pike from Google, who seems to have been working pretty darn hard in the #go-wild IRC channel on Freenode recently!

Update: 34SP.com are now offering Google Go development environments, for those wishing to dabble!

Ubuntu Bug Day (flashplayer-nonfree)

Oddly enough, only a day after my post concerning some odd differences between two Ubuntu Flash 10 packages, I received an e-mail from the Ubuntu mailing list to tell me that the next hug (bug) day is actually centred around flashplayer-nonfree!

Quoting the e-mail for any of you not on the list:

Fellow Ubuntu Triagers!

This week's HugDay target is *drum roll please* flashplugin-nonfree!
* 78 New bugs need a hug
* 53 Incomplete bugs need a status check
* 35 Confirmed bugs need a review

Bookmark it, add it to your calendars, turn over those egg-timers!
* 5th of March, 2009
* http://wiki.ubuntu.com/UbuntuBugDay/20090305

Can't stress it enough: everyone can help!

Have some time? Triage boogz! I won't be upset if you get a headstart~ ;)
Have a blog? Blog about Hugday!
Have some screen space? Open #ubuntu-bugs and keep an eye out for
newcomers in need.
Have minions? Teach THEM to triage for you! :)

Wanna be famous? Is easy! remember to use 5-A-day so if you do a good
work your name could be listed at the top 5-A-Day Contributors in the
Ubuntu Hall of Fame page!

Make a difference; we will be in #ubuntu-bugs (FreeNode) all day and
night, and will be ready to answer your questions about how to help.

If you're new to all this, head to

http://wiki.ubuntu.com/HelpingWithBugs

Have a nice day,
Martin Mai
[From the BugSquad]

That’s quite a lot of bugs. Hopefully the Ubuntu ‘Jaunty Jackalope’ 9.04 release will iron these issues out.

Ubuntu and Flash 10

Bizarrely, I’ve noticed that the Canonical-supplied Adobe Flash 10 plugin isn’t working as well as the Adobe-supplied version.

You could regard this as a possibly moronic statement at first, but there’s a little evidence to back it up. Firstly, I’ve been using the ‘adobe-flashplugin’ package provided via the Canonical Partner repository for some time. I think it works a heck of a lot better than Flash 9, and I’ve been much happier with the experience. That isn’t to say that it’s perfect, but at least Firefox doesn’t crash with every 3rd/4th Youtube video I play.

By default, of course, the Canonical Partner repository is disabled within a fresh Ubuntu installation. So when my girlfriend mentioned that the videos on Llewtube.com weren’t displaying, I wasn’t surprised to find that she was using the latest version of the ‘flashplugin-nonfree’ package:

sudo dpkg -l | grep flash
ii flashplugin-nonfree 10.0.22.87ubuntu1~intrepid1 Adobe Flash Player plugin installer

Given that I could view the videos on the aforementioned website without a single issue, I went to check my plugin version:

ii adobe-flashplugin 10.0.22.87-2intrepid1 Adobe Flash Player plugin version 10

So we’re supposedly using the same version of the Flash plugin, but from different packages. Would anyone like to explain why one package works and the other does not?

Getting around the problem was a simple task for her: simply enable the Partner repository by navigating to the Software Sources configuration utility (via System -> Administration -> Software Sources) and (after giving your password) checking the two ‘partner’ lines under the Third Party tab. If you don’t have them, you can add them (one at a time) with these two lines:

deb http://archive.canonical.com/ubuntu intrepid partner
deb-src http://archive.canonical.com/ubuntu intrepid partner

(If you’re reading this, and you’ve not yet upgraded to Ubuntu 8.10; the bulk of this guide should work with 8.04 also. You will, however, need to swap out ‘intrepid’ for ‘hardy’! :) )

When you’ve enabled the partner repositories (check the boxes) it’s a matter of closing Software Sources and letting it reload the package sources when prompted. After that, simply open a terminal and paste in the following:

sudo apt-get remove --purge flashplugin-nonfree && sudo apt-get install adobe-flashplugin

If you restart Firefox, you should now be sorted. If in doubt, search in Synaptic (System -> Administration -> Synaptic) for ‘Flash’ and see what is (or isn’t) installed.

Why Sony, why?

I absolutely adored my Sony Ericsson K800i. What a phone; everyone’s had one or used one at some point. Given that they’re quite long in the tooth now, you’d be hard-pushed to have not come across someone that had/has one.

So when the K850i came out, I was quite eager to get my upgrade. And so far there’s been only one real drawback to it, that I’ve found: using it as a modem.

When I first moved into my current abode, I didn’t have any ADSL for a few weeks. Predictably one can steal some wireless broadband, or one can attempt to use some form of mobile broadband. Before signing my life away for a few months, I decided to test my phone (which at the time, was the K800i) with Ubuntu. To my sheer delight, the phone presents itself as a USB Ethernet adapter, and Ubuntu’s network-manager simply sent a DHCP request and received an ACK. No messing about here: I had 3G broadband within 5 seconds of plugging the USB cable in!

So obviously when I attempted the same trick with my K850i, I was really quite dismayed to find that you can’t do this any longer. The USB Ethernet device is there (grep -i CDC /var/log/messages) but for the life of me, I cannot find a way to obtain a DHCP lease via the usb0 interface.

Yes, it works perfectly (and with HSDPA speeds, thanks to my city-centre location) if you use wvdial or one of its GUI front-ends (gnome-ppp worked well) and I’ve been able to connect like this..

But I can’t understand why the Sony Ericsson engineers would want to remove such a simple mechanism in favour of the greatest faff-about in history. I’d be interested to hear from anyone that’s managed to get this working.. Although I fear by the time I get an answer, I’ll be back on some ADSL goodness: HSDPA is alright in a pinch, but T-Mobile UK’s data network seems so heavily sensitive to peak times (I suspect insane levels of contention) and the latency is atrocious. Half a second? Ugh. That’ll be the Deep Packet Inspection they do…

Speex causing Asterisk headaches

Many people already know that I dabble with Asterisk on a daily basis. Our Linux distribution of choice here at work, also happens to be Gentoo.

Now, when updating Gentoo’s ‘world’ package base, you do get some problems occasionally. This is a downside to being ‘on the cutting edge’ and it’s obviously no wonder why distributions such as Ubuntu, Red Hat and SuSE stick to well-tested release schedules.

Recently, after a well over-due profile update (from 2006.0 to 2008.0) and the following emerge -av --newuse --deep world command, Asterisk simply stopped working. No warning, and it took a while for me to notice.

Once I had noticed, it became apparent that something was really quite awry. Asterisk wouldn’t start via the init script (which has a seemingly immortal, and hideously annoying process), nor via just calling the executable. I eventually realised, with the help of this bug report and the /var/log/asterisk/full logfile, that Asterisk was failing to find the speex modules it required.

Long story short, as per the bug report, you need to downgrade (and mask for good measure) speex to 1.1.12 to retain functionality on anything older than a January/February release of Asterisk 1.4.x. :(

The fact that Portage still only has Asterisk 1.2.x, means that unless you switch to using the voip overlay, you’re going to find this issue will affect you.

Oh Gentoo, how I love and hate you!

Ubuntu 8.04 ‘Hardy Heron’

Like many Ubuntu nuts, I’ve recently upgraded my work and home systems to the latest and greatest release: 8.04, code-name ‘Hardy Heron’.

And as per the usual, I updated a little early. Not quite at beta this time; I managed to subdue the upgrade itch until a few days before the final release. The only justification I needed beyond that was that the mirrors always get hammered come release day.

So I set about upgrading to the release candidate version (Alt+F2, and run ‘update-manager --devel-release’) of Hardy and let it do its thing. I had a small issue with /boot being full of old kernels, which just required a few ‘sudo rm -r’ commands from a terminal, but nothing big.

However, I did encounter a few issues…

The first of which, was the Nvidia binary driver that I had installed for reasons of graphical goodness, but of course it wasn’t the maintained package, therefore the upgrade tool did nothing with it and I was stuck with X’s safe graphics mode. Neat, but genuinely annoying.

To make matters worse (and this one just wasn’t my fault) I was also stuck without any sudo access at all!

teh@snatch:~$ sudo su -
sudo: can't resolve hostname snatch.
teh@snatch:~$

Of course, if I checked out my /etc/hosts file, it looked like this:

teh@snatch:~$ cat /etc/hosts
127.0.0.1 localhost
127.0.0.1 teh-desktop

Now I knew that was wrong (line #2 is a strange left-over from the default installation) but of course I couldn’t use sudo to elevate my privileges in order to change it! Frustration!

One live CD later, and I managed to alter the offending ‘teh-desktop’ line to read ’127.0.0.1 snatch’ instead. Job done, and it works fine now.

The question is: why the hell does the /etc/hosts file matter? Curiously, I don’t know, but maybe someone will be willing to give a better explanation. :)

I left the Hardy upgrade on my home machine until a few days after the final release, due to a mortal fear of the upgrade tool nobbling dmraid and causing ‘unable to mount root vfs’ kernel panics, but thankfully it worked without a hitch (more-so than my work PC, in fact – though it goes without saying that I checked /etc/hosts first! ;) )

And now that I’ve been using it a little while, I’m quite impressed. There’s a few nice polishes here and there – to compiz-settings in particular. I can now use edges in expose!

However I’m a little baffled as to the whereabouts of my ‘New Tab’ button in Firefox 3b5. It’s there in the Windows installations I have, so why have they deemed it necessary to exclude it from the Ubuntu release? Well.. At least they have an RC and a final release to go yet, so hopefully this will be fixed.