Wednesday, October 11, 2017

Attempts to fix 802.11ac WiFi networking issues

My boss and I have been dealing with WiFi issues with regard to various home and work situations. I've been trying to assemble a good strategy for dealing with them, and there appear to be some promising leads.

  • In 802.11ac environments you have 5 GHz available as well as 2.4 GHz. However, it turns out that "Dynamic Frequency Selection" (DFS) is eager to not interfere with radar installations: an AP on a DFS channel has to vacate it when it hears radar, so clients see the network drop out. Per a chart of 802.11 5 GHz channels, the DFS set is channels 52-64 and 100-144; those are the ones to avoid in a major urban area, so I am currently not using them and have DFS turned off. Use a good WiFi analyzer app to pick the least used channel outside that range.
  • If you're supporting older iPhones for people, they may not like a 40 MHz channel width on 2.4 GHz; I found multiple posts online about that. Keep your 2.4 GHz at 20 MHz, and also set N-only mode if you've managed to ditch all your old B and G devices.
  • In a residential setting, turn the transmit power down, and if you know your neighbors, ask them to as well. 50-75% should be fine, especially in an apartment complex.
  • I set my Fragmentation Threshold to 1500 and RTS Threshold to 1501 for now. I need to study these more, but standard Ethernet framing isn't more than 1500 bytes anyway, and I've read that in congested areas "less is more".
  • I also read that if your devices aren't going to be switching SSIDs a lot, try raising the DTIM above the default of 1 (2 or 3 seem to be valid) and/or raising your Beacon Interval past 100 (I currently have mine at 3000). This is supposed to keep your wireless devices from waking up too often and draining power. However, setting these too high is said to negatively impact realtime chat and video apps.
Added: good, but dense, eBook on this stuff

Added #2: some more suggested tweaking on the Frag/RTS settings. I'm trying 1312 now, since I do have IPv6 on my connection (IPv6's 1280-byte minimum MTU plus a 34-byte MAC header).
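The "pick the least used channel outside the DFS range" step above is the one I do by hand with an analyzer app. As an added example (not from the original post), here is the same tally done over the output of iw dev wlan0 scan on Linux: it counts BSSs per channel and picks the emptiest 20 MHz 5 GHz channel outside 52-64 and 100-144. The scan text is constructed, and it only counts primary channels; an 80 MHz 802.11ac neighbor on 36 also covers 40-48, which the full iw output ("center freq segment") would let you account for.

```shell
#!/bin/sh
# Added example, not from the original post: tally BSSs per channel in
# "iw dev <ifname> scan" output and pick the least-used non-DFS 5 GHz channel.
# DFS channels (52-64, 100-144) are left out of the candidate list on purpose.
set -eu

# channel_tally < scan_output : prints "channel count" for every channel seen
channel_tally() {
  awk '
  /^[ \t]*freq:/ {
    f = $2 + 0                                # iw prints "freq: 5180" (newer: "5180.0")
    if (f == 2484)      ch = 14               # 2.4 GHz channel 14 is the odd one out
    else if (f < 2500)  ch = (f - 2407) / 5   # 2412 -> 1, 2437 -> 6, 2462 -> 11
    else                ch = (f - 5000) / 5   # 5180 -> 36, 5745 -> 149
    seen[ch]++
  }
  END { for (c in seen) print c, seen[c] }' | sort -n
}

# least_used_channel < scan_output : prints the non-DFS 5 GHz 20 MHz channel
# carrying the fewest BSSs; the lowest channel wins a tie
least_used_channel() {
  awk '
  /^[ \t]*freq:/ {
    f = $2 + 0
    if (f > 5000) seen[(f - 5000) / 5]++
  }
  END {
    n = split("36 40 44 48 149 153 157 161 165", cand, " ")   # UNII-1 and UNII-3, no DFS
    best = ""; bestcount = -1
    for (i = 1; i <= n; i++) {
      cnt = (cand[i] in seen) ? seen[cand[i]] : 0
      if (bestcount < 0 || cnt < bestcount) { best = cand[i]; bestcount = cnt }
    }
    print best
  }'
}

# Constructed sample in the shape iw prints (only the freq: lines are parsed)
SAMPLE_SCAN='BSS 00:11:22:33:44:01(on wlan0)
    freq: 5180
    SSID: neighbor-a
BSS 00:11:22:33:44:02(on wlan0)
    freq: 5180
    SSID: neighbor-b
BSS 00:11:22:33:44:03(on wlan0)
    freq: 5200
    SSID: neighbor-c
BSS 00:11:22:33:44:04(on wlan0)
    freq: 5745
    SSID: neighbor-d
BSS 00:11:22:33:44:05(on wlan0)
    freq: 2437
    SSID: neighbor-e'

printf '%s\n' "$SAMPLE_SCAN" | channel_tally        # 6 1 / 36 2 / 40 1 / 149 1
printf '%s\n' "$SAMPLE_SCAN" | least_used_channel   # 44
# Live use on Linux: iw dev wlan0 scan | least_used_channel
```

Run it against a real scan as root (iw needs CAP_NET_ADMIN to trigger a scan); 2.4 GHz channels are tallied but never proposed, since the post keeps 2.4 GHz at 20 MHz on 1/6/11 anyway.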

Friday, September 1, 2017

Quick conversion of iptables to FirewallD

I needed to work with a CentOS 7 VM that was still using /etc/sysconfig/iptables rules, but some other stuff I needed working on it wasn't connecting right. From poking around online plus past experience, here's a snippet for anyone looking at a similar problem. This particular configuration (I scrubbed out other details) opens TCP 22, 443 and 8443, and redirects incoming TCP 443 to 8443. Because the forward-port rule rewrites the destination port before the INPUT check, the separate 443 opening is probably unnecessary, and the masquerade line is only needed when a forward targets another host (toaddr=); for a local redirect like this it can be left out. Afterwards, firewall-cmd --zone=public --list-all shows what actually landed, which is worth comparing against the old iptables rules before calling it done.


yum install firewalld
systemctl enable firewalld && systemctl start firewalld   # firewalld.service conflicts with iptables.service, so starting it also stops iptables
firewall-cmd --zone=public --add-port={22,443,8443}/tcp --permanent   # bash brace expansion: becomes three --add-port options (won't expand under plain sh)
firewall-cmd --zone=public --add-masquerade --permanent   # only needed if the forward below used toaddr= to reach another host
firewall-cmd --zone=public --add-forward-port=port=443:proto=tcp:toport=8443 --permanent   # incoming 443 -> local 8443
systemctl stop iptables && systemctl stop ip6tables
systemctl disable iptables && systemctl disable ip6tables
firewall-cmd --reload   # --permanent rules only take effect after a reload
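The snippet above was written by hand from the old rule file. As an added example (not part of the original post), here is a small converter that reads the common rule shapes found in /etc/sysconfig/iptables and prints the matching firewall-cmd calls without executing them. The rules below are constructed. It deliberately refuses to translate any rule carrying a source, destination or interface match: turning `-s 192.0.2.0/24 --dport 3306 -j ACCEPT` into a bare `--add-port=3306/tcp` would silently open the port to everyone, and such rules need a firewalld rich rule instead.

```shell
#!/bin/sh
# Added example, not part of the original post: translate simple iptables-save
# style rules into firewall-cmd commands. Only "-p PROTO --dport N -j ACCEPT"
# and "-p PROTO --dport N -j REDIRECT --to-ports M" are handled; everything
# else is echoed as a comment so nothing is lost silently.
set -eu

# iptables_to_firewalld ZONE < rules : prints firewall-cmd lines, runs nothing
iptables_to_firewalld() {
  awk -v zone="$1" '
  /^[ \t]*(#|$)/ || /^[*:]/ || /^COMMIT/ { next }          # comments, *table, :CHAIN, COMMIT
  {
    proto = ""; port = ""; toport = ""
    for (i = 1; i <= NF; i++) {
      if ($i == "-p") proto = $(i + 1)
      if ($i == "--dport") port = $(i + 1)
      if ($i == "--to-ports" || $i == "--to-port") toport = $(i + 1)
    }
    gsub(":", "-", port)                                  # 8000:8010 -> 8000-8010
    if ($0 ~ /(^| )-(s|d|i) /) {
      # a plain --add-port would drop the source/dest/interface match and widen exposure
      print "# needs a rich rule (source/destination/interface match): " $0
      next
    }
    if ($0 ~ /-j ACCEPT/ && proto != "" && port != "") {
      printf "firewall-cmd --permanent --zone=%s --add-port=%s/%s\n", zone, port, proto
      next
    }
    if ($0 ~ /-j REDIRECT/ && proto != "" && port != "" && toport != "") {
      printf "firewall-cmd --permanent --zone=%s --add-forward-port=port=%s:proto=%s:toport=%s\n", zone, port, proto, toport
      next
    }
    print "# not translated: " $0
  }'
}

# Constructed sample in /etc/sysconfig/iptables (iptables-save) format
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8443 -j ACCEPT
-A INPUT -p udp -m udp --dport 655 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp --dport 3306 -j ACCEPT
COMMIT
*nat
-A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443
COMMIT'

printf '%s\n' "$SAMPLE_RULES" | iptables_to_firewalld public
# Real use: iptables_to_firewalld public < /etc/sysconfig/iptables, review the
# output, run it, then firewall-cmd --reload and --list-all to confirm.
```

Review the printed commands before running them; the converter is a starting point, not an authority, and the rules it comments out are exactly the ones that deserve a second look.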

Friday, August 11, 2017

Using tinc VPN for linking up a Linux data cluster with static IPv6 addresses

10 years ago, I wrote up this tutorial on how to use tinc to create a basic IPv6 network between multiple sites. I followed up on that work with a more robust network: that is documented on my own website, and frankly could use some updating. At least one person made a cleaned up variant.

Over the past four years since leaving the employer I built that network up at, the acceptance and use of either tinc or IPv6 has been rather mixed. However, I think I've found a use case for that past research: data clusters. In fact, a couple of other people seem to have had a similar thought for their own needs. It also helps that most applications have full IPv6 support now, something that was barely in place 10 years ago.

Installation

CentOS/RHEL 7.x: yum install tinc (the package lives in EPEL); you'll need to edit /etc/sysconfig/iptables and /etc/sysconfig/ip6tables, or use a firewalld command, to allow TCP and UDP on port 655.

Debian/Ubuntu: it's quite possible an apt install tinc will get you a new-enough version, and that is the preferable route because apt checks the repository signatures. If you instead grab the latest tinc-1.0.x .deb by hand from somewhere like Ubuntu Packages, remember that dpkg -i does no signature check, so verify the file's checksum against the repository's Packages index first. You'll also need to run ufw allow 655/tcp && ufw allow 655/udp if you're using Uncomplicated Firewall.

Configuration


We're going to call this "privatelan", and assume you're using sudo / root to do this work. For editing, make sure you have nano, vi, etc. installed.
  1. mkdir -p -m 0700 /etc/tinc/privatelan/hosts (with -p the mode only applies to the last component, so chmod 0700 /etc/tinc/privatelan as well).
  2. In the past, you needed to edit /etc/tinc/nets.boot, but if you're using systemd, go ahead and delete it. Otherwise, edit it to have privatelan as a line in it.
  3. If ls /etc/init.d/tinc* finds a file and you're using systemd, you'll need the systemd unit files. Download both .service files and copy them to /etc/systemd/system.
  4. You'll need to pick out / assign a ULA (fc00::/7, in practice fd00::/8) for this. You can use a ULA generator to pick a /64.
  5. Create and edit /etc/tinc/privatelan/tinc.conf, /etc/tinc/privatelan/tinc-up and /etc/tinc/privatelan/tinc-down (samples below).
  6. chmod u+x /etc/tinc/privatelan/tinc-*
  7. tincd -n privatelan -K will generate an RSA key pair: the private key goes to /etc/tinc/privatelan/rsa_key.priv (keep it 0600 and never copy it to another node), and the public key is appended to a new host file in /etc/tinc/privatelan/hosts/. Optionally, you can edit that new host file to add Compression=# (1-11, with 1-9 being zlib levels and 10-11 LZO).
  8. The master node needs a copy of the host file from every member system; those get copied to /etc/tinc/privatelan/hosts/. Only the hosts/ files (which carry public keys) are ever exchanged between nodes.
  9. All client nodes need copies of the master node's host file. That file has to have something like Address=(DNS/IP) at the top so they can find that host.
  10. When a node is ready, you can systemctl enable tinc@privatelan && systemctl restart tinc@privatelan; check your distro if not using systemd.
  11. You should either add your new IPv6 addresses to your local DNS, or populate them as a batch in /etc/hosts.
  12. When in doubt, read the docs! Thanks!
  13. Added: on CentOS / RHEL systems, you may need to make sure SELinux isn't blocking anything: look for denials with ausearch -m avc -ts recent, and use audit2allow -a to see what policy they would need.

Config files


tinc.conf

Name=node
Device=/dev/net/tun
Interface=privatelan
Mode=switch
#Comment next line if master
ConnectTo=master

tinc-up

#!/bin/sh
ip link set privatelan mtu 1280 qlen 4096 up
ip -6 address add 2001:db8:beef:1::1/64 dev privatelan

tinc-down

#!/bin/sh
ip -6 address del 2001:db8:beef:1::1/64 dev privatelan
ip link set privatelan down

hosts/node

Address=192.0.2.200
Compression=10

(the -----BEGIN RSA PUBLIC KEY----- block that tincd -K appended goes here; it is tinc's own RSA key, not an SSH key)
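Steps 1, 4, 5 and 6 above are the same for every node apart from the name, the address and whether it connects to the master. As an added example (not from the original post), this script generates those per-node files from a ULA /64 and a host index, writing into a directory that stands in for /etc/tinc; the prefix and node names are assumptions, and the key pair from step 7 still has to come from tincd -K on each node. It refuses a prefix outside fc00::/7, since a data cluster on a random global prefix is the kind of mistake that later collides with real routes.

```shell
#!/bin/sh
# Added example, not from the original post: generate tinc.conf, tinc-up and
# tinc-down for one node of a "privatelan" switch-mode mesh. OUTDIR stands in
# for /etc/tinc; run it per node and then do the tincd -K / hosts/ exchange.
set -eu

# is_ula PREFIX : succeeds if PREFIX starts inside fc00::/7 (first group fc00-fdff)
is_ula() {
  case "$1" in
    [fF][cCdD][0-9a-fA-F][0-9a-fA-F]:*) return 0 ;;
    *) return 1 ;;
  esac
}

# node_address PREFIX64 INDEX : the address this node gets, e.g. fd12:3456:789a:1::7/64
node_address() {
  printf '%s::%s/64\n' "$1" "$2"
}

# gen_tinc_node NET NAME PREFIX64 INDEX MASTER OUTDIR
#   NET      network name (privatelan)
#   NAME     this node's tinc Name (also the hosts/ file name tincd -K will create)
#   PREFIX64 ULA /64 as four groups, e.g. fd12:3456:789a:1
#   INDEX    host part, 1 and up
#   MASTER   the master node's Name, or "" when generating the master itself
#   OUTDIR   directory standing in for /etc/tinc
# Prints the node's address so it can go into DNS or /etc/hosts (step 11).
gen_tinc_node() {
  net=$1; name=$2; prefix=$3; idx=$4; master=$5; outdir=$6
  if ! is_ula "$prefix"; then
    echo "refusing non-ULA prefix $prefix" >&2
    return 1
  fi
  addr=$(node_address "$prefix" "$idx")
  d="$outdir/$net"
  mkdir -p "$d/hosts"
  chmod 0700 "$d" "$d/hosts"        # step 1, on both directories

  {
    printf 'Name=%s\n' "$name"
    printf 'Device=/dev/net/tun\n'
    printf 'Interface=%s\n' "$net"
    printf 'Mode=switch\n'
    if [ -n "$master" ]; then printf 'ConnectTo=%s\n' "$master"; fi   # omitted on the master
  } > "$d/tinc.conf"

  {
    printf '#!/bin/sh\n'
    printf 'ip link set %s mtu 1280 qlen 4096 up\n' "$net"
    printf 'ip -6 address add %s dev %s\n' "$addr" "$net"
  } > "$d/tinc-up"

  {
    printf '#!/bin/sh\n'
    printf 'ip -6 address del %s dev %s\n' "$addr" "$net"
    printf 'ip link set %s down\n' "$net"
  } > "$d/tinc-down"

  chmod u+x "$d/tinc-up" "$d/tinc-down"   # step 6
  # rsa_key.priv is NOT created here: run "tincd -n NET -K" on the node itself,
  # which writes it 0600 and appends the public key to hosts/NAME.
  printf '%s\n' "$addr"
}

# Demo in a temporary directory instead of /etc/tinc; prefix is an assumption
DEMO_DIR=${DEMO_DIR:-$(mktemp -d)}
gen_tinc_node privatelan master fd12:3456:789a:1 1 ""     "$DEMO_DIR/master"
gen_tinc_node privatelan node02 fd12:3456:789a:1 2 master "$DEMO_DIR/node02"
cat "$DEMO_DIR/node02/privatelan/tinc.conf"
```

Point OUTDIR at /etc/tinc on a real node, then continue from step 7; the master's hosts/master file still needs its Address= line added by hand, as in the sample above.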

Tuesday, August 1, 2017

Accessing & upgrading a Debian Bitnami VM

So I stumbled across Bitnami recently. It's nice to be able to download ready-to-go VMs for different pieces of software. One I tried was a VMware OVA that used Debian 8 as its base. But the current release of Debian is 9.1, and there was no obvious blocker to upgrading (though the MySQL -> MariaDB switch is a compatibility issue for some apps).

I. I needed SSH access. After loading the VM, I was able to enable SSH by following the Bitnami instructions for doing so. They add an extra /etc/ssh/sshd_not_to_be_run file to keep SSHD disabled, even after enabling the service.

II. I modified instructions from this source and another tool to make something work for me. Logged in over SSH as the bitnami user; for the last step, keep existing files if asked. Note that ucaresystem-core is pulled from an Ubuntu PPA (a xenial build) rather than a Debian repository, and dpkg -i does not verify a hand-downloaded .deb, so check its checksum against the PPA's listing before installing it.

  1. sudo su -
  2. cp /etc/apt/sources.list /etc/apt/sources.list_backup
  3. apt install nano deborphan
  4. wget https://launchpad.net/~utappia/+archive/ubuntu/stable/+files/ucaresystem-core_3.0-1+xenial2_all.deb
  5. dpkg -i ucaresystem-core_3.0-1+xenial2_all.deb
  6. sed -i 's/jessie/stretch/g' /etc/apt/sources.list (check for extra entries under /etc/apt/sources.list.d/ as well)
  7. apt update && ucaresystem-core

III. Bitnami used the Extlinux bootloader for the VM I had, so I had to manually edit it to accept the newer kernel: nano /extlinux.conf; change the kernel to /vmlinuz and change initrd= to point at /initrd.img. At the end of the "append" line, add scsi_mod.use_blk_mq=y dm_mod.use_blk_mq=y or elevator=noop, per what VMware and others have suggested of late.

IV. Of course you should reboot the VM.

You should be able to modify this process to upgrade other Debian & Ubuntu VMs; just be wary of how things work on different versions (especially if you're trying to hop from a release that predates systemd).

Errata

Since you'd be using kernel 4.9 or better, give this a whirl in your /etc/sysctl.conf. Three caveats: on 4.9, BBR needs the fq qdisc for pacing, so set net.core.default_qdisc=fq alongside it (tcp_bbr is a module the kernel loads on demand); net.ipv4.tcp_tw_recycle breaks clients behind NAT and was removed in kernel 4.12, so it is better left out; and if you enable the BPF JIT, set net.core.bpf_jit_harden=1 (or 2) as well so constants are blinded against JIT spraying.

net.ipv4.tcp_congestion_control=bbr
# net.ipv4.tcp_tw_recycle=1   # breaks clients behind NAT; removed in Linux 4.12
net.ipv4.tcp_tw_reuse=1
net.core.somaxconn=1024
net.core.netdev_max_backlog=2048
fs.file-max=1000000
net.core.bpf_jit_enable=1   # pair with net.core.bpf_jit_harden=1 or 2
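Because a sysctl file written for one kernel gets carried along to the next, it is worth dry-running it against the kernel you are actually on before applying it. As an added example (not from the original post), this check walks a sysctl file and reports keys the running kernel does not expose (tcp_tw_recycle after 4.12), a congestion control the kernel cannot currently select, and tcp_tw_recycle=1 itself. The second argument lets it run against a constructed fake /proc/sys, which is what the demo uses.

```shell
#!/bin/sh
# Added example, not from the original post: dry-run /etc/sysctl.conf against
# the running kernel. Prints "ok KEY=VALUE" or "skip KEY (reason)" per line.
set -eu

# sysctl_check FILE [SYSROOT] : SYSROOT defaults to /proc/sys
sysctl_check() {
  file=$1; root=${2:-/proc/sys}
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac            # blanks and comments
    key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
    val=$(printf '%s' "${line#*=}" | tr -d '[:space:]')
    path="$root/$(printf '%s' "$key" | tr . /)"           # net.ipv4.x -> net/ipv4/x
    if [ ! -e "$path" ]; then
      printf 'skip %s (not present on this kernel)\n' "$key"
      continue
    fi
    case "$key" in
      net.ipv4.tcp_tw_recycle)
        if [ "$val" != 0 ]; then
          printf 'skip %s (breaks clients behind NAT; removed in Linux 4.12)\n' "$key"
          continue
        fi ;;
      net.ipv4.tcp_congestion_control)
        # The kernel autoloads tcp_<name> on demand, so a miss here usually means
        # "modprobe tcp_bbr and re-check", not that BBR is unavailable.
        avail=$(cat "$root/net/ipv4/tcp_available_congestion_control" 2>/dev/null || echo "")
        case " $avail " in
          *" $val "*) ;;
          *) printf 'skip %s (%s not loaded; available: %s)\n' "$key" "$val" "$avail"; continue ;;
        esac ;;
    esac
    printf 'ok %s=%s\n' "$key" "$val"
  done < "$file"
}

# sysctl_apply FILE : apply only the lines sysctl_check accepted
sysctl_apply() {
  sysctl_check "$1" | awk '$1 == "ok" { print $2 }' | while IFS= read -r kv; do
    sysctl -w "$kv"
  done
}

# Constructed fake /proc/sys resembling a 4.9 kernel with tcp_bbr not yet loaded
FAKE=$(mktemp -d)
mkdir -p "$FAKE/sys/net/ipv4" "$FAKE/sys/net/core"
printf 'cubic reno\n' > "$FAKE/sys/net/ipv4/tcp_available_congestion_control"
for k in tcp_congestion_control tcp_tw_recycle tcp_tw_reuse; do : > "$FAKE/sys/net/ipv4/$k"; done
: > "$FAKE/sys/net/core/somaxconn"
cat > "$FAKE/sysctl.conf" <<'EOF'
# constructed copy of the settings from the post (no fs/ tree in the fake root)
net.ipv4.tcp_congestion_control=bbr
net.ipv4.tcp_tw_recycle=1
net.ipv4.tcp_tw_reuse=1
net.core.somaxconn=1024
fs.file-max=1000000
EOF
sysctl_check "$FAKE/sysctl.conf" "$FAKE/sys"
# Real use: sysctl_check /etc/sysctl.conf ; then sysctl_apply /etc/sysctl.conf
```

On a real box, a "skip ... not present" for fs.file-max means something is wrong with the path, whereas the same message for tcp_tw_recycle on a 4.12+ kernel is expected and tells you the line can be deleted.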


Updated Aug 2, 2017 to include extlinux.conf changes + use of TCP_BBR.

Friday, March 17, 2017

Weird missing drives error on a not-that-old laptop

I was working on an ASUS "Republic of Gamers" laptop for a coworker the other night. An otherwise decent piece of hardware was being operated off a 5400 RPM "quiet" hard drive, so I migrated the data over to a spare 500GB SSD using Parted Magic, and moved the old drive to the second bay. Pretty straightforward so far.

I probably spent the next hour trying to figure out why neither hard drive was coming up as a boot option. Disabling Secure Boot, re-enabling it, toggling the CSM, trying to do Startup Repair with the Windows 10 USB drive the system could detect, a BIOS/UEFI update... It turns out the BIOS/UEFI was detecting partitions, not physical drives, and I had partitioned the drives as GPT, not MSDOS format. Using Parted Magic again (gdisk and fdisk, specifically), I converted the partition tables back to MSDOS format, and then attempted to fix the Windows startup. I used instructions similar to these for getting things going again: bootsect.exe /nt60 all was the magic command in the Windows 10 recovery command prompt.

Newer systems and laptops should be just fine with GPT, but it was interesting to me that the boot order of a UEFI system was not detecting GPT-partitioned drives.

Wednesday, March 8, 2017

De-duplicating XML validator in C#

Thought I needed XML validation for a project I'm working on. Wanted to be able to merge together several different schemas (XSDs) to check against. Also kept running into an error of Wildcard '##any' allows element (a Unique Particle Attribution complaint, which is why the code turns EnableUpaCheck off).

Overall, this seems to kinda work, but I may or may not need it. Maybe someone else can get it to work better. The original fix for duplicates I found is linked. Note that it only removes duplicates relative to the first schema in the list, not between the later ones.

Needs System.Xml.Schema & System.Collections.Generic:

using System;
using System.Collections.Generic;
using System.Xml.Schema;

public static XmlSchemaSet MergeSchemaFiles(string[] schemaFiles)
{
    // Load each schema file into its own set and compile it on its own
    var schemas = new List<XmlSchemaSet>();
    foreach (var sf in schemaFiles)
    {
        var tempFileXSS = new XmlSchemaSet();
        // Note: the default XmlUrlResolver follows xs:include / xs:import locations,
        // including http(s) ones. If the schema files aren't trusted, set
        // tempFileXSS.XmlResolver = null (or a restricted resolver) before Add().
        tempFileXSS.Add(null, sf);
        // Turn off Unique Particle Attribution checks; this is what produced
        // the "Wildcard '##any' allows element" error
        tempFileXSS.CompilationSettings.EnableUpaCheck = false;
        tempFileXSS.Compile();
        Console.WriteLine("Loading schema from: " + sf + ", with "
            + tempFileXSS.GlobalElements.Values.Count + " elements.");
        schemas.Add(tempFileXSS);
    }

    // Merge into one set: drop any global element from a later schema whose
    // qualified name already exists in the first schema
    var merged = new XmlSchemaSet();
    merged.Add(schemas[0]);
    for (int i = 1; i < schemas.Count; i++)
    {
        foreach (XmlSchemaElement xse0 in schemas[0].GlobalElements.Values)
        {
            foreach (XmlSchemaElement xseI in schemas[i].GlobalElements.Values)
            {
                if (xseI.QualifiedName.Equals(xse0.QualifiedName))
                {
                    ((XmlSchema)xseI.Parent).Items.Remove(xseI);
                    break;
                }
            }
        }
        // Snapshot the schemas first: Reprocess() changes the set we'd be iterating
        var toReprocess = new List<XmlSchema>();
        foreach (XmlSchema schema in schemas[i].Schemas())
        {
            toReprocess.Add(schema);
        }
        // Reprocess + recompile so the removed elements disappear from the set
        foreach (XmlSchema schema in toReprocess)
        {
            schemas[i].Reprocess(schema);
        }
        schemas[i].Compile();
        merged.Add(schemas[i]);
    }

    Console.WriteLine("Retained " + schemas.Count + " XML schemas");
    return merged;
}

Thursday, February 9, 2017

C# snippet on easy multi-threading / parallel processing

There's been a need of mine lately to figure out how to successfully execute parallel programming tasks in C#. Finally figured out a basic way to do this, that uses current versions of .NET. The Threading in C# website was key to this.

using System;
using System.Threading.Tasks;

// "c" is the current element, "state" lets the body call state.Stop() or state.Break(),
// and "i" is the element's index (a long) that you can refer to in the body
Parallel.ForEach(array, (c, state, i) => {
    SomeClass.SomeMethod(c, i);   // placeholder for your own work; bodies run concurrently
                                  // on the thread pool, so whatever is called must be thread-safe
});
On an unrelated note: if you have to parse XML for some reason, XElement seems to be much easier to use than the older libraries.

Added: someone else wrote a good comparison of different threading methods in .NET.