what good is a Serial port available over SSH for server management?
mnathani: Very good, in my experience
how would one use it?
You would ssh to somewhere which isn't your server and get yourself connected to the serial console of your server
would that be kind of like a kvm?
I believe so.
I've never really seen the need for KVMs - you don't run GUIs on servers
It means that if your server is able to display boot messages on the serial port you can see why it's not booting, or you can log in to it and undo the firewall rule that mistakenly locked you out of the network interface
andol: no plans for DNSSEC yet. Is it easy/hard to implement?
mjp: lol, "uuupnetworks"
jpalmer: I bet ARP Networks can help you out with the $700/month Linode and $3K dedi bill ;)
tooth: jdoe : I had a customer years ago that plugged in AT&T, Cingular, Verizon, etc... PCI cards into his 1U Windows box and was able to send SMS that way. I know it seems overkill but it did in fact work.
well, like 2 were PCI cards and the rest were USB dongles
yeah, i've done that at a few jobs
what I want is to receive sms and voice calls at the same number
up_the_irons: On the resolver side it ought to be fairly trivial, at least assuming bind alt. unbound. Basically it is enabling an option or two and making sure that you have a copy of the (public) root key. (Serving authoritative domains using DNSSEC is a bit more work, especially getting resigning, key rotation, etc. the way you want it.)
andol: roger that
andol: one of our resolvers is bind, the other is unbound. I'm planning on making a brand new resolver to replace the bind one (and it'll be unbound)
unbound is nice :)
Yes, unbound is much nicer than bind.
I use anycasted unbound servers for customer facing resolvers
nice
well i more compare it to powerdns or dnscache
bind is disgusting :)
i was slightly surprised how quickly unbound caught on
but really, it's the people who are doing anycasting, multiple servers, large cache sizes, long ago split their dns between forward and recursive etc.
and lots of small installs are still using bind etc.
i'm using NSD myself
i didn't realise nsd did recursive?
unbound only does recursive
i use tinydns for authoritative
nsd only does authoritative. unbound can do some auth
two: only as much as things like dnsmasq?
dnsmasq is actually handy for home use cos it does small caching recursive, dhcp, can publish records straight from /etc/hosts
local-zone stuff in the config
it even makes windows default host names pingable :)
I just recently switched my home router to dnsmasq, it is pretty slick
from the dhcp
yeh ok i didn't know that
two i know about forward-zone?
# local-data: "mycomputer.local. IN A 192.0.2.51"
i see
that's probably similar to dnsmasq where you can just have some host names have ip's that don't go to another dns server
rather than being suitable for publishing on the net/
you don't really want an open resolver
I use unbound for resolvers and a combination of bind and nsd for authoritative
I don't yet serve authoritative DNSSEC records (but do validate them in unbound). I'm considering moving to PowerDNS and using its live-signing setup where I just give it a key and ignore it, no need for periodic re-signing etc
I'm not sure how that works, unless you never do key rollover.
since you need to update the keys with your registrar, which is a manual step :P
It can be automated, but yes
with what registrar?
.uk and RIPE reverses are both automatable
The other reason I'm interested in PowerDNS is its ability to serve DNSSEC signed data from a programmatic or database driven backend where it's not feasible to know the previous/next records for NSEC purposes
(It helps that the company I work for is a RIPE LIR and a Nominet registrar)
up_the_irons: I have no doubts about that. It's an "all eggs in one basket" kinda thing. we have vps/dedi's spread across about 30 different data centers.
jpalmer: 30 different data centers? that's some asset allocation scheme you're pushing there.
jpalmer: wow, cool :)
toddf: we've built a "mesh network" of openvpn servers for our management network. openvpn can't handle a ton of traffic, so we had to scale up the number of servers. obviously, not all of the vps's or dedi's are openvpn.. but we have at least one at each datacenter.
openvpn can't handle a ton of traffic? is its limitation the fact that it throws all encryption through a single userland process or ? IPSec I guess is not an option for some reason?
it's just less efficient than in-kernel ipsec. it can handle "a ton of traffic" (for varying definitions of a ton, hardware dependent), it just suffers from additional overhead.
For anyone who has a printer: http://www.youtube.com/watch?v=uZ1QMRRg__E
i don't seem to be able to vnc into my console through either method (tunnelling or direct) anyone else having an issue?
mailman still the suggested program?
ryk: You getting an error?
nah, just timing out "Connecting..."
ryk: What client?
chicken.app, worked for this vps in the past.
Never heard of it, was going to see if I had it somewhere. Got another VPS to try?
it's a fork from chicken of the vnc
You remembered to enter the correct port I'm assuming?
yeah, i don't have another vps to test against, but i know it's powered on, i can ssh in to a login prompt, but i forgot my username/password.
i had the preset in chicken.app saved, and of course the arp console gives you copy/paste ssh instructions. both of them worked previously, i was just wondering if console.cust.arpnetworks.com might be down or something.
i thought i had ssh keys set up on the vps but apparently not
ryk: You can submit them at any time.
i have them in to the host, yes
i was talking about my instance.
was just hoping that someone else could confirm if the console server was down before i contact up_the_irons
ryk: It seems to be working for me so far.
ok, thanks.
ryk: What host are you on?
kvr19
i can get in to the ssh console and even my ssh, but i just can't log in
just wanted to get in to my local vnc console because i think i left it logged in.
i can reboot, go into single-user mode, etc to reset my passwords, from the ssh console, but now i'm just wondering why my vnc console isn't working.
ryk: Yeah. Did it die maybe?
it definitely didn't, because the serial console puts me at a login prompt with my hostname and everything
Your vnc port isn't 6059 right?
it is 5955
6059 is all the nmap is showing for it as open.
oops, my port is actually 6057
i was looking at the ssh command at the local port
so that suggests that the kvr19 host itself is not listening
ryk: It would seem so. I wasn't getting tripped up by the console server. that's only an ssh server used to bounce in
*was
up_the_irons: it seems kvr19 isn't listening to vnc
ryk: is your VPS running? VNC is attached to the VM process (each VM gets their own VNC server). So if your VM is down, so will be VNC.
booooo
OpenBSD mail server
ddb> trace
Debugger() at Debugger+0x5
panic() at panic+0x122
em_rxeof() at em_rxeof+0x437
em_intr() at em_intr+0x133
Xintr_legacy11() at Xintr_legacy11+0xf4
--- interrupt ---
Bad frame pointer: 0xffff80000627ef10
end trace frame: 0xffff80000627ef10, count: -5
cpu_idle_cycle+0x13:
ddb>
i get that like once every 6 months...
:(
pewpie
up_the_irons: that looks like a crash in the interrupt handler of the em ethernet driver :(
mercutio: ah interesting
yeh, but why's it happening :)
i had some stalls on em driver, before, using a more recent kernel seemed to help
but that showed up in dmesg
the em driver is the most used network driver..
well, ok it may not be most used.. realtek may be used more
but with people doing "important" things it's very very common
hrm, time to freebsd-update
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/dev/pci/if_em.c
based on that there was some kind of crash from running out of file descriptors fixed in openbsd 4.7
but that's ages ago.
i'd actually suspect that em_rxeof crash on the descriptor thing after reading logs and google
and that upgrading openbsd version could fix it
or just patching the ethernet driver and recompiling kernel
The most awesome support ticket ever received: https://gist.github.com/3291703
It really takes the cake
LOL
im already laughing from the first line >.>
LOL, yeah!!
cd $dinner
that is awesome
epic
omg
up_the_irons: are there discounts for deities?
Nice
are there more users on 768 mb of ram or 256?
mercutio: 768mb is the most popular plan
ahh ok
i'd rather more cpu than more ram myself :0 :)
not that i'm really short on cpu or anything
fink: no deitie discount
*deity
up_the_irons: do you think you could consider a symlink of /pub to / on mirrors.arpnetworks.com? or is it mirror
mercutio: perhaps, why?
ln -s pub .
> cd pub
-bash: cd: pub: Too many levels of symbolic links
hmm...
oddly, the ubuntu mirror has: ubuntu -> . and it works
works for me; ln -s . pub
if this is the intended outcome: ~/test/pub/pub/pub/pub/pub
heh
2012-08-08 14:33 pub -> ./
mjp: which OS?
oh duh, i'm retarded
i mixed up "pub ." vs. ". pub"
mercutio: ok, it's there now :)
thanks. yip it's working.
was linux mint.
I've banged my head on the symlink wall many times and I don't forget it now heh.
link 'source -> destination'
i just think of it like "pull that to here"
ermm make that destination -> source
heh
hahaha
so like ln -s /var/www/htdocs htdocs will pull htdocs from over there to here
yeah
Good evening #arpnetworks
What's the usual time to set up a vps for a new customer? I've just got off a 3-month crunch where my old debian box has mostly died and I'd like to get a secondary MX up and running, start transferring dns, etc. And it's 12:50am and I've got a free hour.
Gotta love being disconnected due to stupid internet.
up_the_irons: You have such awesome customers. 70 people lurking is proof of that.
pcn: i just happen to be doing some of those. Gimme 20 mins or less and you'll have it.
arenlor: I <3 my customers
arenlor: that support req. was amazing, i keep reading it again and again... ;)
up_the_irons: Is the requester in here to congratulate?
arenlor: i'm not sure
up_the_irons: thanks, I'll be here
arenlor: if they are lurking, they can chime in. after 70 nicks, it's real hard to remember who is who :)
up_the_irons: Some of us try to make that easy.
pcn: You'll be here, unless peer gets you.
arenlor: can you ummm... what? Peer
pcn: i am jealous of your 3 letter domain name and pre-ARIN /24 :)
It resets connections and shit, yo.
up_the_irons that's actually my friend's. I'm spacey.org, but as I said, mail is dead there
pcn: ah ok
But sdb is old school, pre-cidr
pcn: If he gets sick of it I'll take care of it for him.
It makes the long sub-addresses I like for mail filtering a lot shorter, and he only has me and a couple of other friends there
arenlor get in line
pcn: Who do I have to encourage "having an accident" to be at front?
I ain't sayin'
market rate for transferring pre-ARIN IPs is about $10 per IP. So a /24 is worth about $25K :)
arenlor: so yeah, get in line :)
err... dang, no, that's $2.5K
Yeah. It's the guys who got /16s before e.g. NeXT could subnet that I wonder about
pcn: i've seen /16's go for about $500K
amazing
pcn: btw, your welcome email has been sent
Huh. It looks like ldp.com may still have their /16
Good for them.
up_the_irons thanks, I'll go set that up now
I wonder if there's still any /8 out there.
pcn: no problem
there's heaps of /8s out there
arenlor 3.0.0.0/8 general electric...
I wonder how much it'd cost to commit a super hostile takeover of one of those companies. I'd split it with anyone who helps.
i think ge are pretty big
Heh, the last half of TOS just keeps getting worse and worse.
You missed the bargain on lehman bros a few years back. They probably had a couple of /16's
s/of/of season three of/
Is it better for me to try to do a dist-upgrade to ubuntu 12.04, or should I ask for the virtual disk to be replaced?
pcn: If you've not setup anything I'd ask first.
i'd do a dist-upgrade
pcn the biggest concern with upgrades is generally the kernel
pcn: I can put in the 12.04 iso if you like
and kvm makes it easy to go back to previous kernel
3.0.0.0/8 8.0.0.0/8 12.0.0.0/8 15.0.0.0/8 16.0.0.0/8 17.0.0.0/8 18.0.0.0/8 32.0.0.0/8 33.0.0.0/8 35.0.0.0/8 38.0.0.0/8 44.0.0.0/8 53.0.0.0/8 55.0.0.0/8 57.0.0.0/8 73.0.0.0/8 126.0.0.0/8 214.0.0.0/8
up_the_irons let's do that
there's quite a few /8s.
8/8 is now google's right?
Was BBN?
umm whois
I'm testing my memory
LVLT-ORG-8-8
level 3
12 is at&t
15 is HP
wtf HP have a /8?
hahaa
16 is HP too
ok if more ip's are needed I think HP need to give some back
Probably thru acquisition
17 is apple
18 is mit
32 is at&t
33 is gov
so 12 and 32 is at&t?
err dod
are: yeh
mercutio I'd bet that was via DEC
35 is university of michigan
pcn: done; you will need to give it a hard shutdown and then Boot it from the Portal or SSH management console
38 is cogent.
up_the_irons I'll read the docs
who are:
OrgName: Amateur Radio Digital Communications
OrgId: ARDC
I'm pretty sure 38 ended up with cogent via acquisitions.
I think it used to be a NE regional crappy ISP for .edus
mercutio: From what I can find, it's what it sounds.
Yeah, I think 38 was PSI/nysernet
yeh found a web site http://www.ampr.org/faq.html
they got space in the 80s, and it's not for sale
comcast have a /9
no one needs that many addresses :p
ditto to verizon wireless
mjp: I do, that way each of my thoughts can have an IP
and t-mobile
haha
and ntt
so yeh some people have got a lot of the netspace
i wonder how many /16s are out there
mercutio: You'll start going insane if you go down that rabbit hole.
arenlor: well i have grep :)
# cat all-16s| wc -l
12439
222681
there are 222681 /24s...
from 420891 prefixes
so over half the internet is /24s...
that makes me feel a little better :)
For big address spaces, look at the space used up by aws now
what AS number are they on?
And I'm sure HP would love it if their cloud would have as many paying customers
14618 it looks like
mercutio they're multiple DCs in different areas so they're a variety of ASNs: https://forums.aws.amazon.com/thread.jspa?messageID=51028
but everything goes through 16509 first
oh they 8987 too
I have a /64 :P
get a /48 arenlor :0
That's mighty mighty
i have a /32
mercutio: I have no use for all that I have now.
That post I linked to is fun because you can watch the expanding from a few /19s to just huge swatches of ipv4
23.20.0.0/15 23.22.0.0/15 50.17.0.0/16 50.19.0.0/17 50.19.128.0/17 54.240.8.0/21 54.242.0.0/15 67.202.0.0/18 72.44.32.0/19 75.101.128.0/17 96.127.0.0/18 96.127.0.0/21 96.127.0.0/24 96.127.32.0/19 107.20.0.0/16 107.21.0.0/18 107.21.64.0/18 107.21.128.0/17 107.22.0.0/16 107.23.0.0/17 174.129.0.0/16 184.72.64.0/19 184.72.96.0/19 184.72.128.0/17 184.73.0.0/16 204.236.192.0/18 204.236.224.0/19 205.251.236.0/22 216.182.224.0/21 216.182.232.0/21
not nearly as much as hp and the like
arenlor: it's about autoconfig etc
True, they're not legacy.
But that list will continue to grow
it is quite a few
oh 23.20.0.0/15 and 23.22.0/15 could be merged into 23.20.0.0/14
i still think it's less than hp :)
i don't have ipv6 bgp so i have no idea how many /32s are on there or anything bigger
the whole IPv6 routing table is about 10K prefixes
i remember when it was 600 :) (circa 2007)
hmm that's not too bad
up_the_irons: How much does it cost you for your /32?
arenlor: not sure separately, it is bundled with my IPv4 allocations ($2250 per year)
that doesn't seem that crazy
I wonder if IPv4 will ever go away.
174.136.96.0/20 206.125.168.0/21 206.162.240.0/20 208.79.88.0/21
hmm you have a few ip addresses
48 class c's?
mercutio: i think it's a /19 equivalent
two /20s make a /19
2^5 = 32
two /21s make a /20
ah right, i forget about the 206.162.240.0/20 one
so you have 3 /20s ?
so a /19 equivalent and one /20
yeah
so yeah, 48 /24's
except they're not adjacent so you can't advertise /19
right
still that doesn't seem that expensive
but getting more may be difficult
getting more is difficult, yes
and you're allocating a /30 per vps
so much more usage but more protection
yeah
up_the_irons I seem to have just re-installed 10.04 from the virtual CD. Did I misunderstand that 12.04 was in there?
i'd imagine you didn't shutdown through the interface
pcn: Did you hard shutdown and boot?
pcn: it's in there, but you need to give it a hard shutdown and then boot, or else the changes do not take effect
Ah, got it. My bad
up_the_irons: How's the connection with comcast?
arenlor: wut
up_the_irons: Do you peer with Comcast, or do they only give you a shitty connection?
arenlor: oh, i don't peer with Comcast. it would be great if i did :)
maybe just download the speed test?
mercutio: Don't have comcast yet.
oh
Just hoping that he would say something like, perfect 100% speed no matter what.
trace to www.comcast.net goes through mzima/glbx/qwest
oh hangon that's akamai ?
mzima have direct peer with comcast
Doesn't comcast own akamai?
oh?
i'm tracing to mx4.comcast.net
mercutio: arenlor : mzima does have a comcast peer, I believe
"We do not offer peering, paid or otherwise, on the shared fabric public switches at any IX. "
they're at one wilshire way but don't do peering on shared switches
at least they probably would want to charge to peer
Huh, seems Akamai isn't owned by anyone, thought they were.
plus interconnect
and mzima having peer means it probably isn't worthwhile
mercutio: the "shared fabric public switch" is the clincher there. They do peer, just not on the IX's, so you need a dedicated cross-connect to them.
comcast route server has ipv6 heh
up: it prob means they also want high traffic volumes
how do i tell traceroute on comcast's route server to do ipv4
probably -4
nope tried that
it's traceroute ip www.arpnetworks.com
what's their route server ip / host?
ok basically it stays in comcast's network with forward and reverse traceroute
with direct peer with mzima in los angeles
route-server.newyork.ny.ibone.comcast.net
telnet
cool
i think it's likely to be good to comcsat
comcast
but if it's bad it'll be bad to all comcast areas
Nice ^_^
so if you get someone else on comcast to try it you can see what it's like
dang, earthquake
up_the_irons: You're still online, it's cool.
haha
mm i've been in an earthquake big enough to take out internet
well actually i don't know if the internet went out or not, cos there was no power
mercutio: I'd say the Internet went out then.
but with most earthquakes internet is fine
hmm the power never came back
mercutio: Not if your hub loses power.
well with one of them yeh
i had no ups
i was surprised the tv was fine cos it fell onto the grnd
ground
and computer monitor fell onto the ground behind my computer desk.
my computer desk was against the wall.
/was/ being the operative word
mercutio: You from CC?
cc?
Christ Church
yes except it's one word and i'm not christian
arenlor: how'd you know?
:)
mercutio: A friend of mine has family there (and she is originally from there)
did you get nes there?
news
ahh i had to stay with my parents for a while.
mercutio: Yeah, your dwelling livable or did you have to move?
i had to move
i moved cities
rent prices have gone up there
there's still nowhere to drink
everyone's all depressed
and people talk about rebuild a lot
mercutio: I'd have thought bars would be there by now.
and earthquakes
they're still having aftershocks.
well, the bars were in central city.
and central city got hit the hardest.
mercutio: Yeah, I subscribe to a twitter feed on NZ earthquakes.
there are a few suburban bars, but they're ... well, it's not the same.
like it was a city very much based around the center
centre
and when the centre goes it feels kind of rather broken
mercutio: Yeah. I just hope they manage to save some of the city.
well the suburbs aren't doing too bad.
i lived near the city
20 minutes walk to work
I keep hearing about more and more having to be deconstructed "for safety"
it was a suburb but like adjacent to the city centre
mercutio: Awesomeness.
mercutio: I hope you didn't lose anything too important
https://maps.google.co.nz/maps?q=merivale&hl=en&ll=-43.519277,172.625045&spn=0.000964,0.002025&safe=off&hnear=Merivale,+Christchurch,+Canterbury&gl=nz&t=h&z=20
i lost my old bbs computer :9
:(
but i hadn't got around to checking that out
i lost like an old sparc
hmmm... i wonder if using the network number as a valid (secondary) gateway IP for /30 assignments would be tolerable
"On the issue of using subnet zero and the all-ones subnet, RFC 1878 states, "This practice (of excluding all-zeros and all-ones subnets) is obsolete. Modern software will be able to utilize all definable networks." Today, the use of subnet zero and the all-ones subnet is generally accepted and most vendors support their use. However, on certain networks, particularly the ones using legacy software, the use of subnet zero and the all-ones subnet can lead to problems."
up_the_irons: you can actually assign /31s now
s/leavingcisco.com//
mercutio: yeah, just do point-to-point
hmmm
HRMMM
electric guitar broken and stuff
but like that's only possessions :/
mercutio: That sucks though.
i more miss routine etc
That's true.
like all the regular food places i went to went away
umm
and living with your parents when you're an adult sucks
and i went and looked at some places and there were HEAPS of people there
and the place sucked
and i'm like uhh... how the hell do i move cities?
so i kind of focused on that
it wasn't that hard
i managed to fit quite a lot of stuff in my car
but now i hardly know anyone and spend too much time online :/
mercutio: It's fine, we do too.
heh
up_the_irons: i had someone want to setup a /31 with me and thought it was most bizarre
mercutio: That feels dirty.
and i asked someone else.. and had a look on the net
and it works a lot better than it used to apparently
arenlor: what does?
mercutio: A /31
oh that was my first thought
mercutio: arenlor : turns out that as long as both sides agree to the /31, there really isn't much of a problem
up_the_irons: Nice. I guess /31 will help with the IP crunch a bit.
up_the_irons: well apparently cisco, juniper, openbsd, and linux are all fine with it
you may have problems with os/2 or windows or other archaic systems
arenlor: yeah but that's likely to be very uncommon
mercutio: yep
I always love talking about modern OSs and watching the realization dawn as people realize I'm discluding Windows in that statement.
arenlor: hahaha
i suppose i did that
windows has dated network caode
code
it's got modern vm systems although..
Windows has dated everything, that's why it has so many viruses.
i was copying some files over network.. with multiple copies going at once and disk latency leapt up something chronic
and it didn't seem nearly as bad on the remote system (this is with windows 8)
so i think windows is still pretty bad at getting block sizes sufficient to deal with sata disks
mercutio: NTFS on the one with the issue, another file system on the other?
arenlor: ntfs to zfs
both single spindles.
both seagate disks
3tb remote
1 tb source
mercutio: NTFS is so damned old.
arenlor: yeh
i kind of want to try btrfs sometime
and lz4 compression
mercutio: Don't bother with btrfs yet.
lz4 compression can basically go around 3 gigabytes/sec on one cpu core or something crazy like that
so basically you're unlikely to be cpu bound by doing compression
and people are working at putting support for it into both zfs and btrfs
I'm sure ZFS will have it first
zfs is kind of forking though..
cos of the whole sun/oracle transition
i'm not sure about that
zfs is getting feature subsets though
so that you can have some features without all features
when it was just one version of zfs.. you could just increment the version number
but when you have multiple forks you can't really do that
NTFS is 19 years old :'( why do we still have it?
but that means that this feature flags thing is needed
arenlor: ufs is older.
mercutio: I don't use UFS, do you?
i use a derivative
Still, it's been improved upon.
yeh so has ntfs though
god you know the thing that bugs me the most about file systems is VFAT on usb sticks.
which can't support files bigger than 4gb.
so you kind of have to end up using ntfs :(
VFAT is stupid.
When was NTFS improved?
The PlayStation 3 game console uses UFS2 on HDD.[citation needed] The PlayStation 2 HDD used UFS as well.[citation needed]
it's been improved with every new windows release
mercutio: Really? I've never noticed any difference.
try using nt 3.5?
mercutio: That's too old even for me to have used. I've only been around computers since 95 was out.
While the different NTFS versions are for the most part fully forward- and backward-compatible, there are technical considerations for mounting newer NTFS volumes in older versions of Microsoft Windows. This affects dual-booting, and external portable hard drives. For example, attempting to use an NTFS partition with "Previous Versions" (a.k.a. Volume Shadow Copy) on an operating system that does not support it will result in the contents of those previous versions being lost.[39]
hmm
well i used to use hpfs386
interesting:
and you could do wonderful write caching with that
s1.lax(config-if)#ip address 174.136.96.0 255.255.255.254 secondary
% Warning: use /31 mask on non point-to-point interface cautiously
googling reveals that is an obsolete warning
hmm
up_the_irons: Maybe it's meant to scare idiots away from doing something like that?
at first, i had a hard time assigning .0 to the interface.. it would say the mask is wrong
but figured i tout:
*it out:
ip address 174.136.96.0 255.255.255.254 secondary
you have to enable something
ip address 174.136.96.1 255.255.255.252
oh so i have the .1 gateway and .0 assigned
mercutio: "ip subnet-zero" is already enabled; that is probably what you are thinking of
up_the_irons: ahh yip
up_the_irons: i kept thinking ip unnumbered and thinking it was something else :)