CC TEKNISKA MUSEET

I have a home network that contains a mixture of devices, some of which receive a static IP address, such as the printer, and some of which receive a dynamic IP address, such as mobile phones and tablets.

The home router is set up to give every device with a static IP address a host name, such as “printer.home” or “nas.home”, making it easy to access the device’s UI (if it has one). However, the router isn’t capable of assigning host names to devices with a dynamic IP address.

For the most part this isn’t an issue, but every once in a while I do need to access the mobile phone or tablet via the browser or similar. This means having to look up the IP address of the device in the router, which in turn means I have to log in to it and navigate through various screens. …


FUSE structure CC-BY-SA 3.0 Wikimedia Commons

Proxmox’ LXC containers do not have the /dev/fuse device created automatically. A quick way of doing that is by adding the following two lines to the container's configuration on the host node (in /etc/pve/lxc/<$container_id>.conf):

lxc.autodev: 1
lxc.hook.autodev: sh -c "mknod -m 0666 ${LXC_ROOTFS_MOUNT}/dev/fuse c 10 229"

I’m using “sh -c” directly rather than a separate script, so that this configuration is migrated to other nodes in the cluster.

As a note, the FUSE device (character device 10:229) is already covered by the default lxc.cgroup.devices.allow entries, so it doesn’t need to be added again; the hook above only creates the device node, it does not change what the container is allowed to access.
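The two configuration lines above are easy to paste twice or mangle by quoting, so here is a small shell helper, added here and not part of the original post or of Proxmox, that appends them idempotently to a container’s configuration and then checks, from inside the container, that the resulting node really is character device 10:229. The path /etc/pve/lxc/101.conf and container id 101 are assumed; the `pct` invocations in the comments are the standard Proxmox commands and are needed because lxc.* keys only take effect on the next start.

```shell
#!/bin/sh
# Added example (not from the post or Proxmox): idempotently add the autodev
# lines to a Proxmox LXC config and verify the resulting node in the container.
# Assumed paths: /etc/pve/lxc/<id>.conf on the host, /dev/fuse in the container.

AUTODEV_LINE='lxc.autodev: 1'
# Single quotes keep ${LXC_ROOTFS_MOUNT} literal; LXC expands it at hook time.
HOOK_LINE='lxc.hook.autodev: sh -c "mknod -m 0666 ${LXC_ROOTFS_MOUNT}/dev/fuse c 10 229"'

# Append a config line only if an identical whole line is not already present.
add_line_once() { # $1=conf file, $2=line
  grep -qxF -- "$2" "$1" || printf '%s\n' "$2" >> "$1"
}

# Patch the container config; prints how many lines were added (0 on re-run).
enable_fuse_autodev() { # $1=conf file
  before=$(wc -l < "$1")
  add_line_once "$1" "$AUTODEV_LINE"
  add_line_once "$1" "$HOOK_LINE"
  after=$(wc -l < "$1")
  echo $((after - before))
}

# Inside the container: is the path a char device with major 10, minor 229?
# GNU stat prints major/minor in hex, so 10:229 shows up as a:e5.
fuse_node_ok() { # $1=device path (default /dev/fuse)
  p=${1:-/dev/fuse}
  [ -c "$p" ] && [ "$(stat -c '%t:%T' "$p")" = "a:e5" ]
}

# Host usage (container must be stopped for the change to apply on start):
#   pct stop 101 && enable_fuse_autodev /etc/pve/lxc/101.conf && pct start 101
# Container usage:
#   fuse_node_ok && echo "/dev/fuse is 10:229" || echo "no usable /dev/fuse"
```

Because the hook line is stored with single quotes, `${LXC_ROOTFS_MOUNT}` survives into the file unexpanded, which is what LXC needs; the check for an identical line means the helper can be run again after a config migration without duplicating entries.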

Caveat as mentioned by Fabian (Proxmox staff):

If you absolutely have to, I would suggest establishing the FUSE mount on the Proxmox host and then using a bindmountpoint (e.g. “mp0: /path/on/host,mp=/path/in/container”) to make it available in the container. If you establish the FUSE mounts inside the container, you will run into problems (lxc-freeze is not compatible with FUSE which means no snapshots and no suspend backup, you need to change all sorts of containment settings which lessens security, ..). …


GnuTLS Logo by Claus Schrammel

Due to the POODLE vulnerability (CVE-2014-3566), it is best to remove support for the outdated SSLv3 protocol. As OpenLDAP with GnuTLS is a beast of its own, here’s the quick change to remove SSLv3 support:

cat > nossl.ldif <<EOF
dn: cn=config
changetype: modify
add: olcTLSCipherSuite
olcTLSCipherSuite: SECURE256:-VERS-SSL3.0
EOF
ldapmodify -Y EXTERNAL -H ldapi:/// -f nossl.ldif

And we’re done! Obviously, if you already have an olcTLSCipherSuite attribute, then use “replace” instead of “add” (the attribute is single-valued, so a second “add” is rejected). Note that SECURE256 only sets the cipher and key-size policy; it does not by itself disable TLS 1.0 or 1.1, as the test below shows.

A quick test:

~# gnutls-cli-debug -p 636 127.0.0.1
Resolving '127.0.0.1'...
Connecting to '127.0.0.1:636'...
Checking for SSL 3.0 support... no
Checking whether %COMPAT is required... no
Checking for TLS 1.0 support... yes
Checking for TLS 1.1 support... yes
Checking fallback from TLS 1.1 to... N/A
Checking for TLS 1.2 support... yes
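The test output above still answers “yes” for TLS 1.0 and 1.1, which today is as unwelcome as SSL 3.0 was then. The following shell script is an added example, not code from the post or from OpenLDAP/GnuTLS: it generates the right LDIF (“add” or “replace”) from a cn=config dump, and greps a saved gnutls-cli-debug run for legacy protocols. The priority string extends the post’s SECURE256:-VERS-SSL3.0 to also drop TLS 1.0 and 1.1 using the same GnuTLS syntax, an assumed policy you should adjust for the clients you must support; the dump is assumed to come from `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -LLL olcTLSCipherSuite`.

```shell
#!/bin/sh
# Added example; not code from the post, OpenLDAP or GnuTLS. Assumes:
#  - make_tls_ldif reads a dump made by
#    ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -LLL olcTLSCipherSuite
#  - check_legacy_protocols reads saved output of gnutls-cli-debug -p 636 <host>
# The priority string is the post's, extended to also drop TLS 1.0/1.1
# (assumed policy; relax it if legacy clients must still connect).
PRIORITY='SECURE256:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1'

# Print the LDIF for ldapmodify: "replace" when olcTLSCipherSuite is already
# set on cn=config, otherwise "add" (the attribute is single-valued, so a
# second "add" would be rejected by slapd).
make_tls_ldif() { # $1=config dump
  if grep -q '^olcTLSCipherSuite:' "$1"; then op=replace; else op=add; fi
  printf 'dn: cn=config\nchangetype: modify\n%s: olcTLSCipherSuite\nolcTLSCipherSuite: %s\n' \
    "$op" "$PRIORITY"
}

# Flag legacy protocols that gnutls-cli-debug still reports as supported.
# Returns 0 when clean, 1 (listing the offenders) otherwise.
check_legacy_protocols() { # $1=saved gnutls-cli-debug output
  rc=0
  for proto in 'SSL 3.0' 'TLS 1.0' 'TLS 1.1'; do
    if grep -q "^Checking for $proto support\.\.\. yes" "$1"; then
      echo "legacy protocol still enabled: $proto"
      rc=1
    fi
  done
  return $rc
}

# Usage:
#   ./tls.sh ldif current.ldif | ldapmodify -Y EXTERNAL -H ldapi:///
#   gnutls-cli-debug -p 636 127.0.0.1 > scan.txt && ./tls.sh check scan.txt
case "${1:-}" in
  ldif)  make_tls_ldif "$2" ;;
  check) check_legacy_protocols "$2" ;;
esac
```

Run the check after the change and after every slapd upgrade; the non-zero exit status makes it usable from a monitoring job, and the per-protocol lines tell you which client-compatibility exception, if any, you are still carrying.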


I was setting up a small VPS as a backup e-mail server for the two already in place. What was supposed to be a 15 minute task, particularly as it was being installed using a proven recipe with Puppet, turned into a diagnostic nightmare for hours. Looking back, it really shouldn’t have taken that long to diagnose either, but alas, Google led me astray.

See, everything was installed the same way as on the other servers. Postfix started up fine, but as soon as it performed a lookup in an LDAP directory, the following error occurred:

Sep 21 00:34:02 server postfix/master[23426]: warning: process /usr/lib/postfix/trivial-rewrite pid 23460 killed by signal 11
Sep 21 00:34:03 server postfix/qmgr[23431]: warning: problem talking to service rewrite: Success
Sep 21 00:34:03 server postfix/master[23426]: warning: process /usr/lib/postfix/trivial-rewrite pid 23461 killed by signal 11
Sep 21 00:34:03 server postfix/master[23426]: warning: /usr/lib/postfix/trivial-rewrite: bad command startup …

Although I have a rather large number of servers at my disposal, for some time I’ve had my personal website hosted with 5quidhost on one of their Turbo plans. They’re a UK-based company with headquarters in Scotland, and have recently celebrated their 10th anniversary. They also rank quite high on TrustPilot, usually in 1st or 2nd place.

In March I snapped up a domain that I had been waiting for a long time to become available: myatu.com. In fact, it is the reason why the current domain name has an “s” in it. I was aware of the content the previous owner had hosted on that domain name, but I had no idea how popular it was. …


CC BY IVANX

I had written this elsewhere before, but thought I would share it on my own site as well. The idea here is to create a Proxmox VE cluster with limited resources, in particular without a private network or VLAN between the nodes. We address this by creating a virtual private network with a lightweight VPN daemon, namely Tinc.

You could use something else, like OpenVPN or IPsec. The former is a bit on the heavy side for the task, whilst the latter may not have all the features we need. Specifically, Tinc gives us an auto-meshing network, a layer-2 “switch” mode and, through it, multicast, which the Proxmox cluster communication of the time relied on. …
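As an added example (not the post’s own configuration, nor anything shipped by Tinc or Proxmox), the following shell function writes the minimal switch-mode Tinc configuration for one cluster node: tinc.conf with Mode = switch and one ConnectTo per peer, the node’s own hosts file, and tinc-up/tinc-down scripts that assign the VPN address. The network name pvevpn, node names, 10.10.0.0/24 VPN range, 203.0.113.x public addresses and the use of iproute2’s `ip` in tinc-up are all assumptions; the RSA key pair still has to be generated with `tincd -n pvevpn -K` and every node’s hosts file copied to every other node.

```shell
#!/bin/sh
# Added example (not from the post, Tinc or Proxmox): generate a switch-mode
# Tinc node configuration. Network name, addresses and node names are assumed.
NET=pvevpn          # tinc network name (assumed)
VPN_BITS=24         # VPN subnet size (assumed 10.10.0.0/24)

# $1=config root ("/" for real use, a temp dir to inspect the result)
# $2=this node's name  $3=its VPN IP  $4=its public IP  $5..=peers to ConnectTo
# Prints the directory that was written.
gen_tinc_node() {
  root=$1; name=$2; vpn_ip=$3; pub_ip=$4; shift 4
  dir="$root/etc/tinc/$NET"
  mkdir -p "$dir/hosts"
  {
    echo "Name = $name"
    echo "Mode = switch"          # layer-2 mesh: corosync multicast crosses it
    echo "AddressFamily = ipv4"
    echo "Interface = tinc0"
    for peer in "$@"; do echo "ConnectTo = $peer"; done
  } > "$dir/tinc.conf"
  {
    echo "Address = $pub_ip"      # public endpoint other nodes connect to
    echo "Port = 655"
    echo "Cipher = aes-256-cbc"   # tinc 1.0 defaults to blowfish/sha1
    echo "Digest = sha256"
    # the public key block is appended here by: tincd -n $NET -K
  } > "$dir/hosts/$name"
  # tinc exports $INTERFACE to these scripts; keep it literal in the file.
  cat > "$dir/tinc-up" <<EOF
#!/bin/sh
ip link set "\$INTERFACE" up
ip addr add $vpn_ip/$VPN_BITS dev "\$INTERFACE"
EOF
  cat > "$dir/tinc-down" <<EOF
#!/bin/sh
ip addr del $vpn_ip/$VPN_BITS dev "\$INTERFACE"
ip link set "\$INTERFACE" down
EOF
  chmod 755 "$dir/tinc-up" "$dir/tinc-down"
  echo "$dir"
}

# Usage on the first node, peers being the other cluster members:
#   gen_tinc_node / node1 10.10.0.1 203.0.113.1 node2 node3
#   tincd -n pvevpn -K4096     # appends the public key to hosts/node1
#   # then copy /etc/tinc/pvevpn/hosts/* between all nodes and start tincd
```

Because every node lists the others in ConnectTo and Tinc learns the full mesh from any established connection, the order in which nodes come up does not matter; the hosts files are the trust anchor, so distribute them over an authenticated channel (scp to each node) rather than fetching them from an unauthenticated location.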



During the long Easter holiday I’ve kept myself busy with a little pet project for my Raspberry Pi. So far I’ve been using the RPi as a small intranet server, DNS server and proxy server. But it had plenty of room, both in RAM and storage, to do other things. As I had recently acquired a (dirt-cheap!) Android-based tablet, I was wondering if it would be possible to stream live TV directly to it.

There are plenty of commercial solutions available, as well as some apps, that stream directly over the Internet. …


CC-BY Wikimedia Commons

Since May 26 of 2012, the infamous “cookie law” has been in effect in the United Kingdom. While there have been many questions regarding its implementation on websites, most have settled on the “implied consent” method, as it was easiest to implement and had the least amount of impact on the visitors.

Using Cookillian on my own website, I had initially decided on the strict method. It barred cookies outright and required the visitor to make an explicit decision about cookies. With this method, the split between opting in and opting out was nearly 50:50. …



A security feature available in WordPress is the “nonce”. Generally, a nonce is a token that can only be used once, and such tokens are often used to stop an unauthorised party from submitting data on behalf of another person (the attack known as cross-site request forgery). Let’s simplify that:

  • Person A is given nonce “A”
  • Person B is given nonce “B”
  • Person B attempts to submit data to the server on behalf of person A
  • The server sees the submitted data as “Person A with nonce ‘B’ is submitting data”. Knowing that nonce ‘B’ was never issued to Person A, it ignores/denies the submitted data.

WordPress differs by giving the nonce a lifespan and allowing it to be used more than once within that lifespan by the same person. By the ‘same person’ is meant a logged-in WordPress user, or an anonymous user (a visitor who is not logged in). …
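To make the “lifespan” and “same person” parts concrete, here is an added example, not WordPress code, that re-implements the shape of wp_create_nonce()/wp_verify_nonce() in shell: the token is a keyed hash over a 12-hour tick, the action name and the user id, so it is reusable within its window and only verifies for the user and action it was issued for. Simplifications you should be aware of: the real function also mixes in the user’s session token and uses wp_hash() with the site’s NONCE_KEY/NONCE_SALT, whereas this script uses an assumed NONCE_KEY and HMAC-MD5 via openssl; the 24-hour lifetime, the 10-character slice of the digest, and the 1/2 return convention mirror WordPress.

```shell
#!/bin/sh
# Added example; not WordPress code. A shell model of the WordPress nonce
# scheme showing why a WP "nonce" is reusable within its lifetime and bound
# to user + action. Assumptions: NONCE_KEY stands in for the site's nonce
# salt, the session-token component is omitted, HMAC-MD5 via openssl
# stands in for wp_hash().
NONCE_KEY='constructed-secret-salt-change-me'
NONCE_LIFE=86400   # 24 h, the WordPress default (filterable there)

# The 12-hour window a nonce belongs to: ceil(now / (life/2)).
nonce_tick() { # $1=unix time (defaults to now)
  now=${1:-$(date +%s)}
  half=$((NONCE_LIFE / 2))
  echo $(( (now + half - 1) / half ))
}

# wp_create_nonce-alike. $1=action $2=user id $3=tick
# WordPress keeps substr(hash, -12, 10): chars 21-30 of the 32-char hex digest.
make_nonce() {
  printf '%s|%s|%s' "$3" "$1" "$2" \
    | openssl dgst -md5 -hmac "$NONCE_KEY" | sed 's/.*= //' \
    | cut -c21-30
}

# wp_verify_nonce-alike. $1=nonce $2=action $3=user id $4=unix time
# Prints 1 if the nonce is from the current tick, 2 if from the previous
# one (second half of its life); prints nothing and returns 1 otherwise.
verify_nonce() {
  tick=$(nonce_tick "$4")
  [ "$1" = "$(make_nonce "$2" "$3" "$tick")" ] && { echo 1; return 0; }
  [ "$1" = "$(make_nonce "$2" "$3" "$((tick - 1))")" ] && { echo 2; return 0; }
  return 1
}

# Usage: ./wpnonce.sh create <action> <uid>
#        ./wpnonce.sh verify <nonce> <action> <uid>
case "${1:-}" in
  create) make_nonce "$2" "$3" "$(nonce_tick)" ;;
  verify) verify_nonce "$2" "$3" "$4" "$(date +%s)" ;;
esac
```

Two properties fall out of the code: a token minted just before a tick boundary is still accepted for up to 24 hours (it is checked against the previous tick as well), which is the reuse the post describes; and changing either the action or the user id changes the hash input, which is why a nonce issued to Person A for “save_post” is useless to Person B or for “delete_post”.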



Did you notice a near-total collapse of the Internet today? Couldn’t Google if Gordon Brown owes you money? The stream of Facebook pokes suddenly stopped? No? That’s because the Internet kept working just fine, despite that today marks an important event in its history: 06/06/2012 was World IPv6 Launch day.

What?

So what’s this all about, and why is it important? Well, it’s a bit of geek talk, so let’s try to simplify things a little:

Everything on the Internet needs to be reachable one way or another. This is where an IP address comes into play. …

About

Mike Green

I keep servers happy, and they keep me happy.
