Teaching IPv6

March 30th, 2008

I’ve been doing lots of IPv6 teaching lately: at an InternetNZ IPv6 training day in Wellington in ’07, at NZNOG’08 in Dunedin, and also private training for a few companies and things.

I figure the world is better off if I post up slides and things, as opposed to keeping them secret or proprietary or whatever. If you rip them off, make sure you let me know and give credit and all that noise.

More to come, when I get em uploaded.

More IPv6wwwtest

January 27th, 2008

I’ve released two new versions of ipv6wwwtest today.

The first one was to fix a bug with larger than 32-bit integers.

The second one adds Teredo vs. 6to4 support. It now gives numbers for DNS entries with several combinations of Teredo, 6to4, both, IPv4 only, either with IPv4, both with IPv4, etc.

It can be found on http://www.braintrust.co.nz/ipv6wwwtest/

Refined IPv6 connectivity testing

June 2nd, 2007

I’ve refined my previous idea slightly:
- IMG tags have src set to “” to start with.
- JavaScript thing runs on page load, and starts a timer, and sets src properties for the 3 images.
- A new IMG tag exists. Its src is set to deliver results back to me.
- When the first image loads, a timer is kicked off.
- When either the last image loads or the timer fires, the results IMG src is set to send some data to the server, including: ipv4 loadtime, ipv6 loadtime, ipv6and4 loadtime. Where images don’t load, NaN is sent.
- When the timer fires, the src of the various IMGs is optionally set to “”, to stop the test.

I think that’s about it.
I’ve been running this for a few days on my websites. At least one of them isn’t small and has a wide range of users from non-technical to pretty-technical, and a wide range of OSes and browsers.

The code has been published at:
http://www.braintrust.co.nz/ipv6wwwtest/

Enjoy.
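The sequence in the list above, written out as an added example (this is not the ipv6wwwtest code published at the link). The hostnames are the placeholders from the earlier post; the `/result.gif` path, the query parameter names and the 5-second timeout are assumptions.

```javascript
// Added example, not the ipv6wwwtest source. Hostnames are the post's
// placeholders; /result.gif and the query parameter names are assumptions.
const TESTS = {
  ipv4: 'http://ipv4test.domain.com/ipv4test.gif',
  ipv6: 'http://ipv6test.domain.com/ipv6test.gif',
  ipv6and4: 'http://ipv6and4test.domain.com/ipv6and4test.gif',
};

// DOM and timer functions are injected so the logic runs in a browser or Node.
function startTest({ makeImage, now, setTimer, clearTimer, timeoutMs = 5000 }) {
  const started = now();                       // stopwatch starts on page load
  const times = { ipv4: NaN, ipv6: NaN, ipv6and4: NaN };
  const images = {};
  const beacon = makeImage();                  // extra IMG that carries results
  let pending = Object.keys(TESTS).length;
  let timer = null;
  let done = false;

  function report(stopImages) {
    if (done) return;                          // send exactly one report
    done = true;
    if (timer !== null) clearTimer(timer);
    if (stopImages) {
      for (const name of Object.keys(images)) images[name].src = '';
    }
    const query = Object.keys(times).map((k) => `${k}=${times[k]}`).join('&');
    beacon.src = `http://www.domain.com/result.gif?${query}`;
  }

  for (const name of Object.keys(TESTS)) {
    const img = makeImage();
    images[name] = img;
    img.onload = () => {
      if (done) return;                        // late load after the report
      times[name] = now() - started;
      // The timeout is armed by the first image to arrive.
      if (timer === null) timer = setTimer(() => report(true), timeoutMs);
      pending -= 1;
      if (pending === 0) report(false);
    };
    img.src = TESTS[name];
  }
  return beacon;
}
```

In a page, call it from the load handler with `makeImage: () => new Image()`, `now: () => Date.now()`, `setTimer: (fn, ms) => setTimeout(fn, ms)` and `clearTimer: (id) => clearTimeout(id)`. Because the timeout is armed by the first image to load, a client that loads none of the three sends no report.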

Testing IPv6 connectivity

May 31st, 2007

During a discussion on the NANOG list today about IPv6 deployment/migration, I came up with a way to test how many of your websites’ viewers can reach you on IPv6, and who would have problems if you turned AAAA records on.

Basically, drop 3 image tags in to your site:
- http://ipv4test.domain.com/ipv4test.gif
- http://ipv6test.domain.com/ipv6test.gif
- http://ipv6and4test.domain.com/ipv6and4test.gif

Set the “onerror” for these images to change the src to:
- http://www.domain.com/ipv4error.gif
- http://www.domain.com/ipv6error.gif
- http://www.domain.com/ipv6and4error.gif

Another good idea is to have the onerror event set onerror to “”, so it doesn’t loop if it can’t get to your main site for some weird reason.

These images should all be 1×1 transparent gifs. That’s a whopping 43b filesize, so don’t worry about bandwidth.

Comparing the hits against these 6 images should tell you roughly who’ll break if you turn on AAAA records.
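One way to do that comparison, as an added example that is not from the original post. It assumes the hits for all six images end up in one merged access log in Common Log Format, and keys each client by the address that fetched `ipv4test.gif`; the log lines are constructed, and shared addresses (NAT, proxies) keep the result approximate.

```javascript
// Added example: constructed Common Log Format lines, not real traffic.
// Addresses come from the documentation ranges 192.0.2.0/24 and 2001:db8::/32.
const SAMPLE_LOG = `
192.0.2.10 - - [31/May/2007:10:00:01 +1200] "GET /ipv4test.gif HTTP/1.1" 200 43
2001:db8::10 - - [31/May/2007:10:00:01 +1200] "GET /ipv6test.gif HTTP/1.1" 200 43
2001:db8::10 - - [31/May/2007:10:00:01 +1200] "GET /ipv6and4test.gif HTTP/1.1" 200 43
192.0.2.20 - - [31/May/2007:10:00:05 +1200] "GET /ipv4test.gif HTTP/1.1" 200 43
192.0.2.20 - - [31/May/2007:10:00:06 +1200] "GET /ipv6error.gif HTTP/1.1" 200 43
192.0.2.20 - - [31/May/2007:10:00:06 +1200] "GET /ipv6and4test.gif HTTP/1.1" 200 43
192.0.2.30 - - [31/May/2007:10:00:09 +1200] "GET /ipv4test.gif HTTP/1.1" 200 43
192.0.2.30 - - [31/May/2007:10:00:30 +1200] "GET /ipv6error.gif HTTP/1.1" 200 43
192.0.2.30 - - [31/May/2007:10:00:51 +1200] "GET /ipv6and4error.gif HTTP/1.1" 200 43
`;

const HIT = /^(\S+) \S+ \S+ \[[^\]]*\] "GET \/(ipv(?:4|6and4|6)(?:test|error))\.gif[^"]*" [23]\d\d /;

function classify(logText) {
  const seen = new Map();                 // client address -> Set of image names
  for (const line of logText.split('\n')) {
    const m = HIT.exec(line.trim());
    if (!m) continue;
    if (!seen.has(m[1])) seen.set(m[1], new Set());
    seen.get(m[1]).add(m[2]);
  }
  const out = { breaks: [], v4only: [], noErrors: [] };
  for (const [client, imgs] of seen) {
    // Only clients with a working IPv4 baseline are comparable; this also
    // skips the IPv6 source addresses of dual-stacked clients.
    if (!imgs.has('ipv4test')) continue;
    if (imgs.has('ipv6and4error')) {
      out.breaks.push(client);            // dual-stacked name failed: breaks with AAAA
    } else if (imgs.has('ipv6error')) {
      out.v4only.push(client);            // no IPv6, but falls back to IPv4 cleanly
    } else {
      out.noErrors.push(client);          // nothing failed
    }
  }
  return out;
}
```

The `breaks` list is the one that matters before publishing AAAA records: those clients loaded the IPv4-only image but fell through to the error image for the dual-stacked name.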

Further work and things for me to try:
- Set timers to start on page load, and stop on load of each of those images, and then POST it.
- Check network traffic to addresses that the image URLs point to, and analyse it against logs. Points of interest are connections that don’t fully open, and requests that don’t arrive.
- Put many images in, with long URLs, so upstream MTU can be tested.
- Have those images vary in size, so downstream MTU can be tested.

Element management

April 12th, 2007

So, I’ve decided to write a network element manager, along the same lines as Dorado RMC.

The idea is that it will be an application that will:
- Do config backups
- Deploy config with templates, config snippets, etc.
- Check that current config meets certain rules
- Use interoperable XML/SOAP stuff for as many interfaces as possible, so it can be swapped out.
- CLI and web GUI to start with - adding maybe a GTK+ or Java GUI later on. I’d also like to do a Cocoa GUI for OS X.

And more things, I’m busy at work so it’s hard to think of all the things I have considered recently, but I’ll edit this post as I come up with more key points.

Quicksilver

January 15th, 2007

I used Quicksilver when it first came out. I didn’t really use many of the ‘advanced’ features, I just used it as an app launcher. The only non-app-launcher feature I used was the Play, Stop, Pause, etc. iTunes bits. (ok, they’re AppleScripts, so I guess technically I was only using it as an app launcher).

Anyway, I stopped using it when Spotlight became available, because it filled my needs without being an extra app to maintain. I’m a simple fellow, I don’t like lots of apps when I don’t need them.

I recently fired up QS again when I was procrastinating, and it’s won me over again. I’ll still probably not use the non-app-launcher features, but regardless, it’s damn quick. My Spotlight takes quite some time to search for apps, but Quicksilver loads stuff immediately.

I’m impressed.

dspam, Cyrus-imapd and Postfix - how I do it

January 15th, 2007

I use my mail server for several things:
- Standard email hosting
- Receiving mail to go off to scripts for processing (ie. bounces from newsletters)
- Forwarding mail for certain mailboxes/domains off to other servers outside my control
- etc.

Previously, I had dspam set up to process mail in the postfix content_filter mode on the smtpd process. This is OK, but it means that I spam filter email that I forward, and I don’t really want that. I don’t really want to have to opt-out every address that I forward to, either. There was a transport configured to process email in dspam, by calling the dspamc binary, and piping the email to it. It would be sent to the dspam server.
The dspam server would process mail, then deliver it back to Postfix via SMTP on a special unfiltered port for delivery via cyrus using the ‘deliver’ binary that ships with cyrus-imapd.

Now I’ve changed things a bit. The virtual_transport and mailbox_transport in Postfix are set to use LMTP to deliver to my dspam LMTP socket. Dspam is configured to process the mail (it selects user based on the ‘To’ in the envelope), and then deliver it with LMTP to cyrus-imapd. The virtual_transport and mailbox_transport parts run after the alias processing, so mail that goes to remote servers goes un-scanned.
I have to wonder whether there’s a performance boost in here somewhere because of the use of LMTP instead of calling the “deliver” and “dspamc” binaries.

Like I say, it’s possible to accomplish this with optIn/optOut settings, but I like having default optIn for my users who actually receive mail on my server.

PHP to Rails migration

December 10th, 2006

I’m working on ways to migrate from our PHP based site using Mambo, SMF, Gallery, and some calendar thing, to using Rails code written entirely in-house.

The approach we’re taking is to write Rails code to replace parts of the PHP code, i.e. write a new calendar app, then a new gallery app, then a new CMS, then a new forum.
We want to put these stages live as we write them.
We also want to have to touch the current PHP code as much as possible. It brings us nightmares.

Now, I realise this is not terribly optimal, but, it allows us to be pragmatic and re-think stuff as we go a bit, based on user acceptance. Big cutovers are bad for sites such as ours, as bugs tend to show up in their hundreds, and users move on as they lose familiarity (user loyalty is important for us to survive). The decision to do this has come after about 18 months of long hard thinking.

Anyway, there’s a couple of interesting problems that come up;
- Order of events
- Sessions between Rails and PHP
- Calling PHP from Rails and vice-versa

So, I’m going to have a ramble about how we hope to deal with them.

Order of events

At first, we’ll have a PHP site, with Rails bits sprinkled in it, i.e. the PHP will call the Rails app somehow.
Then, we’ll move to having a Rails app, which calls the odd PHP bit (the most important and difficult of these will be the forum software, SMF).
Then, we’ll ditch the PHP altogether and live happily ever after.

Calling PHP from Rails, and vice-versa

The options here that I can think of are;
- Use FastCGI
- Use HTTP requests to the Apache server
- Use HTTP requests to a mongrel backend server (for PHP calling Rails)
- Use standard CGI

Obviously standard CGI is out for performance reasons, and it’s a pretty busy site.
FastCGI is (to me) the most technically superior, but it requires implementing FastCGI clients in both PHP and Ruby. Sure, FastCGI /servers/ exist for both of these, but not clients. I’m not much of a C coder, and I suspect doing this in some other language would be slow.
So, I think we’re going to have to settle with combining two options:
- When Rails needs to call PHP, talk to the Apache server.
- When PHP needs to call Rails, talk to a mongrel server.

In both cases, there’ll have to be a bit of jiggery-pokery to make sure original client IP addresses are sent (by adding X-Forwarded-For headers, most likely), and session and request headers are passed in full.

Session sharing

Looks like the best way to do this, is to implement a session store for Rails that can simply access the PHP sessions from disk and the DB. Such code might already exist, I’m not sure. I’ll have a dig around for some.

MySQL 5 vs. SMF (and maybe Mambo)

December 5th, 2006

On NZRave.com, we run SMF 1.0.x and Mambo 4.5.1. Both are patched a bit to get around some nasty attacks.

I recently installed the new Braintrust database server. It’s got 2GB RAM, 2×1GHz P3 chips, and 2×320GB SATA disks in Linux software RAID1, and of course LVM on top. It’s not huge, but is plenty for our purposes for the moment.

I’m running Centos4 on this new box, and figured I’d use the ‘centosplus’ repository and get MySQL 5, PHP 5, and PostgreSQL 8. However, it turns out SMF doesn’t like MySQL 5 because of some precedence changes in the SQL parser. Balls.

Back to MySQL 4.x for me. That means I’ve got to drop back to PHP 4, and PostgreSQL 7, as the newer Centos packages all depend on one another somewhat.

Backing up MySQL with Bacula

November 29th, 2006

I’m currently building some backup tools to do online backups of MySQL on Linux using LVM and MySQL binary logs.

I’ve got two LVs:

  • /var/lib/mysql - containing standard MySQL data files
  • /var/lib/mysqlbin - containing MySQL binary logs

There are two backup schedules, one for each LV.

  • ‘mysql’ is backed up weekly on Monday mornings, a full on the first Monday of each month, and differential from then on.
  • ‘mysqlbin’ is backed up every Tuesday-Sunday morning (ie, not Monday), a full backup on the Tuesday, and incremental after that.

Prior to the ‘mysql’ backup taking place, a perl script runs and does the following in order:

  1. Runs “FLUSH TABLES WITH READ LOCK” in MySQL
  2. Creates an LVM snapshot of the ‘mysql’ LV
  3. Runs “RESET LOGS” in MySQL
  4. Runs “UNLOCK TABLES” in MySQL

The logs are reset each week so that the Tuesday backup of the log files doesn’t transfer logs we’ve already got.

Prior to the ‘mysqlbin’ backup taking place, a similar perl script runs and does the following in order:

  1. Runs “FLUSH TABLES WITH READ LOCK” in MySQL
  2. Runs “FLUSH LOGS” in MySQL
  3. Creates an LVM snapshot of the ‘mysqlbin’ LV
  4. Runs “UNLOCK TABLES” in MySQL

If any of the steps in the above scripts fail, “UNLOCK TABLES” is run, and then it exits with an error. Bacula then drops me an email to tell me the backup failed, and I’ll go in and do some tinkering.

By doing a full backup each month, and then weekly differentials, I get a per-week base to work from with my binary logs. From there I can get the binary logs per day (or per hour if I get around to working out some of the nitty-gritty details).

My fairly busy MySQL server does the Flush+Lock, Snapshot, Reset, Unlock process in a few seconds. SELECT queries still work, but INSERT statements block until UNLOCK is called.