Updating OpenSSL for Apache without breaking your base OpenSSL install on FreeBSD 9.2-RELEASE

After two very frustrating days, I have finally been able to perform what used to be a fairly routine thing for me, which is creating a FAMP server using FreeBSD, Apache 2.2.x, MySQL 5.x.x and PHP 5.5.x.

Several issues arose out of my attempts.

My first attempt was installing Apache 2.4.9, MySQL 5.6.17 and PHP 5.5.12 on FreeBSD 10.0-RELEASE-p3 (AMD64). This was my first time installing anything greater than MySQL 5.1.x. ‘./configure’ has been replaced with ‘cmake .’; other than that, all things ordinary. This was also my first time installing Apache 2.4.x and there are several new steps involved. The first is that you now have to manually install Apache’s portable runtime library and associated utilities. Piece of cake. Grabbed those from the APR website and installed without issue. Apache installed. But now the trouble. I was able to ‘./configure’ and ‘make’ PHP without issue, but during the ‘make install’ I ran into an issue.

# make install
Installing PHP SAPI module: apache2handler
/usr/local/httpd/build/instdso.sh SH_LIBTOOL='/usr/local/apr/build-1/libtool' libphp5.la /usr/local/httpd/modules
/usr/local/apr/build-1/libtool --mode=install cp libphp5.la /usr/local/httpd/modules/
libtool: install: cp .libs/libphp5.lai /usr/local/httpd/modules/libphp5.la
libtool: install: cp .libs/libphp5.a /usr/local/httpd/modules/libphp5.a
libtool: install: chmod 644 /usr/local/httpd/modules/libphp5.a
libtool: install: ranlib /usr/local/httpd/modules/libphp5.a
libtool: install: warning: remember to run `libtool --finish /usr/local/src/php-5.5.5/libs'
Warning! dlname not found in /usr/local/httpd/modules/libphp5.la.
Assuming installing a .so rather than a libtool archive.
chmod 755 /usr/local/httpd/modules/libphp5.so
chmod: /usr/local/httpd/modules/libphp5.so: No such file or directory
apxs:Error: Command failed with rc=65536

Keep in mind, this was a brand new, entirely fresh FreeBSD 10.0-RELEASE install with ‘freebsd-update’ run bringing it to -p3. Nothing else had been done on this box except the MySQL and Apache installs.

I found it very strange that in that short bit of output, two separate libtools were referenced. Foolishly, I didn’t check my working server to compare. In any case, ‘/usr/local/apr/build-1/libtool’ and the libtool included with the PHP source were both referenced. For good measure, I even installed libtool using ‘pkg install’. Nothing worked and libphp5.so failed to be created. Not being a software developer, I went to Google looking for the answer but came up short. A few suggestions were to use the .bz2 version instead of the .tgz version, to use ports, and one person even pointed the finger at the AMD64 build of FreeBSD. I briefly attempted to install a known working version of libphp5.so from another one of my servers, but that just created more issues. I moved on.

I reloaded the OS from scratch and tried again. Same result. I’m a sucker for punishment.

I then reinstalled the OS using FreeBSD 9.2-RELEASE. As before, I ran ‘freebsd-update’ first thing and brought it up to -p6. I compiled MySQL using the new steps I had learned earlier. Same with Apache, except I used 2.2.27 this time to simplify things; go with what you know. Then the true test, PHP 5.5.12, which also installed no problem. Added a few lines to httpd.conf and started the server. Problem. I telneted to port 80 to see what version of OpenSSL I was using and it came back as 0.9.8y. This version isn’t vulnerable to the Heartbleed vulnerability, but it does lack TLSv1.1 and TLSv1.2 support, which I need, if only to give my clients a greater sense of security.

So I searched Google for “freebsd upgrade openssl” and a few articles came up, including one I had recently visited. I went back, performed the needful using ports and OpenSSL was upgraded. Sort of. The base OpenSSL install has its binaries in /usr/bin, libraries in /usr/lib and config file in /etc. The port install puts the binaries in /usr/local/bin, the libraries in /usr/local/lib and the config file in /usr/local/etc/ssl. So I had two completely autonomous OpenSSL installs at this point. Typing ‘which openssl’ showed /usr/bin/openssl, which is version 0.9.8y. ‘/usr/local/bin/openssl version’ showed 1.0.1g. Again, 0.9.8y is not vulnerable to Heartbleed, but it is insufficient for my needs.

After further reading, a few people suggested removing the old binary and symlinking /usr/local/bin/openssl to /usr/bin/openssl, and also symlinking the configuration files. This seemed to work, so I rebuilt Apache again thinking that version 1.0.1g would show up. But it didn’t. Knowing that this was a new install and that I would probably blow it away once I found a working formula, I started deleting things, symlinking things, moving things, etc. I was reminded of my father-in-law who, while looking to free up space on his internal HDD, deleted his Windows system files with the rationale “I’ve never used those, I can delete them.” A mess I made. Server trashed. Blank slate.

Again, I started with FreeBSD 9.2-RELEASE. I immediately updated using freebsd-update to -p6. I then downloaded and installed OpenSSL 1.0.1g from the OpenSSL website. I then confirmed that my base and secondary install were as expected:

# /usr/bin/openssl version         
OpenSSL 0.9.8y 5 Feb 2013

Good.

# /usr/local/ssl/bin/openssl version
OpenSSL 1.0.1g 7 Apr 2014

Great.

When it came to compiling Apache, I had to compile mod_ssl as a static module. In the process, a few of the core modules were also made static, so I had a mishmash of static and dynamic. I had to comment out a few of the LoadModule statements in the httpd.conf, but in the end, everything works as it should.

[root@server01 ~]# telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
HTTP/1.1 / GET

HTTP/1.1 501 Method Not Implemented
Date: Wed, 28 May 2014 23:07:36 GMT
Server: Apache/2.2.27 (Unix) DAV/2 PHP/5.5.12 mod_ssl/2.2.27 OpenSSL/1.0.1g
Allow: GET,HEAD,POST,OPTIONS,TRACE
Content-Length: 220
Connection: close
Content-Type: text/html; charset=iso-8859-1

Success! I now have a server running exactly the way I want and I have not compromised any of the base OpenSSL files, or anything that was built against them. While I think this was a fairly good way to accomplish this task, there are probably even better ways to do it. However, my Googling efforts did not lead me to those.

Another method, which some will say is more elegant, would have been to install from pkg or ports. However, I disagree. From compiling my first web server twenty years ago to the present day, I have always been an advocate of compiling critical services from source. If all you ever do is type ‘pkg install apache22’, how do you learn to troubleshoot when something goes wrong? How do you know how to fine-tune your installation when you need to compile in sockets, or curl, or other libraries and modules? I prefer infinite control.

Juniper SRX data center firewall default security policy

Being a routing and switching guy (mostly service provider stuff), I don’t deal with firewalls very often, because I am far from a security expert and I would be doing a disservice to my clients. However, this week, I was tasked with getting two brand new Juniper SRX1400s set up and updated. I learned three things during this process: 1) unlike the branch-series SRXs, the data-center series comes with very little configuration and no security configuration whatsoever; 2) when no policy is configured, the default is to deny; and 3) there’s a difference between inbound host packets and transit packets, and at the very least, the host-inbound-traffic configuration must be set before you can do anything to the firewall. Example below:

Show

zones {
    security-zone untrust {
        interfaces {
            xe-0/0/7.0 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
            }
        }
    }
}

Display set

set security zones security-zone untrust interfaces xe-0/0/7.0 host-inbound-traffic system-services all

A couple caveats:

First, if this is the only policy you add, you’ll probably find people trying to brute force any services you have running on the firewall within minutes, such as SSHD.

Second, the statement must be applied to a logical interface and not a physical interface (xe-0/0/7.0 vs. xe-0/0/7) in order for it to work.

Forcing users to use HTTPS the simple and secure way

Very simple Apache configuration using mod_rewrite.

<VirtualHost 1.2.3.4:80 [2001:4800::2]:80>
DocumentRoot /home/someuser/websites/whatever.com/html
ServerName whatever.com
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</VirtualHost>

Do not forget to create the SSL entry as well:

<VirtualHost 1.2.3.4:443 [2001:4800::2]:443>
DocumentRoot /home/someuser/websites/whatever.com/html
ServerName whatever.com
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
SSLEngine on
SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2
SSLHonorCipherOrder On
SSLCipherSuite "YOURPREFEREDSUITE"
SSLCompression off
SSLCertificateFile /home/someuser/ssl/whatever.com.crt
SSLCertificateKeyFile /home/someuser/ssl/whatever.com.key
SSLCertificateChainFile /home/someuser/ssl/gd_bundle.crt
</VirtualHost>
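A header audit that ties the two Apache posts together, added here as an example and not code from the original posts: it checks what the port-80 and port-443 VirtualHosts above should answer (a 301 to the https:// form of the same host and path, and a Strict-Transport-Security header), and reads the OpenSSL build that mod_ssl advertises in the Server header, which is how the telnet check in the OpenSSL post above told 0.9.8y from 1.0.1g. The responses embedded in the script are constructed to match the post’s headers, the function names are mine, and the version threshold rests on the fact that TLSv1.1 and TLSv1.2 arrived in OpenSSL 1.0.1.

```shell
#!/bin/sh
# Added example, not from the original post. Audits HTTP response headers for the
# redirect, HSTS and mod_ssl/OpenSSL version discussed above. Feed a live server with:
#   printf 'HEAD / HTTP/1.0\r\nHost: whatever.com\r\n\r\n' | nc whatever.com 80
# The responses at the bottom are constructed to match the post's Server header.

# Print the value of header $1 (case-insensitive) from a raw response on stdin.
header_value() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    tr -d '\r' | awk -v want="$want" '
        /^[A-Za-z-]+:/ {
            name = tolower(substr($0, 1, index($0, ":") - 1))
            if (name == want) { sub(/^[^:]*:[ \t]*/, ""); print; exit }
        }'
}

# Status code from the status line of a raw response on stdin.
status_code() { head -n 1 | tr -d '\r' | awk '{ print $2 }'; }

# OpenSSL version token mod_ssl advertises, e.g. 1.0.1g (empty if not advertised).
openssl_version_from_server() { header_value Server | tr ' ' '\n' | sed -n 's#^OpenSSL/##p'; }

# TLSv1.1/1.2 need OpenSSL 1.0.1 or newer. Returns 0 when $1 (e.g. 0.9.8y) is new enough.
openssl_supports_tls12() {
    v=$(printf '%s' "$1" | sed 's/[a-z]*$//')       # strip the letter suffix
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}; patch=${rest#*.}
    [ "$major" -gt 1 ] ||
        { [ "$major" -eq 1 ] && [ "$minor" -ge 1 ]; } ||
        { [ "$major" -eq 1 ] && [ "$minor" -eq 0 ] && [ "$patch" -ge 1 ]; }
}

# The port-80 answer must be a 301 to https://<same host><same path>.
check_redirect() {   # $1 = raw response, $2 = Host sent, $3 = path requested
    code=$(printf '%s\n' "$1" | status_code)
    loc=$(printf '%s\n' "$1" | header_value Location)
    [ "$code" = 301 ] && [ "$loc" = "https://$2$3" ]
}

# HSTS max-age from a raw 443 response on stdin (empty when the header is missing).
hsts_max_age() { header_value Strict-Transport-Security | sed -n 's/.*max-age=\([0-9]*\).*/\1/p'; }

# Constructed responses modelled on the post's Server header.
HTTP_RESPONSE='HTTP/1.1 301 Moved Permanently
Date: Wed, 28 May 2014 23:07:36 GMT
Server: Apache/2.2.27 (Unix) DAV/2 PHP/5.5.12 mod_ssl/2.2.27 OpenSSL/1.0.1g
Location: https://whatever.com/login
Content-Type: text/html; charset=iso-8859-1'

HTTPS_RESPONSE='HTTP/1.1 200 OK
Server: Apache/2.2.27 (Unix) DAV/2 PHP/5.5.12 mod_ssl/2.2.27 OpenSSL/1.0.1g
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html; charset=iso-8859-1'

OLD_RESPONSE='HTTP/1.1 200 OK
Server: Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/0.9.8y'

# Stand-alone report: $1 = port-80 response, $2 = port-443 response, $3 = host, $4 = path
audit() {
    if check_redirect "$1" "$3" "$4"; then echo "redirect: ok"; else echo "redirect: WRONG"; fi
    age=$(printf '%s\n' "$2" | hsts_max_age)
    echo "hsts max-age: ${age:-missing}"
    ver=$(printf '%s\n' "$2" | openssl_version_from_server)
    if openssl_supports_tls12 "${ver:-0.0.0}"; then
        echo "openssl $ver: TLS 1.1/1.2 capable"
    else
        echo "openssl ${ver:-unknown}: too old for TLS 1.1/1.2"
    fi
}
audit "$HTTP_RESPONSE" "$HTTPS_RESPONSE" whatever.com /login
```

Two practitioner notes on the configs above: the Header directive on the 443 host needs mod_headers loaded, or Apache refuses to start, and the redirect check here only passes when the Location preserves both the Host the client sent and the original path, which is exactly what the %{HTTP_HOST}%{REQUEST_URI} rule produces.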

Rackspace FreeBSD VPS and their lack of swap

Update #2 – 2015-05-19 – Three months after my first update I noticed that Rackspace has removed their FreeBSD VPS offering. Not surprising and probably for the best. Two clients to whom I recommended Rackspace, who are also using FreeBSD VPS, are experiencing the same issues, so I know I am not alone. I have moved my mission-critical services to a Leaseweb bare-metal server. I’ve been with them for five months now. 100% uptime and no issues whatsoever. There have twice been 30ms jumps in latency from where I am monitoring the server; perfectly acceptable performance, if not amazing by server-farm standards. I am considering moving to Packet as I have just been told they intend to support FreeBSD very soon. They also offer a BYoIP (bring your own IP) service, which is extremely attractive as we have an IPv4 /23 and an IPv6 /48.

Update #1 – 2015-02-19 – After what seems like one of my servers hanging hundreds of times, and in reality is probably at least 60, I have moved off of Rackspace’s FreeBSD VPS for all my mission critical sites. Rackspace dev ops seem very uninterested in putting any effort into their FreeBSD product. Additionally, few of their Linux ops can support it. After all the swap nonsense and being affected by “noisy neighbors”, I’ve moved onto a bare-metal server. So far, zero downtime. A decade ago, I envied Rackspace’s product and support. Now, they are a far cry from Softlayer, Packet.net and many others who have left them in the dust. Their now lackluster support and lack of innovation could see them completely fall off the map. It’s quite sad to see how far the mighty have fallen.

Last October, one of the best VPS and bare-metal server providers on the planet, Rackspace, quickly fell from grace with many of its VPS customers. They made a decision — a poor one at that — to eliminate swap from their default Linux and FreeBSD VPS builds. They claim that this was in an effort to reduce disk IOPS, but in reality, they’ve achieved nothing but instability. Here’s their KB article:

http://www.rackspace.com/knowledge_center/article/changes-to-swap-on-cloud-servers

Notice at the bottom they’ve provided a link for how Linux users can add a swap file. Also notice that there’s no mention of how to add a swap file using FreeBSD. I’ll get to that in a second. First, let’s break down what they’ve actually accomplished:

They’ve not actually reduced IOPS at all, because nearly everyone running a VPS will have manually created a swap file; if you don’t, this can happen:

Apr 20 08:20:37 monitor kernel: pid 10861 (xenstore), uid 0, was killed: out of swap space
Apr 20 08:20:37 monitor kernel: pid 172 (nova-agent), uid 0, was killed: out of swap space
Apr 20 08:20:38 monitor kernel: pid 778 (sshd), uid 0, was killed: out of swap space
Apr 20 08:20:38 monitor kernel: pid 965 (devd), uid 0, was killed: out of swap space
Apr 20 08:20:38 monitor kernel: pid 2345 (sendmail), uid 0, was killed: out of swap space

Yes, that’s right, whilst compiling MySQL, and apparently running out of memory on a box that supposedly has 2GB of RAM, the server killed several critical processes.

Because you cannot have custom partitioning on their FreeBSD VPS, they force you to choose from one of many of the already capacity-deprived file systems in which to create the swap file.

Filesystem                   Size    Used   Avail Capacity  Mounted on
zroot                        2.4G    205M    2.1G     9%    /
devfs                        1.0k    1.0k      0B   100%    /dev
zroot/tmp                    2.1G    424k    2.1G     0%    /tmp
zroot/usr                    5.5G    3.3G    2.1G    61%    /usr
zroot/usr/home               3.8G    1.6G    2.1G    43%    /usr/home
zroot/usr/ports              3.1G    996M    2.1G    31%    /usr/ports
zroot/usr/ports/distfiles    2.2G     41M    2.1G     2%    /usr/ports/distfiles
zroot/usr/src                2.4G    276M    2.1G    11%    /usr/src
zroot/var                    2.2G    3.4M    2.1G     0%    /var
zroot/var/crash              2.1G    148k    2.1G     0%    /var/crash
zroot/var/db                 2.3G    185M    2.1G     8%    /var/db
zroot/var/db/pkg             2.2G    6.0M    2.1G     0%    /var/db/pkg
zroot/var/empty              2.1G    144k    2.1G     0%    /var/empty
zroot/var/log                2.1G    1.7M    2.1G     0%    /var/log
zroot/var/mail               2.1G    1.4M    2.1G     0%    /var/mail
zroot/var/run                2.1G    296k    2.1G     0%    /var/run
zroot/var/tmp                2.1G    1.7M    2.1G     0%    /var/tmp

Which file system are you likely to throw a 2GB swap file on? This is partitioning at its absolute worst. I’m using a grand total of about 200MB of the nearly 18GB of space allocated to all the many /var file systems.

But, I digress. Here’s how to add a swap file to your VPS:

Requirements

You’ll need the memory disk driver installed, which comes by default with the GENERIC kernel. Rackspace at least had the foresight to keep this in their kernel.

device     md

Next, find a good place for your swap file. This will likely be determined by your partitioning. I’m going to create a 1024 MB swap file in /usr/swap and name it swap0. On my server the /usr file system is the largest partition, so it makes the most sense. Next, I am going to create the actual swap file:

dd if=/dev/zero of=/usr/swap/swap0 bs=1024k count=1024

Adjust the count to adjust your swap file size. 1 count is equal to 1 MB.

Next, change the swap file permissions:

chmod 0600 /usr/swap/swap0

Remember to add this new swap file to your /etc/rc.conf file:

swapfile="/usr/swap/swap0"

To enable the new swap without rebooting, use the following commands:

mdconfig -a -t vnode -f /usr/swap/swap0
swapon /dev/md1

When you enter the mdconfig command, it prints the name of the device it attached your swap file to; use that name in the swapon command. Mine was md1. Yours may be different.
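The whole swap-file procedure as one script, added here as an example rather than code from the original post: it checks free space on the target file system before running dd, takes the md device name from mdconfig’s own output instead of assuming md0 or md1, and includes a small scan of /var/log/messages for the “out of swap space” kills shown above. The swap path and size are the post’s; the df sample at the bottom is constructed (the log sample copies the post’s own lines), and RUN_SWAP_SETUP is a guard variable of my own so the destructive part only runs on request, as root.

```shell
#!/bin/sh
# Added example, not from the original post: the swap-file steps above with the
# checks a practitioner wants first. The df and syslog samples at the bottom are
# constructed; the swap path and size are the post's.

SWAPFILE=${SWAPFILE:-/usr/swap/swap0}
SWAP_MB=${SWAP_MB:-1024}

# Available kilobytes from `df -k <path>` output on stdin (second line, 4th column).
free_kb_from_df() { awk 'NR == 2 { print $4 }'; }

# Does a $2 MB swap file fit in $1 KB of free space, leaving $3 MB (default 256) spare?
swap_fits() { [ "$1" -ge $(( ($2 + ${3:-256}) * 1024 )) ]; }

# Names of processes the kernel killed for lack of swap (syslog lines on stdin).
oom_kills() {
    awk '/was killed: out of swap space/ && match($0, /\([^)]*\)/) {
        print substr($0, RSTART + 1, RLENGTH - 2)
    }'
}

# Destructive: create, secure and activate the swap file. Needs root on FreeBSD.
create_swap() {
    avail=$(df -k "$(dirname "$SWAPFILE")" | free_kb_from_df)
    if ! swap_fits "$avail" "$SWAP_MB"; then
        echo "only ${avail}KB free where $SWAPFILE would go; not creating ${SWAP_MB}MB swap" >&2
        return 1
    fi
    mkdir -p "$(dirname "$SWAPFILE")"
    dd if=/dev/zero of="$SWAPFILE" bs=1024k count="$SWAP_MB"   # 1 count = 1 MB
    chmod 0600 "$SWAPFILE"                                     # swap must not be world-readable
    md=$(mdconfig -a -t vnode -f "$SWAPFILE")   # prints the md unit it attached, e.g. md1
    swapon "/dev/$md"
    grep -q "^swapfile=" /etc/rc.conf || printf 'swapfile="%s"\n' "$SWAPFILE" >> /etc/rc.conf
    echo "swap active on /dev/$md"
}

# Constructed df -k output: /usr with about 2.1G available, as in the post's listing.
DF_SAMPLE='Filesystem 1024-blocks    Used   Avail Capacity  Mounted on
zroot/usr      5767168 3460300 2202000    61%    /usr'

# The post's own kernel messages, used as a sample.
LOG_SAMPLE='Apr 20 08:20:37 monitor kernel: pid 10861 (xenstore), uid 0, was killed: out of swap space
Apr 20 08:20:37 monitor kernel: pid 172 (nova-agent), uid 0, was killed: out of swap space
Apr 20 08:20:38 monitor kernel: pid 778 (sshd), uid 0, was killed: out of swap space
Apr 20 08:20:38 monitor kernel: pid 965 (devd), uid 0, was killed: out of swap space
Apr 20 08:20:38 monitor kernel: pid 2345 (sendmail), uid 0, was killed: out of swap space'

echo "killed for lack of swap: $(printf '%s\n' "$LOG_SAMPLE" | oom_kills | tr '\n' ' ')"
if [ "${RUN_SWAP_SETUP:-0}" = 1 ]; then create_swap; fi
```

Run it as RUN_SWAP_SETUP=1 sh swap.sh as root to actually create the swap; without the variable it only reports on the samples. The 0600 mode matters because swap holds whatever was in memory, which can include keys and passwords, and the free-space check is what keeps a 2GB swap file off one of the 2.1G-available file systems in the listing above.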

Adding a hard drive to FreeBSD with a larger than 512-byte sector size

Introduction

I recently tried to add another USB HDD to my FreeBSD system and forgot the steps I had taken previously to add a USB drive with a larger than 512-byte sector size and a larger than 2TB capacity.

The sysinstall utility uses fdisk to try and add disks. This is the same utility that was present when I first started using FreeBSD way back in 1996 (2.1.5-RELEASE). Things have changed dramatically since. The first Gigabyte-sized hard drives had just hit the market a year or two prior. If you were lucky enough to own a massive 3.2GB HDD, you were the envy of all your friends. 56.6k was already pretty bitchin’ too. So, needless to say, as technology has evolved, the built-in FreeBSD fdisk tool has become antiquated. However, there is a replacement, and it’s so much better. Its name is gpart.

Forgetting that I had used gpart previously (I won’t forget again, since I am documenting this for my own benefit as well), I tried the sysinstall method first. This failed for a couple of reasons. The first is that fdisk assumes a 512-byte sector size and I had a 4096-byte sector size. Because of this, the geometry was showing my 3TB drive as a 350GB drive. Because it never partitioned properly, the labeling tool didn’t work either. After reading a few mailing lists and blog posts about failed fdisk attempts, I remembered that I had used gpart the last time around as well. Here are step-by-step directions on how I was able to very quickly and easily get my USB HDD partitioned, labeled and mounted.

Assumptions

  • You’re installing a brand new hard drive that has no data on it, or
  • You understand that any data currently on the hard drive will be erased using this method
  • You’re using the entire disk as a single partition
  • You understand that I am not liable for any data you may lose following these directions. 🙂

Finding your HDD

I cannot give exact, detailed instructions here, as your drive name will depend on several factors: whether your drive is an internal hard drive or an external portable USB hard drive; how many drives are currently installed; and perhaps even which USB port you have plugged your drive into.

In my case, it was an external USB HDD. To easily find it when I plugged it in, I ran the following command:

tail -f /var/log/messages

The following was appended to the file and onto my screen:

May  3 16:50:32 gateway kernel: da2 at umass-sim2 bus 2 scbus2 target 0 lun 0
May  3 16:50:32 gateway kernel: da2:  Fixed Direct Access SCSI-6 device 
May  3 16:50:32 gateway kernel: da2: 40.000MB/s transfers
May  3 16:50:32 gateway kernel: da2: 2861556MB (732558336 4096 byte sectors: 255H 63S/T 45599C)

Easy peasy. My HDD was da2.

Learning more about your HDD

To find out what size your sectors are, the diskinfo utility is great:

diskinfo -c da2

You should see something like this:

da2
        4096            # sectorsize
        3000558944256   # mediasize in bytes (2.7T)
        732558336       # mediasize in sectors
        0               # stripesize
        0               # stripeoffset
        45599           # Cylinders according to firmware.
        255             # Heads according to firmware.
        63              # Sectors according to firmware.
        574343344530383939393633        # Disk ident.

Checking contents

Once your drive is installed and you’ve located it, it’s time to see what’s on the drive. Since most USB drives come from the store formatted to work with one operating system or another, it’s likely not entirely blank, but it needs to be for gpart to work. To see what’s on your drive, use the following command:

gpart show da2

In my case, I can see the partition that fdisk failed to create properly:

[root@gateway ~]# gpart show da2
=>       63  732558273  da2  MBR  (2.7T)
         63  732547872    1  freebsd  [active]  (2.7T)
  732547935      10401       - free -  (40M)

Deleting existing slices and partitions

Above we saw a single slice with the index of 1. To delete that slice, use the following command:

gpart delete -i 1 da2

The -i flag is used to specify which index to use. This was the result of running that command:

[root@gateway ~]# gpart delete -i 1 da2
da2s1 deleted

[root@gateway ~]# gpart show da2
=>       63  732558273  da2  MBR  (2.7T)
         63  732558273       - free -  (2.7T)

Now it’s time to destroy:

gpart destroy da2

The output looks as such:

[root@gateway ~]# gpart destroy da2
da2 destroyed

Now that we’ve scorched the earth, it’s time to rebuild.

Create and add

First, we need to create a new partition scheme. In this case, I’m using GPT.

gpart create -s GPT da2

The resulting output should look like this:

[root@gateway ~]# gpart create -s GPT da2
da2 created

Next we need to add the partition:

gpart add -t freebsd-ufs da2

If all goes well, you should see something similar to this:

[root@gateway ~]# gpart add -t freebsd-ufs da2
da2p1 added

At this point, we’re done with gpart. Time to revel in its simplicity and give a mental shout out to the fantastic developers that create such wonderful tools, with little to no fanfare. Thank you, wonderful and kind developers.

The “F” word

Now we must talk about a word that strikes fear into the hearts of geriatrics everywhere. That’s right, we must talk about format. If you’re technical, you know there’s not much to it. If you’re not, the word format probably evokes feelings of anxiety and has you reaching for Xanax. I mean, seriously, who doesn’t know a grandparent, senior, etc., who has accidentally formatted their hard drive instead of a floppy? Anyway, luckily, it’s pretty foolproof using newfs, and it’s used like so:

newfs -U /dev/da2p1

The output is long, so it has been truncated:

[root@gateway ~]# newfs -U /dev/da2p1 
/dev/da2p1: 2861556.0MB (5860466600 sectors) block size 16384, fragment size 4096
        using 8492 cylinder groups of 336.98MB, 21567 blks, 21568 inodes.
        with soft updates
super-block backups (for fsck -b #) at:
 160, 690304, 1380448, 2070592, 2760736, 3450880, 4141024, 4831168, 5521312,
 6211456, 6901600, 7591744, 8281888, 8972032, 9662176, 10352320, 11042464,
 11732608, 12422752, 13112896, 13803040, 14493184, 15183328, 15873472,
 16563616, 17253760, 17943904, 18634048, 19324192, 20014336, 20704480,
[...]
 5846209984, 5846900128, 5847590272, 5848280416, 5848970560, 5849660704,
 5850350848, 5851040992, 5851731136, 5852421280, 5853111424, 5853801568,
 5854491712, 5855181856, 5855872000, 5856562144, 5857252288, 5857942432,
 5858632576, 5859322720, 5860012864
[root@gateway ~]# 

That’s it. Simple right?

Mounting

Time to mount your drive. Nothing special about this. Just as straightforward as any other drive:

mount -t ufs /dev/da2p1 /storage/usbdisk2

Time to verify:

[root@gateway ~]# df -h
Filesystem                Size    Used   Avail Capacity  Mounted on
/dev/ad0s1a               3.9G    383M    3.2G    11%    /
devfs                     1.0k    1.0k      0B   100%    /dev
/dev/ad0s1e               347G    158G    161G    50%    /usr
/dev/ad0s1d               7.8G    813M    6.3G    11%    /var
10.0.253.11:/nfs/Media    1.8T    1.6T    237G    87%    /storage/netdisk1
10.0.253.13:/nfs/Media    1.8T    1.6T    204G    89%    /storage/netdisk3
10.0.253.14:/nfs/Media    1.8T    1.6T    207G    89%    /storage/netdisk4
/dev/da0p1                3.6T    2.8T    476G    86%    /storage/usbdisk3
devfs                     1.0k    1.0k      0B   100%    /var/named/dev
/dev/da1s1d               1.3T    1.3T   -108G   109%    /storage/usbdisk1
/dev/da2p1                2.7T    8.0k    2.5T     0%    /storage/usbdisk2

Adding your /etc/fstab entry

Your fstab will likely be different, but here’s what I added:

/dev/da2p1   /storage/usbdisk2   ufs   rw,noauto   0   2

Errors

Here are a couple errors I ran into while preparing this post and becoming familiar with gpart a second time:

fdisk: could not detect sector size

Resolution: Determine your sector size with diskinfo and use gpart if your sector size is larger than 512 bytes.

gpart: Device busy

Resolution: I ran into this error when trying to gpart destroy my drive while it still had slices on it. gpart delete your slices and then try your gpart destroy again.
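The gpart procedure above as one script, added here as an example and not code from the original post: it reads the sector size and media size from diskinfo before doing anything (fdisk assumes 512-byte sectors, which is how the 3TB drive above showed up as 350GB), deletes every existing slice or partition before gpart destroy (which is what avoids the “Device busy” error listed above), and refuses to touch a disk that still has something mounted from it. The diskinfo and gpart show text embedded at the bottom is constructed from the post’s own listings so the parsers can be exercised without a disk; RUN_PARTITION is a guard variable of my own.

```shell
#!/bin/sh
# Added example, not from the original post: the gpart procedure above as one script,
# with the checks that avoid the two errors listed under "Errors". The diskinfo and
# gpart show samples at the bottom are constructed from the post's own listings.

DISK=${DISK:-da2}
MOUNTPOINT=${MOUNTPOINT:-/storage/usbdisk2}

# Sector size in bytes from `diskinfo -c <disk>` output on stdin.
sector_size() { awk '/# sectorsize/ { print $1; exit }'; }

# Media size in bytes from the same output.
media_bytes() { awk '/# mediasize in bytes/ { print $1; exit }'; }

# fdisk/MBR tooling only fits 512-byte sectors and disks under 2 TiB; anything else needs gpart.
needs_gpart() {   # $1 = sector size, $2 = media size in bytes
    [ "$1" -ne 512 ] || [ "$2" -ge 2199023255552 ]
}

# Partition (or slice) indexes listed by `gpart show <disk>` on stdin, highest first.
partition_indexes() {
    awk '$1 != "=>" && $3 ~ /^[0-9]+$/ { print $3 }' | sort -rn
}

# Refuse to touch a disk that has anything mounted from it.
assert_unmounted() {   # $1 = disk, e.g. da2
    if mount | grep -q "^/dev/$1"; then
        echo "/dev/$1 has mounted file systems; unmount them first" >&2
        return 1
    fi
}

# Destructive: wipe $DISK, lay down GPT with one freebsd-ufs partition, newfs and mount it.
partition_disk() {
    assert_unmounted "$DISK" || return 1
    info=$(diskinfo -c "$DISK")
    ss=$(printf '%s\n' "$info" | sector_size)
    mb=$(printf '%s\n' "$info" | media_bytes)
    if ! needs_gpart "$ss" "$mb"; then
        echo "note: $DISK has 512-byte sectors and is under 2 TiB; gpart still works fine" >&2
    fi
    for i in $(gpart show "$DISK" 2>/dev/null | partition_indexes); do
        gpart delete -i "$i" "$DISK"      # slices first, or destroy reports "Device busy"
    done
    gpart destroy "$DISK"
    gpart create -s GPT "$DISK"
    gpart add -t freebsd-ufs "$DISK"
    newfs -U "/dev/${DISK}p1"
    mkdir -p "$MOUNTPOINT"
    mount -t ufs "/dev/${DISK}p1" "$MOUNTPOINT"
    echo "/dev/${DISK}p1 mounted on $MOUNTPOINT; add it to /etc/fstab"
}

# Constructed from the post's diskinfo -c da2 output.
DISKINFO_SAMPLE='da2
        4096            # sectorsize
        3000558944256   # mediasize in bytes (2.7T)
        732558336       # mediasize in sectors
        0               # stripesize'

# Constructed from the post's gpart show da2 output (the slice fdisk left behind).
GPART_SAMPLE='=>       63  732558273  da2  MBR  (2.7T)
         63  732547872    1  freebsd  [active]  (2.7T)
  732547935      10401       - free -  (40M)'

ss=$(printf '%s\n' "$DISKINFO_SAMPLE" | sector_size)
mb=$(printf '%s\n' "$DISKINFO_SAMPLE" | media_bytes)
if needs_gpart "$ss" "$mb"; then echo "sample disk: ${ss}-byte sectors, $mb bytes: use gpart"; fi
echo "sample disk slices to delete: $(printf '%s\n' "$GPART_SAMPLE" | partition_indexes | tr '\n' ' ')"
if [ "${RUN_PARTITION:-0}" = 1 ]; then partition_disk; fi
```

Run it as DISK=da2 RUN_PARTITION=1 sh gpart.sh as root to partition for real; without the variable it only parses the samples. Deleting the indexes highest-first means an earlier delete never renumbers one still on the list; gpart destroy -F would also force the destroy with slices still present, but deleting them first matches the post’s resolution and leaves an audit trail of what was on the disk.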

Conclusion

Congratulations! If you followed this to the end, you very likely have a new, quite large, HDD installed and ready for data. For me, it’s time to offload some data from usbdisk1 to usbdisk2, as apparently, usbdisk1 is 108GB over capacity!

DWDM channels

Channel Frequency (GHz) Frequency (THz) Wavelength (nm) Band
1 190100 190.10 1577.03 L-Band
2 190200 190.20 1576.20 L-Band
3 190300 190.30 1575.37 L-Band
4 190400 190.40 1574.54 L-Band
5 190500 190.50 1573.71 L-Band
6 190600 190.60 1572.89 L-Band
7 190700 190.70 1572.06 L-Band
8 190800 190.80 1571.24 L-Band
9 190900 190.90 1570.42 C-Band
10 191000 191.00 1569.59 C-Band
11 191100 191.10 1568.11 C-Band
12 191200 191.20 1567.95 C-Band
13 191300 191.30 1567.13 C-Band
14 191400 191.40 1566.31 C-Band
15 191500 191.50 1565.50 C-Band
16 191600 191.60 1564.68 C-Band
17 191700 191.70 1563.86 C-Band
18 191800 191.80 1563.05 C-Band
19 191900 191.90 1562.23 C-Band
20 192000 192.00 1561.42 C-Band
21 192100 192.10 1560.61 C-Band
22 192200 192.20 1559.79 C-Band
23 192300 192.30 1558.98 C-Band
24 192400 192.40 1558.17 C-Band
25 192500 192.50 1557.36 C-Band
26 192600 192.60 1556.56 C-Band
27 192700 192.70 1555.75 C-Band
28 192800 192.80 1554.94 C-Band
29 192900 192.90 1554.13 C-Band
30 193000 193.00 1553.33 C-Band
31 193100 193.10 1552.52 C-Band
32 193200 193.20 1551.72 C-Band
33 193300 193.30 1550.92 C-Band
34 193400 193.40 1550.12 C-Band
35 193500 193.50 1549.32 C-Band
36 193600 193.60 1548.52 C-Band
37 193700 193.70 1547.72 C-Band
38 193800 193.80 1546.92 C-Band
39 193900 193.90 1546.12 C-Band
40 194000 194.00 1545.32 C-Band
41 194100 194.10 1544.53 C-Band
42 194200 194.20 1543.73 C-Band
43 194300 194.30 1542.94 C-Band
44 194400 194.40 1542.14 C-Band
45 194500 194.50 1541.35 C-Band
46 194600 194.60 1540.56 C-Band
47 194700 194.70 1539.77 C-Band
48 194800 194.80 1538.98 C-Band
49 194900 194.90 1538.19 C-Band
50 195000 195.00 1537.40 C-Band
51 195100 195.10 1536.61 C-Band
52 195200 195.20 1535.82 C-Band
53 195300 195.30 1535.04 C-Band
54 195400 195.40 1534.25 C-Band
55 195500 195.50 1533.47 C-Band
56 195600 195.60 1532.68 C-Band
57 195700 195.70 1531.90 C-Band
58 195800 195.80 1531.12 C-Band
59 195900 195.90 1530.33 S-Band
60 196000 196.00 1529.55 S-Band
61 196100 196.10 1528.77 S-Band
62 196200 196.20 1527.99 S-Band
63 196300 196.30 1527.22 S-Band
64 196400 196.40 1526.44 S-Band
65 196500 196.50 1525.66 S-Band
66 196600 196.60 1524.89 S-Band
67 196700 196.70 1524.11 S-Band
68 196800 196.80 1523.34 S-Band
69 196900 196.90 1522.56 S-Band
70 197000 197.00 1521.79 S-Band
71 197100 197.10 1521.02 S-Band
72 197200 197.20 1520.25 S-Band

Notes:

O-Band: 1270nm to 1370nm
E-Band: 1371nm to 1470nm
S-Band: 1471nm to 1530nm
C-Band: 1531nm to 1570nm
L-Band: 1571nm to 1611nm

For 200GHz spacing use either odd or even numbered channels.
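A small script that recomputes the table’s wavelength and band columns from the channel frequency, added here as an example and not part of the original page, so a channel plan can be checked against λ = c/f rather than copied. It assumes the 100 GHz grid the table implies (channel n sits at 190000 GHz + n × 100 GHz), the band edges from the Notes above with the lower edge inclusive, and c = 299792458 m/s; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original page: derive the DWDM table above from
# the channel frequency. Assumes the 100 GHz grid the table implies, the band
# edges in the Notes, and c = 299792458 m/s.

# Frequency in GHz for channel number $1 (channel 1 = 190100 GHz).
channel_ghz() { echo $(( 190000 + $1 * 100 )); }

# Wavelength in nm, two decimals, for a frequency in GHz: lambda = c / f
# (c in m/s divided by f in GHz is already nm: 299792458 / 192100 = 1560.61).
wavelength_nm() { awk -v f="$1" 'BEGIN { printf "%.2f\n", 299792458 / f }'; }

# Band name for a wavelength in nm, using the ranges in the Notes (lower edge inclusive).
band_for_nm() {
    awk -v nm="$1" 'BEGIN {
        if      (nm >= 1270 && nm < 1371)  b = "O-Band"
        else if (nm >= 1371 && nm < 1471)  b = "E-Band"
        else if (nm >= 1471 && nm < 1531)  b = "S-Band"
        else if (nm >= 1531 && nm < 1571)  b = "C-Band"
        else if (nm >= 1571 && nm <= 1611) b = "L-Band"
        else b = "outside"
        print b
    }'
}

# One table row: channel, GHz, THz, nm, band.
channel_row() {
    ghz=$(channel_ghz "$1")
    nm=$(wavelength_nm "$ghz")
    thz=$(awk -v g="$ghz" 'BEGIN { printf "%.2f", g / 1000 }')
    printf '%s %s %s %s %s\n' "$1" "$ghz" "$thz" "$nm" "$(band_for_nm "$nm")"
}

# Channels usable at 200 GHz spacing: every other one, starting odd or even.
channels_200ghz() {   # $1 = odd | even
    n=1; [ "$1" = even ] && n=2
    while [ "$n" -le 72 ]; do echo "$n"; n=$(( n + 2 )); done
}

# Stand-alone: print the full 72-channel table.
print_table() {
    echo "Channel Frequency(GHz) Frequency(THz) Wavelength(nm) Band"
    n=1
    while [ "$n" -le 72 ]; do channel_row "$n"; n=$(( n + 1 )); done
}
print_table
```

Running it for channel 11 gives 1568.77 nm, whereas the table above lists 1568.11, so that entry is worth re-checking against c/f; every other row I compared reproduces the table to two decimals, including channel 9, which lands at 1570.42 nm and therefore stays in the C-Band under the edges given in the Notes.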

Remembering James L. Davis

James wasn’t famous. Even among his peers in the technology industry, he wasn’t well known. But he liked it that way. Those people that did know him, liked him, a lot. He was very introverted, even to those who knew him well. If he was having a bad day, you’d never know it. He was as even-keeled as they come. Unless of course you sparked up a conversation about technology. His passion for technology was only ever eclipsed by one thing, his wife, whom he met only a short time before his death.

James died on August 14th, 2008. He had recently purchased a motorcycle, despite the concerns of those around him. To his credit, he was as safe a motorcycle rider as they come. He always wore a full-face helmet. He even wore a fashion faux pas of a reflective vest in the hope that drivers would see him better in less-than-perfect weather conditions, despite its horrendous appearance. However, it was all for naught.

James was riding his motorcycle along I-94 on his way back to work after lunch. He worked for Cray, the company that brought the world the supercomputer. Traffic came to a sudden halt. James was able to stop in time. However, the vehicle behind him, driven by a distracted driver who had already had her driver’s license suspended, did not stop. News reports initially stated that he was not wearing a helmet. The truth was that the force of the impact was so vicious that it removed his helmet. He died instantly.

It has taken me five years to write this. Five years to come to terms with his death. Five years to be able to write this without tears welling up in my eyes. I know I owe it to James to have written this sooner, but we all deal with grief differently.

Like so many of today’s 30-something programmers, network engineers and IT professionals, I was on IRC in the mid-90s. This was long before commercial applications of VoIP, Skype, video conferencing, and even instant messaging, although ICQ was just around the corner. IRC was the only real-time chat medium at the time. It was in 1996, on IRC that I met James. He went by the nickname brick, and later jld. We were both big fans and advocates of FreeBSD and James ran the #FreeBSD channel. It wasn’t until 1998 though, that James and I became very good friends and started speaking nearly every day. We bonded over my installing X Windows for the first time. He walked me through it, step by step. He even helped me get my sound card working. X Windows was still very raw at the time. The entire process took many hours over several days. In addition to learning how to install X Windows, I also learned something about James during that process. I learned that he was a selfless and incredibly generous person who would do anything for his friends. This was the first of many times that James taught me something new. For that, I am eternally grateful.

Over the next decade, James introduced me to many more wonderful things, including digital SLR photography, C and C++, encryption, decryption, digital encoding, Ogg Vorbis, flac and ray-tracing to name a few. His actions also, indirectly, led me to meeting my wife, Heather. Because of this, and many other reasons, James holds a very special place in our hearts. It’s not by accident that our first-born son is named James. While we didn’t name our son after James per se, it didn’t escape us that our son shared a name with one of our most favorite people. Our son was born eight months before James died.

In early 2007, James met his soul mate, Michelle. Around that April, it was clear that James was smitten. He started spending more time with her and less time online. Our conversations went from still nearly daily in early 2007 to about once a week by the end of 2007. Between Michelle and work, he was rarely online in 2008. Once in a while he would hop on instant messenger and we’d catch up. It wasn’t strange, however, for him to go weeks at a time without getting online. It wasn’t until December that I found out about his death. I wrote him a tongue-in-cheek email on December 2nd asking him if he was still alive. Sixteen days later Michelle replied to me that James had passed away four months earlier. Heather and I were absolutely devastated. I took it upon myself to inform the rest of the people that James and I knew mutually who did not yet know. Like me, they just thought that they hadn’t heard from him because he was very much enjoying married life. After the shock had subsided a little, we reminisced about how wonderful James was. There was a very strong consensus that he would genuinely be greatly missed. Our normally joyful and festive Christmas was sombre and subdued, while we struggled to come to terms with the hole left in our lives.

It was a cold winter in 2008. There was lots of snow. I used the time shoveling the snow off the driveway to think about James. I could be alone with my tears outside. I didn’t have to hide them. It was my sanctuary. I often took a lot longer than required to shovel, moving slowly and deliberately, so I could be alone with my thoughts longer. In the four winters that have passed since, not a single time has gone by that I haven’t thought of James while shoveling the driveway.

James made everyone around him laugh and smile. He made a genuine impact in many people’s lives, for the better. Other than my mother, my wife and my children, perhaps nobody has impacted my life more than James did. The world needs more people like him, not fewer. You are missed, my friend.

A page was set up for James by Minnesotans for Safe Driving.

Installing MySQL, Apache, PHP & mod_perl on Debian from source

Introduction

I am writing this article because I believe it may be useful to people other than just myself. I am new to Linux. However, the command-line environment is not unfamiliar to me. I have been avidly using FreeBSD since 1996 (2.1.5) and I am usually found with my head in a Cisco or Juniper terminal most of the day. Even with this experience, I found installing MySQL, Apache, PHP and mod_perl on Debian to be laborious and tedious. You see, on a FreeBSD server, you can nearly install Apache right out of the box. Install the perl and libxml2 packages and you’re ready to go. For whatever reason, the people driving Debian’s development have decided that you either need to install everything using apt-get (a package manager similar to FreeBSD’s pkg_add or Red Hat’s rpm), which is a horrifically terrible idea in a production environment, or jump through a plethora of hoops to install from source. I mean, Debian doesn’t even include gcc in the base install. Huh?

One thing FreeBSD does not do well, yet, is virtualization. Today, I needed a virtual box and my choices were between six different flavors of Linux and a few flavors of Windows. Windows is completely out of the question, so I was left to decide which Linux distribution I wanted to meander through. I recently worked for a company that used Debian (5.0 Lenny) as well as FreeBSD. I made a calculated decision that they, FreeBSD lovers, chose Debian because it closely resembled FreeBSD. I have still not decided whether or not my calculations were correct. Either way, I am armed with my good friend Google, who seldom lets me down when I encounter Linux issues. It would seem that someone has already been there, done that, fixed it and shared it. This is my attempt to give back.

Audience

Anyone looking to install MySQL 5.1, Apache 2.2, PHP 5.3 and mod_perl 2.0 on a Debian install.

Prerequisites

You will obviously need a box running Debian. I happen to be running Debian 6.0 Squeeze with the Linux 2.6 kernel.

Linux server 2.6.32-5-xen-amd64 #1 SMP Tue Mar 8 00:01:30 UTC 2011 x86_64 GNU/Linux

You will also need to download the source tarballs for MySQL, Apache, PHP and mod_perl

http://www.mysql.com/downloads/mysql/5.1.html
http://httpd.apache.org/download.cgi
http://www.php.net/downloads.php
http://perl.apache.org/download/index.html

Assumptions

  • You have a fresh Debian install
  • You have root privileges
  • You’ve downloaded all your sources to ‘/usr/local/src’
  • You’re installing MySQL in ‘/usr/local/mysql’
  • You’re installing Apache in ‘/usr/local/httpd’
  • You’ve created a user named ‘mysql’

Dependencies

During my installation, I tripped over several missing updates and libraries. In order for you to avoid encountering the same issues, please install the following updates and required libraries:

# apt-get update && apt-get upgrade
# apt-get install build-essential
# apt-get install libncurses5-dev
# apt-get install libxml2-dev
# apt-get install zlib1g-dev
# apt-get install libssl-dev
# apt-get install libgdbm3
# ln -s /usr/lib/libgdbm.so.3 /usr/local/lib/libgdbm.so
# ln -s /usr/lib/libperl.so.5.10 /usr/local/lib/libperl.so

The two symlinks give the linker the unversioned libgdbm.so and libperl.so names that the runtime packages do not ship. The packaged way to get the same result is to install libgdbm-dev and libperl-dev, which place those links in /usr/lib; either approach works, but the -dev packages survive upgrades and leave no hand-made links in /usr/local/lib for you to remember.

The nitty gritty

Unpack the tarballs

# cd /usr/local/src
# tar xvfz mysql-5.1.60.tar.gz
# tar xvfz httpd-2.2.21.tar.gz
# tar xvfz php-5.3.8.tar.gz
# tar xvfz mod_perl-2.0-current.tar.gz

Configure, make and install MySQL

# cd /usr/local/src/mysql-5.1.60
# ./configure --prefix=/usr/local/mysql --with-plugins=innobase
# make
# make install
# ./scripts/mysql_install_db --user=mysql
# chown -R mysql:mysql /usr/local/mysql/var
# /usr/local/mysql/bin/mysqld_safe --user=mysql --bind-address=127.0.0.1 &
# /usr/local/mysql/bin/mysqladmin -u root password 'your-new-password-here'

Pass --user=mysql to mysqld_safe (or set user=mysql under [mysqld] in /etc/my.cnf). Started from a root shell without it, mysqld itself runs as root, which defeats the point of having created the mysql user. The mysqladmin line also leaves the new root password in your shell history and, briefly, in the process list; clear the history afterwards, or run /usr/local/mysql/bin/mysql_secure_installation instead, which prompts for the password and also removes the anonymous accounts and the test database.

Configure, make and install Apache

# cd /usr/local/src/httpd-2.2.21
# ./configure --prefix=/usr/local/httpd --enable-modules=all --enable-mods-shared=all --enable-so --enable-ssl
# make
# make install

This builds every module as a loadable .so. Before the server is exposed to anything, go through the LoadModule lines in /usr/local/httpd/conf/httpd.conf and comment out the modules the site does not use; each module that is loaded is code that runs on every request, so the list should be as short as your site allows.

Configure, make and install PHP

# cd /usr/local/src/php-5.3.8
# ./configure --with-mysql=/usr/local/mysql --with-apxs2=/usr/local/httpd/bin/apxs
# make
# make install
# cp php.ini-production /usr/local/lib/php.ini

Add the following lines to your httpd.conf file

AddType application/x-httpd-php .php .phtml
AddType application/x-httpd-php-source .phps

Insert them right after the following line:

AddType application/x-gzip .gz .tgz
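The AddType mapping works, but it pays to know how mod_mime reads it: every extension in a file name is consulted, not just the last one, so a file called upload.php.bak (any trailing extension that mime.types does not know) is still handed to PHP. That matters the moment a site accepts uploads. The fragment below is an added example, not configuration from the original post; it produces the same mapping with a handler anchored to the end of the file name, and the uploads directory path is an assumption for illustration.

```apache
# Added example (not the original post's httpd.conf). Bind the PHP handler
# to names that END in .php or .phtml; AddType looks at every extension
# in the name, a FilesMatch anchored with $ does not.
<FilesMatch "\.ph(p|tml)$">
    SetHandler application/x-httpd-php
</FilesMatch>

# Syntax-highlighted source for *.phps is a source-disclosure channel.
# Leave it off unless you need it; if you do, restrict it the same way.
#<FilesMatch "\.phps$">
#    SetHandler application/x-httpd-php-source
#</FilesMatch>

# Whatever handler mapping you use, an upload directory must never execute
# scripts. The directory path is an assumption for this example.
<Directory "/usr/local/httpd/htdocs/uploads">
    php_admin_flag engine off
    <FilesMatch "\.ph(p|tml|ps)$">
        Order deny,allow
        Deny from all
    </FilesMatch>
</Directory>
```

After editing, /usr/local/httpd/bin/apachectl -t confirms the file still parses, and requesting a deliberately misnamed file such as test.php.bak from the document root should come back as plain text, not as PHP output.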

Configure, make and install mod_perl

# cd /usr/local/src/mod_perl-2.0.5
# perl Makefile.PL MP_APXS=/usr/local/httpd/bin/apxs
# make
# make install

Add LoadModule config to your httpd.conf

LoadModule perl_module modules/mod_perl.so

Add that line where all the other LoadModule declarations are located.

And to finish it off…

Don’t forget your start-up scripts!
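As an added example (not a script from the original post), here is a minimal System V style init script for the source-built Apache, of the kind update-rc.d expects to find in /etc/init.d. The paths are the ones this article installs to; the pid-file location is Apache 2.2's default for that prefix, and the functions are kept separate from the dispatch so they can be exercised on their own.

```sh
#!/bin/sh
# /etc/init.d/httpd -- added example init script for the Apache built above.
# Not from the original post. Assumes the article's prefix /usr/local/httpd;
# PIDFILE is Apache 2.2's default pid-file location for that prefix.

APACHECTL=/usr/local/httpd/bin/apachectl
PIDFILE=/usr/local/httpd/logs/httpd.pid

# is_running PIDFILE: 0 if the file names a live process, 1 otherwise.
# A stale or garbage pidfile (typical after an unclean reboot) counts as
# "not running" instead of blocking the next start.
is_running() {
    _pf=$1
    [ -r "$_pf" ] || return 1
    _pid=$(head -n 1 "$_pf")
    case "$_pid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    kill -0 "$_pid" 2>/dev/null
}

httpd_start() {
    if is_running "$PIDFILE"; then
        echo "httpd already running (pid $(head -n 1 "$PIDFILE"))"
        return 0
    fi
    # Syntax-check first: a bad httpd.conf should fail loudly here rather
    # than leave the box without a web server after a reboot.
    "$APACHECTL" -t || return 1
    "$APACHECTL" -k start
}

httpd_stop() {
    if ! is_running "$PIDFILE"; then
        echo "httpd not running"
        return 0
    fi
    # graceful-stop lets in-flight requests finish before the children exit.
    "$APACHECTL" -k graceful-stop
}

httpd_status() {
    if is_running "$PIDFILE"; then
        echo "httpd running (pid $(head -n 1 "$PIDFILE"))"
        return 0
    fi
    echo "httpd not running"
    return 3    # LSB convention: 3 means the program is not running
}

init_main() {
    case "$1" in
        start)   httpd_start ;;
        stop)    httpd_stop ;;
        restart) httpd_stop && httpd_start ;;
        status)  httpd_status ;;
        *)       echo "Usage: $0 {start|stop|restart|status}" >&2; return 2 ;;
    esac
}

# Dispatch only when an action is given, so the file can also be sourced
# to reuse the functions.
if [ $# -gt 0 ]; then
    init_main "$@"
fi
```

Install it as /etc/init.d/httpd, make it executable, and register it with update-rc.d httpd defaults. Before the first start, /usr/local/httpd/bin/apachectl -t and /usr/local/httpd/bin/apachectl -M are the two checks worth running: the first confirms the configuration parses, the second lists the loaded modules, where php5_module and perl_module should both appear. MySQL needs no hand-written script; the source tree ships support-files/mysql.server, which can be copied to /etc/init.d/mysql and registered the same way.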

Conclusion

Once all the speed bumps are removed, installing from source is a piece of cake and doesn’t take long at all. Obviously, this is a very straightforward install and most of the time you’ll want to add several configuration options, especially to PHP. One thing to plan for: apt knows nothing about software built this way, so it will never patch it. From here on you own the updates for MySQL, Apache, PHP and mod_perl, which means following each project’s security announcements and rebuilding when a fix is released.

I hope that you found this useful.

OnCall for Nagios app

UPDATE AS OF OCTOBER 10, 2017: This app is no longer supported on iOS 11 and it appears that the author has abandoned the project.

I recently purchased this iPhone app for my iPad and iPhone in hopes that it would glean information out of Nagios and provide a clean, easy-to-use, summary.  It did exactly that.

However, there are a few good things and a few not-so-good things you should know.

The app was designed with the iPhone in mind.  If you’ve ever tried to acknowledge an alert using Safari on your iPhone, you know how tricky it can be.  It involves several steps and an incredibly small user interface which frequently gets fat-fingered.  OnCall for Nagios solves that.  It provides a concise summary of all network issues and allows you to filter issue types to see only what matters to you at that moment.  It also provides detailed information about individual problems and allows for quick and easy acknowledgement, rescheduling of the next check and even the scheduling of downtime.

Some things that I feel could have been done better are the documentation, FAQ and the support pages, which are pretty much non-existent.  There is a support page, but it contains nothing more than an email address for contacting the app author for support.  Luckily, the app is very intuitive and easy to configure, so this is not too much of an issue.  There is however one configuration gotcha.

When I configured the application initially, I was asked for the URL, but I wasn’t sure which URL it wanted; the URL in which I access Nagios from the web or the true path to the cgi-bin.  It turns out that it is the cgi-bin path that it wants.  Because this was ambiguous and because there is a lack of documentation, as mentioned previously, I had to email the author.  I first reached out to him at 8:30pm on a Saturday night.  I figured I would receive a reply sometime on Monday.  Wrong.  He replied in less than 30 minutes and quickly pointed me in the right direction with regards to the URL.  He was also very pleasant.

Something I would love to see is a version for the iPad.  Because it is an iPhone app, it’s actually better to use Safari on your iPad.

Pros: easy to navigate, easy to use, easy to configure, inexpensive, good support

Cons: lack of documentation, no iPad support

In conclusion, if you are using Nagios and an iPhone, this app is a must.  The not-so-great issues are small.  The upside is big.  Definitely worth the money.

http://itunes.apple.com/us/app/oncall-for-nagios/id431794127

Ethernet TLS vs. MPLS Pseudowire

Ethernet TLS in this comparison means Transparent LAN Service, the carrier product that delivers a customer’s Ethernet VLANs over a private line; it is unrelated to Transport Layer Security. Multiprotocol Label Switching (MPLS) is an encapsulation used in high-performance telecommunications networks which directs and carries data from one network node to the next. MPLS makes it easy to create “virtual links” between distant nodes. It can encapsulate packets of various network protocols.

MPLS is a highly scalable, protocol agnostic, data-carrying mechanism. In an MPLS network, data packets are assigned labels. Packet-forwarding decisions are made solely on the contents of this label, without the need to examine the packet itself. This allows one to create end-to-end circuits across any type of transport medium, using any protocol. The primary benefit is to eliminate dependence on a particular Data Link Layer technology, such as ATM, frame relay, SONET or Ethernet, and eliminate the need for multiple Layer 2 networks to satisfy different types of traffic. MPLS belongs to the family of packet-switched networks.

Comparison Matrix

Feature                              Traditional Ethernet   MPLS Virtual Circuit
Guaranteed Bandwidth                 No                     Yes
Path Protection                      No                     Yes
Next-Hop Security                    No                     Yes
Fast Reroute                         No                     Yes
Encapsulation Agnostic               No                     Yes
Control-Packet Restrictions          Yes                    No
Circuits Ride Over Public Internet   No                     No
Jumbo Frames                         Yes                    Yes
802.1Q Enabled                       Sometimes              Always

Comparison Matrix Details Explained

Guaranteed Bandwidth – Using the Resource Reservation Protocol with its traffic-engineering extensions (RSVP-TE), a label-switched path reserves bandwidth on every link along its route, so the capacity a customer pays for is actually set aside for that circuit rather than shared on a best-effort basis.

Path Protection – VLANs are typically linear. If VLANs are built in a ring topology, highly-unpredictable and antiquated technologies such as Spanning Tree Protocol (STP) must be used. VLANs are not typically built on inter-city circuits. MPLS circuits can use the underlying IGP routing to route around circuit failures.

Next-Hop Security – The IGP that carries the carrier’s core routes can authenticate every adjacency (OSPF and IS-IS both support keyed MD5 between neighbors), and the label-signaling sessions can be authenticated as well: LDP with the TCP MD5 signature option and RSVP-TE with its integrity object. A device that cannot produce the right key is never accepted as a next hop, which makes inserting a rogue router into the carrier core, a control-plane “man-in-the-middle”, very difficult. Be clear about what this does not cover: these mechanisms authenticate routing and signaling peers only. The customer frames inside the pseudowire travel in the clear, so MPLS provides traffic separation, not confidentiality. If the payload must be protected from anyone with access to the carrier’s equipment or fiber, encrypt it yourself (IPsec or MACsec) before it enters the circuit.
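As an added example (not configuration from this article), this is what the two control-plane authentication layers look like on a Cisco IOS provider-edge router: keyed-MD5 OSPF on the core-facing interface and a TCP MD5 password on the LDP session to the neighboring PE. Interface names, addresses and the key placeholders are assumptions for illustration.

```text
! Added example, Cisco IOS syntax. Addresses, interface names and the
! <...> key placeholders are assumptions; this is not from the post.
!
! 1. IGP hop-by-hop authentication: keyed MD5 on every OSPF adjacency
!    in area 0, with the key applied on the core-facing interface.
router ospf 1
 area 0 authentication message-digest
!
interface GigabitEthernet0/1
 description core link to PE2
 ip address 10.0.12.1 255.255.255.252
 ip ospf message-digest-key 1 md5 <ospf-key>
 mpls ip
!
! 2. LDP session authentication: TCP MD5 signature on the session to
!    PE2's LDP router ID. "password required" makes this router refuse
!    any LDP neighbor without a configured password, so every peer needs
!    a matching line, not just this one.
mpls ldp router-id Loopback0 force
mpls ldp password required
mpls ldp neighbor 10.255.0.2 password <ldp-key>
```

Verify with show ip ospf neighbor and show mpls ldp neighbor. An adjacency that never reaches FULL, or an LDP peer that never becomes operational, is exactly what you should see when the far side presents the wrong key; that failure is the protection working, not a fault to route around.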

Fast Reroute – MPLS Traffic Engineering Tunnels (MPLS-TE Tunnels) can be used throughout a core network. These tunnels are highly configurable. One of the great features is MPLS-TE Fast Reroute (MPLS-TE FRR). A primary and backup path are defined when the tunnels are built. Should the primary path fail, MPLS-TE moves the traffic onto the secondary path in SONET-like failover times, under 50 milliseconds, or 1/20th of a second. Classic 802.1D spanning tree, by contrast, needs two forward-delay timers (30 seconds by default) before a blocked port can forward, and up to 50 seconds if the max-age timer must expire first.

Encapsulation Agnostic – As the name implies, MPLS allows carriers to use several different encapsulation types to be very creative in circuit design, thus allowing them to be very price competitive. Traditional Ethernet VLANs are typically confined to Ethernet networks.

Control-Packet Restrictions – Ethernet control plane traffic is not passed from one network to another network unless expressly permitted. For instance, Cisco Discovery Protocol (CDP), Spanning Tree Protocol (STP) and VLAN Trunking Protocol (VTP) packets are not passed by default; they must be configured to be allowed to pass. Additionally, if your circuit goes through multiple different equipment vendors (Cisco, Juniper, Foundry/Brocade, Force 10, etc.) these packets may be stripped. MPLS passes all packets indiscriminately; all packets will reach their intended target. Plan for that on your side of the circuit: a pseudowire carries your STP BPDUs and CDP between sites, so the switches at both ends become one spanning-tree domain unless you filter those frames yourself.

Circuits Ride Over Public Internet – The most common misconception about MPLS is that MPLS services rides over the public Internet. This is almost never the case.

Jumbo Frames – Jumbo frames are available on Ethernet VLAN and MPLS services.

802.1Q Enabled – Traditional Ethernet VLAN private-line services can be configured to allow customers to pass their own 802.1Q tags most of the time. However, this is not enabled by default. As mentioned under Control-Packet Restrictions, MPLS indiscriminately passes all packets. Therefore, you may pass any 802.1Q tags you choose, all of the time, on any circuit that is MPLS from end to end.

Sources