The future is bright, the future is … green?

After years of hosting everything on Skynet on a series of home built PCs, I’ve migrated most of the hosted services to the good fellows at bytemark and I’m scaling skynet back to a leaner, greener machine.
Starting with a move to an ASRock A330GS. Future changes will include scaling back the PSU and getting a greener hard drive.

Moving from userland natd to kernel mode nat

For many many years, I’ve been happily running ppp, ipfw and natd on my FreeBSD router, starting in the early days with ppp -nat before needing more refined control and moving to userland natd.

Then I learned about kernel mode nat in ipfw2 so I thought I’d give that a go.

What had to be done:
Adding the following to the kernel config:
options LIBALIAS
options IPFIREWALL_NAT
If you don’t want to use a custom kernel (and from looking at the rc.d script), you should be able to set firewall_nat_enable="YES" in /etc/rc.conf and the correct module will be loaded on boot.

Removing:
add 50 divert natd all from any to any via tun0
from /etc/rc.firewall.script
Adding:
nat 1 config if tun0 log unreg_only
add 50 nat 1 ip4 from any to any via tun0
to /etc/rc.firewall.script

If you are using an Open or Client firewall, you can set:
firewall_nat_enable="YES"
firewall_nat_interface="tun0"
firewall_nat_flags="unreg_only"
in /etc/rc.conf
And don’t forget to set:
natd_enable="NO" in /etc/rc.conf if you’re switching from userland natd.

That’s got it working just as ipfw+natd used to; the stability/speed tests and real-world usage remain to be seen …

Fun with maildrop

Whilst I’m awaiting the resurrection of my /home drive I’ve had to resort to collecting my mail and storing it under a temporary account.

I decided to make a few changes to skynet based on the fact my spambayes db was stored on /home along with my .procmailrc, so SpamAssassin was integrated with sendmail and maildrop was set as the system-wide LDA.

Here is a fun line from my new (and still developing) .mailfilter file.
if ( /^List-Id:.+\<freebsd-(.*)\.freebsd\.org\>$/ )
TARGET="FreeBSD."$MATCH1""

Which automatically puts FreeBSD mailing list items into their own folder.

To clear up what was in my ever growing Inbox, it was a simple case of running

for file in *; do cat "$file" | maildrop; done

in a copy of ~/Mail/cur

Whilst it’s not quite as defined as my old .procmailrc I think I may like maildrop …

New skynet feature.

A new feature has been added to Skynet today, a self-managed service monitor.

The script is provided below and is free for use on a beerware license.

As usual it’s FreeBSD only.

Enjoy!

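—begin—
#!/bin/sh
# Restart any local rc.d service whose "status" command reports it is not running.

PATH=/sbin:/bin:/usr/sbin:/usr/bin

. /etc/rc.subr
load_rc_config 'XXX'

unset local_rc

# find_local_scripts_new (from rc.subr) fills ${local_rc} with the local rc.d scripts
find_local_scripts_new
servers=$(rcorder -s nostart ${local_rc} 2>/dev/null)

# Called with the words of "<script> status" as arguments, e.g.
# "foo is running as pid 1234." puts the pid in the 6th word.
# Returns 0 if the service is not running, non-zero if it is.
check_pid () {
    if [ -z "$6" ]
    then
        # no 6th parameter, assume not running
        return 0
    else
        # strip the trailing "." from the pid
        pid=${6%%.*}
        return $(ps -ax ${pid} | grep ${pid} | wc -l)
    fi
}

for server in ${servers}
do
    check_pid $(${prefix}${server} status)
    if [ ${?} -eq 0 ]
    then
        ${prefix}${server} start > /dev/null 2>&1
    fi
done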

eduroam + wpa_supplicant (+freebsd!) = success!

The title says it all really, but here are the gritty details:
—/etc/wpa_supplicant.conf—
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel

network={
    ssid="eduroam"
    scan_ssid=1
    key_mgmt=WPA-EAP
    eap=PEAP
    pairwise=CCMP TKIP
    group=CCMP TKIP
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
    identity="user@aber.ac.uk"
    password="userpassword"
}
===/etc/wpa_supplicant.conf===

—/etc/rc.conf—
ifconfig_ndis0="DHCP WPA"
===/etc/rc.conf===

—/etc/profile—
HTTP_PROXY=http://wwwcache.aber.ac.uk:8080/; export HTTP_PROXY
FTP_PROXY=http://wwwcache.aber.ac.uk:8080/; export FTP_PROXY
http_proxy=http://wwwcache.aber.ac.uk:8080/; export http_proxy
ftp_proxy=http://wwwcache.aber.ac.uk:8080/; export ftp_proxy
===/etc/profile===
Your wireless card may not be ndis0, and the other system config bits of rc.conf have been left out for conciseness.

You may also want to add the proxy info from /etc/profile to your other system-wide shell configs, but I’m a basher.
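
The network block above sets neither ca_cert nor a server-name match, and wpa_supplicant does not verify the server certificate when no CA is configured, so the PEAP/MSCHAPv2 exchange would be completed with whichever server answers for the eduroam SSID. The check below is an added example, not part of the original post: audit_wpa_conf and sample_conf are names chosen here, both sample blocks are constructed (the first is the post's block, abbreviated), and the second block's SSID, CA path and server domain are placeholders.

```sh
#!/bin/sh
# Added example, not from the original post. Prints "<ssid>: <finding>" for each
# WPA-EAP network block in a wpa_supplicant.conf that skips server validation.
audit_wpa_conf() {
    awk '
    function strip(v) { sub(/^[ \t]*"?/, "", v); sub(/"?[ \t]*$/, "", v); return v }
    /^[ \t]*#/ { next }                          # comment line
    /^[ \t]*network[ \t]*=[ \t]*[{]/ {           # block start: reset state
        inblk = 1; ssid = "?"; eap = ca = name = tkip = 0; next
    }
    inblk && /^[ \t]*[}]/ {                      # block end: report findings
        if (eap && !ca)   print ssid ": no ca_cert/ca_path, server certificate is not verified"
        if (eap && !name) print ssid ": no server name match configured"
        if (tkip)         print ssid ": TKIP allowed in pairwise/group"
        inblk = 0; next
    }
    inblk && (eq = index($0, "=")) {             # key=value line inside a block
        key = strip(substr($0, 1, eq - 1)); val = strip(substr($0, eq + 1))
        if (key == "ssid") ssid = val
        else if (key == "key_mgmt" && val ~ /WPA-EAP/) eap = 1
        else if (key == "ca_cert" || key == "ca_path") ca = 1
        else if (key ~ /^(domain_suffix_match|domain_match|altsubject_match|subject_match)$/) name = 1
        else if ((key == "pairwise" || key == "group") && val ~ /TKIP/) tkip = 1
    }
    ' "$@"
}

# Constructed sample: block 1 is the post's network block (abbreviated);
# block 2 adds server validation using placeholder CA path and domain.
sample_conf() {
    cat <<'EOF'
network={
ssid="eduroam"
key_mgmt=WPA-EAP
eap=PEAP
pairwise=CCMP TKIP
group=CCMP TKIP
}
network={
ssid="eduroam-checked"
key_mgmt=WPA-EAP
eap=PEAP
pairwise=CCMP
ca_cert="/path/to/institution-ca.pem"
domain_suffix_match="radius.example.org"
}
EOF
}
sample_conf | audit_wpa_conf
```

Run against a real file with `audit_wpa_conf /etc/wpa_supplicant.conf`; no output means every WPA-EAP block names a CA and a server name to match.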

All the pieces have arrived …

Now I just need to fit them together.

What we now have is:
the usb->serial adapter
the null modem cable
a shiny new 5 port switch
a shiny new ups (I know that wasn’t mentioned anywhere earlier, but it’ll make sense!)

debian-armel recognises the usb->serial adapter, so now what is needed is to find the optimal speed (probably 192,000) to use for console access TO skynet. This will probably involve de-tangling the conflicting and seemingly out of date information in the FreeBSD handbook on how to rebuild the bootblocks and kernel to run at the higher speed.

After that there is the test to see if the Netgear DM111 ADSL2+ Modem, FreeBSD + ng_pppoe and the pppoe implementation for deb-armel (anyone know?) can all work together over the new switch.
(Before anyone says anything, I’m not going to run two pppoe sessions at the same time, this is purely a hardware level test to see if it can be done as part of the failover)

After that, pretty much all that remains is the heartbeat fail-over (probably over tcp/ip rather than serial, not ideal but since the lan segment that is in use contains only Skynet, Junior and DM111 it shouldn’t result in false alerts).

Also, the UPS arrangement will be shuffled around, moving all the low-power devices (DM111, Junior, WPN802, FS116 (okay that makes me look like a netgear whore :-\ which I am!)) to one UPS and keeping skynet isolated on another. This should extend the amount of service life in the event of power-outages.
Depending on the management capabilities of the new UPS (it’s still in the shipping box in the boot of the car currently) some trickery with NUT may also be possible… we shall see.

It’s going to be a fun weekend!

Like the beating heart of a slug

Following a disk failure in skynet earlier today, I am embarking on a new project …

The ingredients are:
1 slug (LinkSys NSLU 2 for those wondering)
1 USB -> RS232 adapter
1 Null Modem Cable
1 Skynet

The end result will hopefully be:
A Debian (? probably debian) powered NSLU2 running a lan based heart-beat check with skynet which, when the heart-beat fails will take over the PPPoE session so that a static page of “He’s done it again, hang on folks” can be displayed as well as providing ssh access from the outside world to Skynet via Sluggy and the serial console provided by the usb->rs232+null modem.

That’s the plan at least …