vincent.bernat.ch
SSH offers several forms of authentication, such as passwords and public keys. The latter are considered more secure. However, password authentication remains prevalent, particularly with network equipment.1 A classic solution to avoid typing a password for each connection is sshpass, or its more correct variant passh. Here is a wrapper for Zsh, getting the password from pass, a simple password m
Jerikan+Ansible: a configuration management system for network There are many resources for network automation with Ansible. Most of them only expose the first steps or limit themselves to a narrow scope. They give no clue on how to expand from that. Real network environments may be large, versatile, heterogeneous, and filled with exceptions. The lack of real-world examples for Ansible deployments
My most loathed feature of Go was the mandatory use of GOPATH: I do not want to put my own code next to its dependencies. I was not alone and people devised tools or crafted their own Makefile to avoid organizing their code around GOPATH. Hopefully, since Go 1.11, it is possible to use Go’s modules to manage dependencies without relying on GOPATH. First, you need to convert your project to a modul
Hosting videos on YouTube is convenient for several reasons: pretty good player, free bandwidth, mobile-friendly, network effect and, at your discretion, no ads.1 On the other hand, this is one of the least privacy-friendly solutions. Most other providers share the same characteristics, except the ability to disable ads for free. With the <video> tag, self-hosting a video is simple:2 <video controls>
In a previous post, I highlighted some useful features of systemd when writing a service in Go, notably to signal readiness and prove liveness. Another interesting bit is socket activation: systemd listens on behalf of the application and, on incoming traffic, starts the service with a copy of the listening socket. Lennart Poettering details in a blog post: If a service dies, its listening socket
A common way to establish an IPsec tunnel on Linux is to use an IKE daemon, like the one from the strongSwan project, with a minimal configuration:1

    conn V2-1
      left = 2001:db8:1::1
      leftsubnet = 2001:db8:a1::/64
      right = 2001:db8:2::1
      rightsubnet = 2001:db8:a2::/64
      authby = psk
      auto = route

The same configuration can be used on both sides. Each side will figure out if it is “left” or “right.” The IPs
TL;DR With its implementation of IPv4 routing tables using LPC-tries, Linux offers good lookup performance (50 ns for a full view) and low memory usage (64 MiB for a full view). During the lifetime of an IPv4 datagram inside the Linux kernel, one important step is the route lookup for the destination address through the fib_lookup() function. From essential information about the datagram (source a
Unlike other programming languages, Go’s runtime doesn’t provide a way to reliably daemonize a service. A system daemon has to supply this functionality. Most distributions ship systemd which would fit the bill. A correct integration with systemd is quite straightforward. There are two interesting aspects: readiness & liveness. As an example, we will daemonize this service whose goal is to answer
Update (2019-07) Go 1.11 introduces modules to manage dependencies without using GOPATH. While some aspects of the Makefile presented here are still relevant (fetching tools, running tests), the main point becomes moot. See the updated version of this guide. My most loathed feature of Go is the mandatory use of GOPATH: I do not want to put my own code next to its dependencies. Hopefully, this issu
TL;DR Do not enable net.ipv4.tcp_tw_recycle—it doesn’t even exist anymore since Linux 4.12. Most of the time, TIME-WAIT sockets are harmless. Otherwise, jump to the summary for the recommended solutions. The Linux kernel documentation is not very helpful about what net.ipv4.tcp_tw_recycle and net.ipv4.tcp_tw_reuse do. This lack of documentation opens the path to numerous tuning guides advising to
Checking if your servers are configured correctly can be done with IT automation tools like Puppet, Chef, Ansible or Salt. They allow an administrator to specify a target configuration and ensure it is applied. They can also run in a dry-run mode and report servers not matching the expected configuration. On the other hand, serverspec is a tool to bring RSpec, a testing tool for the Ruby programmi
While quite old-fashioned, SNMP is still a ubiquitous protocol supported by most network equipment. It comes in handy to expose various metrics, like network interface counters, to be gathered for the purpose of monitoring. It can also be used to retrieve and modify equipment configuration. Variables exposed by SNMP agents (servers) are organized inside a Management Information Base (MIB) which is
When it comes to providing redundant services, several options are available: The service can be hosted behind a set of load-balancers. They will detect any faulty node. However, you need to ensure that this new layer is also fault-tolerant. The nodes providing the service can rely on IP failover to share a set of IPs using protocols like VRRP1 or CARP. The IP address of a faulty node will be assigne
When starting a new HTML project, a common base is HTML5 Boilerplate that helps by setting up the essential bits. Such a template is quite useful for both beginners and experienced developers as it is kept up-to-date with best practices and it avoids forgetting some of them. Recently, I have started several small projects written in C for a customer. Each project was bootstrapped from the previous
There are three main ways to distribute a command-line daemon for macOS: Distributing source code and instructions on how to compile it. Using a third-party package manager, like Homebrew. Providing an installer package. Homebrew: Homebrew is a popular package management system. It works like the BSDs’ ports collections by downloading, compiling and installing the requested software, while also in
Virtual eXtensible Local Area Network (VXLAN) is a protocol to overlay a virtualized L2 network over an existing IP network with little setup. It is currently described in an Internet-Draft. It adds the following perks to VLANs while still providing isolation: It uses a 24-bit VXLAN Network Identifier (VNI) which should be enough to address any scale-based concerns of multitenancy. It wraps L2 fra
To experiment with network stuff, I was using UML-based network labs. Many alternatives exist, like GNS3, Netkit, Marionnet or Cloonix. All of them are great viable solutions but I still prefer to stick to my minimal home-made solution with UML virtual machines. Here is why: I didn’t want to use disk images. They take a lot of space and they have to be maintained. They also become cluttered, espec
By date

- Crafting endless AS paths in BGP (July 2024)
- Why content providers need IPv6 (June 2024)
- Non-interactive SSH password authentication (November 2023)
- DDoS detection and remediation with Akvorado and Flowspec (March 2023)
- Building a SQL-like language to filter flows (February 2023)
- Hacking the Geberit Sigma 70 flush plate (February 2023)
- More…
- Fast and dynamic encoding of Protocol Buffers in Go (Februar
Deprecation notice: The information presented in this article is outdated since the route cache has been removed from Linux 3.6. Instead, take a look at “IPv4 route lookup on Linux.” The route cache is a Linux kernel component enabling route lookups to be faster by caching the results in some table and checking it before issuing a regular lookup in the route tables. When using Linux as a router, t
Once the private key of some HTTPS web site is compromised, an attacker is able to build a man-in-the-middle attack to intercept and decrypt any communication with the web site. The first step against such an attack is the revocation of the associated certificate through a CRL or a protocol like OCSP. Unfortunately, the attacker could also have recorded past communications protected by this privat
A month ago, I published an article on the compared performance of stunnel, nginx and stud as TLS terminators. The conclusion was to use stud on a 64-bit system, with session caching and AES. stunnel was unable to scale properly and nginx exhibited important latency issues. I got constructive comments on many aspects. Therefore, here is the second round. The protagonists are the same but both the
Session reuse is one of the most important mechanisms to improve TLS performance: by submitting an appropriate blob to the server, a client can trigger an abbreviated handshake, improving latency and computation time. There exist two distinct ways to achieve session reuse: session identifiers as described in RFC 5246 and session tickets as depicted in RFC 5077. Update (2018-08) While the content o
Here is the short version: to get better performance on your TLS terminator, use stud on a 64-bit system with the patch from Émeric Brun for TLS session reuse, with some AES cipher suite (128 or 256, does not really matter), without DHE, on as many cores as needed, and a key size of 1024 bits unless more is needed. Update (2011-10) I received some constructive comments about these tests. After reading this a
Ten years ago, I started to use Zsh, a shell designed for interactive use but which is also powerful for scripting usage. I had a fairly comprehensive .zshrc file split in several parts. I have decided to rewrite it for several reasons: I did not take advantage of several features of Zsh, like some advanced parameter expansion, arrays, arithmetic expressions and other built-in features. There were