IPv6: Broken by Design; Digital Ocean - How are we doing?

Recently, Digital Ocean (which I am a customer of) asked me "how they were doing". Well, yet another survey... Let's ignore this one for now... I thought some days ago.

And then yesterday, I added IPv6 support to my main mail server (which runs at Hetzner, Germany). All my hosted/rented/whatever systems report back to this main mailserver. Now that that main mail server finally has its AAAA record and its own IPv6 address, all associated systems try to reach this main mail server via IPv6. Of course.

Crippling IPv6 support by adding Port Blocks

But, then, I see messages like these in my syslog files on droplets hosted at Digital Ocean:

Apr 13 10:10:59 <do-droplet> postfix/smtp[23469]: connect to mail.<mydomain>[<ipv6-address>]:25: Connection timed out

After some more research [1], I realized that the folks out there at DO really apply some port blockings to IPv6 networks, but not to IPv4 networks. Pardon me? From my DO droplets, I can nmap any port on my mail server (25,80,143,443, 465, 587, etc.) via the IPv4 connection, but not over the IPv6 connection. Wait, not fully true: ports 80 and 443 are not blocked, but the other aforementioned ports are definitely blocked.

Is Digital Ocean a professional ISP or a WiFi hotspot provider at my nearest coffee place? (This really makes me scratch my head...).

Routing only the first 16 addresses of allocated /64 prefixes

Force Google Chrome / Chromium Browser to use WPAD proxy detection

At one of your school sites, we encountered an issue where several people could not access the internet via the school's proxy server when using Google Chrome / Chromium Browser

By default those two browser variants use the (Linux) system wide proxy settings. This is not always the best choice. For our setups, we prefer configuring proxy settings via WPAD [1].

We did not investigate each user profile for underlying reasons of not being able to connect via the site's proxy server in depth. Instead, we searched for a system-wide solution that easily enforces WPAD protocol usage when browsing the internet with Google Chrome / Chromium Browser.

From the command line, forcing Google Chrome / Chromium Browser into WPAD proxy mode is very easy. It can be done with the command line option --proxy-auto-detect:

[user@mymachine ~]$ chromium-browser --proxy-auto-detect

To enforce launching these two browser variants with --proxy-auto-detect whenever users click onto icons provided on the Linux desktop, you can simply follow the below recipe:

  1. Create /usr/local/share/applications/ unless it already exists
  2. Copy /usr/share/applications/google-chrome.deskop to /usr/local/share/applications/.
  3. Copy /usr/share/applications/chromium-browser.deskop to /usr/local/share/applications/.
  4. Set the x-bit on those .desktop files: sudo chmod a+x /usr/local/share/applications/*.desktop

Pushing X.org Git repos to Github et al.

TL;DR;

If you want to know why cloning several of the X.org repositories to Github or GitLab instances fails and how this can be worked around, you may want to continue reading.

Why we stumbled over this issue...

As a joint effort of the Arctica Project, TheQVD and X2Go, Ulrich Sibiller and I are currently preparing a build workflow for the nxagent X-server (version 3) [1] that allows building nxagent against the modular X.org 7.0 (using autoconf and automake) rather than the monolithic build workflow of X.org 6.9 (using ancient imake).

Our goal is to rewind all X.org components required for building nxagent back to a state where nxagent successfully builds and runs. Then we will go through various, (probably) monthly cycles of

  • bumping commit level of required X.org components
  • rebuild and test nxagent
  • fix FTBFS, if any
  • fix broken functionality, if any

Our first hurdle...

After Ulrich now has a functioning nxagent-against-X.org-7.0-workflow locally, we want to get everything into the Arctica Project's Github namespace. Which fails...

[mike@minobo xorg.upstream]$ git clone https://anongit.freedesktop.org/git/xorg/lib/libX11.git
Cloning into 'libX11'...
remote: Counting objects: 18520, done.
remote: Compressing objects: 100% (3441/3441), done.
remote: Total 18520 (delta 15094), reused 18325 (delta 14954)
Receiving objects: 100% (18520/18520), 5.98 MiB | 549.00 KiB/s, done.
Resolving deltas: 100% (15094/15094), done.

My FLOSS activities in February 2016

February 2016 has been a very active month regarding me contributing to the FLOSS world.

  • Finalizing MATE uploads to Debian with regards to the Beta 1 Freeze of Ubuntu 16.04
  • Work on RDP related packages in Debian
  • Work on Debian Edu related packages
  • Work on Debian LTS
  • Work on nx-libs (NX v3)

Honouring my Sponsors

I am happy to share that this month's FLOSS work has been sponsored by various sponsors.

  • Work on the packages mate-dock-applet, topmenu-gtk and getting GIR-support back into libwnck has been sponsored by Martin Wimpress, the main driving force (AFAIK) behind Ubuntu MATE [1].
  • Work on Debian LTS has been sponsored by the various Debian LTS sponsors proxied through Freexian SARL (thanks to Raphael Hertzog for organizing the paid LTS contributors team via his company) [2].
  • Work on nx-libs has been sponsored by the Qindel Group [3].

Thanks to all people and companies sponsoring my work on FLOSS projects.

This month's MATE uploads to Debian

With regards to the Beta 1 Freeze date of Ubuntu 16.04 LTS (18th Feb 2016), Martin Wimpress, Vangelis Mouhtsis and I performed quite some work on Debian MATE.

Uploads to Debian unstable:

  • caja 1.12.4-2 [4]
  • mate-menu 5.6.8-1 [5]
  • mate-panel 1.12.2-1 [6]
  • mate-dock-applet 0.67-3 (NEW) [7]
  • mate-polkit 1.12.0-3 [8]
  • eom 1.12.2-1 [9]
  • pluma 1.12.2-1 [10]

Systemd based network setup on Debian Edu jessie workstations

This article describes how to use systemd-networkd on Debian Edu 8.x (aka jessie) notebooks.

What we have to deal with?

At the schools we support we have several notebooks running Debian Edu 8.x (aka jessie) in the field.

For school notebooks (classroom sets) we install the Debian Edu Workstation Profile. Those machines are mostly used over wireless network.

We know that Debian Edu also offers a Roaming Workstation Profile at installation time, but with that profile chosen, user logins create local user accounts and local home directories on the notebooks (package: libpam-mklocaluser). For our customers, we do not want that. People using the school notebooks shall always work on their NFS home directories. School notebooks shall not be usable outside of the school network.

Our woes...

The default setup on Debian Edu jessie workstations regarding networking is this:

  • systemd runs as PID 1
  • ifupdown manages static network interfaces (eth0, etc.)
  • NetworkManager manages wireless network interfaces
  • for our customers we configured NetworkManager with a system-wide WiFi (WPA2-PSK) profile

We have observed various problems with that setup:

  • By default, network interface eth0 is managed by ifupdown (via /etc/network/interfaces):
    auto eth0
    iface eth0 inet dhcp
    

    Woe no. 1: In combination with systemd, this results in a 120sec delay at system startup.

Résumé of our Edu Workshop in Kiel (26th - 29th January)

In the last week of January, the project IT-Zukunft Schule (Logo EDV-Systeme GmbH and DAS-NETZWERKTEAM) had visitors from Norway: Klaus Ade Johnstad and Linnea Skogtvedt from LinuxAvdelingen [1] came by for exchanging insights, knowledge, technology, stories regarding IT services at school in Norway and Nothern Germany.

This was our schedule...

Tuesday

  • 3pm – Arrival of Klaus Ade and Linnea, meet up at LOGO with coffee and cake
  • 4pm – Planning the workshop, coming up with an agenda for the next two days (Klaus Ade, Andreas, Mike)
  • 5pm – Preparing OPSI demo sites (Mike, Linnea)
  • 8pm – Grünkohl and Rotkohl and ... at Traum GmbH, Kiel (Klaus Ade, Linnea, Andreas, Mike)

Wednesday

  • 8.30am – more work on the OPSI demo site (Mike, Linnea)
  • 10am – pfSense (esp. captive portal functionality), backup solutions (Klaus Ade, all)
  • 11am – ITZkS overlay packages, basic principles of Debian packaging (Mike, special guests: Torsten, Lucian, Benni)
  • 12am-2pm – lunch break
  • 2pm – OPSI demonstration, discussion, foundation of the OpsiPackages project [2] (Mike)
  • 4pm – Puppet (Linnea)
  • 7pm – dinner time (eating in, Thai fast food :-) )
  • 20pm – Sepiida hacking (Mike, Linnea), customer care (Andreas, Klaus Ade)
  • 22:30pm – zZzZzZ time...

Thursday

My FLOSS activities in January 2016

In January 2016 I was finally able to work on various FLOSS topics again (after two months of heavily focussed local customer work):

  • Upload of MATE 1.12 to Debian unstable
  • Debian LTS packaging and front desk work
  • Other Debian activies
  • Edu Workshop in Kiel
  • Yet another OPSI Packaging Project

Upload of MATE 1.12 to Debian testing/unstable

At the beginning of the new year, I finalized the bundle upload of MATE 1.12 to Debian unstable [1]. All uploaded packages are available in Debian testing (stretch) and Ubuntu xenial by now. MATE 1.12 will also be the version shipped in Ubuntu MATE 16.04 LTS.

Additionally, I finally uploaded caja-dropbox to Debian unstable (non-free), thanks to Vangelis Mouhtsis and Martin Wimpress for doing first steps preparations. The package has already left Debian's NEW queue, but unfortunately has been removed from Debian testing (stretch) again due to build failures in one of its dependencies.

Debian LTS work

In January 2016 I did my first round of Debian LTS front desk work [2]. Before actually starting with my front desk duty, I worked myself through the documentation and found it difficult to understand the output of the lts-cve-triage.py script. So, I proposed various improvments to the output of that script (all committed by now).

During the second week of January then, I triaged the following packages regarding known/open CVE issues:

  • isc-dhcp (CVE-2015-8605)
  • gosa (CVE-2015-8771, CVE-2014-9760)
  • roundcube (CVE-2015-8770)

My FLOSS activities in December 2015

December 2015 was a month mainly dedicated to work for local contractors (local schools mainly) and my employer (University of Kiel, Git server migration).

At the end of the month I had the privilege of attending the 32c3 ([1]) where we had a little sprint for the Arctica Project. Thanks to my family and esp. to my wonderful wife for letting me attend this always fascinating event at the end of each year.

Horde Hacking

One of my local customers is really interested in using a non-gated-community mail provider, so he asked me to host his company's mail addresses on my mail company's server. Something I regularly don't offer (anymore) except for dear friends and very patient customers.

This customer sponsored several more work hours on hacking on the Kolab_Storage code in Horde and proposing bug fixes upstream [2,3,4,5,6,7,8]. Thanks for supporting my work on the Horde Groupware Framework. Thanks to Horde upstream maintainers (esp. Michael Rubinsky) for reacting on my bug submissions so promptly.

Debian and Debian LTS

Locally, I did a lot of work for our Debian Edu / Skolelinux customers again this months.

MATE 1.12 landed in Debian unstable

Yesterday, I did a bundle upload of all MATE 1.12 related packages to Debian unstable. Packages are currently building for the 22 architectures supported by Debian, build status can be viewed on the DDPO page of the Debian MATE Packaging Team [1]

Again a big thanks to the packaging team. Martin Wimpress amongst others did a fabulous job in bumping all packages towards the 1.12 release series before the Christmas holidays. Over the holidays, I was able to review his work (99% perfect) and upload all binary packages to a staging repository.

@Martin Wimpress: It is really time that we make a DM (Debian Maintainer) out of you!!!

After testing all MATE 1.12 packages on a Debian unstable system, I decided to do a bundle upload yesterday.

Lessons learned about bundling Debian uploads

It absolutely makes sense to hold back package uploads of a project like the MATE desktop until all relevant packages are reviewed, pre-built and tested.

When releasing MATE packages via the team's packaging Git [2], there are normally two actions to be taken on a package release:

  • commit "upload to unstable (debian/<pkg-version>)
  • tag that commit with "Debian release <pkg-version>

When reviewing so many Git projects, it is always problematic that people commit something else during the review phase. Especially, if the review work involves many packages (i.e., Git packaging repos) and requires several days or even weeks to get finished.

NEW: Arctica Project Mailing Lists

During our development sprint at 32c3 [1] and remote, we managed to get our--long awaited--mailing list server online:

Happy subscribing to those who are interested in remote desktop computing on Linux.

Disclaimer: Please note that the Arctica Project is still in its infancy and we hope to have first releases during the upcoming year. Also we actively and intensively continue maintenance of what was formerly known as NX (version 3) [2].

light+love
Mike

[1] https://events.ccc.de/category/32c3/ (traditionally down during the event)
[2] https://github.com/ArcticaProject/nx-libs

Syndicate content