Getting FreeNFS Working (With VirtualBox)

December 18, 2015

I had considerable issues achieving this using an Oracle VirtualBox Linux guest and Windows 7. The solution seems to be using this version of FreeNFS with Windows and some specific mount command parameters in Linux, via a VirtualBox NAT interface. The command syntax I used within the (Ubuntu) Linux guest was this:

    sudo mount -v -t nfs -o nolock,nfsvers=3,proto=tcp,port=2049,sec=none server_name_or_ip:/ /mnt/nfs

The output on success looked like this:

    mount.nfs: timeout set for Mon Dec 21 15:12:36 2015
    mount. ...

Rancher Answer File Locations

December 14, 2015

They are here:

    /var/lib/cattle/etc/cattle/dns/answers.json
    /var/lib/cattle/etc/cattle/metadata/answers.json

The DNS answers file has specific entries detailing the answers to be provided to each querying container Rancher is aware of (and controls). Containers running outside of Rancher cannot query this server; the Rancher External DNS server can be used to overcome this. Containers using host-mode networking with the io.rancher.container.dns: true label receive the answers detailed in the «default» section. DNS services are provided by the Rancher DNS server, which runs on each host in the Network Agent container. ...

HAProxy Rewrite Insecure Redirects

December 8, 2015

This is often a problem where HAProxy terminates SSL/TLS but the origin web servers speak plain HTTP. When the origin sends a redirect, the URL in the Location header uses the http:// scheme rather than https://. This breaks things when your proxy is not also listening on HTTP and redirecting to HTTPS, and even when it is, the client ends up following two redirects instead of one, which is far from efficient anyway. You can use something like this in a frontend or backend: ...
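One way to handle this, written out here as an added example rather than the post's own configuration: tell the origin which scheme the client used, so a well-behaved application builds https:// links itself, and rewrite any http:// Location header that still comes back. The certificate path and the origin address are assumptions, and http-response replace-header needs HAProxy 1.6 or later.

```haproxy
# Added example, not the post's configuration. Assumed: the certificate
# path and the origin address.
frontend fe_http
    bind :80
    # One redirect for plain-HTTP clients; everything else is served over TLS
    http-request redirect scheme https code 301

frontend fe_https
    bind :443 ssl crt /etc/haproxy/site.pem
    # Lets an origin that honours the header build https:// links itself
    http-request set-header X-Forwarded-Proto https
    default_backend be_web

backend be_web
    server web1 10.0.0.10:80 check
    # Fallback for redirects the origin still issues with the http:// scheme.
    # ssl_fc is true only when the client connection was TLS, so responses
    # that genuinely went out over plain HTTP are left alone.
    http-response replace-header Location ^http://(.*)$ https://\1 if { ssl_fc }
```

The regex rewrites every http:// Location, including redirects the application sends to other hosts; anchor it to your own hostname if the origin legitimately redirects to HTTP-only third parties. On HAProxy 1.5 the equivalent was `rspirep ^Location:\ http://(.*) Location:\ https://\1 if { ssl_fc }`; rsprep/rspirep were removed in 2.1.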

HAProxy Insert Security Response Headers

December 5, 2015

It’s up to you to decide if these are worthwhile.

Adding Headers Unconditionally

These will add the headers regardless of whether they are already present or not. This can result in duplicate headers in a single response. I’ve not found this to be a problem but it’s certainly sub-optimal. Valid in the listen, frontend or, probably most appropriately, backend sections. Note that add-header takes the header name and its value as two separate arguments (no colon after the name), and any space inside the value must be escaped with a backslash or HAProxy will refuse the line:

    backend some_name
        http-response add-header X-Frame-Options SAMEORIGIN   # Or DENY
        http-response add-header X-XSS-Protection 1;\ mode=block
        http-response add-header X-Content-Type-Options nosniff
        http-response add-header Strict-Transport-Security max-age=31536000;\ includeSubDomains;\ preload
        http-response add-header Referrer-Policy no-referrer

Adding Headers Conditionally

To avoid duplicate headers, use some ACLs to check for their existence. ...
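The conditional form the post goes on to describe, written out as an added example (not the post's own configuration; the origin address is an assumption). An anonymous ACL with -m found on each response header keeps the origin's own value when it sent one, and HSTS is sent only on TLS responses, since browsers ignore it over plain HTTP. X-XSS-Protection is left out because current browsers have removed the XSS auditor it controlled, and preload is omitted because submitting a domain to the browser preload list is hard to undo.

```haproxy
# Added example, not the post's configuration. Assumed: the origin address.
backend be_web
    server web1 10.0.0.10:80 check

    # Only add a header when the origin did not already send it, so the
    # application's own policy is kept and no duplicates are produced.
    http-response add-header X-Frame-Options SAMEORIGIN unless { res.hdr(X-Frame-Options) -m found }
    http-response add-header X-Content-Type-Options nosniff unless { res.hdr(X-Content-Type-Options) -m found }
    http-response add-header Referrer-Policy no-referrer unless { res.hdr(Referrer-Policy) -m found }

    # HSTS: set-header replaces whatever the origin sent, and the condition
    # restricts it to responses that actually went to the client over TLS.
    http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubDomains if { ssl_fc }
```

set-header is the simpler way to avoid duplicates for any of these headers, but it overrides the application's choice; the add-header ... unless form is the one to use where the application is allowed to be stricter than the proxy.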

Pacemaker Constraints

November 27, 2015

Add a location constraint using this command:

    $ pcs constraint location VIP-10.11.12.99 prefers 10.11.12.200=50

Display any current constraints with this:

    $ pcs constraint --full
    Location Constraints:
      Resource: VIP-10.11.12.99
        Enabled on: 10.11.12.200 (score:50) (id:location-VIP-10.11.12.99-10.11.12.200-50)
      Resource: VIP-10.11.12.100
        Enabled on: 10.11.12.220 (score:50) (id:location-VIP-10.11.12.100-10.11.12.220-50)
    Ordering Constraints:
    Colocation Constraints:

Or this:

    $ crm_resource -a -r resource_name
    * VIP-10.11.12.99
      : Node 10.11.12.10 (score=-INFINITY, id=cli-ban-VIP-10.11.12.99-on-10.11.12.10)
      : Node 10.11.12.11 (score=50, id=location-VIP-VIP-10.11.12.99-10.11.12.10-50)

Remove a constraint like so: ...

ICMP Redirect Linux Kernel Settings

November 27, 2015

ICMP Redirects

You can check the current settings like so:

    $ sysctl net.ipv4.conf.default.accept_redirects
    net.ipv4.conf.default.accept_redirects = 1
    $ sysctl net.ipv4.conf.default.secure_redirects
    net.ipv4.conf.default.secure_redirects = 1
    $ sysctl net.ipv4.conf.default.shared_media
    net.ipv4.conf.default.shared_media = 1
    $ sysctl net.ipv6.conf.default.accept_redirects
    net.ipv6.conf.default.accept_redirects = 1

The accept_redirects setting enables acceptance of ICMP redirects, which let another host on the link change this host's route to a destination; a host that is not a router should normally have it disabled for both IPv4 and IPv6. The secure_redirects setting, if enabled, ensures only redirects from a gateway already known on that interface are accepted (if accept_redirects is itself enabled); it is overridden by shared_media. The shared_media setting informs the kernel whether the physical network connected to an interface is a shared medium, in which case RFC 1620 shared-media redirects are sent (router) or accepted (host). ...
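A hardening script for this, as an added example that is not part of the original post, in POSIX sh. It audits, applies and persists the settings for every interface directory rather than only default, because with forwarding off the kernel accepts a redirect if either conf/all or conf/<interface> allows it (the same OR rule applies to secure_redirects and send_redirects), and it adds send_redirects, which a host that is not a router has no reason to emit. The PROC_ROOT override and the sysctl.d file name are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original post: audit, apply and persist the ICMP
# redirect settings for a host that is not a router.
#
# Assumptions: PROC_ROOT lets the functions read a copy of /proc/sys (or a
# constructed tree) instead of the live kernel; the sysctl.d file name is an
# arbitrary choice.
PROC_ROOT="${PROC_ROOT:-/proc/sys}"
SYSCTL_FILE="${SYSCTL_FILE:-/etc/sysctl.d/60-icmp-redirects.conf}"

# Print the wanted settings as "<path under /proc/sys>=<value>", one per line.
# Every interface directory is covered, not just "default": with forwarding
# off, the kernel accepts a redirect if EITHER conf/all OR conf/<iface> allows
# it, and the same OR rule applies to secure_redirects and send_redirects, so
# an existing interface left at 1 keeps the feature enabled. "default" only
# seeds interfaces created later. IPv6 has only accept_redirects.
desired_settings() {
    root="$1"
    for dir in "$root"/net/ipv4/conf/*/; do
        [ -d "$dir" ] || continue
        i=$(basename "$dir")
        printf 'net/ipv4/conf/%s/accept_redirects=0\n' "$i"
        printf 'net/ipv4/conf/%s/secure_redirects=0\n' "$i"
        printf 'net/ipv4/conf/%s/send_redirects=0\n' "$i"
    done
    for dir in "$root"/net/ipv6/conf/*/; do
        [ -d "$dir" ] || continue
        printf 'net/ipv6/conf/%s/accept_redirects=0\n' "$(basename "$dir")"
    done
}

# Print each setting whose current value differs from the wanted one. Empty
# output means the host is compliant.
audit_redirects() {
    root="${1:-$PROC_ROOT}"
    desired_settings "$root" | while IFS='=' read -r key want; do
        have=$(cat "$root/$key" 2>/dev/null || echo '?')
        [ "$have" = "$want" ] || printf '%s is %s, want %s\n' "$key" "$have" "$want"
    done
}

# Runtime change: writing the /proc/sys file is exactly what "sysctl -w" does.
# Needs root on the live tree.
apply_redirects() {
    root="${1:-$PROC_ROOT}"
    desired_settings "$root" | while IFS='=' read -r key want; do
        echo "$want" > "$root/$key"
    done
}

# sysctl.d(5) lines for the interfaces present now. Keys are written with "/"
# as the first separator, which sysctl(8) and systemd-sysctl both accept, so
# an interface name containing a dot (e.g. eth0.100) is not split by the
# dotted notation.
persist_lines() {
    desired_settings "${1:-$PROC_ROOT}" | sed 's/=/ = /'
}

case "${1-}" in
    audit)   audit_redirects ;;
    apply)   apply_redirects && audit_redirects ;;
    persist) persist_lines > "$SYSCTL_FILE" && sysctl -q -p "$SYSCTL_FILE" ;;
esac
```

Run it as `sh harden-redirects.sh audit` to list non-compliant keys, `apply` (as root) to change the running kernel and re-audit, and `persist` (as root) to write the drop-in and load it. Interfaces that appear after boot inherit default, so the persisted file plus default=0 covers them; interfaces that exist before sysctl.d is applied are the reason the per-interface lines are included.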

IPv6 Unicast Address Maximum Linux Kernel Setting

November 27, 2015

Unicast Address Number

This setting defines the maximum number of autoconfigured (SLAAC) global unicast IPv6 addresses the kernel will create on a single interface; addresses assigned manually are not counted against it. Setting it to zero removes the limit, which is not recommended, since a flood of Router Advertisements could then be used to exhaust kernel memory. You can check the current setting like so:

    $ sysctl net.ipv6.conf.default.max_addresses
    net.ipv6.conf.default.max_addresses = 16

Note: The default keyword sets the value that new interfaces inherit when they are created; interfaces that already exist keep their own setting (even if it happens to match). You can replace it with either a specific interface name (so the setting applies only to that interface) or the keyword all. For many keys the kernel combines the all value with the per-interface value rather than overwriting it, and the exact rule (AND, OR, or per-interface only) is documented per key in the kernel's ip-sysctl documentation. ...

TCP MSS Linux Kernel Setting

November 27, 2015

Maximum Segment Size (MSS)

You can check the current setting like so:

    $ sysctl net.ipv4.route.min_adv_mss
    net.ipv4.route.min_adv_mss = 256

The MSS advertised by the host depends on the first hop route MTU, but will never be lower than this setting.

Dynamic Configuration

To change the running configuration, use this command (as root) with your desired value:

    $ sysctl -w net.ipv4.route.min_adv_mss=NNN

You can confirm like so:

    $ sysctl net.ipv4.route.min_adv_mss

Permanent Configuration

To make this setting persistent across reboots, edit the /etc/sysctl. ...

TCP SYN Retries Linux Kernel Setting

November 27, 2015

SYN Retries

Number of times the initial SYN of an outgoing (active open) connection is retransmitted if no response is received. A lower value means less memory tied up in pending connection attempts and faster failure against unreachable hosts, but on lossy networks a value of 5 or more is probably worthwhile. Note that this setting does not affect incoming connections: retransmission of SYN-ACKs for half-open connections, which is what a SYN flood exhausts, is controlled by net.ipv4.tcp_synack_retries. Also see the SYN Cookies section. You can check the current setting like so:

    $ sysctl net.ipv4.tcp_syn_retries
    net.ipv4.tcp_syn_retries = 6

The interval between each resend is doubled every time, starting from the initial RTO, which is 1s on kernels since 3.1 (3s on older kernels), so the default of 6 gives a final retransmission at 63s and a connection timeout of 127s. ...

TCP TTL Linux Kernel Setting

November 26, 2015

Time to Live (TTL)

Simply the maximum number of hops a packet may travel before it is discarded. The TTL can also be specified on a per destination network basis. You can check the current setting like so:

    $ sysctl net.ipv4.ip_default_ttl
    net.ipv4.ip_default_ttl = 64

Dynamic Configuration

To change the running configuration, use this command (as root) with your desired value:

    $ sysctl -w net.ipv4.ip_default_ttl=NN

You can confirm like so:

    $ sysctl net.ipv4.ip_default_ttl

Permanent Configuration

To make this setting persistent across reboots, edit the /etc/sysctl. ...

© 2015 - 2016 Some Guy. All rights reserved.