So I’ve Made the Switch from SVN to Git…

…and I’m bloody delighted. 

The straw finally came when Nick forced my hand for a project we wanted to release through our work in INEX. I was pushing for Google Code but he had his heart set on GitHub. Now, in fairness, GitHub has some SVN bindings but after some research, I decided to dive right in.

Now, there’s both a steep learning curve and a complete change of mindset required in moving from centralised source code management (SCM) with SVN to the distributed model of Git. In the end, most projects will decide on a canonical Git repository anyway, which pushes you slightly back towards centralised, but there’s still a world of a difference.

So, what’s so good about Git? Well, lots. But first and foremost is its exceptionally powerful yet simple branching and merging that just works. And works fast – remember, with Git everything is local.

One work flow that used to kill me in SVN was that you’d be implementing feature X but someone needed bug Y fixed immediately involving some of the same code. Getting just the fix for Y in was tough and complicated. And branching in SVN isn’t quick or simple. In Git, I branch from the main development branch for every new feature, bug fix, etc and then merge what I need between them and back into develop when they’re ready to be pushed back to the agreed canonical repository.

I’ve been so impressed with Git that I’ve moved an open source project we created in Open Solutions over to GitHub: ViMbAdmin. I’ve also forced the rest of my team in Open Solutions over to Git and migrated a number of customer projects already. And we’re reaping productivity rewards!

How we work Git for projects was taken from this excellent post which I would fully recommend: A successful Git branching model.

Useful Git Links:

Benchmarking the Mikrotik Routerboards RB750 and RB750G

Continuing on from today’s earlier post, Benchmarking the Mikrotik Routerboard RB1100, I now present some results for the RB750 and RB750G using the same methodology and platform.

The RB750 and the RB750G are two identical looking routers intended for the SOHO environment:

The specifications for the RB750 (with differences for the RB750G in italics and parentheses) are:

  • five FastEthernet 100Mbps (Gigabit 1Gbps) ports;
  • 32MB DDR SDRAM;
  • 64MB on board NAND storage;
  • Atheros AR7240 400MHz (AR7161 680MHz) CPU;
  • powered by PoE or power jack;
  • up to 3W (6W) power consumption;
  • ports 2-5 share dedicated switch chip allowing full 100Mbps (1Gbps) throughput;
  • all ports can be individually configured.
  • €31.73 (€54.61) from Wireless Connect.

Both routers come with an L4 license of Mikrotik’s RouterOS which is built on the Linux kernel so anyone familiar with Linux networking will get up to speed on these boxes in no time.

As a disclaimer in case it is not clear, all routing tests are done using just two ports – one for the traffic generator and one for the receiver – with the device under testing routing the packets between two networks. As such, on the RB750, the maximum throughput we could achieve would be 100Mbps.

I ran tests for plain routing and also, in evaluating it for certain uses, over a VPN tunnel.

All results are presented below. Given the wealth of features, I think these are super boxes at a super price. So far I’ve put them on the end of an Imagine DSL line providing IPv4 and v6 over PPPoE and the end of a 30Mb UPC line taking its UPC IP via DHCP. They provide firewall, NAT, port forwarding, OpenVPN tunnels, QoS, DHCP, DNS caching and VLANs for phone / VoIP and management networks.


Benchmarking the Mikrotik Routerboard RB1100

I attended and gave a talk at the recent Irish Wireless Conf & Expo on behalf of INEX. I don’t get to do much with wireless links and as such I found many of the talks and exhibitors very interesting. One company that had a large presence through both Wireless Connect in Dublin and Irish Wireless in Shannon was Mikrotik – a company manufacturing routers built on Linux and some kit that I had been meaning to look at for some time.

Following the conference I picked up some RB750’s and RB750G’s and was very impressed. So much so, that I picked up an RB1100 also. The RB1100 specifications include:

  • 13 individual 1Gbps ports;
  • 2 x 5 port switch groups;
  • 800MHz Power PC MPC8544E processor;
  • SODIMM RAM slot with up to 1.5GB RAM;
  • 1 x microSD card slot;
  • 1U rack mount case.

I decided to benchmark this to see at just what rate it could route packets.

Benchmark Methodology and Tests

I used two PCs running Linux with iperf to measure TCP throughput with different packet sizes. To establish a baseline, I ran the same tests with the two PCs directly connected (this is the Direct Connection results below). The maximum achievable result with this is 1Gbps.

An example command line for the test which runs for 10 secs by default and for a packet size of 64 bytes is:

iperf -f m -i 1 -c 10.0.0.1 -l 64

Then I ran four test sets routing traffic between two networks as follows:

  1. No c/t, no f/w: connection tracking disabled and firewall set to allow all;
  2. No c/t, f/w: connection tracking disabled but with some simple firewall rules;
  3. C/t, no f/w: connection tracking enabled but firewall set to allow all;
  4. C/t, f/w: connection tracking enabled and stateful firewall rules.

In addition, I ran the above four tests with the RB1100 configured as an OpenVPN server:

/interface ovpn-server server set auth=sha1,md5 certificate=cert1 \
cipher=blowfish128,aes128,aes192,aes256                          \
default-profile=your_profile enabled=yes                         \
keepalive-timeout=disabled mac-address=FE:50:A7:D5:FE:B7         \
max-mtu=1500 mode=ip netmask=24 port=1194                        \
require-client-certificate=no

One of the PCs was connected to the RB1100 as a VPN client pushing traffic to the other server on a non-VPN connect with all traffic routed through the RB1100. I also did a baseline test by running the VPN server with the same encryption on one of the PCs with a direct connect to the other and then pushing traffic over the VPN link.
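Before a benchmark server line like the one above is reused outside a test bench, its authentication and cipher options are worth a second look. The following is an added example, not part of the original post: it checks only option names and values that appear in the post, and `audit_ovpn`, `post_config` and `tightened_config` are made-up names.

```shell
#!/bin/sh
# Added example: review a RouterOS "ovpn-server server set" line.
# Function names are hypothetical; option names and values are the post's.

audit_ovpn() {
    # Drop line-continuation backslashes, then emit one key=value per line.
    tr -d '\\' | tr -s ' \t' '\n\n' | awk -F= '
        function offers(list, want,    n, i, v) {
            n = split(list, v, ",")
            for (i = 1; i <= n; i++) if (v[i] == want) return 1
            return 0
        }
        $1 == "auth" && offers($2, "md5") {
            print "auth: md5 is offered" }
        $1 == "cipher" && offers($2, "blowfish128") {
            print "cipher: blowfish128 (64-bit block cipher) is offered" }
        $1 == "require-client-certificate" && $2 == "no" {
            print "require-client-certificate: clients need no certificate" }
    '
}

# The server line from the post, used as sample input.
post_config() {
    cat <<'EOF'
/interface ovpn-server server set auth=sha1,md5 certificate=cert1 \
cipher=blowfish128,aes128,aes192,aes256 \
default-profile=your_profile enabled=yes \
keepalive-timeout=disabled mac-address=FE:50:A7:D5:FE:B7 \
max-mtu=1500 mode=ip netmask=24 port=1194 \
require-client-certificate=no
EOF
}

# Constructed tightened variant, built only from values already in the post.
tightened_config() {
    cat <<'EOF'
/interface ovpn-server server set auth=sha1 certificate=cert1 \
cipher=aes256 default-profile=your_profile enabled=yes \
require-client-certificate=yes
EOF
}
```

`post_config | audit_ovpn` prints three findings; `tightened_config | audit_ovpn` prints none.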

Results:

The results can be seen in the following graph:

Without connection tracking and firewall, full line rate is achievable for packet sizes of 256 bytes and higher – all in all, an excellent result. That said, no connection tracking and no firewall would be an unusual configuration and with these, the box maxes out at around 525Mbps – still an excellent result for less than €400.

The VPN tests yielded:

VPN throughput primarily relies on CPU horsepower and the PCs used for the Direct Connection baseline test are pretty modern.

Useful RANCID Debugging Tips

I always find it difficult to find a good reference for RANCID debugging strategies and, after spending the afternoon on doing same on one installation, put together my own list.

Note that in the following, I use clogin and rancid which assumes a Cisco device. Change to the appropriate variations if you’re not trying to work with a Cisco.

  1. Test logging into a device:
    > clogin rtr1.example.com
  2. Test logging into a device and a single command:
    > clogin -t 90 -c"show version" rtr1.example.com
  3. Test logging into a device and run a sequence of commands:
    > clogin -t 90 -c"show version;show calendar" rtr1.example.com
  4. Show what RANCID does with debugging output:
    > rancid -d rtr1.example.com

    If the above throws some errors (especially a list of missed commands), and if you’re using TACACS, ensure you have authorisation to run all the commands RANCID tries by logging into the router as the RANCID user and executing them one at a time.

  5. Same as (4) but record all router / switch output for analysis:
    > setenv NOPIPE YES
    > rancid -d rtr1.example.com

    and then the complete output can be found in the file: rtr1.example.com.raw (in this example).

  6. Run RANCID on a single switch / router tree rather than all:
    > /usr/local/bin/rancid-run [tree]
  7. Run RANCID normally:
    > /usr/local/bin/rancid-run
  8. Don’t forget that logs are available in RANCID’s logs/ directory.
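To connect the logs with the missed-command check in step 4, the following added example (not from the original post) pulls the missed commands out of RANCID log text and prints the step 2 `clogin` test for each one. The two log line shapes in the comments and the function names are assumptions, and the sample log is constructed.

```shell
#!/bin/sh
# Added example: turn RANCID log lines into a list of commands to re-test.
# Assumed log line shapes (not quoted from the post):
#   <device>: missed cmd(s): <cmd>,<cmd>,...
#   <device>: End of run not found

# Print "device<TAB>command" once for every missed command on stdin.
missed_commands() {
    awk '
        / missed cmd\(s\): / {
            dev = $1; sub(/:$/, "", dev)
            cmds = $0; sub(/^.* missed cmd\(s\): /, "", cmds)
            n = split(cmds, c, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^ +| +$/, "", c[i])
                key = dev "\t" c[i]
                if (c[i] != "" && !(key in seen)) { seen[key] = 1; print key }
            }
        }'
}

# Print each device whose collection run did not finish, once.
incomplete_devices() {
    awk '/: End of run not found/ {
        dev = $1; sub(/:$/, "", dev)
        if (!(dev in seen)) { seen[dev] = 1; print dev }
    }'
}

# Emit the step 2 clogin test for every missed command, to be run by hand
# as the RANCID user (a command containing a double quote needs re-quoting).
retest_commands() {
    missed_commands | awk -F '\t' '{ printf "clogin -t 90 -c\"%s\" %s\n", $2, $1 }'
}

# Constructed sample log text.
sample_log() {
    cat <<'EOF'
Trying to get all of the configs.
rtr1.example.com: missed cmd(s): show calendar,show version
rtr1.example.com: End of run not found
sw1.example.com: End of run not found
Getting missed routers: round 1.
rtr1.example.com: missed cmd(s): show calendar,show version
rtr1.example.com: End of run not found
EOF
}
```

Against a real installation, feed it the files from the logs/ directory, for example `cat logs/* | retest_commands`.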

GIMP: Change Background from Black / White to Transparent

This is one that I find myself Googling for regularly but spend time wading through poor results and solutions:

http://brainsongimp.blogspot.com/2008/03/black-and-white-jpg-to-transparent-png.html

Changing a User’s UID on Apple XServe / Snow Leopard

Due to exporting NFS file systems from Linux boxes to an XServe, I had need to match the new users’ UID on the XServe to the Linux UIDs. Unfortunately this was not so obvious.

There’s a good how-to here:

http://www.inteller.net/notes/change-user-id-on-snow-leopard

Fix for Silly Annoying FreeBSD PHP Ports Errors

The following occurs quite regularly on FreeBSD:

Cannot find autoconf. Please check your autoconf installation and the
$PHP_AUTOCONF environment variable. Then, rerun this script.

and when fixed, it’s followed up by:

Cannot find autoheader. Please check your autoconf installation and the
$PHP_AUTOHEADER environment variable. Then, rerun this script.

The fix is to set those environment variables (as appropriate for the autoconf and autoheader version numbers – the below is my example on FreeBSD 8.1):

export PHP_AUTOCONF=/usr/local/bin/autoconf-2.68
export PHP_AUTOHEADER=/usr/local/bin/autoheader-2.68

in bash, or the following in tcsh:

setenv PHP_AUTOCONF autoconf-2.68
setenv PHP_AUTOHEADER autoheader-2.68

Irish Radio Stations on Linux

UPDATED VERSION AVAILABLE: https://www.barryodonovan.com/index.php/2013/02/12/irish-radio-stations-on-linux-2013

I’m a bit of a newstalk junky and like to have the radio on in the background. It’s quite painful jumping between websites and even more painful getting them all to work under Linux so I have some simple Bash aliases for VLC and RTE Radio 1, Today FM and Newstalk:

alias 2fm='cvlc http://dynamic.rte.ie/av/live/radio/2fm.asx'
alias newstalk='cvlc http://newstalk.fmstreams.com:8008/listen.pls'
alias rteradio1='cvlc http://dynamic.rte.ie/av/live/radio/radio1.asx'
alias todayfm='cvlc http://audiostore.todayfm.com/audio/todayfmIRL_64K.asx'

UPDATED 2011-02-07: 2FM added.

Testing SPAM and Virus Filters

I’ve recently performed a complete upgrade of Open Solutions’ mail servers and I’ve now moved onto doing likewise for one of our ISP customers with a lot of users.

These retrofits include installing virus and SPAM filters to protect both ourselves and the ISP customers but also to stop customers who have infected computers from spewing these emails out.

When everything’s up and appears to be working, I like to test both filtering systems to ensure they’re working. Quoting from eicar:

Using real viruses for testing in the real world is rather like setting fire to the dustbin in your office to see whether the smoke detector is working. Such a test will give meaningful results, but with unappealing, unacceptable risks.

Fortunately, test files exist for virus checkers and SpamAssassin:

  • The EICAR standard anti-virus test file can be found here.
  • SpamAssassin created the GTUBE (Generic Test for Unsolicited Bulk Email) for the same purpose and this can be found here.
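One way to build a test message for each filter, as an added example that is not part of the original post: the two 68-byte strings are the published EICAR and GTUBE test strings, while the addresses, the attachment name and the function names are placeholders chosen here.

```shell
#!/bin/sh
# Added example: build one test message per filter.
# FROM, TO, the boundary and the function names are placeholders.

# Published 68-byte test strings (harmless by design).
EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
GTUBE='XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X'

FROM='postmaster@example.com'    # placeholder sender
TO='filter-test@example.com'     # placeholder mailbox behind the filters

# Plain-text message carrying the GTUBE string on a line of its own.
gtube_message() {
    printf 'From: %s\nTo: %s\nSubject: GTUBE spam filter test\n' "$FROM" "$TO"
    printf 'MIME-Version: 1.0\nContent-Type: text/plain; charset=us-ascii\n\n'
    printf '%s\n' "$GTUBE"
}

# Multipart message with the EICAR test file as a base64 attachment,
# which is how a mail virus scanner would normally meet it.
eicar_message() {
    boundary='=_filter_test_boundary'
    printf 'From: %s\nTo: %s\nSubject: EICAR virus filter test\n' "$FROM" "$TO"
    printf 'MIME-Version: 1.0\n'
    printf 'Content-Type: multipart/mixed; boundary="%s"\n\n' "$boundary"
    printf '%s\n' "--$boundary"
    printf 'Content-Type: text/plain; charset=us-ascii\n\n'
    printf 'Anti-virus test attachment follows.\n'
    printf '%s\n' "--$boundary"
    printf 'Content-Type: application/octet-stream\n'
    printf 'Content-Transfer-Encoding: base64\n'
    printf 'Content-Disposition: attachment; filename="eicar.com"\n\n'
    printf '%s' "$EICAR" | base64
    printf '%s\n' "--$boundary--"
}
```

Pipe either function into `sendmail -t` on a host that relays through the filters, then confirm in the filter logs that the GTUBE message was scored as spam and the EICAR attachment was flagged as a virus.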

Asterisk SIP Brute Force Attacks on the Rise

See my article on the company blog for a discussion on this, and a how to on using Fail2ban to help stop these attacks.