xfs labels on mounted volumes

2020.11.28

turns out you can’t directly create an xfs label on a mounted volume.

xfs_admin -L /dev/volume doesn’t work. 🙁

thanks to a coworker, i learned you can use xfs_io to set the label through the mountpoint instead.

xfs_io -c "label -s SOMELABEL" /some_mountpoint

verify with xfs_admin -l /dev/volume

how’d i discover this? an mdraid volume wouldn’t keep its device name across reboots on centos 7, so i changed /etc/fstab to mount by label instead. also, screw UUIDs.

Categories : geek

backup internet via xfinitywifi

2017.03.25

sometimes cable modems die. sometimes coax degrades causing your cable modem signals to tank. sometimes comcast de-registers your cable modem and re-registers your old cable modem. in these cases, it’d still be nice to have an internet connection at the house.

given that so much traffic is TLS these days, i’m not too worried about snooping on the wifi hop. maybe i can get a router which supports EAP-TLS and/or 802.1x so the wireless transport is encrypted as well.

i got clever. i picked up a tp-link tl-wr710n router because it has a WISP Client Mode. when it arrived, i configured it for this mode and attached it to xfinitywifi, served out by one of my gracious neighbors. i then authenticated via the captive portal and had the system remember my new router’s wifi MAC.

next, i changed the TP-Link’s LAN-side IP to be in the same subnet as my home network and disabled the internal DHCP server.

now to configure my cisco 1841 for these shenanigans.

! default comcast docsis.
ip route 0.0.0.0 0.0.0.0 dhcp 250
! via xfinity wifi/tp-link router
ip route 0.0.0.0 0.0.0.0 10.11.12.252 254
! ip sla destination, since i don't use comcast dns
ip route 75.75.75.75 255.255.255.255 10.11.12.252 250

those are the basic bits. if my cable modem loses its IP and/or the WAN interface of my 1841 goes down, the home network falls back to the xfinitywifi/tp-link path. i have a backup internet connection good for 15mbps down and 5mbps up.

this doesn’t help with problems further inside comcast’s network.  this doesn’t help with physical plant problems affecting the whole neighborhood.  however, i’m not paying for a second internet circuit either.

my comcast connection is metered. so next, i thought i could push offsite backups over the xfinitywifi link instead. pbr to the rescue! but first, some sla tracking so the policy route only applies while that path is actually up:

! define the check to see if the connection is up
ip sla 1
 icmp-echo 75.75.75.75 source-interface FastEthernet0/1
 frequency 5
! check forever
ip sla schedule 1 life forever start-time now
! track object the route-map references below; without it, verify-availability has nothing to consult
track 1 ip sla 1 reachability
! create an acl identifying backup traffic
ip access-list extended send-backup
 permit tcp any host x.y.z.a eq 22
! create a route-map for pbr
route-map send-backup permit 10
 match ip address send-backup
 set ip next-hop verify-availability 10.11.12.252 1 track 1
! apply pbr
interface FastEthernet0/1
 description inside
 ip policy route-map send-backup
 ! client cached redirects can be a challenge
 no ip redirects
 no ipv6 redirects

todo: get an ethernet hwic for my 1841 so this failover/failback stuff is easier.

Categories : geek

vimrc sets

2015.02.25

vim has become a bigger part of my life lately so i need to make it more useful. here’s my .vimrc set statements:

set number
syntax on
filetype indent plugin on
set tabstop=2
set expandtab
set shiftwidth=2
set softtabstop=2
set ruler
set hlsearch
set ignorecase

Categories : geek

nx-os route redistribution, simplified

2014.01.06

in a previous post, i talked about nx-os route redistribution, with a route-map. if you want all your static routes to be redistributed, you can simplify your route-map. how simple? skip the prefix list! 🙂

examine your static routes…

n7k1# sh run | inc "ip route "

ip route 0.0.0.0/0 10.0.0.2
ip route 10.10.10.0/24 10.0.0.4
ip route 10.20.10.0/20 10.0.0.1
ip route 192.168.172.0/24 10.10.10.3

create a route-map with no match statement and skip the prefix list. a permit entry with no match matches every route, so all static routes get redistributed.

route-map examplestaticmap permit 10

add them to your eigrp instance…

router eigrp 14
redistribute static route-map examplestaticmap

my coworkers are clever.

Categories : geek

eigrp offset-list

2013.04.13

offset lists are a tool to manipulate paths for eigrp routes.  in my topology, 4.4.4.4/32, 4.4.4.5/32, and 4.4.4.6/32 are loopbacks on r4.  fa1/0 has a delay of 10000 and fa2/0 has a delay of 15000 on both r2 and r3.  without any changes, both a successor and a feasible successor to r4 show up in the topology table, but fa1/0 is preferred.

i want to make 4.4.4.5/32 and 4.4.4.6/32 prefer fa2/0 instead.  i found outbound metric changes easier to reason about, since the router announcing the routes is the authority on which path to take.

[topology diagram: offsetlistopology]

routing table:

r2#sh ip route 4.4.4.5   
Routing entry for 4.4.4.5/32
  Known via "eigrp 1", distance 90, metric 2946560, type internal
  Redistributing via eigrp 1
  Last update from 10.23.23.3 on FastEthernet1/0, 00:00:41 ago
  Routing Descriptor Blocks:
  * 10.23.23.3, from 10.23.23.3, 00:00:41 ago, via FastEthernet1/0
      Route metric is 2946560, traffic share count is 1
      Total delay is 105100 microseconds, minimum bandwidth is 10000 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 2

topology:

r2#sh ip eigrp top 4.4.4.5/32
EIGRP-IPv4 Topology Entry for AS(1)/ID(2.2.2.2) for 4.4.4.5/32
  State is Passive, Query origin flag is 1, 1 Successor(s), FD is 2903808
  Descriptor Blocks:
  10.23.23.3 (FastEthernet1/0), from 10.23.23.3, Send flag is 0x0
      Composite metric is (2946560/2713600), route is Internal
      Vector metric:
        Minimum bandwidth is 10000 Kbit
        Total delay is 105100 microseconds
        Reliability is 255/255
        Load is 1/255
        Minimum MTU is 1500
        Hop count is 2
        Originating router is 4.4.4.4
  10.23.23.131 (FastEthernet2/0), from 10.23.23.131, Send flag is 0x0
      Composite metric is (6741248/2713600), route is Internal
      Vector metric:
        Minimum bandwidth is 12004 Kbit
        Total delay is 255000 microseconds
        Reliability is 255/255
        Load is 1/255
        Minimum MTU is 1500
        Hop count is 2
        Originating router is 4.4.4.4

from r3, i can create an acl for routes i want to offset:

r3#sh run | s access-list
access-list 45 permit 4.4.4.5
access-list 45 permit 4.4.4.6

i use the offset-list to make fa1/0 less desirable than fa2/0:

r3#sh run | sec router eigrp 1
router eigrp 1
 network 3.3.3.3 0.0.0.0
 network 10.23.23.0 0.0.0.255
 network 10.34.34.0 0.0.0.255
 redistribute static
 offset-list 45 out 10000000 FastEthernet1/0  < ---------
 eigrp router-id 3.3.3.3

net result is that it adds 10000000 to the existing metric on fa1/0:

r3#sh ip prot
*** IP Routing is NSF aware ***

Routing Protocol is "eigrp 1"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Outgoing routes in FastEthernet1/0 will have 10000000 added to metric if on list 45  < ---------
  Default networks flagged in outgoing updates
  Default networks accepted from incoming updates
  Redistributing: static
! dropped irrelevant

back on r2, i should see the path to 4.4.4.5/32 via fa2/0:

r2#sh ip route 4.4.4.5       
Routing entry for 4.4.4.5/32
  Known via "eigrp 1", distance 90, metric 6741248, type internal
  Redistributing via eigrp 1
  Last update from 10.23.23.131 on FastEthernet2/0, 00:00:06 ago
  Routing Descriptor Blocks:
  * 10.23.23.131, from 10.23.23.131, 00:00:06 ago, via FastEthernet2/0
      Route metric is 6741248, traffic share count is 1
      Total delay is 255000 microseconds, minimum bandwidth is 12004 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 2

both successor and feasible successor should still be in the topology table on r2:

r2#sh ip eigrp top 4.4.4.5/32
EIGRP-IPv4 Topology Entry for AS(1)/ID(2.2.2.2) for 4.4.4.5/32
  State is Passive, Query origin flag is 1, 1 Successor(s), FD is 2903808
  Descriptor Blocks:
  10.23.23.131 (FastEthernet2/0), from 10.23.23.131, Send flag is 0x0
      Composite metric is (6741248/2713600), route is Internal
      Vector metric:
        Minimum bandwidth is 12004 Kbit
        Total delay is 255000 microseconds
        Reliability is 255/255
        Load is 1/255
        Minimum MTU is 1500
        Hop count is 2
        Originating router is 4.4.4.4
  10.23.23.3 (FastEthernet1/0), from 10.23.23.3, Send flag is 0x0
      Composite metric is (12946560/12713600), route is Internal
      Vector metric:
        Minimum bandwidth is 10000 Kbit
        Total delay is 495725 microseconds
        Reliability is 255/255
        Load is 1/255
        Minimum MTU is 1500
        Hop count is 2
        Originating router is 4.4.4.4
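as an added worked example (not from the original post), here is the classic eigrp metric math behind the numbers above: it reproduces the composite metrics r2 shows for both paths from their vector metrics, applies the 10000000 offset, and runs the feasibility check. the delay IOS prints for the offset fa1/0 path (495725) is derived back from the metric rather than summed from interface delays, which the example also shows.

```python
# Added example: classic EIGRP metric math for the r2 outputs above, constructed
# from the vector metrics shown (default K values: K1=1, K3=1, K2=K4=K5=0).
SCALE = 256
BW_REF = 10_000_000  # bandwidth reference term, 10^7 / min bandwidth in Kbit/s


def composite_metric(min_bw_kbit: int, total_delay_usec: int) -> int:
    """256 * (10^7 / min_bw + delay / 10); IOS truncates each term to an integer."""
    return SCALE * (BW_REF // min_bw_kbit + total_delay_usec // 10)


def delay_for_metric(metric: int, min_bw_kbit: int) -> int:
    """Delay IOS displays for a metric an offset-list changed: the offset is
    folded into the delay term, so the figure is no longer a sum of interface
    delays (495725 usec on the offset fa1/0 path above)."""
    return metric * 10 // SCALE - (BW_REF // min_bw_kbit) * 10


def select_paths(paths):
    """paths: list of (name, metric, reported_distance) for one prefix.
    The successor has the lowest metric; a feasible successor needs a reported
    distance strictly below the feasible distance (taken here as the successor's
    metric; IOS keeps the lowest value since the route last went passive, the
    2903808 shown above, which gives the same answer for these numbers)."""
    name, fd, _ = min(paths, key=lambda p: p[1])
    feasible = [n for n, _, rd in paths if n != name and rd < fd]
    return name, feasible


def offset_list_effect(offset: int = 10_000_000) -> dict:
    """r2's view of 4.4.4.5/32 before and after r3 applies the offset-list
    outbound on fa1/0 (the offset is added to the metric and the reported
    distance r3 advertises on that link; fa2/0 is untouched)."""
    rd = 2_713_600                              # distance r3 reports for 4.4.4.5/32
    fa1 = composite_metric(10_000, 105_100)     # via 10.23.23.3, FastEthernet1/0
    fa2 = composite_metric(12_004, 255_000)     # via 10.23.23.131, FastEthernet2/0
    before = select_paths([("fa1/0", fa1, rd), ("fa2/0", fa2, rd)])
    after = select_paths([("fa1/0", fa1 + offset, rd + offset), ("fa2/0", fa2, rd)])
    return {
        "fa1/0": fa1, "fa2/0": fa2, "fa1/0_offset": fa1 + offset,
        "fa1/0_offset_delay": delay_for_metric(fa1 + offset, 10_000),
        "before": before, "after": after,
    }


if __name__ == "__main__":
    for key, value in offset_list_effect().items():
        print(f"{key}: {value}")
```

note that after the offset the fa1/0 path is still listed in the per-prefix topology output, but its reported distance (12713600) is no longer below the feasible distance, so it is not a feasible successor in the strict sense.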

verification from r1:

r1#traceroute 4.4.4.4
Type escape sequence to abort.
Tracing the route to 4.4.4.4
VRF info: (vrf in name/id, vrf out name/id)
  1 10.12.12.2 16 msec 16 msec 24 msec
  2 10.23.23.3 40 msec 44 msec 44 msec  < ---------
  3 10.34.34.4 72 msec *  56 msec
r1#traceroute 4.4.4.5
Type escape sequence to abort.
Tracing the route to 4.4.4.5
VRF info: (vrf in name/id, vrf out name/id)
  1 10.12.12.2 20 msec 20 msec 20 msec
  2 10.23.23.131 44 msec 44 msec 40 msec  <---------
  3 10.34.34.4 64 msec *  60 msec

i’ll use this at work for some traffic engineering on datacenter-datacenter links.  i wanted to send some non-critical traffic down a slower link to get better utilization across both links. we’re paying for unlimited transit, so i don’t want one path to sit idle.

Categories : geek

cisco ipv6 acls

2012.05.29

in the usual ipv4 variety, i have a web/ssh server with static NAT entries in my 1841 router.  i also use NAT overloading for users behind the router in RFC1918 space.  the NAT overload offers some semblance of protection by not having end users directly accessible from the internet.

i use an ipv6 tunnel from hurricane electric‘s free tunnel broker service.  i’ve got a full /48 of routable ipv6 address space and have 3-4 /64s carved up.  i set it up for CCNP lab’ing.  it works but not terribly fast.  however, the cisco 1841 is a router and just forwards packets by default.  therefore, it needs an ACL to stop my internal network from being accessible from the outside while still allowing the internal network to access the outside. next piece of the puzzle was to allow http/s and ssh access to my server from the outside.

i chose eui-64 because i’m lazy.

here’s my tunnel config, relevant sections bolded:

1841#sh run int tu0
Building configuration…
Current configuration : 346 bytes
interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
ip route-cache flow
ipv6 address 2001:470:7:806::2/64
ipv6 enable
ipv6 traffic-filter inbound in
ipv6 traffic-filter outbound out

ipv6 flow ingress
ipv6 flow egress
tunnel source FastEthernet0/0
tunnel destination x.y.z.a
tunnel mode ipv6ip
end

‘inside’ interface config with relevant bits:

1841#sh run int fa0/1
Building configuration…
Current configuration : 308 bytes
!
interface FastEthernet0/1
description inside
ipv6 address 2001:470:E24F:2::/64 eui-64
ipv6 enable
end

here’s the tricky part: i needed the REFLECT keyword to make the ACL stateful.  the inbound and outbound ACLs also have to be used together, since the inbound one evaluates the reflexive entries the outbound one creates.

1841#sh run | beg access-list inbound
ipv6 access-list inbound
sequence 50 permit tcp any host 2001:470:E24F:2:202:B3FF:FEAB:733F eq 22
permit tcp any host 2001:470:E24F:2:202:B3FF:FEAB:733F eq www
permit tcp any host 2001:470:E24F:2:202:B3FF:FEAB:733F eq 443
sequence 130 evaluate OUTREFLECT
permit tcp any host 2001:470:E24F:2:202:B3FF:FEAB:733F eq domain
permit udp any host 2001:470:E24F:2:202:B3FF:FEAB:733F eq domain
!
ipv6 access-list outbound
sequence 30 permit ipv6 2001:470:8:806::/64 any reflect OUTREFLECT
permit ipv6 2001:470:E24F::/48 any reflect OUTREFLECT
!
ipv6 access-list sshaccess
permit ipv6 2001:470:E24F::/48 any

my server MAC has changed since i did this, i should probably update this ACL since the eui-64 address changed. 🙂
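as an added example (not from the original post), here is how the eui-64 host address pinned in that ACL is derived from the server’s MAC, and a check for the staleness problem just described. the first MAC is back-derived from the address in the ACL above; the replacement MAC is constructed.

```python
# Added example: modified EUI-64 derivation and an ACL staleness check.
# The ACL above permits a host address built from the server NIC's MAC, so a
# NIC change silently breaks the permit entries until the ACL is updated.
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64: split the 48-bit MAC, insert 0xFFFE, flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address IOS assigns under 'ipv6 address <prefix>/64 eui-64'."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("eui-64 needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def acl_host_entries(address: ipaddress.IPv6Address, ports=("22", "www", "443")) -> list:
    """The inbound permit lines used above, rendered in IOS's uppercase form."""
    host = str(address).upper()
    return [f"permit tcp any host {host} eq {p}" for p in ports]


def acl_entry_is_stale(acl_host: str, prefix: str, current_mac: str) -> bool:
    """True when the host the ACL permits is no longer the server's EUI-64
    address, i.e. the MAC the address was derived from has changed."""
    return ipaddress.IPv6Address(acl_host) != eui64_address(prefix, current_mac)


if __name__ == "__main__":
    prefix = "2001:470:E24F:2::/64"
    original_mac = "00:02:b3:ab:73:3f"      # back-derived from the ACL address
    replaced_mac = "00:0c:29:11:22:33"      # constructed: a new NIC
    addr = eui64_address(prefix, original_mac)
    print("\n".join(acl_host_entries(addr)))
    print("stale after NIC swap:", acl_entry_is_stale(str(addr), prefix, replaced_mac))
```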

ipv6 ssh access to the router itself should also be limited to my internal network, using the sshaccess ACL from above.

1841#sh run | beg vty
line vty 0 4
access-class 10 in
ipv6 access-class sshaccess in
transport input ssh

world ipv6 day is coming. ready?

Categories : geek

Apple IDs

2012.04.16

Apple offers a way to create iTunes IDs without a credit card. This works IFF* you don’t already have an Apple ID.

There are cases where you have an Apple ID that isn’t associated with iTunes; whether it’s for developer accounts, discussion forums, registering your product, AppleCare, or Store appointments.

However, it doesn’t offer a way to convert/link an existing Apple ID with an iTunes ID without using a credit card.

This needs to change.

*If and only if

Categories : geek

cold-brewed coffee

2012.01.29

a few people have asked how we make our cold-brewed coffee.  we make it a gallon at a time, you can adjust quantities as needed.  it takes a while to make a batch but you can make the second batch while consuming the first.  🙂

you need a pitcher, a sun-tea jar, a strainer, coffee grounds (medium or dark roast), and coffee filters.

medium-grind two cups of coffee beans, pour them in the pitcher, add water (seems to be about two quarts.)  let it stand at room temperature for 12 hours.  stir it every couple of hours if you remember.

after 12 hours, put your coffee filter in your strainer and place it on top of the sun tea jar.

pour the coffee concoction through the filter.  you can fill up the filter but it won’t flow outside the jar.  this is the slowest/hardest/worst part for us because we’re impatient.  pour the mix in and walk away for 10 minutes, don’t watch it.  repeat this until the pitcher is empty.  you can replace the coffee filters when they get too gunked up to pass coffee any more.


almost done!  use your fingers on the outside to gauge how deep the coffee is.  then add that much water.  chill.  enjoy.  it will be good for about five days but rarely lasts any more than two days in our house.

Categories : fun  geek  reviews

3ware migrate/resize/extend crap

2011.11.27

turns out you can’t migrate/resize/extend a 3ware lun without adding disks, at least on a 9650se controller.  i had 4x 750gb disks attached to a controller, no free slots.  i replaced one by one with 1.5tb disks.  i wanted to extend the 2.05tb lun to 4.0tb but the software won’t let you do it.

[root@schitzo src]# ./tw_cli
//schitzo> /c2 show

Unit UnitType Status %RCmpl %V/I/M Stripe Size(GB) Cache AVrfy
------------------------------------------------------------------------------
u0   RAID-5   OK     -      -      64K    2095.44  ON    OFF

Port Status Unit Size    Blocks     Serial
---------------------------------------------------------------
p0   OK     u0   1.36 TB 2930277168 x
p1   OK     u0   1.36 TB 2930277168 y
p2   OK     u0   1.36 TB 2930277168 z
p3   OK     u0   1.36 TB 2930277168 a

//schitzo> /c2/u0 show

Unit    UnitType Status %RCmpl %V/I/M Port Stripe Size(GB)
------------------------------------------------------------------------
u0      RAID-5   OK     -      -      -    64K    2095.44
u0-0    DISK     OK     -      -      p1   -      698.481
u0-1    DISK     OK     -      -      p2   -      698.481
u0-2    DISK     OK     -      -      p0   -      698.481
u0-3    DISK     OK     -      -      p3   -      698.481
u0/v0   Volume   -      -      -      -    -      2095.44

//schitzo> /c2/u0 migrate type=raid5 disk=0:3
Error: (CLI:008) Invalid ID specified. Found a specified ID already in use.

lame.  time to destroy, create, mount, and restore.

Categories : geek

vmware server 2.0.2 crap

2011.11.27

largely saving this for reference

Today I ran into something very strange: a freshly set up VMware Server 2.0 host wasn’t accessible by https and the vSphere client.
I analysed the logfiles and came across

[2010-11-06 13:35:09.843 'Proxysvc' 4128988016 warning] SSL Handshake on client connection failed: SSL Exception: error:00000000:lib(0):func(0):reason(0)

which seemed to be related to some SSL v2 Certificate thingie.
It didn’t work out for me to enable SSL v2, but as a quick hacky solution, replacing all

"httpsWithRedirect" with "httpAndHttps"
in /etc/vmware/hostd/proxy.xml
and then doing a /etc/init.d/vmware-mgmt restart

at least now lets me connect to the server without ssl encryption just fine.
I know it’s not 100% safe but on a local network server it’s acceptable to me.
Keep in mind that instead of https://xxx:8333 you now have to use http://xxx:8222

thanks thorian

Categories : geek