Pages

Monday, September 28, 2015

How to create an IPv6-only consul cluster with docker

Why?

  • we're using docker to run consul (and registrator and our services) in, and IPv6 makes this easier (no NAT => better performance)
  • it's easier to maintain one stack
  • consul is known to give issues with NAT and docker (https://github.com/docker/docker/issues/8795)
  • IPv4 is legacy and obsolete ;-)
Consul 0.5.2 has some issues running such a setup, but if you're building consul from master (which includes some fixes (see https://github.com/hashicorp/consul/commits?author=42wim) it will work fine.

Issues to be aware of:

  • the IPv4 version of consul listens by default on private address ranges, when using IPv6 you'll be running on 'public' addresses. So be sure you're firewalling those from the internet.
  • If you're using consul recursive powers, you'll also need IPv6 dns recursors. (e.g. google's 2001:4860:4860::8888)
  • Not IPv6 related, but for extra stability, enable leave_on_terminate.
  • Also not Ipv6 related, but I've noticed that the default LAN settings for consul can be a bit too strict when running on vmware hosts. This patch increase the probetimeout to 2 seconds (instead of 500msec)



Consul extra configuration server and client

Extra settings below necessary for the consul server and client agent setup


Configuration:
{
        "recursor": "[2001:4860:4860::8888]",
        "leave_on_terminate": true,
        "client_addr": "::",
        "addresses": { "http": "::"}
}

Consul server setup

The consul server are running as a docker host mode container (which means, they share the same network namespace as the host).

The reason here is that we need a fixed IPv6 address for the servers because we're forwarding our dns requests to those servers. (ofcourse with some extra work we could make a script that dynamically update our dns forwards to the dynamic IP address).

Our server has multiple IPv6 addresses so we'll have to add a -advertise and -bind flag

consul agent -server -advertise 2001:db8::1 -bind 2001:db8::1 -bootstrap-expect 3 -retry-join [2001:db8::1]:8301 -retry-join [2001:db8::2]:8301 -retry-join [2001:db8::3]:8301

Using consul-docker as our consul docker container (for client and server)

Consul client setup 

You'll need to cherry-pick this PR into your local build: https://github.com/hashicorp/consul/pull/1219.
The IPv6 address in the docker container will be random and we want to bind to the IPv6 address.
This patch looks for the first 'public' IPv6 address and uses this address to advertise.

So we start the client with:

consul agent -bind :: -join consul.service.consul

Gotcha's here:
bind :: actually binds to IPv4 and IPv6 addresses in the container, but because we advertise the IPv6 address the IPv4 address won't be used.

Other software

Registrator

We also use registrator to register our services in consul. So every time a container starts or stops, registrator handles the consul service registration process.

Also for registrator some extra fixes are needed to have IPv6 support. (not yet merged, see https://github.com/gliderlabs/registrator/pull/229)

Because we're running consul on IPv6 this means registrator also needs to connect to the IPv6 address.

registrator consul://server1.node.consul:8500

Registrator then can register other services that are running on the docker host, like e.g elasticsearch.

Registrator-netfilter

Besides main registrator we also run registrator-netfilter which automatically firewalls the IPv6 services in the container. The containers are no longer NATted but directly accessible, so they need to be firewalled.

Docker

A /64 is allocated for docker and a /80 is given to each docker host, running with the switches

--ipv6=true --fixed-cidr-v6=2001:db8::/80

Elasticsearch

ES is also run ipv6 only, using registrator, registrator-netfilter and consul.
You can find the relevant commands to give to docker below:

docker run --net bridge -e SERVICE_NAME=es -e SERVICE_9200_TAGS=http-data 
-e SERVICE_9300_TAGS=transport-data -e SERVICE_9200_IPV6=tcp -e SERVICE_9300_IPV6=tcp 
-e ADVERTISE_IPV6=yes

Tuesday, February 10, 2015

tmux memory usage on linux



So a while ago I switched from screen to tmux. My reason for switching was that GNU screen didn't work in my docker containers and tmux did ;-)

All was well for a few months and I was replacing screen with tmux everywhere. It did have some other niceties besides working in containers and seem to do its job.

Until


USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
wim       1660  1.3 12.8 135056 131404 ?       Ss    2014 722:46 tmux -u


Notice anything special above ? Compare it with screen.


USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
wim      29595  0.0  4.5  48784 46116 ?        Ss    2014   3:49 SCREEN -c mscreen


The tmux session has 8 open windows and 10000 history limit. (set -g history-limit 10000)
The screen session has 39 open windows and 10000 history limit (defscrollback 5000)

So, tmux seems to be using an awful lot of memory. Two times more than screen, for a 'lighter' session setup.

A quick google showed that other people were having the same issues

My first thought was, 'memoryleak', so I checked the code, but everything seemed to be free'd correctly.

I joined the #tmux channel on freenode for some help and got told that it's a specific glibc (linux) issue. Although the memory was free'd, Glibc wasn't releasing it back to the OS.

But you could force it by using malloc_trim(0). And maybe you could use specific glibc environment variables to control memory allocation behaviour to also emulate malloc_trim().

Too much time googling and testing was wasted, I couldn't get it too work, the memory wasn't getting released back to the OS.

So I made a small patch to tmux which
- calls malloc_trim(0) when a window gets destroyed
- also free's memory when you clear your history manually in a window (and also call malloc_trim())

The patch works for me but YMMV

I tried to get this patch into upstream tmux, but was told: 'It's up to glibc to decide how malloc works'.

PS: if you set history-limit 0, tmux actually uses less memory than screen (and doesn't grow), but ofcourse you don't have a scrollback ;-)


Saturday, January 24, 2015

Rancid 3.2 alpha + git


Rancid lovers rejoice, a 3.2 alpha version is released with (at least) 2 interesting features.

- Git support: based on the patch by jcollie.

But with a 'small' difference, not one repository for all the groups, but a repository per group.
Maybe fine if your starting from scratch, but for my situation I like the one repository setup of the original patch.

You can find the latest version with the original setup of one repository for everything, together with some other minor patches on https://github.com/42wim/rancid/commits/mypatches3.1.99

- WLC support: Now you can backup your Cisco Wireless Lan Controllers configuration out of the box. One patch less to maintain. Hurrah!

I'm running Rancid in a Docker setup, so upgrading and testing was quite easy.
No issues found yet with this version.

Tuesday, February 25, 2014

Circumventing IPv6 feature parity: drop AAAA to specific IPs

Unless you've been living under a rock, you'll be aware that IPv6 usage has been increasing.


Yes, it even has come to this: mere mortals can use it at home. The audacity!

Unfortunately not all vendors (if any?) have feature parity, in our case a specific VPN product doesn't support IPv6.
The client will only receive an IPv4 address from the VPN server.

When the user at home starts it's VPN and asks for an internal resource (which also has an IPv6 address), it will try to connect to this resource using the IPv6 from his provider (he didn't receive one from the VPN server) which doesn't work, because this specific resource is firewalled for outside addresses.


Luckily the user has to use our DNS server to look up records (forced to do so by the vpn client)
Luckily we're using PowerDNS recursor which has support for LUA scripting which can modify DNS responses.

The script below gives normal answers to every host not coming from 10.100.0.0/15 or 10.0.0.1/32. Otherwise if the answer contains an AAAA, drop it, and return the rest.


More information about LUA scripting for PowerDNS can be found here: http://doc.powerdns.com/html/recursor-scripting.html

Sunday, December 1, 2013

Winter is coming

Which means I have some more time, expect some IPv6 and Cisco related posts in the near future.



Monday, May 13, 2013

Compiling your own PuTTY-CAC with EID support


So we've got electronic ID's, (smartcards) but except for doing our taxes we're not using them so much.



Now under linux there are options to use them for SSH authentication, but these days I'm mostly using Putty on Windows, so I wanted it to work with this client. 

After some searches I found a possible candidate: Putty-cac : http://www.risacher.org/putty-cac/

It works with CAPI, the military uses it, it's opensource and based on Putty. Seems like a win-win-win-win. And for once it also is :-)



compared it with the official putty source from http://svn.tartarus.org/sgt/putty/ to see if nothing suspicious was added to the code. There wasn't, so I could safely build the binary myself.

I remembered that Visual Studio Express was a free C++ compiler from Microsoft, so i download version 2010

So now just open the project and press build right? Wrong! The project was made in Visual studio 6 and apparently you can not convert from visual studio 6 to visual studio 2010. According to the internets you need to first install Visual studio 2008, convert there, save it, open it in Visual studio 2010, convert, save and build.



Here is an overview for those that want to do this:

Start visual C++ 2008
Open Project - c:\temp\putty-cac-master\windows\MSVC\putty.dsw
Convert and open project
Choose File - Save All
Start visual C++ 2010 (and close 2008 ;-)
Open Project - c:\temp\putty-cac-master\windows\MSVC\putty.sln
You'll get a wizard: Next - Next - Finish

Now when you try to build it, it won't. You'll need to add a define 

Open c:\temp\putty-cac-master\windows\winstuff.sh
Add  #define SECURITY_WIN32 at the top of the file

If you compile now you'll get linking errors. You'll need to add 'sc.c' and 'capi.c' to the 'source files'

Now you're finally ready to build your binary. Press build and enjoy your own build putty.

To actually use your EID with this, just follow the CAPI instructions on http://www.risacher.org/putty-cac/


Stuff you'll need to get this working:

Microsoft Windows SDK for Windows 7 and .NET Framework 4

Visual 2008 express

Visual 2010 express

PuTTY CAC source

Good luck!

Wednesday, April 3, 2013

DHCPv6: ISC MAC logging and Cisco relay agent configuration



DHCPv6 server MAC address logging

One of the differences between DHCPv6 and DHCPv4 is that it uses DUID as an identifier instead of a MAC address.



As you probably know, DUID's are for the majority of OS (ie Windows) based on a timestamp suffixed by a MAC address

For some of our internal systems we use a MAC as an identifier, for now we will also be  needing this for IPv6. The default ISC DHCPv6 daemon isn't logging a MAC address by default. One way to have it print out is by adding this to your DHCP config.

option dhcp6.macaddr code 193 = string;
option dhcp6.leased-address code 194 = string;
option dhcp6.macaddr = binary-to-ascii(16, 8, ":", suffix(option dhcp6.client-id, 6));
option dhcp6.leased-address = binary-to-ascii(16,16, ":", substring(suffix(option dhcp6.ia-na, 24),0,16));
log (info, concat ("Lease for ",config-option dhcp6.leased-address, " leased to ", config-option dhcp6.macaddr));

Above code will only work for DUID-LLT and DUID-LL (so not DUID-EN, but I don't know anyone using this at the moment)
More info over DUID on http://tools.ietf.org/html/rfc6355
Other great blogpost about DHCPv6 at http://ipv6friday.org/blog/2011/12/dhcpv6/


DHCPv6 relay configuration on Cisco equipment

Overview of the configuration we're using on our routers.

(1) We're using FE80:: as our IPv6 default gateway everywhere, seems to work for me for now ;) any best practices for this? (update: because of issues with linux and fe80:: (linux responds to fe80:: if it's specified on any link, this has now changed to FE80::1)

(2) Asking the hosts on the subnet to not do SLAAC please, we're asking you nicely.
(3) Letting the hosts know we're managing the config, that they must use DHCPv6.
(4) Just to be sure also set this flag, tell them to use DHCPv6 not only for getting an IP but also for getting e.g. DNS servers
(5) We're the boss on this subnet.
(6) relay DHCPv6 requests to our server and use (7) the loopback as a source for this.

We're using link-local addresses for routing, so if we don't specifiy an source-interface, the relay agents would try to use a link-local address which obviously can not be routed.

Interface vlan42
  ipv6 address FE80::1 link-local (1)
  ipv6 address 2001:0db8:100:4200::1/64
  ipv6 nd prefix default 2592000 604800 no-autoconfig (2)
  ipv6 nd managed-config-flag (3)
  ipv6 nd other-config-flag (4)
  ipv6 nd router-preference High (5)
  ipv6 dhcp relay destination 2001:0db8:0:40::547:1 (6)
  ipv6 dhcp relay source-interface Loopback0 (7)

interface Loopback0
 ipv6 address  2001:0db8:300::63/128