Hi,
CentOS Stream 9 is now available for self-install and new installs.
https://tools.bitfolk.com/wiki/Using_the_self-serve_net_installer/CentOS_St…
We haven't yet sorted out installers for Alma Linux, Rocky Linux or
any of the other CentOS-like distributions and although that would
be pretty simple I'm not sure that we will do that. It depends upon
demand. I believe it's the case that as with CentOS Stream 8.x, you
can convert from it to Alma, Rocky or even RHEL without reinstall
using a script, so that might have to be the BitFolk-recommended way
to do that.
We are also going to consult about how much demand there is for RHEL
itself. Although that does require a Red Hat subscription, an
individual can get a no-cost subscription for personal use on up to
16 systems.
We do have to run these VMs under the kernel-lt or kernel-ml kernels
from ELRepo though, because Red Hat disables Xen support in its
kernels. Therefore such a VM may not be eligible for any form of
support from Red Hat which may result in there being no customer
demand to do so.
Thanks,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
Hi,
I upgraded my Debian system from Bullseye to Bookworm earlier today. It mostly went pretty smoothly, but I have two questions:
1. I remembered to change the interface name from eth0 to enX0 but couldn't connect to any regular network services (ssh, httpd) after the system was rebooted. I used the Xen shell to change the interface name back to eth0, and could connect again after a reboot. Are some systems happy to stay as eth0? This is quite an old system and has been upgraded in place over several years (it started as a Debian 5.x (Lenny) system in 2009).
2. The sysv-rc-conf package is being held back when I apt-get upgrade. If I try to upgrade it, apt wants to remove a load of packages (about 30). Can I safely just remove the sysv-rc-conf package? /sbin/init is a symlink to /lib/systemd/systemd, so I presume I'm using systemd and don't need sysv-rc-conf?
--
Jamie MacIsaac
jamie(a)macisa.ac
I'm trying to set up SPF for my carfax.org.uk domain (whence this
email comes). I'm getting a bounce from trying to send to gmail:
Diagnostic-Code: smtp; 550-5.7.26 This mail is unauthenticated, which poses a
security risk to the
550-5.7.26 sender and Gmail users, and has been blocked. The sender must
550-5.7.26 authenticate with at least one of SPF or DKIM. For this message,
550-5.7.26 DKIM checks did not pass and SPF check for [savella.carfax.org.uk]
550-5.7.26 did not pass with ip: [2001:ba8:1f1:f0e6::2].
However, I think I have the right TXT record in the DNS for carfax.org.uk:
@ TXT "v=spf1 mx a ip4:85.119.84.138/21 ip6:2001:ba8:1f1:f0e6::/64 a:mail.carfax.org.uk a:savella.carfax.org.uk -all"
and the diagnostic message from gmail isn't all that helpful about why
it's not matching.
Does anyone have any idea what I've missed here?
Thanks,
Hugo.
--
Hugo Mills | One of these days, I'll catch that man without a
hugo@... carfax.org.uk | quotation, and he'll look undressed.
http://carfax.org.uk/ |
PGP: E2AB1DE4 | Leto Atreides, Dune
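Added example, not from Hugo's post: a small offline evaluator for the ip4/ip6 mechanisms of the record quoted above (the mx, a and a: terms need DNS and are reported as unresolved rather than evaluated), which confirms that 2001:ba8:1f1:f0e6::2 does sit inside the ip6:/64 range, so the address ranges themselves are not the mismatch. Note that a receiver looks up the SPF record of exactly the domain it names in the diagnostic, savella.carfax.org.uk here, and a record published at carfax.org.uk is not inherited by that subdomain.

```python
import ipaddress

# The record quoted in the post above, copied here so the check runs offline.
SPF_RECORD = ("v=spf1 mx a ip4:85.119.84.138/21 ip6:2001:ba8:1f1:f0e6::/64 "
              "a:mail.carfax.org.uk a:savella.carfax.org.uk -all")

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for term in parts[1:]:
        qualifier = "+"                      # mechanisms default to "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        terms.append((qualifier, mech.lower(), arg))
    return terms


def check_ip_offline(record, ip):
    """Evaluate only the ip4/ip6 mechanisms, which need no DNS lookups.
    Returns (result, term): the SPF result and the term that produced it, or
    ('needs-dns', None) when a DNS-dependent term (mx, a, a:, include) was
    skipped before reaching 'all', so no verdict is possible offline."""
    addr = ipaddress.ip_address(ip)
    skipped_dns_term = False
    for qualifier, mech, arg in parse_spf(record):
        if mech in ("ip4", "ip6"):
            # strict=False tolerates host bits in the prefix, as in 85.119.84.138/21
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier], f"{qualifier}{mech}:{arg}"
        elif mech == "all":
            if skipped_dns_term:
                return "needs-dns", None
            return QUALIFIERS[qualifier], f"{qualifier}all"
        else:
            skipped_dns_term = True
    return "neutral", None                   # no 'all' term: RFC 7208 default


if __name__ == "__main__":
    # The sending address named in the Gmail bounce above.
    print(check_ip_offline(SPF_RECORD, "2001:ba8:1f1:f0e6::2"))
```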
Hi,
Back at the start of June the version of OpenSSH that we run on the
Xen Shell hosts was updated in order to provide support for
ecdsa-sk and ed25519-sk keys. These are used with "security key"
devices which support FIDO/U2F and was done after customer request.
At the same time this version of SSH disables the ssh-rsa signature
scheme. Older ssh clients may fail to negotiate an SSH connection to
the Xen Shell hosts (i.e. when you do "ssh
username(a)username.console.bitfolk.com") due to this.
If you see an error that reads something like this:
Couldn't agree a key exchange algorithm (available
curve25519-sha256,curve25519-sha256(a)libssh.org,ecdh-sha2-nistp256,
ecdh-sha2-nistp384,ecdh-sha2-nistp512,diffie-hellman-group16-sha512,
diffiehellman-group18-sha512,diffie-hellman-group14-sha256)
then this is the problem. You do not need to change your
authentication keys (if any) because that is not the problem. You
need to upgrade your SSH client.
The above message was from PuTTY 0.64; version 0.78 and above are
known to work.
ssh-rsa was deprecated since version 8.2 of the server in February
2020:
https://www.openssh.com/txt/release-8.2
Future deprecation notice
=========================
It is now possible[1] to perform chosen-prefix attacks against
the SHA-1 hash algorithm for less than USD$50K. For this reason,
we will be disabling the "ssh-rsa" public key signature
algorithm that depends on SHA-1 by default in a near-future
release.
[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1
and Application to the PGP Web of Trust" Leurent, G and
Peyrin, T (2020) https://eprint.iacr.org/2020/014.pdf
It was then disabled from version 8.8 in September 2021:
https://www.openssh.com/txt/release-8.8
Potentially-incompatible changes
================================
This release disables RSA signatures using the SHA-1 hash
algorithm by default. This change has been made as the SHA-1
hash algorithm is cryptographically broken, and it is possible
to create chosen-prefix hash collisions for <USD$50K.
For most users, this change should be invisible and there is no
need to replace ssh-rsa keys. OpenSSH has supported RFC8332
RSA/SHA-256/512 signatures since release 7.2 and existing
ssh-rsa keys will automatically use the stronger algorithm where
possible.
If you are unsure whether this affects you, just verify that you can
connect to your Xen Shell host. If you can't, and you can't find a
way to upgrade your client (or doing so is ineffective), please let
us know at support(a)bitfolk.com.
Again, this is not about rsa authentication keys. You do not need to
abandon ssh-rsa public keys:
https://ikarus.sg/rsa-is-not-dead/
Thanks,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
I did this yesterday and thought that others might be interested in the issues that I came across. It wasn’t quite as smooth as the upgrade to Bullseye this time last year but there were no show-stoppers.
The main issues were:
1. Interface renaming from eth0 to enX0 (as previously mentioned by Andy). Just remember to update /etc/network/interfaces before you reboot for the first time after the upgrade. If you forget, do it via the console and reboot (or ifup enX0). Don’t forget to update anything else that references eth0 - I forgot to update my ip6tables config and wondered for a minute why there was no IPv6 firewalling…
You can, of course, choose to keep using eth0 but I like to move with the times :)
2. mrtg now runs in daemon mode rather than being called regularly via cron. It will ask if you want the cron entry removing as part of the upgrade. In my case, I had set up mrtg a few years ago to use /var/www/mrtg for output and for the config file to be /etc/mrtg.cfg. After yesterday’s upgrade, the new version expects the config file to be at /etc/mrtg/mrtg.cfg and uses /var/www/html/mrtg, so I needed to do some minor Apache httpd reconfiguration.
I also had to add "Interval: 5" to mrtg.cfg for it to poll every 5 minutes.
3. Exim - this one was a bit strange. The upgrade to Exim 4.96 failed with "option "message_linelength_limit" unknown" while running the post install script.
I use a split config so worked round this by commenting out this setting from both
/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp
and
/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost
then re-running the upgrade. I don’t know if this is the right way to solve this but it worked for my setup.
I think those were the only issues I came across (I have a short memory) but will mention anything else that I remember (or come across).
Cheers,
Mike
I seem to recall some discussion about Mastodon on here a while ago. I'd
appreciate guidance about using a Bitfolk VPS for a multi-user Mastodon
instance.
Specifically, I'm trying to get an idea of how much RAM and storage we'd
need for say, 50 or 100 users.
Robin
--
Military history author <https://russellphillips.uk/> : Mastodon
<https://historians.social/@RPBook>
Did this email go to spam? <https://phillipsuk.org/whitelist.html>
Hi,
As you may be aware, the latest stable release Debian 12 bookworm
was released on 10 June.
It is available for new orders and you can of course upgrade your
existing Debian VMs to this release, but we haven't yet updated the
web site to reflect this nor the Xen Shell to allow a clean
self-install. That will happen in the next couple of days.
A reminder though, that in this new release udev has learned about
Xen network interfaces and therefore will rename your eth0 to enX0.
This was previously discussed here:
https://mailman.bitfolk.com/mailman/hyperkitty/list/users@mailman.bitfolk.c…
Thanks,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
Hi,
Debian 12 "bookworm" which was released on 10 June 2023 is now
available for self-install from our Xen Shell:
https://tools.bitfolk.com/wiki/Using_the_self-serve_net_installer
The command:
xen shell> install debian_testing
also now leaves you with an install of testing, but aside from the
code names in /etc/apt/sources.list that is currently pretty much
exactly the same as bookworm.
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
Hi,
After a minor incident of some phishing emails being sent purporting
to be from bitfolk.com, on 3 June I tightened the SPF record of
bitfolk.com from ~all to -all. This basically says that ONLY the
hosts listed in the SPF record are permitted to use a bitfolk.com
envelope sender on email, and that any other host trying to do so
should be rejected.
I have since noticed that some customers are using traditional
server-side forwarding, e.g. on role addresses, to send BitFolk
emails to a group of people, and some of those recipients are doing
as asked and rejecting the email. More are probably silently
discarding or filing the mails away in spam/junk folders.
This happens because when your mail server forwards an email from
e.g. billing(a)bitfolk.com through role(a)yourdomain.co.uk and out to
joe.bloggs(a)example.com, your mail server is pretending to be
billing(a)bitfolk.com. Since you do not match bitfolk.com's SPF
record, the mail server for example.com rejects the email (unless
configured otherwise).
Unfortunately we can't go back on this configuration. It's just the
way that email works in the 21st century. Server-side forwarding of
email in this way is not something that can be expected to work any
more, unless you control both the recipient address and every
address it expands out to.
So what can you do if you currently do forwarding of addresses like
this?
- The generic answer is Sender Rewriting Scheme:
https://en.wikipedia.org/wiki/Sender_Rewriting_Scheme
- A more limited answer is to run a real mailing list of some sort,
so that, for example, billing(a)yourdomain.co.uk goes through a real
mailing list manager like majordomo or Mailman, is rewritten and
sent out to the people who should receive it.
- If you control or have strong influence on all recipients, you can
configure them to allowlist particular senders.
- You can set up real mailboxes for your role accounts and have
interested parties download the email by IMAP or POP.
I'm sorry that this change has broken some previously-working
forwarding setups. It isn't something we can revert though (and
indeed, it will have to get stricter, with additional DKIM and DMARC
to come).
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
Hi all,
I need some information/help to solve a problem. I backup my VM daily
using rsync, and I have been meaning to test the restore process, but
life got in the way. Until this week.
Bottom line, restore appears to set all the files correctly, I re-setup
grub, but restored machine will not boot.
What I am doing. I use a keyfile to ssh into the VM as root, and run the
following to take the backup.
#!/bin/bash
rsync -aAXv \
--delete-during \
--exclude=/swapfile \
--exclude=/dev \
--exclude=/lost+found \
--exclude=/media \
--exclude=/mnt \
--exclude=/proc \
--exclude=/run \
--exclude=/tmp \
--exclude=/var/log \
--exclude=/home/*/.cache \
--exclude=/sys \
--exclude=/var/lib/lxcfs \
root@ianhobson.co.uk:/* /home/ian/BackupFiles/hobson42
For the restore, I manually:
1) Created a proxmox VM to restore to.
2) Install the same version of the O/S (Ubuntu 20.04.06) as the live VPS.
3) Set up passwordless access for root, from the backup machine into the
restore machine.
4) Run the following as root
# rsync exclude patterns that start with "/" are matched against the root of
# the transfer (here the hobson42 directory), not the absolute path on disk.
rsync -aAXv \
--exclude=/etc/hostname \
--exclude=/etc/hosts \
--exclude='/etc/netplan/*' \
--exclude='/boot/*' \
--exclude='/boot/grub/*' \
/home/ian/BackupFiles/hobson42/* root@europa.hcs:/
The excludes are to stop the IP, and hostname being changed.
5) I then run the following as root on restored machine.
grub-mkconfig > /boot/grub/grub.cfg
6) Tried to log in. Saw all users (restore has gui)
but logging in produced a quick error popup, which was so
fast I could not read a word. Then got the usernames again.
7) SSHed in OK, and checked the files - they seem OK.
8) Reboot. This shows the grub menu, but when I select ubuntu
I get a black screen - and nothing further.
I have tried omitting the excludes of boot - same result.
Thoughts:
Restore is to VM under proxmox and not xen. Significant?
Do I need to edit something in /etc/grub.d?
Have I missed something blindingly obvious?
Ideas very welcome. A backup that I can't restore is about as useful as
a chocolate tea pot!
Regards
Ian
--
Ian Hobson
Tel (+66) 626 544 695
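An added example, not from Ian's post, of one check worth running on a root filesystem restored onto different virtual hardware: whether every block device that /etc/fstab names by UUID, LABEL or /dev path actually exists on the new machine, since entries carried over from the original VPS can stall the boot. The sample fstab and blkid output are constructed; check_live_system() runs the same comparison on the real host (blkid needs root to list every device).

```python
import re
import subprocess

# Constructed sample: an fstab copied from a Xen VPS onto a VM whose only
# disk is /dev/sda1 with a different UUID.
SAMPLE_FSTAB = """\
# <file system> <mount point> <type> <options> <dump> <pass>
UUID=1111aaaa-2222-bbbb-3333-cccc4444dddd / ext4 errors=remount-ro 0 1
/dev/xvdb1 none swap sw 0 0
/swapfile none swap sw 0 0
tmpfs /tmp tmpfs defaults 0 0
"""
SAMPLE_BLKID = """\
/dev/sda1: UUID="9999eeee-8888-ffff-7777-000011112222" TYPE="ext4"
"""


def parse_blkid(text):
    """Collect device names, UUIDs and LABELs from `blkid` output."""
    known = set()
    for line in text.splitlines():
        dev, _, attrs = line.partition(":")
        known.add(dev.strip())
        for key, val in re.findall(r'(UUID|LABEL)="([^"]*)"', attrs):
            known.add(f"{key}={val}")
    return known


def unresolved_fstab_entries(fstab_text, known):
    """Return fstab filesystem specs that do not exist on this machine.
    Pseudo-filesystems (tmpfs, proc, ...) and plain files such as /swapfile
    are skipped because their first field is not a block device identifier."""
    missing = []
    for line in fstab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        spec = line.split()[0]
        if spec.startswith(("/dev/", "UUID=", "LABEL=")) and spec not in known:
            missing.append(spec)
    return missing


def check_live_system():
    """Run the check against the real /etc/fstab and blkid of this host."""
    with open("/etc/fstab") as f:
        fstab = f.read()
    blkid = subprocess.run(["blkid"], capture_output=True, text=True).stdout
    return unresolved_fstab_entries(fstab, parse_blkid(blkid))


if __name__ == "__main__":
    for spec in unresolved_fstab_entries(SAMPLE_FSTAB, parse_blkid(SAMPLE_BLKID)):
        print("fstab references a filesystem not present on this host:", spec)
```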