Hello,
Long email about DNS timers and alerting based on them. Unless you
have domains on BitFolk's secondary DNS platform you probably won't
care about this, and even then you still probably don't care unless
you've been receiving alerts about them. Turn back now!
Still here? OK.
I've recently implemented DNS secondary domain zone age alerts. They
send alerts when the zone on BitFolk's nameservers is too old. This
saves me having to read logs and open a support ticket to advise
customers that the zone transfers are failing, so I'm all in favour
of that.
The definition of "too old" differs on a per-domain basis. There are
two values in the SOA record of a DNS domain; refresh and expire.
The refresh value tells secondary servers how often to check in
with the primary.
The expire value tells secondary servers how long they should
consider themselves valid for without successful contact with the
primary. If there is no contact with the primary for the expire
period then the secondary server stops serving the domain and
returns SERVFAIL for every query.
So, based on the above, a DNS domain should never be "older" than
refresh. If it is older then that means that at least one refresh
attempt failed. If the age approaches expire then the domain is in
danger of not being served.
At the moment I have decided to send a warning alert on 150% of
refresh and a critical alert on 50% of expire.
RIPE recommends 84600 (one day) for refresh and 3600000 (1000 hours;
almost 6 weeks) for expire:
http://www.ripe.net/ripe/docs/ripe-203
RFC1912 (1996) recommends one day for refresh and 2-4 weeks for
expire:
http://www.faqs.org/rfcs/rfc1912.html
So let's say you go with RIPE's recommendations. You'd receive
a warning alert after your secondary DNS setup was broken for 36 hours,
and you'd receive a critical alert if it was still broken after 500
hours (almost 3 weeks). 500 hours after that, your domain stops
being served on the secondary servers.
That seems reasonable.
Finally getting around to the point of this email: what do you think
I should do about problematic SOA values that customers have chosen?
For example, there are some domains currently on BitFolk's servers
where the refresh and expire are both set to 300 seconds (5
minutes). Ignoring what happens with alerts for a moment, that means
that every 5 minutes the secondary servers check the primary, and if
that fails even once, the domain will return SERVFAIL for all
queries until contact is made again.
I can't understand what the use is of such a fragile setting; it
looks erroneous to me. This isn't just DNS purism saying, "ooh, I
don't like your non-standard values!" It will actually cause
breakage very easily. But perhaps it is not for me to reason why.
Those domains have been like that for a long time and I assume no
one has noticed. It must have caused some problems any time the
primary nameserver was unreachable by the secondary servers. But
arguably that is not my problem.
When combined with this new alerting though, what happens is that
there isn't a refresh for 5 minutes then 2.5 minutes into that a
critical alert fires since we're half way to expire (5 minutes). All
being well there should be a recovery ~2.5 mins later. In reality
these times will be variable because BitFolk's Nagios doesn't check
DNS every few minutes, more like an hour plus.
That is the most extreme example of this problem, but there are a few
other domains in there where refresh and expire have been set to the
same value. It will lead to a cycle of alert and then recovery,
forever.
So, what do you think I should do?
I'm not willing to give up on the alerts because I think most people
would like to know when their DNS setup is broken (or in danger of
being broken), and it saves me having to personally interact to tell
people this. Intentional DNS breakage is not my problem, but
answering/opening support tickets is.
Alerting can be disabled on a per-domain basis. Currently only by
asking support, but eventually you'll be able to flip that on the
Panel¹.
So how about having Panel warn on the web page about what are
considered unwise SOA values, and just allow the alerts to be
disabled if for some reason this sort of fragile DNS setup is
intentional?
Cheers,
Andy
¹ https://panel.bitfolk.com/dns/#toc-secondary-dns
--
http://bitfolk.com/ -- No-nonsense VPS hosting
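Added example, not part of the original email and not BitFolk's own check: a small model of the alert rule described above (warning at 150% of refresh, critical at 50% of expire), showing why equal refresh and expire values alert on every cycle. All function names are hypothetical, and "one day" is taken as 24 * 3600 seconds.

```python
"""Zone-age alert model: warn at 150% of refresh, critical at 50% of expire."""

WARN_REFRESH_FACTOR = 1.5   # warning at 150% of SOA refresh (rule from the email)
CRIT_EXPIRE_FACTOR = 0.5    # critical at 50% of SOA expire (rule from the email)


def thresholds(refresh, expire):
    """Return (warning_age, critical_age) in seconds for one zone."""
    return refresh * WARN_REFRESH_FACTOR, expire * CRIT_EXPIRE_FACTOR


def zone_state(age, refresh, expire):
    """Classify a secondary's zone age (seconds since last good contact)."""
    warn, crit = thresholds(refresh, expire)
    if age >= expire:
        return "EXPIRED"      # secondary stops serving and answers SERVFAIL
    if age >= crit:
        return "CRITICAL"
    if age >= warn:
        return "WARNING"
    return "OK"


def soa_problems(refresh, expire):
    """List reasons a refresh/expire pair is fragile or will make alerts flap."""
    problems = []
    _, crit = thresholds(refresh, expire)
    if expire <= refresh:
        problems.append("expire <= refresh: a single failed refresh expires the zone")
    if crit <= refresh:
        problems.append("critical threshold <= refresh: a healthy zone alerts every cycle")
    return problems


def healthy_cycle_states(refresh, expire, step):
    """States seen while sampling a healthy zone's age across one refresh cycle."""
    seen = []
    for age in range(0, refresh, step):
        state = zone_state(age, refresh, expire)
        if state not in seen:
            seen.append(state)
    return seen


if __name__ == "__main__":
    DAY = 24 * 3600  # constructed sample values below, taken from the email's two cases
    for name, refresh, expire in [("RIPE-style", DAY, 3600000), ("5min/5min", 300, 300)]:
        print(name, thresholds(refresh, expire), soa_problems(refresh, expire),
              healthy_cycle_states(refresh, expire, max(1, refresh // 10)))
```

A Panel-side warning of the kind proposed above could show the strings returned by soa_problems() next to the domain.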
Hi,
I've just enabled some additional alerting for the DNS secondary
service. It will copy you in on alerts regarding BitFolk nameservers
that are not correctly serving your domain.
They look like this:
From: nagios(a)bitfolk.com
Subject: ** PROBLEM alert - a.authns.bitfolk.com/Auth. DNS example.com is UNKNOWN **
***** Nagios *****
Notification Type: PROBLEM
Service: Auth. DNS example.com
Host: a.authns.bitfolk.com
Address: 85.119.80.222
State: UNKNOWN
Date/Time: Fri Jan 27 19:46:10 UTC 2012
Additional Info:
DNS UNKNOWN - 1.444 seconds response time (No ANSWER SECTION found)
This would indicate that a.authns.bitfolk.com is not serving the
domain example.com when we would expect it to be.
The reason for this change is that there are quite a few customer
domains that aren't being served correctly and rather than keep
opening tickets and chasing it up, I would rather let Nagios do what
it is designed for.
I am also working on a check that AXFRs are happening.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
_______________________________________________
announce mailing list
announce(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/announce
Hello,
It appears that recently, CentOS 6.x and Scientific Linux 6.x
installers started to require 512MiB RAM. Our smallest and most
popular VPS plan currently has 480MiB RAM. That means that the
average¹ BitFolk customer now cannot self-install derivatives of
RHEL 6.x.
This is extremely annoying since I suspect that these distributions
work just the same in 480MiB RAM now as they did a few months ago.
I can't find a simple way to override that check (please let me know
if you know of one), and I'm not quite ready to increase the default
RAM allocation to 512MiB.
In the short term I am tempted to make the installer boot with
512MiB RAM if you have 480MiB. It will then revert to 480MiB upon
normal use.
Any comments?
Cheers,
Andy
¹ Mode and median. The mean is 641MiB.
--
http://bitfolk.com/ -- No-nonsense VPS hosting
Q. How many mathematicians does it take to change a light bulb?
A. Only one - who gives it to six Californians, thereby reducing the problem
to an earlier joke.
Hi
I'm pretty sure that my host has been fully configured for the new IP, but
I got a notification that someone has used the old IP recently.
Does anyone have a simple solution for catching where from, and over which
protocol, those connections to the old IP are coming?
Thanks,
Taavi
Hi everyone,
I have decided to venture down what I hope is a well trodden path by now;
upgrading my VPS from Debian Lenny to Squeeze.
I have scoured the list archives and tried to make the most of
http://www.debian.org/releases/squeeze/i386/release-notes/ch-upgrading.en.h…
however I'm not ashamed to admit that I'm no expert in this regard and
very much still learning so would appreciate a critique of my plan of
action:
- Ask Support kindly to perform a temporary disk snapshot
- Log in via Xen console
- Verify no pending actions required for currently installed packages:
    aptitude (Then hit 'g' once in 'visual mode')
- Verify that all packages are in an upgradable state:
    dpkg --audit
- Show currently installed kernel(s):
    dpkg -l | grep linux-image
  Mine currently shows:
    ii linux-image-2.6-xen-686 2.6.26+17+lenny1 Linux 2.6 image on i686, oldstyle Xen suppor
    ii linux-image-2.6.26-1-xen-686 2.6.26-13lenny2 Linux 2.6.26 image on i686, oldstyle Xen sup
    ii linux-image-2.6.26-2-xen-686 2.6.26-26lenny2 Linux 2.6.26 image on i686, oldstyle Xen sup
- Confirm non-usage of grub2:
    dpkg -l | grep grub
  Mine currently shows:
    ii grub 0.97-47lenny2 GRand Unified Bootloader (Legacy version)
    ii grub-common 1.96+20080724-16 GRand Unified Bootloader, version 2 (common
- Update apt sources lists from lenny to squeeze:
    sed -i s/lenny/squeeze/g /etc/apt/sources.list
- Manually edit /etc/apt/sources.list to confirm success of the above step
  and comment out any other repositories (non-Debian, backports etc.)?
- Upgrade the kernel: (*** Am I aiming for the right one here? ***)
    aptitude install linux-image-2.6-686-bigmem
- Update grub configuration:
    update-grub
- Remove clocksource=jiffies from kopt directive in /boot/grub/menu.lst
  and confirm correct kernel will be loaded (i.e. default # matches new
  kernel position)
- Upgrade udev (to minimise the risk of running the old udev with the new
  kernel):
    apt-get install udev
- Reboot
- Record a transcript of the upgrade session:
    script -t 2>~/upgrade-squeeze.time -a ~/upgrade-squeeze.script
  (This can be reviewed at a later date with scriptreplay
  ~/upgrade-squeeze.time ~/upgrade-squeeze.script)
- Update the package list:
    apt-get update
- Perform a minimal upgrade (i.e. upgrade those packages that don't
  require installation/removal of any other package(s)):
    apt-get upgrade
- Complete the rest of the upgrade:
    apt-get dist-upgrade
- Remove old/obsolete packages no longer required:
    apt-get autoremove
- (Hopefully:) After the dust settles, advise Support that the snapshot of
  the old system can be removed
How does that all look? Please don't hold back...
Regards,
Mathew
I must confess, straight off the bat, that this has nothing to do with
Bitfolk, but you're the most knowledgeable group of guys and gals I know
when it comes to Linuxy things.
What's considered "normal" when it comes to the size of a CPanel
installation? I've got a VPS with a US provider, and the CPanel folder is
over 2GB, and that just feels wrong to me, but I don't have anything for
comparison.
Kind regards
Murray Crane
Hi Matthew,
You should be able to upgrade it using the do-release-upgrade tool
built into Ubuntu - this document details how to do it:
https://help.ubuntu.com/community/EOLUpgrades/Dapper.
Andy also suggested an alternative, which is to request a temporary
new VPS with the latest version of Ubuntu on it then migrate
everything from your old to your new one -
https://tools.bitfolk.com/wiki/Migrating_to_a_new_VPS
James
On 22 January 2012 15:41, Matthew Humphreys
<matthew.humphreys(a)austrey.net> wrote:
> Thanks James - spot on!
>
> Can you advise the easiest way to upgrade to Heron? I've tried via the
> control panel, but it doesn't seem to do anything!
>
> Any help much appreciated!
>
> Many thanks
>
>
> Matthew
> ---------------------------------------------------------------------
> Matthew Humphreys
>
> Please help me raise money for The Anthony Nolan Trust
> http://www.bmycharity.com/matthewhumphreys
>
> ---------------------------------------------------------------------
>
>
>
> On 22 January 2012 15:25, James Gregory <jgxenite(a)gmail.com> wrote:
>>
>> Hi Matthew,
>>
>> Judging by the log output, you're running Ubuntu Dapper (6.06), which
>> (for servers) went End of Life in June. That means no updates are
>> being released for it, and the apt repositories won't have been
>> updated. You should really upgrade to (at the least) the next LTS,
>> which is Hardy (8.04) (and is supported until 2013).
>>
>> Hope that helps,
>> James
>>
>> On 22 January 2012 15:18, Matthew Humphreys
>> <matthew.humphreys(a)austrey.net> wrote:
>> > Hi,
>> >
>> > I'm trying to install "apt-show-versions" to allow me to upgrade some
>> > packages on my server.
>> >
>> > sudo apt-get install apt-show-versions generates the following
>> > response:-
>> >
>> > ---------------------------
>> > matthew@mail:~$ sudo apt-get install apt-show-versions
>> > Reading package lists... Done
>> > Building dependency tree... Done
>> > The following NEW packages will be installed
>> > apt-show-versions
>> > 0 upgraded, 1 newly installed, 0 to remove and 35 not upgraded.
>> > 1 not fully installed or removed.
>> > Need to get 18.9kB of archives.
>> > After unpacking 123kB of additional disk space will be used.
>> > WARNING: The following packages cannot be authenticated!
>> > apt-show-versions
>> > Install these packages without verification [y/N]? y
> >> > Err http://apt-cacher.lon.bitfolk.com dapper/universe apt-show-versions
>> > 0.09ubuntu1
>> > 404 Not Found
>> > Failed to fetch
>> >
>> > http://apt-cacher.lon.bitfolk.com/ubuntu/gb.archive.ubuntu.com/ubuntu/pool/…
>> > 404 Not Found
>> > E: Unable to fetch some archives, maybe run apt-get update or try with
>> > --fix-missing?
>> > matthew@mail:~$
>> > ---------------------------
>> >
>> > Can anyone suggest a fix - or am I doing something wrong?
>> >
>> > I also ran apt-get update and sudo apt-get install apt-show-versions
>> > --fix-missing, but this didn't help!
>> >
>> > Many thanks
>> >
>> >
>> >
>> > Matthew
>> >
>> >
>> >
>> > _______________________________________________
>> > users mailing list
>> > users(a)lists.bitfolk.com
>> > https://lists.bitfolk.com/mailman/listinfo/users
>> >
>
>
I renumbered my Ubuntu VPS at the end of December, I had thought
successfully, until this week I got an email letting me know that my
website was still using the old IP address. I didn't disable the old
address, but I did add the new one and change the address in the bind zone
file. I updated the serial number in the file, which I thought was
sufficient to send the file up the chain (pardon, my understanding of
what's really happening in this step is sketchy), but nslookup confirms
that the site is still using the old IP address. Is there something I'm
missing to get the Bitfolk nameservers to take the updated file?
Thank you,
Mike
Hi,
I'm trying to install "apt-show-versions" to allow me to upgrade some
packages on my server.
sudo apt-get install apt-show-versions generates the following response:-
---------------------------
matthew@mail:~$ sudo apt-get install apt-show-versions
Reading package lists... Done
Building dependency tree... Done
The following NEW packages will be installed
apt-show-versions
0 upgraded, 1 newly installed, 0 to remove and 35 not upgraded.
1 not fully installed or removed.
Need to get 18.9kB of archives.
After unpacking 123kB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
apt-show-versions
Install these packages without verification [y/N]? y
Err http://apt-cacher.lon.bitfolk.com dapper/universe apt-show-versions
0.09ubuntu1
404 Not Found
Failed to fetch
http://apt-cacher.lon.bitfolk.com/ubuntu/gb.archive.ubuntu.com/ubuntu/pool/…
404 Not Found
E: Unable to fetch some archives, maybe run apt-get update or try with
--fix-missing?
matthew@mail:~$
---------------------------
Can anyone suggest a fix - or am I doing something wrong?
I also ran apt-get update and sudo apt-get install apt-show-versions
--fix-missing, but this didn't help!
Many thanks
Matthew