Hello,
I found this an interesting read:
https://changelog.complete.org/archives/10478-easily-accessing-all-your-stu…
The author's favourite is Yggdrasil which I'll summarise.
It can be used as a simple VPN of course, but also an overlay
network to easily connect together disparate networks, VMs and
containers.
Once you run the daemon your host generates itself a static IPv6
address inside 200::/7 (a range of addresses that are marked as
deprecated so should not be in use anywhere else). That IPv6 address
stays with you as long as the keys the daemon generated still exist,
and it's how other nodes on the overlay network talk to you.
Initially I was a bit perturbed by this use of "someone else's"
IPv6, but it does make things very simple.
A normal VPN does all of that as well, but it's interesting that
yggdrasil will try to pick an optimal route. For example, if you
have two laptops which are away from their home network and they
want to talk to each other on their 200::/7 addresses they will try
to peer with each other directly over the Internet. That might fail
if they are both behind multiple layers of NAT or on really
restrictive networks or something. They would both also be trying to
peer with every other peer they know about though, so you'd probably
also have a node on your home network for them to connect to. Once
they'd both connected to that, traffic between them would go via
that node as if they were both traditional VPN clients in a star
topology. Yet once they both end up at their home network again the
traffic would go directly between them, bypassing the home server
node - without you having to change anything.
It's doing TCP-over-TCP which is also frowned upon, but they seem to
have taken some steps to optimise it. You might not notice the
overhead unless you're on a >1Gbps network. It's comparable to
Tailscale and ~50% to ~66% that of Wireguard.
As far as I understand, Tailscale does a lot of similar things as
well. I've not used it yet, but I'm liking the apparent simplicity
of Yggdrasil. Tailscale's free pricing tier is only for personal use
and you have to authenticate with github to use it.
Anyone else looked at Yggdrasil?
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
Hi,
After 12 years I am actually making some progress on implementing
DNSSEC for BitFolk domains:
https://tools.bitfolk.com/redmine/issues/59
I will continue to update this as more progress is made.
Sorry it's taken so long to get going. Mistakes are scary with this
(for me).
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
Hi,
I just ran through the provisioning of a new Debian 12 VM and it
started up with the first network interface being enX0 instead of
eth0.
This means that the network doesn't come up because the
/etc/network/interfaces file that BitFolk creates on a new install
uses eth0. A simple:
# sed -i -e 's/eth0/enX0/g' /etc/network/interfaces
# ifup enX0
makes it work.
So at the moment this is a minor bug in our installer for Debian
testing, which we will fix.
It doesn't affect Ubuntu because as of 22.04 that doesn't use the
same installer (it boots the official Ubuntu Cloud Image).
I have not yet tested if upgrades from Debian 11 cause eth0 to
rename to enX0 or if they retain the eth0 they were previously
using.
We knew this was probably coming; the only reason why it hadn't
happened sooner is that udev didn't know what a Xen network
interface was, so it left it alone. Now, apparently, it does.
A lot of VM hosting companies seem to be supplying the net.ifnames=0
kernel command line option, which disables all this network
interface renaming and ensures you just have eth0. When we last
discussed this subject here, most were in favour of us not doing
that so as to be more like a "normal" OS install. So we won't. But
you can, if you like.
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
Hi all,
I am having to leave Proxmox behind - every time there has been a power
cut (every 4-6 weeks), the machine has failed to boot. This last time, I
have had to re-install and restore VMs from backup. So I am
investigating what to use instead, in the hope that it will be less
damaged by power breaks.
VBox is familiar, and the machine is not a laptop, so running Windows
24/7 is not a problem, although I suspect I should reboot once a week,
whether it needs it or not. :)
Xen is another option. New to me, but my websites are on Xen on Bitfolk,
so high compatibility.
The VMs are all Ubuntu. If I use Xen I will have to install a Windows VM
because I use software that has no Linux version yet.
Has anyone any advice or warnings they would like to share?
Thanks
Ian
--
Ian Hobson
Tel (+66) 626 544 695
Hello,
It's often the case that customers want to use disk encryption to
protect against someone with physical access to BitFolk's storage¹
reading their data. The major inconvenience with this is that the VM
doesn't boot on its own any more; it waits for the LUKS passphrase
to be typed into the console.
Today I saw this article that goes through the steps of how to
configure things so that the passphrase can be stored in the initrd
file and used to automatically unlock the root filesystem at boot
time:
https://michael-prokop.at/blog/2023/03/22/automatically-unlocking-a-luks-en…
It might be a useful middle ground for someone.
Obviously anyone with access to the initrd file, which is stored in
the unencrypted /boot, could use it to unlock the disk so this
would not protect against someone with root access to a running
BitFolk server².
In general it should also be considered that someone with root
access to BitFolk's infrastructure can read everything written to
(or displayed on) your consoles, so could just wait for your next
reboot to capture you typing your LUKS passphrase in.
Cheers,
Andy
¹ This doesn't have to be BitFolk staff or an attacker, but could be
someone who got hold of a storage device that was replaced and
taken out of service. Though discard/TRIM is used where possible.
² The attack method would be:
1. Take snapshot of customer disk and transfer it off-site.
2. Unpack initrd file from inside unencrypted customer /boot.
3. Use the LUKS passphrase from within that to unlock customer
root filesystem.
All of which could be done without your knowledge.
--
https://bitfolk.com/ -- No-nonsense VPS hosting
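An added self-check for anyone who adopts the middle ground above (example code, not from the post or the linked article): it parses an initrd, which on Debian is a gzip-wrapped SVR4 "newc" cpio archive, and reports the two things the post warns about, a world- or group-readable initrd (fixed with UMASK=0077 in /etc/initramfs-tools/initramfs.conf) and an embedded keyfile. The keyfile path cryptroot/keyfiles/ is where Debian's cryptsetup-initramfs hook places crypttab keyfiles, and is an assumption here; the sample initrds are constructed in a temp directory.

```python
import fnmatch, gzip, os, tempfile

# Assumed keyfile paths inside a Debian-style initramfs (adjust to your own layout).
KEYFILE_PATTERNS = ("cryptroot/keyfiles/*", "etc/luks/*")

def cpio_newc(entries):  # minimal SVR4 'newc' cpio writer, used only to build samples
    out = bytearray()
    for ino, (name, data) in enumerate(list(entries) + [("TRAILER!!!", b"")], 1):
        nm = name.encode() + b"\0"
        fields = [ino, 0o100600, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(nm), 0]
        out += b"070701" + "".join("%08x" % v for v in fields).encode() + nm
        out += b"\0" * (-len(out) % 4) + data    # name and data are 4-byte padded
        out += b"\0" * (-len(out) % 4)
    return bytes(out)

def cpio_names(buf):  # member names of one newc archive (gzip-wrapped or raw)
    if buf[:2] == b"\x1f\x8b":
        buf = gzip.decompress(buf)
    names, off = [], 0
    while buf[off:off + 6] == b"070701":
        f = [int(buf[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        name = buf[off + 110:off + 110 + f[11] - 1].decode()   # f[11] = namesize
        if name == "TRAILER!!!":
            break
        names.append(name)
        off = (off + 110 + f[11] + 3) & ~3    # past the padded header+name
        off = (off + f[6] + 3) & ~3           # past the padded file data (f[6] = filesize)
    return names

def audit_initrd(path):  # findings: initrd readable by others, or an embedded LUKS keyfile
    findings = []
    mode = os.stat(path).st_mode & 0o777
    if mode & 0o077:
        findings.append("mode %o: readable by group/other (set UMASK=0077 in initramfs.conf)" % mode)
    with open(path, "rb") as fh:
        names = cpio_names(fh.read())
    findings += ["embedded keyfile: " + n for n in names
                 if any(fnmatch.fnmatch(n, p) for p in KEYFILE_PATTERNS)]
    return findings

def demo():  # constructed samples: one initrd with a keyfile and loose mode, one clean
    d = tempfile.mkdtemp()
    bad, good = os.path.join(d, "initrd.img-bad"), os.path.join(d, "initrd.img-good")
    with open(bad, "wb") as fh:
        fh.write(gzip.compress(cpio_newc([("cryptroot/keyfiles/root.key", b"SECRET")])))
    with open(good, "wb") as fh:
        fh.write(gzip.compress(cpio_newc([("etc/crypttab", b"root UUID=... none luks")])))
    os.chmod(bad, 0o644)
    os.chmod(good, 0o600)
    return audit_initrd(bad), audit_initrd(good)
```

Run audit_initrd() against /boot/initrd.img-$(uname -r) on a real system; a real Debian initrd may also carry an uncompressed microcode archive in front of the gzip one, which this simplified reader does not step over.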
Hello, a question for the Gentoo users (all 4 or 5 of you?):
Where should portage be mirrored from?
We have a Portage mirror:
https://tools.bitfolk.com/wiki/Local_software_mirrors
It started off being mirrored from
rsync://mirror.bytemark.co.uk/gentoo-portage. That started refusing
connections in January so we switched to getting it from
rsync://rsync.uk.gentoo.org/gentoo-portage. That also started
refusing connections as of 9 March.
So where should this actually be mirrored from?
If no one knows / answers then I'll assume no one is using it and
probably just shut it down. There have been no connections to it in
the last week, except for our own monitoring.
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
Looks like my trusty old HP Microserver has come out in sympathy for Andy’s :) Unfortunately, it’s running my personal Mastodon instance.
I’m thinking of hosting it with BitFolk instead of at home. I’m the only user at the moment and I don’t envisage having more than another 2 or 3 users. I’m not connected to any relays as I can’t cope with massive timelines and things are going quite nicely as it is.
Does 2GiB RAM sound reasonable as a start? My HP has 8GB and is running other things as well but I rarely see memory usage go above 1.5GB. I’m using AWS (S3 plus Cloudfront) for the media cache (just for fun and because it’s less than £1 a month) so probably OK with 10-15GiB storage.
Anybody already doing this, either here or with another provider? I did spin up an Amazon Lightsail instance just to see what life is like elsewhere and wasn’t that impressed - it uses Cloud-Config which I find a pain in the backside.
Cheers,
Mike
I have officially had it with WordPress.
I loathe the Gutenberg editor WP devs have spent so much time on rather
than fix all the security holes, but the Disable Gutenberg plugin allows
me to mostly forget it exists.
The last straw was having had issues with doing my first new WordPress
install in a while. The latest version of PHP WP does officially support
is out of support as far as the PHP devs are concerned, and I had to
edit a core file to get it to install with the PHP 8.1 (released over a
year ago) that comes with Ubuntu 22.04 (released ten months ago). Once
it is installed, it would work without that patch, but argh, enough!
There are a bunch of worthwhile static site generators out there, but
some of the sites I want to port want to allow comments, so I either
need to pay a third party to host those (no budget) or have another free
self-hosted CMS that does dynamic sites.
Which one(s) do people recommend?
ClassicPress exists to be 'WordPress without Gutenberg' and supports PHP
8.0, but if there's something better, I would love to know. I would
greatly prefer something reasonably light, so Drupal and Joomla! are out.
Ian
Hi,
Someone asked for Kali Linux today.
https://www.kali.org/
It was new to me, but seems to be Debian based so fairly familiar
ground. I was able to massage their "Generic Cloud Image" into
working via the Rescue VM:
https://tools.bitfolk.com/wiki/Installing_Kali_Linux
It seems to have a PXE boot installer which might work like the
Debian one, or maybe even their net installer works like Debian too.
If so then we can probably make a nicer install process like we have
for Debian.
In the meantime if any of you are familiar with Kali and spot
issues with what I've done there please do edit the article or raise
a query. If you are particularly keen I can give you a VM to test
with and service credit for improvements…
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
Hi,
There was a blip of alerts relating to c.authns.bitfolk.com just now
for a few minutes as it was upgraded.
The work is now complete and there's not expected to be any further
alerts.
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting