mikl's questions

I've been trying for weeks to figure out the right network configurtion for sharing a range of public IPs with KVM virtual machines running on my server, but so far with little luck and with the help of the friendly ServerFault community, I've managed to make it work. You can find my working setup below:

My ISP routes all the traffic to 192.168.8.118 (so that needs to be the primary IP of eth0), but I have 192.168.239.160/28 to my disposition.

Here's /etc/network/interfaces on the host machine:

# Loopback device:
auto lo
iface lo inet loopback

# device: eth0
auto  eth0
iface eth0 inet static
  address   192.168.8.118
  broadcast 192.168.8.127
  netmask   255.255.255.224
  gateway   192.168.8.97
  pointopoint 192.168.8.97
  # This device acts as gateway for the bridge, so provide a route.
  up ip route add 192.168.8.118/32 dev eth0 scope host

# device: br0
auto  br0
iface br0 inet static
  bridge_stp      off
  bridge_maxwait  0
  bridge_fd       0
  address   192.168.239.174
  broadcast 192.168.239.175
  netmask   255.255.255.240
  gateway   192.168.8.118
  # Create and destroy the bridge automatically.
  pre-up brctl addbr br0
  post-down brctl delbr br0
  # Our additional IPs are allocated on the bridge.
  up ip route add to 192.168.239.160/28 dev br0 scope host

I have configured a virtual machine like this:

sudo ubuntu-vm-builder kvm precise \
                  --domain pippin \
                  --dest pippin \
                  --hostname pippin.hobbiton.arnor \
                  --flavour virtual \
                  --mem 8196 \
                  --user mikl \
                  --pass hest \
                  --bridge=br0 \
                  --ip 192.168.239.162 \
                  --mask 255.255.255.240 \
                  --net 192.168.239.160 \
                  --bcast 192.168.239.175 \
                  --gw 192.168.239.174 \
                  --dns 8.8.8.8 \
                  --components main,universe \
                  --addpkg git \
                  --addpkg openssh-server \
                  --addpkg vim-nox \
                  --addpkg zsh \
                  --libvirt qemu:///system ;

If I inspect the virtual machine's XML definition, its network interface is defined like this:

<interface type='bridge'>
  <mac address='52:54:00:b1:e9:52'/>
  <source bridge='br0'/>
  <model type='virtio'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>

When I (re)start the virtual machine, /var/log/syslog receives these lines:

Jul 20 03:13:02 olin kernel: [ 4084.652906] device vnet0 entered promiscuous mode
Jul 20 03:13:02 olin kernel: [ 4084.686388] br0: port 2(vnet0) entering forwarding state
Jul 20 03:13:02 olin kernel: [ 4084.686394] br0: port 2(vnet0) entering forwarding state

My server is running Ubuntu 12.04 64-bit with kernel 3.2.0-26-generic (from Ubuntu). I'm running libvirt-bin 0.9.8-2ubuntu1 and qemu-kvm 1.0+noroms-0ubuntu13.

iptables on the host machine is currently set up to allow all traffic (to eliminate that as a problem source), and I have enabled forwarding of both ipv4 and ipv6 traffic.

When I log in to the guest via SSH from the host, I have no internet connection inside the guest OS. The guest’s /etc/network/interfaces looks like this:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 192.168.239.162
    netmask 255.255.255.240
    network 192.168.239.160
    broadcast 192.168.239.175
    gateway 192.168.239.174
    # dns-* options are implemented by the resolvconf package, if installed
    dns-nameservers 8.8.8.8
    dns-search pippin

Now it works

The configuration outline above actually works as I want it to. Refer to the edit history if you want to see my earlier attempts.

My server has several public IPs, and is running a bunch of virtual machines with private IP adresses.

As an example, I want to map ports 80, 443 and 8080 on 232.21.23.23 (public) to 192.168.122.12 (private). I have tried a couple of different NAT mappings, but none of them seem to work:

# This doesn't work.
DNAT           net              loc:192.168.122.12  tcp  80,443,8080  -           232.21.23.23

# Neither does this.
DNAT           $FW              loc:192.168.122.12  tcp  80,443,8080  -           232.21.23.23

# Nor this.
DNAT           net:232.21.23.23 loc:192.168.122.12  tcp  80,443,8080

# I have no idea what I'm doing.
DNAT           $FW:232.21.23.23 loc:192.168.122.12  tcp  80,443,8080

Can anyone point me in the right direction?

I have a VIA M'SERV S2100 with FreeNAS 8.

Since I upgraded from FreeNAS 7, the M'SERV no longer turns back on after suffering a power failure. As I remember it, there was a setting for it in the old FreeNAS control panel, but I haven't been able to find one in the new one.

So logically, it should be something I could set from the CLI or some config file. Can someone point me in the right direction?

I am trying to set up rsync backup for my FreeBSD servers.

I’ve put together an rsync-command that looks like this:

rsync -avzhe ssh --progress --delete --delete-excluded \
--exclude-from=/root/rsync-excludes \
-e ssh / [email protected]:Backups/location

My /root/rsync-excludes file looks like this:

- *~
+ /root
+ /usr/home
+ /usr/srv
+ /etc
+ /usr/local/etc
+ /var/backups
+ /usr/local/pgsql/backups
- /root/.my.cnf
- /*

But for some reason, it only backs up /etc and /root, leaving out the other files. Can someone explain why?

Solution

As per the answer from Gilles, I figured it out, and my config now looks like this:

- *~
+ /etc
+ /root
+ /usr/
+ /usr/home
+ /usr/local/
+ /usr/local/etc
+ /usr/local/git
+ /usr/local/pgsql/
+ /usr/local/pgsql/backups
- /usr/local/pgsql/*
+ /usr/local/varnish
- /usr/local/*
+ /usr/srv
- /usr/*
+ /var/
+ /var/backups
- /var/*
- /root/.my.cnf
- /*

I have recently tried to set up jails on one of my FreeBSD servers, and I’m running into strange errors while trying to download FreeBSD packages via FTP.

I have these rules in the PF firewall to allow the download of packages on the host machine, where they work fine:

ext_if = "bge0"

# Allow downloads
pass out log on $ext_if proto tcp to any port {20, 21, 22, 80, 443}

# Special exception for FTP.
pass out log on $ext_if proto tcp to any port > 49151 keep state

But when I try to install packages from inside the Jail, the FTP connection just times out.
The error message I get is this:

%pkg_add -vr bash
[snipped FTP connection setup]
>>> CWD pub/FreeBSD/ports/amd64/packages-8.1-release/Latest
<<< 250 CWD command successful.
>>> MODE S
<<< 200 MODE S accepted.
>>> TYPE I
<<< 200 Type set to I.
binding data socket
>>> PORT 82,103,140,25,229,3
<<< 200 PORT command successful.
initiating transfer
>>> RETR bash.tbz
<<< 425 Can't build data connection: Operation timed out.
Error: Unable to get ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.1-release/Latest/bash.tbz: Can't open data connection
pkg_add: unable to fetch 'ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.1-release/Latest/bash.tbz' by URL
pkg_add: 1 package addition(s) failed

Is there some sort of connection I’m missing? I wish I could just configure pkg_add to use HTTP instead of FTP (I have no idea why FreeBSD still uses that sorry excuse for a protocol), but it seems FTP is needed to operate FreeBSDs package system, and I have no idea how to make it work with the firewall. Any suggestions will be welcome :)

I run Apache HTTPD 2.2 on my FreeBSD 7.2 webserver. I have enabled the httpready and dataready in my /boot/loader.conf, like this:

accf_http_load="YES"
accf_data_load="YES"

That works great when the server is started, but whenever I restart (via apachectl graceful or apachectl restart), I get a salvo like this in my /var/log/httpd-error.log:

[Thu Oct 08 13:32:53 2009] [warn] (22)Invalid argument: Failed to enable the 'httpready' Accept Filter
[Thu Oct 08 13:32:53 2009] [warn] (22)Invalid argument: Failed to enable the 'dataready' Accept Filter
[Thu Oct 08 13:32:53 2009] [warn] (22)Invalid argument: Failed to enable the 'httpready' Accept Filter
[Thu Oct 08 13:32:53 2009] [warn] (22)Invalid argument: Failed to enable the 'dataready' Accept Filter
[Thu Oct 08 13:32:53 2009] [warn] (22)Invalid argument: Failed to enable the 'httpready' Accept Filter
[Thu Oct 08 13:32:53 2009] [warn] (22)Invalid argument: Failed to enable the 'httpready' Accept Filter

There' is a bug for this on ASF bugzilla, but that doesn't look like it's going anywhere soon, so in the meantime, I'm looking to find out if this is really a problem (does the httpready filter still work despite the warnings?), and if it is, is there a workaround?

I have a problem with my FreeBSD 7.1 server. PHP's GD implementation no longer works on PNG images. Whenever the system tries to work with PNG images, I get these three error messages:

[Sat Jul 18 21:41:15 2009] [error] [client 90.34.34.34] PHP Warning:  imagecreatefrompng() [function.imagecreatefrompng]: gd-png:  fatal libpng error: [00][00][00][00]: unknown critical chunk in /usr/storage/www/private/mikkel.hoegh.org/modules/acquia/imageapi/imageapi_gd.module on line 44, referer: http://mikkel.hoegh.org/admin/build/imagecache/3
[Sat Jul 18 21:41:15 2009] [error] [client 90.34.34.34] PHP Warning:  imagecreatefrompng() [function.imagecreatefrompng]: gd-png error: setjmp returns error condition in /usr/storage/www/private/mikkel.hoegh.org/modules/acquia/imageapi/imageapi_gd.module on line 44, referer: http://mikkel.hoegh.org/admin/build/imagecache/3
[Sat Jul 18 21:41:15 2009] [error] [client 90.34.34.34] PHP Warning:  imagecreatefrompng() [function.imagecreatefrompng]: 'sites/mikkel.hoegh.org/files/imagecache_sample.png' is not a valid PNG file in /usr/storage/www/private/mikkel.hoegh.org/modules/acquia/imageapi/imageapi_gd.module on line 44, referer: http://mikkel.hoegh.org/admin/build/imagecache/3

I've been trying to solve this half a day now, and the best clue I've found is another guy having the same problem – no solution there, though.

The code in question is fairly simple, it just calls imagecreatefrompng($filename);

Package versions of all the packages I can think of that might be related:

• php5-5.2.10
• php5-gd-5.2.10
• png-1.2.37
• gd-2.0.35_1,1

Any clues?

I've been trying to get Java working on my FreeBSD 7.1 server. I just want the runtime, since the JDK drags all kinds of unnecessary dependencies with it, and I just need it to run a jar file periodically. I've installed the FreeBSD-supported diablo-jre, but whenever I try to run it, I get a:

/usr/local/diablo-jre1.6.0/bin/java: 2: Syntax error: "(" unexpected

So what to do?