Upgrading openssh on Mac OS Yosemite

Great tutorial by mochtu.de. Note that these steps overwrite files under /System and /usr/bin, which Yosemite still permits; from El Capitan on, System Integrity Protection blocks both, so on later releases leave the Apple binaries alone and put /usr/local/bin ahead of /usr/bin in your PATH instead. Either way, confirm with which ssh and ssh -V that the Homebrew build is the one actually being run.

brew install openssl
brew install openssh --with-brewed-openssl --with-keychain-support
sudo sed -i '' 's/\/usr\/bin\/ssh-agent/\/usr\/local\/bin\/ssh-agent/' /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist
sudo mv /usr/bin/ssh /usr/bin/ssh_old
sudo ln -s /usr/local/bin/ssh /usr/bin/ssh

Great tips on improving ssh settings

I am currently reading “Ansible: Up and Running” and it pointed to several improvements I could make to my ssh settings. Also thanks to tenshu.net and the OpenSSH Wikibook.

Multiplexing (one authenticated connection per host, reused for later sessions; ssh creates the control socket with owner-only permissions, but a directory only you can write, such as ~/.ssh, is a better home for it than world-writable /tmp):

Host *
  ControlPath /tmp/control-%r@%h:%p
  ControlMaster auto
  ControlPersist 10m

Keep a separate, generated known_hosts file for your local domain (with StrictHostKeyChecking yes, ssh refuses any host not already in the file, so it has to be populated up front, e.g. from your inventory with ssh-keyscan, and is only as trustworthy as that scan):

Host *.mycompany.com
    UserKnownHostsFile ~/.ssh/generated_known_hosts
    StrictHostKeyChecking yes

Sane global defaults (ForwardAgent no is the one that matters most: with forwarding on, root on any server you log in to can use your keys for as long as the connection lasts):

HashKnownHosts no
Host *
    GSSAPIAuthentication no
    ForwardAgent no

Notify on new ssh connections (the script runs locally, with your privileges, for every connection, so keep it writable by you alone):

Host *
    PermitLocalCommand yes
    LocalCommand /home/user/bin/ssh-notify.sh %h

Set up per-host port forwards:

Host port-forwards-site1.company.com
  Hostname server1.company.com
  LocalForward 1234 10.0.0.101:1234

Jumphosts (ssh_config keeps the first value it finds for an option, so the jumphost’s own block has to come before the *.company.com wildcard; the other way round the jumphost would try to proxy through itself):

Host jumphost.company.com
  ProxyCommand none
Host *.company.com
  ProxyCommand ssh jumphost.company.com nc -q0 %h %p

–or–, which needs no netcat on the jumphost (OpenSSH 5.4 or later) and sidesteps the -q flag that only some netcat variants accept:

  ProxyCommand ssh -W %h:%p jumphost.company.com

Keep it Alive:

ServerAliveInterval 30
ServerAliveCountMax 4
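With several Host blocks in play it is easy to lose track of what a given host actually ends up with, especially since ssh_config keeps the first value it finds for each option. The script below is an added example, not part of the original post or the sources it cites; it prints the effective settings with ssh -G (OpenSSH 6.8 or later) and warns about a jumphost that has been made to proxy through itself or a host left with agent forwarding on:

```shell
#!/bin/sh
# Added example, not from the original post. Shows which values OpenSSH will
# actually use for a host once all the Host blocks are merged, via `ssh -G`
# (OpenSSH 6.8+). ssh_config keeps the FIRST value it sees for each option, so
# block order matters: "Host jumphost.company.com" with "ProxyCommand none"
# must precede "Host *.company.com", or the jumphost would proxy through
# itself. This script makes such mistakes visible.

# effective_opt KEYWORD   (reads `ssh -G` output on stdin)
# Prints the value of KEYWORD, or nothing if ssh -G did not list it.
# ssh -G prints lowercase "keyword value" pairs, one per line, and may list
# an option (e.g. localforward) several times; the first wins here just as
# it does for ssh itself.
effective_opt() {
    awk -v key="$1" 'index($0, key " ") == 1 { print substr($0, length(key) + 2); exit }'
}

# check_host HOST
# Dumps the options discussed in the post for HOST and warns about two
# footguns: a jumphost that proxies through itself, and agent forwarding
# left on.
check_host() {
    host=$1
    if ! cfg=$(ssh -G "$host" 2>/dev/null); then
        echo "ssh -G is not supported by this OpenSSH; it needs 6.8 or later" >&2
        return 1
    fi
    for key in hostname proxycommand controlpath controlmaster forwardagent \
               userknownhostsfile stricthostkeychecking localforward; do
        printf '%-20s %s\n' "$key" "$(printf '%s\n' "$cfg" | effective_opt "$key")"
    done
    proxy=$(printf '%s\n' "$cfg" | effective_opt proxycommand)
    case $proxy in
        *"$host"*) echo "WARNING: $host proxies through itself: $proxy" >&2 ;;
    esac
    if [ "$(printf '%s\n' "$cfg" | effective_opt forwardagent)" = yes ]; then
        echo "WARNING: ForwardAgent is on for $host" >&2
    fi
    return 0
}

# Usage: sh ssh-check.sh server1.company.com jumphost.company.com
for h in "$@"; do check_host "$h"; done
```

Run it against both the jumphost and a host behind it: the jumphost line should show an empty proxycommand, the inner host the ssh -W (or nc) command.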

Upgrading my SSH and SSHd settings

Thanks to the great articles by stribika on GitHub and Aaron Toponce, these are the updated settings I am using now. In sshd_config:

Protocol 2
Ciphers aes256-ctr,aes192-ctr,aes128-ctr,arcfour256,arcfour128,arcfour 
KexAlgorithms diffie-hellman-group-exchange-sha256
MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160

and on the client side, in ~/.ssh/config:

Host *
    Ciphers aes256-ctr,aes192-ctr,aes128-ctr,arcfour256,arcfour128,arcfour
    KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
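A caveat on these lists: the arcfour ciphers and hmac-ripemd160 were disabled by default in OpenSSH 7.0 and removed outright in 7.6 (diffie-hellman-group1-sha1 was disabled in 7.0 as well), and OpenSSH rejects a Ciphers, MACs or KexAlgorithms line that names an algorithm it does not know, so on a newer client or server these exact lines keep ssh or sshd from starting at all. The script below is an added example, not from the post or from stribika’s guide; it flags the weak entries in a list, asks the local OpenSSH (ssh -Q, 6.3 or later) which entries it still supports, and prints the list with the weak ones removed. The deny patterns are this example’s own choice and are stricter than OpenSSH’s defaults.

```shell
#!/bin/sh
# Added example, not from the original post. Audits an OpenSSH algorithm list
# against (a) a deny-list of weak entries and (b) what the local OpenSSH
# actually supports (`ssh -Q`, OpenSSH 6.3+).

# weak_algos LIST : print the entries of comma-separated LIST that match a
# deny pattern, one per line, in list order. Patterns:
#   ^arcfour   RC4 ciphers: disabled by default in OpenSSH 7.0, removed in 7.6
#   sha1$      SHA-1 key exchange and MACs (group1-sha1 is also a 1024-bit group)
#   ^hmac-md5  MD5 MACs
#   -96$       truncated MACs
#   ripemd160  hmac-ripemd160, removed in OpenSSH 7.6
weak_algos() {
    printf '%s\n' "$1" | tr ',' '\n' |
        grep -E -e '^arcfour' -e 'sha1$' -e '^hmac-md5' -e '-96$' -e 'ripemd160' || true
}

# unsupported_algos TYPE LIST : entries of LIST that `ssh -Q TYPE` does not
# list (TYPE is cipher, kex or mac). One unknown name makes ssh/sshd reject
# the whole option ("Bad SSH2 cipher spec"), so this matters more than it
# looks. Prints nothing when ssh -Q is unavailable.
unsupported_algos() {
    supported=$(ssh -Q "$1" 2>/dev/null) || return 0
    printf '%s\n' "$2" | tr ',' '\n' | while IFS= read -r algo; do
        printf '%s\n' "$supported" | grep -qxF "$algo" || printf '%s\n' "$algo"
    done
}

# strip_weak LIST : LIST with the weak entries removed, still comma-separated.
strip_weak() {
    weak=$(weak_algos "$1")
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r algo; do
        printf '%s\n' "$weak" | grep -qxF "$algo" || printf '%s\n' "$algo"
    done | paste -sd, -
}

# The lists from the post:
CIPHERS='aes256-ctr,aes192-ctr,aes128-ctr,arcfour256,arcfour128,arcfour'
KEX='diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1'
MACS='hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'

# audit : report weak and locally unsupported entries and a cleaned list.
audit() {
    for pair in "cipher=$CIPHERS" "kex=$KEX" "mac=$MACS"; do
        type=${pair%%=*}; list=${pair#*=}
        echo "== $type"
        weak_algos "$list"                | sed 's/^/  weak:        /'
        unsupported_algos "$type" "$list" | sed 's/^/  unsupported: /'
        echo "  suggested:   $(strip_weak "$list")"
    done
}

audit
```

The suggested lists are the post’s own minus the weak entries; stribika’s guide additionally puts chacha20-poly1305@openssh.com, the AES-GCM ciphers and curve25519-sha256@libssh.org at the front, which ssh -Q will tell you whether your build offers.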

Difficulties installing TrueCrypt on OS X Yosemite


I finally got around to doing a clean install of my MacBook, which was long overdue since the system had been piling up cruft since 2012.

I am a heavy TrueCrypt user despite the announcements the team made a couple of months back, so after installing OS X I went to the archive page on GRC to get the last fully functional binary (check the download against the checksums GRC publishes before doing anything else with it). On installing it on my Mac I found that the package carries an OS version check.

Thanks to the fix on stefansundin.com I was up and running:

First copy the package to your desktop, then open Terminal and type:

sed -i '' 's/<installation-check .*>//' 'Desktop/TrueCrypt 7.1a.mpkg/Contents/distribution.dist'

This removes the installation-check element from the package’s distribution script, which is what enforces the version limit; the TrueCrypt binaries themselves are left untouched.

That’s it!

How do I name my servers?

I’ve been asked this question a couple of times already! The process is straightforward now, but it hasn’t always been.

At first I named my servers according to their purpose: “HOMESERVER”, “UTORRENT”, etc. This turned out not to work very well once I started to fiddle with virtualization. I needed to give them proper names that were not tied to the main software they were running, so I could switch eventually, as I did when I decided to go with FreeNAS instead of Microsoft Windows Home Server.

I took the solution from watching the news about the US tornado season, where the storms always get female names in alphabetical order. My wife suggested using stars instead, since several analogies could be made: constellations could hold servers that share a purpose, the size of the star could reflect the server’s processing power, there are galaxies and other groups of “stars”, and the list goes on and on.

Right now I have the following names being actively used:

  • Andromeda – this is my low-power, always on, Proxmox Virtualization box.
  • Betelgeuse – this is my uTorrent-based downloader.
  • Capella – my FreeNAS 4x2TB ZFS Raid-Z file server.
  • Deneb – my cloud backup virtualized box: every hour it takes a snapshot of the websites I manage and also downloads and archives all Gmail messages locally; these backups are all sent to Capella for long-term storage when it comes online.
  • Elnath – my git code server virtualized box.
  • Smokeping – this is a virtualized network test machine that constantly pings several addresses to keep track of when and where network failures occur, and yes, it needs a new name.
  • Puppetmaster – this is the puppet master virtualized machine I use to coordinate puppet settings, I also need a new name for it.

So there you have it, and before you ask, Andromeda is a galaxy but is also a constellation!

Creating an Ansible-Ready Proxmox VE OpenVZ template

Alongside the instructions on creating a customized template, also:

  1. Create the user “ansible” (the original snippet chowned the wrong home directory and left ~/.ssh itself world-readable; both are fixed here):

    adduser ansible
    mkdir /home/ansible/.ssh
    echo "YOURSSHKEYHERE" > /home/ansible/.ssh/authorized_keys
    chown -R ansible:ansible /home/ansible/.ssh
    chmod 700 /home/ansible/.ssh
    chmod 600 /home/ansible/.ssh/authorized_keys
    
  2. Add it to the sudoers list (a drop-in keeps /etc/sudoers itself untouched; the heredoc delimiter is quoted so the shell leaves the contents alone, and visudo -cf catches a syntax error before it can break sudo for every account on the box):

    cat > /etc/sudoers.d/ansible <<'ENDSUDOERS'
    ansible ALL=(ALL) NOPASSWD: ALL
    ENDSUDOERS
    chmod 440 /etc/sudoers.d/ansible
    visudo -cf /etc/sudoers.d/ansible
    

Speeding up slow zfs resilver on FreeNas

A couple of months ago I began receiving constant e-mail alerts stating that my FreeNAS box was 80% full. My 2-year-old setup had four 2TB Seagate drives in a RAID-Z1 pool. After some research and tests with new firmware builds I found out that this was not optimal, since a RAID-Z1 vdev should follow the 2*n+1 formula [with n>0] (3, 5, 7 or 9 … drives).

I cannot afford to rebuild the pool at this time, and one of the original drives had already failed and been replaced by a newer 4TB unit.

My approach was to replace every remaining 2TB drive in the pool with a 4TB one, and this proved very time consuming: the box was taking far too long to resilver the pool.

After some more research I came across Allan Jude’s “ZFS Advanced Topics” chapter, proposed to the FreeBSD documentation project, which pointed to two tunables:

sudo sysctl vfs.zfs.resilver_delay=0
sudo sysctl vfs.zfs.scrub_delay=0

These tunables remove the delay ZFS inserts between consecutive resilver and scrub I/Os (the FreeBSD defaults are 2 and 4 ticks), letting the repair compete on equal terms with normal traffic. Client performance was somewhat degraded, but getting my pool back into pristine condition was more important. Values set with sysctl like this do not survive a reboot; on FreeNAS, System → Tunables is where you would make them permanent, which for these two you do not want: put the defaults back once zpool status reports the resilver finished.
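Since the tunables cost interactive performance, they are best applied only while the resilver runs. The following is an added example, not from the post or from the chapter it cites: it records the current values, zeroes both, polls zpool status until the scan is no longer in progress, and restores the old values (also on Ctrl-C). The pool name is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: apply the two tunables only for
# the duration of the resilver and put the previous values back afterwards,
# so the hit to client performance does not outlive the repair. `sysctl` and
# `zpool` are the FreeBSD/FreeNAS commands; the pool name passed in is a
# placeholder.

# scan_in_progress STATUS_TEXT : exit 0 while `zpool status` output reports a
# resilver or scrub still running. The "scan:" line reads e.g.
# "resilver in progress since ..." while running and "resilvered 5.44T in
# 9h12m ..." once done, so matching on "in progress" is enough.
scan_in_progress() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*scan:[[:space:]]+(resilver|scrub) in progress'
}

# with_fast_resilver POOL [POLL_SECONDS] : zero both delays, wait for the
# scan to finish, restore. The trap also restores on Ctrl-C or termination.
with_fast_resilver() {
    pool=$1; poll=${2:-60}
    old_r=$(sysctl -n vfs.zfs.resilver_delay)
    old_s=$(sysctl -n vfs.zfs.scrub_delay)
    trap 'sysctl vfs.zfs.resilver_delay="$old_r" vfs.zfs.scrub_delay="$old_s"' EXIT INT TERM
    sysctl vfs.zfs.resilver_delay=0 vfs.zfs.scrub_delay=0
    while scan_in_progress "$(zpool status "$pool")"; do
        zpool status "$pool" | grep -E 'scanned|to go' || true   # progress line
        sleep "$poll"
    done
    zpool status "$pool" | grep 'scan:'
}

# Usage (as root, or via sudo as in the post):  sh fast-resilver.sh capella
if [ $# -gt 0 ]; then with_fast_resilver "$1" "${2:-60}"; fi
```

Run it inside tmux or screen, since an interrupted SSH session would otherwise fire the trap and restore the delays with the resilver still running.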

Improving network performance of a new FreeBSD server

Thanks to Calomel.org for these tips. I was having network performance issues, and my throughput has more than doubled.

Editing /etc/sysctl.conf:

# Default is fine for most networks. You may want to increase to 4MB if the
# upload bandwidth is greater than 30Mbit. For 10GE hosts set to at least 16MB
# as well as to increase the TCP window size to 65535 and window scale to 9.
# For 10GE hosts with RTT over 100ms you will need to set a buffer of 150MB and
# a wscale of 12.  Default of "2097152 = 2*1024*1024" is fine for 1Gbit, FIOS
# or slower.
# network:   1 Gbit   maxsockbuf:    2MB   wsize:  6    2^6*65KB =    4MB (default)
# network:   1 Gbit   maxsockbuf:    4MB   wsize:  7    2^7*65KB =    8MB (FIOS 150/65)
# network:  10 Gbit   maxsockbuf:   16MB   wsize:  9    2^9*65KB =   32MB
# network:  40 Gbit   maxsockbuf:  150MB   wsize: 12   2^12*65KB =  260MB
# network: 100 Gbit   maxsockbuf:  600MB   wsize: 14   2^14*65KB = 1064MB
kern.ipc.maxsockbuf=4194304  # (default 2097152)

# set auto tuning maximums to the same value as the kern.ipc.maxsockbuf above.
# Use at least 16MB for 10GE hosts with RTT of less than 100ms. For 10GE hosts
# with RTT of greater than 100ms set buf_max to 150MB. The default of
# "2097152" is fine for most networks.
net.inet.tcp.sendbuf_max=4194304  # (default 2097152)
net.inet.tcp.recvbuf_max=4194304  # (default 2097152)
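The table above can be derived rather than looked up: a socket buffer needs to hold one bandwidth-delay product, and the TCP window scale is whatever shift w makes 65535 << w cover the buffer (RFC 7323 caps w at 14). FreeBSD derives the shift it advertises from kern.ipc.maxsockbuf, which is why the wsize column sits one step above what the raw BDP alone would need. This added example, not from the post or from Calomel, does the arithmetic for a measured link speed and RTT and prints the three sysctl.conf lines, never going below the 2 MB default the comments call fine for 1 Gbit; it touches nothing on the running system.

```shell
#!/bin/sh
# Added example, not from the original post: derive the socket buffer size
# and the resulting TCP window scale from link speed and RTT instead of
# reading them off Calomel's table. FreeBSD picks the advertised shift from
# kern.ipc.maxsockbuf itself, so the shift is reported, not set.

# bdp_bytes MBIT_PER_S RTT_MS : bandwidth-delay product in bytes
#   Mbit/s * 10^6 / 8 * (ms / 1000)  ==  Mbit/s * ms * 125
bdp_bytes() { echo $(( $1 * $2 * 125 )); }

# min_wscale BYTES : smallest shift w with 65535 << w >= BYTES (RFC 7323 max 14)
min_wscale() {
    w=0; win=65535
    while [ "$win" -lt "$1" ] && [ "$w" -lt 14 ]; do
        w=$((w + 1)); win=$((win * 2))
    done
    echo "$w"
}

# pow2_ceil BYTES : BYTES rounded up to a power of two, as the table does
pow2_ceil() { n=1; while [ "$n" -lt "$1" ]; do n=$((n * 2)); done; echo "$n"; }

# sysctl_for MBIT_PER_S RTT_MS : print the /etc/sysctl.conf lines, never
# below the 2 MB FreeBSD default (fine for <= 1 Gbit per the comments above)
sysctl_for() {
    bdp=$(bdp_bytes "$1" "$2")
    buf=$(pow2_ceil "$bdp")
    if [ "$buf" -lt 2097152 ]; then buf=2097152; fi
    cat <<EOF
# $1 Mbit/s at $2 ms RTT: BDP $bdp bytes; FreeBSD will advertise window scale $(min_wscale "$buf")
kern.ipc.maxsockbuf=$buf
net.inet.tcp.sendbuf_max=$buf
net.inet.tcp.recvbuf_max=$buf
EOF
}

# A 1 Gbit/s link with 30 ms RTT reproduces the post's 4 MB setting (and the
# table's wsize 7 for a 4 MB maxsockbuf):
sysctl_for 1000 30
```

Feeding the table’s own maxsockbuf values (16 MB, 150 MB, 600 MB) to min_wscale returns its wsize column (9, 12, 14), which is a good sanity check that the rule of thumb and the arithmetic agree.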