My Debian activities in July 2014

FTP assistant
This month I was able to accept 237 packages, 27 times I contacted the maintainer to ask a question about a package and 40 times I had to reject a package. Additionally I needed to file nine serious bugs.
In the light of recent events I want to make clear that there is no automatism to create such bugs. They are all handmade and you can be quite sure that there are no false positives but only real issues.

The highlight of this month has been my first patch to dak, the software which is used to manage the Debian archive. Well, it was just a patch of an email template but at least it closes Bug #754805. Now the new Debian tracker at https://tracker.debian.org/ (a replacement for the Debian Package Tracking system (PTS)) is able to detect in which suite new uploads appear.

Squeeze LTS
This month the initiative to support Squeeze LTS, which was started by Freexian, got some momentum. I would like to thank every sponsor of this initiative (please see the list on the Freexian LTS page) and of course Raphael Hertzog for organizing everything.

All in all I got assigned a workload of 10.5h for July. I spent these hours uploading new versions of tiff, libxml2, php5 and fail2ban. I prepared these uploads on the basis of the corresponding DSAs for Wheezy, so most of the time the patches for all CVEs could be applied smoothly and only line numbers had to be adjusted. For a few CVEs the difference between the code in Squeeze and Wheezy was too large and things became more difficult. Luckily all CVEs contained good descriptions of what was wrong, so in the end I could find solutions for all security fixes. In this context I am a bit sad about the feedback on the Debian LTS mailing list. I had hoped to get more responses to my calls to test packages before uploading them to the archive. Of course I do some testing on my own, but I am sure I don’t cover all use cases.

I also used some time to fix the information in the security tracker. Three CVEs for dbus were marked as relevant for Squeeze, but the corresponding code didn’t exist in the Squeeze version.

Anyway, this was a lot of fun and I definitely want to be part of that initiative in the future.

Other packages
I tried to fix #752401 of net-dns-fingerprint. Unfortunately the new version does not really work and upstream is a bit silent.

Support
If you would like to support my Debian work you could either be part of the Freexian initiative (see above) or consider sending some bitcoins to 1JHnNpbgzxkoNexeXsTUGS6qUp5P88vHej. Contact me at donation@alteholz.eu if you prefer another way to donate. Every kind of support is most appreciated.

My Debian activities in June 2014

FTP assistant
With my FTP assistant hat on, I accepted 285 packages. 29 times I had to ask the maintainer a question or had to give a comment. Unfortunately I also had to reject 33 packages. Most of the time due to mistakes in debian/copyright. The review of NEW also resulted in about ten serious bugs in packages that had incomplete copyright information. Dear fellow developers and maintainers: please be more careful when you collect copyright and license information. The better you do your homework, the faster your package will pass NEW!

Squeeze LTS
I also started to contribute to Debian Squeeze-LTS. In June I uploaded security fixes for scheme48 and lxml. Freexian, a French company run by Debian Developer Raphaël Hertzog, started an initiative to establish LTS (Long Term Support) for Debian Squeeze. Via Freexian you can hire other Debian Developers who provide security updates for some more months. So if you still need stable security support for Debian, please consider joining the initiative and visit the Squeeze LTS website at Freexian.

Other packages
For my own packages I uploaded some new versions for different kinds of meep.

Support
If you would like to support my Debian work please consider sending some bitcoins to 1JHnNpbgzxkoNexeXsTUGS6qUp5P88vHej. Contact me at donation@alteholz.eu if you prefer another way to donate. Every kind of support is most appreciated.

Configure services – Apache (3.3)

Much to my consternation I noticed that my last post appeared almost six months ago. I hope I can increase my posting frequency again this year.

The last topic has been DNS resolving and this article shall be about IPv6 configuration in apache.

First we need to check whether our apache already listens to requests coming in via IPv6. The default configuration on Debian in /etc/apache2/ports.conf says something like

     NameVirtualHost *:80
     Listen 80

This means: listen on port 80 of all addresses on this machine, including IPv6 ones. So in principle we are already done.

In case we want to restrict some interfaces to IPv4 or IPv6 access, we need to replace the general Listen directive with more restrictive ones, for example:

     Listen 1.2.3.4:80
     Listen [1:2::4:5:6:7]:80

In the whole apache configuration IPv6 addresses need to be put in square brackets.

The same is also valid for virtual host configuration:

In this case any request, either via IPv4 or IPv6, will be handled by our apache:

     <VirtualHost *:80>
       ServerName example.com
       ServerAlias all.example.com
       DocumentRoot /www/example.com/public_html
       ErrorLog /www/example.com/logs/error_log
       CustomLog /www/example.com/logs/combined_log combined
     </VirtualHost>

In this case, the vhost is available only on a specific IPv6 address:

     <VirtualHost [1:2::4:5:6:7]:80>
       ServerName example.com
       ServerAlias ipv6.example.com
       DocumentRoot /www/example.com/public_html
       ErrorLog /www/example.com/logs/error_log
       CustomLog /www/example.com/logs/combined_log combined
     </VirtualHost>

In this case, the vhost is available only on a specific IPv4 address:

     <VirtualHost 1.2.3.4:80>
       ServerName example.com
       ServerAlias ipv4.example.com
       DocumentRoot /www/example.com/public_html
       ErrorLog /www/example.com/logs/error_log
       CustomLog /www/example.com/logs/combined_log combined
     </VirtualHost>

In this case, the vhost is available on specific IPv4 and IPv6 addresses (Apache separates several addresses in a VirtualHost tag with whitespace, not commas):

     <VirtualHost 1.2.3.4:80 [1:2::4:5:6:7]:80>
       ServerName example.com
       ServerAlias special.example.com
       DocumentRoot /www/example.com/public_html
       ErrorLog /www/example.com/logs/error_log
       CustomLog /www/example.com/logs/combined_log combined
     </VirtualHost>

So there is really no magic in IPv6 and it is easy to use.
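As an added example (not from the original post), a small Python checker for the address syntax used above: it enforces the bracket rule for IPv6 literals in Listen and VirtualHost specs and accepts the whitespace-separated address list of a multi-address VirtualHost. The function names are my own; it understands IP literals and wildcards only, not hostnames.

```python
import ipaddress

# Added checker for the "addr[:port]" specs Apache accepts in Listen and
# <VirtualHost ...>; it is not part of Apache. IPv6 literals need [ ].

def parse_addr_spec(spec, default_port=None):
    """Return (host, port, ip_version); host is '*' for wildcards."""
    spec = spec.strip()
    if spec.isdigit():                      # "Listen 80": port only
        return "*", int(spec), None
    if spec.startswith("["):                # bracketed IPv6 literal
        end = spec.find("]")
        if end < 0:
            raise ValueError(f"unterminated '[' in {spec!r}")
        host, rest = spec[1:end], spec[end + 1:]
        addr = ipaddress.IPv6Address(host)  # raises on a bad literal
        if rest and not (rest.startswith(":") and rest[1:].isdigit()):
            raise ValueError(f"bad port suffix in {spec!r}")
        return str(addr), int(rest[1:]) if rest else default_port, 6
    if spec.count(":") > 1:
        # Unbracketed, ':' separates host and port, so a raw IPv6 literal
        # such as 1:2::4:5:6:7:80 is ambiguous; Apache wants [ ] around it.
        raise ValueError(f"IPv6 literal must be in brackets: {spec!r}")
    host, _, port_s = spec.partition(":")
    port = int(port_s) if port_s else default_port
    if host in ("*", "_default_"):
        return host, port, None
    addr = ipaddress.ip_address(host)       # IPv4 here; raises otherwise
    return str(addr), port, addr.version

def parse_virtualhost(tag):
    """Parse '<VirtualHost a:80 [b]:80>' into a list of parsed specs.
    Apache separates several addresses with whitespace; a comma would be
    read as part of the address and make it unresolvable."""
    inner = tag.strip()
    if not (inner.lower().startswith("<virtualhost") and inner.endswith(">")):
        raise ValueError("not a VirtualHost opening tag")
    body = inner[len("<virtualhost"):-1]
    if "," in body:
        raise ValueError("separate addresses with spaces, not commas")
    return [parse_addr_spec(s) for s in body.split()]

def check(fn, arg):
    """Return None if fn(arg) parses, else the error message."""
    try:
        fn(arg)
    except ValueError as exc:
        return str(exc)
    return None
```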

Configure services – bind (3.1)

After preparing everything, we can start to configure different services now. The first one shall be bind9. There is lots of information out there about configuring bind9 for IPv4, so I assume that bind is already running.

A newly installed bind (remember I am mainly writing about Debian systems) has the following option configured in /etc/bind/named.conf.options:

options {
    listen-on-v6 { any; };
};

Thus this daemon listens on all IPv6 interfaces to answer queries.

In the next step we just need to configure AAAA-records for every IPv6-address that we want to distribute. They look like A-records:

dummyhea.ipv6.alteholz.net. IN A 78.47.192.125
dummyhea.ipv6.alteholz.net. IN AAAA 2a01:4f8:d12:1b03::dead:2

Voila, we are done:

~$ dig dummyhea.ipv6.alteholz.net AAAA

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> dummyhea.ipv6.alteholz.net AAAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25822
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 5

;; QUESTION SECTION:
;dummyhea.ipv6.alteholz.net. IN AAAA

;; ANSWER SECTION:
dummyhea.ipv6.alteholz.net. 5706 IN AAAA 2a01:4f8:d12:1b03::dead:2

~$ ping6 -c5 dummyhea.ipv6.alteholz.net
PING dummyhea.ipv6.alteholz.net(2a01:4f8:d12:1b03::dead:2) 56 data bytes
64 bytes from 2a01:4f8:d12:1b03::dead:2: icmp_seq=1 ttl=49 time=66.8 ms
64 bytes from 2a01:4f8:d12:1b03::dead:2: icmp_seq=2 ttl=49 time=67.1 ms
64 bytes from 2a01:4f8:d12:1b03::dead:2: icmp_seq=3 ttl=49 time=66.8 ms
64 bytes from 2a01:4f8:d12:1b03::dead:2: icmp_seq=4 ttl=49 time=71.6 ms
64 bytes from 2a01:4f8:d12:1b03::dead:2: icmp_seq=5 ttl=49 time=66.3 ms

--- dummyhea.ipv6.alteholz.net ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 66.378/67.782/71.678/1.969 ms

This was pretty easy.

Configure external server (2)

According to the commands in these two articles of this blog, all external servers have IPv6 connectivity now and can be ping6ed.

Furthermore, both Hetzner and Strato offer the possibility to create a reverse DNS entry for their servers. One should always have one!

Check IPv6 availability for external server at ispOne (1.23)

New vServers from ispOne get 10 IPv6 addresses. For old vServers you need to pay a fee (9.90 EUR) to move the vServer from the old host to a new one with IPv6 connectivity. As I don’t want to spend that money now, I skip tests with this server.

Check IPv6 availability for external server at Server4You (1.22)

Unfortunately it is not possible to get an IPv6 address for servers at Server4You.

Check IPv6 availability for external server at Strato (1.21)

Every dedicated server at Strato can get a /56 IPv6 subnet. Just activate IPv6 support in the control panel of that server and you will be informed about your subnet and the primary address of your server.

# configure address
/sbin/ip addr add <main ip address> dev eth3
# set default route
/sbin/ip route add default via fe80::1 dev eth3

In case everything was configured correctly you can test it with:

# ping6 -c5 ipv6.google.com
PING ipv6.google.com(ham02s11-in-x13.1e100.net) 56 data bytes
64 bytes from ham02s11-in-x13.1e100.net: icmp_seq=1 ttl=56 time=6.79 ms
64 bytes from ham02s11-in-x13.1e100.net: icmp_seq=2 ttl=56 time=7.24 ms
64 bytes from ham02s11-in-x13.1e100.net: icmp_seq=3 ttl=56 time=7.28 ms
64 bytes from ham02s11-in-x13.1e100.net: icmp_seq=4 ttl=56 time=7.28 ms
64 bytes from ham02s11-in-x13.1e100.net: icmp_seq=5 ttl=56 time=7.28 ms

--- ipv6.google.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 6.793/7.177/7.287/0.213 ms

If you want to keep these settings permanently, put all commands in /etc/rc.local.

So there seems to be no problem with stand-alone servers at Strato.

Check IPv6 availability for external server at Hetzner (1.20)

Every server at Hetzner will get a native /64 IPv6 subnet routed to that server. Besides virtual servers, an additional /48 subnet can be requested. Reverse DNS entries can be configured with the Hetzner robot. On this webpage you can also see the assigned subnet and the default gateway for your server. So configuring IPv6 is pretty easy:

# configure address
/sbin/ifconfig eth0 inet6 add <ip address from subnet>
# list the IPv6 routing table (route -A inet6 without further arguments only displays it)
/sbin/route -A inet6
# set default route
/sbin/route -A inet6 add ::/0 gw <Hetzner gateway>

In case everything was configured correctly you can test it with:

# ping6 -c5 ipv6.google.com
PING ipv6.google.com(fa-in-x69.1e100.net) 56 data bytes
64 bytes from fa-in-x69.1e100.net: icmp_seq=1 ttl=56 time=8.40 ms
64 bytes from fa-in-x69.1e100.net: icmp_seq=2 ttl=56 time=8.64 ms
64 bytes from fa-in-x69.1e100.net: icmp_seq=3 ttl=56 time=7.97 ms
64 bytes from fa-in-x69.1e100.net: icmp_seq=4 ttl=56 time=7.94 ms
64 bytes from fa-in-x69.1e100.net: icmp_seq=5 ttl=56 time=8.36 ms

--- ipv6.google.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 7.948/8.267/8.640/0.266 ms

If you want to keep these settings permanently, put all commands in /etc/rc.local.

So there seems to be no problem with stand-alone servers at Hetzner.

IPv6 tunnel with Hurricane Electric (1.11 – 1.16)

Unfortunately Hurricane Electric (or tunnelbroker.net) uses 6in4 tunnels. In order to create a tunnel, my first obstacle is an IP address that answers pings. As I am captured behind a badly configured CGN of a German cable provider (Telecolumbus), I am afraid it is not possible to use the service of HE.

So for the rest of the experiment I will stick to the infrastructure provided by SixXS (of course I am pretty sure that the service of HE would be excellent as well).