Blog

Blog

Differences and Benefits Between i440fx and q35 in Proxmox

Differences and Benefits Between i440fx and q35 in Proxmox

My view

For application i440fx is enough, and it is simple, for hardware related, such as GPU passthru, then Q35 is better.

Switch between them

After switch between, the network interface name will be changed.

Q35

Q35 supports PCIe

  • Extended configuration space (MMCFG)
  • PCIe native hotplug
  • Advanced Error Reporting (AER)
  • Alternative Routing-ID Interpretation (ARI)
  • Native Power Management
  • Function Level Reset (FLR)
  • Address Translation Services (ATS)
  • AHCI storage controller
  • vIOMMU emulation
  • Secure Boot

Q35 limitations

  • No support for legacy guests (Windows XP/2000).
  • Questionable support for legacy QEMU devices.
  • Limited IO space can affect the number of devices used by a single Q35 machine

References

Differences/benefits between i440fx and q35 chipsets?
Q35 - QEMU
PCI vs PCI Express
PCI EXPRESS GUIDELINES

Escape Percent-signs(%) in crontab

Escape Percent-signs (%) in crontab

In order to input % character as command parameter in cron task, it needs to be escaped using backslash ().

man (5) crontab:

Percent-signs (%) in the command, unless escaped with backslash (\), 
will be changed into newline characters, and all data after the 
first % will be sent to the command as standard input.

Run script after interface up when using NetworkManager

Run script after interface up when using NetworkManager

Create a script as below in folder /etc/NetworkManager/dispatcher.d called 10-openvpn-tun0-up, change the permission to executable

#!/usr/bin/env bash

interface=$1
event=$2

if [[ $interface != "eth0" ]] || [[ $event != "up" ]]
then
  return 0
fi

# place your commands bellow this line

References

Network Manager script when interface up?

Systemd-resolved DNS configuration for VPN

Systemd-resolved DNS configuration for VPN

VPN GUI

When using ubuntu GUI VPN connection, the DNS might not be updated correctly. Following command can be used to update search domain and DNS server.

sudo systemd-resolve --interface tun0 --set-dns <dns_server> --set-domain <domain>

Note: The latest test in VPN GUI, the DNS setting is working as expected.

VPN CLI

For openvpn command line,

openvpn --config client.ovpn --script-security 2 --up ./manual-config

The manual-config script can be as follow

#!/bin/sh
set -e
resolvectl dns $dev 192.0.2.53 192.0.2.54
resolvectl domain $dev "~foo.example.com" "~bar.example.com"
resolvectl dnssec $dev off

or

#!/bin/sh
systemd-resolve -i $dev \
  --set-dns=192.0.2.53 --set-dns=192.0.2.54 \
  --set-domain=foo.example.com --set-domain=bar.example.com \
  --set-dnssec=off  # <- Not super nice, but might be needed.

Another method is to use /etc/openvpn/update-systemd-resolved script, which is in openvpn-systemd-resolved package,

openvpn \
  --config client.ovpn \
  --up /etc/openvpn/update-systemd-resolved \
  --down /etc/openvpn/update-systemd-resolved \
  --down-pre \

NetworkManager Integration

To allow DNS and other options applied to new interface, a dispatcher file can be created, for example, /etc/NetworkManager/dispatcher.d/10-openvpn-tun0-up. The content can be as follows

#!/usr/bin/env bash

interface=$1
event=$2

if [[ $interface != "tun0" ]] || [[ $event != "up" ]]
then
  return 0
fi

# place your commands bellow this line

resolvectl dns tun0 192.168.1.1 192.168.1.2
resolvectl domain tun0 "~new.com"

References

Systemd-resolved DNS configuration for VPN
Network Manager script when interface up?

Only pipe STDERR output in `bash` with timestamp

Only pipe STDERR output in bash with timestamp

bash

In order to discard standard output and only log the standard error, following command can be used. The second part of command is to prefix the current timestamp in the output

sh monitor 2>&1>/dev/null | ts '[%Y-%m-%d %H:%M:%S]'

dash

If need to run in dash, such as running in crontab, above syntax is wrong, use following command instead

sh monitor 3>&1 1>/dev/null 2>&3 3>&- | ts '[%Y-%m-%d %H:%M:%S]'

Note: This command can be run in bash too

References

Prepending a timestamp to each line of output from a command
Pipe only STDERR through a filter

Apply filter to STDERR in Linux

Apply filter to STDERR in Linux

STDOUT ────────────────┐
                       ├─────> terminal/file/whatever
STDERR ── [ filter ] ──┘

Method

If ./a.out outputs as below

In STDERR:

stderr output

In STDOUT:

more regular

Then the following command will output as below.

# ./a.out 3>&1 1>&2 2>&3 3>&- | sed 's/e/E/g'
more regular
stdErr output

Explanation

    First save stdout as &3 (&1 is duped into 3)
    Next send stdout to stderr (&2 is duped into 1)
    Send stderr to &3 (stdout) (&3 is duped into 2)
    close &3 (&- is duped into 3)

References

Pipe only STDERR through a filter

Fix Spice Certificate Issue in Proxmox

Fix Spice Certificate Issue in Proxmox

After changed the display to Spice and added Spice USB device, following error appeared.

swtpm_setup: Not overwriting existing state file.
kvm: warning: Spice: reds.c:2893:reds_init_ssl: Could not load certificates from /etc/pve/local/pve-ssl.pem
kvm: warning: Spice: error:0909006C:PEM routines:get_name:no start line
kvm: warning: Spice: error:140DC009:SSL routines:use_certificate_chain_file:PEM lib
kvm: failed to initialize spice server
stopping swtpm instance (pid 55260) due to QEMU startup error
TASK ERROR: start failed: QEMU exited with code 1

Update certificate also got following errors

root@pve01:~# pvecm updatecerts --force
(re)generate node files
generate new node certificate
Signature ok
subject=OU = PVE Cluster Node, O = Proxmox Virtual Environment, CN = pve01.xxx.net
Getting CA Private Key
CA certificate and CA private key do not match
139954545105792:error:06067099:digital envelope routines:EVP_PKEY_copy_parameters:different parameters:../crypto/evp/p_lib.c:93:
139954545105792:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:../crypto/x509/x509_cmp.c:303:
unable to generate pve ssl certificate:
command 'faketime yesterday openssl x509 -req -in /tmp/pvecertreq-56235.tmp -days 161 -out /etc/pve/nodes/pve01/pve-ssl.pem -CAkey /etc/pve/priv/pve-root-ca.key -CA /etc/pve/pve-root-ca.pem -CAserial /etc/pve/priv/pve-root-ca.srl -extfile /tmp/pvesslconf-56235.tmp' failed: exit code 1

In this case, remove keys and regenerate.

root@pve01:~# rm -f /etc/pve/pve-root-ca.pem /etc/pve/priv/pve-root-ca.* /etc/pve/local/pve-ssl.*
root@pve01:~# pvecm updatecerts -f
(re)generate node files
generate new node certificate
merge authorized SSH keys and known hosts
root@pve01:~# pvecm updatecerts -f
(re)generate node files
generate new node certificate
merge authorized SSH keys and known hosts
root@pve01:~# 

Now, problem fixed.

References

pveproxy fails to load local certificate chain after upgrade to pve 6

Error encountered during `apt install` indicated that the file couldn’t be accessed by user `_apt`

Error encountered during apt install indicated that the file couldn't be accessed by user _apt

When installing package from local file (.deb file), following error might be occurred.

Processing triggers for dbus (1.14.0-2ubuntu3) ...
N: Download is performed unsandboxed as root as file 'full_path_of_deb_file_name' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)

Usually apt tries to run the process that fetches packages as a different user called _apt to increase security. That's no problem if it has to download packages from the internet. But if you tell it to install a .deb file that's already on your system, it needs to have permission to access that file by _apt user. Otherwise, above error will be shown.

References

Download performed unsandboxed