Blog

Firewalld conflict between Docker and KVM

After installing Docker, VMs on the KVM bridge network could no longer reach anything on the network.

Identify

To confirm that the problem came from the firewall and was caused by Docker, the following facts were collected.

  • After rebooting the server, the VM can access the network, and firewalld can be restarted without issue
  • After starting the docker service, the VM can no longer access the network
  • After stopping firewalld, the VM can access the network again, but Docker cannot start containers because iptables is not accessible

Issue

No matter how the iptables rules were changed, even to accept all traffic from everywhere, the VM remained isolated.

Commands used

The following commands were used for troubleshooting.

Firewalld

In fact, firewall-cmd showed no direct chains, rules, or passthroughs at all. But after stopping firewalld, the iptables rules became empty.

systemctl restart firewalld
firewall-cmd --list-all
firewall-cmd --permanent --direct --passthrough ipv4 -I FORWARD -i bridge0 -j ACCEPT
firewall-cmd --permanent --direct --passthrough ipv4 -I FORWARD -o bridge0 -j ACCEPT
firewall-cmd --reload

firewall-cmd --permanent --direct --get-all-chains
firewall-cmd --permanent --direct --get-all-rules
firewall-cmd --permanent --direct --get-all-passthroughs
firewall-cmd --permanent --direct --remove-passthrough ipv4 -I FORWARD -o bridge0 -j ACCEPT

firewall-cmd --get-default-zone
firewall-cmd --get-active-zones
firewall-cmd --get-zones
firewall-cmd --get-services
firewall-cmd --list-all-zones

iptables

iptables -L -v
iptables -L -v FORWARD
iptables -I FORWARD -i br0 -o br0 -j ACCEPT
iptables -I FORWARD -j ACCEPT
iptables -I FORWARD 1 -j ACCEPT
iptables -D FORWARD 1
iptables-save
iptables-restore

others

The following commands were used to collect information and compare the differences before and after.

brctl show
ip a
netstat -rn

Potential issues

The following possibilities may have caused the issue, or misled the troubleshooting:

  • iptables might not be the firewall backend actually in use on the system, even though its counters keep updating.
  • Some rules might not appear in the iptables listing.

Debugging

For firewalld, add FIREWALLD_ARGS=--debug to /etc/sysconfig/firewalld.

For iptables, insert a matching rule with -j LOG --log-prefix "rule description" in front of each rule that needs debugging, so that packets reaching it are logged by the kernel.

Suggestions from others

Add ACCEPT rules

Run the following script to add ACCEPT rules.

#!/bin/sh

# If I put bridge0 in trusted zone then firewalld allows anything from 
# bridge0 on both INPUT and FORWARD chains !
# So, I've put bridge0 back into the default public zone, and this script 
# adds rules to allow anything to and from bridge0 to be FORWARDed but not INPUT.

BRIDGE=bridge0
iptables -I FORWARD -i $BRIDGE -j ACCEPT
iptables -I FORWARD -o $BRIDGE -j ACCEPT

Conclusion

After many tests, it turned out that Docker adds rules directly into iptables rather than going through firewalld. This can be observed with the following steps.

  1. Stop both firewalld and docker; iptables has no rules
  2. Start docker; iptables has only Docker's rules
  3. Start firewalld; for a short time the LIBVIRT rules appear, then after a few seconds they are replaced by Docker's rules

Another test

  1. Stop both firewalld and docker again
  2. Start firewalld; only the LIBVIRT rules appear
  3. Start docker; both the Docker and LIBVIRT rules appear

One more issue was seen during reboot: if both docker and firewalld are enabled, the server may hang during reboot. This might be because the root filesystem is on an iSCSI disk, but it could not be confirmed.

The behaviour above shows that Docker does not cooperate with firewalld: it inserts its rules directly into iptables, periodically, which overwrites the rules that firewalld manages.

Solution

Run script

This solution disables firewalld and enables docker. Note that once firewalld is disabled, the host has no INPUT filtering from firewalld any more; only the rules added below and Docker's own rules remain.

systemctl disable firewalld
systemctl enable docker

Then run the following commands to add iptables rules that allow the bridge traffic to be forwarded.

iptables -I FORWARD -i br0 -j ACCEPT
iptables -I FORWARD -o br0 -j ACCEPT

These commands can be put in /etc/rc.local, which is executed during boot.
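The conclusion above observes the symptom but not the mechanism. The mechanism is a documented Docker behaviour the post does not mention: when Docker enables IP forwarding it also sets the policy of the filter FORWARD chain to DROP, so bridged VM traffic that was previously forwarded by default is silently dropped unless an explicit ACCEPT exists. Docker also creates a DOCKER-USER chain that it evaluates before its own rules and does not flush when it rewrites FORWARD, which is a safer place for the bridge rules than the top of FORWARD. The script below is an added example, not the post's own script: it checks an iptables-save dump for that symptom and emits idempotent rules for DOCKER-USER. The bridge name br0, the --live flag and the function names are this example's own choices, and the dump is constructed, not captured from the post's host.

```shell
#!/bin/sh
# Added example (not from the original post): inspect an iptables-save dump for
# the Docker symptom described above and emit idempotent rules that survive
# Docker's rule reloads. Assumes the bridge is called br0 and that Docker has
# created its DOCKER-USER chain (Docker >= 17.06).

BRIDGE=${BRIDGE:-br0}

# Constructed sample of `iptables-save` output after Docker has started:
# Docker flips the FORWARD policy to DROP, so libvirt's bridge traffic is
# dropped unless an explicit ACCEPT is present.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -j DOCKER
-A DOCKER-USER -j RETURN
COMMIT'

# forward_policy DUMP -> prints the policy of the filter FORWARD chain
forward_policy() {
    printf '%s\n' "$1" | awk '$1 == ":FORWARD" { print $2; exit }'
}

# has_bridge_accept DUMP BRIDGE -> 0 if an ACCEPT for the bridge exists in
# FORWARD or DOCKER-USER, 1 otherwise
has_bridge_accept() {
    printf '%s\n' "$1" | grep -Eq -- "^-A (FORWARD|DOCKER-USER) .*-(i|o) $2 .*-j ACCEPT"
}

# bridge_rules BRIDGE -> prints the commands that fix the symptom. They go into
# DOCKER-USER, which Docker evaluates before its own rules and leaves alone
# when it rewrites FORWARD; -C makes each insert idempotent, so the script can
# be re-run from rc.local without stacking duplicate rules.
bridge_rules() {
    for dir in i o; do
        printf 'iptables -C DOCKER-USER -%s %s -j ACCEPT 2>/dev/null || iptables -I DOCKER-USER -%s %s -j ACCEPT\n' \
            "$dir" "$1" "$dir" "$1"
    done
}

# diagnose DUMP BRIDGE -> prints a one-line verdict
diagnose() {
    policy=$(forward_policy "$1")
    if has_bridge_accept "$1" "$2"; then
        echo "ok: FORWARD policy $policy, explicit ACCEPT for $2 present"
    elif [ "$policy" = "DROP" ]; then
        echo "broken: FORWARD policy DROP and no ACCEPT for $2 (Docker symptom)"
    else
        echo "ok: FORWARD policy $policy, bridge traffic forwarded by default"
    fi
}

# With --live the script reads the real ruleset and applies the fix (needs
# root); without it, it runs against the constructed sample and only prints.
if [ "${1:-}" = "--live" ]; then
    diagnose "$(iptables-save)" "$BRIDGE"
    bridge_rules "$BRIDGE" | sh
else
    diagnose "$SAMPLE_DUMP" "$BRIDGE"
    bridge_rules "$BRIDGE"
fi
```

The rules still accept everything to and from the bridge, exactly as the post's rc.local version does; they only differ in where they live, so that a Docker restart cannot push them behind its own rules or remove them.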

Install iptables services

This solution also disables firewalld and enables docker, as in the previous solution, and then adds two FORWARD rules to the default iptables rules in /etc/sysconfig/iptables as below.

# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -o br0 -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
#-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#-A INPUT -p icmp -j ACCEPT
#-A INPUT -i lo -j ACCEPT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
#-A INPUT -j REJECT --reject-with icmp-host-prohibited
#-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Then both LIBVIRT and Docker will add their own rules later, after the system has started.

Modify firewalld rules

This solution failed last time; I will try it again later.

firewall-cmd --permanent --direct --passthrough ipv4 -I FORWARD -i bridge0 -j ACCEPT
firewall-cmd --permanent --direct --passthrough ipv4 -I FORWARD -o bridge0 -j ACCEPT

Future

If possible, define firewalld rules that cover both LIBVIRT and Docker.

References

Configure FirewallD to allow bridged virtual machine network access
Debug firewalld
How to configure iptables on CentOS

Less related topics
Do I need to restore iptable rules everytime on boot?
need iptables rule to accept all incoming traffic

Enable zRAM as swap in Linux

The problem with swap on an OS that boots from an SD card, such as on the Raspberry Pi 4, is that it is slow and increases the SD write count; the SD card is slower than a hard disk and expensive. The Raspberry Pi 4 has 8 GB of RAM, enough for normal operation, but without swap turned on there is no visibility of whether current memory usage would cause swapping.

Traditional swap space

A fixed swap partition is required if traditional swap space is used. Some facts:

  • A fixed swap partition is required
  • Hard to resize or move
  • Wastes storage space if it is not used most of the time

Loopback device as swap

To have a dynamic swap device without a fixed partition, create a regular file and attach it as a loopback block device for swap. The steps:

  • Create a file with fixed size using dd or some other commands
  • Create loopback device on newly created file
  • Init swap on loopback device using mkswap command
  • Change /etc/fstab to point to the new device

Issue:

  • The loopback device needs to be set up again after every reboot

File as swap

In fact, swap can be created directly on a file:

  • Create a file with fixed size using dd or some other commands
  • Init swap on file using mkswap command
  • Change /etc/fstab to point to that file

Issues:

  • Still wastes space if the swap is not used
  • Hard to resize
  • Manual tasks involved

dphys-swapfile

The dphys-swapfile package can be installed to automate the tasks described above. It is a service rather than an entry in /etc/fstab.

  • Install dphys-swapfile package
  • Adjust config in /etc/dphys-swapfile
  • Enable dphys-swapfile service
  • The dphys-swapfile <swapon|swapoff> command can be run manually

Issue:

  • Still wastes space if the swap is not used

zRAM

The zram kernel module is installed by default; the service is managed by systemd.

  • Check zram module available
modprobe zram
lsmod | grep zram
  • Add module and set module options
echo zram > /etc/modules-load.d/zram.conf
echo "options zram num_devices=1" > /etc/modprobe.d/zram.conf
  • Create zram0 device when booting by adding following line in /etc/udev/rules.d/99-zram.rules
KERNEL=="zram0", ATTR{disksize}="512M",TAG+="systemd"
  • Create systemd service file /etc/systemd/system/zram.service
[Unit]
Description=Swap with zram
After=multi-user.target

[Service]
Type=oneshot
RemainAfterExit=true
ExecStartPre=/sbin/mkswap /dev/zram0
ExecStart=/sbin/swapon /dev/zram0
ExecStop=/sbin/swapoff /dev/zram0

[Install]
WantedBy=multi-user.target
  • Enable service, then reboot
sudo systemctl enable zram
  • Check swaps
cat /proc/swaps
swapon -s
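The steps above hardcode a 512M device and have to be typed by hand on every host. The script below is an added example, not part of the original post: it writes the same three files plus the unit from a size computed as a percentage of MemTotal, into a prefix directory so it can be dry-run without touching /etc, and gives the zram swap a higher priority than any disk swap so the kernel uses it first. The percentage, the priority, the PREFIX handling and the function names are this example's own choices; the /proc/meminfo excerpt is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: generate the zram config and
# unit files from the procedure above into a prefix (default: a temporary
# directory) and size the device as a percentage of MemTotal instead of a
# fixed 512M. The helper names and the 25% default are this example's choices.

# meminfo_total_kb MEMINFO_TEXT -> MemTotal in kB
meminfo_total_kb() {
    printf '%s\n' "$1" | awk '$1 == "MemTotal:" { print $2; exit }'
}

# zram_disksize_bytes MEMTOTAL_KB PERCENT -> disksize in bytes, rounded down
# to a whole MiB
zram_disksize_bytes() {
    echo $(( $1 * 1024 * $2 / 100 / 1048576 * 1048576 ))
}

# udev_rule BYTES -> the 99-zram.rules line, with the size in bytes
udev_rule() {
    printf 'KERNEL=="zram0", ATTR{disksize}="%s", TAG+="systemd"\n' "$1"
}

# install_zram PREFIX PERCENT MEMINFO_TEXT -> writes the files under PREFIX
# and prints the chosen disksize in bytes
install_zram() {
    prefix=$1; pct=$2; meminfo=$3
    bytes=$(zram_disksize_bytes "$(meminfo_total_kb "$meminfo")" "$pct")
    mkdir -p "$prefix/etc/modules-load.d" "$prefix/etc/modprobe.d" \
             "$prefix/etc/udev/rules.d" "$prefix/etc/systemd/system"
    echo zram > "$prefix/etc/modules-load.d/zram.conf"
    echo "options zram num_devices=1" > "$prefix/etc/modprobe.d/zram.conf"
    udev_rule "$bytes" > "$prefix/etc/udev/rules.d/99-zram.rules"
    # -p 100 gives zram a higher priority than a disk or file swap (default
    # priority is negative), so pages go to compressed RAM before the SD card.
    cat > "$prefix/etc/systemd/system/zram.service" <<'EOF'
[Unit]
Description=Swap with zram
After=multi-user.target

[Service]
Type=oneshot
RemainAfterExit=true
ExecStartPre=/sbin/mkswap /dev/zram0
ExecStart=/sbin/swapon -p 100 /dev/zram0
ExecStop=/sbin/swapoff /dev/zram0

[Install]
WantedBy=multi-user.target
EOF
    echo "$bytes"
}

# Constructed /proc/meminfo excerpt (exactly 4 GiB) for the dry run.
SAMPLE_MEMINFO='MemTotal:        4194304 kB
MemFree:         1234567 kB'

# Dry run into a temporary directory. On the real host run
#   PREFIX=/ sh this-script.sh, then: sudo systemctl enable zram && reboot
PREFIX=${PREFIX:-$(mktemp -d)}
echo "zram disksize: $(install_zram "$PREFIX" 25 "$SAMPLE_MEMINFO") bytes under $PREFIX"
```

With PREFIX=/ on the real host, pass "$(cat /proc/meminfo)" instead of the sample so the size follows the machine's actual memory; the rest of the procedure (enable the service, reboot, check /proc/swaps) is unchanged.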

Issue with zram

  • When memory runs short, swap is used, but zram swap itself lives in RAM
  • It is effectively the same as compressing RAM

References

How to enable the zRAM module for faster swapping on Linux

Systemd services for user in Linux

The traditional way to start a program after a user logs in is the user's profile. systemd provides another way to do this.

Usage

Regular systemd services run with root privileges unless User is set in the [Service] section. They are started as background jobs regardless of whether anyone is logged in. systemd user services run for a user, under that user's ID, and are started after that user logs in.

Definition

To define services that run as a normal user, place them in the user's ~/.config/systemd/user folder; systemd picks them up as user services.

Managing

To manage these services, the following commands can be used.

Check all systemd services for the user

systemctl status --user

Enable and start up

systemctl --user enable myuser.service
systemctl --user start myuser.service

Reload all systemd configuration. This is required after service definition files are modified.

systemctl --user daemon-reload
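A complete unit to go with the commands above, as an added example that is not from the original post. It uses the myuser.service name from the commands, and %h (systemd's specifier for the user's home directory) with a placeholder program path that is this example's own assumption. WantedBy=default.target is the user-manager equivalent of multi-user.target; a user unit listing multi-user.target would never be started.

```ini
# ~/.config/systemd/user/myuser.service  (added example; the program path is a placeholder)
[Unit]
Description=Per-user background agent started at login
After=default.target

[Service]
Type=simple
ExecStart=%h/bin/myagent --foreground
Restart=on-failure
RestartSec=5
# Runs as the logged-in user, so it only needs the user's own permissions.
# Hardening that works without root; drop lines your program cannot live with.
NoNewPrivileges=true
PrivateTmp=true

[Install]
WantedBy=default.target
```

After saving the file, run systemctl --user daemon-reload, then systemctl --user enable --now myuser.service. By default the user's services are stopped when the last session of that user ends; to keep them running after logout, the administrator enables lingering for the account with loginctl enable-linger USERNAME.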

For all users

The /etc/systemd/user/ folder is where the administrator defines user services for all users. The default user service definition files shipped by packages are in /usr/lib/systemd/user/; they can be used to enable a systemd user service. For example,

# ls /usr/lib/systemd/user/syncthing.service
syncthing.service
# systemctl --user status syncthing
Unit syncthing.service could not be found.
# systemctl status syncthing
* syncthing.service - Syncthing - Open Source Continuous File Synchronization
...

Other locations where systemd looks for user unit files:

$XDG_RUNTIME_DIR/systemd/user/
~/.local/share/systemd/user/

Common usage

The most common use of systemd user services is for X Window related processes that must run after the user logs in, as background services for that user, such as reminders or the window manager, rather than as background services for the system.

References

systemd user services and systemctl --user
What does "systemctl daemon-reload" do?

Add bluetooth device from ubuntu console

I used the following steps to add a Bluetooth keyboard.

Steps

  • Run bluetoothctl, which gives the following prompt
[bluetooth]# 
  • Run the following commands to initialize Bluetooth and start scanning
power on
agent on
default-agent
scan on
  • Find the device's MAC address in the scan output
  • Run the following commands to trust, pair and connect to it
trust XX:XX:XX:XX:XX:XX
pair XX:XX:XX:XX:XX:XX
connect XX:XX:XX:XX:XX:XX
  • Then disable scanning and quit
scan off
exit

References

How to connect bluetooth headset via command line on ubuntu 12.04

Verify package using debsums

Verify every installed package

debsums

Verify every installed package (including configuration files).

debsums -a

Verify installed packages and report errors only

debsums -s

Verify every installed package and report changed files only

debsums -c

Verify every installed package (including configuration files) and report changed files only.

debsums -ca

Verify every installed package and report changed configuration files only.

sudo debsums -ce

Verify specific package

debsums -a bash

Create a list of packages with mismatched files

dpkg-query -S $(sudo debsums -c 2>&1 | sed -e "s/.*file \(.*\) (.*/\1/g") | cut -d: -f1 | sort -u

To reinstall them, one package at a time

apt-get install --reinstall <package name>
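The pipeline above looks every changed path up again with dpkg-query, but debsums' own diagnostics already name the owning package. The script below is an added example, not from the original post, that parses those diagnostics directly, separates changed binaries from edited config files, and emits the reinstall commands. It assumes the diagnostic format "debsums: changed file PATH (from PACKAGE package)" (and "missing file" for absent files) on stderr; the report below is constructed, not captured from a real host, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: turn debsums' diagnostics into a
# de-duplicated package list and reinstall commands without a second
# dpkg-query round trip. Assumes the format
#   debsums: changed file <path> (from <package> package)
# on stderr (and "missing file" for absent files). The report is constructed.
LC_ALL=C; export LC_ALL

SAMPLE_REPORT='debsums: changed file /usr/bin/vim.basic (from vim package)
debsums: changed file /usr/share/vim/vim82/defaults.vim (from vim-runtime package)
debsums: missing file /usr/share/doc/bash/README (from bash package)
debsums: changed file /etc/ssh/sshd_config (from openssh-server package)
debsums: changed file /usr/lib/x86_64-linux-gnu/libc.so.6 (from libc6 package)
debsums: changed file /usr/bin/vim.basic (from vim package)'

# packages_from_report REPORT -> unique package names, one per line
packages_from_report() {
    printf '%s\n' "$1" \
        | sed -nE 's/^debsums: (changed|missing) file .* \(from (.*) package\)$/\2/p' \
        | sort -u
}

# suspicious_files REPORT -> changed files outside /etc. An edited config file
# is usually expected; a binary or library that no longer matches its package
# checksum is not, and is worth treating as a possible compromise until the
# reinstall and a diff of the old file explain it.
suspicious_files() {
    printf '%s\n' "$1" \
        | sed -nE 's/^debsums: changed file (.*) \(from .* package\)$/\1/p' \
        | grep -v '^/etc/' \
        | sort -u
}

# reinstall_commands REPORT -> one apt-get line per affected package
reinstall_commands() {
    packages_from_report "$1" | sed 's/^/apt-get install --reinstall /'
}

# With --live, read the real diagnostics (stderr only; the bare path list on
# stdout is discarded). Without it, run against the constructed report.
if [ "${1:-}" = "--live" ]; then
    REPORT=$(debsums -c 2>&1 >/dev/null)
else
    REPORT=$SAMPLE_REPORT
fi
echo "== changed files outside /etc =="; suspicious_files "$REPORT"
echo "== reinstall =="; reinstall_commands "$REPORT"
```

One caveat that applies to the whole post: debsums compares files against the md5sums lists stored on the same host under /var/lib/dpkg/info, so an attacker with root can update those lists along with the files. A clean debsums run is useful for catching accidental drift; it is not proof of integrity, which needs checksums from a trusted source such as the original .deb files.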

References

How to verify installed packages

Hot swapable Keychron keyboard issues

I just got a Keychron keyboard with hot swap, which makes it easy to switch between two Macs. A few issues bothered me for a while.

No eject button

The major difference between a normal Mac keyboard and the Keychron keyboard is the missing eject button, so another key combination is needed to put the machine to sleep, one that uses the power button. But the power button on my old iMac has an issue as well.

Then, when I put the iMac to sleep and try to switch to the Mac Mini, the keyboard wakes the iMac up. To get around this I tried using the mouse, but I cannot move the mouse either, as it also wakes the iMac up.

After searching the internet, people suggested using the mouse to sleep the machine, then lifting it and turning it upside down. I did the same, except for switching it off, because my mouse has a light.

Switch between MacOS and Windows or Linux

Switching between macOS and Windows or Linux is done with a physical switch, so it is not that convenient, and the manual says not to do it often, otherwise it can cause issues.

References

Shortcut key to make my macbook sleep?

The most insane issue with TrueNAS

This morning I saw the login screen of my TrueNAS, so I decided to have a look. After logging in, TrueNAS rebooted...

This is really a design issue: both shutdown and reboot are poorly designed, since the URL can be re-used without any warning prompt.

In fact, I knew about this issue, but I was only careful enough right after a reboot or shutdown had been performed. After yesterday's reboot, I had not tried to log in using the UI URL.

Although I am careful, this issue makes me avoid the browser's Back button, because the URL can be in the history.

The fix could be very easy: change the GET method to POST in both the reboot and shutdown pages, with an additional per-request variable so the action cannot be replayed from history. But when will they make such a change, as it has already been a mature product for years?

ZFS useful commands

Create pool

Storage providers

Storage providers are spinning disks or SSDs.

ls -al /dev/ada?

Vdevs

Vdevs are groupings of storage providers into various RAID configurations.

RAID 0 or Stripes

Create a striped pool

zpool create OurFirstZpool ada1 ada2 ada3

RAID 1 or Mirror

Create a mirror vdev and add it to a new pool

zpool create tank mirror ada1 ada2 ada3

Create another mirror vdev and add it to the existing pool

zpool add tank mirror ada4 ada5 ada6

Detach a disk from a mirror vdev

zpool detach tank ada4

RAID-Z1, RAID-Z2 and RAID-Z3

Create a RAID-Z1 vdev and add it to a new pool

zpool create tank raidz1 ada1 ada2 ada3

Create a RAID-Z1 vdev and add it to the existing pool

zpool add tank raidz1 ada4 ada5 ada6

Zpools

Zpools are aggregations of vdevs into a single storage pool.

Create pool

zpool create OurFirstZpool ada1 ada2 ada3

Verify pool

zpool status

Add a new disk (as a single-disk vdev) to increase space

zpool add OurFirstZpool ada4

Z-Filesystems

Z-Filesystems are datasets with features such as compression and reservations.

Create dataset

zfs create OurFirstZpool/dataset1

List datasets

zfs list

Zvols

Change max arc size on TrueNAS SCALE

After upgrading the memory to 64GB, memory usage stays below 32GB even with two VMs running. To make use of all the memory, increasing the ZFS cache size is one option.

c_max

The maximum ARC size is defined as a module parameter, which can be viewed with the following commands.

truenas# grep c_max /proc/spl/kstat/zfs/arcstats
c_max                           4    62277025792
truenas# cat /sys/module/zfs/parameters/zfs_arc_max
62277025792
truenas#

To adjust this value, the following command can be used, but it is not persistent.

echo 60129542144 > /sys/module/zfs/parameters/zfs_arc_max

Suggestion from others

Many suggestions can be found; some of them may work, for example:

Create module option file

echo "options zfs zfs_arc_max=34359738368" > /etc/modprobe.d/zfs.conf

But they may not be suitable for a NAS OS, because such files are not covered by the configuration backup the NAS OS provides:

  • An OS upgrade can simply overwrite or delete the file
  • The file can be lost during an OS rebuild

Update sysctl (not workable)

The suggestion is to update vfs.zfs.arc_max with sysctl and disable autotune, but that only works for kernel parameters; no zfs parameter could be found, because zfs is loaded as a module.

Implementation

The parameter needs to be set through the TrueNAS web interface, so that it is saved when the configuration is exported via System Settings => General => Manage Configuration => Download File.

So the following command is added under System Settings => Advanced => Init/Shutdown Scripts, with When set to Post Init.

echo 60129542144 > /sys/module/zfs/parameters/zfs_arc_max

Verification

Verify the setting as below.

arc_summary | grep size

Note: The number is in bytes

Reduce the number

To reduce the value without a reboot, the following command needs to be executed to shrink the cache immediately.

echo 3 > /proc/sys/vm/drop_caches
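The Post Init one-liner above writes a fixed number with no check that it leaves room for the VMs and no confirmation that the kernel accepted it. The script below is an added example, not the post's own script, that could replace it: it derives the value from a target in GiB, refuses targets that would not leave the configured reserve for VMs, writes the parameter, drops caches as above and reads c_max back from arcstats. The ARC_GIB and VM_RESERVE_GIB names, the --apply flag and the function names are this example's own, and the arcstats excerpt is constructed from the numbers shown earlier in the post.

```shell
#!/bin/sh
# Added example, not the post's own script: a Post Init script that sets
# zfs_arc_max from a target in GiB, refuses values that do not leave room for
# the VMs, and reads c_max back from arcstats to confirm it took effect.
# ARC_GIB, VM_RESERVE_GIB and --apply are this example's own names.

# Constructed /proc/spl/kstat/zfs/arcstats excerpt (values in bytes).
SAMPLE_ARCSTATS='name                            type data
c_max                           4    62277025792
c_min                           4    2103017856
size                            4    31034507264'

# arc_max_bytes TARGET_GIB MEMTOTAL_KB RESERVE_GIB -> bytes, or return 1 when
# target plus reserve would exceed physical memory
arc_max_bytes() {
    target=$(( $1 * 1073741824 ))
    limit=$(( $2 * 1024 - $3 * 1073741824 ))
    [ "$target" -le "$limit" ] || return 1
    echo "$target"
}

# arcstat ARCSTATS_TEXT NAME -> the data column for NAME
arcstat() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $3; exit }'
}

# apply_arc_max BYTES -> writes the module parameter, shrinks the cache so a
# smaller limit takes effect immediately, and returns 1 if the kernel reports
# a different c_max afterwards (needs root)
apply_arc_max() {
    echo "$1" > /sys/module/zfs/parameters/zfs_arc_max
    echo 3 > /proc/sys/vm/drop_caches
    [ "$(arcstat "$(cat /proc/spl/kstat/zfs/arcstats)" c_max)" = "$1" ]
}

ARC_GIB=${ARC_GIB:-56}          # 56 GiB = 60129542144 bytes, as in the post
VM_RESERVE_GIB=${VM_RESERVE_GIB:-4}

if [ "${1:-}" = "--apply" ]; then
    memtotal_kb=$(awk '$1 == "MemTotal:" { print $2 }' /proc/meminfo)
    bytes=$(arc_max_bytes "$ARC_GIB" "$memtotal_kb" "$VM_RESERVE_GIB") || {
        echo "refusing: ${ARC_GIB} GiB ARC leaves less than ${VM_RESERVE_GIB} GiB for VMs" >&2
        exit 1
    }
    apply_arc_max "$bytes" && echo "zfs_arc_max=$bytes confirmed by arcstats"
else
    # Dry run against the constructed excerpt and a 64 GiB host.
    echo "current c_max: $(arcstat "$SAMPLE_ARCSTATS" c_max) bytes"
    echo "target: $(arc_max_bytes "$ARC_GIB" 67108864 "$VM_RESERVE_GIB") bytes"
fi
```

Stored as the Post Init script with --apply, it survives the configuration export the same way the one-liner does, and a mis-sized target fails loudly at boot instead of silently starving the VMs.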

References

Why I cannot modify "vfs.zfs.arc_max" in WebUI?
QEMU / KVM: Using the Copy-On-Write mode