lost and found ( for me ? )

BIND 9.7 : filter-aaaa-on-v4 option



[ What’s the filter-aaaa-on-v4 option ? ]

This option filters AAAA records out of responses to queries received over IPv4, to prevent the frequent fallback to IPv4 that happens after an IPv6 timeout when IPv6 is configured wrongly.

[ how to use filter-aaaa-on-v4 ]

This option was added in BIND 9.7.0b2 and is available in later versions.
You need to compile BIND with ./configure --enable-filter-aaaa
root@ubuntu-7:~/bind-9.7.3# ./configure --help | grep aaaa
 --enable-filter-aaaa    enable filtering of AAAA records over IPv4


compile BIND
# ./configure --enable-filter-aaaa
# make
# make install


named.conf
options {
       directory "/var/cache/bind";
       max-cache-size 1M;
       recursion yes;
       filter-aaaa-on-v4 yes;
};

[ when AAAA queries come from IPv4 ]

AAAA records are filtered out.
So the IPv6 timeout won’t happen.
root@ubuntu-7:~# dig @127.1 www.isc.org aaaa

; <<>> DiG 9.7.3 <<>> @127.1 www.isc.org aaaa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59145
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; QUESTION SECTION:
;www.isc.org. IN AAAA

;; AUTHORITY SECTION:
isc.org. 43168 IN NS sfba.sns-pb.isc.org.
isc.org. 43168 IN NS ams.sns-pb.isc.org.
isc.org. 43168 IN NS ord.sns-pb.isc.org.
isc.org. 43168 IN NS ns.isc.afilias-nst.info.

;; ADDITIONAL SECTION:
ns.isc.afilias-nst.info. 86369 IN A 199.254.63.254


[ when AAAA queries come from IPv6 ]

AAAA records are returned.
root@ubuntu-7:~# dig @::1 www.isc.org aaaa

; <<>> DiG 9.7.3 <<>> @::1 www.isc.org aaaa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50213
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 2

;; QUESTION SECTION:
;www.isc.org. IN AAAA

;; ANSWER SECTION:
www.isc.org. 557 IN AAAA 2001:4f8:0:2::d

;; AUTHORITY SECTION:
isc.org. 43157 IN NS ams.sns-pb.isc.org.
isc.org. 43157 IN NS ns.isc.afilias-nst.info.
isc.org. 43157 IN NS sfba.sns-pb.isc.org.
isc.org. 43157 IN NS ord.sns-pb.isc.org.

;; ADDITIONAL SECTION:
ns.isc.afilias-nst.info. 86358 IN A 199.254.63.254
ns.isc.afilias-nst.info. 86358 IN AAAA 2001:500:2c::254
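
A check for the behaviour shown in the two dig runs above, as an added example (not part of the original post). It counts AAAA records in the ANSWER section only, so AAAA glue in the ADDITIONAL section does not hide the filtering; the function names are hypothetical and the sample replies are abridged from the output above.

```shell
#!/bin/sh
# Count AAAA records in the ANSWER section of dig output read from stdin.
count_aaaa_answers() {
    awk '
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^;;/ || /^$/         { in_answer = 0 }   # next section header or blank line
        in_answer && $4 == "AAAA" { n++ }
        END { print n + 0 }
    '
}

# Compare a reply fetched over IPv4 with one fetched over IPv6 for the same name.
# Prints: filtered | not-filtered | no-aaaa (name has no AAAA, test inconclusive)
filter_aaaa_verdict() {   # $1 = dig output via IPv4, $2 = dig output via IPv6
    v4=$(printf '%s\n' "$1" | count_aaaa_answers)
    v6=$(printf '%s\n' "$2" | count_aaaa_answers)
    if [ "$v6" -eq 0 ]; then echo no-aaaa
    elif [ "$v4" -eq 0 ]; then echo filtered
    else echo not-filtered
    fi
}

# Sample replies, abridged from the dig output on this page.
V4_REPLY=';; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; QUESTION SECTION:
;www.isc.org. IN AAAA

;; AUTHORITY SECTION:
isc.org. 43168 IN NS sfba.sns-pb.isc.org.'

V6_REPLY=';; ANSWER SECTION:
www.isc.org. 557 IN AAAA 2001:4f8:0:2::d

;; AUTHORITY SECTION:
isc.org. 43157 IN NS ams.sns-pb.isc.org.

;; ADDITIONAL SECTION:
ns.isc.afilias-nst.info. 86358 IN AAAA 2001:500:2c::254'

filter_aaaa_verdict "$V4_REPLY" "$V6_REPLY"
# Against a live server:
#   filter_aaaa_verdict "$(dig @127.1 www.isc.org aaaa)" "$(dig @::1 www.isc.org aaaa)"
```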

Linux : cpulimit command

What’s cpulimit

http://cpulimit.sourceforge.net/
It lets you limit the CPU usage of a running process.

[ How to install cpulimit  ]

CentOS 5.5

There is no cpulimit package in the yum repository.
Download the source code n’ compile it.
# wget http://sourceforge.net/projects/cpulimit/files/cpulimit/cpulimit/cpulimit-1.1.tar.gz
[root@centos5-1 ~]# tar xzvf cpulimit-1.1.tar.gz

[root@centos5-1 ~]# cd cpulimit-1.1
[root@centos5-1 cpulimit-1.1]# ls
Makefile  cpulimit.c

compile
[root@centos5-1 cpulimit-1.1]# make
gcc -o cpulimit cpulimit.c -lrt -Wall -O2

The file named cpulimit is the binary you compiled.
[root@centos5-1 cpulimit-1.1]# cp cpulimit /usr/local/sbin/

Ubuntu 10.10

you can install it via apt-get
root@hat1:~# apt-get install cpulimit

[ Examples of usage ]

To limit CPU usage, first find the process ID or command name with ps aux, top, etc.
[root@centos5-1 cpulimit-1.1]# cpulimit --verbose
Error: You must specify a target process
Usage: cpulimit TARGET [OPTIONS...]
  TARGET must be exactly one of these:
     -p, --pid=N        pid of the process
     -e, --exe=FILE     name of the executable program file
     -P, --path=PATH    absolute path name of the executable program file
  OPTIONS
     -l, --limit=N      percentage of cpu allowed from 0 to 100 (mandatory)
     -v, --verbose      show control statistics
     -z, --lazy         exit if there is no suitable target process, or if it dies
     -h, --help         display this help and exit

root@hat1:~# ps -C unbound
 PID TTY          TIME CMD
1571 ?        00:00:01 unbound

root@hat1:~# cpulimit --pid 1571 --limit 10
Process 1571 detected

or

root@hat1:~# cpulimit --exe unbound --limit 10
Process 1571 detected

display details
root@hat1:~# cpulimit --pid 1571 --limit 10 --verbose
Process 1571 detected

%CPU work quantum sleep quantum active rate
0.00% 100000 us     0 us 99.80%
0.00% 100000 us     0 us 99.80%
0.00% 100000 us     0 us 99.81%
0.00% 100000 us     0 us 99.80%

limit CPU usage of the chrome browser to only 1% ... oh, very slow..
root@hat1:~# cpulimit --exe chromium-browser --limit 1 --verbose
Process 2829 detected

%CPU work quantum sleep quantum active rate
1.11% 84803 us 15196 us 93.87%
5.53%  4244 us 95755 us 23.49%
2.21%  1082 us 98917 us 2.40%
2.21%  6587 us 93412 us 14.58%
3.32%  1384 us 98615 us 4.60%
2.21%   444 us 99555 us 0.98%
2.21%   233 us 99766 us 0.52%
7.75%  1477 us 98522 us 11.45%
2.21%   500 us 99499 us 1.11%
1.11%   415 us 99584 us 0.46%

cpulimit seems to limit CPU usage by SIGSTOP n’ SIGCONT

interesting tool :)
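
The SIGSTOP/SIGCONT duty cycle suggested above, as an added example (not cpulimit's own code and not from the original post). It uses a fixed run/frozen split per period, whereas the --verbose output above shows cpulimit adjusting its quanta; the function names and the 100000 us period are assumptions.

```shell
#!/bin/sh
# Fixed duty-cycle throttle using SIGSTOP/SIGCONT (illustration, not cpulimit's code).

# Split one control period into run time and frozen time, in microseconds.
# $1 = limit percent (1-100), $2 = period (default 100000 us, an assumption
# taken from the work + sleep quantum totals in the --verbose output).
quanta() {
    limit=$1; period=${2:-100000}
    if [ "$limit" -lt 1 ] || [ "$limit" -gt 100 ]; then return 1; fi
    work=$((period * limit / 100))
    echo "$work $((period - work))"
}

# Microseconds to the fractional seconds that GNU/busybox sleep accept.
usec_to_sec() { printf '%d.%06d' $(($1 / 1000000)) $(($1 % 1000000)); }

# Throttle a process for a number of periods, then leave it running.
# $1 = pid, $2 = limit percent, $3 = periods
throttle() {
    pid=$1; cycles=$3
    q=$(quanta "$2") || return 1
    run=${q% *}; frozen=${q#* }
    # If the throttler is interrupted mid-cycle the target would stay frozen,
    # so resume it before exiting.
    trap 'kill -CONT "$pid" 2>/dev/null; exit 1' INT TERM
    i=0
    while [ "$i" -lt "$cycles" ] && kill -0 "$pid" 2>/dev/null; do
        kill -CONT "$pid" 2>/dev/null || break
        sleep "$(usec_to_sec "$run")"
        kill -STOP "$pid" 2>/dev/null || break
        sleep "$(usec_to_sec "$frozen")"
        i=$((i + 1))
    done
    kill -CONT "$pid" 2>/dev/null || true
    trap - INT TERM
}

# Usage: sh throttle.sh PID LIMIT [PERIODS]
if [ $# -ge 2 ]; then throttle "$1" "$2" "${3:-50}"; fi
```

A throttler that is killed with SIGKILL cannot run its cleanup, so a target found in state T afterwards needs a manual `kill -CONT`.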

kernel error : nf_conntrack: table full, dropping packet.


# tail -1 /etc/lsb-release
DISTRIB_DESCRIPTION="Ubuntu 10.10"

# uname -a
2.6.35-25-server #44-Ubuntu SMP Fri Jan 21 19:09:14 UTC 2011 x86_64 GNU/Linux


I saw the following errors on my DNS Server running unbound.

/var/log/message
kernel: [96324.941657] nf_conntrack: table full, dropping packet.

You can also see the same message via dmesg:
# dmesg | tail -1
[96324.941657] nf_conntrack: table full, dropping packet.


This seems to be caused by the “iptables connection_table” filling up under a huge amount of traffic, such as a DDoS.
You may solve this by increasing “ip_conntrack_max” if you have enough memory available.

the default value is:
# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
65536


This value is a 32-bit integer.

Increase this value with the sysctl command:
# sysctl -w net.netfilter.nf_conntrack_max=131072
net.netfilter.nf_conntrack_max = 131072


or edit sysctl.conf to make the change permanent:
# egrep conntrack /etc/sysctl.conf
net.netfilter.nf_conntrack_max=131072


In my case, after increasing that value from 65536 to 131072, I haven’t seen the above errors :)
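
To notice the table filling up before packets are dropped, the current entry count can be compared with the limit. This is an added example, not part of the original post; the function names and the 80%/95% thresholds are assumptions, and the sample log's first line is the one quoted above while the other two are constructed.

```shell
#!/bin/sh
# Percentage of the conntrack table in use. $1 = current entries, $2 = maximum.
conntrack_usage_pct() {
    [ "$2" -gt 0 ] || return 1
    echo $(( $1 * 100 / $2 ))
}

# Classify usage. $1 = count, $2 = max, $3 = warn % (default 80), $4 = crit % (default 95)
# Exit status: 0 ok, 1 warn, 2 crit, 3 unknown.
conntrack_status() {
    pct=$(conntrack_usage_pct "$1" "$2") || { echo unknown; return 3; }
    if   [ "$pct" -ge "${4:-95}" ]; then echo "crit $pct%"; return 2
    elif [ "$pct" -ge "${3:-80}" ]; then echo "warn $pct%"; return 1
    else echo "ok $pct%"; return 0
    fi
}

# Count "table full" drop messages in kernel log text read from stdin.
count_table_full() {
    grep -c 'nf_conntrack: table full, dropping packet' || true
}

# Sample log: first line from this page, the rest constructed.
SAMPLE_LOG='kernel: [96324.941657] nf_conntrack: table full, dropping packet.
kernel: [96325.102233] nf_conntrack: table full, dropping packet.
kernel: [96330.000000] eth0: link up'
echo "drops in sample log: $(printf '%s\n' "$SAMPLE_LOG" | count_table_full)"

# Live check on a host with the nf_conntrack module loaded.
D=/proc/sys/net/netfilter
if [ -r "$D/nf_conntrack_count" ] && [ -r "$D/nf_conntrack_max" ]; then
    conntrack_status "$(cat "$D/nf_conntrack_count")" "$(cat "$D/nf_conntrack_max")" || true
fi
```

Run from cron or a monitoring agent, the exit status of `conntrack_status` maps directly onto the usual ok/warning/critical check states.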

How to install FreeNX on CentOS 5.5


freenx
http://freenx.berlios.de/

freenx is an alternative to VNC.

You can install freenx  via yum.
freenx is included in extras repository.

At first I wanted to install x2go server instead of freenx , however I can’t find rpm/source code of freenx :(
X2go is an alternative to FreeNX :)

[ how to install FreeNX Server ]

# cat /etc/redhat-release
CentOS release 5.5 (Final)
# uname -r
2.6.18-194.32.1.el5

# yum list | grep -i freenx
freenx.x86_64                              0.7.3-6.el5.centos          extras

install freenx via yum
# yum install freenx.x86_64

set up the key used for authentication ( I didn’t use my own custom key pair ; answering N uses the NoMachine key )
# nxsetup --install
------> It is recommended that you use the NoMachine key for
       easier setup. If you answer "y", FreeNX creates a custom
       KeyPair and expects you to setup your clients manually.
       "N" is default and uses the NoMachine key for installation.

Do you want to use your own custom KeyPair? [y/N] N
Setting up /etc/nxserver ...done
Setting up /var/lib/nxserver/db ...done
Setting up /var/log/nx/nxserver.log ...done
Adding user "nx" to group "utmp" ...done
Setting up known_hosts and authorized_keys2 ...done
Setting up permissions ...done
Setting up cups nxipp backend ...done

----> Testing your nxserver configuration ...
Warning: Could not find nxdesktop in /usr/bin. RDP sessions won't work.
Warning: Could not find nxviewer in /usr/bin. VNC sessions won't work.
Warning: Invalid value "APPLICATION_LIBRARY_PRELOAD=/usr/lib/libX11.so.6.2:/usr/lib/libXext.so.6.4:/usr/lib/libXcomp.so.2:/usr/lib/libXcompext.so:/usr/lib/libXrender.so.1.2". /usr/lib/libX11.so.6.2 could not be found. Users will not be able to run a single application in non-rootless mode.
Warning: "/usr/lib/cups/backend/smb" is not executable.
        Users will not be able to enable printing.
Warning: Invalid value "DEFAULT_X_SESSION=/etc/X11/xdm/Xsession"
        Users might not be able to request a default X session.
Warning: Invalid value "COMMAND_START_CDE=cdwm"
        Users will not be able to request a CDE session.
Warning: Invalid value "COMMAND_SMBMOUNT=smbmount". You'll not be able to use SAMBA.
Warning: Invalid value "COMMAND_SMBUMOUNT=smbumount". You'll not be able to use SAMBA.
Error: Could not find 1.5.0 or 2.[01].0 or 3.[01].0 version string in nxagent. NX 1.5.0 or 2.[01].0 or 3.[012].0 backend is needed for this version of FreeNX.

 Warnings occured during config check.
 To enable these features please correct the configuration file.

<---- done

----> Testing your nxserver connection ...
HELLO NXSERVER - Version 3.2.0-74-SVN OS (GPL, using backend: not detected)
<--- done

Ok, nxserver is ready.

PAM authentication enabled:
 All users will be able to login with their normal passwords.

 PAM authentication will be done through SSH.
 Please ensure that SSHD on localhost accepts password authentication.

 You can change this behaviour in the /etc/nxserver/node.conf file.
Have Fun!


start freenx server
# /etc/init.d/freenx-server start
freenx-server を起動中:                                    [  OK  ]


check the status of freenx ( it’s running )
# nxserver --status
NX> 100 NXSERVER - Version 3.2.0-74-SVN OS (GPL, using backend: not detected)
NX> 110 NX Server is running
NX> 999 Bye


[ FreeNX Client Setup ]

just download n’ Install freenx client for windows ( very easy ! )
http://www.nomachine.com/download-client-windows.php

launch the freenx client n’ connect to the freenx server.


thx for reading :)