Thursday 24 February 2011

VMware vSphere CLI install on Debian

I just installed the VMware vSphere Command Line Interface on Debian and had a headache because it kept reporting missing packages and RPM errors. Basically the script looks for a file /etc/*-release and uses this to determine what type of system it is installing on. Since Debian does not have this file it falls back to assuming a RedHat based system and uses RPM to check for required dependencies. Not surprisingly this fails.

The quickest way to get round this is to pretend the system is Ubuntu and install, then delete the Ubuntu file:
# echo ubuntu > /etc/temp-release
Install using ./vmware-install script
# rm /etc/temp-release
The dependencies I had to install were libssl-dev and perldoc.

Thursday 17 February 2011

Learning IPv6 part 4 - Postfix email server

Postfix is very simple to install and was also pretty simple to set up for IPv6 use.
  1. Install the postfix and alpine programs (plus dependencies)
  2. Edit /etc/postfix/main.cf
    1. Check the mydestination field includes the domain you have set up
    2. Ensure the mynetworks field includes the IPv6 network you are using (so for me I needed to add "[2001:470:1f09:12e9::]/64" to the end of the line)
    3. Add a line "mydomain=test_ipv6_domain.com" above the mynetworks line
    4. Add "inet_protocols = ipv4, ipv6" to the end of the file, otherwise Postfix currently defaults to only listening on the IPv4 addresses
  3. Add the relevant lines to the BIND zone file
    1. @ IN MX 10 mail6.test_ipv6_domain.com
    2. mail6 IN AAAA 2001:470:1f09:12e9::123
Allow mail through the firewall to the IPv6 address and it all worked smoothly.
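
A check for the main.cf settings listed above, as an added example that is not part of the original post: it confirms IPv6 is enabled, that IPv6 entries in mynetworks use the bracketed form, and reports how wide the trusted relay range is. The function names and the sample file are assumptions made for illustration.

```python
import ipaddress

# Constructed main.cf fragment following the steps above (sample input).
SAMPLE_MAIN_CF = """\
mydestination = test_ipv6_domain.com, localhost
mydomain=test_ipv6_domain.com
mynetworks = 127.0.0.0/8 [::1]/128 [2001:470:1f09:12e9::]/64
inet_protocols = ipv4, ipv6
"""

def parse_main_cf(text):
    """Return {parameter: value}; indented lines continue the previous one."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last:
            params[last] += " " + line.strip()
            continue
        name, _, value = line.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params

def parse_mynetworks(value):
    """Parse mynetworks entries; IPv6 must use Postfix's [addr]/len form."""
    # Assumption: mynetworks is an inline list, not a lookup table reference.
    nets = []
    for item in value.replace(",", " ").split():
        if ":" in item:
            if not item.startswith("[") or "]" not in item:
                raise ValueError(f"IPv6 entry needs [addr]/len form: {item}")
            addr, _, rest = item[1:].partition("]")
            item = addr + rest          # "[2001:db8::]/64" -> "2001:db8::/64"
        nets.append(ipaddress.ip_network(item, strict=False))
    return nets

def audit(text):
    """Return a list of findings for the IPv6 settings in a main.cf."""
    p = parse_main_cf(text)
    findings = []
    # Follows the post: without this line Postfix listened on IPv4 only.
    protos = {x.strip() for x in p.get("inet_protocols", "").split(",")}
    if not protos & {"ipv6", "all"}:
        findings.append("inet_protocols does not list ipv6")
    for net in parse_mynetworks(p.get("mynetworks", "")):
        if net.version == 6 and net.prefixlen < 128:
            findings.append(f"{net}: every host in this /{net.prefixlen} may relay")
    return findings
```

Because mynetworks is the list of clients Postfix trusts to relay, the /64 finding is a reminder that every address in the routed subnet gets that privilege, not only the mail host.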

RDNS was a real pain until I realised I needed to register my DNS server with Hurricane Electric on their tunnel setup page. Obvious when you think about it - the IPs are registered to HE, how are they to know what my DNS server is?
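
What the delegated reverse zone and the mail host's PTR record look like, as an added example that is not part of the original post. It assumes the routed /64 is delegated as a single ip6.arpa zone; the function names are illustrative, and the address and host name are the ones used in the zone file lines above.

```python
import ipaddress

def reverse_zone(prefix):
    """ip6.arpa zone name for a nibble-aligned IPv6 prefix (e.g. a /64)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4 for a clean zone cut")
    # One label per hex digit of the network part, least significant first.
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

def ptr_records(prefix, hosts):
    """Return (zone, [PTR lines]) for {address: fqdn} hosts inside the prefix."""
    net = ipaddress.IPv6Network(prefix)
    zone = reverse_zone(prefix)
    lines = []
    for addr, fqdn in sorted(hosts.items()):
        ip = ipaddress.IPv6Address(addr)
        if ip not in net:
            raise ValueError(f"{ip} is outside the delegated prefix {net}")
        full = ip.reverse_pointer + "."      # fully qualified owner name
        label = full[: -len(zone) - 1]       # owner name relative to the zone
        lines.append(f"{label} IN PTR {fqdn.rstrip('.')}.")
    return zone, lines

if __name__ == "__main__":
    zone, lines = ptr_records(
        "2001:470:1f09:12e9::/64",
        {"2001:470:1f09:12e9::123": "mail6.test_ipv6_domain.com"},
    )
    print("$ORIGIN", zone)
    print("\n".join(lines))
```

Receiving mail servers commonly compare the PTR target with the AAAA record, so the name in the PTR line should be the same one published in the forward zone.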

A partly useful site is http://www.mxtoolbox.com which lets you check what it sees your DNS entries as, however it does not support IPv6 so shows the IP address as 0.0.0.0 - at least you know that it is working that far though. :) You can also check other DNS records on this site (NS, A, SPF, TXT, PTR, CNAME etc.)

A better guide to Postfix setup which does not include IPv6 is here: http://www.linux.com/learn/tutorials/308917-install-and-configure-a-postfix-mail-server

Wednesday 16 February 2011

Learning IPv6 part 3 - Apache and DNS

Another day, another IPv6 adventure. Debian works with IPv6 really easily, just need to add the details to /etc/network/interfaces as shown in Linux network address setup. I'm using manually configured IP addresses for now, at some point I'll look into DHCP for IPv6.

That got me on the internet, next step was Apache which it turns out was already done - I spent a while looking into config files but all I needed to do was restart Apache with the IPv6 address set up and it picked it up automatically. To configure specific virtual hosts etc the syntax hasn't really changed, you just need to put the IP address in square brackets in the /etc/apache2/sites-available/* file. Oh and to browse by IP address you also need to use square brackets so in the web browser address bar you should type http://[2001:470:1f09:12e9::123] or whatever the address is for you.

Next I need to create a fully authoritative DNS server and connect it to a domain so that it can be resolved from the net as 123-reg does not support IPv6 yet. This turned out to be very simple (although to be honest I just wanted to get it working, not optimise it, set internal/external views/etc so very basic) following the instructions here: http://www.cahilig.net/2008/07/04/how-setup-lan-dns-server-using-bind9-under-debian-and-ubuntu-linux. There is also a good followup guide for DDNS here: http://www.cahilig.net/2008/08/02/debian-and-ubuntu-ddns-bind9-and-dhcp but not much detail on IPv6, mainly IPv4. Securing the Bind instance with chroot is covered fairly well here: http://linux.justinhartman.com/DNS_Installation_and_Setup_using_BIND9 but I have not tried this yet.

Set the DNS server for my test domain to be the laptop (123-reg actually insists on at least 2 DNS servers so I just put dns1.domain.com and dns2.domain.com, and gave the same IP address for both). Obviously not a good idea for a real system unless you like to live dangerously but for this test it's fine - all my IPv6 stuff so far is running from a single old Dell laptop and Netscreen 5GT firewall appliance.

Allowed DNS (IPv4) and http (IPv6) through the firewall and outside hosts can browse the web server over IPv6. The DNS server is set to respond to queries over IPv6 too but since most things look up DNS entries over IPv4 at the moment I've left it for now. I've also not yet explored the reverse zone file in IPv6 or DDNS updates linking to a DHCP service to automatically add new hosts to the zone files. To test that properly I might need to set up several virtual machines to play with how IPv6 addresses are allocated and have a separate internal/external DNS server setup.

This has got me thinking about our DNS setup. At the moment internal DNS is handled by our MS Small Business Server 2003 and external DNS by our registrar. With IPv6 it might make a bit more sense to handle this ourselves as we are likely to make changes more often initially but we would need several DNS instances to be reliably redundant. Say 2 internal DNS servers auto updated with new hosts as they are added by DHCP, and two external DNS servers which only contain the IP addresses of the hosts we want external people to be able to connect to. One of those external DNS servers would need to be off site though (otherwise if we get a power cut and someone tries to email us their main server will be unable to resolve the address and may bounce the message. If they can resolve the address but the mail server does not respond then most servers keep trying for a few days). Virtual machines would make this pretty easy and low cost except for the external server but I'm sure I can arrange a reciprocal deal with someone I know for something as low bandwidth as a DNS server. Added benefit in that if our main SBS server dies now we lose DNS and therefore web access. I can easily change a DNS entry to our ISP manually but don't fancy doing that on dozens of computers while trying to fix a domain controller... It is still 4 new servers to keep an eye on which is more work.

Monday 14 February 2011

Learning IPv6 Part 2

I get the feeling that IPv6 is going to be a bit tricky at first.

I sat down to try and get it going again and this time it all worked first time with no issues. Not sure what I was doing last time but I created an IPv6 tunnel with Hurricane Electric (free tunnel broker service at http://tunnelbroker.net), set up the tunnel in my old Netscreen, added the routed subnet (despite them making the changed part of the IPv6 address bold I missed it the first time!), manually added some IPv6 addresses to the firewall and an old XP laptop and I was live on IPv6. No problems at all. Hit the button on the Hurricane Electric certification page to test and got promoted to Explorer from Newbie.

With lots of confidence I read the next test, basically I need to host a website on IPv6 with DNS resolution. Quickly decided to go for a Linux install on the laptop with Apache as a decent challenge (last set up Apache about 5 years ago, never with IPv6) and started downloading the latest Debian install ISO (6.0 - Squeeze - just released a few days ago). I hope this will also give me a good foundation for any other challenges that come along. While downloading I went to our domain registrar's page planning to set up the DNS entry and found that 123-reg.co.uk does not support IPv6. Wait, what?

So our ISP (BTnet) does not yet support IPv6, neither does our "Fanatical support" web host Rackspace or our domain registrar 123-reg.co.uk. The ISP I can work around with the free tunnel from Hurricane Electric and I think I can run my own DNS server but don't think 123-reg will let me make a separate server authoritative for a subdomain. Guess I'll be creating an ipv6testdomain.co.uk or similar to get this working for now, unless 123-reg have plans to support IPv6 soon. UPDATE: Yep, 123-reg have plans but no dates yet, guess I'll be learning how to set up an authoritative DNS server for IPv6 a bit sooner than expected.

In the mean time Debian Squeeze has nearly finished installing so I'm off to set up IPv6 in Linux and then probably watch the ASCII star wars intro to check it's working.

Tuesday 1 February 2011

Final IPv4 addresses allocated by IANA

Well APNIC has finally requested the last two blocks it is entitled to, taking the number of available blocks to 5. Since this is the same as the number of RIRs (Regional Internet Registries) the final distribution of blocks has now been put in motion by IANA.

https://www.apnic.net/publications/news/2011/delegation

Not that the date this happens affects the end game much - generally we are still expecting to run out at the RIR level by the end of the year. APNIC expects to start limiting IP addresses in 3-6 months after which it's new customers only and they only get a few addresses (Max 1024 regardless of how big the company is). What I find really frustrating about the whole situation is the lack of support from big ISPs. I can understand businesses not buying into it (hey the internet is still working right?) and the techies getting frustrated but for an ISP like BTnet to still not support IPv6 is getting farcical. End of Jan I tried again and got this response:

BTnet does not currently support IPV6.
IPv6 on BTnet
BT is committed to the development and support of IPv6 across its networks and services including our UK and Global Internet platforms and our UK (BTnet) and Global (BTIA) Internet Access Services. This will ensure IP address space will continue to be available for all our customers as the IPv4 address space is forecast to become exhausted within the next few years. Upgrading our platforms to IPv6 will also allow BT to stay at the forefront of IP based services.
Currently IPv6 is being trialled with some customers at a number of sites on our Global Internet platform. Plans for full introduction to the Global and UK platforms are being prepared with the expected hardware and system upgrades expected to start during 2011.
No changes are expected to existing BTnet services. Customers will be kept informed when IPv6 capability is deployed on our platforms and any changes to their service options will be fully communicated at that time.
So much for a business class ISP - we only pay for a 10Mb leased line on 100Mb bearer over fibre. Literally months away from this becoming a problem and this is going to be a bottleneck if the economy does turn round. With APNIC due to run out first a lot of the companies in Asia will start to implement IPv6 and with its multicast abilities I'd expect lots of online systems (eg online games) to start preferring IPv6 reasonably soon. They already use P2P for things like updates quite a bit. Ah well I'll just keep asking every few months. Should have my test IPv6 setup online in a few days, no point waiting for BT any longer.