Eki's Home

Creating Debian Cloud-init Template for Proxmox VE

Thu, 21 Sep 2023 19:33:53 +0900

Eki's Home https://eki.moe/posts/creating-debian-cloud-init-template-for-proxmox-ve/ -

Cloud-init is a package that contains utilities for early initialization of cloud instances. (Source: ArchWiki). It allows headless and painless configuration for spinning up new cloud instances, so no more installing from scratch for every new instance. Check out Proxmox’s documentation for more info on its support within Proxmox VE.

Debian actually provides cloud-init ready images for deploying now, so it is even more convinient than before.

Creating VM

Firstly we will need to create a VM as the basis of operations. Click Create VM on the top right corner. Then we just follow the interactive guide provided by the GUI.

Make sure to check the Advanced box to have all options show up.

Set your instance name and ID as you wish, and check Start at boot if you want it to do so, which you probably do. This will not boot the template, but any VMs you have created from it.

Select Do not use any media for the OS image, as we will not be installing by hand, but rather by importing a ready-made image.

Check Qemu Agent, and leave everything as is in the image. Qemu Agents will allow for extra operations from the host. VirtIO SCSI single should be used, as it has the best performance, stated here.

Delete the disk Proxmox VE has created for you by default, as we will not be needing it.

This is how it should look like after you have deleted the disk.

Regarding the CPU type,

If you don’t care about live migration or have a homogeneous cluster where all nodes have the same CPU and same microcode version, set the CPU type to host, as in theory this will give your guests maximum performance.
If you care about live migration and security, and you have only Intel CPUs or only AMD CPUs, choose the lowest generation CPU model of your cluster.
If you care about live migration without security, or have mixed Intel/AMD cluster, choose the lowest compatible virtual QEMU CPU type.

For QEMU CPU type compatibiliy,

kvm64 (x86-64-v1): Compatible with Intel CPU >= Pentium 4, AMD CPU >= Phenom.
x86-64-v2: Compatible with Intel CPU >= Nehalem, AMD CPU >= Opteron_G3. Added CPU flags compared to x86-64-v1: +cx16, +lahf-lm, +popcnt, +pni, +sse4.1, +sse4.2, +ssse3.
x86-64-v2-AES: Compatible with Intel CPU >= Westmere, AMD CPU >= Opteron_G4. Added CPU flags compared to x86-64-v2: +aes.
x86-64-v3: Compatible with Intel CPU >= Broadwell, AMD CPU >= EPYC. Added CPU flags compared to x86-64-v2-AES: +avx, +avx2, +bmi1, +bmi2, +f16c, +fma, +movbe, +xsave.
x86-64-v4: Compatible with Intel CPU >= Skylake, AMD CPU >= EPYC v4 Genoa. Added CPU flags compared to x86-64-v3: +avx512f, +avx512bw, +avx512cd, +avx512dq, +avx512vl.

This choice is up to personal taste. You can customize this setting after you create the template, or even for each instance.

For Memory and Network settings, set them to what you see fit.

Next, some operations using ssh / console is needed, as Proxmox VE do not have them ready in the GUI.

Readying VM

We will need to manually add a serial console to the VM, otherwise the web console will not work.

qm set <VM ID> --serial0 socket --vga serial0

The Debian team has prepared a variety of cloud images available for download. Goto https://cloud.debian.org/images/cloud/, and scroll down to find the release of your choice. Personally I prefer the “latest” flavor.

I will download the “genericcloud” “amd64” qcow2 image, as it fits me best.

Then we will need to resize the image, otherwise the image will be considered “full”, unavailable for any operations.

qemu-img resize <Image Filename> <Size, e.g. 5G>

Import the image file to our VM

qm importdisk <VM ID> <Image Filename> <Storage, be careful if you use LVM / ZFS>

Return to the web GUI. Go to Datacenter -> node -> VM -> Hardware. We will need to make 3 changes here.

Add -> CloudInit Drive -> Storage same as your VM disk storage -> Add
Unused Disk 0 at the bottom. This is the disk image we have just imported. Click on it, then choose “edit”. As I’m using SSDs, I’m going to make two changes - check “Discard” and “SSD emulation”. Also check “IO thread” if it isn’t checked.
Display -> edit -> Graphic card -> choose “default”. I prefer this over a serial console for it being graphics based.

Go to “Options” for this VM. Double-click “Boot Order”, enable “scsi0”, and move it to the second posision, as we might still want to boot from the virtual optical drive.

You can read more about all the VM options at Proxmox VE Documentation

Right-click the VM on the left side, and choose “convert to template”. Wait for it to finish, and now you have a template ready for use.

Using the template

To use the template, right-click again on the template, and choose “clone”. Name your VM, set a VM ID, and remember to set it to “Full Clone”, so the VM does not rely on the template.

Now we can go to the new VM -> Cloud-Init, and set your user name to root, root password, ssh public keys, and networking. Remember to set them so you don’t get locked out like I did.

Start the VM when you feel ready.

Final touches

Go to Console. If you see “starting serial terminal on interface serial0”, just press enter and the console will load. Wait for cloud-init to finish loading, and then ssh into the VM with username “root” and the password / ssh key you chose. You did set it, right? Right?

Install qemu-guest-agent and enable it.

apt install qemu-guest-agent && systemctl start qemu-guest-agent

References & Sources

- https://eki.moe/posts/creating-debian-cloud-init-template-for-proxmox-ve/ - Eki

Fancontrol Script for Dell iDRAC

Wed, 20 Sep 2023 21:45:00 +0900

Eki's Home https://eki.moe/posts/fancontrol-script-for-dell-idrac/ -

I have looked into some solutions for my noisy Dell PowerEdge R730 in the post iDRAC 8 Settings and Tricks. This is the solution I have come up in the end.

Thought process

Through experience and experiments I have found that under my loads, CPU temperatures will hardly go over 50 degress celcius even with a 5% fan speed. Thus my idea was to just keep it simple and set two thresholds for temperatures that I consider to be harmful and dangerous. They can be modified themselves.

Also, the script is designed to run on the server itself, so IPMI usernames and passwords are not neccesary.

Usage

All that is needed comes in this script. To run it, use this one-liner.

wget https://github.com/nagaeki/dell-idrac-fancontrol/raw/main/setup.sh -O setup.sh && chmod +x setup.sh && bash setup.sh && rm setup.sh

Check out the Github repository for more.

- https://eki.moe/posts/fancontrol-script-for-dell-idrac/ - Eki

iDRAC 8 Settings and Tricks

Wed, 20 Sep 2023 18:27:00 +0900

Eki's Home https://eki.moe/posts/idrac-8-settings-and-tricks/ -

Information might change with time. Categories based on left column in iDRAC GUI.

Server

System Hostname & Operating System

Normally these two values are provided by the Dell EMC iSM (iDRAC Service Module). Check to see if you can install iSM to update these values in realtime.

However iSM might not support the system you’re using. Those times it is helpful to manually set them. You can either use racadm or ipmitool.

racadm

To use racadm, either ssh into iDRAC, or use the mobile app Dell OpenManage,or use the racadm utility on your device. The racadm utility does not support any of my current operating systems in use, so I will use the first two methods.

Use the following commands -

racadm set System.ServerOS.HostName hostname.example.com
racadm set System.ServerOS.OSName "OSName"

ipmitool

Install ipmitool on your system. Most Linux repositories have this utility ready.

To use this, you first need to ensure that IPMI over lan is enabled. Go to iDRAC Settings -> Network -> scroll down to IPMI settings and check Enable IPMI Over LAN. Click apply in the bottom right corner.

Usage -

ipmitool -I lanplus -H $IP -U $USER -P $PASS raw $COMMANDS

Note that lanplus is constant. To set hostname, the following IPMI raw command can be used.

raw 0x06 0x58 0x02 0x00 0x05 0x04 0x4c 0x4d 0x4e 0x4f

Byte 0 : 0x06 Network Function
Byte 1 : 0x58 Command
Byte 2 : 0x02 Parameter Selector (distinguish between set Firmware Version, OS Name, System Name etc.)
Byte 3 : 0x00 Set Selector (this equals 0 implies that the user is setting the parameter)
Byte 4 : 0x05 Check String data
Byte 5 : 0x04  --> data length
Byte 6…n : data bytes

Usage:
For example, to set the hostname to "DELL":

raw 0x06 0x58 0x02 0x00 0x05 --This part is common
0x04 -- hostname string length- four characters(DELL) in our example
0x44 0x45 0x4c 0x4c -- ASCII equivalent for DELL

It is advised to use a ASCII to Hex convertor with the prefix 0x to easily translate the characters.

Virtual Console

Though HTML5 is the shiny new thing, I actually prefer to use Java here because of poor HTML5 performance on iDRAC8 and because how it always gets blocked for unsafe certificates.

Alerts

This is important!

Alerts

Firstly enable Alerts in the top.

For Alert Filters, I would uncheck Info because it’s often not that important. Then check what alerts you wish in the table down below. Note that you need to do this for every page. With Info unchecked, that will be 13 pages.

SNMP and Email Settings

Here you will need to set destination addresses for SNMP and email alerts. Down below you will find SMTP server settings. There are two things to take note here -

Regarding authentication, because of how old iDRAC8 is, it does not support newer versions of TLS and newer cipher suites, so you will need to change your mail server settings accordingly.
Regarding the username, this is only the username for authentication, not the mail envelope-from address. This might trigger safeguard mechanisms within your mail server, as this could be used for forging from addresses. You will need to allow this authentication address to send mail as the envelope-from address. I will mention this again down below.

What’s a envelope-from address? Just like real-life mail, there is a envelope and the letter itself. The envelope is used by mail servers (post offices) to send the mail to the recipient, however the recipient will most likely get who the mail is from and for using information from the headers (the actual letter inside the envelope). In fact, a lot of email clients does not bother to show the envelope-from and envelope-to address, leading to higher risks. Thus it is normally not allowed to authenticate with one address and use another address for envelope-from, however a whitelist function is also normally in place. Consolidate documentations for this setting.

Setup

Here you can choose where the server boots to, as well as does this setting persist or not. This could be useful if you’re trying to boot into BIOS but wants to go to the loo real bad.

iDRAC Settings

Network Settings

Network

DNS iDRAC name and static DNS domain name

This are the two components that actually make up the envelope-from address, as mentioned here. The address will be DNS-iDRAC-Name@Static-DNS-Domain-Name. For example,

If
DNS iDRAC name = iDRAC-1234
and
Static DNS domain name = example.com

Then the envelope-from address will be
idrac-1234@example.com

By default the DNS iDRAC Name value will be IDRAC-<Dell Service Tag #>. Source: Dell

IPMI Settings

Enable IPMI Over LAN - mentioned previously here.

User Authentication

Here you can change user passwords as well as upload ssh key files.

Update and Rollback

This is not apparent, but the function to automatically search for firmware updates for your currently installed hardware does exist. For file location choose HTTPS, and for HTTPS address use downloads.dell.com. Wait for it to load, and then you can forget about finding all the update files one by one.

Hardware

Fan

The default fan profile is definitely quieter than older models, such that I can actually sleep with it. However, it can be even quieter.

Context: Testing is done with 2 * E5-2680 V4 CPUs at around 25 degrees celsius ambient.

Basic static fan speeds

ipmitool is used here. How to use? Check here

# print temps and fans rpms
ipmitool -I lanplus -H <iDRAC-IP> -U <iDRAC-USER> -P <iDRAC-PASSWORD> sensor reading "Temp" 

# print fan info
ipmitool -I lanplus -H <iDRAC-IP> -U <iDRAC-USER> -P <iDRAC-PASSWORD> sdr get "FAN1"

# enable manual/static fan control
ipmitool -I lanplus -H <iDRAC-IP> -U <iDRAC-USER> -P <iDRAC-PASSWORD> raw 0x30 0x30 0x01 0x00

# disable manual/static fan control
ipmitool -I lanplus -H <iDRAC-IP> -U <iDRAC-USER> -P <iDRAC-PASSWORD> raw 0x30 0x30 0x01 0x01

# set fan speed to percentage
ipmitool -I lanplus -H <iDRAC-IP> -U <iDRAC-USER> -P <iDRAC-PASSWORD> raw 0x30 0x30 0x02 0xff 0xXX
# 0xXX as speed percentage in hexdecimal. 0% would be 0x00, 100% would be 0x64, and so on.

Fan speed curve

The idea is to check CPU temps every other few minutes using cron, and set fan speeds according the CPU temperature at the time. For example, there is one solution here on reddit.

However there is one problem with this approach as that in extreme circumstances CPU temperatures may rise too fast for cron to respond. Thus a response time of a few seconds is much more resonable.

Static speed + automatic curve

There is this wonderful docker image on Github tigerblue77/Dell_iDRAC_fan_controller_Docker that not only has a second-level response time, but also allows the bios curve to kick in if things get out of hand for the quiet low speed settings.

~~However, in my own testing, even with a fan speed of just 5%, my two E5-2680 V4s never exceeded 70 degress with max load.~~ But do not take my word for it. Do your own testing for your hardware’s safety.

Turns out I have made a mistake, and the previous test method did not put enough stress on the CPUs.

Faster responses

In the end I have decided to write a little script myself to regulate the fan speeds based on temperature thresholds. Find more about it in the post Fancontrol Script for Dell iDRAC.

Storage

The only thing that needs to be mentioned here is the integrated RAID controller. More can be read in this post.

References & Sources

- https://eki.moe/posts/idrac-8-settings-and-tricks/ - Eki

Proxmox VE Install Routine and Setup Email Notification

Mon, 18 Sep 2023 21:40:00 +0900

Eki's Home https://eki.moe/posts/proxmox-ve-install-routine-and-setup-email-notification/ -

These are some basic routines I go over during a Proxmox VE install. Putting them down here so I won’t forget about them. Information might change with time.

Install

File System

During install you get to choose which file system you want to use. I’m going with a ZFS mirrored (RAID1) setup for Proxmox VE itself. Note that by saying Proxmox VE itself, I mean that VMs / Containers will run on other disks. Will touch on this later.

Why ZFS? Basically, it’s great. If you want to know more about it, check out -

Why mirrored

Losing one ssd on Proxmox is acceptable. I do not expect to lose both SSDs at the same time.
RAIDZ needs at least 3 drives, while mirroring only needs 2.
For workloads prioritizing IOPs, more VDEVs are preferred. Though this might not matter for Proxmox VE itself, it does matter for VMs and their pool, as will be discussed later.

ZFS settings during install

Read more here as well as references below.

ashift = 12

The ashift value of the pool defines the minimum block size of the pool. As I have drives with 4K physical sectors (see here), ashift = 12 corresponds to 4K sectors (2^12 = 4096). Even if you have a drive that uses 512 byte physical sectors, which is rare, using ashift = 12 is still fine. Note that once the ashift value is set for a pool, there is no going back unless you destroy the pool, which would mean reinstalling Proxmox VE. This is also why using ashift = 12 is recommended even for physical 512 byte sector drives, as if you add a 4K sector drive you will encounter performance issues.

However, if you have those rare 8K sector SSDs - set ashift = 13. See also on this topic: ArchWiki

compress = lz4

LZ4 does not tax on IO performance but still compresses. Simple as that.

checksum & copies

Leave as-is.

hdsize

Normally it should be left at default, as this will let ZFS use all the free space it can use. However, if you want to leave some space for partitioning later, you can set it here. For example, because of complications regarding swap on ZFS (you shouldn’t), leave some space to add a swap partition later.

Email

Set it to a email address you own, as alerts will be sent here. This can be modified later.

Hostname

This can not be modified later.

After Install

Creating another zpool for VMs and Containers

Check if your pool is using entire disks - run zdb and find whole_disk.

It is recommended to point ZFS at an entire disk (ie. /dev/sdx rather than /dev/sdx1), which will automatically create a GPT (GUID Partition Table) and add an 8 MB reserved partition at the end of the disk for legacy bootloaders. Source: ArchWiki There is also a reason regarding IO, however I was unable to find documentation sources for this. Source: Reddit

Also, I don’t like the look of having boot & EFI & ZFS partitions on a single disk, so I would rather have dedicated disks for storage.

I use mirrored setups for this - not RAIDZ. Reasons have been listed above.

ZFS trim and scrub

This is actually already enabled by default.

root@ayanami:~# cat /etc/cron.d/zfsutils-linux 
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# TRIM the first Sunday of every month.
24 0 1-7 * * root if [ $(date +\%w) -eq 0 ] && [ -x /usr/lib/zfs-linux/trim ]; then /usr/lib/zfs-linux/trim; fi

# Scrub the second Sunday of every month.
24 0 8-14 * * root if [ $(date +\%w) -eq 0 ] && [ -x /usr/lib/zfs-linux/scrub ]; then /usr/lib/zfs-linux/scrub; fi

Postfix settings so alert emails won’t go to spam

I have my own email server with mailcow. If you use a different server / provider, your settings may vary.

Set email from address

Go to Datacenter -> Options -> “Email from address”. Enter your email from address here.

Get prerequisites

apt-get install libsasl2-modules

main.cf

nano /etc/postfix/main.cf

Comment out the relayhost = line.

Add the following at the end.

relayhost = mail.relay.host:587
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_tls_security_level = encrypt

sasl_passwd

echo "mail.relay.host your-email@gmail.com:YourAppPassword" > /etc/postfix/sasl_passwd
chmod 600 /etc/postfix/sasl_passwd
postmap /etc/postfix/sasl_passwd
postfix reload

Send testmail

mail -s Testmail youremail@domain.com
Testmail
.

Check mail queue

root@ayanami:~# mailq
Mail queue is empty

Troubleshooting

If you have errors like -

root@proxmox:~# mailq
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
43B2E100F17    1399 Mon Nov  1 18:36:56  root@proxmox.local
(SASL authentication failed; cannot authenticate to server smtp.sendgrid.net[13.114.210.107]: no mechanism available)

Then you might have messed up the following -

apt-get install libsasl2-modules
postmap /etc/postfix/sasl_passwd
Wrong account / password

Use postqueue -f to retry the queue.

System and ZFS alerts

If you have your correct email set at installation, you have nothing else to worry about. All alerts will be sent to root@proxmox, and then forwarded to the set email address.

If you need to fix it, you can find it at Datacenter -> Permissions -> Users -> root -> E-Mail.

To test them out, just pull your drives out and wait for a email alert to arrive.

Enable PCI-E passthrough

Make your modifications using the commmand line.

Follow these guides:

Disable Conntrack for asymmetrical routes

Create / modify /etc/pve/nodes/<nodename>/host.fw and add the following:

[OPTIONS]
nf_conntrack_allow_invalid: 1

Then restart the Proxmox VE firewall.

pve-firewall stop && pve-firewall start

Source: blog.swineson.me

References & Sources

- https://eki.moe/posts/proxmox-ve-install-routine-and-setup-email-notification/ - Eki

Using 520 Byte Sector Disks

Mon, 18 Sep 2023 17:07:00 +0900

Eki's Home https://eki.moe/posts/using-520-byte-sector-disks/ -

Bought some dirt cheap used enterprise SSDs on Yahoo Auction, only to be not able to do anything with them. The 520 byte sector problem.

The problem

What’s a sector

In computer disk storage, a sector is a subdivision of a track on a magnetic disk or optical disc. In simpler terms, it is the smallest unit of allocation or operation of a disk, to some extend kind like a atom during chemimal reactions. In practice, operations often span across multiple sectors, and data not filling entire sectors will have the remainder of the sector filled with zeros. [Source: Wikipedia]

Traditionally HDDs have been using 512 byte sectors for a long time, however some modern storage devices has turned to 4KiB sectors for its ability to integrate stronger error correction algorithms to maintain data integrity at higher storage densities.

Why do some disks use 520 byte sectors?

The main motive here is that the extra bytes could be used for something else. For example, hardware RAID may use it for parity calculations, or special file systems may use it for other purposes.

Sometimes 528 byte sectors are also used though less common in my experience. For the time being the focus will be put on 520 byte sectors.

The problem with 520 byte sectors

The problem is simple - it’s not normal. Linux cannot read disks formatted with 520-byte sectors. (Nor does Windows.) If you try to use linux with 520 byte sector drive, run dmesg and you might see the following error:

Source: youtube.com/@ArtofServer

However, this will only show up if the operating system has access to the drives. In my case, connecting 520 byte sector drives to a Dell R730 with a H730p controller, the drives do show up on the controller management page as 520 byte sectors and “RAID ready”, however I was unable to do anything with them, nor did the controller pass the drives to the operating system, despite setting the controller in “HBA Mode”. Although some info online suggested that flashing a H710 into “IT mode” was able to fix the problem, no workaround for H730/H730p or anything that generation has come up. Thus I was unable to do anything with the drives unless I purchase another HBA card.

In the end I purchased 2 LSI 9217-8i 2308 HBAs for 160 CNY (around 20 USD at the time) on Taobao. As a bonus the cards were already flashed into IT mode, reducing my pain. IT mode basically means that instead of functioning as a RAID controller, the card will passthrough the disks without any modification. Though the HBA mode on my H730p should have functioned the same, for some hiccup or another the H730p did not pass it through. I ended up using the cards on another machine that did not have a build-in SAS controller but only a SATA one, so I guess nothing is wasted afterall.

Why did you buy those disks then? Should I buy them?

The main selling point of these drives are that they are just cheap. Why are they cheap then? Well -

The 520 byte sector problem.
They’re old. In fact the drives I picked up were more than a decade old as of time writing. (Manufactured in week 52 of year 2012 - Data from S.M.A.R.T.)

But they also have pros -

They are enterprise grade drives, so you enjoy all the enterprise-level stuff, like SAS, power-loss protection, and a very high level of endurance. Some drives I picked up only had a few terabytes written, while two drives which had 800+TBs written only used ~4% endurance.
They are also pure MLC, so no slowdowns with TLC and QLC.
Same or better performance than buying brand new, but sometimes with 1/4-1/3 of the cost.

Should you buy them? Well if you’re just a “normal” person planning your next PC build, I would probably say, no. It’s still a lot of effort to get something like this working, let alone the specific parts and hardware. I still just use consumer NVMe SSDs in my personal PC. But if you’re building your “homelab” with already enterprise grade servers, then why not. Still, the choice is up to you.

But then again, come to think of it, no “normal” person should probably be reading this.

The fix

Basically the fix will just be to reformat the drives into 512 byte sectors.

Prerequisites

I would recommend using Linux for the operation. In my opinion booting a live Ubuntu USB and using it is much simpler than Windows. However, Windows will still work for this.

Fire up the terminal with root privileges. We will be using sg3-utils and smartmontools.

apt update && apt install sg3-utils smartmontools

Run sg_scan -i to see if your drives show up. If they don’t, then you have other problems to fix.

root@ubuntu:~# sg_scan -i
/dev/sg0: scsi0 channel=0 id=0 lun=0
    NETAPP    X446_RALS200MCHT  NA02 [rmb=0 cmdq=1 pqual=0 pdev=0x0] 
/dev/sg1: scsi0 channel=0 id=1 lun=0
    NETAPP    X446_RALS200MCHT  NA02 [rmb=0 cmdq=1 pqual=0 pdev=0x0] 
/dev/sg2: scsi0 channel=0 id=2 lun=0
    HITACHI   HUSMM118 CLAR800  C250 [rmb=0 cmdq=1 pqual=0 pdev=0x0] 
/dev/sg3: scsi0 channel=0 id=3 lun=0
    HITACHI   HUSMM118 CLAR800  C250 [rmb=0 cmdq=1 pqual=0 pdev=0x0] 
/dev/sg4: scsi0 channel=0 id=32 lun=0
    DP        BP13G+EXP         3.35 [rmb=0 cmdq=1 pqual=0 pdev=0xd] 
/dev/sg5: scsi10 channel=0 id=0 lun=0 [em]
    HL-DT-ST  DVD-ROM DTA0N     D3C0 [rmb=1 cmdq=0 pqual=0 pdev=0x5]

Identify your drives. Use lsblk and smartctl --all /dev/sgX to find the right drive. Like any other formatting operation, you will lose all the data on the drive you’re formatting. Precede with your own caution.

Formatting

Just like any other thing, using 512 byte sectors with a disk will require the disk’s firmware to support it. Older drives might require a firmware re-flash. If you need to do this, consolidate the web. However, most modern drives since 2012 (source) will support 512, 520 and other sector sizes with the same firmware. For example, the HITACHI Ultrastar SSD1600MMs clearly states that it does support 512, 520, 528, and 4K sector sizes in its datasheet, with the Ultrastar SSD400Ms supporting both 512 and 520 sector sizes, though not listed in its datasheet. This will come bite me back later. Anyhow, getting something old enough to not support 512 byte sectors out of the box is probably not worth the effort.

We will use the sg_format utility for formatting. The command goes

sg_format /dev/sgX

This will give information regarding the disk, such as

root@ubuntu:~# sg_format /dev/sg1
    NETAPP    X446_RALS200MCHT  NA02   peripheral_type: disk [0x0]
      << supports protection information>>
      Unit serial number: XXVAV10A        
      LU name: 5000cca01313b5bc
Mode Sense (block descriptor) data, prior to changes:
  Number of blocks=390721968 [0x1749f1b0]
  Block size=520 [0x208]
Read Capacity (10) results:
   Number of logical blocks=390721968
   Logical block size=520 bytes
No changes made. To format use '--format'. To resize use '--resize'

To actually format it, you will need to use the --format option. There is no going back if the operation has started. You will have 15 seconds to cancel after you press enter. Precede at your own risk. The follwing code only serves as an example.

root@ubuntu:~# sg_format -v --format --size=512 /dev/sgX
    SanDisk   DOPE1920S5xnNMRI  3P01   peripheral_type: disk [0x0]
      PROTECT=1
      << supports protection information>>
      Unit serial number: 00028FA6
      LU name: 50011731004624c0
    mode sense (10) cdb: 5a 00 01 00 00 00 00 00 fc 00 
Mode Sense (block descriptor) data, prior to changes:
  Number of blocks=3750748848 [0xdf8fe2b0]
  Block size=512 [0x200]

A FORMAT UNIT will commence in 15 seconds
    ALL data on /dev/sg2 will be DESTROYED
        Press control-C to abort

What if it doesn’t want to format?

For example, something like this will come up

root@ubuntu:~# sg_format -v --format --size=512 /dev/sgX
    SanDisk   DOPE1920S5xnNMRI  3P01   peripheral_type: disk [0x0]
      PROTECT=1
      << supports protection information>>
      Unit serial number: 00028FA6
      LU name: 50011731004624c0
    mode sense (10) cdb: 5a 00 01 00 00 00 00 00 fc 00 
Mode Sense (block descriptor) data, prior to changes:
  Number of blocks=3750748848 [0xdf8fe2b0]
  Block size=520 [0x208]
    mode select (10) cdb: 55 11 00 00 00 00 00 00 1a 00 
mode select (10):
Fixed format, current; Sense key: Illegal Request
Additional sense: Parameter list length error
  Sense Key Specific: Error in Data parameters: byte 0
MODE SELECT command: Illegal request sense key, apart from Invalid opcode

This is just the drive’s smart way of telling you that this is destructive. You can use dd to zero the device out first, or you can just sg_format them to 520 byte sectors first.

sg_format -v --format --size=520 /dev/sgX

After that, you can sg_format then to 512 byte sectors.

Confirming the results

Using smartctl --all /dev/sgX we can check the sector sizes after the format. For example

root@ubuntu:~# smartctl --all /dev/sg2
smartctl 7.3 2022-02-28 r5338 [x86_64-linux-6.2.16-3-pve] (local build)
Copyright (C) 2002-22, Bruce Allen, Christian Franke, www.smartmontools.org

=== START OF INFORMATION SECTION ===
Vendor:               HITACHI
Product:              HUSMM118 CLAR800
Revision:             C250
Compliance:           SPC-4
User Capacity:        800,176,914,432 bytes [800 GB]
Logical block size:   512 bytes
Physical block size:  4096 bytes
LU is resource provisioned, LBPRZ=1
Rotation Rate:        Solid State Device
Form Factor:          2.5 inches
Logical Unit id:      0x5000cca04fb58110
Serial number:        0RY6UEWA
Device type:          disk
Transport protocol:   SAS (SPL-4)
Local Time is:        Mon Sep 18 19:01:10 2023 JST
SMART support is:     Available - device has SMART capability.
SMART support is:     Enabled
Temperature Warning:  Enabled

=== START OF READ SMART DATA SECTION ===
SMART Health Status: OK

Percentage used endurance indicator: 4%
Current Drive Temperature:     28 C
Drive Trip Temperature:        70 C

Accumulated power on time, hours:minutes 45063:15
Manufactured in week 42 of year 2016
Specified cycle count over device lifetime:  0
Accumulated start-stop cycles:  0
Specified load-unload count over device lifetime:  0
Accumulated load-unload cycles:  0
Elements in grown defect list: 0

Vendor (Seagate Cache) information
  Blocks sent to initiator = 50707552

Error counter log:
           Errors Corrected by           Total   Correction     Gigabytes    Total
               ECC          rereads/    errors   algorithm      processed    uncorrected
           fast | delayed   rewrites  corrected  invocations   [10^9 bytes]  errors
read:          0        0         0         0          0     723754.391           0
write:         0        0         0         0          0     818404.477           0

Non-medium error count:        0

No Self-tests have been logged

But what about 4K sectors?

Advanced Format (AF) is any disk sector format used to store data on magnetic disks in hard disk drives (HDDs) that exceeds 528 bytes per sector, frequently 4096, 4112, 4160, or 4224-byte (4 KB) sectors. Source: Wikipedia

If it’s the new modern thing, than it must be better, right? Well, not always.

Remember how I said that the Ultrastar SSD400Ms not clearly labeling supported sector sizes will come back to bite me? Well, after trying to reformat them to 4096, aka 4K sectors, the formating succeeded without problem. However, I was unable to do anything to the disks. The disks still showed up in system, but anything as small as partitioning failed. After reverting them back to 512 byte sectors, everything worked fine, though S.M.A.R.T reports as Logical block size: 512 bytes Physical block size: 4096 bytes. But on the newer Ultrastar SSD1600MMs, they still worked fine with 4K sectors.

But what about performance? I expected performance to increase with 4K sectors, but it seemed to have actually decreased. Online sources divide on this topic, with some saying a increase while some say no noticeable differences. Considering that the older Ultrastar SSD400Ms are in 512 byte sectors, how the Ultrastar SSD1600MMs came in 512 byte sectors, as well as how my comsumer Kioxia NVMe SSDs worked fine in 512 byte sectors, I have decided to keep them in 512 byte mode. I guess it’s just not worth the hassle.

I do believe that the operation in not destructive toward the firmware, so you can try it out yourself. Still, your mileage may very. Precede at your own risk.

References & Sources

- https://eki.moe/posts/using-520-byte-sector-disks/ - Eki

在 internet.nl 上拿到满分

Mon, 13 Feb 2023 17:05:14 +0800

Eki's Home https://eki.moe/posts/full-score-on-internet-nl/ -

Internet.nl 是一个由网络社区和荷兰政府共同创立的项目。这个项目提供对网站，电子邮件和网络连接的测试，以便查看他们是否遵循了现代而可靠的技术/协议。 Source

测试分为三个部分：网站，邮件和网络连接。网站，邮局测试中达到满分的域名会被加入他们的“名人堂”列表，双满分则更为稀少。网络连接测试不会进行研究，原因会在后文解释。

网站测试

此部分使用 nginx 为例，版本号 1.22.1。

对于一些项目，可能需要更改的配置文件有

/etc/nginx/nginx.conf
/etc/nginx/sites-available/example.com (or /default)

如果你在使用 Certbot，则还可能需要更改

/etc/letsencrypt/options-ssl-nginx.conf

Modern address (IPv6)

分为三部分：

Nameserver 是否有 IPv6 地址，且是否可达（正确）。
网站是否有 IPv6 地址，且是否可达（正确）。
IPv6 连接下的网站是否和 IPv4 连接下的网站相同。

一般来说是能很容易满足的条件。

Signed domain name (DNSSEC)

DNSSEC 提供了对 DNS 数据来源的验证，在自己的域名注册商处设置即可。

Secure connection (HTTPS)

简单设置了 HTTPS 并不能在这里得到满分。

一个很有用的网站，由 mozilla 提供，可生成众多配置文件：ssl-config.mozilla.org

HTTPS available & HTTPS redirect

网站启用 HTTPS 连接与 HTTP 重定向即可。Nginx 模板如下

server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2; 
    listen [::]:443 ssl http2;
    server_name example.com www.example.com

    ssl_certificate /etc/ssl/certs/example.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/certs/example.com/privkey.pem;
}

HTTP compression

HTTP 压缩可能使服务器遭受 BREACH 攻击，启用与否是对流量/带宽和安全性的取舍。

gzip off;

HSTS

HSTS 将在浏览器再次访问网站时强制使用 HTTPS 连接，这有助于预防中间人攻击。Internel.nl 认为 HSTS 策略缓存时间为至少一年时，策略足够安全。

在 nginx 配置中添加以下语句

add_header Strict-Transport-Security "max-age=31536000" always;

参照 internet.nl 的提示，只有当确认全部子域名都被 HTTPS 覆盖到时，才应该添加 includeSubDomains 语句，即

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

TLS version

TLS 版本安全性表格：

优秀：TLS 1.3
足够：TLS 1.2
换代：TLS 1.1,1.0
不足：SSL 3.0,2.0,1.0

在 server 块中加入以下内容：

ssl_protocols TLSv1.2 TLSv1.3;

同时，如果使用了 Cloudflare CDN，我还需要在 Cloudflare 的面板中调整以下设置

Ciphers (Algorithm selections)

很多算法已经到了 phase-out 阶段，可以在 nginx 配置文件中禁用。

ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;

Cipher order

在 internet.nl 的列表中列出了 good, sufficient 和 phase out 列表。服务器应该：

若只支持 good 列表中的内容，则不参加此测试
若同时支持 good 列表外的内容，应优先使用 good cipher

ssl_prefer_server_ciphers

Nginx 推荐此项设置为 on，而 mozilla 推荐设置为 off。

我将其设置为了 off。

Key exchange parameters

Diffie-Hellman key exchange 是一种安全协议。服务端应支持足够安全的交换参数。

Github 上的 internetstandards/dhe_roups 仓库给出了足够安全的 ffdhe4096 参数。下载后在 nginx 中指定： ssl_dhparam /etc/nginx/ffdhe4096.pem;

OCSP stapling

OCSP stapling 将本应客户端发起的 OCSP 请求交给服务端发起，服务端将 OCSP 结果随证书一同发送给客户端，跳过了客户自己请求 OCSP 的过程，提高了效率。

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /path/to/fullchain;

Certificate 相关

证书相关，请求了证书并启用即可。

DANE

此处不强求，故不启用。若有兴趣，方法于邮件处的 DANE 设置相同。

Security options

X-Frame-Options

X-Frame-Options 用于避免 clickjacking 攻击。

X-Content-Type-Options

X-Content-Type-Options 用于指明 MIME 类型，同时避免 MIME 类型嗅探。

add_header X-Content-Type-Options nosniff;

Content-Security-Policy

按照 internet.nl 推荐，应至少有以下内容：

default-src: none/self/https:(不推荐)
frame-src: none/self/url
frame-ancestors: hone/self/url

其他项目可在 internet.nl 的测试项中查看细节，或在 content-security-policy.com 查看规范。

add_header Content-Security-Policy "default-src 'self';frame-src 'self';frame-ancestors 'self';" always;

Referrer-Policy existence

add_header Referrer-Policy 'strict-origin-when-cross-origin';

推荐值：

no-referrer/same-origin 如果不发送敏感信息到第三方。
strict-origin/strict-origin-when-cross-origin 如果只通过 HTTPS 发送敏感信息到第三方。

Security.txt

可以通过 securitytxt.org 生成 security.txt，并放置在 domain.com/security.txt 和/或 domain.com/.well-known/security.txt

Route authorisation (RPKI)

BGP 相关。

Nginx配置总和

不推荐直接抄，放这里只是为了方便我自己看。

server {
    listen 80;
    listen [::]:80;
    server_name example.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2; 
    listen [::]:443 ssl http2;
    server_name example.com;
    root /var/www/example.com;

    ssl_certificate /etc/ssl/certs/example.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/certs/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/certs/example.com/fullchain.pem;
    ssl_dhparam /etc/nginx/ffdhe4096.pem;
    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options nosniff;
    add_header Referrer-Policy 'strict-origin-when-cross-origin';

    index index.html index.xml;

    location / {
            index index.html;
    }
}

邮局测试

此处使用 mailcow 为基础进行设置。

Modern address (IPv6) & Signed domain names (DNSSEC)

与上文相同。

Authenticity marks against phishing (DMARC, DKIM and SPF)

DMARC

DMARC 策略用于指明当一封邮件不能被 DKIM 和 SPF 认证时的处理方式。

参考： dmarc.org。

DKIM

不同平台配置方法不同，得到数据后添加至 DNS 记录即可。

SPF

SPF 用于验证邮件发送人的真实性。参考 Cloudflare 就此的文章：什么是 DNS SPF 记录？。

Secure mail server connection (STARTTLS and DANE)

TLS

简而言之就是对 postfix 进行的设置。/opt/mailcow-dockerized/data/conf/postfix/extra.cf 内容如下

tls_ssl_options = NO_COMPRESSION, 0x40000000
tls_preempt_cipherlist = yes
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_ciphers = high
smtpd_tls_mandatory_ciphers = high
smtpd_tls_exclude_ciphers = EXP, LOW, MEDIUM, aNULL, eNULL, SRP, PSK, kDH, DH, kRSA, DHE, DSS, RC4, DES, IDEA, SEED, ARIA, CAMELLIA, AESCCM8, 3DES, ECDHE-ECDSA-AES256-SHA>
smtpd_tls_eecdh_grade = ultra
smtpd_tls_dh1024_param_file = /opt/mailcow-dockerized/data/assets/ssl/ffdhe4096.pem
smtp_host_lookup = dns
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_ciphers = high
smtp_tls_mandatory_ciphers = high
smtp_tls_exclude_ciphers = EXP, LOW, MEDIUM, aNULL, eNULL, SRP, PSK, kDH, DH, kRSA, DHE, DSS, RC4, DES, IDEA, SEED, ARIA, CAMELLIA, AESCCM8, 3DES, ECDHE-ECDSA-AES256-SHA3>
lmtp_tls_note_starttls_offer = yes
lmtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
lmtp_tls_ciphers = high
lmtp_tls_mandatory_ciphers = high
lmtp_tls_exclude_ciphers = EXP, LOW, MEDIUM, aNULL, eNULL, SRP, PSK, kDH, DH, kRSA, DHE, DSS, RC4, DES, IDEA, SEED, ARIA, CAMELLIA, AESCCM8, 3DES, ECDHE-ECDSA-AES256-SHA3>
lmtp_tls_loglevel = 1
lmtp_tls_session_cache_database = btree:/var/lib/postfix/lmtp_tls_session_cache

对每一项具体内容感兴趣可自行研究。

Certificate

证书相关，mailcow 帮我生成了自签名证书，此处自动解决。

DANE

提示：DNSSEC 为 DANE 设置的前提。

DANE 用于尽可能减少邮件传输时可能的内容窥探。可参考 Hands-on: implementing DANE in Postfix。

启用过程请参考 DANE for SMTP how-to。

懒人版：

需两个数值，自签证书的 DANE SHA-256 hash，和 root certificate 的 DANE SHA-256 hash。

对于 mailcow，自签证书位于 /mailcow-folder/data/assets/ssl/cert.pem；
根因使用 Let’s Encrypt，根证书为 ISRG Root X1，位于 /etc/ssl/certs/ISRG_Root_X1.pem

# openssl x509 -in /opt/mailcow-dockerized/data/assets/ssl/cert.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl sha256
(stdin)= example_output_1
# openssl x509 -in /etc/ssl/certs/ISRG_Root_X1.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl sha256
(stdin)= example_output_2

随后需要在 DNS 中声明这两项结果

_25._tcp.mail.example.com. IN TLSA 3 1 1 example_output_1
_25._tcp.mail.example.com. IN TLSA 2 1 1 example_output_2

数值的具体意义可查看上述参考内容。

Route authorisation (RPKI)

同上，BGP 大佬受我一拜。

网络连接测试

基本就是测试本地是否能连接 IPv6 网络。但从国内连接的效果基本没有意义，如果真的在意不如使用 testipv6.cn。

这么多内容调整完了。问题是：有多少会产生实际影响？

~~当然在于玩的开心~~

- https://eki.moe/posts/full-score-on-internet-nl/ - Eki

Why I'm Transitioning to Static Websites

Sun, 12 Feb 2023 22:24:17 +0800

Eki's Home https://eki.moe/posts/why-im-transitioning-to-static-websites/ -

Note: This does not serve as a guide. It is only a reminder in case I forget this again.

What’s a static website? What are advantages of static websites? Please check this blog from Cloudflare.

I’m not in a position to say how one option is correct and the other option is not. This is only a log for myself.

Initial choice: WordPress

The reasons for which I chose to use WordPress in the beginning is simple:

Easy to follow tutorials
Beginner-friendly editor
Not too bad-looking pages
Abundant choice of themes/plugins

But after using WordPress for a while, I also realized some of its weaknesses:

Performance is much worse than static pages
CVEs appear often
I don’t need most of the functions a dynamic site provides
The editor can be hard to use sometimes

Turning to Hugo

There are a lot of choices for static site generators. I chose Hugo for the following options:

Good performance
Great plugins/themes/documentation
The fact that it uses Markdown for editing

At the same time, I use VSCode and Git for writing and source management, and overall have a wonderful experience.

Although initially I did not have much interest for solutions that require me to use the command line and external editors, after about half an hour of reading the documentation, it turned out to be not too difficult.

I also plan to remake the DN42 pages and other websites to be static where possible, to have a better editing experience.

Common knowledge and commands for Hugo

Source of truth for this part comes from the Hugo Docs

Quickstart

hugo new project quickstart

This command asks hugo to create a folder called quickstart, and generates a project skeleton within that folder. The project skeleton looks like this.

my-project/
├── archetypes/
│   └── default.md
├── assets/
├── content/
├── data/
├── i18n/
├── layouts/
├── static/
├── themes/
└── hugo.toml         <-- project configuration

Depending on your site’s requirements, you might not need some of those folders. After the site is built, the folders public/ and resources/ are also creates as the built files.

Each of the folders contribute to the website’s content or behaviour. For what each folder is used, refer to this docs

Page bundles

Hugo uses a folder structure that bundles images and other resources into Page bundles. Page bundles are content folders that holds index.md or _index.md at their foot. The resources within page bundles are called page resources, and they are only available to the page with which they are bundled.

Content should be organized in a manner that reflects the rendered website. For example, the following structure should work without additional configuration.

.
└── content
    └── about
    |   └── index.md  // <- https://example.org/about/
    ├── posts
    |   ├── firstpost.md   // <- https://example.org/posts/firstpost/
    |   ├── happy
    |   |   └── ness.md  // <- https://example.org/posts/happy/ness/
    |   └── secondpost.md  // <- https://example.org/posts/secondpost/
    └── quote
        ├── first.md       // <- https://example.org/quote/first/
        └── second.md      // <- https://example.org/quote/second/

A more detailed example with page resources could look like this.

content
└── post
    ├── first-post
    │   ├── images
    │   │   ├── a.jpg
    │   │   ├── b.jpg
    │   │   └── c.jpg
    │   ├── index.md (root of page bundle)
    │   ├── latest.html
    │   ├── manual.json
    │   ├── notice.md
    │   ├── office.mp3
    │   ├── pocket.mp4
    │   ├── rating.pdf
    │   └── safety.txt
    └── second-post
        └── index.md (root of page bundle)

Note that the page resources of page first-post are not visible to page second-post.

content/
├── blog/
│   ├── hugo-is-cool/
│   │   ├── images/
│   │   │   ├── funnier-cat.jpg
│   │   │   └── funny-cat.jpg
│   │   ├── cats-info.md
│   │   └── index.md
│   ├── posts/
│   │   ├── post1.md
│   │   └── post2.md
│   ├── 1-landscape.jpg
│   ├── 2-sunset.jpg
│   ├── _index.md
│   ├── content-1.md
│   └── content-2.md
├── 1-logo.png
└── _index.md

This example shows nested page bundles, namely content/_index.md, content/blog/_index.md, and content/blog/hugo-is-cool/index.md. Note that the home page cannot contain other content pages, although other files such as images are allowed.

Hugo only makes sure each content is rendered to the target paths, however the navigation to the contents at each path are up to the website’s author to implement, as well as the theme to decide on its apperance. For example, a blog based theme could list all of its posts at the home page, while a company facing theme probably won’t make each product page visible directly on the root page. Therefore it is important to refer to the theme’s manual and make changes accordingly.

Initializing Git

cd quickstart
git init
git submodule add https://github.com/gohugo-ananke/ananke themes/ananke

Of course, you would use git for source control on your content. Here we can add a theme as a Git submodule, to the path themes/ananke. More about this will be featured on the part, “How to use Git submodules”.

Editing and viewing content

To add a new page to the project’s content, you would use the following command.

hugo new content content/posts/my-first-post.md

Hugo will create the file to the path do designated, from the archetype you chose, which is in this instance posts.

By default the page’s front matter will set the value of draft to true, which will not be published by default.

To start Hugo’s development server, you would run the following command.

hugo server

However, to include draft content, you would run the following command.

hugo server --buildDrafts
hugo server -D

Publishing the project

When you choose to publish your project, Hugo renders all build artifacts to the public directory in the root of your project. This includes the HTML files for every site, along with assets such as images, CSS, and JavaScript. The command to do so is very simple.

hugo

It might be important to remember that Hugo does not clear the public directory before building your project. Existing files are overwritten, but not deleted. This behavior is intentional to prevent the inadvertent removal of files that you may have added to the public directory after the build. Depending on your needs, you may wish to manually clear the contents of the public directory before every build.

Same goes with the resources folder, which is said to By default this cache directory includes CSS and images. Hugo recreates this directory and its content as needed. Therefore in some cases it might be benefitial to remove that folder by hand.

How to use Git submodules

Source of truth to this section should be on the Git handbook

What are submodules?

Sometimes you need to refer to another repository from your own. However, if you simple refer to it by code by pointing to another directory outside of the current repository, you lose the advantages of using Git for version control on that, making updating it when newer upstream sources are available extremely difficult. Therefore, normally it is preferable to hold the code of that repository, within the same Git version controlled environment.

There are a few ways to do that. For example, some programming languages might have builtin package managers that allow importing packages. However, as is the case with Hugo themes, sometimes we do need the raw code at our hands. There is also the problem with simply including the library, which is that it is difficult to customize the library in anyway, or to make sure each time that the library is installed on a target machine.

Git addresses this problem with submodules, which allows the user to keep another Git repository as a subdirectory of a Git repository, while also keeping the commits separate.

Other advantages of using Git submodules also include:

Code safety when an external component is changing too fast, or when upcoming changes will break your project.
When an external component doesn’t change too often, and you want to track it as a dependency.

Hugo modules

Hugo allows the use of external resources as modules through its builtin management feature.

A module is a packaged combination of components which may contain archetypes, assets, content, data, templates, translation tables, and static files. A module may be a theme, a complete project, or a smaller collection of one or more components.

Source: Hugo docs

To put it simply, Hugo provides a way to manage external resources used by Hugo through the hugo mod command, which allows inclusion of external files through a subdirectory in the project folder, a external path on the system’s mountpoint, or even just a link to a Git repository. Importing, updating, caching, removing and other actions are all controlled by Hugo.

I do believe that this is a great tool to get started when other resources are necessary. However, since that this is a function confined to Hugo, the option to use the submodule function of Git, which could also be used in other projects unrelated to Hugo, could be a better option.

Quirks of Git submodules

Although submodules are represented by just another directory on your filesystem, Git sees it as a submodule and doesn’t track its contents when you’re not in that directory. Instead, it sees the directory as a whole, as a certain commit.

Therefore, when you wish to update contents of the submodule, it might not be as straightforward as editing a simple file, as there is a flow that needs to be followed.

Go to the submodule’s directory
Edit the submodule
Commit changes to the submodule
Push the submodule’s changes to remote
Now the parent repository sees a new version to the submodule
Commit changes to the parent repository, and pushto remote

It is important that the editor does not forget to push changes to the submodule to remote, before the parent repository is pushed. This is because Git only tracks the submodule to a commit, and when the parent repository is pushed without the new version of the submodule being available, other users trying to use the repository will fail to do so.

Common commands to use Git submodules

Again, the source of truth is the Git handbook, linked above. This part will only cover some common commands that I will probably use often.

Adding a submodule

To start to use a submodule, you would use the following command.

git submodule add https://link-to-repo

This will result in the repository being cloned, and the .gitmodules file created.

[submodule "submodule-a"]
    path = submodule-a
    url = https://link-to-repo

Note that if you’re using code from another developer, it might be a good idea to fork that repository first. This is because while using submodules, you probably with to edit the files to a certain point, however using the original developer’s repository directly does not allow your changes to be pushed to remote, at least the changes that only apply to yourself.

Cloning a repository with submodules

When cloning a project with a submodule in it, by default the directories that contain the submodules will be created, but not the contents inside those directories. To also clones the submodules, you need to run these commands.

git submodule init # inits local configuration
git submodule update # fetches data from remote

Another way to do this is to pass --recursive-submodules to the git clone command. This has the advantage of being able to recursively fetch data if any of the submodules in your repository has submodules of themselves.

git clone --recursive-submodules https://link-to-repo

Finally, if you have already cloned the repository but forgot to use --recursive-submodules, you can combine git submodule init and git submodule update with the following one liner.

git submodule update --init
git submodule update --init --recursive # if submodules are recursive

Updating upstream changes from submodule remote

One common way to use submodules is to consume its content, but not make any modifications on your own. Thus, it might be necessary to update the submodule from its upstream from time to time.

To check for new work in a submodule, go into its directory and run these commands.

git fetch
git merge origin/master

If you commit at this point then you will lock the submodule into having the new code when other people update.

An easier way to do this exists, if you do not wish to fetch and merge in the subdirectory by hand.

git submodule update --remote
git submodule update --remote submodule_name # when only updating one submodule

- https://eki.moe/posts/why-im-transitioning-to-static-websites/ - Eki

Nginx 禁用源站 IP 对网站的访问

Tue, 27 Dec 2022 23:26:06 +0800

Eki's Home https://eki.moe/posts/block-direct-ip-access-nginx/ -

对于这个问题有三种解决方法：

对于Nginx 1.19.4与更新，使用ssl_reject_handshake；
对于较老版本，使用自签SSL证书；
在server块中用if语句判断。

三种方法对 HTTP, HTTPS 都适用（为什么不呢）。

Update 2023/09/19

Configuration snippets as well as automatic installer script available on my Github

ssl_reject_handshake 方法

安装可用的Nginx版本

首先需要确定安装的是Nginx 1.19.4及以上版本，可使用 `nginx -v 命令查看。

处理此问题时Debian Stable仍在发行1.18.0版本，因此使用Nginx官网源安装新版。参考 Nginx官网安装步骤。

获得 nginx 签名密钥并添加信任

wget https://nginx.org/keys/nginx_signing.key 
apt-key add nginx_signing.key

添加 nginx 源

>/etc/apt/sources.list.d/nginx.conf
deb https://nginx.org/packages/mainline/debian/ bullseye nginx
deb-src https://nginx.org/packages/mainline/debian bullseye nginx

如果需要卸载原有的 nginx 安装

apt purge nginx nginx-common

随后安装并重启 nginx 服务即可。

启用default配置

在 nginx 的配置文件夹中写一个default文件，我选择位于 /etc/nginx/conf.d/default.conf ，根据习惯即可。

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    server_name _;
    return 444;
}

解释：server_name _ 针对一切没有在本机匹配的域名，444响应让Nginx直接不响应内容。

记得启用此配置并刷新Nginx。

针对HTTPS

以上内容只针对HTTP请求有效（也只监听了80端口）。为了对HTTPS请求也生效，增加文件至以下内容：

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    listen 443 default_server;
    listen [::]:443 default_server;
    ssl_reject_handshake on;

    server_name _;
    return 444;
}

这样处理后，HTTPS请求到源站后不会露出证书。 这是我选择的方法。 效果如图，不同浏览器报错不同。

自签SSL证书方法

如果你在较老版本的Nginx上使用了上面的方法，你很有可能会遇到以下报错：

 nginx: [emerg] no "ssl_certificate" is defined for the "listen ... ssl" directive

如果你又不想更新Nginx，则可以使用自签SSL证书方法。

获得空白SSL证书

可以使用以下命令获得 ssl_certificate 和 ssl_certificate_key

 openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout default.key -out default.crt -subj '/CN='

这样会直接把 default.key 和 default.crt 输出在当前目录下。

更新Nginx配置

随后可以把 Nginx 的 default 配置改为如下：

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    
    listen 443 default_server;
    listen [::]:443 default_server;

    ssl_certificate /etc/nginx/ssl/default.crt;
    ssl_certificate_key /etc/nginx/ssl/default.key;

    server_name _;
    return 444;
}

重载配置后再次通过IP访问应该不会得到结果。

IF语句判断方法

对于某个域名的配置，写入以下内容：

server {
    listen 443 default_server;
    listen [::]:443 default_server;

    if ($host != eki.moe) {
            return 444;
    }

    server_name eki.moe;

...剩余内容

判断语句可以搭配正则表达式。但这种方法缺点太多了：

工作量大；
容易出错；
难以扩展；
上面两种方法好太多了。

本文参考

- https://eki.moe/posts/block-direct-ip-access-nginx/ - Eki