Joeseph - BGP / Vultr Followup
- Hi Alan, Kris and JT,
- Thank you for reading and responding to my last email about BGP and the TCP_SIGNATURE kernel option in Episode 175; this is a follow-up. Vultr's BGP system requires TCP MD5. For most things they offer good support and instructions for FreeBSD, but for BGP they only provide instructions for Linux. Maybe if I get this working I can write something up for FreeBSD and submit it to them. They do community docs like DigitalOcean. I resorted to compiling a custom kernel, which, as you said, isn't all that hard. The main trouble is that it complicates updating the system. At first I tried compiling it on one of my test machines, but with only 768MB of RAM it died before the kernel finished compiling. Since I have a server at home with 32GB of RAM, I ended up compiling it there instead. I'm using puppet to distribute the custom kernel files by dropping the files in a folder and having a puppet module copy them to /boot/bgp_kernel. My puppet master runs out of a jail on my home server. This isn't the best way to get the job done, but it was quick and easy to set up. To actually update the kernel I have to copy the contents of /boot/bgp_kernel to /boot/kernel, but this is fine; I don't want puppet automatically updating my kernel.
- Once I had a working kernel I ran into another problem: turning on bird6 (the IPv6 bird daemon) would immediately kernel panic the VM. It turns out a bug got introduced which failed to initialize a data structure for IPv6 in sys/netinet/tcp_subr.c (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=214169). So far the fix is in current and stable/11, but it's not in the releng/11.0 branch yet. Since I want to stick to the releng branch, I just added the one-line fix to the tcp_subr.c file on the releng branch, and I wrote a script to handle doing svn update, copying my file in place and compiling, that can run on a cron job. It checks the MD5 of the file so it can email if the copy in svn gets updated, so I'll know to check for the fix to be in svn.
- I think I figured out why this option is turned off by default. It's dependent on IPSEC, which was off by default before FreeBSD 11 because it had such a performance penalty, even if you didn't use IPSEC. It could probably be enabled by default now, but since so few people use it, it was probably overlooked. What would be the best way for me to request that it be turned on in the generic kernel? If 11.1 includes it in the generic kernel, I will be able to use freebsd-update again. Should I post to a particular mailing list, file a bug report, do both, or do something else?
- I really love FreeBSD and wish it were used more. I'm currently looking for a new job in the Boston area, and I'd love to work with FreeBSD, but I haven't been able to find any sysadmin/devops jobs looking for FreeBSD people; it's all Linux. The few job postings I've found that list FreeBSD include it with Unix and Linux, and it doesn't seem like these places actually use FreeBSD.
- Thanks again for the awesome show and indulging my long emails with questions about obscure functionality.
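The "check the MD5 of the patched file before overwriting it" step that Joseph describes is the part of his workflow most worth getting right: if the upstream tcp_subr.c changes (for example because the fix for bug 214169 is merged), blindly copying the local one-line patch over it would silently discard the upstream change. The script below is an added example, not Joseph's own script or anything from the FreeBSD project. It assumes the hash is taken from a pristine checkout (svn revert followed by svn update, which the example does not run), that either FreeBSD's md5(1) or GNU md5sum(1) is available, and it uses constructed temporary files in place of a real src tree.

```shell
#!/bin/sh
# Added example (not from the original email): refuse to overwrite an upstream
# source file with a locally patched copy once upstream has changed since the
# patch was made. Paths, hashes and sample files below are constructed.

set -u

# Portable MD5 of one file: FreeBSD ships md5(1), most Linux systems md5sum(1).
file_md5() {
    if command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        md5sum "$1" | cut -d' ' -f1
    fi
}

# check_upstream UPSTREAM_FILE KNOWN_MD5
# Exit status: 0 = upstream still matches the hash the patch was made against,
#              1 = upstream changed (time to check whether the fix landed),
#              2 = upstream file is missing.
check_upstream() {
    upstream=$1
    known=$2
    [ -f "$upstream" ] || return 2
    current=$(file_md5 "$upstream")
    [ "$current" = "$known" ] && return 0
    return 1
}

# apply_patched PATCHED_FILE UPSTREAM_FILE KNOWN_MD5
# Copies the locally patched file over the checkout only when upstream is
# unchanged; otherwise leaves the checkout alone and prints a line to stderr
# that a cron job would deliver by mail. Exit status 0 on install, 1 otherwise.
apply_patched() {
    patched=$1
    upstream=$2
    known=$3
    if check_upstream "$upstream" "$known"; then
        cp "$patched" "$upstream"
        echo "installed patched copy over $upstream"
        return 0
    fi
    echo "UPSTREAM CHANGED: $upstream no longer matches $known; check whether the fix landed" >&2
    return 1
}

# Demo with constructed files in a temp dir standing in for the svn checkout.
demo() {
    tmp=$(mktemp -d)
    printf 'upstream v1\n' > "$tmp/tcp_subr.c"
    printf 'upstream v1 + local fix\n' > "$tmp/tcp_subr.c.patched"
    known=$(file_md5 "$tmp/tcp_subr.c")      # hash recorded when the patch was made

    # First run: upstream unchanged, patch is installed.
    apply_patched "$tmp/tcp_subr.c.patched" "$tmp/tcp_subr.c" "$known"

    # Simulate svn update bringing in a new upstream revision.
    printf 'upstream v2\n' > "$tmp/tcp_subr.c"

    # Second run: hash mismatch, nothing is overwritten and a warning is printed.
    apply_patched "$tmp/tcp_subr.c.patched" "$tmp/tcp_subr.c" "$known" || true

    rm -rf "$tmp"
}

demo
```

In a cron job the two interesting outcomes are the non-zero exit status and the stderr line; cron mails stderr to the job owner by default, which gives the "email me when the svn copy changes" behaviour without any extra mail plumbing. Recording the hash of the pristine upstream file, not the patched one, is what makes the check meaningful.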