There are many articles on mounting sshfs using autofs, but most of them use an "empty" passphrase. I came up with a way to enable a passphrase. Here is a memo for myself in the future.
He is thawed out now.
Saturday, December 7, 2019
Saturday, February 9, 2019
Building ROCm on Gentoo
ROCm is a platform to utilize AMD GPUs for computing. Most of the components are open source. HIP, which is a part of ROCm, allows compiling CUDA source.
Tuesday, June 12, 2018
A note on configuring the In-Wall WiFi Access Point WAP-102S
I purchased 5 In-Wall access points WAP-102S from PG-Direct. As of today, it is only 680JPY. I bought it for 980JPY :-(
According to the article, the AP does not offer any setting GUI. It only works as a WiFi router; it cannot be an access point. But the catalogue says it is configurable.
After I tried, I could configure it as an AP.
Tuesday, July 4, 2017
DDNS Site-to-Site IPsec VPN by Ubiquiti Networks EdgeRouter ER-X
I've been using the ER-X from Ubiquiti Networks for more than half a year. It is covered with a metal chassis and its functionality is as solid as it looks, though it is cheaper than $50. One is used in my house and the other is used in my parents' house.
Now it is time to establish a site-to-site IPsec VPN. Google says that site-to-site IPsec with DDNS is troublesome.
To be honest, I have 3 more ER-X for trying this site-to-site VPN without breaking the existing internet connection, so I have 5 ER-X in total 😀. The ER-X on the left of the picture emulates the ISP and the internet; it offers PPPoE service and DNS. The two ER-X on the right correspond to the routers in my home and my parents' home. After this experiment, some will be sent to my brothers.
As far as I studied from many posts, using a pre-shared key (PSK) with DDNS is the source of trouble. Using PSK is only good when an IP address is used to specify the remote site.
When one needs to establish a site-to-site VPN and both sides use DDNS, RSA or x509 looks promising.
The post on the Ubiquiti forum looks attractive to me, but the post uses VTI and the setting itself was not sufficient for my case.
Here is what I found and what is working on my test bench. Note that the firmware version is 1.9.1.1.
site0 local network:192.168.20.0/24, DDNS of WAN:site0.example.net
site1 local network:192.168.30.0/24, DDNS of WAN:site1.example.net
Preparing an RSA key on both sides
In the CLI of both sites, run the following command to generate an RSA key. You need to copy the SOME_VERY_LONG_STRING to your local text file.
ubnt@site0:~$ generate vpn rsa-key bits 4096
Generating rsa-key to /config/ipsec.d/rsa-keys/localhost.key
Your new local RSA key has been generated
The public portion of the key is:
SOME_VERY_LONG_STRING
Register the public key of the counterpart
On site0,
configure
set vpn rsa-keys local-key file /config/ipsec.d/rsa-keys/localhost.key
set vpn rsa-keys rsa-key-name site1 rsa-key SOME_VERY_LONG_STRING_SHOWN_IN_SITE1
commit
On site1,
configure
set vpn rsa-keys local-key file /config/ipsec.d/rsa-keys/localhost.key
set vpn rsa-keys rsa-key-name site0 rsa-key SOME_VERY_LONG_STRING_SHOWN_IN_SITE0
commit
Open Firewall for remote site
Surprisingly, packets from the remote site come in via pppoe0 (or whatever interface you use to connect to the internet). Usually the interface used for the internet connection has the strictest rules, so a rule to accept such packets is necessary. (configure, commit, and save are omitted in the following lists.)
On site0,
set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 description FromSite1
set firewall name WAN_LOCAL rule 60 destination address 192.168.20.0/24
set firewall name WAN_LOCAL rule 60 log disable
set firewall name WAN_LOCAL rule 60 protocol all
set firewall name WAN_LOCAL rule 60 source address 192.168.30.0/24
On site1,
set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 description FromSite0
set firewall name WAN_LOCAL rule 60 destination address 192.168.30.0/24
set firewall name WAN_LOCAL rule 60 log disable
set firewall name WAN_LOCAL rule 60 protocol all
set firewall name WAN_LOCAL rule 60 source address 192.168.20.0/24
Note that "WAN_LOCAL" and "rule 60" depend on your configuration, so adding the rule via the GUI is much easier.
Configure other VPN settings
On site0,
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec esp-group FOO0 compression disable
set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 mode tunnel
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
set vpn ipsec ike-group FOO0 ikev2-reauth no
set vpn ipsec ike-group FOO0 key-exchange ikev1
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
set vpn ipsec site-to-site peer site1.example.com authentication id site0
set vpn ipsec site-to-site peer site1.example.com authentication mode rsa
set vpn ipsec site-to-site peer site1.example.com authentication remote-id site1
set vpn ipsec site-to-site peer site1.example.com authentication rsa-key-name site1
set vpn ipsec site-to-site peer site1.example.com connection-type initiate
set vpn ipsec site-to-site peer site1.example.com description ToSite1
set vpn ipsec site-to-site peer site1.example.com ike-group FOO0
set vpn ipsec site-to-site peer site1.example.com ikev2-reauth inherit
set vpn ipsec site-to-site peer site1.example.com local-address any
set vpn ipsec site-to-site peer site1.example.com tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer site1.example.com tunnel 1 allow-public-networks disable
set vpn ipsec site-to-site peer site1.example.com tunnel 1 esp-group FOO0
set vpn ipsec site-to-site peer site1.example.com tunnel 1 local prefix 192.168.20.0/24
set vpn ipsec site-to-site peer site1.example.com tunnel 1 remote prefix 192.168.30.0/24
On site1,
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec esp-group FOO0 compression disable
set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 mode tunnel
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
set vpn ipsec ike-group FOO0 ikev2-reauth no
set vpn ipsec ike-group FOO0 key-exchange ikev1
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
set vpn ipsec site-to-site peer site0.example.com authentication id site1
set vpn ipsec site-to-site peer site0.example.com authentication mode rsa
set vpn ipsec site-to-site peer site0.example.com authentication remote-id site0
set vpn ipsec site-to-site peer site0.example.com authentication rsa-key-name site0
set vpn ipsec site-to-site peer site0.example.com connection-type initiate
set vpn ipsec site-to-site peer site0.example.com description ToSite0
set vpn ipsec site-to-site peer site0.example.com ike-group FOO0
set vpn ipsec site-to-site peer site0.example.com ikev2-reauth inherit
set vpn ipsec site-to-site peer site0.example.com local-address any
set vpn ipsec site-to-site peer site0.example.com tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer site0.example.com tunnel 1 allow-public-networks disable
set vpn ipsec site-to-site peer site0.example.com tunnel 1 esp-group FOO0
set vpn ipsec site-to-site peer site0.example.com tunnel 1 local prefix 192.168.30.0/24
set vpn ipsec site-to-site peer site0.example.com tunnel 1 remote prefix 192.168.20.0/24
The settings in brown are what I found necessary for the sites to connect to each other.
Good luck!
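Most failures with a setup like the one above come from the two sides not being exact mirrors of each other. The following check is an added example, not part of the original post: it parses both sides' `set` commands and reports IKE/ESP mismatches, IDs or prefixes that are not swapped, and an `rsa-key-name` that was never registered. It assumes one peer per site and the same group names on both sides, as in the post; the function names and the sample input are constructed for illustration.

```python
import re

def parse(text):
    """Map each EdgeOS 'set' path to its last token (the value)."""
    cfg = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "set":
            cfg[" ".join(parts[1:-1])] = parts[-1]
    return cfg

def peer_view(cfg):
    """Settings of the site-to-site peer, keyed without the peer hostname."""
    pat = re.compile(r"vpn ipsec site-to-site peer \S+ (.+)")
    return {m.group(1): v for k, v in cfg.items() if (m := pat.match(k))}

def mirror_errors(a_text, b_text):
    """Return a list of reasons why the two ends cannot form the tunnel."""
    a, b = parse(a_text), parse(b_text)
    pa, pb, errs = peer_view(a), peer_view(b), []
    # IKE and ESP group settings must be identical on both ends
    # (assumes both ends use the same group names, as the post does).
    for path in sorted(set(a) | set(b)):
        if re.match(r"vpn ipsec (ike|esp)-group ", path) and a.get(path) != b.get(path):
            errs.append(f"mismatch: {path}: {a.get(path)} vs {b.get(path)}")
    # IDs and prefixes must be swapped: my local value is the peer's remote value.
    swapped = [("authentication id", "authentication remote-id"),
               ("tunnel 1 local prefix", "tunnel 1 remote prefix")]
    for mine, theirs in swapped:
        for p, q in ((pa, pb), (pb, pa)):
            if p.get(mine) != q.get(theirs):
                errs.append(f"not mirrored: {mine}={p.get(mine)} vs {theirs}={q.get(theirs)}")
    # The rsa-key-name a peer refers to must be registered under 'vpn rsa-keys'.
    for cfg, p in ((a, pa), (b, pb)):
        name = p.get("authentication rsa-key-name")
        if f"vpn rsa-keys rsa-key-name {name} rsa-key" not in cfg:
            errs.append(f"unregistered key: {name}")
    return errs

def sample(me, peer, local, remote):
    """Constructed input: a subset of the post's commands for one site."""
    p = f"set vpn ipsec site-to-site peer {peer}.example.com"
    return "\n".join([
        "set vpn ipsec ike-group FOO0 proposal 1 dh-group 14",
        "set vpn ipsec esp-group FOO0 proposal 1 encryption aes128",
        f"set vpn rsa-keys rsa-key-name {peer} rsa-key PLACEHOLDER_PUBLIC_KEY",
        f"{p} authentication id {me}", f"{p} authentication remote-id {peer}",
        f"{p} authentication rsa-key-name {peer}",
        f"{p} tunnel 1 local prefix {local}", f"{p} tunnel 1 remote prefix {remote}"])
SITE0 = sample("site0", "site1", "192.168.20.0/24", "192.168.30.0/24")
SITE1 = sample("site1", "site0", "192.168.30.0/24", "192.168.20.0/24")
```

Paste the full command lists of each router into `mirror_errors()` in place of the constructed samples; an empty list means the two ends agree.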
Sunday, July 2, 2017
DNS Hosting and DDNS of changeip.com
Recently I registered a domain and want to use it for Dynamic DNS.
I googled for DDNS services which allow using my own domain.
Some services cost more than $10 / month, which seems to be for business purposes.
I found ChangeIP offers DNS hosting for $9 / year and DDNS for $6 / year, which is the cheapest service I could find for using my own domain.
I hit trouble: my domain was not shown on their web control panel even after I paid the fee and delegated authority to the DNS servers of changeip.com.
I asked via their support ticket; they answered promptly and fixed my problem.
Of course no issue is better, but still, quick and correct support is impressive.
Overall
I'm satisfied with the service. I hope more people use the service, so that their business succeeds and I can keep using the service at a good price 😄
Pros:
- Competitive price ($9/year for DNS hosting and $6/year for DDNS of the domain)
- Rapid DDNS update (TTL is 30sec which I've never seen in free DDNS services)
- Quick support
- Useful knowledge base
Cons:
- A wizard or easy tutorial for initial setting does not exist
- The knowledge base is good, but a standard manual would be helpful.
Monday, September 19, 2016
RISC-V on JCPU
RISC-V has been attracting attention from users recently, especially after the acquisition of ARM by Softbank.
The specification of RISC-V is well documented. I found its ISA is very simple and suitable for high-performance microarchitecture; no flag is necessary for conditional branches.
I saw "Hello world" of RISC-V on JCPU within a day! Although only user-mode 32-bit integer instructions are implemented, I don't see any difficulty in supporting further instructions.
The biggest hurdle I'm struggling with is upgrading LLVM. After LLVM-3.6, OldJIT is removed and only MCJIT is available. MCJIT does not allow adding a function to a module once the module is translated. It is crucial for my use. I need to build a module for each code block of the target program.
The change takes time, which is not available for me ;-)
While writing a test bench for RISC-V, I found a very easy-to-use ELF loading library, ELFIO. It really is handy because it is header-only and written in C++.
Monday, November 17, 2014
When zpool create command fails
When you try to create a pool on a whole disk rather than a partition, the zpool command automatically creates a partition.
But sometimes the command fails and emits the following error message.
the kernel failed to rescan the partition table: 16
cannot label 'sdc': try using parted(8) and then provide a specific slice: -1
As described in the ArchWiki, that is because udev fails to create the device file within 1 second.
The ArchWiki proposes slowing down the disk with parallel reads.
I found another way which is much more stable.
The strace command traps syscalls and dumps their parameters to stderr.
The cstream command lets you limit throughput.
So limiting the stderr with cstream slows down zpool.
strace zpool create tank /dev/sda /dev/sdb |& cstream -b 64 -t 2048
If the command is too slow, then increase the throughput to 8K or 16K.