Setting up a compute node

In this article I will go through the setting up of a compute node in the cluster from configuring it on the network, adding storage on the NAS and configuring docker.

Although these instructions are for the Raspberry PI, they are also used for other node types

Continue reading “Setting up a compute node”

Centralizing Certificate Management of LetsEncrypt with a Raspberry PI

Lets Encrypt is a new Certificate Authority (CA), run for the public’s benefit by the Internet Security Research Group (ISRG). At the time of writing it’s currently in Beta and is due to go public in December 2015.

Update: Lets Encrypt went into public -beta on December 3 2015. I have updated this article with the minor change needed to work with the live servers.

Now in the default mode, the standard Lets Encrypt client (it’s not the only one) can manage this automatically – however it’s not ideal if you have more than one server.

What I describe here is how to centralize managing certificate registration (& later renewal) on a central machine. When a certificate is then registered or renewed we can then copy the certs to the remote servers.

Continue reading “Centralizing Certificate Management of LetsEncrypt with a Raspberry PI”

Getting IPv6 working on the UK Mobile Network

One problem with mobile data here in the UK is that everything is NATed to death. Most consumer mobile data connections do not support static IP‘s and those that do are expensive. Also, the UK is lagging behind most of the world in providing access to the IPv6 internet. It’s not that IPv6 is new either, it’s been around for 10 years but no, here in the UK they want to try not fork out the cash to replace older kit that can only handle IPv4 & it’s not exactly rocket science either.

Ok, my home network is IPv6 enabled. I have a /64 subnet routed to home out of my /48 allocation at my ISP (they support IPv6 natively). If you don’t know what this is don’t worry – l this means is that on the IPv6 internet I actually have more static IP’s on my home network than the old legacy internet put together. In fact the legacy has about 4 billion & I have 1.8*1019. Now you see the main selling point of IPv6 – there’s room for every single device that’s networkable to have just one IP address and be accessible from anywhere – obviously behind a firewall.

Anyhow, the problem I had to solve was this: I’ve got a fair few machines on my network and at times I need to be able to ssh into them remotely. Currently I can do this by either ssh into my firewall by it’s IPv4 address and then onto the internal machine or I could setup a VPN – but why should I when I’m fully IPv6 enabled?

Setting up a Tunnel Broker

Well there is a way. When native IPv6 isn’t available, one option is to use a tunnel broker. A broker sets up a tunnel between your device and an endpoint at the broker. IPv6 is then encapsulated in an IPv4 packet, sent through the tunnel to the broker, then sent out from there as IPv6. Now there are plenty out there like Hurricane Electric and SixXS but as I need to use this on a 3G device they won’t work as they require a static IPv4 address and we don’t have that – we’re behind a NAT, so the only available option is Gogo6 (which owns Freenet6). They are also a broker but they support NAT traversal which is what we need.

So, on my Linux Mint laptop it’s a simple case of installing the Gogo6 client:

sudo apt-get install gogoc
sudo /etc/init.d/gogoc stop
sudo /etc/rc5.d/S20gogoc

Now you might wonder why we stop then delete a file after installation. This is because when it installs it starts the service and we don’t want it running just yet. Also the rc5.d file means it starts on boot which we don’t want – we want to use this on 3G remember.

As it stands that’s all there is to do – by default it’s configured to use an anonymous account so the next time you’re on 3G you simply:

sudo /etc/init.d/gogoc start

and you’ll find you are now on the IPv6 internet. When you go offline just stop gogoc:

sudo /etc/init.d/gogoc stop

Getting a more permanent static IPv6 address

With an anonymous connection you’ll get an IP address out of a pool but if you want a static address you’ll need to register an account and edit /etc/gogoc/gogoc.conf

In that file:

  1. edit the lines with userid= and passwd= with you’re account’s username and password.
  2. The line server= needs to be their endpoint. Here you register against a specific one, so as I used amsterdam set this to
  3. Finally change the auth_method= line from anonymous to one of the other methods listed just above that line.

Now that last step might take some work to get working. any should always work but it risks sending your password in the clear but you might want to play with that later.

That’s it. When you start gogoc you’ll get a new IP address which will be permanent. You’ll also get a dns entry setup as well, so now you can get into your laptop.

Tunneling an entire network

There is a final option available but out of scope here, and thats connecting an entire network to the tunnel. Thats simply a case of changing the host_type= line from host to router. Then you’re local network will get an IPv6 address with your laptop as the router.

How well does it work

Well I’ve tested it on T-Mobile UK and it works pretty well. I can access my home servers directly and as I use the non-anonymous option I can actually ssh from home to the laptop via it’s 3G connection.

I’ve even tried setting up a proxy on an Apache server which is accessible from the legacy IPv4 internet and it connects to the laptop’s Apache server fine – although sluggish but remember this is over 3G.

At some point I’ll try it on other operators (I also use GiffGaff & 3).

Next I need to figure out how to get this working on Android so that I can get my Nexus 4 & Nexus 7 3G online – both supports IPv6 when on the WiFi at home, just would be nice when out and about.