Unifi controller with a real cert

I finally got sick of seeing a certificate error when connecting to my Ubuiquiti Unifi WiFi controller.

There are a bunch of shitty howtos describing how to install a cert, and one good one. But in order to make it more copy-paste for future me when the certificate needs renewing, and because the paths are not quite the same since I run the controller in a Docker container on a raspberry pi, here are the commands (after copying fullchain.pem and privkey.pem into the stateful data dir):

host$ docker ps  # make note of the docker ID
host$ docker exec ID_HERE -ti bash
docker$ openssl pkcs12 \
        -export \
        -inkey privkey.pem \
        -in fullchain.pem \
        -out cert.p12 \
        -name unifi \
        -password pass:secret
docker$ keytool \
        -importkeystore \
        -deststorepass aircontrolenterprise \
        -destkeypass aircontrolenterprise \
        -destkeystore /usr/lib/unifi/data/keystore \
        -srckeystore cert.p12 \
        -srcstorepass secret \
        -alias unifi \
        -noprompt
docker$ exit
host$ docker stop ID_HERE
host$ docker start ID_HERE

I’m mostly happy with the Ubiquiti access points. I have an AP-AC-LR and an AP-M. My complaints are:

  • When I reported a bug about access to SSH on non-management interfaces, they responded by turning off management over IPv6 Continue reading

5G services: Another FCC auction to jumpstart carrier deployments

The Federal Communications Commission plans yet another auction of radio-frequency spectrum suitable for delivering 5G services and continues to scrutinize the security of 5G infrastructure made in China, both of which will affect how quickly 5G services are deployed. 5G resources What is 5G? Fast wireless technology for enterprises and phones How 5G frequency affects range and speed Private 5G can solve some problems that Wi-Fi can’t Private 5G keeps Whirlpool driverless vehicles rolling 5G can make for cost-effective private backhaul CBRS can bring private 5G to enterprises The commission says it will seek bids on licensing another 100MHz swath of RF spectrum in the 3.4GHz mid-band range, which lies close to the C-band frequencies that were auctioned off late last year, and will impose stiff build-out requirements on winning bidders in order to get 5G infrastructure up and running quickly.To read this article in full, please click here

Buying Used Cisco Gear From eBay For Your Lab

While most of the lab work I do is with virtualized networking gear, once in a while, I need actual hardware. For instance, to fully explore QoS, hardware is key. Many QoS commands won’t be available to you in a virtual network device.

eBay offers lots of older networking gear for pennies or even fractions of a penny of what the gear was worth new. Why so cheap? Mostly, older networking gear is too slow for modern LANs and WANs. That’s a win for learners who don’t care about the speed as long as they can still use the old box to learn the fundamentals of routing and switching.

There are caveats to eBay networking gear, though, not unlike buying a used car. Know what you’re getting into.

You’re buying someone else’s junk.

Why is it junk? It could be the gear aged out, but still works fine. It could be that the gear broke, but you’ll be able to fix it. It could be that the gear broke, and you won’t be able to fix it. Sometimes, folks who move out of a data center sell pallets of retired gear by weight to whoever will take it just because Continue reading

Transit delay and queueing


The recently finalized sFlow Transit Delay Structures extension provides visibility into the performance of packet forwarding in a switch or router using the industry standard sFlow protocol.

The diagram provides a logical representation of packet forwarding. A packet is received at an Ingress Port, the packet header is examined and a forwarding decision is made to add the packet to one of the queues associated with an Egress Port, finally the packet is removed from the queue and sent out the Egress Port to be received by the next device in the chain.

The time between sending and receiving a packet is the packet's transit delay. The transit delay is affected by the time it takes to make the forwarding decision and the time the packet spends in the queue. Identifying the specific queue selected and the number of bytes already in the queue fills out the set of performance metrics for the forwarding decision. The sFlow Transit Delay Structures extension adds these performance metrics to the metadata associated with each packet sample. 

The following output from sflowtool shows that data contained in a packet sample:

startSample ----------------------
sampleType_tag 0:1
sampleType FLOWSAMPLE
sampleSequenceNo 91159
sourceId 0:2216
meanSkipCount  Continue reading

VNC Cannot Currently Show the Desktop

I have a Dell Latitude E5440 laptop which most of the time I run headless in a 3D-printed stand next to its slightly bigger brother, a Dell E6500 or similar.

The laptops don’t take up much space on my desk in this vertical configuration (which is helpful as I have four laptops on my desk) and I use VNC to remote into them when I need to work on a Windows system. My main system is an Apple MacBook Pro, and I have that in a similar vertical dock with two 27″ monitors, a bluetooth keyboard and touchpad, and a USB-C port expander/charger. By using VNC I can keep using the peripherals I like and quickly switch between systems while sharing copy/paste buffers as well, which is pretty much perfect.

There’s one nagging little problem though, that I can’t get around. When I access the E5440 using RealVNC, it is slow to show the screen when initially connecting and every time there is a Windows UAC prompt I have to wait about five seconds or so while staring at a black screen which says “Cannot currently show the desktop”.

This is somewhat annoying and after digging around a bit I Continue reading

Stuff The Internet Says On Scalability For March 17th, 2021

Hey, HighScalability is here again!

 

Reverse engineering an ancient analog computer is a detective story worth reading. A Model of the Cosmos in the ancient Greek Antikythera Mechanism.

 

Do you love this Stuff? Without your encouragement on Patreon this Stuff won't stuffin’ stuff. 

 

Know someone who needs to know the cloud? I wrote Explain the Cloud Like I'm 10 just for them. On Amazon it has 262 mostly 5 star reviews. Here's a review that is not on the block chain:

Number Stuff:

Don't miss all that the Internet has to say on Scalability, click below and become eventually consistent with all scalability knowledge (which means this post has many more items to read so please keep on reading)...

Libraries Are Bridging the Digital Divide

Libraries and Community Networks are teaming up and discovering new ways to connect the unconnected

When the COVID-19 pandemic hit in early 2020, libraries across the world shut down their buildings to limit transmission of the virus. What did not shut down were the crucial services they provided. Instead, librarians stepped up and zeroed in on their passion to serve the public, acting as first responders and amplifying their steadfast commitment to ensure people have access to public information.

A year into this pandemic, Internet access is crucial. So many people need to be online for everything from school and work to getting updates about vaccinations. But lifesaving lockdown measures are presenting challenges to the ways many of us have been able to access the Internet in public spaces.

As COVID-19 exacerbates issues associated with lack of Internet access, libraries are playing even more of a key role in getting local communities online. This has happened in multiple creative ways, from turning bookmobile vans into roaming hot spots delivering Wi-Fi throughout the community, to extending library Wi-Fi access into the parking lot and beyond.

Libraries have a long history of working closely with community networks to provide affordable Internet access Continue reading

Honeypods: Applying a Traditional Blue Team Technique to Kubernetes

The use of honeypots in an IT network is a well-known technique to detect bad actors within your network and gain insight into what they are doing. By exposing simulated or intentionally vulnerable applications in your network and monitoring for access, they act as a canary to notify the blue team of the intrusion and stall the attacker’s progress from reaching actual sensitive applications and data. Once the blue team is aware of the situation, the attack can be traced back to the initial vector. The attack can then be contained and removed from the network.

Applying this technique into a Kubernetes environment works exceedingly well because of the declarative nature of applying manifests to deploy workloads. Whether the cluster is standalone or part of a complex pipeline, workload communications are defined by the application’s code. Any communication that’s not defined can be deemed suspicious at minimum and indicate that the source resource may have been compromised. By introducing fake workloads and services around production workloads, when a workload is compromised, the attacker cannot differentiate between other real and fake workloads. The asymmetric knowledge between the attacker and the cluster operator makes it easy to detect lateral movements from compromised Continue reading

Docker and CNCF Join Forces for “Container Garage” Event Series

At Docker, we’re constantly trying to engage and connect with developer communities around the world to explore ways we can cross pollinate ideas, share, and learn from each other. Today, we’re thrilled to announce that Docker and the CNCF are joining forces to run a community-led event series called “Container Garage”, covering all things containers and focusing on a particular theme each time (eg. “runtime”, “images”, “security” etc…). The aim of the event is to engage our respective communities and foster closer collaboration.

To this end Docker Captains and CNCF Ambassadors are taking the lead with the planning and execution of the event, working in lock-step to curate excellent content and recruit amazing speakers for engaging talks, demos, and live panels.

The kick-off event will be on Thursday April 1st around the theme of container runtimes. The agenda is structured as follows: 

2pm – 4pm CET : Talks & Demos

4pm – 4:15 CET : Break

4:15pm – 5pm CET : Live panel discussion

5pm – 5:15 : Break

5pm – 7pm CET : Talks & Demos 

Again, the first event will be held on April 1st on the topic of container runtimes.

You can register for free Continue reading

File systems and UUIDs on Linux

The /etc/fstab file is a very important file on Linux systems. It contains information that allows the system to connect to disk partitions and determine where they should be mounted in the file system. While this file has played an important role over the years, its format has changed with the introduction of UUIDs and, on some systems, a more reliable file-system type.Here's an example of an /etc/fstab file on a Fedora system:$ cat /etc/fstab # # /etc/fstab # Created by anaconda on Fri Mar 12 12:26:55 2021 # # Accessible filesystems, by reference, are maintained under '/dev/disk/'. # See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info. # # After editing this file, run 'systemctl daemon-reload' to update systemd # units generated from this file. # UUID=a9e33237-9114-44ae-afd5-8ddb231d301f / btrfs subvol=root 0 0 UUID=15f42905-5897-4804-9c51-e6d5e169e6c2 /boot ext4 defaults 1 2 #UUID=a9e33237-9114-44ae-afd5-8ddb231d301f /home btrfs subvol=home 0 0 UUID=d867ced1-8d81-47c6-b299-3365ba8a02de /home ext4 defaults How to loop forever in bash on Linux Each line in the file (other than the comments) represents a file system and has six fields.To read this article in full, please click here

AMD launches third generation Epyc server processors

AMD has taken the wraps off the third generation of Epyc server processors, codenamed Milan, just 18 months after launching the Rome generation. Formally named Epyc 7003, the new generation sports a new Zen 3 core with a number of performance bumps.The Zen 3 core has been on the market for a while in desktop form as AMD’s Ryzen 5000 series, a line that has proven very hard to find due to a supply shortage and high demand. Because of its performance, the 5000 series is insanely popular with gamers.Cisco uses new AMD Milan processor to grow its UCS server family Like the Zen 2/Rome/Epyc 7002 line, the new Milan is built on a 7nm manufacturing process and is socket-compatible with the prior two generations of servers, so you can give your servers a processor upgrade without having to replace the whole thing. All you need is a BIOS upgrade from the motherboard maker.To read this article in full, please click here

File systems and UUIDs on Linux

The /etc/fstab file is a very important file on Linux systems. It contains information that allows the system to connect to disk partitions and determine where they should be mounted in the file system. While this file has played an important role over the years, its format has changed with the introduction of UUIDs and, on some systems, a more reliable file-system type.Here's an example of an /etc/fstab file on a Fedora system:$ cat /etc/fstab # # /etc/fstab # Created by anaconda on Fri Mar 12 12:26:55 2021 # # Accessible filesystems, by reference, are maintained under '/dev/disk/'. # See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info. # # After editing this file, run 'systemctl daemon-reload' to update systemd # units generated from this file. # UUID=a9e33237-9114-44ae-afd5-8ddb231d301f / btrfs subvol=root 0 0 UUID=15f42905-5897-4804-9c51-e6d5e169e6c2 /boot ext4 defaults 1 2 #UUID=a9e33237-9114-44ae-afd5-8ddb231d301f /home btrfs subvol=home 0 0 UUID=d867ced1-8d81-47c6-b299-3365ba8a02de /home ext4 defaults How to loop forever in bash on Linux Each line in the file (other than the comments) represents a file system and has six fields.To read this article in full, please click here

AMD launches third generation Epyc server processors

AMD has taken the wraps off the third generation of Epyc server processors, codenamed Milan, just 18 months after launching the Rome generation. Formally named Epyc 7003, the new generation sports a new Zen 3 core with a number of performance bumps.The Zen 3 core has been on the market for a while in desktop form as AMD’s Ryzen 5000 series, a line that has proven very hard to find due to a supply shortage and high demand. Because of its performance, the 5000 series is insanely popular with gamers.Cisco uses new AMD Milan processor to grow its UCS server family Like the Zen 2/Rome/Epyc 7002 line, the new Milan is built on a 7nm manufacturing process and is socket-compatible with the prior two generations of servers, so you can give your servers a processor upgrade without having to replace the whole thing. All you need is a BIOS upgrade from the motherboard maker.To read this article in full, please click here

Repost: Using MP-TCP to Utilize Unequal Links

In the Does Unequal-Cost Multipathing Make Sense blog post I wrote (paraphrased):

The trick to successful utilization of unequal uplinks is to use them wisely […] It’s how multipath TCP (MP-TCP) could be used for latency-critical applications like Siri.

Minh Ha quickly pointed out (some) limitations of MP-TCP and as is usually the case, his comment was too valuable to be left as a small print at the bottom of a blog post.

Intuitively I don’t necessarily agree with all of his conclusions, but don’t know enough to have a qualified opinion.
Read more …
1 723 724 725 726 727 3,794