Håvard Ose Nordstrand 3 years ago
parent
commit
03ad989b2c

+ 54 - 43
config/linux-server/storage-zfs.md

@@ -10,42 +10,19 @@ Using ZFS on Linux (ZoL) running on Debian.
 
 ## Info
 
-Note: ZFS's history (Oracle) and license (CDDL, which is incompatible with the Linux mainline kernel) are pretty good reasons to avoid ZFS.
-
-### Features
-
-- Filesystem and physical storage decoupled
-- Always consistent
-- Intent log
-- Synchronous or asynchronous
-- Everything checksummed
-- Compression
-- Deduplication
-- Encryption
-- Snapshots
-- Copy-on-write (CoW)
-- Clones
-- Caching
-- Log-strucrured filesystem
-- Tunable
-
-### Terminology
-
-- Vdev
-- Pool
-- Dataset
-- Zvol
-- ZFS POSIX Layer (ZPL)
-- ZFS Intent Log (ZIL)
-- Adaptive Replacement Cache (ARC) and L2ARC
-- ZFS Event Daemon (ZED)
-
-### Encryption
-
-- ZoL v0.8.0 and newer supports native encryption of pools and datasets. This encrypts all data except some metadata like pool/dataset structure, dataset names and file sizes.
-- Datasets can be scrubbed, resilvered, renamed and deleted without unlocking them first.
-- Datasets will by default inherit encryption and the encryption key (the "encryption root") from the parent pool/dataset.
-- The encryption suite can't be changed after creation, but the keyformat can.
+- ZFS's history (Oracle) and license (CDDL, which is incompatible with the Linux mainline kernel) are acceptable reasons to avoid ZFS.
+- Reasons ZFS is great:
+    - Everything checksummed (RIP bit rot).
+    - Copy-on-write (CoW).
+    - Always consistent.
+    - Integrated physical volume manager.
+    - RAID.
+    - Encryption.
+    - Compression.
+    - Deduplication.
+    - Cloning.
+    - Snapshots.
+    - Extensible caching (ARC, L2ARC, SLOG, special devices).
 
 ## Setup
 
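Review bot: the Terminology list (vdev, pool, dataset, zvol, ZPL, ZIL, ARC/L2ARC, ZED) is deleted in this hunk and not re-added anywhere else in the commit, yet the new bullet `Extensible caching (ARC, L2ARC, SLOG, special devices).` uses those acronyms unexplained. Keep a short glossary, or fold the definitions into the new Setup subsections, before dropping it. `RAID.` is also vague next to the other bullets; say what ZFS provides (mirror and raidz vdevs, as the later `mirror drive-1 drive-2` example shows) or drop it.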
@@ -122,6 +99,37 @@ The installation part is highly specific to Debian 10 (Buster). The backports re
     - Includes metadata operations.
     - If no interval is specified, the operations and bandwidths are averaged from the system boot. If an interval is specified, the very first interval will still show this.
 
+#### L2ARC
+
+- Info:
+    - The L2ARC works as a second tier cache and is kept on a separate disk instead of in memory.
+    - Dirty content is never stored in the L2ARC and all data in it is also kept on disk, so it doesn't _need_ any kind of redundancy and can die without causing significant trouble.
+    - It works only as a read cache since it can't contain dirty data.
+    - It's most useful running itself on a fast SSD with the rest of the pool on a slow HDD array.
+    - Using an L2ARC requires more memory as well as some metadata about it must be stored in the ARC, so it's not meant as a direct replacement for getting more memory.
+    - For encrypted pools, data in the L2ARC is always encrypted.
+- Adding L2ARC device: `zpool add [-f] <pool> cache <drive>`
+
+#### SLOG
+
+- Info:
+    - The separate intent log (SLOG) is a drive used to contain the ZFS intent log (ZIL) for a pool, effectively becoming a write cache.
+    - It only has effect for synchronized writes (which generally aren't used for many use cases for pools), since unsynchronized writes are cached in memory.
+    - It's most useful running itself on a fast SSD with the rest of the pool on a slow HDD array.
+    - The drive must have high write durability.
+    - Since data can get lost if it dies, it should have an appropriate level of redundancy, on par with the rest of the pool.
+- Adding SLOG device: `zpool add [-f] <pool> log <drive-config>` (e.g. `mirror drive-1 drive-2`)
+
+#### Special Device
+
+- Info:
+    - A _special_ drive may be added to a pool to store metadata (in order to speed up e.g. directory traversal) and optionally very small files.
+    - It's most useful running itself on a fast SSD with the rest of the pool on a slow HDD array.
+    - The special device generally needs the same kind of redundancy as the rest of the pool as it's not recoverable and will take the whole pool with it if it dies.
+    - If it gets full, it simply overflows back into the data array of the pool.
+    - More practical info: [ZFS Metadata Special Device: Z (Level1Techs Forums)](https://forum.level1techs.com/t/zfs-metadata-special-device-z/159954)
+- **TODO**
+
 ### Datasets
 
 - Basics:
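Review bot: `effectively becoming a write cache` under SLOG is misleading, and the removed Miscellanea text was closer: the SLOG only holds the ZIL for synchronous writes until the transaction group commits, the data itself still reaches the pool from the ARC, and the log is only read back after a crash. Spell out the loss case accordingly: a dead SLOG only costs data if the host also crashes before the pending transaction group is flushed, which is what justifies the mirrored form in `zpool add [-f] <pool> log <drive-config>` (e.g. `mirror drive-1 drive-2`). `synchronized writes` should read `synchronous writes` (the `sync` property). The old text's `low latency` requirement and the later warning that an SSD must actually flush its cache on power loss belong in this subsection too. Finally, the Special Device subsection ends in `**TODO**` without the add command the other two give (`zpool add <pool> special <drive-config>`), and given `will take the whole pool with it if it dies` that example should show a mirror.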
@@ -172,6 +180,11 @@ The installation part is highly specific to Debian 10 (Buster). The backports re
 
 ### Encryption
 
+- Info:
+    - ZoL v0.8.0 and newer supports native encryption of pools and datasets. This encrypts all data except some metadata like pool/dataset structure, dataset names and file sizes.
+    - Datasets can be scrubbed, resilvered, renamed and deleted without unlocking them first.
+    - Datasets will by default inherit encryption and the encryption key (the "encryption root") from the parent pool/dataset.
+    - The encryption suite can't be changed after creation, but the keyformat can.
 - Show stuff:
     - Encryption root: `zfs get encryptionroot`
     - Key status: `zfs get keystatus`. `unavailable` means locked and `-` means not encrypted.
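Review bot: `The encryption suite can't be changed after creation, but the keyformat can.` should name how: `zfs change-key -o keyformat=...` on the encryption root. Running `zfs change-key` on a child dataset is also what turns it into its own encryption root (and `-i` makes it inherit again), which is the counterpart to the inheritance bullet above and to the `zfs get encryptionroot` line below.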
@@ -201,11 +214,11 @@ The installation part is highly specific to Debian 10 (Buster). The backports re
 
 ### Error Handling and Replacement
 
-- Clear transient device errors: `zpool clear <pool> [device]`
+- Clear transient drive error counters: `zpool clear <pool> [drive]`
 - If a pool is "UNAVAIL", it means it can't be recovered without corrupted data.
-- Replace a device and automatically copy data from the old device or from redundant devices: `zpool replace <pool> <old-device> <new-device>`
-- Bring a device online or offline: `zpool (online|offline) <pool> <device>`
-- Re-add device that got wiped: Take it offline and then online again.
+- Replace a drive and begin resilvering: `zpool replace [-f] <pool> <old-drive> <new-drive>`
+- Bring a drive online or offline: `zpool (online|offline) <pool> <drive>`
+- Re-add drive that got wiped: Take it offline and then online again.
 
 ### Miscellanea
 
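Review bot: `Re-add drive that got wiped: Take it offline and then online again.` does not hold if the ZFS labels were actually wiped: `zpool online` only reattaches a drive whose labels still match the pool; otherwise the drive stays faulted and you need `zpool replace <pool> <drive>` (new drive omitted, i.e. replace with itself) to resilver onto it. The new `[-f]` on `zpool replace` also deserves a caveat, since it overrides the check for existing partition tables or foreign labels on the new drive. The unchanged `UNAVAIL` line overstates things as well: it means too few replicas are currently available to open the pool, which `zpool status`/`zpool import` may report as recoverable once the missing devices return, not necessarily corrupted data.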
@@ -222,7 +235,7 @@ The installation part is highly specific to Debian 10 (Buster). The backports re
 - As far as possible, use raw disks and HBA disk controllers (or RAID controllers in IT mode).
 - Always use `/etc/disk/by-id/X`, not `/dev/sdX`.
 - Always manually set the correct ashift for pools.
-    - Should be the log-2 of the physical block/sector size of the device.
+    - Should be the log-2 of the physical block/sector size of the drive.
     - E.g. 12 for 4kB (Advanced Format (AF), common on HDDs) and 9 for 512B (common on SSDs).
     - Check the physical block size with `smartctl -i <dev>`.
     - Keep in mind that some 4kB disks emulate/report 512B. They should be used as 4kB disks.
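Review bot: `/etc/disk/by-id/X` on the unchanged line is a typo for `/dev/disk/by-id/`; worth fixing while this block is touched. `9 for 512B (common on SSDs)` also conflicts with the next line's warning about 512e drives: most SSDs report 512 B logical sectors over larger internal pages, ashift is fixed for the life of the vdev, and too small cannot be undone, so 12 is the safer default for SSDs as well. `smartctl -i` prints both `logical` and `physical` sector sizes; say to use the physical one.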
@@ -263,8 +276,6 @@ The installation part is highly specific to Debian 10 (Buster). The backports re
 - ECC memory is recommended but not required. It does not affect data corruption on disk.
 - It does not require large amounts of memory, but more memory allows it to cache more data. A minimum of around 1GB is suggested. Memory caching is termed ARC. By default it's limited to 1/2 of all available RAM. Under memory pressure, it releases some of it to other applications.
 - Compressed ARC is a feature which compresses and checksums the ARC. It's enabled by default.
-- A dedicated disk (e.g. an NVMe SSD) can be used as a secondary read cache. This is termed L2ARC (level 2 ARC). Only frequently accessed blocks are cached. The memory requirement will increase based on the size of the L2ARC. It should only be considered for pools with high read traffic, slow disks and lots of memory available.
-- A dedicated disk (e.g. an NVMe SSD) can be used for the ZFS intent log (ZIL), which is used for synchronized writes. This is termed SLOG (separate intent log). The disk must have low latency, high durability and should preferrably be mirrored for redundancy. It should only be considered for pools with high synchronous write traffic on relatively slow disks.
 - Intel Optane is a perfect choice as both L2ARCs and SLOGs due to its high throughput, low latency and high durability.
 - Some SSD models come with a build-in cache. Make sure it actually flushes it on power loss.
 - ZFS is always consistent, even in case of data loss.
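Review bot: with the two bullets removed, `Intel Optane is a perfect choice as both L2ARCs and SLOGs` and the SSD cache-flush warning now refer to devices this section no longer introduces. Move both under the new L2ARC/SLOG subsections in Setup; the flush-on-power-loss caveat in particular is a SLOG requirement, since the ZIL is only useful if acknowledged sync writes survive a power loss.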

+ 11 - 1
config/network/linksys-lgs.md

@@ -11,7 +11,13 @@ breadcrumbs:
 
 - LGS326
 
-## Setup
+## Information
+
+- Default IP address: DHCPv4 with fallback to `192.168.1.251/24`.
+- Default credentials: Username `admin` with password `admin`.
+- MCLI password: `mcli`
+
+## Basic Setup (HTTP GUI)
 
 1. Wait for it to boot (a few minutes).
 1. (Optional) Reset the configuration:
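Review bot: the new Information block documents factory defaults (`admin`/`admin`, MCLI password `mcli`, fallback `192.168.1.251/24`) but the Basic Setup steps that follow never change them. Add a step right after first login that sets a new admin password (and the MCLI password) before the switch is put on a production VLAN.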
@@ -31,4 +37,8 @@ breadcrumbs:
         - Uploading to startup config: Wait for the upload to finish, then reboot the device for it to take effect. Only do this for functioning configs.
     1. Wait for it to come back up to whatever IP address it's configured to use (should take under a minute). If it doesn't come back up within a few minutes, fix the config and restart/reset the switch.
 
+## Basic Setup (Telnet CLI)
+
+**TODO**
+
 {% include footer.md %}
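Review bot: the new `Basic Setup (Telnet CLI)` heading is a `**TODO**`; when it is filled in, note that Telnet carries the `admin` credentials from the Information section in cleartext, so it should only be used from a dedicated management VLAN/port and be disabled (or replaced by SSH if the firmware offers it) once the HTTP GUI setup is done.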

+ 39 - 31
config/network/tplink-jetstream-switches.md

@@ -51,6 +51,8 @@ breadcrumbs:
 
 ## Initial Setup
 
+**Warning**: These steps are incomplete as we decided not to use these switches when we found out they can't run IPv4 and IPv6 source guard simultaneously.
+
 1. Connect to the switch using serial (see info about for details).
     - Note that you may need to use `Ctrl+H` for backspace.
 1. Login with username `admin` and password `admin` and set a new admin password when asked.
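Review bot: `(see info about for details)` on the unchanged line should read `(see info above for details)`. The new warning is useful, but it should state the firmware version and SDM template the test was done with, since the IPv6 source guard failure described later is tied to the `enterpriseV6` template.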
@@ -87,7 +89,7 @@ breadcrumbs:
     1. Make them members of the LAG and use LACP: `channel-group <n> mode active`
     1. Enter port channel interface: `interface port-channel <n>`
     1. Configure it as an interface (applies when the LACP interface is up).
-    1. Show the status: `show lacp internal` and `show lacp neighbor`
+    1. Show the status: `show etherchannel detail`
 1. Define VLANs (L2):
     1. Enter the VLAN config: `vlan <VID>`
     1. Name it: `name <name>`
@@ -121,8 +123,8 @@ breadcrumbs:
 1. Set DNS servers: **TODO** Not possible?
 1. Set time and NTP servers:
     1. Set recurring DST: `system-time dst recurring last Sun Mar 2:00 last Sun Oct 3:00` (Norway)
-    1. Set time and NTP servers: `system-time ntp UTC+01:00 <ip-1> <ip-2> <update-hours>`
-    1. Note: Both servers must be IP addresses and using the same IP version, but they may be the same address.
+    1. (Optional) Set time and NTP servers: `system-time ntp UTC+01:00 <ip-1> <ip-2> <update-hours>`
+    1. Note: Both NTP servers must be IP addresses and using the same IP version, but they may be the same address.
 1. (Optional) Enable LLDP globally: `lldp`
 1. Enable LLDP:
     1. Enable globally: `lldp`
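Review bot: `(Optional) Enable LLDP globally: `lldp`` is immediately duplicated by the `Enable LLDP:` block whose first sub-step is the same `lldp` command; drop one of them. For the NTP step, since the servers must be plain IP addresses and the `UTC+01:00` offset is fixed in the command, note that the recurring DST rule from the previous step is what keeps the clock correct across the March/October change.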
@@ -147,32 +149,38 @@ breadcrumbs:
     1. Enable for broadcast: `storm-control broadcast <threshold>` (e.g. 1%)
     1. Enable for multicast: `storm-control multicast <threshold>` (e.g. 1%)
     1. Enable for unknown unicast: `storm-control unicast <threshold>` (e.g. 1%)
-1. Enable DHCPv4/v6 snooping:
-    1. Enable globally: `{ip|ipv6} dhcp snooping`
-    1. Set max number of bindings on port (interface) (1-2 per interface should be enough): `{ip|ipv6} dhcp snooping max-entries <n>`
-    1. **TODO** Trusted ports. DHCP filter?
-    1. **TODO** Detection.
-    1. **TODO** Per VLAN?
-    1. **TODO** Test.
-1. Enable ARP (IPv4) snooping and detection:
-    1. Enable snooping and detection globally: `ip arp inspection`
-    1. Validate source: `ip arp inspection validate src-mac`
-    1. Validate destination: `ip arp inspection validate dst-mac`
-    1. Validate IP address: `ip arp inspection validate ip`
+1. Enable DHCPv4/DHCPv6/ND snooping:
+    1. Note: Snooping by itself doesn't do anything but is used by other protection mechanisms.
+    1. Enable globally (global): `{ip|ipv6} {dhcp|nd} snooping`
+    1. Enable for VLAN (global): `{ip|ipv6} {dhcp|nd} snooping vlan <vid-range>`
+    1. Set max number of bindings per port (interface): `{ip|ipv6} {dhcp|nd} snooping max-entries <n>` (e.g. 2)
+    1. Show bindings: `show {ip|ipv6} source binding`
+1. Enable ARP (IPv4) inspection/detection:
+    1. Note: ARP detection prevents ARP spoofing and flooding.
+    1. Enable globally: `ip arp inspection`
+    1. Enable for VLAN (global): `ip arp inspection vlan <vid-range>`
+    1. (Debug) Enable logging (global): `ip arp inspection vlan <vid-range> logging`
+    1. Validate source MAC address (global): `ip arp inspection validate src-mac`
+    1. Validate destination MAC address (global): `ip arp inspection validate dst-mac`
+    1. Validate sender/target IP address (global): `ip arp inspection validate ip`
     1. Set trusted interface (interface): `ip arp inspection trust`
-    1. **TODO** Per VLAN?
-    1. **TODO** Test.
-1. Enable ND (IPv6) snooping and detection:
-    1. Enable snooping globally: `ipv6 nd snooping`
-    1. Enable detection globally: `ipv6 nd detection`
-    1. Set max number of bindings on port (interface) (avoid setting this too low as IPv6 may use a lot of addresses per interfaces): `ipv6 nd snooping max-entries <n>`
+    1. **TODO** Rate limiting interfaces.
+    1. Note: To restore an interface that has exceeded the rate limit, run `ip arp inspection recover` on it.
+1. Enable ND (IPv6) detection:
+    1. Note: ND detection will validate the source IPv6 and MAC addresses for ND packets and will discard router adversisements and router redirects on untrusted ports.
+    1. Enable globally (global): `ipv6 nd detection`
+    1. Enable for VLAN (global): `ipv6 nd detection vlan <vid-range>`
+    1. (Debug) Enable logging (global): `ipv6 nd detection vlan <vid-range> logging`
     1. Set trusted interface (interface): `ipv6 nd detection trust`
-    1. **TODO** Per VLAN?
-    1. **TODO** Test.
-1. Enable IP source guard:
-    1. Note: IPSG uses the DHCP/ND/ARP snooping database. For IPv6, the SDM template must be set correctly to allocate hardware resources.
-    1. Enable for IP and MAC (interface): `{ip|ipv6} verify source sip-mac`
-    1. **TODO** Test.
+    1. **TODO** Fix, seems to fail to learn link local addresses from newly connected devices and then drops RSes and NAs from them due to IMPB mismatch.
+1. Enable IPv4/IPv6 source guard:
+    1. Note: IP source guard validates the source IP and MAC addresses for normal traffic.
+    1. Enable DHCPv4/DHCPv6/ND snooping (see above).
+    1. **TODO** Enable globally?
+    1. Enable for IP and MAC (interface): `{ip|ipv6} verify source sip[v6]-mac`
+    1. (Debug) Enable logging (global): `ip verify source logging` **TODO** IPv4 only?
+    1. **TODO** Fix, enabling for IPv6 drops all traffic for both IPv4 and IPv6.
+    1. **WARNING**: These switches don't have enough resources to run _both_ IPv4 and IPv6 source guard. On one switch I tested, it caused it to drop all traffic for both protocols. On another switch, it simply denied me from activating IPv4 source guard when using the "enterpriseV6" SDM template.
 1. Enable DoS prevention:
     1. Enable globally: `ip dos-prevent`
     1. Prevent scan-synfin: `ip dos-prevent type scan-synfin`
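Review bot: the rewritten DHCP snooping steps drop the old `**TODO** Trusted ports.` without resolving it: ARP inspection and ND detection each get a per-interface trust command, but no interface is ever marked trusted for DHCP snooping, so the uplink toward the DHCP server or relay needs the snooping trust setting, otherwise server replies arriving on untrusted ports are dropped and the binding table that `show {ip|ipv6} source binding` and IP source guard depend on stays empty. Two smaller points: `adversisements` is a typo for `advertisements`, and since the warning says enabling both source guards drops all traffic, the procedure should state explicitly to enable only one of `ip verify source` / `ipv6 verify source` instead of leaving it as `**TODO** Fix`.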
@@ -184,10 +192,10 @@ breadcrumbs:
 1. Setup RSTP:
     - Set variant: `spanning-tree mode rstp`
     - Enable globally: `spanning-tree`
-    - Enable on all ports (interface config): `spanning-tree`
-    - Enable portfast for edge ports (interface config): `spanning-tree common-config portfast enable`
-    - Enable BPDU guard for edge ports (interface config): `spanning-tree bpduguard`
-    - Enable loop guard for uplink ports (interface config): `spanning-tree guard loop`
+    - Enable on all ports (interface): `spanning-tree`
+    - Enable portfast for edge ports (interface): `spanning-tree common-config portfast enable`
+    - Enable BPDU guard for edge ports (interface): `spanning-tree bpduguard`
+    - Enable loop guard for uplink ports (interface): `spanning-tree guard loop`
 1. (Optional) Setup sFlow: **TODO**
 1. Set terminal idle timer: **TODO**
 1. Save the config (exec mode): `copy run start`

+ 6 - 0
config/pc/kubuntu.md

@@ -63,4 +63,10 @@ breadcrumbs:
 
 Reboot the system.
 
+**Connecting an Xbox One controller over Bluetooth fails for some unknown reason:**
+
+1. `sudo apt install sysfsutils`
+1. `echo "/module/bluetooth/parameters/disable_ertm=1" | sudo tee -a /etc/sysfs.conf`
+1. `reboot`
+
 {% include footer.md %}
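Review bot: `echo ... | sudo tee -a /etc/sysfs.conf` appends a duplicate line every time the steps are re-run; guard it with a grep first. The same effect needs no extra package: `/module/bluetooth/parameters/disable_ertm` is the `disable_ertm` parameter of the `bluetooth` module, so `options bluetooth disable_ertm=1` in a file under `/etc/modprobe.d/` sets it at module load. The heading's `for some unknown reason` could also name what the setting does: it disables L2CAP ERTM (enhanced retransmission mode), which is the mode the controller fails to negotiate.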