Stories
Slash Boxes
Comments

SoylentNews is people

posted by NCommander on Tuesday April 01 2014, @12:00PM   Printer-friendly
from the there-was-much-rejoicing dept.
As part of wanting to be part of a brighter and sunny future, we've decided to disconnect IPv4 on our backend, and go single-stack IPv6. Right now, reading to this post, you're connected to our database through shiny 128-bit IP addressing that is working hard to process your posts. For those of you still in the past, we'll continue to publish A records which will allow a fleeting glimpse of a future without NAT.
Believe it or not, we're actually serious on this one.

Linode IPv6 graph

We're not publishing AAAA records on production just yet as Slash has a few minor glitches when it gets an IPv6 address (they don't turn into IPIDs correctly), though we are publishing an AAAA record on dev. With one exception, all of our services communicate with each other on IPv6.

Perhaps I will write an article about our backend and the magical things that happen there :-).

Related Stories

Removing IPv4 Completely from FreeBSD and Other Operating Systems 69 comments

A Swiss VM hosting provider has a technical blog post about how to kill IPv4 completely on FreeBSD. That is to say, turning it completely off, not just preferring IPv6. They then solicit concrete solutions describing, along with a proof of concept, how to turn IPv4 completely off in other operating systems and allowing them to communicate with IPv6 only.

Earlier on SN:
Vint Cerf's Dream Do-Over: 2 Ways He'd Make the Internet Different (2016)
You have IPv6. Turn it on. (2016)
We've Killed IPv4! (2014)


Original Submission

The Nuts and Bolts of SN: A Look At The Backend, Part 1 28 comments
So, in a bid to keep my sanity while working on the manifesto, I felt an interesting side-project would be to do a series of articles going in-depth on our backend is put together, and what goes into the nuts and bolts of a decently large website. I'm sort of writing this as I get writers block on the manifesto, and I have no set agenda, so if interesting questions come up, I may dedicate an article or two about them. For this first one though, I wanted to give a relatively broad overview of our backend, then an article about each major component that comes together to form SN.
Full Disclosure: SN Email Account Compromised 91 comments

Normally, when I make a post on SoylentNews, it's to talk about some exciting new feature, our future, or something similar.

Unfortunately though, on rare occasions, I have to make announcements like this one. Sometime between May 12-13th, one of our email accounts was breached. The account ("test1") was left over from go live, over a year and half ago, and had a very weak password protecting it. We believe that an automated password guesser was able to find and access the account. Once breached, the account was used to send a significant amount of spam until we deleted the affected account on the 14th May 2015.

As a result of the compromise, several spam services have blacklisted our mail server; we're currently working to try and get ourselves cleared whenever we become aware of one of these blocks. We do not believe any user information or sensitive data was compromised; the account in question was simply a virtual dovecot account with no corresponding UNIX account attached to it.

mechanicjay was primarily responsible for handling this and cleaning up the mess, and I wish to personally thank him and the rest of the sysops team for their handling of this issue. We are looking at taking steps to prevent a reoccurence such as using fail2ban and the like. Unfortunately, most IDS systems like fail2ban are incompatible with IPv6 which we use extensively internally within our network.

A sysops meeting is being scheduled to discuss this and other changes we're making to the infrastructure.

I will update this article (or post a new one) with additional information should it become available,
NCommander

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2, Funny) by oodaloop on Tuesday April 01 2014, @12:03PM

    by oodaloop (1982) <reversethis-{moc.ohoz} {ta} {ffonimakj}> on Tuesday April 01 2014, @12:03PM (#24052)

    I love a good April Fool's joke. You almost had me there, though. Killing off IPv4 indeed.

    --
    Many Bothans died to bring you this comment.
    • (Score: 2) by elf on Tuesday April 01 2014, @12:26PM

      by elf (64) on Tuesday April 01 2014, @12:26PM (#24066)

      If this was an April fools joke I was totally fooled :) I know nothing about networks really so a pretty graph had me hook, line and sinker!

    • (Score: 1, Insightful) by khchung on Tuesday April 01 2014, @12:43PM

      by khchung (457) on Tuesday April 01 2014, @12:43PM (#24085)

      (Hopefully someone who matters will see this, eventually.)

      Please just STOP these April Fools stories, lame or not.

      With the other site's US focus, one can hardly complain. But if Soylent would rather not have the same US-centric focus, then maybe Soylent should understand that not every country make a big deal out of April Fools' day.

      It is downright annoying to have the news site you frequent to become totally worthless for a whole day every year due to it being totally filled with fake news that pretend to be funny.

      Instead of trying to see which ones are fake and which ones are real, I just skip the site for one day every year. If Soylent follows this tradition, then I just also skip Soylent for the same day.

      • (Score: 4, Informative) by xlefay on Tuesday April 01 2014, @12:46PM

        by xlefay (65) on Tuesday April 01 2014, @12:46PM (#24087) Journal

        Actually, I was involved with this bloody procedure, IPv4 was not happy, at all. It was quite bloody, but we got it done.

        PS: It's true, I swear.

        • (Score: 1, Redundant) by Thexalon on Tuesday April 01 2014, @01:18PM

          by Thexalon (636) on Tuesday April 01 2014, @01:18PM (#24124)

          "Look at them, bloody IPv4 users, filling up the bloody address space with bloody devices they can't afford to bloody connect."
          "But what are we, dear?"
          "IPv6, and fiercely proud of it!"

          --
          "Think of how stupid the average person is. Then realize half of 'em are stupider than that." - George Carlin
      • (Score: 0) by Anonymous Coward on Tuesday April 01 2014, @02:34PM

        by Anonymous Coward on Tuesday April 01 2014, @02:34PM (#24198)

        It would be easier if you just gave in and started making a big deal about April Fool's day yourself. Start spreading the tradition in your country! It's fun and harmless and an opportunity for people to test their humour and wit.

      • (Score: 1) by timbim on Tuesday April 01 2014, @10:23PM

        by timbim (907) on Tuesday April 01 2014, @10:23PM (#24501)

        We're all gonna make is bro.

    • (Score: 5, Informative) by NCommander on Tuesday April 01 2014, @01:01PM

      by NCommander (2) Subscriber Badge <michael@casadevall.pro> on Tuesday April 01 2014, @01:01PM (#24108) Homepage Journal

      We're actually serious; we threw out the IPv4 addressing when it got to the point we had to run NAT to get offsite backup to work. We tested IPv6 addressing in DBIx::Password for dev to make sure nothing blew, and then flipped production last week. We had a SLIGHT hiccup as MySQL doesn't listen to IPv6 port out of the box, but after I fixed the config, we've had no problems, and we're removing the IPv4 internal IPs from the nodes one by one.

      (we've already purged them from the internal li694-22 zone)

      --
      Still always moving
      • (Score: 2, Insightful) by dcollins on Tuesday April 01 2014, @04:56PM

        by dcollins (1168) on Tuesday April 01 2014, @04:56PM (#24320) Homepage

        The April Fools' stories on Slashdot were always my most-loathed part of the site (at least there, all Apr-1 stories were bullshit and I could shut off the site for a day). But you've compounded the problem by posting both real and fake stories on Apr-1, so it takes debugging time to separate out which is which.

        Please just dump the Apr-1 fake stories tradition.

        • (Score: 2) by NCommander on Tuesday April 01 2014, @05:14PM

          by NCommander (2) Subscriber Badge <michael@casadevall.pro> on Tuesday April 01 2014, @05:14PM (#24334) Homepage Journal

          There have been two stories that have obviously been false. There's one more in the hopper to end the BaconMuffins despite (I hate dangling plot threads) and then back to business as usual.

          --
          Still always moving
          • (Score: 1) by dcollins on Wednesday April 02 2014, @06:20AM

            by dcollins (1168) on Wednesday April 02 2014, @06:20AM (#24636) Homepage

            So low Type I Error, but thus high Type II Error, and therefore even more wasted time through the day.

            Plus it's just stupid in the first place. Dump it, please.

          • (Score: 1) by dcollins on Wednesday April 02 2014, @06:22AM

            by dcollins (1168) on Wednesday April 02 2014, @06:22AM (#24637) Homepage

            Or at least make it a community vote/poll: yes or no.

          • (Score: 2) by lhsi on Wednesday April 02 2014, @08:28AM

            by lhsi (711) on Wednesday April 02 2014, @08:28AM (#24663) Journal

            I kind of liked the idea of a "slow roll". Normal day of news stories. Then one story starts of plausible but ends with an obviously comedic reveal (like what looks like a story about someone being bullied ends up with them being sent to their aunt and uncle in Bell Air). That way there is a tiny bit of April Fools (and only in one place)

  • (Score: 4, Funny) by nightsky30 on Tuesday April 01 2014, @12:11PM

    by nightsky30 (1818) on Tuesday April 01 2014, @12:11PM (#24058)

    This is amazing! It's like...ERR MEH GERD, 6 Tubes!!!

  • (Score: 3, Interesting) by WizardFusion on Tuesday April 01 2014, @12:31PM

    by WizardFusion (498) on Tuesday April 01 2014, @12:31PM (#24072) Journal

    I don't get IPv6. Really, I don't. I understand that we are running out of IPv4 address, but the argument I always see is that we can now connect every device to the internet, like fridges that can reorder products for us, etc.

    That's great and everything, but why the hell would I want my fridge to have a world accessible IP address.? If for some silly reason I wanted my fridge internet enabled, I would NAT it behind a firewall.

    Does anyone actually have a compelling reason to use IPv6 anywhere.? Certainly not at in my home network/lab.
    The only reason I can think of is mobile phones. Get rid of the IMEI numbers (which can be duplicated) and use an fixed IPv6 address instead.

    • (Score: 1) by Nesh on Tuesday April 01 2014, @12:43PM

      by Nesh (269) on Tuesday April 01 2014, @12:43PM (#24084)

      Try to NAT a thousand items behind your firewall and get back to me.

      • (Score: 2) by FatPhil on Tuesday April 01 2014, @01:02PM

        by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Tuesday April 01 2014, @01:02PM (#24110) Homepage
        My computer. g/f's computer. 2 laptops. PDA. Fridge. Microwave. Hifi. Telly. Sauna stove controller. ...

        Wait a sec - where did this "1000" number come from? From Strawmanland, apparently.
        --
        Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
        • (Score: 1) by Nesh on Tuesday April 01 2014, @01:22PM

          by Nesh (269) on Tuesday April 01 2014, @01:22PM (#24130)

          You're at home.
          Some sites have way more machines in it.

        • (Score: 2) by hankwang on Tuesday April 01 2014, @02:28PM

          by hankwang (100) on Tuesday April 01 2014, @02:28PM (#24190) Homepage

          My computer. g/f's computer. 2 laptops. PDA. Fridge. Microwave. Hifi. Telly. Sauna stove controller. ...

          Um, do you have an internet-enabled microwave and fridge or are you just looking into the future? We're a 2-person household. The DNS configuration file of my home server has 31 devices listed. If I remove old (non-used) devices and double-counted ethernet/wifi, I still have 17 devices. And I'm not counting a block of addresses reserved for VPN: 1 desktop, 2 laptops, 2 tablets, 3 Android media players, audio system, cable decoder/DVR, 2 smartphones, e-reader, modem/router, wifi access point, home server, printer, Wii.

          Within a couple of years, I can well imagine network access for IP cameras, home automation (temperature, window shutters, lighting). I still wonder why I would want to have a network-enabled fridge or microwave oven, though.

        • (Score: 2) by skullz on Tuesday April 01 2014, @03:21PM

          by skullz (2532) on Tuesday April 01 2014, @03:21PM (#24238)

          You have a networked microwave but you still use a PDA? *snort snort* What does it run, NetBIOS? *snort pushes glasses back up*

        • (Score: 1) by VanessaE on Tuesday April 01 2014, @10:59PM

          by VanessaE (3396) <vanessa.e.dannenberg@gmail.com> on Tuesday April 01 2014, @10:59PM (#24518) Journal

          What, no toaster? :P

      • (Score: 2) by NCommander on Tuesday April 01 2014, @01:42PM

        by NCommander (2) Subscriber Badge <michael@casadevall.pro> on Tuesday April 01 2014, @01:42PM (#24138) Homepage Journal

        The moment we realized if we wanted to interconnect our off-site backup and our backend would require NAT was the moment IPv4 came up on the chopping block and I made a plan to migrate.

        --
        Still always moving
    • (Score: 0) by Anonymous Coward on Tuesday April 01 2014, @12:47PM

      by Anonymous Coward on Tuesday April 01 2014, @12:47PM (#24090)

      Companies like Google want IPv6 so every individual (and device) has its own unique IP address. With NAT gone, it will be much easier for them to identify and track your every move.

      • (Score: 1) by Nesh on Tuesday April 01 2014, @12:53PM

        by Nesh (269) on Tuesday April 01 2014, @12:53PM (#24098)

        That would be right apart from the Privacy Extensions which nearly every OS is using.
        http://en.wikipedia.org/wiki/IPv6#Privacy [wikipedia.org]

        You automatically get a new outgoing IPv6 address every x minutes while still being reachable by the main address. In fact, privacy extensions hange the outgoing address a lot more than the DHCP IPv4 address your provider doles out to you. I know my IPv4 address is stable as long as I don't disconnect my modem.

    • (Score: 2) by VLM on Tuesday April 01 2014, @12:48PM

      by VLM (445) on Tuesday April 01 2014, @12:48PM (#24092)

      The problem is the engineers are talking about an ISO layer 2 addressing scheme, and the marketing droids are talking about their usual random BS at ISO layer one zillion that has nothing to do with it, other than maybe they can sell something useless by product tieing to something useful.

      It would be like discussing CIDR addressing math for ipv4 at a meeting and then some droid busting in, and in Disney Goofy character voice saying "hay guise, lets sell this as enabling itunes yuck yuck". Unfortunately that is literally how working as an engineer/dev is, although they never tell you that in school, other than maybe you read Dilbert cartoons and laugh because you think its exaggeration (LOL).

      ipv6 has nothing technological to do with fridges or whatever marketing pipe dreams.

      Also you wouldn't NAT your ipv6 fridge behind a firewall, you'd just use a stateful FW acting as a "network diode". Playing games with the address buys you precisely nothing. You already have a stateful FW in your NAT box so its not exactly new tech either. I'm sure the marketing people will be of great assistance in trying to redefine existing terms to confuse people and increase sales, so we probably will see firewalls at best buy claiming ipv6 NAT but delivering a stateful firewall and not doing NAT at all.

      "Does anyone actually have a compelling reason to use IPv6 anywhere.?"

      Check the stats for unallocated ipv4 addressing space and be unhappy. Oh, you'll be using ipv6 soon enough because you're not going to be using ipv4, that's for sure.

      Of course the PHB solution is instead of ipv4 addrs being 0-255.0-255.0-255.0-255 why not switch to 0-999.0-999.0-999.0-999 and those folks are an absolute joy to deal with I assure you.

    • (Score: 3, Insightful) by mmcmonster on Tuesday April 01 2014, @12:52PM

      by mmcmonster (401) on Tuesday April 01 2014, @12:52PM (#24097)

      There are some reasonable things you can do with IPv6, world-accessible kitchen appliances.

      Imagine your fridge had a camera feed. You could see what you needed to get when picking up groceries. If it also had a vision algorithm (+/- a scale on each level), it could tell you the milk's almost done or that the fruits are going bad (based on color and type of fruit). Or, most important, it can tell you that the fridge door isn't quite closed.

      Your toaster oven (or regular oven) could tell you that it's left on for an excessive period of time.

      Your alarm system could notify you when the kids get home.

      Your thermostat and alarm system could work in conjunction to turn down the AC/Heater when it knows no one is in the house. The temperature would go back to comfortable when your car or cell phone gets within 5 miles of the house.

      Whether these things are important to you is another matter.

      • (Score: 0) by Anonymous Coward on Tuesday April 01 2014, @01:15PM

        by Anonymous Coward on Tuesday April 01 2014, @01:15PM (#24119)

        Imagine your fridge had a camera feed. You could see what you needed to get when picking up groceries.

        Hmm, let's see. I'm out of milk. I am however not out of Goatse, so don't buy any more of that. I might, however, want to get a new stack of updates for my fridge.

        Oh look, the latest firmware for my fridge is two years old - same as the fridge - and rather than fix the bugs, they just want me to buy a new fridge.

      • (Score: 2) by bucc5062 on Tuesday April 01 2014, @02:32PM

        by bucc5062 (699) on Tuesday April 01 2014, @02:32PM (#24195)

        I read your post and thought of this story [wikipedia.org] right away. Kind of makes your vision a little scary and prophetic.

        --
        The more things change, the more they look the same
    • (Score: 0) by Anonymous Coward on Tuesday April 01 2014, @01:08PM

      by Anonymous Coward on Tuesday April 01 2014, @01:08PM (#24113)

      The whole internet of things idea is just salespeople talking. Unfortunately, managers listen more to salespeople than to engineers, so it may still hold true.

      IPv6 is no related to the internet of things. We need IPv6 to have ip addresses enough that everybody can have a PC. And a tablet. And a phone. And right now, there's only about enough for half the people on the planet to get ONE ip address, and that's if every subnet is filled perfectly.

      However, because the people behind IPv6 wanted to be absolutely sure never to run out again (even after we colonize Mars), they made IPv6 large enough that even if the "internet of things" morons get what they want, IP addresses is not going to be our problem. Keeping all those "things" updated and secure is.

    • (Score: 5, Insightful) by githaron on Tuesday April 01 2014, @01:26PM

      by githaron (581) on Tuesday April 01 2014, @01:26PM (#24132)

      There is a difference between world-routable and world-accessible. IPv6 is world-routable. The network firewall would decide if a device is world-accessible.

      • (Score: 2) by NCommander on Tuesday April 01 2014, @01:44PM

        by NCommander (2) Subscriber Badge <michael@casadevall.pro> on Tuesday April 01 2014, @01:44PM (#24140) Homepage Journal

        This, this, a thousand times this. You haven't experienced the joys of networking when all you need is a firewall and NOT NAT. We could even run IPsec over IPv6 and it would work for most people without hours of pain.

        --
        Still always moving
        • (Score: 1) by bill_mcgonigle on Tuesday April 01 2014, @01:53PM

          by bill_mcgonigle (1105) on Tuesday April 01 2014, @01:53PM (#24148)

          This, this, a billion times this.

          We're past a thousand users on the Internet now. :)

      • (Score: 1) by monster on Tuesday April 01 2014, @01:55PM

        by monster (1260) on Tuesday April 01 2014, @01:55PM (#24151) Journal

        Yes, but turning every layman into a network administrator is pure comedy gold waiting to happen.

        • (Score: 2, Informative) by urza9814 on Tuesday April 01 2014, @06:58PM

          by urza9814 (3954) on Tuesday April 01 2014, @06:58PM (#24408) Journal
          That's the situation we *already have*, IPv6 is going to make it *better*, not worse. You *already* need to be a freakin' network administrator to properly set up a NAT. What protects you isn't the NAT, it's the firewall, and that will still be included in the router. But you'll be able to actually turn it off where and when needed now, which will be nice. (And no, DMZ doesn't count, because it's one system at a time)
        • (Score: 2) by sjames on Tuesday April 01 2014, @09:09PM

          by sjames (2882) on Tuesday April 01 2014, @09:09PM (#24466) Journal

          Why would that be an issue. The Ap/router will just come with a default configuration that does the right thing for nearly everyone and home users won't understand it, just like with IPv4 and NAT, only it won't overload the tiny embedded processor as easily.

    • (Score: 1) by bill_mcgonigle on Tuesday April 01 2014, @01:50PM

      by bill_mcgonigle (1105) on Tuesday April 01 2014, @01:50PM (#24146)

      If for some silly reason I wanted my fridge internet enabled, I would NAT it behind a firewall.

      If you have a properly configured firewall, what benefit is NAT getting you? Most people who are saying this are saying, "I don't need a firewall because I have NAT". Security is a side-effect of NAT, not its purpose.

      Does anyone actually have a compelling reason to use IPv6 anywhere.?

      Have you ever had to statically map a port on a firewall? Enabled uPNP on a router? Why just this weekend I was trying to VoIP chat with a friend on Retroshare and we spent nearly an hour getting this straightened out. That all goes away with IPv6 (not that my local ISP's even offer it...).

    • (Score: 1) by MozeeToby on Tuesday April 01 2014, @02:54PM

      by MozeeToby (1118) on Tuesday April 01 2014, @02:54PM (#24217)

      NATs are not security features. Even if your fridge had a global IP it could, and should, be behind a firewall.

      Finally, it's not really about fridges and washing machines, it's about... well, whatever we come up with next that would be handy to have it's own IP address. It's future proof, and that's the point.

    • (Score: 1) by Mike on Tuesday April 01 2014, @06:19PM

      by Mike (823) on Tuesday April 01 2014, @06:19PM (#24380)

      Does anyone actually have a compelling reason to use IPv6 anywhere.?
      Certainly not at in my home network/lab. The only reason I can think
      of is mobile phones. Get rid of the IMEI numbers (which can be
      duplicated) and use an fixed IPv6 address instead.

      The simple answer:

      End-to-End connections, i.e., the real Internet (get-off-my-lawn).

      The more ranty answer: End to end is basically it. Yes, there are
      lots of ways to hack around not being on the Internet: NAT, dynamic
      IPs, paying an obscene amount to your ISPs for an actual IP address
      (really?, Really!?), etc. But frankly, that's crap. A default
      Internet connection should be just that.

      By themselves, there are more cellphones on the planet than IPv4
      addresses. The internet needs a bigger number space for addresses and
      for good or bad, IPv6 is it.

    • (Score: 2) by sjames on Tuesday April 01 2014, @08:21PM

      by sjames (2882) on Tuesday April 01 2014, @08:21PM (#24449) Journal

      The whole fridge thing is just a red herring.

      I find it handy that in the IPv6 world, my ISP must give me a subnet rather than just a single IP address. I can access anything at home I need to over IPv6 from anywhere. Meanwhile, NAT is resource intensive for a firewall. It's much better to avoid packet re-writing and just filter.

      But much of the benefit is for larger organizations and for the future. We really are running out of v4 addresses even while some of them are being clawed back. NAT presents it's own problems, including the already mentioned resource drain on a firewall. The same hardware filtering v6 rather than NATing v4 can handle many more machines. If you as the admin of such a place (for example, a large office) get an abuse report, instead of just your external IP address and a time that may or may not be accurate, you get an IPv6 address that uniquely identifies the probably infected PC.

      When I stand up a VM at work that doesn't need to be accessible by the public, I can just skip IPv4 and use it's autoconfig v6 address. No need to be concerned with depleting the much smaller pool of available public v4 addresses.

  • (Score: 2) by chebucto on Tuesday April 01 2014, @12:46PM

    by chebucto (36) on Tuesday April 01 2014, @12:46PM (#24088) Journal

    Perhaps I will write an article about our backend and the magical things that happen there :-).

    Please do.. it's always fun to read about how (relatively) big sites operate.

    PS - love the new button CSS ('Read More', 'Preview', etc.)

    • (Score: 2) by Vanderhoth on Tuesday April 01 2014, @12:57PM

      by Vanderhoth (61) on Tuesday April 01 2014, @12:57PM (#24104)

      PS - love the new button CSS ('Read More', 'Preview', etc.)

      Agreed, it's a very accessible way to handle buttons.

      --
      "Now we know", "And knowing is half the battle". -G.I. Joooooe
    • (Score: 2) by nightsky30 on Tuesday April 01 2014, @02:22PM

      by nightsky30 (1818) on Tuesday April 01 2014, @02:22PM (#24180)

      Ditto, I think that small change has caused me to like the red a little bit more.

  • (Score: 1) by Nesh on Tuesday April 01 2014, @12:48PM

    by Nesh (269) on Tuesday April 01 2014, @12:48PM (#24091)

    if you actually offered IPv6 to start with.

    I understand it's not a top priority.
    As a site for geeks you might consider it.

    • (Score: 2) by NCommander on Tuesday April 01 2014, @12:56PM

      by NCommander (2) Subscriber Badge <michael@casadevall.pro> on Tuesday April 01 2014, @12:56PM (#24103) Homepage Journal

      Its actually been on the TODO list from day one. The problem is that Slash creates IPID instead of storing raw IP addresses. This has some glitches when it gets an IPv6 address vs. IPv4; its at the point the site no longer explodes in flames, but we don't get a valid SUBID, which causes issues with cookies. This code probably needs a rework to be fully IPv6 complaint.

      That being said, it has no problems talking to the database over IPv6.

      --
      Still always moving
      • (Score: 1) by Nesh on Tuesday April 01 2014, @01:11PM

        by Nesh (269) on Tuesday April 01 2014, @01:11PM (#24117)

        I can believe you don't have any problems talking to the database over IPv6.
        Linode VMs are now native IPv6 enabled and it works good.
        Before that time we had to use a 6in4 broker to get IPv6 working on a Linode VM.

        This may be a good place to refer to the nice people at HE [he.net]
        (not affliated in any way) for people that want to learn about and do more with IPv6.

        The free hands-on certification [he.net] is excellent and fun to do.
        If your provider lacks native IPv6 support, their free tunnelbroker [tunnelbroker.net] is a good help.
        The 6in4 tunnel adds latency but it's good enough to get started with.

        • (Score: 2) by NCommander on Tuesday April 01 2014, @01:21PM

          by NCommander (2) Subscriber Badge <michael@casadevall.pro> on Tuesday April 01 2014, @01:21PM (#24128) Homepage Journal

          Actually, when we yanked out the old A records, the only thing that didn't quite work was MySQL as it doesn't listen on IPv6 by default. That required one line in its config file:

          bind-address = ::

          Which set it to bind IPv6 only. I wanted to post the netstat output, but it seems it has too many colons and the lameass filter won't let it through.

          --
          Still always moving
  • (Score: 4, Funny) by Bartman12345 on Tuesday April 01 2014, @12:54PM

    by Bartman12345 (1317) on Tuesday April 01 2014, @12:54PM (#24100)

    As a discerning netophile, I can tell you all that since SN switched to IPv6, my experience on the site has felt much crisper, with improved colour separation and much warmer text overtones.

    Feels faster too.

    • (Score: 2) by NCommander on Tuesday April 01 2014, @12:58PM

      by NCommander (2) Subscriber Badge <michael@casadevall.pro> on Tuesday April 01 2014, @12:58PM (#24105) Homepage Journal

      Welcome to the future. We have flying cars too.

      --
      Still always moving
      • (Score: 2) by skullz on Tuesday April 01 2014, @03:28PM

        by skullz (2532) on Tuesday April 01 2014, @03:28PM (#24247)

        "Unless you're over 60, you weren't promised flying cars. You were promised an oppressive cyberpunk dystopia. Here you go."

        -Some people who stole this quote and put it on the internet

  • (Score: 2) by VLM on Tuesday April 01 2014, @12:59PM

    by VLM (445) on Tuesday April 01 2014, @12:59PM (#24106)

    "With one exception, all of our services communicate with each other on IPv6."

    Well, don't leave us in suspense... As a guy who's had a tunnel at home of one sort or another for WAY more than a decade, the only thing that immediately comes to mind is non-cutting edge version of AFS. Which I'm guessing you're not using. So...

    Hopefully not some "duh" kind of thing like you've got quagga software routing with ospfd which is inherently ipv4 only, if you wanted ipv6 you'd run ospf6d, that kind of "duh". Which as a side issue as an ex network guy it was hilarious how you could have dual stack with independent routing protocols with independent tables, and if you called those two protocols RIP and BGP no one would bat an eye but it confuses the hell out of people if both the protocols are called OSPF its just the ipv4 doesn't in any way cooperate with the ipv6 version of the same protocol. Good times, good times...

    • (Score: 3, Informative) by NCommander on Tuesday April 01 2014, @01:36PM

      by NCommander (2) Subscriber Badge <michael@casadevall.pro> on Tuesday April 01 2014, @01:36PM (#24136) Homepage Journal

      Funny you should bring up OpenAFS, as we were considered it as a method to deploy slash to the web frontends (basically have one box be an OAFS master, and the webheads replicate locally so we can update once and deploy everywhere). The main reason we dumped IPv4 is we got into the rather silly situation of having to run NAT/VPN on our staff box so we could suck up backups easily (due to our firewall setup, you can only get into our internal cluster through one point).

      While OAFS is shiny, its a fucking PITA to setup, and I've got concerns about its fragility (we've got kerberos, but if our internal BIND takes a crap, kerberos stops working which breaks OAFS). We're probably going to go NFSv4 with replica to make this work, or cobble something our of rsync. Worse case scenario, we'll update nodes one by one (backwards compatibility on DB schemas makes this relatively easy).

      I ran through the list of services we run, and decided to go full monty on this, and make IPv4 a legacy technology. Here's specifically what we're running with IPv6 only

      • LDAP (TLS)
      • Kerberos (though this required making IPv6 rdns work which is a PITA)
      • icinga (with some homemade patches to do kerberosized SSH)
      • varnish (connects to Apache via IPv4, but relays the inbound IP)
      • nginx
      • OpenSSH
      • barcula
      • postfix (IPv4/IPv6 dualstack for the main server; emails from slash->world get to the MTA via IPv6)

      I'm probably forgetting a couple of things, but these were the major ones. Aside from our mystery service (which we'll announce later today), and Apache 1.3, our migration was seemless, and we can now have our clouds interconnect and not need to NAT.

      --
      Still always moving
      • (Score: 2) by VLM on Tuesday April 01 2014, @02:33PM

        by VLM (445) on Tuesday April 01 2014, @02:33PM (#24197)

        "While OAFS is shiny, its a fucking PITA to setup"

        Oh its not that bad. Google spinlocksolutions and AFS. Obviously start following the tutorial with LDAP, then kerberos, then afs... The tutorials are extremely long because of endless screencaps and tests/experiments, the actual work required is pretty minimal. My puppetmaster has a couple files, maybe a screen of manifest instructions, that's about it. It really does make life easy in the long run.

        "but if our internal BIND takes a crap, kerberos stops working which breaks OAFS"

        That is true, I did end up with a ridiculous amount of replication. Multiple LDAP servers, multiple BIND, etc. If you're in physical world this is cheap/free, but I can totally see in virtual/cloudy world where each virtual machine costs $$$$ and every bit/cycle is accounted for, this is a bit of a scaling/financial issue. Every 24x7 machine I have is a primary for exactly one thing also a secondary for as many other things as I can set up.

        The biggest annoyance I have with AFS at home is the eternal battle between cron and AFS (really, kerberos) ... they just don't conceptually get along very well.

        Mystery service that doesn't like NAT... let me guess it involves SIP protocol? SIP doesn't like NAT very much. OR let me guess, minecraft.soylentnews.org?

        • (Score: 2) by NCommander on Tuesday April 01 2014, @02:42PM

          by NCommander (2) Subscriber Badge <michael@casadevall.pro> on Tuesday April 01 2014, @02:42PM (#24204) Homepage Journal

          I'll take your word for it. We're still undecided on the filesystem issue, but it looks like IPv6 support still hasn't landed in OAFS, and I rather not reintroduce IPv4 back into our BIND instance. We're going to glue the sysops heads together somepoint this month and discuss it more indepth.

          As for cron and kerberos, keytabs are a wonderful thing; we use kerberosized SSH for our cron services so we don't have to deal with SSH authorized_keys madness (we have a backported OpenSSH on the server which can pop a key from LDAP which we use for staff gaining access to the network and for the SSH proxy), but kerberos allows us to have one central list of authentication. We've got master/slave KDCs setup, and BIND is replicated, though we haven't tested failover (yet). LDAP isn't, mostly because slapd is a fucking pig to setup (they threw out a perfectly sane config file for putting everything in LDAP and then poorly documented it to boot!), but all the services are using local accounts so the site itself will stay up if LDAP takes a shit on us.

          As for our IPv4 only service, you'll have to wait and see. Trust me, I think you'll approve of this (and I plan to write patches to bring it to IPv6 sooner or later)

          --
          Still always moving
  • (Score: 1) by alioth on Tuesday April 01 2014, @01:16PM

    by alioth (3279) on Tuesday April 01 2014, @01:16PM (#24122)

    ...and get the front end also with AAAA records. I've had an IPv6 address at home and at work for years now. Services to allow teenagers to share selfies (Facebook) have a working IPv6 front end, it's silly that a *tech* site does not! (And that goes for slashdot too. Years of writing articles about IPv6 and they still don't support it either).

    • (Score: 2) by xlefay on Tuesday April 01 2014, @01:20PM

      by xlefay (65) on Tuesday April 01 2014, @01:20PM (#24126) Journal

      As mentioned before, Slash takes issue with IPv6, we're looking to fix that. And with 'we' I mean, NCommander and others.

    • (Score: 3, Informative) by NCommander on Tuesday April 01 2014, @01:25PM

      by NCommander (2) Subscriber Badge <michael@casadevall.pro> on Tuesday April 01 2014, @01:25PM (#24131) Homepage Journal

      We're publishing one on dev right now, and I'm going to go through the DNS and make sure we have them on all other services aside from production

      From dig: ;; ANSWER SECTION:
      dev.soylentnews.org. 300 IN AAAA 2600:3c00::f03c:91ff:fe6e:d0a3

      I hope to have IPv6 up by the end of the month; I've got a good idea on how to fix the problems with slash when it receives a 128-bit address.

      --
      Still always moving
  • (Score: 2) by Nerdfest on Tuesday April 01 2014, @02:33PM

    by Nerdfest (80) on Tuesday April 01 2014, @02:33PM (#24196)

    What made you think of doing this, what are the advantages, is this common in other setups?

    • (Score: 1) by paulej72 on Tuesday April 01 2014, @02:46PM

      by paulej72 (58) on Tuesday April 01 2014, @02:46PM (#24210) Journal

      Linode does not charge for IPv6 traffic inside of their network. So it made sense to put all of the back end traffic on IPv6 and save our network quota for use on the front end.

      --
      Team Leader for SN Development
    • (Score: 2) by NCommander on Tuesday April 01 2014, @03:19PM

      by NCommander (2) Subscriber Badge <michael@casadevall.pro> on Tuesday April 01 2014, @03:19PM (#24235) Homepage Journal

      Its not a common setup to say the least, and sanity was questioned on it. One of our sysops guys was on VAC while we did this, and when he came back the response was basically "WTF?". The problem is our offsite backup is in a data center in France, and with the old IPv4 setup, we were looking at the possiblity of having to run a VPN and NAT. We could get around it by creative firewalling, and stupid DNS tricks, but I was sick of dealing with those from a previous job. Furthermore, I'd like for us to have mirrors in multiple data centers across the world, and IPv6 addressing means that no matter where a node is, it can always access another node with a consistently known IP address, and rdns/dns *just work*. No stupid hacks, no insane IPtables routes. It Just Works.

      It might be kinda extreme, but it puts us very much ahead of the curve on such things, and our network is extremely nice to work with due to the way its setup as an end result (I've had a couple minds blown on how we do single signon/LDAP SSH/etc.).

      --
      Still always moving
  • (Score: 2) by bucc5062 on Tuesday April 01 2014, @02:51PM

    by bucc5062 (699) on Tuesday April 01 2014, @02:51PM (#24213)

    Dammit, can we not think about those minds that were trained for years, nay decades to think in 4 octets and just numbers. The horror, the heart wrenching terror I felt when I first witnessed an IPv6 number. It struck to the core. Letters and numbers, mixed together, 6 sets, not four.

    ...damn you...damn you all to hell.

    You can go IPv6 when you rip this IPv4 number, 192.168.1.78, from my cold lifeless fingers. Now I am suppose to be 1fe.67a.e45.dd1.176, NEVER! As if I can remember that mess. I'm here to tell you, once we go IPv6, it will be the day computers take over the world for only they will truly *know* each other. Now where's my damn lawn again?

    --
    The more things change, the more they look the same
    • (Score: 5, Funny) by NCommander on Tuesday April 01 2014, @03:20PM

      by NCommander (2) Subscriber Badge <michael@casadevall.pro> on Tuesday April 01 2014, @03:20PM (#24236) Homepage Journal

      We upgraded your lawn while you were ranting. You can find it at ::1

      --
      Still always moving
      • (Score: 2) by bucc5062 on Tuesday April 01 2014, @04:19PM

        by bucc5062 (699) on Tuesday April 01 2014, @04:19PM (#24283)

        That was just cruel. Delishly, baconly cruel. Well played, and now time to learn once again (reaches for TCP/IP Networking for Dummy, version 6)

        --
        The more things change, the more they look the same
        • (Score: 2) by NCommander on Tuesday April 01 2014, @04:24PM

          by NCommander (2) Subscriber Badge <michael@casadevall.pro> on Tuesday April 01 2014, @04:24PM (#24288) Homepage Journal

          Actually, this might be a good topic for us to go in-depth about

          --
          Still always moving
          • (Score: 2) by NCommander on Tuesday April 01 2014, @04:24PM

            by NCommander (2) Subscriber Badge <michael@casadevall.pro> on Tuesday April 01 2014, @04:24PM (#24289) Homepage Journal

            Oops, didn't mean to submit. I meant to write, go in-depth in an original post, vs. us just agitating news ...

            --
            Still always moving
            • (Score: 1) by middlemen on Tuesday April 01 2014, @05:17PM

              by middlemen (504) on Tuesday April 01 2014, @05:17PM (#24337) Homepage

              Ncommander, please write a blog post on how you went about implementing the IPv6 features for SN so that other folks could be inspired to implement it for their own websites/LANs.

              Thanks.

    • (Score: 1) by jayjay.br on Tuesday April 01 2014, @04:28PM

      by jayjay.br (1849) on Tuesday April 01 2014, @04:28PM (#24294)
      6 sets, not four.

      Must've been the BETA version. IPv6 goes up to 8 sets. And IPv7 should go up to eleven.
  • (Score: 1) by darkfeline on Tuesday April 01 2014, @06:08PM

    by darkfeline (1030) on Tuesday April 01 2014, @06:08PM (#24374) Homepage

    I have a hard time deciding whether or not this is an April Fools joke or not. Considering the fact that most people still do not have IPv6 because of US ISPs' rapid innovation, it's probably a joke, but I would actually appreciate if it wasn't. We really need a push to cut off IPv4 so people start forcing their ISP to actually do shit. I understand IPv4 works fine with NAT finagling, but the expanded address space is just icing on the fact that ISPs' will be forced to do some much needed upgrading.

    --
    Join the SDF Public Access UNIX System today!
    • (Score: 1) by urza9814 on Tuesday April 01 2014, @07:09PM

      by urza9814 (3954) on Tuesday April 01 2014, @07:09PM (#24415) Journal
      It's not a joke, but I don't think it's what you're thinking. They're using IPv6 *internally*. Between their own servers in their datacenter. The outside world can still access via IPv4.
  • (Score: 1) by egp on Tuesday April 01 2014, @07:16PM

    by egp (3606) on Tuesday April 01 2014, @07:16PM (#24417)

    Often websites that are experimenting with IPv6 will have an address like ipv6.soylent.org that is reachable only by IPv6. Do we have one setup yet?

    • (Score: 2) by NCommander on Sunday April 06 2014, @03:01PM

      by NCommander (2) Subscriber Badge <michael@casadevall.pro> on Sunday April 06 2014, @03:01PM (#27074) Homepage Journal

      No, and the design of slash makes it extremely tricky to have a subdomain point to the main site and make it work because of the use of absolute addresses *everywhere*. The dev site has IPv6 records and we're using that to experiment with. Once we have the known IPv6 bugs extinguished, we'll publish AAAA records on the main site.

      --
      Still always moving
  • (Score: 2) by GlennC on Thursday May 08 2014, @07:11PM

    by GlennC (3656) on Thursday May 08 2014, @07:11PM (#41009)

    You Bastard!

    (yes, I know I'm horribly late...sue me!)

    --
    Sorry folks...the world is bigger and more varied than you want it to be. Deal with it.