Archives

All posts by K1WIZ

Now and then, heavily used systems may need to have their swap usage cycled (reset) to improve performance. It is common to see swap usage grow even on a system with plenty of RAM: the kernel pushed pages out during an earlier memory spike and has no reason to bring them back until something touches them. The steps outlined here reduce swap usage by forcing that content back into RAM. They are safe to run on a production host with one condition: swapoff has to read everything in swap back into memory, so only do this when the available memory comfortably exceeds the swap in use. If it does not, swapoff fails with "Cannot allocate memory" or, worse, the OOM killer starts terminating processes.

Check current swap use:

# free -m
              total        used        free      shared  buff/cache   available
Mem:           7800        4822         383           1        2594        2668
Swap:          4095         429        3666

We can see here that about 430MB of swap is used even though there is plenty of RAM available (2668MB). In this case, the system gets average, consistent use and has been up for 206 days. We also want to see what the swappiness setting is currently set at and perhaps reduce it:

# cat /proc/sys/vm/swappiness
60

# sysctl vm.swappiness=20
vm.swappiness = 20
# cat /proc/sys/vm/swappiness
20

This new setting of 20 makes the kernel less inclined to swap out anonymous memory in favour of keeping page cache, so the system should swap less often. A sysctl set this way is lost on reboot; to keep it, put vm.swappiness = 20 in a file under /etc/sysctl.d/. We now want to force the system to move swap contents back to RAM where they belong. swapoff -a does exactly that: it blocks until every swapped page has been read back in, so once it returns we can simply turn swap back on:

# swapoff -a
# swapon -a
# free -m
              total        used        free      shared  buff/cache   available
Mem:           7800        5295         143           2        2360        2194
Swap:          4095           0        4095

We can now see that the swap contents have been moved to RAM (Mem used rose by roughly the 429MB that left swap) and that swap has reclaimed its space. It is easy to write a cron job that checks swap usage and repeats this when it goes above an acceptable threshold, as long as the job also checks that enough memory is available to absorb the swap before calling swapoff.
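Here is what that cron-side check looks like, added as an example and not part of the original post. It reads /proc/meminfo, cycles swap only when swap use is above a threshold and MemAvailable can absorb it with headroom to spare (the condition under which swapoff -a is safe), and includes a constructed /proc/meminfo excerpt mirroring the free -m output above for a dry run. The script name, cron schedule and default thresholds are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): the cron-side check. Cycles swap
# only when swap use is above a threshold AND MemAvailable can absorb it with
# headroom to spare, which is the condition under which swapoff -a is safe.

# meminfo_kb FIELD < meminfo-text : print the kB value of one /proc/meminfo field
meminfo_kb() {
    awk -v key="$1:" '$1 == key { print $2 }'
}

# swap_used_kb FILE : swap currently in use
swap_used_kb() {
    total=$(meminfo_kb SwapTotal < "$1")
    free=$(meminfo_kb SwapFree < "$1")
    echo $(( total - free ))
}

# swap_cycle_ok FILE THRESHOLD_MB HEADROOM_MB : true when a cycle is both
# worthwhile (used swap > THRESHOLD_MB) and safe (MemAvailable minus used swap
# still leaves HEADROOM_MB)
swap_cycle_ok() {
    used=$(swap_used_kb "$1")
    avail=$(meminfo_kb MemAvailable < "$1")
    [ "$used" -gt $(( $2 * 1024 )) ] && [ $(( avail - used )) -ge $(( $3 * 1024 )) ]
}

# cycle_swap [THRESHOLD_MB] [HEADROOM_MB] : the cron action; must run as root
cycle_swap() {
    if swap_cycle_ok /proc/meminfo "${1:-256}" "${2:-512}"; then
        if ! swapoff -a; then
            swapon -a   # swapoff gave up (ENOMEM): re-enable whatever it turned off
            logger -t swapcycle "swapoff failed, swap re-enabled"
            return 1
        fi
        swapon -a
        logger -t swapcycle "swap cycled, $(swap_used_kb /proc/meminfo) kB now in use"
    fi
}

# sample_meminfo : constructed /proc/meminfo excerpt mirroring the free -m output above
sample_meminfo() {
    cat <<'EOF'
MemTotal:        7987200 kB
MemFree:          392192 kB
MemAvailable:    2732032 kB
SwapTotal:       4194300 kB
SwapFree:        3754000 kB
EOF
}

# From cron, e.g. every 15 minutes (assumed path and schedule):
#   */15 * * * * /usr/local/sbin/swapcycle.sh --cycle 256 512
case "${1:-}" in
    --cycle) shift; cycle_swap "$@" ;;
esac
```

The headroom argument is the important one: on the host above, 2668MB available against 429MB in swap passes easily, but the same script refuses to run on a box with 300MB available, which is exactly the case where a blind swapoff -a would have invited the OOM killer.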

Those plug-in smart switches that are ubiquitous in the market are (most of them) only good to 10 amps. I had one on my dehumidifier project to control when the dehumidifier would turn on and off (by turning it completely off, we save energy and money on the electric bill). After a couple of years of use, the “plug in” smart switch died, likely because the dehumidifier draws close to or beyond the current limit of the small relay in those switches. I looked around on the ‘Net and was hard pressed to find something that would handle higher currents. The unit is on a 20A circuit so I needed to be sure that whatever I used was rated to switch that much current. Most of the relays that are out there for “arduino” projects seem to be limited to 10 amps as well. Boo!

I found a relay on Amazon that was capable of switching up to 30 amps! I’m thinking “this ought to last”, but I need to build a circuit that can energize a 12V DC coil. The ESP8266 development board is fed 5 volts (the chip itself is 3.3V logic), and a GPIO pin doesn’t put out nearly enough voltage or current to drive the coil. I needed to add a 12 volt modular switching power source, a 5 volt regulator for the ESP8266, and a MOSFET module (triggered by the GPIO pin on the ESP8266) to switch the 12 volt supply and send DC to energize the relay coil. Here’s what I used to build this industrial strength appliance smart switch:

Of course, it goes without saying, I installed the open source Tasmota software on the ESP8266 module! I then set pin D1 to drive the relay:

12 VDC buck switching supply:

120-240VAC IN – 12VDC OUT

Here’s a picture of the ESP8266, 5VDC buck regulator, and MOSFET module all wired up on a PCB. This is what gives the switch its smarts and allows the automation system to control it over MQTT/WiFi:

Here you can see the large relay. It is DPDT (double pole, double throw), has a 12V coil, and the switch contacts are rated for 30A @250VAC. A contact rating like this is normally quoted for a resistive load; a dehumidifier compressor is an inductive load with a large starting inrush, which is exactly why a 10A plug-in switch dies early, so this much margin on a 20A circuit is not excessive:

This is the entire smartswitch build finished:

All enclosed in a sealed IP67 rated enclosure. This design can be used outdoors!

And of course, with power applied (it passed the smoke test!):

ABSTRACT

A neighbor (looking at you Chad) recommended Cloudflare for my website and I figured I’d try it out.  Doing so entailed changing the NS records for my domain at the registrar, which effectively moved the whole DNS zone for the domain over to Cloudflare.  Awesome!  I get the benefits of Cloudflare; the only thing is, I realized that my old bash script which kept my home network IP tied to a DNS host name no longer works.  I needed to update it.   So I set out to rewrite the script and figured I’d share it here, hopefully to help someone else wanting a DDNS hostname for a dynamic IP at home.  Without further delay, here’s the script; all that is needed is to plug in the values for the variables, set it in a crontab, and done:

#!/bin/bash
# Exit on any error, unset variable, or failed pipeline stage
set -euo pipefail

time=$(/bin/date)
# Public address as seen from outside; -s = quiet, -f = fail on HTTP errors
myip=$(/usr/bin/curl -sf "https://ipinfo.io/ip")
# Populate with your own Cloudflare specs (bash assignments take no spaces around '=')
myZoneID=""
myRecordID=""
myKey=""      # Global API Key; a scoped API token (DNS edit on this one zone) is the safer choice
hostname=""
email=""
logfile="/var/log/DNS-UPDATE-$(date +"%Y-%m-%d").log"

# Never push an empty or malformed value into DNS
if ! [[ "$myip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
        echo "$time could not determine public IP (got '$myip')" >> "$logfile"
        exit 1
fi

# With an API token, replace the two X-Auth-* headers by: -H "Authorization: Bearer $token"
response=$(curl -sf -X PUT "https://api.cloudflare.com/client/v4/zones/$myZoneID/dns_records/$myRecordID" \
        -H "X-Auth-Email: $email" \
        -H "X-Auth-Key: $myKey" \
        -H "Content-Type: application/json" \
        --data "{\"type\":\"A\",\"name\":\"$hostname\",\"content\":\"$myip\",\"ttl\":1,\"proxied\":false}") \
        || { echo "$time API call failed for $hostname" >> "$logfile"; exit 1; }

# Cloudflare answers {"success":true,...} on a successful update
if [[ "$response" != *'"success":true'* ]]; then
        echo "$time update rejected for $hostname: $response" >> "$logfile"
        exit 1
fi

echo "$time IP Updated to: $myip for $hostname" >> "$logfile"

In addition to updating your DNS record, this also keeps logs of the changes to preserve a history of IP address changes. Two things worth knowing: the script runs with whatever credentials are written in it, so keep the file readable only by the account that runs it (chmod 700), and prefer a scoped API token limited to editing DNS in this one zone over the account’s Global API Key, which can do anything the account can.

There are many websites out there that will gladly take the details of your wifi network and, in exchange for receiving those details, generate a QR code that you can use to give others easy access to your guest network or business wifi. I strongly recommend against the use of such sites: you have just handed a stranger your SSID and password, and you can’t be sure they aren’t mining the data to build a repository of such information, or for what other purposes.

Instead, I used a freely available tool in Linux known as qrencode. Fortunately, qrencode is a simple program that you run locally on your Linux machine, so the password never leaves it (you could even roll up a Linux VM to do this if you don’t have a machine with Linux on it).

Installing qrencode in debian or ubuntu is as easy as:
sudo apt install qrencode

Once you have it installed, the format for generating the QR code is pretty straightforward (-l H selects the highest error-correction level, which survives a printed, slightly scuffed code). T is WPA for WPA/WPA2 networks, WEP, or nopass for an open network (omit the P: field then). If your SSID or password contains a backslash, semicolon, comma, colon or double quote, escape it with a backslash, or the reader will split the fields in the wrong place:
qrencode -l H -t PNG -o qrwifi.png "WIFI:S:{SSID name of your network};T:{security type - WPA or WEP};P:{the network password};;"

So say your wifi name is “FBI VAN” with a password of “b0nehead” and uses WPA encryption; your command to generate the QR code would look like this:
qrencode -l H -t PNG -o qrwifi.png "WIFI:S:FBI VAN;T:WPA;P:b0nehead;;"

You would then see this QR code generated: (go ahead, scan it here!)

Once done, you have a nice QR code you can print and display for your guests. This makes it easy to get them connected, and they don’t have to bother anyone for the wifi password anymore. It’s a win on both sides. Just remember that the printed code is the password: anyone who can scan it is on that network, which is why this belongs on a guest network rather than the one your NAS lives on.
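The escaping rule above is easy to get wrong by hand, so here is a small helper, added as an example and not part of the original post. It builds the WIFI: payload with the reserved characters escaped, supports open networks (T:nopass) and hidden SSIDs (H:true), and feeds the result to qrencode on stdin (qrencode reads its input from stdin when no string argument is given). The output file name and the chmod are my choices, not the post’s.

```shell
#!/bin/sh
# Added example (not from the original post): build the WIFI: payload with
# proper escaping before handing it to qrencode. The format reserves
# backslash, semicolon, comma, colon and double quote; each must be
# backslash-escaped or a reader will split the SSID/password in the wrong place.

# wifi_escape STRING : escape the reserved characters
wifi_escape() {
    printf '%s' "$1" | sed 's/[\\;,:"]/\\&/g'
}

# wifi_qr_payload SSID TYPE [PASSWORD] [HIDDEN]
#   TYPE is WPA (also used for WPA2 networks), WEP or nopass;
#   HIDDEN=true adds the H:true flag for a non-broadcast SSID
wifi_qr_payload() {
    ssid=$(wifi_escape "$1"); type=$2
    printf 'WIFI:S:%s;T:%s;' "$ssid" "$type"
    if [ "$type" != nopass ]; then
        printf 'P:%s;' "$(wifi_escape "$3")"
    fi
    if [ "${4:-false}" = true ]; then
        printf 'H:true;'
    fi
    printf ';'
}

# make_wifi_qr SSID TYPE [PASSWORD] [HIDDEN] : render qrwifi.png in the current directory
make_wifi_qr() {
    wifi_qr_payload "$@" | qrencode -l H -t PNG -o qrwifi.png
    chmod 600 qrwifi.png   # the PNG encodes the password; don't leave it world-readable
}

# Example from the post:  make_wifi_qr 'FBI VAN' WPA b0nehead
# Hidden guest network:   make_wifi_qr 'Guest;Net' WPA 'p:w' true
```

For the post’s own example the helper produces exactly the string typed by hand above, WIFI:S:FBI VAN;T:WPA;P:b0nehead;;, and for an SSID like Guest;Net it emits Guest\;Net so the semicolon is not taken as the end of the field.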

ABSTRACT

So we recently moved to Northbridge (July 2020) and we were excited that (at the time) the NPS school district was not a GoGuardian customer.  Our family fought with our last school district in North Attleboro to stop deploying GoGuardian to our equipment at home for the reasons I documented back then.  The concept is simple:

  • MY house
  • MY home network
  • MY privately paid for internet
  • MY computers
  • MY electricity that was/is being paid for to run such an invasive application extension software

As a student/family privacy advocate, I believe the school should monitor its equipment and only on school grounds.  When it comes to family owned equipment used at home or anywhere off school campus, it should be HANDS OFF!  Students (and families) deserve a reasonable expectation of privacy in their own homes and on their own computers.

You should know that today (at the time of this writing) I telephoned the product team at GoGuardian, and asked them about their data collection and retention policies.  They refused to give me any information citing that I wasn’t their customer.   Tax dollars funded the acquisition and installation of this software in our schools, I think full disclosure is totally appropriate.

LATEST FINDINGS/HOW TO TELL IF YOUR SCHOOL IS WATCHING

So at home, it’s YOUR computer, and your child is logged in to process homework, or email a teacher.  How do you know your school is watching and recording all their browsing history?  Here’s how:

Ensure they are logged into their school account in Chrome.  Once logged in, type this in the address bar (chrome://policy, opened in the same profile, will also list a force-installed extension under the ExtensionInstallForcelist policy that the school’s Google Workspace domain uses to push it):

chrome://extensions

You will see something like this showing GoGuardian is installed: (click for larger view)

Here you can see GoGuardian is installed and running on the browser.  ON YOUR COMPUTER!  Did you ever give your school system permission to install a monitoring agent on YOUR equipment?  No?  Then you need to complain to the highest levels of administration up to and including your school committee.  They are hoping this goes unnoticed, but I bet if they held a public forum on it and went out asking for consent, most people would decline once they fully understand what GoGuardian really does.  I’ll also note that it isn’t possible to remove this extension – the ability to remove it is managed by the school district’s Google Apps domain policy.

You can see here the permissions given to the GoGuardian browser extension – it’s disturbing:

Here’s a snapshot of the DNS queries I saw in our logs just after doing a test search for illicit materials on our machine: (click for larger image)

That right there, friends, is GoGuardian “phoning home” on what I just did: in this case my web browsing history and searching was sent to GoGuardian, and whatever I did is now visible to school officials.  There are real ramifications to this kind of tracking (which I will not go into here) but simply put, you should contact your school system and demand removal of this invasive browser extension from running in your home.  Here’s a brief use case/reasons why:

  • when the equipment and network the application/extension is running on does not belong to NPS
  • students need to have a perceived sense of privacy within their own home and on family owned equipment.
  • on shared family owned equipment, the data collection could violate the privacy of any person who uses that equipment and unknowingly is operating within a chrome browser logged into that account.  People seldom check to see who chrome is logged in as – they just open a window and go online.
  • This also has the potential to implicate the “tracked” student in other people’s internet activity unfairly, on privately owned (but possibly shared) equipment.
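The DNS-log check described above can be automated. The following is an added example, not part of the original post: it takes a domain suffix as an argument, pulls matching lookups out of a dnsmasq/Pi-hole style query log and counts them per client, so a family router that logs DNS can show which machine talked to the vendor and how often. The log format is assumed to be dnsmasq’s log-queries output, and the sample lines are constructed with a placeholder suffix (vendor.example) rather than any real host name.

```shell
#!/bin/sh
# Added example (not from the original post): spot lookups for a monitoring
# vendor's domain in a dnsmasq/Pi-hole query log and count them per client.
# Assumed log format (dnsmasq with log-queries):
#   Sep 24 14:02:12 dnsmasq[812]: query[A] host.example from 192.168.1.20

# queries_for SUFFIX < logfile : print "client name" for each lookup of SUFFIX
# or any name under it (a plain substring match would also hit "notvendor.example")
queries_for() {
    awk -v sfx="$1" '
        /dnsmasq\[[0-9]+\]: query\[/ {
            name = $(NF-2); client = $NF
            if (name == sfx || substr(name, length(name) - length(sfx)) == "." sfx)
                print client, name
        }'
}

# count_by_client SUFFIX < logfile : "client count", busiest client first
count_by_client() {
    queries_for "$1" | awk '{ n[$1]++ } END { for (c in n) print c, n[c] }' | sort -k2,2nr
}

# sample_log : constructed log lines for a dry run (placeholder names, not real hosts)
sample_log() {
    cat <<'EOF'
Sep 24 14:02:11 dnsmasq[812]: query[A] www.example.com from 192.168.1.20
Sep 24 14:02:12 dnsmasq[812]: query[A] ext.vendor.example from 192.168.1.20
Sep 24 14:02:12 dnsmasq[812]: query[AAAA] ext.vendor.example from 192.168.1.20
Sep 24 14:02:13 dnsmasq[812]: reply ext.vendor.example is 203.0.113.5
Sep 24 14:02:14 dnsmasq[812]: query[A] vendor.example from 192.168.1.31
Sep 24 14:02:15 dnsmasq[812]: query[A] notvendor.example from 192.168.1.31
EOF
}

# Dry run on the constructed lines:   sample_log | count_by_client vendor.example
# Against a real log (path varies):   count_by_client goguardian.com < /var/log/pihole.log
```

On the constructed lines the count is 2 for 192.168.1.20 (the A and AAAA lookups) and 1 for 192.168.1.31; the reply line and the look-alike notvendor.example name are correctly ignored.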

Also the EFF (Electronic Frontier Foundation) has released an extensive study into the privacy matters and even legality of off-campus school surveillance.

SIGN THE PETITION TO REMOVE GOGUARDIAN FROM SCHOOLS

You can sign the petition here (I did): https://www.change.org/p/goguardian-ban-goguardian-in-schools-across-the-globe

HOW CAN MY SCHOOL MAKE THIS RIGHT?

Simple.  All the technology department needs to do is work with GoGuardian to prevent its extension from being deployed on non-school owned assets:

  • Work with GoGuardian to come up with a way to better control extension deployment by confining it to the following:
  • Define a Google Apps OU just for school-owned assets
  • Put all school-owned assets in that OU
  • Push GoGuardian policies to ONLY that OU containing school owned assets.

UPDATE 9/24

I spoke with Director Tiago Vital and Superintendent McKinstry today about the privacy concerns with the GoGuardian extension running on privately owned equipment.  Here are the key points:

  • McKinstry agrees that this extension running on “private property” is a bit concerning, wants to find a solution to exclude private computing equipment where possible.
  • Director Vital has actually looked into confining GoGuardian to specific OUs within the NPS GApps domain, but mentioned it doesn’t appear that GoGuardian honors this in its current version.
  • Both Director Vital and Superintendent McKinstry agreed that a joint conference to discuss directly with GoGuardian, ways of excluding private equipment from the product deployment scope is desired and have invited me to join the call to present the concern from a parent’s point of view.
  • Time and date of such call is yet to be determined.

I will provide additional updates as they become available.

UPDATE 9/27

I got an email back from Director Vital which makes it clear GoGuardian does not wish to hear from/or involve in discussion, parents.  Here’s what the email said (and my response) click for larger view:

It should be noted that the claim about the extensions on non-Chromebook devices is inaccurate.  Our family computer is a Linux (Ubuntu 20.04) machine running the Chrome browser.  You can see from the screenshots above from that computer that the extension was present and alive.  A test search for porn caused several DNS queries for goguardian servers to immediately show, indicating that the computer was talking to and sending data to GoGuardian.  This computer is private property, and we don’t consent to the residency of this executable extension (and code) belonging to GoGuardian, running on our private property (computer) in our home.

Since I learned that GoGuardian will not talk to parents – I went to my local police department (Northbridge Police) and filed a police report. (I’ll copy any developments herein as they happen)  I intend to fully pursue the legality of a school system and/or company placing executable monitoring agents in people’s homes on privately owned equipment.  I need parents to join this effort to preserve the expectation of privacy in our homes.  I also believe there are serious 4th amendment violations at work here.

UPDATE 9/30

I’ve kept an eye on our machine over the last couple of days and there has been no further GoGuardian traffic.  The extensions also appear to be missing from Chrome now.  I suspect that the school has somehow removed this extension from being deployed to our equipment when the kids log on – THANK YOU!   I do ask that parents use this guide to check and verify whether the GoGuardian extensions have disappeared from their Chrome browsers also.  Please follow the steps above and feel free to comment below.   NOTE: I believe this removal is only for PRIVATE at-home equipment.  If your child is using school issued equipment at home or on campus, I believe you will still see this extension in use.   Please remember that the focus of this cause is ONLY the removal of the GoGuardian extension from PRIVATE equipment used OFF CAMPUS.

ABSTRACT

In our home, we have 2 garage doors with RF remotes in our cars.  For most people, this is generally considered “good enough”.  I wanted to come up with a way to connect our garage door openers to our home automation system.  Doing so would have the added benefit of remote control from anywhere, especially if we are away.  This could be useful so that deliveries could be placed in the garage, or for any other reason where we would want to allow someone access to the garage but not the rest of the house.  Some folks have a code entry panel that serves this purpose, but then you have to share that code, and once shared it can be passed on without your knowledge.  Being able to open the garage remotely grants access without sharing a credential at all; the credential that matters is now the login to the automation console, which is the thing to protect.

This article makes the following assumptions:

  • You already know how to flash Tasmota onto ESP8266 hardware
  • You are familiar with Domoticz home automation console and adding devices
  • You use some method of message transport ie. MQTT between Domoticz and your Tasmota powered hardware

View the following video to see a demo of how this works:

SOLUTION

Since I already have an in-place home automation system, all I needed to do was configure two buttons on the console that would accept a pushbutton command and send a signal to a relay to open the door.  For hardware, I used a dual relay board that has an ESP8266 chip.  The 8266 chip was flashed with the latest Tasmota release and configured to operate the relays.  The switch output of each relay is wired to the existing wall switch of the garage door so that, when tripped, it operates the door just as the physical wall button already does. 

The Tasmota configuration uses the “Generic” template and configures GPIO0 to be Relay1, and GPIO2 to be Relay2.  After setting the GPIOs, I had to enter some settings and a ruleset into the Tasmota Console on the ESP-01.  To enable the ESP-01 to talk to the relay serial chip on the board, I had to go to the console and enter the following command and ruleset:  (NOTE: some older versions of this dual relay board may use 9600 baud instead of the 115200 baud shown here.)  Also, the dual relay board needs to operate in Mode 1 (default mode and indicated by a red LED on the board).

seriallog 0
Rule1
on System#Boot do Backlog Baudrate 115200; SerialSend5 0 endon
on Power1#State=1 do SerialSend5 A00101A2 endon
on Power1#State=0 do SerialSend5 A00100A1 endon
on Power2#State=1 do SerialSend5 A00201A3 endon
on Power2#State=0 do SerialSend5 A00200A2 endon

Then to enable the above rule:

rule1 1

turns on rule1.  Once enabled, I want to ensure that power disturbances do not trigger the relays or cause the ESP-01 to lose its config.  To ensure that the relays stay OFF after power interruptions or power cycles, I needed to enter this command on the Tasmota Console:

PowerOnState 0

I also wanted to make sure the config would remain intact even if there were several power cycles/disturbances (Tasmota’s fast power cycle detection resets the device to defaults after more than 6 rapid consecutive power cycles, which a flaky supply could trigger), so I disabled that detection with this command in the Tasmota Console:

SetOption65 1

Finally, we want the relays to only trigger momentarily when activated so that a pulse is registered to the garage door openers.  To do that, we must enter two more commands on the Tasmota Console of the relay board:

PulseTime1 1
PulseTime2 1

Once these changes are set, all that is needed is to set the Domoticz IDX address to match the two pushbuttons that were added to the Domoticz console.   At this point it should be possible to trigger the relays remotely from Domoticz: each one switches ON for the pulse period and then off again.  Note that PulseTime values from 1 to 111 are in tenths of a second, so PulseTime1 1 gives a 0.1 second pulse; use PulseTime1 10 if your opener wants a full second.  All that is left to do is wire the relay N.O. contacts to the physical garage door wall switches in the garage.  It will now be possible to open or close the garage doors from the Domoticz console on any mobile device that has access to it.  Since that console is now a physical-access control for the house, treat it accordingly: reach it over a VPN or an authenticated HTTPS front end rather than a bare port-forward, and put a username/password (and TLS if your broker supports it) on the MQTT link between Domoticz and the relay board, because anyone who can publish to that topic can open the door.
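The hex frames in the rule above are the relay board’s 4-byte serial protocol: A0, the relay number, the state, and a checksum that is the low byte of the sum of the first three bytes (A0+01+01 = A2, A0+02+00 = A2). As an added example, not part of the original post, the script below generates those frames, assembles Rule1 from them so a checksum cannot be mistyped, and pushes the whole console configuration to the board through Tasmota’s HTTP command endpoint (/cm?cmnd=) with curl. TASMOTA_HOST is an assumed variable holding the board’s address, and PulseTime is sent as 10 (one second) rather than the 1 (a tenth of a second) used in the post.

```shell
#!/bin/sh
# Added example (not from the original post). Generates the relay frames used
# in Rule1 above and pushes the whole configuration to the board over Tasmota's
# HTTP command endpoint. TASMOTA_HOST is an assumed variable holding the relay
# board's address. The HTTP interface is unauthenticated unless WebPassword is
# set on the board (then append &user=admin&password=... to the query string).

# lctech_frame RELAY STATE : A0 <relay> <state> <checksum>, the checksum being
# the low byte of the sum of the first three bytes
lctech_frame() {
    printf 'A0%02X%02X%02X' "$1" "$2" $(( (160 + $1 + $2) % 256 ))
}

# relay_rule : the Rule1 body, generated so the checksums cannot be mistyped
relay_rule() {
    printf 'on System#Boot do Backlog Baudrate 115200; SerialSend5 0 endon'
    for r in 1 2; do
        printf ' on Power%s#State=1 do SerialSend5 %s endon' "$r" "$(lctech_frame "$r" 1)"
        printf ' on Power%s#State=0 do SerialSend5 %s endon' "$r" "$(lctech_frame "$r" 0)"
    done
}

# urlencode STRING : percent-encode the characters that matter in a query string
urlencode() {
    printf '%s' "$1" | sed -e 's/%/%25/g' -e 's/ /%20/g' -e 's/#/%23/g' \
        -e 's/;/%3B/g' -e 's/=/%3D/g' -e 's/&/%26/g' -e 's/+/%2B/g'
}

# tasmota_cmd COMMAND : run one console command on the board; prints its JSON reply
tasmota_cmd() {
    curl -sf "http://${TASMOTA_HOST:?set TASMOTA_HOST to the board address}/cm?cmnd=$(urlencode "$1")"
}

# configure_board : the console steps from the post in one go. The rule is sent
# on its own because Backlog splits on ';' and the rule body contains one.
configure_board() {
    tasmota_cmd "SerialLog 0"
    tasmota_cmd "Rule1 $(relay_rule)"
    tasmota_cmd "Rule1 1"
    # PulseTime 10 = 1.0 s (values 1..111 are tenths of a second)
    tasmota_cmd "Backlog PowerOnState 0; SetOption65 1; PulseTime1 10; PulseTime2 10"
}

# Usage:  TASMOTA_HOST=192.0.2.50 sh garage-relay.sh && configure_board
```

Because the HTTP endpoint can flip the relays directly (cmnd=Power1%20ON is enough), keep the board on an isolated IoT VLAN with WebPassword set; the Domoticz login is not the only way in once the board itself is reachable.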

ABSTRACT

I moved to an area where my AM news station (WBZ) comes in rather scratchy.  Sure I could stream them over the internet on a mobile device, but what about the radios I currently have?  Have they now become paperweights?  Fortunately, WBZ streams online and I found a cool FM transmitter module that I thought “I could use this with a Raspberry Pi to put WBZ on the FM dial near my home”.  The FM module is about $12 and available on Amazon and I already had a raspberry pi computer I could dedicate for the project.  Why not try it?

SOLUTION

I installed Ubuntu Linux 20.04.2 server on the Raspberry Pi, and then installed software called Liquidsoap.  Liquidsoap is an audio/streaming swiss army knife and is, of course, open source.  Normally, people use Liquidsoap to capture a live audio source and then create a stream on the internet.  I wanted to do the reverse: pull in an internet stream and play it over the USB DSP that is built into the FM module.  A bonus is that the FM module is also powered via the USB connection – one cable does it all.  Shown here is the finished transmitter:

The FM module is quite versatile.  It has an analog line-in, condenser mic, and USB audio interface all built in!  Depending on what input you use, the module is smart enough to pick that input and use only that.  When I hooked the module to my raspberry pi and ran:

aplay -l

I was able to see the USB audio interface on the FM module:

$ aplay -l
**** List of PLAYBACK Hardware Devices ****
card 0: Headphones [bcm2835 Headphones], device 0: bcm2835 Headphones [bcm2835 Headphones]
Subdevices: 8/8
Subdevice #0: subdevice #0
Subdevice #1: subdevice #1
Subdevice #2: subdevice #2
Subdevice #3: subdevice #3
Subdevice #4: subdevice #4
Subdevice #5: subdevice #5
Subdevice #6: subdevice #6
Subdevice #7: subdevice #7
card 1: CD002 [CD002], device 0: USB Audio [USB Audio]
Subdevices: 0/1
Subdevice #0: subdevice #0

The “card 1” device is the USB connection to the FM module.

All I needed to do now was install and setup liquidsoap.  For that I used this guide and installed with OPAM.  Once I had liquidsoap installed, I created a .liq script which had the following configuration to stream WBZ and play it on the FM module’s USB interface:

str = "http://cast.wizworks.net:8000/wbz"
prog = mksafe(input.http(str))
prog = amplify(0.7,override="replay_gain",prog)
output.alsa(device="plughw:CARD=CD002,DEV=0",prog)

With this .liq file saved as play.liq, I could then start it up by running:

liquidsoap ./play.liq

If you want to add this as a systemd service, follow the usual conventions to create the service file and install it so it comes up whenever the Raspberry Pi is started.  Run it as a dedicated unprivileged user in the audio group rather than as root; nothing in this job needs more than access to the sound device and the network.
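As an added example (not from the original post), here is a small script that writes such a unit for the OPAM-installed Liquidsoap so the relay starts at boot and runs as an unprivileged user with a little systemd sandboxing. The Liquidsoap binary path, the script path and the user are parameters; the unit name fm-stream.service and the paths shown in the usage line are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): install a systemd unit that runs
# play.liq as an unprivileged user. An OPAM install puts the liquidsoap binary
# under the installing user's ~/.opam, so the path is passed in explicitly.

# write_unit DIR LIQ SCRIPT USER : write DIR/fm-stream.service
write_unit() {
    dir=$1 liq=$2 script=$3 user=$4
    cat > "$dir/fm-stream.service" <<EOF
[Unit]
Description=Liquidsoap FM relay
After=network-online.target sound.target
Wants=network-online.target

[Service]
User=$user
# the USB audio device is group-owned by 'audio' on Debian/Ubuntu
SupplementaryGroups=audio
ExecStart=$liq $script
Restart=on-failure
RestartSec=5
# no setuid escalation, private /tmp, read-only /usr /boot /etc
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=full
ProtectKernelTunables=yes
ProtectControlGroups=yes

[Install]
WantedBy=multi-user.target
EOF
}

# install_unit LIQ SCRIPT USER : write into /etc/systemd/system and start it (needs root)
install_unit() {
    write_unit /etc/systemd/system "$@"
    systemctl daemon-reload
    systemctl enable --now fm-stream.service
}

# Usage (assumed paths):
#   sudo sh install-fm-unit.sh && install_unit /home/pi/.opam/default/bin/liquidsoap /home/pi/play.liq pi
```

ProtectSystem=full leaves the home directory where the .liq script lives writable, which is what an OPAM install needs, while making /usr, /boot and /etc read-only to the process.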

FM Module Tips

The FM module, as it comes, does not have an antenna on it.   For best results, solder a 1 meter length of wire on the “ANT” solder pad and place the entire RPi/FM setup in a high location within your home.  You should find a clear spot on your FM dial using a portable radio and set the FM module to that frequency.  When properly set, you should be able to pick up the signal from your RPi/FM package at least 4 houses away before you start to hear static.  This amount of range from such a small module is pretty decent and sufficient to enjoy your streamed audio source on any ordinary radio near your home.  The sound quality is very good for a $12 module and sounds nice on my Tivoli and other radios.  Bear in mind that unlicensed FM transmitters are regulated (in the US, FCC Part 15 limits them to a range of roughly 200 feet), and a metre of wire on the antenna pad can push a module like this well past that; check the rules where you live before extending the antenna.

Background

My neighbor recently did a landscape lighting project of his own.  It looked great and was a simple grid-tied system.  I wanted to kill 2 birds with one stone and do a landscape lighting system of my own, but I wanted ours to be connected (wirelessly) to our Domoticz home automation system and I didn’t want to pay for the electricity to run it.  I was able to achieve both goals in this project through the use of ESP8266 and some MOSFETs triggered by PWM which had the added benefit of making the system dimmable if desired.

Solution

For this project, I gathered the following materials:

The way my house is situated, all the sunshine is in the back yard – plenty of sun there year round.  The front, where our landscaping is, has a lot of shade, so it is not a good place for a solar panel.  I also wanted to hide all the power generation and control stuff in the back yard anyway.   I was able to cut a thin slice into the side yard following the foundation from the back yard to the front yard and bury the cable in the dirt easily.  You can’t even see the cable:

In the back, is where the power generation and control stuff was located.   I made the wireless PWM controller inside an  IP67 rated enclosure and put banana posts on for easy connection:

This allows me to control the lights ON/OFF/Dim using my existing Domoticz home automation system.  Commands and telemetry are carried over wifi and MQTT to the Domoticz docker container.  The object in Domoticz can then apply time schedules, change brightness, or even turn on the lights during a motion trigger event from a PIR sensor that can be added to sense presence.

In the back yard, I set the case containing the battery and charge controller, solar panel, and PWM controller under the solar panel, in a spot where there is ample sunlight all day.

In the front, I ran the cable near the areas I wanted the lights and used the included connectors that came with the lamps.

I had the object in Domoticz setup to turn these on at 50% brightness 30 minutes past sun down.  Here’s the final result on how it looks:

ABSTRACT

We moved into town in July 2020 and, as new residents, we were always looking for ways to get a pulse on happenings in the town.  One great way to do that is to monitor the radio systems of the municipal services that operate within the town.  To monitor, one can either go out and purchase a $400 scanning receiver, install an antenna, and stay within earshot of the scanner to stay informed, or the (better) option is to set up a dedicated receiver for each service and connect the audio output to a computer (running appropriate software) to create and send a stream to broadcastify.com or another streaming relay service.  What’s nice about streaming to Broadcastify is that they archive all the audio you send them, so when something interesting happens and you miss it, you can download the audio from the stream archives and listen to it from anywhere as your schedule permits – or you can just listen live from any mobile device using the Broadcastify app.

MY STREAMS

POLICE



FIRE


MY SOLUTION

I chose to do the second option, because I have plenty of spare radios and computers.   To create my streams I use the following in my arsenal:

  • a low power Intel Atom ultra small form factor computer with plenty of USB ports and running Linux OS.
  • the liquidsoap audio toolkit to define and create the streams.
  • USB audio interfaces with inputs (connected to the radios)
  • UHF or VHF radios to dedicate to the monitoring setup – connected to a common (shared) or individual antennas.
  • An account on Broadcastify or other stream server  – from where you will serve your streams.
  • Broadcastify stream details for each stream (you will use this to setup liquidsoap).
  • a wired network connection (preferred) for your computer generating the streams.

I started with a small energy efficient computer (an ASUS Intel Atom “net top” computer) on which I installed Ubuntu Linux and Liquidsoap.  This computer needs a reliable internet connection and power source, as it will be running 24/7.  I chose a low power computer because I wanted to keep my energy costs low for the project.  Once Linux is installed and an IP set up on the box, a keyboard and monitor are no longer needed; you can do the rest of the setup over the local network via SSH.  To set up the computer for streaming, I installed Liquidsoap and created a config file (/etc/liquidsoap/radio.liq) to define the streams:


apt install liquidsoap
apt install liquidsoap-plugin-alsa

Once installed, you need to create a config file to tell liquidsoap how to create and process your streams:


# Define physical audio pickups:
radio4 = mksafe(input.alsa(device="plughw:CARD=USB,DEV=0"))
radio5 = mksafe(input.alsa(device="plughw:CARD=CODEC,DEV=0"))


# Define stream destinations:
output.icecast(
%mp3(stereo=false, bitrate=16, samplerate=22050),
host="audio3.broadcastify.com",
port=80, password="<your feed source password>", genre="Scanner",
description="Northbridge Police Dispatch", mount="/kejrncsk888",
name="Northbridge Police Dispatch - 453.1875 MHz", user="source",
url="https://www.broadcastify.com/listen/feed/34984", radio4)


output.icecast(
%mp3(stereo=false, bitrate=16, samplerate=22050),
host="audio1.broadcastify.com",
port=80, password="<your feed source password>", genre="Scanner",
description="Northbridge Fire Dispatch", mount="/s7sfsd87dsf",
name="Northbridge Fire Dispatch - 154.3625 MHz", user="source",
url="https://www.broadcastify.com/listen/feed/35186", radio5)

You get the parameters for the above output definitions from the feed details in your Broadcastify account when you apply to set up a feed.  The config file now holds your source password in the clear (and the feed itself is sent over plain HTTP on port 80, which is how Broadcastify ingests it), so keep the file readable only by root and the user the liquidsoap service runs as (chmod 640).  Once the config is in place, you can issue the following command to restart the liquidsoap service and bring your feeds online:


sudo systemctl restart liquidsoap

Once restarted, liquidsoap should now be sending your audio to broadcastify.  You should see your feeds online:

HOOKING UP THE RADIOS

Now that your stream is up, it’s time to hook up the radios and start sending audio over your stream (radio configuration/programming is out of the scope of this article).  Connect the “speaker out” jack on the back of the radio to the correct “line in” port on your USB audio pickup device and set the volume halfway to start.  (You don’t want too much audio or your stream could be noisy/distorted).  As the radio is receiving audio, adjust the volume knob on the radio for good balance of loudness and clarity.  Do the same on any other radios you wish to setup.  Be sure to lock the tuning so that the frequency can’t be accidentally changed.

RADIOS NEED ANTENNAS

Because we’re pulling signals off the air and streaming them online, you’ll need to either buy or make an antenna for such a dedicated setup.  I chose to make a simple one using an SO-239 connector:

LISTEN FROM ANYWHERE

Now, you can download the Broadcastify app on any mobile device and listen to the feeds from anywhere.  The data rate is extremely small so listening for long periods should not consume a lot of data on a data plan.  Now you can stay informed by listening or listen whenever you see local police/fire activity in your town.

Rebuilding My Home Network

ABSTRACT

I have had my ESXi box for YEARS and recently decided to take a dive into the world of KVM (QEMU) on Ubuntu Linux.  It’s a popular and completely open hypervisor that has become a staple in many datacenter environments.  I had been putting off the change because it meant I had to rebuild a few of the VMs I still had.  Though I recently made the plunge into docker containers and finding apps I could containerize, I still have a handful of VMs that perform various functions on my home network and “home lab”.  I’ll preface this by saying that the ESXi box did us well over the years and I hardly ever had to touch it.  The one thing I did not have with ESXi was other hosts to use for moving VMs.  The fact that the license isn’t free and ESXi is very persnickety about hardware requirements was a put-off in trying to implement vMotion (VMware’s method of migrating VMs around in a cluster).  With KVM, my options are more open and I have a handful of hosts that are compatible with KVM, so if I ever have a hardware problem I can move VMs in a pinch.

SOLUTION

To create a small cluster of physical hosts to run my new VMs built on KVM, I simply carried out these steps (I’ll go into greater detail on each one):

  • Install Ubuntu Server 20.04 OS on each physical machine
  • Configure a netplan for each physical KVM (pkvm) host that achieves:
    • bonded (teamed) interfaces
    • LACP (802.3ad) attributes to bring up the channel-group session
    • vlan tagged traffic over the bond
    • bridge interfaces to allow kvm guest VMs to attach to the desired vlan
  • Install necessary KVM packages
  • Configure a port channel interface on the main switch & define the physical switch ports that will participate in the LACP channel-group
  • Configure a common NFS mount on the NAS to hold the KVM guest images on the network
  • Move the new KVM VMs into my newly rebuilt KVM host
  • Consume donuts that my wife and kids made while the “internet was out”

Setting a Netplan

Ubuntu 20.04 uses netplan to configure the operation of network interfaces.  This method uses a simple YAML formatted file that is easy to write and back up.  If you screw up, you can always revert to a previous file (always make a backup!), and sudo netplan try applies a new config with a timeout and rolls it back automatically unless you confirm it, which matters when the link you are changing is the one you are SSHed in over.  My netplan file looks like this:

network:
  bonds:
    # two NICs aggregated with LACP to the switch's Port-channel2
    bond0:
      interfaces:
      - enp1s0f2
      - enp1s0f3
      parameters:
        mode: 802.3ad
        lacp-rate: fast
        mii-monitor-interval: 100
  ethernets:
#    enp1s0f0: {}
#    enp1s0f1: {}
    enp1s0f2: {}
    enp1s0f3: {}
    enp3s0:
      dhcp4: no
    enp4s0:
      dhcp4: no
  vlans:
    # one tagged sub-interface per VLAN carried over the bond; no addresses here
    vlan.2:
      id: 2
      link: bond0
      dhcp4: no
    vlan.5:
      id: 5
      link: bond0
      dhcp4: no
    vlan.11:
      id: 11
      link: bond0
      dhcp4: no
    vlan.10:
      id: 10
      link: bond0
      dhcp4: no
    vlan.50:
      id: 50
      link: bond0
      dhcp4: no
    vlan.73:
      id: 73
      link: bond0
      dhcp4: no
    vlan.300:
      id: 300
      link: bond0
      dhcp4: no
  bridges:
    # guests attach to brN to land in VLAN N; only br11 carries the
    # host's own management address
    br73:
      interfaces:
      - vlan.73
    br2:
      interfaces:
      - vlan.2
    br5:
      interfaces:
      - vlan.5
    br10:
      interfaces:
      - vlan.10
    br11:
      interfaces:
      - vlan.11
      addresses: [10.0.1.3/24]
      gateway4: 10.0.1.1
      nameservers:
        addresses: [10.0.1.10]
    br50:
      interfaces:
      - vlan.50
  version: 2

Installing KVM packages

apt install -y qemu qemu-kvm libvirt-daemon bridge-utils virt-manager virtinst

Configuring a port channel interface

With the netplan configuration saved and in place, I just executed sudo netplan apply and then proceeded to set up the switch side of the bonded connection.  The first thing I needed to do was configure a new port channel interface on the switch that would be suitable for carrying tagged traffic.  Note that plain spanning-tree portfast is ignored on a trunking interface; on a trunk to a hypervisor IOS wants spanning-tree portfast trunk:

interface Port-channel2
 description KVMBOX
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree portfast trunk
end

After setting up the port channel interface, I now had to add the physical interfaces that are cabled from the switch to the big KVM box:

interface GigabitEthernet1/0/44
 description TRUNK_TO_VBOX1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 lacp port-priority 500
 channel-protocol lacp
 channel-group 2 mode active
interface GigabitEthernet1/0/45
 description TRUNK_TO_VBOX1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 lacp port-priority 500
 channel-protocol lacp
 channel-group 2 mode active
end

wr mem

Once both ports were setup, I could then test the channel-group status:

CORE-SW#sh etherchannel 2 summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator

        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port


Number of channel-groups in use: 2
Number of aggregators:           2

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
2      Po2(SU)         LACP      Gi1/0/44(P) Gi1/0/45(P)
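The switch output above shows Po2 in use (SU) with both ports bundled (P). The same state can be confirmed from the Linux side in /proc/net/bonding/bond0, and the script below does that as an added example, not part of the original post: it checks that the bond is in 802.3ad mode and up, that the active aggregator has a real partner MAC (all zeros means the switch is not speaking LACP and the ports have fallen back to individual links), and that every slave is up and bundled. The embedded sample is a constructed bond0 file with placeholder MAC addresses.

```shell
#!/bin/sh
# Added example (not from the original post): check the Linux side of the LACP
# bond from /proc/net/bonding/bond0 after 'netplan apply'.

# bond_field FILE KEY : value of "KEY: value" from the section before the first slave
bond_field() {
    awk -v key="$2" '
        /^Slave Interface:/ { exit }
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, key ": ") == 1 { print substr(line, length(key) + 3); exit }' "$1"
}

# slave_states FILE : one "iface mii-status" line per slave
slave_states() {
    awk '
        /^Slave Interface:/ { iface = $3 }
        iface != "" && /^MII Status:/ { print iface, $3; iface = "" }' "$1"
}

# bond_check FILE : exit 0 when the bond is healthy, else report and exit 1
bond_check() {
    f=$1; ok=0
    case "$(bond_field "$f" "Bonding Mode")" in
        *802.3ad*) ;;
        *) echo "bond is not in 802.3ad mode"; ok=1 ;;
    esac
    [ "$(bond_field "$f" "MII Status")" = up ] || { echo "bond is down"; ok=1; }
    case "$(bond_field "$f" "Partner Mac Address")" in
        ""|00:00:00:00:00:00) echo "no LACP partner: switch side is not bundling"; ok=1 ;;
    esac
    nslaves=$(slave_states "$f" | wc -l | tr -d ' ')
    nports=$(bond_field "$f" "Number of ports")
    [ "$nslaves" = "${nports:-0}" ] || { echo "$nslaves slaves, $nports bundled"; ok=1; }
    down=$(slave_states "$f" | grep -v ' up$' || true)
    [ -z "$down" ] || { echo "slaves not up: $down"; ok=1; }
    return $ok
}

# sample_bond : constructed /proc/net/bonding/bond0 for a dry run (placeholder MACs)
sample_bond() {
    cat <<'EOF'
Ethernet Channel Bonding Driver: v5.4.0

Bonding Mode: IEEE 802.3ad Dynamic link aggregation
Transmit Hash Policy: layer2 (0)
MII Status: up
MII Polling Interval (ms): 100

802.3ad info
LACP rate: fast
Min links: 0
Aggregator selection policy (ad_select): stable
System priority: 65535
System MAC address: 02:00:00:00:00:01
Active Aggregator Info:
        Aggregator ID: 1
        Number of ports: 2
        Actor Key: 9
        Partner Key: 2
        Partner Mac Address: 02:00:00:00:00:02

Slave Interface: enp1s0f2
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 02:00:00:00:00:11
Aggregator ID: 1

Slave Interface: enp1s0f3
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 02:00:00:00:00:12
Aggregator ID: 1
EOF
}

# Real use:  bond_check /proc/net/bonding/bond0
```

Running it right after netplan apply, before the switch side is configured, is a good sanity check: the bond will report a zero partner MAC and only one (or zero) bundled ports until channel-group 2 comes up on the switch.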

It’s time to now setup an NFS share for holding KVM images

This part is easy:

  • apt install nfs-common (the NFS client utilities on Ubuntu)

Add a line to /etc/fstab:

10.9.9.20:/volume1/vol1 /vol1   nfs     _netdev,nfsvers=3,noatime,bg    0       0

Then mount: sudo mount /vol1.   I then created a symbolic link from the /var/lib/libvirt/images directory to point to /vol1/kvms (where the other KVM servers put their images).  Two things are worth doing on the NAS side: NFSv3 has no user authentication beyond the UID the client claims, so export /volume1/vol1 only to the KVM hosts’ addresses (ideally on a dedicated storage VLAN), and keep that export off any network a guest VM can reach, since every disk image on the share is readable to anyone who can mount it.

Now time to move my newly built KVM VMs into my new KVM host (built on a temporary KVM host)