[Systems] Fwd: Re: FSF public IP addresses are changing between December 20 and January 7th. coordination for sunjammer.sugarlabs.org

Bernie Innocenti bernie at codewiz.org
Sat Dec 22 20:36:58 EST 2018


I just saw this, but I'm on vacation and not sure whether I'll be able to assist with the IP migration for sunjammer.

Can someone please coordinate with Ian and Ruben to update sunjammer's config?


-------- Original Message --------
From: Ian Kelling <iank at fsf.org>
Sent: December 20, 2018 11:22:04 PM UTC
To: bernie at codewiz.org
Cc: Andrew Engelbrecht <andrew at fsf.org>, Ruben Rodriguez <ruben at fsf.org>
Subject: Re: FSF public IP addresses are changing between December 20 and January 7th. coordination for sunjammer.sugarlabs.org


Ian Kelling <iank at fsf.org> writes:

> Our network provider TowardEX generously donated our bandwidth and IP
> addresses for many years and now we have a new donor: Hurricane
> Electric. This change requires replacing our main IP ranges:
> 208.118.235.0/24 and 2001:4830:134::/48.
>
> If you have hardcoded the IP address of any GNU/FSF servers in those
> ranges in any code or configuration files, they will need to be
> updated. If you refer to our servers by their DNS name, such as
> "gnu.org", then that will continue to work.  You should use the DNS name
> wherever possible.
>
> There is a chance this change may temporarily cause some of the email we
> send to change its spam score. If you receive email from our servers,
> please check your spam email box and if you see any email from us there,
> please mark it as not spam so that your email provider will not see it
> as spam in the future.
>
> When? Most IP addresses will change on December 20-21. For machines
> where the IP change requires coordination with parties outside the FSF,
> such as volunteer administered machines, the old and new addresses will
> work simultaneously until January 7th, when the old IP may be removed at
> any time. If you think we might need to coordinate with you and we
> haven't contacted you yet, please email sysadmin at gnu.org.
>
> We expect all machines to keep the last number of their IPv4 address and
> the last 80 bits of their IPv6 address.
>
> On IPv4, we are changing from
> 208.118.235.0/24
> to
> 209.51.188.0/24
>
> And for IPv6, from
> 2001:4830:134::/48
> to
> 2001:470:142::/48
>
> So, for example fsf.org will change from
> 208.118.235.174
> to
> 209.51.188.174
> and from
> 2001:4830:134:4::a
> to
> 2001:470:142:4::a
>
> Since you administer your own machines:
>
> These are the major steps:
>
> 1. Enable the new IP (maybe more than 1 for IPv6 and IPv4) and create a secondary routing table.
> 2. Make the new IP be the default for outbound connections
> 3. Change DNS entries to the new IP.
> 4. Remove the old IP.
>
> Before and after each step, there may be specific steps and testing you
> want to do for your vm. For example, before the first step and after the
> last, you may have a firewall to update. Since you know the extra steps
> and how to test if things are broken, we prefer you to do as many steps
> as possible. However, if you are not confident in changing networking
> configs and you can tell us what to test or needs changing between
> steps, we can make the change.
>
> The FSF tech team prefers to work in our normal hours, but we can help
> outside those if necessary. Until the Jan 7th deadline, we are in the
> office today to Dec 21, Jan 2-4, and Jan 7. Usually 10am-6pm eastern
> time. We are also iank, quidam, and sudoman in #fsfsys on freenode.
>
>
> For sunjammer, since you control the DNS, you can do this all on your
> own. However, we want you to wait until we have made some IP changes on
> our own machines to prove that everything works. We will notify you, we
> expect by December 21st to say that everything is ready.
>
> Some technical notes
>
> For step 1. Generally, you can add your new IP by adding a section in
> /etc/network/interfaces, like this (replace 204):
>
> auto eth0:1
> iface eth0:1 inet static
>   address 209.51.188.204
>   gateway 209.51.188.1
>   netmask 255.255.255.0
>   
> Then run:
>
> ifup eth0:1
>
> Then, to enable this IP, but not be default for outbound connections:
>
> i=209.51.188.204; net=${i%.*}
> ip route add default via $net.1 dev eth0 table 1
> ip route add $net.0/24 dev eth0 src $i table 1
> ip rule add from $i/32 table 1
> ip rule add to $i/32 table 1
>
> Where the $i is your own IP, and eth0 is your main interface. If the new
> IP is on eth0 or eth0:1, eth0 works in the above commands.
>
> For step 2. To change the default outbound connection, remove the ip route
> and rules from step 1, create them again, but using the old IP,
> then change the main routing table to use the new IP using a command like:
>
> ip route replace default via 209.51.188.1 src 209.51.188.204
>
> With your help we can make this migration uneventful!


We've done our testing and groundwork. You are free to start the
migration, or let us know how we can help.

Some additional technical notes:

We have new resolver machines. If you are pointing to old-range IPs,
they need to be updated. Here is an example /etc/resolv.conf with the
new resolver IPs:

domain fsf.org
search fsf.org gnu.org
nameserver 209.51.188.16
nameserver 209.51.188.27
options timeout:1 attempts:3 rotate

Our IPv6 network has additional changes in the new range. The netmask is
now 48 instead of 64, and there is now only one gateway IP (some were
removed). Here is an example of a section in /etc/network/interfaces
that works with the new IPv6 network.

iface eth0 inet6 static
  pre-up echo 0 > /proc/sys/net/ipv6/conf/eth0/accept_dad
  address 2001:470:142:5::37
  netmask 48
  gateway 2001:470:142::1
  hostname emailselfdefense1p.fsf.org

-- 
Ian Kelling | Senior Systems Administrator, Free Software Foundation
GPG Key: B125 F60B 7B28 7FF6 A2B7  DF8F 170A F0E2 9542 95DF
https://fsf.org | https://gnu.org

-- 
ベルニー
Sent from my Android device with K-9 Mail.
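
Added example, not part of the original thread or any FSF tooling: a Python sketch that applies the renumbering rule from the announcement (same last octet on IPv4, same last 80 bits on IPv6) to find hardcoded old-range addresses in configuration text and compute their replacements. The names `renumber` and `find_hardcoded` and the sample config are constructed for illustration.

```python
import ipaddress
import re

# Old -> new prefixes, taken from the announcement in this thread.
RENUMBER = [
    (ipaddress.ip_network("208.118.235.0/24"), ipaddress.ip_network("209.51.188.0/24")),
    (ipaddress.ip_network("2001:4830:134::/48"), ipaddress.ip_network("2001:470:142::/48")),
]

# Candidate tokens: dotted quads, or runs of hex digits containing a colon.
CANDIDATE = re.compile(
    r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\d)|[0-9A-Fa-f]*:[0-9A-Fa-f:]+"
)

# Constructed sample config (not from any real host).
SAMPLE = """\
nameserver 208.118.235.16
allow from 2001:4830:134:4::a
smtp_bind 208.118.235.204:25
server 192.0.2.10
upstream gnu.org
"""


def renumber(addr):
    """Return the new address for an old-range address, or None if unaffected."""
    ip = ipaddress.ip_address(addr)
    for old, new in RENUMBER:
        if ip.version == old.version and ip in old:
            # Keep the host bits: last octet for the /24, last 80 bits for the /48.
            host_bits = int(ip) & int(old.hostmask)
            return str(new.network_address + host_bits)
    return None


def find_hardcoded(text):
    """Yield (line_no, old, new) for each old-range address found in text."""
    for line_no, line in enumerate(text.splitlines(), 1):
        for token in CANDIDATE.findall(line):
            try:
                new = renumber(token)
            except ValueError:
                continue  # looked like an address (e.g. ":25") but is not one
            if new:
                yield line_no, token, new


if __name__ == "__main__":
    for line_no, old, new in find_hardcoded(SAMPLE):
        print(f"line {line_no}: {old} -> {new}")
```

Firewall rules, ACLs and mail allowlists are the usual places where such literals survive a DNS-only update, so the same scan is worth running over those files before the old range is withdrawn.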

