[Systems] Fwd: Re: FSF public IP addresses are changing between December 20 and January 7th. coordination for sunjammer.sugarlabs.org

James Cameron quozl at laptop.org
Sun Dec 23 19:38:08 EST 2018


Step 1 completed.  As I don't have access to DNS, I cannot proceed
beyond that.

On Sun, Dec 23, 2018 at 01:36:58AM +0000, Bernie Innocenti wrote:
> I just saw this, but I'm on vacation and not sure whether I'll be able to assist with the IP migration for sunjammer.
> 
> Can someone please coordinate with Ian and Ruben to update sunjammer's config?
> 
> 
> -------- Original Message --------
> From: Ian Kelling <iank at fsf.org>
> Sent: December 20, 2018 11:22:04 PM UTC
> To: bernie at codewiz.org
> Cc: Andrew Engelbrecht <andrew at fsf.org>, Ruben Rodriguez <ruben at fsf.org>
> Subject: Re: FSF public IP addresses are changing between December 20 and January 7th. coordination for sunjammer.sugarlabs.org
> 
> 
> Ian Kelling <iank at fsf.org> writes:
> 
> > Our network provider TowardEX generously donated our bandwidth and IP
> > addresses for many years and now we have a new donor: Hurricane
> > Electric. This change requires replacing our main IP ranges:
> > 208.118.235.0/24 and 2001:4830:134::/48.
> >
> > If you have hardcoded the IP address of any GNU/FSF servers in those
> > ranges in any code or configuration files, they will need to be
> > updated. If you refer to our servers by their DNS name, such as
> > "gnu.org", then that will continue to work.  You should use the DNS name
> > wherever possible.
> >
> > There is a chance this change may temporarily cause some of the email we
> > send to change its spam score. If you receive email from our servers,
> > please check your spam email box and if you see any email from us there,
> > please mark it as not spam so that your email provider will not see it
> > as spam in the future.
> >
> > When? Most IP addresses will change on December 20-21. For machines
> > where the IP change requires coordination with parties outside the FSF,
> > such as volunteer administered machines, the old and new addresses will
> > work simultaneously until January 7th, when the old IP may be removed at
> > any time. If you think we might need to coordinate with you and we
> > haven't contacted you yet, please email sysadmin at gnu.org.
> >
> > We expect all machines to keep the last number of their IPv4 address and
> > the last 80 bits of their IPv6 address.
> >
> > On IPv4, we are changing from
> > 208.118.235.0/24
> > to
> > 209.51.188.0/24
> >
> > And for IPv6, from
> > 2001:4830:134::/48
> > to
> > 2001:470:142::/48
> >
> > So, for example fsf.org will change from
> > 208.118.235.174
> > to
> > 209.51.188.174
> > and from
> > 2001:4830:134:4::a
> > to
> > 2001:470:142:4::a
> >
> > Since you administer your own machines:
> >
> > These are the major steps:
> >
> > 1. Enable the new IP (maybe more than 1 for IPv6 and IPv4) and create a secondary routing table.
> > 2. Make the new IP be the default for outbound connections
> > 3. Change DNS entries to the new IP.
> > 4. Remove the old IP.
> >
> > Before and after each step, there may be specific steps and testing you
> > want to do for your vm. For example, before the first step and after the
> > last, you may have a firewall to update. Since you know the extra steps
> > and how to test if things are broken, we prefer you to do as many steps
> > as possible. However, if you are not confident in changing networking
> > configs and you can tell us what to test or needs changing between
> > steps, we can make the change.
> >
> > The FSF tech team prefers to work in our normal hours, but we can help
> > outside those if necessary. Until the Jan 7th deadline, we are in the
> > office today to Dec 21, Jan 2-4, and Jan 7. Usually 10am-6pm eastern
> > time. We are also iank, quidam, and sudoman in #fsfsys on freenode.
> >
> >
> > For sunjammer, since you control the DNS, you can do this all on your
> > own. However, we want you to wait until we have made some IP changes on
> > our own machines to prove that everything works. We will notify you, we
> > expect by December 21st to say that everything is ready.
> >
> > Some technical notes
> >
> > For step 1. Generally, you can add your new IP by adding a section in
> > /etc/network/interfaces, like this (replace 204):
> >
> > auto eth0:1
> > iface eth0:1 inet static
> >   address 209.51.188.204
> >   gateway 209.51.188.1
> >   netmask 255.255.255.0
> >   
> > Then run:
> >
> > ifup eth0:1
> >
> > Then, to enable this IP, but not be default for outbound connections:
> >
> > i=209.51.188.204; net=${i%.*}
> > ip route add default via $net.1 dev eth0 table 1
> > ip route add $net.0/24 dev eth0 src $i table 1
> > ip rule add from $i/32 table 1
> > ip rule add to $i/32 table 1
> >
> > Where the $i is your own IP, and eth0 is your main interface. If the new
> > IP is on eth0 or eth0:1, eth0 works in the above commands.
> >
> > For step 2. To change the default outbound connection, remove the ip route
> > and rules from step 1, create them again, but using the old IP,
> > then change the main routing table to use the new IP using a command like:
> >
> > ip route replace default via 209.51.188.204
> >
> > With your help we can make this migration uneventful!
> 
> 
> We've done our testing and groundwork, you are free to start the
> migration, or let us know how we can help.
> 
> Some additional technical notes:
> 
> We have new resolver machines, if you are pointing to old range ips,
> they need to be updated. Here is an example /etc/resolv.conf with the
> new resolver ips:
> 
> domain fsf.org                                                                                
> search fsf.org gnu.org                                                                        
> nameserver 209.51.188.16                                                                      
> nameserver 209.51.188.27                                                                      
> options timeout:1 attempts:3 rotate
> 
> Our ipv6 network has additional changes in the new range. The netmask is
> now 48 instead of 64, and there is now only one gateway ip (some were
> removed). Here is an example of a section in /etc/network/interfaces
> that works with the new ipv6 network.
> 
> iface eth0 inet6 static                                                                                                                                                                       
>   pre-up echo 0 > /proc/sys/net/ipv6/conf/eth0/accept_dad                                                                                                                                     
>   address 2001:470:142:5::37                                                                                                                                                                  
>   netmask 48                                                                                                                                                                                  
>   gateway 2001:470:142::1                                                                                                                                                                     
>   hostname emailselfdefense1p.fsf.org   
> 
> -- 
> Ian Kelling | Senior Systems Administrator, Free Software Foundation
> GPG Key: B125 F60B 7B28 7FF6 A2B7  DF8F 170A F0E2 9542 95DF
> https://fsf.org | https://gnu.org
> 
> -- 
> ベルニー
> Sent from my Android device with K-9 Mail.
> _______________________________________________
> Systems mailing list
> Systems at lists.sugarlabs.org
> http://lists.sugarlabs.org/listinfo/systems

-- 
James Cameron
http://quozl.netrek.org/


More information about the Systems mailing list