[Systems] Fwd: Re: FSF public IP addresses are changing between December 20 and January 7th. coordination for sunjammer.sugarlabs.org
James Cameron
quozl at laptop.org
Wed Jan 9 23:27:10 EST 2019
Looks like Bernie finished this on 6th January. Thanks Bernie!
On Mon, Dec 24, 2018 at 11:38:08AM +1100, James Cameron wrote:
> Step 1 completed. As I don't have access to DNS, I cannot proceed
> beyond that.
>
> On Sun, Dec 23, 2018 at 01:36:58AM +0000, Bernie Innocenti wrote:
> > I just saw this, but I'm on vacation and not sure whether I'll be able to assist with the IP migration for sunjammer.
> >
> > Can someone please coordinate with Ian and Ruben to update sunjammer's config?
> >
> >
> > -------- Original Message --------
> > From: Ian Kelling <iank at fsf.org>
> > Sent: December 20, 2018 11:22:04 PM UTC
> > To: bernie at codewiz.org
> > Cc: Andrew Engelbrecht <andrew at fsf.org>, Ruben Rodriguez <ruben at fsf.org>
> > Subject: Re: FSF public IP addresses are changing between December 20 and January 7th. coordination for sunjammer.sugarlabs.org
> >
> >
> > Ian Kelling <iank at fsf.org> writes:
> >
> > > Our network provider TowardEX generously donated our bandwidth and IP
> > > addresses for many years and now we have a new donor: Hurricane
> > > Electric. This change requires replacing our main IP ranges:
> > > 208.118.235.0/24 and 2001:4830:134::/48.
> > >
> > > If you have hardcoded the IP address of any GNU/FSF servers in those
> > > ranges in any code or configuration files, they will need to be
> > > updated. If you refer to our servers by their DNS name, such as
> > > "gnu.org", then that will continue to work. You should use the DNS name
> > > wherever possible.
> > >
> > > There is a chance this change may temporarily cause some of the email we
> > > send to change its spam score. If you receive email from our servers,
> > > please check your spam email box and if you see any email from us there,
> > > please mark it as not spam so that your email provider will not see it
> > > as spam in the future.
> > >
> > > When? Most IP addresses will change on December 20-21. For machines
> > > where the IP change requires coordination with parties outside the FSF,
> > > such as volunteer administered machines, the old and new addresses will
> > > work simultaneously until January 7th, when the old IP may be removed at
> > > any time. If you think we might need to coordinate with you and we
> > > haven't contacted you yet, please email sysadmin at gnu.org.
> > >
> > > We expect all machines to keep the last number of their IPv4 address and
> > > the last 80 bits of their IPv6 address.
> > >
> > > On IPv4, we are changing from
> > > 208.118.235.0/24
> > > to
> > > 209.51.188.0/24
> > >
> > > And for IPv6, from
> > > 2001:4830:134::/48
> > > to
> > > 2001:470:142::/48
> > >
> > > So, for example fsf.org will change from
> > > 208.118.235.174
> > > to
> > > 209.51.188.174
> > > and from
> > > 2001:4830:134:4::a
> > > to
> > > 2001:470:142:4::a
> > >
> > > Since you administer your own machines:
> > >
> > > These are the major steps:
> > >
> > > 1. Enable the new IP (maybe more than 1 for IPv6 and IPv4) and create a secondary routing table.
> > > 2. Make the new IP be the default for outbound connections
> > > 3. Change DNS entries to the new IP.
> > > 4. Remove the old IP.
> > >
> > > Before and after each step, there may be specific steps and testing you
> > > want to do for your vm. For example, before the first step and after the
> > > last, you may have a firewall to update. Since you know the extra steps
> > > and how to test if things are broken, we prefer you to do as many steps
> > > as possible. However, if you are not confident in changing networking
> > > configs and you can tell us what to test or needs changing between
> > > steps, we can make the change.
> > >
> > > The FSF tech team prefers to work in our normal hours, but we can help
> > > outside those if necessary. Until the Jan 7th deadline, we are in the
> > > office today to Dec 21, Jan 2-4, and Jan 7. Usually 10am-6pm eastern
> > > time. We are also iank, quidam, and sudoman in #fsfsys on freenode.
> > >
> > >
> > > For sunjammer, since you control the DNS, you can do this all on your
> > > own. However, we want you to wait until we have made some IP changes on
> > > our own machines to prove that everything works. We will notify you, we
> > > expect by December 21st to say that everything is ready.
> > >
> > > Some technical notes
> > >
> > > For step 1. Generally, you can add your new IP by adding a section in
> > > /etc/network/interfaces, like this (replace 204):
> > >
> > > auto eth0:1
> > > iface eth0:1 inet static
> > > address 209.51.188.204
> > > gateway 209.51.188.1
> > > netmask 255.255.255.0
> > >
> > > Then run:
> > >
> > > ifup eth0:1
> > >
> > > Then, to enable this IP, but not be default for outbound connections:
> > >
> > > i=209.51.188.204; net=${i%.*}
> > > ip route add default via $net.1 dev eth0 table 1
> > > ip route add $net.0/24 dev eth0 src $i table 1
> > > ip rule add from $i/32 table 1
> > > ip rule add to $i/32 table 1
> > >
> > > Where the $i is your own IP, and eth0 is your main interface. If the new
> > > IP is on eth0 or eth0:1, eth0 works in the above commands.
> > >
> > > For step 2. To change the default outbound connection, remove the ip route
> > > and rules from step 1, create them again, but using the old IP,
> > > then change the main routing table to use the new IP using a command like:
> > >
> > > ip route replace default via 209.51.188.204
> > >
> > > With your help we can make this migration uneventful!
> >
> >
> > We've done our testing and groundwork, you are free to start the
> > migration, or let us know how we can help.
> >
> > Some additional technical notes:
> >
> > We have new resolver machines, if you are pointing to old range ips,
> > they need to be updated. Here is an example /etc/resolv.conf with the
> > new resolver ips:
> >
> > domain fsf.org
> > search fsf.org gnu.org
> > nameserver 209.51.188.16
> > nameserver 209.51.188.27
> > options timeout:1 attempts:3 rotate
> >
> > Our ipv6 network has additional changes in the new range. The netmask is
> > now 48 instead of 64, and there is now only one gateway ip (some were
> > removed). Here is an example of a section in /etc/network/interfaces
> > that works with the new ipv6 network.
> >
> > iface eth0 inet6 static
> > pre-up echo 0 > /proc/sys/net/ipv6/conf/eth0/accept_dad
> > address 2001:470:142:5::37
> > netmask 48
> > gateway 2001:470:142::1
> > hostname emailselfdefense1p.fsf.org
> >
> > --
> > Ian Kelling | Senior Systems Administrator, Free Software Foundation
> > GPG Key: B125 F60B 7B28 7FF6 A2B7 DF8F 170A F0E2 9542 95DF
> > https://fsf.org | https://gnu.org
> >
> > --
> > ベルニー
> > Sent from my Android device with K-9 Mail.
> > _______________________________________________
> > Systems mailing list
> > Systems at lists.sugarlabs.org
> > http://lists.sugarlabs.org/listinfo/systems
>
> --
> James Cameron
> http://quozl.netrek.org/
--
James Cameron
http://quozl.netrek.org/
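
An added example, not part of the original thread: the quoted announcement warns that addresses hardcoded in code or configuration (firewall rules, allowlists, relay settings) must be updated, and states that hosts keep the last octet of their IPv4 address and the last 80 bits of their IPv6 address. The sketch below applies that rule to find stale literals in a config text and compute their replacements; the names `translate`, `find_stale` and `SAMPLE` are hypothetical, and the sample input is constructed.

```python
import ipaddress
import re

# Old -> new prefixes, as announced in the quoted FSF message.
RENUMBER = [
    (ipaddress.ip_network("208.118.235.0/24"), ipaddress.ip_network("209.51.188.0/24")),
    (ipaddress.ip_network("2001:4830:134::/48"), ipaddress.ip_network("2001:470:142::/48")),
]

# Loose candidate match (dotted quad, or anything hex with colons);
# the ipaddress module does the real validation.
CANDIDATE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}|[0-9A-Fa-f]*:[0-9A-Fa-f:]+")


def translate(addr):
    """Return the new address for an old-range address, or None if not affected."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on non-addresses
    for old, new in RENUMBER:
        if ip.version == old.version and ip in old:
            # Keep the host part: last octet (IPv4) or last 80 bits (IPv6).
            host_bits = int(ip) & int(old.hostmask)
            return str(ipaddress.ip_address(int(new.network_address) | host_bits))
    return None


def find_stale(text):
    """Return [(line_no, old_addr, new_addr)] for old-range literals in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for token in CANDIDATE.findall(line):
            try:
                new = translate(token)
            except ValueError:
                continue  # port suffix, MAC address, timestamp, etc.
            if new:
                hits.append((line_no, token, new))
    return hits


# Constructed sample: an allowlist and relay setting with hardcoded addresses.
SAMPLE = """\
# constructed sample, not a real sunjammer config
allow from 208.118.235.174 port 22
relayhost = [2001:4830:134:4::a]:25
nameserver 209.51.188.16
"""

if __name__ == "__main__":
    for line_no, old, new in find_stale(SAMPLE):
        print(f"line {line_no}: {old} -> {new}")
```

Running it over firewall rules and service configs before step 4 (removing the old IP) shows which entries would otherwise keep pointing at addresses the FSF no longer holds.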