Networking

How to fix Nextcloud updater PHP Fatal error:  Allowed memory size of … bytes exhausted

Problem:

While trying to update Nextcloud from the command line (e.g. via SSH) using a command like

php updater/updater.phar

you see an error message containing PHP Fatal error:  Allowed memory size of ... bytes exhausted, such as this one:

[✔] Check for expected files
[✔] Check for write permissions
[✔] Create backup
[✔] Downloading
[ ] Verify integrity ...PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 155061456 bytes) in phar:///owncloud.mydomain.com/updater/updater.phar/lib/Updater.php on line 637

Solution:

First, try to adjust the memory limit in your webhosting panel or php.ini. If this is not possible (for example, my hoster uses separate settings for FastCGI PHP and for command line (CLI) PHP, and the updater runs under the CLI), you can set the memory limit manually for this single invocation using

php -d memory_limit=512M updater/updater.phar


Posted by Uli Köhler in Networking, Nextcloud, PHP

How to fix Nextcloud Step … is currently in process. Please call this command later.

Problem:

While trying to update Nextcloud from the command line (e.g. via SSH) using a command like

php updater/updater.phar

you see the following error message:

Nextcloud Updater - version: v20.0.0beta4-11-g68fa0d4

Step 5 is currently in process. Please call this command later.

Solution:

Regardless of whether the step that appears to be in progress is Step 3, Step 5 or any other step, the solution is always the same: reset the update by deleting the data/updater-occ[random-string] folder.

Recommended: If you are paranoid about losing data, just rename the directory:

mv data/updater-occ* ../DELETEME-updater

Not recommended: You can also just delete the directory:

rm -rf data/updater-occ*


Posted by Uli Köhler in Networking, Nextcloud

Traefik container labels for the Unifi controller via docker-compose

For the basic configuration & setup of the Unifi controller via docker-compose, see Simple Unifi controller setup using docker-compose! This post just covers the Traefik label part.

This setup is based on our previous post on the Unifi docker-compose setup. Furthermore, our Traefik configuration is discussed in more detail in our post on Simple Traefik docker-compose setup with Lets Encrypt Cloudflare DNS-01 & TLS-ALPN-01 & HTTP-01 challenges.

For this example, we’ll use a wildcard Let’s Encrypt certificate for the domain *.mydomain.com via the Traefik certificate resolver (certresolver) named cloudflare, with the Unifi controller running on unifi.mydomain.com.

Here’s the container label config:

labels:
  - "traefik.enable=true"
  - "traefik.http.routers.unifi.rule=Host(`unifi.mydomain.com`)"
  - "traefik.http.routers.unifi.entrypoints=websecure"
  - "traefik.http.routers.unifi.tls.certresolver=cloudflare"
  - "traefik.http.routers.unifi.tls.domains[0].main=mydomain.com"
  - "traefik.http.routers.unifi.tls.domains[0].sans=*.mydomain.com"
  - "traefik.http.services.unifi.loadbalancer.server.port=8443"
  - "traefik.http.services.unifi.loadbalancer.server.scheme=https"

Note particularly these lines which make Traefik access the Unifi controller via HTTPS:

- "traefik.http.services.unifi.loadbalancer.server.port=8443"
- "traefik.http.services.unifi.loadbalancer.server.scheme=https"

Complete example

version: '2.3'
services:
  mongo_unifi:
    image: mongo:3.6
    network_mode: host
    restart: always
    volumes:
      - ./mongo_db:/data/db
      - ./mongo/dbcfg:/data/configdb
    command: mongod --port 29718
  controller:
    image: "jacobalberty/unifi:latest"
    depends_on:
      - mongo_unifi
    init: true
    network_mode: host
    restart: always
    volumes:
      - ./unifi_dir:/unifi
      - ./unifi_data:/unifi/data
      - ./unifi_log:/unifi/log
      - ./unifi_cert:/unifi/cert
      - ./unifi_init:/unifi/init.d
      - ./unifi_run:/var/run/unifi
      - ./unifi_backup:/unifi/data/backup
#    sysctls:
#      net.ipv4.ip_unprivileged_port_start: 0
    environment:
      - DB_URI=mongodb://localhost:29718/unifi
      - STATDB_URI=mongodb://localhost:29718/unifi_stat
      - DB_NAME=unifi
      - UNIFI_HTTP_PORT=8090
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.unifi.rule=Host(`unifi.mydomain.com`)"
      - "traefik.http.routers.unifi.entrypoints=websecure"
      - "traefik.http.routers.unifi.tls.certresolver=cloudflare"
      - "traefik.http.routers.unifi.tls.domains[0].main=mydomain.com"
      - "traefik.http.routers.unifi.tls.domains[0].sans=*.mydomain.com"
      - "traefik.http.services.unifi.loadbalancer.server.port=8443"
      - "traefik.http.services.unifi.loadbalancer.server.scheme=https"
# Ports commented out since network mode is set to "host"
#    ports:
#      - "3478:3478/udp" # STUN
#      - "6789:6789/tcp" # Speed test
#      - "8080:8080/tcp" # Device/ controller comm.
#      - "8443:8443/tcp" # Controller GUI/API as seen in a web browser
#      - "8880:8880/tcp" # HTTP portal redirection
#      - "8843:8843/tcp" # HTTPS portal redirection
#      - "10001:10001/udp" # AP discovery
  logs:
    image: bash
    depends_on:
      - controller
    command: bash -c 'tail -F /unifi/log/*.log'
    restart: always
    volumes:
      - ./unifi_log:/unifi/log
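
The labels above are only ever interpreted by Traefik at container start, so a typo silently produces a router that never serves traffic. As an added example (not code from the original post or from the Traefik project), the following Python checker applies the rules Traefik v2 uses for docker labels to a label list before you deploy it: a router needs a rule, entrypoints and a certresolver, an explicitly referenced service must exist (with no explicit reference Traefik uses the single service defined on the container), the backend port must be numeric, and an https backend is only reachable if Traefik trusts its certificate. The label lists are constructed copies of the configuration above, plus one deliberately broken variant.

```python
import re
from collections import defaultdict

# Constructed copy of the label list from the UniFi controller service above
UNIFI_LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.unifi.rule=Host(`unifi.mydomain.com`)",
    "traefik.http.routers.unifi.entrypoints=websecure",
    "traefik.http.routers.unifi.tls.certresolver=cloudflare",
    "traefik.http.routers.unifi.tls.domains[0].main=mydomain.com",
    "traefik.http.routers.unifi.tls.domains[0].sans=*.mydomain.com",
    "traefik.http.services.unifi.loadbalancer.server.port=8443",
    "traefik.http.services.unifi.loadbalancer.server.scheme=https",
]

# Constructed variant with two common mistakes: no certresolver and no backend port
BROKEN_LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.unifi.rule=Host(`unifi.mydomain.com`)",
    "traefik.http.routers.unifi.entrypoints=websecure",
    "traefik.http.services.unifi.loadbalancer.server.scheme=https",
]

LABEL_RE = re.compile(r"^traefik\.http\.(routers|services)\.([^.]+)\.(.+)$")


def parse_labels(labels):
    """Group traefik.http.* labels by kind (routers/services) and name; option keys are lower-cased."""
    parsed = {"enable": False, "routers": defaultdict(dict), "services": defaultdict(dict)}
    for label in labels:
        key, _, value = label.partition("=")
        if key == "traefik.enable":
            parsed["enable"] = value.strip().lower() == "true"
            continue
        match = LABEL_RE.match(key)
        if match:
            kind, name, option = match.groups()
            parsed[kind][name][option.lower()] = value
    return parsed


def check_labels(labels):
    """Return (severity, message) pairs; 'error' means Traefik will not route as intended."""
    parsed = parse_labels(labels)
    findings = []
    if not parsed["enable"]:
        findings.append(("error", "traefik.enable=true missing; with exposedByDefault=false "
                                  "the container is ignored"))
    for name, router in parsed["routers"].items():
        if "rule" not in router:
            findings.append(("error", f"router {name}: no rule"))
        if "entrypoints" not in router:
            findings.append(("error", f"router {name}: no entrypoints, so it attaches to every "
                                      "entrypoint including plain-HTTP ones"))
        if "tls.certresolver" not in router:
            findings.append(("error", f"router {name}: no tls.certresolver, no certificate "
                                      "would be requested"))
        explicit = router.get("service")
        if explicit is not None and explicit not in parsed["services"]:
            findings.append(("error", f"router {name}: service {explicit!r} has no labels"))
        elif explicit is None and len(parsed["services"]) > 1:
            findings.append(("error", f"router {name}: several services defined but none "
                                      "selected via .service"))
    for name, service in parsed["services"].items():
        if not service.get("loadbalancer.server.port", "").isdigit():
            findings.append(("error", f"service {name}: loadbalancer.server.port missing "
                                      "or not numeric"))
        if (service.get("loadbalancer.server.scheme", "http") == "https"
                and "loadbalancer.serverstransport" not in service):
            findings.append(("note", f"service {name}: https backend without a serversTransport; "
                                     "Traefik verifies the backend certificate unless the global "
                                     "serversTransport.insecureSkipVerify is set, so a self-signed "
                                     "controller certificate needs one of the two"))
    return findings


def errors(labels):
    """Only the findings that break routing."""
    return [message for severity, message in check_labels(labels) if severity == "error"]
```

For the configuration above, errors(UNIFI_LABELS) is empty and check_labels() returns a single note about the https backend; the note is the reason the scheme=https lines deserve attention: the UniFi controller answers on 8443 with its own certificate, and Traefik has to be told to accept it.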

Posted by Uli Köhler in Networking, Traefik

How to check MikroTik RouterOS license level

How to find RouterOS license using the web interface

In the WebFig web UI, you can check the license level by clicking on System -> License.

How to find RouterOS license level using the Terminal

Run the following command:

/system license print

Look for the nlevel line. In the following example, the MikroTik RouterOS license level is Level 5:

[[email protected]] > /system license print
  software-id: 5ABC-DEF0
       nlevel: 5
     features: 

Posted by Uli Köhler in MikroTik, Networking

How to find out architecture of your Mikrotik RouterOS router

Find out the CPU architecture using the webinterface (WebFig)

In the WebFig web UI, go to System -> Resources, where the architecture is listed as CPU.

Find out the CPU architecture using the terminal

On the terminal, run

/system resource print

and look for the cpu line. In the following example, the architecture is ARM:

[[email protected]] > /system resource print
                   uptime: 10m24s
                  version: 7.3.1 (stable)
               build-time: Jun/09/2022 08:58:15
         factory-software: 6.44.6
              free-memory: 446.0MiB
             total-memory: 512.0MiB
                      cpu: ARM
                cpu-count: 2
                 cpu-load: 0%
           free-hdd-space: 1148.0KiB
          total-hdd-space: 16.0MiB
  write-sect-since-reboot: 595
         write-sect-total: 139871
               bad-blocks: 0%
        architecture-name: arm
               board-name: CRS326-24G-2S+
                 platform: MikroTik
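
When several routers have to be checked (e.g. to see which ones can take a given package or license-gated feature), reading these listings by eye does not scale. As an added example (not from the original posts), the following Python parser turns the output of /system license print from the previous post and of /system resource print above into dictionaries and extracts the license level and the architecture. The sample outputs are constructed in the shape of the listings above; the parser splits each line on its first colon only, so values that themselves contain colons (build-time) survive.

```python
# Constructed samples in the shape of the RouterOS listings shown above
LICENSE_OUTPUT = """\
  software-id: 5ABC-DEF0
       nlevel: 5
     features:
"""

RESOURCE_OUTPUT = """\
                   uptime: 10m24s
                  version: 7.3.1 (stable)
               build-time: Jun/09/2022 08:58:15
                      cpu: ARM
                cpu-count: 2
        architecture-name: arm
               board-name: CRS326-24G-2S+
                 platform: MikroTik
"""


def parse_print(output):
    """Turn the 'key: value' lines of a RouterOS 'print' listing into a dict.

    Splits on the first colon only; a pasted prompt line ('[user@router] > ...') is skipped.
    """
    fields = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("["):
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def license_level(output):
    """nlevel as an int, or None if the field is absent or not numeric."""
    level = parse_print(output).get("nlevel", "")
    return int(level) if level.isdigit() else None


def architecture(output):
    """architecture-name if present (lower-case package architecture), else the cpu field lower-cased."""
    fields = parse_print(output)
    return fields.get("architecture-name") or fields.get("cpu", "").lower() or None


def inventory(license_output, resource_output):
    """Compact record of one router, suitable for comparing several devices side by side."""
    resources = parse_print(resource_output)
    return {
        "board": resources.get("board-name"),
        "version": resources.get("version"),
        "architecture": architecture(resource_output),
        "license_level": license_level(license_output),
    }
```

Usage: paste the output of the two print commands (or fetch it over SSH) and pass it to inventory(); for the samples above it reports board CRS326-24G-2S+, architecture arm and license level 5.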


Posted by Uli Köhler in MikroTik, Networking

Which MikroTik switch can you use with 100M SFP modules?

Generally, 100M SFP modules cannot be used in SFP+ ports. They can sometimes be used in SFP ports, but there is no guarantee that this works properly until you have actually tested the hardware combination!

Compatible devices

The MikroTik help page lists the CRS106-5S-1C as being compatible with both 100M and 1G SFP modules:

This unit is compatible with 100Mbit and 1.25G SFP modules

It has 5 SFP ports and 1 Combo SFP or GigE port.

Besides manually searching the MikroTik site for other compatible devices, I also used Google to search for similar sentences on the MikroTik site. I could not find any other MikroTik device for which any statement about 100Mbit SFP compatibility is being made.

Incompatible devices

For the following devices I have checked the respective MikroTik help page and it does not list compatibility with 100M SFP modules. This does not automatically mean they aren’t compatible but it’s much less likely. Possibly the help page will be updated in the future to indicate compatibility. I have not physically tested any of those devices with 100M transceivers.

  • CRS310-1G-5S-4S+IN
  • CRS112-8P-4S-IN
  • hEX S
  • CRS109-8G-1S-2HnD-IN
  • CRS212-1G-10S-1S+IN

Often, the help pages will read something like Compatible with 1.25G SFP modules. This means that standard 100Mbit SFP modules are incompatible.

Posted by Uli Köhler in Electronics, MikroTik, Networking

How to disable XCP-NG Windows Update PCIe device on the command line

This post shows you how to disable the XCP-NG Windows update device on the command line. This prevents the automatic installation of the Citrix drivers and enables manual installation of a custom version.

Note that you can easily disable the Windows update PCIe device in XenOrchestra using a single click, but not in XCP-NG center!

Prerequisite: Shut down the VM in question – usually you need to disable the device before installing Windows!

First, get the UUID of the VM using

xe vm-list

which will output, for each virtual machine, something like:

uuid ( RO)           : 98002b8d-070f-9638-071c-be7e6c82f6a3
     name-label ( RW): CoreOS
    power-state ( RO): running

From that, copy the UUID such as 98002b8d-070f-9638-071c-be7e6c82f6a3.

Now run:

xe vm-param-set uuid=YOURUUID has-vendor-device=false

for example,

xe vm-param-set uuid=98002b8d-070f-9638-071c-be7e6c82f6a3 has-vendor-device=false

Now you can start up your VM with the driver installation PCIe device disabled.
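
Copying UUIDs by hand is error-prone, and xe happily accepts duplicate name-labels, so a script that resolves the VM by name should refuse ambiguous matches. As an added example (not from the original post), the following Python code parses the record format xe vm-list prints, looks up a VM by its name-label, enforces the prerequisite above (the VM must be halted) and builds the exact xe vm-param-set command line. The listing is constructed in the shape of the output shown above; the second UUID is a placeholder.

```python
import re
import sys

# Constructed sample in the shape of the 'xe vm-list' output shown above (two VM records)
XE_VM_LIST = """\
uuid ( RO)           : 98002b8d-070f-9638-071c-be7e6c82f6a3
     name-label ( RW): CoreOS
    power-state ( RO): running


uuid ( RO)           : 00000000-1111-2222-3333-444444444444
     name-label ( RW): win11-template
    power-state ( RO): halted
"""

# One 'field ( RO): value' / 'field ( RW): value' line as printed by xe
FIELD_RE = re.compile(r"^\s*([\w-]+)\s*\(\s*(?:RO|RW|MRO|MRW)\s*\)\s*:\s*(.*)$")


def parse_xe_records(output):
    """Split xe's record listing into one dict per VM; a new 'uuid' field starts a new record."""
    records, current = [], {}
    for line in output.splitlines():
        match = FIELD_RE.match(line)
        if not match:
            continue  # blank separator lines between records
        key, value = match.groups()
        if key == "uuid" and current:
            records.append(current)
            current = {}
        current[key] = value.strip()
    if current:
        records.append(current)
    return records


def find_vm(output, name_label):
    """Return the single record whose name-label matches; refuse ambiguous names, which xe allows."""
    matches = [r for r in parse_xe_records(output) if r.get("name-label") == name_label]
    if len(matches) != 1:
        raise LookupError(f"{len(matches)} VMs carry the name-label {name_label!r}")
    return matches[0]


def disable_vendor_device_command(output, name_label):
    """argv for 'xe vm-param-set ... has-vendor-device=false'; only allowed for a halted VM."""
    vm = find_vm(output, name_label)
    if vm.get("power-state") != "halted":
        raise RuntimeError(f"VM {name_label!r} is {vm.get('power-state')}; shut it down first")
    return ["xe", "vm-param-set", f"uuid={vm['uuid']}", "has-vendor-device=false"]


if __name__ == "__main__":
    # On the XCP-NG host: python3 thisfile.py <name-label> prints the command to run
    import subprocess
    listing = subprocess.run(["xe", "vm-list"], check=True, capture_output=True, text=True).stdout
    print(" ".join(disable_vendor_device_command(listing, sys.argv[1])))
```

The script only prints the command rather than executing it, so the UUID can be eyeballed once more before the parameter is changed.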

Posted by Uli Köhler in Networking, Virtualization

How to setup Cloudflare DNS-over-HTTPS (DoH) cache on MikroTik RouterOS router

Compared to standard UDP DNS, DNS-over-HTTPS (DoH) has the huge advantage that, because the traffic is encrypted, someone able to sniff it cannot determine which domain names are being looked up.

The disadvantage is that resolving a domain name takes significantly longer with DoH. However, setting up the MikroTik router as a DNS cache significantly reduces the overall DNS latency, at least for cached domain names.

The following list of RouterOS commands sets up the router’s internal DNS server as a cache that forwards its queries over DNS-over-HTTPS.

First, download the CA certificate bundle onto the router so that it can verify Cloudflare’s HTTPS certificate:

/tool fetch url=https://curl.se/ca/cacert.pem

Wait for it to finish downloading, e.g.

[[email protected]] > /tool fetch url=https://curl.se/ca/cacert.pem
      status: finished
  downloaded: 210KiB
       total: 210KiB
    duration: 1s

Now import the file and set up the DNS server:

/certificate import file-name=cacert.pem passphrase=""
/ip dns set allow-remote-requests=yes cache-size=8192KiB max-concurrent-queries=1000 max-concurrent-tcp-sessions=2000 servers=1.1.1.1 use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes
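
To show what the router does behind the use-doh-server setting, here is an added example (not from the original post) of the RFC 8484 exchange in Python: it builds a DNS query in wire format, encodes it as the dns parameter of a GET request to the cloudflare-dns.com/dns-query endpoint used in the command above, and parses the binary answer. The response bytes embedded at the end are constructed (an A record for example.com) so that the parsing can be exercised offline; resolve_a() performs the real HTTPS exchange and needs network access.

```python
import base64
import struct
import urllib.request

DOH_SERVER = "https://cloudflare-dns.com/dns-query"  # the endpoint from the RouterOS command above


def build_query(name, qtype=1):
    """Minimal DNS query (RFC 1035): ID 0 as RFC 8484 suggests for cacheable GETs, RD=1, one question."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def doh_get_url(query, server=DOH_SERVER):
    """RFC 8484 GET form: the wire message base64url-encoded without padding in the 'dns' parameter."""
    return server + "?dns=" + base64.urlsafe_b64encode(query).decode("ascii").rstrip("=")


def _read_name(msg, offset):
    """Decode a possibly compressed name; returns (name, offset just after the name field)."""
    labels, end, jumped, hops = [], None, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer into the message
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_answers(msg):
    """Return [(name, type, ttl, rdata)] from a DNS response; A records get dotted-quad rdata."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    offset = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(ancount):
        name, offset = _read_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return answers


def resolve_a(name, server=DOH_SERVER):
    """Perform the DoH exchange over HTTPS (needs network access; not used by the offline checks)."""
    request = urllib.request.Request(doh_get_url(build_query(name), server),
                                     headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(request, timeout=10) as response:
        if response.headers.get("Content-Type", "").split(";")[0] != "application/dns-message":
            raise ValueError("unexpected content type")
        return parse_answers(response.read())


# Constructed response: QR=1 RD=1 RA=1 RCODE=0, the echoed question, one A record (TTL 300)
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c"  # name compressed as a pointer to offset 12
    + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
)
```

Everything a passive observer sees of this exchange is a TLS connection to cloudflare-dns.com; the queried name only exists inside the encrypted request URL and response body, which is the property the post relies on. The verify-doh-cert=yes setting corresponds to urllib validating the server certificate against the CA bundle, which is why the cacert.pem import comes first.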


Posted by Uli Köhler in MikroTik, Networking

MikroTik webinterface reverse proxy using Traefik

The following Traefik .toml file, which reverse proxies a MikroTik router’s WebFig web interface, is based on our Traefik setup from Simple Traefik docker-compose setup with Lets Encrypt Cloudflare DNS-01 & TLS-ALPN-01 & HTTP-01 challenges. It assumes that the MikroTik router is reachable at 10.1.2.3 via HTTP.

No authentication beyond the MikroTik router’s own WebFig login is performed. However, at least when using the Traefik config from our previous post, HTTPS (i.e. encrypted access) is enforced.

Save the following file as config/mikrotik01.toml. Traefik will automatically reload it; no restart is required.

[http.routers.mikrotik01]
rule = "Host(`mikrotik01.mydomain.com`)"
service = "mikrotik01"

[http.routers.mikrotik01.tls]
certresolver = "cloudflare"

[[http.routers.mikrotik01.tls.domains]]
main = "mydomain.com"
sans = ["*.mydomain.com"]

[http.services]
[http.services.mikrotik01.loadBalancer]
[[http.services.mikrotik01.loadBalancer.servers]]
url = "http://10.1.2.3/"


Posted by Uli Köhler in MikroTik, Networking, Traefik

XenOrchestra docker-compose setup with Traefik labels

Based on Simple XenOrchestra setup using docker-compose, this extension of the config from that post adds Traefik container labels. For the Traefik configuration, see for example our previous post Simple Traefik docker-compose setup with Lets Encrypt Cloudflare DNS-01 & TLS-ALPN-01 & HTTP-01 challenges.

This setup uses a wildcard certificate, but you can also use a non-wildcard certificate (e.g. if you don’t have access to the DNS zone needed for the DNS-01 challenge) by deleting both traefik.http.routers.xenorchestra.tls.domains... lines and selecting a suitable resolver.

version: '3'
services:
    xen-orchestra:
        restart: unless-stopped
        image: ronivay/xen-orchestra:latest
        container_name: xen-orchestra
        network_mode: host
        stop_grace_period: 1m
        environment:
            - HTTP_PORT=1780
        cap_add:
          - SYS_ADMIN
        security_opt:
          - apparmor:unconfined
        volumes:
          - ./xo-data:/var/lib/xo-server
          - ./redis-data:/var/lib/redis
        labels:
          - "traefik.enable=true"
          - "traefik.http.routers.xenorchestra.rule=Host(`xenorchestra.mydomain.com`)"
          - "traefik.http.routers.xenorchestra.entrypoints=websecure"
          - "traefik.http.routers.xenorchestra.tls.certresolver=cloudflare"
          - "traefik.http.routers.xenorchestra.tls.domains[0].main=mydomain.com"
          - "traefik.http.routers.xenorchestra.tls.domains[0].sans=*.mydomain.com"
          - "traefik.http.services.xenorchestra.loadbalancer.server.port=1780"


Posted by Uli Köhler in MikroTik, Networking, Virtualization

nginx FritzBox webinterface reverse proxy

The following nginx config allows remote access to a local FritzBox, e.g. over VPN. You explicitly need to set the Host header to fritz.box in the proxied request; otherwise, the FritzBox will reject the request as part of its rebind protection.

server {
        listen 80 default_server;

        access_log off;
        error_log  off;
        location / {
            proxy_pass http://192.168.241.1;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host 'fritz.box';
        }
}

On most Linux distributions such as Debian or Ubuntu, install nginx using sudo apt -y install nginx or similar and place the config file above as /etc/nginx/sites-enabled/default.

Posted by Uli Köhler in Networking, nginx

How to install tailscale on XCP-NG host

By installing Tailscale on XCP-NG hosts, you can provide easier access to your virtualization host via VPN.

Run the following commands via SSH as root on the XCP-NG host (XCP-NG is based on CentOS 7, hence the CentOS 7 repository):

sudo yum-config-manager --add-repo https://pkgs.tailscale.com/stable/centos/7/tailscale.repo
sudo yum -y install tailscale

and enable & start the tailscale daemon tailscaled:

systemctl enable --now tailscaled


Posted by Uli Köhler in Headscale, Networking, Virtualization, VPN

How to set X-Forwarded-Proto header in nginx

Directly after any proxy_pass line, add

proxy_set_header X-Forwarded-Proto $scheme;

Typically X-Forwarded-Proto is used together with X-Forwarded-Host like this:

proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
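
These two headers are what an application behind nginx (WordPress, for instance) uses to decide whether the client is on HTTPS and which host name to put into redirects, so they must only be believed when they really come from the proxy: a client that reaches the backend port directly can send any X-Forwarded-Proto it likes. As an added example (not from the original post), the following Python functions show how a backend should consume the headers nginx sets above: honour them only when the TCP peer is a trusted proxy address, accept only http/https, and take the first element of a comma-separated chain. The trusted networks and the header dictionaries are constructed for the example.

```python
import ipaddress

# Constructed: the networks our nginx reverse proxy connects from (adjust to the deployment)
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("10.0.0.0/8")]

VALID_SCHEMES = ("http", "https")


def _header(headers, name):
    """Case-insensitive header lookup; WSGI/ASGI servers differ in the casing they preserve."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _from_trusted_proxy(remote_addr, trusted_proxies):
    peer = ipaddress.ip_address(remote_addr)
    return any(peer in network for network in trusted_proxies)


def effective_scheme(remote_addr, headers, trusted_proxies=TRUSTED_PROXIES, direct_scheme="http"):
    """Scheme the original client used.

    X-Forwarded-Proto is trusted only when the connection comes from one of our proxies.
    A forged 'https' from elsewhere would make the app emit secure cookies and https
    redirects over a plain-text connection. Chained proxies may append values
    ('https, http'); the first element is the outermost hop, i.e. the client side.
    """
    if not _from_trusted_proxy(remote_addr, trusted_proxies):
        return direct_scheme
    forwarded = _header(headers, "X-Forwarded-Proto")
    if not forwarded:
        return direct_scheme
    scheme = forwarded.split(",")[0].strip().lower()
    return scheme if scheme in VALID_SCHEMES else direct_scheme


def effective_host(remote_addr, headers, trusted_proxies=TRUSTED_PROXIES):
    """X-Forwarded-Host from a trusted proxy, else the Host header (None if neither is present)."""
    if _from_trusted_proxy(remote_addr, trusted_proxies):
        forwarded = _header(headers, "X-Forwarded-Host")
        if forwarded:
            return forwarded.split(",")[0].strip()
    return _header(headers, "Host")


def canonical_url(remote_addr, headers, path="/", trusted_proxies=TRUSTED_PROXIES):
    """The URL the client actually requested, as the application should use it for redirects."""
    scheme = effective_scheme(remote_addr, headers, trusted_proxies)
    host = effective_host(remote_addr, headers, trusted_proxies)
    return f"{scheme}://{host}{path}"
```

With nginx's $scheme the header carries a single value, so the comma handling only matters once a second proxy (a CDN, say) sits in front of nginx and the trusted list is extended accordingly.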


Posted by Uli Köhler in Networking, nginx, Wordpress

How to run iperf3 on Synology NAS using SSH

I prefer this method to the GUI docker method because:

  • It’s much more reproducible in practice
  • It involves fewer steps
  • It uses --net=host and therefore doesn’t involve additional routing, bridging or forwarding of packets which might impact performance

Log in to the Synology NAS over SSH using a user with admin privileges, then run sudo su.

To use iperf3 as a server, run

docker run -it --rm --name=iperf3-server --net=host networkstatic/iperf3 -s

To use iperf3 as a client, run

docker run -it --rm --name=iperf3-client --net=host networkstatic/iperf3 -c 10.1.2.3


Posted by Uli Köhler in Networking

Real-world Tailscale iperf3 results between a VM and a bare metal Desktop on a switched network

We tested iperf3 performance using our network based on the following devices:

  • Desktop: Ubuntu 21.10 i7-6700 CPU @ 3.40 GHz, connected using 1Gbase-T to
  • Desktop switch: Mikrotik CSS610-8G-2S+IN connected using 10GBase-T multimode SFP+ module to:
  • Core switch: Mikrotik CRS309-1G-8S+IN, connected using 10GBase-T DAC cable to
  • Virtualization server: i5-6500 CPU @ 3.20GHz running XCP-NG 8.2.1
  • Virtual Machine: Ubuntu 20.04, 4 cores, 8GB RAM

Tailscale version was

1.24.1
  tailscale commit: 1a9302b1edba91d0f638e775faeaa0ce2a6a25f8
  other commit: 1331ed5836e1a0ab32b10e6ce8748e17ba2c7598
  go version: go1.18.1-ts710a0d8610


The network is completely switched, not routed, and we verified using tailscale ping that Tailscale actually used a direct connection over the switched network.

Test 0: Direct connection over switched network

Desktop running iperf -s, VM running iperf -c 10.9.2.10:

Connecting to host 10.9.2.10, port 5201
[  5] local 10.9.2.103 port 52944 connected to 10.9.2.10 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  94.7 MBytes   794 Mbits/sec  338    109 KBytes       
[  5]   1.00-2.00   sec  98.0 MBytes   822 Mbits/sec  353    148 KBytes       
[  5]   2.00-3.00   sec  96.6 MBytes   811 Mbits/sec  382    117 KBytes       
[  5]   3.00-4.00   sec   103 MBytes   862 Mbits/sec  334    116 KBytes       
[  5]   4.00-5.00   sec   101 MBytes   851 Mbits/sec  483    102 KBytes       
[  5]   5.00-6.00   sec   104 MBytes   874 Mbits/sec  503    126 KBytes       
[  5]   6.00-7.00   sec   105 MBytes   883 Mbits/sec  527    119 KBytes       
[  5]   7.00-8.00   sec   108 MBytes   906 Mbits/sec  451    105 KBytes       
[  5]   8.00-9.00   sec   108 MBytes   903 Mbits/sec  442    117 KBytes       
[  5]   9.00-10.00  sec   107 MBytes   900 Mbits/sec  461    123 KBytes       
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  1.00 GBytes   861 Mbits/sec  4274             sender
[  5]   0.00-10.00  sec  1.00 GBytes   860 Mbits/sec                  receiver

iperf Done.

VM running iperf -s, Desktop running iperf -c 10.9.2.103:

Connecting to host 10.9.2.103, port 5201
[  5] local 10.9.2.10 port 42630 connected to 10.9.2.103 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  88.5 MBytes   742 Mbits/sec    0    966 KBytes       
[  5]   1.00-2.00   sec  90.0 MBytes   755 Mbits/sec    0   1.12 MBytes       
[  5]   2.00-3.00   sec  87.5 MBytes   734 Mbits/sec   33    833 KBytes       
[  5]   3.00-4.00   sec  90.0 MBytes   755 Mbits/sec    0    833 KBytes       
[  5]   4.00-5.00   sec  88.8 MBytes   745 Mbits/sec    0   1.00 MBytes       
[  5]   5.00-6.00   sec  88.8 MBytes   744 Mbits/sec    0   1.00 MBytes       
[  5]   6.00-7.00   sec  87.5 MBytes   734 Mbits/sec    0   1.09 MBytes       
[  5]   7.00-8.00   sec  90.0 MBytes   755 Mbits/sec    0   1.09 MBytes       
[  5]   8.00-9.00   sec  90.0 MBytes   755 Mbits/sec    0   1.09 MBytes       
[  5]   9.00-10.00  sec  90.0 MBytes   755 Mbits/sec   13    863 KBytes       
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec   891 MBytes   747 Mbits/sec   46             sender
[  5]   0.00-10.00  sec   888 MBytes   745 Mbits/sec                  receiver

iperf Done.

The direction where the VM hosts the iperf -s server, i.e. sends the data, shows a slight degradation of performance.

Test 1: Desktop running iperf -s, VM running iperf -c

Connecting to host 100.64.0.2, port 5201
[  5] local 100.64.0.3 port 37466 connected to 100.64.0.2 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  39.4 MBytes   330 Mbits/sec   62    149 KBytes       
[  5]   1.00-2.00   sec  45.8 MBytes   385 Mbits/sec   44    150 KBytes       
[  5]   2.00-3.00   sec  38.9 MBytes   326 Mbits/sec   97    122 KBytes       
[  5]   3.00-4.00   sec  47.9 MBytes   401 Mbits/sec    7    242 KBytes       
[  5]   4.00-5.00   sec  39.5 MBytes   332 Mbits/sec  118    110 KBytes       
[  5]   5.00-6.00   sec  46.6 MBytes   391 Mbits/sec   32    136 KBytes       
[  5]   6.00-7.00   sec  41.8 MBytes   351 Mbits/sec   42    159 KBytes       
[  5]   7.00-8.00   sec  44.3 MBytes   372 Mbits/sec   91    104 KBytes       
[  5]   8.00-9.00   sec  36.1 MBytes   303 Mbits/sec   72    133 KBytes       
[  5]   9.00-10.00  sec  41.5 MBytes   348 Mbits/sec   39    139 KBytes       
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec   422 MBytes   354 Mbits/sec  604             sender
[  5]   0.00-10.00  sec   421 MBytes   353 Mbits/sec                  receiver

iperf Done.

Test 2: VM running iperf -s, Desktop running iperf -c

Connecting to host 100.64.0.3, port 5201
[  5] local 100.64.0.2 port 36744 connected to 100.64.0.3 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  23.7 MBytes   199 Mbits/sec  104   89.9 KBytes       
[  5]   1.00-2.00   sec  23.6 MBytes   198 Mbits/sec   80   49.2 KBytes       
[  5]   2.00-3.00   sec  21.1 MBytes   177 Mbits/sec   59   54.0 KBytes       
[  5]   3.00-4.00   sec  23.6 MBytes   198 Mbits/sec   68   69.6 KBytes       
[  5]   4.00-5.00   sec  19.1 MBytes   160 Mbits/sec   77   48.0 KBytes       
[  5]   5.00-6.00   sec  25.3 MBytes   212 Mbits/sec   76   62.4 KBytes       
[  5]   6.00-7.00   sec  21.4 MBytes   179 Mbits/sec   50    107 KBytes       
[  5]   7.00-8.00   sec  25.6 MBytes   215 Mbits/sec   35    124 KBytes       
[  5]   8.00-9.00   sec  22.5 MBytes   188 Mbits/sec   71   48.0 KBytes       
[  5]   9.00-10.00  sec  25.0 MBytes   209 Mbits/sec   42   64.8 KBytes       
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec   231 MBytes   194 Mbits/sec  662             sender
[  5]   0.00-10.01  sec   230 MBytes   193 Mbits/sec                  receiver

UDP tests

UDP tests were mostly similar to TCP tests (albeit slightly higher throughput at up to 400 Mbit/s), including the sensitivity to the direction of the connection.

Interpretation of the results

Tailscale has a significant impact on network speeds and will usually not achieve near-Gigabit iperf3 speeds in a typical setup with a desktop that is a couple of years old and virtual machines. However, a throughput of 200-400 Mbit/s is more than enough for most applications.

Interestingly, the speed depends strongly on the direction of transfer between the less powerful VM and the more powerful desktop, with a factor of x1.5 … x2 between the two directions. This might be attributed to the amount of computation required to encrypt or decrypt the data.

Posted by Uli Köhler in Networking