Welcome to Centerionware.com.

Current Status:

  • Migration from Docker to Podman in cloud images: 80% complete.

  • The Cisco router is likely vulnerable to a 0day if it is ever exposed to the internet. It is not currently exposed, but that is still a valid concern, since it is the heart of this infrastructure.

  • Investigating SIEM tools.

Current issues:

  • Running commands that restart services which start before cloud-init (e.g. dhcpcd or podman) ends the cloud-init script instantly on the new Alpine 3.18.

  • First boot of new VMs is fairly broken, in small part due to the issue above and in large part due to me not having figured it out yet.

  • All installed images need to be switched from --restart unless-stopped to --restart always, or they won't automatically restart.

  • Sometimes the dual-pipe IPv6 address gathering solution fails. See DNS Server Issues below.

DNS Server issues

Currently all VMs are launched on servers inside my local network. This gives me maximum control over the DHCP server and the DNS servers all the VMs will use. When a VM is launched with the hostname 'supercoolvm', internal machines can find that VM's addresses at 'supercoolvm.centerionware.lan' automatically, thanks to OpenWRT, ODHCPD, Unbound and unbound-control. These are internal network addresses, but in the case of IPv6 they are also external addresses. This lets me do some really cool things, like NFS security based on domain resolution: if supercoolvm.centerionware.lan tries to mount an NFS share, the server looks at the IP, asks the DNS server 'hey, who's this?', gets a response and compares it to *.*.centerionware.lan and *.centerionware.lan. If it matches, it is something inside my network and gains a level of trust.
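The reverse-lookup trust check described above, as an added example (not code from this site's setup). It generalises the two patterns to any depth under the suffix, and adds the check a practitioner would want with it: a PTR answer is only trusted when the name also resolves forward to the requesting address (forward-confirmed reverse DNS), so an address outside the network whose PTR merely claims to be inside it is rejected. The addresses and resolver tables are constructed; `lookup_ptr` and `lookup_forward` stand in for real resolver calls.

```python
import ipaddress
from typing import Callable, Iterable, Optional, Set

# Constructed stand-in for what the home Unbound/ODHCPD zone would answer.
# Hypothetical addresses only; 203.0.113.9 models an outside host whose PTR
# claims an internal name, 10.0.0.60 models a suffix look-alike domain.
PTR_RECORDS = {
    "10.0.0.50": "supercoolvm.centerionware.lan",
    "10.0.0.51": "supercoolvm.proj.centerionware.lan",
    "2001:db8::50": "supercoolvm.centerionware.lan",
    "203.0.113.9": "supercoolvm.centerionware.lan",
    "10.0.0.60": "evilcenterionware.lan",
}
FORWARD_RECORDS = {
    "supercoolvm.centerionware.lan": {"10.0.0.50", "2001:db8:0:0::50"},
    "supercoolvm.proj.centerionware.lan": {"10.0.0.51"},
    "evilcenterionware.lan": {"10.0.0.60"},
}
TRUSTED_SUFFIXES = ("centerionware.lan",)


def lookup_ptr(ip: str) -> Optional[str]:
    return PTR_RECORDS.get(ip)


def lookup_forward(name: str) -> Set[str]:
    return FORWARD_RECORDS.get(name, set())


def name_in_domain(name: str, suffix: str) -> bool:
    # Match on a label boundary so "evilcenterionware.lan" does not pass.
    return name.rstrip(".").lower().endswith("." + suffix.lower())


def is_trusted(ip: str,
               ptr: Callable[[str], Optional[str]] = lookup_ptr,
               forward: Callable[[str], Iterable[str]] = lookup_forward,
               suffixes: Iterable[str] = TRUSTED_SUFFIXES) -> bool:
    try:
        ip = ipaddress.ip_address(ip).compressed   # normalise v4/v6 spelling
    except ValueError:
        return False
    name = ptr(ip)
    if name is None or not any(name_in_domain(name, s) for s in suffixes):
        return False
    # Forward confirmation: the claimed name must resolve back to this address.
    confirmed = {ipaddress.ip_address(a).compressed for a in forward(name)}
    return ip in confirmed
```

Without the forward confirmation, anyone who controls the reverse zone for their own address range could pass the suffix check.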

This is a problem. It's fine inside the network, but what if I want to allow other domains? Or if I want to have some VMs in external data centers?

I currently run a single external VM on Linode (a Nanode) for email egress, and it connects home via WireGuard. This is untenable for growth. WireGuard is great, sure, but do I really want to allow every VM I create in datacenters around the world to connect to my home network? I'd have to invest in all kinds of silly solutions to scale this, and it isn't secure.

Quick stage 1

As a stage one I can move away from the hacky dual Unix FIFO pipe solution and set it to find (project_name.)vmid.centerionware.lan. This doesn't scale to other domains though. To do that, I need a much better solution.

Proposed solution

I am already running three DNS servers internally. Two are on the edge gateway (one of those in Docker). The one on the gateway itself is Unbound; the one in Docker and the one on the other server are both BIND9 servers managed with Webmin. The BIND9 in Docker on the gateway is the slave of the primary, which runs in Docker on a VM on another server. The Unbound on the edge gateway serves the DHCP clients and is the primary forwarder for both the primary and slave internal resolvers. Unbound should be set up to use DNSSEC. It could be set to operate recursively, but that really does slow down all internet access by a very noticeable amount, so it should fall back to the popular Cloudflare and Google servers.

I need to find software that can integrate into the dashboard, n8n, or GitLab layer to generate a unique key when launching a server in an external datacenter (SSH keys are most likely the easiest way here). That key should then be used to call home and add a DNS entry on the primary DNS server, without having access to any other DNS entries: it should only be allowed to update subdomains of the domain that was associated with the key when it was generated.
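The authorisation rule from this paragraph, as an added example of what the call-home service would have to enforce (not code from this site; BIND9 itself can express the same rule with a TSIG key and an `update-policy { grant ... subdomain ...; }` entry, so this is also a sketch of what that policy does). Each key is bound to one domain at issue time; a request is accepted only if its HMAC verifies under that key and the name is that domain or lies beneath it. The key registry, secrets and names are constructed; in practice the registry would be written by the dashboard/GitLab layer at launch.

```python
import hashlib
import hmac
import ipaddress
import json
from typing import Dict, Tuple

# Constructed registry: each key may only touch its own scope (hypothetical names).
KEYS: Dict[str, Dict] = {
    "vm42": {"secret": b"constructed-secret-vm42", "scope": "vm42.centerionware.lan"},
    "mail1": {"secret": b"constructed-secret-mail1", "scope": "mail1.centerionware.lan"},
}
ALLOWED_TYPES = {"A", "AAAA"}   # a VM only needs to publish its own addresses


def canonical(req: dict) -> bytes:
    # Stable serialisation so client and server sign identical bytes.
    return json.dumps(req, sort_keys=True, separators=(",", ":")).encode()


def sign(req: dict, secret: bytes) -> str:
    return hmac.new(secret, canonical(req), hashlib.sha256).hexdigest()


def in_scope(name: str, scope: str) -> bool:
    # The key's own domain or anything below it, matched on a label boundary.
    name, scope = name.rstrip(".").lower(), scope.rstrip(".").lower()
    return name == scope or name.endswith("." + scope)


def value_matches_type(rtype: str, value: str) -> bool:
    try:
        return ipaddress.ip_address(value).version == (4 if rtype == "A" else 6)
    except ValueError:
        return False


def authorize(req: dict, sig: str) -> Tuple[bool, str]:
    """req = {"key_id", "name", "type", "value"}; returns (accepted, reason)."""
    entry = KEYS.get(req.get("key_id", ""))
    if entry is None:
        return False, "unknown key"
    if not hmac.compare_digest(sign(req, entry["secret"]), sig):
        return False, "bad signature"
    if req.get("type") not in ALLOWED_TYPES:
        return False, "record type not allowed"
    if not in_scope(req.get("name", ""), entry["scope"]):
        return False, "name outside key scope"
    if not value_matches_type(req["type"], req.get("value", "")):
        return False, "value does not match record type"
    return True, "ok"
```

A timestamp or nonce inside the signed body is still needed before this goes on a public interface, otherwise a captured valid request can be replayed.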

The DNS servers would then have to be moved onto public servers, answering with only public addresses whenever a request comes in from a public network address, and potentially many of them deployed around the world to minimize latency.

Probably easiest to write a Flask app

Honestly, a Flask app that generates some simple-ass BIND or even Unbound files probably isn't a huge ask, just a costly one.

Requirements?

  • Secure: keyed access with unique keys, and maybe cycling keys, for everything.
  • Scalable? Kubernetes deployments with Consul?
  • Simple.
  • Generates BIND and/or Unbound and/or ...? What other open source DNS server is there that would really need support? If there is a good one I need to find out.

I need to add a frickin comments section with MkDocs.

Biases

Python and Flask are great because they make prototyping easy. Fast though? Probably not.

C++ rules. C is better for low level.

Java can suck it. I love Java apps, just not the language. At all. Java came to be to address the cross-platform problem: how to make the same program run across different systems. It re-introduced the same patterns, and then worse patterns, that C++ already had and still has, and made things worse.

Containerization has replaced the only reason Java ever existed.

GitLab should be run by all serious devs, at home, on a server.