Dnsmasq On Nixos 2305

This is a small update on the evolved configuration from my Build a simple dns with a Raspberry Pi and NixOS blog post.

I upgraded to 23.05 and learned that i should run sudo nix-collect-garbage -d from time to time to avoid running out of disk space.

And here is the updated dnsmasq configuration:

networking.hostFiles = [(pkgs.fetchurl {
  url = "https://hostname.local/l33tname/hosts/raw/branch/main/hosts";
  sha256 = "14hsqsvc97xiqlrdmknj27krxm5l50p4nhafn7a23c365yxdhlbx";

services.dnsmasq.enable = true;
services.dnsmasq.alwaysKeepRunning = true;
services.dnsmasq.settings.server = [ "" "" "" ];
services.dnsmasq.settings = { cache-size = 500; };

As you can see with the latest version some config keys changed slightly. But the big new thing is that the hosts files is now fetched from my local git server. This allows me to version and edit this file in a singe place.

Note: The hash nix-prefetch-url $url should be updated if the file changes, otherwise NixOS will happily continue to use the the file fetched last time.

Mikrotik Openvpn Updated Params

I run a site-to-site tunnel: OPNsense to MikroTik site-to-site tunnel. Which runs fine but the support for OpenVPN in MikroTik is not very good. At some point I need to investigate Wireguard for this site-to-site connection.

But for now I still run OpenVPN and a recent upgrade of OpenVPN on OPNsense made my tunnel fail because it could not find a common cipher.

No common cipher between server and client. Server data-ciphers: 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305', client supports cipher 'AES-256-CBC'

As you can see MikroTik with the settings I documented uses AES-256-CBC. According to the documentation it should also do aes256-gcm which would match the supported AES-256-GCM.

But how would one do that, because the UI does not offer any options for that. Turns out you need to do that on the terminal only.

Here is how:

edit <connection-name>
value-name: auth
(Opens a editor update value to: null, exit with control + o)

edit <connection-name>
value-name: cipher
(Opens a editor update value to: aes256-gcm, exit with control + o)

Check with print if the settings are changed.

Note if your OpenVPN log looks something like this it's probably still a mismatch in cypher, at least in my case it was a typo.

Data Channel MTU parms [ mss_fix:1389 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Connection reset, restarting [0]
SIGUSR1[soft,connection-reset] received, client-instance restarting

Hint: make sure you changed the OPNsense server config to use AES-256-GCM!

Pull Zfs Backup

I got a good deal on a 18TB Harddisk. Which was reason enough to rethink my backup setup. Until now I used a push strategy where the system pushed the backup to my backup system. (see blog post for reference Zfs Remote Backups) This will change today!

The new strategy is that my backup system will pull the data itself. This has a few advantages and makes it harder to if the main system is compromised to compromise the backup. I will also replace the shell scripts with sanoid or actually with syncoid. For snapshots I continue to use zfstool.

The New Setup

On the system which should be backuped we need to install sanoid and add a user with ssh key and minimal permissions.

# Install package
pkg install sanoid

# Add user
pw user add -n backup -c 'Backup User' -m -s /bin/sh

# Setup SSH with key
mkdir /home/backup/.ssh
echo "ssh-ed25519 AAA...jaM0 foo@bar.example" > /home/backup/.ssh/authorized_keys
chown -R backup:backup /home/backup/.ssh 
chmod 700 /home/backup/.ssh
chmod 600 /home/backup/.ssh/authorized_keys

# Give access to the ZFS pools for the new user
zfs allow -u backup aclinherit,aclmode,compression,create,mount,destroy,hold,send,userprop,snapshot tank
zfs allow -u backup aclinherit,aclmode,compression,create,mount,destroy,hold,send,userprop,snapshot zroot

As for the system which should pull the datasets. We also install sanoid and add a small script to our crontab which does all the magic and pulls all datasets we want to backup. It also pushes the status to influx so alerting and graphing can be done. (Careful with the script there are some things you need to update for your usecase!)

# Install package
pkg install sanoid

# Put script in crontab
$ crontab -l
13       0 * * 7	/root/backup.sh

The /root/backup.sh script:



mkdir -p $(dirname $logfile)

if [ ! -f $lockfile ]
    echo $$ > $lockfile
    echo "$(date): early exit ${lockfile} does exist previous backup still running" | tee -a $logfile
    exit 13

# Backup a ZFS dataset by pulling it
# localhost is the host where this scripts runs,
# where as remote is the host which should get backuped
# $1: name of the dataset on the remote host
# $2: name of the dataset on the local host
# return: a status code, 0 if successful
backup_dataset() {

    syncoid --sshkey=${KEY} --recursive --no-privilege-elevation ${REMOTE}:${remote_ds} ${local_ds} >> /tmp/raw_backup.log 2>&1
    code=$?hostname echo "$(date): pulling ${remote_ds} -> ${local_ds} exit code was: ${code}" >> $logfile
    echo $code

start=$(date +%s)
echo "$(date): backup started (log: $logfile)" | tee -a $logfile

exit_code=$((exit_code + $(backup_dataset 'tank/backup' 'tank/backup')))
exit_code=$((exit_code + $(backup_dataset 'tank/data' 'tank/data')))
exit_code=$((exit_code + $(backup_dataset 'tank/music' 'tank/music')))
exit_code=$((exit_code + $(backup_dataset 'tank/photography' 'tank/photography')))
exit_code=$((exit_code + $(backup_dataset 'tank/podcast' 'tank/podcast')))
exit_code=$((exit_code + $(backup_dataset 'zroot/iocage' 'tank/iocage')))
exit_code=$((exit_code + $(backup_dataset 'zroot/usr/home' 'tank/hostname-home')))

end=$(date +%s)
echo "$(date): exit code: ${exit_code} script ran for ~$((runtime / 60)) minutes ($runtime seconds)" | tee -a $logfile

curl -i -XPOST -u mrinflux:password 'https://influx.host.example:8086/write?db=thegreatedb' \
        --data-binary "backup,host=hostname.example status=${exit_code}i
        backuptime,host=hostname.example value=${runtime}i"

rm -f $lockfile
exit $exit_code

Mingelton Cpp

Wouldn't it be fun if your singleton exist multiple times? The answer is yes! (Unless you need to debug it or when it actually needs to work)

Lets take a closer look at the situation:

│                                                                         │
│                            Application                                  │
│                                                                         │
│                             ┌───────────────────────────────────────┐   │
│                             │                                       │   │
│                             │ dynamic loaded library                │   │
│                             │ (Plugin)                              │   │
│                             │                                       │   │
│                             │                                       │   │
│                             │                                       │   │
│  ┌──────────────────────┐   │              ┌─────────────────────┐  │   │
│  │ shared library A     │   │              │ shared library A    │  │   │
│  │                      │   │              │                     │  │   │
│  │ [Singleton]          │   │              │ [Singleton]         │  │   │
│  │                      │   │              │                     │  │   │
│  └──────────────────────┘   │              └─────────────────────┘  │   │
│                             │                                       │   │
│                             └───────────────────────────────────────┘   │
│                                                                         │

The application loads dynamically a library (basically a plugin) which was built using the shared library. The shared library is where the singleton exists. The same shared library is used directly in the app.

Meyer's singleton

Lets take a simple Meyer's singleton implementation.

#pragma once
#include <string>

struct Simpleton {
    static Simpleton& GetInstance();
    std::string value{"simple"};

    Simpleton() = delete;
    Simpleton &operator=(Simpleton&&) = delete;

If we create a small test inside our main app where we access the singleton inside the app and inside the dynamic loaded library.

    cout << "Simpleton:\n";

    auto* simple_instance = reinterpret_cast<void const*(*)()>(dlsym(plugin_handle, "simple_instance"));
    auto* simple_get = reinterpret_cast<std::string(*)()>(dlsym(plugin_handle, "simple_get"));
    auto* simple_set = reinterpret_cast<void(*)(std::string)>(dlsym(plugin_handle, "simple_set"));

    cout << " app=" << &Simpleton::GetInstance() << " plugin=" << simple_instance() << '\n';
    cout << " value=" << Simpleton::GetInstance().value << " get=" << simple_get() << '\n';
    simple_set("updated simple value");
    cout << " value=" << Simpleton::GetInstance().value << " get=" << simple_get() << '\n';

We expect that the address of &Simpleton::GetInstance() and simple_instance() is the same. And after setting the singleton via the plugin we expect the value readout in the app to reflect the changed value. Otherwise it is not really a singleton. If we check the output that is what happens.

 app=0x7fa0bf373160 plugin=0x7fa0bf373160
 value=simple get=simple
 value=updated simple value get=updated simple value

Singleton Template

Check out the last blog post about the singleton pattern as a base for this singleton. There is a small issue with this approach. The template works great in almost all situations, except when you need access to the singleton inside a library.

What happens when we use our fun singleton implementation.

    cout << "ConcreteSingleton:\n";

    auto* instance = reinterpret_cast<void const*(*)()>(dlsym(plugin_handle, "instance"));
    auto* get = reinterpret_cast<std::string(*)()>(dlsym(plugin_handle, "get"));
    auto* set = reinterpret_cast<void(*)(std::string)>(dlsym(plugin_handle, "set"));

    cout << " app=" << &ConcreteSingleton::GetInstance() << " plugin=" << instance() << '\n';
    cout << " value=" << ConcreteSingleton::GetInstance().value << " get=" << get() << '\n';
    set("updated value");
    cout << " value=" << ConcreteSingleton::GetInstance().value << " get=" << get() << '\n';

We would expect the same behavior as for our Meyer's singleton.

 app=0x1ccf350 plugin=0x1ccf380
 value=default get=default
 value=default get=updated value

Ups. Seems like the plugin and our app are using different singletons.

If you use google to figure out what is happening here lets turn to google. There is this very unhelpful comment from code review.

When working with static and shared libraries, one must be careful that you don't have several implementations of the instance() function. That would lead to hard to debug errors where there actually would exist more than one instance. To avoid this use an instance function inside a compilation unit (.cpp) and not in a template from a header file.

source: https://codereview.stackexchange.com/a/222755

Otherwise I drew blank in searching for the issue. Which was the main motivation to create this blog post with actual demo code.

A solution

It seems like the issue is that _instance is defined inside the header.

template <class T> typename Singleton<T>::unique_ptr Singleton<T>::instance_;

Somehow this means we have a _instance in our application and a different _instance inside our dynamic loaded library.

If we look at the unhelpful comment again we should move it to our cpp. This is possible with a macro. something along the lines of this.

    template <> Singleton<x>::unique_ptr Singleton<x>::instance_{}

And each concrete singleton needs to implement this macro in the cpp file.


Voilà it works as expected.

 app=0x123c350 plugin=0x123c350
 value=default get=default
 value=updated value get=updated value

What now?

If anyone can explain the behavior better or why this is the way it is let me know. A example of the code can be found in this git repository: l33tname/mingelton. It contains a full CMake setup to reproduce the issue. The first commit is a working state (with macro) and the newest commit contains the diff where it fails. Instructions to build and run can be found inside the README.md.

Singelton Cpp

When you build software at some point you might need a singleton. Singletons are often a sign of bad software design, but that is not the focus of this blog post.

In software engineering, the singleton pattern is a software design pattern that restricts the instantiation of a class to a singular instance.

(Source: Wikipeda: Singleton pattern)

And good software is using obviously a bunch of singletons. To ensure that they are all the same we make use of a template.

template <class T> class Singleton
  using unique_ptr = std::unique_ptr<T>;

  using element_type = T;
  using deleter_type = typename unique_ptr::deleter_type;

  /// Returns a reference to the single instance, the instance is created if none exists
  static element_type &GetInstance()
    if (not _instance)
      _instance.reset(new element_type{});
    return *_instance;

  /// Releases the single instance and frees its memory
  static void Release() { _instance.reset(); }

  Singleton() = default;
  virtual ~Singleton() = default;
  Singleton(const Singleton &) = delete;
  Singleton &operator=(const Singleton &) = delete;
  Singleton(const Singleton &&) = delete;
  Singleton &operator=(Singleton &&) = delete;

  static unique_ptr _instance;
template <class T> typename Singleton<T>::unique_ptr Singleton<T>::_instance;

This implementation favors simplicity over thread-safety. If you need a thread-safe implementation don't use this one.

With that template in place it is now super easy to create a new singleton like this:

class ConcreteSingleton : public Singleton<ConcreteSingleton>
  // need to be friend to access private constructor/destructor
  friend Singleton<ConcreteSingleton>;
  friend Singleton<ConcreteSingleton>::deleter_type;

  void SomeGreatFunction() const;

// unless you have a great reason to have a
// public constructor and destructor it should be private
  ConcreteSingleton() { ... some stuff ... }
  ~ConcreteSingleton() = default;

If you use that for all singletons in your code they all look uniform.