Fixes, add additional images

87c9d271 · JackV · 5490dc28 · 87c9d271 · 87c9d271 · 87c9d271
Commit 87c9d271 authored Apr 23, 2020 by JackV
--- a/assets/rockpro64.png
+++ b/assets/rockpro64.png
--- a/assets/tinkerboard.png
+++ b/assets/tinkerboard.png
--- a/slides/content.md
+++ b/slides/content.md
@@ -3,9 +3,9 @@
 * Networking & NFtables basics
 * How to debug network problems
 * Wireguard: easy to setup vpn
-* Ansible: how to manange many computers
+* Ansible: how to manage many computers
 * Why have servers running at home
-* Internet connections technologies
+* Internet connection technologies
 * How to build a linux home router

 ---
@@ -21,7 +21,7 @@ A lot of what we are going to
 cover today has been done in depth
 in previous Linux courses  
 (links in the relevant sections)  
-This talk focuses more on how
+This talk will focus more on how
 all these topics can come together

 ----
@@ -59,7 +59,7 @@ Software stack: `ip {address,route}`
 ## Transport Layer

 Works to provide a usable implementation (socket) to the
-program, provide important feature such as:  
+program, it provides important feature such as:  

 * Ports
 * Packet reliability
@@ -83,20 +83,20 @@ Main technologies: HTTP, HTTPS, IMAP, gRPC
  other computers
 * IPs have a __subnet mask__ that indicates which other IPs
  can be contacted directly through the link layer
-  * Computer use ARP/NDP to have a **IP <-> MAC** translation
-  * This also means that there is a ARP/NDP record that tells us
+  * Computers use ARP/NDP to have a **IP <-> MAC** translation
+  * Also there is a ARP/NDP record that tells us
    the **MAC address** relative to the IP we want to contact

 ---

-## What is important to remember /2
+<h2 style="min-width: 110%">What is important to remember /2</h2>

-* For all other IPs (eg. `176.31.102.216`) we need to have
-  a **default gateway** where we deliver our IP packets to have
+* For any other IP (eg. `176.31.102.216`) we need to have
+  a **default gateway** to which we deliver our IP packets to have
  them sent to the Internet
 * Computers that act as default gateways are called **routers**
  (since they **route** packets) and usually take the form of
-  those boxes that ISP give to you
+  those boxes that ISPs give to you

 ---

@@ -137,7 +137,7 @@ $ ip address show

 ## Important information

-```
+```bash
 3: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
 ```

@@ -148,6 +148,8 @@ $ ip address show

 ---

+## Important information /2
+
 ```bash
 link/ether 9c:b6:d0:06:87:35
 ```
@@ -163,6 +165,8 @@ Our interface's IP addresses

 ---

+## Important information /3
+
 ```bash
 $ ip route show
 default via 192.168.0.1 dev wlp2s0 <clipped>
@@ -187,11 +191,12 @@ packet filter (firewall) allowing us to block out unwanted traffic

 ---

-## NFtables vs IPtables vs firewalld (& co.)
+<h2 style="min-width: 110%">NFtables vs IPtables vs firewalld (& co.)</h2>

 * **iptables**: frontend for `xt_*` kernel modules, old (1998)
 * **nftables**: frontend for `nf_*` kernel modules, "new" (2014)
-* **firewalld & co.**: allow easier configuration, under the hood all use iptables
+* **firewalld & co.**: allow easier configuration, under the hood 
+  they all use iptables

 ---

@@ -226,7 +231,7 @@ Source: [Wikipedia](https://commons.wikimedia.org/wiki/File:Netfilter-packet-flo
  2 separate interfaces (like a switch)
 * The **routing decision** step is also what decides the output interface,
  the __forward__ hook is the first to know the output interface
-* There are **4** chains: **filter** and **nat** (common), mangle and raw (rarely used)
+* There are **4** chains: **filter** and **nat** (common), `mangle` and `raw` (rarely used)
 * There are **5** hooks:
  * filter: **input**, **forward**, **output**
  * nat: **prerouting**, **postrouting**
@@ -300,10 +305,10 @@ network configuration problems

 ### Network checklist

-* Does the network have working routing?
+* Can the network route to another address?
 * Does the network resolve domain names?
 * Are response packets coming back?
-* Are there problems in upper layers?
+* Is everything ok in upper layers?

 ---

@@ -322,7 +327,7 @@ network configuration problems

 * Again **ping** can be used to quickly check if DNS resolution
  is working as intended, `ping poul.org` will return an ip
-  address is DNS is working
+  address if DNS is working

 * **dig** can help to check more complex problems,
  using `dig poul.org` will tell us if the system DNS
@@ -340,7 +345,7 @@ network configuration problems

 * Only have ssh but want to have a gui? No problem!<br>
  ```
-  ssh root@<ip> 'tcpdump -i eth0 -s0 -w -' | wireshark -k -i -
+  ssh root@<ip> "tcpdump -i eth0 -s0 -w - 'not port 22'" | wireshark -k -i -
  ```

 ---
@@ -431,11 +436,11 @@ Endpoint = <server public ip>:51820
 ---

 ```
-wg-quick server.conf
+wg-quick up server.conf
 ```

 ```
-wg-quick client.conf
+wg-quick up client.conf
 ```

 ---
@@ -447,7 +452,8 @@ wg-quick client.conf
 ## Well not so fast

 Due to the fail-open nature, it is sometimes difficult to debug
-Some debugging techniques are shown in the previous sections.
+Some debugging techniques are shown in the previous sections.  
+Ping tends to report an error if wireguard is misconfigured.  
 The linked slides offer a more in-depth explaination of the
 configuration that might help to debug problems.

@@ -467,14 +473,15 @@ Strong points:
 * Only Python and SSH need to be installed to have a machine
  be controlled by Ansible
 * Idempotent (multiple runs have the same result as one)
-* Declarative/Stateless - what is on the config files dictates the end result
+* Declarative/Stateless - what is on the config files dictates the end result,
+  not how to get there

 ---

 ## What can you do with ansible?

 * Maintain consistent configurations across machines
-* Have all your machines have a set of installed packages
+* Have set of installed packages on all your machines
 * Manage installation/upgrade of services in a reproducible way

 ---
@@ -487,7 +494,7 @@ Strong points:

 ---

-## Anatony of an inventory
+## Anatomy of an inventory

 ```ini
 [webservers]
@@ -522,7 +529,7 @@ apk:
  remote_user: root
  tasks:
  - name: install webserver
-    apk:
+    package:
      name: lighthttpd
      state: latest
  - name: start webserver
@@ -552,15 +559,15 @@ apk:

 ---

-### Server
+### Cloud Server

-* Usually have better uptime (much closer to 100%)
+* Usually has better uptime (much closer to 100%)
 * Storage has magic underneath
-* Usually have higher network bandwidth
+* Usually has higher network bandwidth

 ---

-### What to consider to do cost/benefit
+### What to consider to do cost/benefit-wise

 * On cloud servers the entire infrastructure
  is redundant, and if a component breaks the
@@ -589,11 +596,15 @@ apk:

 ## SBC ARM/Router

-<img src="assets/rpi4.jpg" style="max-height: 30%">
+<div style="display: block; margin: 0 auto">
+    <img src="assets/rpi4.jpg" style="max-width: 27%">
+    <img src="assets/tinkerboard.png" style="max-width: 30%">
+    <img src="assets/rockpro64.png" style="max-width: 25%">
+</div>

 * Cost: 20-100€
 * Computing power: Medium-Low
-* Storage: scarce (eccetto usb 3)
+* Storage: scarce/decent
 * Power consumption: > 10W

 ---
@@ -612,14 +623,15 @@ apk:

 ## Why you shouldn't buy a RPi

-* 1-3 have usb ports behind an hub
+* 1-3 have usb ports behind a hub
 * 1-3 have ethernet behind an usb adapter<br>(guess where it is attached?)
 * Wifi tends to be very crappy without
  an u.FL connector and a proper antenna
-* Computing power is generally poorer than
+* Computing power is generally lower than
  competitors for the same price point
 * RPi linux distributions tend to come with
-  a lot of propietary broadcom blobs
+  a lot of proprietary broadcom blobs
+* Generally poor power supply circuitry

 ---

@@ -632,7 +644,7 @@ apk:

 * Cost: 50-200€
 * Computing power: Medium-High
-* Storage: sufficent
+* Storage: usually quite decent
 * Power consumption: 10-50W

 ---
@@ -646,9 +658,9 @@ apk:

 * Cost: 100-2000€
 * Computing power: High
-* Storage: sufficent-plenty (SAN)
+* Storage: sufficent-plenty (NAS)
 * Power Consuption: 200-2000W
-* Pros: no house heating costs
+* Pros: [no house heating costs](https://hardware.slashdot.org/story/17/09/13/002250/french-company-plans-to-heat-homes-offices-with-amd-ryzen-pro-processors)

 ---

@@ -735,7 +747,7 @@ AFAIK there is no ONT with OpenWRT support

 <img src="assets/ethernet.jpg" style="max-height: 30%" />

-Some provides (eg. Eolo) use alternative transmission mediums,
+Some providers (eg. Eolo) use alternative transmission mediums,
 usually these will have an ordinary ethernet cable attached
 to a mundane wifi router

@@ -757,7 +769,7 @@ to a mundane wifi router
 ## Small digression: Modem Libero

 At the end of 2018 the AGCOM (italian telecomunications agency) approved
-a set of rules that force ISP to provide appropiate means to allow consumers
+a set of rules that forces ISPs to provide appropiate means to allow consumers
 to choose their own router (ONT are still part of the ISP's network)  
 Obtaining the various settings for connecting to the ISP's network varies
 by difficulty and amount of call centers you have to contact based on the ISP you pick