Medo's Home Page

My SSH Crypto Settings

With ever-expanding number of scripts on my NAS I noticed that pretty much every one had similar, but not quite the same parameters. For example, my automatic replication would use one set of encryption parameters while my Mikrotik router backup script would use other, and my website backup script would use a third variant.

So I decided to see if I could still keep the reasonable security but consolidate all these to a single type.

For key exchange, I had choice of diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, and diffie-hellman-group1-sha1. Unfortunately there is no curve25519-sha256@libssh.org or similar algorithms that are considered more secure.

For a while I considered using diffie-hellman-group14-sha1 as it uses 2048 bit prime but its abandonment by modern SSH versions made me go with diffie-hellman-group-exchange-sha256. As this method allows for custom groups, it should be theoretically better but it also allows server to setup connection with known weak parameters. As servers are in my control, that should not pose an huge issue here.

For cipher my hands were extremely tied - Mikrotik, my router of choice, supports only aes256-ctr and aes192-ctr. Both are of acceptable security so I went with faster: aes192-ctr.

For authentication Mikrotik was again extremely limited - only hmac-sha2-256 and hmac-sha1 were supported. While I was tempted to go with hmac-sha1 which is still secure enough despite SHA1 being broken (HMAC part really does make a difference), I went with hmac-sha2-256 as former might get obsoleted soon.

My final set of “standard” parameters is as follows:

-2 -o KexAlgorithms=diffie-hellman-group-exchange-sha256 -c aes192-ctr -o MACs=hmac-sha2-256

Additional parameter is not strictly encryption related but I find it very reasonable to enforce SSH protocol version 2.

My Settings for Panasonic LX100

On these pages I cover a wide array of topics. There is no order to it - just things that interest me and problems I faced trying to make them work. More often than not, posts are just a way for me to remember solutions thinly veiled into a more generic topic.

However, some posts are so specific I cannot even pretend I am actually helping somebody else than me. This is one of those posts - my general settings for Panasonic LX100 camera. Probably of no interest to anyone, oddly specific to my way of shooting photos, and for a camera that is a bit on the old side.

PS: Panasonic also makes available online full basic and advanced manual where much more detail can be found.

Rec

Photo Style	Standard: NR-2	Standard profile with a touch of lower noise reduction.
Picture Size	L 12M	Not sure why you would go any lower.
Quality	Fine	Occasionally I might add Raw to it too, but not in general. I found myself too lazy to do a lot of post-processing.
AFS/AFF/AFC	AFF	This setting is actually one I change the most and value varies between AFS (single focus) and AFF (flexible focus). They are both really similar but AFF does adjust a bit for moving subjects so it fits my use better as default choice.
Metering Mode	Multi-metering	For evening/night time photography I sometime change it to center-weighted or spot settings. However, for daytime use it almost always stays at default.
Burst Rate	M	I love mid-speed setting as it gives me 7 pictures per second bursts while keeping the live view working. Even better, at this speed, fast card, and with JPEG-only you can shoot forever. For sports it is tempting to switch to high speed but there is no benefit if you are using AFF/AFC and you lose live view. Super-high speed uses electronic shutter so approach with care.
Auto Bracket	-	I almost never do bracketing of any kind other that for HDR which uses other settings anyhow. So I just pretend this doesn't exist.
Self Timer	10 seconds (3)	I really rarely use this - frankly cannot remember the last time I had it. However, I feel as having it shoot three pictures instead of one is a nice feature.
Highlight Shadow	-	I generally leave this at default setting. If I have picture where adjusting it would make sense I simply record it raw and edit it on computer.
i.Dynamic	Standard	I found enabling this feature gives me better shadows for a general use case without having to fiddle with raws.
i.Resolution	Off	It basically just increases sharpness at the cost of fine detail.
Simultaneous record without filter	On	I really rarely mess with filters but when I do, I like option to have the same picture with and without filter applied. Do notice this setting can only be changes if filter is selected and you are not shooting raw (annoying restriction!).
iHandheld Night Shot	On	I love this setting on my FZ-300 as it helps tremendously during night recording. Unfortunately available only in automatic mode (iA).
iHDR	Off	This is automated HDR and not necessarily too bad if you are on a lazy side. However, I leave it off by default.
HDR	Off	This is manually enabled HDR and I set it to On only if I really want it. While some settings can be adjusted (e.g. EV) I like to use it on full auto.
Multi Exposure	-	This setting is more of a guide for taking pictures with multiple exposures. I could never been bothered to play much with it.
Time Lapse Shot	-	If you are fan of leaving your camera somewhere and recording a time-lapse, this camera has really nice helper. Just set the starting time and interval, and away you go.
Stop Motion Animation	-	If you like to make stop-animation movies this helper saves you a bit of time and even creates end video for you.
Panorama Direction	Right	Default is good.
Shutter Type	Mechanical	While you can use higher shutter speeds with electronic shutter, that comes at the cost of various artifacts for the fast-moving subjects as it takes as much as 100 ms to read the whole sensor. That's an eternity. I prefer to use mechanical shutter unless silence is needed. In silent mode you have electronic shutter whether you like it or not.
Flash	-	Haven't used it in eternity - don't even know where flash that came with camera is.
Red-Eye Removal	Off	There used to be time when subjects in every picture seemingly had red vampire eyes. Not sure if people evolved in last few years or cameras got better but I don't see it happening as often anymore. And it is trivial to adjust in any photo editor so I leave it off.
ISO Limit Set	6400	While this camera can go all the way up to 25600, I find that anything above 6400 is really noisy. If I really need ISO that high I prefer to set it manually instead.
ISO Increments	1EV	I find that thirds are simply too finicky for me to bother.
Extended ISO	Off	Unlike with most other cameras, extended ISO doesn't increase your maximum setting but it lowers your minimum ISO to 100 instead of native 200. As this is done in software, I cannot see why you would bother.
Long Shutter Noise Reduction	On	It turns on only at low shutter speeds (1/15th and below) and it does make a difference if you need to go that low.
i.Zoom	Off	Realistically, it is a small digital zoom and it will impact your picture quality. Yes, 3x lens can be a bit limiting but suck it up.
Digital Zoom	Off	Why would you do this to yourself?
Color Space	sRGB	While Adobe RGB is better, sRGB is what literally every consumer device supports for viewing. Use Adobe RGB only if you know what you are doing.
Stabilizer	Vertical-only	Full stabilizer is a nice thing but quite annoying when panning - i.e. catching your kids running next to you.
Face Recognition	Off	Somehow I never bothered to register the faces needed for this.
Profile Setup	Off	Just more stuff for kids and dogs.

Motion Picture

4K Photo	Off	It is nice idea but requires you to record everything in 4K and it changes compression method a bit.
Rec Format	MP4	I find MP4 a bit better supported with amateur software.
Rec Quality	FHD 20M 30p	I rarely record videos and, when I do, I stick to HD most of the time. Only if I know I will be editing video further or upload it to YouTube I switch to 4K 100M 30p.
Picture Mode	Motion-priority	Allows you to take 2M picture while video is recorded. I don't generally use it but I prefer it to Still-priority which essentially stops the movie in order to take picture. Annoying if done by accident.
Continuous AF	On	For most of time I want camera to refocus to action. If I am recording something where I can control field of action, I might switch it Off to keep focus steady.
Mic Level Display	On	While it does add additional clutter, I find it useful to see if camera is picking up some noise it shouldn't.
Mic Level Adjust	3	It is default and I wen't with it.
Wind Cut	Auto	I might change this if I record in windy situations but I generally just leave camera to decide.

Custom

Utilize Custom Set Feature	Off	As I am the only one using this camera, I never found myself needed different customization styles.
Silent Mode	Off	I usually keep it off as it enforces dreadful electronic shutter. However, I do keep it on quick menu for occasions when I need it.
AF/AE Lock	AF/AE Lock	I prefer to lock both focus and exposure when using that button. As I use it only if I am recording something,
AF/AE Lock Hold	On	Setting this to on allows locking of AF/AE with the long press to the button and then using shutter without having to hold the button at the same time. I find default setting requires way too much fidgeting on a small space for my taste.
Shutter AF	On	It just enables half-press focus, full-press take picture mode.
Half Press Release	Off	It just enables half-press focus, full-press take picture mode.
Quick AF	Off	Idea of this setting is that camera focuses as you get ready to take picture. In reality it just eats up the battery and doesn't work when you need it the most (e.g. low-light).
Eye Sensor AF	Off	I prefer to set my focus by half-press and not to have camera refocus every time I switch between monitor and viewfinder.
Pinpoint AF Time	MID	I rarely use pinpoint AF so I simply go with default.
Pinpoint AF Display	PIP	I rarely use pinpoint AF so I simply go with default.
AF Assist Lamp	Off	Somehow I always find myself in positions behind glass or with shiny metal around me and AF assist lamp goes berserk. I might re-enable it during low-light.
Direct Focus Area	Off	Since I use `Fn1` to adjust focus area, I keep this off.
Focus/Release Priority	Release	I'll rather have blurry picture than no picture at all.
AF+MF	Off	Call me lazy but I usually don't mess with auto-focus. If I want manual focus I simply use the side lever and go crazy.
MF Assist	Wheel Focus	It uses control ring for adjusting.
MF Assist Display	PIP	Picture-in-picture works for me.
MF Guide	On	When using manual focus, a small scrollbar is shown with focus position marked.
Peaking	On / High	When manually focusing, blue dots are nice hint to know what is in the focus.
Histogram	On	I would say histogram is mandatory. My favorite position is down-right; just far enough not to mess with picture framing.
Guide Line	3x3	I love guide lines. Makes framing much easier.
Highlight	On	Even with histogram, it is easy to get picture overexposed by accident. With highlight you will see all those overexposed areas blinking and that is much harder to ignore. :)
Zebra Pattern	ZEBRA2	I like to see my errors early. :)
Monochrome Live View	Off	Supposedly it is easier to focus in black-and-white; I just ignore it.
Constant Preview	On	I love constant preview as it allows me to immediately see if I messed up Aperture/Shutter/ISO trinity instead of figuring that once my button is already half-pressed.
Exposure Meter	On	When changing aperture or shutter speed, it is nice to see where you stand.
Dial Guide	On	More guides never hurts. :)
LVF Display Style	Top+Bottom	I like lot of details.
Monitor Display Style	Top+Bottom	I like lot of details.
Monitor Info Display	On	Why not having more info? :)
Recording Area	Picture	I like my default setup to show how stills would look.
Remaining Display	Stills	As I don't use videos much, I prefer to see number of stills remaining.
Auto Review	2 seconds	Two seconds is more than enough to see picture you have taken.
Fn Button Set	Fn1	I only remap Fn1 to Focus Area Set. Fn2 I leave on Wi-Fi and Fn3 stays LVF/Monitor switch.
Zoom Lever	Smooth	Default is fine.
Control Ring	Off	If there is one thing I don't like on LX100 it is its control ring. It simply doesn't feel right and it is easy to move by accident. So I simply turn it off. Mind you, control ring still works for manual focus even if you turn it off.
Zoom Resume	Off	I prefer to start on the widest zoom.
Quick Menu	Custom	Default menu is OK but I find it a bit on a crowded side with all settings I can set more easily directly on the button. With custom menu, I can configure up to 3 screens with 5 settings each albeit I keep it on a single screen for even faster adjustments.
iA Button Switch	Press And Hold	Two things I find easy to do by accident: changing exposure compensation and entering iA mode. While I cannot do anything about oversensitive wheel, I can at least make later a bit harder to enter.
Video Button	On	As someone who takes stills most of the time, I like having video recording on a separate button.
Eye Sensor	Low	I lower the sensibility of eye sensor to minimize misdetects.

Setup

Menu Resume	On	I prefer menu state to be remembered between visits.
Menu Information	On	I leave it on since even if you turn it off, you don't get an extra row.
Self Timer Auto Off	On	I don't see purpose of remembering self-timer between camera restarts.

Playback

Delete Confirmation Yes first I prefer to have Yes preselected when deleting images. I guess I like to live a dangerous life.

Custom Quick Menu

AFS/AFF/AFC	I like to be able to quickly switch between AFS and AFF.
Metering Mode	Switching between 49-area and single-area focusing comes in handy.
HDR	For rare occasions I need HDR, I don't need to hunt it in menu.
Stabilizer	Essentially just to select between full and vertical-only stabilization.
Silent Mode	Nice for museums and similar places. Lousy for high-speed subjects.

Encrypted ZFS for My Backup Machine

I already wrote about my ZFS setup. However, for my new machine I made a few changes. However, setup is still NAS4Free based.

The very first thing I forgot last time is randomizing the disks upfront. While not increasing security of new data, it does remove any old unencrypted bits you might have laying around. Even if disk is fresh, you don’t want zeros showing where your data is. Dangerous utility called dd comes handy here (once for each disk):

dd if=/dev/urandom of=/dev/ada0 bs=1M
dd if=/dev/urandom of=/dev/ada1 bs=1M

This takes a while but fortunately it is possible to see current progress with Ctrl+T. Do use tmux to keep session alive as this will take long time (with a big disk, more than a day is not unexpected).

Next, instead of using glabel, I decided to use the whole disk. That makes it easier to move disk later to other platform. No, I am not jumping BSD ship but I think having setup that can change environments is really handy for emergency recovery.

While ZFS can handle using device names like ada0 and ada1 and all shenanigans that come with their dynamic order, I decided to rely on serial number of drive. Normally device labels containing serial number are found under /dev/diskid/ directory. However, NAS4Free doesn’t have them on by default.

To turn them on, we go to System, Advanced, and loader.conf tab. There we add kern.geom.label.disk_ident.enable=1 and reboot. After this, we can use /dev/diskid/* for drive identification.

Those drives I then encrypt and attach each drive:

geli init -e AES-XTS -l 128 -s 4096 /dev/diskid/^^DISK-WD-WCC7KXXXXXXX^^
geli init -e AES-XTS -l 128 -s 4096 /dev/diskid/^^DISK-WD-WCC7KYYYYYYY^^

geli attach /dev/diskid/^^DISK-WD-WCC7KXXXXXXX^^
geli attach /dev/diskid/^^DISK-WD-WCC7KYYYYYYY^^

Finally, I can create the pool. Notice that I put quota around 80% of the total pool capacity. Not only this helps performance but it also prevents me from accidentally filling the whole pool. Dealing with CoW file system when it is completely full is something you want to avoid. And also, do not forget .eli suffix.

zpool create -o autoexpand=on -m none -O compression=on -O atime=off -O utf8only=on -O normalization=formD -O casesensitivity=sensitive -O quota=3T Data mirror /dev/diskid/^^DISK-WD-WCC7KXXXXXXX^^.eli /dev/diskid/^^DISK-WD-WCC7KYYYYYYY^^.eli

zdb | grep ashift
            ashift: 12

Once pool was created, I snapshotted each dataset on old machine and sent it over network. Of course, this assumes your pool is named Data, you are working from “old” machine, and new machine is at 192.168.1.2:

zfs snapshot -r ^^Data^^@Migration
zfs send -Rv ^^Data^^@Migration | ssh ^^192.168.1.2^^ zfs receive -Fs ^^Data^^

This step took a while (more than a day) as all datasets had to be recursively sent. Network did die a few times but resumable send saved my ass.

First I would get token named receive_resume_token from the destination:

zfs get receive_resume_token

And resume sending with:

zfs send -v -t ^^<token>^^ | ssh ^^192.168.1.2^^ zfs receive -Fs ^^Data/dataset^^

Unfortunately resume token does not work with recursion so each dataset will have to be separately specified from that moment onward.

Once bulk of migration was done, I shut every single service on old server. After that I took another (much smaller) snapshot and sent it over network:

zfs snapshot -r ^^Data^^@MigrationFinal
zfs send -Ri ^^Data^^@Migration ^^Data^^@MigrationFinal | ssh ^^192.168.1.2^^ zfs receive -F ^^Data^^

And that is it - shutdown the old machine and bring services up on the new one.

PS: If newly created machine goes down, it is enough to re-attach GELI disks followed by restart of ZFS daemon:

geli attach /dev/diskid/^^DISK-WD-WCC7KXXXXXXX^^
geli attach /dev/diskid/^^DISK-WD-WCC7KYYYYYYY^^
/etc/rc.d/zfs onestart

[2018-07-22: NAS4Free has been renamed to XigmaNAS as of July 2018]

Running Script Without Forking

Default way of running scripts in Linux is that shell forks new process based on hashbang (#!) found in the first line and gives rest of content to that process. And this works beautifully most of the time.

But what if we really need something found only in our current shell?

Fortunately, as long you are using bash, it is easy to run script without creating a separate shell. Just prefix it with dot (.):

./myScript

Some restrictions apply of course - the biggest gotcha being that script should be either bash or with only simple commands as content will be executed directly regardless of hash-bang (#!) specified.

PS: Yes, this works with other shells too, I use bash here as it is most common shell by far.

My Backup ZFS Machine

With my current ZFS pool getting close to its 2 TB limit I started to think about expanding it a bit. However, before doing anything with main NAS server, I decided to get the backup server up to speed. Reason is simple: while I am not a ZFS newbie, I don’t move pools on regular basis and moving backup server’s data will give me nice practice opportunity so I have procedure pinned down when I go to deal with the main storage.

My main parameters were to build machine capable of at least ZFS mirror, be reasonably easy to hide as it will be situated in living room, be as quiet as possible, and cost no more than $300 for all the hardware excluding disks. Note that nowhere I have any conditions on its speed - it is a backup machine I hopefully will never touch again.

For the case I went with Supermicro SC504-203B 19" 1U rack mountable chassis. Some of you might be reasonable wondering which drugs I am taking that causes me to think of 19" rack case as unobtrusive and easy to fit in living room. Well, you are missing a detail that my TV stand is piece of solid wood with opening that is about 25" wide and 2" tall. Just enough for me to slide the case below and for it never to be visible again.

As point of interest, you might notice Supermicro offers SC504-203B and SC505-203B rack cases that have seemingly identical specs. It took me a while to figure out the only difference: 504 has all the connectors in the back and 505 has the motherboard connectors at the front. For my case, more common setup of connectors at the back was better, but your mileage might vary.

Other than its perfect size, this case is one of rare in the lower price range to have enough place for two 3.5" drives. As I am really not too happy with my current situation of backup on a single (albeit) ZFS-formatted drive, upgrading backup to a mirrored combo seemed like a long delayed improvement. Other than that, case has an efficient power supply (80+ Gold) alongside a wide selection of compatible boards.

And there is also a bummer - not all mini-ITX boards can fit this case. Better said, they will fit the case but their IO shield will be a tad too high for an 1U format. Yes, you can always go without the shield or by frankensteining the solution but I actually found a reasonably priced Supermicro board.

I decided to go with X10SBA-L board instead of similarly priced but seemingly more powerfull X10SBA. The “L” board doesn’t have additional Marvell chip and thus it has only two SATA 2.0 ports (Marvell brings additional four SATA 3.0 ports), it has one USB 3.0 and three USB 2.0 ports where Marvell offers additional two 2.0 ports, it has m-SATA port (which cannibalizes one of SATA 3.0 ports), and lastly it lacks eDP. For me neither of those were breaking deal as I intended to use only two disks with the single USB 3.0 port carrying Nas4Free installation.

A bit controversial decision is lack of ECC memory support that is not really frowned upon when dealing with ZFS. In reality, I couldn’t find any ECC board that would fit within my budget. And, while memory is important for ZFS, let’s not forget that this is just a backup machine and that memory errors are usually not catastrophic. Plan is to have ECC RAM on my next ZFS server. But my backup server - mah…

Speaking of memory, I essentially selected the cheapest 2x 4GB modules from manufacturer I trust. While I have bought Crucial, I would have taken Corsair, Kingston, or Samsung the same.

For disks I opted to go with WD Red 4TB model for now. As my current data actually fits into 2.5" 2TB drive, space-wise I have quite a buffer for the next year and probably much longer. I was toying with the idea to use Seagate Ironwolf due to its attractive 6TB price, but noise level made me stick with WD Red. To minimize any potential issue affecting the whole batch, I actually bought disks at two different places (NewEgg and B&H).

A few curiosities were observed while pairing motherboard and case. First one is lack of opening for display port on the back. While slightly annoying, I found it bearable since HDMI opening, while grossly oversized, was accessible. If you really need display port you can order separate part number MCP-260-00068-0B but it will cost you $25.

Another one is mismatch between chassis power supply that has only 20-pin ATX connector and motherboard that requires 24-pin connector. As motherboard is really modest as far as power consumption goes, plugging 20-pin connector and leaving 4 leftmost pins empty works fine.

I also connected front-panel connector to PCI bracket in order to bring those ports to the outside. I only did it because I had bracket already available. Likewise, I swapped SATA cables that arrived with motherboard with shorter, round ones. This is just purely for cosmetics.

Without further ado, here is the itemized list:


Supermicro SuperChassis 504-203B	$100
Supermicro X10SBA-L	$149
Crucial 8GB DDR3L Kit (2 x 4GB)	$54
SATA cable, 6", right-angle	2x $7
TOTAL	$317

1 … 94 95 96 97 98 … 268