Make an Infinite Sleep Program in Only 4KB

In my network configuration, some of my Docker containers, for example DNS, need to achieve high availability with Anycast. In my previous post , I created a Busybox container and run tail -f /dev/null , in order to let it persist infinitely, but without using any CPU cycles, to maintain a network namespace used by both the server application and BIRD. In short: I invented a Pod in Kubernetes on my own. I don't use K8S, since my nodes run individually rather than in a cluster, I don't need the cluster functionality of K8S at all. In addition, K8S is difficult to set up. But on another thought, a Busybox container seems like an overkill for this purpose, and I have to set the entrypoint manually. It would be great if I have a tiny Docker image that only sleeps indefinitely. Plan A:...

Static Build Tiny Docker Images

What's stored in Docker images can be seen as numerous tiny Linux systems. Most of them are based on Debian, Ubuntu, or Alpine, with extra software installed on top. Using a complete Linux distribution as the basis gives the benefit of having commonly used commands available, such as ls and cat . They are often used in the image-building process. In addition, they have comprehensive libraries of software packages, allowing users to create images that "just work" with apt-get . However, as soon as the image is built, these utilities become unnecessary burdens for disk space. In addition, a full Linux contains a service managing daemon, like SystemD or OpenRC, useless for Docker containers running only one program at a time. Although Docker images are "overlaid",...

Illustration for Planning Ahead: Using Post-Quantum Cryptography

Planning Ahead: Using Post-Quantum Cryptography

On the modern Internet, most websites already support HTTPS. The SSL/TLS encryption protocol will encrypt users' requests and the website's responses so that malicious users along the way cannot steal or tamper with the information. One important component of SSL/TLS protocol is asymmetric cryptographic algorithms. For these algorithms, the key separates into a public key and a private key , with the public key being public and the private key protected carefully. Accessing an HTTPS website usually follows these procedures: The website sends its public key (as a certificate) to the browser. The browser will verify the public key in case that a man-in-the-middle modified the key in order to block or tap into the communication. The browser (or the operating system)...

Self-hosting a DNS Root Server

With the scale of conflict between China and the United States increasing, on some social media websites in China, some users started expressing concerns for the United States cutting China's access to DNS root servers or removing China's domains in the root servers in order to break China's Internet. By now, there is much analysis on the matter that states that this is unlikely to happen. Most of them focus on the following two points: DNS root servers use Anycast to broadcast their IPs, and there are root servers present in China that won't be affected by the network cut; For the United States, shutting down root servers cause more trouble than benefit, both economically and politically. Yet today, I'm going to present another point:...

An Elegant "Scripture of Safety" Generator

This post is about a meme in China that may require some cultural background to understand. Since the content is related to the specific language used, there are minor differences between the Chinese and English versions. What's "Scripture of Safety"? The Scripture of Safety (平安经) is a book written by He Dian, the (now former) official of Jilin Public Security Department, China. The content in the book is simply a repetition of the phrase "Wish XXX safe" (XXX 平安), yet the book is sold at a high price. The public speculates that publishing and purchase of the book serves as a mean of bribe. The content of The Scripture of Safety is formatted as: (from Wikipedia (Chinese) ) 「眼平安,耳平安,鼻平安」 "Wish eyes safe, ears safe,...

Configure BGP Confederation & Fake Confederation in Bird (Updated 2020-06-07)

Changelog 2020-10-01: Add warning to not filter private ASNs within the internal network 2020-06-07: Add limitations of Bird confederation and a way to simulate confederation 2020-05-17: Initial version Comparison of BGP Interconnection Schemes within an ISP Most ISPs, or Internet Service Providers, use the BGP protocol to exchange their route information. Each ISP will obtain an ASN (Autonomous System Number) from the regional NIC (Network Information Center, e.g., APNIC, RIPE), like China Telecom's ASN is 4134 for example. Then, ISPs connect their boundary routers via physical links (copper line, fiber, satellite link, etc.), and configure BGP protocol on the boundary routers, so they will tell the other part that: "I'm AS4134, and I can provide access to the IP block of 202.101.0....

x32 ABI and Docker Containers

History of x86 & x86_64, and x32 ABI Most of the personal computers and servers we use nowadays use the x86_64 architecture, whose specification was released by AMD in 2000 and the first processor released in 2003. Since x86_64 is a 64-bit architecture, in x86_64, each register in the CPU can hold 64 bits of data (or 8 bytes). Before x86_64 went popular, most computers used Intel processors, and the corresponding x86 architecture / ISA, a 32-bit architecture whose registers hold 32 bit of data (or 4 bytes). One significant improvement of the 64-bit architecture is the improved memory addressing ability. Computers usually follow such a routine while accessing the memory: write the memory address to be accessed into a register,...

Writing a Simple Telegram Bot

Based on the requests of DN42 Telegram Group members, I plan to add Telegram Bot support to my Bird Looking Glass , so it is easier for them to look up whois information, testing networks and finding sources of route leaks. The bot is supposed to recognize commands starting with / , and respond to the message. My Looking Glass is written in Go, so at the beginning, I looked for Telegram Bot APIs in the Go language. However, those popular API libraries all use the same scheme for handling requests: Telegram server sends a callback to my own server; My program handles the request and may send multiple requests actively to the Telegram server, authenticated with a locally configured Token; Finally, the program actively sends a request to the Telegram server to send the response....

Sharing Network Namespace Among Docker Containers for Bird Anycasting

At exactly one year ago, I set up an Anycast service with Docker in the DN42 network (Chinese only atm) . Back then, I customized the container's image and added a Bird installation to it, then put in a config file to broadcast Anycast routes via OSPF. However, as time went by, a few problems were exposed: The process of installing Bird takes time. Instead of installing Bird with apt-get , since my Dockerfiles need to support multiple architectures (Chinese only atm) , and Bird isn't available in some architecture's repos for Debian. And since my building server is AMD64, and is running images of other architectures with qemu-user-static (Chinese only atm) , a lot of instruction translation is needed in the image building and software compilation progress, which is extremely inefficient....

Running Anycast DNS with Docker in DN42

2020-03-16 Notes There is an updated scheme compared to this post, see Sharing Network Namespace Among Docker Containers for Bird Anycasting . It is suggested to read only the concept explanations in this post, and use the above scheme instead for deployment. What's Anycast The commonly used routing protocol on Internet, the BGP, works like this: I own an IP range, 172.22.76.104/29, on DN42. With a BGP software like BIRD, I "announce" that my server has access to IP range 172.22.76.104/29. Servers with peering to me will record this message: "Over this path, I can access 172.22.76.104/29 which is 1 step away." These servers continue to announce to others with peering to them: "This server is 1 step away from the source of 172.22.76.104/29." Similarly,...