Scott Bronson bronson

  • Santa Cruz, CA
bronson / test-output.txt
Created January 8, 2016 20:44
mysql2 breakage
~/rails/activerecord (master)$ bundle exec rake mysql2:test
/Users/bronson/.rubies/ruby-2.2.2/bin/ruby -w -I"lib:test" -I"/Users/bronson/.rubies/ruby-2.2.2/lib/ruby/2.2.0" "/Users/bronson/.rubies/ruby-2.2.2/lib/ruby/2.2.0/rake/rake_test_loader.rb" "test/cases/adapter_test.rb" "test/cases/aggregations_test.rb" "test/cases/ar_schema_test.rb" "test/cases/associations/association_scope_test.rb" "test/cases/associations/belongs_to_associations_test.rb" "test/cases/associations/bidirectional_destroy_dependencies_test.rb" "test/cases/associations/callbacks_test.rb" "test/cases/associations/cascaded_eager_loading_test.rb" "test/cases/associations/eager_load_includes_full_sti_class_test.rb" "test/cases/associations/eager_load_nested_include_test.rb" "test/cases/associations/eager_singularization_test.rb" "test/cases/associations/eager_test.rb" "test/cases/associations/extension_test.rb" "test/cases/associations/has_and_belongs_to_many_associations_test.rb" "test/cases/associations/has_many_associations_test.rb" "test/
# Redirect all HTTP to HTTPS.
upstream gitlab {
    server 192.168.122.12;
}
server {
    listen 80;
    listen [::]:80;
bronson / readme.md
Last active December 15, 2015 12:17

Previous: https://gist.github.com/bronson/c857a462edb0c6eeab2d

Setup

It's a typical libvirt setup: the host masquerades its public IP for the VMs running on it. The host's public IP is 173.233.67.174, and its internal IP on virbr0 is 192.168.122.1.

The catch is, the host is also forwarding port 25 to the mail server VM on 192.168.122.10.

All chains default to ACCEPT, rp_filter is disabled (didn't make any difference), bridge-nf is disabled. See NOTES below for more on this.

This builds on the previous gist: https://gist.github.com/bronson/c857a462edb0c6eeab2d

OK, let's add a logging rule at the start of every chain. This should show us every single chain the packet traverses.

The result? Same as before.

  • it starts in raw:PREROUTING, line 108
  • it jumps to mangle:PREROUTING, line 41
  • and then to nat:PREROUTING, line 6
bronson / readme.md
Last active December 15, 2015 07:55

I don't understand why this packet just disappears...

The Setup:

I have a host port-forwarding port 25 to a virtual machine. The host has public IP address 173.233.67.174, private address 192.168.122.1, and the VM has address 192.168.122.10. The host masquerades for the VM (it's just the default libvirt setup).

All chains default to ACCEPT, rp_filter is disabled (didn't make any difference), bridge-nf is disabled. See NOTES below for more on this.

bronson / 00-notworking-log.txt
Last active December 4, 2015 00:15
iptables nat investigation
Here's a trace of a packet originating on the network host. I would like it to get DNATed to the virtual machine.
Instead, it never gets DNATed.
First, the packet originates on the network host and exits unmodified. So far so good:
Dec 3 14:03:43 ex kernel: TRACE: raw:OUTPUT:rule:1 IN= OUT=lo SRC=173.233.67.174 DST=173.233.67.174 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=63334 DF PROTO=TCP SPT=59748 DPT=25 SEQ=2002582068 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A027F0D520000000001030307) UID=0 GID=0
Dec 3 14:03:43 ex kernel: TRACE: raw:OUTPUT:policy:3 IN= OUT=lo SRC=173.233.67.174 DST=173.233.67.174 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=63334 DF PROTO=TCP SPT=59748 DPT=25 SEQ=2002582068 ACK=0 WINDOW=43690 RES=0x00 SYN URGP=0 OPT (0204FFD70402080A027F0D520000000001030307) UID=0 GID=0
Dec 3 14:03:43 ex kernel: TRACE: mangle:OUTPUT:policy:1 IN= OUT=lo SRC=173.233.67.174 DST=173.233.67.174 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=63334 DF PROTO=TCP SPT=59748 DPT=25 SEQ=2002582068 ACK=0 WINDOW=43690
bronson / annotations.md
Last active November 23, 2016 01:10
CentOS 7 default iptables config

So, why does libvirt set its rules up like this?

Since the default policy is ACCEPT, and all rules are ACCEPT, that means that all traffic coming into the host is accepted. So why bother allowing DNS and BOOTP (DHCP) traffic? Answer: because libvirt wants to ensure that, even if the INPUT chain has a different policy, all guests (traffic originating on the virbr0 interface) will receive DNS and DHCP service from the host.

Chain INPUT (policy ACCEPT 380 packets, 37990 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  virbr0 any     anywhere             anywhere             udp dpt:domain
    0     0 ACCEPT     tcp  --  virbr0 any     anywhere             anywhere             tcp dpt:domain
    0     0 ACCEPT     udp  --  virbr0 any     anywhere             anywhere             udp dpt:bootps

Setup

To prepare the production database and launch the server, run these two command lines:

RAILS_ENV=production rake db:drop db:create db:migrate db:seed assets:precompile
RAILS_ENV=production RAILS_SERVE_STATIC_ASSETS=true rails server

Now, load each URL and see what Rack and Chrome Devtools show for response time.

Fair warning: this is running on a Macbook Air with 20% battery... kinda flimsy.

bobrock [11:11 AM]
I assume Atom grammars can be written in JSON interchangeably with CSON?
lee-dohm [12:25 PM]
I believe so, but I’ve never tried it
thomasjo [12:26 PM]
Yes.
bronson / gist:3518270bca2f849d9422
Created May 15, 2015 23:08
disable ctrl-f keybindings to try to speed up atom
'.platform-darwin .tree-view':
  'ctrl-f': 'unset!'
'body':
  'ctrl-f': 'unset!'
'body .native-key-bindings':
  'ctrl-f': 'unset!'