IPv6 Day

Today both google and facebook turn on their IPv6 addresses in their DNS servers for one day.

C:>ping www.google.com

Pinging www.l.google.com [2001:4860:800c::93] with 32 bytes of data:
Reply from 2001:4860:800c::93: time=29ms
Reply from 2001:4860:800c::93: time=32ms
Reply from 2001:4860:800c::93: time=68ms
Reply from 2001:4860:800c::93: time=28ms

Ping statistics for 2001:4860:800c::93:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 28ms, Maximum = 68ms, Average = 39ms

C:>ping www.facebook.com

Pinging www.facebook.com [2620:0:1c00:0:face:b00c:0:2] with 32 bytes of data:
Reply from 2620:0:1c00:0:face:b00c:0:2: time=102ms
Reply from 2620:0:1c00:0:face:b00c:0:2: time=125ms
Reply from 2620:0:1c00:0:face:b00c:0:2: time=94ms
Reply from 2620:0:1c00:0:face:b00c:0:2: time=95ms

Ping statistics for 2620:0:1c00:0:face:b00c:0:2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 94ms, Maximum = 125ms, Average = 104ms

More Information

My ISP timewarner cable does not support native ipv6 yet, so I am still using he tunnelbroker for my home connection. Nonetheless it works pretty well.

Both most recent Tomato Firmware and Openwrt trunk version have built-in 6in4 and 6to4 support.

Update 1: http://test-ipv6.com/

Update 2: http://ipv6-test.com/

Source address route with multiple IPv6 addresses

I always had ipv6 tunneling enabled on my server. One with he.net and one with 6to4. I never had any problems with them with either as a default route. Recently my server provider linode.com start supporting native IPv6, but I found out other IP addresses are not route-able through native interface. Linux is only smart enough to pick which source address to use for outgoing connection, but not so much about return path.

The solution is policy based routing with IPv6. There are two related options in kernel configure, so make sure they are enabled. If not, you will encounter an error.

First install iproute2 and add a new route table.

echo "200 to4" >> /etc/iproute2/rt_tables

Then you can add source based rules and routes to this table.

ip -6 rule add from 2002::/16 table to4
ip -6 route add 2002::/16 dev 6to4 table to4
ip -6 route add default via :: dev 6to4 table to4

One thing I am still not sure is whether to delete the 2002::/16 from main route table.

ip -6 route del 2002::/16

I think this can solve some stateful firewall problem, but not necessary.

Add QR code to Tumblr Posts

It’s super simple to add a QR code to each Tumblr post. Just add this to anywhere between {block:posts} in your custom template.

<img src="http://chart.apis.google.com/chart?cht=qr&chs=116x116&chl={ShortURL}"/>

Here is an Example on my tumblr.

Amazon offer Free AWS

Amazon announced 1 year free service for new customer. Sign up here.

AWS Free Usage Tier (Per Month):

  • 750 hours of Amazon EC2 Linux Micro Instance usage (613 MB of memory and 32-bit and 64-bit platform support) – enough hours to run continuously each month*
  • 750 hours of an Elastic Load Balancer plus 15 GB data processing*
    10 GB of Amazon Elastic Block Storage, plus 1 million I/Os, 1 GB of snapshot storage, 10,000 snapshot Get Requests and 1,000 snapshot Put Requests*
  • 5 GB of Amazon S3 storage, 20,000 Get Requests, and 2,000 Put Requests*
  • 30 GB per of internet data transfer (15 GB of data transfer “in” and 15 GB of data transfer “out” across all services except Amazon CloudFront)*
  • 25 Amazon SimpleDB Machine Hours and 1 GB of Storage**
    100,000 Requests of Amazon Simple Queue Service**
  • 100,000 Requests, 100,000 HTTP notifications and 1,000 email notifications for Amazon Simple Notification Service**
  • In addition to these services, the AWS Management Console is available at no charge to help you build and manage your application on AWS.

CloudFlare free cdn service

CloudFlare is a new cloud service which provides free website security and caching. A quick test revealed that it uses anycast geodns technology with nginx reverse caching.

The setup process is very easy. You only need to change DNS server from domain registry. Setup wizard will automatically import old DNS setting. However multi tiered sub domain won’t be detected. Both CNAME and A host will be proxyed through by default.

Once DNS change finished, your website will be severed with transparent proxies. Unwanted visitor will be screened and static assets will be cached.

Here is the page loading timeline of my test page
Without CloudFlare
Without CloudFlare
With CloudFlare
With CloudFlare
The page is very simple, but still it clearly shows there’s no measurable latency with dynamic contents and notable improvement with static assets. However text assets like html, css and js have slightly bigger size. My original is compressed with gzip -9.


  • Anycast GeoDNS hosting
  • Vistor security screen
  • Slick analytics
  • Transparent caching around world
  • Basic account is free
  • Very easy to setup


  • Http only, no video streaming
  • Slow in Asia
  • Suboptimal gzip compression ratio

Overall I am very impressed with the free features and performance.

A Simple OpenID Login Example on Appengine

I wrote a simple openid login example.

I used user api to do the real login.
Login Buttons

Here is source code.

The idea is very simple. Instead of redirecting main page, I use javascript to popup a small page. Most providers have webpage optimized for popup. Then this page will detect callback and refresh main page and close itself. A hidden iframe will also try previous login url if available.

Integrate open graph with tumblr

Facebook Like button relies on Open Graph protocol to provide site information such as name, image and title.

With tumblr‘s custom HTML theme, you can integrate open graph protocol in your theme. When user click on a like button, facebook will display your real site name instead of domain itself. If it is a photo post, in activity stream a nice thumbnail will be displayed.

My test page
Facebook with open graph

Here is a tumblr theme fragment which includes required items. I also uploaded images for all post types.


If you use Disqus comments system, you probably already have a facebook app id. You can find out both your app id and user id on facebook insights page. When you click “Insights for your Domain”, you will see a list of your apps and yourself. If you select any of them, the correct meta tag will be displayed.

Boot grub2 stage2 directly from windows bootmgr with grub4dos stage1

There is problem which has been puzzled me for long time. When the grub2 root is on 2nd disk, the stage2 is not directly bootable from grub4dos stage1, but can be chain loaded from grub4dos as a linux kernel. The same problem happens to burg as well.

It turns out the stage2 file only has the relative path from root if you use grub-install script. So all you have to do is to embed a absolute path in prefix. Here is the brief step to make a direct bootable stage2.

grub-mkimage --output=/boot/grub/core.img --prefix=(hd1,2)/boot/grub 
         biosdisk part_msdos ext2
cat /boot/grub/lnxboot.img /boot/grub/core.img > g2ldr

Now copy g2ldr to your windows’ partition. Make a grub4dos stage1 file

grubinst.exe -o -b=g2ldr g2ldr.mbr

You can find grubinst.exe from grub4dos website.

Add it to windows bootmgr with bcdedit

bcdedit /create /d Linux /application BOOTSECTOR
bcdedit /set {ID} device partition=c:
bcdedit /set {ID}  path g2ldr.mbr
bcdedit /displayorder {ID} /addlast

Linux container LXC on Amazon EC2 server (Cloud inside Cloud)

Amazon AWS announced supporting pvgrub kernel a week ago. So it is possible to run your own kernel with new features like btrfs, cgroup, namespace, high resolution timers. Just be aware the AWS still use a very ancient xen version, so you will need to patch stock kernel to be bootable.

Here is a step by step guide on how to setup a linux container on top of EC2. Since EC2 itself is virtual environment, it is almost impossible to run other vm technology on top of it. You can read these general guide [1] [2] on how to setup a linux container.

Step 1: Host VM

In order to run lxc, the host will need to support cgroup and namespace. Ubuntu 10.4 lucid or newer includes them. I also made two public archlinux AMIs which support all these features, you can find them here.

Mount up /cgroup,

mkdir /cgroup
mount -t cgroup none /cgroup

In order for network to work you will need these two packages: iptables and bridge-utils. Ubuntu has lxc package, but on archlinux you will need to build it from aur.

Bring up the virtual network interface, you only need one here for all your lxc.

brctl addbr br0
ifconfig br0 up

Of course, you can pick other network address. You should skip the step mentioned in other guide to add your physical network such as “brctl addif br0 eth0″, because amazon will not route your private packet.

Step 2: Filesystem

Lxc installation should already include templates for some popular linux distribution. You can read the guide I mentioned above. For archlinux you can use my chroot script and patch.

I am not sure how to manually setup network for other distribution. You can also setup a dhcpd on host for the container.

On archlinux you can disable the eth0 setup but enable the default route like this in rc.conf,

gateway="default gw"

Here I assume your new root filesystem inside /mnt/mini. You LXC config file should look like this

lxc.utsname = mini
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.name = eth0
lxc.network.ipv4 =
lxc.mount.entry = none /mnt/mini/dev/pts devpts newinstance 0 0
lxc.mount.entry = none /mnt/mini/proc    proc   defaults 0 0
lxc.mount.entry = none /mnt/mini/sys     sysfs  defaults 0 0
lxc.mount.entry = none /mnt/mini/dev/shm tmpfs  defaults 0 0
lxc.rootfs = /mnt/mini
lxc.tty = 3
lxc.pts = 1024

Step 3: Container network

For network inside container to work, you still need to do two more things.

cp /etc/resolve.conf /mnt/mini/etc
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sysctl -w net.ipv4.ip_forward=1

Now you can start your container.

lxc-create -f /mnt/config -n mini
lxc-start -n mini

If there is no error during container boot, you can proceed to enter your container.

lxc-console -n mini

Login as root with no password.

ping www.google.com

If you are lucky, you should see ping go through. It may take a second to discover the new route inside container.

Step 3: Run service inside container

The main reason for most people to setup a container inside an EC2 is probably for jailing network daemons. But your container only have non reachable private address, so do it home router style using port forwarding with iptables.
For example, start your httpd daemon inside container as usual, then run this on host

iptables -t nat -A PREROUTING -i eth0 -p tcp 
   --dport 80 -j DNAT --to-destination

Now you should be able to reach your container from public ip.

Linux file copy benchmark cp vs cpio vs tar vs rsync

There are many commands to copy a directory in Linux. The difference between them in current Linux distribution are very small. All of them support link, time, ownership and sparse.

I tested them to copy a Linux kernel source tree. Each command I tested twice and keep the lower result.
The original directory size is 639660032 bytes. All methods generate exact same size of 675446784 bytes without sparse option.

Non Sparse Sparse
rsync rsync -a src /tmp rsync -a -S src /tmp
cpio find src -depth|cpio -pdm /tmp find src -depth|cpio -pdm –sparse /tmp
cp cp -a –sparse=never src /tmp cp -a –sparse=always src /tmp
tar tar -c src|tar -x -C /tmp tar -c -S src|tar -x -C /tmp

Time used and destination size:

For non sparse copy, rsync is the fastest. For sparse copy, rsync and cpio have the best space efficiency, but slow.