I strongly advise against placing any production or critical workflows on any of these; use for testing or fun.

A note on production workflows

Anything that you depend on being reliable should always be hosted at a reputable hosting provider. Most of the dirt cheap providers you will find in any of the resources or websites I am sharing with you may most likely not stay in business for long.

For business or critical use VPS you can choose any of the big dogs: Amazon AWS, Microsoft Azure, Google Cloud (GCP). They all have its positives and negatives. This article does not focus on these.

Aggregators / Deals lists websites

The following websites seem to aggregate deals found in multiple web forums. You should start here to see the average prices for specific features (RAM, disk space, bandwidth, IPv4 allocation, etc). Note that most aggregators make a commission on your purchases (I do not but you can buy me a beer)

Forums

These are some online communities dedicated to dirt-cheap VPS and hosting. Good for limited time / quantity deals, and researching providers reviews.

You would think this would be pretty easy, a few clicks and done? That wasn’t my experience on Azure and setting this up isn’t easy nor straightforward. Below is how to get it done, if this helps you – you can buy me a coffee or beer.

Updates

June 2021: Reader “Ben R” contacted me about this article and shared some noteworthy information for folks using older VM images or installations. DHCPv6 may be disabled and must be manually enabled. See this article for enabling DHCPv6 on Azure.

ERROR: Cannot open TUN/TAP dev /dev/net/tun

To allow this for a specific container in Proxmox, we need to make a few tweaks to allow this interface to work in a specific container (we don’t want to allow all containers to be able to setup a tunnel – hackers can hide their tracks using it).

How to do this:

ADD these lines to /etc/pve/lxc/<container-id>.conf


lxc.cgroup.devices.allow = c 10:200 rwm
lxc.hook.autodev = sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"

OPNsense virtual machine is configured with VirtiO network drivers.

Other than the obvious “I can’t access anything on the internet” or can’t reach external IP addresses problem I looked at troubleshooting via nmap – because the devices on the network could ping externally (8.8.8.8) and also resolve DNS requests.

In a broken state you may see ‘tcpwrapper’ when testing a known host serving HTTP, like so:

root@test:~# nmap -p 80 -sV 216.58.194.206

Starting Nmap 7.40 ( https://nmap.org ) at 2018-11-17 17:54 UTC

Nmap scan report for sfo03s01-in-f206.1e100.net (216.58.194.206)

Host is up (0.010s latency).

PORT   STATE SERVICE    VERSION

80/tcp open  tcpwrapped

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 7.91 seconds

To fix this issue, ensure that “Disable hardware checksum offload” is  enabled in the OPNsense interface, then reboot the firewall for changes to take effect.

After a reboot, doing another test via nmap will actually respond with HTTP fingerprints, as expected and internet is back.

root@test:~# nmap -p 80 -sV 216.58.194.206

Starting Nmap 7.40 ( https://nmap.org ) at 2018-11-17 18:00 UTC

Nmap scan report for sfo03s01-in-f14.1e100.net (216.58.194.206)

Host is up (0.0096s latency).

PORT   STATE SERVICE VERSION

80/tcp open  http    gws

1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :

SF-Port80-TCP:V=7.40%I=7%D=11/17%Time=5BF0574C%P=x86_64-pc-linux-gnu%r(Get

SF:Request,8A7A,"HTTP/1\.0\x20200\x20OK\r\nDate:\x20Sat,\x2017\x20Nov\x202

SF:018\x2018:00:43\x20GMT\r\nExpires:\x20-1\r\nCache-Control:\x20private,\

SF:x20max-age=0\r\nContent-Type:\x20text/html;\x20charset=ISO-8859-1\r\nP3

SF:P:\x20CP=\"This\x20is\x20not\x20a\x20P3P\x20policy!\x20See\x20g\.co/p3p

SF:help\x20for\x20more\x20info\.\"\r\nServer:\x20gws\r\nX-XSS-Protection:\

SF:x201;\x20mode=block\r\nX-Frame-Options:\x20SAMEORIGIN\r\nSet-Cookie:\x2

SF:01P_JAR=2018-11-17-18;\x20expires=Mon,\x2017-Dec-2018\x2018:00:43\x20GM

SF:T;\x20path=/;\x20domain=\.google\.com\r\nSet-Cookie:\x20NID=146=0dp1WLb

SF:UhFIr1MIVwhAglx_4O6x-0eJHrmYFTov9a3oFxE2-lZSUI_9mmKBFXQZjYbjKbSRiirLZ-U

SF:cfybTiNQR_vmHD2MY4RBHP-hj4K7oyQX4lXuCgrSU7ESRXiX2Jn0qwoLWvvEItnC2hgDHEb

SF:oLJffQrfiEazdGDp5XppPU;\x20expires=Sun,\x2019-May-2019\x2018:00:43\x20G

SF:MT;\x20path=/;\x20domain=\.google\.com;\x20HttpOnly\r\nAccept-Ranges:\x

SF:20none\r\nVary:\x20Accept-Encoding\r\n\r\n<!doctype\x20html><html\x20it

SF:emscope=\"\"\x20itemtype=\"http://schema\.org/WebPage\"\x20lang=\"en\">

SF:<head><meta\x20content=\"Search\x20the\x20world's\x20information,\x20in

SF:cluding\x20webpages,\x20images,\x20videos\x20and\x20more\.\x20Google\x2

SF:0has\x20ma")%r(HTTPOptions,71B,"HTTP/1\.0\x20405\x20Method\x20Not\x20Al

SF:lowed\r\nAllow:\x20GET,\x20HEAD\r\nDate:\x20Sat,\x2017\x20Nov\x202018\x

SF:2018:00:44\x20GMT\r\nContent-Type:\x20text/html;\x20charset=UTF-8\r\nSe

SF:rver:\x20gws\r\nContent-Length:\x201592\r\nX-XSS-Protection:\x201;\x20m

SF:ode=block\r\nX-Frame-Options:\x20SAMEORIGIN\r\n\r\n<!DOCTYPE\x20html>\n

SF:<html\x20lang=en>\n\x20\x20<meta\x20charset=utf-8>\n\x20\x20<meta\x20na

SF:me=viewport\x20content=\"initial-scale=1,\x20minimum-scale=1,\x20width=

SF:device-width\">\n\x20\x20<title>Error\x20405\x20\(Method\x20Not\x20Allo

SF:wed\)!!1</title>\n\x20\x20<style>\n\x20\x20\x20\x20\*{margin:0;padding:

SF:0}html,code{font:15px/22px\x20arial,sans-serif}html{background:#fff;col

SF:or:#222;padding:15px}body{margin:7%\x20auto\x200;max-width:390px;min-he

SF:ight:180px;padding:30px\x200\x2015px}\*\x20>\x20body{background:url\(//

SF:www\.google\.com/images/errors/robot\.png\)\x20100%\x205px\x20no-repeat

SF:;padding-right:205px}p{margin:11px\x200\x2022px;overflow:hidden}ins{col

SF:or:#777;text-decoration:none}a\x20img{border:0}@media\x20screen\x20and\

SF:x20\(max-width:772px\){body{background:none;margin-top:0;max-width:none

SF:;padding");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 52.89 seconds

root@test:~#

The problem with creating a directory for something before is mounted is that when zfs-mount.service runs and attempts to mount the zfs mount points you will get these kind of errors:

root@pve:~# systemctl status zfs-mount.service
● zfs-mount.service - Mount ZFS filesystems
Loaded: loaded (/lib/systemd/system/zfs-mount.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Fri 2017-06-30 18:10:21 PDT; 21s ago
Process: 6590 ExecStart=/sbin/zfs mount -a (code=exited, status=1/FAILURE)
Main PID: 6590 (code=exited, status=1/FAILURE)

Jun 30 18:10:19 pve systemd[1]: Starting Mount ZFS filesystems...
Jun 30 18:10:20 pve zfs[6590]: cannot mount '/gdata/pve/subvol-102-disk-1': directory is not empty
Jun 30 18:10:20 pve zfs[6590]: cannot mount '/gdata/pve/subvol-106-disk-1': directory is not empty
Jun 30 18:10:20 pve zfs[6590]: cannot mount '/gdata/pve/subvol-109-disk-1': directory is not empty
Jun 30 18:10:21 pve systemd[1]: zfs-mount.service: Main process exited, code=exited, status=1/FAILURE
Jun 30 18:10:21 pve systemd[1]: Failed to start Mount ZFS filesystems.
Jun 30 18:10:21 pve systemd[1]: zfs-mount.service: Unit entered failed state.
Jun 30 18:10:21 pve systemd[1]: zfs-mount.service: Failed with result 'exit-code'.

Fixing the root of the problem: change how proxmox deals with mounts by editing /etc/pve/storage.cfg – you need to add “mkdir 0” and “is_mountpoint” to the directory mount. Example:

dir: gdata-dump
path /gdata/vz
content iso,vztmpl,backup
maxfiles 0
shared 0
mkdir 0
is_mountpoint 1

Now we need to do some system cleanup before we reboot and confirm the problem is fixed.

Let’s check which mount points have failed:
root@pve:~# zfs list -r -o name,mountpoint,mounted

Now let’s umount all zfs mount points (except rpool of course – assuming the rootfs is zfs)

# zfs umount -a

After making sure ZFS mount points are unmounted, now we can delete the empty folders. Recall the failed mount points that the zfs list command gave you and one by one delete them like so:

# rm -rf /gdata/pve/subvol-102-disk-1

Do this for each folder that showed issues mounting. You have a choice to remount everything with zfs mount -O -a — or better… reboot the system and check its fixed. I like the later better. So reboot.

After it boots back up check that service was able to mount zfs without issues:

# systemctl status zfs-mount.service
# zfs list -r -o name,mountpoint,mounted

That’s all folks… if you made the edit to storage.cfg and added the two variables this should not occur again. This was an annoying bug to deal with but good to have found a better solution than a startup script doing some dirty tricks!

This time, I have a couchpotato container that I want to change its default port from 5050 to port 80, so that it is as simple as http://mycouch/ to access from the local network.

Since CouchPotato is a python script, my other method of whitelisting the binary won’t work, an alternative is to use authbind to get around this by granting a user/group privileges to bind to one of those restricted ports (non-root can’t bind to ports 1024 or less).

Environment: LXC Container (Debian 9.0 Stretch) image, with couchpotato defaults running on port 5050 and systemd init script setup (couchpotato user is named gmedia)

#  groupadd -g 3200 gmedia
# useradd -u 3200 -g gmedia -M gmedia
# apt-get install authbind
# touch /etc/authbind/byport/80
# chown gmedia /etc/authbind/byport/80
# chmod 500 /etc/authbind/byport/80

Now edit the startup settings (Exec/user/group):
# nano /etc/systemd/system/couchpotato.service

Should look something like this:

[Unit]
Description=CouchPotato application instance
After=network.target

[Service]
ExecStart=/usr/bin/authbind --deep /opt/CouchPotatoServer/CouchPotato.py
Type=simple
User=gmedia
Group=gmedia

[Install]
WantedBy=multi-user.target

Now its time to test:

# systemctl daemon-reload
# systemctl start couchpotato.service
# systemctl status couchpotato.service

Confirm all is hunky dory.

root@couchpotato:~# systemctl status couchpotato.service
● couchpotato.service - CouchPotato application instance
Loaded: loaded (/etc/systemd/system/couchpotato.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2017-06-29 08:35:32 UTC; 2s ago
Main PID: 1203 (python)
Tasks: 9 (limit: 4915)
CGroup: /system.slice/couchpotato.service
└─1203 python /opt/CouchPotatoServer/CouchPotato.py

Jun 29 08:35:32 couchpotato systemd[1]: Started CouchPotato application instance.
root@couchpotato:~# lsof -i :80
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
python 1203 gmedia 49u IPv4 6008724 0t0 TCP *:http (LISTEN)
python 1203 gmedia 52u IPv4 6024843 0t0 TCP 192.168.200.140:http->192.168.200.5:56928 (ESTABLISHED)
root@couchpotato:~#

In *nix any usage of well-known ports (aka 1024 or less) requires special privileges or a kernel setting. In FreeBSD a simple sysctl net.inet.ip.portrange.reservedhigh =1 was enough to allow the BSD jail to use any port on the jail.

On LXC, I had to figure out how to do the same thing and its quite different. My environment is a debian stretch LXC container but should work on other linux versions.

# apt-get install libcap2-bin
# setcap 'cap_net_bind_service=+ep' /usr/bin/transmission-daemon

In the example above, the binary /usr/bin/transmission-daemon is now able to open any port, or port 80 http in my case all while running a service as a non-root user.

Hopefully these helps folks out there, the answer took some digging but I already had an idea on what was needed thanks to my FreeBSD experience in zones

I have a pair of Samsung 840 Pro 256GB SSDs that I wanted to use for my new homelab that I am currently building (moving from vmware to proxmox). You may be wondering why I want to install the operating system on a partition instead of an entire disk. Several reasons:

1. Proxmox (ZFS-on-Linux) does not yet support SSD TRIM, FreeBSD does support it so migrating from FreeNAS into Proxmox I should be aware of it.
2. Data redundancy for the root filesystem does not need to be large. Even if I do RAID1 with my two SSDs I won’t be storing my critical data or VMs in the rpool – I want a smaller sized root pool that has fault-tolerance (RAID1). A partition of 60GB mirrored in two SSDs should fit the bill here.
3. ZIL Intent Log experimentation, I also want to experiment by using the same two SSDs to speed up my ZFS writes. I want a small partition in a stripe (RAID0) for performance, 45GB total (22.5gb per ssd) is plenty for this.
4. The left over unused space will be left untouched so that the SSD will have more available blocks during the controller’s built-in garbage collection (not the same as TRIM)

I don’t have enough time to go into a lot of details (it’s past 4am), so I will get to how to do it. If you are trying to follow my same steps, you will need at least 3 hard drives.

1. On a hard drive or device you don’t care to use in the final outcome, install Proxmox as you would normally. Wipe the entire partition table and let it install RAID0 on the whole disk.
2. Boot into your new installation, have the two new disks you want to keep attached to the system and ensure linux sees them fdisk should help with this.
3. You will now need to create the partitions on the new disks (not rpool):

You will need to know how to calculate hard disk sectors and multiply by your block size. I don’t have time to go over it but I will do a quick TL;DR example to give you an idea:

We want 25GB slice so that is around 25000000000 bytes / 512 (block size) = 48828125 total sectors to allocate this storage amount.

Take a look at the partition table to make sure you create something similar, fdisk -l /dev/sd$ (your rpool disk). We will leave 8MB disk at the end of the partition, Proxmox by default creates 3 partitions: GRUB_BOOT, ZFS data, Solaris 8MB.

This command creates the partitions for my new array, I’ve described them for you by the -c command. It should be self-explanatory.

# sgdisk -z /dev/sdb
# sgdisk -a1 -n1:34:2047 -t1:EF02 -c1:”BIOS boot” -n2:2048:156252048 -t2:BF01 -c2:”mirror” -n3:156252049:205080174 -t3:BF01 -c3:”stripe” -n4:205080175:205096559 -t4:BF0 /dev/sda

# sgdisk -a1 -n1:34:2047 -t1:EF02 -c1:”BIOS boot” -n2:2048:156252048 -t2:BF01 -c2:”mirror” -n3:156252049:205080174 -t3:BF01 -c3:”stripe” -n4:205080175:205096559 -t4:BF0 /dev/sdc
# zpool create -f stripe -o ashift=13 /dev/sda3 /dev/sdc3
# zpool create -f newroot -o ashift=13 mirror /dev/sda2 /dev/sdc2
# grub-install /dev/disk/by-id/ata-Samsung_SSD_840_PRO_Series_S1ATNSADB46090M
# grub-install /dev/disk/by-id/ata-Samsung_SSD_840_PRO_Series_S12RNEACC59063B

Backup & moving stuff.
# zfs snapshot -r rpool@fullbackup
# zfs list -t snapshot
# zfs send -R rpool@fullbackup | zfs recv -vFd newroot
root@pve:/# zpool get bootfs
NAME PROPERTY VALUE SOURCE
newroot bootfs – default
rpool bootfs rpool/ROOT/pve-1 local
stripe bootfs – default
root@pve:/# zpool set bootfs=newroot/ROOT/pve-1 newroot
zpool export newroot
zpool import -o altroot=/mnt newroot
— rebooted with freenas live cd, enter shell, import newroot with new name rpool. rebooted
— boot into proxmox recovery — once it boots, do recovery
grub-install /dev/sdb
grub-install /dev/sda
update-grub2
update-initramfs -u

#zpool set bootfs=newroot rpool could also work without renaming via FreeNAS but didn’t try.

My needs for more CPU power and memory is driven by the idea of hyperconvergence. Which means I use a single machine to be my router/firewall, VPN gateway, network storage as well as virtual machine host.

Those themes have been part of my home network design since 2010 or so, today’s hot technologies are focusing on containers (LXC), Docker, etc. So I need a more powerful server in order to be able to expand my playground into those technologies. The 32gb maximum on my old server is simply not enough when you have 5 different VMs that consume almost all your memory resources (windows 10 VM, OSX one and my FreeNAS one being the top users of 75%+).

On my new machine I have decided to move towards the Xeon E5 v4 CPU series and DDR4 which has lower memory consumption than my current LPDDR3 (1.2v vs 1.35v per ram stick).

The components of choice is a Supermicro X10SRL-F with remote management (IPKVM), and 64gb DDR4 to start.

For server chassis I’ll be reusing my Lenovo TS440, but first I’ll assemble and test my new server on a different chassis as to not impact my home router/network design.

Since I will most likely be moving away from VMware ESXi into Proxmox or another open source alternative this means that there will be a steep learning curve as I try to do the initial configuration of the network to run on a single node (hyperconverged). I will have to learn OpenVswitch with is a virtual switch that runs on unix.

However in the past couple of years the free version of esxi has moved to HTML5 web management, and in the latest ESXi version the Windows client (vSphere client) requires you to pay for a license a run a central vcenter server/vm in order to manage via GUI (non-web).

There are a few articles posted on how limited the web UI may be in contrast to all the features of the original windows GUI so I started pondering other products that may replace ESXi on my homelab (been an ESXi user since 3.x) but it looks like Xenserver 7.1 was just released and Citrix has been including a lot of Enterprise features on their free Xenserver product and offer a very comparable GUI on Windows as well.

A few days ago (February 23) Citrix just released the latest Xenserver 7.1 version (release link/downloads/changelog). The feature I am most excited about? Docker integration via installing “container management supplemental pack”

Xenserver 7.1 seems to be based on Linux CentOS so installing packages (via rpm) should be pretty easy. I’ll post more information when I get more time to dig into it deeper as I am just installing it on my homelab for testing.