Linux Boot with No Networking

GLOTRENDS PA09-HS M.2 NVMe to PCIe 4.0 X4 Adapter

I recently wanted to install an M.2 NVMe to PCIe 4.0 X4 adapter in an existing server. The idea was to add a new NVMe SSD, but the motherboard had no free M.2 sockets.

The server is running Proxmox with Linux kernel 6.8.12. I thought this should be a 15-minute exercise. How wrong I was. After installing the hardware, the system booted up but there was no network access. This was especially painful because I could no longer remote into the server. I had to go pull out an old monitor and keyboard and perform diagnostics at the console.

I used the journalctl command to diagnose the issue, and found the following entry:

Feb 01 13:36:21 pvproxmox networking[1338]: error: vmbr0: bridge port enp6s0 does not exist
Feb 01 13:36:21 pvproxmox networking[1338]: warning: vmbr0: apply bridge ports settings: bridge configuration failed (missing ports)
Feb 01 13:36:21 pvproxmox /usr/sbin/ifup[1338]: error: vmbr0: bridge port enp6s0 does not exist
Feb 01 13:36:21 pvproxmox /usr/sbin/ifup[1338]: warning: vmbr0: apply bridge ports settings: bridge configuration failed (missing ports)

The above error message indicates that enp6s0 no longer exists. When I looked at earlier messages, I noticed this one:

Feb 01 13:36:15 pvproxmox kernel: r8169 0000:07:00.0 enp7s0: renamed from eth0

It looks like the interface name has changed from enp6s0 to enp7s0. The kernel line shows the NIC now sitting at PCI address 0000:07:00.0, and the predictable interface names used by systemd encode the PCI bus number (enp7s0 = bus 7, slot 0), so adding a device in another PCIe slot shifted the NIC's bus number and, with it, its name. The correct remedy is therefore to edit /etc/network/interfaces to reflect the name change. Below is the new content of the file.

# cat /etc/network/interfaces
auto lo
iface lo inet loopback

iface enp7s0 inet manual

auto vmbr0
iface vmbr0 inet static
        address 192.168.188.2/24
        gateway 192.168.188.1
        bridge-ports enp7s0
        bridge-stp off
        bridge-fd 0

iface wlp5s0 inet manual
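A check I would run after editing the file and before the next reboot, as an added example that is not part of the original post: it lists every port named on a bridge-ports line that the kernel does not currently expose, so a stale name like enp6s0 shows up before ifup fails at boot. The sample interfaces file in the demo is a constructed copy of the pre-fix config; the live interface list is assumed to come from /sys/class/net unless one is passed in.

```shell
#!/bin/sh
# Added example (not from the original post): report bridge ports named in an
# ifupdown /etc/network/interfaces file that do not exist on the system.
# Assumptions: ifupdown syntax as in the post; live interface names are read
# from /sys/class/net unless a list is passed in (done in the demo so it runs
# anywhere).

# Print every port listed on a "bridge-ports" line of the file $1, one per line.
bridge_ports_in() {
  awk '$1 == "bridge-ports" { for (i = 2; i <= NF; i++) if ($i != "none") print $i }' "$1"
}

# Print the ports from $1 that are missing from the space-separated interface
# list $2 (default: what the kernel currently exposes under /sys/class/net).
missing_bridge_ports() {
  file=$1
  present=${2:-$(ls /sys/class/net)}
  # ls output is newline-separated; the case pattern below only needs spaces.
  present=$(printf '%s' "$present" | tr '\n' ' ')
  for port in $(bridge_ports_in "$file"); do
    case " $present " in
      *" $port "*) ;;               # port exists
      *) echo "$port" ;;            # port is gone (renamed or not present)
    esac
  done
}

# Demo on a constructed copy of the pre-fix config from the post, checked
# against the interface names the kernel reported after the adapter went in.
demo() {
  tmp=$(mktemp)
  cat > "$tmp" <<'EOF'
auto lo
iface lo inet loopback

iface enp6s0 inet manual

auto vmbr0
iface vmbr0 inet static
        address 192.168.188.2/24
        gateway 192.168.188.1
        bridge-ports enp6s0
        bridge-stp off
        bridge-fd 0
EOF
  missing_bridge_ports "$tmp" "lo enp7s0 wlp5s0"   # prints: enp6s0
  rm -f "$tmp"
}
demo
```

On the real server, call missing_bridge_ports /etc/network/interfaces with no second argument; empty output means every bridge port still exists.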

This would be very annoying if the old interface name were used in many other configuration files. I found one reference on the Internet (https://www.baeldung.com/linux/rename-network-interface) describing how to pin a network interface name using udev rules. I did not try this, but it is something to keep in mind for the future.

In a previous post, on another home server, I fixed the name using netplan, but Proxmox does not use netplan.

Simple File Transfer – NOT

Recently I needed to transfer a private binary file from another household to my server. We wanted this transfer to remain private because the file contains sensitive content.

In the past, I set up a WebDAV server using Apache 2.4.

First I had to enable the DAV modules with the following commands on my Ubuntu server:

sudo a2enmod dav
sudo a2enmod dav_fs

I already had a directory on my file system called /mnt/Sites/public_share. I made the following changes to my Apache 2 configuration files.

<VirtualHost *:80>
    ServerName share.lufamily.ca
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://share.lufamily.ca
</VirtualHost>

<VirtualHost *:443>
    ServerName share.lufamily.ca
    ServerAdmin xxxxxxxx@gmail.com
    DocumentRoot /mnt/Sites/public_share

    <Directory /mnt/Sites/public_share>
        AllowOverride All
    </Directory>

    <Location />
        AuthType None
        DAV On
        Options +Indexes
        RewriteEngine off
    </Location>

    Include /home/xxxxx....xxxxxxx/ssl.lufamily.ca
</VirtualHost>

I did not configure any authentication, because I restricted access to this directory with an .htaccess override file containing the following:

<IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
    Header always append X-Frame-Options SAMEORIGIN
    Header set X-Content-Type-Options nosniff
    Header set X-Robots-Tag "noindex, nofollow"
</IfModule>

<Files ".htaccess">
    # Apache 2.4 syntax; the 2.2-style "Order Allow,Deny / Deny from all"
    # form only works when mod_access_compat is loaded and should not be
    # mixed with the Require directives below.
    Require all denied
</Files>

<RequireAny>
    Require ip 192.168.0.0/16
    Require ip 172.16.0.0/12
    Require ip 10.0.0.0/8

    # Sending computer external IP
    Require ip AAA.BBB.CCC.DDD
</RequireAny>

With the above setup, the other party just needs to open Finder on macOS or File Explorer on Windows, connect to https://share.lufamily.ca, and copy, delete, and open files as they normally would. Access is private because it is restricted to their external IP address. With macOS, copying many gigabytes via WebDAV posed no issues.

Unfortunately, Windows is another matter. This worked for small files, but for large files in the gigabyte range, Windows appeared to get stuck at 99% complete. Windows caches the large transfer locally and reports 99% completion within a very short time, while the physical transfer catches up. The actual copy across the Internet takes so long that Windows becomes confused, thinks we are copying a file that already exists, and raises an unwanted error.

I had to come up with an alternative. We briefly considered FTP, but after a few minutes it was clearly a non-starter: FTP passive mode requires ports to be opened on my firewall, which is unrealistic as a long-term solution.

SFTP is a secure file transfer protocol that runs over SSH, provided here by OpenSSH. I also like this approach because access is governed by an SSH key pair: the private key stays with the remote user, and the public key is used to configure SSH on my server. I set up an SSH user called sftpuser. To restrict this user to SFTP access only, I made the following changes to the sshd configuration file /etc/ssh/sshd_config.

# Use the in-process SFTP server (the Subsystem line takes a single command;
# listing sftp-server and internal-sftp together would pass "internal-sftp"
# as an argument to sftp-server)
Subsystem sftp internal-sftp

# Configure the local user sftpuser to only do sftp
Match User sftpuser
    ChrootDirectory /home/sftpuser
    PasswordAuthentication no
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    AllowAgentForwarding no

I then created the sftpuser with the following commands:

sudo adduser sftpuser
sudo chown root:root /home/sftpuser
sudo mkdir /home/sftpuser/uploads
sudo chown sftpuser:sftpuser /home/sftpuser/uploads
sudo chmod -R 0755 /home/sftpuser/uploads

This user cannot log in to a shell and can only use SFTP. I also disabled password authentication, just in case. For the remote party to upload the file, they need to provide a public SSH key, which is stored in the .ssh/authorized_keys file. Its contents look something like this:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCliK6NZx6JJBcK0+1GtEe8H6QpN1BHDRgq/vtiEAfwzcjN1dBtQhfplyDxEXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXF+OLV9qWMsE/g+1H4oyLRqzQnD8w7S4RBUJzrrZIpLEzYRf43pWSW9Y3220swlIEYxIOIcJIc8prgzDbECt3CR/BsRDYNZA5uxdPYLwh1YtTX8GEqoctJifLrC4OomKkczDek9k/MHdFbWZ0LdK3AB287nr/Q4Lb8GgfU3bEhF+AMSWM8r/OHC1QBPYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYbH8npyFsC3rADnjfFsB4VkkiNDDIZbZkV2vBf3sJ49Q1Y3uHugWxITWImKjfl+YUdGMalbSfP8UueKSx3sDGQQDXZjzrwnX3KPie0Qiz2rQtrppB7dA5CvOb86Q== guest

The above is just a single line in the file.
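One check worth running before handing the key out, as an added example that is not part of the original post: sshd will only chroot a user if the ChrootDirectory and every parent directory up to / are owned by root and not writable by group or others, which is what the chown root:root above satisfies; the script below walks that chain and prints anything that would make sshd refuse the login. It assumes GNU stat(1); the demo tree is constructed under a temporary directory, and the required owner uid is a parameter only so the demo can run without root.

```shell
#!/bin/sh
# Added example (not from the original post): verify that an sshd
# ChrootDirectory satisfies the rule sshd enforces before it chroots a user:
# the directory and every parent up to / must be owned by root and must not
# be writable by group or others. Get it wrong and the login is refused with
# "bad ownership or modes for chroot directory". Assumes GNU stat(1).

# Print one problem per line for $1 and its parents, stopping before $2
# (default: none, i.e. check all the way up to /). $3 is the owner uid that
# is required (0 for sshd; a parameter only so the demo can run unprivileged).
check_chroot_dir() {
  path=$1
  stop=${2:-}
  want_uid=${3:-0}
  while [ "$path" != "$stop" ]; do
    uid=$(stat -c %u "$path") || { echo "$path: cannot stat"; return 1; }
    perms=$(stat -c %A "$path")          # e.g. drwxr-xr-x
    [ "$uid" = "$want_uid" ] || echo "$path: owned by uid $uid, expected $want_uid"
    [ "$(echo "$perms" | cut -c6)" != "w" ] || echo "$path: group-writable ($perms)"
    [ "$(echo "$perms" | cut -c9)" != "w" ] || echo "$path: world-writable ($perms)"
    [ "$path" != "/" ] || break
    path=$(dirname "$path")
  done
}

# Demo on a constructed tree under a temporary directory. Only the chroot
# itself is checked here (stop=$base) because the temp dir's own parents are
# not root-owned; on a real server run: check_chroot_dir /home/sftpuser
demo() {
  base=$(mktemp -d)
  mkdir -p "$base/sftpuser/uploads"
  chmod 755 "$base/sftpuser"             # as adduser + chown root:root leave it
  chmod 755 "$base/sftpuser/uploads"     # user-owned upload dir is fine: not part of the chain
  echo "== chroot with correct modes (expect no output) =="
  check_chroot_dir "$base/sftpuser" "$base" "$(id -u)"
  chmod 775 "$base/sftpuser"             # common mistake: group-writable chroot
  echo "== group-writable chroot (sshd would refuse the login) =="
  check_chroot_dir "$base/sftpuser" "$base" "$(id -u)"
  rm -rf "$base"
}
demo
```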

With the above setup, a Linux user can simply run the following to transfer a file to my server in a very secure way.

sftp -P55522 sftpuser@lufamily.ca <<< 'put /usr/bin/bash uploads/sample.bin'

The above command will upload the bash binary to my server.

An attacker trying to log in over ssh will get the following:

❯ ssh -p 55522 sftpuser@lufamily.ca
This service allows sftp connections only.
Connection to lufamily.ca closed.

On Linux or macOS, the remote user can use ssh-keygen to create the key pair; by default the public key resides in ~/.ssh/id_dsa.pub. All I need to do is copy the contents of the public key and add it to my .ssh/authorized_keys.

Windows users can generate the key using Windows PowerShell. Below is an example:

> ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (C:\Users\kang/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in C:\Users\kang/.ssh/id_rsa
Your public key has been saved in C:\Users\kang/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:hV6vcChUwpxXXXXXXXXXXXXXXXXXXXXXXXXXX0aTkJZ2M kang@win10
The key's randomart image is:
+---[RSA 4096]----+
|  . Eo.==..      |
|   * *+++=+      |
|  . @ oo.=+* .   |
| . = o..B+=.* .  |
|  .   .oSO.o..   |
|       ..oo.     |
|          .      |
|                 |
|                 |
+----[SHA256]-----+

> cat .\.ssh\id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZQQWgIVShifqFxq78MWQEJrM2xrVQXlPHUncNosEm6P/l0LdWu1nRbIccKMNsmpPK7JOv9XF+CsrtlltnhwDqiuflCGftzhrlmBz8BOJRiwD0Fl1IfQ+Qg7Z1nvIo6+kpkBw7SGPN7fbJxDPPHmc9iPB4RnlG46v6ymd4KM0h1cGlReCly2PTxTG1dcPuDbrBIIdEHoN/40hojrooQf+cQNprvYZY59EjvC0NoZsfiKGDHHq3S7HRPGns9Oo4y8vFl1DrJZFIvBVdjjL28JsmIdeKbMhCynkzIkPLPvsiplxkEF0RQ9fFcIsucuD8leJmMDNPas+8EdueQ== kang@win10

To copy a binary, you can do the following:

> sftp -P55522 sftpuser@lufamily.ca
Connected to lufamily.ca.
sftp> put "C:\Windows\System32\tar.exe" uploads/junk.exe
Uploading C:/Windows/System32/tar.exe to /uploads/junk.exe
tar.exe                                                                               100%   54KB  13.1MB/s   00:00
sftp> ls
uploads
sftp> cd uploads
sftp> ls
junk.exe    sample.bin
sftp>

The above is very similar to Linux and the Mac. Windows and its PowerShell have come a long way in adopting POSIX-like capabilities.

For those who want to use WinSCP, a much nicer GUI on Windows, you will need to convert the .ssh/id_rsa private key into PuTTY's .ppk format. Use the command below to achieve this.

"c:\Program Files (x86)\WinSCP\WinSCP.com" /keygen id_rsa /output=id_rsa.ppk

You can then set up WinSCP authentication and load the ppk file.

So what I thought would be a simple matter turned out to be quite a deep rabbit hole. Hopefully with this in place, future transfers can be done quite quickly and securely.

Zhou Shen 周深 9.29Hz World Tour

Both my wife and I are Zhou Shen's fans. We have been following him since 2019, just when we first started to follow Chinese media content. This was around the time the Covid-19 pandemic hit. We watched a variety show called Our Song (我们的歌), and he was one of the many talented young singers.

Ever since, I have been following his shows as well as listening to his songs. In December 2024, when he concluded his national tour in China, he announced that he would extend his tour to other countries. We were pretty excited but held our excitement in check because Toronto might not be one of the cities.

As it turned out, he will hold an event here in Toronto on March 14, 2025 (𝛑 day) at the Coca-Cola Coliseum!

Today is the actual date when tickets went on sale. Carol found the promotional code ZS929TO so that we can be eligible for presales at 1:00pm EST.

Many days before today, I made sure my TicketMaster account was in order with all of my payment information up to date. Twenty minutes before 1:00pm, I was signed on to the site and ready to order. I don't know if it was luck or standard procedure, but 10 minutes before 1:00pm I decided to refresh the page. After the refresh, I was in the official queue!

We started out in the mid-5000s, and the screenshot above showed that the queue came down pretty fast; still, we were pretty pessimistic about our chances. It took about 15 minutes for us to finally enter ticket sales and seat selection.

The seat selection process was also pretty difficult because every time we chose the seats, they were already taken. I finally just asked the system to give me the most expensive seats and was lucky enough to find two.

And… We Got Them! They were not cheap, but glad that we secured two tickets.

I double-checked that the tickets were recognized on the TicketMaster app on my iPhone, and added the tickets to my Apple Wallet. Can’t wait!

Cellphone Roaming on our China Trip

We just returned from our month-long China trip, and I wanted to comment on our roaming strategy.

While in Canada, our cell service provider is Koodo, which offers Easy Roam packages. Effectively, when you land in a foreign country, the first time you answer or make a voice call or send a text message, roaming is automatically engaged at $14/day in the US and $16/day in other countries. I believe other cell providers like Rogers, Telus, and Bell offer a similar service at comparable costs. With this approach, 30 days would cost us $480 for each number and almost $1,000/month for both numbers.

Both my wife and I recently acquired iPhone 16 Pros, which are eSIM-capable and unlocked phones. We can, therefore, consider eSIM services for travel. One of the most popular services is Airalo. Airalo provides various packages for different countries or regions. Each package gives you a different data capacity within a certain date range. For example, at the time of this writing, they have a $40.50 package per 30 days that gives you 10GB of data in China, with the option of topping up should you need more. You can already see that this is ten times less than Easy Roam!

I have used Airalo in Mauritius, France, Dubai, Hong Kong, Japan, and China. The trick is to download the Airalo app. Use the app to purchase the package that matches your travel itinerary, and be sure to install the eSIM on your phone while you have a stable Wi-Fi connection before you travel. Once the eSIM is installed it will try to activate. This will usually fail, and that is the expected behavior, because you typically install your eSIM in your home country and not in the country of service. I usually turn off the eSIM before arrival; when you arrive, simply turn on the eSIM and ensure Data Roaming is turned on. The clock starts ticking as soon as your eSIM is activated. Also, ensure that your Cellular Data is set to your Airalo eSIM, which is usually named "Secondary" or "Travel". You can customize the label under "Cellular Plan Label".

The relevant iOS 18.1.1 setting screens

The downside to using something like Airalo is that it only provides data. For voice, you typically have to use something like FaceTime, WhatsApp, or WeChat substitutes. This is a bit inconvenient but definitely workable.

Some like to turn off their "Primary" line, which in my case is the original Koodo line. The reason for this recommendation is so that you do not accidentally use this line while roaming. I personally like to keep my primary line on so that I continue to receive two-factor authentication text messages. However, if I make the mistake of answering a call on my primary line, I automatically incur the $16/day Easy Roam charge, so beware! If you are not sure, turn off your "Primary" line to avoid this risk.

Although Airalo worked in China, we wanted a more permanent solution for China since it is a country we visit frequently. We decided to opt for a local cell plan from one of the three major service providers: China Mobile, China Telecom, and China Unicom. We went with China Mobile. For this to work, your phone must be unlocked and also have a physical SIM tray, because Chinese service providers do not support eSIM for their normal plans. This also gives us a voice plan, which is another advantage. We ended up paying for a 19 RMB (< $4 CAD) per month plan that gives us 5GB of data and 100 minutes per month. Unfortunately, to be eligible, we had to spend 1,500 RMB (~$300 CAD) upfront for a giveaway Vivo Y37 phone. Carol is using that phone as an audiobook player, so it is not all lost.

Going with a local provider like China Mobile also means we can receive two-factor text messages while in Canada. This is important because we use certain financial service apps, like banking apps, that are tied to our Chinese numbers. We also found that using China Mobile while touring in China means problem-free use of Chinese mobile services, such as booking train trips, hotels, renting bikes, and ordering takeout. Previously, when we were using the Nihao service, we found that certain services like renting a bike were either not available or extremely tedious to set up, such as requiring registration of your passport.

Having a China Mobile subscription also means that we can have a local bank account tied to our WeChat account. This makes buying things more convenient and allows us to avoid the 3% surcharge Alipay adds when paying with a linked credit card. Our preference is to use WeChat Pay, which is tied either to our Hong Kong bank account or to one of our Chinese bank accounts. Unfortunately, opening a Chinese bank account is an exercise in patience in itself. I will not get into that here.

One final bonus of a China Mobile subscription is that I now also have the option of using China Mobile roaming plans, which I found are either equal to or lower than the Airalo options. I tried this in both Hong Kong and Dubai. The roaming plan worked, but I was still behind the Great Chinese Firewall (GCF) while roaming. However, I do have voice roaming with this option.

To get access to things outside of the GCF, I find LetsVPN is the best VPN service. It worked in all the Chinese provinces and cities that I visited. I needed this VPN service to access my work online assets as well as our Koodo voicemail. To gain access to our Koodo voicemail, I used a softphone app on my iPhone with my company's VOIP.ms account to call the Koodo voicemail access number in North America, which is +1 (647) 580-4001. Therefore, when we get voicemail on our Koodo account, we can use this approach to check it without incurring roaming charges. The softphone is also a great option for making voice calls to North America from China without incurring any long-distance charges. If I used my China Mobile or Koodo line to make the call, I would be charged roaming, long distance, or both.

I probably make it sound more complicated than it really is. Overall it should be very manageable and there are plenty of roaming options out there other than the $16/day Easy Roam option.

Retiring the Greenhouse

We have had a greenhouse in our backyard since the summer of 2015 (almost a decade ago). The greenhouse lasted much longer than we thought, given that it is just a thin aluminum structure with transparent plastic wall and roof sidings.

Greenhouse just before teardown

We are planning a sunroom extension and had to remove the greenhouse. This past Saturday, October 19, was the day marked for disassembly. A friend of mine agreed to disassemble the greenhouse and will later attempt to erect and reuse it on his property.

No more greenhouse!