Benchmarks have been conducted on a random KVM and WordPress. The latter’s plugins do not matter, because pages are only generated once and then cached.

The first blog, the one using a plain filesystem as cache, has been run with WP Super Cache plus on EXT4.
The second one utilized my plugin CDN Linker; see the caching branch for its source code. Nginx has been 1.1.12-r2 with HttpRedis 0.3.5; Redis 2.4.5.

Tests have been conducted by:

/usr/sbin/ab2 -n 50000 -c 5 -H 'Accept-Encoding: gzip' -k [url]

Results:

• filesystem – 17000 – 19000 requests per second, about 50-60 ns per request
• Redis – 5000 – 5200 requests per second, about 194 ns per request
• Redis w/o keepalive connection from Nginx – 1700-1900 rps, ~500 ns per request

I suspect that even if I connected Redis to Nginx through unix sockets (and not the usual TCP sockets) requests per second would only double, still significantly falling behind filesystem as cache. Nanoseconds per request would drop, though, but I do not believe that I will see anything near a three- or five-fold increase.

Ich kann es nicht mehr mit ansehen (hätte ich noch einen Fernseher) oder hören. “Studenten sind faul und ernähren sich ungesund. Wir helfen euch!” – ihr habt echt keine Ahnung oder nehmt nur selektiv wahr, um eure Shows oder Bücher abzusetzen.

Bedenkt, dass “Essen Machen” folgende Tätigkeiten beinhaltet:

1. Erwerb der Zutaten
2. ihr Vorhalten (Kühlschrank und so)
3. Zubereitung
4. Wiederherstellen von Küche, Geschirr und Werkzeug

… und das alles kostet Zeit. Wer davon wenig hat, der stellt selbst selten her, der hat als Student sicher schon Fermentation, Schimmel oder Fäulnis an Zutaten im Kühlschrank erlebt, die in bester Absicht zu Kochen (man kam ja nicht zu) erworben wurden. Nicht auf dem allmorgentlichen Frischmarkt – wir haben noch Veranstaltungen, Job und Klausuren! – sondern bei Gelegenheit in einem Supermarkt. Ohne Zutaten Frust beim Zubereiten, weniger auf Vorrat, weniger Grund ausschweifend Einkaufen zu gehen.

Während ihr in der Ausbildung Geld fürs Lernen bekommen habt, muss manch einer von uns auch noch Jobben. Darüberhinaus ich will euch sehen, wie ihr nach der Konstruktion eines Oszillographen (E-Tech), einem Semester Kryptologie (Informatik), dem Durcharbeiten von Kants Anthologie des Geistes (Philosophie oder Germanistik) oder der Beschäftigung mit Charismatikern zur Zeit Jesus (Theologie) samt abschließender Prüfung oder Hausarbeit noch energetisiert durch die Küche hüpft und in irgendeine Kamera lächelt. Und das war nur ein Zehntel eines Semesters. Vergesst die gute Note nicht. Etc. (Okay, wir könnten das. Aber nicht zehn Mal.)

Ich verrate euch auch ein Geheimnis: Gestern gab es bei uns Nürnberger Rostbratwürste samt kräutergefüllter Kartoffelecken; eine Mahlzeit davor Mousse au Chocolat mit Kornflakes. Und Rote Beete Suppe (Barszcz) macht man ohne Sahne, ihr Banausen. Ein wenig was können wir doch. Wenn wir Zeit dazu haben. Vielen Dank auch.

1. Sign up with Hurricane Electric for an IPv6 tunnel.
2. There, have a “regular tunnel” created.
3. Jot down the tunnel’s data.
4. Set up the tunnel at your router-to-be.
5. Turn on IPv6 at every of your local computers.

prerequisites

In this example I will use the data of my IPv6 subnet:

IPv6 Tunnel Endpoints
Server IPv4 Address: 216.66.80.98
Server IPv6 Address: 2001:470:145:76c::1/64
Client IPv4 Address: 92.196.95.188
Client IPv6 Address: 2001:470:145:76c::2/64
Routed IPv6 Prefixes
Routed /64: 2001:470:146:76c::/64

Make sure your Linux kernel has at least these features:

# zgrep -F IPV6 /proc/config.gz
CONFIG_IPV6=y
CONFIG_IPV6_SIT=y
CONFIG_IPV6_TUNNEL=y

… which is the case for most of the recent GNU distributions.

the tunnel network interface

Assuming you are running Gentoo Linux, edit /etc/conf.d/net with your favourite text editor so it looks like this:

dns_servers_eth0=(
        "::1"
        "127.0.0.1"
)

config_eth0=(
        "192.168.1.7 netmask 255.255.255.0 broadcast 192.168.1.255"
        "2001:470:146:76c::7/64"
)
routes_eth0=(
        "default via 192.168.1.1"
)

#### HE tunnel
RC_NEED_he6="net.eth0"
iptunnel_he6=(
        "mode sit remote 216.66.80.98 local 192.168.1.7 ttl 255 dev eth0"
)
mtu_he6="1280"
config_he6=( "2001:470:145:76c::2/64" )
routes_he6=( "default via 2001:470:145:76c::1 dev he6" )

I run a DNS server locally. If you don’t then skip lines 1-5.
Line 7, 192.168.1.7 is the local IPv4 address of my Linux box; nothing has been changed here.
What you see in line 8 is the IPv6 address of the box – an arbitrary one I have chosen from the “routed /64 IPv6 network”.

From line 14 on is the tunnel’s data. The “remote” is the IPv4 address which handles the other side of the tunnel. Make sure to use the address of the endpoint you have selected! Local address is the one from my and your LAN. Not your publicly visible IPv4 address, except the machine we are setting everything up is your actual router or in a DMZ. We can safely assume that is not the case.

Most probably you have noticed that the last two IPv6 addresses are not in the routed /64 subnet. Those are the “client” and “server” IPv6 addresses of the tunnel.

In order to have that new network interface started automatically you have to:

cd /etc/init.d
ln -s net.lo net.he6
rc-update add net.he6 default
/etc/init.d/net.he6 start

Although your tunnel is expected to work immediately, it took about two days for my (endpoint in Zurich) before it went online. The delay’s cause has been on Tunnelbroker’s side.

You can see if it is working by a ping to the endpoint’s IPv6 address:

ping6 -c2 2001:470:145:76c::1

distributing IPv6 addresses to your LAN

For that you will need radvd. Setup is straightforward:

emerge net-misc/radvd
rc-update add radvd default
nano /etc/radvd.conf
/etc/init.d/radvd start

Its configuration file looks like this:

interface eth0
{
        IgnoreIfMissing on;
        AdvSendAdvert on;
        AdvLinkMTU 1280;
        MaxRtrAdvInterval 300;
        prefix 2001:470:146:76c::/64
        {
                AdvOnLink on;
                AdvAutonomous on;
                AdvRouterAddr on;
        };
        RDNSS 2001:470:146:76c::7
        {
        };
};

Yes, that is the “route IPv6 /64 network” from above and the bottom IPv6 address is the one from my Linux box which is the IPv6 router.

That’s all. You have IPv6 in your LAN and (eventually, due to the delay I experienced above) a fully working IPv6 upstream connection, dash tunnel. Now come some extras.

clients: ditch Windows’s transitory IPv6 protocols

You don’t need Teredo and all the other strange stuff you most probably have not used anyway, anymore. You can deactivate it easily by:

netsh interface teredo set state disabled
netsh interface ipv6 6to4 set state state=disabled undoonstop=disabled
netsh interface ipv6 isatap set state state=disabled

clients: enable IPv6 privacy extensions

If you don’t enable IPv6 privacy extensions on all your local computers, they will auto-configure themselves addresses from their MAC. Their unique network identifiers. These IPv6 addresses have always the same suffix – no matter what the prefix is – making them globally traceable. You can easily spot them by paying attention to the “ff:fe” substring in the second half of a particular IPv6 address.

Here is a list of popular devices and their IPv6 privacy extension status: http://www.heise.de/netze/artikel/IPv6-Privacy-Extensions-einschalten-1204783.html
(“Ab Werk aktiv” means “enabled by default”. One line is incorrect: Windows Server 2008 R2 has them enabled by default.)

For older Android versions you will want to use this app: https://market.android.com/details?id=to.doc.android.ipv6config (Ipv6 Config)

server: DNS for Ipv6

Your own local DNS server (if you run one, that is) should listen on IPv6 requests. Check whether this already is the case:

netstat -tuanp | grep -F -e :53 | grep -F 'cp6'

Otherwise, for BIND9 you will have to alter /etc/bind/named.conf:

options {
        forwarders {
                // HE
                2001:470:140::2; 74.82.42.42;
        };
        listen-on-v6 { any; };
        allow-recursion {
                127.0.0.1; ::1;
                192.168.0.0/16;
                2001:470:146:76c::/64; 2001:470:145:76c::2;
        };
};

PowerDNS is configured by /etc/powerdns/recursor.conf (note the brackets in line 1):

local-address=127.0.0.1, [::1]
allow-from=127.0.0.1, ::1, 192.168.0.0/16, 2001:470:146:76c::/64, 2001:470:145:76c::2
query-local-address6=::1, 2001:470:145:76c::2
aaaa-additional-processing=on

server: Google, Youtube and IPv6

Although Youtube’s sites are delivered by IPv4 only, videos are pulled in through IPv6 if available to you. Unfortunately Youtube’s country-of-origin takes into account the IPv4 address. That means, if you lived in Germany or any other country and received messages such as “this video is not available in your country” you will want to access everything via your new IPv6 endpoint which ends probably somewhere else. In the UK or Switzerland, for example. So you need an IPv6 address for that remaining pages.

Google currently provides IPv6 address for its services on a white-list basis only. Luckily Hurricane Electric’s network is listed on it. So, here we go:

# dig aaaa @2001:470:140::2 +short www.youtube.com
youtube-ui.l.google.com.
2a00:1450:8007::5d
2a00:1450:8006::68
2a00:1450:4008:c00::5d

fin

Sites are neither faster nor slower with IPv6. But the tunnelling will add about 20ms (or more) to the latency. Most games connect to IPv4 servers only; surfing you won’t notice that small delay.

For example, you can set nice(10) levels, or have runs excluded from being logged by nolog flag or suppress emails by mail(false). One of the things I like the most is first(5), which executes the given command 5 minutes after booting; @lavgor,lavg selects the best moment within an interval or time-span. Oh, before I forget it. Take a look on %nightly, %hourly and friends.

And to be honest, syntax like 10 4 */2 * * *is* rather cryptic. With fcron you can write 2d, which is not only shorter but easier to read.

My crontab begins as follows:

# &  -  classic cron syntax
# @  -  frequency or timespan (every 30 minutes; with options: best moment within every 30 minutes)
# %  -  (once) within time interval

# classic cron syntax:
#
# * * * * * command to be executed
# - - - - -
# | | | | |
# | | | | +- - - - day of week (0 - 6) (Sunday=0)
# | | | +- - - - - month (1 - 12)
# | | +- - - - - - day of month (1 - 31)
# | +- - - - - - - hour (0 - 23)
# +- - - - - - - - minute (0 - 59)

Want to delete files from /tmp which have not been accessed for week or more? That’s how:

@ 1d    root  "find /tmp -atime +7 -exec rm -r '{}' \;"

Using Gentoo? Have your portage tree updated when your server is idle:

@lavgor,lavg(0.3),nice(5),mail(no) 3d  root  "eix-sync"

Need to run some logfile analyzer? The intervals are seen as one and Awstats is run within it once per night:

%nightly,mail(no)  * 22-23,3-5  root  /root/bin/runawstats.sh

Have fun!

Kleine, vielleicht 1×1 Pixel große Bildchen werden ungesehen auf seiner Seite (oder HTML Email) eingebunden und von einem anderem Rechner geladen. Etwa einem anderen als dem deines Email-Anbieters. Dieser Rechner wiederum schreibt schlicht mit, wer – d.h. von welcher IP-Adresse oder mit welchem besonderen Code oder Cookie – das Bild abgerufen hat, wann und von welcher Seite aus (“Referrer”). Das Prinzip nennt man bei den Kleinstbildern “Webbug” und generell “Tracking” – das Verfolgen und Mitschneiden von Benutzerbewegungen durch das Informationsangebot des Internets.

Diese Spuren vermengt ergeben dann ein “Benutzerprofil”, eine Akte, ein Dossier über – dich. Google, Flattr, Facebook (FB) und andere sind leicht in der Lage solche Profile anzulegen. Facebooks “like” Button beispielsweise findest du häufiger. Er ist zwar kein Bild, wird aber dennoch immer von FBs Rechnern geladen und ermöglicht ihnen das Tracking. Viele Werbeanzeigen werden übrigens auch von Rechnern Dritter geholt und führen zur gleichen Problematik.

Du kannst das alles unterbinden, indem du diese Teile von Homepages von vornherein nicht durch deinen Browser herunterladen lässt. Am einfachsten geht das über ein, zwei Plugins. Für den Firefox empfehle ich zu AdBlock Plus noch Ghostery; beide gibt es auch für Google Chrome (Downloads hier: Ghostery, AdBlock). Der “Like” Knopf wird so nur noch auf der Facebook Seite angezeigt, sonst nirgends.

Die Lösung, eine solche Sammlung erst gar nicht zuzulassen, ist es leider nicht. Aber zumindest ein erster Schritt um die Schwere des Mißbrauchs deiner persönlichen Daten zu verringern.

Therefore, if you read my blog with some RSS reader then please visit it with your browser for a new RSS feed link. Else you won’t get any new updates in the future.
If you want to follow both categories, the one about development and technology related stuff or the new one, then I am afraid you will have to subscribe to the two feeds.

And well, yes, this time I have to disappoint Scott.

How do you think about my new blog structure? Room for improvement? Drop me a line or two.

Here’s how I have done that and what you can do to optimize your blog:

1. Examine what elements (pictures, css) are loaded on every page.
2. Concatenate your CSS and JS files, minimizing them, to only one each.
3. Embed pictures into CSS.
4. Embed some of the pictures directly into HTML code.

merge all CSS and JS files into a single one

The most easiest way to accomplish (2) is like that:

ALL_CSS="unified-$(date +%Y%m%d).css"
for FILE in your.css css.css files.css another.css; do
    cat $FILE >> $ALL_CSS
done
clean_and_minimize_css.sh $ALL_CSS

See my merger.sh script for inspiration, for which you will need the remove_comments.sed, too.

After that optimization the waterfall chart for my first page was:

before http request minimizations

embed images into CSS

The third “column” of six images was due to my WordPress theme, Spotlight. Like the CSS file they are loaded once and are expected to be cached by the browser. Therefore I have embedded the images into that style sheet file by:

cd myblog/wp-content/themes/
for I in spotlight/images/top.gif ...; do
    sed -i -e "s#/wp-content/themes/${I}#data:$(file -b --mime-type ${I});base64,$(base64 -w0 ${I})#g" unified-20110211.css;
done

Obviously unified-20110211.css is my merged CSS file. The result was six requests less at the cost of 0.5 KB more data due to the base64 encoding; despite gzip compression of the CSS afterwards, that is. But unlike snappier transfer of data, the time for requesting resources (the “request-response delay”) is not accelerated by faster Internet connections. Therefore it has been a good trade-off which resulted in that new loading graph:

after embedding of images into CSS

Most probably you will want to stop optimizing your blog here. The next steps do only pay off if you have some relatively popular and thus frequently read sites, whose readers seldom decide to read other articles.

embed CSS into HTML for the front page

To minimize the amount of requests per visitor clicking on the front page (and some very popular, too) I embedded CSS into HTML of these pages by modifying header.php of the template:

< ?php if (is_home() || is_front_page()) { ?>


< ?php } else { ?>

< ?php } ?>

(Click on “<>” if the code doesn’t display correctly.)
One request less, 0.1 KB more data; but the page is displayed slightly, unnoticeable faster:

CSS file in HTML HEAD

embed images into HTML

Finally I have embedded the three images which are displayed on every page into HTML. You can do that by this PHP fragment:

function img_embed($iurl, $mime = 'image/png') {
        if (is_home() || is_front_page()) {
                echo chunk_split('data:'.$mime.';base64,'
                    .base64_encode(
                        file_get_contents($_SERVER['DOCUMENT_ROOT'].$iurl)
                ));
        } else {
                echo get_option('siteurl').$iurl;
        }
} ?>

The same as above applies here: Better allow your visitor’s browser to cache the files, and don’t embed them.

Embedding data into CSS or HTML works with Firefox, Chrome and even Safari, but not with Internet Explorer 7 and older. For the latter I don’t care anymore and, well, version 9 is already in the wild.

result: 13 requests down to 3

From 13 requests down to 3 for the front- and popular pages, and 6 requests less for any other page. Here is the before and after:

before: 13 requests

after: only 3 requests

By the way, the new destination is several KVM instances on a server from Hetzner’s and Amazon CloudFront.

pyzmq-2.0.10.win32-py2.7.exe

To install them:

1. extract the ZIP
2. run pyzmq-2.0.10.win32-py2.7.exe – it is a distfiles installer
3. copy libzmq.dll into the directory where your Python.exe is (not in the DLL folder of Python, where it won’t get found)

Update 2011-04-10: The ZMQ team has begun to publish Windows binaries themself at their Github page (there, click on “Downloads->view wall”).

• You can set up a bridge by the means of net-misc/bridge-utils without adding an interface to it.
• Connect your guests to that bridge.
• On the host, enable IP forwarding and have requests to any guest IP forwarded to that bridge.
• On the guests, set the host’s IP as gateway address.

Without (4) no packets from the LAN, constituted by the bridge, can find their way to the Internet and by (3) vice versa.

Provided following IPs (which you should change to yours):

main and thus host’s IP

188.40.1.17

three additional IPs

188.40.1.43

188.40.1.44

188.40.1.51

additional subnet

178.40.1.40/27

You will have to do:

1. On the host, install packages:

   emerge -n net-misc/bridge-utils sys-apps/iproute2

2. On the host, edit /etc/conf.d/net so it reads:

   modules=( "iproute2")
   
   # IP with mask, and gateway - as assigned by Hetzner's DHCP
   config_eth0=( "188.40.1.17/26")
   routes_eth0=( "default via 188.40.1.1")
   
   # Hetzner nameserver; could be your DNS resolver
   dns_servers_eth0=(
           "213.133.98.98"
           "213.133.99.99"
           "213.133.100.100"
   )
   
   brctl_br0=( "setfd 0" "sethello 2" "stp off")
   config_br0=("188.40.1.17/32")
   depend_br0() {
           need net.eth0
   }
   
   postup() {
           if [ "${IFACE}" = "br0" ]; then
                   # repeat that line for every IP but host's IP
                   route add 188.40.1.43 br0
           fi
   }

3. On the host, enable IP forwarding:

   # add "net.ipv4.ip_forward = 1" to /etc/sysctl.conf
   sysctl -w net.ipv4.ip_forward=1

   You will have to restrict forwarding to your own IPs by iptables. (See Sven Lauritzen’s blogpost for an example.)

4. On the host, have the bridge started automatically:

   cd /etc/init.d
   ln -s net.lo net.br0
   rc-update add net.br0 default

   You could start br0 right away if you want.

5. On every guest /etc/conf.d/net should look like:

   modules=( "iproute2" )
   config_eth0=( "188.40.1.43/32 peer 188.40.1.17")
   routes_eth0=( "default via 188.40.1.17")
   dns_servers_eth0=(
           "213.133.98.98"
           "213.133.99.99"
           "213.133.100.100"
   )

   … where the first in eth0 is the guest’s IP and the other as well as the in routes_eth0 host’s. With the “peer” thing the host is reachable by that guest without having to be in the same subnet.

By that you won’t waste a single IP address.