About Voodoo Business

Voodoo Business is a blog about technology and other things I consider magical, such as carpentry and crafts. If you are looking for a different type of magic, I apologize; the name might be misleading.

And sometimes I cover some not so magical shit about non-technical experiences that I sometimes go through (none yet, but it is a possibility).

I understand that modern technology doesn’t provide all types of magic (getting your love life back, cursing someone, you know….), so I think it is appropriate to at least serve you a list of devices and tools to help you out…

  • ouija boards
  • Quality bakhour and sand
  • Crystal balls
  • Tarot cards

Learning tailwind

For website speed, I am considering Tailwind, a CSS framework that acts more like a library than a framework.

I will be adding my notes here, and the links at the bottom.

Which is better, Tailwind or Bootstrap?

Well, like I said above, you are comparing apples to oranges: while it is very easy to spot a Bootstrap theme when you see one, Tailwind is more like CSS extended, so you have elements that you can use in your design, but your design is yours 😉

Some of the cool tutorials I have found….

Traversy Media : Tailwind CSS Crash Course (30 minutes)
Traversy Media : Tailwind Crash Course | Project From Scratch (1:30)
Net Ninja – Tailwind CSS Tutorial

Unprivileged containers made simple on Debian 12 (Bookworm)

New plan

I sent a previous version of this to a friend to spare myself the need to explain to him what to do, and he found the tutorial confusing! Instead of the old arrangement, having colors to denote what lines are for what task, I have decided to SEPARATE THIS INTO FOUR PARTS….

1- LXC info
2- Shared system setup
3- Privileged LXC step by step
4- Unprivileged LXC run by new user step by step
5- Unprivileged LXC run by root user step by step

I hope this clears things up. The color codes will still exist, mostly because I have already done the work!

Legend

Blue = Common (both privileged and unprivileged)
RED = Privileged containers (less secure)
Green = Unprivileged containers (more secure)

Following Blue and Red instructions will end up with privileged containers (BAD), following Blue and Green will end up with unprivileged containers (Good).

How to read

If you know what you want and are only interested in the guide, scroll down to Step 1 of the section you need. If I were in your shoes, I would at least read all the titles before getting to Step 1 and see if there is anything interesting before I start.

This post has a hands-on tutorial for running unprivileged LXC containers, a step-by-step LXC guide so to speak, but before I get down to the steps, I decided to include all the things you might need to know about LXC and LXD. So if you know what you are looking for, scroll down to the “Step by step guide”, and make sure you took a look at the COLOR LEGEND.

Why yet another tutorial?

Most of the tutorials online focus on creating an extra user to use with LXC; that is one way to do it, with a few drawbacks. The other way is to create a range of subordinate IDs for the root user; the advantages of doing it this way are related to “autostart” and filesystem sharing between host and guest.

As per usual, the primary goal of every post on this blog is my own reference; the internet is full of misleading and inaccurate stuff, and when I come back to a similar situation, I don’t want to do the research all over again.

Privileged VS unprivileged

Privileged containers are generally unsafe; the only advantage of privileged containers is that they are very easy to set up.

Privileged containers share the same root user with the host, so if the container’s root user gets compromised, the attacker can sneak into the host system. Hence, unprivileged is more secure, but involves some work initially to set up.

What is the problem with privileged containers?

It is relatively easy to deploy LXC (which also happens to be what is powering LXD)… You install it, run a command to create a container, and voila, a whole new Linux system within your host Linux system, sharing the same kernel as the host… But there is one caveat: if a malicious user/application compromises your container, he/she would have also compromised the host machine automatically. How? The root user on both is the same user!

The solution: unprivileged containers

In come unprivileged containers. In this setup, we either map a user ID to root within the container, or still use root but through subordinate IDs. So instead of having the host’s user ID for root (usually zero) also be root inside the container, we create a user outside the container (or a subordinate ID of root) and instruct the kernel to map this user’s ID and treat it as ID zero inside the container. So if a malicious user gets access to the container and ends up breaking out of it, they will find themselves logged on as a different user, with privileges very close to those of the user nobody, or in other words, barely any privileges.

’Nuff with the theory, what do I need to do?

You set up LXC, then depending on the type of container and user you need, you may want to set up the Linux kernel to use that user as root in the container. To make that happen, you will need to take a few steps to give that user the required privileges and nothing more than what is required; nothing complicated about those steps either. So let us get started.

Scenario 1- LXC, privileged, no complications, but low security

To clarify, making a privileged container does not stop you from making unprivileged containers later, BUT the unprivileged containers need to be different containers 😉 so you might make a privileged one, then replace it with an unprivileged one.

Step 1: Install LXC!

Enable Unprivileged User Namespaces

It is enabled by default. To make sure that it is, run the command below; if it returns “kernel.unprivileged_userns_clone = 1” you are good to go.

sysctl kernel.unprivileged_userns_clone

If for any reason it is not enabled (0), you can enable it in /etc/sysctl.d by editing the file “/etc/sysctl.d/00-local-userns.conf” and adding the following line (if the file does not exist, create it):

kernel.unprivileged_userns_clone=1

Once done, run the command:

service procps restart

Create the user

You can call the user whatever you want; I chose to call the user lxcadmin, which is an arbitrary choice. To create a user we issue the following command.
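Whichever owner you pick for the container (lxcadmin, or root through subordinate IDs as this post prefers), the kernel will map container UID 0 onto that user’s subordinate range, so it is worth checking what that range is before going further. The POSIX shell helper below is an added example, not from the original post: it reads the “name:start:count” entries from /etc/subuid and /etc/subgid, checks that the ranges stay clear of real host accounts and of each other, and prints the matching lxc.idmap lines. The lxc.idmap config key, the default.conf path and the LXC_USER variable are assumptions on my part and are not mentioned in the post.

```shell
#!/bin/sh
# Added example, not part of the original post: derive the LXC id-map
# lines for the user that will own an unprivileged container from its
# /etc/subuid and /etc/subgid entries ("name:start:count"), and check
# that the ranges are sane. Assumes the LXC config key lxc.idmap
# (LXC 2.1 and later, so Debian 12's LXC). Files are passed as
# arguments so the functions can be exercised against constructed input.

# Print "start count" for the first subordinate range of user $2 in file $1.
subid_range() {
    awk -F: -v who="$2" '$1 == who { print $2, $3; exit }' "$1"
}

# A range is safe when it starts at or above 65536 (well clear of the
# host's system accounts and regular users, which start at 1000 on
# Debian) and is big enough for a full 16-bit uid space in the container.
range_is_safe() {
    [ "$1" -ge 65536 ] && [ "$2" -ge 65536 ]
}

# Fail if any two ranges in a subid file overlap: a container root mapped
# onto another user's range could act as that user on the host.
ranges_disjoint() {
    awk -F: '{ s[NR] = $2; e[NR] = $2 + $3 }
        END { for (i = 1; i <= NR; i++) for (j = i + 1; j <= NR; j++)
                  if (s[i] < e[j] && s[j] < e[i]) exit 1 }' "$1"
}

# Emit the two lines to put in the container config (for the root-owned
# variant, /etc/lxc/default.conf is the usual place; assumed, not from
# the post). Args: user subuid_file subgid_file.
idmap_lines() {
    u=$(subid_range "$2" "$1")
    g=$(subid_range "$3" "$1")
    if [ -z "$u" ] || [ -z "$g" ]; then
        echo "no subordinate uid/gid range for $1" >&2
        return 1
    fi
    set -- $u $g    # now $1=uid start $2=uid count $3=gid start $4=gid count
    range_is_safe "$1" "$2" && range_is_safe "$3" "$4" || return 1
    printf 'lxc.idmap = u 0 %s %s\n' "$1" "$2"
    printf 'lxc.idmap = g 0 %s %s\n' "$3" "$4"
}

# Stand-alone demo against the real host files, when they exist.
# LXC_USER is a hypothetical variable: the container owner to look up.
if [ -r /etc/subuid ] && [ -r /etc/subgid ]; then
    ranges_disjoint /etc/subuid || echo "warning: overlapping ranges in /etc/subuid" >&2
    idmap_lines "${LXC_USER:-root}" /etc/subuid /etc/subgid || true
fi
```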

Configure AppArmor

AppArmor is enabled by default on Debian 10 (buster) and later. AppArmor is recommended, as it adds a layer of security which may prove vital for a system running your virtual machines.

To check whether it is enabled on your system or not, you can run the following command:

cat /sys/module/apparmor/parameters/enabled

If the above returns the letter Y, AppArmor is enabled, and you need to set it up to allow for our unprivileged setup.

Website building checklist 2023

Long gone are the days when you published a simple page and search engines sent you traffic. In this day and age, even that page, no matter how important the content in it is, needs to be on a website that meets certain criteria:

  • Privacy Policy: A privacy policy is essential; I will enumerate all the things that you will lose for not having a privacy policy right after this list
  • Cookie banner: or any notification in general, asking the user for consent to use cookies
  • Mobile and small screen compatibility: the most common form of that is a responsive design (no design at all can often be responsive as well, but that is a different topic altogether). This compatibility also includes the spacing of clickable content, as well as showing elegantly on small screens
  • Speed: Search engines seem to like faster websites more, as it improves their visitors’ experience
  • Create distinctive favicons of various sizes; they help people identify your website in search results and other places, so whether they are looking for something they have seen on your website before, or want to find the tab in their browser, you make it easy for them

Why does my SSD slow down when copying large files?

So you have a budget SSD, something like the Kingston A400, and halfway through a multi-gigabyte file it slows down!

Come to think of it, this SSD does not have a DRAM cache, and should be slower but more consistent, right? After all, you can’t run out of cache when there is no cache!

The answer is NO. Just because it does not have a RAM cache, or even actual SLC flash, does not mean it is writing casually to its MLC flash; the controller uses trickery to speed up writing and sometimes reading.

Most drives with no RAM cache (examples below) use a method called Single Level Cell mode cache, but even this name is misleading: your cheap drive does not have “Single Level Cell flash memory” inside of it. Instead, it utilizes its own MLC by writing single entries to it (one bit of a multi-level cell), then re-copying it the normal way.

When you are copying a large file to the disk, once all the blank space usable in that single-level mode has been consumed, the disk is writing directly to the 3-dimensional MLC flash, which is, in most cases, slower than a mechanical hard drive for sequential writes!

The most common such controller is the Phison PS3111-S11-13. It is a relatively good controller if your purpose does not require super fast SSDs; it has some cool features including bad block management (spare flash that automatically replaces bad cells), besides standard features like S.M.A.R.T. It also supports native command queuing (NCQ) and ECC error correction, so all in all, this post is not advice to stay away; it is just here to explain that it will be slow.

Examples of such disks:

Kingston A400
– 240GB = Phison PS3111-S11-13
Silicon Power A55
– 1TB = Phison PS3111-S11-13

How to pick a domain name registrar

Factors to consider

First of all, the choice depends on 3 things, or 4, but to me the fourth is not very important:

  • PRICE for a given TLD (TLD = .com, .net, etc…) and its persistence
    This is probably the most important factor; there is no such thing as “performance” here, as your registrar does not run the TLD’s registry. Something to take into account is also the renewal price next year.
  • Whether or not you plan to use their “usually free” nameservers (most people will use their web host’s nameservers and not the registrar’s)
  • The business stability of the registrar: when a registrar goes down, you might find your domains with a registrar who picked up all the domains the sunken registrar had, and if you were using the old registrar’s add-on services, you will end up needing to redo them, and probably find a different registrar that you like to move those domains to.
  • And last but not least, the interface and speed of the registrar’s website and tools. I don’t think this is very important, as most registrars have a usable interface and you will only need to use it infrequently.

Which one do I recommend?

I personally use more than one registrar. For some TLDs, I use Namecheap, and for the more standard TLDs (like .COM etc…) I used GoDaddy for a long time, then I switched to a GoDaddy reseller (PoloDomains); it has the same exact products (and phone support) as GoDaddy, and in my experience this reseller has very persistent prices that are lower than those of GoDaddy themselves, not to mention that GoDaddy keeps surprising me with different pricing when the time comes to renew. Again, GoDaddy is a good registrar that checks all the boxes, but the reseller is more or less just cheaper. Other good, well known registrars include namesilo.com, Google Domains (not recommended, as Google is selling it to another company), Name.com, domain.com and many others that you can research online…

Get it for free when it makes sense

Some web hosts offer free domain names for as long as you are paying for your hosting. This is not exactly a catch, but it might be, so what I do is decide on a web host through reviews and what have you, and if that web host offers free or cheap domains with their web hosting, then that is where I will get my domain. But mind you, when I make the choice, I subtract 1/12 of the normal domain price (what you would pay if you used a separate registrar) from the monthly hosting fee, and then compare the web hosts with the new discounted price tag; the last thing I want is to get stuck with a bad web host because they offer a free domain, that would be a very bad decision.

When is the registrar relevant to performance?

The main function of a registrar is to sell you domains and register them with a registry. After registering them, the registrar also informs the registry of what nameservers to use with the domain name. After that, the registrar in its strict form has no technical function until you either want to renew that domain or change the nameservers attached to it; a web request (from a website visitor, for example) does not pass through your registrar.

The above remains true unless you opt to use one of those free DNS services that are provided by many registrars. In this scenario you are using the registrar’s DNS servers instead of your host’s or a third party’s, which is not a bad idea depending on the quality of your registrar: GoDaddy (and its resellers) provides a free DNS service that uses anycast! Anycast is a cool internet technology where the user will be using the closest DNS server to them without knowing, effectively cutting down the latency of the DNS request.

NGINX – Common tweaks

If you are processing data with nginx and PHP-FPM, you might want to increase the following timeouts.

“504 Gateway Timeout” is what you get when nginx has been waiting for a response from php-fpm for too long; you can fix that with:

  • Increase the PHP maximum execution time in /etc/php.ini: max_execution_time = 300
  • Increase the PHP-FPM request terminate timeout in the pool configuration (/etc/php-fpm.d/www.conf): request_terminate_timeout = 300
  • Increase the nginx FastCGI read timeout (in /etc/nginx/nginx.conf): fastcgi_read_timeout 300;

Updating the firmware on my 2TB Seagate Barracuda

Why update the firmware !

My answer here is a bit unconventional, and certainly not a fact… I even think I am wrong, but it can’t hurt, so here it goes.

Seagate recommends you update the disk’s firmware to improve the performance and longevity of the hard drive; I, on the other hand, have an extra mission…

The firmware on a hard drive is stored partially on a chip on the PCB, and partially on the disk itself! I know that disk platters have a data retention life of 10 years, and the area where the firmware is written is never refreshed, since it is only read when the disk boots up. So I am hoping (even though doubtful) that the firmware update might re-write this area of the disk and breathe new life into it.

A certain disk application claims to refresh the data in that area of the disk; after testing that application I will come back here and add my findings accordingly.

Getting the firmware

Let us start by downloading the firmware! To download firmware from Seagate’s website, you will need to know your hard drive’s serial number. To do just that, open an elevated command prompt and run the following command:

wmic diskdrive get model,serialnumber

The result of me running that command shows that I have a hard drive of the model ST2000DM001-1CH164, as you can see, with a serial number that I now have (I am masking serial numbers just in case Seagate has a problem with me publishing them, as the serial number is what allows you to download the firmware)…..

Now that I have the serial number, I can go to Seagate’s firmware download page here and grab the firmware… Once done, I unzip it, and the following folders appear:

Creating a bootable USB flash disk

Now, inside the Bootable tools folder, there is a file (SeaChest_RC_2.7.4_10-18-2018.usbBootMaker.exe) that will create a bootable flash stick for you. Insert a flash stick of any size (it will be wiped by this application) and run the application; now you have a bootable drive, but without the firmware, so copy the firmware folder you see above onto the flash stick, and now you are ready to boot from it. For instructions on how to boot from a flash stick, you will need to check your motherboard manufacturer’s documentation, but it is usually a simple thing such as hitting F11 at boot time.

Updating the firmware

Once booted, you should be presented with a Linux command prompt, where we can run commands to update the firmware.

To see what disks are on your system, run the following command:

SeaChest_Firmware --scan

The scan should give you the handle for the drive. If you have never used Linux before, the handle starts with /dev/ (short for device), and SATA disks usually show up as sdX (where X starts at a and ends with a letter corresponding to the last disk you have in your system); old PATA disks usually start with hdX… but that is usually not something you need, as PATA disks are virtually non-existent at this stage.

Now, execute the firmware update command like so:

SeaChest_Firmware -d /dev/sg3 --downloadFW /firmware/filename.LOD

Now, if you want to know whether the update was successful or not, just run the scan command again and note the firmware revision it reports!

My Problem !

As you can see from the image below, I have 3 firmware files, named 1TB, 2TB, and 3TB. When I ran the command above, the system claimed that the update was successful but didn’t really update the firmware; I was still stuck with 26 rather than 29!

So I decided to use Seagate’s own configuration file to do the update, with the command:

SeaChest_Firmware -d /dev/sg3 --fwdlConfig GPCC2949.CFS

The surprise was that I got the following error:

model matched but the current firmware version does not match the available updates

So, I went back in time and remembered that for this particular disk, I had changed the PCB before (trying to get a 3TB disk to work by moving a certain chip from one board to the other; the diagnosis turned out to be that the problem was not the PCB)… So instead of flashing the 2TB firmware file, I flashed the 3TB one, and what do you know, it worked.

Anyway, I will come back with screenshots of the whole thing… and more data for those who are having trouble updating their firmware. Until then, hang in there.