Multiplay Labs

tech hits and tips from Multiplay

Quick way to upgrade php dependencies using FreeBSD’s pkgng

without comments

Even though the new FreeBSD package manager, first introduced 10.0-RELEASE, is significantly better than the old one it still doesn’t deal with all dependency issues when performing an upgrade.

One case where it trips up is when upgrade php that has pecl or pear modules install due to the fact that the ports tree doesn’t have the required dependency information.

This can result in a broken php install which modules that fail to load as they haven’t been upgraded.

As of pkg v 1.3.5, which fixed the -f option to upgrade, a simple fix for this is to run the following:

pkg upgrade
pkg upgrade -f `pkg info -x pecl pear | awk -F'-' '{for (i=1;i<NF-1;i++) { printf $i FS } print $i NL }'`

If your running php-fpm then restart it:

/usr/local/etc/rc.d/php-fpm restart

Written by Steven Hartland

August 15th, 2014 at 5:42 pm

Posted in FreeBSD

Tagged with , , ,

Using up-to-date ports on FreeBSD before 8.4

without comments

As you’ll likely have found the ports tree is now incompatible with FreeBSD before 8.4 so if you haven’t migrated off earlier versions e.g. 8.3 (which is now EOL) then the latest ports tree will no longer compile due to missing features in make and a missing native unzip.

The following will get it all working again.

First update make with a copy from 8.4 (this assumes your running amd64:

mdconfig -f FreeBSD-8.4-RELEASE-amd64-livefs.iso
mount_cd9660 /dev/md0 /mnt
cp -p /usr/bin/make /usr/bin/make.bak
cp /mnt/usr/bin/make /usr/bin/make
umount /mnt
mdconfig -d -u 0

Next install unzip, its actually in the 8.3 source but was never installed due to a missing line in /usr/src/usr.bin/Makefile

cd /usr/src/usr.bin/unzip
make && make install

Now you’ll be good to update your ports tree and compile :)

Written by Steven Hartland

June 8th, 2014 at 4:13 am

Posted in FreeBSD

LANcache – Dynamically Caching Game Installs at LAN’s using Nginx

with 45 comments

Last year we posted our Caching Steam Downloads @ LAN’s article which has been adopted by many of the LAN event organisers in the community as the baseline for improving download speeds and helping avoid internet saturation when you have 10′s – 1000′s of gamers at events all updating and installing new games from Steam.

This rework builds on the original concepts from our steam caching, brings in additional improvements from the community, such as the excellent work by the guys @ as as well as other enhancements.

Due to the features used in this configuration it requires nginx 1.6.0+ which is the latest stable release at the time of writing.

Nginx Configuration
In order to make the configuration more maintainable we’ve split the config up in to a number of smaller includes.

In the machines directory you have lancache-single.conf which is the main nginx.conf file that sets up the events and http handler as well as the key features via includes: custom log format, cache definition and active vhosts.

include lancache/log_format;
include lancache/caches;
include vhosts/*.conf;

The custom log format adds three additional details to the standard combined log format “$upstream_cache_status” “$host” “$http_range”. These are useful for determine the efficiency of each segment the cache.

In order to support the expanding number of downloads supported by LANcache we’ve switched the config from static mirror to using nginx’s built in caching.

In our install we’re caching data to 6 x 240GB SSD’s configured in ZFS RAIDZ so we have just over 1TB of storage per node.
To ensure we don’t run out of space we’ve limited the main installs cache size to 950GB with custom loader details to ensure we can init the cache quicker on restart.
The other cache zone is used for none install data so is limited to just 10GB.

We also set proxy_temp_path to a location on the same volume as the cache directories so that temporary files can be moved directly to the cache directory avoid a file copy which would put extra stress on the IO subsystem.

proxy_cache_path /data/www/cache/installs levels=2:2 keys_zone=installs:500m inactive=120d max_size=972800m loader_files=1000 loader_sleep=50ms loader_threshold=300ms;
proxy_cache_path /data/www/cache/other levels=2:2 keys_zone=other:100m inactive=72h max_size=10240m;
proxy_temp_path /data/www/cache/tmp;

Here we define individual server entries for each service we’ll be caching, we do this so that each service can configure how its cache works independently.
In order to allow for direct use of the configs in multiple setups without having to edit the config files themselves we made use of named entries for all listen addresses.

The example below shows the origin server entry which listens on lancache-origin and requires the spoof entries

We use server_name as part of the cache_key to avoid cache collisions and so add _ as the wildcard catch all to ensure all requests to this servers IP are processed.

For performance we configure the access log with buffering.

# origin
server {
        listen lancache-origin accept_filter=httpready default;
        server_name origin _;
        # DNS entries:
        # lancache-origin
        access_log /data/www/logs/lancache-origin-access.log main buffer=128k flush=1m;
        error_log /data/www/logs/lancache-origin-error.log;
        include lancache/node-origin;

The include is where all the custom work is done, in this case lancache/node-origin. There are currently 5 different flavours of node: blizzard, default, origin, pass and steam.

Origin’s CDN is pretty bad in that currently prevents the caching of data, due to this we’re force to ignore the Cache-Control and Expires headers. The files themselves are very large 10GB+ and the client uses range requests to chunk the downloads to improve performance and provide realistic download restart points.

By default nginx proxy translates a GET request with a Range request to a full download by stripping the Range and If-Range request headers from the upstream request. It does this so subsequent range requests can be satisfied from the single download request. Unfortunately Origin’s CDN prevents this so we have to override this default behaviour by passing through the Range and If-Range headers. This means the upstream will reply with a 206 (partial content) instead of a 200 (OK) response and hence we must add the range to the cache key so that additional requests are correctly.

The final customisation for Origin is to use $uri in the proxy_cache_key, we do this as the Origin client uses a query string parameter sauth=<key>

Blizzard have large downloads too, so to ensure that requests are served quickly we cache 206 responses in the same way as for Origin.

All Steam downloads are located under /depot/ so we have a custom location for that which ignores the Expires header as Steam sets a default Expires header.

We also store the content of requests /serverlists/ as these requests served by give us information about hosts used by Steam to process download request. The information in these files could help identify future DNS entries which need spoofing.

Finally the catch all / entry caches all other items according to the their headers.

This is the default which is used for riot, hirez and sony it uses standard caching rules which caches based on the proxy_cache_key "$server_name$request_uri"

Required DNS entries
All of the required DNS entries are for each service are documented their block server in vhosts/lancache-single.conf which as of writing is:
lancache-steam * *






You’ll notice that each entry starts with lancache-XXXX this is entry used in the listen directive so no editing of the config is required for IP allocation to each service. As we’re creating multiple server entries and each is capturing hostnames using the _ wildcard each service must have its own IP e.g. lancache-steam =, lancache-riot =, lancache-blizzard =, lancache-hirez =, lancache-origin = and lancache-sony =

Hardware Specifications
At Insomnia 51 we used a hybrid of this configuration which made use of two machines working in a cluster with the following spec:

  • Dual Hex Core CPU’s
  • 128GB RAM
  • 6 x 240GB SSD’s ZFS RAIDZ
  • 6 x 1Gbps Nics
  • OS – FreeBSD 10.0

These machines where configured in a failover pair using CARP @ 4Gbps lagg using LACP. Each node served ~1/2 of the active cache set to double the available cache space to ~1.8TB, with internode communication done on using a dedicated 2Gbps lagg

LANcache Stats from Insomnia 51
For those that are interested at its initial outing at Insomnia 51 LANcache:

  • Processed 6.6 million downloads from the internet totalling 2.2TB
  • Served 34.1 million downloads totalling 14.5TB to the LAN
  • Peaked at 4Gbps (the max capacity) to the LAN

Config Downloads

Written by Steven Hartland

April 30th, 2014 at 3:33 pm

Posted in FreeBSD,Gaming,Nginx

Battle.Net Installer Error Code: 2600 Fix

without comments

If you’re installing Battle.Net, required and installed as the initial part of Blizzard games such as Starcraft II & Hearthstone, and the installer fails with the message:

Whoops! Looks like something broke. Error Code: 2600

This can be caused by a bad download, which can be the result of a proxied web connection.

Proxies, particularly caching proxies, can translates the Blizzard downloaders HTTP request with the Range header into a full request, which is subsequently returned as is to the client i.e. 200 OK response containing the full file. The downloader was expecting a 206 Partial Content response but appears to only check for 20X response, hence it doesn’t spot the issue and builds its full file incorrectly.

To make matters worse the downloader stores this file in the Windows temporary directory and doesn’t delete it either on failure or before trying to download it again such as if the installer is restarted.

If you’re using nginx prior to 1.5.3 as a caching proxy then this will happen if your the first person to download the file, after which 206 responses are correctly returned for Range requests using the cached file. This behaviour was changed in 1.5.3 when an enhancement to return 206 for on the fly caching responses was added. To be clear this isn’t technically a bug in nginx, the spec allows for a server to return 200 OK response to a Range request, its the Blizzard downloader that’s at fault for not correctly processing 200 OK then its expecting 206 Partial Content.

If you have your Battle.Net installer bugged like this simply delete the Blizzard directory from your Windows temporary directory %TEMP% and re-run the installer after fixing or disabling your proxy.

Written by Steven Hartland

April 15th, 2014 at 12:23 am

Posted in Gaming,Nginx

ruby bundle gems to vendor

without comments

It should be easy but the commands to use bundle to setup gems into a rails vendor directory for production are a little longer than expected so here goes for reference:

bundle install --without development:test --path vendor/bundle -j4 --deployment

And to test everything is working as expected:-

bundle exec rails console production

If things don’t work make sure you’ve previously not run bundle install without a --path, if you have clean up the gems that where installed into the system path and try again.

Written by Steven Hartland

April 11th, 2014 at 4:14 pm

Posted in Rails

FreeBSD ZFS mmap corruption fix

without comments

Recently there was a corruption bug fixed in FreeBSD when running with ZFS the fix corrects the boundaries of the cleared range in page_busy.
The main patch required is:
* r258353

For those running FreeBSD 8.3 the following two patches are also required:
* r248946
* r248960

Written by Steven Hartland

November 24th, 2013 at 5:09 pm

Posted in FreeBSD,ZFS

Installing Intel 82579V drivers on Windows 2008 R2

without comments

We recently found ourselves trying to install Windows 2008R2 on a 2 year old Intel Sandy Bridge system with an Intel 82579V onboard network card.

As part of the install, we pushed out the standard Intel ProWinx64 drivers, along with Intel Chipset Software installer to install all missing drivers.
Annoyingly this left us without a working network card, which is slightly bit problematic when trying to finish off the install remotely.

After debugging and searching on google we found this thread on the Microsoft Technet forums where the user MGerio is having a very similar issue to ourselves.

It turns out the fix is to extract the ProWinx64.exe file to a folder on the desktop and update a single inf file:

Edit PRO1000\Winx64\NDIS62\e1c62x64.inf
Find the following section

ExcludeFromSelect = \

This needs replacing with just:

ExcludeFromSelect =

Further down in this file, you’ll need to update the [Intel.NTamd64.6.1] block to also include:

; DisplayName Section DeviceID
; ----------- ------- --------
%E1502NC.DeviceDesc% = E1502, PCI\VEN_8086&DEV_1502
%E1503NC.DeviceDesc% = E1503.6.1.1, PCI\VEN_8086&DEV_1503

Following on from this, you should be able to run APPS\PROSETDX\Winx64\DxSetup.exe
This will then do the install with the local edited files and install the missing drivers

Written by Dan Offord

November 22nd, 2013 at 5:11 pm

Posted in Networking,Windows

Tagged with , ,

Adding a certificate to certdata.txt

without comments

First off you’ll need addbuiltin, which is part of nss tools.

On FreeBSD this is built but not installed as part of /usr/ports/security/nss.

Next you’ll need your cert in der format. If you have the cert in pem format openssl can convert it for you:

openssl x509 -in cert.crt -outform der -out cert.der

Finally append your certificate to certdata.txt using:

addbuiltin -n "Nickname for Certificate" -t "CT,C,C" < cert.der >> certdata.txt

Written by Steven Hartland

November 20th, 2013 at 10:45 am

Posted in FreeBSD

Fix for MMC could not create snap-in for Group Policy Object editor

without comments

If when you run gpedit.msc you just get the following error

MMC could not create snap-in because of the current user policies.
Name: Group Policy Object editor
CLSID :{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}

The one reason is that the Group Policy Object editor has been restricted for the current user. You can check and possibly change this with the registry entry:


If the value of Restrict_Run is 1 then you will get the error, if you have enough permissions simply setting it to 0 will allow you to run the Group Policy Object Editor without any further issues.

Written by Steven Hartland

November 10th, 2013 at 10:57 pm

Posted in Windows

sftp-server umask not working under older versions

without comments

Older versions of openssh’s sftp-server, such as the version shipped in 8.3-RELEASE, includes a bug which means the command line option for umask is not processed correctly.

This can be used to support chroot’ed sftp only as done via the following block in

Subsystem   sftp    internal-sftp
Match group chroot
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp -u 0477

The following patch fixes this issue:

--- crypto/openssh/sftp-server.c.orig	2013-09-27 15:10:32.089496594 +0000
+++ crypto/openssh/sftp-server.c	2013-09-27 15:12:06.128649706 +0000
@@ -1378,7 +1378,7 @@ sftp_server_main(int argc, char **argv, 
 	SyslogFacility log_facility = SYSLOG_FACILITY_AUTH;
 	char *cp, buf[4*4096];
 	const char *errmsg;
-	mode_t mask;
+	long mask;
 	extern char *optarg;
 	extern char *__progname;
@@ -1412,11 +1412,11 @@ sftp_server_main(int argc, char **argv, 
 				error("Invalid log facility \"%s\"", optarg);
 		case 'u':
-			mask = (mode_t)strtonum(optarg, 0, 0777, &errmsg);
-			if (errmsg != NULL)
-				fatal("Invalid umask \"%s\": %s",
-				    optarg, errmsg);
-			(void)umask(mask);
+			mask = strtol(optarg, &cp, 8);
+			if (mask < 0 || mask > 0777 || *cp != '\0' ||
+			    cp == optarg || (mask == 0 && errno != 0))
+				fatal("Invalid umask \"%s\"", optarg);
+			(void)umask((mode_t)mask);
 		case 'h':

Written by Steven Hartland

September 27th, 2013 at 3:41 pm

Posted in Code,FreeBSD