Category: Technology

Posted on

Solo tre parole: benchmarking local LLMs

“Solo tre parole: non sei solo.”

Six Italian words. The first three announce “only three words”. The last three deliver “you are not alone”. Read it again, slowly. The same word “solo” opens and closes the sentence, but it does different work each time: first as the adverb “only”, then as the adjective “alone”. And the supposedly three-word reassurance, non sei solo, contains exactly three words. The sentence is about itself. It is also, quietly, a little gem1.

I gave it to a small zoo of local language models running on a laptop, asking each to translate it into English while preserving every nuance it could. What followed was more interesting than the question deserved. One model invented wordplay that did not exist. Another saw the cleverness with full clarity, articulated it precisely, and then ignored it. A third produced a candidate translation so contorted it was almost charming. And the model that most clearly understood the puzzle took sixteen minutes to say so.

This is the story of that afternoon.

Why the phrase is sneakier than it looks

Translation, at its dullest, is word substitution. At its more interesting, it is constraint satisfaction under aesthetic pressure: keep the meaning, keep the tone, keep the rhythm, and if there is a clever trick in the source, ideally keep that too. Translating is a highly skilled job.

Solo tre parole: non sei solo hides three small tricks in plain sight.

The first is lexical polysemy. Italian solo is doing two jobs in the same sentence: a quantifying adverb at the start, an existential adjective at the end. Same form, different role, different meaning. English has no single word that pulls double duty in quite the same way; we are forced to split the echo into two distinct lexical items, and the gentle internal rhyme of the original collapses.

The second is self-reference. The opening clause announces the length of the second clause, and the second clause delivers exactly that length. Non sei solo is genuinely three words. The sentence describes itself accurately. Most English candidate translations, like “you are not alone”, break this property: four words, not three. To preserve the self-reference, you need a contraction (“you’re not alone”) or some less natural construction.

The third is register. The sentence is intimate, minimalist, the kind of thing one writes on a postcard or sends as a message at a hard moment. It is not florid, it is not formal. Anything that translates the meaning but reaches for “you are not in solitude” misses the point entirely.

So that is the brief: hold polysemy, self-reference, and register together in six English words, or any possible alternative. Possible, but only just.

The setup

I tested everything through Ollama on an M4 MacBook Air with 24GB of RAM, using the same prompt across all models. Although, I have a PC with a better GPU and cooling, but the GPU memory would not be able to handle most of the tested models. That’s why my passively-cooled MacBook was transformed into a LLM powerhouse.

The prompt asks the model to do five things, in order:

  1. Provide a literal gloss.
  2. Identify any wordplay, double meanings, self-referential structure, register choices, or cultural framing.
  3. Explain the genuinely hard parts.
  4. Offer two or three candidate translations, each with what it preserves and what it sacrifices.
  5. Pick a recommended translation and justify the choice.

The structure is deliberately fussy. Small local models tend to leap straight from “I see Italian” to “here is a translation”, missing every interesting layer along the way. Forcing a literal gloss first slows them down. Forcing multiple candidates with explicit trade-offs makes them name what they are giving up. Asking for justifications stops them waving their hands.

The lineup, more or less in order of running:

  • llama3.1:8b
  • granite4.1:8b
  • mistral-small3.2:24b
  • gemma4:e4b (small) and gemma4:26b (large), both with native thinking mode
  • deepseek-r1:8b and deepseek-r1:14b, both with native thinking
  • qwen3.6:27b, with thinking
  • gpt-oss:20b, with thinking

All Q4_K_M quantisation, except gpt-oss which uses MXFP4. So roughly comparable on the quantisation front, with one small caveat for the gpt-oss numbers.

How small models fail when asked to be clever

The most striking failure was llama3.1:8b. Asked to find subtlety in the source, it confidently told me that tre is phonetically similar to t’re, “which sounds like ‘there'”. This is invented. There is no such pun. The model, faced with a request to find wordplay, hallucinated wordplay rather than admit it could not find any.

This is the worst sort of small-model failure. A miss is recoverable; a fabrication looks like analysis and is not. If you do not speak the source language, you have no way to check. The model produced clean prose, confident structure, and made-up linguistics underneath.

granite4.1:8b did better as it identified the solo/solo polysemy but its account of what the polysemy actually did in the sentence collapsed into incoherence. It missed the self-referential count entirely.

These are the small-model results in a nutshell: 8B parameters at Q4 quantisation does not appear to be enough capacity to hold polysemy, structural self-reference, and register all at once. Something has to give, and it does.

The analysis–translation gap

A more interesting failure showed up in the larger models. gpt-oss:20b is the cleanest example.

It saw the polysemy: “solo occurs twice, first as the adverb ‘only’, then as the adjective ‘alone'”. It saw the self-reference: “the phrase claims that the whole sentence consists of just three words”. Then in step 3, it noted, in plain English: “the English equivalent — ‘Only three words: you are not alone’ — has four words, so the exact numeric precision is lost.”

It saw the problem with full clarity. Then it proposed three candidates, none of which solved the problem, and recommended one that did not either.

deepseek-r1:14b showed the same shape. Sharp analysis, all candidates fail the count, recommendation flat.

This is more interesting than “didn’t see the problem”. These models did see it. They simply could not turn the seeing into a generation constraint. Identifying a problem and constructively satisfying it are, apparently, separate skills. Constraint identification looks like memorisation and pattern-matching; constraint satisfaction in English requires the model to feel its way to “you’re not alone” (counting the contraction as one word, which is the cleanest fix available) rather than describe its way there.

What thinking mode actually buys you

gemma4:26b with thinking mode enabled was the only model in the batch that caught everything and knew it had caught everything. Its analysis used phrases like “lexical echo” and “semantic mirror”. Its recommended translation, Just three words: you’re not alone, came with an explicit note: treating the contraction “you’re” as a single word preserves the 3:3 word count of the original. It did not stumble into the answer; it reasoned to it.

I then ran the same model with /set nothink. Same weights. Same prompt. Different answer.

The non-thinking version flatly stated, “there is no linguistic wordplay in the sense of puns.” This is wrong. With thinking off, Gemma’s failure mode collapsed neatly onto Mistral’s, missing the polysemy entirely.

That single comparison — same model, same query, thinking on versus off, opposite verdicts on whether wordplay even exists — is the cleanest demonstration I have seen of what reasoning-at-inference-time actually contributes. It is not just a quality boost. It is the ability to revise a first impression. Without thinking, the first pass is the answer, and a confident first pass can be confidently wrong.

A small experiment with Mistral

mistral-small3.2:24b does not have native thinking. So I tried to fake it.

Upon a suggestion from Claude (see credits at the bottom of this post), I added a “step 0” to the prompt:

Before writing the visible sections, work through the source carefully: list the words individually, check whether any word appears more than once, decide for each repeated word whether the meanings are the same or different, and check whether the announced word count matches any clause in the sentence.

With this addition, Mistral suddenly caught the solo/solo polysemy it had missed completely on its first pass. The capability was in the base model; what had been missing was the procedure for using it. The hypothesis was cleanly confirmed as Mistral could see polysemy, which it simply did not bother in one pass.

There was a twist. With the new instruction, Mistral lost track of the self-referential count, which it had caught in the original run. As if attention is a budget: spend it forcing one feature, lose it on another. Whether that is a real effect or a coincidence on this single sentence, I genuinely cannot tell.

The same run also gave me a textbook example of confabulation under structural pressure. One of Mistral’s candidate translations claimed to “preserve the shift from ‘only’ to ‘alone'” while sacrificing “the explicit count of three words”, but the candidate phrase was Three words only: you’re not alone. The words “three” and “words” are right there. The count is preserved. The model invented a sacrifice that did not exist, because the prompt asked for three differentiated candidates and only two of them were genuinely different.

The cost of cleverness

Capability is one axis. Speed is another, and there were surprises here too.

ModelEval rate (tok/s)Wall clock
gpt-oss:20b25,640 s
gemma4:26b25,653 s
llama3.1:8b20,821 s
deepseek-r1:8b19,01m 14s
granite4.1:8b18,627 s
deepseek-r1:14b10,81m 41s
mistral-small3.2:24b7,250 s
qwen3.6:27b2,815m 57s

A 24B model running at 7,2 tok/s on the same hardware as a 26B model running at 25,6 tok/s is not what parameter-count instinct would predict. The biggest single factor turns out to be embedding dimension. Mistral’s 5.120-wide embeddings cost roughly 3,3× more compute per token than Gemma’s 2.816-wide ones, and that ratio matches the speed gap almost exactly. On Apple Silicon, where memory bandwidth is the binding constraint for inference, narrow-and-deep beats wide-and-shallow.

qwen3.6:27b is more puzzling. It has the same 5.120 embedding as Mistral and DeepSeek 14B, yet ran at 2,8 tok/s, far slower than width alone explains. With 17GB, the model is comparable in size with gemma4:26b, and it is at the limit of what a MacBook Air with 24GB can run without memory pressure being too high. But the Gemma model was able to answer in less than a minute, so likely it is deeper, or has unoptimised inference paths in Ollama for that architecture, or pays an overhead for its 262.144-token context length. Whatever the cause, sixteen minutes for a single-sentence translation is not interactive. Quality-wise it was strong. Usability-wise it is unusable.

And the commercial chatbots?

A fair sanity check: how do the cloud-hosted models do on the same prompt?

ChatGPT (free version, GPT-5.5 as of writing) and Perplexity in default mode both performed at roughly the level of mistral-small3.2 or granite4.1: identifying one of the two layers, missing the other, recommending a flat translation. Defaulting to a consumer-friendly model presumably trades depth for cost, and the trade-off shows.

Perplexity with the Sonar model reached the gemma4:26b level: both layers caught, count preserved. Gemini in Fast+Thinking mode matched it too. So far, no surprises.

Claude with Opus 4.7 in Adaptive mode (which appears to engage thinking) also matched gemma4:26b on the first pass. But when I pushed it to convey everything from its own analysis in the translation rather than declaring trade-offs, it came back with something none of the other models had produced:

Three words alone: you’re not alone.

That is genuinely clever. The word “alone” appears twice, doing different work each time — first as a postpositive adverb meaning “merely” or “by themselves”, then as the predicate adjective meaning “solitary” — directly mirroring the solo/solo echo of the original. The post-colon clause is exactly three words. Register holds. It is the only translation across the entire test, local or commercial, that preserves all three constraints simultaneously.

The wider observation, perhaps: the gap between the best commercial cloud chatbot and the best local model on a MacBook Air is now smaller than the gap within either category. A well-chosen local model beats a default-mode commercial chatbot. And the difference between a thinking and non-thinking variant of the same model is larger than the difference between one good thinking model and another, regardless of where it runs.

Takeaways, more or less

A few things I will be carrying forward from this afternoon.

Parameter count is a poor proxy for almost everything. A 24B model can be slower than a 26B one and produce weaker analysis. Architecture, training, and inference mode all dominate. “Size class” is a simplification that hides every interesting variable.

Thinking mode does real work. When a task requires anything more than one-pass pattern-matching — counting, cross-referencing, constraint satisfaction — disabling thinking will silently cripple the model. The same gemma4:26b confidently denied wordplay existed without thinking, and confidently dissected it with thinking. If your local model supports /set think, leave it on for anything subtle.

Identification is not satisfaction. Several models cleanly described the problem and then produced answers that ignored their own description. Knowing the constraint and respecting it during generation are separate capabilities, and the second one is rarer.

Confabulation is the worst failure mode. Llama 3.1’s invented phonetic pun, and Mistral’s invented preserves/sacrifices justifications, are more dangerous than missing an answer. Missing leaves you uncertain; confabulating leaves you confidently wrong. Smaller models do it more, but no model is immune.

Local LLMs on a laptop are remarkable but not magical. A MacBook Air can now run models that catch literary wordplay in a foreign language. It can also run models that hallucinate confidently and sound convincing whilst doing it. The gap between those two modes is, increasingly, the more important question.

For what it is worth, my favourite translation remains the one gemma4:26b reasoned its way to:

Just three words: you’re not alone.

Three words. Precisely. With deliberate intent — and in a sentence about being seen, that is the whole point.

1: I got the idea while reading this article from The Guardian: ‘Being human helps’: despite rise of AI is there still hope for Europe’s translators? by P. Oltermann.

The full prompt and raw model outputs are available on request.

Credits: The translation prompt and the draft of this post were developed in conversation with Claude Opus 4.7 (Anthropic). Any errors of judgement remain mine 😉.

Posted on

How to make a Docker container read-only

There are many ways to harden a Docker container, one is to make the container layer read-only.

This might be a marginal improvement to security, first your application should not run as root or has special privileges (e.g. CAP_DAC_OVERRIDE), so there is limited risk that an attacker exploiting a vulnerability of your application can modify sensitive applications. However, if you install your application within a Dockerfile as the application user (e.g. using bundle install) make the base layer read-only might protect it from unwanted modification.

I also like the idea of an immutable base layer and clearly identifying the writing data and if they should be persisted or not. I also relate that to security, because the better you know the behaviour of an application, the better you can adapt a confinement for it.

Setting the base layer read-only is somewhat challenging. Setting a container image to read-only is simple, there is a --read-only flag to the docker run command. But identifying which data is written by the containerised application can be a challenge One task is thus to identify all written data and defining of they should be persisted in a volume or not persisted. In the latter case, one could then use a tmpfs volume or a local volume (in a Swarm cluster).

We are going to use Docker layering approach to identify the written data. How to check the difference varies depending on the storage backend and they are too numerous for me to list each cases, I might complete the article in the future but today I will show how to use the BTRFS and Overlay2 backend.

What I am going to explain is based on the current implementation of the Docker storage backend as described in their respective guides. Each guide explains how the backend works, and by extracting that information I could find a way to compare the layers.

Continue reading “How to make a Docker container read-only”
Posted on

Revisiting getting docker-compose on Raspberry Pi (ARM) the easy way

Whale

Two years ago I was publishing a post to build docker-compose on an ARM machine. Nowadays, you can find docker-compose on PyPI. However, if you intent to run docker-compose on a platform without Python dependencies, you might still be interested in my guide which generates an ELF binary executable.

My previous guide has worked well until release 1.22.0 after which the Dockerfile.armhf (which was merged) has been upgraded to match the changes for the X86-64 platform but broke my build instructions. The builds seems to work and generate an executable but it fails to run due to missing dependencies:

+ dist/docker-compose-Linux-armv7l version
[446] Failed to execute script docker-compose
 Traceback (most recent call last):
   File "bin/docker-compose", line 5, in 
     from compose.cli.main import main
   File "/code/.tox/py36/lib/python3.6/site-packages/PyInstaller/loader/pyimod03_importers.py", line 627, in exec_module
     exec(bytecode, module.dict)
   File "compose/cli/main.py", line 13, in 
     from distutils.spawn import find_executable
 ModuleNotFoundError: No module named 'distutils'

I have not found the root-cause of the problem as I am not familiar with tox, but it looks like a configuration problem of that tool. So I decided to simply use Python3 built-in virtualenv.

As in my previous guide, you need to clone the repository and choose a branch. You can take the release branch or a specific version branch (e.g. bump-1.23.2).

$ git clone https://github.com/docker/compose.git
$ cd compose
$ git checkout bump-1.23.2

The two next shell commands should modify the original build script to use virtualenv and to add the missing dependencies (which are correctly installed in the tox environment but would be missing in ours).

$ sed -i -e 's:^VENV=/code/.tox/py36:VENV=/code/.venv; python3 -m venv $VENV:' script/build/linux-entrypoint
$ sed -i -e '/requirements-build.txt/ i $VENV/bin/pip install -q -r requirements.txt' script/build/linux-entrypoint

Now you can follow the exact same steps as in the previous guide. In summary:

$ docker build -t docker-compose:armhf -f Dockerfile.armhf .
$ docker run --rm --entrypoint="script/build/linux-entrypoint" -v $(pwd)/dist:/code/dist -v $(pwd)/.git:/code/.git "docker-compose:armhf"
$ sudo cp dist/docker-compose-Linux-armv7l /usr/local/bin/docker-compose
$ sudo chown root:root /usr/local/bin/docker-compose
$ sudo chmod 0755 /usr/local/bin/docker-compose
$ docker-compose version
docker-compose version 1.23.2, build 1110ad01
docker-py version: 3.6.0
CPython version: 3.6.8
OpenSSL version: OpenSSL 1.1.0j  20 Nov 2018
Posted on

Linux kernel 5.0+ switching to Multi-Queue Block as default

Hard Disk Drive
For one of my Raspberry Pi, I am maintaining myself my own kernel. By that I mean that I’m using the kernel repository from the Raspberry Pi Foundation but I am defining the configuration of the kernel myself. My goal is to make the kernel low latency, hardened and with specific drivers compiled instead of given as modules.

Recently I upgrade it to kernel version 5.0.0-rc8 and now to 5.0.0. At first I thought there was an error in the RC8 because I did not see the CFQ (Complete Fair Queue) or Deadline I/O schedulers (block layer I/O schedulers). But when the stable version was out, there was no longer a doubt, either they had been moved to a new section or removed. The new default scheduler was the mq-deadline Multi-Queue Block scheduler and there are two other alternatives as module: BFQ (Budget Fair Queueing) and Kyber.

Linux kernel 5.0+ is defaulting to blk-mq

I then discovered that Linux kernel 5.0.0 has dropped support for the legacy block schedulers and now only support the multi-queue block (blk mq) schedulers. That is a very interesting move, the multi-queue schedulers should provide better scalability so performances by using parallelism in hardware. On the desktop or a Raspberry Pi, I do not expect to see any improvements, but for servers there could be a win.

Sources:
Posted on

Home network improvements – Setting up a Firewall

Closed Door at Gateway in Forbidden City

This is the fourth blog post about my home network improvements series. I am sorry it is taking me so long to write all those posts, but each takes a lot of hours to write and I am balancing my life more towards family at the moment. I hope you can bear with me until the end.

Great Wall winding over the mountains
Walls need to adapt to their environment

In the previous post, we presented installed the OS and set up networking and routing.

We will now see how to add another very important feature the firewall.

  1. Router features list (published)
  2. Creating a basic router, defining the network and routing (published)
  3. Adding a firewall to our router (this post)
  4. Providing basic network services, DHCP and DNS (to be published)
  5. Testing the firewall (to be published)
  6. Extra services (to be published, could be splitted in more than one post)

So today’s post will present a simple but secure firewall installation.

As I have said in a previous article, I want to try out nftables instead of using iptables. But we will continue iterating on the previous post and use iptables instead one more time. I want to have a working router and then I can think of switching to nftables and solving integration with other tools.

A Basic Firewall

Firewall - Forbidden City Gateway
Firewall

We will use iptables command line to populate the firewall rules. As changing those rules from the command line is not persistent, a simple reboot will restore your OS in the previous configuration so if things do not workout or if we get locked out by a wrong rule, just reboot and restart to setup your firewall. Once we will be happy with the firewall, we will save the rule set and make it permanent.

For rules, we obviously do not want any traffic coming from the WAN to establish new connections inside our LAN or on our router. Only established connections should be allowed through, e.g. an HTTP response is allowed through the firewall so that we can browse the internet. We want some network services to still function, like ICMP or DNS messages to pass through the firewall. We do not want to filter the outgoing traffic for the moment, so everything from the LAN is allowed to reach the WAN.

I like to set default policies for the different iptables chains instead of relying on the last rule to do the policy for me. However, in order to avoid getting locked out, we will set those policies at the very end and always start by defining what is allowed. In order to define our firewall, we will work first with the main chains of the filter table (the default one). Mostly caring of incoming packets and IP forwarding rules.

Continue reading “Home network improvements – Setting up a Firewall”

Posted on

Home network improvements – Building a Basic Router

Loop Junction in Chicago

This is the third blog post about my home network improvements series.

Gateway Appliance Picture - License CC BY-SA by Cuda-mwolfe
Gateway Appliance – License CC BY-SA by Cuda-mwolfe

In the previous post, we presented what feature should we implement in our router.

We will now see how to implement the basic features which are routing, firewall and NAT, DHCP and DNS.

  1. Router features list (published)
  2. Creating a basic router, defining the network and routing (this post)
  3. Adding a firewall to our router (to be published)
  4. Providing basic network services, DHCP and DNS (to be published)
  5. Extra services (to be published, could be splitted in more than one post)

So today’s post will present in order:

  1. OS installation
  2. Network interfaces configuration
  3. Discussion on what is routing, with activation of packet forwarding, Network Address Translation (NAT) and IP Masquerading

For some items we will see today, we will start with basic functionalities that we will improve or iterate in subsequent posts. As I have said in a previous article, I want to try out nftables instead of using iptables. But many tools I would like to use to quickly create a router are still only supporting iptables as backend, and you cannot mix iptables and nftables. Such tools include systemd-networkd, Docker, or the version of firewalld which Ubuntu is currently supporting (note that firewalld version 0.6+ does support nftables as a backend). So in this first iteration and in order to relatively quickly create a basic router, we will use mostly iptables either through systemd-networkd support or via other tools.

Continue reading “Home network improvements – Building a Basic Router”

Posted on

Containers, volumes and file permissions

Permission Denied for Container’s Volume

There is a subject which seems to be completely abstruse to many users of containers on Linux, it is about sharing data between a host and a container or between containers.

I do think that solving this problem is not much different than it is without containers on Linux and on Unix. From my perspective, there is no much difference between managing file permissions with or without containers, the big change for me is the introduction of namespaces, especially the user namespaces.

So what is exactly the problem? And where does it come from?

The problem is that when running a process within a container, that process will run with a certain user and group ID (respectively UID and GID) and that those IDs might differ from the ones of the caller (the user creating and running the container), this might not be obvious. This is especially true with container technologies like Docker which by default will run the process within the container as root (unless overridden in the Dockerfile or command line) when any user with write access to the Docker socket can create such container. So you have by default a discrepancy for the UID and GID between the caller – probably a standard user – and a random Docker container.

In traditional Unix / Linux, this is “normal” or “expected” behaviour. You usually cannot run a process as root from your normal user unless you use sudo or a setuid program, so usually you do not have the problem that a program you launch might have different UID/GID than your own user. And when you use a program with sudo you understand that this might become a problem, so if you use sudo to run `tcpdump -w net-trace.pcap` you know the file net-trace.pcap will be owned by root and that you might not be able to access or delete it. This reflex needs to apply to running a container as well.

When you have done Unix/Linux development most of your career – and that you have adopted the principle of least privileges … I still know of few people only using the root account ;-) – you are used to create application that will run in the background (as a service) under a dedicated user and for which you need to handle the permissions for the data this application might need to use. So introducing containers (without user namespaces) should not bring any surprise here, it is part of the expectations. But you will see later that you can still be bitten by some edge cases from the container implementation.

So, let us see how to fix this problem of User/Group ID and file permissions. Note that the solution would be similar if you would use containers or not, and applies to all container implementations (e.g. LXC, Docker, etc.). Then, for everyone, we will see how to handle file permissions when using user namespaces (hint, the principles are the same, but it requires a few extra steps to understand what will be the effective UID/GID). Finally, in the case of Docker, we will see a few edge cases where you can still get off guard with respect to file permissions and volume declaration inside a Dockerfile.

Continue reading “Containers, volumes and file permissions”

Posted on

Home network improvements – What does a Router can do?

This is the second blog post about my home network improvements series.

Gateway Appliance Picture - License CC BY-SA by Cuda-mwolfe
Gateway Appliance – License CC BY-SA by Cuda-mwolfe

In the previous post, we have evaluated our options for a new router and the conclusion was to build the hardware from PC parts and to install OPNsense. However, given that our selected PC parts are a bit too recent, the embedded NIC (a i219V) inside the intel B360 chipset is not yet recognised by the underlying FreeBSD core.

Therefore, we will now see how to build a router from scratch based on Ubuntu 18.04 LTS. I will only configure it for IPv4 as currently my ISP provides only IPv4 connectivity. I am currently planning a series of several posts including that one, I will update that list along the newer articles:

  1. Router features list (this post)
  2. Creating a basic router (to be published, could be splitted in more than one post)
  3. Extra services (to be published, could too be splitted in more than one post)

Disclaimer: I am not a security engineer, although I am very familiar with many aspects of security and security analysis. I am also not a network engineer, although I am very knowledgeable in network protocols, network programming and network security. This article is an exercise for me to see how far I can build a router for SOHO purpose. I make no warranty that it works as intended, nor that I will maintain this article to keep it up to date with respect to network technology and threats. Use at your own risk.

Note: I am mostly going to avoid using any Ubuntu specific tools but of course some will be unavoidable (e.g. network IP address configuration). So this guide should apply to other Linux distributions. Of course there will be some adaptations to do, especially with respect to configuring the network interfaces as there are so many different tools to do that.

Continue reading “Home network improvements – What does a Router can do?”

Posted on

Home network improvements

Currently my home network is pretty simple … at least for a computer scientist! ;-)

Gateway Appliance Picture - License CC BY-SA by Cuda-mwolfe
Gateway Appliance – License CC BY-SA by Cuda-mwolfe

My ISP provided an all-in-one box with TV, landline and network router. The latter being very limited and with a crap WiFi access point (AP). So I’ve been using my old Asus RT-AC68U router as a gateway, a 24 ports switch and a Ubiquiti Unifi AP for providing WiFi in the complete house (and garden). The router and switch went into the basement whereas I’ve placed the AP roughly in the house centre. The ISP box could not be configured as bridge but supported to set a DMZ host, so I’ve configure the Asus router to be the DMZ.

Here is the basic setup:

+--------+             +--------+
|        |    DMZ      |        |          +------------------------+
|ISP Box +-------------+ Router +----------+ Switch                 |
|        |             |        |          +--+------+---+---+---+--+
+--------+             +--------+             |      |   |   |   |
                                              |      |   |   |   |
                                           +--+--+   +   +   +   +
                                           | AP  | Home Network / Lab
                                           +-----+

So I’m using only 2 ports on my router (or more exactly network gateway), the WAN and one on the LAN. This router is the peace in my current network I want to change and I will explain why and how.

Post updated on 2018-06-13.

Continue reading “Home network improvements”

Posted on

Ubuntu 18.04 (Bionic Beaver) – Some notable changes for sysadmin and Java dev

If you administer a Ubuntu server or if you are a power user, you might have a look at these particular changes in Ubuntu before and after upgrading. They can impact your installation and the way you use it.

  • NTP is no longer supported (part of Universe), you should use now Chrony. My opinion is that Chrony is not a bad choice either, it’s perhaps smoother in handling leap seconds (via smearing) but obviously less accurate than NTP in the case.
  • The local DNS resolver is no longer dnsmasq but systemd-resolvd. For most user this should be transparent. Note that if systemd-resolvd does not receive a DNS configuration, it will fallback to using Google Public DNS.
  • Network will be now managed by systemd-networkd (or still by NetworkManager on the desktop) for new installation. If you upgrade, you will still have the old `/etc/network/interfaces` file (and al) and the ifup and ifdown scripts. But this is no longer installed on new installation. Instead you have systemd-networkd and netplan. For people upgrading there is (not yet) clear path to switch to the new tools if wished.

Ubuntu 18.04 offers many more changes and I’m looking forward to upgrade my desktop and server. There are other changes not mentioned above which should be evaluated before upgrading. But I consider the above ones as core element which everybody needs whatever the purpose of the server is.

For developers, I would take care with Java and the OpenJDK. Ubuntu 16.04 LTS came with OpenJDK 8 which is the current LTS version of Java. The next LTS version of Java is 11 which is not yet published. Ubuntu 18.04 will come with OpenJDK 10 (a short-term support edition) by default and will switch the default to OpenJDK 11 when it will be released (hopefully only for new installation). Ubuntu will still provide OpenJDK 8 in universe for 18.04 with security support provided until EOL of Ubuntu 16.04 LTS (so until April 2021) to offer developer a transition time (while waiting for Java 11 to be published, matured and application migrated/validated on this new platform).

Privacy Policy Proudly powered by WordPress