Smokes your problems, coughs fresh air.

Author: halfgaar (Page 19 of 26)

Halfgaar is Wiebe. Wiebe is a contributing author on this weblog. He also has a lot of stuff (such as long, in-depth articles) on his personal website.

Wiebe's day job is as a senior software developer and system administrator at YTEC.

In his free time, he built the free, open-source FlashMQ software. Together with Jeroen and Rowan, he is now building a managed MQTT hosting business around his open masterpiece.

Preventing syntax errors with old shell scripts

I was trying to install Unreal Tournament GOTY on one of my Linux machines. I downloaded and ran the script ut-install-436-GOTY.run, but I got this error:

cannot open `+6' for reading: No such file or directory 

This line caused it:

sum1=`tail +6 $0 | cksum | sed -e 's/ /Z/' -e 's/   /Z/' | cut -dZ -f1`

To fix it, I set this environment variable:

export _POSIX2_VERSION=199209

Apparently, this makes programs behave differently. Research is required to find out exactly what it does…
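What the variable does in this case: GNU coreutils still accepts the obsolete `tail +N` form, but only when _POSIX2_VERSION is set to 199209 (POSIX.2-1992); the portable spelling that every current tail accepts is `tail -n +N`. The following is an added example, not code from the installer or from the post: it rewrites the installer's self-check with the portable form and runs it against a constructed self-extracting file, so the check works without touching _POSIX2_VERSION. The header layout (CRC on line 2, payload from line 6) is an assumption made for the example.

```shell
#!/bin/sh
# Added example: the installer's integrity check with the portable "tail -n +N"
# form, so it runs without _POSIX2_VERSION=199209. The archive layout below
# (5 header lines, "sum1=CRC" on line 2, payload from line 6) is constructed.

# payload_cksum FILE START_LINE: CRC of everything from START_LINE onward,
# which is what the installer's `tail +6 $0 | cksum | ... | cut -dZ -f1`
# computes for START_LINE=6. GNU cksum prints "CRC LENGTH", space separated.
payload_cksum() {
    file="$1"; start_line="$2"
    tail -n +"$start_line" "$file" | cksum | cut -d' ' -f1
}

# verify_archive FILE: compare the CRC recorded in the header with the CRC of
# the payload that is actually present. Returns 1 on mismatch or missing header.
verify_archive() {
    file="$1"
    expected=$(sed -n '2s/^sum1=//p' "$file")
    actual=$(payload_cksum "$file" 6)
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# make_archive OUT: build a constructed archive with a correct header CRC.
make_archive() {
    out="$1"
    payload='echo "payload starts here"
exit 0
'
    crc=$(printf '%s' "$payload" | cksum | cut -d' ' -f1)
    {
        printf '#!/bin/sh\n'
        printf 'sum1=%s\n' "$crc"
        printf '# line 3\n# line 4\n# line 5\n'
        printf '%s' "$payload"
    } > "$out"
}
```

Running `make_archive ut.run && verify_archive ut.run` succeeds, and appending anything to the file makes the check fail, which is exactly the behaviour the original `tail +6` pipeline was meant to provide.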

Saving and loading iptables rules on Debian

For some reason, Debian can’t do “/etc/init.d/iptables save”, so we have to fix this ourselves. I used this article as a source, which also has some useful comments. Apparently, the iptables initscript used to exist…

To save, type:

iptables-save > /etc/iptables.rules

Make /etc/network/if-pre-up.d/iptables:

#!/bin/sh
iptables-restore < /etc/iptables.rules

Don’t forget to make it executable:

chmod +x /etc/network/if-pre-up.d/iptables
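A stricter variant of the hook, added here as an example (the post's own hook is the two-liner above): it refuses to bring the interface up when the rules file is missing or truncated, instead of silently coming up unfiltered. It relies on ifupdown exporting IFACE to pre-up hooks and on a failing pre-up hook aborting the interface, both of which ifupdown does; the restore command is a parameter so the checks can be exercised without root or iptables.

```shell
#!/bin/sh
# Added example for /etc/network/if-pre-up.d/iptables: fail closed rather than
# come up with an empty ruleset. Not the post's original two-line hook.
RULES="${IPTABLES_RULES:-/etc/iptables.rules}"
RESTORE_CMD="${IPTABLES_RESTORE_CMD:-iptables-restore}"   # overridable for testing

# restore_rules FILE CMD: feed FILE to CMD after sanity checks. Returns 1 on any
# problem; a non-zero exit from a pre-up hook makes ifupdown abort bringing the
# interface up, which is the fail-closed behaviour we want here.
restore_rules() {
    rules="$1"; cmd="$2"
    if [ ! -r "$rules" ]; then
        echo "iptables: $rules missing or unreadable, not bringing interface up" >&2
        return 1
    fi
    # iptables-save output always has at least one "*table" header and ends
    # with COMMIT; anything else is a truncated or foreign file.
    if ! grep -q '^\*' "$rules" || ! grep -q '^COMMIT' "$rules"; then
        echo "iptables: $rules does not look like iptables-save output" >&2
        return 1
    fi
    "$cmd" < "$rules"
}

# ifupdown runs this hook once per interface with IFACE set. Restoring again
# for each interface is harmless: iptables-restore replaces the whole ruleset.
if [ -n "${IFACE:-}" ] && [ "$IFACE" != "lo" ]; then
    restore_rules "$RULES" "$RESTORE_CMD" || exit 1
fi
```

Keep /etc/iptables.rules owned by root and not world-writable; whatever is in that file becomes the firewall on every boot.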

Installing Windows on Xen

Just a kind of bookmark: I used this blog post as a base to find out how to install Windows as a DomU on Xen. I might at some point reconstruct my steps, but for now this link is all… (judging by the URL, the blog won’t exist much longer, but oh well…)

Installing Xen with Lenny guest on a Debian machine

This is superseded by my install on Debian Squeeze. On Lenny, everything is just too outdated.

This will explain how to install the paravirtualization software Xen on Debian. It is more involved than KVM, but more elegant if you can set up a dedicated machine to run virtual machines (in fact, KVM on Debian seems quite clunky). I use this Debian wiki page as a base.

First some terminology. On Xen, everything runs virtualised, including what in KVM would be called the “Host OS”. This is because every OS instance shares some kernel space. Xen has a primary virtual machine with which you configure the other virtual machines. This is called Domain-0, or Dom0. The guests are DomU’s.

Begin by installing xen-linux-system-2.6.26-2-xen-686 and xen-tools. It will install all necessary dependencies:

aptitude -P install xen-hypervisor-3.2-1-i386 linux-image-2.6-xen-686 xen-tools

(The wiki page suggests to install linux-image-2.6.26-2-xen-686, but that confuses me. See my forum post. I will update this blogpost if my insights change).

A new kernel is installed and is configured in Grub as the primary kernel. (As a side note, I wonder what will happen if the standard kernel is upgraded at some point in the future; will that be installed as primary again? Should the standard kernel be uninstalled?)

Before you reboot, add “xenblktap” to /etc/modules. This module is needed to be able to use tap:xxx (like tap:aio) storage back-ends. These are preferred over “file:”, especially when using NFS to store images (although that link also states that ENBD is preferred over NFS). (I was having problems with tap:aio and then I discovered the module problem. It still doesn’t work for me, but the problem lies elsewhere now.)

If you boot into the new kernel, you can do “xm list” and you will see that your Domain-0 is active.

You want to set up an ethernet bridge configuration next, because that way you can plug your virtual machines into your existing ethernet network. You do this in the config file /etc/xend-config.xsp (the network-script option is already defined, so all you have to do is change it):

(network-script network-bridge)

Configuring “vnc-listen” might also be a good idea (although not really needed for Linux, since you’ll be using the Xen console). Setting it to localhost and then tunnelling through SSH would be the safest, obviously.

Now it’s time to add DomU’s. Because the guests need to have DomU support, the OS cannot be installed with the normal installer (although I’m not sure this is still the case for Lenny, because the Wiki says: “In Lenny the distinction between the Xen and non-Xen flavours of the kernel (with respect to domU support) is no longer present.”).

First edit /etc/xen-tools/xen-tools.conf to set some good defaults. You can remove the noatime mount options for ext2 and ext3, for example. I can also set the default mirror to “http://ftp.nl.debian.org/debian/”.

xen-create-image --hostname=virtualnode --size=2Gb --dist=lenny --memory=256M --dhcp --dir /root/xen-images/ --swap 256Mb

You have to mount the image to make some corrections. In my case, the image was still mounted somewhere in /tmp. I assume this is a bug. Begin by editing /etc/inittab. Comment out the existing “1:…” tty and add the line:

1:2345:respawn:/sbin/getty 38400 hvc0

to /etc/inittab, otherwise your console won’t work.
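The inittab edit above, as an added example (not a script from the post or from xen-tools): it comments out the existing “1:” entry, appends the hvc0 line, keeps a backup, and can be run twice on the same mounted image without adding the hvc0 line a second time. The function name and the path argument are the example's own.

```shell
#!/bin/sh
# Added example: apply the inittab change for a Xen DomU to a mounted image
# idempotently. fix_inittab FILE is a hypothetical helper, not from xen-tools.
HVC_LINE='1:2345:respawn:/sbin/getty 38400 hvc0'

# fix_inittab FILE: comment out the active "1:" tty entry (the DomU has no
# tty1) and add the hvc0 console entry if it is not already present.
fix_inittab() {
    f="$1"
    [ -w "$f" ] || { echo "fix_inittab: $f not writable" >&2; return 1; }
    cp "$f" "$f.bak"
    # Prefix every line with id "1" by "#", except an hvc0 line we added before.
    sed '/^1:.*hvc0/!s/^1:/#1:/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    grep -qxF "$HVC_LINE" "$f" || printf '%s\n' "$HVC_LINE" >> "$f"
}

# active_entries FILE: ids of the uncommented entries, space separated, so the
# result of the edit can be checked without booting the DomU.
active_entries() {
    grep -v '^#' "$1" | cut -d: -f1 | tr '\n' ' ' | sed 's/ $//'
}
```

With the image mounted at /mnt/virtualnode, `fix_inittab /mnt/virtualnode/etc/inittab` does the edit; `active_entries` should then list the remaining ttys plus the single hvc0 entry.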

Start the virtual machine and attach a console (the -c option) like this:

xm create -c virtualnode.cfg

One of the first things you want to install is udev, because you can’t even ssh to the box without it.

The resulting Debian installation is very bare; it doesn’t even have a mail infrastructure.

On the Dom0, you can mkdir /etc/xen/auto and symlink the config file for this virtual host there to have it auto started by the xendomains bootscript.

Xen console

To get the console of your Linux guests on a Xen machine, type “xm console <name>” (the DomU’s name or ID). Then to exit, press “ctrl-]”. When in screen, do “ctrl-a, a, ctrl-]”.

Configuring a static IP address on Debian

This is a simple netconfig for a static IP address on a Debian machine. In /etc/network/interfaces, replace your eth0 (or whatever) with this:

auto eth0
iface eth0 inet static
    address 192.168.1.65
    netmask 255.255.255.0
    gateway 192.168.1.251

Edit: I removed the network and broadcast statements because they are superfluous.

Debian volatile: keep fast moving packages working on Debian stable

The concept of Debian stable is kind of nice, since you don’t have to be afraid of upgrade breakages all the time, but it can also be annoying, because things like spam filters and virus scanners are fast-moving and you often end up with old versions of those. That is why the Debian volatile project exists.

On new installs, the package sources will already be in /etc/apt/sources.list, but the sources.list doesn’t seem to be upgraded on old systems, so you may need to add them by hand. These are the sources:

deb http://volatile.debian.org/debian-volatile lenny/volatile main
deb-src http://volatile.debian.org/debian-volatile lenny/volatile main

It speaks for itself that you have to change lenny to whatever your release is…

Configuring VPN server and client on Linux

Basically, there are two types of VPNs: IP-routed and ethernet-bridged. I configured an IP-routed VPN, based on this document.

First you need to generate certificates. The example scripts for that are located in “/usr/share/doc/openvpn/examples/easy-rsa/2.0”. I copied these to /etc/openvpn/easy-rsa for convenience.

cd to /etc/openvpn/easy-rsa and edit vars to enter the data that is going to be included in your certificates. You can also set the expiration time and key size here. Then do:

source ./vars
./clean-all
./build-ca
./build-key-server server
./build-key client1
./build-key client2
./build-key client3   # repeat as necessary; you can also name the keys properly, of course
./build-dh

Then I’d copy the keys dir to /etc/openvpn.

You need to copy the ca.crt file to each client, as well as that client’s own clientx.crt and clientx.key.
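Before a client bundle leaves the machine that generated it, it is worth checking that the pieces actually belong together and that the private key is not readable by other local users. The following is an added example, not part of easy-rsa or of the post; the function name is the example's own, and it assumes the keys/ layout from the post and an openssl binary on the path.

```shell
#!/bin/sh
# Added example (not easy-rsa code): sanity checks on a client's files before
# copying them off the server. check_client_bundle is a hypothetical helper.

# check_client_bundle CA CRT KEY
check_client_bundle() {
    ca="$1"; crt="$2"; key="$3"
    # 1. The certificate must chain to our own CA; the server will refuse any
    #    other issuer, so catch a mix-up with an old or foreign CA here.
    if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "$crt: not signed by $ca" >&2; return 1
    fi
    # 2. The private key must belong to that certificate: compare the public
    #    key carried in the cert with the one derived from the key file.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "$key: does not match $crt" >&2; return 1
    fi
    # 3. The key must not be readable by other users on this box.
    case "$(stat -c %a "$key")" in
        600|400) ;;
        *) echo "$key: must be mode 0600 or 0400" >&2; return 1 ;;
    esac
    # 4. Print subject and fingerprint so they can be confirmed with the
    #    person receiving the bundle, over a channel other than the copy itself.
    openssl x509 -in "$crt" -noout -subject -fingerprint -sha256
}
```

Usage from /etc/openvpn: `check_client_bundle keys/ca.crt keys/client1.crt keys/client1.key` prints the subject and SHA-256 fingerprint on success and returns non-zero otherwise.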

The server conf is this:

port 1194
proto udp
dev tun0
ca keys/ca.crt
cert keys/server.crt
key keys/server.key  # This file should be kept secret
dh dh2048.pem
server 10.66.0.0 255.255.0.0
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
# Redirect all traffic through VPN by setting 'almost default' gateway
push 'redirect-gateway def1'
# Replace DNS config with a server you specify, which can be accessed over the VPN.
push "dhcp-option DNS 10.66.0.1"

Then on the server, you need to configure SNAT (I don’t know if you also need to put “net.ipv4.ip_forward = 0” in /etc/sysctl.conf). If I understand correctly, you need such a rule per eth device you have. If you have a machine with both a WAN and a LAN interface and you want VPN users to reach both the local net and the internet, you need a rule like this for both interfaces.

iptables -t nat -A POSTROUTING -s 10.66.0.0/24 -o lan-eth-device -j MASQUERADE --match comment --comment "Allow VPN users to connect to things on this LAN."

Then on the client:

client
dev tun0
proto udp
remote <serveraddress> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca keys/ca.crt
cert keys/client.crt
key keys/client.key
comp-lzo
verb 3

You should then be able to connect. Remember to let the traffic through iptables on all the machines. Configuring a proper firewall can be tricky. You can’t just use simple connection tracking; you must allow certain forward rules on the server (and on the client as well, I believe). On the client, you must allow everything on input with UDP source port 1194. On the server, you must open incoming UDP target port 1194 as well, of course.
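The SNAT rule and the firewall notes above, worked into one ruleset as an added example (not from the post or from OpenVPN): the functions print iptables-restore input for the server and the client. Two points a practitioner would want here: the post's “server 10.66.0.0 255.255.0.0” hands out addresses from the whole 10.66.0.0/16, so the source match in the MASQUERADE rule should cover the /16 rather than the /24 in the post; and the VPN's own UDP flow and the forwarded connections are let back in via conntrack state, not by a source-port 1194 match, because the source port of an incoming packet is chosen by whoever sends it. Forwarding also has to be on in the kernel for the server (net.ipv4.ip_forward = 1). The interface names, tun0 and the port are assumptions taken from the configs above.

```shell
#!/bin/sh
# Added example (not the post's rules): emit iptables-restore rulesets for the
# OpenVPN server and client described above. Assumes tun0, UDP 1194 and the
# server's "server 10.66.0.0 255.255.0.0" (clients in 10.66.0.0/16).
# vpn_server_rules VPN_NET LAN_IF [LAN_IF...]

vpn_server_rules() {
    vpn_net="$1"; shift
    printf '*nat\n:PREROUTING ACCEPT [0:0]\n:POSTROUTING ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    # One MASQUERADE rule per outgoing interface, matching the whole VPN range.
    for dev in "$@"; do
        printf -- '-A POSTROUTING -s %s -o %s -m comment --comment "VPN clients via %s" -j MASQUERADE\n' "$vpn_net" "$dev" "$dev"
    done
    printf 'COMMIT\n*filter\n:INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    printf -- '-A INPUT -i lo -j ACCEPT\n'
    # Replies to flows this host started, and the later packets of each VPN
    # session, are admitted by conntrack state instead of a source-port match.
    printf -- '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    printf -- '-A INPUT -p udp --dport 1194 -j ACCEPT\n'
    printf -- '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    # Forward only what arrives from the tunnel with a VPN source address, and
    # only towards the interfaces we were asked to expose.
    for dev in "$@"; do
        printf -- '-A FORWARD -i tun0 -s %s -o %s -j ACCEPT\n' "$vpn_net" "$dev"
    done
    printf 'COMMIT\n'
}

# The client needs no hole for source port 1194: the kernel already tracks the
# UDP flow the client opened, so ESTABLISHED,RELATED lets the replies in.
vpn_client_rules() {
    printf '*filter\n:INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    printf -- '-A INPUT -i lo -j ACCEPT\n'
    printf -- '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    printf 'COMMIT\n'
}

# Usage on the server: vpn_server_rules 10.66.0.0/16 eth0 eth1 | iptables-restore
# together with: sysctl -w net.ipv4.ip_forward=1
```

Review the generated text before feeding it to iptables-restore; it replaces the whole ruleset, so any other rules the machine needs (SSH to the server itself, for instance) have to be added to the INPUT chain as well.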

How to include the config in the boot procedure depends on the distro you’re using. Debian starts all config files by default (which can be configured in /etc/default/openvpn); Gentoo needs a specially named symlink in /etc/init.d.


© 2024 BigSmoke
