squeeze container on a wheezy host

Notes on putting a Debian squeeze Linux Container on a Debian Wheezy host.

The requirement: the Squeeze system in the container runs a TCP/IP application that should be reachable only through the host.



Create a bridge between a dummy network interface and the network interface used by the container.

Load the dummy module (with numdummies=1) at startup.
# echo dummy >> /etc/modules


Install the Linux ethernet bridge utilities.
# apt-get install bridge-utils


Add stanzas to /etc/network/interfaces that create an in-host bridge containing the dummy interface.
auto dummy0
  iface dummy0 inet static

auto etherisland
  iface etherisland inet static
  address 172.16.17.18
  netmask 255.255.255.128
  bridge_ports dummy0
  bridge_stp  off
  bridge_waitport 0
  bridge_fd 0



Load one dummy interface and restart networking.
# modprobe dummy
# /etc/init.d/networking restart




Install lxc and prerequisites.
# apt-get install lxc
which also installs debootstrap, libcap2-bin and libpam-cap.

Add the control groups hierarchy to /etc/fstab (so it is mounted at boot) and mount it now.
# echo "cgroup /sys/fs/cgroup  cgroup  defaults  0  0" >> /etc/fstab
# mount /sys/fs/cgroup/


Check your kernel for lxc support.
# lxc-checkconfig


Get the squeeze template.
# wget https://raw.githubusercontent.com/ipduh/lxc-squeeze/master/lxc-squeeze -O /usr/share/lxc/templates/lxc-squeeze


Allow execution to all.
# chmod 755 /usr/share/lxc/templates/lxc-squeeze


Create the Squeeze Container.
# lxc-create -n squeezie -t squeeze


Start the container in the background.
# lxc-start -n squeezie -d


Console into the squeezie container.
# lxc-console -n squeezie

Type <Ctrl+a q> to exit the console, <Ctrl+a Ctrl+a> to enter Ctrl+a itself

Debian GNU/Linux 6.0 squeezie tty1

squeezie login: root
Password: 
Linux squeezie 3.2.0-4-amd64 #1 SMP Debian 3.2.63-2 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

root@squeezie:~#
The password set by the template is squeezie.
Alternatively, you may ssh to squeezie from the host.

Change the root password
root@squeezie:~# passwd
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully



Give Temporary Internet Connectivity to the Squeeze Container.
root@squeezie:~# route add default gw 172.16.17.18
and in the host
# echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE -s 172.16.17.0/25
To disable the Internet connectivity, reset your firewall, e.g.
# /etc/bif


Forward the application's TCP ports, e.g. for port 80 and port 443.
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 172.16.17.16:80
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 172.16.17.16:443





linux dummy interface



Linux Pseudo Device i.e. Dummy Interface Notes.



Create interface dummy0.
# modprobe dummy


If you need more dummies, e.g. 3:
# rmmod dummy
# modprobe dummy numdummies=3
creates 3 pseudo interfaces.

Set the pseudo interfaces' MAC addresses.
# ifconfig dummy0 hw ether fc:de:ad:be:ef:10
# ifconfig dummy1 hw ether fc:de:ad:be:ef:11
# ifconfig dummy2 hw ether 00:00:0c:f0:00:0d
(: 00:00:0c:f0:00:0d :)

Set the pseudo interfaces' IP addresses.
# ifconfig dummy0 172.16.17.18/25
# ifconfig dummy1 172.16.17.19/25
# ifconfig dummy2 192.0.2.8/26


Show dummy0 configuration.
# ifconfig dummy0
dummy0    Link encap:Ethernet  HWaddr fc:de:ad:be:ef:10  
          inet addr:172.16.17.18  Bcast:172.16.17.127  Mask:255.255.255.128
          inet6 addr: fe80::fede:adff:febe:ef10/64 Scope:Link
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:210 (210.0 B)


Create a bridge.
# brctl addbr etherisland


Set forwarding delay to 0 seconds.
# brctl setfd etherisland 0


Add the dummies dummy0 and dummy1 to the bridge.
# brctl addif etherisland dummy0 dummy1


List bridge(s).
# brctl show
bridge name bridge id          STP enabled interfaces
etherisland 8000.fcdeadbeef10  no          dummy0
                                           dummy1







Make an in-host ethernet island (a bridge that contains a pseudo interface) persistent across reboots.

Load the dummy module (with numdummies=1) at system startup.
# echo dummy >> /etc/modules


The /etc/network/interfaces stanzas.
auto dummy0
  iface dummy0 inet static

auto etherisland
  iface etherisland inet static
  address 172.16.17.18
  netmask 255.255.255.128
  bridge_ports dummy0
  bridge_stp  off
  bridge_waitport 0
  bridge_fd 0
  bridge_hello 1








PostgreSQL Notes

PostgreSQL Debian Notes.

Install PostgreSQL on Debian.
Log in using psql, list databases and users, set the postgres password.
Authentication modes and access.

Create a new user and a new database.
Delete a database.
Vacuum.
Enable remote access.
Logical backup with pg_dump.




Install PostgreSQL from Debian packages.
# apt-get install postgresql
The Debian package postgresql pulls in its dependencies and the client:
libpq5 postgresql-9.1 postgresql-client-9.1 postgresql-client-common postgresql-common
Alternatively, you may install PostgreSQL from the apt repositories maintained by the PostgreSQL Global Development Group.



Log in as the postgres user using psql, the PostgreSQL interactive terminal.
# su - postgres -c psql 
psql (9.1.14)
Type "help" for help.

postgres=#


The default authentication method for local connections is 'peer' (called 'ident' in older versions), i.e. system user x can only log in as PostgreSQL user x.

The PostgreSQL Client Authentication Configuration File in debian is at
/etc/postgresql/*/main/pg_hba.conf


The 'trust' authentication mode allows connections unconditionally, and the 'password' mode requires the client to supply an unencrypted password.

Since the default local authentication mode is 'peer', applications that use the database locally may get authentication errors when they run as a different system user. You may want to check whether setting the mode to 'trust' fixes the problem.
# "local" is for Unix domain socket connections only
#local   all             all                                     peer
local   all             all                                     trust 
But do not settle for 'trust', i.e. allowing local connections unconditionally.

By default PostgreSQL listens on 127.0.0.1:5432; change 'listen_addresses' in
/etc/postgresql/*/main/postgresql.conf
if you need to enable remote access.
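An added example (not part of the original notes) that parses pg_hba.conf in the format discussed above and flags the 'trust' and 'password' methods plus host entries open to any client address; the sample file is constructed, not taken from a real host:

```python
"""Audit pg_hba.conf for the weak methods discussed above.

Added example, not from the original notes. Parses TYPE DATABASE USER
[ADDRESS] METHOD lines and reports 'trust' and 'password' entries plus
host entries open to any client address. SAMPLE_HBA is constructed.
"""
import ipaddress

WEAK_METHODS = {
    "trust": "accepts connections unconditionally (no authentication)",
    "password": "makes the client send its password in cleartext",
}
ANY_ADDRESS = {"all", "0.0.0.0/0", "::/0"}

SAMPLE_HBA = """\
# "local" is for Unix domain socket connections only
#local   all             all                                     peer
local   all             all                                     trust
host    all             all             127.0.0.1/32            md5
host    all             all             0.0.0.0/0               password
hostssl puser           puser           192.0.2.0 255.255.255.0 md5
"""

def parse_hba(text):
    """Return one dict per active (non-comment) pg_hba.conf line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4:
            continue
        conn_type, db, user, rest = fields[0], fields[1], fields[2], fields[3:]
        address = None
        if conn_type != "local":
            # ADDRESS: CIDR, keyword (all, samehost, ...) or IP + netmask;
            # a netmask starts with a digit or holds ':', a METHOD never does
            address = rest.pop(0)
            if rest and (rest[0][0].isdigit() or ":" in rest[0]):
                address += "/" + rest.pop(0)
            if "/" in address:
                address = str(ipaddress.ip_network(address, strict=False))
        if rest:
            entries.append({"line": lineno, "type": conn_type, "db": db,
                            "user": user, "address": address, "method": rest[0]})
    return entries

def audit_hba(text):
    """Return (line number, message) pairs for risky entries."""
    findings = []
    for e in parse_hba(text):
        where = f"{e['type']} {e['db']} {e['user']} {e['address'] or ''}".rstrip()
        if e["method"] in WEAK_METHODS:
            findings.append((e["line"], f"{where}: '{e['method']}' "
                             + WEAK_METHODS[e["method"]]))
        if e["address"] in ANY_ADDRESS:
            findings.append((e["line"], f"{where}: open to any client address"))
    return findings
```

Run audit_hba on the contents of /etc/postgresql/*/main/pg_hba.conf; each finding carries the line number of the offending entry.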

List databases.
postgres=# \l
                                  List of databases
   Name    |  Owner   | Encoding |   Collate   |    Ctype    |   Access privileges   
-----------+----------+----------+-------------+-------------+-----------------------
 postgres  | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | 
 template0 | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres          +
           |          |          |             |             | postgres=CTc/postgres
 template1 | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres          +
           |          |          |             |             | postgres=CTc/postgres
(3 rows)

New databases are normally created by copying the template1 template.

List users.
postgres=# \du
                             List of roles
 Role name |                   Attributes                   | Member of 
-----------+------------------------------------------------+-----------
 postgres  | Superuser, Create role, Create DB, Replication | {}



Set the password for the PostgreSQL user postgres.
postgres=# \password postgres
Enter new password: 
Enter it again: 


Exit psql.
postgres-# \q
#


Create a new PostgreSQL user.
# su - postgres -c "createuser -P puser"
Enter password for new role: 
Enter it again: 
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n


Create the database puser that belongs to user puser.
# su - postgres -c "createdb -O puser puser"


List PostgreSQL databases and user roles.
# su - postgres -c psql
psql (9.1.14)
Type "help" for help.

postgres=# \l
                                  List of databases
   Name    |  Owner   | Encoding |   Collate   |    Ctype    |   Access privileges   
-----------+----------+----------+-------------+-------------+-----------------------
 postgres  | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | 
 puser     | puser    | UTF8     | en_US.UTF-8 | en_US.UTF-8 | 
 template0 | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres          +
           |          |          |             |             | postgres=CTc/postgres
 template1 | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres          +
           |          |          |             |             | postgres=CTc/postgres
(4 rows)

postgres=# \du
                             List of roles
 Role name |                   Attributes                   | Member of 
-----------+------------------------------------------------+-----------
 postgres  | Superuser, Create role, Create DB, Replication | {}
 puser     |                                                | {}

postgres=# \q
#


Delete the database puser.
# su - postgres -c "dropdb puser"


Calculate statistics for the optimizer (-z) and garbage-collect, i.e. full vacuum (-f), all (-a) PostgreSQL databases on this host.
# su - postgres -c "vacuumdb -a -f -z"
On Debian, /usr/bin/vacuumdb goes through pg_wrapper (a Perl script that selects the right cluster version); vacuumdb itself is a command-line wrapper around the VACUUM SQL command.



pg_dump - Logical Backups

pg_dump extracts a PostgreSQL database into a script file or other archive file.

Create a compressed SQL script file with the schema and data of the database puser, which belongs to the PostgreSQL user puser, on host a.
a# pg_dump -o -U puser -h localhost puser |gzip > puser.dump.gz
Password: 


Restore the PostgreSQL database on host b.
b# gunzip  puser.dump.gz
b# su - postgres -c "createuser -P puser"
Enter password for new role: 
Enter it again: 
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) y
Shall the new role be allowed to create more new roles? (y/n) n
b# su - postgres -c "createdb -O puser puser"
b# psql -U puser -h localhost < puser.dump 
Password for user puser:







simple AP with hostapd

Notes on configuring transient WiFi APs with Linux and hostapd.



hostapd config
node9:~# cat /etc/hostapd/hostapd.wlan0.conf |grep -v "#"
interface=wlan0
driver=nl80211
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
debug=4
ctrl_interface=/var/run/hostapd.wlan0
ctrl_interface_group=0
channel=6
hw_mode=g
macaddr_acl=0
auth_algs=3
eapol_key_index_workaround=0
eap_server=0
wpa=3
ssid=node9
wpa_passphrase=incellll
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP



To enable 802.11n, add to hostapd.conf
ieee80211n=1
wmm_enabled=1
and leave hw_mode=g unchanged (802.11n on the 2.4 GHz band still uses hw_mode=g).
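An added example, not from the notes or from hostapd, that reads a hostapd.conf such as the one above and reports the settings worth revisiting (WPA v1 accepted, TKIP, shared-key auth, short passphrase); the sample is constructed from the node9 configuration, and the 12-character passphrase threshold is this example's own assumption:

```python
"""Check a hostapd.conf for the WPA settings shown above.

Added example, not from the original notes or from hostapd. It parses
key=value lines and reports settings that weaken the AP; SAMPLE_CONF is
constructed from the node9 configuration above (comments stripped).
"""

SAMPLE_CONF = """\
ieee80211n=1
auth_algs=3
wpa=3
wpa_passphrase=incellll
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
"""

# hostapd only enforces 8..63 chars; 12 is this example's own threshold (assumption)
MIN_PASSPHRASE = 12

def parse_hostapd(text):
    """Return {key: value} for the key=value lines of a hostapd config."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit_hostapd(text):
    """Return a list of finding strings for a hostapd config."""
    conf = parse_hostapd(text)
    findings = []
    wpa = int(conf.get("wpa", "0"))  # bit 0: WPA (v1), bit 1: RSN/WPA2
    if wpa & 1:
        findings.append("wpa bit 0 set: WPA (v1) accepted; wpa=2 allows WPA2 only")
    pairwise = conf.get("wpa_pairwise", "TKIP")      # hostapd default is TKIP
    rsn = conf.get("rsn_pairwise", pairwise)         # defaults to wpa_pairwise
    ciphers = set(pairwise.split() if wpa & 1 else []) | set(rsn.split() if wpa & 2 else [])
    if "TKIP" in ciphers:
        findings.append("TKIP pairwise cipher accepted; deprecated, use CCMP only")
        if conf.get("ieee80211n") == "1":
            findings.append("ieee80211n=1: stations that negotiate TKIP get no HT rates")
    if int(conf.get("auth_algs", "1")) & 2:
        findings.append("auth_algs bit 1 set: shared-key (WEP) authentication enabled")
    psk = conf.get("wpa_passphrase")
    if wpa and psk is not None:
        if not 8 <= len(psk) <= 63:
            findings.append("wpa_passphrase must be 8..63 characters")
        elif len(psk) < MIN_PASSPHRASE:
            findings.append(f"wpa_passphrase is only {len(psk)} characters long")
    return findings
```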


Run hostapd in the foreground
node9:~# hostapd /etc/hostapd/hostapd.wlan0.conf 
or run the hostapd daemon in the background
node9# hostapd -B /etc/hostapd/hostapd.wlan0.conf


Connect to node9
node7:~# wpa_supplicant -i wlan1 -c <(wpa_passphrase node9 incellll)
or put wpa_supplicant in the background
node7:~# wpa_supplicant -B -i wlan1 -c <(wpa_passphrase node9 incellll)


Check the client's wireless interface
node7:~# iwconfig wlan1
wlan1     IEEE 802.11abgn  ESSID:"node9"  
          Mode:Managed  Frequency:2.437 GHz  Access Point: 30:14:4A:15:B7:94   
          Bit Rate=54 Mb/s   Tx-Power=27 dBm   
          Retry  long limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality=64/70  Signal level=-46 dBm  
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:20   Missed beacon:0



List the AP client(s)
node9:~# iw dev wlan0 station dump 
Station 30:14:4a:15:bb:72 (on wlan0)
 inactive time: 2893 ms
 rx bytes: 871
 rx packets: 22
 tx bytes: 537
 tx packets: 3
 tx retries: 0
 tx failed: 0
 signal:   -42 dBm
 signal avg: -46 dBm
 tx bitrate: 1.0 MBit/s
 authorized: yes
 authenticated: yes
 preamble: short
 WMM/WME: no
 MFP:  no
 TDLS peer:  no



Assign addresses and test connectivity.
node9:~# ifconfig wlan0 192.168.10.9/24
node7:~# ifconfig wlan1 192.168.10.7/24
node7:~# ping -c 1 192.168.10.9
PING 192.168.10.9 (192.168.10.9) 56(84) bytes of data.
64 bytes from 192.168.10.9: icmp_req=1 ttl=64 time=1.66 ms

--- 192.168.10.9 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.668/1.668/1.668/0.000 ms







logrotate notes

Logrotate notes.





The logrotate directives for a daemon named app, placed in /etc/logrotate.d/app.
# cat /etc/logrotate.d/app

/logs/app/gen.log {
    daily
    missingok
    rotate 7
    compress
    copytruncate
    notifempty    
}

/logs/app/sec.log {
    weekly
    mail administratotator@sys.ipduh.com
    missingok
    rotate 4
    shred
    create 640 app app
}




Directive explanations (from the manual).
daily, weekly, monthly
  Rotate the log at that interval.
  (Rotation may alternatively be triggered by file size, see the size directive.)

missingok
  If the log file is missing, go on to the next one without issuing an error message.

rotate count
  Log files are rotated count times before being removed or mailed to the address specified in a mail directive. 
  If count is 0, old versions are removed rather than rotated.

compress
  Old versions of log files are compressed with gzip(1) by default.

copytruncate
  Truncate  the original log file to zero size in place after creating a copy, instead of moving the old log file and optionally creating a new one.
  It can be used when some program cannot be told to close its logfile and thus might continue writing (appending) to the previous log file forever.
  Note that  there  is a very small time slice between copying the file and truncating it, so some logging data might be lost.  When this option is used, the create option will
  have no effect, as the old log file stays in place.

notifempty
  Do not rotate the log if it is empty (this overrides the ifempty option).

create mode owner group
  Immediately after rotation (before the postrotate script is run) the log file is created (with the same name as the  log  file  just  rotated).   mode
  specifies  the mode for the log file in octal (the same as chmod(2)), owner specifies the user name who will own the log file, and group specifies the
  group the log file will belong to. Any of the log file attributes may be omitted, in which case those attributes for the new file will  use  the  same
  values as the original log file for the omitted attributes.

shred  
  Delete  log  files  using  shred -u instead of unlink().  This should ensure that logs are not readable after their scheduled deletion; this is off by
  default.  See also noshred.









Run the logrotate directives for app now (to test them).
# logrotate --force /etc/logrotate.d/app


Debug the logrotate directives for app (in debug mode no changes are made to the logs or the state file).
# logrotate --force --debug /etc/logrotate.d/app







devz howto II

devz Howto





Get devz
$ git clone https://github.com/ipduh/devz.git
$ cd devz


Install devz as root
$ su
# ./install_devz_as_root.sh
# source ~/.bashrc


Install devz for a user
# exit
$ ./install_devz_as_user.sh
$ source ~/.bashrc


Configure devz
1) Copy public SSH key to remote system(s)
2) Adjust ~/.devzconfig/production-servers
1) Create SSH key pair and copy the public key to a remote "production" server.
$ ssh-keygen -t dsa
$ scp ~/.ssh/id_dsa.pub production_server:~/.ssh/authorized_keys2
2) An example ~/.devzconfig/production-servers
# production servers
# IP address , SSH TCP port, user
192.0.2.22,44,usar
192.0.2.23,22,usar


Use devz

Initialize SSH agent.
$ devz-setagent


Stor
$ stor blah
devz:The directory ./stor does not exist! I will create it.
devz:blah is at ./stor/blah.0


Toprod
$ toprod blah 
devz:/home/usar/blah to usar@192.0.2.22:44:/home/usar/blah
blah                                                                                                          100%    6     0.0KB/s   00:00  
devz:/home/usar/blah to usar@192.0.2.23:22:/home/usar/blah
blah                                                                                                          100%    6     0.0KB/s   00:00


Ctoprod
$ ctoprod "cat blah"
devz: usar@192.0.2.22:44 "cat blah"
***Start 192.0.2.22***
blah

***End 192.0.2.22***
devz: usar@192.0.2.23:22 
***Start 192.0.2.23***
blah

***End 192.0.2.23***


Fromprod
$ fromprod blah
devz:blah exists! Please stor it and delete it or rename it.
$ rm blah
$ fromprod blah
devz:ipduh@192.0.2.22:44:/home/usar/blah to /hom/usar/blah
blah                                                                                                          100%    6     0.0KB/s 00:00                                       


Get the help cheatsheet
$ devz
******
devz
DEVeloper'S Stupid Servant.
A bash extention that helps the administrator of similar dev and production systems.
g0 2010 - http://ipduh.com/contact
http://sl.ipduh.com/devz-howto
******
devz verbs:
*
'toprod' or 'devz toprod'
 toprod file
 scp a file to the production server(s)
*
'ctoprod' or 'devz ctoprod'
 ctoprod 'command;command;'
 send command(s) to poduction server(s)
*
'fromprod' or 'devz fromprod'
 fromprod file
 scp a file from the first production server here.
*
'stor' or 'devz stor'
 stor file
 creates the directory stor in the current directory if it does not exist.
 makes a copy of the file in stor
 the file gets a version number like file.n where n [0,n]
*
'devz-setagent' or 'devz setagent'
 setagent
 start an ssh-agent login session
*
'devz-showconfig' or 'devz showconfig'
 showconfig
 See the Current devz configuration
*
'devz-setconfig' or 'devz setconfig'
 setconfig
 add server to the production-servers list file
 setconfig cannot configure much, check the devz-howto for your first setup
*
'devz-prodsrvexists' or 'devz prodsrvexists'
 prodsrvexists
 check if ${DEVZ_PRO_SRV} exists and  print an example ${DEVZ_PRO_SRV} file
*
******




