aLog.IPduh: 2014

ipduh v3

Finally! done "upgrading" ipduh to v3 ...

Some of the most noticeable changes-improvements are:

no more Java in the anonymity checker !!!1
2013-2014 Generic TLD awareness e.g. wtf and diet
an updated tor-exit checker
and a "better" IP address checker.

ipduh v3

dovecot imap over ssl in debian notes

IMAP over SSL with dovecot in debian

Install the Dovecot IMAP deamon

# apt-get install dovecot-imapd

For a quick (& perhaps sloppy) debian setup just append the following to /etc/dovecot/dovecot.conf

listen = 192.0.2.1
syslog_facility = mail
mail_location = maildir:~/Maildir
ssl = yes
ssl_cert = </etc/ssl/certs/imap.signed.crt
ssl_key = </etc/ssl/private/imap.private.pem
ssl_verify_client_cert = no
protocol imap {
  imap_client_workarounds = tb-extra-mailbox-sep
}
auth_mechanisms = plain login

The IMAP daemon listens at 192.0.2.1
and Maildir mailboxes are used by the Mail system.
The imap_client_workarounds definition is used to work around Thunderbird peculiarities and the auth_mechanisms definition to add login --work around Outlook pecularities.

For a cleaner configuration file you may do the following.

# cd /etc/dovecot
# stor dovecot.conf
# doveconf -n > dovecot.conf

Restart the imap daemon

# /etc/init.d/dovecot restart

However, it seems like it speaks up to SSLv3 and not TLS at all.

dovecot SSL IMAP

Trust the ipduh CA certificate in debian

Trust the ipduh CA certificate in debian.

# wget https://raw.githubusercontent.com/ipduh/ipduhca/master/ipduhca.crt -O /usr/local/share/ca-certificates/ipduhca.crt
# update-ca-certificates

Trust the ipduh CA

clone a KVM guest

"Clone" a KVM debian guest notes.

Shutdown or Suspend the host.

Create a clone of the host democritos.

# virt-clone -o democritos -n thales -f /home/vm/thales.qcow2 -d
...
Clone 'thales' created successfully.
...

The clone disk is at /home/vm/thales.qcow2

This is good enough if we just need a clone with a different MAC Address and a different UUID. However, if we need a host that can work simultaneously with the original host we (most likely) need a bit more variation.

Log in to the clone or mount it's image to change hostname, IP address(es), etc.

Change Hostname.

# cd /etc
# grep -ril `hostname -f` |tee hostname.file.list
apache2/sites-available/000.dup.ipduh.awmn.conf
postfix/main.cf
hostname
hosts
mailname
ssh/ssh_host_ecdsa_key.pub
ssh/ssh_host_rsa_key.pub
ssh/ssh_host_dsa_key.pub
aliases.db
# perl -i.0 -p -e 's/demokritos/thales/g;' `cat hostname.file.list`

Change IP address.

# grep -ril '192.0.2.61' /etc |tee ip.file.list
/etc/network/interfaces
/etc/hosts
# perl -i.old_ip -p -e 's/192.0.2.61/192.0.2.62/g;' `cat ip.file.list`

Reboot Clone

# shutdown -r now

# ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa
Generating public/private rsa key pair.
/etc/ssh/ssh_host_rsa_key already exists.
Overwrite (y/n)? y
Your identification has been saved in /etc/ssh/ssh_host_rsa_key.
Your public key has been saved in /etc/ssh/ssh_host_rsa_key.pub.
The key fingerprint is:
a6:fc:76:OF:F1:33:7C:04:77:07:ce:5a:cf:23:48:3a root@thales
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|             .   |
|            . .  |
|        S  . ----|
|     . o   .=  o.|
|      +   o..o..=|
|       ..E....o++|
|       ....  o=++|
+-----------------+

Overwrite the DSA SSH key with a new one.

# ssh-keygen -f /etc/ssh/ssh_host_dsa_key -N '' -t dsa

Overwrite the ECDSA SSH key with a new with the largest (practical) key-size (allowed).

# ssh-keygen -f /etc/ssh/ssh_host_ecdsa_key -N '' -t ecdsa -b 521

In a debian based system you may use dpkg to replace the SSH keys

# dpkg-reconfigure openssh-server

clone a KVM guest

move kvm guest notes

Move (not live migration) a KVM VM from a host B to a host C.

Assuming that the guest VM is bridged and that both KVM hosts are in the same ethernet segment.

Shutdown guest VM.

Copy guest VM image from host B to host C.

b# scp /vm/vm2.qcow2 root@c:/vm

Dump XML definition and copy it to the destination host.

b# virsh dumpxml vm2 > vm2.xml
b# scp vm2.xml root@c:/etc/libvirt/qemu

On host C (the destination host) define the quest xml definition.

c# virsh define /etc/libvirt/qemu/vm2.xml
Domain vm2 defined from /etc/libvirt/qemu/vm2.xml

Start VM guest on the destination system.

c# virsh start vm2
Domain vm2 started

Disable autostart for the VM guest in B (the original host).

b# virsh autostart vm2 --disable
Domain vm2 unmarked as autostarted

Enable autostart for the moved VM guest in C (the destination host).

c# virsh autostart vm2
Domain vm2 marked as autostarted

Move KVM guest to another Host

install debian-packaged awstats

Notes on installing and using debian-packaged AWStats to analyze Apache logs.

Install debian packaged awstats ( now v7.0 )

# apt-get install awstats

I would use the following setup in apache2 installations with site(s) or virtual host(s) that belong to the same person-organization and I would NOT use it in a shared hosting environment.

Get the apache configuration file.

# wget https://raw.githubusercontent.com/ipduh/apache2_awstats_conf/master/awstats.conf -O /etc/apache2/conf.d/awstats.conf

Restart Apache.

# /etc/init.d/apache2 restart

Enable ipduh_intel awstats plugin and disable PTR lookups.

# wget https://raw.githubusercontent.com/ipduh/apache2_awstats_conf/master/awstats.conf.local -O /etc/awstats/awstats.conf.local

IP numbers relay much more information than PTR names and PTR names can be (and commonly are) abused-manipulated.

Install the ipduh_intel awstats plugin.

# wget https://raw.githubusercontent.com/ipduh/awstats_plugins/master/ipduh_intel.pm -O /usr/share/awstats/plugins/ipduh_intel.pm

Create the apache password file and add the user 'user' with password 'userpass'

# htpasswd -cb /etc/awstats/A2Passwords user userpass

Add the user 'user2' with password 'user2pass' to the apache passwords file

# htpasswd -b /etc/awstats/A2Passwords user2 user2pass

Create an awstats configuration file for each (virtual) host in /etc/awstats. The configuration files should have the form awstats.host.conf e.g. for a host named example.com the configuration file would be awstats.example.com.conf and it could look like the following.

Include "/etc/awstats/awstats.conf"
SiteDomain="example.com"
HostAliases="www.example.com"
DirData="/logs/sites/example.com/awstats"
LogFile="/logs/sites/example.com/access_all"

Analyze for first time the access logs of one host.

# cat /logs/sites/example.com/access/* >> /logs/sites/example.com/access_all
# /usr/lib/cgi-bin/awstats.pl --configdir=/etc/awstats/ -config=example.com

View the awstats analysis with a web browser at http://example.com/awstats/awstats.pl?config=example.com

Get rid of debian package cronjob

# rm /etc/cron.d/awstats

Install debian packaged awstats

kismet server and drones

Kismet Drone(s) Setup -- Voyage Linux

Install prerequisites

# apt-get update
# apt-get install libpcap-dev
# apt-get install libnl-dev
# apt-get install pkg-config

Get kismet

# wget http://www.kismetwireless.net/code/kismet-2013-03-R1b.tar.xz

Create the kismet user

# mkdir /var/log/kismet
# adduser kismet --home /var/log/kismet

Compile kismet

# tar xf kismet-2013-03-R1b.tar.xz 
# cd kismet-2013-03-R1b/
# ./configure --disable-client
# make dep
# make

Install kismet and kismet_drone

# make suidinstall
# usermod -a -G kismet kismet

Configure kismet_drone (the Kismet Server is at 10.0.0.225/24)

# grep \#g0 kismet_drone.conf |sed -e s/\#g0//
servername=drone4
dronelisten=tcp://0.0.0.0:2502 
allowedhosts=127.0.0.1,10.0.0.0/255.255.255.0 
gps=false 
ncsource=wlan0

This is what I changed in the default kismet_drone.conf file.

Drone Test Run


# su - kismet -c "/root/kismet-2013-03-R1b/kismet_drone -f /root/kismet-2013-03-R1b/conf/kismet_drone.conf"

# /root/kismet-2013-03-R1b/kismet_drone --daemonize -f /root/kismet-2013-03-R1b/conf/kismet_drone.conf

Kismet Server --Collector and Client --Debian

# apt-get install kismet

To add drones to the Kismet sources in /etc/kismet/kismet.conf you may use the following syntax

 ncsource=drone:host=10.0.0.3,port=2502,name=dr0ne3
 ncsource=drone:host=10.0.0.4,port=2502,name=dr0ne4

Kismet collector,server and client test run

# kismet

BGP as IGP with next-hop-self RR vs Fully Connected Mesh

A comparison of BGP as iGP with next-hop-self in a fully connected mesh vs BGP as iGP with next-hop-self with two Route Reflectors.

This is an effort to figure out the best of the two setups in terms of configuration and maintenance cost and it is inspired by a quest in the AWMN mailing list to find the best setup for AWMN nodes with many routers .

( AWMN is a wireless BGP internet where each wireless node has an Autonomous System Number and 1 to 15 routers with wireless interfaces. The routing within each node is done with static Routes or some iGP --usually OSPF-- or iBGP with next-hop-self. )

I assume that:

The maintenance cost is equal to the number of iBGP sessions --the number of connections in the mesh.

The total configuration cost is equal to the number of (neighbor) configuration stanzas for all iBGP connections.

The cost of adding a router is equal to the number of (neighbor) iBGP configuration stanzas needed in all the nodes in the mesh.

Get a little program that prints tables of maintenance and configuration costs for both setups.

$ wget https://raw.githubusercontent.com/ipduh/fmvsrr/master/fmvsrr.pl && chmod 755 fmvsrr.pl

Print costs for 2 to 27 routers.

$ ./fmvsrr.pl 27
N    = Number of routers
Πfm  = Maintenance Cost in a Fully Connected Mesh
Πrr  = Maintenance Cost in a Two Route Reflectors Setup
Kfm  = Total Configuration Cost in a Fully Connected Mesh
Krr  = Total Configuration Cost in a Two Route Reflectors Setup
Nfm  = Cost of adding one router in a Fully Connected Mesh
Nrr  = Cost of adding one router in a Two Route Reflectors Setup

N=2 Πfm=2  Πrr=2+  Kfm=2  Krr=2+  Nfm=2  Nrr=2+
N=3 Πfm=3  Πrr=3+  Kfm=6  Krr=3+  Nfm=6  Nrr=3
Ν=4  Πfm=6  Πrr=6  Kfm=12  Krr=9  Nfm=6  Nrr=3
Ν=5  Πfm=10  Πrr=7  Kfm=20  Krr=11  Nfm=8  Nrr=3
Ν=6  Πfm=15  Πrr=8  Kfm=30  Krr=13  Nfm=10  Nrr=3
Ν=7  Πfm=21  Πrr=9  Kfm=42  Krr=15  Nfm=12  Nrr=3
Ν=8  Πfm=28  Πrr=10  Kfm=56  Krr=17  Nfm=14  Nrr=3
Ν=9  Πfm=36  Πrr=11  Kfm=72  Krr=19  Nfm=16  Nrr=3
Ν=10  Πfm=45  Πrr=12  Kfm=90  Krr=21  Nfm=18  Nrr=3
Ν=11  Πfm=55  Πrr=13  Kfm=110  Krr=23  Nfm=20  Nrr=3
Ν=12  Πfm=66  Πrr=14  Kfm=132  Krr=25  Nfm=22  Nrr=3
Ν=13  Πfm=78  Πrr=15  Kfm=156  Krr=27  Nfm=24  Nrr=3
Ν=14  Πfm=91  Πrr=16  Kfm=182  Krr=29  Nfm=26  Nrr=3
Ν=15  Πfm=105  Πrr=17  Kfm=210  Krr=31  Nfm=28  Nrr=3
Ν=16  Πfm=120  Πrr=18  Kfm=240  Krr=33  Nfm=30  Nrr=3
Ν=17  Πfm=136  Πrr=19  Kfm=272  Krr=35  Nfm=32  Nrr=3
Ν=18  Πfm=153  Πrr=20  Kfm=306  Krr=37  Nfm=34  Nrr=3
Ν=19  Πfm=171  Πrr=21  Kfm=342  Krr=39  Nfm=36  Nrr=3
Ν=20  Πfm=190  Πrr=22  Kfm=380  Krr=41  Nfm=38  Nrr=3
Ν=21  Πfm=210  Πrr=23  Kfm=420  Krr=43  Nfm=40  Nrr=3
Ν=22  Πfm=231  Πrr=24  Kfm=462  Krr=45  Nfm=42  Nrr=3
Ν=23  Πfm=253  Πrr=25  Kfm=506  Krr=47  Nfm=44  Nrr=3
Ν=24  Πfm=276  Πrr=26  Kfm=552  Krr=49  Nfm=46  Nrr=3
Ν=25  Πfm=300  Πrr=27  Kfm=600  Krr=51  Nfm=48  Nrr=3
Ν=26  Πfm=325  Πrr=28  Kfm=650  Krr=53  Nfm=50  Nrr=3
Ν=27  Πfm=351  Πrr=29  Kfm=702  Krr=55  Nfm=52  Nrr=3

When the full mesh topology is used in a node with 10 routers the configuration and maintenance cost is ~4.5 times larger from a two-route-reflectors setup and the 11th router would cost me ~20 configuration stanzas and logging in 11 routers instead of ~3 stanzas in three routers ...

Full Mesh vs Route Reflectors

TSIG authenticated zone transfers in Bind

Notes on setting up secret key authenticated TSIG zone transfers in Bind 9.8.

Create an 128b HMAC-SHA256 of type HOST key to use as the shared secret.

# dnssec-keygen -a hmac-sha256 -b 128 -n HOST gemlocgem
Kgemlocgem.+163+12752

The previous command creates two files.

# ls Kgemlo*
Kgemlocgem.+163+12752.key  Kgemlocgem.+163+12752.private

The 128b base-64 string we need for the shared secret is in both files.

# cat Kgemlocgem.+163+12752.key
gemlocgem. IN KEY 512 3 163 Wh47ever64iPdUhb9nd8hg==

Create a named.conf.keys file.

# cat named.conf.keys

key gemlocgem. {
  algorithm hmac-sha256;
  secret  "Wh47ever64iPdUhb9nd8hg==";
};

Make secret and named.conf.keys files non-readable by all in this system.

# chmod 640 Kgemlocgem.+163+12752.*
# chmod 640 named.conf.keys

Send named.conf.keys to the slave.

# toprod named.conf.keys

Include named.conf.keys and add server-key stanza in the named.conf of the server at 192.0.2.111

# cat named.conf

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.external";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/named.conf.keys";

server 192.0.2.222 {
  transfer-format many-answers;
  keys { gemlocgem.; };
};

One of the name servers ( e.g. the slave) is at 192.0.2.222 and the other name server at 192.0.2.111

The named.conf file in the other server.

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.external";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/named.conf.keys";

server 192.0.2.111 {
  transfer-format many-answers;
  keys { gemlocgem.; };
};

Adjust allow-updates and allow-transfer directives to use TSIG in the options of both servers e.g.

  allow-transfer { key gemlocgem. ; };
  allow-update { key gemlocgem. ; };

You may use and other allow-transfer directives that specify IP addresses.

The systems used.

# named -v
BIND 9.8.4-rpz2+rl005.12-P1
# cat /etc/issue /etc/debian_version 
Debian GNU/Linux 7 \n \l

7.7

TSIG authenticated zone transfers between Bind Servers

Change hostname in debian

A better way to change the hostname in debian systems.

# hostname -f
geminus

Sanity-check the list of /etc/* files in which the hostname appears.

# cd /etc
# grep -ril `hostname -f` /etc |tee hostname.files.list
/etc/mailname
/etc/hostname
/etc/exim4/update-exim4.conf.conf
/etc/hosts
/etc/ssh/ssh_host_rsa_key.pub
/etc/ssh/ssh_host_dsa_key.pub
/etc/ssh/ssh_host_ecdsa_key.pub

The above list seems fine but imagine what it would happen if the hostname was eth or work.

Save each file that contains the hostname to file.0 and replace geminus (old hostname) with gem (new hostname).

# perl -i.0 -p -e 's/geminus/gem/g;' `cat ./hostname.files.list`

Restart services (ssh and exim in this case) or better reboot the system if you can afford it.

# reboot

Change the hostname in debian systems

LXC container start at boot

Start a Linux Container at boot time

See the containers ' status.

# lxc-list
RUNNING

FROZEN

STOPPED
  squeezie

Link the container's config file to /etc/lxc/auto so it starts at boot time.

# ln -s /var/lib/lxc/squeezie/config /etc/lxc/auto/squeezie

squeezie is the name of the container.

Test if you can afford to reboot the host.

# reboot

...

# lxc-list 
RUNNING
  squeezie (auto)

FROZEN

STOPPED

start a LinuX Container at boot

change container root password from the host

Change a container's root password (you forgot) from the host.

I think that the easiest way is to run passwd chrooted to the container's root.

e.g. for the squeezie host created by the squeeze template

# chroot /var/lib/lxc/squeezie/rootfs/ passwd
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully

Change a container's root password from the host

debian - gnome - disable log out lock screen etc

Disable automatic log-out / screen lock on debian gnome desktops ...

bad idea for your workstation, even worst for your laptop but a friend desperately wants it and he could not figure it out.

Check which values-keys are set to true in the relative section of the 'registry'
$ dconf list /org/gnome/desktop/lockdown

Set disable-lock-screen and disable-log-out to true
$ dconf-editor
and check /org/gnome/desktop/lockdown/disable-lock-screen and /org/gnome/desktop/lockdown/disable-log-out

( dconf write /org/gnome/desktop/lockdown/x false|0|... does not work the way I expected it to work )

> System Settings > Brightness And Lock > Lock > OFF

debian gnome disable lock screen and user logout

virtualbox debian guest with tiny screen

To 'fix' display issues of a virtualbox debian(6) guest with tiny not-usable screen
...
ssh into the guest and

# apt-get install virtualbox-ose-dkms
# reboot

Fix display issues of virtual box debian guest

mp3 tags - id3v2

Install id3v2 --A command line id3v2 tag editor

# apt-get install id3v2

$ id3v2 -l Thievery\ Corporation\ 2hr\ mix.mp3
id3v2 tag info for Thievery Corporation 2hr mix.mp3:
COMM (Comments): (simpleyoutubeconverter.com)[eng]: Downloaded from simpleyoutubeconverter.comn
TIT2 (Title/songname/content description): Thievery Corporation 2hr mix
Thievery Corporation 2hr mix.mp3: No ID3v1 tag

$ id3v2 -d Thievery\ Corporation\ 2hr\ mix.mp3
Stripping id3 tag in "Thievery Corporation 2hr mix.mp3"...id3v2 stripped.

$ id3v2 -s Thievery\ Corporation\ 2hr\ mix.mp3
Stripping id3 tag in "Thievery Corporation 2hr mix.mp3"...id3v1 stripped.

$ id3v2 -l Thievery\ Corporation\ 2hr\ mix.mp3
Thievery Corporation 2hr mix.mp3: No ID3 tag

$ id3v2 -a "Thievery Corporation" Thievery\ Corporation\ 2hr\ mix.mp3
$ id3v2 -c "two hour mix" Thievery\ Corporation\ 2hr\ mix.mp3
$ id3v2 -g "(27)" Thievery\ Corporation\ 2hr\ mix.mp3
$ id3v2 -l Thievery\ Corporation\ 2hr\ mix.mp3
id3v1 tag info for Thievery Corporation 2hr mix.mp3:
Title  :                                 Artist: Thievery Corporation
Album  :                                 Year:     , Genre: Trip-Hop (27)
Comment: two hour mix                    Track: 0
id3v2 tag info for Thievery Corporation 2hr mix.mp3:
TPE1 (Lead performer(s)/Soloist(s)): Thievery Corporation
COMM (Comments): ()[]: two hour mix
COMM (Comments): (ID3v1 Comment)[XXX]: two hour mix
TCON (Content type): Trip-Hop (27)

ID3v1 Genre List

  0. Blues
  1. Classic Rock
  2. Country
  3. Dance
  4. Disco
  5. Funk
  6. Grunge
  7. Hip-Hop
  8. Jazz
  9. Metal
 10. New Age
 11. Oldies
 12. Other
 13. Pop
 14. R&B
 15. Rap
 16. Reggae
 17. Rock
 18. Techno
 19. Industrial
 20. Alternative
 21. Ska
 22. Death Metal
 23. Pranks
 24. Soundtrack
 25. Euro-Techno
 26. Ambient
 27. Trip-Hop
 28. Vocal
 29. Jazz+Funk
 30. Fusion
 31. Trance
 32. Classical
 33. Instrumental
 34. Acid
 35. House
 36. Game
 37. Sound Clip
 38. Gospel
 39. Noise
 40. AlternRock
 41. Bass
 42. Soul
 43. Punk
 44. Space
 45. Meditative
 46. Instrumental Pop
 47. Instrumental Rock
 48. Ethnic
 49. Gothic
 50. Darkwave
 51. Techno-Industrial
 52. Electronic
 53. Pop-Folk
 54. Eurodance
 55. Dream
 56. Southern Rock
 57. Comedy
 58. Cult
 59. Gangsta
 60. Top 40
 61. Christian Rap
 62. Pop/Funk
 63. Jungle
 64. Native American
 65. Cabaret
 66. New Wave
 67. Psychadelic
 68. Rave
 69. Showtunes
 70. Trailer
 71. Lo-Fi
 72. Tribal
 73. Acid Punk
 74. Acid Jazz
 75. Polka
 76. Retro
 77. Musical
 78. Rock & Roll
 79. Hard Rock

id3v2

edit mp3 tags, comments, etc with id3v2

rs232 to terminal emulator debian

Find out if your RS232 interface is seen and to the serial port attached to

$ lsusb |grep 23
Bus 003 Device 007: ID 067b:2303 Prolific Technology, Inc. PL2303 Serial Port
$ dmesg |grep tty |grep pl
[ 3881.178720] usb 3-1: pl2303 converter now attached to ttyUSB0

(Install) Start minicom

$ su
# apt-get install minicom
# minicom -s

a) to set Serial Device and so forth
...
and then Exit to apply configuration and start the terminal emulator

rs232 to terminal emulator debian

squeeze container on a wheezy host

Notes on putting a Debian squeeze Linux Container on a Debian Wheezy host.

The requirement; the Squeeze system in the container runs a TCP/IP application that should be accessible only by the host.

Create a bridge between a dummy network interface and the network interface used by the container.

Load dummy module (with numdummies=1) at startup.

# echo dummy >> /etc/modules

Install the Linux ethernet bridge utilities.

# apt-get install bridge-utils

Add stanzas that create an inhost bridge that contains a dummy to /etc/network/interfaces

auto dummy0
  iface dummy0 inet static

auto etherisland
  iface etherisland inet static
  address 172.16.17.18
  netmask 255.255.255.128
  bridge_ports dummy0
  bridge_stp  off
  bridge_waitport 0
  bridge_fd 0

Load one dummy interface and restart networking.

# modprobe dummy
# /etc/init.d/networking restart

Install lxc and prerequisites.

# apt-get install lxc

which also installs debootstrap libcap2-bin and libpam-cap.

Mount control groups hierarchy now and at boot.

# mount /sys/fs/cgroup/
# echo "cgroup /sys/fs/cgroup  cgroup  defaults  0  0" >> /etc/fstab

Check your kernel for lxc support.

# lxc-checkconfig

Get the squeeze template.

# wget https://raw.githubusercontent.com/ipduh/lxc-squeeze/master/lxc-squeeze -O /usr/share/lxc/templates/lxc-squeeze

Allow execution to all.

# chmod 755 /usr/share/lxc/templates/lxc-squeeze

Create the Squeeze Container.

# lxc-create -n squeezie -t squeeze

Start the container in the background.

# lxc-start -n squeezie -d

Console into the squeezie container.

# lxc-console -n squeezie

Type <Ctrl+a q> to exit the console, <Ctrl+a Ctrl+a> to enter Ctrl+a itself

Debian GNU/Linux 6.0 squeezie tty1

squeezie login: root
Password: 
Linux squeezie 3.2.0-4-amd64 #1 SMP Debian 3.2.63-2 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

root@squeezie:~#

The password set by the template is squeezie.
Alternatively, you may ssh to squeezie from the host.

Change the root password

root@squeezie:~# passwd
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully

Give Temporary Internet Connectivity to the Squeeze Container.

root@squeezie:~# route add default gw 172.16.17.18

and in the host

# echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE -s 172.16.17.0/25

To disable the Internet Connectivity reset your Firewall e.g.

# /etc/bif

Forward the application's TCP ports e.g. for port 80 and port 443.

# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 172.16.17.16:80
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 172.16.17.16:443

Squeeze LXC on Wheezy

linux dummy interface

Linux Pseudo Device i.e. Dummy Interface Notes.

Create interface dummy0.

# modprobe dummy

I need (more dummies)

# rmmod dummy
# modprobe dummy numdummies=3

to Create 3 pseudo interfaces.

Set the Pseudo Interface(s ') MAC address(es).

# ifconfig dummy0 hw ether fc:de:ad:be:ef:10
# ifconfig dummy1 hw ether fc:de:ad:be:ef:11
# ifconfig dummy2 hw ether 00:00:0c:f0:00:0d

(: 00:00:0c:f0:00:0d :)

Set the Pseudo Interface(s ') IP address(es).

# ifconfig dummy0 172.16.17.18/25
# ifconfig dummy1 172.16.17.19/25
# ifconfig dummy2 192.0.2.8/26

Show dummy0 configuration.

# ifconfig dummy0
dummy0    Link encap:Ethernet  HWaddr fc:de:ad:be:ef:10  
          inet addr:172.16.17.18  Bcast:172.16.17.127  Mask:255.255.255.128
          inet6 addr: fe80::fede:adff:febe:ef10/64 Scope:Link
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:210 (210.0 B)

Create a bridge.

# brctl addbr etherisland

Set forwarding delay to 0 seconds.

# brctl setfd etherisland 0

Bridge dummy0 and dummy1 dummies.

# brctl addif etherisland dummy0 dummy1

List bridge(s).

# brctl show
bridge name bridge id          STP enabled interfaces
etherisland 8000.fcdeadbeef10  no          dummy0
                                           dummy1

Make an ethernet inhost island --a bridge that contains a pseudo interface-- stick.

Load dummy module (with numdummies=1) at system startup.

# echo dummy >> /etc/modules

The /etc/network/interfaces stanzas.

auto dummy0
  iface dummy0 inet static

auto etherisland
  iface etherisland inet static
  address 172.16.17.18
  netmask 255.255.255.128
  bridge_ports dummy0
  bridge_stp  off
  bridge_waitport 0
  bridge_fd 0
  bridge_hello 1

Linux pseudo interface i.e. dummy

PostgreSQL Notes

PostgreSQL Debian Notes.

Install PostgreSQL on debian
Login, login using psql, list databases and users , set postgres password.
Authentication Modes and Access.
Create a new user and a new database.
Delete database
Vacuum
Enable remote Access
Logical backup with pg_dump

Install PostgreSQL from debian packages.

# apt-get install postgresql

Now, the debian package postgresql installs all dependencies and the client.

libpq5 postgresql-9.1 postgresql-client-9.1 postgresql-client-common postgresql-common

Alternatively, you may install PostgreSQL from apt repositories maintained by the PostgreSQL Global Development Group.

Login as the postgres user using psql--the PostgreSQL interactive terminal.

# su - postgres -c psql 
psql (9.1.14)
Type "help" for help.

postgres=#

The default authentication mode is 'ident' or 'peer' i.e. system user x can only login as PostgreSQL user x.

The PostgreSQL Client Authentication Configuration File in debian is at

/etc/postgresql/*/main/pg_hba.conf

The 'trust' authentication mode allows connections unconditionally and the mode 'password' requires the client to supply an unencrypted password.

Since the default local authentication mode is 'peer', applications that make use of the database locally may give authentication errors if running as another system user. You may want to check if setting the mode to 'trust' fixes the problem.

# "local" is for Unix domain socket connections only
#local   all             all                                     peer
local   all             all                                     trust

But not settle for 'trust' i.e. allow local connections unconditionally.

By default PostgreSQL binds to 127.0.0.1:5432 --you can change it at

/etc/postgresql/*/main/postgresql.conf

'listen_addresses' if you need to enable remote access.

List databases.

postgres=# \l
                                  List of databases
   Name    |  Owner   | Encoding |   Collate   |    Ctype    |   Access privileges   
-----------+----------+----------+-------------+-------------+-----------------------
 postgres  | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | 
 template0 | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres          +
           |          |          |             |             | postgres=CTc/postgres
 template1 | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres          +
           |          |          |             |             | postgres=CTc/postgres
(3 rows)

Most new databases are created by copying tempate1 of the templates.

List users.

postgres=# \du
                             List of roles
 Role name |                   Attributes                   | Member of 
-----------+------------------------------------------------+-----------
 postgres  | Superuser, Create role, Create DB, Replication | {}

Set the password for the PostgreSQL user postgres.

postgres=# \password postgres
Enter new password: 
Enter it again:

Exit psql.

postgres-# \q
#

Create a new PostgreSQL user.

# su - postgres -c "createuser -P puser"
Enter password for new role: 
Enter it again: 
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n

Create the database puser that belongs to user puser.

# su - postgres -c "createdb -O puser puser"

List PostgreSQL databases and user roles.

# su - postgres -c psql
psql (9.1.14)
Type "help" for help.

postgres=# \l
                                  List of databases
   Name    |  Owner   | Encoding |   Collate   |    Ctype    |   Access privileges   
-----------+----------+----------+-------------+-------------+-----------------------
 postgres  | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | 
 puser     | puser    | UTF8     | en_US.UTF-8 | en_US.UTF-8 | 
 template0 | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres          +
           |          |          |             |             | postgres=CTc/postgres
 template1 | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres          +
           |          |          |             |             | postgres=CTc/postgres
(4 rows)

postgres=# \du
                             List of roles
 Role name |                   Attributes                   | Member of 
-----------+------------------------------------------------+-----------
 postgres  | Superuser, Create role, Create DB, Replication | {}
 puser     |                                                | {}

postgres=# \q
#

Delete the database puser.

# su - postgres -c "dropdb puser"

Calculate statistics for use by the optimizer(-z) and Garbage-Collect i.e. full vacuum(-f) all(-a) PostgreSQL databases in this host.

# su - postgres -c "vacuumdb -a -f -z"

Vacuumdb is a VACUUM wrapper (pg_wrapper) written in Perl.

pg_dump - Logical Backups

Pg_dump extracts a PostgreSQL database into a script file or other archive file.

Create a compressed sql script file with the schema and data of the database puser that belongs to the PostgreSQL user puser in host a.

a# pg_dump -o -U puser -h localhost puser |gzip > puser.dump.gz
Password:

Restore PostgreSQL database in host b.

b# gunzip  puser.dump.gz
b# su - postgres -c "createuser -P puser"
Enter password for new role: 
Enter it again: 
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) y
Shall the new role be allowed to create more new roles? (y/n) n
b# su - postgres -c "createdb -O puer puser"
b# psql -U puser -h localhost < puser.dump 
Password for user puser:

PostgreSQL Notes

simple AP with hostapd

Notes on configuring transient WiFi APs with linux and hostapd

hostapd config

node9:~# cat /etc/hostapd/hostapd.wlan0.conf |grep -v "#"
interface=wlan0
driver=nl80211
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
debug=4
ctrl_interface=/var/run/hostapd.wlan0
ctrl_interface_group=0
channel=6
hw_mode=g
macaddr_acl=0
auth_algs=3
eapol_key_index_workaround=0
eap_server=0
wpa=3
ssid=node9
wpa_passphrase=incellll
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP

To enable 802.11n add to the hostapd.conf

ieee80211n=1
wmm_enabled=1

and do not change

hw_mode=g

node9:~# hostapd /etc/hostapd/hostapd.wlan0.conf

or run the hostapd deamon in the background

node9# hostapd -B /etc/hostapd/hostapd.wlan0.conf

Connect to node9

node7:~# wpa_supplicant -i wlan1 -c <(wpa_passphrase node9 incellll)

or put wpa_supplicant in the background

node7:~# wpa_supplicant -B -i wlan1 -c <(wpa_passphrase node9 incellll)

Check the client's wireless interface

node7:~# iwconfig wlan1
wlan1     IEEE 802.11abgn  ESSID:"node9"  
          Mode:Managed  Frequency:2.437 GHz  Access Point: 30:14:4A:15:B7:94   
          Bit Rate=54 Mb/s   Tx-Power=27 dBm   
          Retry  long limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality=64/70  Signal level=-46 dBm  
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:20   Missed beacon:0

List the AP client(s)

node9:~# iw dev wlan0 station dump 
Station 30:14:4a:15:bb:72 (on wlan0)
 inactive time: 2893 ms
 rx bytes: 871
 rx packets: 22
 tx bytes: 537
 tx packets: 3
 tx retries: 0
 tx failed: 0
 signal:   -42 dBm
 signal avg: -46 dBm
 tx bitrate: 1.0 MBit/s
 authorized: yes
 authenticated: yes
 preamble: short
 WMM/WME: no
 MFP:  no
 TDLS peer:  no

Network

node9:~# ifconfig wlan0 192.168.10.9/24
node7:~# ifconfig wlan1 192.168.10.7/24
node7:~# ping -c 1 192.168.10.9
PING 192.168.10.9 (192.168.10.9) 56(84) bytes of data.
64 bytes from 192.168.10.9: icmp_req=1 ttl=64 time=1.66 ms

--- 192.168.10.9 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.668/1.668/1.668/0.000 ms

logrotate notes

Logrotate notes.

The logrotate directions for a daemon named app put at /etc/logrotate.d/app.

# cat /etc/logrotate.d/app

/logs/app/gen.log {
    daily
    missingok
    rotate 7
    compress
    copytruncate
    notifempty    
}

/logs/app/sec.log {
    weekly
    mail administratotator@sys.ipduh.com
    missingok
    rotate 4
    shred
    create 640 app app
}

Directives explanation ( from the manual ).

daily, weekly , monthly
Handle time period
(The handling trigger may be the file size)

missingok
If the log file is missing, go on to the next one without issuing an error message.

rotate count
Log files are rotated count times before being removed or mailed to the address specified in a mail directive.
If count is 0, old versions are removed rather than rotated.

compress
Old versions of log files are compressed with gzip(1) by default.

copytruncate
Truncate the original log file to zero size in place after creating a copy, instead of moving the old log file and optionally creating a new one.
It can be used when some program cannot be told to close its logfile and thus might continue writing (appending) to the previous log file forever.
Note that there is a very small time slice between copying the file and truncating it, so some logging data might be lost. When this option is used, the create option will
have no effect, as the old log file stays in place.

notifempty
Do not rotate the log if it is empty (this overrides the ifempty option).

create mode owner group
Immediately after rotation (before the postrotate script is run) the log file is created (with the same name as the log file just rotated). mode
specifies the mode for the log file in octal (the same as chmod(2)), owner specifies the user name who will own the log file, and group specifies the
group the log file will belong to. Any of the log file attributes may be omitted, in which case those attributes for the new file will use the same
values as the original log file for the omitted attributes.

shred
Delete log files using shred -u instead of unlink(). This should ensure that logs are not readable after their scheduled deletion; this is off by
default. See also noshred.

Run now (to test) logrotate directions for app.

# logrotate --force app

Debug logrotate directions for app.

# logrotate --force --debug app

Logrotate Notes

devz howto II

devz Howto

Get devz

$ git clone https://github.com/ipduh/devz.git
$ cd devz

Install devz as root

$ su
# ./install_devz_as_root.sh
# source ~/.bashrc

Install devz for a user

# exit
$ ./install_devz_as_user.sh
$ source ~/.bashrc

Configure devz

1) Copy public SSH key to remote system(s)
2) Adjust ~/.devzconfig/production-servers

1) Create SSH key pair and copy the public key to a remote "production" server.

$ ssh-keygen -t dsa
$ scp ~/.ssh/id_dsa.pub production_server:~/.ssh/authorized_keys2

2) An example ~/.devzconfig/production-servers

# production servers
# IP address , SSH TCP port, user
192.0.2.22,44,usar
192.0.2.23,22,usar

Use devz

Initialize SSH agent.

$ devz-setagent

Stor

$ stor blah
devz:The directory ./stor does not exist! I will create it.
devz:blah is at ./stor/blah.0

Toprod

$ toprod blah 
devz:/home/usar/blah to usar@192.0.2.22:44:/home/usar/blah
blah                                                                                                          100%    6     0.0KB/s   00:00  
devz:/home/usar/blah to usar@192.0.2.23:22:/home/usar/blah
blah                                                                                                          100%    6     0.0KB/s   00:00

Ctoprod

$ ctoprod "cat blah"
devz: usar@192.0.2.22:44 "cat blah"
***Start 192.0.2.22***
blah

***End 192.0.2.22***
devz: usar@192.0.2.23:22 
***Start 192.0.2.23***
blah

***End 192.0.2.23***

Fromprod

$ fromprod blah
devz:blah exists! Please stor it and delete it or rename it.
$ rm blah
$ fromprod blah
devz:ipduh@192.0.2.22:44:/home/usar/blah to /hom/usar/blah
blah                                                                                                          100%    6     0.0KB/s 00:00

get help-cheatsheet

$ devz
******
devz
DEVeloper'S Stupid Servant.
A bash extention that helps the administrator of similar dev and production systems.
g0 2010 - http://ipduh.com/contact
http://sl.ipduh.com/devz-howto
******
devz verbs:
*
'toprod' or 'devz toprod'
 toprod file
 scp a file to the production server(s)
*
'ctoprod' or 'devz ctoprod'
 ctoprod 'command;command;'
 send command(s) to poduction server(s)
*
'fromprod' or 'devz fromprod'
 fromprod file
 scp a file from the first production server here.
*
'stor' or 'devz stor'
 stor file
 creates the directory stor in the current directory if it does not exist.
 makes a copy of the file in stor
 the file gets a version number like file.n where n [0,n]
*
'devz-setagent' or 'devz setagent'
 setagent
 start an ssh-agent login session
*
'devz-showconfig' or 'devz showconfig'
 showconfig
 See the Current devz configuration
*
'devz-setconfig' or 'devz setconfig'
 setconfig
 add server to the production-servers list file
 setconfig cannot configure much, check the devz-howto for your first setup
*
'devz-prodsrvexists' or 'devz prodsrvexists'
 prodsrvexists
 check if ${DEVZ_PRO_SRV} exists and  print an example ${DEVZ_PRO_SRV} file
*
******

devz-howto

debian gnome nvidia notes

Notes The OS

# uname -a
Linux red 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt11-1 (2015-05-24) x86_64 GNU/Linux

The Debian software system

# cat /etc/issue /etc/debian_version 
Debian GNU/Linux 8 \n \l

8.1

The hardware

# lspci | egrep "3D|VGA"
00:02.0 VGA compatible controller: Intel Corporation 4th Gen Core Processor Integrated Graphics Controller (rev 06)
01:00.0 3D controller: NVIDIA Corporation Device 139b (rev a2)

# apt-get install nvidia-driver
# apt-get install nvidia-xconfig
# nvidia-xconfig
# reboot

mysql administration notes

MySQL server on debian administration notes .

Install on debian
debian-sys-maint user
Passwordless administration commands or SQL statements
Configuration files and MySQL system variables
mysqladmin
Using the standard client for an elementary database exploration.
Binary Backups
mysqlhotcopy
mysqldump --Logical Backups.
Master-Slave Replication.
mysqlcheck.

Now, with the debian MySQL server packet installation

# apt-get install mysql-server

you get the MySQL server version 5.5 along with its prerequisites, basic MySQL tools like the standard MySQL client and the Perl DBI, and some other stuff like mailx.

heirloom-mailx libaio1 libdbd-mysql-perl libdbi-perl libhtml-template-perl
libmysqlclient18 mysql-client-5.5 mysql-common mysql-server-5.5 mysql-server-core-5.5

The debian-sys-maint user.

The debian package adds the debian-sys-maint MySQL user that can do pretty much everything if logging in locally.

mysql> show grants for 'debian-sys-maint'@'localhost';
+----------------------------------------------------------------------------------------------------------------------------------------------------+
| Grants for debian-sys-maint@localhost                                                                                                              |
+----------------------------------------------------------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'debian-sys-maint'@'localhost' IDENTIFIED BY PASSWORD '*0123456789ABCDEF12346789082F1970A47EDCBA' WITH GRANT OPTION |
+----------------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

mysql> select Host,Super_priv,Create_priv,Grant_priv,Drop_priv from mysql.user where user='debian-sys-maint';
+-----------+------------+-------------+------------+-----------+
| Host      | Super_priv | Create_priv | Grant_priv | Drop_priv |
+-----------+------------+-------------+------------+-----------+
| localhost | Y          | Y           | Y          | Y         |
+-----------+------------+-------------+------------+-----------+
1 row in set (0.01 sec)

The debian-sys-maint user has a "random" password stored at /etc/mysql/debian.cnf.

# ls -l /etc/mysql/debian.cnf 
-rw------- 1 root root 333 Oct 23 16:04 /etc/mysql/debian.cnf

Skip the Password Prompts.

The debian-sys-maint user is used by system scripts, but it is convenient for an administrator to use it in his commands and scripts.

# mysqladmin --defaults-file=/etc/mysql/debian.cnf create yo
# mysqladmin --defaults-file=/etc/mysql/debian.cnf drop yo
Dropping the database is potentially a very bad thing to do.
Any data stored in the database will be destroyed.

Do you really want to drop the 'yo' database [y/N] y
Database "yo" dropped

Another way to skip the password prompt when running a SQL command.

# mysql -u root -p"password" -e "command;"

As far as I know since at least version 5.1.41-3 and upwards commands like the above, do not reveal your password in the current processes snapshot (ps)

root     30510  0.0  0.1  40280  2696 pts/0    S+   07:41   0:00          \_ mysql -u root -px xxxxxx

Configuration files and MySQL system variables.

Default options are read from the following files in the given order: /etc/my.cnf /etc/mysql/my.cnf /usr/etc/my.cnf ~/.my.cnf

Within the MySQL configuration or option files we may define groups for which we want to set options. A Group name often matches a MySQL helper program name. An options group named "group" starts with [group] in the options or configuration files.

The debian debian-package puts the configuration files in /etc/mysql.

The database table and DB specific options files are stored in /var/lib/mysql

An easy way to display MySQL system variables and their values.

# mysqladmin --defaults-file=/etc/mysql/debian.cnf variables

A quick reference of the MySQL daemon options along with some MySQL system variables and their values.

# mysqld --h -v

MySQL has many logging options (look for log in the MySQL system variables).
General query log keeping is expensive and disabled by default. It may may be enabled permanently in the configuration file /etc/mysql/my.cnf

#general_log_file        = /var/log/mysql/mysql.log
#general_log             = 1

As of version 5.1, general log keeping may be enabled or disabled at runtime.

# mysql -u root -p"root_paswd"
mysql> show variables like 'general%';
+------------------+-------------------------------+
| Variable_name    | Value                         |
+------------------+-------------------------------+
| general_log      | OFF                           |
| general_log_file | /var/lib/mysql/anaxagoras.log |
+------------------+-------------------------------+
2 rows in set (0.00 sec)
mysql> SET GLOBAL general_log=1;
Query OK, 0 rows affected (0.00 sec)
mysql> show variables like 'general%';
+------------------+-------------------------------+
| Variable_name    | Value                         |
+------------------+-------------------------------+
| general_log      | ON                            |
| general_log_file | /var/lib/mysql/anaxagoras.log |
+------------------+-------------------------------+
2 rows in set (0.00 sec)
mysql> SET GLOBAL general_log=0;
Query OK, 0 rows affected (0.08 sec)
mysql> quit
Bye
# cat /var/lib/mysql/anaxagoras.log 
/usr/sbin/mysqld, Version: 5.5.40-0+wheezy1 ((Debian)). started with:
Tcp port: 3306  Unix socket: /var/run/mysqld/mysqld.sock
Time                 Id Command    Argument
141026 13:21:22    37 Query show variables like 'general%'
141026 13:24:35    37 Query SET GLOBAL general_log=0

mysqladmin and a few usage examples.
mysqladmin is an agent-client suitable for administering MySQL servers.

Check whether the server is alive.

# mysqladmin --defaults-file=/etc/mysql/debian.cnf ping
mysqld is alive

See status.

# mysqladmin --defaults-file=/etc/mysql/debian.cnf status
Uptime: 10189  Threads: 2  Questions: 172  Slow queries: 0  Opens: 171  Flush tables: 1  Open tables: 41  Queries per second avg: 0.016

To view an extended status try.

# mysqladmin --defaults-file=/etc/mysql/debian.cnf extended-status |less

List processes.

# mysqladmin --defaults-file=/etc/mysql/debian.cnf processlist
+----+------------------+-----------+----+---------+------+-------+------------------+
| Id | User             | Host      | db | Command | Time | State | Info             |
+----+------------------+-----------+----+---------+------+-------+------------------+
| 40 | root             | localhost |    | Sleep   | 1940 |       |                  |
| 47 | debian-sys-maint | localhost |    | Query   | 0    |       | show processlist |
+----+------------------+-----------+----+---------+------+-------+------------------+

Kill process with ID 40 and show processes (proc).

# mysqladmin --defaults-file=/etc/mysql/debian.cnf kill 40 proc
+----+------------------+-----------+----+---------+------+-------+------------------+
| Id | User             | Host      | db | Command | Time | State | Info             |
+----+------------------+-----------+----+---------+------+-------+------------------+
| 46 | debian-sys-maint | localhost |    | Query   | 0    |       | show processlist |
+----+------------------+-----------+----+---------+------+-------+------------------+

Reload the MySQL server mysql database grant tables.

# mysqladmin --defaults-file=/etc/mysql/debian.cnf reload

# mysqladmin -u root -p"root_passwd" flush-privileges

Clear MySQL status variables in a MySQL instance running on host 192.0.2.10

# mysqladmin -h 192.0.2.10 -u root -p"0210_root_passwsd" flush-status

Shutdown MySQL server.

# mysqladmin --defaults-file=/etc/mysql/debian.cnf ping
mysqld is alive
# mysqladmin --defaults-file=/etc/mysql/debian.cnf shutdown
# mysqladmin --defaults-file=/etc/mysql/debian.cnf ping 2>/dev/null
# echo $?
1

Start MySQL server.

# /etc/init.d/mysql start
[ ok ] Starting MySQL database server: mysqld ..
[info] Checking for tables which need an upgrade, are corrupt or were 
not closed cleanly..

Use the standard client in an elementary database exploration.

Log in to MySQL as the root using the standard mysql client.

# mysql -u root -p"root_passwd"

Show databases.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| foodb              |
| mysql              |
| performance_schema |
+--------------------+
4 rows in set (0.00 sec)

The mysql , information_schema and performance_schema databases come with the MySQL server and they are used by the MySQL server in its operation. The mysql database holds information about users,servers,plugins,timezone,etc and the users may write to it (eg: this is how you add a MySQL user ). The information_schema (read-only to the users) stores information about all the other databases that MySQL maintains. The performance_schema database is used by the MySQL system to provide low level execution monitoring.

Use the foodb database.

mysql> use foodb;

Show all tables in the foodb database.

mysql> show tables;
+------------------+
| Tables_in_foodb  |
+------------------+
| exits            |
+------------------+
1 row in set (0.00 sec)

Describe the schema of the 'exits' table in the 'foodb' DB.

mysql> describe exits;
+------------+------------------+------+-----+---------+-------+
| Field      | Type             | Null | Key | Default | Extra |
+------------+------------------+------+-----+---------+-------+
| su         | int(10) unsigned | NO   | PRI | NULL    |       |
| first_test | datetime         | YES  |     | NULL    |       |
| last_test  | datetime         | YES  |     | NULL    |       |
+------------+------------------+------+-----+---------+-------+
3 rows in set (0.00 sec)

Find out the number of rows in the table exits.

mysql> SELECT COUNT(*) FROM exits;
+----------+
| COUNT(*) |
+----------+
|   260472 |
+----------+
1 row in set (0.00 sec)

exit

mysql> quit
Bye
#

Binary Database Backup.
If a database contains only MyISAM tables (*.frm,*.MYD,or *.MYI) and the db.opt file you may simply copy it.

Lock tables before copying.

# mysql --defaults-file=/etc/mysql/debian.cnf -e "LOCK TABLES foodb.exits READ;"

The database tables are in /usr/lib/mysql. To copy.

# cp -rp /var/lib/mysql/foodb /bak/mysql/foodb

Unlock tables after copying.

# mysql --defaults-file=/etc/mysql/debian.cnf -e "UNLOCK TABLES;"

To restore the foodb to the same or another MySQL server
copy it to /var/lib/mysql.

# cp -rp  /bak/mysql/foodb /var/lib/mysql/foodb

If you are copying to another MySQL server and you are missing or you do not want to mess with the old /var/lib/mysql/mysql you may want to create a user for the foodb.

mysql> grant all on foodb.* to foodbuser;
mysql> set password for foodbuser = password('foodbuser_passwd');

When I did copy the foodb DB directory to another MySQL server everything worked fine, the origin MySQL server was version 5.1.41-3, and the destination MySQL was version 5.5.40-0.

mysqlhotcopy

A more robust way for doing binary backups of MyISAM tables is mysqlhotcopy --a Perl script that comes with the standard MySQL distribution.
Eg: to copy foodb to another MySQL server using mysqlhotcopy.

dest# mkdir /var/lib/mysql/foodb
orig#mysqlhotcopy --method='scp' --user=root --password=mysqlrootpasswd foodb root@192.0.2.26:/var/lib/mysql

mysqldump --Logical Backups

Good for all storage engines. Logical Backups are text files that contain SQL statements used to restore schemata and data.

Dump backup of foodb in a file.

orig# mysqldump -u root -p"root_passwd" foodb > foodb.sql

Restore the foodb to another MySQL server.

dest# mysqladmin --defaults-file=/etc/mysql/debian.cnf create foodb
dest# mysql --defaults-file=/etc/mysql/debian.cnf foodb < foodb.sql

Master-Slave Replication

Prepare Master ( anaxagoras ) and Slave ( democritus ) MySQL servers.
Enable binary logging, set a server ID number and listen on all interfaces.

Master --host anaxagoras
add in /etc/mysql/my.cnf -configuration group mysqld

[mysqld]
server-id               = 11
log_bin                 = /var/log/mysql/mysql-bin.log
bind-address            = 0.0.0.0
innodb_flush_log_at_trx_commit=1
sync_binlog             = 1  
binlog_do_db            = foodb

Restart MySQL

anaxagoras# service mysql restart

Punch Firewall holes.

Slave --host democritus
Add in /etc/mysql/my.cnf -configuration group mysqld

[mysqld]
server-id               = 12
log_bin                 = /var/log/mysql/mysql-bin.log
binlog_do_db            = foodb

Restart MySQL

democritus# service mysql restart

Create a user for replication on the master.

anaxagoras# mysql -u root -p"root_passwd"
mysql> CREATE USER 'repuser'@'192.0.2.0/255.255.255.128';
mysql> SET PASSWORD FOR 'repuser'@'192.0.2.0/255.255.255.128' = password('repuser_password');
mysql> GRANT REPLICATION SLAVE ON *.* TO 'repuser'@'192.0.2.0/255.255.255.128';
mysql> FLUSH PRIVILEGES;

Obtain master's binary log coordinates.

mysql> USE foodb
mysql> FLUSH TABLES WITH READ LOCK;
Query OK, 0 rows affected (0.17 sec)

mysql> SHOW MASTER STATUS;
+------------------+----------+--------------+------------------+
| File             | Position | Binlog_Do_DB | Binlog_Ignore_DB |
+------------------+----------+--------------+------------------+
| mysql-bin.000003 |      107 | foodb        |                  |
+------------------+----------+--------------+------------------+
1 row in set (0.00 sec)

Copy the database with mysqldump , mysqlhotcopy , a cold copy, or something else.

Cold Super Copy.
Copy raw data files to the slave MySQL.
If you are using any InnoDB tables, shutdown MySQL

anaxagoras# mysqladmin --defaults-file=/etc/mysql/debian.cnf shutdown 
anaxagoras# rsync -avz -e ssh /var/lib/mysql/ root@democritus:/var/lib/mysql
anaxagoras# scp /etc/mysql/debian.cnf root@democritus:/etc/mysql/

Remove master' s lock.

mysql> UNLOCK TABLES;

Configure the slave MySQL server and start the replication.

democritus# mysql -u root -p"root_passwd"
mysql> CHANGE MASTER TO MASTER_HOST='anaxagoras', MASTER_USER='repuser', MASTER_PASSWORD='repuser_password', MASTER_LOG_FILE='mysql-bin.000003', MASTER_LOG_POS=107;
mysql> START SLAVE;

See the status in the slave MySQL server.

mysql> SHOW SLAVE STATUS\G

mysqlcheck --A MySQL tables maintance program.

Check all tables in all databases.

# mysqlcheck --defaults-file=/etc/mysql/debian.cnf -A

Analyze tables in database foodb.

# mysqlcheck --defaults-file=/etc/mysql/debian.cnf --analyze foodb

Optimize tables in database foodb.

# mysqlcheck --defaults-file=/etc/mysql/debian.cnf -0 foodb

Repair tables in foodb. Make backups of the tables before 'repairing' them.

# mysqlcheck --defaults-file=/etc/mysql/debian.cnf --debug-info --auto-repair foodb

MySQL administration notes

DELETE tun interfaces

A quick note on killing a bug in a previous recipe and deleting protocol 41 tunnel interfaces in linux.

datun is an interface used as one of the edges in a 6in4 tunnel set with

ip tunnel add datun mode sit remote 192.0.2.49 local 198.51.100.50 ttl 64 
ip link set datun up

seen as

# ifconfig datun
datun Link encap:IPv6-in-IPv4

and taken down with

# ip link set datun down

at the 6in4 tunnels to the IPv6 Internet how-to, even in places we needed to delete the tunnel instead of putting it down, causing all kinds of errors and confusion.

To delete a tunnel interface.

ip tunnel del datun

Instead of "restarting" the 6in4 tunnel it may be better to destroy it and set it again.

# ip tunnel del datun
# /etc/network/if-up.d/ipv6-tunnel.sh

delete tun interface

tripwire notes

Yet another tripwire ( as in the open source file integrity checker for Unix Systems ) how-to for debian , like tripwire ... but, hopefully, easier to follow.

Assuming you trust your repositories, your distribution, etc

# apt-get install tripwire

and then click the no, no, and OK buttons.

Ideally, the tripwire binaries and the tripwire database are stored in a read only medium that can be mounted as read-write for updates. I would use an SD card or some other medium that I can set "mechanically" to read-only. Some administrators put the binaries and the DB in an NFS.I think that putting the binaries and the DB in an NFS would increase the attack surface. If you are not in the mood or do not have the resources to take the extra steps to secure further the integrity of the tripwire binaries and the tripwire DB at least save copies of the files and their cryptographically secure checksums in other hosts.

In debian the tripwire binaries are statically linked and located in /usr/sbin and the DB is located in /var/lib/tripwire.

# sha256sum /usr/sbin/tripwire |tee ~/twsums
0e4791bb58dfc4095dba902621b72111d61bf1838d77aff4ae00d3c7432d5739  /usr/sbin/tripwire
# sha256sum /usr/sbin/tw* |tee -a ~/twsums
bc01ac66aa421d2e5324983150bea573b2e2d3ee004293501b0dcc4ce1560898  /usr/sbin/twadmin
e1b097eaf28f3ec54114cba7cc82a1ab4122a9fb82590422d9820711c884e5e9  /usr/sbin/twprint
# sha256sum /usr/sbin/siggen |tee -a ~/twsums 
e5e72b264f9b4fa86aa88e0f893b6031457e30b510f28bcb31ea1296b38566bd  /usr/sbin/siggen

Tripwire uses $HOSTNAME a lot in the configuration and policy files. Make sure that you are happy with hostname, if not change the hostname before continuing the tripwire configuration.

Create a site key.

# cd /etc/tripwire/
# twadmin --generate-keys --site-keyfile site.key
# chmod 400 site.key

The site key is used to secure the integrity of the tripwire configuration files.

Create a local key.

# twadmin --generate-keys --local-keyfile `hostname`-local.key
# chmod 400 *cal.key

The local key is used to protect the integrity of the local tripwire database.

Create and sign tw.cfg --the tripwire configuration file.

# stor twcfg.txt
# vi twcfg.txt 
# twadmin --create-cfgfile --cfgfile tw.cfg --site-keyfile site.key twcfg.txt
Please enter your site passphrase: 
Wrote configuration file: /etc/tripwire/tw.cfg

Create and sign tw.pol --the tripwire policy file.

# stor twpol.txt
# vi twpol.txt
# twadmin --create-polfile --cfgfile tw.cfg --site-keyfile site.key twpol.txt
Please enter your site passphrase: 
Wrote policy file: /etc/tripwire/tw.pol

Make the policy and configuration files readable and writable only by the root user.

# chmod 600 *txt
# chmod 600 *cfg
# chmod 600 *pol

Initialize the tripwire database.

# tripwire --init
Please enter your local passphrase: 
Parsing policy file: /etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
# ...
Wrote database file: /var/lib/tripwire/anaxagoras.twd
The database was successfully generated.

Test that tripwire can send email.

# tripwire --test --email example@example.net

Check integrity and produce report.

# tripwire --check

View report.

# twprint -m r --twrfile /var/lib/tripwire/report/hostname-latest.twr |less

It is highly unlikable that you are using all the files in the "Root config files" rulename in the debian default twpol.txt. Also you may want to adjust the "Devices & Kernel information" rulename since /proc (meaning recursive /proc/*) may be too much to track in normal servers.

Adjust the tripwire policy and initialize a new tripwire database.

# stor twpol.txt
# vi twpol.txt
# twadmin -m P -S site.key twpol.txt 
# tripwire --init

Check for integrity, create a report and OK changes if any.
Once the editor opens look for [x] and delete the x if you are not OK with that change.

# tripwire --check --interactive
Integrity check complete.
Please enter your local passphrase: 
Wrote database file: /var/lib/tripwire/anaxagoras.twd

You may enter an `interactive` mode from a report as well. eg:

# tripwire --update --twrfile /var/lib/tripwire/report/hostname-date-time.twr

and again look for [x] and delete the x if you are not OK with that change.

Email alerts.
To email an alert we need to add an emailto definition to at least one rulename.
So we need to update the tripwire policy. eg:

#
# Critical Libraries
#
(
  rulename = "Root file-system libraries",
  severity = $(SIG_HI),
  emailto = root,
  emailto = systembot@ares.ipduh.rox
)
{
        /lib                    -> $(SEC_BIN) ;
}

If /lib is changed an alert will be sent to root and systembot@ares.ipduh.rox.

Check integrity, produce report and email alerts.

# tripwire --check --email-report

The debian package sets a cronjob that creates reports and emails alerts daily.

#!/bin/sh -e

tripwire=/usr/sbin/tripwire

[ -x $tripwire ] || exit 0

umask 027

$tripwire --check --quiet --email-report

View the tripwire database.

# twprint -m d --print-dbfile |less

View tripwire information for a file eg:/var/test

# twprint -m d --print-dbfile /lib/test

The system used in this how-to.

ii  tripwire                           2.4.2.2-2                     amd64        file and directory integrity checker
# cat /etc/issue /etc/debian_version 
Debian GNU/Linux 7 \n \l

7.6

Links:
The Design and Implementation of Tripwire: A File System Integrity Checker

Tripwire how-to

apache disable SSLv3

Notes on disabling SSLv3 in apache.

Test if SSLv3 is available.

$ openssl s_client -connect ipduh.com:443 -ssl3

In Debian SSLv2 is disabled by default but SSLv3 is available.

# grep SSLProtocol /etc/apache2/mods-available/ssl.conf
SSLProtocol all -SSLv2

To disable SSLv3 add '-SSLv3' in /etc/apache2/mods-available/ssl.conf

# vi /etc/apache2/mods-available/ssl.conf

If you are using SSL Virtual Hosts you may need to add

SSLProtocol All -SSLv2 -SSLv3

in each VirtualHost definition.

Restart Apache

# /etc/init.d/apache2 restart

Test again if SSLv3 is disabled.

$ openssl s_client -connect ipduh.com:443 -ssl3
CONNECTED(00000003)
140330958718632:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1258:SSL alert number 40
140330958718632:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:

apache disable SSLv3

libguestfs notes

Libguestfs basics.

Install.

# apt-get install libguestfs-tools 
# apt-get install guestfish

guestfish

The libguestfs Filesystem Interactive SHell.

An example: explore, read and write to disk image file within the libguestfs VM.

# guestfish --rw -a /home/vm/anaxagoras.qcow2
> run
 100% ⟦▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓⟧ 00:00
> list-filesystems
/dev/vda1: ext4
/dev/vda2: unknown
/dev/vda5: swap
> mount /dev/vda1 /

Add a file to the disk image file system.

> touch /etc/guestfish_play
> edit /etc/guestfish_play
> quit
#

virt-cat

Display files in a virtual machine.

eg:

# virsh list
 Id    Name                           State
----------------------------------------------------
 9     anaxagoras                     running

# virt-cat anaxagoras /etc/issue
Debian GNU/Linux 7 \n \l
# virt-cat anaxagoras /etc/hostname
anaxagoras

guestmount

Mount a guest filesystem on the host using FUSE and libguestfs

Install

# apt-get install guestmount

Mount rw a filesystem contained in a disk image file.

# mkdir /mnt/anax
# guestmount -a /home/vm/anaxagoras.qcow2 -m /dev/vda1 --rw /mnt/anax/

# cat /mnt/anax/etc/guestfish_play
hi
# echo "hi kosme" > /mnt/anax/etc/guestfish_play
# mv /mnt/anax/etc/guestfish_play /mnt/anax/etc/guestmount_play
# umount /mnt/anax

guestmount is and looks traditionally-scriptable. However, guestfish is as or more scriptable. Also, libguestfs has cute C , Perl and Python APIs.

virt-df

List free space on virtual filesystems.

# virt-df anaxagoras
Filesystem                           1K-blocks       Used  Available  Use%
anaxagoras:/dev/sda1                  19751804     840608   17907832    5%

virt-filesystems

List filesystems, partitions, block devices, LVM in a virtual machine or a disk image file.

eg:

# virt-filesystems --long --parts --blkdevs -a /home/vm/anaxagoras.qcow2 -h
Name       Type       MBR  Size  Parent
/dev/sda1  partition  83   19G   /dev/sda
/dev/sda2  partition  05   1.0K  /dev/sda
/dev/sda5  partition  82   880M  /dev/sda
/dev/sda   device     -    20G   -

# virt-filesystems --long -h --all -a anaxagoras.qcow2 
Name       Type        VFS      Label  MBR  Size  Parent
/dev/sda1  filesystem  ext4     -      -    19G   -
/dev/sda2  filesystem  unknown  -      -    1.0K  -
/dev/sda5  filesystem  swap     -      -    880M  -
/dev/sda1  partition   -        -      83   19G   /dev/sda
/dev/sda2  partition   -        -      05   1.0K  /dev/sda
/dev/sda5  partition   -        -      82   880M  /dev/sda
/dev/sda   device      -        -      -    20G   -

virt-list-filesystems

List filesystems in a virtual machine or disk image.

eg:

# virt-list-filesystems anaxagoras.qcow2 
/dev/sda1
# virt-list-filesystems anaxagoras
/dev/sda1

virt-resize

Resize a virtual disk image file.

Eg: Expand the 20GB anaxagoras qcow2 disk image file to a 30GB qcow2 disk image file.

# truncate -r anaxagoras.qcow2 anaxagoras30G.qcow2
# truncate -s +10G anaxagoras30G.qcow2
# virt-resize --expand /dev/sda1 anaxagoras.qcow2 anaxagoras30G.qcow2 
Examining anaxagoras.qcow2 ...
**********

Summary of changes:

/dev/sda1: This partition will be resized from 19.1G to 29.1G.  The 
    filesystem ext4 on /dev/sda1 will be expanded using the 'resize2fs' 
    method.

/dev/sda2: This partition will be left alone.

**********
Setting up initial partition table on anaxagoras30G.qcow2 ...
Copying /dev/sda1 ...
 100% ⟦▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓⟧ 00:00
Copying /dev/sda2 ...
 100% ⟦▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓⟧ 00:00
Expanding /dev/sda1 using the 'resize2fs' method ...

Resize operation completed with no errors.  Before deleting the old 
disk, carefully check that the resized disk boots and works correctly.

Test resized image.

# cd /etc/libvirt/qemu/
# stor anaxagoras.xml
# virsh
virsh # edit anaxagoras
virsh # define anaxagoras.xml
virsh # start anaxagoras
virsh # quit
# ssh anaxagoras
root@anaxagoras:~# df -h
Filesystem                                              Size  Used Avail Use% Mounted on
rootfs                                                   29G  822M   27G   3% /
udev                                                     10M     0   10M   0% /dev
tmpfs                                                   202M  172K  202M   1% /run
/dev/disk/by-uuid/8ca4bd34-120c-45ff-bd0b-86d8de552d10   29G  822M   27G   3% /
tmpfs                                                   5.0M     0  5.0M   0% /run/lock
tmpfs                                                   579M     0  579M   0% /run/shm

More virt-.* tools.

virt-alignment-scan    virt-filesystems       virt-ls                virt-tar-in
virt-cat               virt-format            virt-make-fs           virt-tar-out
virt-clone             virt-host-validate     virt-pki-validate      virt-viewer
virt-convert           virt-image             virt-rescue            virt-win-reg
virt-copy-in           virt-inspector         virt-resize            virt-xml-validate
virt-copy-out          virt-install           virt-sparsify          
virt-df                virt-list-filesystems  virt-sysprep           
virt-edit              virt-list-partitions   virt-tar

The system used.

# cat /etc/debian_version /etc/issue
7.6
Debian GNU/Linux 7 \n \l

libguestfs basics

mount qcow disk image files

Notes on mounting qcow disk image files.
Use this method to mount qcow2 disk image files you trust.

Load the network block device -- nbd -- module with partition support.

# modprobe nbd max_part=8

See - list nbd devices.

# ls /dev/nbd*
/dev/nbd0  /dev/nbd10  /dev/nbd12  /dev/nbd14  /dev/nbd2  /dev/nbd4  /dev/nbd6 /dev/nbd8
/dev/nbd1  /dev/nbd11  /dev/nbd13  /dev/nbd15  /dev/nbd3  /dev/nbd5  /dev/nbd7 /dev/nbd9

Make sure that the qcow2 disk image is not used by a virtual machine.

Connect a qcow2 disk image to the Qemu Disk Block Device Server.

# qemu-nbd -c /dev/nbd0 /home/vm/anaxagoras.qcow2

List nbd0* devices

# ls /dev/nbd0*
/dev/nbd0  /dev/nbd0p1 /dev/nbd0p2  /dev/nbd0p5

Mount partitions.

# mkdir /mnt/imgs
# mount /dev/nbd0p1 /mnt/imgs/

Check mounted partition.

# ls /mnt/imgs/
bin   dev  home        lib    lost+found  mnt  proc  run   selinux  sys  usr  vmlinuz
boot  etc  initrd.img  lib64  media   opt  root  sbin  srv     tmp  var

Unmount and Clean up.

# umount /dev/nbd0p1
# mount |grep nbd
#

Disconnect from the Qemu Disk Block Device Server.

# qemu-nbd -d /dev/nbd0
# ls /dev/nbd0*
/dev/nbd0

Unload nbd.

# modprobe -r nbd

The system used.

# cat /etc/debian_version /etc/issue
7.6
Debian GNU/Linux 7 \n \l

# uname -r
3.2.0-4-amd64

Mount qcow2 files in the host

debian on debian KVM II

An attempt to simplify an older debian on debian KVM how-to.

The system.

# cat /etc/debian_version /etc/issue
7.6
Debian GNU/Linux 7 \n \l

# uname -r
3.2.0-4-amd64
# grep "model\ name" /proc/cpuinfo -m1
model name : Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz
# egrep "vmx|svm" /proc/cpuinfo -c
4

Install qemu-kvm, libvirt-bin and virtinst

# apt-get update
# apt-get install qemu-kvm libvirt-bin virtinst

Create a bridge (containing) to the host's physical interface

Create a debian guest that uses a virtual interface attached to a bridge interface named b0.

# mkdir /home/vm
# virt-install --connect qemu:///system -n anaxagoras -r 2048 -vcpus=1 --disk path=/home/vm/anaxagoras.qcow2,size=20 -c /insigdato/OS.iso/debian-7.6.0-amd64-netinst.iso --vnc --noautoconsole --os-type linux --description anaxagoras --network=bridge:b0 --hvm

To console into the new KVM guest from another host
( assuming you are working on a remote host ).

Find out where the KVM guest VNC console socket is in the KVM host.

# netstat -putan|grep kvm
tcp        0      0 127.0.0.1:5900          0.0.0.0:*               LISTEN      7499/kvm

Set up SSH socket forwarding in another host

$ ssh -lroot -L 5900:localhost:5900 192.0.2.29

where 192.0.2.29 is the KVM_host IP address.

and console into the forwarded socket.

$ vncviewer localhost

5900 is the default port. For ports above 5900 use port_number-5900 to find out the vncviewer `port`.

Install.

I don 't like vnet0, vnet1 etc and prefer better names for the virtual interfaces attached to the bridge b0. To give a more descriptive name to the virtual interface and possibly circumvent a few issues I had in previous versions of virtinst and libvirt.

# virsh
virsh # edit anaxagoras

add

<target dev='anaxagoras'/>

in <interface ... --Naming, the second toughest problem in CS :)

Set the KVM guest to autostart.

virsh # autostart anaxagoras
Domain anaxagoras marked as autostarted

and start it.

virsh # start anaxagoras
Domain anaxagoras started

List running guests.

virsh # list 
 Id    Name                           State
----------------------------------------------------
 2     anaxagoras                     running

virsh # exit

Inspect the ethernet bridge.

# brctl show
bridge name bridge id         STP enabled interfaces
b0          8000.40167e6d6745 yes         anaxagoras
                                          eth0

bridged KVM guest how-to

bridging for kvm

A basic layer 2 bridging how-to for virtualization like KVM in debian.

Many times, in KVM hosts we need to bridge the host's physical network interface with the virtual network interfaces used by the KVM guests.

Install the bridge utilities

# apt-get install bridge-utils

List network interfaces

# ip a|grep ":\ "
1: lo:  mtu 16436 qdisc noqueue state UNKNOWN 
2: eth0:  mtu 1500 qdisc pfifo_fast state UP qlen 1000

Inspect the ethernet bridge(s)

# brctl show
bridge name bridge id  STP enabled interfaces
#

None yet.

Create a bridge instance that you can access from an interface named b0.

# brctl addbr b0

Show bridge

# brctl show
bridge name bridge id  STP enabled interfaces
b0  8000.000000000000 no

You may add the physical interface(s) to the bridge.

# brctl addif b0 eth0

However, do not try it if you are working on a remote host.
See below how to adjust the interfaces file instead.

Delete b0

# brctl delbr b0

Adjust /etc/network/interfaces to create a "persistent" bridge and restart networking.

# vi /etc/network/interfaces
# /etc/init.d/networking restart

An example /etc/network/interfaces file where the host has the IP address 192.0.2.29 /25 and the interface to the bridge is called b0.

auto lo
iface lo inet loopback


auto eth0
iface eth0 inet manual

auto b0
iface b0 inet static
 address 192.0.2.29
 netmask 255.255.255.128
 network 192.0.2.0
 broadcast 192.0.2.127
 gateway 192.0.2.10
 dns-nameservers 192.0.2.4
 dns-search ipduh.rocks
        bridge_ports eth0
        bridge_stp on           #spanning tree 
        bridge_waitport 0       #no delay before a port becomes available
        bridge_fd 0             #no forwarding delay
        bridge_maxwait 0

Inspect bridge.

# brctl show
bridge name bridge id         STP enabled interfaces
b0          8000.40167e6d6745 yes         eth0

List network interfaces.

# ip a|grep ":\ "
1: lo:  mtu 16436 qdisc noqueue state UNKNOWN 
2: eth0:  mtu 1500 qdisc pfifo_fast master b0 state UP qlen 1000
4: b0:  mtu 1500 qdisc noqueue state UP

Add a KVM host (anaxagoras) and inspect the bridge.

# brctl show
bridge name bridge id         STP enabled interfaces
b0          8000.40167e6d6745 yes         anaxagoras
                                          eth0

The system used.

# cat /etc/issue /etc/debian_version 
Debian GNU/Linux 7 \n \l

7.6
# uname -r
3.2.0-4-amd64

L2 bridging for KVM

directadmin mysql open files limit

directadmin mysql open_files_limit notes

The directadmin `root` mysql password is called da_admin and you may find its password at

# ls -l /usr/local/directadmin/conf/mysql.conf
-r-------- 1 diradmin diradmin 30 Nov  5  2013 /usr/local/directadmin/conf/mysql.conf
# cat /usr/local/directadmin/conf/mysql.conf

# mysql -u da_admin -p 
Enter password:

Find out current open files limit

mysql> show variables like 'open%';
+------------------+-------+
| Variable_name    | Value |
+------------------+-------+
| open_files_limit | 1024  |
+------------------+-------+
1 row in set (0.00 sec)

mysql> exit;
Bye

Set limit to 10240

# echo "open_files_limit = 10240" >> /etc/my.cnf

Restart the mysql daemon

# /etc/init.d/mysqld restart

Check new open_files_limit

# mysql -u da_admin -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 7
Server version: 5.5.9 MySQL Community Server (GPL)

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show variables like 'open%';
+------------------+-------+
| Variable_name    | Value |
+------------------+-------+
| open_files_limit | 10240 |
+------------------+-------+
1 row in set (0.00 sec)

mysql> exit
Bye
#

directadmin mysql open_files_limit

Files as storage devices for KVM guests

A note on adding extra raw files for extra storage to KVM guests.

Create the "empty" "image" 1GB file named vm4_xtra.img

# dd if=/dev/zero of=/home/vm/vm4_xtra.img bs=1M count=1024

For larger files you would not want to use dd. Use fallocate instead eg:

# fallocate -l 50G vm4_xtra.img

Backup KVM host configuration

# cd /etc/libvirt/qemu/
# stor vm4.xml 
devz:vm4.xml is at ./stor/vm4.xml.0

Add the new virtual drive to the KVM guest configuration. eg:

 
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw'/>
      <source file='/home/vm/vm4_xtra.img'/>
      <target dev='hda' bus='ide'/>
    <address type='drive' controller='0' bus='1' unit='0'/>
   </disk>

Redefine KVM guest

# virsh
virsh # define /etc/libvirt/qemu/vm4.xml 
Domain vm4 defined from /etc/libvirt/qemu/vm4.xml

Start KVM guest

virsh # start vm4
Domain vm4 started
virsh # quit

Log into the KVM guest and list drives

# fdisk -l

The new virtual HD should be /dev/sdb

Partition /dev/sdb

# fdisk /dev/sdb
Device contains neither a valid DOS partition table, nor Sun, SGI or OSF disklabel
Building a new DOS disklabel with disk identifier 0x54ac0969.
Changes will remain in memory only, until you decide to write them.
After that, of course, the previous content won't be recoverable.

Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)

Command (m for help): n
Partition type:
   p   primary (0 primary, 0 extended, 4 free)
   e   extended
Select (default p): p
Partition number (1-4, default 1): 1
First sector (2048-2097151, default 2048): 
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-2097151, default 2097151): 
Using default value 2097151

Command (m for help): t
Selected partition 1
Hex code (type L to list codes): 83

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.

Format

# mkfs.ext4 /dev/sdb1

Adjust root reserved blocks percentage

# tune2fs -m 0 /dev/sdb1
tune2fs 1.42.5 (29-Jul-2012)
Setting reserved blocks percentage to 0% (0 blocks)

Mount

# mkdir /vm4_xtra
# mount /dev/sdb1 /vm4_xtra/

Adjust fstab

# echo "/dev/sdb1  /vm4_xtra  ext4  defaults  0  2" >> /etc/fstab

The system used

# cat /etc/issue /etc/debian_version
Debian GNU/Linux 6.0 \n \l

6.0.7
# uname -r
2.6.32-5-amd64

adding file storage devices in KVM guests

mongoDB on debian wheezy notes

Notes on setting up MongoDB on Debian Wheezy

The system

# cat /etc/issue /etc/debian_version 
Debian GNU/Linux 7 \n \l

7.9

import the mongodb.org debian repositories key

# apt-key adv --keyserver keyserver.ubuntu.com --recv 7F0CEB10

add the mongodb.org debian wheezy repository to the apt sources

# echo "deb http://repo.mongodb.org/apt/debian wheezy/mongodb-org/3.0 main" > /etc/apt/sources.list.d/mongodb-org-3.0.list

update repositories

# apt-get update

Install the latest release of mongodb-org-shell , mongodb-org-server , mongodb-org-mongos and mongodb-org-tools

# apt-get install mongodb-org

Hold mongodb-org packages

# echo "mongodb-org hold" | dpkg --set-selections
# echo "mongodb-org-server hold" | dpkg --set-selections
# echo "mongodb-org-shell hold" | dpkg --set-selections
# echo "mongodb-org-mongos hold" | dpkg --set-selections
# echo "mongodb-org-tools hold" | dpkg --set-selections
# grep -A 1 "Package: mongodb-org" /var/lib/dpkg/status
Package: mongodb-org-mongos
Status: hold ok installed
--
Package: mongodb-org-tools
Status: hold ok installed
--
Package: mongodb-org-server
Status: hold ok installed
--
Package: mongodb-org-shell
Status: hold ok installed
--
Package: mongodb-org
Status: hold ok installed

Create an Administrator

# mongo
> use admin
> db.createUser(
... {
... user: "admin" ,
... pwd: "passwd" ,
... roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
... }
... )

Enable authentication and change the IP address the mongo server daemon binds to


# egrep -A 1 "bind|security" /etc/mongod.conf 
  #bindIp: 127.0.0.1
  bindIp: 192.168.101.86

--
security:
  authorization: enabled

you may use bindIp: 0.0.0.0 to to bind the MongoDB daemon to all the system IP addresses

restart the mongodb server

# service mongod stop
# service mongod start

# mongo --host 192.168.101.86 --port 27017 -u "admin" -p "passwd" --authenticationDatabase "admin"

Log in from a remote host
You better uninstall the official debian repositories mongo stuff and install mongo-org-shell from mongodb.org. I did not encounter any issues using wheezy repositories on jessie hosts. Many "Error: 18 { code: 18, ok: 0.0, errmsg: "auth fails" } " errors are caused when old mongo clients or driver-libraries are trying to talk to new versions of mongodb servers.

# apt-get remove mongodb mongodb-clients mongodb-dev mongodb-server
# echo "deb http://repo.mongodb.org/apt/debian wheezy/mongodb-org/3.0 main" > /etc/apt/sources.list.d/mongodb-org-3.0.list
# apt-get update
# apt-get install mongodb-org-shell
# echo "mongodb-org-shell hold" | dpkg --set-selections

and finally login from a remote host

$ mongo 192.168.101.86/admin -u admin -p passwd
MongoDB shell version: 3.0.7
connecting to: 192.168.101.86/admin
>

Create a database

use amongodb

Create a user that can read and write on the amongodb

> db.createUser(
        ... { user: "amongouser" ,
        ... pwd: "somepasswd" ,
        ... roles: [ {  role: "readWrite", db: "amongodb" } ]
        ... }
        ... )

and login from a remote host

$ mongo 192.168.101.86/amongodb -u amongouser -p somepasswd

MongoDB on debian notes

addressbooks across thunderbird or icedove profiles or installations

A note on moving addressbooks across thunderbird or icedove profiles or installations ( so I do not need to jabber it :)

If you are trying to recover an icedove or thunderbird address book from backups,
backup and then export to *.LDIF at least one of you default address books
( 'Personal Address Book'(abook.mab) and 'Collected Addresses'(history.mab) )

You will find the abook.mab and history.mab files in ~/.icedove/randomprofilename.default/
or ~/.thunderbird/randomprofilename.default/

If it is a new installation you may skip the step above and just

name the address-book you want to import abook.mab or history.mab,
put the *.mab in an icedove or thunderbird profile
and check it out with

$ icedove --addressbook

you may export it to an *.ldif which can be imported to thunderbird or icedove

if you want to have old and new address-books in one installation you may concatenate old and new *.ldifs and then import them ( hmm, err, I don 't know how it handles duplicates )
... just import *.ldifs as additional address-books

( .mab files are weird -- a classic case of over-complication )

also: http://kb.mozillazine.org/Moving_address_books_between_profiles

Moving address books across icedove or thunderbird profiles or installations

▼ aLog.IPduh

Pages

Search aLog

Box Office

Follow by Email

pop

Pick

SEARCH THE INTERNETZ

Partial Arc