The notes here will primarily be technology projects I am working on or occasionally a photography outing. If the information is on Google on the first page, I probably won’t have it here. If the information took half a dozen sites and a weekend to implement, I will memorialize it here so we can both find it.
You can view some of my photography at www.capturinglife.org.
The portrait workshop was a great success. We had 20 people with a mix of photographers and models and got some great photos. You can see pictures at http://www.mckinnisphotography.com/p101656003
If you missed this free opportunity to play with studio lighting and portrait, I encourage you to sign up for the mailing list so you can find out when we have another photo opportunity! http://www.zoegames.com/lists/?p=subscribe&id=2
We lost power while we were out on Thursday and did not get power again until about noon on Saturday. The spare box I built the router in was not setup in bios to power on after a power outage and the xen box (owl) did not come back up.
The biggest problem on owl was a combination of selinux and a xen bug, so I upgraded the kernel and moved the virtual machines to /var/lib/xen/images where selinux thinks they should exist. I did create a soft link to /xen so the configs would work. On an up note, the VMs now start on boot correctly which had been a problem.
My brother was caring for our dog while we traveled last week. Oreo was on a chain with a clasp and someone stole her while my parents were out and my brother was sleeping. Now I have two crying girls - my wife and daughter - and my 2 year old son doesn’t understand that she is gone and not coming back.
If you care to read the extended version of my upgrade and relinking it is in the “More…”
Read the rest of this entry »
I found a good document at http://kristof.vanhertum.be/?p=3 and used it as a base for building up my Linux Router. I bought a CompactFlash to IDE adapter several years ago from http://cfd.linnix.com and a 4 port 10/100 network interface on ebay.
Build the distribution
I will walk through the steps I used, and they do deviate from the original author on some points. Because of the limited write cycles on flash memory, it is important to limit paging, journaling and files that are constantly updated. I used a Debian virtual machine that I had handy to build up the filesystem.
mkdir /cf
apt-get install debootstrap
debootstrap –arch i386 etch /cf http://ftp.debian.org
Now that the base OS is present we can chroot.
mount -t proc none /cf/proc
mount –bind /dev /cf/dev
LC_ALL=C chroot /cf /bin/bash
I’m not sure what the LC_ALL=… is for because you can “chroot /cf” and it will work too. I needed a kernel, bootloader, udev and ssh. I chose dropbear for ssh because it is a little more compact.
apt-get install dropbear linux-kernel grub udev
Since this will be my gateway router I chose to put a few network utilities on it so they would be available to track, and provide additional functionality.
apt-get install dhcpd ntop iptraf ngrep tshark dnsmasq screen less dnsutils ethtool
Now it is clean-up time. mtab gets written to frequently, and the proc filesystem reports the same information. resolve.conf needs to be writeable and our filesystem will be read-only most of the time so we will move it and create a link.
rm /etc/mtab
ln -s /proc/mounts /etc/mtab
mv /etc/resolv.conf /var/log/
ln -s /var/log/resolv.conf /etc/
We need to create some config files. From the link at the top, with a modification to fstab to use labels instead.
|
|
|
touch /var/log/resolv.conf |
A lot of the more active directories for writes are created in a ram disk. This will prevent errors.
Kristof suggests a couple of aliases to make changing read-only to read-write and back easier. Edit /root/.bashrc and at the end add:
alias ro=”/sbin/cleanup all;mount -o remount,ro /”
alias rw=”mount -o remountrw /”
The cleanup file is available on the link at the top of this post. It removes man pages, doc files and cleans up Debian cached packages so your filesystem will stay compact. I’ve quoted it below.
#!/bin/bash
function doc() {
echo "Removing documentation ..."
find / -type d -regex '.*\(/doc/\|/info/\).*' -exec rm -r {} \; 2>/dev/null
}
function man() {
echo "Removing man pages ..."
find / -type d -regex '.*\(/man/\).*' -exec rm -r {} \; 2>/dev/null
}
function deb() {
echo "Removing Debian packages and cleaning apt-cache ..."
find / -type f -regex '.*\(\.deb$\).*' -exec rm -r {} \; 2>/dev/null
rm /var/cache/apt/*.bin
rm /var/lib/apt/lists/*dists*
}
if [ $# -ne 1 ]; then
echo "Usage: $0 doc|man|deb|all"
exit 1
fi
if [ $1 == "all" ]; then
echo "remove all"
doc
man
deb
else
eval \$1
fi
When you have finished building the installation, exit the chroot (type “exit” and hit enter). Unmount the dev and proc in /cf and this is a good time to tar a backup copy. Then use fdisk to remove existing partitions and make a single partition (default is type “Linux” which is correct).
umount /cf/dev
umount /cf/proc
tar czvf ~/cf.tar.gz /cf
fdisk /dev/sda
(d for delete, n for new, primary partition 1)
mkdir /mnt/cf
mount /dev/sda1 /mnt/cf
cp -aR /cf/* /mnt/cf
mount -t proc none /cf/proc
mount –bind /dev /cf/dev
After you have finished copying, cd /mnt/cf and create a chroot. Then we will install grub on the MBR and configure the bootloader.
cd /mnt/cf
chroot ./
grub-install /dev/sda
update-grub
When it offers, create a new config file. Because we are using labels instead of dev nodes, we will edit /boot/grub/menu.lst
Make sure that hdd(0,0) and not 1,0. Find the kernel lines and locate the section (your device name may vary):
root=/dev/sda1
Change it to:
root=LABEL=/root
You should now be able to boot to the new flash memory OS.
A little more configuration
# vi /etc/hostname router
# vi /etc/resolv.conf nameserver 192.168.0.36
# vi /etc/network/interfaces
auto lo eth0 eth1 eth2 eth3
#allow-hotplug eth0
#iface eth0 inet dhcp
iface lo inet loopback
# outside
iface eth0 inet static
address 151.x.y.z
netmask 255.255.255.252
gateway 151.x.y.z
# dns-search somedomain.org
dns-nameservers 192.168.0.36
# dmz
iface eth1 inet static
address 64.x.y.z
netmask 255.255.255.0
# inside (lan)
iface eth2 inet static
address 192.168.0.1
netmask 255.255.255.0
I used firewall builder from fwbuilder.org to build an iptables script. With my complex internal network it was fairly easy to create objects for each network segment and host, then build rules to allow limited network access in and out. I put the script in /etc/firewall/router.fw, used chmod to make it 500 (executable, read-only for root) and then added it to rc.local. I have the default behavior setup to not forward packets so until the firewall is active there is limited exposure - incoming ssh from the outside for a period of 30 seconds on a reboot.
resolv.conf is not persistent. I will revisit this later if it starts to matter. There would be negative effects on dnsmasq I believe, but I’m not using it at this time. It is also required for apt-get to work. As a side note, once cleanup runs you will need to run “apt-get update” again to download the package database.
Ringing in my ears?! Turn off the bell!
I had to turn off the bell before it drove me nuts. I used the blacklist method, but here are several that all work.
xset -b
in ~/.bashrc
Most easier is to set in ~/.inputrc
set bell-style none
sudo modprobe -r pcspkr
vi /etc/modprobe.d/blacklist
blacklist pcspkr
This article details how to setup a free standing OpenFiler SAN that will authenticate from the built-in LDAP server. This is a great approach if you only need file storage with no network authentication. While you could authenticate other systems from the LDAP in OpenFiler, I would advise you to look at the OpenFiler project - 2 servers article.
OpenFiler Server
OpenFiler 2.2
2G system
2G data raid 5 member
2G data raid 5 member
2G data raid 5 member
256M
This article details how to setup a free standing LDAP server for authentication, and setup an OpenFiler SAN that will authenticate from the LDAP server.
LDAP Server
CentOS 5.1
2G hdd
256M RAM
OpenFiler Server
OpenFiler 2.2
2G system
2G data raid 5 member
2G data raid 5 member
2G data raid 5 member
256M
I am setting up an http proxy.
# cd /xen # mkdir www1 # cd www1/ # tar xjvf ../debian-4.0-20070801.tar.bz2 debian-4.0.img debian-4.0.xen3.cfg debian.swap # mv debian-4.0.xen3.cfg proxy.cfg # dd if=/dev/zero of=debian.swap bs=1M count=256 #dd if=/dev/urandom bs=1 count=3 2>/dev/null | od -tx1 | head -1 | cut -d' ' -f2- | tr -d ' ' | tr '[a-f]' '[A-F]' 7E0E41 # vi proxy.cfg kernel = "/boot/vmlinuz-2.6-xenU" memory = 128 name = "proxy" vif = [ 'bridge=xenbr0,mac=00:16:3e:7E:0E:41' ] dhcp = "dhcp" disk = ['file:/xen/debian/debian-4.0.img,sda1,w' , 'file:/xen/debian/debian.swap,sda2,w' ] root = "/dev/sda1 ro" ramdisk = "/boot/initrd-2.6-xenU.img" # xm create -c ./proxy.cfg ... DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 5 receive_packet failed on eth0: Network is down DHCPOFFER from 192.168.0.36 DHCPREQUEST on eth0 to 255.255.255.255 port 67 DHCPACK from 192.168.0.36 bound to 192.168.0.215 -- renewal in 300 seconds. done. ... # ssh 192.168.0.215 Password: password # vi /etc/hostname proxy # passwd Enter new UNIX password: Retype new UNIX password: passwd: password updated successfully # apt-get update ... # vi /etc/network/interfaces auto eth0 iface eth0 inet static address 192.168.0.52 netmask 255.255.255.0 gateway 192.168.0.1 auto lo iface lo inet loopback # /etc/init.d/networking restart ...lost network connection... # ssh 192.168.0.52 # apt-get install squid3 # apt-get dist-upgrade
I will continue the configuration tomorrow. It will only allow local connections (192.168.0.x).
nano /etc/squid3/squid.conf
I searched for acl all to find the area and added two acls.
acl privnat src 192.168.0.0/255.255.255.0
acl dmz src 10.0.0.192/255.255.255.224I searched a couple of times for “http_access all” and following the INSERT line, added my new rules:
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
http_access allow privnat
http_access allow dmzSave and close the file, then restart squid.
/etc/init.d/squid3 restartA couple of weeks ago I went and took a test for Mensa membership. It was mostly a whim inspired by someone at work that is a member and a discussion with some co-workers.
I have not failed a test in about 15 years, when I first sat for the Amateur Radio technician level test. Working with computers and IT, certification tests are common and even the Red Hat Certified Engineer exam was challenging but I completed it and knew that I had done well. When I left from the Mensa exam, I had not completed anything and had no gauge of how well I did.
I received an offer to join Mensa last Friday, so it looks like I did well enough. There are a number of Special Interest Groups including Amateur Radio and Photography and I was surprised to find no Linux or Open Source Software SIGs. I’m just a regular guy whose would like to meet folks and have interesting conversations. The local members I have met are not pretentious at all and have been altogether enjoyable to visit with.
There are great audio podcasts that instruct the Technician and General material, and coming this summer, Extra! I already have tech level and the general is about 6 hours of audio. Don’t have a license? Start with tech class. They have CDs available in addition to the free MP3s
I setup some user permission controls on irked…
First, I created a separate home and tmp so I could setup quotas:
lvcreate -L1G -n irked-home VolGroup00
lvcreate -L512M -n irked-tmp VolGroup00
mkfs -t ext3 /dev/VolGroup00/irked-home
mkfs -t ext3 /dev/VolGroup00/irked-tmpUpdated the irked config:
, 'phy:VolGroup00/irked-home,sda5,w'
, 'phy:VolGroup00/irked-tmp,sda6,w'I used the flip script to rotate the filesystem to the new partitions.
Added the new filesystems to /etc/fstab
/dev/sda5 /home ext3 usrquota 0 0
/dev/sda6 /tmp ext3 usrquota 0 0Remounted to get the usrquota option
mount -o remount /home
mount -o remount /tmpTouched the quota files and installed the quota packages
touch /home/aquota.user
touch /tmp/aquota.user
apt-get install quota quotatool# edquota charles
Filesystem blocks soft hard inodes soft hard
/dev/sda5 160 40000 50000 10 0 0
/dev/sda6 0 20000 25000 0 0 0USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
charles 2031 0.0 2.5 7712 1688 ? S 13:47 0:00 sshd: charles@pts/2,pts/3
charles 2032 0.0 2.6 3216 1760 pts/2 Ss 13:47 0:00 -sh
charles 2033 0.0 2.6 3212 1752 pts/3 Ss+ 13:48 0:00 -sh
charles 2054 0.0 1.8 2288 1224 pts/2 S+ 13:49 0:00 nano testThat is an RSS of 6424. RSS is resident memory or something close to that.
Added users to the users group so the limits.conf will apply. The group restrictions in /etc/security/limits.conf apply if you are a member of a group even if it is not your primary group.
@users soft maxlogins 1
@users hard maxlogins 2
@users soft nproc 3
@users hard nproc 4
@users soft rss 8000
@users hard rss 10000apt-get install libpam-umask
# nano /etc/pam.d/common-session
session optional pam_umask.so umask=077
session required pam_unix.soSetting libpam-umask did not work so I changed /etc/skel/.bash_profile, root and my user to umask=077 just for good measure.