LinuxPizza

Personal notes and occasional posts

There is many reasons why you would like to have local docker registry, and being cool is one of them. This is how you do it on Debian.

Well, lets go!

1 Install the package:

apt install docker-registry

2 Tell the machine where you are going to pull to, that the registry is “unsafe” (non-https):

{
  "insecure-registries":
    [
      "docker.internal:5000",
      "registry.linux.pizza:5000"
    ]
}

3 Create a basic-auth on your registry:

   htpasswd -Bbn dockeruser registrypassword >/etc/docker/registry/.htpasswd

4 Login to the registry from your host:

   docker login -u dockeruser registry.linux.pizza:5000

Dont forget to restart docker!

Have fun!

#docker #dockerregistry #registry #debian #linux

This fall, has been busy for me, and when I am busy I like to experiment and play with stuff – especially IT and nerdy stuff.

This brings me back to the days when I started with Linux, for me it was new, cool and different. Nowadays I feel like it is not so different.

So, being the hipster that I am, I set out to find something new. I've already tried and played with OmniOS a couple of years back and I liked it. And during my quest to get it on a iPXE server – I found out about Tribblix.

Tribblix is a Illumos distribution with a retro feel. And that I liked. The iPXE setup was easy since Peter Tribble – the creator and maintainer of Tribblix – already have an iPXE server up and running. So I just used the already ready target at (http://pkgs.tribblix.org/m24/ipxe.txt) and got it up and running according to the installation instructions provided by Tribblix here: http://www.tribblix.org/install.html

Enter Tor – and the recent news that Russia has decided to block Tor nationwide. I must say that I do understand why they did it from a IT-security perspective – alot of crap is originating from Russia. That is an undisputed fact. However, from a freedom perspective – this is making an already bad situation even worse. So what a perfect opporunity to run a Tor-relay on a SunOS machine! Currently, there is only 5 relays that is running on a Solaris/SunOS based kernel (including one of mine). Lets change that – more diversity in the Tor-network is a good thing.

So, assuming that you have installed Tribblix. Lets pull down the Tribblix overlay called “develop”

zap install develop

This takes a couple of minutes, and what it does is that it download and installs all the nessecary packages you need to build Tor.

We also need LibEvent, since Tor requires it. And the TRIBlibev is like libevent – but not really – we need to manually compile it.

Download the latest stable version from github, and extract it like shown below:

wget https://github.com/libevent/libevent/releases/download/release-2.1.12-stable/libevent-2.1.12-stable.tar.gz
tar -xvf libevent-2.1.12-stable.tar.gz

Lets also pull down the Tor-source code and extract:

wget https://dist.torproject.org/tor-0.4.6.9.tar.gz
tar -xvf tor-0.4.6.9.tar.gz

Great, now you should have everything you need in order to get started.

Navigate to the libevent catalogue you just extracted, and run the following:

./configure --prefix=/tmp/mc --enable-static --disable-shared
gmake
gmake install

This will create a static and temporary copy of LibEvent in the /tmp/mc catalogue. we will use that in the compilation of Tor.

When the compilation of LibEvent is done, nagivate to the Tor-catalogue and run the following:

./configure --with-libevent-dir=/tmp/mc MAKE="gmake"
gmake
gmake install

The proceedure is quite similar to the LibEvent compilation.

When the gmake install procedure is done, you can find the tor-config files in /usr/local/etc/tor/ and the binaries in /usr/local/bin/.

Configure the torrc file according to your needs, read the Tor Projects Post Install Guide and follow the recommendations.

You can now run tor by just typing /usr/local/bin/tor in your terminal – and you now have a relay running.

For now, you can use tmux in order to run it in the background.

Thanks to Peter Tribble, who told me how to get LibEvent into the system.

Took myself ages to figure this out, so I am noting this down for my future self. Just a note – this is not the indented workflow, but rather a “getting started with kubernetes” step.

First, we need to add NFS as a storage class:

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: managed-nfs-storage
provisioner: k8s-sigs.io/nfs-subdir-external-provisioner # or choose another name, must match deployment's env PROVISIONER_NAME'
parameters:
  archiveOnDelete: "false"

Then, we can add the actual storage:

kind: PersistentVolume
apiVersion: v1
metadata:
  name: nfs-persistentvolume
spec:
  capacity:
    storage: 1Gi
  accessModes:
    - ReadWriteMany
  storageClassName: "nfs" # Empty string must be explicitly set otherwise default StorageClass will be set / or custom storageClassName name
  nfs:
    path: "/path/to/share"
    server: "xxx.xxx.xxx.xxx"
    readOnly: false
  claimRef:
    name: nfs-persistentvolumeclaim
    namespace: default
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nfs-persistentvolumeclaim
  namespace: default
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
  storageClassName: "nfs" # Empty string must be explicitly set otherwise default StorageClass will be set / or custom storageClassName name
  volumeName: nfs-persistentvolume

Hope this helps

Bonus – run a Minecraft Bedrock inside K8S using your newly created PVC as storage

apiVersion: apps/v1
kind: Deployment
metadata:
  name: mc-bedrock
  labels:
    app: mc-bedrock
spec:
  replicas: 1
  template:
    metadata:
      name: mc-bedrock
      labels:
        app: mc-bedrock
    spec:
      containers:
        - name: mc-bedrock
          image: itzg/minecraft-bedrock-server
          imagePullPolicy: Always
          resources:
            requests:
              cpu: 500m
              memory: 4Gi
          env:
            - name: EULA
              value: "TRUE"
            - name: GAMEMODE
              value: survival
            - name: DIFFICULTY
              value: normal
            - name: WHITE_LIST
              value: "false"
            - name: ONLINE_MODE
              value: "true"
            - name: ALLOW_CHEATS
              value: "true"
          volumeMounts:
            - mountPath: /data
              name: data
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: nfs-persistentvolumeclaim
  selector:
    matchLabels:
      app: mc-bedrock
---
apiVersion: v1
kind: Service
metadata:
  name: mc-bedrock
  labels:
    app: mc-bedrock
spec:
  selector:
    app: mc-bedrock
  ports:
    - port: 19132
      protocol: UDP
  type: LoadBalancer

Get the IP assigned for the service

kubectl get service mc-bedrock -o jsonpath='{.status.loadBalancer.ingress[0].ip}'

Restart the pods in the deployment

kubectl logs -f deployment/mc-bedrock

In some cases – especielly with older systems – you might not be able to run your VM with a SCSI-drive since the drivers is missing from the system.

This was the case for me when I wanted to move a older VM (Debian 5) into Nutanix AHV from ESXi.

In order to mitigate this, you have to change the bus-type of the drive from SCSI to IDE or PCI:

Login to you CVM via SSH, and execute the following

acli vm.get NameOfTheVM

You will see some output similar to the following:

NameOfTheVM {
  can_clear_removed_from_host_uuid: True
  config {
    affinity {
...

  host_uuid: "d17a25a0-6a8a-4b30-993d-323f824eb383"
  logical_timestamp: 83
  state: "kOn"
  uuid: "5ea5288b-d3fb-40d9-83ce-9356db75129b"

Look for disk list and vmdisk_uuid: similar to the following:

    disk_list {
      addr {
        bus: "scsi"
        index: 0
      }
      container_id: 1416
      container_uuid: "f20a220c-f237-43eb-9465-200f17a3306e"
      device_uuid: "53d01e6b-43bf-41dd-a8c5-c82cd3f673cb"
      naa_id: "naa.6506b8d135b478f0803c4c2944a37187"
      source_nfs_path: "/ntnx01-container01/xtract-vm//349a1ace-f328-40df-867e-6                                                                c7f0d46ac7f/500a3a5a-741b-6de2-7ca3-4927a3c621e1/2000_NameOfTheVM.vmdk"
      vmdisk_size: 107374182400
      vmdisk_uuid: "315bb83c-7629-401a-a522-b350a3387dca"
    }

The procedure here is simple, we will just create a new disk as a clone of an existing disk, using the vmdisk_uuid:

acli vm.disk_create NameOFTheVM clone_from_vmdisk=01f68633-06ab-4fe7-b819-90fec3e8d08a bus=pci

This create and attaches a disk to the VM NameOfTheVM, change the UUID to the one you have. To create a disk with the bus ide, change pci to ide.

Done!

First, list the users that you have in your system:

sasldblistusers2
selea@mailserver.linux.pizza: userPassword
pizza@localhost: userPassword

Next, change the password of the specific user you want to change:

saslpasswd2 pizza@localhost                                            
Password:
Again (for verification):

That's it!

If you want to create a new user

saslpasswd2 -c -u domain.tld smtprelay

You can also test a SASL-user with the following:

testsaslauthd -u smtprelay -r domain.tld -p PASSWORD

Luckily, this is quite easy – for now.

Just add the “Permissions-Policy: interest-cohort=()” header in your webserver. This can be done as following:

In Apache (including .htaccess):

   Header always set Permissions-Policy: interest-cohort=()

In Nginx

   add_header Permissions-Policy: interest-cohort=()

That's it!

Edit: In January 2022, Google announced that they would abandon FLOC

I am a fan of jalapeños and chilies in general, and this year I had some luck with the weather so my only jalapeñoplant did pretty well. So today, where are going to pickle the jalapeños.

freshly picked jalapenos

What you will need

  • Garlic (couple of smashed cloves or powder is fine)
  • 0.45 dl Sugar
  • 15 ml Salt
  • 3dl White Vinegar
  • 3dl Water
  • ~400grams of fresh Jalapeños (or other chilies)

The procedure

I decided to slice the jalapeños together with three quite big cloves of garlic: Sliced Jalapeños

Then, mix water, vinegar, salt and sugar into a pot. Let the sugar and salt dissolve and wait until the mix starts to boil a little.

a soon boiling pot

Then, just add the jalapeños and garlic. Let it putter for 5 minutes. Jalapeños and garlic in a pot

Lastly, put it into your glass-container of choice! Jalapeños and garlic in a container

This should last a couple of month, and serves well with taco, pizza or if you are like me – on EVERYTHING!

Done and easy! Everyone can do this, and it works with almost anything. I also did this with unriped tomatoes, and it tasted very good too! Tomatoes, unriped

Modsecurity is an open-source Web Application Firewall for the modern webserver such as Apache and Nginx. In this short guide we are going to install Modsecurity for Apache on Debian 10, enable it and add additional rules.

Installation of the Modsecurity module

The installation is very simple:

root@debian:~# apt install libapache2-mod-security2 -y

Great, now we just have to activate the module. It is currently running in “Detection Mode” which means that is will only log attempts and not perform any blocking. This can be useful for testing.

cd /etc/modsecurity/
mv modsecurity.conf-recommended modsecurity.conf
sed -i -e s/"SecRuleEngine DetectionOnly"/"SecRuleEngine On"/g modsecurity.conf

That's about it! If you want to run mod_security2 with the recommended ruleset including the ones from OWASP top 10 – you are now done! You only need to restart apache:

systemctl apache2 restart

Done! Simple and easy!

Copy the sshd_config file to a separate file:

cp /etc/ssh/sshd_config /etc/ssh/sshd_vhost_config

Append the following to the file:

AllowTCPForwarding no
ChrootDirectory /path/to catalogue
ForceCommand internal-sftp

Match User user1
  ChrootDirectory /path/to catalogue/user1

Match User user2
  ChrootDirectory /path/to catalogue/user2
USER # ssh

Also, you can have to change the port because we will run the SFTP-server separately from the SSH service. So edit the following line:

Port 2222

Create a systemD service in /etc/systemd/system/sshvirtual.system

[Unit]
Description=OpenBSD Secure Shell server for lue
After=network.target auditd.service
ConditionPathExists=!/etc/ssh/sshd_not_to_be_run  

[Service]
ExecStartPre=/usr/sbin/sshd -f /etc/ssh/sshd_vhost_config -t
ExecStart=/usr/sbin/sshd -D -f /etc/ssh/sshd_vhost_config
ExecReload=/usr/sbin/sshd -f /etc/ssh/sshd_vhost_config -t
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure 

[Install]
WantedBy=multi-user.target
Alias=sftp-sshd.service

You would also like to have it start when the system starts:

systemctl daemon-reload; systemctl enable sshvirtual; systemctl start sshvirtual

And now, you are able to connect to the SSH server on port 2222.

And the possible future it has

The TL;RD of this post is: – Linux.Pizza will not actively deploy new services – Linux.Pizza are going to discontinue some services within 12 month (from this post have been made) – Linux.Pizza will focus on Mastodon, Mirroring distros and DNS.

You might wonder why, if so – please continue to read.

The short version is – I have realized that I am not able to deliver quality services anymore. And this is due to lack of time, funding and increased stress at my main job.

And the longer version: One year ago, I was “forced” to change job in order to make things work with my family – kids started school and wife returned to studies. I could'nt work 40 minutes from home anymore and needed something more closer to home.

So I switched, even if I hated the fact that I had to.

Anyway, the new job is great! And as the only Systems Administrator I am responsible for everything IT and I have alot of freedom when it comes to the software stack the company will use and so on. I recently deployed Nextcloud and Matrix which has been great!

Family takes more time

My kids are getting bigger, and I have decided to spend more time with them instead of in front of the PC. I have actually realized that I can't miss the time that I have with my family, so I have to prioritize while I can.

Work takes alot of time aswell

My new role and the new job that I got has brought a lot of “unwanted” responsibilities – I tend to take stuff way to personal when it comes to IT stuff where I work. If something goes wrong – I blame myself very much. And that needs to stop aswell.

Linux.Pizza is not going to dissappear

While Linux.Pizza is down-scaling – it will not dissappear! The social aspect of mastodon has been very good and important for me atleast – I see it as a “premium social network”. It costs some money every month but I think it is worth it actually since I have gotten to know many good people from different cultures, geographic locations, religions and political backgrounds and that has been very refreshing!

mirror.linux.pizza is also going to be a thing – it is a official mirror for many distros and shutting down that would be very irresponsible.

FreeDNS is also going to stay active aswell.

So in short – Linux.Pizza will offer some service, but only those that I want and I will not wake up in the middle of the night anymore to fix broken services as I have used to the past years.

“It it ain't fun – don't do it!” – Someone on Mastodon

I hope that you understand, and if you are in need of other services similar to those Linux.Pizza has offered – please check out The Librehosters Network.