# LinuxPizza

Personal notes and occasional posts

## Creating a PV and PVC on NFS for K8s

Took myself ages to figure this out, so I am noting this down for my future self.

#### First, we need to add NFS as a storage class:

apiVersion: storage.k8s.io/v1
kind: StorageClass
name: managed-nfs-storage
provisioner: k8s-sigs.io/nfs-subdir-external-provisioner # or choose another name, must match deployment's env PROVISIONER_NAME'
parameters:
archiveOnDelete: "false"


#### Then, we can add the actual storage:

kind: PersistentVolume
apiVersion: v1
name: nfs-persistentvolume
spec:
capacity:
storage: 1Gi
accessModes:
storageClassName: "nfs" # Empty string must be explicitly set otherwise default StorageClass will be set / or custom storageClassName name
nfs:
path: "/path/to/share"
server: "xxx.xxx.xxx.xxx"
claimRef:
name: nfs-persistentvolumeclaim
namespace: default
---
apiVersion: v1
kind: PersistentVolumeClaim
name: nfs-persistentvolumeclaim
namespace: default
spec:
accessModes:
resources:
requests:
storage: 1Gi
storageClassName: "nfs" # Empty string must be explicitly set otherwise default StorageClass will be set / or custom storageClassName name
volumeName: nfs-persistentvolume



Hope this helps

## Bonus – run a Minecraft Bedrock inside K8S using your newly created PVC as storage

apiVersion: apps/v1
kind: Deployment
name: mc-bedrock
labels:
app: mc-bedrock
spec:
replicas: 1
template:
name: mc-bedrock
labels:
app: mc-bedrock
spec:
containers:
- name: mc-bedrock
image: itzg/minecraft-bedrock-server
imagePullPolicy: Always
resources:
requests:
cpu: 500m
memory: 4Gi
env:
- name: EULA
value: "TRUE"
- name: GAMEMODE
value: survival
- name: DIFFICULTY
value: normal
- name: WHITE_LIST
value: "false"
- name: ONLINE_MODE
value: "true"
- name: ALLOW_CHEATS
value: "true"
volumeMounts:
- mountPath: /data
name: data
volumes:
- name: data
persistentVolumeClaim:
claimName: nfs-persistentvolumeclaim
selector:
matchLabels:
app: mc-bedrock
---
apiVersion: v1
kind: Service
name: mc-bedrock
labels:
app: mc-bedrock
spec:
selector:
app: mc-bedrock
ports:
- port: 19132
protocol: UDP


#### Get the IP assigned for the service

kubectl get service mc-bedrock -o jsonpath='{.status.loadBalancer.ingress[0].ip}'


#### Restart the pods in the deployment

kubectl logs -f deployment/mc-bedrock


## Changing bus-type on a Nutanix AHV Virtual Machine

In some cases – especielly with older systems – you might not be able to run your VM with a SCSI-drive since the drivers is missing from the system.

This was the case for me when I wanted to move a older VM (Debian 5) into Nutanix AHV from ESXi.

In order to mitigate this, you have to change the bus-type of the drive from SCSI to IDE or PCI:

Login to you CVM via SSH, and execute the following

acli vm.get NameOfTheVM


You will see some output similar to the following:

NameOfTheVM {
can_clear_removed_from_host_uuid: True
config {
affinity {
...

host_uuid: "d17a25a0-6a8a-4b30-993d-323f824eb383"
logical_timestamp: 83
state: "kOn"
uuid: "5ea5288b-d3fb-40d9-83ce-9356db75129b"


Look for disk list and vmdisk_uuid: similar to the following:

    disk_list {
bus: "scsi"
index: 0
}
container_id: 1416
container_uuid: "f20a220c-f237-43eb-9465-200f17a3306e"
device_uuid: "53d01e6b-43bf-41dd-a8c5-c82cd3f673cb"
naa_id: "naa.6506b8d135b478f0803c4c2944a37187"
source_nfs_path: "/ntnx01-container01/xtract-vm//349a1ace-f328-40df-867e-6                                                                c7f0d46ac7f/500a3a5a-741b-6de2-7ca3-4927a3c621e1/2000_NameOfTheVM.vmdk"
vmdisk_size: 107374182400
vmdisk_uuid: "315bb83c-7629-401a-a522-b350a3387dca"
}


The procedure here is simple, we will just create a new disk as a clone of an existing disk, using the vmdisk_uuid:

acli vm.disk_create NameOFTheVM clone_from_vmdisk=01f68633-06ab-4fe7-b819-90fec3e8d08a bus=pci


This create and attaches a disk to the VM NameOfTheVM, change the UUID to the one you have. To create a disk with the bus ide, change pci to ide.

Done!

## Change password of an existing SASL user

First, list the users that you have in your system:

sasldblistusers2


Next, change the password of the specific user you want to change:

saslpasswd2 pizza@localhost
Again (for verification):


That's it!

#### If you want to create a new user

saslpasswd2 -c -u domain.tld smtprelay


You can also test a SASL-user with the following:

testsaslauthd -u smtprelay -r domain.tld -p PASSWORD


## Opting out of Google's New tracking Method – FLoC

Luckily, this is quite easy – for now.

In Apache (including .htaccess):

   Header always set Permissions-Policy: interest-cohort=()


In Nginx

   add_header Permissions-Policy: interest-cohort=()


That's it!

## Pickled Jalapenos

### What you will need

• Garlic (couple of smashed cloves or powder is fine)
• 0.45 dl Sugar
• 15 ml Salt
• 3dl White Vinegar
• 3dl Water
• ~400grams of fresh Jalapeños (or other chilies)

### The procedure

I decided to slice the jalapeños together with three quite big cloves of garlic:

Then, mix water, vinegar, salt and sugar into a pot. Let the sugar and salt dissolve and wait until the mix starts to boil a little.

Then, just add the jalapeños and garlic. Let it putter for 5 minutes.

Lastly, put it into your glass-container of choice!

This should last a couple of month, and serves well with taco, pizza or if you are like me – on EVERYTHING!

Done and easy! Everyone can do this, and it works with almost anything. I also did this with unriped tomatoes, and it tasted very good too!

## Enable mod-security2 on your Apache webserver

### Installation of the Modsecurity module

The installation is very simple:

root@debian:~# apt install libapache2-mod-security2 -y


Great, now we just have to activate the module. It is currently running in “Detection Mode” which means that is will only log attempts and not perform any blocking. This can be useful for testing.

cd /etc/modsecurity/
mv modsecurity.conf-recommended modsecurity.conf
sed -i -e s/"SecRuleEngine DetectionOnly"/"SecRuleEngine On"/g modsecurity.conf


That's about it! If you want to run mod_security2 with the recommended ruleset including the ones from OWASP top 10 – you are now done! You only need to restart apache:

systemctl apache2 restart


Done! Simple and easy!

## SFTP and multiple users

Copy the sshd_config file to a separate file:

cp /etc/ssh/sshd_config /etc/ssh/sshd_vhost_config


Append the following to the file:

AllowTCPForwarding no
ChrootDirectory /path/to catalogue
ForceCommand internal-sftp

Match User user1
ChrootDirectory /path/to catalogue/user1

Match User user2
ChrootDirectory /path/to catalogue/user2
USER # ssh


Also, you can have to change the port because we will run the SFTP-server separately from the SSH service. So edit the following line:

Port 2222


Create a systemD service in /etc/systemd/system/sshvirtual.system

[Unit]
Description=OpenBSD Secure Shell server for lue
After=network.target auditd.service
ConditionPathExists=!/etc/ssh/sshd_not_to_be_run

[Service]
ExecStartPre=/usr/sbin/sshd -f /etc/ssh/sshd_vhost_config -t
ExecStart=/usr/sbin/sshd -D -f /etc/ssh/sshd_vhost_config

## Day 2, Bye Manjaro – Hi Debian

I am not a fan of Manjaro, and trust me – I have really tried to like it! My personal feeling is that Manjaro is messy – but that is probably because I do not like Arch Linux at all. Anyway, I was thinking about switching over to Debian instead since I am more used to it and the image has come a long way since the first version. I flashed a MicroSD card with this Debian image, booted it and downloaded this scripts that installs Debian for you on the eMMC card. The installation took 15-20 minutes for me since I am blessed with a fast and stable internet connection. I did have trouble getting into the Desktop Environment on Bullseye (Testing), so I installed Debian Buster instead and that seems to have solved it. And I am want to use it as a daily driver so a stable system is not wrong :)

## Day 3, why the (“%¤ does it take a day to charge the Pinebook?

One thing that has started to bother me, is the battery take several hours to fully charge from zero. I have given that alot of thoughts and I think the reason is that I have become used to fast-charging that exist in most modern smartphones today. The VERY BIG PLUS, is that you can charge it several way's. You can use the official ROCKPRO PSU (the one that is stuck in my outlet), you can use a USB to “power” adapter, and you can also charge it with USB-C. The latter one is a HUGE advantage and one of the biggest “cool factor” in the Pinebook. That means that I can charge the Pinebook on the go. With an ordinary Powerbank, in my car or at someone elses house even if I forgot my own PSU.

# What do I like/dislike?

### The keyboard

After a few days of typing on the machine, I have come to like the keyboard of it. It does not feel bad at all. Since it is a ISO keyboard with a physical UK layout, I can use it with a Swedish layout in Debian. Luckily, I am very used to typing so I am not noticing that the physical layout is different since I dont look at the keyboard when I type. Writing this blogpost feels great too!

I started to watch a movie on the Pinebook with my headphones that I just plugged into the headphone jack, and suddenly all my kids came up to me and wondered what I was looking at so I took my headphones of and realized that the sounds was playing on the speakers and my headphone at the same time. I do realize that this is probably something that Debian Buster has issues with. I connected my Bluetooth headset instead and could watch in peace.

### Charging takes many hours

I wrote about that earlier, but it is worth mentioning here too. Charging the PineBook Pro does take a very long time. I have tested the charger that arrives with the machine and other supposedly “stronger” USB-chargers aswell. I think that the reason is that I have gotten used to Fast-Charging my phone and the ability to wait is something that we have lost the last few years. Anyway, the battery last 7-9 hours with normal use on Debian Buster with maximum screen brightness and “tilda” running in fullscreen with tmux with a couple of ssh-sessions – perfectly fine! Remember that you can charge it practically anywhere with almost any USB-charger whether it is a wall-plugged one, solar-driven or other powerbanks. That fact makes this machine very portable and flexible. Perfect for the trip!

# Closing words

I can compress my experience to this sentence: The more I use the PineBook Pro – The more I realize that THIS is the laptop I always wanted!

Wow, that's is pretty big words! I will try to explain why. First of all – The Pinebook Pro is the result of the hard work of the team over at Pine64. The machine have been made “as a community service” to provide a cheap, hackable and fun laptop to hackers, advanced users and pioneers on the AARCH64 platform. I really get the feeling that there is no greed for revenue unlike other companies – that is worth supporting!

The machine is not made for with planned obsolesce – the scary and sad trend that is going on with Tech-companies nowadays. You can buy every single part of this machine from the Pine64 shop so you can repair it if you need to.

The community is great! I have been hanging out in the Pinebook Pro chat on Matrix and the folks over there is very helpful and exited over the product that Pine64 has released.

Atlast, I think most of the Pinebook Pro users would love to use Manjaro ARM that is by default shipped with the machine. Manjaro has done a great job on increasing performance and stability of the builds and it does not seems to stop! I will cover more aspects of the Pinebook Pro in the future, like Multimedia performance such as video-playback, simple gaming, USB-C docking capabilites and Installation of the M2 drive.

## Deploy TLSA records (DANE) on your email-server with Let's Encrypt

### TLSA records – or more commonly known as DANE(DNS-based Authentication of Named Entities) is a protocol that is being used to “bind” TLS-certificates to a server. It is most used on email-servers to secure communication between different servers. The reason that DANE exist is to provide an additional layer of security and trust between server and client.

#### In this guide, I will walk your thru the following steps:

• How to check if a SMTP-server uses DANE
• How to configure postfix to start use DANE-verification on outgoing and incoming emails.
• Generation of TLSA-records
• DANE + Let's Encrypt – A Walkaround

Currently, DANE is not something that is widely deployed by big organisations and companies world wide. Instead, smaller companies, organisations and individuals with more flexibility in their IT-infrastructure has been able to contribute to SMTP-security. The only really big company that has announced their plans for a DANE-implementation is Microsoft – they announced their plans for DANE in april 2020 and hope the implementation to be finished in 2021. DANE does also require that the domain is DNSSEC signed for it to work, there is some mail-servers that can do DANE-verification without DNSSEC (like postfix), but I am not going to cover that part today.

But you are not here in order to wait for it to happend! Let's get started!

## Does this server have a TLSA-record deployed?

First, does your email-server have TLSA-record deployed already? We can test it the simple way, with tools that already exist online, like this from sys4 and the one from Simon Huque.

Or, if you are as me – we will do the checks from the terminal with the tools our system provides.

Enter “dig”, a command that can be found in the package “dnsutils” on debian-based systems (“bind-utils” on RHEL based ones). So let's check the TLSA-record of the mailserver of linux.pizza:

dig _25._tcp.kebab.linux.pizza TLSA +short


This gives us the following answer:

3 1 1 2B4685AC11110AC51D117607C0E58D98AF3FD9A417EF3B5B61210578 67D92111


So, what we just did here was checking the host _25._tcp.hashmal.selea.se for a TLSA record. The first part – _25. represents the port. Second part – _tcp. represent the protocol. The third part – kebab.linux.pizza. represent the actual hostname of the server.

## Deploy DANE-verification in postfix

This is probably the easiest step of them all: Add this into your main.cf file

smtp_tls_security_level = dane
smtp_dns_support_level = dnssec


Now, postfix does validate DANE for outgoing and incoming SMTP-connections – Nice!

## Let's Encrypt + DANE

Since the hash in the TLSA-record is based on the private TLS-key, it does not really make sense to deploy it with Let's Encrypt since Certbot (the most used tool to deploy Let's Encrypt) generates a new private key every time a certificate is being requested.

We will generate the certificate using Certbot, feel free to use whatever client you'd like. Just keep in mind that you have to reuse the same .csr.

We will have to do the issuing and renewal via HTTP/HTTPS, so I assume that you have a webserver installed on your machine. Create this config-file and place it in a good location (like /usr/share/etc/leconfig/mx.your.host):

domains = mx.your.hostname
webroot-path = /path/to/webserver/root

rsa-key-size = 4096
email = info@your.hostname
text = True
authenticator = webroot
renew-by-default = true
agree-tos = true


certbot -c /usr/share/etc/leconfig/mx.your.hostname certonly


Once the certificate have been issued, you can find it in /etc/letsencrypt/live/mx.your.hostname, for sanity sake, we will copy the entire folder to another location.

mkdir -p /usr/local/etc/letsencrypt/live/
cp /etc/letsencrypt/live/mx.your.hostname /usr/local/etc/letsencrypt/live/


Let's copy the .csr file also (most important!), assuming that this is the first certificate issued – take the one starting with 0000, otherwhise you can match the csr timestamp with the certificate you just generated:

cp /etc/letsencrypt/csr/0000_csr-certbot.pem /usr/local/etc/letsencrypt/live/mx.your.hostname/mx.your.hostname.csr


And lets modify the configuration file that we did before accordingly in order to tell certbot where the .csr file is, and where to place the certicate:

domains = mx.your.hostname
webroot-path = /path/to/webserver/root

csr = /usr/local/etc/letsencrypt/live/mx.your.hostname/mx.your.hostname.csr
cert-path = /etc/letsencrypt/live/mx.your.hostname/cert.pem
fullchain-path = /etc/letsencrypt/live/mx.your.hostname/fullchain.pem
chain-path = /etc/letsencrypt/live/mx.your.hostname/chain.pem

rsa-key-size = 4096
email = info@your.hostname
text = True
authenticator = webroot
renew-by-default = true
agree-tos = true


You can try reissuing the certificate with:

certbot -c /usr/share/etc/leconfig/mx.your.hostname certonly


Awesome! Your certificate should have been renewed with the same .csr file and private key. Now we can proceed to configuring postfix to use the certificate, private key and intermediate certificate. Look for the following lines:

smtpd_tls_key_file
smtpd_tls_cert_file
smtpd_tls_CAfile


And we will add the path to the certificate-chain:

smtpd_tls_key_file = /usr/local/etc/letsencrypt/live/mx.your.hostname/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/mx.your.hostname/cert.pem
smtpd_tls_CAfile = /etc/letsencrypt/live/mx.your.hostname/chain.pem


Restart postfix, and you are ready for the next step!

We will use the “hash-slinger” package, and it is very simple! Just issue the following on any computer that has a https-connection to your mailserver:

tlsa --create mx.your.hostname


You will get something like this:

_443._tcp.mx.your.hostname. IN TLSA 3 0 1 54f3fd877632a41c15b0ff4e50e254ed8d1873486236dc6cd5e9c1c1993d1e4e


Perfect, you now has the record that you should deploy at your DNS-provider, with a slight modification:

_25._tcp.mx.your.hostname. IN TLSA 3 0 1 54f3fd877632a41c15b0ff4e50e254ed8d1873486236dc6cd5e9c1c1993d1e4e


Notice how we change the first part – the port. After you have published your record, wait for a little while and check if it valid with this tool.

Thank you for making Email awesome again!

## End

I hope that you found this little guide helpful! Let me know what you think, hook me up on Mastodon on @selea@social.linux.pizza