LinuxPizza

linux

I dont claim responsibility for anything being done on your router. This short TODO is written for myself – dont follow if you are not familiar with certificates and PKI.

1 SSH into your machine 2. Navigate to /data/unifi-core/config 3. Replace unifi-core.key with your private key 4. Replace unifi-core.crt with your TLS-certificate 5. Restart Unifi Core:

systemctl restart unifi-core

Done! A screenshot, showing a valid certificate on udr.selea.se, located on a Unifi Dream Router

#linux #pki #certificates #unifi

LVM stuff

WARNING: PV /dev/sda2 in VG vg0 is using an old PV header, modify the VG to update.

Update the metadata with the vgck command – where the “vg0” is your own pool.

vgck --updatemetadata vg0

curl stuff

Curl a specific IP with a another host-header

curl -H "Host: subdomain.example.com" http://172.243.6.400/

git stuff

tell git.exe to use the built-in CA-store in Windows

git config --global http.sslBackend schannel

random stuff

See which process is using a file

fuser file

Import RootCert into Java-keystore example

sudo /usr/lib/java/jdk8u292-b10-jre/bin/keytool -import -alias some-rootcert -keystore /usr/lib/java/jdk8u292-b10-jre/lib/security/cacerts -file /usr/share/ca-certificates/extra/someRoot.crt`

Apache2 configs example

Enable AD-authentication for web-resources

<Location />
   AuthName "AD authentication"
   AuthBasicProvider ldap
   AuthType Basic
   AuthLDAPGroupAttribute member
   AuthLDAPGroupAttributeIsDN On
   AuthLDAPURL ldap://IP:389/OU=Users,OU=pizza,DC=linux,DC=pizza? 
   sAMAccountName?sub?(objectClass=*)
   AuthLDAPBindDN cn=tomcat7,ou=ServiceAccounts,ou=Users,OU=pizza,dc=linux,dc=pizza
  AuthLDAPBindPassword "exec:/bin/cat /etc/apache2/ldap-password.conf"
  Require ldap-group 
  CN=some_group,OU=Groups,OU=pizza,DC=linux,DC=pizza
  ProxyPass "http://localhost:5601/"
  ProxyPassReverse "http://localhost:5601/"

</Location>

Insert Matomo tracking script in Apache using mod_substitute

AddOutputFilterByType SUBSTITUTE text/html
Substitute "s-</head>-<script type=\"text/javascript\">var _paq = _paq || [];_paq.push(['trackPageView']);_paq.push(['enableLinkTracking']);(function() {var u=\"https://matomo.example.com/\";_paq.push(['setTrackerUrl', u+'matomo.php']);_paq.push(['setSiteId', '1']);var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];g.type='text/javascript'; g.async=true; g.defer=true; g.src=u+'matomo.js'; s.parentNode.insertBefore(g,s);})();</script></head>-n"

Load balance backend-servers

<Proxy balancer://k3singress>
	BalancerMember http://x.x.x.1:80
	BalancerMember http://x.x.x.2:80
	BalancerMember http://x.x.x.3:80
	BalancerMember http://x.x.x.4:80
	ProxySet lbmethod=bytraffic
	ProxySet connectiontimeout=5 timeout=30
	SetEnv force-proxy-request-1.0 1
	SetEnv proxy-nokeepalive 1
</Proxy>
       ProxyPass "/" "balancer://k3singress/"
       ProxyPassReverse "/" "balancer://k3singress/"
       ProxyVia Full
       ProxyRequests On
       ProxyPreserveHost On

Basic Apache-config for PHP-FOM

<VirtualHost *:80>
  ServerName www.example.com
  DocumentRoot /srv/www.example.com/htdocs
  <Directory /srv/www.example.com/htdocs>
    AllowOverride All
    Require all granted
    DirectoryIndex index.html index.htm index.php
    <FilesMatch "\.php$">
      SetHandler proxy:unix:/run/php/www.example.com.sock|fcgi://localhost
    </FilesMatch>
  </Directory>
  SetEnvIf x-forwarded-proto https HTTPS=on
</VirtualHost>

Basic PHP-fpm pool

[www.example.com]
user = USER
group = GROUP

listen = /var/run/php/$pool.sock

listen.owner = www-data
listen.group = www-data

pm = ondemand
pm.process_idle_timeout = 10
pm.max_children = 1

chdir = /

php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f no-reply@ftp.selea.se
php_admin_value[mail.log] = /srv/ftp.selea.se/log/mail.log
php_admin_value[open_basedir] = /srv/ftp.selea.se:/tmp
php_admin_value[memory_limit] = 64M
php_admin_value[upload_max_filesize] = 64M
php_admin_value[post_max_size] = 64M
php_admin_value[max_execution_time] = 180
php_admin_value[max_input_vars] = 1000

php_admin_value[disable_functions] = passthru,exec,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source,mail

Netplan – use device MAC instead of /etc/machine-id for DHCP

network:
  ethernets:
    eth0:
      dhcp4: true
      dhcp-identifier: mac
  version: 2

HPs apt repo for various utilities for proliant machines

deb http://downloads.linux.hpe.com/SDR/repo/mcp buster/current non-free

psql stuff

CREATE DATABASE yourdbname;
CREATE USER youruser WITH ENCRYPTED PASSWORD 'yourpass';
GRANT ALL PRIVILEGES ON DATABASE yourdbname TO youruser;

Get entity for AD/SMB based user so you can put it in /etc/passwd:

getent passwd USERNAME

#linux #kubernetes #netplan #php-fpm #apache #LVM

Imagine my suprise when I could not tail the syslog anymore..

Debian 12 has moved the syslog to journalctl. So just run journalctl -f and you will be greeted with the logs running throu the screen :)

If you want to check the logs from for example apache:

journalctl -u apache2.service

If you want to format the logs as json, just append o json-pretty

#linux #debian #logging

8 years ago, I saw a post somewhere about a pretty small niché distro that was looking for a mirror for its packages. That got me thinking about the possibility to provide a public mirror for Linux packages for various distros.

It started back then in my home office, with redundant ISP and the two HP Microservers and the Supermicro box that I had running. My ambitions did not stop, and I applied to be an official mirror for Debian, Ubuntu, Parabola, Linux-Libre and more in the weeks after.

One year after that, I got access to a nice environment that my friends had. With 100TB of storage and unlimited bandwidth – I moved the mirror there, and it has been living there ever since.

Fast forward a couple of years...

The small distros that mirror.linux.pizza was the sole mirror for has dissappeared, and the other projects such as Parabola, EndeavourOS and PureOS where I was the first one to start mirroring them – has gotten plenty of more mirrors to help out.

I've decided to shut mirror.linux.pizza down, the reason is financial and I want to focus my effort on the community that is social.linux.pizza instead.

I've already notified the different projects about the shut down, and I will take steps to ensure that systems does not break after the mirror goes offline, such as HTTP-redirects to other mirrors in the nordic.

I've also reached out to the hosting providers that have been using the mirror exclusively to notify them about the upcoming change, so they can prepare for that aswell.

I am thankful that I have been able to give something back to the community by hosting this mirror – around 100k unique IP-addresses connect to it every day. So it did definitely help out!

#linux #mirror #mirrorlinuxpizza #sunset #debian #ubuntu #pureos

Just some random #kubectl commands for myself. I have tested these on 1.20 <> 1.25

Get all ingress logs (if your ingress is nginx)

kubectl logs -n ingress-nginx -l app.kubernetes.io/name=ingress-nginx

Get all logs from Deployment

kubectl logs deployment/<deployment> -n <namespace> --watch

Why is the pod stuck in “ContainerCreating”?

kubectl get events --sort-by=.metadata.creationTimestamp --watch

Restart your deployment, nice and clean

kubectl rollout restart deployment/<deployment> -n <namespace>

I'll add more when I find more usefull stuff

#linux #k8s #kubernetes #kubectl #ingress #nginx #deployment #logs

Hopefully this will save some of you alot of time, energy, and save you day.

I recently had troubles getting a job to work. The short story is:

Download all files in a remote catalogue, over SFTP, on certain times.

I had a working solution with curl, but when the naming of the files changed (such as whitespaces) – the function broke.

lftp – the saver

After have spent a couple of hours trying to grasp lftp via the manpage, I came up with a solution:

lftp -c '
open sftp://USER:PASSWORD@remoteserver.example.com:22
mirror --verbose --use-pget-n=8 -c /remote/catalogue/ /local/catalogue/
'

And if you want to remove the source-files after download:

lftp -c '
open sftp://USER:PASSWORD@remoteserver.example.com:22
mirror --Remove-source-files --verbose --use-pget-n=8 -c /remote/catalogue/ /local/catalogue/
'

This download all files in the specified remote catalogue to the specified local one, then exits.

#linux #bash #sftp #lftp

Have you ever installed packages from third party repositories to later realize that it was not the best idea? No? Well – I have.

But from now on, I wont do it. And instead utilize chroot!

In this section, we'll cover how you do it on your Debian-based system aswell as on Fedora.

Install the package debootstrap

apt update; apt install debootstrap

Or if you are on Fedora:

dnf install debootstrap

Now, create a catalogue anywhere of your choosing, for example in /srv

mkdir /srv/chroot

Great. Now depending on what you want. Perform any of the following:

debootstrap bullseye /srv/chroot http://ftp.us.debian.org/debian
debootstrap  jammy /srv/chroot http://archive.ubuntu.com/ubuntu

You should see it pull down all the packages needed for the distro to start, and when it is complete – you can enter the chroot:

chroot /srv/chroot

That's it! Now you can install, test or compile your packages as usual.

And when you are done, you can simply remove the catalogue and start fresh – if you want.

Here is a quick demo of the actual process:

asciicast

#linux #chroot #sysadmin #debian #ubuntu #fedora

Personal note, I always forget

docker stop $(docker ps -aq) && docker rm $(docker ps -aq)

Also run a docker system prune -a afterwards.

Now I'll remember it.

#linux #docker

This short writeup will guide you on how to do it on Debian-based and Fedora systems.

We begin with installing posfix and the required packages for authentication.

First – doublecheck that your machine has a Fully Qualified Domain Name set in the hostfile, this will remove alot of headaches from you in the future.

My machine is named “T15.domain.tld” – so emails will be arriving from “user@T15.domain.tld”.

Debian:

apt-get install postfix mailutils libsasl2-2 libsasl2-modules

Fedora:

dnf install postfix mailx mailx cyrus-sasl cyrus-sasl-plain

Next, we will create the sasl-password file and hash it:

echo "[relay.domain.tld]:587 username:password" > /etc/postfix/sasl
postmap /etc/postfix/sasl

Great, now we have to tell postfix that all emails sent via it should be relayed throu the smtp-relay:

relayhost = [relay.domain.tld]:587
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_security_options =
smtp_sasl_password_maps = hash:/etc/postfix/sasl
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

Restart postfix and check the log, so everything looks good.

Test your setup:

echo "This is a test" | mail -s "Just a test" destination_email@domain.tld

You can check the status of the mailqueue with the command mailq.

And that's about it!

#linux #postfix #smtp #sysadmin #email

There is many reasons why you would like to have local docker registry, and being cool is one of them. This is how you do it on Debian.

Well, lets go!

1 Install the package:

apt install docker-registry

2 Tell the machine where you are going to pull to, that the registry is “unsafe” (non-https):

{
  "insecure-registries":
    [
      "docker.internal:5000",
      "registry.linux.pizza:5000"
    ]
}

3 Create a basic-auth on your registry:

   htpasswd -Bbn dockeruser registrypassword >/etc/docker/registry/.htpasswd

4 Login to the registry from your host:

   docker login -u dockeruser registry.linux.pizza:5000

Dont forget to restart docker!

Have fun!

#docker #dockerregistry #registry #debian #linux