How to compile Quagga with SNMP support

Posted on by Jan

Since the default Quagga package in Ubuntu doesn’t have SNMP support enabled, the Quagga package has to be compiled locally. The following instructions may work for Debian as well but I only tested it in Ubuntu Server 14.04 LTS.

Now, edit /etc/quagga/daemons and enable at least zebra and bgpd and let’s create some empty config files for Quagga:
touch /etc/quagga/bgpd.conf ; touch /etc/quagga/zebra.conf

To enable SNMP support in Quagga, the line agentx has to be inserted into bgpd.conf and zebra.conf:

drfalken@wopr:/etc/quagga# head bgpd.conf
hostname AS65535
log file /var/log/quagga/bgpd.log

agentx
debug bgp events
debug bgp filters
debug bgp updates

router bgp 65535
bgp router-id 1.2.3.4

I wont dwelve into how to setup the SNMP daemon but don’t forget to add the following lines to the snmpd.conf configuration file and restart the SNMP daemon afterwards:
master agentx
agentxsocket /var/agentx/master
agentxperms 777 777

Make sure to set proper permissions for the agentx directory with a
chmod 755 /var/agentx/
or you will get error messages like snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL])

Once Quagga is able to connect to the local SNMP daemon, a message like this will show up in Quagga’s log file:
snmp[info]: NET-SNMP version 5.7.2 AgentX subagent connected

Monitoring Quagga BGP sessions using SNMP

Monitoring BGP sessions works fantastically using LibreNMS. You can chose to receive push notifications and/or emails if a BGP session goes down/up or is flapping. However, there’s some tinkering involved to display 32-bit ASNs properly in LibreNMS (let me know in the comments if you’re interested) because the MIB only handles 16-bit integers. Unfortunately, there’s no IPv6 support in Quagga’s current SNMP implementation as well.

quagga-librenms-bgp-graphs

quagga-librenms-bgp

Waking up a NAS from OS X at boot time using Wake-on-LAN (WOL)

Posted on by Jan

Since OS X 10.11 El Capitan protects certain system directories from modifications, my NASwake solution to wake a NAS once the Mac starts up published back in 2010 is no longer working.

I decided against building another .pkg installer since it requires root permissions and I also prefer using Homebrew instead of some obscure binary for sending the magic WOL packet. Here are the four steps to start your Wake-on-Lan-capable NAS once your Mac starts up:

  1. Install “Homebrew” (required for the wakeonlan script)
  2. Install the wakeonlan script using the Homebrew package manager
  3. Save the naswake plist to /Library/LaunchDaemons
  4. Save the naswake shell script to /usr/local/bin and set your NAS’s MAC-address

1. Install Homebrew

See http://brew.sh for instructions. Once installed, check with brew doctor if Homebrew was installed properly.

2. Install the wakeonlan script using the Homebrew package manager

brew install wakeonlan

This will install the wakeonlan Perl script. See man wakeonlan for details.

3. Save the naswake plist to /Library/LaunchDaemons

sudo nano /Library/LaunchDaemons/com.trick77.wol2.plist

Paste the XML below into the editor.

4. Save the naswake shell script to /usr/local/bin

sudo nano /usr/local/bin/naswake.sh
sudo chmod +x /usr/local/bin/naswake.sh

Paste the script below into the editor. Don’t forget to set your NAS’ MAC address in the last line of the script!

That’s it! Make sure WOL is enabled in the NAS.

Tips & tricks for the PC Engines APU

Posted on by Jan

Being somewhat addicted to Linux mini computers, I just had to lay my hands on a PC Engines APU. A lot of information about the APU is strewn all over the Internet so I wanted to consolidate it all in one single post.

Installing Ubuntu Server using the serial console

To boot the Ubuntu Server installer using the serial console, some startup config files have to be modified. See this post for instructions.

On the Mac, I’m using serial. It already contains the drivers for my PL2303 based USB serial adapter. As a free alternative, Prolific’s PL2303 OS X drivers work pretty well together with minicom from the brew project. If output is being displayed with minicom but input doesn’t work, make sure to turn off hardware flow control. The screen command may work as well.

Show network devices as eth0, eth1, eth2 instead of p4p1, p4p2, p4p3

Edit /etc/default/grub as follows:

GRUB_CMDLINE_LINUX_DEFAULT="biosdevname=0"

Update grub configuration
# update-grub
and
# reboot

Don’t forget to update /etc/network/interfaces accordingly.

Show output during boot

Edit /etc/default/grub as follows:

GRUB_CMDLINE_LINUX="console=tty0 console=ttyS0,115200n8"
GRUB_TERMINAL=serial
GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1"

Update grub configuration
# update-grub
and
# reboot

Enable NMI Watchdog

# modprobe sp5100_tco && echo "sp5100_tco" >> /etc/modules

Enable temperatur sensor

apt-get install lm-sensors

# sensors
k10temp-pci-00c3
Adapter: PCI adapter
temp1:        +52.0°C  (high = +70.0°C)
                       (crit = +100.0°C, hyst = +97.0°C)

Enable LEDs and reboot button

Check out the apu-led-button repository on Github.

Use max. cpufreq

Ubuntu will always set the CPU governor to ondemand during boot.

# cat /proc/cpuinfo
vendor_id	: AuthenticAMD
model name	: AMD G-T40E Processor
cpu MHz		: 800.000

For the APU this means the CPU will be run at 800 MHz instead of 1 GHz. If you prefer the CPU to run at full speed at all times:

# wget -O /usr/local/sbin https://gist.githubusercontent.com/trick77/21cfc65c769609be29e2/raw/076e21c7b844a9eeb67ca4184544ec27d11164f7/gov

Insert into /etc/rc.local just above exit 0 :

/usr/local/sbin/gov performance

Or as an alternative, just disable the Ubuntu ondemand init script from the command line:

# update-rc.d ondemand disable

# cat /proc/cpuinfo
vendor_id	: AuthenticAMD
model name	: AMD G-T40E Processor
cpu MHz		: 1000.000

Enable beep

apt-get install beep
modprobe pcspkr && echo pcspkr >> /etc/modules

Comment pcspkr in /etc/modprobe.d/blacklist.conf to unblacklist the module.

Imperial March:

beep -l 350 -f 392 -D 100 -n -l 350 -f 392 -D 100 -n -l 350 -f 392 -D 100 -n -l 250 -f 311.1 -D 100 -n -l 25 -f 466.2 -D 100 -n -l 350 -f 392 -D 100 -n -l 250 -f 311.1 -D 100 -n -l 25 -f 466.2 -D 100 -n -l 700 -f 392 -D 100 -n -l 350 -f 587.32 -D 100 -n -l 350 -f 587.32 -D 100 -n -l 350 -f 587.32 -D 100 -n -l 250 -f 622.26 -D 100 -n -l 25 -f 466.2 -D 100 -n -l 350 -f 369.99 -D 100 -n -l 250 -f 311.1 -D 100 -n -l 25 -f 466.2 -D 100 -n -l 700 -f 392 -D 100 -n -l 350 -f 784 -D 100 -n -l 250 -f 392 -D 100 -n -l 25 -f 392 -D 100 -n -l 350 -f 784 -D 100 -n -l 250 -f 739.98 -D 100 -n -l 25 -f 698.46 -D 100 -n -l 25 -f 659.26 -D 100 -n -l 25 -f 622.26 -D 100 -n -l 50 -f 659.26 -D 400 -n -l 25 -f 415.3 -D 200 -n -l 350 -f 554.36 -D 100 -n -l 250 -f 523.25 -D 100 -n -l 25 -f 493.88 -D 100 -n -l 25 -f 466.16 -D 100 -n -l 25 -f 440 -D 100 -n -l 50 -f 466.16 -D 400 -n -l 25 -f 311.13 -D 200 -n -l 350 -f 369.99 -D 100 -n -l 250 -f 311.13 -D 100 -n -l 25 -f 392 -D 100 -n -l 350 -f 466.16 -D 100 -n -l 250 -f 392 -D 100 -n -l 25 -f 466.16 -D 100 -n -l 700 -f 587.32 -D 100 -n -l 350 -f 784 -D 100 -n -l 250 -f 392 -D 100 -n -l 25 -f 392 -D 100 -n -l 350 -f 784 -D 100 -n -l 250 -f 739.98 -D 100 -n -l 25 -f 698.46 -D 100 -n -l 25 -f 659.26 -D 100 -n -l 25 -f 622.26 -D 100 -n -l 50 -f 659.26 -D 400 -n -l 25 -f 415.3 -D 200 -n -l 350 -f 554.36 -D 100 -n -l 250 -f 523.25 -D 100 -n -l 25 -f 493.88 -D 100 -n -l 25 -f 466.16 -D 100 -n -l 25 -f 440 -D 100 -n -l 50 -f 466.16 -D 400 -n -l 25 -f 311.13 -D 200 -n -l 350 -f 392 -D 100 -n -l 250 -f 311.13 -D 100 -n -l 25 -f 466.16 -D 100 -n -l 300 -f 392.00 -D 150 -n -l 250 -f 311.13 -D 100 -n -l 25 -f 466.16 -D 100 -n -l 700 -f 392

How to receive Cymru’s IPv6 Bogon list using Quagga

Posted on by Jan

The provided BGP sample configuration for Quagga on Cymru’s web site didn’t work for me. Since my AS is IPv6-only, I’m only interested in the IPv6 Bogon feed. Here’s an excerpt from my Quagga bgpd.conf:

router bgp aut-num
bgp router-id id
bgp log-neighbor-changes
no bgp default ipv4-unicast

neighbor cymru-bogon peer-group
neighbor cymru-bogon remote-as 65332
neighbor cymru-bogon timers 3600 10800
neighbor cymru-bogon description AS65332 Cymru FullBogon Feed
neighbor cymru-bogon ebgp-multihop 255
neighbor cymru-bogon password changeme
neighbor cymru-bogon activate
neighbor cymru-bogon prefix-list pl-cymru-ipv4-in in
neighbor cymru-bogon prefix-list pl-cymru-out out
neighbor 38.xx.xx.xx peer-group cymru-bogon
neighbor 193.xx.xx.xx peer-group cymru-bogon

address-family ipv6
  neighbor cymru-bogon activate
  neighbor cymru-bogon soft-reconfiguration inbound
  neighbor cymru-bogon route-map rm-cymru-ipv6-in in
  neighbor cymru-bogon prefix-list pl-cymru-ipv6-out out
  neighbor 38.xx.xx.xx peer-group cymru-bogon
  neighbor 193.xx.xx.xx peer-group cymru-bogon
exit-address-family

ip prefix-list pl-cymru-ipv4-in seq 5 deny any
ip prefix-list pl-cymru-out seq 5 deny any
ipv6 prefix-list pl-cymru-ipv6-out seq 5 deny any
ip community-list 10 permit 65332:888

route-map rm-cymru-ipv6-in permit 10
  match community 10
  set ip next-hop 192.0.2.1
  set ipv6 next-hop global 100::dead:beef:1

Since Zebra won’t install routes learned over BGP that are not routable, I also needed to make sure that 100::dead:beef:1 is (null-)routed. My solution was to install a Cisco-style Null0 interface in /etc/network/interfaces:

# blackhole
iface Null0 inet manual
  pre-up ip link add dev Null0 type dummy
  pre-up ip link set Null0 up
  up ip -6 route add 100::/64 dev Null0 proto static metric 255
  up ip -4 route add 192.0.2.1/32 dev Null0 proto static metric 255
  down ip link del dev Null0

By the way, that 100::/64 I’m using to null-route is a designated (RFC6666) IPv6 discard-only address block.

Once the BGP session is up, only IPv6 routes will be learned from Cymru’s bogon feed. I’m using IPv4 transport for the BGP session but it should work using IPv6 transport as well.

BGP neighbor is 38.xx.xx.xx, remote AS 65332, local AS xxxxx, external link
 Member of peer-group cymru-bogon for session parameters
  BGP version 4, remote router ID 38.xx.xx.xx
  BGP state = Established, up for 18:52:18
  Last read 00:11:49, hold time is 10800, keepalive interval is 3600 seconds
  Configured hold time is 10800, keepalive interval is 3600 seconds
  Neighbor capabilities:
    4 Byte AS: advertised and received
    Route refresh: advertised and received(old & new)
    Address family IPv4 Unicast: advertised and received
    Address family IPv6 Unicast: advertised and received
  Message statistics:
    Inq depth is 0
    Outq depth is 0
                         Sent       Rcvd
    Opens:                  1          1
    Notifications:          0          0
    Updates:                0        118
    Keepalives:            20         19
    Route Refresh:          0          0
    Capability:             0          0
    Total:                 21        138
  Minimum time between advertisement runs is 30 seconds

 For address family: IPv4 Unicast
  cymru-bogon peer-group member
  AF-dependant capabilities:
    Outbound Route Filter (ORF) type (128) Prefix-list:
      Send-mode: received
  Community attribute sent to this neighbor(both)
  Inbound path policy configured
  Outbound path policy configured
  Incoming update prefix filter list is *pl-cymru-ipv4-in
  Outgoing update prefix filter list is *pl-cymru-out
  0 accepted prefixes

 For address family: IPv6 Unicast
  cymru-bogon peer-group member
  Inbound soft reconfiguration allowed
  Community attribute sent to this neighbor(both)
  Inbound path policy configured
  Outbound path policy configured
  Outgoing update prefix filter list is *pl-cymru-ipv6-out
  Route map for incoming advertisements is *rm-cymru-ipv6-in
  60088 accepted prefixes

  Connections established 1; dropped 0
  Last reset never
  External BGP neighbor may be up to 255 hops away.
Local host: 185.xx.xx.xx, Local port: 59623
Foreign host: 38.xx.xx.xx, Foreign port: 179
Nexthop: 185.xx.xx.xx
Nexthop global: 2001:xxxx:xxxx::
Nexthop local: fe80::225:xxxx:xxxx:xxxx
BGP connection: non shared network
Read thread: on  Write thread: off

Setting up a Huawei E3276-150 4G/LTE USB modem on Ubuntu Server/Desktop

Posted on by Jan

I just received an unlocked Huawei E3276s-150 4G/LTE USB modem/surfstick I bought on eBay the other day. I went for the E3276s-150 because the 150 seemed to be the most compatible option for European 4G mobile networks. There are even cheaper Huawei E3276 models like the E3276-920 which you can buy for less than 20 bucks. However, the 920 seems to be frequency-optimized for Asian mobile networks and may not perform as well as a E3276s-150 in Western Europe.
huawei_e3276_lte_cat4_usb_dongle
To my great surprise, setting up the Huawei E3276 on Ubuntu 15.04 Desktop was literally plug & play. After a few seconds after plugging it in, I was greeted with a “Connection Established” message. Nicely done, Canonical!

On Ubuntu Server, like most Huawei modems, the stick is recognised as a memory card reader. It has to be switched to a USB modem device first using the usb_modeswitch command in order to establish a mobile network connection. If it’s not already installed, usb_modeswitch can be installed using apt-get -y install usb-modeswitch.

Memory card reader mode:

drfalken@wopr:~# lsusb
Bus 001 Device 007: ID 12d1:1f01 Huawei Technologies Co., Ltd.

To turn the E3276 into a modem:

drfalken@wopr:~# usb_modeswitch -v 12d1 -p 1f01 -M '55534243123456780000000000000011062000000101000100000000000000'

If the change was successful, lsusb shows a different USB product id now:

drfalken@wopr:~# lsusb
Bus 001 Device 007: ID 12d1:14db Huawei Technologies Co., Ltd.

At the same time, dmesg should output something like this:

drfalken@wopr:~# dmesg -T
[Fri May 29 20:55:41 2015] usb 1-1: New USB device found, idVendor=12d1, idProduct=14db
[Fri May 29 20:55:41 2015] usb 1-1: New USB device strings: Mfr=2, Product=1, SerialNumber=0
[Fri May 29 20:55:41 2015] usb 1-1: Product: HUAWEI Mobile
[Fri May 29 20:55:41 2015] usb 1-1: Manufacturer: HUAWEI Technology
[Fri May 29 20:55:41 2015] cdc_ether 1-1:1.0 eth1: register 'cdc_ether' at usb-0000:00:14.0-1, CDC Ethernet Device, 57:2d:70:33:22:10

Since the modem registered itself on eth1 (the name depends on the number of network devices, it doesn’t HAVE to be on eth1), we now simply fetch an IP address from the modem using:

drfalken@wopr:~# dhclient -v eth1
Internet Systems Consortium DHCP Client 4.2.4
Copyright 2004-2012 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

Listening on LPF/eth1/57:2d:70:33:22:10
Sending on   LPF/eth1/57:2d:70:33:22:10
Sending on   Socket/fallback
DHCPDISCOVER on eth1 to 255.255.255.255 port 67 interval 3 (xid=0x3b73326b)
DHCPREQUEST of 192.168.1.100 on eth1 to 255.255.255.255 port 67 (xid=0x3b73326b)
DHCPOFFER of 192.168.1.100 from 192.168.1.1
DHCPACK of 192.168.1.100 from 192.168.1.1
bound to 192.168.1.100 -- renewal in 36557 seconds.

Yay, the modem has made itself available on 192.168.1.100 (it even has a web interface on port 80) with a /24 prefix and a gateway at 192.168.1.1.
By the way, make sure none of your local networks use 192.168.1.0/24 or it will collide with the Huawei’s local network.

Depending on a few factors dhclient may or may not have changed the default gateway. If the default gateway points to the modem, it will be at 192.168.1.1 on eth1:

drfalken@wopr:~# ip route show | grep default
default via 192.168.1.1 dev eth1

If this is not the case, you may have to remove the existing default gateway and replace it using:

drfalken@wopr:~# ip route del default ; ip route add default via 192.168.1.1

And… connected!

drfalken@wopr:~# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=57 time=22.7 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=57 time=34.9 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=57 time=39.7 ms

Make sure /etc/resolv.conf contains a valid nameserver if you can’t resolve domain names.

To switch the Huawei E3276 into a modem at boot time, create /etc/udev/rules.d/70-usb-modeswitch.rules and insert this line:

ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="12d1", ATTRS{idProduct}=="1f01", RUN+="/usr/sbin/usb_modeswitch -v 12d1 -p 1f01 -M '55534243123456780000000000000011062000000101000100000000000000'"

To automatically add a valid nameserver in /etc/resolv.conf when eth1 comes up, add these lines to /etc/dhcp/dhclient.conf:

interface "eth1" {
  prepend domain-name-servers 8.8.8.8;
  request subnet-mask, broadcast-address, time-offset, routers,
          domain-name, domain-name-servers, domain-search, host-name,
          dhcp6.name-servers, dhcp6.domain-search,
          netbios-name-servers, netbios-scope, interface-mtu,
          rfc3442-classless-static-routes, ntp-servers,
          dhcp6.fqdn, dhcp6.sntp-servers;
  require routers, domain-name-servers;
}

If you don’t want to run dhclient manually, you can either add an eth1 dhcp section in /etc/network/interfaces or add the dhclient eth1 command to /etc/rc.local.

Just FYI: I’ve been using Vivid Vervet’s (Ubuntu 15.04) 3.19 kernel in Ubuntu Server 14.04 LTS. Vivid’s newer kernel can be installed using apt-get install linux-image-generic-lts-vivid. Not sure if it makes a difference compared to 14.04’s default kernel though.

Dockerflix: Docker-based SNI proxy for watching U.S. Netflix, Hulu, MTV, Vevo, Crackle, ABC, NBC, PBS…

Posted on by Jan

Recently, I published a new project on Github called Dockerflix. Instead of HAProxy, Dockerflix uses sniproxy. To make the installation a breeze, I boxed the proxy into a Docker container and wrote a small, Python-based Dnsmasq configuration generator. And voilà: DNS-unblocking as a service (DAAS) ;-)

Thanks to sniproxy’s ability to proxy requests based on a wildcard/regex match it’s now so much easier to add support for a service. Now it’s usually enough to just add the main domain name to the proxy and DNS configuration and Dockerflix will be able to hop the geo-fence in most cases. Since most on-demand streaming media providers are using an off-domain CDN for the video stream, only web site traffic gets sent through Dockerflix. A few exceptions may apply though, notably if the video stream itself is geo-fenced.

Dockerflix only handles requests using plain HTTP or TLS using the SNI extension. Some media players don’t support SNI and thus won’t work with Dockerflix.
If you need to proxy plain old SSLv1/v2 for a device, have a look at the non-SNI approach shown in tunlr-style-dns-unblocking.
A few media players (i.e. Chromecast) ignore your DNS settings and always resort to a pre-configured DNS resolver which can’t be changed (it still can be done though by rerouting these requests using iptables).

Check it out: https://github.com/trick77/dockerflix

How to encrypt an ODROID-C1’s Ubuntu root filesystem with DM-crypt LUKS

Posted on by Jan

The starting point is a running ORDOID-C1 with the Ubuntu minimal image. Make sure the Ubuntu installation has been dist-upgraded and to use the latest linux-image-c1 kernel image available (3.10.72-78 as of this writing). The ODROID-C1 has to be running the lastest kernel available, check with uname -r. Some of the early Ubuntu minimal images may suffer from a dist-upgrade problem, see here how to fix it. I’m using an 8 GB eMMC card but if you change the /dev ids throughout the installation process, it may work with an SD-card too.

root@c1:/# apt-get -y install lvm2 cryptsetup parted nano rsync

Since we can’t convert a running root partition, we’re going to add a 3rd partition which will be our encrypted root filesystem. Check with parted -l where the 2nd partition ends because we’re going to add the new partition right there.

root@c1:~# parted -l
Model: MMC 008G92 (sd/mmc)
Disk /dev/mmcblk0: 7818MB
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number Start End Size Type File system Flags
1 1049kB 135MB 134MB primary fat16 lba
2 135MB 4295MB 4160MB primary ext4

In this case, the 2nd partition ends at 4295MB, which will be the starting value for the new partition.

root@c1:~# parted
(parted) mkpart primary ext4
Start? 4295MB
END? 100%
q

Now we’re going to tag the new partition for LVM:
root@c1:~# fdisk /dev/mmcblk0
Command (m for help): t
Partition number (1-4): 3
Hex code (type L to list codes): 8e

Command (m for help): w

The next step is to setup LVM and to encrypt our new root partition. I’m going to name the physical volume (PV) lvm, the volume group vg and the logical root volume root.

root@c1:~# cryptsetup -c aes-xts-plain -y -s 512 luksFormat /dev/mmcblk0p3
root@c1:~# cryptsetup luksOpen /dev/mmcblk0p3 lvm
root@c1:~# pvcreate /dev/mapper/lvm
root@c1:~# vgcreate vg /dev/mapper/lvm
root@c1:~# lvcreate -l 100%FREE -n root vg
root@c1:~# mkfs.ext4 /dev/mapper/vg-root

Let’s try to mount the new, encrypted root volume:

root@c1:~# mount /dev/mapper/vg-root /mnt

Copy the existing root volume to the new, enrypted root volume:

root@c1:~# rsync -av --exclude=/media --exclude=/mnt --exclude=/proc --exclude=/dev --exclude=/sys / /mnt

These are the commands to chroot our new root volume from the old root partition. You can always use them to gain access to the encrypted root volume from the old root partition.

mkdir -p /mnt/dev
mkdir -p /mnt/mnt
mkdir -p /mnt/proc
mkdir -p /mnt/sys
mkdir -p /mnt/media
cryptsetup luksOpen /dev/mmcblk0p3 lvm
mount /dev/mapper/vg-root /mnt
mount -o rbind /dev /mnt/dev
mount -t proc proc /mnt/proc
mount -t sysfs sys /mnt/sys
mount -t vfat /dev/mmcblk0p1 /mnt/media
chroot /mnt

The following actions take place in the chrooted environment on the new, encrypted root LV. Make sure you don’t modify the existing root partition!

Register the encrypted volume in /etc/crypttab:

echo lvm UUID=$(cryptsetup luksUUID /dev/mmcblk0p3) none luks|tee /etc/crypttab

Add a line in /etc/fstab for the root volume:

/dev/mapper/vg-root / ext4 errors=remount-ro 0 1

Being chrooted to the encrypted volume, we can now regenerate the initrd.img using

root@c1:~# update-initramfs -u -k $(uname -r)

Since support for dm-crypt has already been built into the kernel of the minimal image, we don’t have to add any crypto-modules to /etc/initramfs-tools/modules/. initramfs also does a pretty good job (thanks to the MODULES=most setting) determining what to add for lvm and dm-crypt support. Just to make sure, let’s have a look what has been placed into the new initrd.img:

root@c1:~# lsinitramfs /boot/initrd.img-$(uname -r) | grep crypt
sbin/cryptsetup
conf/conf.d/cryptroot
scripts/local-top/cryptopensc
scripts/local-top/cryptroot
scripts/local-bottom/cryptopensc
lib/libcryptsetup.so.4
lib/modules/3.10.72-78/kernel/arch/arm/crypto
lib/modules/3.10.72-78/kernel/arch/arm/crypto/aes-arm.ko
lib/modules/3.10.72-78/kernel/crypto
lib/modules/3.10.72-78/kernel/crypto/rmd160.ko
lib/modules/3.10.72-78/kernel/crypto/seed.ko
lib/modules/3.10.72-78/kernel/crypto/michael_mic.ko
lib/modules/3.10.72-78/kernel/crypto/rmd320.ko
lib/modules/3.10.72-78/kernel/crypto/cast6_generic.ko
lib/modules/3.10.72-78/kernel/crypto/rmd128.ko
lib/modules/3.10.72-78/kernel/crypto/rmd256.ko
lib/modules/3.10.72-78/kernel/crypto/lzo.ko
lib/modules/3.10.72-78/kernel/crypto/blowfish_generic.ko
lib/modules/3.10.72-78/kernel/crypto/khazad.ko
lib/modules/3.10.72-78/kernel/crypto/serpent_generic.ko
lib/modules/3.10.72-78/kernel/crypto/fcrypt.ko
lib/modules/3.10.72-78/kernel/crypto/camellia_generic.ko
lib/modules/3.10.72-78/kernel/crypto/twofish_generic.ko
lib/modules/3.10.72-78/kernel/crypto/async_tx
lib/modules/3.10.72-78/kernel/crypto/async_tx/async_tx.ko
lib/modules/3.10.72-78/kernel/crypto/async_tx/async_pq.ko
lib/modules/3.10.72-78/kernel/crypto/async_tx/async_raid6_recov.ko
lib/modules/3.10.72-78/kernel/crypto/async_tx/async_xor.ko
lib/modules/3.10.72-78/kernel/crypto/async_tx/async_memcpy.ko
lib/modules/3.10.72-78/kernel/crypto/cast5_generic.ko
lib/modules/3.10.72-78/kernel/crypto/tea.ko
lib/modules/3.10.72-78/kernel/crypto/xts.ko
lib/modules/3.10.72-78/kernel/crypto/xor.ko
lib/modules/3.10.72-78/kernel/crypto/ansi_cprng.ko
lib/modules/3.10.72-78/kernel/crypto/wp512.ko
lib/modules/3.10.72-78/kernel/crypto/cast_common.ko
lib/modules/3.10.72-78/kernel/crypto/tgr192.ko
lib/modules/3.10.72-78/kernel/crypto/zlib.ko
lib/modules/3.10.72-78/kernel/crypto/lrw.ko
lib/modules/3.10.72-78/kernel/crypto/anubis.ko
lib/modules/3.10.72-78/kernel/crypto/blowfish_common.ko
lib/modules/3.10.72-78/kernel/crypto/sha512_generic.ko
lib/modules/3.10.72-78/kernel/crypto/twofish_common.ko
lib/modules/3.10.72-78/kernel/crypto/salsa20_generic.ko
lib/modules/3.10.72-78/kernel/crypto/gf128mul.ko
lib/cryptsetup
lib/cryptsetup/askpass
lib/arm-linux-gnueabihf/libgcrypt.so.11

Looking good, the scripts/local-top/cryptroot script is now part of initrd.img. It will be called during the first phase of the Linux boot and ask for the root volume passphrase once initramfs is executed.

To update the uInitrd file in the FAT32 boot partition we first have to recreate the image using the new initrd.img containing lvm and crypto support:

root@c1:~# mkimage -A arm -O linux -T ramdisk -C none -a 0 -e 0 -n "uInitrd $(uname -r)" -d /boot/initrd.img-$(uname -r) /tmp/uInitrd-$(uname -r)

If everything went well, copy the uInitrd to /boot and /media:

root@c1:~# cp /tmp/uInitrd-$(uname -r) /boot
root@c1:~# cp /tmp/uInitrd-$(uname -r) /media/uInitrd

Edit /media/boot.ini (make a backup copy first) and replace the root UUID and add cryptdevice in the setenv booargs line:

# Boot Arguments
setenv bootargs "root=/dev/mapper/vg-root cryptdevice=/dev/mmcblk0p3:lvm ...and so on

Important: leave the rest of the setenv bootargs line intact!

That’s it.

root@c1:~# shutdown -r now

initramfs should now aks for the passphrase to decrypt the root volume during boot. Make sure to have a keyboard nearby ;-)

Free multi-domain SSL certificates from WoSign and HAProxy OCSP stapling

Posted on by Jan

Since everyone now can get free 2-year multi-domain certificates from WoSign, I grabbed one for one of my web sites. However, WoSign’s OCSP server is located in China which may, depending on your and your server’s location, increase latency once the web browser is verifying the certificate’s revocation status. In my case from Europe:

PING ocsp6.wosign.com (111.206.66.61) 56(84) bytes of data.
64 bytes from 111.206.66.61: icmp_seq=1 ttl=53 time=428 ms
64 bytes from 111.206.66.61: icmp_seq=2 ttl=53 time=347 ms
64 bytes from 111.206.66.61: icmp_seq=3 ttl=53 time=312 ms
64 bytes from 111.206.66.61: icmp_seq=4 ttl=53 time=328 ms
64 bytes from 111.206.66.61: icmp_seq=5 ttl=53 time=313 ms

OCSP stapling comes in handy to reduce the latency for the revocation status check, again, depending on your clients and your server’s location.

Here’s the all-in-one shell script in /etc/cron.daily I’m using…

  1. to create the domain’s OCSP file for HAProxy
  2. to inject the latest OCSP data into a running HAProxy instance using its stats socket
#!/bin/sh
ROOT_CERT_FILE=/etc/ssl/private/wosign-root-bundle.crt
SERVER_CERT_FILE=/etc/haproxy/certs.d/domain.crt
HAPROXY_SOCKET=/var/run/haproxy.socket
OCSP_URL=`/usr/bin/openssl x509 -in $SERVER_CERT_FILE -text | grep -i ocsp | cut -d":" -f2-2,3`
OCSP_FILE=${SERVER_CERT_FILE}.ocsp

/usr/bin/openssl ocsp -noverify -issuer $ROOT_CERT_FILE -cert $SERVER_CERT_FILE -url "$OCSP_URL" -respout $OCSP_FILE -header Host `echo "$OCSP_URL" | cut -d"/" -f3`
echo "set ssl ocsp-response $(/usr/bin/base64 -w 10000 $OCSP_FILE)" | socat stdio $HAPROXY_SOCKET

To check if OCSP stapling works:

openssl s_client -connect mydomain.xyz:443 -tls1 -tlsextdebug -status

or for SNI-only configurations:

openssl s_client -connect mydomain.xyz:443 -servername mydomain.xyz -tls1 -tlsextdebug -status

If it works, there should be an OCSP section in the response like this:

OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = CN, O = WoSign CA Limited, CN = WoSign Free SSL OCSP Responder(G2)
    Produced At: Mar  8 14:01:14 2015 GMT
    .
    .
    .

A few notes:

  1. HAProxy’s stats socket needs to be enabled
  2. wosign-root-bundle.crt was taken from the Apache bundle in the certificate .zip file I received from WoSign
  3. /etc/haproxy/certs.d/domain.crt contains the private key and the certificate bundle from the “for Other Server” directory, however you could remove the last certificate since it’s the root CA cert.
  4. Requires HAProxy >= 1.5
  5. If socat is missing: apt-get install socat in Debian/Ubuntu
  6. Always aim for an A or A+ grade: SSL Server Test

How to set up a transparent VPN Internet gateway tunnel using OpenVPN

Posted on by Jan

I created a transparent VPN Internet gateway tunnel (sorry, couldn’t come up with a better name for it) using OpenVPN and my new Odroid-C1 Linux mini computer. However, this will work with any Linux PC (including the Raspberry Pi). The beauty of a transparent VPN gateway is that a device in the LAN doesn’t have to know anything about the VPN. I don’t have to remember to turn on the VPN nor does it drain the battery on mobile devices to encrypt and decrypt the packets. The VPN is just “there”. On the other hand, mostly for performance reasons, I don’t want to encrypt all traffic leaving my home LAN, that’s why I didn’t set up the VPN in the existing router. vpn-gatewayI wanted to be able to choose, on a per-device basis, which devices will route their traffic unencrypted to my ISP and which devices will get their traffic encrypted and forwarded to the remote VPN server using a second gateway in my LAN. And all this without additional subnets in my LAN, VLANs or additional WiFi or Ethernet-adapters. This may not look like the brightest idea to everyone but it works for me and I wanted to document it to save time if I have to set it up again. This is not a step-by-step tutorial but should provide enough pointers to get started.

Continue reading

How to install Kodi on an ODROID-C1 as a standalone mediacenter

Posted on by Jan

The ODROID-C1 ist just too cool not to have. This feature-packed ARM7 quad core Linux mini computer comes with an incredible price tag of $35. However, with all the accessories (RTC-battery, power supply, case, mini-HDMI cable, eMMC card, remote control…) and shipping from Korea, the final price is around $100. It’s going to replace my Raspberry Pi which I initially intended to use as a media center but it always felt a little too slow for the task, even with the highly tuned Raspbmc.

Since I wanted the ODROID-C1 to run Kodi without a desktop manager (but with an Ubuntu repository), I started off with the Ubuntu 14.04 minimal image provided by Hardkernel. Don’t forget to resize the root partition to its true size once the ODROID-C1 is up and running (and reboot again!). I’m recommending the Odroid-Utility for doing this. And while you’re at it, make sure to “Update udev rules for ODROID subdevices” in the “Update your Kernel/Firmware” menu. If you forget this step, Kodi might abort with ERROR: failed to initialize egl display.

odroid-c1-kodi-summary

I’m assuming here that the ODROID-C1 has network connectivity and you’re logged in as root.

With a few adaptations, this information was taken from my existing post on how to install Kodi on an Ubuntu 14.04 server. Continue reading

How to set up a virtual KVM/VNC console on your OVH server

Posted on by Jan

Want to install your own image on a OVH Kimsufi or SoYouStart server? Want to install an official image on your server instead of the pre-built OVH OS templates? Want to encrypt the home directory at install-time? Want to use RAID 5 using mdadm on one of those SSD equipped SoYouStart servers? Or do you want to use a more refined, custom partition layout which is not supported by the OVH partitioner? And you want this without having access to or having to pay for a KVM console?
Continue reading

KVM VM waits forever / stuck at kernel selection screen

Posted on by Jan

If a KVM virtual machine has not been properly shutdown, it may wait forever at the boot up kernel selection screen for user input. You won’t see any output when trying to virsh console into the VM from the host. You have to fire up a remote VNC session in order to press enter.

In Ubuntu Server you can override this behaviour by adding the following line to /etc/default/grub:

GRUB_RECORDFAIL_TIMEOUT=2

Don’t forget to run update-grub afterwards.

How to install Kodi on Ubuntu Server 14.04

Posted on by Jan

I have a small Shuttle Barbebone computer which I’m mainly using as a KVM hypervisor on top of Ubuntu Server 14.04 to run a few VMs. Since the Barebone also sports a HDMI port and the CPU comes with an integrated Intel HD GPU I thought it would be a great Kodi (ex XBMC) mediacenter as well. However, I’ve been unable to find a working walk-through on how to install it on Ubuntu Server. Most likely because nobody ever does this on a server OS. Anyway, here’s how to install the latest Kodi release on Ubuntu Server 14.04 including hardware acceleration for the Intel HD GPU. Continue reading

QEMU on Haswell causes spurious MCE events

Posted on by Jan

A few dozen times each day, the Xeon E3-1275 v3 CPU on my SuperMicro X10SLM-F board generates a Machine Check Event (MCE). The Linux kernel logs all MCEs in /var/log/syslog:

mce: [Hardware Error]: Machine check events logged
mce: [Hardware Error]: Machine check events logged
CMCI storm detected: switching to poll mode
CMCI storm subsided: switching to interrupt mode
mce_notify_irq: 14 callbacks suppressed
mce: [Hardware Error]: Machine check events logged
mce: CPU supports 9 MCE banks
mce: [Hardware Error]: Machine check events logged

After installing mcelog I was able to pull some more detailed information about the check events:

Hardware event. This is not a software error.
MCE 0
CPU 3 BANK 0
TIME 1415087019 Tue Nov  4 08:43:39 2014
MCG status:
MCi status:
Corrected error
Error enabled
MCA: Internal parity error
STATUS 90000040000f0005 MCGSTATUS 0
MCGCAP c09 APICID 6 SOCKETID 0
CPUID Vendor Intel Family 6 Model 60

The MCEs all look the same (affected is always BANK 0), just the CPU and the APICID may differ. I updated the BIOS, replaced the ECC RAM, replaced the mainboard but the errors kept showing up. Continue reading

OS X Yosemite installer shows blank/black screen when using Clover

Posted on by Jan

This is a heads up for everybody with an Nvidia GTX 760 (other Nvidia cards may be affected as well) trying to install OS X Yosemite 10.10 using Clover on a Hackintosh. If you’re getting a blank/black screen at the start of the installation, try to add the boot flag nv_disable=1. My screen was getting dark just after the installer displayed DSMOS has arrived when using the -v verbose boot flag. It always happened right after the installer was switching from text mode to graphics mode.

        <key>Boot</key>
        <dict>
                <key>Arguments</key>
                <string>dart=0 -v kext-dev-mode=1 nv_disable=1</string>
        ...(more)

Once OS X Yosemite has been installed, the nv_disable boot flag is no longer required and should be removed.