Posts by jselea@blogs.linux.pizza
 (DIR) Post #9vBI1BqEnoLco7RNLs by jselea@blogs.linux.pizza
       2020-05-18T21:42:56+02:00
       
       0 likes, 2 repeats
       
       TLSA records, more commonly known as DANE (DNS-based Authentication of Named Entities), is a protocol used to "bind" TLS certificates to a server. It is mostly used on email servers to secure communication between different servers. The reason DANE exists is to provide an additional layer of security and trust between server and client.

       In this guide, I will walk you through the following steps:

          – How to check if an SMTP server uses DANE
          – How to configure postfix to use DANE verification on outgoing and incoming emails
          – Generation of TLSA records
          – DANE + Let's Encrypt – a workaround

       Currently, DANE is not widely deployed by big organisations and companies worldwide. Instead, smaller companies, organisations and individuals with more flexibility in their IT infrastructure have been able to contribute to SMTP security. The only really big company that has announced plans for a DANE implementation is Microsoft – they announced their plans for DANE in April 2020 and hope to have the implementation finished in 2021.

       DANE also requires that the domain is DNSSEC-signed for it to work. There are some mail servers that can do DANE verification without DNSSEC (like postfix), but I am not going to cover that part today.

       But you are not here to wait for it to happen! Let's get started!

       Does this server have a TLSA record deployed?

       First, does your email server already have a TLSA record deployed? We can test it the simple way, with tools that already exist online, like this one from sys4 and the one from Shumon Huque.

       Or, if you are like me – we will do the checks from the terminal with the tools our system provides. Enter "dig", a command that can be found in the package "dnsutils" on Debian-based systems ("bind-utils" on RHEL-based ones).

       So let's check the TLSA record of the mail server of linux.pizza:

          dig _25._tcp.kebab.linux.pizza TLSA +short

       This gives us the following answer:

          3 1 1 2B4685AC11110AC51D117607C0E58D98AF3FD9A417EF3B5B6121057867D92111

       So, what we just did was check the host _25._tcp.kebab.linux.pizza for a TLSA record.
       The first part – _25. – represents the port.
       The second part – _tcp. – represents the protocol.
       The third part – kebab.linux.pizza. – represents the actual hostname of the server.

       Deploy DANE verification in postfix

       This is probably the easiest step of them all. Add this to your main.cf:

          smtp_tls_security_level = dane
          smtp_dns_support_level = dnssec

       Now postfix validates DANE for outgoing and incoming SMTP connections – nice!

       Let's Encrypt + DANE

       Since the hash in the TLSA record is derived from the TLS key pair, it does not really make sense to deploy it with Let's Encrypt as-is, since Certbot (the most used tool to deploy Let's Encrypt) generates a new private key every time a certificate is requested.

       We will generate the certificate using Certbot; feel free to use whatever client you'd like. Just keep in mind that you have to reuse the same .csr. We will have to do the issuing and renewal via HTTP/HTTPS, so I assume that you have a web server installed on your machine.

       Create this config file and place it in a good location (like /usr/share/etc/leconfig/mx.your.hostname):

          domains = mx.your.hostname
          webroot-path = /path/to/webserver/root
          rsa-key-size = 4096
          email = info@your.hostname
          text = True
          authenticator = webroot
          renew-by-default = true
          agree-tos = true

       Now, issue your initial certificate:

          certbot -c /usr/share/etc/leconfig/mx.your.hostname certonly

       Once the certificate has been issued, you can find it in /etc/letsencrypt/live/mx.your.hostname. For sanity's sake, we will copy the entire folder to another location (the files in live/ are symlinks into archive/, so dereference them with -L or the copies will be dangling links):

          mkdir -p /usr/local/etc/letsencrypt/live/
          cp -rL /etc/letsencrypt/live/mx.your.hostname /usr/local/etc/letsencrypt/live/

       Let's also copy the .csr file (most important!). Assuming that this is the first certificate issued – take the one starting with 0000; otherwise match the csr timestamp with the certificate you just generated:

          cp /etc/letsencrypt/csr/0000_csr-certbot.pem /usr/local/etc/letsencrypt/live/mx.your.hostname/mx.your.hostname.csr

       And let's modify the configuration file we created before accordingly, in order to tell certbot where the .csr file is and where to place the certificate:

          domains = mx.your.hostname
          webroot-path = /path/to/webserver/root
          csr = /usr/local/etc/letsencrypt/live/mx.your.hostname/mx.your.hostname.csr
          cert-path = /etc/letsencrypt/live/mx.your.hostname/cert.pem
          fullchain-path = /etc/letsencrypt/live/mx.your.hostname/fullchain.pem
          chain-path = /etc/letsencrypt/live/mx.your.hostname/chain.pem
          rsa-key-size = 4096
          email = info@your.hostname
          text = True
          authenticator = webroot
          renew-by-default = true
          agree-tos = true

       You can try reissuing the certificate with:

          certbot -c /usr/share/etc/leconfig/mx.your.hostname certonly

       Awesome! Your certificate should have been renewed with the same .csr file and private key. Now we can proceed to configuring postfix to use the certificate, private key and intermediate certificate. Look for the following lines in main.cf:

          smtpd_tls_key_file
          smtpd_tls_cert_file
          smtpd_tls_CAfile

       And we will add the paths to the key and the certificate chain:

          smtpd_tls_key_file = /usr/local/etc/letsencrypt/live/mx.your.hostname/privkey.pem
          smtpd_tls_cert_file = /etc/letsencrypt/live/mx.your.hostname/cert.pem
          smtpd_tls_CAfile = /etc/letsencrypt/live/mx.your.hostname/chain.pem

       Restart postfix, and you are ready for the next step!

       Generate your own TLSA record

       We will use the "hash-slinger" package, and it is very simple! Just issue the following on any computer that has an HTTPS connection to your mail server:

          tlsa --create mx.your.hostname

       You will get something like this:

          _443._tcp.mx.your.hostname. IN TLSA 3 0 1 54f3fd877632a41c15b0ff4e50e254ed8d1873486236dc6cd5e9c1c1993d1e4e

       Perfect, you now have the record that you should deploy at your DNS provider, with a slight modification:

          _25._tcp.mx.your.hostname. IN TLSA 3 0 1 54f3fd877632a41c15b0ff4e50e254ed8d1873486236dc6cd5e9c1c1993d1e4e

       Notice how we changed the first part – the port. Two things to keep in mind with this record: it was computed from whatever certificate your web server presents on port 443, so it only matches if that is the same certificate postfix presents on port 25, and because selector 0 hashes the whole certificate (not just the key), the hash changes at every renewal even though the key is reused. A record with selector 1 – the "3 1 1" form seen in the dig output above – hashes only the public key and keeps working for as long as you keep reusing the same .csr.

       After you have published your record, wait a little while and check if it is valid with this tool.

       Thank you for making email awesome again!

       End

       I hope that you found this little guide helpful! Let me know what you think, hook me up on Mastodon on @selea@social.linux.pizza
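       As an added example (my own code, not the post's or hash-slinger's), the following Python script shows what a DANE client does with the record returned by dig above: it builds the owner name (_25._tcp.host), parses the "3 1 1 <hex>" presentation format (usage 3 = DANE-EE, selector 1 = SubjectPublicKeyInfo, matching type 1 = SHA-256), computes the association data for a certificate, and compares the two. The record string is the one from the post; the DER blobs are constructed stand-ins (real ones would be extracted from the certificate, for example with openssl), and a real verifier would additionally require the DNS answer to be DNSSEC-validated. The demo at the bottom also shows why a selector-1 record survives a renewal while a selector-0 record does not.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Meaning of the three numeric fields of a TLSA record (RFC 6698).
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "full certificate", 1: "SubjectPublicKeyInfo"}
MATCHING_TYPES = {0: "exact", 1: "SHA-256", 2: "SHA-512"}
DIGEST_LENGTHS = {1: 32, 2: 64}


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    mtype: int
    data: bytes

    def describe(self) -> str:
        return f"{USAGES[self.usage]}, {SELECTORS[self.selector]}, {MATCHING_TYPES[self.mtype]}"


def tlsa_owner_name(host: str, port: int = 25, proto: str = "tcp") -> str:
    """Build the DNS name the TLSA record lives at, e.g. _25._tcp.mx.example."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def parse_tlsa(presentation: str) -> TLSARecord:
    """Parse the RDATA as printed by `dig TLSA +short`.

    dig may wrap a long digest into several whitespace-separated chunks,
    so everything after the third field is joined before hex-decoding.
    """
    fields = presentation.split()
    if len(fields) < 4:
        raise ValueError("TLSA record needs usage, selector, matching type and data")
    usage, selector, mtype = (int(f) for f in fields[:3])
    if usage not in USAGES or selector not in SELECTORS or mtype not in MATCHING_TYPES:
        raise ValueError("unknown usage/selector/matching type")
    data = bytes.fromhex("".join(fields[3:]))
    expected = DIGEST_LENGTHS.get(mtype)
    if expected is not None and len(data) != expected:
        raise ValueError(f"matching type {mtype} needs {expected} bytes, got {len(data)}")
    return TLSARecord(usage, selector, mtype, data)


def association_data(rec: TLSARecord, cert_der: bytes, spki_der: bytes) -> bytes:
    """What the record's data field must contain for the given certificate."""
    source = cert_der if rec.selector == 0 else spki_der
    if rec.mtype == 0:
        return source
    if rec.mtype == 1:
        return hashlib.sha256(source).digest()
    return hashlib.sha512(source).digest()


def tlsa_matches(rec: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the presented certificate matches the published record."""
    return hmac.compare_digest(association_data(rec, cert_der, spki_der), rec.data)


def record_for(cert_der: bytes, spki_der: bytes, usage: int = 3,
               selector: int = 1, mtype: int = 1) -> str:
    """Render the presentation form of a record for a certificate (default 3 1 1)."""
    rec = TLSARecord(usage, selector, mtype, b"")
    return f"{usage} {selector} {mtype} {association_data(rec, cert_der, spki_der).hex().upper()}"


# The record published for linux.pizza's mail server, as dig printed it in the post.
LINUX_PIZZA_RECORD = (
    "3 1 1 2B4685AC11110AC51D117607C0E58D98AF3FD9A417EF3B5B61210578 67D92111"
)

if __name__ == "__main__":
    rec = parse_tlsa(LINUX_PIZZA_RECORD)
    print(tlsa_owner_name("kebab.linux.pizza"), rec.describe())

    # Constructed stand-ins for DER blobs: the key (SPKI) is reused across a
    # renewal, the certificate wrapped around it is reissued and so changes.
    spki = b"constructed-spki-der"
    cert_before = b"constructed-cert-der-issued-2020"
    cert_after = b"constructed-cert-der-issued-2021"
    by_key = parse_tlsa(record_for(cert_before, spki, selector=1))
    by_cert = parse_tlsa(record_for(cert_before, spki, selector=0))
    print("3 1 1 still valid after renewal:", tlsa_matches(by_key, cert_after, spki))
    print("3 0 1 still valid after renewal:", tlsa_matches(by_cert, cert_after, spki))
```

       Run it directly to see the two renewal outcomes; to check a live server, feed record_for the DER of the certificate and of its SubjectPublicKeyInfo and compare the result with what dig returns for the owner name.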
       
 (DIR) Post #9voXMx7ZI3xwdylreK by jselea@blogs.linux.pizza
       2020-06-06T20:10:38+02:00
       
       0 likes, 5 repeats
       
       The first time I heard about the PineBook Pro was in the spring of 2019, when Pine64 posted their May update which contained information about the PineBook Pro.

       I have been able to try out the original PineBook, since one of my previous colleagues got one. She claimed it was a good buy and that she liked the machine. Well, considering that it only cost $99 – I think there is no real reason to think otherwise!

       However, fast forward to March 2020. My own ThinkPad Helix broke down on me and I was suddenly without a laptop. That meant that I no longer could travel while I was "on call" at work, because I could no longer remote in to work when I needed to. I also had no place to store my stupid collection of webm's either.

       Also, I was not willing to spend too much on a machine – so I had two options:

          – Get a used Librebooted ThinkPad
          – Get the PineBook Pro

       The choice finally fell on the PineBook Pro, because I have started to get an urge to use non-x86 machines as my daily drivers, such as the PineBook Pro and the Blackbird POWER9 Desktop from Raptor Computing.

       I've always been weak for stuff that is not used by too many people, like a specific car model with a specific colour (like my old Mazda 3 2010 in "Celestial Blue") or just plain Motorola phones (not at all popular in Sweden). That was the reason I started with Linux back in 2001, because Windows was everywhere and I wanted to be different – lol.

       I placed the order for the PineBook Pro on the 3rd of April 2020, together with some other essential stuff like:

          – PineBook Pro itself
          – USB-Barrel connector for charging
          – PCI-E to M.2 adapter
          – USB-UART (serial)

       I did forget the USB eMMC reader, but that is something I could get hold of via a local shop.

       Finally, on June the 1st, I got the notification that the order had been shipped from Hong Kong. Pine64 has been very clear that there will be delays thanks to the current pandemic going on, and that is understandable.

       Delivery

       I got the order delivered to my work on June the 4th, since I spend my days there and not at home. Here is what the package looked like: (yes yes, that's my lunch)

       Unboxing and first impression

       I waited to open the package until I came home, since I wanted to show you what the packaging looks like and what you as a possible future customer of Pine64 can expect, with some good music that has a high chance of making you feel nostalgic:

       The Pinebook Pro looks slick, feels sturdy and does not flex as much as you would expect from a $200 laptop.

       The rest of Day 1 was spent on trying to like Manjaro as a system. Manjaro works very well on the Pinebook Pro – it is snappy and looks great on it. If you are buying the Pinebook just as a "browser + ssh" machine (as someone on fedi called it) – I would recommend sticking with the Manjaro that is delivered with the Pinebook Pro.

       Day 2, Bye Manjaro – Hi Debian

       I am not a fan of Manjaro, and trust me – I have really tried to like it! My personal feeling is that Manjaro is messy – but that is probably because I do not like Arch Linux at all.

       Anyway, I was thinking about switching over to Debian instead, since I am more used to it and the image has come a long way since the first version. I flashed a MicroSD card with this Debian image, booted it and downloaded this script that installs Debian for you on the eMMC card. The installation took 15-20 minutes for me, since I am blessed with a fast and stable internet connection.

       I did have trouble getting into the Desktop Environment on Bullseye (Testing), so I installed Debian Buster instead and that seems to have solved it. And I want to use it as a daily driver, so a stable system is not wrong :)

       Day 3, why the ("%¤ does it take a day to charge the Pinebook?

       One thing that has started to bother me is that the battery takes several hours to fully charge from zero. I have given that a lot of thought and I think the reason is that I have become used to the fast charging that exists in most modern smartphones today.

       The VERY BIG PLUS is that you can charge it several ways. You can use the official ROCKPRO PSU (the one that is stuck in my outlet), you can use a USB to "power" adapter, and you can also charge it with USB-C. The latter one is a HUGE advantage and one of the biggest "cool factors" of the Pinebook. That means that I can charge the Pinebook on the go: with an ordinary powerbank, in my car or at someone else's house even if I forgot my own PSU.

       What do I like/dislike?

       The keyboard

       After a few days of typing on the machine, I have come to like the keyboard. It does not feel bad at all. Since it is an ISO keyboard with a physical UK layout, I can use it with a Swedish layout in Debian. Luckily, I am very used to typing, so I am not noticing that the physical layout is different since I don't look at the keyboard when I type. Writing this blog post feels great too!

       Headphone jack?

       I started to watch a movie on the Pinebook with my headphones that I had just plugged into the headphone jack, and suddenly all my kids came up to me and wondered what I was watching, so I took my headphones off and realized that the sound was playing on the speakers and my headphones at the same time. I do realize that this is probably something that Debian Buster has issues with. I connected my Bluetooth headset instead and could watch in peace.

       Charging takes many hours

       I wrote about that earlier, but it is worth mentioning here too. Charging the PineBook Pro does take a very long time. I have tested the charger that arrives with the machine and other supposedly "stronger" USB chargers as well. I think that the reason is that I have gotten used to fast-charging my phone, and the ability to wait is something that we have lost the last few years.

       Anyway, the battery lasts 7-9 hours with normal use on Debian Buster with maximum screen brightness and "tilda" running in fullscreen with tmux and a couple of ssh sessions – perfectly fine! Remember that you can charge it practically anywhere with almost any USB charger, whether it is a wall-plugged one, solar-driven or other powerbanks. That fact makes this machine very portable and flexible. Perfect for the trip!

       Closing words

       I can compress my experience into this sentence: The more I use the PineBook Pro – the more I realize that THIS is the laptop I always wanted!

       Wow, those are pretty big words! I will try to explain why.

       First of all – the Pinebook Pro is the result of the hard work of the team over at Pine64. The machine has been made "as a community service" to provide a cheap, hackable and fun laptop to hackers, advanced users and pioneers on the AARCH64 platform. I really get the feeling that there is no greed for revenue, unlike other companies – that is worth supporting!

       The machine is not made with planned obsolescence – the scary and sad trend that is going on with tech companies nowadays. You can buy every single part of this machine from the Pine64 shop, so you can repair it if you need to.

       The community is great! I have been hanging out in the Pinebook Pro chat on Matrix and the folks over there are very helpful and excited about the product that Pine64 has released.

       At last, I think most of the Pinebook Pro users would love to use the Manjaro ARM that is shipped with the machine by default. Manjaro has done a great job on increasing performance and stability of the builds and it does not seem to stop!

       I will cover more aspects of the Pinebook Pro in the future, like multimedia performance such as video playback, simple gaming, USB-C docking capabilities and installation of the M.2 drive.
       
 (DIR) Post #9x2JzX4NjjHF8pH984 by jselea@blogs.linux.pizza
       2020-07-13T09:39:12+02:00
       
       0 likes, 2 repeats
       
       And the possible future it has

       The TL;DR of this post is:

          – Linux.Pizza will not actively deploy new services
          – Linux.Pizza is going to discontinue some services within 12 months (from when this post was made)
          – Linux.Pizza will focus on Mastodon, mirroring distros and DNS.

       You might wonder why; if so – please continue to read.

       The short version is – I have realized that I am not able to deliver quality services anymore. And this is due to lack of time, funding and increased stress at my main job.

       And the longer version:

       One year ago, I was "forced" to change job in order to make things work with my family – the kids started school and my wife returned to studies. I couldn't work 40 minutes from home anymore and needed something closer to home. So I switched, even if I hated the fact that I had to.

       Anyway, the new job is great! And as the only Systems Administrator I am responsible for everything IT, and I have a lot of freedom when it comes to the software stack the company will use and so on. I recently deployed Nextcloud and Matrix, which has been great!

       Family takes more time

       My kids are getting bigger, and I have decided to spend more time with them instead of in front of the PC. I have actually realized that I can't miss the time that I have with my family, so I have to prioritize while I can.

       Work takes a lot of time as well

       My new role and the new job that I got have brought a lot of "unwanted" responsibilities – I tend to take stuff way too personally when it comes to IT stuff where I work. If something goes wrong – I blame myself very much. And that needs to stop as well.

       Linux.Pizza is not going to disappear

       While Linux.Pizza is down-scaling – it will not disappear! The social aspect of Mastodon has been very good and important for me at least – I see it as a "premium social network". It costs some money every month but I think it is worth it actually, since I have gotten to know many good people from different cultures, geographic locations, religions and political backgrounds, and that has been very refreshing!

       mirror.linux.pizza is also going to be a thing – it is an official mirror for many distros and shutting that down would be very irresponsible.

       FreeDNS is also going to stay active as well.

       So in short – Linux.Pizza will offer some services, but only those that I want, and I will not wake up in the middle of the night anymore to fix broken services as I have the past years.

       "If it ain't fun – don't do it!" – Someone on Mastodon

       I hope that you understand, and if you are in need of other services similar to those Linux.Pizza has offered – please check out The Librehosters Network.
       
 (DIR) Post #9ycV3OX4AzHmyVUBii by jselea@blogs.linux.pizza
       2020-08-29T18:23:55+02:00
       
       0 likes, 1 repeats
       
       I am a fan of jalapeños and chilies in general, and this year I had some luck with the weather so my only jalapeño plant did pretty well. So today, we are going to pickle the jalapeños.

       What you will need

          Garlic (a couple of smashed cloves or powder is fine)
          0.45 dl Sugar
          15 ml Salt
          3 dl White Vinegar
          3 dl Water
          ~400 grams of fresh Jalapeños (or other chilies)

       The procedure

       I decided to slice the jalapeños together with three quite big cloves of garlic. Then, mix water, vinegar, salt and sugar in a pot. Let the sugar and salt dissolve and wait until the mix starts to boil a little. Then, just add the jalapeños and garlic. Let it simmer for 5 minutes. Lastly, put it into your glass container of choice!

       This should last a couple of months, and goes well with tacos, pizza or, if you are like me – on EVERYTHING!

       Done and easy! Everyone can do this, and it works with almost anything. I also did this with unripe tomatoes, and it tasted very good too!
       
 (DIR) Post #A6Snvf2bMcatKh1yPQ by jselea@blogs.linux.pizza
       2021-04-21T07:05:22Z
       
       0 likes, 1 repeats
       
       Luckily, this is quite easy – for now. Just add the "Permissions-Policy: interest-cohort=()" header in your web server. This can be done as follows (the header name goes without the colon, and the value is quoted):

       In Apache (including .htaccess):

          Header always set Permissions-Policy "interest-cohort=()"

       In Nginx:

          add_header Permissions-Policy "interest-cohort=()";

       That's it!
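       As an added example (my own code, not from the post), here is a small Python check that a site really emits the header correctly: it parses a Permissions-Policy value into a feature-to-allowlist map and reports whether interest-cohort is set to the empty allowlist, which is what disables it. The three header sets at the bottom are constructed: one correct, one where the header is missing, and one where an allowlist was left in so the feature is not actually disabled. The check_url helper assumes the site is reachable over HTTP(S) and is not exercised by the demo.

```python
import re
from typing import Dict, List, Mapping, Optional


def parse_permissions_policy(value: str) -> Dict[str, List[str]]:
    """Parse `feature=(allowlist), other=()` into {feature: [allowlist tokens]}.

    An empty allowlist `()` disables the feature for every origin. The
    shorthand `feature=self` (one token without parentheses) is accepted too.
    """
    policy: Dict[str, List[str]] = {}
    # Split on commas that are not inside an allowlist's parentheses.
    for directive in re.split(r",(?![^()]*\))", value):
        name, sep, allowlist = directive.strip().partition("=")
        if not sep:
            continue  # not a feature=allowlist pair, ignore it
        allowlist = allowlist.strip()
        if allowlist.startswith("(") and allowlist.endswith(")"):
            tokens = allowlist[1:-1].split()
        else:
            tokens = [allowlist] if allowlist else []
        policy[name.strip().lower()] = tokens
    return policy


def header_value(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup, since header names are case-insensitive on the wire."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def interest_cohort_disabled(headers: Mapping[str, str]) -> bool:
    """True only when Permissions-Policy is present and contains interest-cohort=()."""
    value = header_value(headers, "Permissions-Policy")
    if value is None:
        return False
    return parse_permissions_policy(value).get("interest-cohort") == []


def check_url(url: str) -> bool:
    """Fetch a live site's response headers and run the check on them."""
    from urllib.request import urlopen
    with urlopen(url) as resp:
        return interest_cohort_disabled(dict(resp.headers.items()))


# Constructed responses: a correctly configured server, one that lost the
# header, and one whose header still names an allowlist.
GOOD = {"Permissions-Policy": 'geolocation=(self "https://maps.example"), interest-cohort=()'}
MISSING = {"Content-Type": "text/html"}
WRONG = {"permissions-policy": "interest-cohort=(self)"}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD), ("missing", MISSING), ("wrong", WRONG)):
        print(f"{label}: interest-cohort disabled = {interest_cohort_disabled(hdrs)}")
```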
       
 (DIR) Post #A90xfxADFa5bNTz90K by jselea@blogs.linux.pizza
       2021-07-06T14:18:39Z
       
       0 likes, 0 repeats
       
       Took me ages to figure this out, so I am noting it down for my future self.

          apiVersion: v1
          kind: PersistentVolume
          metadata:
            name: k3s-pv
          spec:
            capacity:
              storage: 1Gi
            accessModes:
              - ReadWriteOnce
            nfs:
              path: /nfs/remote/k3s
              server: 1.1.1.1
            persistentVolumeReclaimPolicy: Retain
            claimRef:
              namespace: default
              name: k3s-pvc
          ---
          apiVersion: v1
          kind: PersistentVolumeClaim
          metadata:
            name: k3s-pvc
          spec:
            accessModes:
              - ReadWriteOnce
            resources:
              requests:
                storage: 1Gi

       Hope this helps
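       As an added example (my own code, not from the post), the Python below encodes the rules that decide whether a PersistentVolume and a PersistentVolumeClaim will bind, which is what makes the claimRef trick above work: the volume must offer every access mode the claim asks for, be at least as large as the request, carry the same storageClassName, and, when it has a claimRef, be reserved for exactly that namespace/name. The two manifests are the post's, written as Python dicts so no YAML library is needed. The checker treats a missing storageClassName as empty on both sides; on a cluster that has a default StorageClass (k3s ships local-path as one), the admission controller fills a missing class into the claim, so setting storageClassName: "" explicitly on the PVC keeps it from being dynamically provisioned instead of binding to this PV.

```python
from typing import List

# Multipliers for the quantity suffixes Kubernetes accepts for storage.
BINARY = {"Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3, "Ti": 1024 ** 4}
DECIMAL = {"k": 10 ** 3, "M": 10 ** 6, "G": 10 ** 9, "T": 10 ** 12}


def parse_quantity(q: str) -> int:
    """Convert a storage quantity such as '1Gi', '500M' or '1073741824' to bytes."""
    q = q.strip()
    for suffix, mult in list(BINARY.items()) + list(DECIMAL.items()):
        if q.endswith(suffix):
            return int(float(q[: -len(suffix)]) * mult)
    return int(q)


def binding_problems(pv: dict, pvc: dict, pvc_namespace: str = "default") -> List[str]:
    """Return the reasons this PV and PVC would not bind; an empty list means they fit."""
    problems: List[str] = []
    pv_spec, pvc_spec = pv["spec"], pvc["spec"]
    pv_name, pvc_name = pv["metadata"]["name"], pvc["metadata"]["name"]

    # Every access mode the claim asks for must be offered by the volume.
    missing = set(pvc_spec.get("accessModes", [])) - set(pv_spec.get("accessModes", []))
    if missing:
        problems.append(f"PV lacks access modes {sorted(missing)}")

    # The volume must be at least as large as the request.
    requested = parse_quantity(pvc_spec["resources"]["requests"]["storage"])
    capacity = parse_quantity(pv_spec["capacity"]["storage"])
    if capacity < requested:
        problems.append(f"PV capacity {capacity} B < requested {requested} B")

    # Storage classes must be identical; a static PV has none, so the claim
    # must have none either (an unset class is treated as "" here).
    if pv_spec.get("storageClassName", "") != pvc_spec.get("storageClassName", ""):
        problems.append("storageClassName differs")

    # A PV pre-bound via claimRef only accepts that exact claim.
    ref = pv_spec.get("claimRef")
    if ref and (ref.get("namespace"), ref.get("name")) != (pvc_namespace, pvc_name):
        problems.append(f"PV is reserved for {ref.get('namespace')}/{ref.get('name')}")

    # A claim that names a volume only accepts that volume.
    if pvc_spec.get("volumeName") not in (None, pv_name):
        problems.append(f"PVC asks for volume {pvc_spec['volumeName']}")

    return problems


# The two manifests from the post, as dicts.
PV = {
    "apiVersion": "v1", "kind": "PersistentVolume",
    "metadata": {"name": "k3s-pv"},
    "spec": {
        "capacity": {"storage": "1Gi"},
        "accessModes": ["ReadWriteOnce"],
        "nfs": {"path": "/nfs/remote/k3s", "server": "1.1.1.1"},
        "persistentVolumeReclaimPolicy": "Retain",
        "claimRef": {"namespace": "default", "name": "k3s-pvc"},
    },
}
PVC = {
    "apiVersion": "v1", "kind": "PersistentVolumeClaim",
    "metadata": {"name": "k3s-pvc"},
    "spec": {
        "accessModes": ["ReadWriteOnce"],
        "resources": {"requests": {"storage": "1Gi"}},
    },
}

if __name__ == "__main__":
    print("post's manifests:", binding_problems(PV, PVC) or "bind OK")
    # Constructed variation: the same claim applied in another namespace.
    print("claim in namespace apps:", binding_problems(PV, PVC, pvc_namespace="apps"))
```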
       
 (DIR) Post #AEV8G0mnISbPceJ8fA by jselea@blogs.linux.pizza
       2021-12-17T16:46:39Z
       
       0 likes, 2 repeats
       
       This fall has been busy for me, and when I am busy I like to experiment and play with stuff – especially IT and nerdy stuff. This brings me back to the days when I started with Linux; for me it was new, cool and different. Nowadays I feel like it is not so different.

       So, being the hipster that I am, I set out to find something new. I've already tried and played with OmniOS a couple of years back and I liked it. And during my quest to get it on an iPXE server – I found out about Tribblix.

       Tribblix is an Illumos distribution with a retro feel. And that I liked. The iPXE setup was easy, since Peter Tribble – the creator and maintainer of Tribblix – already has an iPXE server up and running. So I just used the ready-made target at http://pkgs.tribblix.org/m24/ipxe.txt and got it up and running according to the installation instructions provided by Tribblix here: http://www.tribblix.org/install.html

       Enter Tor – and the recent news that Russia has decided to block Tor nationwide. I must say that I do understand why they did it from an IT-security perspective – a lot of crap is originating from Russia. That is an undisputed fact. However, from a freedom perspective – this is making an already bad situation even worse. So what a perfect opportunity to run a Tor relay on a SunOS machine! Currently, there are only 5 relays running on a Solaris/SunOS based kernel (including one of mine). Let's change that – more diversity in the Tor network is a good thing.

       So, assuming that you have installed Tribblix, let's pull down the Tribblix overlay called "develop":

          zap install develop

       This takes a couple of minutes, and what it does is download and install all the necessary packages you need to build Tor.

       We also need libevent, since Tor requires it. And the TRIBlibev package is like libevent – but not really – so we need to compile it manually. Download the latest stable version from GitHub, and extract it as shown below:

          wget https://github.com/libevent/libevent/releases/download/release-2.1.12-stable/libevent-2.1.12-stable.tar.gz
          tar -xvf libevent-2.1.12-stable.tar.gz

       Let's also pull down the Tor source code and extract it:

          wget https://dist.torproject.org/tor-0.4.6.9.tar.gz
          tar -xvf tor-0.4.6.9.tar.gz

       Neither download is checked here before it is built as root's toolchain input; the Tor Project publishes a .sha256sum file and a signature over it next to each tarball, and the libevent release carries a signature as well, so compare those before extracting.

       Great, now you should have everything you need in order to get started.

       Navigate to the libevent directory you just extracted, and run the following:

          ./configure --prefix=/tmp/mc --enable-static --disable-shared
          gmake
          gmake install

       This will create a static and temporary copy of libevent in the /tmp/mc directory; we will use that in the compilation of Tor.

       When the compilation of libevent is done, navigate to the Tor directory and run the following:

          ./configure --with-libevent-dir=/tmp/mc MAKE="gmake"
          gmake
          gmake install

       The procedure is quite similar to the libevent compilation.

       When gmake install is done, you can find the Tor config files in /usr/local/etc/tor/ and the binaries in /usr/local/bin/. Configure the torrc file according to your needs; read the Tor Project's Post Install Guide and follow the recommendations.

       You can now run tor by just typing tor in your terminal – and you now have a relay running. For now, you can use tmux in order to run it in the background.

       Thanks to Peter Tribble, who told me to get libevent into the system.
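       As an added example (my own code, not the post's or the Tor Project's), the Python below is the check I would put between the wget and the tar steps above: it hashes the downloaded tarball, compares it in constant time with the expected SHA-256 taken from the published .sha256sum line, and only then extracts it, refusing any archive member whose path would escape the destination directory. The expected digest is passed in rather than fetched, because the point is to compare against a value obtained separately from the tarball itself. run_demo builds a constructed tarball in a temporary directory so the whole thing runs offline.

```python
import hashlib
import hmac
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, Tuple


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 of a file, read in chunks so big tarballs do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_sha256sum_line(line: str) -> Tuple[str, str]:
    """Split a `sha256sum`-style line ('<hex>  <file>') into (hex, file)."""
    digest, name = line.split(maxsplit=1)
    return digest.lower(), name.strip().lstrip("*")


def verify_sha256(path: Path, expected_hex: str) -> bool:
    """Constant-time comparison of the file's digest with the published one."""
    return hmac.compare_digest(sha256_file(path), expected_hex.lower())


def verify_and_extract(archive: Path, expected_hex: str, dest: Path) -> Path:
    """Extract `archive` into `dest` only if its SHA-256 matches `expected_hex`.

    Members whose path would land outside `dest` are refused as well, so a
    tampered archive cannot write elsewhere on the build host.
    """
    if not verify_sha256(archive, expected_hex):
        raise ValueError(f"{archive.name}: SHA-256 mismatch, refusing to extract")
    dest = dest.resolve()
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive) as tar:
        for member in tar.getmembers():
            target = (dest / member.name).resolve()
            if target != dest and dest not in target.parents:
                raise ValueError(f"{member.name}: path escapes {dest}")
        # Newer Pythons ship a 'data' filter that also strips dangerous metadata.
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, **extra)
    return dest


def run_demo() -> Dict[str, object]:
    """Build a constructed tarball, then show one accepted and one rejected extraction."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        src = work / "demo-1.0"
        src.mkdir()
        (src / "README").write_text("constructed demo payload\n")
        archive = work / "demo-1.0.tar.gz"
        with tarfile.open(archive, "w:gz") as tar:
            tar.add(src, arcname="demo-1.0")
        good_hash = sha256_file(archive)  # stands in for the published .sha256sum value

        out = verify_and_extract(archive, good_hash, work / "build")
        extracted = (out / "demo-1.0" / "README").read_text()
        try:
            verify_and_extract(archive, "0" * 64, work / "build-bad")
            rejected = False
        except ValueError:
            rejected = True
        return {
            "good_hash_accepted": verify_sha256(archive, good_hash),
            "bad_hash_rejected": rejected,
            "extracted": extracted,
        }


if __name__ == "__main__":
    print(run_demo())
```

       For the real tarball, read the digest with parse_sha256sum_line from the downloaded .sha256sum file (after checking its signature) and call verify_and_extract(Path("tor-0.4.6.9.tar.gz"), digest, Path(".")).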
       
 (DIR) Post #AJVZeTnFJBaQzUxvsW by jselea@blogs.linux.pizza
       2022-05-16T11:26:33Z
       
       0 likes, 1 repeats
       
       There are many reasons why you would like to have a local docker registry, and being cool is one of them. This is how you do it on Debian. Well, let's go!

       Install the package:

          apt install docker-registry

       Tell the machine you are going to pull from that the registry is "unsafe" (non-https), in /etc/docker/daemon.json:

          {"insecure-registries":[
            "docker.internal:5000",
            "registry.linux.pizza:5000"
          ]}

       Keep in mind that with an insecure registry the basic-auth credentials below and every image layer cross the network in clear text, so only do this on a network you trust.

       Create a basic-auth on your registry:

          htpasswd -Bbn dockeruser registrypassword > /etc/docker/registry/.htpasswd

       Login to the registry from your host:

          docker login -u dockeruser registry.linux.pizza:5000

       Don't forget to restart docker!

       Have fun!

       #docker #dockerregistry #registry #debian #linux
       
 (DIR) Post #ANNmxJCHH5EZrwj2Aq by jselea@blogs.linux.pizza
       2022-09-09T08:40:25Z
       
       0 likes, 0 repeats
       
       Personal note with example IPv4s. Maybe this could be useful for your DNS server as well.

          #!/bin/sh
          IPT="/sbin/iptables"

          # Flush old rules, old custom tables
          $IPT --flush
          $IPT --delete-chain

          # Set default policies for all three default chains
          $IPT -P INPUT DROP
          $IPT -P FORWARD DROP
          $IPT -P OUTPUT ACCEPT

          # Enable free use of loopback interfaces
          $IPT -A INPUT -i lo -j ACCEPT
          $IPT -A OUTPUT -o lo -j ACCEPT

          # All TCP sessions should begin with SYN
          $IPT -A INPUT -p tcp ! --syn -m state --state NEW -s 0.0.0.0/0 -j DROP

          # Accept inbound TCP packets
          $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

          # Traffic from Ports
          $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -s 192.168.69.0/24 -j ACCEPT
          $IPT -A INPUT -p udp -m udp --dport 53 -s 192.168.69.X/32 -j ACCEPT
          $IPT -A INPUT -p tcp --dport 53 -m state --state NEW -s 192.168.69.X/32 -j ACCEPT
          $IPT -A INPUT -p tcp --dport 5666 -m state --state NEW -s 192.168.69.X/32 -j ACCEPT

          # Flood protection for DNS UDP
          # See: /proc/net/ipt_hashlimit/DNS
          #iptables -A INPUT -p udp --dport 53 -m state --state NEW \
          #  -m hashlimit \
          #  --hashlimit-above 300/sec \
          #  --hashlimit-mode srcip \
          #  --hashlimit-name DNS \
          #  --hashlimit-htable-expire 60000 \
          #  -j DROP

          $IPT -A INPUT -p tcp --dport 53 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT  # - DNS

          # Accept inbound UDP packets
          $IPT -A INPUT -p udp -m udp --dport 53 -s 0.0.0.0/0 -j ACCEPT

          # Accept inbound ICMP packets
          #$IPT -A INPUT -p ICMP --icmp-type 8 -s 0.0.0.0/0 -j ACCEPT
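       As an added example (my own code, not from the post), the Python below models what the commented-out hashlimit rule above would do, so the threshold can be tried against real query logs before the rule is switched on: a per-source sliding-window counter that flags every query beyond 300 in one second from the same source and forgets sources that have been idle for 60 seconds, mirroring --hashlimit-above 300/sec, --hashlimit-mode srcip and --hashlimit-htable-expire 60000. hashlimit proper is a token bucket rather than a strict sliding window, so counts can differ slightly at the edges. The events are constructed: one source sends 400 queries inside a second, another sends one every 100 ms.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Tuple


class PerSourceRateLimiter:
    """Sliding-window query counter per source address.

    A source with more than `limit` queries in any `window` seconds has its
    excess queries dropped; sources idle for longer than `expire` seconds are
    forgotten, like --hashlimit-htable-expire.
    """

    def __init__(self, limit: int = 300, window: float = 1.0, expire: float = 60.0):
        self.limit, self.window, self.expire = limit, window, expire
        self.recent: Dict[str, Deque[float]] = defaultdict(deque)
        self.last_seen: Dict[str, float] = {}

    def observe(self, ts: float, src: str) -> bool:
        """Record one query from `src` at time `ts`; return True if it should be dropped."""
        q = self.recent[src]
        while q and ts - q[0] > self.window:
            q.popleft()  # slide the window forward
        q.append(ts)
        self.last_seen[src] = ts
        return len(q) > self.limit

    def sweep(self, now: float) -> int:
        """Forget sources idle longer than `expire`; return how many were removed."""
        idle = [s for s, t in self.last_seen.items() if now - t > self.expire]
        for s in idle:
            del self.recent[s]
            del self.last_seen[s]
        return len(idle)


def classify(events: Iterable[Tuple[float, str]], limit: int = 300) -> Dict[str, Tuple[int, int]]:
    """Run the limiter over (timestamp, source) pairs; return {source: (total, dropped)}."""
    limiter = PerSourceRateLimiter(limit=limit)
    totals: Dict[str, int] = defaultdict(int)
    dropped: Dict[str, int] = defaultdict(int)
    for ts, src in sorted(events):
        totals[src] += 1
        if limiter.observe(ts, src):
            dropped[src] += 1
    return {src: (totals[src], dropped[src]) for src in totals}


def constructed_events() -> List[Tuple[float, str]]:
    """Constructed sample: one source floods 400 queries within a second,
    another sends a query every 100 ms, well under the limit."""
    flood = [(i * 0.0025, "203.0.113.5") for i in range(400)]
    normal = [(i * 0.1, "198.51.100.7") for i in range(10)]
    return flood + normal


if __name__ == "__main__":
    for src, (total, dropped) in classify(constructed_events()).items():
        print(f"{src}: {total} queries, {dropped} would be dropped")
```

       To try it on real data, build the event list from the resolver's query log (timestamp and client address per line) and adjust the limit until legitimate resolvers no longer show up as dropped.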
       
 (DIR) Post #APIwlvjnZjhloNirs8 by jselea@blogs.linux.pizza
       2022-09-10T18:41:49Z
       
       1 likes, 1 repeats
       
       This short writeup will guide you on how to do it on Debian-based and Fedora systems. We begin with installing postfix and the required packages for authentication.

       First – double-check that your machine has a Fully Qualified Domain Name set in the hosts file; this will save you a lot of headaches in the future. My machine is named "T15.domain.tld" – so emails will be arriving from "user@T15.domain.tld".

       Debian:

          apt-get install postfix mailutils libsasl2-2

       Fedora:

          dnf install postfix mailx cyrus-sasl cyrus-sasl-plain

       Next, we will create the sasl password file and hash it:

          echo "[relay.domain.tld]:587 username:password" > /etc/postfix/sasl
          postmap /etc/postfix/sasl

       Both /etc/postfix/sasl and the generated sasl.db hold the password in clear text, so keep them readable by root only (chmod 600 /etc/postfix/sasl*).

       Great, now we have to tell postfix (in main.cf) that all emails sent via it should be relayed through the SMTP relay:

          relayhost = [relay.domain.tld]:587
          smtp_use_tls = yes
          smtp_sasl_auth_enable = yes
          smtp_sasl_security_options =
          smtp_sasl_password_maps = hash:/etc/postfix/sasl
          smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

       Note that smtp_use_tls = yes only gives opportunistic TLS, and the empty smtp_sasl_security_options permits plaintext mechanisms, so if the relay ever fails to offer STARTTLS the credentials would be sent in clear text; smtp_tls_security_level = encrypt makes TLS mandatory for the relay instead.

       Restart postfix and check the log, so everything looks good. Test your setup:

          echo "This is a test" | mail -s "Just a test" destination_email@domain.tld

       You can check the status of the mail queue with the command mailq. And that's about it!
       
 (DIR) Post #APQH22rUWG4XBk9Pfs by jselea@blogs.linux.pizza
       2022-11-09T09:14:49Z
       
       1 likes, 2 repeats
       
       Personal note, I always forget:

          docker stop $(docker ps -aq) && docker rm $(docker ps -aq)

       Now I'll remember it.
       
 (DIR) Post #APry04Jpl1DKs0vcMS by jselea@blogs.linux.pizza
       2022-11-22T17:51:14Z
       
       2 likes, 2 repeats
       
       Have you ever installed packages from third-party repositories, only to later realize that it was not the best idea? No? Well – I have. But from now on, I won't do it, and will instead utilize chroot!

       In this section, we'll cover how to create a Debian chroot on your Debian-based system (yes, this works on Ubuntu as well).

       Install the package debootstrap:

          apt update; apt install debootstrap

       Now, create a directory anywhere of your choosing, for example in /srv:

          mkdir /srv/chroot

       Great. Now depending on what you want, perform any of the following:

          debootstrap bullseye /srv/chroot http://ftp.us.debian.org/debian
          debootstrap jammy /srv/chroot http://archive.ubuntu.com/ubuntu

       You should see it pull down all the packages needed for the distro to start, and when it is complete – you can enter the chroot:

          chroot /srv/chroot

       That's it! Now you can install, test or compile your packages as usual. And when you are done, you can simply remove the directory and start fresh – if you want.

       Keep in mind that a chroot only keeps the packages apart from your host system; it is not a security boundary, since a root process inside it can still break out, so it is no substitute for a container or a VM when you run software you do not trust.
       
 (DIR) Post #AQEjpoM5KE6xk1H45o by jselea@blogs.linux.pizza
       2022-12-03T15:46:53Z
       
       1 likes, 1 repeats
       
       Linux's distant cousin – OmniOS

       Not so long ago, there were plenty of cousins alive and well in the world. You may have heard about Solaris, IRIX, AIX, HP-UX – in this post, we will install the grandchild of "SunOS", called OmniOS.

       OmniOS is based on the Illumos kernel – a fork of the long forgotten and abandoned OpenSolaris kernel that famously was killed by Oracle shortly after the takeover of Sun Microsystems (rest in peace).

       I personally am not fond of a homogeneous IT world, where every system is basically the same. I do think that diversity is good. So I hope that I can get you as a reader interested in different Linux alternatives (that are not BSD).

       So, pick the hypervisor you want (Proxmox, VMware, AHV, VirtualBox) and navigate to https://omnios.org/download to download the latest stable .iso. The installation itself is very straightforward, so I'll be skipping that part here.

       When you have installed the system and rebooted – we need to get networking up and running. Login to the machine with the user "root", and no password.

       Let's enable networking, starting by displaying the network ports on your system. In my case – I'm using a virtualized Intel e1000 network card (available in basically every hypervisor):

          dladm show-link -o link

       Output:

          LINK
          e1000g0

       Great, since this virtual machine only has a single NIC – this output is expected.

       Let's create the interface, give it an IPv4 address and add a default route via the network gateway:

          ipadm create-if e1000g0
          ipadm create-addr -T static -a 192.168.2.38/24 e1000g0/v4
          route -p add default 192.168.2.254

       Verify that you have a network connection with ping:

          ping 8.8.8.8
          8.8.8.8 is alive

       DNS resolution is not yet working, so we have to take care of that. Let's modify /etc/resolv.conf with the following:

          echo "domain local.lan" > /etc/resolv.conf
          echo "nameserver 192.168.1.254" >> /etc/resolv.conf

       In some cases, I have had to overwrite nsswitch.conf as well:

          cat /etc/nsswitch.dns > /etc/nsswitch.conf

       We should be able to resolve our way onto the internet now:

          ping linux.pizza
          linux.pizza is alive

       Create a user and enable SSH. Most of you will probably recognize the steps, since they are fairly basic and do not differ much from how you would do it on a modern Linux machine.

       Let's start by creating a user:

          useradd -m -d /home/jonathan -s /bin/bash jonathan

       And set a password for the user (you can do it for the root user as well):

          passwd jonathan
          New password:
          ...

       And last, enable the SSH service:

          svcadm enable ssh

       Great, you should now be able to SSH into the machine with the user you just created. You can elevate yourself to the root user with the "su" command. Not that complicated, right?

       Let's update the system. First refresh the package information from the repositories, then update:

          pkg refresh
          pkg update

       Just let this run, and your system will be updated. In some cases, your system will have to reboot.

       And here is where OmniOS shines – you can reboot your system, test it after you have performed the updates, and if stuff does not really work, you can simply roll back the changes you've made with beadm.

       After you have rebooted your system, check the output of beadm list:

          root@omnios:~# beadm list
          BE               Active Mountpoint Space  Policy Created
          omnios-r151038an -      -          65.40M static 2022-12-03 15:35
          omnios-r151038ca NR     /          1.35G  static 2022-12-03 16:14

       You'll see two environments, and the one marked with "NR" is the currently active one. If you want to roll back, you could execute (in my case) beadm activate omnios-r151038an:

          root@omnios:~# beadm activate omnios-r151038an
          Activated successfully
          root@omnios:~# beadm list
          BE               Active Mountpoint Space   Policy Created
          omnios-r151038an R      -          869.15M static 2022-12-03 15:35
          omnios-r151038ca N      /          580.90M static 2022-12-03 16:14

       Then do a quick reboot to boot into the active one. Let's check the current active environment after the system has rebooted:

          root@omnios:~# beadm list
          BE               Active Mountpoint Space   Policy Created
          omnios-r151038an NR     /          872.95M static 2022-12-03 15:35
          omnios-r151038ca -      -          583.64M static 2022-12-03 16:14

       And we can see that the old one, created at 15:35, is the one that is currently active. We can now remove the newer one, since we don't need it anymore:

          root@omnios:~# beadm destroy omnios-r151038ca
          Are you sure you want to destroy omnios-r151038ca?
          This action cannot be undone (y/[n]): y
          Destroyed successfully
          root@omnios:~# beadm list
          BE               Active Mountpoint Space   Policy Created
          omnios-r151038an NR     /          748.05M static 2022-12-03 15:35

       So, what is the practical / real world use for OmniOS? Since OmniOS uses ZFS, anything storage-related makes sense, such as a Network Attached Storage (NAS) or even a Virtual Machine host with the bhyve hypervisor – which itself is very interesting.

       If you are interested in more, you can check out my older post about Tribblix here.

       #unix #solaris #omnisos #illumos #tribblix #zfs
       
 (DIR) Post #AQKZhFRLQDOWXmlvZw by jselea@blogs.linux.pizza
       2022-12-06T13:06:45Z
       
       0 likes, 1 repeats
       
Here is a post about Windows for a change.

If you want to check whether you can query an NTP server from your Windows machine, you can just use the following:

    w32tm /stripchart /computer:computername

For example:

    w32tm /stripchart /computer:ntp.netnod.se

If everything works, you'll see something like this:

    Tracking ntp.netnod.se [194.58.200.20:123].
    The current time is 2022-12-06 14:06:13.
    14:06:13, d:+00.0260863s o:+00.0277480s  [      *      ]

Have a pleasant Tuesday

#windows #ntp
       
 (DIR) Post #ARWrcGhn81DgKAtq3E by jselea@blogs.linux.pizza
       2023-01-11T08:58:22Z
       
       0 likes, 1 repeats
       
Hopefully this will save some of you a lot of time and energy, and save your day.

I recently had trouble getting a job to work. The short story is: download all files in a remote catalogue, over SFTP, at certain times.

I had a working solution with curl, but when the naming of the files changed (such as whitespaces) – the function broke.

lftp – the saver

After having spent a couple of hours trying to grasp lftp via the manpage, I came up with a solution:

    lftp -c 'open sftp://USER:PASSWORD@remoteserver.example.com:22; mirror --verbose --use-pget-n=8 -c /remote/catalogue/ /local/catalogue/'

This downloads all files in the specified remote catalogue to the specified local one, then exits.

#linux #bash #sftp #lftp
       
 (DIR) Post #AT8H3fNpDHoMEAY2yW by jselea@blogs.linux.pizza
       2023-02-28T08:04:47Z
       
       1 likes, 1 repeats
       
Just some random #kubectl commands for myself. I have tested these on 1.21 <> 1.25.

Get all ingress logs (if your ingress is nginx):

    kubectl logs -n ingress-nginx -l app.kubernetes.io/name=ingress-nginx

Get all logs from a Deployment:

    kubectl logs deployment/<deployment> -n <namespace>

Why is the pod stuck in “ContainerCreating”?

    kubectl get events --sort-by=.metadata.creationTimestamp

I'll add more when I find more useful stuff.

#linux #k8s #kubernetes #kubectl #ingress #nginx #deployment #logs
       
 (DIR) Post #AU2wvx9emFK9PmQmzg by jselea@blogs.linux.pizza
       2023-03-27T16:33:51Z
       
       2 likes, 2 repeats
       
6 years ago, I saw a post somewhere about a pretty small niche distro that was looking for a mirror for its packages. That got me thinking about the possibility of providing a public mirror for Linux packages for various distros.

It started back then in my home office, with redundant ISPs and the two HP Microservers and the Supermicro box that I had running.

My ambitions did not stop, and I applied to be an official mirror for Debian, Ubuntu, Parabola, Linux-Libre and more in the weeks after.

One year after that, I got access to a nice environment that my friends had. With 100TB of storage and unlimited bandwidth – I moved the mirror there, and it has been living there ever since.

Fast forward a couple of years...

The small distros that mirror.linux.pizza was the sole mirror for have disappeared, and the other projects such as Parabola, EndeavourOS and PureOS, where I was the first one to start mirroring them – have gotten plenty more mirrors to help out.

I've decided to shut mirror.linux.pizza down. The reason is financial, and I want to focus my effort on the community that is social.linux.pizza instead.

I've already notified the different projects about the shutdown, and I will take steps to ensure that systems do not break after the mirror goes offline, such as HTTP redirects to other mirrors in the Nordics.

I've also reached out to the hosting providers that have been using the mirror exclusively to notify them about the upcoming change, so they can prepare for that as well.

I am thankful that I have been able to give something back to the community by hosting this mirror – around 100k unique IP addresses connect to it every day. So it did definitely help out!

#linux #mirror #mirrorlinuxpizza #sunset #debian #ubuntu #pureos
       
 (DIR) Post #AX9x62nZDVzc0AIOu0 by jselea@blogs.linux.pizza
       2023-03-09T09:43:28Z
       
       0 likes, 1 repeats
       
LVM stuff

    WARNING: PV /dev/sda2 in VG vg0 is using an old PV header, modify the VG to update.

Update the metadata with the vgck command – where “vg0” is your own volume group:

    vgck --updatemetadata vg0

curl stuff

Curl a specific IP with another Host header:

    curl -H "Host: subdomain.example.com" http://172.243.6.400/

git stuff

Tell git.exe to use the built-in CA store in Windows:

    git config --global http.sslBackend schannel

random stuff

See which process is using a file:

    fuser file

Import a root cert into a Java keystore, example:

    sudo /usr/lib/java/jdk8u292-b10-jre/bin/keytool -import -alias some-rootcert -keystore /usr/lib/java/jdk8u292-b10-jre/lib/security/cacerts -file /usr/share/ca-certificates/extra/someRoot.crt

Apache2 config examples

Enable AD authentication for web resources:

    <Location />
      AuthName "AD authentication"
      AuthBasicProvider ldap
      AuthType Basic
      AuthLDAPGroupAttribute member
      AuthLDAPGroupAttributeIsDN On
      AuthLDAPURL ldap://IP:389/OU=Users,OU=pizza,DC=linux,DC=pizza?sAMAccountName?sub?(objectClass=*)
      AuthLDAPBindDN cn=tomcat7,ou=ServiceAccounts,ou=Users,OU=pizza,dc=linux,dc=pizza
      AuthLDAPBindPassword "exec:/bin/cat /etc/apache2/ldap-password.conf"
      Require ldap-group CN=some_group,OU=Groups,OU=pizza,DC=linux,DC=pizza
      ProxyPass "http://localhost:5601/"
      ProxyPassReverse "http://localhost:5601/"
    </Location>

Insert the Matomo tracking script in Apache using mod_substitute:

    AddOutputFilterByType SUBSTITUTE text/html
    Substitute "s-</head>-<script type=\"text/javascript\">var _paq = _paq || [];_paq.push(['trackPageView']);_paq.push(['enableLinkTracking']);(function() {var u=\"https://matomo.example.com/\";_paq.push(['setTrackerUrl', u+'matomo.php']);_paq.push(['setSiteId', '1']);var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];g.type='text/javascript'; g.async=true; g.defer=true; g.src=u+'matomo.js'; s.parentNode.insertBefore(g,s);})();</script></head>-n"

Load-balance backend servers:

    <Proxy balancer://k3singress>
      BalancerMember http://x.x.x.1:80
      BalancerMember http://x.x.x.2:80
      BalancerMember http://x.x.x.3:80
      BalancerMember http://x.x.x.4:80
      ProxySet lbmethod=bytraffic
      ProxySet connectiontimeout=5 timeout=30
      SetEnv force-proxy-request-1.0 1
      SetEnv proxy-nokeepalive 1
    </Proxy>
    ProxyPass "/" "balancer://k3singress/"
    ProxyPassReverse "/" "balancer://k3singress/"
    ProxyVia Full
    ProxyRequests On
    ProxyPreserveHost On

Basic Apache config for PHP-FPM:

    <VirtualHost *:80>
      ServerName www.example.com
      DocumentRoot /srv/www.example.com/htdocs
      <Directory /srv/www.example.com/htdocs>
        AllowOverride All
        Require all granted
        DirectoryIndex index.html index.htm index.php
        <FilesMatch "\.php$">
          SetHandler proxy:unix:/run/php/www.example.com.sock|fcgi://localhost
        </FilesMatch>
      </Directory>
      SetEnvIf x-forwarded-proto https HTTPS=on
    </VirtualHost>

Basic PHP-FPM pool:

    [www.example.com]
    user = USER
    group = GROUP
    listen = /var/run/php/$pool.sock
    listen.owner = www-data
    listen.group = www-data
    pm = ondemand
    pm.process_idle_timeout = 10
    pm.max_children = 1
    chdir = /
    php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f no-reply@ftp.selea.se
    php_admin_value[mail.log] = /srv/ftp.selea.se/log/mail.log
    php_admin_value[open_basedir] = /srv/ftp.selea.se:/tmp
    php_admin_value[memory_limit] = 64M
    php_admin_value[upload_max_filesize] = 64M
    php_admin_value[post_max_size] = 64M
    php_admin_value[max_execution_time] = 180
    php_admin_value[max_input_vars] = 1000
    php_admin_value[disable_functions] = passthru,exec,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source,mail

Netplan – use the device MAC instead of /etc/machine-id for DHCP:

    network:
      ethernets:
        eth0:
          dhcp4: true
          dhcp-identifier: mac
      version: 2

HP's apt repo for various utilities for ProLiant machines:

    deb http://downloads.linux.hpe.com/SDR/repo/mcp buster/current non-free
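As an added example (not from the post), here is a small Python checker for the Apache PHP-FPM vhost and pool above: it verifies that the SetHandler socket is the one the pool listens on, that open_basedir actually covers the DocumentRoot, and that the shell-spawning functions are in disable_functions. The embedded config lines are the post's own, trimmed to what the checks need; as pasted, the pool's open_basedir still points at /srv/ftp.selea.se while the vhost serves /srv/www.example.com/htdocs, so the checker reports exactly that.

```python
import re
# Constructed inputs: the relevant lines of the PHP-FPM vhost and pool from this post.
VHOST = """<VirtualHost *:80>
  DocumentRoot /srv/www.example.com/htdocs
  <FilesMatch "\\.php$">
    SetHandler proxy:unix:/run/php/www.example.com.sock|fcgi://localhost
  </FilesMatch>
</VirtualHost>"""
POOL = """[www.example.com]
listen = /var/run/php/$pool.sock
php_admin_value[open_basedir] = /srv/ftp.selea.se:/tmp
php_admin_value[disable_functions] = passthru,exec,shell_exec,system,proc_open,popen,curl_exec"""

# Functions that hand PHP a shell or a subprocess; a hardened pool disables them.
SHELL_FUNCS = {"exec", "shell_exec", "system", "passthru", "proc_open", "popen"}

def parse_pool(text):
    """Parse a php-fpm pool ini into (pool_name, {directive: value}), expanding $pool."""
    name, values = "", {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().replace("$pool", name)
    return name, values

def norm(path):  # /var/run is a symlink to /run on Debian; compare on one spelling
    return re.sub(r"^/var/run/", "/run/", path)

def audit(vhost, pool_text):
    """Return findings for an Apache vhost + php-fpm pool pair (empty list = consistent)."""
    findings = []
    _, pool = parse_pool(pool_text)
    sock = re.search(r"proxy:unix:([^|\s]+)\|fcgi://", vhost)
    if not sock or norm(sock.group(1)) != norm(pool.get("listen", "")):
        findings.append("SetHandler socket does not match the pool's listen path")
    docroot = re.search(r"DocumentRoot\s+(\S+)", vhost).group(1)
    bases = [b for b in pool.get("php_admin_value[open_basedir]", "").split(":") if b]
    if not any(docroot == b or docroot.startswith(b.rstrip("/") + "/") for b in bases):
        findings.append(f"open_basedir {bases or 'unset'} does not cover DocumentRoot {docroot}")
    enabled = SHELL_FUNCS - {f.strip() for f in pool.get("php_admin_value[disable_functions]", "").split(",")}
    if enabled:
        findings.append(f"shell-spawning functions still enabled: {sorted(enabled)}")
    return findings
```

Running audit(VHOST, POOL) returns the single open_basedir finding; pointing open_basedir at /srv/www.example.com:/tmp makes it return an empty list.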
       
 (DIR) Post #AplcQEhAwg93Fc1NKK by jselea@blogs.linux.pizza
       2025-01-04T23:17:35Z
       
       0 likes, 1 repeats
       
After 5 years, the Linux.Pizza Matrix server is relaunching. Last time, we housed over 3k active accounts.

However, 3k active accounts is not something that we aim to achieve this time, but rather – a complement to the social.linux.pizza Mastodon account.

We achieve this by just enabling social.linux.pizza as an OIDC provider on the Matrix server – the same functionality that is already being used when you authenticate your mobile application.

In order to log in with your social.linux.pizza account, just use the Matrix client you prefer (Element(X), SchildiChat/SchildiChat Next, Cinny or even Thunderbird) – set “synapse.linux.pizza” as your “Homeserver”, and the option to log in with social.linux.pizza should appear.

Worth noting is that this service will launch as a Beta service, so every tester is welcome :)
       
 (DIR) Post #B2wAp6Ngyac4w133Ts by jselea@blogs.linux.pizza
       2026-02-03T07:30:55Z
       
       0 likes, 1 repeats
       
It is actually pretty simple, for example with NGINX:

    certbot --nginx --required-profile shortlived

As you can see, use the option --required-profile shortlived.

It can also be used with DNS validation, the Apache plugin and so on.

Have fun!

#linux #certbot #letsencrypt