<p>An Alpine Linux XEN network driver domU (community.riocities.com, 2022-07-05, by henrik and bengt)</p>
<h1 id="basic-setup-of-alpine-linux-xen-domu">Basic Setup of Alpine Linux XEN domU<a class="headerlink" href="#basic-setup-of-alpine-linux-xen-domu" title="Permanent link">¶</a></h1>
<p>Guide to configure a basic XEN domU based on Alpine 3.16 and then set it up as a network driver domain.
As dom0 we use <a href="alpine_v315_dom0.html">Alpine Dom0 V3.15</a>, but please make sure to upgrade that to 3.16 as well.</p>
<p>For this it is preferred to have this type of hardware:
- Server with VT-d (or AMD IOMMU) and unused NICs, or NICs with virtual function support</p>
<p>If you do not have hardware like that, the dom0 can provide the network driver domain with a virtual NIC instead, and
you will be fine with the <code>-virt</code> kernel flavour (see below).</p>
<h2 id="basic-configuration">Basic configuration<a class="headerlink" href="#basic-configuration" title="Permanent link">¶</a></h2>
<h3 id="preparation">Preparation<a class="headerlink" href="#preparation" title="Permanent link">¶</a></h3>
<p><strong>NOTE</strong> You can most probably skip swap!</p>
<p>Memory: we need 512MB.
The recommended minimum rootfs size is 4GB for a simple network driver domain, because the full xen package must be installed in the domU,
and that leaves you space to use <code>linux-lts</code> and lots of firmware.</p>
<p>If you are tight on space and are only going to run the <code>linux-virt</code> kernel (you will probably need virtual function NICs for this), 1 to 2 GB will be enough, and
256MB of RAM will also be fine.</p>
<p><strong>NOTE</strong> -virt or -lts kernel
Bear in mind that if you are going to do physical device passthrough, you will need the <em>-lts</em> kernel.
In that case, skip the section on changing the kernel to -virt in the basic domU installation below.</p>
<h3 id="install-basic-domu">Install basic domU<a class="headerlink" href="#install-basic-domu" title="Permanent link">¶</a></h3>
<p>Perform an initial installation of a <a href="alpine_v316_basic_domU.html">Alpine basic domU</a></p>
<h1 id="configure-the-domu-as-network-driver-domain">Configure the domU as network driver domain<a class="headerlink" href="#configure-the-domu-as-network-driver-domain" title="Permanent link">¶</a></h1>
<h2 id="package-installation-in-domu">Package installation in domU<a class="headerlink" href="#package-installation-in-domu" title="Permanent link">¶</a></h2>
<p>Install the needed packages for the domU to act as a network driver domain</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> apk add bridge xen
</pre></div>
<h2 id="enable-xl-devd">Enable xl devd<a class="headerlink" href="#enable-xl-devd" title="Permanent link">¶</a></h2>
<p>For the network driver domain to handle network device plugging when
other domUs that need the driver domain start, the <code>xl devd</code> service must be running.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> rc-update add xendriverdomain boot
<span class="gp">#</span> service xendriverdomain start
<span class="gp">#</span> etckeeper commit -m <span class="s2">"start xendriverdomain at boot"</span>
</pre></div>
<h2 id="network-setup-for-each-network">Network setup for each network<a class="headerlink" href="#network-setup-for-each-network" title="Permanent link">¶</a></h2>
<h3 id="configuration-in-driver-domain">Configuration in driver domain<a class="headerlink" href="#configuration-in-driver-domain" title="Permanent link">¶</a></h3>
<p>The network driver domain handles networking for other domUs instead of the dom0,
hence the bridge devices are set up in the driver domain instead of in dom0.</p>
<p>Example configuration for a network to be used by a domU; this configuration
is added to <code>/etc/network/interfaces</code> in the network driver domain domU.</p>
<div class="codehilite"><pre><span></span><span class="na">auto br_<domU-name></span>
<span class="na">iface br_<domU-name> inet static</span>
<span class="na">bridge_ports none</span>
<span class="na">bridge_stp off</span>
<span class="na">bridge_maxwait 0</span>
<span class="na">bridge_fd 0</span>
<span class="na">address 192.168.14.1</span>
<span class="na">netmask 255.255.255.0</span>
</pre></div>
<div class="codehilite"><pre><span></span><span class="gp">#</span> etckeeper commit -m <span class="s2">"Added bridge network to interfaces"</span>
</pre></div>
<h3 id="forward-ipv4-packets">Forward IPv4 packets<a class="headerlink" href="#forward-ipv4-packets" title="Permanent link">¶</a></h3>
<div class="codehilite"><pre><span></span><span class="gp">#</span> <span class="nb">echo</span> <span class="s2">"## Enable IPv4 packet forwarding"</span> >> /etc/sysctl.d/local.conf
<span class="gp">#</span> <span class="nb">echo</span> <span class="s2">"net.ipv4.ip_forward = 1"</span> >> /etc/sysctl.d/local.conf
<span class="gp">#</span> sysctl -p /etc/sysctl.d/local.conf
<span class="gp">#</span> etckeeper commit -m <span class="s2">"Forward IPv4 packets"</span>
</pre></div>
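<p>As an added check (example code, not part of the guide), the following script parses the <code>br_*</code> stanzas of a driver domain's <code>/etc/network/interfaces</code> and reports every setting that is missing or differs from the bridge stanza above, and verifies that the sysctl drop-in from the forwarding step enables IPv4 forwarding. File paths are parameters, and the sample files it writes under <code>mktemp -d</code> are constructed for illustration.</p>

```shell
#!/bin/sh
# Added example (not from the guide): lint a driver domain's bridge stanzas
# and its IPv4 forwarding sysctl. Paths are arguments so the checks run both
# on the real /etc files and on constructed samples.

# Print "<bridge> <option> missing" or "<bridge> <option> is X, expected Y"
# for each "iface br_* inet ..." stanza in the interfaces(5) file given as $1.
# Prints nothing when every bridge stanza carries the settings used above.
lint_bridges() {
    awk '
    function flush(   i, n, nk, kv) {
        if (br == "") return
        n = split("bridge_ports=none bridge_stp=off bridge_maxwait=0 bridge_fd=0 address netmask", req, " ")
        for (i = 1; i <= n; i++) {
            nk = split(req[i], kv, "=")   # kv[1] = option, kv[2] = required value (if any)
            if (!(kv[1] in seen))
                print br, kv[1], "missing"
            else if (nk == 2 && seen[kv[1]] != kv[2])
                print br, kv[1], "is " seen[kv[1]] ", expected " kv[2]
        }
        split("", seen)                    # portable way to empty the array
        br = ""
    }
    $1 == "iface" { flush(); if ($2 ~ /^br_/ && $3 == "inet") br = $2; next }
    $1 == "auto" || $1 == "allow-hotplug" || $1 == "source" { flush(); next }
    br != "" && NF >= 2 { seen[$1] = $2 }  # option lines of the current bridge
    END { flush() }
    ' "$1"
}

# Succeed only if the sysctl file given as $1 sets net.ipv4.ip_forward to 1.
forwarding_enabled() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Constructed sample input: one correct bridge (br_dns), one bridge with STP
# enabled and bridge_fd missing (br_web), plus two sysctl drop-ins.
# Prints the directory the files were written to.
make_sample_files() {
    dir=$(mktemp -d)
    cat > "$dir/interfaces" <<'EOF'
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 10.0.0.5
    netmask 255.255.255.0

auto br_dns
iface br_dns inet static
    bridge_ports none
    bridge_stp off
    bridge_maxwait 0
    bridge_fd 0
    address 192.168.14.1
    netmask 255.255.255.0

auto br_web
iface br_web inet static
    bridge_ports none
    bridge_stp on
    bridge_maxwait 0
    address 192.168.15.1
    netmask 255.255.255.0
EOF
    printf '## Enable IPv4 packet forwarding\nnet.ipv4.ip_forward = 1\n' > "$dir/local.conf"
    printf 'net.ipv4.ip_forward = 0\n' > "$dir/forward-off.conf"
    printf '%s\n' "$dir"
}

# On a real driver domain:
#   lint_bridges /etc/network/interfaces
#   forwarding_enabled /etc/sysctl.d/local.conf || echo "IPv4 forwarding not enabled"
```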
<h3 id="ensure-vif-bridge-starts-at-boot">Ensure vif-bridge starts at Boot<a class="headerlink" href="#ensure-vif-bridge-starts-at-boot" title="Permanent link">¶</a></h3>
<div class="codehilite"><pre><span></span><span class="gp">#</span> cat << <span class="s1">'EOF'</span> > /etc/local.d/vif-bridge.start
<span class="gp">#</span>!/bin/sh -e
<span class="gp">#</span> Handle vif bridges added before xl devd was started
<span class="gp">#</span> xs is sometimes not responsive during boot
<span class="go">test_xs() {</span>
<span class="gp"> #</span> xenstore-read backend/vif/27/0/bridge
<span class="go"> for i in $(seq 1 5)</span>
<span class="go"> do</span>
<span class="go"> xenstore-read $1/bridge > /dev/null && return ||</span>
<span class="go"> sleep 2</span>
<span class="go"> done</span>
<span class="go">}</span>
<span class="go">if [ ! -e "/proc/xen/capabilities" ]; then</span>
<span class="go"> mount -t xenfs xenfs /proc/xen || exit 1</span>
<span class="go">fi</span>
<span class="go">export SUBSYSTEM=xen-backend</span>
<span class="go">export DRIVER=vif</span>
<span class="go">export XENBUS_TYPE=vif</span>
<span class="go">export ACTION=online</span>
<span class="go">export XENBUS_BASE_PATH=backend</span>
<span class="go">for vif in $(ifconfig -a | awk '/^vif/ {print $1}' | tr -d :)</span>
<span class="go">do</span>
<span class="gp"> #</span> <span class="nv">vif</span><span class="o">=</span>vif18.0 <span class="nv">XENBUS_PATH</span><span class="o">=</span>backend/vif/18/0 /etc/xen/scripts/vif-bridge online
<span class="go"> x=$(echo $vif | sed 's/^vif//' | sed 's/.[0-9]$//')</span>
<span class="go"> y=$(echo $vif | sed 's/^vif[0-9]*\.//')</span>
<span class="go"> export DEVPATH=/devices/vif-$x-$y</span>
<span class="go"> export XENBUS_PATH=backend/vif/$x/$y</span>
<span class="go"> export vif=$vif</span>
<span class="go"> test_xs $XENBUS_PATH</span>
<span class="go"> /etc/xen/scripts/vif-bridge online</span>
<span class="go">done</span>
<span class="go">exit 0</span>
<span class="go">EOF</span>
</pre></div>
<p>And we need to make the file executable, as well as start the local service at boot.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> chmod a+x /etc/local.d/vif-bridge.start
<span class="gp">#</span> rc-update add <span class="nb">local</span>
<span class="gp">#</span> etckeeper commit -m <span class="s2">"Added vif-bridge.start"</span>
</pre></div>
<h3 id="configuration-in-dom0">Configuration in dom0<a class="headerlink" href="#configuration-in-dom0" title="Permanent link">¶</a></h3>
<p>The <code>vif</code> lines in <code>xl.cfg</code> only need a slight modification to use the driver domain.</p>
<p>Networking provided by dom0</p>
<div class="codehilite"><pre><span></span><span class="na">vif</span> <span class="o">=</span> <span class="s">[ 'ip=192.168.14.10, mac=00:16:3E:XX:YY:ZZ, bridge=br_<domU-name>' ]</span>
</pre></div>
<p>Networking provided by network driver domain</p>
<div class="codehilite"><pre><span></span><span class="na">vif</span> <span class="o">=</span> <span class="s">[ 'ip=192.168.14.10, mac=00:16:3E:XX:YY:ZZ, bridge=br_<domU-name>, backend=<network driver domain name>' ]</span>
</pre></div>
<p>That's all that is needed to get the networking out of dom0.</p>
<p>A Basic Alpine Linux XEN domU (community.riocities.com, published 2022-07-02, updated 2022-07-20, by bengt)</p>
<h1 id="a-basic-alpine-linux-xen-domu">A Basic Alpine Linux XEN domU<a class="headerlink" href="#a-basic-alpine-linux-xen-domu" title="Permanent link">¶</a></h1>
<p>Guide to configure a basic XEN Domain based on Alpine 3.16.
As Dom0 we use <a href="alpine_v315_dom0.html">Alpine Dom0 V3.15</a>. But please make sure to upgrade that to 3.16 as well.</p>
<p>To do this I have the following extra hardware
- No extra hardware is needed.</p>
<h2 id="dom0-work">dom0 work<a class="headerlink" href="#dom0-work" title="Permanent link">¶</a></h2>
<p>We need to create the domU installation configuration file, mount the installation image location, and start the installation.</p>
<p>Download the iso and unpack the kernel and initramfs; see here: <a href="alpine_v315_dom0.html#domu-preparation">domu-preparation</a></p>
<h3 id="create-installation-config">Create Installation config<a class="headerlink" href="#create-installation-config" title="Permanent link">¶</a></h3>
<p>Now we need to create the domU configuration file.</p>
<ul>
<li>Observe that the MAC address has to be unique among dom0 and all domUs. A tool to help you with this is <a href="https://gist.github.com/viz3/6591201">random_mac.py</a>, for instance.</li>
<li>The cdrom points to the installer image which was prepared in the <a href="alpine_v315_dom0.html#prepare-for-domu">dom0</a> installation.</li>
</ul>
<p>If you do it manually, please start with "00:16:3E" followed by a combination that is unique for you,
for instance "00:16:3e:AA:AA:01".</p>
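<p>An added example, not part of the guide: a small POSIX shell toolkit that generates a MAC in the Xen 00:16:3E range and checks it against the <code>mac=</code> fields of every <code>xl.cfg</code> file you pass in, so a new domU never reuses an address already present in dom0's configs. The config files it writes under <code>mktemp -d</code> are constructed samples; on a real dom0 run the functions against <code>/etc/xen/*.cfg</code>.</p>

```shell
#!/bin/sh
# Added example (not from the guide): pick a MAC in the Xen-assigned
# 00:16:3E range and make sure no vif line in the given xl.cfg files already
# uses it. Note that dom0's own NIC MAC is not in any cfg file, so compare
# against it separately if it also lives in the 00:16:3E range.

# Print a random MAC of the form 00:16:3e:xx:xx:xx.
gen_xen_mac() {
    rnd=$(od -An -N3 -tx1 /dev/urandom | tr -d '\n' | tr -s ' ' ':' | sed 's/^://')
    printf '00:16:3e:%s\n' "$rnd"
}

# Print every MAC found in "mac=..." fields of the given config files,
# lower-cased so that 00:16:3E:AA:AA:01 and 00:16:3e:aa:aa:01 compare equal.
list_macs() {
    grep -h -o -i 'mac=[0-9a-f:]*' "$@" | cut -d= -f2 | tr 'A-F' 'a-f' | sort
}

# Succeed when $1 is not used by any vif line in the config files $2...
mac_is_free() {
    want=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    shift
    ! list_macs "$@" | grep -qxF "$want"
}

# Print each MAC that appears more than once across the config files.
find_duplicate_macs() {
    list_macs "$@" | uniq -d
}

# Print a MAC that none of the given configs use; retry a few times in the
# (roughly 2^-24 per try) event of a clash.
pick_free_mac() {
    for _try in 1 2 3 4 5; do
        cand=$(gen_xen_mac)
        if mac_is_free "$cand" "$@"; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    return 1
}

# Constructed sample configs: dns and web share a MAC (same address, different
# case), db has its own. Prints the directory the files were written to.
make_sample_cfgs() {
    dir=$(mktemp -d)
    printf "name = 'dns'\nvif = [ 'mac=00:16:3E:AA:AA:01,bridge=br0' ]\n" > "$dir/dns.cfg"
    printf "name = 'web'\nvif = [ 'mac=00:16:3e:aa:aa:01,bridge=br0' ]\n" > "$dir/web.cfg"
    printf "name = 'db'\nvif = [ 'mac=00:16:3e:aa:aa:02,bridge=br0' ]\n" > "$dir/db.cfg"
    printf '%s\n' "$dir"
}

# On a real dom0:
#   find_duplicate_macs /etc/xen/*.cfg   # should print nothing
#   pick_free_mac /etc/xen/*.cfg         # MAC for the next domU's vif line
```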
<div class="codehilite"><pre><span></span><span class="gp">#</span> cat << EOF > /etc/xen/<domU-name>.cfg
<span class="gp">#</span><span class="c1">####</span>
<span class="gp">#</span><span class="c1">#### <domU-name> domU</span>
<span class="gp">#</span><span class="c1">####</span>
<span class="go">vcpus = '1'</span>
<span class="go">memory = '256'</span>
<span class="go">maxmem = '256'</span>
<span class="go">kernel = "/domU_installer/vmlinuz-lts"</span>
<span class="go">ramdisk = "/domU_installer/initramfs-lts"</span>
<span class="go">extra = "alpine_dev=hdc:iso9660 modules=loop,squashfs,sd-mod,usb-storage console=hvc0"</span>
<span class="go">disk = [</span>
<span class="go"> 'file://domU_installer/alpine-extended-3.16.1-x86_64.iso,hdc:cdrom,r',</span>
<span class="go"> 'phy:/<root disk path>/<root disk>,xvda1,w', </span>
<span class="go"> 'phy:/<swap disk path>/<swap disk>,xvda2,w', </span>
<span class="go"> ]</span>
<span class="go">name = '<domU-name>'</span>
<span class="gp">#</span><span class="c1"># ENSURE MAC ADDRESS IS UNIQUE!!!</span>
<span class="go">vif = [ 'mac=<Unique MAC Address>,bridge=br0' ]</span>
<span class="go">on_poweroff = 'destroy'</span>
<span class="go">on_reboot = 'restart'</span>
<span class="go">on_crash = 'restart'</span>
<span class="go">EOF</span>
</pre></div>
<p>Suggested size for a common alpine server's disk would be 1.5GB, and 512M for swap.</p>
<p>If you are using zfs disks, please see the Appendix.</p>
<p>If you are using LVM disks, it might look like this.</p>
<div class="codehilite"><pre><span></span><span class="go">'phy:/dev/vg_domU/<domU-name>-disk,xvda1,w'</span>
</pre></div>
<p>If you are using normal disks, it might look like this.</p>
<div class="codehilite"><pre><span></span><span class="go">'phy:/dev/sdb1,xvda1,w'</span>
</pre></div>
<p>If you are using a file as a disk, you need to create the file, and then use it. Something like this.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> <span class="c1"># Create a 3GB file to be used as a disk</span>
<span class="gp">#</span> dd <span class="k">if</span><span class="o">=</span>/dev/zero <span class="nv">of</span><span class="o">=</span>/path/to/<domU-name>-disk.img <span class="nv">bs</span><span class="o">=</span>1M <span class="nv">count</span><span class="o">=</span><span class="m">3000</span>
<span class="gp">#</span> <span class="c1"># And then use this disk file in the configuration file</span>
<span class="go">'file:/path/to/<domU-name>-disk.img,xvda,w',</span>
</pre></div>
<p>If you want to use a qemu disk, it's very similar.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> qemu-img create -f raw /path/to/<domU-name>-disk.img 3G
<span class="gp">#</span> <span class="c1"># And then use this disk file in the configuration file</span>
<span class="go">'file:/path/to/<domU-name>-disk.img,xvda,w',</span>
</pre></div>
<h3 id="mount-domu_installer">Mount /domU_installer<a class="headerlink" href="#mount-domu_installer" title="Permanent link">¶</a></h3>
<p>And lastly we need to make sure that /domU_installer is mounted.</p>
<div class="codehilite"><pre><span></span><span class="go">dom0 # mount /domU_installer</span>
</pre></div>
<h3 id="start-domu">Start domU<a class="headerlink" href="#start-domu" title="Permanent link">¶</a></h3>
<p>It is time to start the installation; to do this we simply start the domU.</p>
<div class="codehilite"><pre><span></span><span class="go">dom0 # xl create /etc/xen/<domU-name>.cfg -c</span>
</pre></div>
<p>To get back to the dom0 environment from the console, you press CTRL+]</p>
<p><strong>Hint</strong> If CTRL+] does not work, CTRL+5 could work instead. Please see here for more info <a href="https://wiki.xenproject.org/wiki/Xen_FAQ_Console#How_do_I_connect_to_or_detach_from_a_console.3F">Xen FAQ Console</a></p>
<p>At login prompt, simply enter root and no password (default at installation time)</p>
<h2 id="domu-work">domU work<a class="headerlink" href="#domu-work" title="Permanent link">¶</a></h2>
<h3 id="format-root-disk">Format root disk<a class="headerlink" href="#format-root-disk" title="Permanent link">¶</a></h3>
<div class="codehilite"><pre><span></span><span class="gp">#</span> apk add e2fsprogs
<span class="gp">#</span> mkfs.ext4 /dev/xvda1
</pre></div>
<h3 id="mountpoints-etc">Mountpoints etc<a class="headerlink" href="#mountpoints-etc" title="Permanent link">¶</a></h3>
<p>Time to configure the mountpoints for root, as well as mount it. We will mount it under /mnt for the installation process.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> mount -t ext4 /dev/xvda1 /mnt
</pre></div>
<h3 id="setup-alpine">setup-alpine<a class="headerlink" href="#setup-alpine" title="Permanent link">¶</a></h3>
<p>Finally, it is time to configure (set up) the actual Alpine part.</p>
<p>Key things to remember</p>
<ul>
<li>Do not set up a normal user account (it will be set up after first boot in this guide)</li>
<li>Answer <code>none</code> to the last questions (disks, config, and apk repository):</li>
<li>Which disk(s) would you like to use? (or '?' for help or 'none') [none]</li>
<li>Enter where to store configs ('floppy', 'usb' or 'none') [none]:</li>
<li>Enter apk cache directory (or '?' or 'none') [/var/cache/apk]: <code>none</code></li>
</ul>
<div class="codehilite"><pre><span></span><span class="gp">#</span> setup-alpine
<span class="go">Available keyboard layouts:</span>
<span class="go">af be cn fi hu it lk mm pl sy uz</span>
<span class="go">al bg cz fo id jp lt mt pt th vn</span>
<span class="go">am br de fr ie ke lv my ro tj</span>
<span class="go">ara brai dk gb il kg ma ng rs tm</span>
<span class="go">at by dz ge in kr md nl ru tr</span>
<span class="go">az ca ee gh iq kz me no se tw</span>
<span class="go">ba ch epo gr ir la mk ph si ua</span>
<span class="go">bd cm es hr is latam ml pk sk us</span>
<span class="go">Select keyboard layout: [none] us</span>
<span class="go">Available variants: us-alt-intl us-altgr-intl us-chr us-colemak us-colemak_dh us-colemak_dh_iso us-dvorak-alt-intl us-dvorak-classic us-dvorak-intl us-dvorak-l us-dvorak-r us-dvorak us-dvp us-euro us-haw us-hbs us-intl us-mac us-norman us-olpc2 us-rus us-symbolic us-workman-intl us-workman us</span>
<span class="go">Select variant (or 'abort'): us</span>
<span class="go"> * Caching service dependencies ...</span>
<span class="go"> [ ok ]</span>
<span class="go"> * Setting keymap ...</span>
<span class="go"> [ ok ]</span>
<span class="go">Enter system hostname (short form, e.g. 'foo') [localhost] `<domU-name>`</span>
<span class="go">Available interfaces are: eth0.</span>
<span class="go">Enter '?' for help on bridges, bonding and vlans.</span>
<span class="go">Which one do you want to initialize? (or '?' or 'done') [eth0]</span>
<span class="go">Ip address for eth0? (or 'dhcp', 'none', '?') [dhcp] `<domU-IP>/<domU-network-netmask>`</span>
<span class="go">Gateway? (or 'none') [none] `<your gateway>`</span>
<span class="go">Configuration for eth0:</span>
<span class="go"> type=static</span>
<span class="go"> address=`<domU-IP>`</span>
<span class="go"> netmask=`<domU-netmask>`</span>
<span class="go"> gateway=`<your gateway>`</span>
<span class="go">Do you want to do any manual network configuration? (y/n) [n]</span>
<span class="go">DNS domain name? (e.g 'bar.com') example.com</span>
<span class="go">DNS nameserver(s)? `<your dns server, or 8.8.8.8>`</span>
<span class="go">Changing password for root</span>
<span class="go">New password:</span>
<span class="go">Retype password:</span>
<span class="go">passwd: password for root changed by root</span>
<span class="go">Which timezone are you in? ('?' for list) [UTC] `<Your timezone, for instance Australia/Melbourne>`</span>
<span class="go"> * Starting busybox acpid ...</span>
<span class="go"> [ ok ]</span>
<span class="go"> * Starting busybox crond ...</span>
<span class="go"> [ ok ]</span>
<span class="go">HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</span>
<span class="go">Which NTP client to run? ('busybox', 'openntpd', 'chrony' or 'none') [chrony]</span>
<span class="go"> * service chronyd added to runlevel default</span>
<span class="go"> * Caching service dependencies ...</span>
<span class="go"> [ ok ]</span>
<span class="go"> * Starting chronyd ...</span>
<span class="go"> [ ok ]</span>
<span class="go">Available mirrors:</span>
<span class="go">1) dl-cdn.alpinelinux.org</span>
<span class="go">...</span>
<span class="go">13) mirror.aarnet.edu.au</span>
<span class="go">...</span>
<span class="go">55) alpine.northrepo.ca</span>
<span class="go">r) Add random from the above list</span>
<span class="go">f) Detect and add fastest mirror from above list</span>
<span class="go">e) Edit /etc/apk/repositories with text editor</span>
<span class="go">Enter mirror number (1-55) or URL to add (or r/f/e/done) [1] f</span>
<span class="go">Finding fastest mirror...</span>
<span class="go">0.56 http://dl-cdn.alpinelinux.org/alpine/</span>
<span class="go">...</span>
<span class="go">0.11 http://mirror.aarnet.edu.au/pub/alpine</span>
<span class="go">...</span>
<span class="go">0.09 http://alpine.northrepo.ca</span>
<span class="go">Added mirror alpine.northrepo.ca</span>
<span class="go">Updating repository indexes... done.</span>
<span class="go">Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]</span>
<span class="go"> * service sshd added to runlevel default</span>
<span class="go"> * Caching service dependencies ...</span>
<span class="go"> [ ok ]</span>
<span class="go">ssh-keygen: generating new host keys: RSA DSA ECDSA ED25519</span>
<span class="go"> * Starting sshd ...</span>
<span class="go"> [ ok ]</span>
<span class="go">Available disks are:</span>
<span class="go"> xvda2 (0.5 GB )</span>
<span class="go">Which disk(s) would you like to use? (or '?' for help or 'none') [none]</span>
<span class="go">Enter where to store configs ('floppy', 'usb' or 'none') [none]</span>
<span class="go">Enter apk cache directory (or '?' or 'none') [/var/cache/apk] none</span>
</pre></div>
<h3 id="store-filesystem">Store filesystem<a class="headerlink" href="#store-filesystem" title="Permanent link">¶</a></h3>
<p>Time to install this domU to the filesystem on <code>/mnt</code> (which points to the disk for the / partition after first reboot)</p>
<p>We will use the -m sys (write the system to disk) parameter.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> setup-disk -m sys /mnt
<span class="go">Installing system on /dev/xvda1:</span>
<span class="go">extlinux: Not a directory: /mnt/boot</span>
<span class="go">100% ############################################==> initramfs: creating /boot/initramfs-vanilla</span>
<span class="go">/boot is device /dev/xvda1</span>
<span class="go">extlinux: no previous syslinux boot sector found</span>
<span class="go">You might need fix the MBR to be able to boot</span>
</pre></div>
<h3 id="update-grub">Update grub<a class="headerlink" href="#update-grub" title="Permanent link">¶</a></h3>
<p>We need to create a grub boot stanza</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> mkdir /mnt/boot/grub
<span class="gp">#</span> cat << EOF > /mnt/boot/grub/grub.cfg
<span class="go">set timeout=2</span>
<span class="go">set default=0</span>
<span class="go">menuentry "alpine" {</span>
<span class="go"> linux /boot/vmlinuz-lts modules=ext4 console=hvc0 root=/dev/xvda1</span>
<span class="go"> initrd /boot/initramfs-lts</span>
<span class="go">}</span>
<span class="go">EOF</span>
</pre></div>
<h3 id="time-to-halt">Time to halt<a class="headerlink" href="#time-to-halt" title="Permanent link">¶</a></h3>
<p>Time to halt this newly installed system, and go back to dom0 for some changes.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> halt
</pre></div>
<h2 id="back-to-dom0">Back to dom0<a class="headerlink" href="#back-to-dom0" title="Permanent link">¶</a></h2>
<h3 id="fix-dom0s-domu-config-file">Fix dom0's domU config file<a class="headerlink" href="#fix-dom0s-domu-config-file" title="Permanent link">¶</a></h3>
<p>We need to update the domU configuration file to use the pv grub bootloader, as well as remove the cdrom.</p>
<div class="codehilite"><pre><span></span><span class="go">dom0 # cat << EOF > /etc/xen/<domU-name>.cfg</span>
<span class="gp">#</span><span class="c1">###</span>
<span class="gp">#</span><span class="c1">### <domU-name> domU</span>
<span class="gp">#</span><span class="c1">###</span>
<span class="go">vcpus = '1'</span>
<span class="go">memory = '256'</span>
<span class="go">maxmem = '256'</span>
<span class="go">kernel = "/usr/lib/grub-xen/grub-x86_64-xen.bin"</span>
<span class="go">disk = [</span>
<span class="go"> 'phy:/<root disk path>/<root disk>,xvda1,w', </span>
<span class="go"> 'phy:/<swap disk path>/<swap disk>,xvda2,w', </span>
<span class="go"> ]</span>
<span class="go">name = '<domU-name>'</span>
<span class="gp">#</span><span class="c1"># ENSURE MAC ADDRESS IS UNIQUE!!!</span>
<span class="go">vif = [ 'mac=<Unique MAC Address>,bridge=br0' ]</span>
<span class="go">on_poweroff = 'destroy'</span>
<span class="go">on_reboot = 'restart'</span>
<span class="go">on_crash = 'restart'</span>
<span class="go">EOF</span>
</pre></div>
<p>Alternatively with pvh grub</p>
<div class="codehilite"><pre><span></span><span class="go">type = "pvh"</span>
<span class="go">kernel = "/usr/lib/grub-xen/grub-i386-xen_pvh.bin"</span>
</pre></div>
<p>And lastly we need to make these changes restart-safe.</p>
<div class="codehilite"><pre><span></span><span class="go">dom0 # etckeeper commit "Finalized domU configuration file"</span>
</pre></div>
<h3 id="start-domu_1">Start domU<a class="headerlink" href="#start-domu_1" title="Permanent link">¶</a></h3>
<p>Finally time to start the newly created domU, and see if it all works.</p>
<div class="codehilite"><pre><span></span><span class="go">dom0 # xl create /etc/xen/<domU-name>.cfg -c</span>
</pre></div>
<h3 id="add-etckeeper">Add etckeeper<a class="headerlink" href="#add-etckeeper" title="Permanent link">¶</a></h3>
<p>Etckeeper will store the whole /etc in a git repository, and keep track of every change
that is made there.<br/>
Just remember to do an <em>etckeeper commit "Describe the change"</em></p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> apk add etckeeper
</pre></div>
<h3 id="add-normal-user">Add normal user<a class="headerlink" href="#add-normal-user" title="Permanent link">¶</a></h3>
<p>As per normal security practice, we should not use the root account for normal operations, so we need to create a normal user and add it to wheel.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> adduser <username>
</pre></div>
<h3 id="add-doas">Add doas<a class="headerlink" href="#add-doas" title="Permanent link">¶</a></h3>
<p>For security reasons, and as good practice, let's install <code>doas</code>; if you
are more used to the <code>sudo</code> command you can also install <code>doas-sudo-shim</code>.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> apk add doas
<span class="gp">#</span> <span class="nb">echo</span> <span class="s2">"permit persist :wheel"</span> >> /etc/doas.d/doas.conf
<span class="gp">#</span> adduser <username> wheel
<span class="gp">#</span> etckeeper commit <span class="s2">"Configured doas"</span>
</pre></div>
<h3 id="add-sshguard">Add sshguard<a class="headerlink" href="#add-sshguard" title="Permanent link">¶</a></h3>
<p>And for good measure, let's add sshguard.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> apk add sshguard nftables
<span class="gp">#</span> cat << EOF > /etc/sshguard.conf
<span class="gp">#</span>!/bin/sh
<span class="go">BACKEND='/usr/libexec/sshg-fw-nft-sets'</span>
<span class="go">FILES='/var/log/messages'</span>
<span class="go">EOF</span>
<span class="gp">#</span> rc-update add sshguard
<span class="gp">#</span> etckeeper commit <span class="s2">"Added sshguard"</span>
</pre></div>
<p>To view the rules in nftables (which IPs are being blocked, if any):</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> nft list ruleset
</pre></div>
<h3 id="optionally-but-recommended-enable-only-passwordless-ssh">Optionally, but recommended, enable only passwordless ssh<a class="headerlink" href="#optionally-but-recommended-enable-only-passwordless-ssh" title="Permanent link">¶</a></h3>
<p>Update the sshd configuration and set the following options to no.
For more detailed information, please check <a href="https://linuxize.com/post/how-to-setup-passwordless-ssh-login/">this link</a>.</p>
<p>Copy your public key to your server</p>
<div class="codehilite"><pre><span></span><span class="go"><your local desktop/laptop> $ ssh-copy-id <username>@<domU IP></span>
</pre></div>
<p>Disable normal password authentication when using ssh</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> sed -e <span class="s1">'s/#PasswordAuthentication yes/PasswordAuthentication no/'</span> -i /etc/ssh/sshd_config
<span class="gp">#</span> etckeeper commit <span class="s2">"Enforce passwordless authentication only"</span>
</pre></div>
<p>Verify that passwordless ssh works</p>
<div class="codehilite"><pre><span></span><span class="go"><your local desktop/laptop>$ ssh <domU IP> -l <username></span>
</pre></div>
<p>If all works fine, restart ssh on your newly created domU</p>
<div class="codehilite"><pre><span></span><span class="go"><domU> # /etc/init.d/sshd restart</span>
</pre></div>
<h3 id="add-swap">Add swap<a class="headerlink" href="#add-swap" title="Permanent link">¶</a></h3>
<p>We need to put the swap on the swap disk</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> mkswap /dev/xvda2
<span class="gp">#</span> swapon /dev/xvda2
<span class="gp">#</span> <span class="nb">echo</span> <span class="s2">"/dev/xvda2 none swap sw 0 0"</span> >> /etc/fstab
<span class="gp">#</span> swapon -a
<span class="gp">#</span> rc-update add swap
<span class="gp">#</span> etckeeper commit <span class="s2">"Added swapvolume"</span>
</pre></div>
<h3 id="confirm-network-ok">Confirm network ok<a class="headerlink" href="#confirm-network-ok" title="Permanent link">¶</a></h3>
<p>Ensure we can ping google</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> ping www.google.com
</pre></div>
<h3 id="update-system">Update system<a class="headerlink" href="#update-system" title="Permanent link">¶</a></h3>
<p>It is good practice to update the system.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> apk update
<span class="gp">#</span> apk upgrade
</pre></div>
<h3 id="switch-to-the-virt-kernel-optional">Switch to the <code>-virt</code> kernel (optional)<a class="headerlink" href="#switch-to-the-virt-kernel-optional" title="Permanent link">¶</a></h3>
<p>The <code>-virt</code> kernel contains drivers for virtual function NICs, so
there is no need for the full-blown <code>-lts</code> kernel and lots of firmware.</p>
<p><strong>Note</strong> if you will be doing PCI passthrough of non-VF NIC
devices, you must use the <code>linux-lts</code> kernel!</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> apk add linux-virt
<span class="gp">#</span> sed -i <span class="s1">'s/-lts/-virt/'</span> /boot/grub/grub.cfg
<span class="gp">#</span> apk del linux-lts
</pre></div>
<h3 id="fix-autostart-of-domu">Fix autostart of domU<a class="headerlink" href="#fix-autostart-of-domu" title="Permanent link">¶</a></h3>
<p>Time to make sure that this domU is automatically started on reboot.</p>
<p>Let's stop the domU</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> halt
</pre></div>
<p>And on the <strong>dom0</strong> we create the autostart link; do not forget to give the <strong>lbu commit</strong> command.</p>
<p>If you want to have some control over when this particular domU will be started, precede the config file name with a numeric part, where 00 is first in priority and 99 is last.
For instance, if you want this particular domU to be started first, you should give it the following link name: 00-<domU-name>.cfg</p>
<div class="codehilite"><pre><span></span><span class="go">dom0 # ln -s /etc/xen/<domU-name>.cfg /etc/xen/auto/<NN-domU-name>.cfg</span>
<span class="go">dom0 # etckeeper commit "Enabled autostart of domU"</span>
</pre></div>
<p>Reboot to verify</p>
<div class="codehilite"><pre><span></span><span class="go">dom0 # reboot</span>
</pre></div>
<p>or if you prefer to just restart the service</p>
<div class="codehilite"><pre><span></span><span class="go">dom0 # service xendomains restart</span>
</pre></div>
<p>and after dom0 is up and running again, check that the newly created domU domain is running</p>
<div class="codehilite"><pre><span></span><span class="go">dom0 # xl list</span>
</pre></div>
<h1 id="appendix">Appendix<a class="headerlink" href="#appendix" title="Permanent link">¶</a></h1>
<h2 id="disk-from-a-storage-driver-domain-running-zfs">Disk from a storage driver domain running ZFS<a class="headerlink" href="#disk-from-a-storage-driver-domain-running-zfs" title="Permanent link">¶</a></h2>
<p>If you are using a storage driver domU with <strong>ZFS</strong>, like <a href="alpine_v38_storage_domu.html">Alpine Storage DomU V3.8</a>, you need to add <strong>backend=&lt;storage driver domU name&gt;</strong> to the disk specification, so the block backend runs in that domain rather than in dom0.
For how to create the ZFS based disks, please look at <a href="alpine_v38_storage_domu.html">Alpine Storage DomU V3.8</a></p>
<p>Example</p>
<div class="codehilite"><pre><span></span><span class="na">disk</span> <span class="o">=</span> <span class="s">[</span>
<span class="s"> 'backend=<Storage driver domU name>,phy:/dev/zvol/tank/xen/<disk>,xvda1,w',</span>
<span class="s"> ]</span>
</pre></div>
<p>Example on my system</p>
<div class="codehilite"><pre><span></span><span class="na">disk</span> <span class="o">=</span> <span class="s">[</span>
<span class="s"> 'backend=zfshost,phy:/dev/zvol/tank/xen/dns-disk,xvda1,w',</span>
<span class="s"> ]</span>
</pre></div>
<h1 id="openbsd-7-0-qemu-cf-net5501">Openbsd 7.0 QEMU cf net5501<a class="headerlink" href="#openbsd-7-0-qemu-cf-net5501" title="Permanent link">¶</a></h1>
<p>2022-01-15, henrik</p>
<p>Installing OpenBSD on CF under kvm (QEMU) on Debian for later net5501 deployment</p>
<p>Prerequisites</p>
<ul>
<li>Fast 1GB CF Card</li>
<li>Debian (or other GNU/Linux distribution)</li>
<li>CF-card reader</li>
</ul>
<p>Limitation: the box has too little RAM to run <code>syspatch</code>, since that requires allocating a big <code>/tmp</code> on <code>mfs</code> (memory file system), which in turn makes the kernel relinking fail for lack of free memory.</p>
<p>Preparations for installation</p>
<div class="codehilite"><pre><span></span>debian$ curl -O https://ftp.uni-stuttgart.de/pub/OpenBSD/7.0/i386/install70.iso
</pre></div>
<p>Before writing anything to the card, verify the image: fetch <code>SHA256.sig</code> from the same directory and check it with <code>signify-openbsd -C -p &lt;openbsd-70-base.pub&gt; -x SHA256.sig install70.iso</code> (Debian ships the tool as <code>signify-openbsd</code> and the release keys in <code>signify-openbsd-keys</code>). A checksum fetched from the mirror alone only catches a corrupted download, not a tampered one.</p>
<p>Plug the CF card into the CF card reader. If your system auto-mounts the file system on the CF card, unmount it.</p>
<p>Change the permissions of <code>/dev/sdb</code> (or whatever device name your CF got when you plugged it in) so you can access it as a non-root user, e.g.</p>
<div class="codehilite"><pre><span></span>debian$ sudo chmod 777 /dev/sdb
</pre></div>
<p><code>chmod 777</code> makes the raw device writable by every user on the box; <code>chown $USER /dev/sdb</code> (or running kvm under <code>sudo</code>) is the narrower choice. Either way the change only lasts until the device node is recreated on the next plug-in.</p>
<p>Start kvm:</p>
<div class="codehilite"><pre><span></span>debian$ kvm -drive file=/dev/sdb,format=raw -cdrom install70.iso -boot d -m 512
</pre></div>
<p>IP-network settings: use dhcp for now (Note: change this later when you do system configuration after reboot)</p>
<p>Perform a normal OpenBSD install with the following partition table</p>
<div class="codehilite"><pre><span></span><span class="na">wd0a 100m /</span>
<span class="na">(wd0b 0 swap)</span>
<span class="na">wd0d 100m /var</span>
<span class="na">wd0e 40m /home</span>
<span class="na">wd0f 760(rest) /usr</span>
</pre></div>
<p>Note: skipping <code>/tmp</code> for later</p>
<p>I used the following sets</p>
<div class="codehilite"><pre><span></span> [X] bsd
[X] bsd.rd
[X] base70.tgz
[ ] comp70.tgz
[X] man70.tgz
[ ] game70.tgz
[ ] xbase70.tgz
[ ] xshare70.tgz
[ ] xfont70.tgz
[ ] xserv70.tgz
</pre></div>
<p>After installation (do not reboot before completing the following section), select "Exit to (S)shell"</p>
<p>Append entries for <code>/tmp</code> and <code>/var/run</code> to <code>/mnt/etc/fstab</code> with filesystem type <code>mfs</code>, so they live in memory and the CF card sees less write wear</p>
<div class="codehilite"><pre><span></span>openbsd# echo "swap /tmp mfs rw,nodev,nosuid,-s=10m 0 0" >> /mnt/etc/fstab
openbsd# echo "swap /var/run mfs rw,nodev,nosuid,-s=4m 0 0" >> /mnt/etc/fstab
</pre></div>
<p>apply the following change to <code>/mnt/etc/rc</code></p>
<div class="codehilite"><pre><span></span># Unmount all filesystems except root.
umount -a >/dev/null 2>&1
# Mount all filesystems except those of type NFS and VND.
mount -a -t nonfs,vnd
<span class="gi">+chmod 1777 /tmp</span>
# Re-mount the root filesystem read/writeable. (root on nfs requires this,
# others aren't hurt.)
mount -uw /
chmod og-rwx /bsd
</pre></div>
<p>If you use <code>ed</code> (leave input mode with ctrl-d, or with a line containing only a <code>.</code>)</p>
<div class="codehilite"><pre><span></span>openbsd# ed /mnt/etc/rc
/mount -a -t nonfs/
a
chmod 1777 /tmp
ctrl-d
w
q
</pre></div>
<p>A word of warning: starting with OpenBSD 5.6 <code>/etc/rc</code> is no longer a config file, so this needs to be redone after unpacking <code>baseNN.tgz</code></p>
<p>Example of what should be done when you later upgrade</p>
<div class="codehilite"><pre><span></span># cp /bin/ed /bin/oed
# tar -C / -xzphf base71.tgz
# /bin/oed /etc/rc
/mount -a -t nonfs/
a
chmod 1777 /tmp
ctrl-d
w
q
</pre></div>
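<p>Since this edit has to be repeated after every base set, here is an added example (not from the original article) that does it idempotently in portable sh and awk, so it can live in an upgrade script: it inserts the line after the anchor only when it is not already there, and refuses to touch the file if the anchor line is missing. The anchor text is assumed to be exactly the <code>mount -a -t nonfs,vnd</code> line shown above.</p>

```shell
#!/bin/sh
# Added example, not part of the original article: re-apply the /etc/rc tweak
# idempotently, so the step can be scripted after every base set extraction
# instead of repeating the ed session. Assumption: the anchor line is still
# exactly "mount -a -t nonfs,vnd", as in the rc excerpt above.

# rc_ensure_tmp_sticky RCFILE
# Inserts "chmod 1777 /tmp" right after the anchor line unless it is already
# there. Prints "inserted" or "present" and returns 0; if the anchor line is
# missing (rc changed in a new release), prints "no-anchor", leaves the file
# untouched and returns 1, so the problem is noticed rather than skipped.
rc_ensure_tmp_sticky() {
    rc=$1
    new="$rc.new"
    st=0
    awk -v fix='chmod 1777 /tmp' -v anchor='mount -a -t nonfs,vnd' '
        # "after" is true while processing the line following the anchor
        after && $0 != fix { print fix; ins = 1 }
        { print; after = ($0 == anchor); seen += after }
        END {
            if (after) { print fix; ins = 1 }    # anchor was the last line
            if (!seen) exit 2                     # no anchor: caller discards output
            if (!ins) exit 3                      # fix already present
        }' "$rc" > "$new" || st=$?
    case $st in
        0) mv "$new" "$rc"; echo inserted ;;
        3) rm -f "$new"; echo present ;;
        *) rm -f "$new"; echo no-anchor; return 1 ;;
    esac
}

# After an upgrade, e.g. tar -C / -xzphf base71.tgz, run:
#   rc_ensure_tmp_sticky /etc/rc
```

The "no-anchor" failure is deliberate: a release that reorganises <code>/etc/rc</code> should stop the upgrade script rather than leave <code>/tmp</code> mounted with the wrong mode.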
<p>Fix the domain name (will be my.domain by default)</p>
<div class="codehilite"><pre><span></span>openbsd# echo "<hostname>.<domain>" > /mnt/etc/myname # (e.g. calvin.example.com)
</pre></div>
<p>Now it's time to halt and restart the system</p>
<div class="codehilite"><pre><span></span>openbsd# halt
</pre></div>
<p>Exit QEMU (close the window) and restart QEMU</p>
<div class="codehilite"><pre><span></span>debian$ kvm -drive file=/dev/sdb,format=raw -m 512
</pre></div>
<p>System configuration after reboot</p>
<p>When the system is up after the first reboot we can use vi instead of ed to do the remaining configuration.</p>
<p>Enable soft updates and disable atime by editing <code>/etc/fstab</code> (we will reboot later). <code>&lt;DUID&gt;</code> stands for the disklabel UID plus partition letter that the installer wrote, in the form <code>&lt;duid&gt;.a</code>.</p>
<div class="codehilite"><pre><span></span><span class="na"><DUID> / ffs rw,softdep,noatime 1 1</span>
<span class="na"><DUID> /home ffs rw,nodev,nosuid,softdep,noatime 1 2</span>
<span class="na"><DUID> /usr ffs rw,wxallowed,nodev,softdep,noatime 1 2</span>
<span class="na"><DUID> /var ffs rw,nodev,nosuid,softdep,noatime 1 2</span>
<span class="na">swap /tmp mfs rw,nodev,nosuid,-s</span><span class="o">=</span><span class="s">10m 0 0</span>
<span class="na">swap /var/run mfs rw,nodev,nosuid,-s</span><span class="o">=</span><span class="s">4m 0 0</span>
</pre></div>
<p>Fix <code>/etc/hosts</code> by adding the real (FQDN) hostname (only localhost is there after installation), example after fixing:</p>
<div class="codehilite"><pre><span></span><span class="na">127.0.0.1 localhost</span>
<span class="na">::1 localhost</span>
<span class="na">192.168.1.1 calvin.example.com</span>
</pre></div>
<p>Install BASH, CURL, & NGREP</p>
<div class="codehilite"><pre><span></span>openbsd# pkg_add -v bash
openbsd# pkg_add -v curl
openbsd# pkg_add -v ngrep
</pre></div>
<p>Verify that bash is in <code>/etc/shells</code></p>
<div class="codehilite"><pre><span></span>openbsd# grep bash /etc/shells
/usr/local/bin/bash
</pre></div>
<p>Change shell to bash</p>
<div class="codehilite"><pre><span></span>openbsd# chsh -s bash
openbsd# chsh -s bash <user>
</pre></div>
<p>Continue configuring the system, and before the last QEMU shutdown (before moving the CF to the <strong>net5501</strong> box):</p>
<p>Edit <code>/etc/ttys</code> and fix the <code>tty00</code> line. The net5501 is headless, so the serial port becomes the console: 19200 baud, turned on, and <code>secure</code> so root may log in directly on it. Leave out <code>secure</code> if you want console root logins to go through <code>su</code> instead.</p>
<div class="codehilite"><pre><span></span><span class="gd">-tty00 "/usr/libexec/getty std.9600" unknown off</span>
<span class="gi">+tty00 "/usr/libexec/getty std.19200" vt200 on secure</span>
</pre></div>
<p>Add the file <code>/etc/boot.conf</code></p>
<div class="codehilite"><pre><span></span>stty com0 19200
set tty com0
</pre></div>
<h1 id="alpine-v315-linux-as-a-xen-dom0-from-a-usb-stick">Alpine v3.15 Linux as a XEN dom0 from a USB stick<a class="headerlink" href="#alpine-v315-linux-as-a-xen-dom0-from-a-usb-stick" title="Permanent link">¶</a></h1>
<p>2022-01-12, bengt</p>
<h1 id="guide-to-configure-an-xen-dom0-server-based-on-alpine-315">Guide to configure an XEN Dom0 server based on Alpine 3.15<a class="headerlink" href="#guide-to-configure-an-xen-dom0-server-based-on-alpine-315" title="Permanent link">¶</a></h1>
<p>I have the following configuration for my file server.</p>
<ul>
<li>Server HP ProLiant MicroServer Gen8 G1610T</li>
<li>Memory Kingston KCP316ED8/8 8GB DDR3 1600MHz ECC Module, 16GB total.</li>
<li>USB Boot USB 16GB Stick Cruzer</li>
</ul>
<p>During the installation we also need a USB stick (1G+), as well as a workstation/laptop.</p>
<ul>
<li>Temporary USB Stick, to be used as installation media.</li>
</ul>
<h1 id="various-references">Various references<a class="headerlink" href="#various-references" title="Permanent link">¶</a></h1>
<p>Here are some various references I have been looking at</p>
<ol>
<li><a href="hp_microserver_gen8.html">HP Microserver Gen8</a></li>
<li><a href="alpine_dom0.html">Alpine dom0</a></li>
<li><a href="alpine_domU.html">Alpine domU</a></li>
<li><a href="xen_storage_driver_domain.html">XEN Storage Driver domain</a></li>
</ol>
<h1 id="preparation">Preparation<a class="headerlink" href="#preparation" title="Permanent link">¶</a></h1>
<p>This chapter should be executed on your normal desktop/laptop.</p>
<p>First we need to download the Alpine XEN Image from <a href="https://alpinelinux.org/downloads/">Alpine's download page</a> or use this direct <a href="https://dl-cdn.alpinelinux.org/alpine/v3.15/releases/x86_64/alpine-xen-3.15.0-x86_64.iso">link to alpine-xen-3.15.0-x86_64.iso</a>.
Store the image under <code>/tmp</code>. Download the matching <code>.sha256</code> file next to it as well and verify the image with <code>sha256sum -c</code> before writing it, the same way as is done for the Extended image in the domU preparation further down.</p>
<p>Insert the installation Media USB stick into your desktop/laptop, and check which device it is located at</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> dmesg <span class="p">|</span> tail
<span class="go">...</span>
<span class="go">[162562.819054] sd 5:0:0:0: [sdb] 2046240 512-byte logical blocks: (1.04 GB/999 MiB)</span>
<span class="go">[162562.823977] sdb: sdb1</span>
</pre></div>
<p>You can also check dmesg for removable disks, as per this example.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> dmesg <span class="p">|</span> grep -i removable
<span class="go">[14607526.725995] sd 16:0:0:0: [sdb] Attached SCSI removable disk</span>
<span class="go">[15742096.383712] sd 17:0:0:0: [sdb] Attached SCSI removable disk</span>
<span class="gp">#</span>
</pre></div>
<p>On my system, we can see that the Installation Media USB stick has been attached as <code>/dev/sdb</code>, but please <em>note</em> that this varies from system to system.</p>
<p>Please ensure that the Installation Media USB stick has not been automatically mounted.</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> mount <span class="p">|</span> grep <Removable Installation Media USB Stick>
<span class="gp">$</span> df <span class="p">|</span> grep <Removable Installation Media USB Stick>
</pre></div>
<p>If it was auto-mounted, unmount it first: <code>dd</code> overwrites the whole device, and doing that under a filesystem that is still mounted is unsafe.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> umount <Removable Installation Media USB Stick>
</pre></div>
<p>Time to write the just downloaded Alpine Xen 3.15 image to the Installation Media USB stick using <code>dd</code>.</p>
<p>The syntax is</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> dd <span class="k">if</span><span class="o">=</span>/tmp/alpine-xen-3.15.0-x86_64.iso <span class="nv">of</span><span class="o">=</span><Removable Installation USB Stick>
</pre></div>
<p>In my case the command would be</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> sudo -i
<span class="gp">#</span> dd <span class="k">if</span><span class="o">=</span>/tmp/alpine-xen-3.15.0-x86_64.iso <span class="nv">of</span><span class="o">=</span>/dev/sdb
<span class="go">430080+0 records in</span>
<span class="go">430080+0 records out</span>
<span class="go">220200960 bytes (220 MB, 210 MiB) copied, 76.6593 s, 2.9 MB/s</span>
<span class="gp">#</span> sync
</pre></div>
<p>At this time, we are done working on our workstation, time to move over to the new server.</p>
<h1 id="prepare-boot-usb-stick">Prepare Boot USB Stick<a class="headerlink" href="#prepare-boot-usb-stick" title="Permanent link">¶</a></h1>
<p>Time to start the installation on the new Alpine Server. Insert the newly created Installation Media USB Stick, and reboot the server. Ensure that you boot from the installation media.</p>
<p>When server has booted, insert the Boot USB Stick (16GB USB Cruzer in my case)</p>
<p>At login prompt, login as <code>root</code>, no password at this stage.</p>
<div class="codehilite"><pre><span></span><span class="go">Login: root</span>
</pre></div>
<p>Time to figure out which device the Boot USB Stick device has.</p>
<p>Look in the <code>dmesg</code> output and search for your USB stick. In my case <strong>Cruzer</strong>.
It should be located towards the end of the <code>dmesg</code> output.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> dmesg
<span class="go">[ 12.296717] usb 1-1.1: new high-speed USB device number 3 using ehci-pci</span>
<span class="go">[ 12.313381] usb 2-1.3: new high-speed USB device number 3 using ehci-pci</span>
<span class="go">[ 12.398454] usb 1-1.1: New USB device found, idVendor=0781, idProduct=5571</span>
<span class="go">[ 12.398457] usb 1-1.1: New USB device strings: Mfr=1, Product=2, SerialNumber=3</span>
<span class="go">[ 12.398459] usb 1-1.1: Product: Cruzer Fit</span>
<span class="go">[ 12.398461] usb 1-1.1: Manufacturer: SanDisk</span>
<span class="go">[ 12.398463] usb 1-1.1: SerialNumber: 4C530001231102113292</span>
<span class="go">[ 12.398886] usb-storage 1-1.1:1.0: USB Mass Storage device detected</span>
<span class="go">[ 12.399172] scsi host8: usb-storage 1-1.1:1.0</span>
<span class="go">[ 13.410934] scsi 8:0:0:0: Direct-Access SanDisk Cruzer Fit 1.00 PQ: 0 ANSI: 6</span>
<span class="go">[ 13.412237] sd 8:0:0:0: [sde] 30595072 512-byte logical blocks: (15.7 GB/14.6 GiB)</span>
<span class="go">[ 13.414122] sd 8:0:0:0: [sde] Write Protect is off</span>
<span class="go">[ 13.414126] sd 8:0:0:0: [sde] Mode Sense: 43 00 00 00</span>
<span class="go">[ 13.415246] sd 8:0:0:0: [sde] Write cache: disabled, read cache: enabled, doesn't support DPO or FUA</span>
<span class="go">[ 13.420719] sde: sde1 sde2</span>
<span class="go">[ 13.423963] sd 8:0:0:0: [sde] Attached SCSI removable disk</span>
</pre></div>
<p>In my case the device we will be using is <code>sde</code> (Cruzer)</p>
<p>We need to format the Boot USB stick with two partitions</p>
<ul>
<li>We need a small bootable boot partition for dom0, about 1GB is enough.</li>
<li>The rest will be used as a LVM partition, for holding supporting domU's</li>
</ul>
<p>We will format using <code>fdisk</code>. Make sure you target the Boot USB stick.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> fdisk /dev/sde
</pre></div>
<p>End result should look like this</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> fdisk -l /dev/sde
<span class="go">Disk /dev/sde: 15 GB, 15664676864 bytes, 30595072 sectors</span>
<span class="go">1904 cylinders, 255 heads, 63 sectors/track</span>
<span class="go">Units: cylinders of 16065 * 512 = 8225280 bytes</span>
<span class="go">Device Boot StartCHS EndCHS StartLBA EndLBA Sectors Size Id Type</span>
<span class="go">/dev/sde1 * 0,1,1 122,254,63 63 1975994 1975932 964M c Win95 FAT32 (LBA)</span>
<span class="go">/dev/sde2 123,0,1 1023,254,63 1975995 30587759 28611765 13.6G 8e Linux LVM</span>
</pre></div>
<p><strong>NOTE</strong> observe that <code>sde1</code> is a bootable partition.</p>
<p><strong>NOTE</strong> you might need to unplug/replug the stick after partitioning it so the kernel picks up the new partition table.</p>
<p>Or run (<code>partprobe</code> comes with parted; busybox's <code>blockdev --rereadpt /dev/sde</code> does the same)</p>
<div class="codehilite"><pre><span></span># partprobe; sleep 2; mdev -s
</pre></div>
<p>Time to add the <code>syslinux</code> package</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> apk add syslinux
</pre></div>
<p>Load the VFAT kernel module</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> modprobe vfat
</pre></div>
<p>Create bootable file system</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> mkfs.vfat /dev/sde1
</pre></div>
<p>Check the UUID of the newly created filesystem, we need the UUID later so make a note of it</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> blkid <span class="p">|</span> fgrep sde1
<span class="go">/dev/sde1: UUID="61DF-01FB" BLOCK_SIZE="512" TYPE="vfat" PARTUUID="2a6b8479-01"</span>
</pre></div>
<p>We need to know which device is the Installation Media, to do this do a <code>df</code>, and in my case the Installation media was mounted at <code>/media/sdc</code> (it might be mounted on different place depending on your situation)</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> df <span class="p">|</span> grep <span class="s1">'/media/'</span>
<span class="go">/dev/sdc 986036 585164 400872 59% /media/sdc</span>
</pre></div>
<p>Run the <code>setup-bootable</code> script to add Alpine Linux to the Boot USB stick and make it bootable (replacing <code>sde</code> with your Boot USB stick name):</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> setup-bootable <Installation media> <Boot USB Stick>
<span class="gp">#</span> setup-bootable /dev/sdc /dev/sde1
</pre></div>
<p>This step might take a few minutes.</p>
<p>When the <code>setup-bootable</code> script is finished the installation is done; remove the Installation Media and reboot.</p>
<div class="codehilite"><pre><span></span><span class="go"><remove installation media></span>
<span class="gp">#</span> reboot
</pre></div>
<h1 id="basic-alpine-host-setup">Basic alpine host setup<a class="headerlink" href="#basic-alpine-host-setup" title="Permanent link">¶</a></h1>
<p>After reboot, login on console again, (still no password for root), and it is time to configure this alpine installation.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> setup-alpine
</pre></div>
<ul>
<li>Configure <code>eth0</code>, and add <code>br0</code>, end result should be like below.</li>
<li>Confirm that the IP, DNS, GW are correct and valid</li>
<li>Based on some script dependencies, it is best to name the bridge <code>br0</code></li>
<li>For DNS IP, please use your own, or if unsure, use Google <code>8.8.8.8</code></li>
</ul>
<p>Below is a printout of my interfaces file after the <code>setup-alpine</code> script was run.</p>
<div class="codehilite"><pre><span></span><span class="na">auto lo</span>
<span class="na">iface lo inet loopback</span>
<span class="na">auto br0</span>
<span class="na">iface br0 inet static</span>
<span class="na">bridge-ports eth0</span>
<span class="na">address 192.168.1.5</span>
<span class="na">netmask 255.255.255.0</span>
<span class="na">gateway 192.168.1.1</span>
</pre></div>
<ul>
<li>Skip <code>eth1</code>, answer <code>done</code></li>
<li>Which disk(s) would you like to use: <code>none</code></li>
<li>Enter where to store configs: the first partition of the Boot USB stick; its name after the reboot may differ from what <code>dmesg</code> showed earlier (<code>sdb1</code> in my case)</li>
<li>Enter apk cache directory: <code>/media/sdb1/cache</code> (adjusted to the name above)</li>
</ul>
<p>After setup has finished, commit the changes to the Boot USB stick.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> lbu commit
</pre></div>
<h1 id="switch-to-mount-with-uuid">Switch to mount with UUID<a class="headerlink" href="#switch-to-mount-with-uuid" title="Permanent link">¶</a></h1>
<p>After the installation a line mounting <code>/dev/sdb1</code> on <code>/media/sdb1</code> was added to <code>/etc/fstab</code>. The problem is that <code>sdb</code> is a dynamic name, so we should switch to mounting via UUID (the one noted from <code>blkid</code> above).</p>
<p><code>fstab</code> Before</p>
<div class="codehilite"><pre><span></span><span class="na">/dev/sdb1 /media/sdb1 vfat ro,relatime,fmask</span><span class="o">=</span><span class="s">0022,dmask=0022,errors=remount-ro 0 0</span>
</pre></div>
<p><code>fstab</code> After</p>
<div class="codehilite"><pre><span></span><span class="na">UUID</span><span class="o">=</span><span class="s">61DF-01FB /media/flash vfat ro,relatime,fmask=0022,dmask=0022,errors=remount-ro 0 0</span>
</pre></div>
<p>Mount it</p>
<div class="codehilite"><pre><span></span># mkdir /media/flash; mount /media/flash
</pre></div>
<p>Fix <code>lbu.conf</code> and the apk <code>repositories</code> file. Note the space after <code>-i</code>: without it sed takes the expression as a backup-suffix argument instead of the script and the command fails.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> sed -i <span class="s1">'s/sdb1/flash/'</span> /etc/lbu/lbu.conf /etc/apk/repositories
</pre></div>
<p>Fix apk cache symlink</p>
<div class="codehilite"><pre><span></span># rm /etc/apk/cache; ln -sf /media/flash/cache /etc/apk/cache
</pre></div>
<p>Save</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> lbu commit
</pre></div>
<h1 id="add-main-user">Add main user<a class="headerlink" href="#add-main-user" title="Permanent link">¶</a></h1>
<p>I took a small shortcut here and <a href="#add-a-user">added a normal user</a>, so I could SSH to the new Alpine server and copy-paste commands from this document.
<strong>Note</strong> Skip the use of <code>etckeeper</code> in that section if you take this shortcut, as it is not installed yet (use <code>lbu commit</code> instead).</p>
<p>Reboot</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> reboot
</pre></div>
<p>At login prompt, login as <code>root</code>, use the password selected in <code>setup-alpine</code></p>
<div class="codehilite"><pre><span></span><span class="go">Login: root</span>
</pre></div>
<p>... or login via ssh as the "main user" optionally created above and use <code>su -</code> to switch to root</p>
<h1 id="add-etckeeper">Add etckeeper<a class="headerlink" href="#add-etckeeper" title="Permanent link">¶</a></h1>
<p>Etckeeper stores the whole of /etc in a git repository and keeps track of every change made there (if <code>apk add etckeeper</code> leaves you without <code>/etc/.git</code>, run <code>etckeeper init</code> first).
Just remember to do an <em>etckeeper commit "Describe the change"</em>; the post-commit hook below makes every such commit also run <code>lbu commit</code>, so the change reaches the Boot USB stick.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> apk add etckeeper
<span class="gp">#</span> cat << EOF > /etc/.git/hooks/post-commit
<span class="go">#!/bin/sh</span>
<span class="go">set -e</span>
<span class="go">lbu commit</span>
<span class="go">EOF</span>
<span class="gp">#</span> chmod <span class="m">755</span> /etc/.git/hooks/post-commit
<span class="gp">#</span> lbu commit
</pre></div>
<h1 id="adding-lvm">Adding LVM<a class="headerlink" href="#adding-lvm" title="Permanent link">¶</a></h1>
<p>First, we need to confirm what name the Boot USB stick has (in my case <code>sde</code>).</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> df
</pre></div>
<p>Time to add and configure LVM.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> apk add lvm2
<span class="gp">#</span> pvcreate /dev/sde2
<span class="go"> Physical volume "/dev/sde2" successfully created.</span>
<span class="gp">#</span> vgcreate vg_domU /dev/sde2
<span class="go"> Volume group "vg_domU" successfully created</span>
<span class="gp">#</span> lvcreate -n lv_domU_installer -L 1G vg_domU
<span class="go"> Logical volume "lv_domU_installer" created.</span>
<span class="gp">#</span> rc-update add lvm
<span class="go"> * service lvm added to runlevel default</span>
<span class="gp">#</span> etckeeper commit <span class="s2">"Added LVM"</span>
</pre></div>
<p>And setup the filesystem.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> apk add e2fsprogs
<span class="gp">#</span> mkfs.ext4 /dev/vg_domU/lv_domU_installer
</pre></div>
<p>And prepare for the domU installation media.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> mkdir /domU_installer
<span class="gp">#</span> <span class="nb">echo</span> <span class="s2">"/dev/vg_domU/lv_domU_installer /domU_installer ext4 noauto,noatime 0 0"</span> >> /etc/fstab
<span class="gp">#</span> mount /domU_installer
<span class="gp">#</span> etckeeper commit <span class="s2">"Added /domU_installer to fstab"</span>
</pre></div>
<p><strong>NOTE</strong> <code>/domU_installer</code> is not mounted automatically on boot; it has to be mounted explicitly when needed and unmounted when no longer needed.
When you try to create a domU and <code>xl</code> complains about missing media, that is usually a sure sign that you forgot to
<code>mount /domU_installer</code></p>
<h1 id="xen-hypervisor">xen-hypervisor<a class="headerlink" href="#xen-hypervisor" title="Permanent link">¶</a></h1>
<p>We need to add the <code>xen-hypervisor</code> manually, since we run diskless.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> apk add xen-hypervisor
</pre></div>
<p>Need to ensure xendomains starts at reboot</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> rc-update add xendomains
<span class="gp">#</span> etckeeper commit <span class="s2">"Start xendomains at reboot"</span>
</pre></div>
<h1 id="tmux-console">TMUX Console<a class="headerlink" href="#tmux-console" title="Permanent link">¶</a></h1>
<p>We will use <code>tmux</code> to capture the consoles of the various domUs.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> apk add tmux
</pre></div>
<p>Then we need to uncomment a line in the <code>/etc/conf.d/xendomains</code> configuration file</p>
<p>Before:</p>
<div class="codehilite"><pre><span></span><span class="c1">#XENDOMAINS_CONSOLE="tmux"</span>
</pre></div>
<p>After:</p>
<div class="codehilite"><pre><span></span><span class="na">XENDOMAINS_CONSOLE</span><span class="o">=</span><span class="s">"tmux"</span>
</pre></div>
<div class="codehilite"><pre><span></span><span class="gp">#</span> etckeeper commit <span class="s2">"Configure xendomains to use tmux"</span>
</pre></div>
<p><strong>After</strong> you have created some domUs the output might look like below; from it we see that the <code>tmux</code> session is called <code>xen</code>.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> tmux ls
<span class="go">0: 1 windows (created Wed Sep 5 05:39:38 2018) [127x53]</span>
<span class="go">4: 1 windows (created Sun Sep 9 01:24:43 2018) [127x53]</span>
<span class="go">xen: 4 windows (created Mon Sep 10 14:44:51 2018) [127x53]</span>
</pre></div>
<p>And you would then connect to the <code>xen</code> <code>tmux</code> session with <code>tmux attach-session</code> using the following command:</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> tmux attach-session -t xen
</pre></div>
<p>For further information on how to navigate a <code>tmux</code> session, please check the following excellent <a href="https://tmuxcheatsheet.com/">Tmux Cheat Sheet</a></p>
<h1 id="prepare-for-domu">Prepare for domU<a class="headerlink" href="#prepare-for-domu" title="Permanent link">¶</a></h1>
<h2 id="alpine-image">Alpine Image<a class="headerlink" href="#alpine-image" title="Permanent link">¶</a></h2>
<p>Prepare the domU installer image (needed to create your first domU later).
Download Alpine Extended from <a href="http://dl-cdn.alpinelinux.org/alpine/v3.15/releases/x86_64/alpine-extended-3.15.0-x86_64.iso">link to Alpine 3.15.0 Extended 64 bits</a>, or if you need another version go to the <a href="https://alpinelinux.org/downloads/">Alpine Download Page</a> and download your preferred "Extended" version.</p>
<p>The reason we use the <code>-extended</code> flavor is that when we create our domUs we do not have to have the network configured and protected while we do the installations.</p>
<p>Remember to download the checksum file as well.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> mount /domU_installer
<span class="gp">#</span> <span class="nb">cd</span> /domU_installer
<span class="gp">#</span> wget https://dl-cdn.alpinelinux.org/alpine/v3.15/releases/x86_64/alpine-extended-3.15.0-x86_64.iso.sha256
<span class="gp">#</span> wget https://dl-cdn.alpinelinux.org/alpine/v3.15/releases/x86_64/alpine-extended-3.15.0-x86_64.iso
</pre></div>
<p>After you have downloaded both the ISO and the checksum file, verify that the ISO has the correct checksum; if not, re-download both and try again. A <code>.sha256</code> fetched from the same server only catches a corrupted download; Alpine also publishes a GnuPG signature (<code>.asc</code>) next to each image for checking that the image is the one Alpine released.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> ls -lh
<span class="go">total 598M </span>
<span class="go">-rw-r--r-- 1 root root 598.0M Oct 10 23:42 alpine-extended-3.15.0-x86_64.iso</span>
<span class="go">-rw-r--r-- 1 root root 100 Oct 10 23:39 alpine-extended-3.15.0-x86_64.iso.sha256</span>
</pre></div>
<p>And now we verify that the checksum is OK.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> sha256sum -c alpine-extended-3.15.0-x86_64.iso.sha256
<span class="go">alpine-extended-3.15.0-x86_64.iso: OK</span>
</pre></div>
<p>After we have verified that the iso image has the correct checksum, place it in the <code>/domU_installer</code> directory (if not already there).</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> mv <Downloaded Alpine Extended <span class="m">64</span> ISO> /domU_installer
</pre></div>
<h2 id="domu-preparation">domU preparation<a class="headerlink" href="#domu-preparation" title="Permanent link">¶</a></h2>
<p>We prepare for the domU installations by fetching the domU boot loader.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> apk add grub-xenhost
</pre></div>
<p>The installation kernel and ramdisk we fetch from the ISO image.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> mount -t iso9660 -o ro alpine-extended-3.15.0-x86_64.iso /mnt
<span class="gp">#</span> cp /mnt/boot/vmlinuz-lts /domU_installer
<span class="gp">#</span> cp /mnt/boot/initramfs-lts /domU_installer
<span class="gp">#</span> umount /mnt
</pre></div>
<h2 id="add-dom0-memory">Add dom0 Memory<a class="headerlink" href="#add-dom0-memory" title="Permanent link">¶</a></h2>
<p>Limit the memory used by dom0 so domUs do not have to "steal" available memory from dom0 when starting.
Since dom0 boots from the Boot USB stick, we need to update syslinux at <code>/media/flash/boot/syslinux/syslinux.cfg</code>.</p>
<p>In a previous version 1GB of RAM was enough, but I found that you could not do a system update/upgrade after a fresh install with only 1G.
Apparently XEN requires a bit more during upgrades, so I'm using 2G here.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> mount /media/flash -o remount,rw
<span class="gp">#</span> vi /media/flash/boot/syslinux/syslinux.cfg
</pre></div>
<p>in particular, we need to add a parameter (<code>dom0_mem=2048M</code>) to the row starting with <code>APPEND</code>. (A lower value will not work as the dom0 is running on a RAM disk.)</p>
<div class="codehilite"><pre><span></span>APPEND /boot/xen.gz dom0_mem=2048M --- /boot/vmlinuz-lts modules=loop,squashfs,sd-mod,usb-storage quiet nomodeset --- /boot/initr
</pre></div>
<p>And remount Boot USB stick read only again.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> mount /media/flash -o remount,ro
</pre></div>
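<p>An added example, not from the original guide: instead of editing the <code>APPEND</code> line by hand, the functions below upsert a hypervisor parameter on it, touching only the part between <code>/boot/xen.gz</code> and the first <code>---</code> (the kernel arguments after it are left alone) and replacing an existing value, so the same call can later raise or lower <code>dom0_mem</code>. The syslinux layout is assumed to match the line shown above; run it after the rw remount and before the ro remount.</p>

```shell
#!/bin/sh
# Added example, not part of the original guide: set or replace a Xen
# hypervisor parameter on the APPEND line of syslinux.cfg.
# Assumed layout (as in the text):
#   APPEND /boot/xen.gz <xen params> --- /boot/vmlinuz-lts <kernel params> --- <initrd>
# Only the hypervisor part (before the first " --- ") is modified.

# xen_set_param FILE KEY=VALUE
# Replaces an existing KEY=... in the hypervisor part of every APPEND line,
# or appends KEY=VALUE to it if absent. Indentation and everything after the
# first " --- " are preserved. Prints the number of APPEND lines rewritten.
xen_set_param() {
    cfg=$1 kv=$2
    key=${kv%%=*}
    [ "$key" != "$kv" ] || { echo "expected KEY=VALUE, got '$kv'" >&2; return 1; }
    awk -v kv="$kv" -v key="$key" -v out="$cfg.new" '
        $1 == "APPEND" {
            match($0, /^[ \t]*/); pre = substr($0, 1, RLENGTH)   # keep indentation
            line = substr($0, RLENGTH + 1)
            i = index(line, " --- ")
            hv = (i ? substr(line, 1, i - 1) : line)               # hypervisor part
            rest = (i ? substr(line, i) : "")                      # kernel part, untouched
            n = split(hv, w, " ")
            hv = ""; found = 0
            for (j = 1; j <= n; j++) {
                if (index(w[j], key "=") == 1) { w[j] = kv; found = 1 }
                hv = hv (j > 1 ? " " : "") w[j]
            }
            if (!found) hv = hv " " kv
            $0 = pre hv rest
            changed++
        }
        { print > out }
        END { print changed + 0 }
    ' "$cfg" && mv "$cfg.new" "$cfg"
}

# xen_get_param FILE KEY
# Prints the value of KEY from the hypervisor part of the first APPEND line
# (nothing if it is not set), handy for checking before a reboot.
xen_get_param() {
    awk -v key="$2" '
        $1 == "APPEND" {
            i = index($0, " --- ")
            hv = (i ? substr($0, 1, i - 1) : $0)
            n = split(hv, w, " ")
            for (j = 1; j <= n; j++)
                if (index(w[j], key "=") == 1) print substr(w[j], length(key) + 2)
            exit
        }' "$1"
}

# On the dom0, between the rw and ro remounts shown above:
#   xen_set_param /media/flash/boot/syslinux/syslinux.cfg dom0_mem=2048M
#   xen_get_param /media/flash/boot/syslinux/syslinux.cfg dom0_mem
```

Keeping the edit to the segment before the first <code>---</code> is the point: a plain <code>sed</code> over the whole line could just as easily attach <code>dom0_mem</code> to the kernel arguments, where Xen never sees it.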
<p>And lastly we reboot and confirm the newly created Alpine Dom0 server is booting up.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> sync
<span class="gp">#</span> reboot
</pre></div>
<h1 id="post-steps">Post steps<a class="headerlink" href="#post-steps" title="Permanent link">¶</a></h1>
<p>When the system comes up it is time for the final touches.</p>
<ul>
<li>Add normal user</li>
<li>Check network etc</li>
</ul>
<h4 id="ping-working">Ping working?<a class="headerlink" href="#ping-working" title="Permanent link">¶</a></h4>
<div class="codehilite"><pre><span></span><span class="gp">#</span> ping www.google.com
</pre></div>
<h4 id="lets-update-the-system">Let's update the system<a class="headerlink" href="#lets-update-the-system" title="Permanent link">¶</a></h4>
<div class="codehilite"><pre><span></span><span class="gp">#</span> apk update
<span class="gp">#</span> apk upgrade
</pre></div>
<h4 id="add-sudo">Add sudo<a class="headerlink" href="#add-sudo" title="Permanent link">¶</a></h4>
<p>For security reasons, and as good practice, let's install sudo.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> apk add sudo
<span class="gp">#</span> sed -e <span class="s1">'s/# %wheel ALL=(ALL:ALL) ALL/%wheel ALL=(ALL:ALL) ALL/g'</span> -i /etc/sudoers
<span class="gp">#</span> etckeeper commit <span class="s2">"Configured sudoers"</span>
</pre></div>
<h4 id="add-a-user">Add a user<a class="headerlink" href="#add-a-user" title="Permanent link">¶</a></h4>
<div class="codehilite"><pre><span></span><span class="gp">#</span> adduser <normal-user-ID>
<span class="gp">#</span> adduser <normal-user-ID> wheel
<span class="gp">#</span> lbu include /home
<span class="gp">#</span> lbu exclude /home/*/.ash_history
<span class="gp">#</span> etckeeper commit <span class="s2">"Added a user"</span>
</pre></div>
<h1 id="next-steps">Next steps<a class="headerlink" href="#next-steps" title="Permanent link">¶</a></h1>
<p>After this step comes, perhaps (it can be argued whether the ZFS host should come before the Network Domain or not), one of the following:</p>
<ul>
<li>Installing a Basic Server as a domU.</li>
<li>Installing a ZFS Storage Domain as a domU.</li>
<li>Installing a Network Domain (firewall) as a domU.</li>
<li>Installing a DNS Caching server as a domU.</li>
<li>etc...</li>
</ul>
<p>These HowTos are being prepared and will be linked here later.
In the meantime, have a look at the old link below.</p>
<p><a href="alpine_domU.html">Alpine DomU</a></p>
<h1 id="appendix">Appendix<a class="headerlink" href="#appendix" title="Permanent link">¶</a></h1>
<h2 id="hypervisor-upgrade">Hypervisor upgrade<a class="headerlink" href="#hypervisor-upgrade" title="Permanent link">¶</a></h2>
<p>When the <code>xen-hypervisor</code> package has been updated, the following needs to be done on the dom0 server.</p>
<ul>
<li>The XEN related files on the <strong>boot device</strong> (<code>/media/flash/boot/*xen*</code>) need to be updated.</li>
</ul>
<p>After the upgrade the XEN boot related files are located in the <code>ramfs</code>, so we need to copy those files to the restart-safe place on the <strong>boot device</strong>.</p>
<p>First, remount the Boot USB stick writable.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> mount /media/flash -o remount,rw
</pre></div>
<p>Second, copy the files needed.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> cp /boot/*xen* /media/flash/boot
</pre></div>
<p>Third, remount Boot USB stick read only again.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> mount /media/flash -o remount,ro
</pre></div>
<p>Fourth, time to verify: we need to confirm that the XEN reference in <code>syslinux.cfg</code> points to the correct XEN version.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> grep xen /media/flash/boot/syslinux/syslinux.cfg
<span class="go">APPEND /boot/xen.gz dom0_mem=2048M --- /boot/vmlinuz-lts modules=loop,squashfs,sd-mod,usb-storage quiet nomodeset --- /boot/initr</span>
</pre></div>
<p>From above we see that we are using <code>/boot/xen.gz</code>.</p>
<p>Let's confirm that <code>xen.gz</code> is the one we want, by checking that its checksum is the same as that of <code>xen-NewVersion.gz</code>.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> cksum /media/flash/boot/xen*.gz
<span class="go">2396837473 1175423 /media/flash/boot/xen-4.15.1.gz</span>
<span class="go">2396837473 1175423 /media/flash/boot/xen-4.15.gz</span>
<span class="go">2396837473 1175423 /media/flash/boot/xen-4.gz</span>
<span class="go">2396837473 1175423 /media/flash/boot/xen.gz</span>
</pre></div>
<p>And last, confirm that the above <code>xen.gz</code> checksums are the same as those under <code>/boot</code>.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> cksum /boot/xen*.gz
<span class="go">2396837473 1175423 /boot/xen-4.15.1.gz</span>
<span class="go">2396837473 1175423 /boot/xen-4.15.gz</span>
<span class="go">2396837473 1175423 /boot/xen-4.gz</span>
<span class="go">2396837473 1175423 /boot/xen.gz</span>
</pre></div>
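<p>The copy and the checksum comparison above, as an added example (not part of the original guide) written as shell functions: the boot-device and ramfs <code>/boot</code> directories are parameters defaulting to the guide's <code>/media/flash/boot</code> and <code>/boot</code>, so the same functions can be exercised on a throw-away directory tree before being trusted on the dom0.</p>

```shell
#!/bin/sh
# Added example, not part of the original guide: the hypervisor-upgrade
# appendix as checkable shell functions. Both directory arguments are
# optional and default to the guide's /media/flash/boot and /boot.

# Print the basename of the xen image named on the first APPEND line of a
# syslinux.cfg, e.g. "APPEND /boot/xen.gz dom0_mem=2048M ..." -> "xen.gz".
xen_image_from_syslinux() {
    awk '/^[ \t]*APPEND/ { n = split($2, p, "/"); print p[n]; exit }' "$1"
}

# "crc size" as printed by cksum, or nothing when the file is missing.
file_cksum() {
    if [ -f "$1" ]; then
        cksum "$1" | awk '{ print $1, $2 }'
    fi
}

# Steps one to three of the guide: copy /boot/*xen* from the ramfs onto the
# boot device, remounting it read-write only if it really is a mount point
# (a plain directory, as in a test tree, is simply copied into).
copy_xen_boot_files() {
    flash_boot="${1:-/media/flash/boot}"
    ram_boot="${2:-/boot}"
    flash_dev=$(dirname "$flash_boot")
    remounted=0
    if mountpoint -q "$flash_dev" 2>/dev/null; then
        mount -o remount,rw "$flash_dev" || return 1
        remounted=1
    fi
    cp "$ram_boot"/*xen* "$flash_boot"/
    rc=$?
    [ "$remounted" -eq 1 ] && mount -o remount,ro "$flash_dev"
    return $rc
}

# Steps four and five of the guide, automated: the image syslinux will boot
# (read from syslinux.cfg on the boot device) must have the same cksum as
# the freshly upgraded copy under /boot. Returns 0 only when they match.
verify_xen_boot_image() {
    flash_boot="${1:-/media/flash/boot}"
    ram_boot="${2:-/boot}"
    image=$(xen_image_from_syslinux "$flash_boot/syslinux/syslinux.cfg") || return 1
    if [ -z "$image" ]; then
        echo "no xen image found on an APPEND line in syslinux.cfg" >&2
        return 1
    fi
    on_flash=$(file_cksum "$flash_boot/$image")
    in_ram=$(file_cksum "$ram_boot/$image")
    if [ -z "$on_flash" ] || [ -z "$in_ram" ]; then
        echo "missing $image under $flash_boot or $ram_boot" >&2
        return 1
    fi
    if [ "$on_flash" = "$in_ram" ]; then
        echo "OK: $image on the boot device matches $ram_boot ($on_flash)"
        return 0
    fi
    echo "MISMATCH: $image boot device=$on_flash ramfs=$in_ram; re-run the copy" >&2
    return 1
}

# Real use on the dom0 (uncomment): copy, then refuse to reboot on a mismatch.
# copy_xen_boot_files && verify_xen_boot_image || exit 1
```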
<h2 id="dom0-kernel-upgrade">dom0 Kernel Upgrade<a class="headerlink" href="#dom0-kernel-upgrade" title="Permanent link">¶</a></h2>
<p>You can update the kernel by putting <code><hostname>.apkovl.tar.gz</code> on a freshly installed USB stick, or with the <code>update-kernel</code> command.
However, using <code>update-kernel</code> requires more <code>dom0_mem</code> (<code>update-kernel</code> uses both RAM and the <code>ramfs</code> on <code>/tmp</code>), hence we are temporarily
using a 4GB dedicated LVM disk for <code>/tmp</code> during the kernel upgrade, to be able to complete the update without running out of memory.</p>
<p>The <code>tmpfs</code> volume is too small for the kernel upgrade.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> df -h /tmp
<span class="go">Filesystem Size Used Available Use% Mounted on</span>
<span class="go">tmpfs 155.7M 137.2M 18.5M 88% /</span>
</pre></div>
<p>We add a kernel upgrade volume.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> lvcreate -n lv_kernel_upgrade -L 4G vg_domU
<span class="go"> Logical volume "lv_kernel_upgrade" created.</span>
<span class="gp">#</span> mkfs.ext4 /dev/vg_domU/lv_kernel_upgrade
</pre></div>
<p>And mount it on <code>/tmp</code>.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> mount -t ext4 /dev/vg_domU/lv_kernel_upgrade /tmp
<span class="gp">#</span> df -h /tmp
<span class="go">Filesystem Size Used Available Use% Mounted on</span>
<span class="go">/dev/vg_domU/lv_kernel_upgrade</span>
<span class="go"> 3.9G 16.0M 3.6G 0% /tmp</span>
</pre></div>
<p>Check free RAM.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> free -m
<span class="go"> total used free shared buffers cached</span>
<span class="go">Mem: 311 270 40 137 2 203</span>
<span class="go">-/+ buffers/cache: 64 247</span>
<span class="go">Swap: 0 0 0</span>
</pre></div>
<p>Now <code>update-kernel</code> can be used.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> mount -o remount,rw /media/flash
<span class="gp">#</span> update-kernel
<span class="gp">#</span> mount -o remount,ro /media/flash
</pre></div>
<p><strong>If</strong> there is a complaint about a missing <code>mksquashfs</code> command, just install it and re-run the <code>update-kernel</code> command.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> apk add squashfs-tools
</pre></div>
<p>And we need to unmount the temporary <code>/tmp</code> LVM disk.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> umount /tmp
</pre></div>
<p>Now you can reboot the dom0 to the updated kernel.</p>
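<p>The kernel-upgrade steps of this section as one runbook, added here as an example and not the guide's own script: VG, LV, size and mount points default to the guide's values, the free-space check on <code>/tmp</code> and the 1024 MiB threshold are my additions, and <code>DRY_RUN=1</code> prints the commands instead of executing them.</p>

```shell
#!/bin/sh
# Added example, not the guide's own script: the dom0 kernel-upgrade steps
# from this section in order. Defaults are the guide's values; DRY_RUN=1
# only prints the commands, which is also how the step order is checked.
VG=${VG:-vg_domU}
LV=${LV:-lv_kernel_upgrade}
LV_SIZE=${LV_SIZE:-4G}
FLASH=${FLASH:-/media/flash}
TMP_MNT=${TMP_MNT:-/tmp}
DRY_RUN=${DRY_RUN:-0}

# Execute a command, or only print it prefixed with "+ " when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Free space in MiB on the filesystem that holds $1 (df -P is the POSIX form).
free_mib() {
    df -Pk "$1" | awk 'NR == 2 { printf "%d\n", $4 / 1024 }'
}

# update-kernel works in /tmp, and the guide's 155 MiB tmpfs there is too
# small; 1024 MiB is an assumed threshold, well below the 4G volume created.
tmp_big_enough() {
    [ "$(free_mib "${1:-$TMP_MNT}")" -ge 1024 ]
}

upgrade_dom0_kernel() {
    # 1. a real disk behind /tmp while the kernel is rebuilt
    run lvcreate -n "$LV" -L "$LV_SIZE" "$VG" || return 1
    run mkfs.ext4 "/dev/$VG/$LV" || return 1
    run mount -t ext4 "/dev/$VG/$LV" "$TMP_MNT" || return 1
    if [ "$DRY_RUN" != "1" ] && ! tmp_big_enough "$TMP_MNT"; then
        echo "$TMP_MNT is still too small for update-kernel" >&2
        run umount "$TMP_MNT"
        return 1
    fi
    # 2. update-kernel needs mksquashfs, which comes with squashfs-tools
    if ! command -v mksquashfs >/dev/null 2>&1; then
        run apk add squashfs-tools || return 1
    fi
    # 3. rebuild the kernel files on the (temporarily writable) boot device
    run mount -o remount,rw "$FLASH" || return 1
    run update-kernel
    rc=$?
    run mount -o remount,ro "$FLASH"
    # 4. give /tmp back to tmpfs; reboot afterwards to use the new kernel
    run umount "$TMP_MNT"
    return $rc
}

# On the dom0 (uncomment): upgrade_dom0_kernel && reboot
```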
<h2 id="localized-keyboard">Localized keyboard<a class="headerlink" href="#localized-keyboard" title="Permanent link">¶</a></h2>
<p>If you have trouble with a localized keyboard layout (possibly a bug in <code>setup-alpine</code>), then use the following workaround:
put the following content into the file <code>/etc/profile.d/loadkeymap.sh</code>:</p>
<div class="codehilite"><pre><span></span><span class="ch">#!/bin/ash</span>
<span class="k">if</span> <span class="o">[</span> <span class="s2">"/dev/tty1"</span> <span class="o">=</span> <span class="s2">"`tty`"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then</span>
<span class="nb">echo</span> <span class="s2">"Loading selected keymap."</span>
/etc/init.d/loadkmap start
<span class="k">fi</span>
</pre></div>
<p>Then commit the changes.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> etckeeper commit <span class="s2">"Added loadkeymap"</span>
</pre></div>
<h2 id="domu-installation-config">domU installation config<a class="headerlink" href="#domu-installation-config" title="Permanent link">¶</a></h2>
<p>To use this installation image, you could use the below template as a base.
You have to make sure that your MAC address is <strong>UNIQUE</strong>. A tool that can help you with this is, for example, <a href="https://gist.github.com/viz3/6591201">random_mac.py</a>.</p>
<p>If you do it manually, please start with <code>00:16:3E</code> followed by a unique combination for you.
For instance <code>00:16:3e:AA:AA:01</code> or <code>00:16:3e:BE:EF:01</code>.</p>
<div class="codehilite"><pre><span></span><span class="c1">#####</span>
<span class="c1">##### <Hostname> domU</span>
<span class="c1">#####</span>
<span class="na">vcpus</span> <span class="o">=</span> <span class="s">'1'</span>
<span class="na">memory</span> <span class="o">=</span> <span class="s">'256'</span>
<span class="na">maxmem</span> <span class="o">=</span> <span class="s">'256'</span>
<span class="na">kernel</span> <span class="o">=</span> <span class="s">"/domU_installer/vmlinuz-lts"</span>
<span class="na">ramdisk</span> <span class="o">=</span> <span class="s">"/domU_installer/initramfs-lts"</span>
<span class="na">extra</span> <span class="o">=</span> <span class="s">"alpine_dev=hdc:iso9660 modules=loop,squashfs,sd-mod,usb-storage console=hvc0"</span>
<span class="na">disk</span> <span class="o">=</span> <span class="s">[</span>
<span class="s"> 'file://domU_installer/alpine-extended-3.15.0-x86_64.iso,hdc:cdrom,r',</span>
<span class="s"> 'phy:<Physical Path to your disk>,xvda1,w', </span>
<span class="s"> ]</span>
<span class="na">name</span> <span class="o">=</span> <span class="s">'<Hostname>'</span>
<span class="c1">## ENSURE THAT THE MAC ADDRESS IS UNIQ!!!</span>
<span class="na">vif</span> <span class="o">=</span> <span class="s">[ 'mac=<Unique MAC Address>,bridge=br0' ]</span>
<span class="na">on_poweroff</span> <span class="o">=</span> <span class="s">'destroy'</span>
<span class="na">on_reboot</span> <span class="o">=</span> <span class="s">'restart'</span>
<span class="na">on_crash</span> <span class="o">=</span> <span class="s">'restart'</span>
</pre></div>
<h2 id="domu-running-config">domU running config<a class="headerlink" href="#domu-running-config" title="Permanent link">¶</a></h2>
<p>A slight modification is needed: use the proper kernel, and remove the installation image.</p>
<div class="codehilite"><pre><span></span><span class="c1">#####</span>
<span class="c1">##### <Hostname> domU</span>
<span class="c1">#####</span>
<span class="na">vcpus</span> <span class="o">=</span> <span class="s">'1'</span>
<span class="na">memory</span> <span class="o">=</span> <span class="s">'256'</span>
<span class="na">maxmem</span> <span class="o">=</span> <span class="s">'256'</span>
<span class="na">kernel</span> <span class="o">=</span> <span class="s">"/usr/lib/grub-xen/grub-x86_64-xen.bin"</span>
<span class="na">disk</span> <span class="o">=</span> <span class="s">[</span>
<span class="s"> 'phy:<Physical Path to your disk>,xvda1,w', </span>
<span class="s"> ]</span>
<span class="na">name</span> <span class="o">=</span> <span class="s">'<Hostname>'</span>
<span class="c1">## ENSURE MAC ADDRESS IS UNIQ!!!</span>
<span class="na">vif</span> <span class="o">=</span> <span class="s">[ 'mac=<Unique MAC Address>,bridge=br0' ]</span>
<span class="na">on_poweroff</span> <span class="o">=</span> <span class="s">'destroy'</span>
<span class="na">on_reboot</span> <span class="o">=</span> <span class="s">'restart'</span>
<span class="na">on_crash</span> <span class="o">=</span> <span class="s">'restart'</span>
</pre></div>
<p>Alpine Linux as a Xen Storage Driver Domain, published 2021-01-10 by bengt.</p>
<h1 id="alpine-linux-as-a-xen-storage-driver-domain">Alpine Linux as a Xen Storage Driver Domain<a class="headerlink" href="#alpine-linux-as-a-xen-storage-driver-domain" title="Permanent link">¶</a></h1>
<p>Guide to configure a Xen Storage Driver Domain based on Alpine 3.11. The dom0 is set up as in <a href="alpine_v38_dom0.html">Alpine Dom0 V3.8</a>, but later upgraded in accordance with <a href="alpine_dom0_upgrade.html">Alpine dom0 upgrade</a>.</p>
<p>The aim of this domU is to serve ZFS in the end, hence the name of the domU is <code>zfshost</code>.</p>
<p>To do this I have the following extra hardware:</p>
<ul>
<li>SSD Root/SLOG Samsung SM863 120GB 2.5 inch 7mm SSD, 2 pieces so I can mirror them.</li>
<li>HDD Tank WD Red 6TB NAS HDD 3.5" 6Gb/s Intellipower WD60EFRX, 2 pieces so I can mirror them</li>
</ul>
<p>I will partition the SSD disks as below:</p>
<ul>
<li>30GB for Raid and LVM. Will contain Root for <code>zfshost</code> (and some unused space in the LVM VG).</li>
<li>10GB unmarked. Will contain SLOG</li>
<li>Rest will be un-partitioned for increased endurance, and future use.</li>
</ul>
<p>The HDD disks will not be partitioned at all. ZFS will handle them straight up.</p>
<p>The end result will have <code>/boot</code> mounted from dom0 (virtual disk), while rest from the local domU disks.</p>
<table>
<thead>
<tr>
<th>Mount Point</th>
<th>"From where"</th>
<th>Disk</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>/boot</code></td>
<td>dom0 USB-Stick</td>
<td>LVM LV <code>zfshost-boot</code> in <code>vg_domU</code> (in dom0)</td>
</tr>
<tr>
<td><code>/</code></td>
<td>domU SSD</td>
<td>LVM LV <code>lv_root</code> in <code>vg_zfshost</code></td>
</tr>
<tr>
<td>SLOG</td>
<td>domU SSD</td>
<td>Two raw partitions</td>
</tr>
<tr>
<td>zfs pool disks</td>
<td>domU HDD</td>
<td>Whole disks</td>
</tr>
</tbody>
</table>
<h1 id="various-references">Various references<a class="headerlink" href="#various-references" title="Permanent link">¶</a></h1>
<p>Here are some various references I have been looking at</p>
<ol>
<li><a href="hp_microserver_gen8.html">HP Microserver Gen8</a></li>
<li><a href="alpine_dom0.html">Alpine dom0</a></li>
<li><a href="alpine_domU.html">Alpine domU</a></li>
<li><a href="xen_storage_driver_domain.html">XEN Storage Domain Driver</a></li>
<li><a href="https://github.com/zfsonlinux/zfs/wiki/Debian">ZFS On Linux</a></li>
<li><a href="https://pthree.org/2012/12/06/zfs-administration-part-iii-the-zfs-intent-log/">ZFS Administration Intent Log</a></li>
<li><a href="xen_dom0_setup.html#setup-pci-passthrough-optional">PCI Passthrough</a></li>
<li><a href="https://stewartadam.io/howtos/fedora-20/installing-zfs-and-setting-pool">Installing ZFS and setting Pool</a></li>
<li><a href="http://wiki.lustre.org/ZFS_Compression">ZFS Compression</a></li>
<li><a href="https://docs.oracle.com/cd/E23823_01/html/819-5461/gaypa.html">Creating a ZFS File System Hierarchy</a></li>
</ol>
<h2 id="dom0-work">Dom0 work<a class="headerlink" href="#dom0-work" title="Permanent link">¶</a></h2>
<p>In <a href="alpine_v38_dom0">Alpine Dom0 V3.8</a> we created a very basic Xen dom0 server, which was only prepared for its domU guests. Now we need to add the specific parts related to this ZFS domU, mainly:</p>
<ul>
<li>Virtual boot disk</li>
<li>domU configuration file</li>
<li>PCI Pass-through so we can access the required domU disks (SSD and HDD)</li>
</ul>
<h3 id="domus-boot-disk">domU's boot disk<a class="headerlink" href="#domus-boot-disk" title="Permanent link">¶</a></h3>
<p>We need to create and prepare the boot disk for the domU.</p>
<div class="codehilite"><pre><span></span><span class="go">dom0 # lvcreate -n zfshost-boot -L 512M vg_domU</span>
<span class="go">dom0 # apk add e2fsprogs</span>
<span class="go">dom0 # mkfs.ext4 /dev/vg_domU/zfshost-boot</span>
</pre></div>
<h3 id="dom0-bios">dom0 BIOS<a class="headerlink" href="#dom0-bios" title="Permanent link">¶</a></h3>
<p>We will use ZFS and <code>mdadm</code>, and let these systems handle the RAID part, hence we need to de-activate hardware based RAID in the BIOS, as well as enable AHCI mode.</p>
<ul>
<li>Disable hardware based RAID in BIOS</li>
<li>Enable AHCI mode in BIOS</li>
</ul>
<h3 id="pci-passthru">PCI Passthru<a class="headerlink" href="#pci-passthru" title="Permanent link">¶</a></h3>
<p>Now we need to find out which PCI device our SSD disks are connected to. The default <code>lspci</code> application (part of <code>busybox</code>) will not provide enough information, so we need to install a more feature-rich implementation. In my case, I will look for the hotplug SATA devices. If you have a PCI board, look for what chipset you have, and search for it in the <code>lspci</code> output.</p>
<div class="codehilite"><pre><span></span><span class="go">dom0 # apk add pciutils</span>
<span class="go">dom0 # lspci -k</span>
<span class="go">...</span>
<span class="go">00:1f.2 SATA controller: Intel Corporation 6 Series/C200 Series Chipset Family 6 port Desktop SATA AHCI Controller (rev 05)</span>
<span class="go"> Subsystem: Hewlett-Packard Company Device 330d</span>
<span class="go"> Kernel driver in use: pciback</span>
<span class="go">...</span>
<span class="go">dom0 #</span>
</pre></div>
<p>Verify <code>xen_pciback</code> is in <code>/etc/modules</code>, if not, add it.</p>
<div class="codehilite"><pre><span></span><span class="go">dom0 # grep xen_pciback /etc/modules</span>
</pre></div>
<p>Make sure that the module <code>xen_pciback</code> is loaded.</p>
<div class="codehilite"><pre><span></span><span class="go">dom0 # modprobe xen_pciback</span>
</pre></div>
<h3 id="domu-configuration-file">domU configuration file<a class="headerlink" href="#domu-configuration-file" title="Permanent link">¶</a></h3>
<p>Ok, time to create the domU configuration file.</p>
<ul>
<li>Observe that the MAC address has to be unique among the dom0 and all domUs. A tool to help you with this might be <a href="https://gist.github.com/djoreilly/6991817b42805c1a556b43bec6a7eda3">random_mac.py</a>, as an example.</li>
<li>Make sure that you specify the correct PCI device to pass through to domU.</li>
<li>The <code>cdrom</code> points to the installer image which was prepared in the <a href="alpine_dom0_v38#domu-preparation">dom0</a> installation</li>
</ul>
<p>If you do it manually, please start the MAC address with <code>00:16:3E</code> followed by a unique combination for you.
For instance <code>00:16:3e:AA:AA:01</code> or <code>00:16:3e:BE:EF:01</code>, or something similar that is unique in your network.</p>
<div class="codehilite"><pre><span></span><span class="go">dom0 # cat > /etc/xen/zfshost.cfg</span>
<span class="gp">#</span><span class="c1">####</span>
<span class="gp">#</span><span class="c1">#### zfshost domU</span>
<span class="gp">#</span><span class="c1">####</span>
<span class="go">vcpus = '1'</span>
<span class="go">memory = '8096'</span>
<span class="go">maxmem = '8096'</span>
<span class="go">kernel = "/domU_installer/vmlinuz-lts"</span>
<span class="go">ramdisk = "/domU_installer/initramfs-lts"</span>
<span class="go">extra = "alpine_dev=hdc:iso9660 modules=loop,squashfs,sd-mod,usb-storage console=hvc0"</span>
<span class="go">disk = [</span>
<span class="go"> 'file://domU_installer/alpine-extended-3.11.2-x86_64.iso,hdc:cdrom,r',</span>
<span class="go"> 'phy:/dev/vg_domU/zfshost-boot,xvda1,w',</span>
<span class="go"> ]</span>
<span class="go">name = 'zfshost'</span>
<span class="gp">#</span><span class="c1"># ENSURE MAC ADDRESS IS UNIQ!!!</span>
<span class="go">vif = [ 'mac=<Unique MAC Address>,bridge=br0' ]</span>
<span class="go">on_poweroff = 'destroy'</span>
<span class="go">on_reboot = 'restart'</span>
<span class="go">on_crash = 'restart'</span>
<span class="go">pci = [ '00:1f.2' ]</span>
<span class="go">CTRL-D</span>
<span class="go">dom0 #</span>
</pre></div>
<p>If you have several PCI devices you want to pass through to the domU, then the line <code>pci = [ '00:1f.2' ]</code> above should be changed to <code>pci = [ '00:1f.2', 'XX:YY.C', 'XX:YY.C', ... ]</code>, where each <code>XX:YY.C</code> has to be replaced by the proper PCI bus address.</p>
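<p>Both this config and the domU installation config earlier insist that the MAC address must be unique. As an added example (not part of the original guide, and unrelated to the linked <code>random_mac.py</code>), the following shell functions do that check mechanically over the <code>vif</code> lines of every <code>*.cfg</code> in a directory (default <code>/etc/xen</code>) and pick a fresh address in the <code>00:16:3e</code> range that no config uses yet.</p>

```shell
#!/bin/sh
# Added example, not part of the original guide: a mechanical version of the
# "ENSURE MAC ADDRESS IS UNIQ" comment in the domU configs. The config
# directory is a parameter (default /etc/xen) so it can run on a test tree.

# Print every MAC found on non-comment lines of the given config files,
# lower-cased, one per line (the files use 'mac=XX:XX:XX:XX:XX:XX,...').
list_vif_macs() {
    cat "$@" 2>/dev/null \
        | grep -v '^[[:space:]]*#' \
        | tr 'A-F' 'a-f' \
        | grep -o 'mac=[0-9a-f:]\{17\}' \
        | cut -d= -f2
}

# Exit 0 when all MACs in the directory are distinct, 1 (listing the
# offenders) when two or more configs share one. This only covers domUs
# defined in files: a MAC used by dom0 itself or by another host on the
# bridge is not seen here.
find_duplicate_macs() {
    dir="${1:-/etc/xen}"
    dups=$(list_vif_macs "$dir"/*.cfg | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "duplicate MAC(s) in $dir/*.cfg:" >&2
        echo "$dups" >&2
        return 1
    fi
    return 0
}

# Print a random 00:16:3e:xx:xx:xx address (the range the guide recommends)
# that does not appear in any config of the directory. The three random
# bytes come from /dev/urandom; gives up after 100 collisions.
new_unique_mac() {
    dir="${1:-/etc/xen}"
    used=$(list_vif_macs "$dir"/*.cfg)
    tries=0
    while [ "$tries" -lt 100 ]; do
        suffix=$(od -An -N3 -tx1 /dev/urandom | tr -s ' ' ':' | sed 's/^://')
        mac="00:16:3e:$suffix"
        if ! printf '%s\n' "$used" | grep -qx "$mac"; then
            echo "$mac"
            return 0
        fi
        tries=$((tries + 1))
    done
    echo "could not find an unused MAC after 100 tries" >&2
    return 1
}

# Typical use on the dom0 before writing a new config (uncomment):
# find_duplicate_macs && echo "vif = [ 'mac=$(new_unique_mac),bridge=br0' ]"
```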
<h3 id="handover-pci-device-to-dom0-xen-pciback-module">Handover PCI Device to dom0 <code>xen-pciback</code> module<a class="headerlink" href="#handover-pci-device-to-dom0-xen-pciback-module" title="Permanent link">¶</a></h3>
<p>To configure automatic PCI handover on every reboot, we need to modify <code>/etc/conf.d/xen-pci</code> and add your device to the list of devices.</p>
<div class="codehilite"><pre><span></span><span class="go">dom0 # vi /etc/conf.d/xen-pci</span>
<span class="go">...</span>
<span class="go">DEVICES="00:1f.2"</span>
<span class="go">...</span>
</pre></div>
<p>If You have several PCI devices then the <code>DEVICES</code> line should look like below:</p>
<div class="codehilite"><pre><span></span>DEVICES="00:1f.2 XX:YY.C ..."
</pre></div>
<p>And last add it to <code>rc-update</code> so it is executed on reboot.</p>
<div class="codehilite"><pre><span></span><span class="go">dom0 # rc-update add xen-pci</span>
<span class="go"> * service xen-pci added to runlevel default</span>
<span class="go">dom0 # lbu commit</span>
<span class="go">dom0 #</span>
</pre></div>
<h3 id="verify-pci-passthru">Verify PCI Passthru<a class="headerlink" href="#verify-pci-passthru" title="Permanent link">¶</a></h3>
<p>Reboot dom0 to verify that the PCI Passthru is working.</p>
<div class="codehilite"><pre><span></span><span class="go">dom0 # reboot</span>
</pre></div>
<p>And when the system is up and running, verify:</p>
<div class="codehilite"><pre><span></span><span class="go">dom0 # xl pci-assignable-list</span>
<span class="go">0000:00:1f.2</span>
</pre></div>
<h3 id="start-domu">Start domU<a class="headerlink" href="#start-domu" title="Permanent link">¶</a></h3>
<p>First confirm that the installation directory is mounted.</p>
<div class="codehilite"><pre><span></span><span class="go">dom0 # mount /domU_installer</span>
</pre></div>
<p>Then it is time to start the installation, to do this we simply start the domU</p>
<div class="codehilite"><pre><span></span><span class="go">dom0 # xl create /etc/xen/zfshost.cfg -c</span>
</pre></div>
<p>To get back to the dom0 environment from the domU console, you press CTRL+]</p>
<h2 id="domu-work">domU work<a class="headerlink" href="#domu-work" title="Permanent link">¶</a></h2>
<h3 id="disks-visible">Disks visible?<a class="headerlink" href="#disks-visible" title="Permanent link">¶</a></h3>
<p>Did the PCI Passthru work? Let's check.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> dmesg <span class="p">|</span> grep logical<span class="se">\ </span>blocks
<span class="go">[ 5.242266] sd 0:0:0:0: [sda] 11721045168 512-byte logical blocks: (6.00 TB/5.46 TiB)</span>
<span class="go">[ 5.718972] sd 1:0:0:0: [sdb] 11721045168 512-byte logical blocks: (6.00 TB/5.46 TiB)</span>
<span class="go">[ 6.194013] sd 2:0:0:0: [sdc] 234441648 512-byte logical blocks: (120 GB/112 GiB)</span>
<span class="go">[ 6.667206] sd 3:0:0:0: [sdd] 234441648 512-byte logical blocks: (120 GB/112 GiB)</span>
</pre></div>
<p>Yes, in my case the PCI Passthru worked just fine.</p>
<ul>
<li><code>sdc</code> : (Optional) This disk will have a RAID, and a SLOG partition created at this stage.</li>
<li><code>sdd</code> : (Optional) This disk will have a RAID, and a SLOG partition created at this stage.</li>
<li><code>sdc</code> & <code>sdd</code> RAID partitions are mirrored, with LVM on top, which will contain the root filesystem (<code>/</code>)</li>
<li><code>sda</code> & <code>sdb</code> will not be touched at this stage. (Data disks for ZFS)</li>
</ul>
<h3 id="partition-the-disks">Partition the disks<a class="headerlink" href="#partition-the-disks" title="Permanent link">¶</a></h3>
<p>Partitioning of the disks (<code>sdc</code> and <code>sdd</code>) is done using <code>fdisk</code> for instance. These disks will contain the root volume under RAID/LVM control in the first partition, while the second partition will contain the SLOG under ZFS control.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> fdisk /dev/sdc
<span class="gp">#</span> fdisk /dev/sdd
</pre></div>
<p>The result should be something like this. It is best to align the partitions to 4096 sectors.</p>
<div class="codehilite"><pre><span></span><span class="go">Device Boot StartCHS EndCHS StartLBA EndLBA Sectors Size Id Type</span>
<span class="go">/dev/sdc1 0,65,2 1023,254,63 4096 70332415 70328320 33.5G da Unknown</span>
<span class="go">/dev/sdc2 1023,254,63 1023,254,63 70332416 93775871 23443456 11.1G da Unknown</span>
<span class="go">/dev/sdd1 0,65,2 1023,254,63 4096 70332415 70328320 33.5G da Unknown</span>
<span class="go">/dev/sdd2 1023,254,63 1023,254,63 70332416 93775871 23443456 11.1G da Unknown</span>
</pre></div>
<p>We use partition type <code>da</code> (non-fs data) as this is the type recommended for use with mdadm (<a href="https://raid.wiki.kernel.org/index.php/Partition_Types">Partition_Types</a>), and it also works
very well for the SLOG partition.</p>
<h3 id="raid-and-lvm-configuration">RAID and LVM configuration<a class="headerlink" href="#raid-and-lvm-configuration" title="Permanent link">¶</a></h3>
<p>We are missing the MD RAID and LVM packages, so let's install them</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> apk add mdadm lvm2
</pre></div>
<p>and create the RAID device.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> mdadm --zero-superblock /dev/sdc1
<span class="gp">#</span> mdadm --zero-superblock /dev/sdd1
<span class="gp">#</span> mdadm --create --bitmap<span class="o">=</span>internal /dev/md/md0 --level<span class="o">=</span><span class="m">1</span> --raid-devices<span class="o">=</span><span class="m">2</span> /dev/sdc1 /dev/sdd1
</pre></div>
<p>If you want to see the result of the mirroring, or follow the synchronization, check <code>/proc/mdstat</code>.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> cat /proc/mdstat
</pre></div>
<p>If it takes a long time, and you want to see it progress...</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> watch cat /proc/mdstat
</pre></div>
<p>Then let's create the new LVM devices for this domU. If this is not the first attempt, just answer Y to the confirmation question.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> pvcreate -ff -y /dev/md/md0
<span class="gp">#</span> vgcreate vg_zfshost /dev/md/md0
<span class="gp">#</span> lvcreate -y -n lv_root -L 10G vg_zfshost
<span class="gp">#</span> apk add e2fsprogs
<span class="gp">#</span> mkfs.ext4 /dev/vg_zfshost/lv_root
</pre></div>
<h3 id="mountpoints-etc">Mountpoints etc<a class="headerlink" href="#mountpoints-etc" title="Permanent link">¶</a></h3>
<p>Time to configure the mountpoints for root and boot, as well as mount them. We will put them under <code>/mnt</code> for the installation process.</p>
<p>Boot (<code>/mnt/boot</code>) will be mounted from a virtual disk provided by dom0. One good advantage of this is that you can look at (read: troubleshoot) the domU's boot disk while you are in dom0.</p>
<p>Root will be mounted from the domU's local SSD disk.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> mount /dev/vg_zfshost/lv_root /mnt
<span class="gp">#</span> mkdir /mnt/boot
<span class="gp">#</span> mount /dev/xvda1 /mnt/boot
</pre></div>
<h3 id="running-the-setup-alpine">Running the <code>setup-alpine</code><a class="headerlink" href="#running-the-setup-alpine" title="Permanent link">¶</a></h3>
<p>Finally, time to configure (set up) the actual Alpine part.</p>
<p>Key things to remember</p>
<ul>
<li>Answer <code>none</code> to the last questions (disks, config, and apk repository):</li>
<li>Which disk(s) would you like to use? (or '?' for help or 'none') [none]</li>
<li>Enter where to store configs ('floppy', 'usb' or 'none') [none]:</li>
<li>Enter apk cache directory (or '?' or 'none') [<code>/var/cache/apk</code>]: <code>none</code></li>
</ul>
<div class="codehilite"><pre><span></span><span class="gp">#</span> setup-alpine
<span class="go">Available keyboard layouts:</span>
<span class="go">af be cn fi hu jp lt my ro tj</span>
<span class="go">al bg cz fo ie ke lv ng rs tm</span>
<span class="go">am br de fr il kg ma nl ru tr</span>
<span class="go">ara brai dk gb in kr md no se tw</span>
<span class="go">at by dz ge iq kz me ph si ua</span>
<span class="go">az ca ee gh ir la mk pk sk us</span>
<span class="go">ba ch epo gr is latam ml pl sy uz</span>
<span class="go">bd cm es hr it lk mt pt th</span>
<span class="go">Select keyboard layout [none]: us</span>
<span class="go">Available variants: us-alt-intl us-altgr-intl us-chr us-colemak us-dvorak-alt-intl us-dvorak-classic us-dvorak-intl us-dvorak-l us-dvorak-r us-dvorak us-dvp us-euro us-hbs us-intl us-mac us-olpc2 us-rus us-workman-intl us-workman us</span>
<span class="go">Select variant []: us</span>
<span class="go"> * Caching service dependencies ... [ ok ]</span>
<span class="go"> * Setting keymap ... [ ok ]</span>
<span class="go">Enter system hostname (short form, e.g. 'foo') [localhost]: zfshost</span>
<span class="go">Available interfaces are: eth0.</span>
<span class="go">Enter '?' for help on bridges, bonding and vlans.</span>
<span class="go">Which one do you want to initialize? (or '?' or 'done') [eth0]</span>
<span class="go">Ip address for eth0? (or 'dhcp', 'none', '?') [dhcp] 192.168.1.19/24</span>
<span class="go">Gateway? (or 'none') [none] 192.168.1.1</span>
<span class="go">Configuration for eth0:</span>
<span class="go"> type=static</span>
<span class="go"> address=192.168.1.19</span>
<span class="go"> netmask=255.255.255.0</span>
<span class="go"> gateway=192.168.1.1</span>
<span class="go">Do you want to do any manual network configuration? [no]</span>
<span class="go">DNS domain name? (e.g 'bar.com') [] example.com</span>
<span class="go">DNS nameserver(s)? [] 8.8.8.8</span>
<span class="go">Changing password for root</span>
<span class="go">New password:</span>
<span class="go">Retype password:</span>
<span class="go">passwd: password for root changed by root</span>
<span class="go">Which timezone are you in? ('?' for list) [UTC] Australia/Melbourne</span>
<span class="go"> * Starting busybox acpid ... [ ok ]</span>
<span class="go"> * Starting busybox crond ... [ ok ]</span>
<span class="go">HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</span>
<span class="go">Available mirrors:</span>
<span class="go">1) dl-cdn.alpinelinux.org</span>
<span class="go">...</span>
<span class="go">19) http://mirror.aarnet.edu.au</span>
<span class="go">...</span>
<span class="go">36) mirrors.shu.edu.cn</span>
<span class="go">r) Add random from the above list</span>
<span class="go">f) Detect and add fastest mirror from above list</span>
<span class="go">e) Edit /etc/apk/repositories with text editor</span>
<span class="go">Enter mirror number (1-36) or URL to add (or r/f/e/done) [f]: 19</span>
<span class="go">Added mirror mirror.aarnet.edu.au</span>
<span class="go">Updating repository indexes... done.</span>
<span class="go">Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]</span>
<span class="go"> * service sshd added to runlevel default</span>
<span class="go"> * Caching service dependencies ... [ ok ]</span>
<span class="go">ssh-keygen: generating new host keys: RSA DSA ECDSA ED25519</span>
<span class="go"> * Starting sshd ... [ ok ]</span>
<span class="go">Which NTP client to run? ('busybox', 'openntpd', 'chrony' or 'none') [chrony]</span>
<span class="go"> * service chronyd added to runlevel default</span>
<span class="go"> * Caching service dependencies ... [ ok ]</span>
<span class="go"> * Starting chronyd ... [ ok ]</span>
<span class="go">Available disks are:</span>
<span class="go"> sda (6001.2 GB ATA WDC WD60EFRX-68L)</span>
<span class="go"> sdb (6001.2 GB ATA WDC WD60EFRX-68L)</span>
<span class="go"> dm-0 (10.7 GB )</span>
<span class="go"> dm-1 (2.1 GB )</span>
<span class="go">Which disk(s) would you like to use? (or '?' for help or 'none') [none]</span>
<span class="go">Enter where to store configs ('floppy', 'usb' or 'none') [none]:</span>
<span class="go">Enter apk cache directory (or '?' or 'none') [/var/cache/apk]: none</span>
<span class="gp">zfshost:~#</span>
</pre></div>
<p><strong>Workaround</strong>: If the above fails, or you need to re-run <code>setup-alpine</code> for some reason, first tear down and bring up the network interface manually, then re-run <code>setup-alpine</code>:</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> ifdown eth0
<span class="gp">#</span> ifup eth0
</pre></div>
<h3 id="modules-configuration">Modules configuration<a class="headerlink" href="#modules-configuration" title="Permanent link">¶</a></h3>
<p>Confirm that the required modules (<code>xen-pcifront</code>, <code>raid1</code> and the LVM modules <code>dm-mod</code> and <code>dm-snapshot</code>) are listed in <code>/etc/modules</code>; if not, add them.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> vi /etc/modules
<span class="go">xen-pcifront</span>
<span class="go">dm-mod</span>
<span class="go">dm-snapshot</span>
<span class="go">raid1</span>
</pre></div>
<h3 id="mdadm-config">MDADM config<a class="headerlink" href="#mdadm-config" title="Permanent link">¶</a></h3>
<p>Save the RAID configuration to enable MDADM to load the proper configuration at boot time.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> mdadm --detail --scan >> /etc/mdadm.conf
</pre></div>
<h3 id="store-filesystem">Store filesystem<a class="headerlink" href="#store-filesystem" title="Permanent link">¶</a></h3>
<p>Time to install domU (<code>zfshost</code>) to the filesystem on <code>/mnt</code> (which points to <code>lv_root</code>)</p>
<p>We will use the <code>-m</code> (write system to disk), <code>-r</code> (RAID), and <code>-L</code> (LVM) parameters</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> setup-disk -m sys -r -L /mnt
<span class="go">Installing system on /dev/vg_zfshost/lv_root:</span>
<span class="go">/mnt/boot is device /dev/xvda1</span>
<span class="go">100% ############################################</span>
<span class="go">==> initramfs: creating /boot/initramfs-lts</span>
<span class="go">/boot is device /dev/xvda1</span>
<span class="go">You might need fix the MBR to be able to boot</span>
</pre></div>
<h3 id="update-grub">Update GRUB<a class="headerlink" href="#update-grub" title="Permanent link">¶</a></h3>
<p>We need to create a GRUB boot stanza</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> mkdir /mnt/boot/grub
<span class="gp">#</span> cat > /mnt/boot/grub/grub.cfg
<span class="go">set timeout=2</span>
<span class="go">set default=0</span>
<span class="go">menuentry "alpine" {</span>
<span class="go"> linux /boot/vmlinuz-lts modules=ext4 console=hvc0 root=/dev/vg_zfshost/lv_root</span>
<span class="go"> initrd /boot/initramfs-lts</span>
<span class="go">}</span>
<span class="go">CTRL-D</span>
</pre></div>
<h3 id="fix-initfs">Fix <code>initfs</code><a class="headerlink" href="#fix-initfs" title="Permanent link">¶</a></h3>
<p>We need to make sure that the disks are accessible during early boot, so the Xen PCI frontend, LVM and RAID support must be included in the initramfs.</p>
<p>1: Add the features <code>xenpci</code>, <code>lvm</code> and <code>raid</code> to <code>mkinitfs.conf</code> if they are not already there. In the example below they are simply appended to the default list.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> vi /mnt/etc/mkinitfs/mkinitfs.conf
<span class="go">features="ata base ide scsi usb virtio ext4 xenpci lvm raid"</span>
</pre></div>
<p>2: Re-generate the <code>initramfs</code>. Note that <code>uname -r</code> reports the kernel of the environment you are running the installer from; it must match the kernel version installed under <code>/mnt/lib/modules</code>, otherwise pass that version to <code>mkinitfs</code> explicitly.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt <span class="sb">`</span>uname -r<span class="sb">`</span>
</pre></div>
<h3 id="time-to-halt">Time to halt<a class="headerlink" href="#time-to-halt" title="Permanent link">¶</a></h3>
<p>Time to halt this newly installed system, and go back to dom0 for some changes.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> halt
</pre></div>
<h2 id="back-to-dom0">Back to dom0<a class="headerlink" href="#back-to-dom0" title="Permanent link">¶</a></h2>
<h3 id="fix-dom0s-domu-config-file">Fix dom0's domU config file<a class="headerlink" href="#fix-dom0s-domu-config-file" title="Permanent link">¶</a></h3>
<p>First we need to add the "kernel" for the domU, <code>grub-x86_64-xen.bin</code>. It is not really a kernel but a GRUB build that Xen can load in place of one; it then reads the <code>grub.cfg</code> we created inside the domU and boots the real kernel from there.</p>
<div class="codehilite"><pre><span></span><span class="go">dom0 # apk add grub-xenhost</span>
</pre></div>
<p>Then we need to update the domU configuration file to use the newly added kernel and to remove the <code>cdrom</code>. The device in the <code>pci</code> line is passed through to the domU, so it must already be assignable in dom0 (bound to <code>xen-pciback</code>; <code>xl pci-assignable-list</code> shows what is), and the host needs a working IOMMU (VT-d or AMD-Vi) so the passed-through controller cannot DMA into dom0 or other guests.</p>
<div class="codehilite"><pre><span></span><span class="go">dom0 # cat > /etc/xen/zfshost.cfg</span>
<span class="gp">#</span><span class="c1">###</span>
<span class="gp">#</span><span class="c1">### zfshost domU</span>
<span class="gp">#</span><span class="c1">###</span>
<span class="go">vcpus = '1'</span>
<span class="go">memory = '8096'</span>
<span class="go">maxmem = '8096'</span>
<span class="go">kernel = "/usr/lib/grub-xen/grub-x86_64-xen.bin"</span>
<span class="go">disk = [</span>
<span class="go"> 'phy:/dev/vg_domU/zfshost-boot,xvda1,w',</span>
<span class="go"> ]</span>
<span class="go">name = 'zfshost'</span>
<span class="gp">#</span><span class="c1"># ENSURE THE MAC ADDRESS IS UNIQUE!!!</span>
<span class="go">vif = [ 'mac=<Unique MAC Address>,bridge=br0' ]</span>
<span class="go">on_poweroff = 'destroy'</span>
<span class="go">on_reboot = 'restart'</span>
<span class="go">on_crash = 'restart'</span>
<span class="go">pci = [ '00:1f.2' ]</span>
<span class="go">CTRL-D</span>
<span class="go">dom0 #</span>
</pre></div>
<p>And lastly we need to make these changes restart safe</p>
<div class="codehilite"><pre><span></span><span class="go">dom0 # lbu commit</span>
</pre></div>
<h3 id="start-domu_1">Start domU<a class="headerlink" href="#start-domu_1" title="Permanent link">¶</a></h3>
<p>Finally time to start the newly created domU, and see if it all works.</p>
<div class="codehilite"><pre><span></span><span class="go">dom0 # xl create /etc/xen/zfshost.cfg -c</span>
</pre></div>
<h3 id="add-udev">Add <code>udev</code><a class="headerlink" href="#add-udev" title="Permanent link">¶</a></h3>
<p>Add <code>udev</code>, so that stable device names (<code>/dev/disk/by-id</code>, <code>by-uuid</code> and so on) are created.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> apk add eudev zfs-udev
<span class="gp">#</span> setup-udev
</pre></div>
<h3 id="add-normal-user">Add normal user<a class="headerlink" href="#add-normal-user" title="Permanent link">¶</a></h3>
<p>As usual, the root account should not be used for day-to-day operations, so we create a normal user.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> adduser <username>
</pre></div>
<h3 id="add-sudo">Add sudo<a class="headerlink" href="#add-sudo" title="Permanent link">¶</a></h3>
<p>For security reasons, and as good practice, install <code>sudo</code> and allow the user just created to use it. Run <code>visudo</code> and remove the comment marker from the line <code>#%wheel ALL=(ALL) ALL</code>, then add the user to the <code>wheel</code> group.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> apk add sudo
<span class="gp">#</span> visudo
<span class="gp">#</span> adduser <username> wheel
</pre></div>
<h3 id="set-minimum-free-memory">Set minimum free memory<a class="headerlink" href="#set-minimum-free-memory" title="Permanent link">¶</a></h3>
<p>To avoid running out of memory during large data transfers, raise <code>vm.min_free_kbytes</code> so the kernel always keeps a reserve of free pages that the ZFS ARC cannot consume.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> vi /etc/sysctl.d/local.conf
<span class="go"># Make sure ZFS does not take all memory when stressed</span>
<span class="go">vm.min_free_kbytes = 128000</span>
</pre></div>
<h3 id="reboot-to-confirm-udev">Reboot to confirm <code>udev</code><a class="headerlink" href="#reboot-to-confirm-udev" title="Permanent link">¶</a></h3>
<p>Time to reboot again, to verify <code>udev</code> is working</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> reboot
</pre></div>
<p>This might take a while (a few minutes), so be patient. You can check the progress from dom0 with the following command:</p>
<div class="codehilite"><pre><span></span>dom0 # xl list
</pre></div>
<p>and log back in again</p>
<div class="codehilite"><pre><span></span><span class="go">dom0 # xl console zfshost</span>
</pre></div>
<p>or (the command below should attach to the default session)</p>
<div class="codehilite"><pre><span></span><span class="go">dom0 # tmux attach-session</span>
</pre></div>
<p>Verify that your <code>/dev/disk</code> directory is populated</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> ls -l /dev/disk
<span class="go">total 0</span>
<span class="go">drwxr-xr-x 2 root root 400 Jan 6 22:55 by-id</span>
<span class="go">drwxr-xr-x 2 root root 80 Jan 7 22:52 by-partuuid</span>
<span class="go">drwxr-xr-x 2 root root 60 Jan 6 22:55 by-uuid</span>
<span class="gp">#</span>
</pre></div>
<h3 id="time-to-set-started-flag">Time to set started flag<a class="headerlink" href="#time-to-set-started-flag" title="Permanent link">¶</a></h3>
<p>Now we create a "started" flag in the Xen Store (<code>xenstore</code>). dom0 checks for this flag when deciding whether it is time to start the other domUs, since <code>zfshost</code> has to be up first. A domU can only write below its own <code>/local/domain/&lt;domid&gt;</code> subtree, which is why the flag lives under <code>data/</code> there.</p>
<p>The xenstore client tools come with the <code>xen</code> package, so install it first</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> apk add xen
</pre></div>
<p>Then we add the script</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> cat > /etc/init.d/zfs-ok-informdom0
<span class="go">#!/sbin/openrc-run</span>
<span class="go">description="Add a flag (1) to xenstore which can be read by dom0 to determine if zfshost is running or not"</span>
<span class="go">depend()</span>
<span class="go">{</span>
<span class="go"> after syslog xendriverdomain</span>
<span class="go"> before zfs-share</span>
<span class="go">}</span>
<span class="go">start()</span>
<span class="go">{</span>
<span class="go"> ebegin "Inform dom0"</span>
<span class="go"> xenstore-write /local/domain/`xenstore-read domid`/data/storage-online 1</span>
<span class="go"> eend $? "Failed to inform dom0"</span>
<span class="go">}</span>
<span class="go">CTRL-D</span>
<span class="gp">#</span> chmod a+x /etc/init.d/zfs-ok-informdom0
<span class="gp">#</span> rc-update add zfs-ok-informdom0
</pre></div>
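<p>The dom0 side of this handshake, polling the key until it appears, is easy to get wrong: the patched <code>xendomains</code> script further down waits without any limit. The following is an added example of a bounded wait, not code from this page or from the Xen project. It assumes the <code>xl</code>, <code>xenstore-exists</code> and <code>xenstore-read</code> tools from the <code>xen</code> package are on <code>PATH</code>; the domain name <code>zfshost</code> and the key <code>data/storage-online</code> are the ones used above.</p>

```shell
#!/bin/sh
# Added example (not from the original page): how dom0 can wait for the
# zfshost readiness flag with a timeout instead of forever.
# Assumes the xen package's tools (xl, xenstore-exists, xenstore-read) are on
# PATH; "zfshost" and data/storage-online are the names used on this page.

# Return 0 if /local/domain/DOMID/data/storage-online exists and holds "1".
# xenstore-exists reports only through its exit status and prints nothing,
# so it must be called directly; wrapping it in $(...) throws the result away.
xs_key_is_one() {
    xenstore-exists "$1" && [ "$(xenstore-read "$1")" = "1" ]
}

# wait_storage_online NAME [TIMEOUT] [INTERVAL]
# Poll every INTERVAL seconds until the domain called NAME has written its
# flag; give up (return 1) after TIMEOUT seconds so a broken storage domain
# cannot block the dom0 boot indefinitely.
wait_storage_online() {
    domname=$1; timeout=${2:-120}; interval=${3:-2}
    waited=0
    while [ "$waited" -lt "$timeout" ]; do
        # The domid only exists once xl create has finished; look it up on
        # every pass instead of assuming a fixed sleep is long enough.
        domid=$(xl domid "$domname" 2>/dev/null) || domid=
        if [ -n "$domid" ] && xs_key_is_one "/local/domain/$domid/data/storage-online"; then
            return 0
        fi
        sleep "$interval"
        waited=$((waited + interval))
    done
    return 1
}

# Typical use from an OpenRC start(): fail loudly instead of hanging.
#   if wait_storage_online zfshost 180 2; then
#       einfo "storage domain online"
#   else
#       eend 1 "storage domain did not come online in time"
#   fi
```

<p>The value is read back as well as tested for existence, so a stale or half-written key does not count as "online"; and because the domid is looked up on every pass, the fixed <code>sleep 5</code> that the patch relies on is not needed.</p>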
<h3 id="fix-autostart-of-domu">Fix autostart of domU<a class="headerlink" href="#fix-autostart-of-domu" title="Permanent link">¶</a></h3>
<p>Time to fix so that this domU is automatically started on reboot.</p>
<p>Lets stop domU!</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> halt
<span class="go">.</span>
<span class="go">.</span>
<span class="go">.</span>
<span class="go">dom0 # xl list</span>
</pre></div>
<p>Repeat the <code>xl list</code> command above until the domU has gone from the list. It might take a while (a few minutes) before the domU is gone.</p>
<p>And on the dom0 we create the auto start link, remember, do not forget to enter the <code>lbu commit</code> command.</p>
<div class="codehilite"><pre><span></span><span class="go">dom0 # ln -s /etc/xen/zfshost.cfg /etc/xen/auto</span>
<span class="go">dom0 # rc-update add xendomains</span>
<span class="go">dom0 # lbu commit</span>
</pre></div>
<p>Do not stop all domains in parallel. The other domUs get their disks from <code>zfshost</code>, so it is safer to stop them one by one, in order; disable the parallel shutdown option.</p>
<div class="codehilite"><pre><span></span><span class="go">dom0 # vi /etc/conf.d/xendomains</span>
<span class="go">PARALLEL_SHUTDOWN=no</span>
<span class="gp">#</span>
</pre></div>
<p>Now we need to patch how the domains are started and stopped, since the storage domain has to be started before all other domains and stopped only after all the others have stopped.</p>
<p>First, we need to add (if they are missing) the two patched <code>xendomains</code> files to the <code>lbu</code> management. The files to be patched are:</p>
<ul>
<li><code>/etc/init.d/xendomains</code></li>
<li><code>/etc/conf.d/xendomains</code></li>
</ul>
<p>If these two files are not visible in the <code>lbu ls</code> command, then please add them with the <code>lbu add</code> command.</p>
<div class="codehilite"><pre><span></span><span class="go">dom0 # lbu ls | grep xendomains</span>
<span class="go">dom0 # lbu add /etc/init.d/xendomains</span>
<span class="go">dom0 # lbu add /etc/conf.d/xendomains</span>
<span class="go">dom0 # lbu commit</span>
</pre></div>
<h4 id="edit-the-etcconfdxendomains-file">Edit the <code>/etc/conf.d/xendomains</code> file<a class="headerlink" href="#edit-the-etcconfdxendomains-file" title="Permanent link">¶</a></h4>
<p>Add the following lines to the end of <code>/etc/conf.d/xendomains</code></p>
<div class="codehilite"><pre><span></span>dom0 # cat >> /etc/conf.d/xendomains
# If using a storage domain its name should be supplied. The storage
# domain will be started first and no other domains will start before it
# is fully online.
XENDOMAINS_STORAGE_DOM_NAME="zfshost"
CTRL-D
</pre></div>
<h4 id="fix-the-etcinitdxendomains-file-to-handle-the-storage-domain-correctly">Fix the <code>/etc/init.d/xendomains</code> file to handle the storage domain correctly<a class="headerlink" href="#fix-the-etcinitdxendomains-file-to-handle-the-storage-domain-correctly" title="Permanent link">¶</a></h4>
<p>Please download and apply this patch <figure class="code">
<figcaption><span>xendomains-storage-domU.patch</span> <a href="/code/files/xendomains-storage-domU.patch">download</a></figcaption></figure></p>
<div class="codehilite"><pre><span></span><span class="gd">--- a/init.d/xendomains</span>
<span class="gi">+++ b/init.d/xendomains</span>
<span class="gu">@@ -120,6 +120,42 @@</span>
esac
}
<span class="gi">+start_storage() {</span>
<span class="gi">+ einfo "Starting Xen storage domain from ${AUTODIR:=/etc/xen/auto}"</span>
<span class="gi">+</span>
<span class="gi">+ # Create storage domain.</span>
<span class="gi">+ want_usleep=</span>
<span class="gi">+ for dom in $(ls "${AUTODIR:=/etc/xen/auto}/"${XENDOMAINS_STORAGE_DOM_NAME}.cfg 2>/dev/null | sort); do</span>
<span class="gi">+ name=$(get_domname ${dom})</span>
<span class="gi">+ if ! is_running ${name} ; then</span>
<span class="gi">+ if [ -n "$want_usleep" ]; then</span>
<span class="gi">+ usleep ${XENDOMAINS_CREATE_USLEEP:=5000000}</span>
<span class="gi">+ else</span>
<span class="gi">+ want_usleep=1</span>
<span class="gi">+ fi</span>
<span class="gi">+ ebegin " Starting domain ${name}"</span>
<span class="gi">+ $startdom "${name}" "${dom}"</span>
<span class="gi">+ eend $?</span>
<span class="gi">+ else</span>
<span class="gi">+ einfo " Not starting domain ${name} - already running"</span>
<span class="gi">+ fi</span>
<span class="gi">+ done</span>
<span class="gi">+ #</span>
<span class="gi">+ # Lets wait until storage domain is fully running</span>
<span class="gi">+ # zfshost domain stores a 1 in data/storage-online when it is fully up.</span>
<span class="gi">+ #</span>
<span class="gi">+ # Sleep 5 to ensure we get a domain id</span>
<span class="gi">+ sleep 5</span>
<span class="gi">+</span>
<span class="gi">+ stor_dom=$(xl domid $XENDOMAINS_STORAGE_DOM_NAME)</span>
<span class="gi">+ einfo "Waiting for storage domain to come online (forever)"</span>
<span class="gi">+ until $(xenstore-exists /local/domain/${stor_dom}/data/storage-online)</span>
<span class="gi">+ do</span>
<span class="gi">+ sleep 2</span>
<span class="gi">+ done</span>
<span class="gi">+ einfo "Done Xen Starting storage domain from ${AUTODIR:=/etc/xen/auto}"</span>
<span class="gi">+}</span>
<span class="gi">+</span>
start() {
set_dom_cmd
checkpath --directory --mode 755 /var/run/xen
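Review bot: the wait loop's `until $(xenstore-exists /local/domain/${stor_dom}/data/storage-online)` only works by accident: xenstore-exists prints nothing and reports through its exit status, so the substitution expands to an empty command whose status happens to be that of the substitution; write `until xenstore-exists /local/domain/${stor_dom}/data/storage-online; do` instead. The preceding `stor_dom=$(xl domid $XENDOMAINS_STORAGE_DOM_NAME)` is also unchecked: if the create failed, or the fixed `sleep 5` was too short, stor_dom is empty and the loop polls /local/domain//data/storage-online forever, blocking every other domain. Check the xl domid result and bound the wait (count iterations, then eend 1 with a message) rather than advertising that it waits forever.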
<span class="gu">@@ -127,6 +163,10 @@</span>
einfo "Starting Xen domains from ${AUTODIR:=/etc/xen/auto}"
$initconsole
<span class="gi">+ # If Storage Domain is definied, start this domain first.</span>
<span class="gi">+ if [ -n "$XENDOMAINS_STORAGE_DOM_NAME" ]; then</span>
<span class="gi">+ start_storage</span>
<span class="gi">+ fi</span>
# Create all domains with config files in AUTODIR.
want_usleep=
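Review bot: the guard only tests that XENDOMAINS_STORAGE_DOM_NAME is non-empty. If it is set but no matching ${XENDOMAINS_STORAGE_DOM_NAME}.cfg exists in AUTODIR (a typo, or the symlink into /etc/xen/auto forgotten), start_storage starts nothing and then waits on a domain that will never appear, so xendomains never gets past this point. Add `[ -f "${AUTODIR:=/etc/xen/auto}/${XENDOMAINS_STORAGE_DOM_NAME}.cfg" ]` to the condition and ewarn when it fails, so the remaining domains still start.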
<span class="gu">@@ -157,11 +197,13 @@</span>
if yesno "$PARALLEL_SHUTDOWN"; then
for dom in $DOMAINS ; do
name=$(get_domname ${dom})
<span class="gd">- if is_running ${name} ; then</span>
<span class="gd">- ebegin " Asking domain ${name} to shutdown in the background..."</span>
<span class="gd">- xl shutdown -w ${name} >/dev/null &</span>
<span class="gd">- else</span>
<span class="gd">- einfo " Not stopping domain ${name} - not running"</span>
<span class="gi">+ if [ "n${name}" != "n${XENDOMAINS_STORAGE_DOM_NAME}" ]; then</span>
<span class="gi">+ if is_running ${name} ; then</span>
<span class="gi">+ ebegin " Asking domain ${name} to shutdown in the background..."</span>
<span class="gi">+ xl shutdown -w ${name} >/dev/null &</span>
<span class="gi">+ else</span>
<span class="gi">+ einfo " Not stopping domain ${name} - not running"</span>
<span class="gi">+ fi</span>
fi
done
einfo " Waiting for shutdown of domains that are still running"
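Review bot: excluding the storage domain from the backgrounded shutdowns is right, but the "Waiting for shutdown of domains that are still running" stage that follows this hunk is unchanged; if it waits on all running domains rather than on the backgrounded `xl shutdown -w` jobs, it will now also wait on the storage domain, which has deliberately not been asked to stop, and the dom0 shutdown hangs. Please confirm that stage only waits for the jobs started here. Style: with both sides double-quoted, the `n` prefix in `[ "n${name}" != "n${XENDOMAINS_STORAGE_DOM_NAME}" ]` is unnecessary.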
<span class="gu">@@ -170,14 +212,27 @@</span>
else
for dom in $DOMAINS ; do
name=$(get_domname ${dom})
<span class="gd">- if is_running ${name} ; then</span>
<span class="gd">- ebegin " Waiting for domain ${name} to shutdown"</span>
<span class="gd">- xl shutdown -w ${name} >/dev/null</span>
<span class="gd">- eend $?</span>
<span class="gd">- else</span>
<span class="gd">- einfo " Not stopping domain ${name} - not running"</span>
<span class="gi">+ if [ "n${name}" != "n${XENDOMAINS_STORAGE_DOM_NAME}" ]; then</span>
<span class="gi">+ if is_running ${name} ; then</span>
<span class="gi">+ ebegin " Waiting for domain ${name} to shutdown"</span>
<span class="gi">+ xl shutdown -w ${name} >/dev/null</span>
<span class="gi">+ eend $?</span>
<span class="gi">+ else</span>
<span class="gi">+ einfo " Not stopping domain ${name} - not running"</span>
<span class="gi">+ fi</span>
fi
done
<span class="gi">+ fi</span>
<span class="gi">+</span>
<span class="gi">+ # If Storage Domain is definied, stop this domain last.</span>
<span class="gi">+ if [ -n "$XENDOMAINS_STORAGE_DOM_NAME" ]; then</span>
<span class="gi">+ if is_running ${XENDOMAINS_STORAGE_DOM_NAME} ; then</span>
<span class="gi">+ ebegin " Waiting for storage domain ${XENDOMAINS_STORAGE_DOM_NAME} to shutdown"</span>
<span class="gi">+ xl shutdown -w ${XENDOMAINS_STORAGE_DOM_NAME} >/dev/null</span>
<span class="gi">+ eend $?</span>
<span class="gi">+ else</span>
<span class="gi">+ einfo " Not stopping storage domain ${XENDOMAINS_STORAGE_DOM_NAME} - not running"</span>
<span class="gi">+ fi</span>
fi
$closeconsole
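Review bot: the final storage-domain stop is an unbounded `xl shutdown -w`, and it runs after every other domain has been asked to stop; if zfshost hangs on the way down (for example because a guest that failed to shut down still holds one of its exported block devices open), dom0 never finishes shutting down. Since this is the last step before $closeconsole, consider a bounded wait followed by `xl destroy` as a last resort, and report which case happened via eend. Also worth a comment next to the added `+ fi`: it closes the `if yesno "$PARALLEL_SHUTDOWN"` block so the storage stop applies to both branches, which is easy to misread at this indentation.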
</pre></div>
<p>Apply it in the dom0</p>
<div class="codehilite"><pre><span></span><span class="go">dom0# cd /etc</span>
<span class="go">dom0# patch -p1 < .../xendomains-storage-domU.patch</span>
</pre></div>
<h4 id="store-the-lbu-state-and-reboot-to-verify">Store the LBU state and reboot to verify<a class="headerlink" href="#store-the-lbu-state-and-reboot-to-verify" title="Permanent link">¶</a></h4>
<p>And finally, execute the <code>lbu commit</code> command to make this reboot safe, and then <code>reboot</code> to verify that all is working as intended.</p>
<div class="codehilite"><pre><span></span><span class="go">dom0 # lbu commit</span>
<span class="go">dom0 # reboot</span>
</pre></div>
<p>Then, after dom0 is up and running again, check that the <code>zfshost</code> domain is up and running.</p>
<div class="codehilite"><pre><span></span><span class="go">dom0 # xl list</span>
<span class="go">Name ID Mem VCPUs State Time(s)</span>
<span class="go">Domain-0 0 1024 2 r----- 17.3</span>
<span class="go">zfshost 1 8096 1 -b---- 10.6</span>
</pre></div>
<h2 id="zfs">ZFS<a class="headerlink" href="#zfs" title="Permanent link">¶</a></h2>
<p>Time to change this plain Alpine domU to a proper ZFS file server.</p>
<p>Start the console for this <code>zfshost</code>.</p>
<div class="codehilite"><pre><span></span><span class="go">dom0 # xl console zfshost</span>
</pre></div>
<p>Or use the <code>tmux attach-session</code>command.</p>
<h3 id="add-packages">Add packages<a class="headerlink" href="#add-packages" title="Permanent link">¶</a></h3>
<p>Add the ZFS packages to the domU and load the module to confirm it matches the running kernel (the boot-time services are enabled further down).</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> apk add parted
<span class="gp">#</span> apk add zfs zfs-<span class="k">$(</span>uname -r <span class="p">|</span> rev <span class="p">|</span> cut -d<span class="s1">'-'</span> -f1 <span class="p">|</span> rev<span class="k">)</span>
<span class="go">...</span>
<span class="gp">#</span> modprobe zfs
<span class="gp">#</span> lsmod <span class="p">|</span> grep zfs
<span class="go">zfs 3760128 0</span>
<span class="go">zunicode 335872 1 zfs</span>
<span class="go">zlua 176128 1 zfs</span>
<span class="go">zcommon 90112 1 zfs</span>
<span class="go">znvpair 94208 2 zfs,zcommon</span>
<span class="go">zavl 16384 1 zfs</span>
<span class="go">icp 311296 1 zfs</span>
<span class="go">spl 122880 5 zfs,icp,znvpair,zcommon,zavl</span>
</pre></div>
<p><strong>NOTE</strong>: If the kernel was upgraded by the <code>apk add ...</code> command, a reboot is necessary before running <code>modprobe zfs</code>, because the contents of <code>/lib/modules</code> no longer match the running kernel.</p>
<h3 id="option-a-create-a-pool-called-tank-and-add-a-mirrored-slog">Option A: Create a pool called <code>tank</code> and add a mirrored SLOG<a class="headerlink" href="#option-a-create-a-pool-called-tank-and-add-a-mirrored-slog" title="Permanent link">¶</a></h3>
<p><strong>NOTE</strong> If You are not using SLOG then go to next chapter.</p>
<p>Lets add the <code>tank</code> pool (the <code>tank</code> is the general pool for ZFS volumes).</p>
<p>Just a recap, we have the following disks and partitions to play with (extract from <code>dmesg</code>, and <code>fdisk -l</code>)</p>
<div class="codehilite"><pre><span></span><span class="go">dmesg | grep logical\ blocks</span>
<span class="go">...</span>
<span class="go">[ 5.242266] sd 0:0:0:0: [sda] 11721045168 512-byte logical blocks: (6.00 TB/5.46 TiB)</span>
<span class="go">[ 5.718972] sd 1:0:0:0: [sdb] 11721045168 512-byte logical blocks: (6.00 TB/5.46 TiB)</span>
<span class="go">...</span>
<span class="go">fdisk -l 2>/dev/null | grep "^/"</span>
<span class="go">...</span>
<span class="go">/dev/sdc2 1023,254,63 1023,254,63 58605120 78156224 19551105 9546M da Unknown</span>
<span class="go">/dev/sdd2 1023,254,63 1023,254,63 58605120 78156224 19551105 9546M da Unknown</span>
<span class="go">...</span>
</pre></div>
<p>OK, now we need to check what these disk devices are called in the <code>/dev/disk/by-id</code> directory.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> ls -l /dev/disk/by-id <span class="p">|</span> awk <span class="s1">'{print $(NF-2), $(NF-1), $NF}'</span>
<span class="go">total 0 total 0</span>
<span class="go">ata-SAMSUNG_MZ7KM120HAFD-00005_S2HPNX0HB00214 -> ../../sdd</span>
<span class="go">ata-SAMSUNG_MZ7KM120HAFD-00005_S2HPNX0HB00214-part1 -> ../../sdd1</span>
<span class="go">ata-SAMSUNG_MZ7KM120HAFD-00005_S2HPNX0HB00214-part2 -> ../../sdd2</span>
<span class="go">ata-SAMSUNG_MZ7KM120HAFD-00005_S2HPNX0HB00793 -> ../../sdc</span>
<span class="go">ata-SAMSUNG_MZ7KM120HAFD-00005_S2HPNX0HB00793-part1 -> ../../sdc1</span>
<span class="go">ata-SAMSUNG_MZ7KM120HAFD-00005_S2HPNX0HB00793-part2 -> ../../sdc2</span>
<span class="go">ata-WDC_WD60EFRX-68L0BN1_WD-WX11D28H9KVT -> ../../sda</span>
<span class="go">ata-WDC_WD60EFRX-68L0BN1_WD-WX11D28H9KVT-part1 -> ../../sda1</span>
<span class="go">ata-WDC_WD60EFRX-68L0BN1_WD-WX11D28H9KVT-part9 -> ../../sda9</span>
<span class="go">ata-WDC_WD60EFRX-68L0BN1_WD-WX21D48FDP8H -> ../../sdb</span>
<span class="go">ata-WDC_WD60EFRX-68L0BN1_WD-WX21D48FDP8H-part1 -> ../../sdb1</span>
<span class="go">ata-WDC_WD60EFRX-68L0BN1_WD-WX21D48FDP8H-part9 -> ../../sdb9</span>
<span class="go">wwn-0x50014ee265419796 -> ../../sda</span>
<span class="go">wwn-0x50014ee265419796-part1 -> ../../sda1</span>
<span class="go">wwn-0x50014ee265419796-part9 -> ../../sda9</span>
<span class="go">wwn-0x50014ee2bae31e07 -> ../../sdb</span>
<span class="go">wwn-0x50014ee2bae31e07-part1 -> ../../sdb1</span>
<span class="go">wwn-0x50014ee2bae31e07-part9 -> ../../sdb9</span>
<span class="go">wwn-0x5002538c4045ab3f -> ../../sdd</span>
<span class="go">wwn-0x5002538c4045ab3f-part1 -> ../../sdd1</span>
<span class="go">wwn-0x5002538c4045ab3f-part2 -> ../../sdd2</span>
<span class="go">wwn-0x5002538c4045aecc -> ../../sdc</span>
<span class="go">wwn-0x5002538c4045aecc-part1 -> ../../sdc1</span>
<span class="go">wwn-0x5002538c4045aecc-part2 -> ../../sdc2</span>
</pre></div>
<p>Using the <code>/dev/disk/by-id</code> names makes life much easier if you need to replace a disk or move disks between ports: the <code>sdX</code> names can change between boots, the by-id names do not.</p>
<p><strong>NOTE</strong>: The option <code>-o ashift=12</code> below is for disks with a physical sector size of 4096 bytes (2^12 = 4096), which is almost all modern disks. If your disks have a physical sector size of 512 bytes (2^9 = 512, older disks) then the argument to <code>ashift</code> should be <code>9</code> instead of <code>12</code>. Note that <code>ashift</code> is fixed when a vdev is created and cannot be changed afterwards. One way to check the physical sector size of your disks is with the following command:</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> parted --list <span class="m">2</span>>/dev/null <span class="p">|</span> egrep <span class="s2">"^Disk /|^Sector"</span>
<span class="go">...</span>
<span class="go">Disk /dev/sdc: 3001GB</span>
<span class="go">Sector size (logical/physical): 512B/4096B</span>
<span class="go">Disk /dev/sdd: 3001GB</span>
<span class="go">Sector size (logical/physical): 512B/4096B</span>
<span class="go">Disk /dev/sde: 3001GB</span>
<span class="go">Sector size (logical/physical): 512B/4096B</span>
<span class="go">...</span>
<span class="gp">#</span>
</pre></div>
<p>Here the 4096B (at the end of lines starting with <code>Sector</code>) shows that these disks have physical sector size of 4096 bytes. (If any line ends with <code>512B/512B</code> then the physical sector size are 512 bytes for those disks...)</p>
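<p>Reading the sector size off by eye is fine for two disks; for a larger or mixed set it is safer to let a script derive the value. The following is an added example, not code from this page: it parses the <code>parted --list</code> output format shown above and prints the <code>ashift</code> per disk, and the single value that is safe for all of them. It assumes <code>parted</code> is installed (the page adds it with <code>apk</code>); the sample output in the lead-in below is constructed for the test and does not come from the author's machine.</p>

```shell
#!/bin/sh
# Added example (not from the original page): derive the zpool ashift from
# the physical sector size that parted reports, instead of choosing 9 or 12
# by hand. Assumes the "Sector size (logical/physical): 512B/4096B" line
# format that parted --list prints, as shown on this page.

# ashift_for_sector_size BYTES: print log2(BYTES), e.g. 512 -> 9, 4096 -> 12.
# Returns 1 for anything that is not a positive power of two, so a parsing
# slip can never silently turn into a bad pool layout.
ashift_for_sector_size() {
    size=$1; bits=0
    [ "$size" -gt 0 ] 2>/dev/null || return 1
    while [ "$size" -gt 1 ]; do
        [ $((size % 2)) -eq 0 ] || return 1
        size=$((size / 2))
        bits=$((bits + 1))
    done
    echo "$bits"
}

# parted_ashifts: read "parted --list" output on stdin and print one
# "DISK ASHIFT" line per disk, using the physical (second) sector size.
# A size that is not a power of two is printed as "?".
parted_ashifts() {
    awk '/^Disk \//     { disk = $2; sub(":$", "", disk) }
         /^Sector size/ { split($NF, a, "/"); sub("B$", "", a[2]); print disk, a[2] }' |
    while read -r disk phys; do
        echo "$disk $(ashift_for_sector_size "$phys" || echo '?')"
    done
}

# pool_ashift: read the same parted output and print the one ashift that is
# safe for every listed disk, i.e. the largest. ashift=12 on a true 512B disk
# only wastes a little space, while ashift=9 on a 4096B disk forces a
# read-modify-write on every small write, and neither can be changed later.
# Returns 1 if any disk could not be classified.
pool_ashift() {
    parted_ashifts | awk '
        $2 !~ /^[0-9]+$/ { bad = 1; next }
        $2 > max         { max = $2 }
        END              { if (bad || NR == 0) exit 1; print max }'
}

# Usage on the real machine:
#   parted --list 2>/dev/null | parted_ashifts
#   zpool create -o ashift="$(parted --list 2>/dev/null | pool_ashift)" tank mirror ...
```

<p>The script refuses to print a value when any disk reports an odd sector size rather than guessing, which is the behaviour you want in front of a <code>zpool create</code> that cannot be undone without recreating the vdev.</p>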
<p>Now, let's create the <code>tank</code> pool, and it should be on the <code>sda</code> and the <code>sdb</code> disks. (Yes, the whole disk! ZFS is capable of handling this correctly.)</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> zpool create -o <span class="nv">ashift</span><span class="o">=</span><span class="m">12</span> tank mirror <span class="se">\</span>
ata-WDC_WD60EFRX-68L0BN1_WD-WX11D28H9KVT <span class="se">\</span>
ata-WDC_WD60EFRX-68L0BN1_WD-WX21D48FDP8H
</pre></div>
<p>and the SLOG goes on the partitions <code>sdc2</code> and <code>sdd2</code>, which should be on fast SSDs. The SLOG only speeds up synchronous writes (NFS, databases, <code>sync=always</code> datasets); asynchronous writes never touch it. It is mirrored because a lost log device with unflushed sync writes on it means lost data.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> zpool add tank log mirror <span class="se">\</span>
ata-SAMSUNG_MZ7KM120HAFD-00005_S2HPNX0HB00214-part2 <span class="se">\</span>
ata-SAMSUNG_MZ7KM120HAFD-00005_S2HPNX0HB00793-part2
</pre></div>
<h3 id="option-b-create-the-tank-pool-without-the-slog">Option B: Create the <code>tank</code> pool without the SLOG<a class="headerlink" href="#option-b-create-the-tank-pool-without-the-slog" title="Permanent link">¶</a></h3>
<p>Just do, for each wanted ZFS pool, as in the previous section, but do not do the last command (<code>zpool add tank log mirror ...</code>)</p>
<h3 id="zfs-cron-job">ZFS Cron job<a class="headerlink" href="#zfs-cron-job" title="Permanent link">¶</a></h3>
<p>Add a weekly <code>cron</code> job that scrubs the pool. A scrub reads every block, verifies its checksum and repairs damaged copies from the other side of the mirror, which is how silent bit rot gets caught before both copies go bad.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> cat > /etc/periodic/weekly/zfs_scrub
<span class="go">#!/bin/sh</span>
<span class="go">/usr/sbin/zpool scrub tank</span>
<span class="go">CTRL-D</span>
<span class="gp">#</span> chmod a+x /etc/periodic/weekly/zfs_scrub
</pre></div>
<h3 id="zfs-boot-services">ZFS boot services<a class="headerlink" href="#zfs-boot-services" title="Permanent link">¶</a></h3>
<p>We need to configure ZFS to automatically mount <code>tank</code> on boot.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> rc-update add zfs-import boot
<span class="gp">#</span> rc-update add zfs-mount
<span class="gp">#</span> rc-update add zfs-zed
<span class="gp">#</span> rc-update add zfs-share
</pre></div>
<h3 id="zfs-basic-config">ZFS Basic Config<a class="headerlink" href="#zfs-basic-config" title="Permanent link">¶</a></h3>
<p>Set the Tank pool to <code>autoexpand=on</code>, in case larger disks are added in future</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> zpool <span class="nb">set</span> <span class="nv">autoexpand</span><span class="o">=</span>on tank
</pre></div>
<p>Set default compression on top level (sub levels will inherit)</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> zfs <span class="nb">set</span> <span class="nv">compression</span><span class="o">=</span>lz4 tank
</pre></div>
<p>To see the status do the following</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> zpool get autoexpand
<span class="go">NAME PROPERTY VALUE SOURCE</span>
<span class="go">tank autoexpand on local</span>
<span class="gp">#</span> zfs get compression
<span class="go">NAME PROPERTY VALUE SOURCE</span>
<span class="go">tank compression lz4 local</span>
</pre></div>
<h3 id="zfs-xen-related">ZFS Xen Related<a class="headerlink" href="#zfs-xen-related" title="Permanent link">¶</a></h3>
<p>Create a top dir for Xen domU storage, for example we use the name <code>xen</code> here.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> zfs create tank/xen
</pre></div>
<p>We also need to be able to export <code>zfshost</code> zvols as disks for other domUs, i.e. run the Xen block backend in this domain rather than in dom0. That is what the <code>xendriverdomain</code> service provides (it runs <code>xl devd</code>, which handles the backend hotplug events here). Other domUs then name this domain as their block backend with the <code>backend=</code> key in their disk specification.
Start <code>xendriverdomain</code> manually now, and enable it at boot.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> service xendriverdomain start
<span class="gp">#</span> rc-update add xendriverdomain
</pre></div>
<h3 id="update-your-system">Update Your system<a class="headerlink" href="#update-your-system" title="Permanent link">¶</a></h3>
<p>Get Your system into sync with possible changes in the Alpine repository</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> apk update
<span class="go">fetch http://ftp.acc.umu.se/mirror/alpinelinux.org/v3.11/main/x86_64/APKINDEX.tar.gz</span>
<span class="go">v3.11.2-51-g7cf8ea7952 [http://ftp.acc.umu.se/mirror/alpinelinux.org/v3.11/main]</span>
<span class="go">OK: 5371 distinct packages available</span>
<span class="gp">#</span> apk upgrade
<span class="go">OK: 642 MiB in 204 packages</span>
<span class="gp">#</span>
</pre></div>
<h3 id="add-swap-to-the-zfshost">Add <code>swap</code> to the <code>zfshost</code><a class="headerlink" href="#add-swap-to-the-zfshost" title="Permanent link">¶</a></h3>
<p>There seem to be quite a few trouble reports about swap on a zvol with ZFS on Linux, so we had better avoid using a zvol for swap
for the time being. It seems stable on FreeBSD, but they recommend a much "simpler" setup than most ZFS on Linux
howtos for swap on a zvol.</p>
<p><strong>NOTE</strong>: For the <code>swap</code>, we need to make the block size match the VM's system page size, which you can find with the command <code>getconf PAGESIZE</code> (to be used with the <code>-b</code> option below). Then we need to disable automatic snapshots for the <code>swap</code> (<code>com.sun:auto-snapshot=false</code>).</p>
<p>The FreeBSD way</p>
<div class="codehilite"><pre><span></span><span class="go">zfs create -V 2G -o org.freebsd:swap=on -o checksum=off -o compression=off -o dedup=off -o sync=disabled -o primarycache=none <pool name>/swap</span>
</pre></div>
<p>For Linux and our case that would be</p>
<div class="codehilite"><pre><span></span><span class="go">zfs create -V 8G -b 4k -o com.sun:auto-snapshot=false -o checksum=off -o compression=off -o dedup=off -o sync=disabled -o primarycache=none <pool name>/zfshost-swap</span>
</pre></div>
<p>But using <code>checksum=off</code> takes away the only reason to put swap on ZFS in the first place: bit rot protection. So I would suggest to <strong>not</strong> turn off checksums.</p>
<p>In our case the <code>swap</code> zvol goes under the <code>tank/xen</code> dataset, i.e. the pool part of the name above becomes <code>tank/xen</code> and the zvol is <code>tank/xen/zfshost-swap</code>.</p>
<p>Then to complete the setup</p>
<div class="codehilite"><pre><span></span># mkswap -f /dev/zvol/tank/xen/zfshost-swap
Setting up swapspace version 1, size = 8 GiB (8589930496 bytes)
no label, UUID=e84d527d-5bbb-4075-a377-6c7258c24633
# echo "/dev/zvol/tank/xen/zfshost-swap none swap sw,discard 0 0" >> /etc/fstab
# swapon -a
# rc-update add swap boot
# cat /proc/swaps
Filename Type Size Used Priority
/dev/zd0 partition 8388604 0 -2
# cat /proc/meminfo
MemTotal: 8112416 kB
MemFree: 7962448 kB
...
SwapTotal: 8388604 kB
SwapFree: 8388604 kB
Dirty: 8 kB
...
#
</pre></div>
<p><strong>NOTE</strong> But for maximum stability under memory pressure it is probably much wiser to put the swap on an LVM LV.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> lvcreate -n zfshost-swap -L 8G vg_domU
</pre></div>
<p>and the rest like above but <code>/dev/vg_domU/zfshost-swap</code> instead of <code>/dev/zvol/tank/xen/zfshost-swap</code>.</p>
<h3 id="zfs-volumes-for-a-new-domu">ZFS volumes for a new domU<a class="headerlink" href="#zfs-volumes-for-a-new-domu" title="Permanent link">¶</a></h3>
<p>When we want to create a new domU we will need to do a bit of work on both <code>zfshost</code> and on the dom0</p>
<h4 id="on-the-zfshost">On the <code>zfshost</code><a class="headerlink" href="#on-the-zfshost" title="Permanent link">¶</a></h4>
<p>On <code>zfshost</code> we will need to create the relevant domU disks. (We are using the domU DNS, which will provide the DNS service, as an example of a domU.)</p>
<p><strong>NOTE</strong>: For the <code>swap</code>, we need to make the block size match the VM's system page size, which you can find with the command <code>getconf PAGESIZE</code> (to be used with the <code>-b</code> option below). Then we need to disable automatic snapshots for the <code>swap</code> (<code>com.sun:auto-snapshot=false</code>), and set the other attributes according to <a href="https://github.com/zfsonlinux/zfs/wiki/FAQ#using-a-zvol-for-a-swap-device">Using a zvol for a swap device</a>.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> getconf PAGESIZE
<span class="go">4096</span>
<span class="gp">#</span> zfs create -V 2G tank/xen/<domU-Service>-disk
<span class="gp">#</span> zfs create -V 512M -b 4k <span class="se">\</span>
-o <span class="nv">logbias</span><span class="o">=</span>throughput <span class="se">\</span>
-o <span class="nv">sync</span><span class="o">=</span>always <span class="se">\</span>
-o <span class="nv">primarycache</span><span class="o">=</span>metadata <span class="se">\</span>
-o com.sun:auto-snapshot<span class="o">=</span><span class="nb">false</span> <span class="se">\</span>
tank/xen/<domU-Service>-swap
</pre></div>
<p>With the DNS server as an example:</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> getconf PAGESIZE
<span class="go">4096</span>
<span class="gp">#</span> zfs create -V 2G tank/xen/dns-disk
<span class="gp">#</span> zfs create -V 512M -b 4k <span class="se">\</span>
-o <span class="nv">logbias</span><span class="o">=</span>throughput <span class="se">\</span>
-o <span class="nv">sync</span><span class="o">=</span>always <span class="se">\</span>
-o <span class="nv">primarycache</span><span class="o">=</span>metadata <span class="se">\</span>
-o com.sun:auto-snapshot<span class="o">=</span><span class="nb">false</span> <span class="se">\</span>
tank/xen/dns-swap
</pre></div>
<h4 id="on-the-dom0">On the dom0<a class="headerlink" href="#on-the-dom0" title="Permanent link">¶</a></h4>
<p>On the dom0 we need to use the <code>backend</code> parameter to indicate where the disks are located.</p>
<p>Apart from the <code>backend</code> parameter, the rest of the domU configuration file is the same as for a normal domU installation.</p>
<div class="codehilite"><pre><span></span><span class="go">domU # grep backend /etc/xen/dnshost.cfg</span>
<span class="go"> 'backend=zfshost,phy:/dev/zvol/tank/xen/<domU-Service>-disk,xvda1,w',</span>
<span class="go"> 'backend=zfshost,phy:/dev/zvol/tank/xen/<domU-Service>-swap,xvda2,w',</span>
</pre></div>
<p>Or, with <code>dnshost</code> as an example</p>
<div class="codehilite"><pre><span></span><span class="go">domU # grep backend /etc/xen/dnshost.cfg</span>
<span class="go"> 'backend=zfshost,phy:/dev/zvol/tank/xen/dns-disk,xvda1,w',</span>
<span class="go"> 'backend=zfshost,phy:/dev/zvol/tank/xen/dns-swap,xvda2,w',</span>
</pre></div>
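<p>The two halves of this procedure (the zvols on <code>zfshost</code> and the matching <code>backend=</code> disk entries on the dom0) are derived from the same service name and page size, so it is easy to let them drift apart. The following Python script is an added example, not part of the original howto: it generates both from one input, and refuses names that would not survive being pasted into a dataset path or a comma separated <code>xl</code> disk spec. The <code>tank/xen</code> layout, the swap zvol properties and the <code>zfshost</code> backend name are the howto's; the allowed name alphabet and the <code>-b 4096</code> spelling (equivalent to <code>-b 4k</code>) are assumptions of the example.</p>

```python
import re
import shlex
import subprocess

# Added example (not from the original howto): derive the zfshost commands and the
# matching dom0 disk entries for a new domU from a single service name, so the
# two sides cannot drift apart. Layout follows the howto: tank/xen/<name>-disk
# and tank/xen/<name>-swap, exported as phy: devices by the "zfshost" driver domain.

ZFS_PARENT = "tank/xen"      # top-level dataset created in the howto
BACKEND = "zfshost"          # name of the ZFS driver domain
# The name ends up in a dataset path and in a comma separated xl disk spec, so
# keep it to a conservative alphabet (this restriction is ours, not zfs' or xl's).
NAME_RE = re.compile(r"^[a-z0-9][a-z0-9_-]{0,31}$")

# zvol properties for swap, as used in the howto.
SWAP_PROPS = ("logbias=throughput", "sync=always", "primarycache=metadata",
              "com.sun:auto-snapshot=false")


def validate_inputs(service, pagesize):
    """Return an error message, or None when the inputs are usable."""
    if not NAME_RE.match(service):
        return "invalid domU service name: %r" % (service,)
    if pagesize <= 0 or pagesize & (pagesize - 1):
        return "page size must be a power of two, got %r" % (pagesize,)
    return None


def plan_domu_storage(service, pagesize, disk_size="2G", swap_size="512M"):
    """Return (zfshost_commands, dom0_disk_entries) for a new domU.

    pagesize is the domU's page size in bytes (what `getconf PAGESIZE` prints
    inside the domU); the swap zvol's volblocksize (-b) must match it.
    """
    error = validate_inputs(service, pagesize)
    if error:
        raise ValueError(error)
    disk = "%s/%s-disk" % (ZFS_PARENT, service)
    swap = "%s/%s-swap" % (ZFS_PARENT, service)
    commands = [
        ["zfs", "create", "-V", disk_size, disk],
        ["zfs", "create", "-V", swap_size, "-b", str(pagesize)]
        + [arg for prop in SWAP_PROPS for arg in ("-o", prop)]
        + [swap],
    ]
    # Lines for the disk = [...] list in the dom0's /etc/xen/<name>.cfg.
    entries = [
        "'backend=%s,phy:/dev/zvol/%s,xvda1,w'," % (BACKEND, disk),
        "'backend=%s,phy:/dev/zvol/%s,xvda2,w'," % (BACKEND, swap),
    ]
    return commands, entries


def render(commands):
    """Shell-quoted one-liners, for review or for pasting on the zfshost."""
    return [" ".join(shlex.quote(arg) for arg in cmd) for cmd in commands]


def apply_plan(commands):
    """Run the zfs commands on the zfshost (needs root and the zfs tools)."""
    for cmd in commands:
        subprocess.run(cmd, check=True)


if __name__ == "__main__":
    cmds, cfg_lines = plan_domu_storage("dns", 4096)
    print("\n".join(render(cmds)))
    print("\n".join(cfg_lines))
```

Run it with the service name and the domU's page size; review the printed commands, then either paste them on <code>zfshost</code> or call <code>apply_plan()</code> there, and copy the printed entries into the dom0 configuration.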
<h3 id="useful-commands">Useful commands<a class="headerlink" href="#useful-commands" title="Permanent link">¶</a></h3>
<p>Below are some simple useful commands to check the zfs status</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> zpool status
<span class="gp">#</span> zpool <span class="nb">history</span>
<span class="gp">#</span> zpool events
<span class="gp">#</span> zpool list
<span class="gp">#</span> zfs list
</pre></div>
<p>NitroKey HSM in Alpine, 2020-10-22, henrik (tag:community.riocities.com,2020-10-22:/nitrokey_hsm_alpine.html)</p>
<h1 id="installation">Installation<a class="headerlink" href="#installation" title="Permanent link">¶</a></h1>
<p>Do this part as the <code>root</code> user</p>
<p>Install needed packages</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> apk add ccid opensc pcsc-lite-libs
</pre></div>
<p>Enable and start <code>pcscd</code></p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> rc-update add pcscd
<span class="gp">#</span> service pcscd start
</pre></div>
<p><strong>NOTE</strong> The <code>pcscd</code> service must be restarted after plugging the Nitrokey into the computer</p>
<h1 id="check-the-reader-and-smartcard">Check the reader and SmartCard<a class="headerlink" href="#check-the-reader-and-smartcard" title="Permanent link">¶</a></h1>
<p>The Nitrokey HSM contains a tamper resistant smart card mounted in a USB-attached smart card reader.</p>
<p>Do this section, and the following sections, as an <strong>unprivileged user</strong>!</p>
<p>You should now be able to find your NitroKey HSM</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> opensc-tool --list-readers
<span class="gp">#</span> Detected readers <span class="o">(</span>pcsc<span class="o">)</span>
<span class="go">Nr. Card Features Name</span>
<span class="go">0 Yes Nitrokey Nitrokey HSM (DENK0nnnnnnnnnn ) 00 00</span>
</pre></div>
<p>Make sure we can talk to the card by listing supported algorithms</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> opensc-tool --reader <span class="m">0</span> --list-algorithms
<span class="go">Algorithm: rsa</span>
<span class="go">Key length: 1024</span>
<span class="go">Flags: onboard key generation padding ( pss ) hashes ( )</span>
<span class="go">Algorithm: rsa</span>
<span class="go">Key length: 1536</span>
<span class="go">Flags: onboard key generation padding ( pss ) hashes ( )</span>
<span class="go">Algorithm: rsa</span>
<span class="go">Key length: 2048</span>
<span class="go">Flags: onboard key generation padding ( pss ) hashes ( )</span>
<span class="go">Algorithm: rsa</span>
<span class="go">Key length: 3072</span>
<span class="go">Flags: onboard key generation padding ( pss ) hashes ( )</span>
<span class="go">Algorithm: rsa</span>
<span class="go">Key length: 4096</span>
<span class="go">Flags: onboard key generation padding ( pss ) hashes ( )</span>
<span class="go">Algorithm: ec</span>
<span class="go">Key length: 192</span>
<span class="go">Flags: onboard key generation</span>
<span class="go">Algorithm: ec</span>
<span class="go">Key length: 224</span>
<span class="go">Flags: onboard key generation</span>
<span class="go">Algorithm: ec</span>
<span class="go">Key length: 256</span>
<span class="go">Flags: onboard key generation</span>
<span class="go">Algorithm: ec</span>
<span class="go">Key length: 320</span>
<span class="go">Flags: onboard key generation</span>
<span class="go">Algorithm: ec</span>
<span class="go">Key length: 384</span>
<span class="go">Flags: onboard key generation</span>
<span class="go">Algorithm: ec</span>
<span class="go">Key length: 512</span>
<span class="go">Flags: onboard key generation</span>
<span class="go">Algorithm: ec</span>
<span class="go">Key length: 521</span>
<span class="go">Flags: onboard key generation</span>
</pre></div>
<h1 id="initialize-the-smartcard">Initialize the SmartCard<a class="headerlink" href="#initialize-the-smartcard" title="Permanent link">¶</a></h1>
<p>When you initialize the card you choose a <code>so-pin</code> (Security Officer (SO) PIN) and a <code>pin</code> (but first turn off command history logging, so the PINs do not end up in your shell history)</p>
<p>Example (set <code>so-pin</code> and <code>pin</code> to your chosen values)</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> <span class="nb">set</span> +o <span class="nb">history</span>
<span class="gp">$</span> sc-hsm-tool --initialize --so-pin <<span class="m">16</span>-hexadecimal-digit-SO-PIN> --pin <<span class="m">6</span>-digit-PIN>
</pre></div>
<p>More info here <a href="https://github.com/OpenSC/OpenSC/wiki/SmartCardHSM#initialize-the-device">OpenSC initialize</a></p>
<h1 id="generate-first-key-pair">Generate first key-pair<a class="headerlink" href="#generate-first-key-pair" title="Permanent link">¶</a></h1>
<p>Use the <code>pin</code> chosen when the card was initialized</p>
<p>Example creating a <code>nistp521</code> / <code>secp521r1</code> curve key (will prompt for pin)</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> pkcs11-tool --module /usr/lib/opensc-pkcs11.so --login --keypairgen --key-type EC:nistp521 --label mykey
<span class="go">Using slot 0 with a present token (0x0)</span>
<span class="go">Logging in to "SmartCard-HSM (UserPIN)".</span>
<span class="go">Please enter User PIN: ******</span>
<span class="go">Key pair generated:</span>
<span class="go">Private Key Object; EC</span>
<span class="go"> label: mykey</span>
<span class="go">.....</span>
</pre></div>
<p><strong>NOTE</strong> The key with label <code>mykey</code> is used in all examples below, but for production, give the key a label that
indicates what the key is used for e.g. <code>ssh-ca</code> if the key is used for an SSH Certificate Authority.</p>
<p>Extract the public key and convert to a <code>pem</code> file with <code>openssl</code></p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> pkcs11-tool --module /usr/lib/opensc-pkcs11.so --label mykey --read-object --type pubkey --output-file /tmp/mykey-pub.spki
<span class="gp">$</span> openssl ec -inform DER -outform PEM -in /tmp/mykey-pub.spki -pubin > /tmp/mykey-pub.pem
</pre></div>
<p>Or use <code>pkcs15-tool</code></p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> pkcs15-tool --list-public-keys
<span class="go">Using reader with a card: Nitrokey Nitrokey HSM (DENK0nnnnnnnnnn ) 00 00</span>
<span class="go">Public EC Key [mykey]</span>
<span class="go"> Object Flags : [0x0]</span>
<span class="go"> Usage : [0x40], verify</span>
<span class="go"> Access Flags : [0x2], extract</span>
<span class="go"> FieldLength : 528</span>
<span class="go"> Key ref : 0 (0x0)</span>
<span class="go"> Native : no</span>
<span class="go"> ID : nnnannnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn</span>
<span class="go"> DirectValue : <present></span>
<span class="gp">$</span> pkcs15-tool --read-public-key nnnannnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn > /tmp/mykey-pub.pem
</pre></div>
<p>Check the public key <code>pem</code> file</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> openssl asn1parse -in /tmp/mykey-pub.pem -inform pem
<span class="go"> 0:d=0 hl=3 l= 155 cons: SEQUENCE</span>
<span class="go"> 3:d=1 hl=2 l= 16 cons: SEQUENCE</span>
<span class="go"> 5:d=2 hl=2 l= 7 prim: OBJECT :id-ecPublicKey</span>
<span class="go"> 14:d=2 hl=2 l= 5 prim: OBJECT :secp521r1</span>
<span class="go"> 21:d=1 hl=3 l= 134 prim: BIT STRING</span>
</pre></div>
<h1 id="sign-a-text-file-with-the-smartcard">Sign a text file with the SmartCard<a class="headerlink" href="#sign-a-text-file-with-the-smartcard" title="Permanent link">¶</a></h1>
<div class="codehilite"><pre><span></span><span class="gp">$</span> <span class="nb">cd</span> /tmp
<span class="gp">$</span> <span class="nb">echo</span> <span class="s2">"test test"</span> > textfile
<span class="gp">$</span> pkcs11-tool --module /usr/lib/opensc-pkcs11.so --label mykey --hash -m SHA384 --input-file textfile --output-file textfile.hash
<span class="go">Using slot 0 with a present token (0x0)</span>
<span class="go">Using digest algorithm SHA384</span>
<span class="gp">$</span> pkcs11-tool --module /usr/lib/opensc-pkcs11.so --label mykey --sign -m ECDSA --signature-format openssl --input-file textfile.hash --output-file textfile.sig
<span class="go">Using slot 0 with a present token (0x0)</span>
<span class="go">Logging in to "UserPIN (SmartCard-HSM)".</span>
<span class="go">Please enter User PIN: ******</span>
<span class="go">Using signature algorithm ECDSA</span>
</pre></div>
<p>Verify the signed hash signature with <code>openssl</code></p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> openssl dgst -sha384 -verify mykey-pub.pem -signature textfile.sig textfile
<span class="go">Verified OK</span>
</pre></div>
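<p>Before the extracted public key is trusted (for instance as an SSH CA key, below) it is worth checking mechanically that it is what the <code>asn1parse</code> output above shows: an <code>id-ecPublicKey</code> on <code>secp521r1</code> carrying an uncompressed point. The same DER reader can sanity check the <code>--signature-format openssl</code> signature (a DER SEQUENCE of the integers <code>r</code> and <code>s</code>) before it is handed to a verifier. The Python below is an added example written for this page, not tool output or code from OpenSC; it uses only the standard library, and the sample key and signature at the bottom are constructed placeholders, not a real key pair.</p>

```python
import base64
import re

# Added example, not from the original page: a stdlib-only DER reader used to
# (1) check that the exported public key really is an EC key on secp521r1 before
# it is trusted, and (2) sanity check the DER ("openssl" format) ECDSA signature
# written by pkcs11-tool. The sample key/signature at the bottom are constructed.

ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
SECP521R1 = "1.3.132.0.35"
UNCOMPRESSED_POINT_LEN = {SECP521R1: 1 + 2 * 66}   # 0x04 || X || Y
# Group order n of secp521r1 (NIST P-521), as published in SEC 2.
P521_ORDER = int("01FF" + "FFFF" * 15 + "FFFA"
                 "51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409", 16)


def _read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, contents, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits = number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER element runs past end of input")
    return tag, buf[pos:end], end


def _decode_oid(body):
    """Decode OBJECT IDENTIFIER contents to dotted form."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(key):
    """Accept PEM text (as written by openssl/pkcs15-tool) or raw DER bytes."""
    if isinstance(key, bytes) and key[:1] == b"\x30":
        return key
    text = key.decode("ascii") if isinstance(key, bytes) else key
    return base64.b64decode("".join(re.sub(r"-----[^-]+-----", "", text).split()))


def check_ec_spki(key, expected_curve=SECP521R1):
    """Parse a SubjectPublicKeyInfo and enforce algorithm, named curve and point shape."""
    der = pem_to_der(key)
    tag, spki, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("SPKI is not a single DER SEQUENCE")
    tag, algid, pos = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier missing")
    tag_a, oid, pos2 = _read_tlv(algid, 0)
    tag_c, params, _ = _read_tlv(algid, pos2)
    if tag_a != 0x06 or tag_c != 0x06:
        raise ValueError("expected algorithm OID followed by a named-curve OID")
    alg, curve = _decode_oid(oid), _decode_oid(params)
    tag, bits, _ = _read_tlv(spki, pos)
    if tag != 0x03 or not bits or bits[0] != 0:
        raise ValueError("subjectPublicKey is not a byte-aligned BIT STRING")
    point = bits[1:]
    if alg != ID_EC_PUBLIC_KEY:
        raise ValueError("not an EC public key: %s" % alg)
    if curve != expected_curve:
        raise ValueError("unexpected curve %s" % curve)
    if point[:1] != b"\x04" or len(point) != UNCOMPRESSED_POINT_LEN.get(curve, len(point)):
        raise ValueError("unexpected public point encoding")
    return {"algorithm": alg, "curve": curve, "point_bytes": len(point)}


def parse_ecdsa_signature(der, order=P521_ORDER):
    """Parse ECDSA-Sig-Value (SEQUENCE { r INTEGER, s INTEGER }); check 1 <= r, s < n."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("signature is not a single DER SEQUENCE")
    tag_r, r_bytes, pos = _read_tlv(seq, 0)
    tag_s, s_bytes, pos = _read_tlv(seq, pos)
    if tag_r != 0x02 or tag_s != 0x02 or pos != len(seq):
        raise ValueError("expected exactly two INTEGERs")
    r = int.from_bytes(r_bytes, "big", signed=True)
    s = int.from_bytes(s_bytes, "big", signed=True)
    if not (1 <= r < order and 1 <= s < order):
        raise ValueError("r or s out of range for the curve order")
    return r, s


# --- constructed sample data (NOT a real key or signature) --------------------
def _der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _der_int(value):
    return _der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


_FAKE_POINT = b"\x04" + bytes(range(1, 133))       # placeholder X || Y, 66 bytes each
SAMPLE_SPKI = _der(0x30, _der(0x30, _der(0x06, bytes.fromhex("2a8648ce3d0201"))
                              + _der(0x06, bytes.fromhex("2b81040023")))
                   + _der(0x03, b"\x00" + _FAKE_POINT))
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n" + base64.encodebytes(SAMPLE_SPKI).decode("ascii")
              + "-----END PUBLIC KEY-----\n")
SAMPLE_SIG = _der(0x30, _der_int(12345) + _der_int(67890))
BAD_SIG = _der(0x30, _der_int(0) + _der_int(67890))     # r == 0 must be rejected

if __name__ == "__main__":
    print(check_ec_spki(SAMPLE_PEM))
    print(parse_ecdsa_signature(SAMPLE_SIG))
```

On a real system feed <code>check_ec_spki()</code> the contents of <code>/tmp/mykey-pub.pem</code> (or the raw <code>.spki</code> DER) and <code>parse_ecdsa_signature()</code> the bytes of <code>textfile.sig</code>; the constructed SPKI has the same outer lengths (155, 16, 134) as the <code>asn1parse</code> output above. The range check on <code>r</code> and <code>s</code> does not verify the signature, it only rejects encodings that no honest signer produces; verification itself stays with <code>openssl dgst</code>.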
<h1 id="use-as-a-ssh-ca">Use as an SSH CA<a class="headerlink" href="#use-as-a-ssh-ca" title="Permanent link">¶</a></h1>
<p>More info on OpenSSH setup with a CA here: <a href="SSH_setup.html">OpenSSH setup</a></p>
<p>Extract the public key for the private key that will be used as your CA key</p>
<div class="codehilite"><pre><span></span>$ ssh-keygen -D /usr/lib/pkcs11/opensc-pkcs11.so <span class="p">|</span> fgrep <span class="s2">"mykey"</span> > /tmp/myCAkey.pub
</pre></div>
<p>Change the comment in the public key file to a name that better describes the public key:</p>
<div class="codehilite"><pre><span></span>$ sed -i <span class="s1">'s/mykey/ca_key-example.com/'</span> /tmp/myCAkey.pub
</pre></div>
<p>Issue a certificate for the public key of a server <code>sys1</code> stored in <code>/tmp/sys1_ecdsa_key.pub</code>. Let's
give the certificate a validity time of 90 days and limit it to the principal <code>sys1.example.com</code>.</p>
<div class="codehilite"><pre><span></span>$ ssh-keygen -s /tmp/myCAkey.pub -D /usr/lib/pkcs11/opensc-pkcs11.so -V +90d -I sys1 -n sys1.example.com -h /tmp/sys1_ecdsa_key.pub
Enter PIN <span class="k">for</span> <span class="s1">'SmartCard-HSM (UserPIN)'</span>:
Signed host key /tmp/sys1_ecdsa_key-cert.pub: id <span class="s2">"sys1"</span> serial <span class="m">0</span> <span class="k">for</span> sys1.example.com valid from <span class="m">2020</span>-10-20T21:39:00 to <span class="m">2021</span>-01-18T20:40:53
</pre></div>
<p>The certificate will be stored in <code>/tmp/sys1_ecdsa_key-cert.pub</code>; let's check it</p>
<div class="codehilite"><pre><span></span>$ ssh-keygen -L -f /tmp/sys1_ecdsa_key-cert.pub
sys1_ecdsa_key-cert.pub:
Type: ecdsa-sha2-nistp256-cert-v01@openssh.com host certificate
Public key: ECDSA-CERT SHA256:......
Signing CA: ECDSA SHA256:.... <span class="o">(</span>using ecdsa-sha2-nistp521<span class="o">)</span>
Key ID: <span class="s2">"sys1"</span>
Serial: <span class="m">0</span>
Valid: from <span class="m">2020</span>-10-20T21:39:00 to <span class="m">2021</span>-01-18T20:40:53
Principals:
sys1.example.com
Critical Options: <span class="o">(</span>none<span class="o">)</span>
Extensions: <span class="o">(</span>none<span class="o">)</span>
</pre></div>
<h1 id="epilogue">Epilogue<a class="headerlink" href="#epilogue" title="Permanent link">¶</a></h1>
<p>Turn command history logging back on, or simply exit the shell</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> <span class="nb">set</span> -o <span class="nb">history</span>
</pre></div>
<p>Or</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> <span class="nb">exit</span>
</pre></div>
<p>Alpine Linux RPi - upgrading, 2020-09-29, henrik (tag:community.riocities.com,2020-09-29:/alpine_rpi_upgrade.html)</p>
<h1 id="upgrade-guide-for-alpine-raspberry-pi-rpi-system">Upgrade guide for Alpine Raspberry PI (RPi) System<a class="headerlink" href="#upgrade-guide-for-alpine-raspberry-pi-rpi-system" title="Permanent link">¶</a></h1>
<p>This guide describes how to upgrade a diskless (booting from the microSD card) Alpine RPi between Alpine releases.</p>
<p>It expects your microSD card to be mounted on the <code>/media/mmcblk0p1</code> directory; if it is not mounted there on your system, adjust the instructions to match your case.</p>
<h1 id="preparations">Preparations<a class="headerlink" href="#preparations" title="Permanent link">¶</a></h1>
<p>Backup all data from the microSD card (<code>/media/mmcblk0p1</code> directory) so you have a fall-back.</p>
<p>Download the version of the <code>tar.gz</code> you are upgrading to, as well as the GPG signature file, to your workstation.</p>
<p>Example with the files for an upgrade to Alpine v3.11.</p>
<div class="codehilite"><pre><span></span><span class="go">workstation $ curl -O <URL>/alpine-rpi-3.11.6-armv7.tar.gz</span>
<span class="go">workstation $ curl -O <URL>/alpine-rpi-3.11.6-armv7.tar.gz.asc</span>
<span class="go">workstation $ gpg --verify alpine-rpi-3.11.6-armv7.tar.gz.asc</span>
</pre></div>
<p>Replace <code><URL></code> above with the path to the download server used; e.g. <code>http://nl.alpinelinux.org/alpine/v3.11/releases/armv7/</code>.</p>
<p>Copy <code>alpine-rpi-3.11.6-armv7.tar.gz</code> to your RPi (suggestion in <code>/tmp/</code>).</p>
<h1 id="perform-the-upgrade-of-the-running-system">Perform the upgrade of the running system.<a class="headerlink" href="#perform-the-upgrade-of-the-running-system" title="Permanent link">¶</a></h1>
<p>Check that <code>LBU_MEDIA</code>, in the file <code>/etc/lbu/lbu.conf</code>, points to the device used to store the persistent configuration. In my case it's <code>/media/mmcblk0p1</code>. If it's not <code>/media/mmcblk0p1</code> in your case, adjust the commands below to fit your case (e.g. <code>/media/mmcblk0p1</code> -> <code>/media/<your device></code>).</p>
<p>Edit file <code>/etc/apk/repositories</code> to point at the version you are upgrading to, then run the upgrade.</p>
<div class="codehilite"><pre><span></span><span class="go">rpi $ sudo -i</span>
<span class="go">rpi # apk update</span>
<span class="go">rpi # apk upgrade --update-cache --available</span>
</pre></div>
<p>Commit the changes to <code>/etc</code> with the <code>lbu</code> command.</p>
<div class="codehilite"><pre><span></span><span class="go">rpi # lbu commit</span>
</pre></div>
<h1 id="quick-upgrade-option-a">Quick upgrade (Option A)<a class="headerlink" href="#quick-upgrade-option-a" title="Permanent link">¶</a></h1>
<p>Only use this method if you have physical access to your RPi while running the upgrade. This method might fail
to boot (RPi stuck at a black screen) and you would then have to perform the upgrade using <code>Option B</code> instead.</p>
<p>Upgrade the boot media in <code>/media/mmcblk0p1</code></p>
<div class="codehilite"><pre><span></span><span class="go">rpi # . /etc/lbu/lbu.conf</span>
<span class="go">rpi # mount /media/$LBU_MEDIA -o remount,rw</span>
<span class="go">rpi # mkdir /media/$LBU_MEDIA/new</span>
<span class="go">rpi # cd /media/$LBU_MEDIA/new</span>
<span class="go">rpi # tar xfz <path to tar file>/alpine-rpi-3.11.6-armv7.tar.gz</span>
<span class="go">rpi # cd ..</span>
<span class="go">rpi # setup-bootable -u /media/$LBU_MEDIA/new /media/$LBU_MEDIA</span>
<span class="go">rpi # rm -rf /media/$LBU_MEDIA/new</span>
<span class="go">rpi # lbu commit</span>
<span class="go">rpi # cd /</span>
<span class="go">rpi # mount /media/$LBU_MEDIA -o remount,ro</span>
</pre></div>
<p>After this the RPi can be rebooted.</p>
<h1 id="safe-upgrade-option-b">Safe upgrade (Option B)<a class="headerlink" href="#safe-upgrade-option-b" title="Permanent link">¶</a></h1>
<p>This option uses the microSD memory card in the microSD card reader of the RPi.</p>
<p>This is a safer way of upgrading, and should be used when you are performing the upgrade remotely or if you are cross-upgrading from <code>armhf</code> to <code>armv7</code>.</p>
<p><strong>WARNING</strong> Before continuing you should make sure that the (login) shell of the RPi remote user is a shell that is present in the base Alpine installation, for example the default shell <code>/bin/ash</code>!</p>
<p>Save <code>/media/mmcblk0p1/<hostname>.apkovl.tar.gz</code> and <code>/media/mmcblk0p1/usercfg.txt</code> outside of <code>/media/mmcblk0p1/</code> (e.g. in <code>/tmp</code>).</p>
<p>Perform the upgrade.</p>
<div class="codehilite"><pre><span></span><span class="go">rpi # . /etc/lbu/lbu.conf</span>
<span class="go">rpi # mount /media/$LBU_MEDIA -o remount,rw</span>
<span class="go">rpi # cd /media/$LBU_MEDIA</span>
<span class="go">rpi # rm -rf * .alpine-release</span>
<span class="go">rpi # tar xfz <path to tar file>/alpine-rpi-3.11.6-armv7.tar.gz</span>
<span class="go">rpi # mkdir /media/$LBU_MEDIA/cache</span>
</pre></div>
<p>Copy back the saved <code><hostname>.apkovl.tar.gz</code> and <code>usercfg.txt</code> files to <code>/media/mmcblk0p1/</code>.</p>
<div class="codehilite"><pre><span></span><span class="go">rpi # cp /tmp/<hostname>.apkovl.tar.gz /media/$LBU_MEDIA/</span>
<span class="go">rpi # cp /tmp/usercfg.txt /media/$LBU_MEDIA/</span>
</pre></div>
<p>Prepare for reboot.</p>
<div class="codehilite"><pre><span></span><span class="go">rpi # sync</span>
<span class="go">rpi # reboot</span>
</pre></div>
<p>Now the RPi will boot with only the base packages (packages added in <code>/etc/apk/world</code> will not be present) so we need to update the <code>apk</code> cache and reboot
again in order to have all packages.</p>
<p>After reboot, login and synchronize the <code>apk</code> cache and do the upgrade to restore additional packages.</p>
<div class="codehilite"><pre><span></span><span class="go">rpi # apk update</span>
<span class="go">rpi # apk cache sync</span>
<span class="go">rpi # apk upgrade --update-cache --available</span>
<span class="go">rpi # lbu commit</span>
<span class="go">rpi # reboot</span>
</pre></div>
<p>If you are using an RTC module please follow this guide as well: <a href="alpine_rpi_rtc.html">Alpine Linux on a Raspberry Pi 3 B+ with a RTC module</a></p>
<p>Alpine Linux on a Raspberry Pi 3 B+ with a RTC module, published 2020-08-04, updated 2021-01-29, henrik (tag:community.riocities.com,2020-08-04:/alpine_rpi_rtc.html)</p>
<h1 id="prerequisites">Prerequisites<a class="headerlink" href="#prerequisites" title="Permanent link">¶</a></h1>
<ul>
<li>Alpine Linux v3.11 (or later) installed on a Raspberry Pi 3 B+</li>
<li>DS3231 Real Time Clock Module for Raspberry Pi</li>
</ul>
<h1 id="pre-setup">Pre-Setup<a class="headerlink" href="#pre-setup" title="Permanent link">¶</a></h1>
<p>Install the RTC module on GPIO pins 1, 3, 5, 7 & 9 on the Raspberry Pi 3 B+</p>
<p><img alt="DS3231 mounting" src="//community.riocities.com/images/ds3231-rtc-module-for-raspberry-pi.jpg"/></p>
<p>Create (or edit) <code>usercfg.txt</code> on the SD card partition and add</p>
<div class="codehilite"><pre><span></span><span class="na">dtoverlay</span><span class="o">=</span><span class="s">i2c-rtc,ds3231</span>
</pre></div>
<p>Boot into Alpine Linux and login</p>
<p>If you are running Alpine version v3.13 this is all you need to do;
if you are running an older version, continue below.</p>
<h1 id="setup">Setup<a class="headerlink" href="#setup" title="Permanent link">¶</a></h1>
<p>Install mkinitfs package</p>
<div class="codehilite"><pre><span></span># apk add mkinitfs
</pre></div>
<p>Add <code>rpirtc</code> to the <code>features</code> line in <code>/etc/mkinitfs/mkinitfs.conf</code></p>
<p>Example of the line afterwards:</p>
<div class="codehilite"><pre><span></span><span class="na">features</span><span class="o">=</span><span class="s">"ata base cdrom ext4 keymap kms mmc raid scsi usb virtio rpirtc"</span>
</pre></div>
<p>Rebuild initramfs in order to add the kernel modules needed for the ds3231 device.</p>
<div class="codehilite"><pre><span></span><span class="c1"># . /etc/lbu/lbu.conf</span>
<span class="c1"># ln -s /media/$LBU_MEDIA/boot /boot</span>
<span class="c1"># mount /media/$LBU_MEDIA -o remount,rw</span>
<span class="c1"># . /etc/mkinitfs/mkinitfs.conf</span>
<span class="c1"># mkinitfs -F "$features base squashfs"</span>
<span class="c1"># mount /media/$LBU_MEDIA -o remount,ro</span>
</pre></div>
<p>Enable the hwclock service</p>
<div class="codehilite"><pre><span></span><span class="c1"># rc-update del swclock boot</span>
<span class="c1"># rc-update add hwclock boot</span>
<span class="c1"># hwclock -w</span>
<span class="c1"># lbu commit</span>
</pre></div>
<p>Now you can <code>reboot</code> and the RTC hwclock should be used.</p>
<p>Alpine Linux XEN dom0 from a USB stick - upgrading, 2018-12-15, henrik (tag:community.riocities.com,2018-12-15:/alpine_dom0_upgrade.html)</p>
<h1 id="upgrade-guide-for-alpine-based-xen-dom0s">Upgrade guide for Alpine based XEN dom0s<a class="headerlink" href="#upgrade-guide-for-alpine-based-xen-dom0s" title="Permanent link">¶</a></h1>
<p>This guide describes how to upgrade a diskless (booting from USB stick) Alpine XEN dom0 between alpine releases.</p>
<p>It expects your USB stick to be mounted under <code>/media/usb</code>; if it is not mounted there on your system, adjust the instructions to match your case.</p>
<p><strong>Note</strong> The stick should be connected to your running dom0, do not unplug the stick.</p>
<h1 id="preparations">Preparations<a class="headerlink" href="#preparations" title="Permanent link">¶</a></h1>
<p>Backup all data under <code>/media/usb</code> so you have a fall-back.</p>
<p>Download the version of the xen iso you are upgrading to, as well as the gpg signature file, to your workstation.</p>
<p>Example with the files for an upgrade to Alpine v3.6</p>
<div class="codehilite"><pre><span></span><span class="go">workstation $ curl -O .../alpine-xen-3.6.2-x86_64.iso</span>
<span class="go">workstation $ curl -O .../alpine-xen-3.6.2-x86_64.iso.asc</span>
<span class="go">workstation $ gpg --verify alpine-xen-3.6.2-x86_64.iso.asc</span>
</pre></div>
<p>Replace <code>...</code> above with the path on the download server you use, e.g. <code>http://nl.alpinelinux.org/alpine/v3.6/releases/x86_64/</code></p>
<p>Turn off all running domUs now, as you will not be able to do that later: after the upgrade you will have an upgraded XEN user land that cannot communicate with the still running (old) hypervisor.</p>
<div class="codehilite"><pre><span></span><span class="go">dom0 $ sudo service xendomains stop</span>
</pre></div>
<p>Copy <code>alpine-xen-3.6.2-x86_64.iso</code> to a disk device accessible in the dom0. If you have followed the other XEN howtos on this site, you can use <code>/domU_installer</code>.</p>
<h1 id="perform-the-upgrade-of-the-running-system">Perform the upgrade of the running system.<a class="headerlink" href="#perform-the-upgrade-of-the-running-system" title="Permanent link">¶</a></h1>
<p>Check that <code>LBU_MEDIA</code> in <code>/etc/lbu/lbu.conf</code> points to the device used to store the persistent configuration. In my case it's <code>usb</code>. If it's not <code>usb</code> in your
case, adjust the commands below to fit your case (e.g. /media/usb -> /media/<your device>).</p>
<p>Edit <code>/etc/apk/repositories</code> to point at the version you are upgrading to, then run the upgrade.</p>
<div class="codehilite"><pre><span></span><span class="go">dom0 $ sudo -i</span>
<span class="go">dom0 # apk update</span>
<span class="go">dom0 # apk upgrade --update-cache --available</span>
</pre></div>
<p>Commit the changes to <code>/etc</code> with lbu</p>
<div class="codehilite"><pre><span></span><span class="go">dom0 # lbu commit</span>
</pre></div>
<p>Upgrade the boot media in <code>/media/usb</code></p>
<div class="codehilite"><pre><span></span><span class="go">dom0 # setup-bootable -u /domU_installer/alpine-xen-3.6.2-x86_64.iso /media/usb</span>
<span class="go">dom0 # umount /domU_installer</span>
<span class="go">dom0 # sync</span>
</pre></div>
<p>Now for the most important part to get right, editing <code>/media/usb/boot/syslinux/syslinux.cfg</code> to point at the new: </p>
<ul>
<li>linux kernel (e.g. <code>-grsec</code> -> <code>-hardened</code> -> <code>-vanilla</code>)</li>
<li>linux initramfs (e.g. <code>-grsec</code> -> <code>-hardened</code> -> <code>-vanilla</code>)</li>
<li>xen hypervisor (e.g. <code>-4.7.3.gz</code> -> <code>-4.8.1.gz</code>)</li>
</ul>
<p>All these files are located in <code>/media/usb/boot</code>; edit <code>syslinux.cfg</code> to match the filenames.</p>
<p>Example for Alpine v.3.5 (<a href="alpine_dom0.html">alpine_dom0</a>) before the change</p>
<div class="codehilite"><pre><span></span>TIMEOUT 20
PROMPT 1
DEFAULT grsec
LABEL grsec
MENU LABEL Xen/Linux grsec
KERNEL /boot/syslinux/mboot.c32
APPEND /boot/xen.gz dom0_mem=1024M --- /boot/vmlinuz-grsec modules=loop,squashfs,sd-mod,usb-storage quiet nomodeset --- /boot/initramfs-grsec
</pre></div>
<p>After the change, prepared to boot Alpine 3.6</p>
<div class="codehilite"><pre><span></span>TIMEOUT 20
PROMPT 1
DEFAULT hardened
LABEL hardened
MENU LABEL Xen/Linux hardened
KERNEL /boot/syslinux/mboot.c32
APPEND /boot/xen-4.8.1.gz dom0_mem=1536M --- /boot/vmlinuz-hardened modules=loop,squashfs,sd-mod,usb-storage quiet nomodeset --- /boot/initramfs-hardened
</pre></div>
<div class="codehilite"><pre><span></span><span class="go">dom0 # mount /media/usb -o remount,rw</span>
<span class="go">dom0 # vi /media/usb/boot/syslinux/syslinux.cfg</span>
<span class="go">dom0 # mount /media/usb -o remount,ro</span>
</pre></div>
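<p>Because the dom0 will not boot if a single filename in <code>syslinux.cfg</code> is wrong, it is worth checking the file mechanically before rebooting. The following shell script is an added example and not part of the original guide: it walks the <code>KERNEL</code> and <code>APPEND</code> lines of a <code>syslinux.cfg</code>, verifies that every <code>/boot/...</code> path they name exists on the boot media, and checks that the <code>DEFAULT</code> label has a matching <code>LABEL</code> entry (the classic slip when renaming <code>grsec</code> to <code>hardened</code>). The function <code>check_syslinux_cfg</code> and the fixture builder <code>make_fixture</code> are my own names; the fixture is a constructed copy of the Alpine 3.6 configuration shown above, written to a temporary directory so the script runs anywhere. On the real dom0 you would run <code>check_syslinux_cfg /media/usb</code> before <code>reboot -f</code>.</p>

```sh
#!/bin/sh
# Added example (not from the original guide): sanity-check a syslinux.cfg
# on the Xen dom0 boot media before rebooting into it.

# check_syslinux_cfg <boot media mount point> [config path relative to it]
# Prints one line per file referenced on KERNEL/APPEND lines and returns 0
# only if all of them exist and the DEFAULT label has a LABEL entry.
check_syslinux_cfg() {
    root=$1
    cfg=${2:-boot/syslinux/syslinux.cfg}
    if [ ! -r "$root/$cfg" ]; then
        echo "MISSING config $root/$cfg"
        return 2
    fi
    problems=0
    # Every whitespace-separated token on KERNEL/APPEND lines that starts
    # with "/" is a path relative to the boot media (xen*.gz, vmlinuz-*,
    # initramfs-*, mboot.c32); option tokens such as dom0_mem=... are skipped.
    for tok in $(grep -E '^[[:space:]]*(KERNEL|APPEND)[[:space:]]' "$root/$cfg" \
                 | tr -s '[:space:]' '\n' | grep '^/'); do
        if [ -e "$root$tok" ]; then
            echo "ok      $tok"
        else
            echo "MISSING $tok"
            problems=$((problems + 1))
        fi
    done
    # A DEFAULT that names no LABEL means syslinux will not find the entry
    # you intended to boot.
    default=$(sed -n 's/^[[:space:]]*DEFAULT[[:space:]]\{1,\}//p' "$root/$cfg" | head -n 1)
    if [ -n "$default" ] && ! grep -qE "^[[:space:]]*LABEL[[:space:]]+$default([[:space:]]|\$)" "$root/$cfg"; then
        echo "MISSING LABEL $default (referenced by DEFAULT)"
        problems=$((problems + 1))
    fi
    echo "$problems problem(s) in $root/$cfg"
    [ "$problems" -eq 0 ]
}

# make_fixture: constructed copy of the Alpine 3.6 boot layout from the
# guide, in a temporary directory; prints its path (demo/tests only).
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/boot/syslinux"
    for f in boot/syslinux/mboot.c32 boot/xen-4.8.1.gz boot/vmlinuz-hardened boot/initramfs-hardened; do
        : > "$fx/$f"   # empty stand-ins for the real files
    done
    cat > "$fx/boot/syslinux/syslinux.cfg" <<'EOF'
TIMEOUT 20
PROMPT 1
DEFAULT hardened
LABEL hardened
MENU LABEL Xen/Linux hardened
KERNEL /boot/syslinux/mboot.c32
APPEND /boot/xen-4.8.1.gz dom0_mem=1536M --- /boot/vmlinuz-hardened modules=loop,squashfs,sd-mod,usb-storage quiet nomodeset --- /boot/initramfs-hardened
EOF
    echo "$fx"
}

# Demo: the complete fixture passes; then delete the initramfs to show the
# failure that would otherwise only surface at the next boot.
# On a real dom0 run:  check_syslinux_cfg /media/usb
demo=$(make_fixture)
if check_syslinux_cfg "$demo"; then
    echo "demo: complete boot media, safe to reboot"
fi
rm "$demo/boot/initramfs-hardened"
if check_syslinux_cfg "$demo"; then
    echo "unexpected: missing initramfs was not caught"
else
    echo "demo: refusing, fix syslinux.cfg first"
fi
rm -rf "$demo"
```

<p>The check only covers what can be verified from the file system; it does not parse the kernel command line, so a typo in <code>modules=</code> or <code>dom0_mem=</code> still has to be caught by eye.</p>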
<p>When you are sure that <code>syslinux.cfg</code> is correct you can reboot (use <code>reboot -f</code>). If the boot fails you can use the server's integrated lights-out management to troubleshoot, or if
that is not possible you can connect the USB memory to your laptop and boot from USB in order to troubleshoot and fix the errors.</p>
<p>A Basic Alpine Linux XEN domU (published 2018-08-24, updated 2018-11-06, by bengt; alpine_v38_basic_domU.html)</p>
<h1 id="a-basic-alpine-linux-xen-domu">A Basic Alpine Linux XEN domU<a class="headerlink" href="#a-basic-alpine-linux-xen-domu" title="Permanent link">¶</a></h1>
<p>Guide to configure a basic XEN domU based on Alpine 3.8.
As Dom0 we use <a href="alpine_v38_dom0.html">Alpine Dom0 V3.8</a>.</p>
<p>To do this I have the following extra hardware:</p>
<ul>
<li>No extra hardware is needed.</li>
</ul>
<h2 id="dom0-work">dom0 work<a class="headerlink" href="#dom0-work" title="Permanent link">¶</a></h2>
<p>We need to create the domU installation configuration file, mount the installation image location, and start the installation.</p>
<p>Download the iso and unpack the kernel and initramfs as described here: <a href="alpine_v38_dom0.html#domu-preparation">domu-preparation</a></p>
<h3 id="create-installation-config">Create Installation config<a class="headerlink" href="#create-installation-config" title="Permanent link">¶</a></h3>
<p>Now we need to create the domU configuration file.</p>
<ul>
<li>Observe that the MAC address has to be unique among the dom0 and all domUs. A tool that can help you with this is, for instance, <a href="https://gist.github.com/viz3/6591201">random_mac.py</a>.</li>
<li>The cdrom points to the installer image which was prepared in the <a href="alpine_v38_dom0.html">dom0</a> installation.</li>
</ul>
<p>If you do it manually, please start with "00:16:3E" followed by a combination that is unique to you,
for instance "00:16:3e:AA:AA:01".</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> cat << EOF > /etc/xen/<domU-hostname>.cfg
<span class="gp">#</span><span class="c1">####</span>
<span class="gp">#</span><span class="c1">#### <domU-hostname> domU</span>
<span class="gp">#</span><span class="c1">####</span>
<span class="go">vcpus = '1'</span>
<span class="go">memory = '256'</span>
<span class="go">maxmem = '256'</span>
<span class="go">kernel = "/domU_installer/vmlinuz-vanilla"</span>
<span class="go">ramdisk = "/domU_installer/initramfs-vanilla"</span>
<span class="go">extra = "alpine_dev=hdc:iso9660 modules=loop,squashfs,sd-mod,usb-storage console=hvc0"</span>
<span class="go">disk = [</span>
<span class="go"> 'file://domU_installer/alpine-extended-3.8.1-x86_64.iso,hdc:cdrom,r',</span>
<span class="go"> 'phy:/<root disk path>/<root disk>,xvda1,w', </span>
<span class="go"> 'phy:/<swap disk path>/<swap disk>,xvda2,w', </span>
<span class="go"> ]</span>
<span class="go">name = '<domU-hostname>'</span>
<span class="gp">#</span><span class="c1"># ENSURE MAC ADDRESS IS UNIQUE!!!</span>
<span class="go">vif = [ 'mac=<Unique MAC Address>,bridge=br0' ]</span>
<span class="go">on_poweroff = 'destroy'</span>
<span class="go">on_reboot = 'restart'</span>
<span class="go">on_crash = 'restart'</span>
<span class="go">EOF</span>
</pre></div>
<p>If you are using zfs disks, please see the Appendix.</p>
<p>If you are using LVM disks, it might look like this.</p>
<div class="codehilite"><pre><span></span><span class="go">'phy:/dev/vg_domU/<domU-name>-disk,xvda1,w'</span>
</pre></div>
<p>If you are using normal disks, it might look like this.</p>
<div class="codehilite"><pre><span></span><span class="go">'phy:/dev/sdb1,xvda1,w'</span>
</pre></div>
<p>If you are using a file as a disk, you need to create the file first and then use it. Something like this.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> <span class="c1"># Create a 3GB file to be used as a disk</span>
<span class="gp">#</span> dd <span class="k">if</span><span class="o">=</span>/dev/zero <span class="nv">of</span><span class="o">=</span>/path/to/disk.img <span class="nv">bs</span><span class="o">=</span>1M <span class="nv">count</span><span class="o">=</span><span class="m">3000</span>
<span class="gp">#</span> <span class="c1"># And then use this disk file in the configuration file</span>
<span class="go">'file:/path/to/disk.img,xvda,w',</span>
</pre></div>
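<p>Duplicate MAC addresses are the mistake this section warns about, and they are easy to catch before <code>xl create</code>. The script below is an added example, not part of the original guide and not a Xen tool: it collects every <code>mac=</code> entry from the <code>*.cfg</code> files in a directory (normally <code>/etc/xen</code>), reports duplicates (case-insensitively) and addresses outside Xen's <code>00:16:3e</code> prefix, and offers a <code>new_mac</code> helper that proposes a random address in that prefix, in the spirit of the random_mac.py link above. The function names and the four sample config files are mine and constructed for the demo; on the real dom0 run <code>check_macs /etc/xen</code>.</p>

```sh
#!/bin/sh
# Added example (not from the original guide): lint the vif MAC addresses
# of the domU configs in a directory before starting a new domain.

# list_macs <dir>: print "<mac in lower case> <file>" for every mac= in *.cfg
list_macs() {
    for f in "$1"/*.cfg; do
        [ -e "$f" ] || continue
        # grep -o prints each mac=... occurrence on its own line
        grep -oE 'mac=[0-9A-Fa-f:]+' "$f" | while read -r m; do
            echo "$(echo "${m#mac=}" | tr 'A-F' 'a-f') $f"
        done
    done
}

# check_macs <dir>: returns 0 only if all MACs are unique and use the
# Xen OUI 00:16:3e that the guide recommends.
check_macs() {
    macs=$(list_macs "$1")
    if [ -z "$macs" ]; then
        echo "no mac= entries found under $1"
        return 2
    fi
    problems=0
    # uniq -d prints each address that occurs more than once
    for m in $(echo "$macs" | cut -d' ' -f1 | sort | uniq -d); do
        echo "DUPLICATE $m in: $(echo "$macs" | grep "^$m " | cut -d' ' -f2 | tr '\n' ' ')"
        problems=$((problems + 1))
    done
    for m in $(echo "$macs" | cut -d' ' -f1 | grep -v '^00:16:3e:'); do
        echo "NOT-XEN-OUI $m in: $(echo "$macs" | grep "^$m " | cut -d' ' -f2 | tr '\n' ' ')"
        problems=$((problems + 1))
    done
    echo "$problems problem(s) in $1"
    [ "$problems" -eq 0 ]
}

# new_mac: propose a random address in the Xen OUI range; re-run check_macs
# after adding it to a config to be sure it did not collide.
new_mac() {
    printf '00:16:3e:%02x:%02x:%02x\n' $(od -An -N3 -tu1 /dev/urandom)
}

# make_xen_fixture: constructed sample configs in a temp dir (demo/tests only)
make_xen_fixture() {
    fx=$(mktemp -d)
    printf "name = 'dns'\nvif = [ 'mac=00:16:3e:aa:aa:01,bridge=br0' ]\n"  > "$fx/dns.cfg"
    printf "name = 'web'\nvif = [ 'mac=00:16:3e:aa:aa:02,bridge=br0' ]\n"  > "$fx/web.cfg"
    # same address as dns, only written in upper case
    printf "name = 'mail'\nvif = [ 'mac=00:16:3E:AA:AA:01,bridge=br0' ]\n" > "$fx/mail.cfg"
    # an address outside the Xen OUI
    printf "name = 'lab'\nvif = [ 'mac=52:54:00:12:34:56,bridge=br0' ]\n"  > "$fx/lab.cfg"
    echo "$fx"
}

# Demo on the constructed configs; on a real dom0:  check_macs /etc/xen
demo=$(make_xen_fixture)
if check_macs "$demo"; then
    echo "unexpected: the fixture contains known problems"
fi
echo "suggested address for a new domU: $(new_mac)"
rm -rf "$demo"
```

<p>The check reads the config files only; a domU created by hand with <code>xl</code> or a MAC used by the dom0's own interfaces is not seen, so compare against <code>ip link</code> on the dom0 as well when in doubt.</p>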
<h3 id="mount-domu_installer">Mount /domU_installer<a class="headerlink" href="#mount-domu_installer" title="Permanent link">¶</a></h3>
<p>And last we need to make sure that /domU_installer is mounted.</p>
<div class="codehilite"><pre><span></span><span class="go">dom0 # mount /domU_installer</span>
</pre></div>
<h3 id="start-domu">Start domU<a class="headerlink" href="#start-domu" title="Permanent link">¶</a></h3>
<p>It is time to start the installation; to do this we simply start the domU</p>
<div class="codehilite"><pre><span></span><span class="go">dom0 # xl create /etc/xen/<domU-hostname>.cfg -c</span>
</pre></div>
<p>To get back to the dom0 environment from the console, you press CTRL+]</p>
<p><strong>Hint</strong> If CTRL+] does not work, CTRL+5 could work instead. Please see here for more info <a href="https://wiki.xenproject.org/wiki/Xen_FAQ_Console#How_do_I_connect_to_or_detach_from_a_console.3F">Xen_FAQ_Console</a></p>
<p>At the login prompt, simply enter root and no password (the default at installation time)</p>
<h2 id="domu-work">domU work<a class="headerlink" href="#domu-work" title="Permanent link">¶</a></h2>
<h3 id="format-root-disk">Format root disk<a class="headerlink" href="#format-root-disk" title="Permanent link">¶</a></h3>
<div class="codehilite"><pre><span></span><span class="gp">#</span> apk add e2fsprogs
<span class="gp">#</span> mkfs.ext4 /dev/xvda1
</pre></div>
<h3 id="mountpoints-etc">Mountpoints etc<a class="headerlink" href="#mountpoints-etc" title="Permanent link">¶</a></h3>
<p>Time to configure the mountpoints for root, as well as mount it. We will mount it under /mnt for the installation process.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> mount -t ext4 /dev/xvda1 /mnt
</pre></div>
<h3 id="setup-alpine">setup-alpine<a class="headerlink" href="#setup-alpine" title="Permanent link">¶</a></h3>
<p>Finally, time to configure (setup) the actual alpine part</p>
<p>Key things to remember</p>
<ul>
<li>Answer <code>none</code> on last questions (Disks, config, and apk repository)</li>
<li>Which disk(s) would you like to use? (or '?' for help or 'none') <code>none</code></li>
<li>Enter where to store configs ('floppy', 'usb' or 'none') [none]:</li>
<li>Enter apk cache directory (or '?' or 'none') [/var/cache/apk]: <code>none</code></li>
</ul>
<div class="codehilite"><pre><span></span><span class="gp">#</span> setup-alpine
<span class="go">Available keyboard layouts:</span>
<span class="go">af be cn fi hu jp lt my ro tj</span>
<span class="go">al bg cz fo ie ke lv ng rs tm</span>
<span class="go">am br de fr il kg ma nl ru tr</span>
<span class="go">ara brai dk gb in kr md no se tw</span>
<span class="go">at by dz ge iq kz me ph si ua</span>
<span class="go">az ca ee gh ir la mk pk sk us</span>
<span class="go">ba ch epo gr is latam ml pl sy uz</span>
<span class="go">bd cm es hr it lk mt pt th</span>
<span class="go">Select keyboard layout [none]: us</span>
<span class="go">Available variants: us-alt-intl us-altgr-intl us-chr us-colemak us-dvorak-alt-intl us-dvorak-classic us-dvorak-intl us-dvorak-l us-dvorak-r us-dvorak us-dvp us-euro us-hbs us-intl us-mac us-olpc2 us-rus us-workman-intl us-workman us</span>
<span class="go">Select variant []: us</span>
<span class="go"> * Caching service dependencies ... [ ok ]</span>
<span class="go"> * Setting keymap ... [ ok ]</span>
<span class="go">Enter system hostname (short form, e.g. 'foo') [localhost]: `<domU-hostname>`</span>
<span class="go">Available interfaces are: eth0.</span>
<span class="go">Enter '?' for help on bridges, bonding and vlans.</span>
<span class="go">Which one do you want to initialize? (or '?' or 'done') [eth0]</span>
<span class="go">Ip address for eth0? (or 'dhcp', 'none', '?') [dhcp] 192.168.1.20/24</span>
<span class="go">Gateway? (or 'none') [none] 192.168.1.1</span>
<span class="go">Configuration for eth0:</span>
<span class="go"> type=static</span>
<span class="go"> address=192.168.1.20</span>
<span class="go"> netmask=255.255.255.0</span>
<span class="go"> gateway=192.168.1.1</span>
<span class="go">Do you want to do any manual network configuration? [no]</span>
<span class="go">DNS domain name? (e.g 'bar.com') [] example.com</span>
<span class="go">DNS nameserver(s)? [] 8.8.8.8</span>
<span class="go">Changing password for root</span>
<span class="go">New password:</span>
<span class="go">Retype password:</span>
<span class="go">passwd: password for root changed by root</span>
<span class="go">Which timezone are you in? ('?' for list) [UTC] Australia/Melbourne</span>
<span class="go"> * Starting busybox acpid ... [ ok ]</span>
<span class="go"> * Starting busybox crond ... [ ok ]</span>
<span class="go">HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</span>
<span class="go">Available mirrors:</span>
<span class="go">1) dl-cdn.alpinelinux.org</span>
<span class="go">...</span>
<span class="go">19) http://mirror.aarnet.edu.au</span>
<span class="go">...</span>
<span class="go">36) mirrors.shu.edu.cn</span>
<span class="go">r) Add random from the above list</span>
<span class="go">f) Detect and add fastest mirror from above list</span>
<span class="go">e) Edit /etc/apk/repositories with text editor</span>
<span class="go">Enter mirror number (1-36) or URL to add (or r/f/e/done) [f]: 19</span>
<span class="go">Added mirror mirror.aarnet.edu.au</span>
<span class="go">Updating repository indexes... done.</span>
<span class="go">Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]</span>
<span class="go"> * service sshd added to runlevel default</span>
<span class="go"> * Caching service dependencies ... [ ok ]</span>
<span class="go">ssh-keygen: generating new host keys: RSA DSA ECDSA ED25519</span>
<span class="go"> * Starting sshd ... [ ok ]</span>
<span class="go">Which NTP client to run? ('busybox', 'openntpd', 'chrony' or 'none') [chrony]</span>
<span class="go"> * service chronyd added to runlevel default</span>
<span class="go"> * Caching service dependencies ... [ ok ]</span>
<span class="go"> * Starting chronyd ... [ ok ]</span>
<span class="go">Available disks are:</span>
<span class="go"> xvda2 (0.5 GB )</span>
<span class="go">Which disk(s) would you like to use? (or '?' for help or 'none') [none]</span>
<span class="go">Enter where to store configs ('floppy', 'usb' or 'none') [none]:</span>
<span class="go">Enter apk cache directory (or '?' or 'none') [/var/cache/apk]: none</span>
<span class="gp">#</span>
</pre></div>
<h3 id="store-filesystem">Store filesystem<a class="headerlink" href="#store-filesystem" title="Permanent link">¶</a></h3>
<p>Time to install this domU to the filesystem on <code>/mnt</code> (the disk that becomes the / partition after the first reboot)</p>
<p>We will use the <code>-m sys</code> parameter (write the system to disk).</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> setup-disk -m sys /mnt
<span class="go">Installing system on /dev/xvda1:</span>
<span class="go">extlinux: Not a directory: /mnt/boot</span>
<span class="go">100% ############################################==> initramfs: creating /boot/initramfs-vanilla</span>
<span class="go">/boot is device /dev/xvda1</span>
<span class="go">extlinux: no previous syslinux boot sector found</span>
<span class="go">You might need fix the MBR to be able to boot</span>
</pre></div>
<h3 id="update-grub">Update grub<a class="headerlink" href="#update-grub" title="Permanent link">¶</a></h3>
<p>We need to create a grub boot stanza</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> mkdir /mnt/boot/grub
<span class="gp">#</span> cat << EOF > /mnt/boot/grub/grub.cfg
<span class="go">set timeout=2</span>
<span class="go">set default=0</span>
<span class="go">menuentry "alpine" {</span>
<span class="go"> linux /boot/vmlinuz-vanilla modules=ext4 console=hvc0 root=/dev/xvda1</span>
<span class="go"> initrd /boot/initramfs-vanilla</span>
<span class="go">}</span>
<span class="go">EOF</span>
</pre></div>
<h3 id="time-to-halt">Time to halt<a class="headerlink" href="#time-to-halt" title="Permanent link">¶</a></h3>
<p>Time to halt this newly installed system, and go back to dom0 for some changes.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> halt
</pre></div>
<h2 id="post-install-actions">Post-Install actions<a class="headerlink" href="#post-install-actions" title="Permanent link">¶</a></h2>
<h3 id="fix-dom0s-domu-config-file">Fix dom0's domU config file<a class="headerlink" href="#fix-dom0s-domu-config-file" title="Permanent link">¶</a></h3>
<p>We need to update the domU configuration file to use the pv grub bootloader, as well as remove the cdrom entry.</p>
<div class="codehilite"><pre><span></span><span class="go">dom0 # cat << EOF > /etc/xen/<domU-hostname>.cfg</span>
<span class="gp">#</span><span class="c1">###</span>
<span class="gp">#</span><span class="c1">### <domU-hostname> domU</span>
<span class="gp">#</span><span class="c1">###</span>
<span class="go">vcpus = '1'</span>
<span class="go">memory = '256'</span>
<span class="go">maxmem = '256'</span>
<span class="go">kernel = "/usr/lib/grub-xen/grub-x86_64-xen.bin"</span>
<span class="go">disk = [</span>
<span class="go"> 'phy:/<root disk path>/<root disk>,xvda1,w', </span>
<span class="go"> 'phy:/<swap disk path>/<swap disk>,xvda2,w', </span>
<span class="go"> ]</span>
<span class="go">name = '<domU-hostname>'</span>
<span class="gp">#</span><span class="c1"># ENSURE MAC ADDRESS IS UNIQ!!!</span>
<span class="go">vif = [ 'mac=<Unique MAC Address>,bridge=br0' ]</span>
<span class="go">on_poweroff = 'destroy'</span>
<span class="go">on_reboot = 'restart'</span>
<span class="go">on_crash = 'restart'</span>
<span class="go">EOF</span>
</pre></div>
<p>And lastly we need to make these changes survive a reboot</p>
<div class="codehilite"><pre><span></span><span class="go">dom0 # lbu commit</span>
</pre></div>
<h3 id="start-domu_1">Start domU<a class="headerlink" href="#start-domu_1" title="Permanent link">¶</a></h3>
<p>Finally time to start the newly created domU, and see if it all works.</p>
<div class="codehilite"><pre><span></span><span class="go">dom0 # xl create /etc/xen/<domU-hostname>.cfg -c</span>
</pre></div>
<h3 id="add-normal-user">Add normal user<a class="headerlink" href="#add-normal-user" title="Permanent link">¶</a></h3>
<p>As per normal security practice, we should not use the root account for day-to-day operations, so we need to create a normal user and add it to <code>wheel</code></p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> adduser <username>
</pre></div>
<h3 id="add-sudo">Add sudo<a class="headerlink" href="#add-sudo" title="Permanent link">¶</a></h3>
<p>For security reasons, and as good practice, let's install sudo</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> apk add sudo
<span class="gp">#</span> sed -e <span class="s1">'s/# %wheel ALL=(ALL) ALL/%wheel ALL=(ALL) ALL/g'</span> -i /etc/sudoers
<span class="gp">#</span> adduser <username> wheel
</pre></div>
<h3 id="add-swap">Add swap<a class="headerlink" href="#add-swap" title="Permanent link">¶</a></h3>
<p>We need to put the swap on the swap disk</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> mkswap /dev/xvda2
<span class="gp">#</span> swapon /dev/xvda2
<span class="gp">#</span> <span class="nb">echo</span> <span class="s2">"/dev/xvda2 none swap sw 0 0"</span> >> /etc/fstab
<span class="gp">#</span> swapon -a
<span class="gp">#</span> rc-update add swap
</pre></div>
<h3 id="confirm-network-ok">Confirm network ok<a class="headerlink" href="#confirm-network-ok" title="Permanent link">¶</a></h3>
<p>Ensure we can ping google</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> ping www.google.com
</pre></div>
<h3 id="update-system">Update system<a class="headerlink" href="#update-system" title="Permanent link">¶</a></h3>
<p>It is good practice to update the system</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> apk update
<span class="gp">#</span> apk upgrade
</pre></div>
<h3 id="fix-autostart-of-domu">Fix autostart of domU<a class="headerlink" href="#fix-autostart-of-domu" title="Permanent link">¶</a></h3>
<p>Time to make this domU start automatically when the dom0 reboots</p>
<p>Let's stop the domU</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> halt
</pre></div>
<p>And on the <strong>dom0</strong> we create the auto start link, remember, do not forget to give the <strong>lbu commit</strong> command.</p>
<p>If you want some control over when this particular domU is started, precede the config file name with a numeric part, where 00 is first in priority and 99 is last.
For instance, if you want this particular domU to be started first, you should give the link the name <code>00-&lt;domU-hostname&gt;.cfg</code>.</p>
<div class="codehilite"><pre><span></span><span class="go">dom0 # ln -s /etc/xen/<domU-hostname>.cfg /etc/xen/auto/<NN-domU-hostname>.cfg</span>
<span class="go">dom0 # lbu commit</span>
</pre></div>
<p>Reboot to verify</p>
<div class="codehilite"><pre><span></span><span class="go">dom0 # reboot</span>
</pre></div>
<p>or, if you prefer to just restart the service</p>
<div class="codehilite"><pre><span></span><span class="go">dom0 # service xendomains restart</span>
</pre></div>
<p>and after dom0 is up and running again, check that the newly created domU domain is running</p>
<div class="codehilite"><pre><span></span><span class="go">dom0 # xl list</span>
</pre></div>
<h1 id="appendix">Appendix<a class="headerlink" href="#appendix" title="Permanent link">¶</a></h1>
<h2 id="disk-from-a-storage-driver-domain-running-zfs">Disk from a storage driver domain running ZFS<a class="headerlink" href="#disk-from-a-storage-driver-domain-running-zfs" title="Permanent link">¶</a></h2>
<p>If you are using a storage driver domU with <strong>ZFS</strong>, like <a href="alpine_v38_storage_domu.html">Alpine Storage DomU V3.8</a>, you need to add <strong>backend=&lt;Storage driver domU name&gt;</strong> to the disk specification.
For how to create the zfs based disks, please look at <a href="alpine_v38_storage_domu.html">Alpine Storage DomU V3.8</a></p>
<p>Example</p>
<div class="codehilite"><pre><span></span><span class="na">disk</span> <span class="o">=</span> <span class="s">[</span>
<span class="s"> 'backend=<Storage driver domU name>,phy:/dev/zvol/tank/xen/<domU name>-disk,xvda1,w',</span>
<span class="s"> ]</span>
</pre></div>
<p>Example on my system</p>
<div class="codehilite"><pre><span></span><span class="na">disk</span> <span class="o">=</span> <span class="s">[</span>
<span class="s"> 'backend=zfshost,phy:/dev/zvol/tank/xen/dns-disk,xvda1,w',</span>
<span class="s"> ]</span>
</pre></div>
<p>Alpine v3.8 Linux as a XEN dom0 from a USB stick (published 2018-08-24, updated 2018-10-17, by bengt; alpine_v38_dom0.html)</p>
<h1 id="guide-to-configure-an-xen-dom0-server-based-on-alpine-38">Guide to configure an XEN Dom0 server based on Alpine 3.8<a class="headerlink" href="#guide-to-configure-an-xen-dom0-server-based-on-alpine-38" title="Permanent link">¶</a></h1>
<p>I have the following configuration for my file server.</p>
<ul>
<li>Server HP ProLiant MicroServer Gen8 G1610T</li>
<li>Memory Kingston KCP316ED8/8 8GB DDR3 1600MHz ECC Module, 16GB total</li>
<li>USB Boot USB 16GB Stick Cruzer</li>
</ul>
<p>During the installation we also need a USB stick (1G+), as well as a workstation/laptop.</p>
<ul>
<li>Temporary USB Stick, to be used as installation media.</li>
</ul>
<h1 id="various-references">Various references<a class="headerlink" href="#various-references" title="Permanent link">¶</a></h1>
<p>Here are various references I have been looking at</p>
<ol>
<li><a href="hp_microserver_gen8.html">HP Microserver Gen8</a></li>
<li><a href="alpine_dom0.html">Alpine dom0</a></li>
<li><a href="alpine_domU.html">Alpine domU</a></li>
<li><a href="xen_storage_driver_domain.html">XEN Storage Driver domain</a></li>
</ol>
<h1 id="preparation">Preparation<a class="headerlink" href="#preparation" title="Permanent link">¶</a></h1>
<p>This chapter should be executed on your normal desktop/laptop.</p>
<p>First we need to download the Alpine XEN image from <a href="https://alpinelinux.org/downloads/">Alpine's download page</a> or use this direct <a href="http://dl-cdn.alpinelinux.org/alpine/v3.8/releases/x86_64/alpine-xen-3.8.1-x86_64.iso">link to alpine-xen-3.8.1-x86_64.iso</a>.
Store the image under <code>/tmp</code>.</p>
<p>Insert the installation Media USB stick into your desktop/laptop, and check which device it shows up as</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> dmesg <span class="p">|</span> tail
<span class="go">...</span>
<span class="go">[162562.819054] sd 5:0:0:0: [sdb] 2046240 512-byte logical blocks: (1.04 GB/999 MiB)</span>
<span class="go">[162562.823977] sdb: sdb1</span>
</pre></div>
<p>You can also check dmesg for removable disks, as per this example.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> dmesg <span class="p">|</span> grep -i removable
<span class="go">[14607526.725995] sd 16:0:0:0: [sdb] Attached SCSI removable disk</span>
<span class="go">[15742096.383712] sd 17:0:0:0: [sdb] Attached SCSI removable disk</span>
<span class="gp">#</span>
</pre></div>
<p>On my system, we can see that the Installation Media USB stick has been attached as <code>/dev/sdb</code>, but please <em>note</em> that this varies from system to system.</p>
<p>Please, ensure that the Installation Media USB stick has not been automatically mounted.</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> mount <span class="p">|</span> grep <Removable Installation Media USB Stick>
<span class="gp">$</span> df <span class="p">|</span> grep <Removable Installation Media USB Stick>
</pre></div>
<p>If it has been auto-mounted, please unmount it, since the <code>dd</code> command expects it to be unmounted.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> umount <Removable Installation Media USB Stick>
</pre></div>
<p>Time to move the just downloaded Alpine Xen 3.8 Image to the installation Media USB stick using <code>dd</code>.</p>
<p>The command we use is <code>dd</code>, with the syntax</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> dd <span class="k">if</span><span class="o">=</span>/tmp/alpine-xen-3.8.1-x86_64.iso <span class="nv">of</span><span class="o">=</span><Removable Installation USB Stick>
</pre></div>
<p>In my case the command would be</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> sudo -i
<span class="gp">#</span> dd <span class="k">if</span><span class="o">=</span>/tmp/alpine-xen-3.8.1-x86_64.iso <span class="nv">of</span><span class="o">=</span>/dev/sdb
<span class="go">299008+0 records in</span>
<span class="go">299008+0 records out</span>
<span class="go">153092096 bytes (153 MB) copied, 56.1059 s, 2.7 MB/s</span>
<span class="gp">#</span> sync
</pre></div>
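<p>Writing an image with <code>dd</code> to the wrong device destroys whatever is on it, so the manual <code>dmesg</code> and <code>mount</code> checks above are worth turning into a script. The following is an added example, not part of the original guide: the function <code>check_dd_target</code> refuses a device unless it is a whole disk that the kernel flags as removable (<code>/sys/block/sdX/removable</code>) and neither it nor any of its partitions appears in <code>/proc/mounts</code>. The sysfs root and the mounts table are parameters so the demo can run against a constructed tree in a temporary directory; on your workstation you simply call <code>check_dd_target /dev/sdb</code> before the <code>dd</code>. Function and fixture names are mine.</p>

```sh
#!/bin/sh
# Added example (not from the original guide): refuse to dd onto anything
# that is not an unmounted, removable, whole-disk device.

# check_dd_target <device> [sysfs root] [mounts table]
# Returns 0 only if <device> is a whole disk, is flagged removable by the
# kernel, and neither it nor one of its partitions is currently mounted.
check_dd_target() {
    dev=$1
    sysroot=${2:-/sys}
    mounts=${3:-/proc/mounts}
    name=${dev##*/}
    # Partitions (sdb1) have no /sys/block entry of their own; only whole
    # disks do, and the ISO image must go to the whole disk anyway.
    if [ ! -r "$sysroot/block/$name/removable" ]; then
        echo "REFUSE $dev: not a whole-disk block device (a partition, or not present)"
        return 1
    fi
    if [ "$(cat "$sysroot/block/$name/removable")" != "1" ]; then
        echo "REFUSE $dev: kernel does not flag it as removable (internal disk?)"
        return 1
    fi
    # /proc/mounts lists the device node first on each line; match the
    # disk itself and any partition of it (sdb, sdb1, ...)
    if grep -q "^$dev[0-9]* " "$mounts"; then
        echo "REFUSE $dev: it or one of its partitions is mounted, umount first"
        return 1
    fi
    echo "OK $dev: unmounted removable disk"
}

# make_sys_fixture: constructed sysfs tree and mounts table in a temp dir
# (demo/tests only); prints its path.
make_sys_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/sys/block/sda" "$fx/sys/block/sdb"
    echo 0 > "$fx/sys/block/sda/removable"   # the internal disk
    echo 1 > "$fx/sys/block/sdb/removable"   # the USB stick
    # the stick was auto-mounted by the desktop, as the guide warns
    printf '/dev/sda1 / ext4 rw 0 0\n/dev/sdb1 /media/usb vfat rw 0 0\n' > "$fx/mounts"
    echo "$fx"
}

# Demo against the fixture; on a real workstation:  check_dd_target /dev/sdb
demo=$(make_sys_fixture)
check_dd_target /dev/sda "$demo/sys" "$demo/mounts" || true   # internal disk
check_dd_target /dev/sdb "$demo/sys" "$demo/mounts" || true   # still mounted
printf '/dev/sda1 / ext4 rw 0 0\n' > "$demo/mounts"            # after umount
if check_dd_target /dev/sdb "$demo/sys" "$demo/mounts"; then
    echo "demo: dd if=/tmp/alpine-xen-3.8.1-x86_64.iso of=/dev/sdb would be allowed"
fi
rm -rf "$demo"
```

<p>The removable flag is what the kernel reports for USB mass storage, which is why the guide's <code>dmesg | grep -i removable</code> works; some SD card readers and all internal SATA disks report 0, so the check errs on the side of refusing.</p>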
<p>At this time, we are done working on our workstation, time to move over to the new server.</p>
<h1 id="prepare-boot-usb-stick">Prepare Boot USB Stick<a class="headerlink" href="#prepare-boot-usb-stick" title="Permanent link">¶</a></h1>
<p>Time to start the installation on the new Alpine Server. Insert the Installation Media USB Stick, and reboot the server. Ensure that you boot from the installation media.</p>
<p>When the server has booted, insert the Boot USB Stick (16GB USB Cruzer in my case)</p>
<p>At login prompt, login as <code>root</code>, no password at this stage.</p>
<div class="codehilite"><pre><span></span><span class="go">Login: root</span>
</pre></div>
<p>Time to figure out which device the Boot USB Stick device has. </p>
<p>Look in the <code>dmesg</code> output and search for your USB stick. In my case <strong>Cruzer</strong>.
It should be located towards the end of the <code>dmesg</code> output.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> dmesg
<span class="go">[ 12.296717] usb 1-1.1: new high-speed USB device number 3 using ehci-pci</span>
<span class="go">[ 12.313381] usb 2-1.3: new high-speed USB device number 3 using ehci-pci</span>
<span class="go">[ 12.398454] usb 1-1.1: New USB device found, idVendor=0781, idProduct=5571</span>
<span class="go">[ 12.398457] usb 1-1.1: New USB device strings: Mfr=1, Product=2, SerialNumber=3</span>
<span class="go">[ 12.398459] usb 1-1.1: Product: Cruzer Fit</span>
<span class="go">[ 12.398461] usb 1-1.1: Manufacturer: SanDisk</span>
<span class="go">[ 12.398463] usb 1-1.1: SerialNumber: 4C530001231102113292</span>
<span class="go">[ 12.398886] usb-storage 1-1.1:1.0: USB Mass Storage device detected</span>
<span class="go">[ 12.399172] scsi host8: usb-storage 1-1.1:1.0</span>
<span class="go">[ 13.410934] scsi 8:0:0:0: Direct-Access SanDisk Cruzer Fit 1.00 PQ: 0 ANSI: 6</span>
<span class="go">[ 13.412237] sd 8:0:0:0: [sde] 30595072 512-byte logical blocks: (15.7 GB/14.6 GiB)</span>
<span class="go">[ 13.414122] sd 8:0:0:0: [sde] Write Protect is off</span>
<span class="go">[ 13.414126] sd 8:0:0:0: [sde] Mode Sense: 43 00 00 00</span>
<span class="go">[ 13.415246] sd 8:0:0:0: [sde] Write cache: disabled, read cache: enabled, doesn't support DPO or FUA</span>
<span class="go">[ 13.420719] sde: sde1 sde2</span>
<span class="go">[ 13.423963] sd 8:0:0:0: [sde] Attached SCSI removable disk</span>
</pre></div>
<p>In my case the device we will be using is <code>sde</code> (Cruzer)</p>
<p>We need to format the Boot USB stick with two partitions</p>
<ul>
<li>We need a small bootable boot partition for dom0, about 1GB is enough.</li>
<li>The rest will be used as an LVM partition, for holding supporting domUs</li>
</ul>
<p>We will format using <code>fdisk</code>. Make sure you target the Boot USB stick. </p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> fdisk /dev/sde
</pre></div>
<p>End result should look like this</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> fdisk -l /dev/sde
<span class="go">Disk /dev/sde: 15 GB, 15664676864 bytes, 30595072 sectors</span>
<span class="go">1904 cylinders, 255 heads, 63 sectors/track</span>
<span class="go">Units: cylinders of 16065 * 512 = 8225280 bytes</span>
<span class="go">Device Boot StartCHS EndCHS StartLBA EndLBA Sectors Size Id Type</span>
<span class="go">/dev/sde1 * 0,1,1 122,254,63 63 1975994 1975932 964M c Win95 FAT32 (LBA)</span>
<span class="go">/dev/sde2 123,0,1 1023,254,63 1975995 30587759 28611765 13.6G 8e Linux LVM</span>
</pre></div>
<p><strong>NOTE</strong> observe that <code>sde1</code> is a bootable partition.</p>
<p><strong>NOTE</strong> you might need to unplug/replug the stick after partitioning it.</p>
<p>Time to add the <code>syslinux</code> package</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> apk add syslinux
</pre></div>
<p>Load the VFAT kernel module</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> modprobe vfat
</pre></div>
<p>Create bootable file system</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> mkfs.vfat /dev/sde1
</pre></div>
<p>We need to know which device the Installation Media is. To find out, run <code>df</code>; in my case the Installation Media was mounted at <code>/media/usb</code> (it might be mounted at a different place depending on your situation)</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> df <span class="p">|</span> grep -E <span class="s1">'media/(sd|usb)'</span>
<span class="go">/dev/sdc 986036 585164 400872 59% /media/usb</span>
</pre></div>
<p>Run the <code>setup-bootable</code> script to add Alpine Linux to the Boot USB stick and make it bootable (replacing <code>sde</code> with your Boot USB stick name):</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> setup-bootable <Installation media> <Boot USB Stick>
<span class="gp">#</span> setup-bootable /dev/sdc /dev/sde1
</pre></div>
<p>This step might take a few minutes.</p>
<p>When the <code>setup-bootable</code> script is finished, the installation is done, and we can remove the Installation media, and reboot.</p>
<div class="codehilite"><pre><span></span><span class="go"><remove installation media></span>
<span class="gp">#</span> reboot
</pre></div>
<h1 id="basic-alpine-host-setup">Basic alpine host setup<a class="headerlink" href="#basic-alpine-host-setup" title="Permanent link">¶</a></h1>
<p>After the reboot, log in on the console again (still no password for root); it is time to configure this Alpine installation.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> setup-alpine
</pre></div>
<ul>
<li>Configure <code>eth0</code> and add <code>br0</code>; the end result should look like the interfaces file printed below.</li>
<li>Confirm that the IP, DNS, GW are correct and valid</li>
<li>Based on some script dependencies, it is best to name the bridge <code>br0</code></li>
<li>For DNS IP, please use your own, or if unsure, use Google <code>8.8.8.8</code></li>
</ul>
<p>Below is a printout of my interfaces file after the <code>setup-alpine</code> script was run.</p>
<div class="codehilite"><pre><span></span><span class="na">auto lo</span>
<span class="na">iface lo inet loopback</span>
<span class="na">auto br0</span>
<span class="na">iface br0 inet static</span>
<span class="na">bridge-ports eth0</span>
<span class="na">address 192.168.1.5</span>
<span class="na">netmask 255.255.255.0</span>
<span class="na">gateway 192.168.1.1</span>
</pre></div>
<ul>
<li>Skip <code>eth1</code>, answer <code>done</code></li>
<li>Which disk(s) would you like to use: <code>none</code></li>
<li>Enter where to store configs: <code>usb</code></li>
<li>Enter apk cache directory: <code>/media/usb/cache</code></li>
</ul>
<p>After setup has finished, you need to commit the changes to the Boot USB stick.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> lbu commit
</pre></div>
<h1 id="adding-lvm">Adding LVM<a class="headerlink" href="#adding-lvm" title="Permanent link">¶</a></h1>
<p>First, we need to confirm what name the Boot USB stick has (in my case <code>sde</code>).</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> df
</pre></div>
<p>Time to add and configure LVM.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> apk add lvm2
<span class="gp">#</span> pvcreate /dev/sde2
<span class="go"> Physical volume "/dev/sde2" successfully created.</span>
<span class="gp">#</span> vgcreate vg_domU /dev/sde2
<span class="go"> Volume group "vg_domU" successfully created</span>
<span class="gp">#</span> lvcreate -n lv_domU_installer -L 512M vg_domU
<span class="go"> Logical volume "lv_domU_installer" created.</span>
<span class="gp">#</span> rc-update add lvm
<span class="go"> * service lvm added to runlevel default</span>
<span class="gp">#</span> lbu commit
</pre></div>
<p>And setup the filesystem.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> apk add e2fsprogs
<span class="gp">#</span> mkfs.ext4 /dev/vg_domU/lv_domU_installer
</pre></div>
<p>And prepare a mount point for the domU installation media.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> mkdir /domU_installer
<span class="gp">#</span> <span class="nb">echo</span> <span class="s2">"/dev/vg_domU/lv_domU_installer /domU_installer ext4 noauto,noatime 0 0"</span> >> /etc/fstab
<span class="gp">#</span> mount /domU_installer
<span class="gp">#</span> lbu commit
</pre></div>
<p><strong>NOTE</strong> <code>/domU_installer</code> is not mounted automatically on boot; it has to be mounted explicitly by the user when needed, and unmounted when it is no longer needed.
When you try to create a domU and <code>xl</code> complains about missing media, that is usually a sure sign that you forgot to
<code>mount /domU_installer</code></p>
<h1 id="xen-hypervisor">xen-hypervisor<a class="headerlink" href="#xen-hypervisor" title="Permanent link">¶</a></h1>
<p>We need to add the <code>xen-hypervisor</code> manually, since we run diskless.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> apk add xen-hypervisor
<span class="gp">#</span> lbu commit
</pre></div>
<h1 id="tmux-console">TMUX Console<a class="headerlink" href="#tmux-console" title="Permanent link">¶</a></h1>
<p>We will use <code>tmux</code> to capture the various domU's console. </p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> apk add tmux
</pre></div>
<p>Then we need to uncomment a line in the <code>/etc/conf.d/xendomains</code> configuration file</p>
<p>Before:</p>
<div class="codehilite"><pre><span></span><span class="c1">#XENDOMAINS_CONSOLE="tmux"</span>
</pre></div>
<p>After:</p>
<div class="codehilite"><pre><span></span><span class="na">XENDOMAINS_CONSOLE</span><span class="o">=</span><span class="s">"tmux"</span>
</pre></div>
<p><strong>After</strong> you have created some domU's the output might look like below, and based on the below output the <code>tmux</code> session is called <code>xen</code>.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> tmux ls
<span class="go">0: 1 windows (created Wed Sep 5 05:39:38 2018) [127x53]</span>
<span class="go">4: 1 windows (created Sun Sep 9 01:24:43 2018) [127x53]</span>
<span class="go">xen: 4 windows (created Mon Sep 10 14:44:51 2018) [127x53]</span>
</pre></div>
<p>And you would then connect to the <code>xen</code> <code>tmux</code> session with <code>tmux attach-session</code> using the following command:</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> tmux attach-session -t xen
</pre></div>
<p>For further information on how to navigate a <code>tmux</code> session, please check the following excellent <a href="https://tmuxcheatsheet.com/">Tmux Cheat Sheet</a></p>
<h1 id="prepare-for-domu">Prepare for domU<a class="headerlink" href="#prepare-for-domu" title="Permanent link">¶</a></h1>
<h2 id="alpine-image">Alpine Image<a class="headerlink" href="#alpine-image" title="Permanent link">¶</a></h2>
<p>Prepare the domU's installer image (needed to create your first domU later).
Download Alpine Extended from <a href="http://dl-cdn.alpinelinux.org/alpine/v3.8/releases/x86_64/alpine-extended-3.8.1-x86_64.iso">link to Alpine 3.8.1 Extended 64 bits</a>, or if you need another version, go to the <a href="https://alpinelinux.org/downloads/">Alpine Download Page</a> and download your preferred "Extended" version.</p>
<p>The reason we use the <code>-extended</code> flavor is that when we create our domUs we do not have to have the network configured and protected while we do the installations.</p>
<p>Remember to download the checksum file as well.</p>
<p>After you have downloaded both ISO file as well as checksum file, you need to verify that the ISO file has the correct checksum. If not, please re-download both and try again.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> ls -l
<span class="go">total 393200</span>
<span class="go">-rw-r--r-- 1 root root 386924544 Sep 17 20:30 alpine-extended-3.8.1-x86_64.iso</span>
<span class="go">-rw-r--r-- 1 root root 99 Sep 17 20:31 alpine-extended-3.8.1-x86_64.iso.sha256</span>
</pre></div>
<p>And now we verify that the checksum is OK.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> sha256sum alpine-extended-3.8.1-x86_64.iso <span class="p">;</span> cat alpine-extended-3.8.1-x86_64.iso.sha256
<span class="go">6320a8e6d2a40fdf1b940f2854f515cb7f231e2df6221640e4307b1f848b8138 alpine-extended-3.8.1-x86_64.iso</span>
<span class="go">6320a8e6d2a40fdf1b940f2854f515cb7f231e2df6221640e4307b1f848b8138 alpine-extended-3.8.1-x86_64.iso.sha256</span>
</pre></div>
<p>After we have verified that the iso image has the correct checksum, place it in the <code>/domU_installer</code> directory (if not already there).</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> mv &lt;Downloaded Alpine Extended <span class="m">64</span> ISO&gt; /domU_installer
</pre></div>
<h2 id="domu-preparation">domU preparation<a class="headerlink" href="#domu-preparation" title="Permanent link">¶</a></h2>
<p>We prepare for the domU's installation by fetching the domU boot loader here.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> apk add grub-xenhost
<span class="gp">#</span> lbu commit
</pre></div>
<p>The installation kernel and ramdisk we fetch from the ISO image.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> mount -t iso9660 -o ro alpine-extended-3.8.1-x86_64.iso /mnt
<span class="gp">#</span> cp /mnt/boot/vmlinuz-vanilla /domU_installer
<span class="gp">#</span> cp /mnt/boot/initramfs-vanilla /domU_installer
<span class="gp">#</span> umount /mnt
</pre></div>
<h2 id="add-dom0-memory">Add dom0 Memory<a class="headerlink" href="#add-dom0-memory" title="Permanent link">¶</a></h2>
<p>Limit the memory used by the dom0 so that domUs do not have to "steal" available memory from the dom0 when starting.
Since the dom0 is booting from the Boot USB stick, we need to update syslinux at <code>/media/usb/boot/syslinux/syslinux.cfg</code></p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> mount /media/usb -o remount,rw
<span class="gp">#</span> vi /media/usb/boot/syslinux/syslinux.cfg
</pre></div>
<p>In particular, we need to add the parameter <code>dom0_mem=1024M</code> to the row starting with <code>APPEND</code>. (A lower value will not work, as the dom0 is running on a RAM disk.)</p>
<div class="codehilite"><pre><span></span>APPEND /boot/xen.gz dom0_mem=1024M --- /boot/vmlinuz-vanilla modules=loop,squashfs,sd-mod,usb-storage quiet nomodeset --- /boot/initramfs-vanilla
</pre></div>
<p>And remount Boot USB stick read only again.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> mount /media/usb -o remount,ro
</pre></div>
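<p>As an added example (my own shell functions, not a tool from this guide, from Alpine or from Xen), the remount/edit/remount procedure above can be made repeatable so that a second run does not add a second <code>dom0_mem=</code>: <code>set_dom0_mem</code> inserts the parameter right after <code>/boot/xen.gz</code> on the <code>APPEND</code> line, or replaces the value if one is already there, and <code>get_dom0_mem</code> reads it back. The function names and the write-through-a-temp-file-then-<code>cat</code> step (which keeps the file's inode and permissions on the vfat stick) are my own choices; the <code>APPEND /boot/xen.gz</code> prefix is assumed to be exactly as printed in the guide.</p>

```shell
#!/bin/sh
# Added example (not from the original guide): make the dom0_mem edit of
# syslinux.cfg repeatable. Assumes the Xen boot entry's APPEND line starts with
# "APPEND /boot/xen.gz", exactly as printed in the guide.

# Rewrite $1 in place through a temp file, so that the target file's inode and
# permissions are kept (a plain "sed -i" would replace the file).
rewrite_in_place() {
    file=$1; expr=$2
    tmp=$(mktemp) || return 2
    if sed "$expr" "$file" >"$tmp" && cat "$tmp" >"$file"; then
        rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# set_dom0_mem <syslinux.cfg> [<size>]  (size defaults to 1024M as in the guide)
# Inserts dom0_mem=<size> right after /boot/xen.gz on the APPEND line, or
# replaces an existing dom0_mem= value, so running it twice is harmless.
# Returns non-zero if the file has no "APPEND /boot/xen.gz" line to edit.
set_dom0_mem() {
    cfg=$1; mem=${2:-1024M}
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 2; }
    if grep -q '^APPEND /boot/xen\.gz.*dom0_mem=' "$cfg"; then
        rewrite_in_place "$cfg" "/^APPEND \/boot\/xen\.gz/s/dom0_mem=[^ ]*/dom0_mem=$mem/" || return 1
    else
        rewrite_in_place "$cfg" "s|^APPEND /boot/xen\.gz|APPEND /boot/xen.gz dom0_mem=$mem|" || return 1
    fi
    # Verify the edit actually landed (no matching APPEND line means nothing changed).
    [ "$(get_dom0_mem "$cfg")" = "$mem" ]
}

# get_dom0_mem <syslinux.cfg>: print the configured value, or nothing if unset.
get_dom0_mem() {
    sed -n 's/^APPEND \/boot\/xen\.gz.*dom0_mem=\([^ ]*\).*/\1/p' "$1"
}

# On the dom0 from this guide (the stick must be remounted rw first):
#   mount /media/usb -o remount,rw
#   set_dom0_mem /media/usb/boot/syslinux/syslinux.cfg 1024M
#   mount /media/usb -o remount,ro
```

The final check in <code>set_dom0_mem</code> is what makes the function safe to script: if someone has renamed the hypervisor image or the stick is mounted elsewhere, the <code>sed</code> simply matches nothing, and without the read-back the script would report success while the dom0 keeps booting with all memory.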
<p>And lastly we reboot and confirm the newly created Alpine Dom0 server is booting up.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> sync
<span class="gp">#</span> reboot
</pre></div>
<h1 id="post-steps">Post steps<a class="headerlink" href="#post-steps" title="Permanent link">¶</a></h1>
<p>When the system comes up it is time to do the final touches.</p>
<ul>
<li>Add normal user</li>
<li>Check network etc</li>
</ul>
<p>Ping working?</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> ping www.google.com
</pre></div>
<p>Let's update the system.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> apk update
<span class="gp">#</span> apk upgrade
</pre></div>
<p>Add a user.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> adduser &lt;normal-user-ID&gt;
<span class="gp">#</span> adduser &lt;normal-user-ID&gt; wheel
<span class="gp">#</span> lbu include /home
<span class="gp">#</span> lbu exclude /home/*/.ash_history
<span class="gp">#</span> lbu commit
</pre></div>
<h1 id="next-steps">Next steps<a class="headerlink" href="#next-steps" title="Permanent link">¶</a></h1>
<p>After this step comes, perhaps, the following (and it can be argued whether the ZFS host should come before the Network Domain or not...): </p>
<ul>
<li>Installing a Basic Server as a domU.</li>
<li>Installing a ZFS Storage Domain as a domU.</li>
<li>Installing a Network Domain (firewall) as a domU.</li>
<li>Installing a DNS Caching server as a domU.</li>
<li>etc...</li>
</ul>
<p>These HowTo's are being prepared and will be linked in here later.
In the meantime, have a look at the old link below.</p>
<p><a href="alpine_domU.html">Alpine DomU</a></p>
<h1 id="appendix">Appendix<a class="headerlink" href="#appendix" title="Permanent link">¶</a></h1>
<h2 id="hypervisor-upgrade">Hypervisor upgrade<a class="headerlink" href="#hypervisor-upgrade" title="Permanent link">¶</a></h2>
<p>When the <code>xen-hypervisor</code> package has been updated, the following needs to be done on the dom0 server.</p>
<ul>
<li>The XEN related files on the <strong>boot device</strong> (<code>/media/usb/boot/*xen*</code>) need to be updated.</li>
</ul>
<p>After the upgrade the XEN boot related files are located in the <code>ramfs</code>, so we need to copy those files to the reboot-safe place on the <strong>boot device</strong>.</p>
<p>First, remount the Boot USB stick writable.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> mount /media/usb -o remount,rw
</pre></div>
<p>Second, copy the files needed.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> cp /boot/*xen* /media/usb/boot
</pre></div>
<p>Third, remount Boot USB stick read only again.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> mount /media/usb -o remount,ro
</pre></div>
<p>Fourth, time to verify; we need to confirm that the XEN reference in <code>syslinux.cfg</code> points to the correct XEN version.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> grep xen /media/usb/boot/syslinux/syslinux.cfg
<span class="go">APPEND /boot/xen.gz dom0_mem=1024M --- /boot/vmlinuz-vanilla modules=loop,squashfs,sd-mod,usb-storage quiet nomodeset --- /boot/initramfs-vanilla</span>
</pre></div>
<p>From above we see that we are using <code>/boot/xen.gz</code>.</p>
<p>Let's confirm that <code>xen.gz</code> is the one we want, by confirming that the checksum is the same for <code>xen.gz</code> and <code>xen-NewVersion.gz</code>.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> cksum /media/usb/boot/xen*.gz
<span class="go">756110446 1084297 /media/usb/boot/xen-4.10.1.gz</span>
<span class="go">2952674154 1091674 /media/usb/boot/xen-4.10.2.gz</span>
<span class="go">2952674154 1091674 /media/usb/boot/xen-4.10.gz</span>
<span class="go">2952674154 1091674 /media/usb/boot/xen-4.gz</span>
<span class="go">2952674154 1091674 /media/usb/boot/xen.gz</span>
</pre></div>
<p>And last, confirm that the above <code>xen.gz</code> checksum is the same as the one under <code>/boot</code>.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> cksum /boot/xen*.gz
<span class="go">2952674154 1091674 /boot/xen-4.10.2.gz</span>
<span class="go">2952674154 1091674 /boot/xen-4.10.gz</span>
<span class="go">2952674154 1091674 /boot/xen-4.gz</span>
<span class="go">2952674154 1091674 /boot/xen.gz</span>
</pre></div>
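<p>As an added example (my own shell, not a tool from this guide or from Alpine), the four verification steps above can be folded into one check: read which image the <code>APPEND</code> line names, confirm that file exists on the boot device, and compare it byte for byte with the package's copy under <code>/boot</code>. The directories are parameters so the function can be exercised on copies; on the dom0 described here they are <code>/boot</code> and <code>/media/usb/boot</code>. <code>cmp</code> makes the decision instead of <code>cksum</code>, since equal CRCs are a weaker statement than equal bytes; <code>cksum</code> is only printed in the message so the output lines up with what the guide shows.</p>

```shell
#!/bin/sh
# Added example, not part of the original guide: verify that the Xen hypervisor
# image the boot device will load is byte-identical to the one the upgraded
# package installed under /boot. Directory arguments make it testable on copies;
# on the dom0 from this guide they are /boot and /media/usb/boot.

# Print the Xen image path named on the APPEND line of a syslinux.cfg
# (e.g. /boot/xen.gz); prints nothing if there is no APPEND line.
xen_image_from_cfg() {
    sed -n 's/^APPEND[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# check_xen_boot_copy <pkg_boot_dir> <usb_boot_dir> <syslinux.cfg>
# Returns 0 when the image referenced by syslinux.cfg exists on the boot device
# and matches the package copy; 1 when it is missing on either side or differs.
check_xen_boot_copy() {
    pkgdir=$1; usbdir=$2; cfg=$3
    img=$(xen_image_from_cfg "$cfg")
    [ -n "$img" ] || { echo "no APPEND line in $cfg" >&2; return 1; }
    name=$(basename "$img")
    [ -f "$pkgdir/$name" ] || { echo "missing package copy: $pkgdir/$name" >&2; return 1; }
    [ -f "$usbdir/$name" ] || { echo "missing on boot device: $usbdir/$name (did you run the cp?)" >&2; return 1; }
    # cksum prints "<crc> <size> <file>"; keep crc and size for the report only.
    a=$(cksum "$pkgdir/$name" | cut -d' ' -f1,2)
    b=$(cksum "$usbdir/$name" | cut -d' ' -f1,2)
    if ! cmp -s "$pkgdir/$name" "$usbdir/$name"; then
        echo "stale copy: $usbdir/$name ($b) differs from $pkgdir/$name ($a)" >&2
        return 1
    fi
    echo "ok: $usbdir/$name matches $pkgdir/$name ($a)"
    return 0
}

# On the dom0 from this guide, after the cp and the remount,ro:
#   check_xen_boot_copy /boot /media/usb/boot /media/usb/boot/syslinux/syslinux.cfg
```

Running this right after <code>apk upgrade</code> and again after the copy gives a clear before/after: the first run reports the stale copy, the second reports <code>ok</code>. A failing check before a reboot is the cheap way to avoid booting an old hypervisor against new <code>xen</code> userland tools.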
<h2 id="dom0-kernel-upgrade">dom0 Kernel Upgrade<a class="headerlink" href="#dom0-kernel-upgrade" title="Permanent link">¶</a></h2>
<p>You can update the kernel by putting <code>&lt;hostname&gt;.apkovl.tar.gz</code> on a freshly installed USB stick, or with the <code>update-kernel</code> command.
However, using <code>update-kernel</code> requires more <code>dom0_mem</code> (<code>update-kernel</code> uses both RAM and the <code>ramfs</code> on <code>/tmp</code>), hence we temporarily
use a 4GB dedicated LVM disk for <code>/tmp</code> during the kernel upgrade, to be able to complete the update without running out of memory.</p>
<p>The <code>tmpfs</code> volume is too small for the kernel upgrade.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> df -h /tmp
<span class="go">Filesystem Size Used Available Use% Mounted on</span>
<span class="go">tmpfs 155.7M 137.2M 18.5M 88% /</span>
</pre></div>
<p>We add a kernel upgrade volume.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> lvcreate -n lv_kernel_upgrade -L 4G vg_domU
<span class="go"> Logical volume "lv_kernel_upgrade" created.</span>
<span class="gp">#</span> mkfs.ext4 /dev/vg_domU/lv_kernel_upgrade
</pre></div>
<p>And mount it on <code>/tmp</code>.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> mount -t ext4 /dev/vg_domU/lv_kernel_upgrade /tmp
<span class="gp">#</span> df -h /tmp
<span class="go">Filesystem Size Used Available Use% Mounted on</span>
<span class="go">/dev/vg_domU/lv_kernel_upgrade</span>
<span class="go"> 3.9G 16.0M 3.6G 0% /tmp</span>
</pre></div>
<p>Check free RAM.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> free -m
<span class="go"> total used free shared buffers cached</span>
<span class="go">Mem: 311 270 40 137 2 203</span>
<span class="go">-/+ buffers/cache: 64 247</span>
<span class="go">Swap: 0 0 0</span>
</pre></div>
<p>Now <code>update-kernel</code> can be used.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> mount -o remount,rw /media/usb
<span class="gp">#</span> update-kernel
<span class="gp">#</span> mount -o remount,ro /media/usb
</pre></div>
<p><strong>If</strong> there is a complaint about a missing <code>mksquashfs</code> command, just install it and re-run the <code>update-kernel</code> command.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> apk add squashfs-tools
</pre></div>
<p>And we need to unmount the temporary <code>/tmp</code> LVM disk.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> umount /tmp
</pre></div>
<p>Now you can reboot the dom0 to the updated kernel.</p>
<h2 id="localized-keyboard">Localized keyboard<a class="headerlink" href="#localized-keyboard" title="Permanent link">¶</a></h2>
<p>If you have trouble with a localized keyboard (is it a bug in <code>setup-alpine</code>?), then use the following workaround:
In the file <code>/etc/profile.d/loadkeymap.sh</code> enter the following content:</p>
<div class="codehilite"><pre><span></span><span class="ch">#!/bin/ash</span>
<span class="k">if</span> <span class="o">[</span> <span class="s2">"/dev/tty1"</span> <span class="o">=</span> <span class="s2">"`tty`"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then</span>
<span class="nb">echo</span> <span class="s2">"Loading selected keymap."</span>
/etc/init.d/loadkmap start
<span class="k">fi</span>
</pre></div>
<p>Then commit the changes.</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> lbu commit
</pre></div>
<h2 id="domu-installation-config">domU installation config<a class="headerlink" href="#domu-installation-config" title="Permanent link">¶</a></h2>
<p>To use this installation image, you could use the below template as a base.
You have to make sure that your MAC address is <strong>UNIQUE</strong>. A tool that can help you with this is, for example, <a href="https://gist.github.com/viz3/6591201">random_mac.py</a>.</p>
<p>If you do it manually, please start with <code>00:16:3E</code> (the OUI reserved for Xen) followed by a combination that is unique for you.
For instance <code>00:16:3e:AA:AA:01</code> or <code>00:16:3e:BE:EF:01</code>.</p>
<div class="codehilite"><pre><span></span><span class="c1">#####</span>
<span class="c1">##### &lt;Hostname&gt; domU</span>
<span class="c1">#####</span>
<span class="na">vcpus</span> <span class="o">=</span> <span class="s">'1'</span>
<span class="na">memory</span> <span class="o">=</span> <span class="s">'256'</span>
<span class="na">maxmem</span> <span class="o">=</span> <span class="s">'256'</span>
<span class="na">kernel</span> <span class="o">=</span> <span class="s">"/domU_installer/vmlinuz-vanilla"</span>
<span class="na">ramdisk</span> <span class="o">=</span> <span class="s">"/domU_installer/initramfs-vanilla"</span>
<span class="na">extra</span> <span class="o">=</span> <span class="s">"alpine_dev=hdc:iso9660 modules=loop,squashfs,sd-mod,usb-storage console=hvc0"</span>
<span class="na">disk</span> <span class="o">=</span> <span class="s">[</span>
<span class="s"> 'file://domU_installer/alpine-extended-3.8.1-x86_64.iso,hdc:cdrom,r',</span>
<span class="s"> 'phy:&lt;Physical Path to your disk&gt;,xvda1,w', </span>
<span class="s"> ]</span>
<span class="na">name</span> <span class="o">=</span> <span class="s">'&lt;Hostname&gt;'</span>
<span class="c1">## ENSURE THAT THE MAC ADDRESS IS UNIQUE!!!</span>
<span class="na">vif</span> <span class="o">=</span> <span class="s">[ 'mac=&lt;Unique MAC Address&gt;,bridge=br0' ]</span>
<span class="na">on_poweroff</span> <span class="o">=</span> <span class="s">'destroy'</span>
<span class="na">on_reboot</span> <span class="o">=</span> <span class="s">'restart'</span>
<span class="na">on_crash</span> <span class="o">=</span> <span class="s">'restart'</span>
</pre></div>
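<p>As an added example (my own shell functions, not the <code>random_mac.py</code> gist linked above and not part of this guide), the uniqueness rule for the <code>vif</code> line can be enforced rather than remembered: <code>random_xen_mac</code> draws three random octets behind the <code>00:16:3e</code> prefix, <code>mac_in_use</code> greps every existing domU config for that address, and <code>unique_xen_mac</code> combines the two. The directory holding the <code>.cfg</code> files is a parameter; <code>/etc/xen</code> in the usage comment is my assumption, since the guide does not say where the config files are kept.</p>

```shell
#!/bin/sh
# Added example, not from the original guide: generate a MAC in the 00:16:3e
# (Xen OUI) range and refuse one that is already used by another domU config.
# The config directory is a parameter; /etc/xen below is an assumption.

# Print a random MAC address with the 00:16:3e prefix used in the guide.
random_xen_mac() {
    od -An -N3 -tx1 /dev/urandom | awk '{ printf "00:16:3e:%s:%s:%s\n", $1, $2, $3 }'
}

# mac_in_use <mac> <cfgdir>: return 0 if any *.cfg in cfgdir already carries
# this MAC on a vif line (compared case-insensitively), 1 otherwise.
mac_in_use() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    for f in "$2"/*.cfg; do
        [ -f "$f" ] || continue
        # Lower-case the vif lines so 00:16:3E and 00:16:3e compare equal, and
        # require a delimiter after the address so a prefix cannot match.
        if grep -i '^[[:space:]]*vif' "$f" | tr 'A-F' 'a-f' \
            | grep -Eq "mac=$mac([^0-9a-f]|$)"; then
            return 0
        fi
    done
    return 1
}

# unique_xen_mac <cfgdir>: print a fresh MAC not present in any config there.
# Gives up (non-zero) after 16 draws, which only happens if the space is
# essentially full or /dev/urandom is unavailable.
unique_xen_mac() {
    n=0
    while [ "$n" -lt 16 ]; do
        m=$(random_xen_mac)
        if ! mac_in_use "$m" "$1"; then
            printf '%s\n' "$m"
            return 0
        fi
        n=$((n + 1))
    done
    echo "could not find an unused MAC in $1" >&2
    return 1
}

# Usage on the dom0 (assuming the domU configs live in /etc/xen):
#   unique_xen_mac /etc/xen
```

A duplicate MAC on <code>br0</code> shows up as intermittent connectivity for both domUs and confusing bridge forwarding tables, which is hard to diagnose after the fact; checking at config-writing time is far cheaper. The check only sees configs in the given directory, so domUs defined elsewhere (or on another dom0 sharing the same LAN) are not covered.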
<h2 id="domu-running-config">domU running config<a class="headerlink" href="#domu-running-config" title="Permanent link">¶</a></h2>
<p>A slight modification is needed: use the proper kernel, and remove the installation image.</p>
<div class="codehilite"><pre><span></span><span class="c1">#####</span>
<span class="c1">##### &lt;Hostname&gt; domU</span>
<span class="c1">#####</span>
<span class="na">vcpus</span> <span class="o">=</span> <span class="s">'1'</span>
<span class="na">memory</span> <span class="o">=</span> <span class="s">'256'</span>
<span class="na">maxmem</span> <span class="o">=</span> <span class="s">'256'</span>
<span class="na">kernel</span> <span class="o">=</span> <span class="s">"/usr/lib/grub-xen/grub-x86_64-xen.bin"</span>
<span class="na">disk</span> <span class="o">=</span> <span class="s">[</span>
<span class="s"> 'phy:&lt;Physical Path to your disk&gt;,xvda1,w', </span>
<span class="s"> ]</span>
<span class="na">name</span> <span class="o">=</span> <span class="s">'&lt;Hostname&gt;'</span>
<span class="c1">## ENSURE MAC ADDRESS IS UNIQUE!!!</span>
<span class="na">vif</span> <span class="o">=</span> <span class="s">[ 'mac=&lt;Unique MAC Address&gt;,bridge=br0' ]</span>
<span class="na">on_poweroff</span> <span class="o">=</span> <span class="s">'destroy'</span>
<span class="na">on_reboot</span> <span class="o">=</span> <span class="s">'restart'</span>
<span class="na">on_crash</span> <span class="o">=</span> <span class="s">'restart'</span>
</pre></div>
Alpine Linux as a XEN dom0 from a USB stick (EFI boot)2017-09-24T00:00:00+02:002017-09-24T00:00:00+02:00williamtag:community.riocities.com,2017-09-24:/alpine_dom0_efi.html
<h1 id="howto-boot-alpine-xen-dom0-with-efi">Howto boot Alpine Xen dom0 with EFI<a class="headerlink" href="#howto-boot-alpine-xen-dom0-with-efi" title="Permanent link">¶</a></h1>
<p>This guide will create an installation of diskless Alpine with Xen dom0 support, bootable with EFI.</p>
<h2 id="create-efi-bootable-dom0-medium">Create EFI bootable dom0 medium<a class="headerlink" href="#create-efi-bootable-dom0-medium" title="Permanent link">¶</a></h2>
<p><strong>NOTE:</strong> the official Alpine installation medium doesn't support EFI, so create the installed medium by booting it with BIOS/compatibility mode.</p>
<p>This guide assumes <code>alpine-xen-3.6.2-x86_64.iso</code> is used as boot medium, and is booted before continuing.</p>
<h3 id="partition-disk">Partition disk<a class="headerlink" href="#partition-disk" title="Permanent link">¶</a></h3>
<p>Set up internet connectivity and configure to use an Alpine repository mirror:</p>
<div class="codehilite"><pre><span></span>$ ifconfig eth0 up
$ udhcpc eth0
$ setup-apkrepos
$ apk update
</pre></div>
<p>Assumptions:</p>
<ol>
<li>The destination disk is at <code>/dev/sda</code>.</li>
<li>The size of the dom0 disk is 1GiB.</li>
<li>The dom0 disk and EFI ESP is the same partition.</li>
</ol>
<div class="codehilite"><pre><span></span>$ modprobe vfat
$ apk add parted dosfstools
$ parted /dev/sda
<span class="o">(</span>parted<span class="o">)</span> mklabel gpt
<span class="o">(</span>parted<span class="o">)</span> mkpart ESP fat32 1MiB 1GiB
<span class="o">(</span>parted<span class="o">)</span> <span class="nb">set</span> <span class="m">1</span> boot on
<span class="o">(</span>parted<span class="o">)</span> quit
$ mkfs.vfat /dev/sda1
</pre></div>
<h3 id="setup-diskless-alpine">Setup diskless Alpine<a class="headerlink" href="#setup-diskless-alpine" title="Permanent link">¶</a></h3>
<div class="codehilite"><pre><span></span>$ apk add syslinux
$ setup-bootable /dev/cdrom /dev/sda1
</pre></div>
<h3 id="install-efi-bootloader">Install EFI bootloader<a class="headerlink" href="#install-efi-bootloader" title="Permanent link">¶</a></h3>
<p>This uses Gummiboot as bootloader, which is deprecated but the only way with Xen 4.8.
Xen 4.9 supports multiboot2, making it possible to use GRUB2 instead, and avoiding creating the configuration for <code>xen.efi</code>.</p>
<div class="codehilite"><pre><span></span>$ apk add gummiboot
$ mount -t vfat /dev/sda1 /media/sda1
$ mkdir -p /media/sda1/EFI/boot /media/sda1/loader/entries
$ cp /usr/lib/gummiboot/gummibootx64.efi /media/sda1/EFI/boot/bootx64.efi
</pre></div>
<h3 id="configure-gummiboot">Configure gummiboot<a class="headerlink" href="#configure-gummiboot" title="Permanent link">¶</a></h3>
<p>Gummiboot will be configured with two boot options: <code>linux-hardened</code> (without Xen) and <code>xen</code>.</p>
<p><strong>TODO:</strong> The options below could be read from <code>/etc/update-extlinux.conf</code></p>
<p>Create file <code>/media/sda1/loader/entries/linux-hardened.conf</code>:</p>
<div class="codehilite"><pre><span></span><span class="na">linux /boot/vmlinuz-hardened</span>
<span class="na">initrd /boot/initramfs-hardened</span>
<span class="na">options modules</span><span class="o">=</span><span class="s">loop,squashfs,sd-mod,usb-storage quiet nomodeset</span>
</pre></div>
<p>Create file <code>/media/sda1/loader/entries/xen.conf</code>:</p>
<div class="codehilite"><pre><span></span><span class="na">efi /boot/xen.efi</span>
</pre></div>
<p><strong>NOTE:</strong> The first boot will be without Xen, to setup Xen properly first.</p>
<p>Create file <code>/media/sda1/loader/loader.conf</code>:</p>
<div class="codehilite"><pre><span></span><span class="na">default linux-hardened</span>
<span class="na">timeout 5</span>
</pre></div>
<h3 id="reboot-into-uefi">Reboot into UEFI<a class="headerlink" href="#reboot-into-uefi" title="Permanent link">¶</a></h3>
<p>Reboot the machine and make sure it boots via UEFI and not BIOS.</p>
<h2 id="setup-xen-dom0">Setup Xen dom0<a class="headerlink" href="#setup-xen-dom0" title="Permanent link">¶</a></h2>
<p>Refer to the base dom0 guide: <a href="/alpine_dom0.html">alpine_dom0</a></p>
<h3 id="setup-base-system">Setup base system<a class="headerlink" href="#setup-base-system" title="Permanent link">¶</a></h3>
<div class="codehilite"><pre><span></span>$ setup-alpine
$ lbu commit
</pre></div>
<h3 id="install-xen">Install Xen<a class="headerlink" href="#install-xen" title="Permanent link">¶</a></h3>
<div class="codehilite"><pre><span></span>$ apk add xen xen-hypervisor
$ lbu commit
</pre></div>
<h3 id="copy-xen-boot-files">Copy Xen boot files<a class="headerlink" href="#copy-xen-boot-files" title="Permanent link">¶</a></h3>
<p><strong>NOTE:</strong> due to a bug in current Xen APKBUILD, the Xen efi files are stored in <code>/usr/lib64/efi/xen</code>. See PR <a href="https://github.com/alpinelinux/aports/pull/1513">aports#1513</a> for discussion.</p>
<p><strong>NOTE:</strong> since symlinks aren't supported on vfat, this wastes quite some space...</p>
<p><strong>TODO:</strong> this needs to be run upon Xen updates, so should be put in a script and run with <code>update-kernel</code>.</p>
<div class="codehilite"><pre><span></span>$ mount -o remount,rw /media/sda1
$ cp -f /usr/lib64/efi/xen* /media/sda1/boot/
</pre></div>
<h3 id="configure-xen-efi-bootloader">Configure Xen EFI bootloader<a class="headerlink" href="#configure-xen-efi-bootloader" title="Permanent link">¶</a></h3>
<p>The <code>xen.efi</code> is a bootloader itself, which requires a configuration file.
This is easier with Xen 4.9 which has multiboot2 support, but for now it needs to be configured.</p>
<p><em>TODO:</em> kernel options should also be read from <code>/etc/update-extlinux.conf</code> instead.</p>
<p>Create <code>/media/sda1/boot/xen.cfg</code>:</p>
<div class="codehilite"><pre><span></span><span class="k">[global]</span>
<span class="na">default</span><span class="o">=</span><span class="s">XEN-linux-hardened</span>
<span class="k">[XEN-linux-hardened]</span>
<span class="na">options</span><span class="o">=</span><span class="s">dom0_mem=1024M</span>
<span class="na">kernel</span><span class="o">=</span><span class="s">vmlinuz-hardened modules=loop,squashfs,sd-mod,usb-storage quiet nomodeset</span>
<span class="na">ramdisk</span><span class="o">=</span><span class="s">initramfs-hardened</span>
</pre></div>
<h3 id="set-xen-as-default-boot">Set Xen as default boot<a class="headerlink" href="#set-xen-as-default-boot" title="Permanent link">¶</a></h3>
<p>Set Xen as the default Gummiboot target.</p>
<p>In <code>/media/sda1/loader/loader.conf</code>:</p>
<div class="codehilite"><pre><span></span><span class="na">default xen</span>
<span class="na">timeout 5</span>
</pre></div>
<h3 id="reboot-into-xen">Reboot into Xen<a class="headerlink" href="#reboot-into-xen" title="Permanent link">¶</a></h3>
<div class="codehilite"><pre><span></span>$ reboot
</pre></div>
<h2 id="setup-xen-dom0-essentials">Setup Xen dom0 essentials<a class="headerlink" href="#setup-xen-dom0-essentials" title="Permanent link">¶</a></h2>
<p>The system is now like a Xen dom0 system booted with BIOS.</p>
<div class="codehilite"><pre><span></span>$ setup-xen-dom0
$ lbu commit
</pre></div>
Alpine Linux on Solid Run I2EX-300-D2017-06-05T00:00:00+02:002017-06-05T00:00:00+02:00henriktag:community.riocities.com,2017-06-05:/alpine_i2ex.html
<h1 id="what-you-need">What you need<a class="headerlink" href="#what-you-need" title="Permanent link">¶</a></h1>
<ol>
<li>Solid Run I2EX-300-D</li>
<li>MicroSD card</li>
<li>micro-USB to USB cable</li>
<li>Alpine Linux armhf generic arm build (.tgz file)</li>
</ol>
<h1 id="on-your-linux-workstation">On your Linux workstation<a class="headerlink" href="#on-your-linux-workstation" title="Permanent link">¶</a></h1>
<p>Download <a href="https://nl.alpinelinux.org/alpine/v3.6/releases/armhf/alpine-uboot-3.6.1-armhf.tar.gz">alpine-uboot-3.6.1-armhf.tar.gz</a></p>
<p>Connect the MicroSD card to the workstation</p>
<p>Partition the MicroSD card with two partitions: </p>
<div class="codehilite"><pre><span></span> #1 should be of type 0xc, bootable and have a vfat
file system on it (size 250 to 1000MB).
#2 should be of type 0x83 and does not need to have a filesystem
</pre></div>
<p>Create a vfat file system on the first partition, mount it and unpack the Alpine tar.gz in it. (Note: replace
N with the name of the microSD card)</p>
<div class="codehilite"><pre><span></span><span class="c1"># mkfs.vfat /dev/sdN1</span>
<span class="c1"># mount /dev/sdN1 /mnt</span>
<span class="c1"># cd /mnt</span>
<span class="c1"># tar xfz /tmp/alpine-uboot-3.6.1-armhf.tar.gz</span>
</pre></div>
<p>Edit <code>extlinux/extlinux.conf</code> and add <code>console=ttymxc0,115200</code> to the APPEND line, after the change:</p>
<div class="codehilite"><pre><span></span># tail -2 extlinux/extlinux.conf
DEVICETREEDIR /boot/dtbs
APPEND modules=loop,squashfs,sd-mod,usb-storage quiet console=ttymxc0,115200
</pre></div>
<p>Install SPL and u-boot on the microSD card</p>
<div class="codehilite"><pre><span></span># dd if=./u-boot/mx6cuboxi/SPL of=/dev/sdN bs=1k seek=1 status=none
# dd if=./u-boot/mx6cuboxi/u-boot.img of=/dev/sdN bs=1k seek=69 status=none
</pre></div>
<p>Unmount the MicroSD card</p>
<div class="codehilite"><pre><span></span># sync
# cd /
# umount /mnt
</pre></div>
<p>Install minicom and set it up for the Cubox (115200 8n1 and /dev/ttyUSBn)</p>
<h1 id="on-the-cubox">On the Cubox<a class="headerlink" href="#on-the-cubox" title="Permanent link">¶</a></h1>
<ol>
<li>Mount the microSD card in the Cubox (note: upside down)</li>
<li>Connect a microUSB cable to the microUSB port on the Cubox and the other end to your workstation</li>
<li>Connect the power to the Cubox</li>
</ol>
<p>In minicom you will now see</p>
<div class="codehilite"><pre><span></span>U-Boot SPL 2017.01 (Apr 28 2017 - 05:20:21)
Trying to boot from MMC1
U-Boot 2017.01 (Apr 28 2017 - 05:20:21 +0000)
CPU: Freescale i.MX6D rev1.5 996 MHz (running at 792 MHz)
CPU: Extended Commercial temperature grade (-20C to 105C) at 22C
Reset cause: POR
Board: MX6 Cubox-i
DRAM: 1 GiB
MMC: FSL_SDHC: 0
*** Warning - bad CRC, using default environment
No panel detected: default to HDMI
Display: HDMI (1024x768)
In: serial
Out: serial
Err: serial
Net: FEC
Hit any key to stop autoboot: 0
</pre></div>
<p>When the system has booted, log in and use <code>setup-alpine</code> (use <code>mmcblk0p1</code> for the config store).</p>
<p>You can set up <code>/dev/mmcblk0p2</code> for <code>/home</code> or use it for something else of your choice after you are done with <code>setup-alpine</code>.</p>
<p>Disable hw-clock and commit the config:</p>
<div class="codehilite"><pre><span></span># rc-update add swclock boot # enable the software clock
# rc-update del hwclock boot # disable the hardware clock
# lbu commit -d
</pre></div>
<p><strong><em>Note</em></strong> reboot does not work on Cubox, you must power cycle it.</p>
<p>Alpine Linux as a XEN dom0 from a USB stick (published 2016-12-29, updated 2017-04-20, author henrik, tag:community.riocities.com,2016-12-29:/alpine_dom0.html)</p>
<h1 id="preparations">Preparations<a class="headerlink" href="#preparations" title="Permanent link">¶</a></h1>
<p>What you need:</p>
<ul>
<li>1x 16GB SLC USB stick to run the dom0 from</li>
<li>1x 1GB Installer USB stick</li>
<li>1x Laptop or similar to run the setup (initial installation) from</li>
</ul>
<p>Later (when you are ready to deploy)</p>
<ul>
<li>1x Proper server to run the alpine dom0 on (e.g. <a href="hp_microserver_gen8.html">HP MicroServer</a> or similar)</li>
</ul>
<p>Plug the Installer USB stick into your workstation and add the alpine-xen iso to it.</p>
<p>From <code>dmesg</code>:</p>
<div class="codehilite"><pre><span></span>[162562.819054] sd 5:0:0:0: [sdb] 2046240 512-byte logical blocks: (1.04 GB/999 MiB)
[162562.823977] sdb: sdb1
</pre></div>
<p>Put the installation iso on the installer usb-stick</p>
<div class="codehilite"><pre><span></span>$ sudo dd <span class="k">if</span><span class="o">=</span>/tmp/alpine-xen-3.5.2-x86_64.iso <span class="nv">of</span><span class="o">=</span>/dev/sdb
<span class="m">299008</span>+0 records in
<span class="m">299008</span>+0 records out
<span class="m">153092096</span> bytes <span class="o">(</span><span class="m">153</span> MB<span class="o">)</span> copied, <span class="m">56</span>.1059 s, <span class="m">2</span>.7 MB/s
$ sync
</pre></div>
<p>Unplug the usb-stick from the workstation.</p>
<h1 id="installation-on-the-slc-stick">Installation on the SLC stick<a class="headerlink" href="#installation-on-the-slc-stick" title="Permanent link">¶</a></h1>
<p>Boot the laptop from the <strong><em>installer</em></strong> usb-stick.</p>
<p>When booted, connect the 16GB SLC stick as well and then partition it with:</p>
<ol>
<li>Small partition of 1GB for booting the dom0</li>
<li>LVM partition that will be holding supporting domUs </li>
</ol>
<p>By supporting domUs I mean the network driver domain and the storage driver domain. The storage driver domain, for instance, uses storage attached to a PCIe card passed through to it (PCI export), or alternatively brings in storage via iSCSI from a remote iSCSI target.</p>
<p>Partition table for the SLC USB device:</p>
<div class="codehilite"><pre><span></span><span class="na">Disk /dev/sdf: 15.9 GB, 15977152512 bytes</span>
<span class="na">64 heads, 32 sectors/track, 15237 cylinders</span>
<span class="na">Units</span> <span class="o">=</span> <span class="s">cylinders of 2048 * 512 = 1048576 bytes</span>
<span class="na">Device Boot Start End Blocks Id System</span>
<span class="na">/dev/sdf1 * 1 955 977904 c Win95 FAT32 (LBA)</span>
<span class="na">/dev/sdf2 956 15237 14624768 8e Linux LVM</span>
</pre></div>
<p><strong><em>Note:</em></strong> you might need to unplug/replug the stick after partitioning it.</p>
<p>Run <code>apk add syslinux</code> to install syslinux package</p>
<p>Run <code>modprobe vfat</code> to load the vfat kernel module</p>
<p>Create a file system on the bootable vfat partition</p>
<div class="codehilite"><pre><span></span><span class="c1"># mkfs.vfat /dev/sdf1</span>
</pre></div>
<p>Run the <code>setup-bootable</code> script to add Alpine Linux to the USB stick and make it bootable (replacing <code>sdf</code> with your USB stick name):</p>
<p><strong><em>Note</em></strong> <code>/media/sdb</code> could be a different mountpoint (e.g. <code>/media/usb</code>); check the output of <code>df</code> before running <code>setup-bootable</code>.</p>
<div class="codehilite"><pre><span></span><span class="c1"># setup-bootable /media/sdb /dev/sdf1</span>
</pre></div>
<p>Now you can reboot the laptop from the 16GB SLC stick (unplug the Installer USB stick).</p>
<h1 id="basic-alpine-host-setup">Basic alpine host setup<a class="headerlink" href="#basic-alpine-host-setup" title="Permanent link">¶</a></h1>
<p>After reboot, log in on the console again.</p>
<p><strong><em>Note:</em></strong> you must set up working networking with Internet access in <code>setup-alpine</code>.</p>
<p>Basic dom0/host setup</p>
<div class="codehilite"><pre><span></span><span class="c1"># apk add syslinux bridge</span>
<span class="c1"># setup-alpine</span>
</pre></div>
<p>Choose to bridge eth0 if any domUs will share eth0 with dom0, and name the bridge <code>br_eth0</code>.</p>
<div class="codehilite"><pre><span></span> Which disk(s) would you like to use: none
Enter where to store configs: usb
Enter apk cache directory: /media/usb/cache
</pre></div>
<p>Save changes to the USB drive</p>
<div class="codehilite"><pre><span></span>dom0:~# lbu commit
</pre></div>
<h1 id="xen-dom0-setup">XEN dom0 setup<a class="headerlink" href="#xen-dom0-setup" title="Permanent link">¶</a></h1>
<div class="codehilite"><pre><span></span>dom0:~# setup-xen-dom0
dom0:~# lbu commit
</pre></div>
<p>Set up LVM (before continuing, check the <code>df</code> output to see what device name the stick has)</p>
<div class="codehilite"><pre><span></span>dom0:~# apk add lvm2
dom0:~# rc-update add lvm
dom0:~# pvcreate /dev/sdb2
Physical volume <span class="s2">"/dev/sdb2"</span> successfully created.
dom0:~# vgcreate vg_domU /dev/sdb2
Volume group <span class="s2">"vg_domU"</span> successfully created
dom0:~# lbu commit
</pre></div>
<p>Install pv-grub2 from edge/testing</p>
<div class="codehilite"><pre><span></span>dom0:~# <span class="nb">echo</span> <span class="s2">"@edge http://nl.alpinelinux.org/alpine/edge/testing"</span> >> /etc/apk/repositories
dom0:~# apk add grub-xenhost@edge --update-cache
</pre></div>
<h1 id="domu-installation">domU installation<a class="headerlink" href="#domu-installation" title="Permanent link">¶</a></h1>
<p>Now follow <a href="alpine_domU.html">Alpine Linux as a XEN domU</a> to set up a network driver domain called fw. Store <code>alpine-extended-3.4.4-x86_64.iso</code> in <code>/media/usb</code>; you can reuse <code>/media/usb/boot/vmlinuz-grsec</code> and <code>/media/usb/boot/initramfs-grsec</code> from the dom0 to boot the domU installer.</p>
<p>Example directory for alpine-extended-3.4.4-x86_64.iso:</p>
<div class="codehilite"><pre><span></span>dom0:~# mkdir /media/usb/domu_installer
</pre></div>
<p>Example /etc/xen/fw.cfg</p>
<div class="codehilite"><pre><span></span><span class="c1"># fw domU</span>
<span class="na">vcpus</span> <span class="o">=</span> <span class="s">'1'</span>
<span class="na">memory</span> <span class="o">=</span> <span class="s">'128'</span>
<span class="na">kernel</span> <span class="o">=</span> <span class="s">"/media/usb/boot/vmlinuz-grsec"</span>
<span class="na">ramdisk</span> <span class="o">=</span> <span class="s">"/media/usb/boot/initramfs-grsec"</span>
<span class="na">extra</span><span class="o">=</span><span class="s">"alpine_dev=hdc:iso9660 modules=loop,squashfs,sd-mod,usb-storage console=hvc0"</span>
<span class="na">disk</span> <span class="o">=</span> <span class="s">[</span>
<span class="s"> 'file://media/usb/domu_installer/alpine-extended-3.4.4-x86_64.iso,hdc:cdrom,r',</span>
<span class="s"> 'phy:/dev/vg_domU/fw-disk,xvda1,w',</span>
<span class="s"> ]</span>
<span class="na">name</span> <span class="o">=</span> <span class="s">'fw'</span>
<span class="na">vif</span> <span class="o">=</span> <span class="s">[ 'mac=00:16:3E:AA:BB:CC,bridge=br_eth0' ]</span>
<span class="na">on_poweroff</span> <span class="o">=</span> <span class="s">'destroy'</span>
<span class="na">on_reboot</span> <span class="o">=</span> <span class="s">'restart'</span>
<span class="na">on_crash</span> <span class="o">=</span> <span class="s">'restart'</span>
</pre></div>
<p>Example creation of storage for the new domU</p>
<div class="codehilite"><pre><span></span>dom0:~# lvcreate -n fw-disk -L 512M vg_domU
Logical volume <span class="s2">"fw-disk"</span> created.
dom0:~# apk add e2fsprogs
dom0:~# mkfs.ext4 /dev/vg_domU/fw-disk
dom0:~# xl create /etc/xen/fw.cfg -c
</pre></div>
<p>Do the rest of the steps as described in <a href="alpine_domU.html">Alpine Linux as a XEN domU</a>, but
make sure to install the <code>iptables</code> and <code>bridge</code> packages as well.</p>
<p>Make the fw domU start at boot</p>
<div class="codehilite"><pre><span></span>dom0:~# <span class="nb">cd</span> /etc/xen/auto
dom0:/etc/xen/auto# ln -s ../fw.cfg <span class="m">00</span>-fw.cfg
dom0:/etc/xen/auto# rc-update add xendomains
dom0:/etc/xen/auto# lbu commit
</pre></div>
<h1 id="xen-dom0-mem-optional">XEN dom0 mem (optional)<a class="headerlink" href="#xen-dom0-mem-optional" title="Permanent link">¶</a></h1>
<p>When the dom0 boots from the SLC USB stick the bootloader is syslinux, hence dom0_mem should be configured in syslinux.cfg.</p>
<p>Before editing make the usb stick writeable</p>
<div class="codehilite"><pre><span></span>dom0:~# mount /media/usb -o remount,rw
</pre></div>
<p>Edit <code>/media/usb/boot/syslinux/syslinux.cfg</code> and add <code>dom0_mem=1024M</code>. A lower value will not work as the dom0 is running on a RAM disk.</p>
<p>Example after editing</p>
<div class="codehilite"><pre><span></span><span class="na">TIMEOUT 20</span>
<span class="na">PROMPT 1</span>
<span class="na">DEFAULT grsec</span>
<span class="na">LABEL grsec</span>
<span class="na">MENU LABEL Xen/Linux grsec</span>
<span class="na">KERNEL /boot/syslinux/mboot.c32</span>
<span class="na">APPEND /boot/xen.gz dom0_mem</span><span class="o">=</span><span class="s">1024M --- /boot/vmlinuz-grsec modules=loop,squashfs,sd-mod,usb-storage quiet nomodeset --- /boot/initramfs-grsec</span>
</pre></div>
<p>After editing make the usb stick readonly</p>
<div class="codehilite"><pre><span></span>dom0:~# mount /media/usb -o remount,ro
</pre></div>
<p><strong>Note:</strong> 1024M will not be enough to upgrade the kernel with the <code>update-kernel</code> command.</p>
<h1 id="dom0-kernel-update">dom0 kernel update<a class="headerlink" href="#dom0-kernel-update" title="Permanent link">¶</a></h1>
<p>You can update the kernel by putting <code><hostname>.apkovl.tar.gz</code> on a freshly installed USB stick or with the <code>update-kernel</code>
command. However, using <code>update-kernel</code> requires more dom0_mem; I use 1536M.</p>
<p>About 700MB of free space on / is needed for <code>update-kernel</code> to complete.</p>
<p>Example with too little free space:</p>
<div class="codehilite"><pre><span></span>dom0:~# df -h /
Filesystem Size Used Available Use% Mounted on
tmpfs <span class="m">616</span>.8M <span class="m">205</span>.4M <span class="m">411</span>.4M <span class="m">33</span>% /
</pre></div>
<p>Check free RAM</p>
<div class="codehilite"><pre><span></span>dom0:~# free -m
total used free shared buffers cached
Mem: <span class="m">1285</span> <span class="m">464</span> <span class="m">821</span> <span class="m">205</span> <span class="m">2</span> <span class="m">293</span>
-/+ buffers/cache: <span class="m">168</span> <span class="m">1117</span>
Swap: <span class="m">0</span> <span class="m">0</span> <span class="m">0</span>
</pre></div>
<p>Add more RAM to tmpfs mounted on /</p>
<div class="codehilite"><pre><span></span>dom0:~# mount -o remount,size<span class="o">=</span>900M /
dom0:~# df -h /
Filesystem Size Used Available Use% Mounted on
tmpfs <span class="m">900</span>.0M <span class="m">205</span>.1M <span class="m">694</span>.9M <span class="m">23</span>% /
</pre></div>
<p>Now <code>update-kernel</code> can be used.</p>
<div class="codehilite"><pre><span></span>dom0:~# mount -o remount,rw /media/usb
dom0:~# update-kernel
dom0:~# mount -o remount,ro /media/usb
</pre></div>
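<p>The three checks above (free space on the tmpfs root, free RAM, and the remount size) are easy to automate before touching <code>/media/usb</code>. The following is an added example, not from the original article: its parsing functions take the text of <code>df -Pk /</code> and <code>/proc/meminfo</code> as arguments so they can be exercised on captured output, and the sample numbers are constructed to match the situation shown above. The 700MB figure is the article's; comparing the growth against <code>MemAvailable</code> is an added safety margin, on the assumption that a tmpfs can only be grown into RAM the dom0 actually has.</p>

```bash
#!/bin/sh
# Added example (not from the original article): preflight check before
# running update-kernel on a dom0 whose / is a tmpfs. The parsing functions
# take the text of "df -Pk /" and /proc/meminfo as arguments, so they can be
# exercised on captured output; the 700 MB figure is the article's, the
# MemAvailable comparison is an added safety margin (assumption: tmpfs growth
# is backed by RAM the dom0 must actually have, see the dom0_mem note above).

NEEDED_MB=700

# df_field <df -Pk output> <column>: numeric column of the last line
# (2=size, 3=used, 4=available), in kB
df_field() {
    printf '%s\n' "$1" | awk -v col="$2" 'NR > 1 { v = $col } END { print v + 0 }'
}

# mem_available_mb <meminfo text>: MemAvailable in MB, 0 if the field is missing
mem_available_mb() {
    printf '%s\n' "$1" | awk '$1 == "MemAvailable:" { v = $2 } END { print int((v + 0) / 1024) }'
}

# plan_tmpfs_remount <df output> <meminfo text> [needed_mb]
# Prints "ok <avail_mb>" when enough is free, or "remount <size_mb>" with the
# tmpfs size that leaves needed_mb free; returns 1 if RAM cannot back that size.
plan_tmpfs_remount() {
    need=${3:-$NEEDED_MB}
    used_mb=$(( $(df_field "$1" 3) / 1024 ))
    avail_mb=$(( $(df_field "$1" 4) / 1024 ))
    if [ "$avail_mb" -ge "$need" ]; then
        echo "ok $avail_mb"
        return 0
    fi
    grow_mb=$(( need - avail_mb ))            # extra RAM the larger tmpfs may consume
    mem_mb=$(mem_available_mb "$2")
    if [ "$grow_mb" -gt "$mem_mb" ]; then
        echo "growing / by ${grow_mb}M exceeds MemAvailable ${mem_mb}M; raise dom0_mem first" >&2
        return 1
    fi
    echo "remount $(( used_mb + need ))"
}

# Live wrapper for a dom0: prints the mount command to run, never runs it.
suggest_remount() {
    plan_tmpfs_remount "$(df -Pk /)" "$(cat /proc/meminfo)" "$@" |
        awk '$1 == "remount" { printf "mount -o remount,size=%dM /\n", $2 }
             $1 == "ok"      { print "enough free space on /: " $2 "M" }'
}
```

<p>On the dom0, <code>suggest_remount</code> prints either the exact <code>mount -o remount,size=…M /</code> line to run or a message that there is already enough room; when the growth would exceed <code>MemAvailable</code> it exits non-zero so a wrapper script stops before <code>update-kernel</code> fills the root file system halfway through.</p>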
<p>Now you can reboot the dom0 to the updated kernel.</p>
<p>apt-dater-host for Alpine (published 2016-07-10, updated 2017-02-17, author henrik, tag:community.riocities.com,2016-07-10:/alpine_apt_dater.html)</p>
<p>I use <a href="https://www.ibh.de/apt-dater/">apt-dater</a> to manage updates to numerous
XEN domUs; after starting to use Alpine Linux I needed to implement apt-dater-host
support for Alpine Linux.</p>
<p>Normally <a href="https://github.com/DE-IBH/apt-dater-host">apt-dater host support</a>
is implemented in Perl, but as that is not present in a base Alpine install,
this implementation of <a href="https://raw.githubusercontent.com/DE-IBH/apt-dater-host/master/doc/ADP-0.6">ADP-0.6</a>
was done in ash, sed and awk provided by Busybox.</p>
<p>Link to code on GitHub: <a href="https://github.com/DE-IBH/apt-dater-host/tree/master/apk">apt-dater-host apk support</a> (merged upstream).</p>
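<p>To show what the ash/sed/awk approach has to deal with, here is an added example that is not the upstream apt-dater-host apk code linked above: a Busybox-compatible awk filter that turns <code>apk version</code> comparison lines into ADP <code>STATUS:</code> lines. The awkward part is splitting <code>name-ver-rN</code>, because Alpine package names may themselves contain dashes (<code>alpine-base</code>, <code>linux-grsec</code>) while the version is always the last two dash-separated fields. Both the input lines (constructed) and the exact <code>STATUS:</code> field layout are assumptions; check the latter against the linked ADP-0.6 description before relying on it.</p>

```bash
#!/bin/sh
# Added example (not the upstream apt-dater-host apk code): turn "apk version"
# comparison lines into ADP STATUS lines using only Busybox awk. The awkward
# part is splitting "name-ver-rN", since Alpine package names may themselves
# contain dashes; the version is always the last two dash-separated fields.
# Assumed input format (one package per line, header skipped):
#   Installed:                                Available:
#   alpine-base-3.4.0-r0                     < 3.4.1-r0
# Assumed output format, from the ADP-0.6 description:
#   STATUS: <pkg>|<installed version>|<flag>[=<available version>]
apk_to_adp() {
    awk '
        NF != 3 { next }                     # header line and blanks
        {
            n = split($1, f, "-")
            if (n < 3) next                  # need at least name, version and release
            ver  = f[n-1] "-" f[n]
            name = f[1]
            for (i = 2; i <= n - 2; i++) name = name "-" f[i]
            if ($2 == "<")      printf "STATUS: %s|%s|u=%s\n", name, ver, $3   # update available
            else if ($2 == "=") printf "STATUS: %s|%s|i\n", name, ver          # installed, current
            else if ($2 == ">") printf "STATUS: %s|%s|i\n", name, ver          # newer than repository
        }'
}

# Live use on an Alpine host (needs a current apk index, i.e. apk update first)
report_status() {
    apk version 2>/dev/null | apk_to_adp
}
```

<p>Piping a real <code>apk version</code> listing through <code>apk_to_adp</code> yields one <code>STATUS:</code> line per package, and the <code>u=</code> entries are the ones apt-dater shows as <code>u: pkgname</code> in the output below.</p>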
<p>Example output when running apt-dater against an Alpine host with pending updates:</p>
<div class="codehilite"><pre><span></span>v <span class="o">[</span>-<span class="o">]</span> <span class="m">192</span>.168.3.8 <span class="o">(</span>alpine <span class="m">3</span>.4.0 <span class="p">;</span> <span class="m">4</span>.4.11-0-grsec<span class="o">)</span>
u: alpine-base
u: alpine-baselayout
u: alpine-conf
u: blkid
u: busybox
u: busybox-initscripts
u: busybox-suid
u: curl
u: expat
u: libblkid
u: libcrypto1.0
u: libssl1.0
u: libuuid
u: linux-grsec
u: mkinitfs
u: musl
u: musl-utils
</pre></div>
<p>FiiO E10K (OLYMPUS 2-E10K) (published 2016-05-21, author henrik, tag:community.riocities.com,2016-05-21:/FiiOE10K.html)</p>
<p><a href="http://fiio.net/en/products/27">FiiO E10K</a> is a
small and nice USB DAC (96KHz/24Bit) + headphone amp I bought to replace my aging <a href="/FiiO.html">E10</a>.</p>
<p><a href="http://fiio.me/forum.php?mod=viewthread&tid=40362&extra=">E10 vs E10K</a> compared by FiiO.</p>
<p>Tested and found to be working fine with:</p>
<ol>
<li>Debian 8 (Jessie)</li>
<li>Ubuntu 14.04</li>
</ol>
<p>Also Note: The general recommendation for a USB DAC is to set the master volume to 0 dBFS (<a href="http://benchmarkmedia.com/blogs/wiki/14949169-computer-audio-playback-setup-guide">100%</a>)
in order to get the full 16 or 24 bit digital resolution (i.e. accurate bit stream).</p>
<p>From <code>dmesg</code></p>
<div class="codehilite"><pre><span></span>usb 2-1.1.4: new full-speed USB device number 10 using xhci_hcd
usb 2-1.1.4: New USB device found, idVendor=1852, idProduct=7022
usb 2-1.1.4: New USB device strings: Mfr=1, Product=2, SerialNumber=0
usb 2-1.1.4: Product: DigiHug USB Audio
usb 2-1.1.4: Manufacturer: FiiO
input: FiiO DigiHug USB Audio as /devices/pci0000:00/0000:00:14.0/usb2/2-1/2-1.1/2-1.1.4/2-1.1.4:1.0/0003:1852:7022.0004/input/input14
hid-generic 0003:1852:7022.0004: input,hidraw3: USB HID v1.00 Device [FiiO DigiHug USB Audio] on usb-0000:00:14.0-1.1.4/input0
usbcore: registered new interface driver snd-usb-audio
</pre></div>
<p><code>lsusb</code></p>
<div class="codehilite"><pre><span></span>$ lsusb <span class="p">|</span> fgrep <span class="m">1852</span>:7022
Bus <span class="m">002</span> Device <span class="m">010</span>: ID <span class="m">1852</span>:7022 GYROCOM C<span class="p">&</span>C Co., LTD
</pre></div>
<p>Alpine Linux as a XEN domU (published 2016-04-29, updated 2016-09-28, author henrik, tag:community.riocities.com,2016-04-29:/alpine_domU.html)</p>
<p>Guide for how to install Alpine Linux as a domU (tested on a Debian Jessie dom0).</p>
<p>The iso <code>alpine-extended-3.4.4-x86_64.iso</code> is used, as it makes it possible to
complete a full Alpine Linux installation without networking in the domU.</p>
<h2 id="preparations-in-dom0">Preparations in dom0<a class="headerlink" href="#preparations-in-dom0" title="Permanent link">¶</a></h2>
<ol>
<li>
<p>Set up storage as <code>/dev/<lvm_vg>/<domU-name>-disk</code> and create an ext4 file system on it (in the examples below the VG is called <code>vg_raid1</code>).</p>
</li>
<li>
<p><strong>Optional:</strong> if you need swap, create <code>/dev/<lvm_vg>/<domU-name>-swap</code> and add it to the domU config as xvda2.</p>
</li>
<li>
<p>Extract <code>vmlinuz-grsec</code> and <code>initramfs-grsec</code> from <code>alpine-extended-3.4.4-x86_64.iso</code> and store them in <code>/home/<user>/</code>.</p>
</li>
<li>
<p>Set up a basic domU configuration for installation from the iso.</p>
</li>
</ol>
<div class="codehilite"><pre><span></span><span class="c1"># basic config for alpine linux installation</span>
<span class="na">vcpus</span> <span class="o">=</span> <span class="s">'1'</span>
<span class="na">memory</span> <span class="o">=</span> <span class="s">'128'</span>
<span class="na">kernel</span> <span class="o">=</span> <span class="s">"/home/<user>/vmlinuz-grsec"</span>
<span class="na">ramdisk</span> <span class="o">=</span> <span class="s">"/home/<user>/initramfs-grsec"</span>
<span class="na">extra</span><span class="o">=</span><span class="s">"alpine_dev=hdc:iso9660 modules=loop,squashfs,sd-mod,usb-storage console=hvc0"</span>
<span class="na">disk</span> <span class="o">=</span> <span class="s">[</span>
<span class="s"> 'file://home/<user>/alpine-extended-3.4.4-x86_64.iso,hdc:cdrom,r',</span>
<span class="s"> 'phy:/dev/vg_raid1/<domU-name>-disk,xvda1,w',</span>
<span class="s"> ]</span>
<span class="na">name</span> <span class="o">=</span> <span class="s">'<domU-name>'</span>
<span class="na">vif</span> <span class="o">=</span> <span class="s">[ 'mac=00:16:3E:AA:BB:CC,bridge=br_<domU>' ]</span>
<span class="na">on_poweroff</span> <span class="o">=</span> <span class="s">'destroy'</span>
<span class="na">on_reboot</span> <span class="o">=</span> <span class="s">'restart'</span>
<span class="na">on_crash</span> <span class="o">=</span> <span class="s">'restart'</span>
</pre></div>
<p>Now we can start the alpine domU and run the installer.</p>
<div class="codehilite"><pre><span></span>dom0# xl create /etc/xen/<domU-name>.cfg -c
</pre></div>
<h2 id="steps-in-the-installer-domu">Steps in the installer domU<a class="headerlink" href="#steps-in-the-installer-domu" title="Permanent link">¶</a></h2>
<p>Install e2fsprogs and mount the partition that was setup before in the dom0.</p>
<div class="codehilite"><pre><span></span>domU# apk add e2fsprogs
domU# mount /dev/xvda1 /mnt
</pre></div>
<p>Run <code>setup-alpine</code> (answer <code>none</code> for the last options, as shown)</p>
<div class="codehilite"><pre><span></span>domU# setup-alpine
...
Enter where to store configs <span class="o">(</span><span class="s1">'floppy'</span>, <span class="s1">'usb'</span>, <span class="s1">'xvdc1'</span> or <span class="s1">'none'</span><span class="o">)</span> <span class="o">[</span>xvdc1<span class="o">]</span>: none
Enter apk cache directory <span class="o">(</span>or <span class="s1">'?'</span> or <span class="s1">'none'</span><span class="o">)</span> <span class="o">[</span>/var/cache/apk<span class="o">]</span>: none
</pre></div>
<p>On some test runs <code>/etc/apk/world</code> got a strange entry <code>.setup-apkrepos</code>; make
sure it is not there, and if it is, remove that line before continuing with the next step.</p>
<p>Install alpine linux to the mounted partition.</p>
<div class="codehilite"><pre><span></span>domU# setup-disk /mnt
</pre></div>
<p><strong>Optional:</strong> set up swap on /dev/xvda2 according to the <a href="https://wiki.alpinelinux.org/wiki/Setting_up_disks_manually#Setting_up_swap">Setting_up_swap</a> instructions on the Alpine wiki.</p>
<p>Set up a basic grub configuration for pvgrub</p>
<div class="codehilite"><pre><span></span>domU# mkdir /mnt/boot/grub
domU# vi /mnt/boot/grub/grub.cfg
</pre></div>
<div class="codehilite"><pre><span></span><span class="na">set timeout</span><span class="o">=</span><span class="s">2</span>
<span class="na">set default</span><span class="o">=</span><span class="s">0</span>
<span class="na">menuentry "alpine" {</span>
<span class="na">linux /boot/vmlinuz-grsec modules</span><span class="o">=</span><span class="s">ext4 console=hvc0 root=/dev/xvda1 </span>
<span class="s"> initrd /boot/initramfs-grsec</span>
<span class="na">}</span>
</pre></div>
<p>Now the installation is done so we can halt the installer.</p>
<div class="codehilite"><pre><span></span>domU# halt
</pre></div>
<h2 id="dom0-prepare-for-first-boot">dom0: prepare for first boot<a class="headerlink" href="#dom0-prepare-for-first-boot" title="Permanent link">¶</a></h2>
<p>Change domU configuration to use pvgrub</p>
<div class="codehilite"><pre><span></span><span class="na">vcpus</span> <span class="o">=</span> <span class="s">'1'</span>
<span class="na">memory</span> <span class="o">=</span> <span class="s">'128'</span>
<span class="na">kernel</span> <span class="o">=</span> <span class="s">'/usr/lib/grub-xen/grub-x86_64-xen.bin'</span>
<span class="na">disk</span> <span class="o">=</span> <span class="s">[</span>
<span class="s"> 'phy:/dev/vg_raid1/<domU name>-disk,xvda1,w',</span>
<span class="s"> ]</span>
<span class="na">name</span> <span class="o">=</span> <span class="s">'<domU name>'</span>
<span class="na">vif</span> <span class="o">=</span> <span class="s">[ 'mac=00:16:3E:AA:BB:CC,bridge=br_<domU>' ]</span>
<span class="na">on_poweroff</span> <span class="o">=</span> <span class="s">'destroy'</span>
<span class="na">on_reboot</span> <span class="o">=</span> <span class="s">'restart'</span>
<span class="na">on_crash</span> <span class="o">=</span> <span class="s">'restart'</span>
</pre></div>
<p>Boot Alpine with pvgrub</p>
<div class="codehilite"><pre><span></span>dom0# xl create /etc/xen/<domU-name>.cfg -c
</pre></div>
<p>Grub should show up and boot into your new alpine linux domU.</p>
<p>Fedora as Xen domU with pv-grub (published 2015-12-02, author william, tag:community.riocities.com,2015-12-02:/fedora_xen_domu.html)</p>
<h1 id="intro">Intro<a class="headerlink" href="#intro" title="Permanent link">¶</a></h1>
<p>This is a HOWTO on how to install Fedora 23 Server as a Xen PV domU under a
Debian Jessie dom0, using pv-grub for booting the guest. Using pv-grub makes it
possible to easily avoid HVM domains and use storage domains, since that's not
possible for pygrub.</p>
<h1 id="download-installer-image">Download installer image<a class="headerlink" href="#download-installer-image" title="Permanent link">¶</a></h1>
<p>We're using the pxeboot images from Fedora 23. Download the kernel and
initramfs:</p>
<div class="codehilite"><pre><span></span>dom0$ <span class="nb">cd</span> /mnt/isos/Linux/Fedora/23/
dom0$ wget https://dl.fedoraproject.org/pub/fedora/linux/releases/23/Server/x86_64/os/images/pxeboot/initrd.img
dom0$ wget https://dl.fedoraproject.org/pub/fedora/linux/releases/23/Server/x86_64/os/images/pxeboot/vmlinuz
</pre></div>
<h1 id="configure-xen-domu-for-installation">Configure Xen domU for installation<a class="headerlink" href="#configure-xen-domu-for-installation" title="Permanent link">¶</a></h1>
<p>Create a basic domU configuration file for the domain. This is my
<code>/etc/xen/fed23lab</code>:</p>
<div class="codehilite"><pre><span></span><span class="na">kernel</span> <span class="o">=</span> <span class="s">'/mnt/isos/Linux/Fedora/23/vmlinuz'</span>
<span class="na">ramdisk</span> <span class="o">=</span> <span class="s">'/mnt/isos/Linux/Fedora/23/initrd.img'</span>
<span class="na">extra</span> <span class="o">=</span> <span class="s">'inst.stage2=http://download.fedoraproject.org/pub/fedora/linux/releases/23/Server/x86_64/os/ ip=dhcp'</span>
<span class="na">name</span> <span class="o">=</span> <span class="s">"fed23lab"</span>
<span class="na">memory</span> <span class="o">=</span> <span class="s">1024</span>
<span class="na">vcpus</span> <span class="o">=</span> <span class="s">1</span>
<span class="na">vif</span> <span class="o">=</span> <span class="s">['mac=00:16:3E:xx:xx:xx, bridge=xenbrX']</span>
<span class="na">disk</span> <span class="o">=</span> <span class="s">['/dev/zvol/storage/it/vms/fed23lab/disk0,raw,xvda,rw,backend=nas01']</span>
</pre></div>
<p>Note that I needed more than 512 MB RAM for the installer to boot up properly.
The <code>extra</code> field contains information for the installer on where to download
the packages from, what networking settings and so on. An example that uses
static IPv4 address instead of DHCP:</p>
<div class="codehilite"><pre><span></span><span class="na">extra</span> <span class="o">=</span> <span class="s">'inst.stage2=http://download.fedoraproject.org/pub/fedora/linux/releases/23/Server/x86_64/os/ ip=10.3.3.5::10.3.3.1:255.255.255.0:fed23lab:eth0:off nameserver=10.3.3.1'</span>
</pre></div>
<p>The <code>off</code> value in the last fields means that the DHCP client should be
disabled.</p>
<p>More information about IP settings can be found in the <a href="http://man7.org/linux/man-pages/man7/dracut.cmdline.7.html"><code>dracut.cmdline(7)</code> man
page</a>, and about
the installer fields in section 10.4 in <a href="https://docs.fedoraproject.org/en-US/Fedora/23/html/Installation_Guide/pxe-bootloader.html">Fedora Installation
Guide</a>.</p>
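<p>Because the <code>ip=</code> argument is positional, a wrong number of colons silently shifts every field, and with <code>off</code> in the last field there is no DHCP fallback to hide the mistake. The following is an added example, not part of the original article: a small POSIX shell parser that splits the argument into named fields, using the order from <code>dracut.cmdline(7)</code> (client IP, peer, gateway, netmask, hostname, interface, autoconf) and accepting the short <code>ip=dhcp</code> and <code>ip=&lt;interface&gt;:dhcp</code> forms, and that refuses a static entry that lacks an address, gateway or netmask. The sample argument is the one from the article; the <code>field</code> helper is mine.</p>

```bash
#!/bin/sh
# Added example (not from the original article): split a dracut ip= kernel
# argument into named fields and sanity-check a static configuration before
# the installer domU is created. Field order follows dracut.cmdline(7):
#   ip=<client-IP>:<peer>:<gateway>:<netmask>:<hostname>:<interface>:<autoconf>
# plus the short forms ip=<autoconf> and ip=<interface>:<autoconf>.
parse_dracut_ip() {
    spec=${1#ip=}                              # accept with or without the ip= prefix
    case $spec in
        *:*) ;;
        *)   printf 'iface=\nautoconf=%s\n' "$spec"; return 0 ;;
    esac
    old_ifs=$IFS
    IFS=: ; set -f                             # split on ":" only, no globbing of fields
    set -- $spec
    set +f ; IFS=$old_ifs
    if [ $# -eq 2 ]; then
        printf 'iface=%s\nautoconf=%s\n' "$1" "$2"
        return 0
    fi
    if [ $# -lt 7 ]; then
        echo "error: expected 7 colon-separated fields, got $#" >&2
        return 1
    fi
    printf 'client=%s\npeer=%s\ngateway=%s\nnetmask=%s\nhostname=%s\niface=%s\nautoconf=%s\n' \
        "$1" "$2" "$3" "$4" "$5" "$6" "$7"
    # With autoconf off/none the installer uses only what is given here, so a
    # static entry without address, gateway or netmask cannot reach inst.stage2.
    case $7 in
        off|none)
            if [ -z "$1" ] || [ -z "$3" ] || [ -z "$4" ]; then
                echo "error: static configuration needs client IP, gateway and netmask" >&2
                return 1
            fi ;;
    esac
    return 0
}

# field <name> <parsed output>: pick one value out of parse_dracut_ip output
field() {
    printf '%s\n' "$2" | sed -n "s/^$1=//p"
}
```

<p>Running <code>parse_dracut_ip 'ip=10.3.3.5::10.3.3.1:255.255.255.0:fed23lab:eth0:off'</code> prints one <code>name=value</code> line per field, with an empty <code>peer=</code> for the unused second slot; a check like this belongs in whatever generates the domU configuration, since a malformed static <code>ip=</code> only shows up as an installer that hangs trying to fetch <code>inst.stage2</code>.</p>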
<h1 id="install-fedora-23">Install Fedora 23<a class="headerlink" href="#install-fedora-23" title="Permanent link">¶</a></h1>
<p>Create the domain and let the installer download some components. You will then
be presented with a text-based installer in a tmux session.</p>
<div class="codehilite"><pre><span></span>$ xl create -c /etc/xen/fed23lab
...
X was unable to start on your machine. Would you like to start VNC to connect t
o this computer from another computer and perform a graphical installation or co
ntinue with a text mode installation?
<span class="m">1</span><span class="o">)</span> Start VNC
<span class="m">2</span><span class="o">)</span> Use text mode
</pre></div>
<p>Using text mode is fine, but advanced partitioning is only available in the
graphical installer. However, using the installer through VNC works very well.</p>
<p>Finish the installation but avoid letting the domain reboot. I chose the
minimal installation to avoid a lot of, in my opinion, unnecessary packages.
The next sections of this guide also assume that you have a separate partition
for <code>/boot</code>, as the installer creates by default.</p>
<h1 id="preparing-for-pv-grub">Preparing for pv-grub<a class="headerlink" href="#preparing-for-pv-grub" title="Permanent link">¶</a></h1>
<p>The same guide can be followed as in the <a href="http://community.riocities.com/pvgrub_separate_boot.html">pvgrub workaround for separate
/boot</a> article,
before booting the guest up the first time with pv-grub.</p>
<p>The required symbolic link to <code>grub.cfg</code> can be created before rebooting the
guest after installation, e.g. to avoid bringing in the disk from your storage
domain to dom0. Instead of pressing the Reboot button, switch to the shell tmux
pane (number two) and create the link:</p>
<div class="codehilite"><pre><span></span><span class="o">[</span>anaconda root@fed23lab ~<span class="o">]</span><span class="c1"># cd /mnt/sysimage/boot/</span>
<span class="o">[</span>anaconda root@fed23lab boot<span class="o">]</span><span class="c1"># mkdir grub</span>
<span class="o">[</span>anaconda root@fed23lab boot<span class="o">]</span><span class="c1"># cd grub</span>
<span class="o">[</span>anaconda root@fed23lab grub<span class="o">]</span><span class="c1"># ln -s /grub2/grub.cfg grub.cfg</span>
</pre></div>
<p>The pv-grub on Debian Jessie is not aware of the <code>linux16</code> and <code>initrd16</code>
commands that Fedora uses, so make sure you temporarily replace that in the
config before rebooting:</p>
<div class="codehilite"><pre><span></span><span class="o">[</span>anaconda root@fed23lab boot<span class="o">]</span><span class="c1"># sed -i -e "s/linux16/linux/" -e "s/initrd16/initrd/" /mnt/sysimage/boot/grub2/grub.cfg</span>
</pre></div>
<p>Now, reboot the domU and destroy it if it starts up on the installer again.</p>
<h1 id="booting-the-domu-with-pv-grub">Booting the domU with pv-grub<a class="headerlink" href="#booting-the-domu-with-pv-grub" title="Permanent link">¶</a></h1>
<p>Make the following changes to the domU configuration:</p>
<div class="codehilite"><pre><span></span><span class="gd">--- a/xen/fed23lab</span>
<span class="gi">+++ b/xen/fed23lab</span>
<span class="gu">@@ -1,6 +1,4 @@</span>
<span class="gd">-kernel = '/mnt/isos/Linux/Fedora/23/vmlinuz'</span>
<span class="gd">-ramdisk = '/mnt/isos/Linux/Fedora/23/initrd.img'</span>
<span class="gd">-extra = 'inst.stage2=http://download.fedoraproject.org/pub/fedora/linux/releases/23/Server/x86_64/os/ ip=dhcp'</span>
<span class="gi">+kernel = '/usr/lib/grub-xen/grub-x86_64-xen.bin'</span>
name = "fed23lab"
</pre></div>
<h1 id="make-the-pv-grub-modifications-permanent">Make the pv-grub modifications permanent<a class="headerlink" href="#make-the-pv-grub-modifications-permanent" title="Permanent link">¶</a></h1>
<p>To make sure that <code>linux16</code> and <code>initrd16</code> commands are never used in the grub
configuration file, following adjustments should be made to
<code>/etc/grub.d/10_linux</code> in the domU:</p>
<div class="codehilite"><pre><span></span><span class="gd">--- a/grub.d/10_linux 2015-12-02 20:55:30.225073995 +0100</span>
<span class="gi">+++ b/grub.d/10_linux 2015-12-02 20:55:37.308073995 +0100</span>
<span class="gu">@@ -89,7 +89,7 @@ linux_entry ()</span>
initrdefi="initrd"
case "$machine" in
i?86|x86_64)
<span class="gd">- sixteenbit="16"</span>
<span class="gi">+ sixteenbit=""</span>
linuxefi="linuxefi"
initrdefi="initrdefi"
;;
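Review bot: the change only blanks `sixteenbit` in the i?86|x86_64 branch, and since a grub2 package upgrade restores `/etc/grub.d/10_linux`, the next regenerated `grub.cfg` can silently go back to `linux16`/`initrd16` and the domU stops booting under pv-grub. Pair the edit with a check after every grub2 update, e.g. `grep -c 'linux16\|initrd16' /boot/grub2/grub.cfg` must print 0 after `grub2-mkconfig`, so the regression is caught before the next reboot.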
</pre></div>
<p>A fresh configuration can then be generated with:</p>
<div class="codehilite"><pre><span></span><span class="o">[</span>root@fed23lab grub.d<span class="o">]</span><span class="c1"># grub2-mkconfig -o /boot/grub2/grub.cfg</span>
</pre></div>
<p><strong>Note</strong> that upgrades to the grub package might undo these changes!</p>
<p>XEN ZFS storage driver domain, 2015-09-11, henrik, /xen_storage_driver_domain.html</p>
<h1 id="intro">Intro<a class="headerlink" href="#intro" title="Permanent link">¶</a></h1>
<p>The storage driver domain in this howto is called <code>zfshost</code>.</p>
<p>I have two small 40GB Intel 320 SSDs in MD RAID1 in an LVM VG (Volume Group) called <code>vg_raid1</code>. This VG contains 4 LVs (root+swap for dom0 and zfshost).</p>
<p>The LVM LVs (Logical Volumes) <code>zfshost-disk</code> and <code>zfshost-swap</code> are used for boot and swap by the Debian based ZFS storage driver domain.</p>
<p>The actual ZFS storage disks are handled entirely by the storage driver domain; they sit on a SATA controller that is exported (pci-export) to the zfshost domU.</p>
<p>The SATA disks on the exported SATA controller are in a pool called <a href="http://matrix.wikia.com/wiki/Tank">tank</a>.</p>
<p>Why not FreeBSD?</p>
<ul>
<li>NFSv4 and Kerberos not working well enough</li>
<li>No pure PV mode (only HVM), which causes issues with PCI passthrough</li>
<li>Resize of a zvol needs a domU restart</li>
</ul>
<h1 id="preparations">Preparations<a class="headerlink" href="#preparations" title="Permanent link">¶</a></h1>
<h2 id="switch-from-pygrub-to-pvgrub">Switch from pygrub to pvgrub<a class="headerlink" href="#switch-from-pygrub-to-pvgrub" title="Permanent link">¶</a></h2>
<p>Pygrub cannot be used with disks served directly by a storage driver domain, because pygrub runs in dom0 itself and needs to read the guest's disk there. Instead, all domUs that use pygrub must be switched to pvgrub.</p>
<h3 id="in-domu-debian-jessie-only">In domU (Debian Jessie only)<a class="headerlink" href="#in-domu-debian-jessie-only" title="Permanent link">¶</a></h3>
<p>Change from grub-legacy to pvgrub (which is based on grub2):</p>
<div class="codehilite"><pre><span></span># apt-get install grub-xen
# mv /boot/grub/menu.lst /root/
# update-grub
</pre></div>
<h3 id="in-dom0-debian-jessie-only">In dom0 (Debian Jessie only)<a class="headerlink" href="#in-dom0-debian-jessie-only" title="Permanent link">¶</a></h3>
<p>Make sure the package <code>grub-xen-host</code> is installed first, then apply the following diff to the domU configuration:</p>
<div class="codehilite"><pre><span></span><span class="gd">--- a/xen/<domU-name>.cfg</span>
<span class="gi">+++ b/xen/<domU-name>.cfg</span>
<span class="gu">@@ -8,7 +8,7 @@</span>
#
<span class="gd">-bootloader = '/usr/lib/xen-4.4/bin/pygrub'</span>
<span class="gi">+kernel = '/usr/lib/grub-xen/grub-x86_64-xen.bin'</span>
vcpus = '1'
memory = '1024'
<span class="gu">@@ -17,7 +17,6 @@ memory = '1024'</span>
#
# Disk device(s).
#
<span class="gd">-root = '/dev/xvda2 ro'</span>
disk = [
'phy:/dev/vg_raid1/<domU-name>-disk,xvda2,w',
'phy:/dev/vg_raid1/<domU-name>-swap,xvda1,w',
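Review bot: removing `root = '/dev/xvda2 ro'` moves the root= argument from the dom0 config into the guest's own grub.cfg, so before the first pvgrub boot confirm that the `update-grub` run in the domU (previous step) produced entries pointing at /dev/xvda2 or its UUID; with the `bootloader` line gone there is no dom0-side fallback if the guest config is wrong.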
</pre></div>
<p>For 32-bit domUs use <code>/usr/lib/grub-xen/grub-i386-xen.bin</code>.</p>
<p>Shut down the domU and start it again:</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> xl shutdown <domU-name>
<span class="go"> - (wait until it is down)</span>
<span class="gp">#</span> xl create /etc/xen/<domU-name>.cfg -c
</pre></div>
<h2 id="setup-zfshost">Setup zfshost<a class="headerlink" href="#setup-zfshost" title="Permanent link">¶</a></h2>
<h3 id="installation">Installation<a class="headerlink" href="#installation" title="Permanent link">¶</a></h3>
<p>Install Debian Jessie as a XEN PV guest on LVM LVs from the dom0 (e.g. <code>/dev/vg_raid1/zfshost-root</code> and <code>/dev/vg_raid1/zfshost-swap</code>).</p>
<p>The disks that will be managed by ZFS are connected to a SATA controller that is exported to the domU with
PCI passthrough.</p>
<h3 id="pci-export">PCI export<a class="headerlink" href="#pci-export" title="Permanent link">¶</a></h3>
<p>Find the PCI id of the SATA/SAS controller to export; in my case (on an HP MicroServer Gen8):</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> lspci <span class="p">|</span> fgrep AHCI
<span class="go">00:1f.2 SATA controller: Intel Corporation 6 Series/C200 Series Chipset Family SATA AHCI Controller (rev 05)</span>
</pre></div>
<p>Add the following to the end of <code>/etc/xen/zfshost.cfg</code> to export the PCI device:</p>
<div class="codehilite"><pre><span></span><span class="na">pci</span> <span class="o">=</span> <span class="s">[ '00:1f.2' ]</span>
</pre></div>
<p>Hand the device over to the xen-pciback module in dom0:</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> <span class="nb">echo</span> xen-pciback >> /etc/modules
<span class="gp">#</span> modprobe xen-pciback
<span class="gp">#</span> xl pci-assignable-add <span class="m">00</span>:1f.2
</pre></div>
<p>For automatic handling of <code>xl pci-assignable-add</code> at reboot, see <a href="xen_dom0_setup.html#setup-pci-passthrough-optional">setup-pci-passthrough</a>.</p>
<h3 id="setup-xenstore">Setup xenstore<a class="headerlink" href="#setup-xenstore" title="Permanent link">¶</a></h3>
<div class="codehilite"><pre><span></span><span class="gp">root@zfshost:~ #</span> <span class="nv">RUNLEVEL</span><span class="o">=</span><span class="m">1</span> apt-get install --no-install-recommends xen-utils-4.4
</pre></div>
<p>The xen utilities are normally used in a dom0; in a storage driver domain the services that are only meaningful in a dom0 should be disabled:</p>
<div class="codehilite"><pre><span></span><span class="gp">root@zfshost:~ #</span> systemctl disable xen.service
<span class="gp">root@zfshost:~ #</span> systemctl disable xendomains.service
</pre></div>
<p>Mount /proc/xen</p>
<div class="codehilite"><pre><span></span><span class="gp">root@zfshost:~ #</span> mount -t xenfs xenfs /proc/xen
</pre></div>
<p>Also add the <code>/proc/xen</code> mount to <code>/etc/rc.local</code>, plus a xenstore write announcing that the storage domain is online (dom0 will
wait for this key before starting the other domains):</p>
<div class="codehilite"><pre><span></span>mount -t xenfs xenfs /proc/xen
xenstore-write /local/domain/<span class="sb">`</span>xenstore-read domid<span class="sb">`</span>/data/storage-online <span class="m">1</span>
<span class="nb">exit</span> <span class="m">0</span>
</pre></div>
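The dom0 side of this handshake, written here as an added example rather than the article's own script: it polls for the <code>data/storage-online</code> key a bounded number of times, so a storage domain that never comes up fails the boot visibly instead of stalling it forever. Assumptions: <code>xl</code> and <code>xenstore-exists</code> are in PATH and the domain config lives in <code>/etc/xen/NAME.cfg</code>; <code>probe_ready_after</code> is a constructed stand-in used only to exercise the wait offline.

```shell
#!/bin/sh
# Added example (not from the original article): the dom0 side of the
# storage-online handshake, with a bounded wait instead of looping forever.
# The domU writes /local/domain/<domid>/data/storage-online from rc.local;
# dom0 polls for that key before starting the domains that depend on it.

# wait_for_key ATTEMPTS INTERVAL CMD [ARGS...]
# Runs CMD until it exits 0 or ATTEMPTS probes have failed, sleeping INTERVAL
# seconds between probes. Returns 0 when CMD succeeded, 1 when it gave up.
# CMD is passed as separate words, so no eval or command substitution is used.
wait_for_key() {
    attempts=$1
    interval=$2
    shift 2
    tries=0
    while [ "$tries" -lt "$attempts" ]; do
        if "$@" >/dev/null 2>&1; then
            return 0
        fi
        tries=$((tries + 1))
        if [ "$tries" -lt "$attempts" ]; then
            sleep "$interval"
        fi
    done
    return 1
}

# start_storage_domain NAME [ATTEMPTS]
# Real dom0 caller (assumption: xl and xenstore-exists in PATH, config in
# /etc/xen/NAME.cfg as on this page). Fails with a non-zero exit instead of
# hanging the boot if the domain never signals. Not run by the offline test.
start_storage_domain() {
    name=$1
    attempts=${2:-60}                      # 60 probes x 2 s = 2 minutes
    xl create "/etc/xen/${name}.cfg" >/dev/null || return 1
    domid=$(xl domid "$name") || return 1
    if [ -z "$domid" ]; then
        # without this check the loop would poll /local/domain//data/...
        echo "no domid for $name" >&2
        return 1
    fi
    wait_for_key "$attempts" 2 \
        xenstore-exists "/local/domain/${domid}/data/storage-online"
}

# probe_ready_after COUNTER_FILE N
# Constructed stand-in for xenstore-exists: succeeds from the N-th call
# onwards, keeping its call count in COUNTER_FILE.
probe_ready_after() {
    n=$(cat "$1")
    n=$((n + 1))
    echo "$n" > "$1"
    [ "$n" -ge "$2" ]
}

# Stand-alone demonstration: the probe succeeds on the third attempt.
demo_counter=$(mktemp)
echo 0 > "$demo_counter"
if wait_for_key 5 0 probe_ready_after "$demo_counter" 3; then
    echo "storage reported online after $(cat "$demo_counter") probes"
else
    echo "timed out waiting for storage"
fi
rm -f "$demo_counter"
```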
<h3 id="install-zfs-on-linux">Install ZFS on Linux<a class="headerlink" href="#install-zfs-on-linux" title="Permanent link">¶</a></h3>
<p>Follow this guide <a href="http://zfsonlinux.org/debian.html">ZoL Debian</a></p>
<h3 id="creating-the-tank-pool">Creating the tank pool<a class="headerlink" href="#creating-the-tank-pool" title="Permanent link">¶</a></h3>
<p>Set up the disks with a GPT label (without adding any partitions); you can use <code>gdisk</code> for this.</p>
<p>Create the pool with ashift set for Advanced Format disks (4k sector size); this also partitions the disks automatically:</p>
<div class="codehilite"><pre><span></span><span class="gp">root@zfshost:~ #</span> zpool create -o <span class="nv">ashift</span><span class="o">=</span><span class="m">12</span> tank mirror sda sdb
</pre></div>
<p>Alternatively, instead of the sd[a-z] names you can use the "disk by-id" names (see <code>/dev/disk/by-id/</code>).</p>
<p>After this the pool should be up and running (<strong>Note</strong> that I use "disk by-id" names):</p>
<div class="codehilite"><pre><span></span><span class="gp">root@zfshost:~ #</span> zpool status
<span class="go">  pool: tank</span>
<span class="go"> state: ONLINE</span>
<span class="go">  scan: resilvered 240K in 0h0m with 0 errors on Sat Jul 11 23:58:12 2015</span>
<span class="go">config:</span>
<span class="go"></span>
<span class="go">        NAME                        STATE     READ WRITE CKSUM</span>
<span class="go">        tank                        ONLINE       0     0     0</span>
<span class="go">          mirror-0                  ONLINE       0     0     0</span>
<span class="go">            ata-WDC_WD20EFRX-.....  ONLINE       0     0     0</span>
<span class="go">            ata-WDC_WD20EFRX-.....  ONLINE       0     0     0</span>
<span class="go"></span>
<span class="go">errors: No known data errors</span>
</pre></div>
<p>Set the pool to autoexpand so it grows automatically if you later replace the mirror members with larger disks:</p>
<div class="codehilite"><pre><span></span><span class="gp">root@zfshost:~ #</span> zpool <span class="nb">set</span> <span class="nv">autoexpand</span><span class="o">=</span>on tank
</pre></div>
<h3 id="switch-to-sysvinit">Switch to sysvinit<a class="headerlink" href="#switch-to-sysvinit" title="Permanent link">¶</a></h3>
<p>The pool will fail to mount at reboot with this error:</p>
<div class="codehilite"><pre><span></span>zpool[231]: cannot import 'tank': no such pool or dataset
</pre></div>
<p>The reason is that the ZFS services and tasks start in the wrong order.</p>
<p>I could not find a reliable solution for this on a system with systemd (ZoL version 0.6.4-1.2-1), so I fell back to sysvinit instead:</p>
<div class="codehilite"><pre><span></span><span class="gp">root@zfshost:~ #</span> apt-get install --purge -y sysvinit-core
</pre></div>
<p>Fix the getty startup so it runs on hvc0:</p>
<div class="codehilite"><pre><span></span><span class="gd">--- a/inittab</span>
<span class="gi">+++ b/inittab</span>
<span class="gd">-1:2345:respawn:/sbin/getty 38400 tty1</span>
<span class="gd">-2:23:respawn:/sbin/getty 38400 tty2</span>
<span class="gd">-3:23:respawn:/sbin/getty 38400 tty3</span>
<span class="gd">-4:23:respawn:/sbin/getty 38400 tty4</span>
<span class="gd">-5:23:respawn:/sbin/getty 38400 tty5</span>
<span class="gd">-6:23:respawn:/sbin/getty 38400 tty6</span>
<span class="gi">+1:2345:respawn:/sbin/getty 38400 hvc0</span>
<span class="gi">+#2:23:respawn:/sbin/getty 38400 tty2</span>
<span class="gi">+#3:23:respawn:/sbin/getty 38400 tty3</span>
<span class="gi">+#4:23:respawn:/sbin/getty 38400 tty4</span>
<span class="gi">+#5:23:respawn:/sbin/getty 38400 tty5</span>
<span class="gi">+#6:23:respawn:/sbin/getty 38400 tty6</span>
</pre></div>
<h1 id="patch-xendomains-init-scripts">Patch xendomains init scripts<a class="headerlink" href="#patch-xendomains-init-scripts" title="Permanent link">¶</a></h1>
<p>The following patch adds storage domain support to the xendomains start script</p>
<div class="codehilite"><pre><span></span><span class="gd">--- a/default/xendomains</span>
<span class="gi">+++ b/default/xendomains</span>
<span class="gu">@@ -58,3 +58,7 @@ XENDOMAINS_AUTO=/etc/xen/auto</span>
#
XENDOMAINS_STOP_MAXWAIT=300
<span class="gi">+# If using a storage domain its name should be supplied. The storage</span>
<span class="gi">+# domain will be started first and no other domains will start before it</span>
<span class="gi">+# is fully online.</span>
<span class="gi">+XENDOMAINS_STORAGE_DOM_NAME="zfshost"</span>
<span class="gh">diff --git a/init.d/xendomains b/init.d/xendomains</span>
<span class="gh">index 5fd5a5d..1ac35db 100755</span>
<span class="gd">--- a/init.d/xendomains</span>
<span class="gi">+++ b/init.d/xendomains</span>
<span class="gu">@@ -150,10 +150,38 @@ do_start_auto()</span>
done
}
<span class="gi">+start_storage()</span>
<span class="gi">+{</span>
<span class="gi">+ log_action_begin_msg "Starting Storage domain $XENDOMAINS_STORAGE_DOM_NAME"</span>
<span class="gi">+</span>
<span class="gi">+ out=$(xen create --quiet --defconfig "/etc/xen/${XENDOMAINS_STORAGE_DOM_NAME}.cfg" 2>&1 1>/dev/null)</span>
<span class="gi">+ case "$?" in</span>
<span class="gi">+ 0)</span>
<span class="gi">+ log_action_end_msg 0</span>
<span class="gi">+ ;;</span>
<span class="gi">+ *)</span>
<span class="gi">+ log_action_end_msg 1</span>
<span class="gi">+ echo "$out"</span>
<span class="gi">+ ;;</span>
<span class="gi">+ esac</span>
<span class="gi">+</span>
<span class="gi">+ sleep 5</span>
<span class="gi">+ stor_dom=$(xen domid $XENDOMAINS_STORAGE_DOM_NAME)</span>
<span class="gi">+</span>
<span class="gi">+ log_action_begin_msg "Waiting for storage to come online (forever)."</span>
<span class="gi">+ until $(xenstore-exists /local/domain/${stor_dom}/data/storage-online)</span>
<span class="gi">+ do</span>
<span class="gi">+ sleep 2</span>
<span class="gi">+ done</span>
<span class="gi">+ log_action_end_msg 0</span>
<span class="gi">+}</span>
<span class="gi">+</span>
do_start()
{
declare -A domains
<span class="gi">+ [ -n "$XENDOMAINS_STORAGE_DOM_NAME" ] && start_storage</span>
<span class="gi">+</span>
do_start_restore
do_start_auto
}
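Review bot: `until $(xenstore-exists ...)` runs the (empty) output of xenstore-exists as the loop command and only works because bash falls back to the exit status of the substitution; write `until xenstore-exists "/local/domain/${stor_dom}/data/storage-online"` instead. In the same function `stor_dom=$(xen domid ...)` is never checked, so if `xen create` failed the loop polls `/local/domain//data/storage-online` and, as the message says, waits forever, which blocks the start of every other domain; a check that `$stor_dom` is non-empty plus a bounded wait that logs a failure would make the boot fail visibly rather than hang.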
<span class="gu">@@ -183,7 +211,7 @@ do_stop_shutdown()</span>
{
while read id name rest; do
log_action_begin_msg "Shutting down Xen domain $name ($id)"
<span class="gd">- xen shutdown $id 2>&1 1>/dev/null</span>
<span class="gi">+ xen shutdown --wait $id 2>&1 1>/dev/null</span>
log_action_end_msg $?
done < <(/usr/lib/xen-common/bin/xen-init-list)
while read id name rest; do
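Review bot: `--wait` makes each shutdown synchronous, but the loop still walks the domains in `xen-init-list` order, so nothing guarantees that `$XENDOMAINS_STORAGE_DOM_NAME` goes down last; if the storage domain is shut down before its clients, they lose their disks mid-shutdown. Consider skipping the storage domain in this loop and shutting it down in a separate step after the loop has finished.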
</pre></div>
<h1 id="moving-existing-domu-data">Moving existing domU data<a class="headerlink" href="#moving-existing-domu-data" title="Permanent link">¶</a></h1>
<h2 id="install-netcat-on-dom0-and-zfshost">Install netcat on dom0 and zfshost<a class="headerlink" href="#install-netcat-on-dom0-and-zfshost" title="Permanent link">¶</a></h2>
<div class="codehilite"><pre><span></span><span class="gp">#</span> apt-get install netcat-openbsd
</pre></div>
<h2 id="zvol-topdir-for-xen-domus">zvol topdir for XEN domUs<a class="headerlink" href="#zvol-topdir-for-xen-domus" title="Permanent link">¶</a></h2>
<p>Create a top-level dataset (topdir) for xen domU storage with <code>lz4</code> compression:</p>
<div class="codehilite"><pre><span></span><span class="go">zfs create -o compression=lz4 tank/xen</span>
</pre></div>
<h2 id="creating-zvol-for-domu-swap">Creating zvol for domU swap<a class="headerlink" href="#creating-zvol-for-domu-swap" title="Permanent link">¶</a></h2>
<p>The block size should match the VM's system page size (4k for 64-bit Linux).</p>
<p>Example:</p>
<div class="codehilite"><pre><span></span><span class="gp">root@zfshost:~ #</span> zfs create -b 4k <span class="se">\</span>
-V <size>G <span class="se">\</span>
-o com.sun:auto-snapshot<span class="o">=</span><span class="nb">false</span> <span class="se">\</span>
tank/xen/<domU-name>-swap
</pre></div>
<h2 id="lvm-lv-to-zvol">LVM lv to zvol<a class="headerlink" href="#lvm-lv-to-zvol" title="Permanent link">¶</a></h2>
<p><strong>WARNING</strong> Transferring data the way it is done in this chapter is very fast, but it puts high stress on
ZFS. When testing this on a storage domU with only 5GB RAM it resulted in a kernel panic
caused by the system running out of memory. Tuning <code>/proc/sys/vm/min_free_kbytes</code>
up to 128MB solved these problems for me.</p>
<p>To make this persistent across reboots, add the following to <code>/etc/sysctl.conf</code>:</p>
<div class="codehilite"><pre><span></span><span class="c1"># Make sure ZFS does not take all memory when stressed</span>
<span class="na">vm.min_free_kbytes</span> <span class="o">=</span> <span class="s">128000</span>
</pre></div>
<p>Create the zvol for the (non-swap) disk:</p>
<div class="codehilite"><pre><span></span><span class="gp">root@zfshost:~ #</span> zfs create -V <existing-lv-size>G tank/xen/<domU-name>-disk
</pre></div>
<p>Start netcat on zfshost</p>
<div class="codehilite"><pre><span></span><span class="gp">root@zfshost:~ #</span> nc -l <span class="m">2222</span> > /dev/zvol/tank/xen/<domU-name>-disk
</pre></div>
<p>Stop domU</p>
<div class="codehilite"><pre><span></span><span class="gp">root@dom0:~ #</span> xl shutdown <domU-name>
</pre></div>
<p>Send data from dom0</p>
<div class="codehilite"><pre><span></span><span class="gp">root@dom0:~ #</span> nc zfshost <span class="m">2222</span> < /dev/vg_raid1/<domU-name>-disk
</pre></div>
<p>Patch the domU.cfg file:</p>
<div class="codehilite"><pre><span></span><span class="gd">--- a/xen/<domU-name>.cfg</span>
<span class="gi">+++ b/xen/<domU-name>.cfg</span>
<span class="gu">@@ -18,8 +18,8 @@ memory = '512'</span>
# Disk device(s).
#
disk = [
<span class="gd">- 'phy:/dev/vg_raid1/<domU-name>-disk,xvda2,w',</span>
<span class="gd">- 'phy:/dev/vg_raid1/<domU-name>-swap,xvda1,w',</span>
<span class="gi">+ 'phy:/dev/zvol/tank/xen/<domU-name>-disk,xvda2,w,backend=zfshost',</span>
<span class="gi">+ 'phy:/dev/zvol/tank/xen/<domU-name>-swap,xvda1,w,backend=zfshost',</span>
]
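Review bot: with `backend=zfshost` the `phy:/dev/zvol/tank/xen/...` paths are resolved inside the zfshost domain, not in dom0, so dom0 neither needs nor should have these devices; the storage domain must already be running before `xl create` (the xendomains patch above ensures this at boot), otherwise the block hotplug cannot find its backend.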
</pre></div>
<p>Start domU and attach the console. In pvgrub add <code>fsck.mode=force</code> as a kernel parameter.</p>
<div class="codehilite"><pre><span></span><span class="gp">root@dom0:~ #</span> xl create /etc/xen/<domU-name>.cfg -c
</pre></div>
<p>In the domU</p>
<div class="codehilite"><pre><span></span><span class="gp">root@domU:~ #</span> mkswap /dev/xvda1
<span class="gp">root@domU:~ #</span> swapon -a
</pre></div>
<hr/>
<h1 id="appendix">Appendix<a class="headerlink" href="#appendix" title="Permanent link">¶</a></h1>
<h2 id="attaching-volumes-to-domains-and-dom0">attaching volumes to domains (and dom0)<a class="headerlink" href="#attaching-volumes-to-domains-and-dom0" title="Permanent link">¶</a></h2>
<p>Example: attach a zvol to dom0 as <code>/dev/xvdc1</code></p>
<div class="codehilite"><pre><span></span><span class="gp">root@dom0:~ #</span> xl block-attach Domain-0 <span class="s1">'format=raw,backendtype=phy,backend=zfshost,vdev=xvdc1,target=/dev/zvol/tank/xen/dom0'</span>
</pre></div>
<h2 id="detaching-volumes-from-domains-and-dom0">detaching volumes from domains (and dom0)<a class="headerlink" href="#detaching-volumes-from-domains-and-dom0" title="Permanent link">¶</a></h2>
<p><code>xl block-list</code> does not work with disks from a storage driver domain; instead you need to look up the <code><DevId></code> in xenstore with <code>xenstore-ls</code>.</p>
<p>After finding the right <code><DevId></code> the volume can be detached as usual with <code>xl block-detach <Domain> <DevId></code>.</p>
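The lookup described above, as an added example that is not part of the original article: it parses the full-path form of the xenstore dump (<code>xenstore-ls -f</code>, lines of the form <code>/path = "value"</code>) and returns the frontend domid and device id for every vbd whose backend <code>params</code> points at the given target, which is exactly the pair <code>xl block-detach</code> needs. The xenstore sample embedded below is constructed for this example; <code>detach_by_target</code> assumes <code>xenstore-ls</code> and <code>xl</code> in PATH.

```shell
#!/bin/sh
# Added example (not from the original article): locate the vbd for a given
# backend target in xenstore, so the right <Domain> and <DevId> can be passed
# to `xl block-detach`. Backends live under
# /local/domain/<backend-domid>/backend/vbd/<frontend-domid>/<devid>/...

# find_vbd_by_target TARGET   (reads `xenstore-ls -f` output on stdin)
# Prints "<frontend-domid> <devid>" for every vbd whose params equals TARGET.
find_vbd_by_target() {
    awk -v target="$1" '
        $1 ~ /^\/local\/domain\/[0-9]+\/backend\/vbd\/[0-9]+\/[0-9]+\/params$/ && $2 == "=" {
            val = $0
            sub(/^[^=]*= */, "", val)      # drop everything up to the "= "
            gsub(/^"|"$/, "", val)         # strip the surrounding quotes
            if (val == target) {
                split($1, p, "/")
                # p[4]=backend domid, p[7]=frontend domid, p[8]=devid
                print p[7], p[8]
            }
        }'
}

# detach_by_target TARGET
# Real dom0 helper (assumption: xenstore-ls and xl in PATH): detaches every
# vbd backed by TARGET. Not exercised by the offline test.
detach_by_target() {
    xenstore-ls -f | find_vbd_by_target "$1" | while read -r frontend devid; do
        echo "detaching devid $devid from domain $frontend" >&2
        xl block-detach "$frontend" "$devid"
    done
}

# Constructed sample of `xenstore-ls -f` output: one LV served by dom0 to
# domain 2, and two zvols served by the storage domain (domid 3) to dom0 and
# to domain 2.
sample_xenstore_ls() {
    cat <<'EOF'
/local/domain/0/backend/vbd/2/51712/params = "/dev/vg_raid1/web-disk"
/local/domain/0/backend/vbd/2/51712/frontend = "/local/domain/2/device/vbd/51712"
/local/domain/3/backend/vbd/0/51745/frontend = "/local/domain/0/device/vbd/51745"
/local/domain/3/backend/vbd/0/51745/params = "/dev/zvol/tank/xen/dom0"
/local/domain/3/backend/vbd/0/51745/script = "/etc/xen/scripts/block"
/local/domain/3/backend/vbd/0/51745/frontend-id = "0"
/local/domain/3/backend/vbd/2/51760/params = "/dev/zvol/tank/xen/web-swap"
EOF
}

# Stand-alone demonstration: the dom0 volume from the article resolves to
# "0 51745", i.e. `xl block-detach Domain-0 51745` (domid 0 is Domain-0).
sample_xenstore_ls | find_vbd_by_target /dev/zvol/tank/xen/dom0
```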
<p>Example for dom0</p>
<div class="codehilite"><pre><span></span>root@dom0:~ # xenstore-ls | fgrep -C2 /dev/zvol/tank/xen/dom0
   51745 = ""
    frontend = "/local/domain/0/device/vbd/51745"
    params = "/dev/zvol/tank/xen/dom0"
    script = "/etc/xen/scripts/block"
    frontend-id = "0"
root@dom0:~ # xl block-detach Domain-0 51745
</pre></div>
<p>NFSv4+Kerberos in FreeBSD, 2015-09-04, henrik, /freebsd_nfv4_krb.html</p>
<h1 id="intro">Intro<a class="headerlink" href="#intro" title="Permanent link">¶</a></h1>
<p>Setup of a kerberized NFSv4 FreeBSD host with NFS users managed by FreeIPA.</p>
<p>The FreeBSD nfs-server host will be called <code>zfshost</code> and the FreeIPA server <code>ipa</code> in this howto.
The Kerberos realm and domain will be called <code>foo.se</code>.</p>
<h1 id="setup-the-nfs-daemon-without-kerberos">Setup the NFS daemon (without Kerberos)<a class="headerlink" href="#setup-the-nfs-daemon-without-kerberos" title="Permanent link">¶</a></h1>
<p>Enable nfs and nfsv4</p>
<p>At least the following is needed in <code>/etc/rc.conf</code></p>
<div class="codehilite"><pre><span></span><span class="na">hostname</span><span class="o">=</span><span class="s">"zfshost.foo.se"</span>
<span class="na">...</span>
<span class="na">ntpd_enable</span><span class="o">=</span><span class="s">"YES"</span>
<span class="na">...</span>
<span class="na">nfs_server_enable</span><span class="o">=</span><span class="s">"YES"</span>
<span class="na">nfsv4_server_enable</span><span class="o">=</span><span class="s">"YES"</span>
</pre></div>
<p>Restrict to only NFSv4</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> <span class="nb">echo</span> <span class="s2">"vfs.nfsd.server_min_nfsvers=4"</span> >> /etc/sysctl.conf
<span class="gp">#</span> sysctl vfs.nfsd.server_min_nfsvers<span class="o">=</span><span class="m">4</span>
</pre></div>
<p>Start the server</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> /etc/rc.d/nfsd start
</pre></div>
<p>Set up <code>/etc/exports</code> with <code>/export</code> as the root for the V4 exports:</p>
<div class="codehilite"><pre><span></span><span class="na">/export/<dir> -sec</span><span class="o">=</span><span class="s">sys -network 192.168.1.0 -mask 255.255.255.0</span>
<span class="na">V4: /export/ -sec</span><span class="o">=</span><span class="s">sys</span>
</pre></div>
<p>Reload exports</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> /etc/rc.d/mountd onereload
</pre></div>
<p><code><dir></code> should now be mountable from a NFSv4 client in 192.168.1.0/24.</p>
<h1 id="setup-kerberos">Setup Kerberos<a class="headerlink" href="#setup-kerberos" title="Permanent link">¶</a></h1>
<p>Create <code>/etc/krb5.conf</code> (based on the example in the man-page for <code>krb5.conf</code>):</p>
<div class="codehilite"><pre><span></span><span class="k">[libdefaults]</span>
<span class="na">    default_realm</span> <span class="o">=</span> <span class="s">FOO.SE</span>
<span class="k">[domain_realm]</span>
<span class="na">    .foo.se</span> <span class="o">=</span> <span class="s">FOO.SE</span>
<span class="na">    .bar.se</span> <span class="o">=</span> <span class="s">FOO.SE</span>
<span class="k">[realms]</span>
<span class="na">    FOO.SE</span> <span class="o">=</span> <span class="s">{</span>
<span class="s">        kdc = ipa.foo.se</span>
<span class="s">        v4_name_convert = {</span>
<span class="s">            rcmd = host</span>
<span class="s">        }</span>
<span class="s">        default_domain = foo.se</span>
<span class="s">    }</span>
<span class="k">[logging]</span>
<span class="na">    kdc</span> <span class="o">=</span> <span class="s">FILE:/var/heimdal/kdc.log</span>
<span class="na">    kdc</span> <span class="o">=</span> <span class="s">SYSLOG:INFO</span>
<span class="na">    default</span> <span class="o">=</span> <span class="s">SYSLOG:INFO:USER</span>
</pre></div>
<p>Test that you can authenticate against the KDC:</p>
<div class="codehilite"><pre><span></span># kinit <user>
<user>@FOO.SE's Password:
Your password/account will expire at Sun Jul 5 19:57:05 2015
# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: <user>@FOO.SE

  Issued                Expires               Principal
Jul  1 23:16:13 2015  Jul  2 09:16:13 2015  krbtgt/FOO.SE@FOO.SE
</pre></div>
<p>Start gssd</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> /etc/rc.d/gssd start
<span class="go">Starting gssd.</span>
</pre></div>
<h2 id="compile-and-install-sssd">Compile and Install sssd<a class="headerlink" href="#compile-and-install-sssd" title="Permanent link">¶</a></h2>
<p>The sssd package is built without IPA support, so we cannot simply install it; we must
build the port with IPA support enabled (select "SMB Install IPA and AD providers (requires Samba4)").</p>
<p>Patch /usr/ports/security/sssd/Makefile so it uses the right krb5.conf file.</p>
<div class="codehilite"><pre><span></span><span class="gd">--- Makefile.orig 2015-07-05 00:21:05.651645000 +0200</span>
<span class="gi">+++ Makefile 2015-07-04 00:01:29.789868000 +0200</span>
<span class="gu">@@ -44,6 +44,7 @@</span>
--with-db-path=/var/db/sss --with-pipe-path=/var/run/sss \
--with-pubconf-path=/var/run/sss --with-mcache-path=/var/db/sss_mc \
--with-unicode-lib=libunistring --with-autofs=no \
<span class="gi">+ --with-krb5-conf=/etc/krb5.conf \</span>
--disable-cifs-idmap-plugin --disable-config-lib
CFLAGS+= -fstack-protector-all
PLIST_SUB= PYTHON_VER=${PYTHON_VER}
</pre></div>
<p>Build the required ports</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> <span class="nb">echo</span> <span class="s2">"WANT_OPENLDAP_SASL=yes"</span> > /etc/make.conf
<span class="gp">#</span> <span class="nb">cd</span> /usr/ports/net/samba42
<span class="gp">#</span> make install
<span class="gp">#</span> <span class="nb">cd</span> /usr/ports/security/cyrus-sasl2-gssapi
<span class="gp">#</span> make install
<span class="gp">#</span> <span class="nb">cd</span> /usr/ports/security/sssd
<span class="gp">#</span> make install
<span class="gp">#</span> cp /usr/local/etc/sssd/sssd.conf.sample /usr/local/etc/sssd/sssd.conf
<span class="gp">#</span> chmod <span class="m">0600</span> /usr/local/etc/sssd/sssd.conf
</pre></div>
<p>Set up sssd and the host on the FreeIPA server, then customize sssd.conf on zfshost (<strong>note</strong> that you need the ca.crt file of your FreeIPA server):</p>
<div class="codehilite"><pre><span></span><span class="gu">@@ -1,16 +1,32 @@</span>
[sssd]
config_file_version = 2
services = nss, pam
<span class="gi">+enumerate = True</span>
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
<span class="gd">-; domains = LDAP</span>
<span class="gi">+domains = foo.se</span>
[nss]
<span class="gi">+override_shell = /usr/local/bin/bash</span>
<span class="gi">+override_homedir = /usr/home/%u</span>
[pam]
<span class="gi">+[domain/foo.se]</span>
<span class="gi">+cache_credentials = True</span>
<span class="gi">+krb5_store_password_if_offline = True</span>
<span class="gi">+ipa_domain = foo.se</span>
<span class="gi">+id_provider = ipa</span>
<span class="gi">+auth_provider = ipa</span>
<span class="gi">+access_provider = ipa</span>
<span class="gi">+ipa_hostname = zfshost.foo.se</span>
<span class="gi">+chpass_provider = ipa</span>
<span class="gi">+ipa_server = ipa.foo.se</span>
<span class="gi">+ldap_tls_cacert = /etc/ipa/ca.crt</span>
<span class="gi">+enumerate = True</span>
<span class="gi">+</span>
# Example LDAP domain
; [domain/LDAP]
; id_provider = ldap
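Review bot: `enumerate = True` is a [domain/...] option, so the copy added to the [sssd] section has no effect and can be dropped; enumerating the whole IPA user and group set is also costly on larger directories and is not needed for `id <user>` lookups or NFS id mapping, so consider leaving it off in the domain section as well.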
</pre></div>
<p>Set up your NFSv4 FreeBSD host in FreeIPA (add the host and provision a Kerberos keytab).</p>
<p>Store the generated keytab on the FreeBSD host as <code>/etc/krb5.keytab</code> (permissions 0600).</p>
<p>Start sssd and test it against FreeIPA:</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> /usr/local/etc/rc.d/sssd onestart
<span class="go">Starting sssd.</span>
</pre></div>
<p>Edit <code>/etc/nsswitch.conf</code>:</p>
<div class="codehilite"><pre><span></span><span class="na">...</span>
<span class="na">group: files sss</span>
<span class="na">...</span>
<span class="na">passwd: files sss</span>
</pre></div>
<p>Now you should be able to use the <code>id <username></code> command to look up users stored in FreeIPA.</p>
<p>Make sure sssd and gssd are started at boot by adding the following to <code>/etc/rc.conf</code>:</p>
<div class="codehilite"><pre><span></span><span class="na">gssd_enable</span><span class="o">=</span><span class="s">"YES"</span>
<span class="na">sssd_enable</span><span class="o">=</span><span class="s">"YES"</span>
</pre></div>
<h2 id="pam-setup">PAM Setup<a class="headerlink" href="#pam-setup" title="Permanent link">¶</a></h2>
<div class="codehilite"><pre><span></span><span class="gp">#</span> pkg install pam_mkhomedir
</pre></div>
<p>Diff to /etc/pam.d/system</p>
<div class="codehilite"><pre><span></span><span class="gu">@@ -7,14 +7,16 @@</span>
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
<span class="gd">-#auth sufficient pam_krb5.so no_warn try_first_pass</span>
<span class="gi">+auth sufficient pam_krb5.so no_warn try_first_pass</span>
#auth sufficient pam_ssh.so no_warn try_first_pass
<span class="gi">+auth sufficient /usr/local/lib/pam_sss.so use_first_pass</span>
auth required pam_unix.so no_warn try_first_pass nullok
# account
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
<span class="gi">+account required /usr/local/lib/pam_sss.so ignore_unknown_user</span>
# session
#session optional pam_ssh.so want_agent
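Review bot: the session section is left untouched here, while the `/etc/pam.d/ssh` change below adds `session required /usr/local/lib/pam_mkhomedir.so`, so an IPA user logging in on the console ends up without a home directory; add the same pam_mkhomedir line here unless console logins for IPA users are not wanted. Unrelated to this change but visible in the context: `auth required pam_unix.so no_warn try_first_pass nullok` still accepts local accounts with empty passwords.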
<span class="gu">@@ -22,4 +24,5 @@</span>
# password
#password sufficient pam_krb5.so no_warn try_first_pass
<span class="gi">+password sufficient /usr/local/lib/pam_sss.so use_authtok</span>
password required pam_unix.so no_warn try_first_pass
</pre></div>
<p>Diff to /etc/pam.d/ssh</p>
<div class="codehilite"><pre><span></span><span class="gu">@@ -7,8 +7,9 @@</span>
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
<span class="gd">-#auth sufficient pam_krb5.so no_warn try_first_pass</span>
<span class="gi">+auth sufficient pam_krb5.so no_warn try_first_pass</span>
#auth sufficient pam_ssh.so no_warn try_first_pass
<span class="gi">+auth sufficient /usr/local/lib/pam_sss.so use_first_pass</span>
auth required pam_unix.so no_warn try_first_pass
# account
<span class="gu">@@ -16,11 +17,14 @@</span>
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
<span class="gi">+account required /usr/local/lib/pam_sss.so ignore_unknown_user</span>
# session
#session optional pam_ssh.so want_agent
<span class="gi">+session required /usr/local/lib/pam_mkhomedir.so</span>
session required pam_permit.so
# password
#password sufficient pam_krb5.so no_warn try_first_pass
<span class="gi">+password sufficient /usr/local/lib/pam_sss.so use_authtok</span>
password required pam_unix.so no_warn try_first_pass
</pre></div>
<p>Now you should be able to login with SSH as a user stored in FreeIPA.</p>
<h2 id="setup-the-nfs-daemon-for-kerberos">Setup the NFS daemon for Kerberos<a class="headerlink" href="#setup-the-nfs-daemon-for-kerberos" title="Permanent link">¶</a></h2>
<p>Add the NFS service for the FreeBSD NFS server in FreeIPA:</p>
<div class="codehilite"><pre><span></span><span class="go">ipa$ kinit admin</span>
<span class="go">ipa$ ipa service-add nfs/zfshost.foo.se</span>
<span class="go">ipa$ ipa-getkeytab -s ipa.foo.se -p nfs/zfshost.foo.se -k /tmp/nfs.keytab</span>
</pre></div>
<p>Now transfer <code>/tmp/nfs.keytab</code> to zfshost and merge it with the existing keytab.</p>
<div class="codehilite"><pre><span></span><span class="go">zfshost# (echo rkt /tmp/nfs.keytab; echo wkt /etc/krb5.keytab) | /usr/local/bin/ktutil</span>
</pre></div>
<p>Change <code>/etc/exports</code> to the following:</p>
<div class="codehilite"><pre><span></span><span class="na">/export/<dir> -sec</span><span class="o">=</span><span class="s">krb5:krb5i:krb5p -network 192.168.1.0 -mask 255.255.255.0</span>
<span class="na">V4: /export -sec</span><span class="o">=</span><span class="s">krb5:krb5i:krb5p</span>
</pre></div>
<p>Reload the exports</p>
<div class="codehilite"><pre><span></span><span class="go">zfshost# /etc/rc.d/mountd onereload</span>
</pre></div>
<p>Now you should be able to use NFSv4 with Kerberos.</p>
<h1 id="references">References<a class="headerlink" href="#references" title="Permanent link">¶</a></h1>
<p>https://forums.freebsd.org/threads/freebsd-freeipa-via-sssd.46526/
https://fedorahosted.org/sssd/wiki/HOWTO_Configure_1_0_2
https://code.google.com/p/macnfsv4/wiki/FreeBSD8KerberizedNFSSetup</p>pvgrub workaround for separate /boot2015-06-26T00:00:00+02:002015-06-26T00:00:00+02:00henriktag:community.riocities.com,2015-06-26:/pvgrub_separate_boot.html<h1 id="intro">Intro<a class="headerlink" href="#intro" title="Permanent link">¶</a></h1>
<p>The pvgrub binary in Debian Jessie (dom0) is not "happy" about the fact that in Fedora (domU) /boot is on a separate partition and
that the grub config is stored in <code>/boot/grub2/grub.cfg</code>.</p>
<p>Errors seen when starting a domU with this setup</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> xl create /etc/xen/<domU>.cfg -c
<span class="go">Parsing config from /etc/xen/<domU>.cfg</span>
<span class="go">error: no such device: /boot/xen/pvboot-x86_64.elf.</span>
<span class="go">error: no such device: /xen/pvboot-x86_64.elf.</span>
<span class="go">error: no such device: /boot/grub/grub.cfg.</span>
<span class="go"> GNU GRUB version 2.02~beta2-22</span>
<span class="go"> Minimal BASH-like line editing is supported. For the first word, TAB </span>
<span class="go"> lists possible command completions. Anywhere else TAB lists possible </span>
<span class="go"> device or file completions. </span>
<span class="go">grub></span>
</pre></div>
<p>A quick fix is to create a symlink <code>boot/grub/grub.cfg -> /grub2/grub.cfg</code> on the /boot partition, so that pvgrub finds the config where it looks for it.</p>
<h1 id="howto-fix-from-dom0">Howto fix from dom0<a class="headerlink" href="#howto-fix-from-dom0" title="Permanent link">¶</a></h1>
<p>Mount disk (if /boot is the first partition of the disk)</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> losetup -f /dev/vg_raid1/<domu>-volume
<span class="gp">#</span> kpartx -av /dev/loop0
<span class="go">add map loop0p1 (253:21): 0 1024000 linear /dev/loop0 2048</span>
<span class="go">add map loop0p2 (253:22): 0 11556864 linear /dev/loop0 1026048</span>
<span class="gp">#</span> mount /dev/mapper/loop0p1 /mnt
</pre></div>
<p>Add symlink</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> <span class="nb">cd</span> /mnt/
<span class="gp">#</span> mkdir -p boot/grub
<span class="gp">#</span> <span class="nb">cd</span> boot/grub/
<span class="gp">#</span> ln -s /grub2/grub.cfg grub.cfg
</pre></div>
<p>Clean-up</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> <span class="nb">cd</span> /
<span class="gp">#</span> umount /mnt
<span class="gp">#</span> kpartx -dv /dev/loop0
<span class="go">del devmap : loop0p2</span>
<span class="go">del devmap : loop0p1</span>
<span class="gp">#</span> losetup -d /dev/loop0
</pre></div>
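<p>An added Python example (not from the page) that reproduces the symlink step on a constructed copy of a /boot partition and shows why checking the result from dom0 is misleading: the page's <code>ln -s /grub2/grub.cfg grub.cfg</code> creates an absolute link that only resolves once pvgrub reads the partition as its own root, so <code>ls -L /mnt/boot/grub/grub.cfg</code> in dom0 reports it as dangling, while a relative <code>../../grub2/grub.cfg</code> resolves in both places. The partition layout is built in a temporary directory, and the helper that resolves an absolute target against the partition root is this example's model of the loader's behaviour, not pvgrub code.</p>

```python
import os
import tempfile
from pathlib import Path

FEDORA_GRUB_CFG = "grub2/grub.cfg"     # where Fedora's grub2 keeps it, relative to the /boot partition
PVGRUB_LOOKUP = "boot/grub/grub.cfg"   # the path pvgrub reports as missing, relative to the same partition


def make_fake_boot_partition():
    """Constructed stand-in for the mounted Fedora /boot partition (a temporary directory)."""
    root = Path(tempfile.mkdtemp(prefix="bootpart-"))
    cfg = root / FEDORA_GRUB_CFG
    cfg.parent.mkdir(parents=True)
    cfg.write_text("set timeout=5\n")  # placeholder content, not a real grub.cfg
    return root


def add_grub_cfg_symlink(boot_mount, relative=False):
    """Create boot/grub/grub.cfg on the partition. relative=False is the page's
    `ln -s /grub2/grub.cfg grub.cfg`; relative=True points at ../../grub2/grub.cfg."""
    link = Path(boot_mount) / PVGRUB_LOOKUP
    link.parent.mkdir(parents=True, exist_ok=True)
    if link.is_symlink():
        link.unlink()
    target = "../../" + FEDORA_GRUB_CFG if relative else "/" + FEDORA_GRUB_CFG
    link.symlink_to(target)
    return target


def resolves_from_dom0(boot_mount):
    """What `ls -L` in dom0 sees: the kernel resolves the link against dom0's own root."""
    return (Path(boot_mount) / PVGRUB_LOOKUP).is_file()


def resolves_inside_partition(boot_mount):
    """Model of a loader reading the partition as its root filesystem: an absolute
    link target is rooted at the partition, a relative one at the link's directory."""
    link = Path(boot_mount) / PVGRUB_LOOKUP
    target = os.readlink(link)
    if target.startswith("/"):
        resolved = Path(boot_mount) / target.lstrip("/")
    else:
        resolved = (link.parent / target).resolve()
    return resolved.is_file()


if __name__ == "__main__":
    part = make_fake_boot_partition()
    add_grub_cfg_symlink(part)                # the page's absolute link
    print(resolves_inside_partition(part), resolves_from_dom0(part))   # True False
    add_grub_cfg_symlink(part, relative=True)
    print(resolves_inside_partition(part), resolves_from_dom0(part))   # True True
```

<p>Either form boots; the relative one simply lets you verify the link from dom0 before running the clean-up above.</p>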
<p>After this pvgrub should be able to bring up the grub menu in the Fedora domU.</p>Configure OpenIKE Site to Site VPN in OpenBSD2015-06-20T23:23:00+02:002015-06-20T23:23:00+02:00magnustag:community.riocities.com,2015-06-20:/openike_openbsd.html<p>Quick howto configure OpenIKE on OpenBSD</p><h1 id="introduction">Introduction<a class="headerlink" href="#introduction" title="Permanent link">¶</a></h1>
<p>This HOWTO covers how to configure OpenIKE (IKEv2, the <code>iked</code> daemon) on OpenBSD.</p>
<p><img alt="Network Topology" src="//community.riocities.com/images/diagram2.png"></p>
<h1 id="configuration">Configuration<a class="headerlink" href="#configuration" title="Permanent link">¶</a></h1>
<p><strong><em>/etc/iked.conf</em></strong> on VPN1</p>
<div class="codehilite"><pre><span></span>remote_gw = "82.182.106.1"
local_gw = "192.168.102.2"
ikev2 active esp from $local_gw to $remote_gw psk "CHANGE_THIS_TO_A_STRONG_PSK"
ikev2 active esp from 192.168.100.0/24 to 192.168.200.0/24 peer $remote_gw psk "CHANGE_THIS_TO_A_STRONG_PSK"
ikev2 active esp from 192.168.102.0/24 to 192.168.200.0/24 peer $remote_gw psk "CHANGE_THIS_TO_A_STRONG_PSK"
</pre></div>
<p><strong><em>/etc/iked.conf</em></strong> on VPN2</p>
<div class="codehilite"><pre><span></span>remote_gw = "82.182.103.1"
local_gw = "192.168.200.2"
ikev2 active esp from $local_gw to $remote_gw psk "CHANGE_THIS_TO_A_STRONG_PSK"
ikev2 active esp from 192.168.200.0/24 to 192.168.100.0/24 peer $remote_gw psk "CHANGE_THIS_TO_A_STRONG_PSK"
ikev2 active esp from 192.168.200.0/24 to 192.168.102.0/24 peer $remote_gw psk "CHANGE_THIS_TO_A_STRONG_PSK"
</pre></div>
<h1 id="bring-up-enc0">Bring up enc0<a class="headerlink" href="#bring-up-enc0" title="Permanent link">¶</a></h1>
<p><code>ifconfig enc0 up</code></p>
<h1 id="ports-to-forward-in-gw1-and-gw2">Ports to forward in GW1 and GW2<a class="headerlink" href="#ports-to-forward-in-gw1-and-gw2" title="Permanent link">¶</a></h1>
<p>UDP 500 and UDP 4500</p>
<h1 id="auto-start-when-booting">Auto start when booting<a class="headerlink" href="#auto-start-when-booting" title="Permanent link">¶</a></h1>
<p><code>echo "iked_flags=YES" >> /etc/rc.conf.local</code></p>
<p><code>echo "up" > /etc/hostname.enc0</code></p>Configure Asterisk as a SIP proxy for the carrier 32015-06-19T15:59:00+02:002015-06-19T15:59:00+02:00magnustag:community.riocities.com,2015-06-19:/sip_proxy_for_3.html<p>Configure Asterisk to allow phone calls from any SIP client to 3</p><h1 id="introduction">Introduction<a class="headerlink" href="#introduction" title="Permanent link">¶</a></h1>
<p>This HOWTO covers how to set up Asterisk so that you can use any SIP phone with the VoIP service provided by the carrier 3 in Sweden.</p>
<p>3 blocks clients by checking the User-Agent header in the SIP protocol.</p>
<p>This howto shows how to configure Asterisk to register with the SIP server at 3 and to set up an account for your SIP client to connect to.</p>
<h1 id="prerequisites">Prerequisites<a class="headerlink" href="#prerequisites" title="Permanent link">¶</a></h1>
<ul>
<li>Asterisk Server</li>
<li>Subscription to the service 3Switch provided by the carrier 3</li>
</ul>
<h1 id="configuration-of-asterisk">Configuration of Asterisk<a class="headerlink" href="#configuration-of-asterisk" title="Permanent link">¶</a></h1>
<p>The following files need to be edited</p>
<ul>
<li>/etc/asterisk/sip.conf</li>
<li>/etc/asterisk/extensions.conf</li>
<li>/etc/asterisk/users.conf</li>
</ul>
<p><strong>/etc/asterisk/users.conf</strong></p>
<div class="codehilite"><pre><span></span><span class="k">[general]</span>
<span class="na">fullname</span> <span class="o">=</span> <span class="s">New User</span>
<span class="na">userbase</span> <span class="o">=</span> <span class="s">6000</span>
<span class="na">hasvoicemail</span> <span class="o">=</span> <span class="s">yes</span>
<span class="na">vmsecret</span> <span class="o">=</span> <span class="s">1234</span>
<span class="na">hassip</span> <span class="o">=</span> <span class="s">yes</span>
<span class="na">hasiax</span> <span class="o">=</span> <span class="s">no</span>
<span class="na">hash323</span> <span class="o">=</span> <span class="s">no</span>
<span class="na">hasmanager</span> <span class="o">=</span> <span class="s">no</span>
<span class="na">callwaiting</span> <span class="o">=</span> <span class="s">yes</span>
<span class="na">threewaycalling</span> <span class="o">=</span> <span class="s">yes</span>
<span class="na">callwaitingcallerid</span> <span class="o">=</span> <span class="s">yes</span>
<span class="na">transfer</span> <span class="o">=</span> <span class="s">yes</span>
<span class="na">canpark</span> <span class="o">=</span> <span class="s">yes</span>
<span class="na">cancallforward</span> <span class="o">=</span> <span class="s">yes</span>
<span class="na">callreturn</span> <span class="o">=</span> <span class="s">yes</span>
<span class="na">callgroup</span> <span class="o">=</span> <span class="s">1</span>
<span class="na">pickupgroup</span> <span class="o">=</span> <span class="s">1</span>
<span class="na">nat</span> <span class="o">=</span> <span class="s">yes</span>
<span class="k">[46712345678]</span>
<span class="na">fullname</span> <span class="o">=</span> <span class="s">John Doe</span>
<span class="na">email</span> <span class="o">=</span> <span class="s">john.doe@noname.local</span>
<span class="na">secret</span> <span class="o">=</span> <span class="s">THE_USERS_PASSWORD_IN_ASTERISK</span>
<span class="na">callwaiting</span> <span class="o">=</span> <span class="s">yes</span>
<span class="na">host</span> <span class="o">=</span> <span class="s">dynamic</span>
<span class="na">nat</span> <span class="o">=</span> <span class="s">yes</span>
<span class="na">transport</span> <span class="o">=</span> <span class="s">udp,tcp</span>
<span class="na">context</span> <span class="o">=</span> <span class="s">46712345678-out</span>
</pre></div>
<p><strong>/etc/asterisk/extensions.conf</strong></p>
<div class="codehilite"><pre><span></span><span class="k">[general]</span>
<span class="na">static</span><span class="o">=</span><span class="s">yes</span>
<span class="na">writeprotect</span><span class="o">=</span><span class="s">yes</span>
<span class="na">clearglobalvars</span><span class="o">=</span><span class="s">no</span>
<span class="k">[globals]</span>
<span class="k">[from_three]</span>
<span class="na">exten</span> <span class="o">=</span><span class="s">> 46712345678,1,Dial(SIP/${EXTEN},45, Ttr)</span>
<span class="k">[46712345678-out]</span>
<span class="na">exten</span> <span class="o">=</span><span class="s">> _!.,1,Dial(SIP/${EXTEN}@46712345678-three,30,r)</span>
</pre></div>
<p><strong>/etc/asterisk/sip.conf</strong></p>
<div class="codehilite"><pre><span></span><span class="k">[general]</span>
<span class="na">context</span><span class="o">=</span><span class="s">public </span>
<span class="na">allowguest</span><span class="o">=</span><span class="s">no </span>
<span class="na">allowoverlap</span><span class="o">=</span><span class="s">no </span>
<span class="na">bindaddr</span><span class="o">=</span><span class="s">0.0.0.0</span>
<span class="na">tcpenable</span><span class="o">=</span><span class="s">yes</span>
<span class="na">tcpbindaddr</span><span class="o">=</span><span class="s">0.0.0.0</span>
<span class="na">transport</span><span class="o">=</span><span class="s">udp</span>
<span class="na">defaultexpiry</span><span class="o">=</span><span class="s">700</span>
<span class="na">useragent</span><span class="o">=</span><span class="s">3Switch-Phone-1.0.4-SE/Windows-XP</span>
<span class="na">register</span> <span class="o">=</span><span class="s">> tcp://46712345678:THE_USERS_PASSWORD_AT_THREE@voip.tre.se/46712345678</span>
<span class="k">[46712345678-three]</span>
<span class="na">type</span> <span class="o">=</span> <span class="s">peer</span>
<span class="na">transport</span> <span class="o">=</span> <span class="s">tcp</span>
<span class="na">secret</span> <span class="o">=</span> <span class="s">THE_USERS_PASSWORD_IN_ASTERISK</span>
<span class="na">username</span> <span class="o">=</span> <span class="s">46712345678</span>
<span class="na">host</span> <span class="o">=</span> <span class="s">voip.tre.se</span>
<span class="na">fromuser</span> <span class="o">=</span> <span class="s">46712345678</span>
<span class="na">fromdomain</span> <span class="o">=</span> <span class="s">voip.tre.se</span>
<span class="na">canreinvite</span> <span class="o">=</span> <span class="s">no</span>
<span class="na">insecure</span> <span class="o">=</span> <span class="s">invite,port</span>
<span class="na">qualify</span> <span class="o">=</span> <span class="s">yes</span>
<span class="na">nat</span> <span class="o">=</span> <span class="s">no </span>
<span class="na">context</span> <span class="o">=</span> <span class="s">from_three</span>
</pre></div>
<h1 id="script-to-make-sure-asterisk-is-always-registered-to-3">Script to make sure Asterisk is always registered to 3<a class="headerlink" href="#script-to-make-sure-asterisk-is-always-registered-to-3" title="Permanent link">¶</a></h1>
<p><strong>/usr/local/bin/supervise-asterisk.sh</strong></p>
<table class="codehilitetable"><tr><td class="linenos"><div class="linenodiv"><pre> 1
2
3
4
5
6
7
8
9
10</pre></div></td><td class="code"><div class="codehilite"><pre><span></span><span class="ch">#!/bin/sh</span>
<span class="c1">#</span>
<span class="nv">log</span><span class="o">=</span><span class="s2">"/var/log/supervise-asterisk.log"</span>
<span class="nv">sipstat</span><span class="o">=</span><span class="s2">"</span><span class="k">$(</span>asterisk -x <span class="s2">"sip show registry"</span> <span class="p">|</span> head -n -1 <span class="p">|</span> tail -n +2<span class="k">)</span><span class="s2">"</span>
<span class="k">if</span> <span class="nb">echo</span> <span class="s2">"</span><span class="nv">$sipstat</span><span class="s2">"</span> <span class="p">|</span> awk <span class="s1">'{print $5}'</span> <span class="p">|</span> fgrep -qv Registered <span class="p">;</span> <span class="k">then</span>
asterisk -x <span class="s2">"sip reload"</span> >> <span class="s2">"</span><span class="nv">$log</span><span class="s2">"</span> <span class="m">2</span>><span class="p">&</span><span class="m">1</span>
<span class="nb">echo</span> <span class="s2">"Reloaded SIP `date`"</span> >> <span class="s2">"</span><span class="nv">$log</span><span class="s2">"</span>
<span class="k">fi</span>
</pre></div>
</td></tr></table>
<p><code>chmod u+x /usr/local/bin/supervise-asterisk.sh</code></p>
<p>Install it in the crontab with <code>crontab -e</code></p>
<div class="codehilite"><pre><span></span>* * * * * /usr/local/bin/supervise-asterisk.sh
</pre></div>
<h1 id="fail2ban-optional">Fail2Ban (Optional)<a class="headerlink" href="#fail2ban-optional" title="Permanent link">¶</a></h1>
<p>Please note that using Fail2Ban makes the Asterisk server more vulnerable to DoS if you allow incoming UDP traffic on port 5060.</p>
<h2 id="install-and-configure-fail2ban">Install and configure fail2ban<a class="headerlink" href="#install-and-configure-fail2ban" title="Permanent link">¶</a></h2>
<p><code>apt-get install fail2ban</code></p>
<p>Create the configuration files:<br/>
<strong>/etc/fail2ban/filter.d/asterisk-immediate.conf</strong></p>
<div class="codehilite"><pre><span></span>cat > /etc/fail2ban/filter.d/asterisk-immediate.conf << EOF
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf
[Definition]
#_daemon = asterisk
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
# *** All lines below should start with NOTICE
# Some lines have been wrapped due to space requirements for
# the book. All new lines should start with NOTICE.
#
failregex = NOTICE.* .*Call from '' \(<HOST>:.*\) to extension '.*' rejected because extension not found in context.*
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
EOF
</pre></div>
<p><strong>/etc/fail2ban/filter.d/asterisk.conf</strong></p>
<div class="codehilite"><pre><span></span>cat > /etc/fail2ban/filter.d/asterisk.conf << EOF
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf
[Definition]
#_daemon = asterisk
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
# *** All lines below should start with NOTICE
# Some lines have been wrapped due to space requirements for
# the book. All new lines should start with NOTICE.
#
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
NOTICE.* <HOST> failed to authenticate as '.*'$
NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
NOTICE.* .*Call from '' \(<HOST>:.*\) to extension '.*' rejected because extension not found in context.*
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
EOF
</pre></div>
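<p>As an added example (not the page's own code and not part of fail2ban), here is the failregex list from <code>asterisk.conf</code> above applied with Python's <code>re</code> the way fail2ban applies it: the <code>&lt;HOST&gt;</code> tag is expanded to the alias quoted in the filter comments and each log line is searched for the first pattern that matches. The log lines are constructed in the Asterisk messages-log format with documentation-range addresses; the tally ignores fail2ban's findtime window and treats the jail's <code>maxretry</code> as a plain count, both simplifications of this example.</p>

```python
import re
from collections import Counter

# fail2ban expands the <HOST> tag to this alias (quoted in the filter comments above).
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"

# failregex lines from filter.d/asterisk.conf on this page, one pattern per entry.
ASTERISK_FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL",
    r"NOTICE.* <HOST> failed to authenticate as '.*'$",
    r"NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)",
    r"NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)",
    r"NOTICE.* .*: Failed to authenticate user .*@<HOST>.*",
    r"NOTICE.* .*Call from '' \(<HOST>:.*\) to extension '.*' rejected because extension not found in context.*",
]
# filter.d/asterisk-immediate.conf carries only the last pattern.
ASTERISK_IMMEDIATE_FAILREGEX = ASTERISK_FAILREGEX[-1:]


def compile_filter(failregex):
    """Turn fail2ban-style patterns into Python regexes by expanding <HOST>."""
    return [re.compile(p.replace("<HOST>", HOST_ALIAS)) for p in failregex]


def matched_host(compiled, line):
    """Host captured by the first pattern that matches the line, or None."""
    for rx in compiled:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def tally_failures(lines, failregex=ASTERISK_FAILREGEX):
    """Per-host failure counts over the lines (no findtime window: a simplification)."""
    compiled = compile_filter(failregex)
    counts = Counter()
    for line in lines:
        host = matched_host(compiled, line)
        if host is not None:
            counts[host] += 1
    return dict(counts)


def ban_candidates(lines, maxretry=5, failregex=ASTERISK_FAILREGEX):
    """Hosts whose count reached maxretry (5 in the asterisk-iptables jail on this page)."""
    return sorted(h for h, n in tally_failures(lines, failregex).items() if n >= maxretry)


# Constructed sample lines in Asterisk's messages-log format; 198.51.100.23,
# 192.0.2.44 and 203.0.113.7 are documentation addresses, not real hosts.
SAMPLE_LOG = [
    "[Jun 19 15:59:01] NOTICE[1234] chan_sip.c: Registration from '\"100\" <sip:100@203.0.113.7>' failed for '198.51.100.23:5060' - Wrong password",
    "[Jun 19 15:59:02] NOTICE[1234] chan_sip.c: Registration from '\"101\" <sip:101@203.0.113.7>' failed for '198.51.100.23:5060' - No matching peer found",
    "[Jun 19 15:59:03] NOTICE[1234] chan_sip.c: Call from '' (198.51.100.23:5060) to extension '0046700000000' rejected because extension not found in context 'public'.",
    "[Jun 19 15:59:04] NOTICE[1234] chan_sip.c: 192.0.2.44 failed to authenticate as '6000'",
    "[Jun 19 15:59:05] NOTICE[1234] chan_sip.c: Peer '46712345678-three' is now Reachable. (12 ms / 2000 ms)",
    "[Jun 19 15:59:06] NOTICE[1234] chan_sip.c: Registration for '46712345678@voip.tre.se' timed out, trying again (Attempt #2)",
    "[Jun 19 15:59:07] NOTICE[1234] chan_sip.c: Registration from '\"102\" <sip:102@203.0.113.7>' failed for '198.51.100.23:5060' - Username/auth name mismatch",
    "[Jun 19 15:59:08] NOTICE[1234] chan_sip.c: Registration from '\"103\" <sip:103@203.0.113.7>' failed for '198.51.100.23:5060' - Device does not match ACL",
    "[Jun 19 15:59:09] NOTICE[1234] chan_sip.c: Registration from '\"104\" <sip:104@203.0.113.7>' failed for '198.51.100.23:5060' - Wrong password",
]

if __name__ == "__main__":
    print(tally_failures(SAMPLE_LOG))   # {'198.51.100.23': 6, '192.0.2.44': 1}
    print(ban_candidates(SAMPLE_LOG))   # ['198.51.100.23']
```

<p>The two lines about the outbound registration to voip.tre.se (the "Reachable" and "timed out" notices) match nothing, which is the property to keep in mind when adding patterns: a regex loose enough to match your own trunk's notices would ban your carrier's address.</p>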
<p><strong>/etc/fail2ban/jail.conf</strong></p>
<div class="codehilite"><pre><span></span>cat >> /etc/fail2ban/jail.conf << EOF
[asterisk-iptables]
enabled = true
filter = asterisk
protocol = all
port = all
banaction = iptables-allports
port = anyport
logpath = /var/log/asterisk/messages
maxretry = 5
bantime = 259200
[asterisk-immediate]
enabled = true
filter = asterisk-immediate
protocol = all
port = all
banaction = iptables-allports
port = anyport
logpath = /var/log/asterisk/messages
maxretry = 0
bantime = -1
EOF
</pre></div>Install OpenBSD as an Xen DomU (HVM)2015-06-15T22:06:00+02:002015-06-15T22:06:00+02:00magnustag:community.riocities.com,2015-06-15:/openbsd_xen_domu.html<p>Quick howto for installing OpenBSD as a HVM DomU in Xen on Debian</p><h1 id="introduction">Introduction<a class="headerlink" href="#introduction" title="Permanent link">¶</a></h1>
<p>This HOWTO covers how to configure XEN in order to install OpenBSD as a virtual machine (DomU).</p>
<h1 id="preperation-and-installation">Preparation and installation<a class="headerlink" href="#preperation-and-installation" title="Permanent link">¶</a></h1>
<h2 id="download-openbsd-installation-iso-to-the-xen-server">Download OpenBSD installation ISO to the Xen Server<a class="headerlink" href="#download-openbsd-installation-iso-to-the-xen-server" title="Permanent link">¶</a></h2>
<p>In this HOWTO we use OpenBSD 5.7. We have created a directory called <em>/opt/images</em> where we download the installation image for OpenBSD.</p>
<p><code>cd /opt/images && wget "http://ftp.eu.openbsd.org/pub/OpenBSD/5.7/amd64/install57.iso"</code></p>
<h2 id="create-a-logical-volume-in-lvm-for-the-disk">Create a Logical Volume in LVM for the disk<a class="headerlink" href="#create-a-logical-volume-in-lvm-for-the-disk" title="Permanent link">¶</a></h2>
<p><code>lvcreate -n openbsd-disk -L 4G <path to volume group></code></p>
<p>Adjust the disk size to your needs.</p>
<h2 id="create-your-xen-configuration-file">Create your Xen configuration file<a class="headerlink" href="#create-your-xen-configuration-file" title="Permanent link">¶</a></h2>
<p><em>/etc/xen/openbsd.cfg</em></p>
<div class="codehilite"><pre><span></span>builder = 'hvm'
memory = '256'
vcpus = 1
# Adjust Logical Volume path to your location
disk = [
'phy:/dev/vg_md0/openbsd-disk,ioemu:hda,w',
'file:/opt/images/install57.iso,ioemu:hdc:cdrom,r',
]
# Hostname
name = 'openbsd'
# Networking, Adapt bridge to your needs
vif = ['mac=00:16:3E:B6:AA:BB, bridge=br_200, model=e1000']
# Boot on disk first then on cdrom
boot = 'cd'
vnc = 1
vncviewer = 0
# Bind to port 5910, should be unique for each virtual server
vncdisplay = 10
sdl = 0
</pre></div>
<h2 id="start-the-installation">Start the installation<a class="headerlink" href="#start-the-installation" title="Permanent link">¶</a></h2>
<p><code>xl create /etc/xen/openbsd.cfg</code></p>
<p>NOTE: On Wheezy and earlier use <strong>xm</strong> instead of <strong>xl</strong></p>
<p>Start a VNC viewer and connect to port 5910; this gives you access to the graphical console of the virtual machine.</p>
<p>NOTE: You might need to port forward the VNC port if you are using SSH to access your Xen Server.</p>
<p><code>ssh <IP to your Xen Server> -L 5910:127.0.0.1:5910</code></p>
<p>In this case use <code>vncviewer localhost:10</code> to connect to the console.</p>
<h1 id="post-installation-recommendations-for-openbsd-domu">Post installation recommendations for OpenBSD (DomU)<a class="headerlink" href="#post-installation-recommendations-for-openbsd-domu" title="Permanent link">¶</a></h1>
<p>The following steps are optional.</p>
<h2 id="recommended-packages-to-install">Recommended packages to install<a class="headerlink" href="#recommended-packages-to-install" title="Permanent link">¶</a></h2>
<div class="codehilite"><pre><span></span>pkg_add -v http://ftp.sunet.se/pub/OpenBSD/5.7/packages/amd64/git-2.3.0.tgz
pkg_add -v http://ftp.sunet.se/pub/OpenBSD/5.7/packages/amd64/bash-4.3.33.tgz
pkg_add -v http://ftp.sunet.se/pub/OpenBSD/5.7/packages/amd64/wget-1.16.1.tgz
pkg_add -v http://ftp.sunet.se/pub/OpenBSD/5.7/packages/amd64/lsof-4.87p4.tgz
pkg_add -v http://ftp.sunet.se/pub/OpenBSD/5.7/packages/amd64/ngrep-1.45p4.tgz
</pre></div>
<h2 id="setup-git-version-control-of-etc">Setup git version control of /etc<a class="headerlink" href="#setup-git-version-control-of-etc" title="Permanent link">¶</a></h2>
<div class="codehilite"><pre><span></span>cd /etc
git config --global user.name "Your Name"
git config --global user.email you@example.com
git init
git add .
git commit -a -m "Post install state"
</pre></div>
<h1 id="upgrade-to-openbsd-57-snapshot">Upgrade to OpenBSD 5.7 snapshot<a class="headerlink" href="#upgrade-to-openbsd-57-snapshot" title="Permanent link">¶</a></h1>
<p>If you like to upgrade to the latest snapshot, you can follow <a href="openbsd_upgrade_xen_hvm.html"><strong>this</strong></a> guide.</p>OpenBSD upgrade (XEN HVM)2015-06-14T00:00:00+02:002015-06-14T00:00:00+02:00henriktag:community.riocities.com,2015-06-14:/openbsd_upgrade_xen_hvm.html<p>Lazy for how to upgrade from OpenBSD 5.7 to 5.7-snapshot</p>
<p>(Installation instruction of <a href="openbsd_xen_domu.html">OpenBSD as XEN-HVM</a>)</p>
<h1 id="preparations">Preparations<a class="headerlink" href="#preparations" title="Permanent link">¶</a></h1>
<p>Download 5.7-snapshot versions of <code>install57.iso</code> and <code>SHA256.sig</code>.</p>
<p>Store <code>install57.iso</code> on the dom0</p>
<p>scp the <code>SHA256.sig</code> file into the OpenBSD domU</p>
<p>Restart the OpenBSD HVM-domU with the CD attached from dom0.</p>
<p>Mount CD in OpenBSD</p>
<div class="codehilite"><pre><span></span><span class="go">mount_cd9660 /dev/cd0 /mnt/</span>
</pre></div>
<p>Validate the CD with <code>signify</code> and the earlier transferred SHA256.sig file</p>
<div class="codehilite"><pre><span></span><span class="go">cd /mnt/5.7/<arch></span>
<span class="go">signify -C -p /etc/signify/openbsd-57-base.pub -x <path to sig file>/SHA256.sig</span>
</pre></div>
<h1 id="upgrade">Upgrade<a class="headerlink" href="#upgrade" title="Permanent link">¶</a></h1>
<p>Upgrade the "RAM Disk" kernel</p>
<div class="codehilite"><pre><span></span><span class="go">cp /mnt/5.7/<arch>/bsd.rd /</span>
</pre></div>
<p>Connect with VNC, reboot, and reconnect with VNC once you have been disconnected.</p>
<p>At the <code>boot></code> prompt type <code>boot bsd.rd</code></p>
<p>When bsd.rd has booted into the installer, choose <code>(U)pgrade</code></p>
<p>When prompted select <code>cd0</code> as upgrade source</p>
<p>At the end of the upgrade type <code>reboot</code></p>
<h1 id="merge-changes-to-etc">Merge changes to /etc<a class="headerlink" href="#merge-changes-to-etc" title="Permanent link">¶</a></h1>
<p><strong>Note</strong>: you can do this part via ssh (no need for VNC)</p>
<p>After reboot do a <code>sysmerge</code> to upgrade and merge config-files in the <code>/etc/</code> directory. </p>iSCSI Initiator on Debian2015-06-03T21:06:00+02:002015-08-11T23:30:00+02:00magnustag:community.riocities.com,2015-06-03:/iscsi_initiator_debian.html<p>Quick howto for using iSCSI on Debian with XEN DomU's</p><h1 id="introduction">Introduction<a class="headerlink" href="#introduction" title="Permanent link">¶</a></h1>
<p>If you have a NAS in your network, it can be convenient to set up iSCSI on the NAS and export logical drives to your Debian server. This HOWTO has been tested on Debian Wheezy.</p>
<h2 id="package-that-need-to-be-installed">Package that need to be installed<a class="headerlink" href="#package-that-need-to-be-installed" title="Permanent link">¶</a></h2>
<div class="codehilite"><pre><span></span><span class="gp">#</span> apt-get install open-iscsi
</pre></div>
<h2 id="on-the-target-nas">On the target (NAS)<a class="headerlink" href="#on-the-target-nas" title="Permanent link">¶</a></h2>
<p>In this example we use XEN on our Debian server and we use iSCSI for the different drive partitions on the virtual machines (DomU's).</p>
<p>Create one target in the NAS for every virtual machine and one LUN on the target for every partition the virtual machine will use, e.g. <em>disk</em> and <em>swap</em>.</p>
<h2 id="on-the-initiator-debian-server-running-xen">On the initiator (Debian server running XEN)<a class="headerlink" href="#on-the-initiator-debian-server-running-xen" title="Permanent link">¶</a></h2>
<h3 id="configure-udev-rules">Configure udev rules<a class="headerlink" href="#configure-udev-rules" title="Permanent link">¶</a></h3>
<p>Run the following as root:</p>
<div class="codehilite"><pre><span></span><span class="gp">#</span> <span class="nb">echo</span> <span class="s1">'KERNEL=="sd*", ACTION=="add", PROGRAM="/etc/udev/scripts/iscsidev.sh %p",SYMLINK+="iscsi/%c{1}/lun%c{2}"'</span> > /etc/udev/rules.d/55-openiscsi.rules
<span class="gp">#</span> mkdir /etc/udev/scripts
<span class="gp">#</span> cat > /etc/udev/scripts/iscsidev.sh << EOF
<span class="gp">#</span>!/bin/sh
<span class="gp">#</span> FILE: /etc/udev/scripts/iscsidev.sh
<span class="go">BUS="\`echo "\$1" | sed 's/\//\n/g' | egrep '^[0-9]+:'\`"</span>
<span class="go">HOST=\${BUS%%:*}</span>
<span class="go">[ -e /sys/class/iscsi_host ] || exit 1</span>
<span class="go">file="/sys/class/iscsi_host/host\${HOST}/device/session*/iscsi_session*/session*/targetname"</span>
<span class="go">target_name=\$(cat \${file})</span>
<span class="gp">#</span> This is not an open-scsi drive
<span class="go">if [ -z "\${target_name}" ]; then</span>
<span class="go"> exit 1</span>
<span class="go">fi</span>
<span class="gp">#</span> Check <span class="k">if</span> QNAP drive
<span class="go">check_qnap_target_name=\${target_name%%:*}</span>
<span class="go">if [ \$check_qnap_target_name = "iqn.2004-04.com.qnap" ]; then</span>
<span class="go"> target_name=\`echo "\${target_name%.*}"\`</span>
<span class="go">fi</span>
<span class="go">lun="\`echo \$BUS | awk -F: '{print \$NF}'\`" </span>
<span class="go">echo "\${target_name##*.} \$lun"</span>
<span class="go">EOF</span>
<span class="gp">#</span> chmod <span class="m">755</span> /etc/udev/scripts/iscsidev.sh
</pre></div>
<h1 id="commands-to-use">Commands to use<a class="headerlink" href="#commands-to-use" title="Permanent link">¶</a></h1>
<p><strong>To find targets from the NAS on the initiator (Debian server)</strong><br/>
<code>iscsiadm --mode discovery --type sendtargets --portal <TARGET_IP></code></p>
<p>This command is useful after a new target has been added on the NAS, to obtain the target name.</p>
<p><strong>Manually connect to a target</strong><br/>
<code>iscsiadm --mode node --targetname <TARGET> --portal <TARGET_IP>:3260 --login</code></p>
<p><strong><em>Example</em></strong><br/>
<code>iscsiadm --mode node --targetname iqn.2004-04.com.qnap:ts-412:iscsi.dhcpserver.d8a009 --portal 192.168.1.1:3260 --login</code></p>
<p><strong>Manually disconnect from a target</strong><br/>
<code>iscsiadm --mode node --targetname <TARGET> --portal <TARGET_IP>:3260 --logout</code></p>
<p><strong>Tell open iscsi to automatically connect to a target during boot</strong><br/>
<code>iscsiadm --mode node --targetname <TARGET> --portal <TARGET_IP> --op update --name node.startup --value automatic</code></p>
<p><strong><em>IMPORTANT NOTE</em></strong><br/>
Your automatic settings will be reverted to manual every time you perform a scan using<br/><code>iscsiadm --mode discovery --type sendtargets</code></p>
<p>It might be a good idea to create a script in which you configure the startup of your targets to be <em>automatic</em>. This script can be executed manually when needed.</p>
<p><em>/usr/local/bin/update-iscsi-targets.sh</em></p>
<div class="codehilite"><pre><span></span><span class="ch">#!/bin/sh</span>
<span class="c1">#</span>
<span class="c1"># Update targets will set start mode to manual</span>
iscsiadm --mode discovery --type sendtargets --portal <span class="m">192</span>.168.1.1
<span class="c1"># Set each target to automatic manually to specify the IP you want (multplie IPs on same NAS)</span>
iscsiadm --mode node --targetname iqn.2004-04.com.qnap:ts-412:iscsi.dhcpserver.d8a009 --portal <span class="m">192</span>.168.1.1:3260 --op update --name node.startup --value automatic
</pre></div>
<h1 id="the-result">The result<a class="headerlink" href="#the-result" title="Permanent link">¶</a></h1>
<p>Your imported devices should now be available in <code>/dev/iscsi/<TARGET_NAME>/<LUN></code></p>
<p><strong>Example</strong><br/>
<em>/dev/iscsi/dhcpserver/lun0</em></p>
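<p>The name derivation done by <code>iscsidev.sh</code>, reimplemented as an added Python example (not the page's script) so it can be checked against constructed inputs without sysfs: the udev <code>%p</code> devpath is scanned for the H:C:T:L element, the target name that the script reads from sysfs is passed in as an argument, and the result is the <code>iscsi/&lt;name&gt;/lun&lt;N&gt;</code> symlink that the udev rule builds from <code>%c{1}</code> and <code>%c{2}</code>. It tightens the script's match from "starts with digits and a colon" to a full four-field SCSI address, an assumption of this example, so that a PCI address such as <code>0000:00:1f.2</code> in a local disk's devpath is not mistaken for the bus element.</p>

```python
import re

# QNAP targets look like iqn.2004-04.com.qnap:<model>:iscsi.<name>.<random>; the script
# drops the trailing random component before taking the last dot-separated field.
QNAP_PREFIX = "iqn.2004-04.com.qnap"

# One element of the udev %p devpath is the SCSI address host:channel:target:lun.
# The page's script matches '^[0-9]+:'; requiring all four fields is this example's tightening.
SCSI_ADDRESS = re.compile(r"^[0-9]+:[0-9]+:[0-9]+:[0-9]+$")


def parse_devpath(devpath):
    """Return (host, lun) from the SCSI address element of a sysfs devpath, or (None, None).
    The host number is what the script uses to locate /sys/class/iscsi_host/host<N>/."""
    for element in devpath.split("/"):
        if SCSI_ADDRESS.match(element):
            fields = element.split(":")
            return fields[0], fields[-1]   # ${BUS%%:*} and awk -F: '{print $NF}'
    return None, None


def short_target_name(target_name):
    """Reduce an IQN to its last dot-separated field, as the script's ${target_name##*.} does."""
    if not target_name:
        return None                        # not an open-iscsi disk: the script exits 1
    if target_name.split(":", 1)[0] == QNAP_PREFIX:
        target_name = target_name.rsplit(".", 1)[0]   # ${target_name%.*}
    return target_name.rsplit(".", 1)[-1]


def udev_symlink(devpath, target_name):
    """The SYMLINK value the udev rule builds from the script's two output words."""
    host, lun = parse_devpath(devpath)
    name = short_target_name(target_name)
    if host is None or name is None:
        return None
    return "iscsi/%s/lun%s" % (name, lun)


# Constructed inputs: a software-iSCSI disk and a local SATA disk (which has no target name).
ISCSI_DEVPATH = "/devices/platform/host3/session1/target3:0:0/3:0:0:0/block/sda"
ISCSI_TARGET = "iqn.2004-04.com.qnap:ts-412:iscsi.dhcpserver.d8a009"
LOCAL_DEVPATH = "/devices/pci0000:00/0000:00:1f.2/ata1/host0/target0:0:0/0:0:0:0/block/sda"

if __name__ == "__main__":
    print(udev_symlink(ISCSI_DEVPATH, ISCSI_TARGET))   # iscsi/dhcpserver/lun0
    print(udev_symlink(LOCAL_DEVPATH, ""))             # None
```

<p>Note that two targets whose IQNs end in the same last field would collide under <code>/dev/iscsi/</code>; the name is taken from the target, so keep the final component unique per virtual machine when you create targets on the NAS.</p>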
<p>You can use the drives directly in the cfg file of your DomU, or set up encryption with cryptsetup.</p>Running a DHCP server in a XEN domU2015-03-26T00:00:00+01:002015-03-26T00:00:00+01:00magnustag:community.riocities.com,2015-03-26:/dhcpd_in_domu.html<p>How to fix UDP checksum errors in a Xen DomU running a DHCP Server.</p>
<p>In <code>/etc/network/interfaces</code> in the domU acting as dhcp-server, add the following iptables rule</p>
<div class="codehilite"><pre><span></span><span class="na">auto eth0</span>
<span class="na">iface eth0 inet static</span>
<span class="na">address 192.168.139.2</span>
<span class="na">gateway 192.168.139.254</span>
<span class="na">netmask 255.255.255.0</span>
<span class="na">up iptables -t mangle -A POSTROUTING -o $IFACE -p udp --dport bootps -j CHECKSUM --checksum-fill</span>
</pre></div>
Debian based XEN dom0 setup2015-03-26T00:00:00+01:002016-07-27T22:26:32+02:00henriktag:community.riocities.com,2015-03-26:/xen_dom0_setup.html
<h2 id="prerequisite">Prerequisite<a class="headerlink" href="#prerequisite" title="Permanent link">¶</a></h2>
<p>Debian Jessie install with LVM and space left in an LVM volume group (<code>vg</code>) for the domUs.</p>
<p><strong>Note:</strong> diffs in this howto are against files in the /etc directory.</p>
<h2 id="setup-time-keeping-with-ntp">Setup time keeping with ntp<a class="headerlink" href="#setup-time-keeping-with-ntp" title="Permanent link">¶</a></h2>
<div class="codehilite"><pre><span></span><span class="gp">$</span> sudo apt-get install ntp
</pre></div>
<p>Make sure it does not listen on all interfaces (so that domUs cannot reach this dom0 service over the bridges)</p>
<div class="codehilite"><pre><span></span><span class="gd">--- a/default/ntp</span>
<span class="gi">+++ b/default/ntp</span>
<span class="gu">@@ -1 +1 @@</span>
<span class="gd">-NTPD_OPTS='-g'</span>
<span class="gi">+NTPD_OPTS='-g -I eth0'</span>
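Review bot: `-I eth0` only helps if eth0 is the interface that carries the dom0 address; on a dom0 whose NIC is later enslaved to a domU bridge the address moves to the bridge device, and `-I eth0` then leaves ntpd with nothing useful to bind, so name the bridge interface instead (or use `interface listen` with the interface name plus `interface ignore wildcard` in ntp.conf, which survives renames). Pair it with `restrict` lines so peers on that interface can query but not modify the server.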
</pre></div>
<h2 id="remove-nfs">Remove NFS<a class="headerlink" href="#remove-nfs" title="Permanent link">¶</a></h2>
<p>If you're not going to use NFS, it is better to purge it</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> sudo apt-get purge rpcbind nfs-common
</pre></div>
<h2 id="disable-ipv6">Disable IPv6<a class="headerlink" href="#disable-ipv6" title="Permanent link">¶</a></h2>
<p>We must disable IPv6 or else the dom0 will have an IPv6 link-local address in each bridge for the domUs</p>
<div class="codehilite"><pre><span></span><span class="gd">--- a/default/grub</span>
<span class="gi">+++ b/default/grub</span>
<span class="gu">@@ -7,7 +7,7 @@ GRUB_DEFAULT=0</span>
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
<span class="gd">-GRUB_CMDLINE_LINUX=""</span>
<span class="gi">+GRUB_CMDLINE_LINUX="ipv6.disable=1"</span>
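Review bot: `ipv6.disable=1` switches IPv6 off in the dom0 kernel only, which is what removes the link-local addresses from the bridges; the domUs keep their own IPv6 stacks, so any guest that must not speak IPv6 on those bridges needs the same boot parameter itself. The new value also only reaches the kernel after `update-grub`, which is run further down.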
</pre></div>
<p>If you are running exim4 you need to disable IPv6 for exim as well, or you will get this in the paniclog</p>
<div class="codehilite"><pre><span></span>2015-03-13 21:01:33 IPv6 socket creation failed: Address family not supported by protocol
</pre></div>
<p>Use <code>dpkg-reconfigure exim4-config</code> to disable IPv6 in exim by removing <code>; ::1</code> from "IP-addresses to listen on for incoming SMTP connection"</p>
<h2 id="install-the-xen-system">Install the XEN system<a class="headerlink" href="#install-the-xen-system" title="Permanent link">¶</a></h2>
<div class="codehilite"><pre><span></span><span class="gp">$</span> sudo apt-get install xen-system-amd64 xen-tools bridge-utils
</pre></div>
<h2 id="dom0-mem-config">Dom0 mem config<a class="headerlink" href="#dom0-mem-config" title="Permanent link">¶</a></h2>
<p>Configure a fixed amount of memory for dom0 and make sure auto-ballooning is disabled ;-)</p>
<p><strong>Note:</strong> 1024M is enough for the dom0 to be able to cache a bit; if you have less RAM
in your system, 512MB will be fine as well.</p>
<div class="codehilite"><pre><span></span><span class="gd">--- a/default/grub</span>
<span class="gi">+++ b/default/grub</span>
<span class="gu">@@ -9,6 +9,9 @@ GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`</span>
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="ipv6.disable=1"
<span class="gi">+# Xen boot parameters for all Xen boots</span>
<span class="gi">+GRUB_CMDLINE_XEN="dom0_mem=1024M,max:1024M"</span>
<span class="gi">+</span>
# Uncomment to enable BadRAM filtering, modify to suit your needs
# This works with Linux (no patch required) and with any kernel that obtains
# the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...)
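Review bot: GRUB_CMDLINE_XEN is only picked up when `update-grub` regenerates the menu, which happens in the grub section below, so a reader applying this hunk alone gets no change on the next boot; a one-line reminder here would help. The `max:1024M` part is what matters for the xl.conf hunk that follows: without the cap the hypervisor could still balloon dom0 up again later.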
<span class="gh">diff --git a/xen/xl.conf b/xen/xl.conf</span>
<span class="gh">index 374b6bb..3cd2902 100644</span>
<span class="gd">--- a/xen/xl.conf</span>
<span class="gi">+++ b/xen/xl.conf</span>
<span class="gu">@@ -3,7 +3,7 @@</span>
# Control whether dom0 is ballooned down when xen doesn't have enough
# free memory to create a domain. "auto" means only balloon if dom0
# starts with all the host's memory.
<span class="gd">-#autoballoon="auto"</span>
<span class="gi">+autoballoon=0</span>
# full path of the lockfile used by xl during domain creation
#lockfile="/var/lock/xl"
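Review bot: `autoballoon=0` is the right companion to a fixed dom0_mem, but it changes the failure mode: with ballooning off, `xl create` fails when the host has too little free memory instead of shrinking dom0, as the context comment describes, so total domU memory has to be planned against host RAM minus the 1024M reserved above.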
</pre></div>
<h2 id="configure-grub-to-boot-xen-first">Configure Grub to boot XEN first<a class="headerlink" href="#configure-grub-to-boot-xen-first" title="Permanent link">¶</a></h2>
<p>Make sure grub boots the XEN hypervisor entry first, and that os-prober does not add the domU volumes to the grub menu</p>
<p>Add this to <code>/etc/default/grub</code></p>
<div class="codehilite"><pre><span></span><span class="na">GRUB_DISABLE_OS_PROBER</span><span class="o">=</span><span class="s">true</span>
</pre></div>
<div class="codehilite"><pre><span></span><span class="gp">$</span> sudo dpkg-divert --divert /etc/grub.d/08_linux_xen --rename /etc/grub.d/20_linux_xen
<span class="gp">$</span> sudo update-grub
</pre></div>
<h2 id="reboot-domus-instead-of-saving">Reboot domUs instead of saving<a class="headerlink" href="#reboot-domus-instead-of-saving" title="Permanent link">¶</a></h2>
<p>Disable save and restore of domUs (shutdown and restart instead)</p>
<div class="codehilite"><pre><span></span><span class="gd">--- a/default/xendomains</span>
<span class="gi">+++ b/default/xendomains</span>
<span class="gu">@@ -21,12 +21,12 @@</span>
# (e.g. because you rather shut domains down).
# If domain saving does succeed, SHUTDOWN will not be executed.
#
<span class="gd">-XENDOMAINS_SAVE=/var/lib/xen/save</span>
<span class="gi">+XENDOMAINS_SAVE=""</span>
# This variable determines whether saved domains from XENDOMAINS_SAVE
# will be restored on system startup.
#
<span class="gd">-XENDOMAINS_RESTORE=true</span>
<span class="gi">+XENDOMAINS_RESTORE=false</span>
# This variable sets the directory where domains configurations
# are stored that should be started on system startup automatically.
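Review bot: with XENDOMAINS_SAVE emptied, the SHUTDOWN action mentioned in the context comment now runs for every domU on dom0 shutdown, so each guest needs a working PV shutdown path or it will sit until the xendomains stop timeout expires and then be destroyed; worth a comment here, and check that the timeout variable in the same file is long enough for the slowest guest. XENDOMAINS_RESTORE=false is consistent, since nothing is saved to restore.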
</pre></div>
<h2 id="configure-xen-tools">Configure Xen-tools<a class="headerlink" href="#configure-xen-tools" title="Permanent link">¶</a></h2>
<p>Initial minimal xen-tools configuration (my vg for domUs is named <code>vg_raid1</code>)</p>
<div class="codehilite"><pre><span></span><span class="gd">--- a/xen-tools/xen-tools.conf</span>
<span class="gi">+++ b/xen-tools/xen-tools.conf</span>
<span class="gu">@@ -52,7 +52,7 @@</span>
# LVM volume group here instead
#
##
<span class="gd">-# lvm = vg0</span>
<span class="gi">+lvm = vg_raid1</span>
#
<span class="gu">@@ -130,10 +130,10 @@ memory = 128M # Suffix (G, M, k) required</span>
#maxmem = 256M # Suffix (G, M, k) optional
swap = 128M # Suffix (G, M, k) required
# noswap = 1 # Don't use swap at all for new systems.
<span class="gd">-fs = ext3 # Default file system for any disk</span>
<span class="gd">-dist = `xt-guess-suite-and-mirror --suite`</span>
<span class="gi">+fs = ext4 # Default file system for any disk</span>
<span class="gi">+dist = wheezy</span>
# Default distribution is determined by Dom0's distribution
<span class="gd">-image = sparse # Specify sparse vs. full disk images (file based images only)</span>
<span class="gi">+image = full # Specify sparse vs. full disk images (file based images only)</span>
#
# See the README for currently supported and tested distributions. You can
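Review bot: `dist = wheezy` pins new domUs to the previous release while the dom0 runs Jessie; if deliberately older guests are intended, say so in a comment, otherwise keep the `xt-guess-suite-and-mirror` line so guests track the dom0. `image = full` is a no-op here: as its own trailing comment says, it only applies to file-based images, and this configuration uses LVM (`lvm = vg_raid1`).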
<span class="gu">@@ -152,7 +152,7 @@ image = sparse # Specify sparse vs. full disk images (file based images only)</span>
# new instances static IP addresses.
#
# gateway = 192.168.1.1
<span class="gd">-# netmask = 255.255.255.0</span>
<span class="gi">+netmask = 255.255.255.0</span>
# broadcast = 192.168.1.255
#
# Uncomment this if you wish the images to use DHCP
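Review bot: only `netmask` is uncommented while `gateway` and `broadcast` stay commented, so static-IP guests still need `--gateway` on every `xen-create-image` call; either uncomment `gateway` with the real router address or add a comment saying the gateway is passed on the command line.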
<span class="gu">@@ -241,7 +241,7 @@ initrd = /boot/initrd.img-`uname -r`</span>
# Uncomment the following line if you wish to use pygrub by default
# for all distributions.
#
<span class="gd">-# pygrub = 1</span>
<span class="gi">+pygrub = 1</span>
#
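Review bot: with `pygrub = 1` the guest kernel and initrd come from inside the domU image, so the `initrd = /boot/initrd.img-...` line shown in the hunk header no longer applies to new guests; a comment saying so avoids the next reader wondering which kernel a domU boots. Pygrub also runs in dom0 and parses the guest's filesystem and grub config, so for guests you do not trust, pvgrub is the safer choice.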
</pre></div>
<h2 id="setup-tab-completion">Setup Tab completion<a class="headerlink" href="#setup-tab-completion" title="Permanent link">¶</a></h2>
<p>Debian currently lacks tab completion for xl <a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=768005">#768005</a></p>
<p>Basic (not as good as the xm completion) tab completion can be fetched here
<a href="http://xenbits.xenproject.org/gitweb/?p=xen.git;a=blob;f=tools/libxl/bash-completion;h=b7cd6b3992fa22f33ffe9d4851d122383ab8e319;hb=d5a7ed88d86f840c0cc26ebc48987101669b5bf7">xen.git xl</a>.</p>
<p>Store it as <code>/etc/bash_completion.d/xl</code></p>
<h2 id="enable-mcelog">Enable mcelog<a class="headerlink" href="#enable-mcelog" title="Permanent link">¶</a></h2>
<p>To get machine check exceptions like ECC errors logged with <a href="http://www.mcelog.org/">mcelog</a>, you need to blacklist any used edac modules.
Check for them with <code>lsmod | fgrep edac</code> and blacklist if you find them to be loaded:</p>
<p>Example:</p>
<div class="codehilite"><pre><span></span><span class="go">echo "blacklist edac_core" >> /etc/modprobe.d/edac-blacklist.conf</span>
<span class="go">echo "blacklist i7core_edac" >> /etc/modprobe.d/edac-blacklist.conf</span>
</pre></div>
<p>After this mcelog can be installed to handle events from the kernel</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> sudo apt-get install mcelog
</pre></div>
<h2 id="setup-pci-passthrough-optional">Setup pci passthrough (optional)<a class="headerlink" href="#setup-pci-passthrough-optional" title="Permanent link">¶</a></h2>
<p>Find the pci id for the device you would like to pass to a domU</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> lspci <span class="p">|</span> fgrep Ethernet
<span class="go">03:00.0 Ethernet controller: Broadcom Corporation NetXtreme BCM5720 Gigabit Ethernet PCIe</span>
<span class="go">03:00.1 Ethernet controller: Broadcom Corporation NetXtreme BCM5720 Gigabit Ethernet PCIe</span>
</pre></div>
<p>Create the following init.d script as <code>/etc/init.d/pci-release</code> to pass <code>03:00.1</code></p>
<div class="codehilite"><pre><span></span><span class="ch">#!/bin/sh</span>
<span class="c1">### BEGIN INIT INFO</span>
<span class="c1"># Provides: pci-release</span>
<span class="c1"># Required-Start: $syslog $remote_fs xend</span>
<span class="c1"># Required-Stop:</span>
<span class="c1"># X-Start-Before: xendomains</span>
<span class="c1"># Default-Start: 2 3 4 5</span>
<span class="c1"># Default-Stop:</span>
<span class="c1"># Short-Description: Provides pci-release</span>
<span class="c1"># Description: Releases some pci devices to be used by xen domUs</span>
<span class="c1">### END INIT INFO</span>
<span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="nv">$1</span><span class="s2">"</span> !<span class="o">=</span> <span class="s2">"start"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then</span>
<span class="nb">exit</span> <span class="m">0</span>
<span class="k">fi</span>
<span class="nb">echo</span> <span class="s2">"Adding devices to assignable list for xen domUs"</span>
<span class="nb">echo</span> <span class="s2">"Before:"</span>
xl pci-assignable-list
<span class="k">for</span> d in <span class="m">03</span>:00.1<span class="p">;</span> <span class="k">do</span>
<span class="nb">echo</span> <span class="s2">"Adding </span><span class="nv">$d</span><span class="s2">"</span>
lspci <span class="p">|</span> grep -i <span class="s2">"^</span><span class="nv">$d</span><span class="s2">"</span>
xl pci-assignable-add <span class="nv">$d</span>
<span class="nb">echo</span> <span class="s2">"Done adding </span><span class="nv">$d</span><span class="s2">"</span>
<span class="k">done</span>
<span class="nb">echo</span> <span class="s2">"After:"</span>
xl pci-assignable-list
<span class="nb">echo</span> <span class="s2">"Done adding devices"</span>
<span class="nb">exit</span> <span class="m">0</span>
</pre></div>
<p>Edit <code>03:00.1</code> for your needs (hint: <code>lspci</code>) and add as many PCI devices as you need to pass through.</p>
<p>Enable the init.d script</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> sudo chmod a+x /etc/init.d/pci-release
<span class="gp">$</span> sudo update-rc.d pci-release defaults
</pre></div>
<p>Make sure xen-pciback is loaded at boot by adding</p>
<div class="codehilite"><pre><span></span><span class="c1"># xen pci to domU</span>
<span class="na">xen-pciback</span>
</pre></div>
<p>in <code>/etc/modules</code>, that's it! After this the PCI devices can be handed to domUs by adding a line like this to the domU config file</p>
<div class="codehilite"><pre><span></span><span class="na">pci</span> <span class="o">=</span> <span class="s">[ '03:00.1' ]</span>
</pre></div>
<p>or if you see problems with the exported device in the domU (check dmesg):</p>
<div class="codehilite"><pre><span></span><span class="na">pci</span> <span class="o">=</span> <span class="s">[ '03:00.1,permissive=1' ]</span>
</pre></div>
Debian based XEN Network Driver Domain2015-03-17T00:00:00+01:002016-07-27T22:38:21+02:00henriktag:community.riocities.com,2015-03-17:/xen_network_driver_domain.html
<p>Configuring a Debian based XEN Network <a href="http://wiki.xen.org/wiki/Driver_Domain">Driver domain</a>.</p>
<p><strong>Note:</strong> Tested with Debian 8 Jessie as dom0 and as Network Driver Domain domU.</p>
<h2 id="setup-for-a-driver-domain-preparations-in-dom0">Setup for a driver domain (preparations in dom0)<a class="headerlink" href="#setup-for-a-driver-domain-preparations-in-dom0" title="Permanent link">¶</a></h2>
<p>Export at least one PCI device to the new network driver domain, in this example called <code>int-fw</code></p>
<div class="codehilite"><pre><span></span><span class="go">dom0 # lspci | fgrep Ethernet</span>
<span class="go">03:00.0 Ethernet controller: Broadcom Corporation NetXtreme BCM5720 Gigabit Ethernet PCIe</span>
<span class="go">03:00.1 Ethernet controller: Broadcom Corporation NetXtreme BCM5720 Gigabit Ethernet PCIe</span>
</pre></div>
<p>Add the following to the end of <code>/etc/xen/int-fw.cfg</code> to export the second nic to int-fw</p>
<div class="codehilite"><pre><span></span><span class="c1"># BCM5720 (nic 2)</span>
<span class="na">pci</span> <span class="o">=</span> <span class="s">[ '03:00.1,permissive=1' ]</span>
</pre></div>
<p><strong>Note</strong>: <code>permissive=1</code> should only be used if it does not work without it, so test without first.</p>
<p>Hand the device over to the dom0 xen-pciback module </p>
<div class="codehilite"><pre><span></span><span class="go">dom0 # echo xen-pciback >> /etc/modules</span>
<span class="go">dom0 # modprobe xen-pciback</span>
<span class="go">dom0 # xl pci-assignable-add 03:00.1</span>
</pre></div>
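<p>Both the <code>pci-release</code> init script in the dom0 howto above and the <code>xl pci-assignable-add</code> step here assume the function is really free to hand over. As an added example (not from either howto), a small POSIX sh check that normalises a BDF, reports which dom0 driver currently holds it and lists the sibling functions of the same device; <code>PCI_SYSFS</code> is an assumed knob so it can be run against a constructed sysfs tree.</p>

```shell
#!/bin/sh
# Added example, not from either howto: sanity checks for a PCI function
# before (or after) handing it to xen-pciback with xl pci-assignable-add.
# PCI_SYSFS is an assumed knob so the functions can be exercised against a
# constructed sysfs tree; on a real dom0 leave the default.
PCI_SYSFS=${PCI_SYSFS:-/sys/bus/pci/devices}

# pci_bdf_normalize BDF -> the full dddd:bb:dd.f form sysfs uses, lower-case
# ("03:00.1" -> "0000:03:00.1"); returns 1 for anything that is not a BDF
pci_bdf_normalize() {
    case "$1" in
        [0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F].[0-7])
            printf '%s\n' "$1" | tr 'A-F' 'a-f' ;;
        [0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F].[0-7])
            printf '0000:%s\n' "$1" | tr 'A-F' 'a-f' ;;
        *)
            return 1 ;;
    esac
}

# pci_driver BDF -> the kernel driver currently bound to the function
# ("tg3", "pciback", ...) or "none" when it is unbound; 1 if it does not exist
pci_driver() {
    dev="$PCI_SYSFS/$(pci_bdf_normalize "$1")" || return 1
    [ -d "$dev" ] || return 1
    if [ -L "$dev/driver" ]; then
        basename "$(readlink "$dev/driver")"
    else
        echo none
    fi
}

# pci_siblings BDF -> the other functions of the same device (03:00.0 next to
# 03:00.1).  Functions of one multi-function device usually share an IOMMU
# group and are not isolated from each other by the IOMMU, so either hand all
# of them to the same domU or accept that dom0 shares the group with it.
pci_siblings() {
    full=$(pci_bdf_normalize "$1") || return 1
    prefix=${full%.*}
    for d in "$PCI_SYSFS"/"$prefix".[0-7]; do
        [ -e "$d" ] || continue
        [ "$(basename "$d")" = "$full" ] && continue
        basename "$d"
    done
}

# pci_assignable_report BDF -> one line "BDF driver=<drv> siblings=<list>";
# status 0 when the function is on pciback or unbound (ready for a domU),
# 2 when a dom0 driver still holds it, 1 when it does not exist
pci_assignable_report() {
    full=$(pci_bdf_normalize "$1") || return 1
    drv=$(pci_driver "$full") || return 1
    sib=$(pci_siblings "$full" | tr '\n' ' ' | sed 's/ $//')
    printf '%s driver=%s siblings=%s\n' "$full" "$drv" "${sib:-none}"
    case "$drv" in
        pciback|none) return 0 ;;
        *) return 2 ;;
    esac
}

# usage: ./pci-check.sh report 03:00.1
if [ "${1:-}" = report ] && [ -n "${2:-}" ]; then
    pci_assignable_report "$2"
fi
```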
<p>Start the domU; the xen hotplug scripts are installed inside it in the next section</p>
<div class="codehilite"><pre><span></span>dom0 <span class="c1"># xl create -c /etc/xen/int-fw.cfg</span>
</pre></div>
<h2 id="setup-within-the-network-driver-domain-domu">Setup within the network driver domain domU<a class="headerlink" href="#setup-within-the-network-driver-domain-domu" title="Permanent link">¶</a></h2>
<div class="codehilite"><pre><span></span><span class="gp">root@int-fw:~#</span> apt-get install xen-utils-common vlan bridge-utils
<span class="gp">root@int-fw:~#</span> apt-get install --no-install-recommends xen-utils-4.4
<span class="gp">root@int-fw:~#</span> systemctl disable xen.service
<span class="gp">root@int-fw:~#</span> systemctl disable xendomains.service
</pre></div>
<p>Set up VLAN interfaces in <code>/etc/network/interfaces</code>; example where the PCI-exported NIC is <code>eth1</code></p>
<div class="codehilite"><pre><span></span><span class="na">auto eth1.13</span>
<span class="na">iface eth1.13 inet static</span>
<span class="na">address 192.168.3.1</span>
<span class="na">netmask 255.255.255.0</span>
<span class="na">network 192.168.3.0</span>
<span class="na">broadcast 192.168.3.255</span>
</pre></div>
<p>Set up bridges for the other domUs (e.g. an NFS domU)</p>
<div class="codehilite"><pre><span></span><span class="na">auto br_nfs</span>
<span class="na">iface br_nfs inet static</span>
<span class="na">bridge_ports none</span>
<span class="na">bridge_stp off</span>
<span class="na">bridge_maxwait 0</span>
<span class="na">bridge_fd 0</span>
<span class="na">address 192.168.12.1</span>
<span class="na">netmask 255.255.255.0</span>
</pre></div>
<p>Add this to <code>/etc/rc.local</code> (on int-fw) to re-run the vif hotplug for domUs that were started while int-fw itself was still booting.</p>
<div class="codehilite"><pre><span></span><span class="k">if</span> <span class="o">[</span> ! -e <span class="s2">"/proc/xen/capabilities"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then</span>
mount -t xenfs xenfs /proc/xen <span class="o">||</span> <span class="nb">exit</span> <span class="m">1</span>
<span class="k">fi</span>
<span class="nb">export</span> <span class="nv">SUBSYSTEM</span><span class="o">=</span>xen-backend
<span class="nb">export</span> <span class="nv">DRIVER</span><span class="o">=</span>vif
<span class="nb">export</span> <span class="nv">XENBUS_TYPE</span><span class="o">=</span>vif
<span class="nb">export</span> <span class="nv">ACTION</span><span class="o">=</span>online
<span class="nb">export</span> <span class="nv">XENBUS_BASE_PATH</span><span class="o">=</span>backend
<span class="k">for</span> vif in <span class="k">$(</span>ifconfig -a <span class="p">|</span> awk <span class="s1">'/^vif/ {print $1}'</span><span class="k">)</span>
<span class="k">do</span>
<span class="nv">x</span><span class="o">=</span><span class="k">$(</span><span class="nb">echo</span> <span class="nv">$vif</span> <span class="p">|</span> sed <span class="s1">'s/^vif//'</span> <span class="p">|</span> sed <span class="s1">'s/\.[0-9]*$//'</span><span class="k">)</span>
<span class="nv">y</span><span class="o">=</span><span class="k">$(</span><span class="nb">echo</span> <span class="nv">$vif</span> <span class="p">|</span> sed <span class="s1">'s/^vif[0-9]*\.//'</span><span class="k">)</span>
<span class="nb">export</span> <span class="nv">DEVPATH</span><span class="o">=</span>/devices/vif-<span class="nv">$x</span>-<span class="nv">$y</span>
<span class="nb">export</span> <span class="nv">XENBUS_PATH</span><span class="o">=</span>backend/vif/<span class="nv">$x</span>/<span class="nv">$y</span>
<span class="nb">export</span> <span class="nv">vif</span><span class="o">=</span><span class="nv">$vif</span>
/etc/xen/scripts/vif-bridge online
<span class="k">done</span>
</pre></div>
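<p>The loop above as an added example (not the article's code): the vif name parsing is split into functions so it can be checked on its own, interface names come from sysfs instead of <code>ifconfig</code>, non-vif names are rejected, and domid and devid are taken by exact parsing so that <code>vif10.0</code> and <code>vif1.10</code> both come out right. <code>VIF_BRIDGE_SCRIPT</code> and <code>NET_SYSFS</code> are assumed knobs for testing; their defaults are the real paths.</p>

```shell
#!/bin/sh
# Added example, not from the original article: the rc.local loop as testable
# functions.  Re-triggers the vif hotplug script for vif interfaces that exist
# in the driver domain but never saw their "online" event.  VIF_BRIDGE_SCRIPT
# and NET_SYSFS are assumed knobs for testing; the defaults are the real paths.
VIF_BRIDGE_SCRIPT=${VIF_BRIDGE_SCRIPT:-/etc/xen/scripts/vif-bridge}
NET_SYSFS=${NET_SYSFS:-/sys/class/net}

# vif_split NAME -> "<domid> <devid>" for vif<domid>.<devid>, else status 1
vif_split() {
    case "$1" in
        vif[0-9]*.[0-9]*) ;;
        *) return 1 ;;
    esac
    rest=${1#vif}
    domid=${rest%%.*}
    devid=${rest#*.}
    # both parts must be pure decimal (rejects vif1.2.3, vif1.x, ...)
    case "$domid$devid" in *[!0-9]*) return 1 ;; esac
    printf '%s %s\n' "$domid" "$devid"
}

# vif_xenbus_path NAME -> backend/vif/<domid>/<devid> (what vif-bridge reads)
vif_xenbus_path() {
    ids=$(vif_split "$1") || return 1
    set -- $ids
    printf 'backend/vif/%s/%s\n' "$1" "$2"
}

# vif_devpath NAME -> /devices/vif-<domid>-<devid>
vif_devpath() {
    ids=$(vif_split "$1") || return 1
    set -- $ids
    printf '/devices/vif-%s-%s\n' "$1" "$2"
}

# vif_online NAME -> runs the hotplug script with the environment the xen
# udev rule would have supplied; does nothing (status 1) for a non-vif name
vif_online() {
    ids=$(vif_split "$1") || return 1
    set -- $ids
    export SUBSYSTEM=xen-backend DRIVER=vif XENBUS_TYPE=vif ACTION=online
    export XENBUS_BASE_PATH=backend
    export DEVPATH="/devices/vif-$1-$2" XENBUS_PATH="backend/vif/$1/$2"
    vif="vif$1.$2"; export vif
    "$VIF_BRIDGE_SCRIPT" online
}

# vif_online_all -> re-triggers the hotplug for every vif interface present,
# e.g. for domUs that came up while the driver domain itself was still booting
vif_online_all() {
    for path in "$NET_SYSFS"/vif*; do
        [ -e "$path" ] || continue
        vif_online "$(basename "$path")" || echo "skipping $(basename "$path")" >&2
    done
}

# In rc.local, precede this with the xenfs mount from the article and then
# call: vif_online_all
if [ "${1:-}" = all ]; then
    vif_online_all
fi
```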
<h2 id="setup-of-other-domus">Setup of other domUs<a class="headerlink" href="#setup-of-other-domus" title="Permanent link">¶</a></h2>
<p>To make the other domUs use the network driver domain instead of dom0 for networking, change
the vif line in the domU.cfg by adding <code>,backend=int-fw</code> to the end. Example:</p>
<div class="codehilite"><pre><span></span><span class="c1">#</span>
<span class="c1"># Networking</span>
<span class="c1">#</span>
<span class="na">vif</span> <span class="o">=</span> <span class="s">[ 'ip=192.168.12.10, mac=00:16:3E:xx:yy:zz, bridge=br_nfs, backend=int-fw' ]</span>
</pre></div>
<h2 id="limitations">Limitations<a class="headerlink" href="#limitations" title="Permanent link">¶</a></h2>
<p>The other domUs must be rebooted after the network driver domain has been rebooted.</p>
<p>The xen-utils are normally installed in a dom0, and when a dom0 is rebooted so
are its domUs; hence they (at least currently) do not re-hotplug the network
interfaces of running domUs after a network driver domain has been rebooted.</p>
<p>Reboot of the other domUs can be done within each of them, or preferably in the
dom0 in one go:</p>
<div class="codehilite"><pre><span></span><span class="go">dom0 # service xendomains restart</span>
</pre></div>
<p>This also means that you <strong>must</strong> make sure that the network driver domain is the first domain that is started after a dom0 reboot.</p>
<p>In order to prevent needrestart from restarting xendomains by default, override the default selection for that service to 0 by adding the following to <code>/etc/needrestart/needrestart.conf</code>.</p>
<div class="codehilite"><pre><span></span><span class="na">$nrconf{override_rc}</span> <span class="o">=</span> <span class="s">{</span>
<span class="s"> ....</span>
<span class="s"> # xendomains</span>
<span class="s"> q(^xendomains) => 0,</span>
<span class="s"> ....</span>
</pre></div>
Fronting apt-cacher-ng with nginx2015-02-10T00:00:00+01:002015-02-10T00:00:00+01:00henriktag:community.riocities.com,2015-02-10:/fronting-apt-cacher-ng-with-nginx.html
<p>Why: I have some isolated islands in the network that are using a local
apt-cacher-ng instance. To optimize the caching I am moving to one central
cache and instead let the isolated islands connect via a proxy provided
by nginx.</p>
<div class="codehilite"><pre><span></span>sudo apt-get install nginx-light
</pre></div>
<p>Disable the <code>default</code> site</p>
<div class="codehilite"><pre><span></span>sudo rm /etc/nginx/sites-enabled/default
</pre></div>
<p>Configure the proxy as a new site in <code>/etc/nginx/sites-available/apt-cacher-ng</code></p>
<div class="codehilite"><pre><span></span><span class="k">upstream</span> <span class="s">apt-cacher-ng</span> <span class="p">{</span>
<span class="kn">server</span> <span class="n">aptproxy.example.com</span><span class="p">:</span><span class="mi">9999</span><span class="p">;</span>
<span class="kn">server</span> <span class="n">127.0.0.1</span><span class="p">:</span><span class="mi">9998</span> <span class="s">backup</span><span class="p">;</span>
<span class="p">}</span>
<span class="k">server</span> <span class="p">{</span>
<span class="kn">listen</span> <span class="mi">9999</span><span class="p">;</span>
<span class="kn">location</span> <span class="s">/</span> <span class="p">{</span>
<span class="kn">proxy_pass</span> <span class="s">http://apt-cacher-ng</span><span class="p">;</span>
<span class="kn">proxy_redirect</span> <span class="no">off</span><span class="p">;</span>
<span class="kn">proxy_buffering</span> <span class="no">off</span><span class="p">;</span>
<span class="kn">proxy_set_header</span> <span class="s">Host</span> <span class="nv">$host</span><span class="p">;</span>
<span class="kn">proxy_set_header</span> <span class="s">X-Real-IP</span> <span class="nv">$remote_addr</span><span class="p">;</span>
<span class="kn">proxy_set_header</span> <span class="s">X-Forwarded-For</span> <span class="nv">$proxy_add_x_forwarded_for</span><span class="p">;</span>
<span class="p">}</span>
<span class="p">}</span>
</pre></div>
<p>The local apt-cacher-ng instance is running as a backup on port 9998 and used in case the
central is down.</p>
<p>Enable the new site</p>
<div class="codehilite"><pre><span></span>cd /etc/nginx/sites-enabled/
sudo ln -s /etc/nginx/sites-available/apt-cacher-ng .
</pre></div>
<p>Start nginx</p>
<div class="codehilite"><pre><span></span>sudo service nginx start
</pre></div>
<p><strong>Note:</strong> If you would like the X-Forwarded-For info to be seen in the apt-cacher-ng log
you must enable the <code>LogSubmittedOrigin</code> option in <code>apt-cacher-ng/acng.conf</code>.</p>
HP ProLiant MicroServer Gen82015-01-24T00:00:00+01:002015-03-01T22:55:18+01:00henriktag:community.riocities.com,2015-01-24:/hp_microserver_gen8.html
<p>The HP Microserver Gen8 is a very nice home server for use as a NAS for
instance with the FreeNAS software or as a XEN or KVM server.</p>
<p>The entry level CPU choice (<a href="http://ark.intel.com/products/71074/Intel-Celeron-Processor-G1610T-2M-Cache-2_30-GHz">G1610T</a>) provides me with enough power to run almost 10 XEN domU:s
with 10GB RAM in the server (1GB RAM for the dom0).</p>
<p>Pros</p>
<ul>
<li>Price</li>
<li>Excellent HW-quality for its price</li>
<li>Performance</li>
<li>ECC memory (a must for a NAS)</li>
<li>Easy to replace hard-disks</li>
<li>Works fine with non HP branded hard-disks</li>
</ul>
<p>Cons</p>
<ul>
<li>Disks are not hot-swappable</li>
<li>Needs HP branded ECC memory (HP calls this limitation "HP SmartMemory" ;-) )</li>
<li>Non standard fan connector</li>
</ul>
<p>The server has built in LOM (lights out management) via a dedicated network interface. The LOM is called <a href="http://www8.hp.com/us/en/products/servers/ilo/">iLO version 4</a>.
However please note that you will need to purchase a license to use it for installing and managing the OS via the virtual console function.</p>
<p>Useful Links:</p>
<ul>
<li>
<p>The problem with the fan connector can apparently be <a href="http://www.silentpcreview.com/article1377-page9.html">worked around</a>.
I have not tested as the fan only runs at about 12% for me with 2x WD RED in it.</p>
</li>
<li>
<p>The storage controller must be configured in AHCI mode for use with Linux, and if you have an old firmware version
<a href="http://h20564.www2.hp.com/hpsc/doc/public/display?docId=c04226727">you must upgrade</a>.</p>
</li>
<li>
<p><a href="http://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c03871499">Howto change to AHCI mode</a> (<strong>Note:</strong> scroll down to "Configure the Controller for SATA Mode and Use the Distribution AHCI Driver")</p>
</li>
<li>
<p><a href="http://www.virten.net/2013/12/update-hp-microserver-with-2-5-ssd/">HP Microserver with 2.5″ SSD</a></p>
</li>
<li>
<p>Change to a XEON <a href="https://b3n.org/installed-xeon-e3-1230v2-in-gen8-hp-microserver/">E3-1230v2</a></p>
</li>
</ul>
Re part live system md+lvm2013-08-12T00:00:00+02:002014-02-26T23:14:56+01:00henriktag:community.riocities.com,2013-08-12:/Re-part_live_system-md-lvm.html
<p>Re-partitioning of a <strong>live system</strong> to have space for a new (and larger) grub bootloader.</p>
<h1 id="background-and-introduction">Background and introduction<a class="headerlink" href="#background-and-introduction" title="Permanent link">¶</a></h1>
<p>Upgrading from Debian Squeeze to Wheezy failed on my md+lvm systems (same problem with an Ubuntu LTS upgrade from lucid 10.04 to precise 12.04). </p>
<p>This is the error message from grub-install during the system upgrade, when it fails to fit the image</p>
<div class="codehilite"><pre><span></span>/usr/sbin/grub-setup: warn: Your core.img is unusually large. It won't fit in the embedding area..
/usr/sbin/grub-setup: error: embedding is not possible, but this is required when the root device is on a RAID array or LVM volume.
</pre></div>
<p>The grub2 in Wheezy is large and does not fit on drives partitioned with an old version of fdisk. Example from my system:</p>
<p><strong>Note</strong> use <code>fdisk -l &lt;device&gt;</code> with "Wheezy fdisk" and <code>fdisk -lu &lt;device&gt;</code> with "Squeeze fdisk"</p>
<div class="codehilite"><pre><span></span>Device Boot Start End Blocks Id System
/dev/sda1 * 63 312576704 156288321 fd Linux raid autodetect
</pre></div>
<p>If the disk had been partitioned with a newer fdisk, the first partition would start at sector 2048, and the Wheezy grub2 core image needs that extra space once md-raid and lvm support is built in.</p>
<p>So how to solve this? In short, it involves creating a new raid metadevice on disks partitioned so that the first partition starts at 2048, and
moving the existing lvm volume group to this metadevice.</p>
<p>=> This can be done by degrading the running raid array and repartitioning the disk that was removed from the running raid array.</p>
<p>I however strongly recommend that you add new disks while doing this on a live system. (There is an optional tagged chapter that shows how
this is done). The extra disks
can be connected via SATA/eSATA. USB will not work, as you cannot mix USB and SATA disks in the same array. If you try you will get this:</p>
<div class="codehilite"><pre><span></span>bio too big device md0 (248 > 240)
</pre></div>
<p>And that is NOT GOOD!</p>
<p><strong>NOTE NOTE NOTE</strong> - before starting any work you must make sure that you have free blocks in the volume group that has md0 as a physical volume. This is because the
new metadevice will be slightly smaller (in other words you need some <code>Free PE</code> in the md0 LVM physical volume)</p>
<p>Timing - This can be done before the upgrade, or as in my case directly after "dist-upgrade", but before reboot.</p>
<h1 id="adding-a-extra-disk-to-md0-optional">Adding an extra disk to md0 (optional)<a class="headerlink" href="#adding-a-extra-disk-to-md0-optional" title="Permanent link">¶</a></h1>
<p>The new disk must be larger than the existing disks, so you can partition it correctly (first partition at 2048) from the start and fit the new grub on at least that disk.</p>
<p>Later when you create md1 you can add an extra disk to that as well, so md1 is also having full redundancy during the data move.</p>
<h2 id="partitioning">Partitioning<a class="headerlink" href="#partitioning" title="Permanent link">¶</a></h2>
<p>Create a new primary partition starting at 2048 and ending at 'current-disk-end + (2048-63)', in my case
312576704 + 1985 = 312578689</p>
<p>Example in fdisk</p>
<div class="codehilite"><pre><span></span> Command (m for help): n
Partition type:
p primary (0 primary, 0 extended, 4 free)
e extended
Select (default p): p
Partition number (1-4, default 1):
Using default value 1
First sector (2048-976773167, default 2048):
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-976773167, default 976773167): 312578689
Command (m for help): t
Selected partition 1
Hex code (type L to list codes): fd
Changed system type of partition 1 to fd (Linux raid autodetect)
Disk /dev/sdc: 500.1 GB, 500107862016 bytes
81 heads, 63 sectors/track, 191411 cylinders, total 976773168 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0xc659cfc5
Device Boot Start End Blocks Id System
/dev/sdc1 * 2048 312578689 156288321 fd Linux raid autodetect
</pre></div>
<h2 id="install-grub-to-the-new-disk">Install grub to the new disk<a class="headerlink" href="#install-grub-to-the-new-disk" title="Permanent link">¶</a></h2>
<p>We at least want to have one disk with the new grub on it in case something happens</p>
<div class="codehilite"><pre><span></span><span class="c1"># grub-install /dev/sdc</span>
Installation finished. No error reported.
</pre></div>
<h2 id="add-the-new-disk-to-md0">Add the new disk to md0<a class="headerlink" href="#add-the-new-disk-to-md0" title="Permanent link">¶</a></h2>
<p>We first add the new disk as a spare</p>
<div class="codehilite"><pre><span></span><span class="c1"># mdadm --add /dev/md0 /dev/sdc1</span>
mdadm: added /dev/sdc1
</pre></div>
<p>and then "grow" the raid1 to three disks</p>
<div class="codehilite"><pre><span></span><span class="c1"># mdadm --grow --raid-devices=3 /dev/md0</span>
raid_disks <span class="k">for</span> /dev/md0 <span class="nb">set</span> to <span class="m">3</span>
</pre></div>
<p>And then <strong>wait</strong> for the full sync (hours to days) - see <code>/proc/mdstat</code></p>
<p>-- end optional extra mirror device setup ---</p>
<h1 id="md1-setup">md1 setup<a class="headerlink" href="#md1-setup" title="Permanent link">¶</a></h1>
<h2 id="remove-one-disk-from-md0">Remove one disk from md0<a class="headerlink" href="#remove-one-disk-from-md0" title="Permanent link">¶</a></h2>
<p>Remove the disk that will be the first disk in the new md1 </p>
<div class="codehilite"><pre><span></span><span class="c1"># mdadm --fail /dev/md0 /dev/sdb1</span>
<span class="c1"># mdadm --remove /dev/md0 /dev/sdb1</span>
</pre></div>
<h2 id="repartion-sdb">Repartition sdb<a class="headerlink" href="#repartion-sdb" title="Permanent link">¶</a></h2>
<p>Re-partition /dev/sdb with a new empty partition table and then add a new primary partition on it starting at 2048. </p>
<p>Fdisk output should be like this:</p>
<div class="codehilite"><pre><span></span> Device Boot Start End Blocks Id System
/dev/sdb1 * 2048 312581807 156289880 da Non-FS data
</pre></div>
<h2 id="install-grub-to-sdb">Install grub to sdb<a class="headerlink" href="#install-grub-to-sdb" title="Permanent link">¶</a></h2>
<p>We now have a disk with a suitable partition table for grub installation, so let's install it</p>
<div class="codehilite"><pre><span></span><span class="c1"># grub-install /dev/sdb</span>
Installation finished. No error reported.
</pre></div>
<h2 id="create-a-new-degraded-mirror-md1">Create a new degraded mirror (md1)<a class="headerlink" href="#create-a-new-degraded-mirror-md1" title="Permanent link">¶</a></h2>
<ul>
<li>Zero out previous raid super block (most probably not needed)
<strong>note:</strong> an error like "Unrecognised md component device" is to be expected</li>
</ul>
<div class="codehilite"><pre><span></span><span class="c1"># mdadm --zero-superblock /dev/sdb1</span>
mdadm: Unrecognised md component device - /dev/sdb1
</pre></div>
<p>Now we can set up md1 in degraded mode</p>
<div class="codehilite"><pre><span></span><span class="c1"># mdadm --create /dev/md1 --level=raid1 -f -n 1 /dev/sdb1</span>
</pre></div>
<p>Note: if doing this step on a pure Squeeze system (before partial upgrade) you should specify 1.2 format (default for mdadm in Wheezy)</p>
<div class="codehilite"><pre><span></span><span class="c1"># mdadm --create /dev/md1 --metadata=1.2 --level=raid1 -f -n 1 /dev/sdb1</span>
</pre></div>
<p>A word of warning, you will need to complete the upgrade to Wheezy before rebooting as a Squeeze system can <strong>not</strong> boot from a metadata version 1.2 mirror.</p>
<p><strong>Option:</strong> you can also add <code>--bitmap=internal</code> flag to <code>--create</code> in order to setup a write-intent bitmap. Note: if doing this with mdadm before user space upgrade to Wheezy the chunk size will be small. The default in Wheezy is 65536KB and can be selected with <code>--bitmap-chunk=</code> .</p>
<h1 id="house-keeping-precaution">House keeping (precaution)<a class="headerlink" href="#house-keeping-precaution" title="Permanent link">¶</a></h1>
<p>Some house keeping in case of a system/power failure </p>
<p><strong>update md config file</strong></p>
<p>We now need to update the system config with awareness of md1</p>
<div class="codehilite"><pre><span></span><span class="c1"># /usr/share/mdadm/mkconf > /etc/mdadm/mdadm.conf</span>
</pre></div>
<p><strong>update initrd files</strong></p>
<p>Make sure the new mdadm.conf is present in the initrd files</p>
<div class="codehilite"><pre><span></span><span class="c1"># update-initramfs -u -k all</span>
</pre></div>
<h1 id="move-the-data">Move the data<a class="headerlink" href="#move-the-data" title="Permanent link">¶</a></h1>
<p>Make md1 into a physical volume for LVM</p>
<div class="codehilite"><pre><span></span><span class="c1"># pvcreate /dev/md1</span>
</pre></div>
<p>Move the data from md0 to md1</p>
<div class="codehilite"><pre><span></span><span class="c1"># vgextend vg_raid1 /dev/md1</span>
<span class="c1"># pvmove /dev/md0</span>
<span class="c1"># vgreduce vg_raid1 /dev/md0</span>
<span class="c1"># pvremove /dev/md0</span>
</pre></div>
<h1 id="remove-md0-and-move-new-spare-partition-into-md1">Remove md0 and move new spare partition into md1<a class="headerlink" href="#remove-md0-and-move-new-spare-partition-into-md1" title="Permanent link">¶</a></h1>
<p>Now all data is in md1, so md0 can be removed and the disk in it can be used for md1</p>
<div class="codehilite"><pre><span></span><span class="c1"># mdadm --stop /dev/md0 </span>
</pre></div>
<p>Re-partition sda in the same way as sdb (starting at 2048)</p>
<p>Install grub</p>
<div class="codehilite"><pre><span></span><span class="c1"># grub-install /dev/sda</span>
Installation finished. No error reported.
</pre></div>
<p>Add sda1 to /dev/md1</p>
<div class="codehilite"><pre><span></span><span class="c1"># mdadm --zero-superblock /dev/sda1</span>
<span class="c1"># mdadm --add /dev/md1 /dev/sda1</span>
<span class="c1"># mdadm --grow /dev/md1 -n 2</span>
</pre></div>
<h1 id="house-keeping-end">House keeping (end)<a class="headerlink" href="#house-keeping-end" title="Permanent link">¶</a></h1>
<p>Some house keeping due to changes in metadevice setup</p>
<p><strong>update md config file</strong></p>
<p>We now need to update the system config with awareness of md0 removal</p>
<div class="codehilite"><pre><span></span><span class="c1"># /usr/share/mdadm/mkconf > /etc/mdadm/mdadm.conf</span>
</pre></div>
<p><strong>update initrd files</strong></p>
<p>Make sure the new mdadm.conf is present in the initrd files</p>
<div class="codehilite"><pre><span></span><span class="c1"># update-initramfs -u -k all</span>
</pre></div>
<ul>
<li>
<p>Wait for re-sync of md1 (see /proc/mdstat)</p>
</li>
<li>
<p>Complete the upgrade to Wheezy if not done before (mandatory if using 1.2 metadata)</p>
</li>
<li>
<p>Reboot (and hope for the best)...</p>
</li>
</ul>KVM mount guest disk on host2013-08-04T20:47:55+02:002013-08-04T20:47:55+02:00henriktag:community.riocities.com,2013-08-04:/KVM_mount_guest_disk_on_host.html
<p>How to mount a guest LVM disk on the host</p>
<p>Note: guest is called <strong>bup</strong> in the example</p>
<h2 id="setup">Setup<a class="headerlink" href="#setup" title="Permanent link">¶</a></h2>
<ol>
<li>
<p>Snapshot the guest's running LVM volume (the guest's virtual disk)</p>
<div class="codehilite"><pre><span></span>$ sudo lvcreate --size 100m --snapshot --name snap-bup /dev/vg_raid1/bup
Logical volume <span class="s2">"snap-bup"</span> created
</pre></div>
</li>
<li>
<p>Set up a loop device for the virtual disk snapshot</p>
<div class="codehilite"><pre><span></span>$ sudo losetup -f /dev/vg_raid1/snap-bup
/dev/loop0: <span class="o">[</span><span class="m">0005</span><span class="o">]</span>:49084 <span class="o">(</span>/dev/mapper/vg_raid1-snap--bup<span class="o">)</span>
</pre></div>
</li>
<li>
<p>Create device maps from the loopback device</p>
<div class="codehilite"><pre><span></span>$ sudo kpartx -av /dev/loop0
add map loop0p1 <span class="o">(</span><span class="m">251</span>:16<span class="o">)</span>: <span class="m">0</span> <span class="m">3817472</span> linear /dev/loop0 <span class="m">2048</span>
add map loop0p2 <span class="o">(</span><span class="m">251</span>:17<span class="o">)</span>: <span class="m">0</span> <span class="m">272386</span> linear /dev/loop0 <span class="m">3821566</span>
add map loop0p5 <span class="o">(</span><span class="m">251</span>:18<span class="o">)</span>: <span class="m">0</span> <span class="m">272384</span> <span class="m">251</span>:17 <span class="m">2</span>
</pre></div>
</li>
<li>
<p>Mount</p>
</li>
</ol>
<p>Now you can mount a partition from the snapshot of the guest disk; for example, mounting partition one read-only:</p>
<div class="codehilite"><pre><span></span>$ sudo mount /dev/mapper/loop0p1 /mnt/ -o ro
</pre></div>
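<p>The setup steps above together with the clean-up steps that follow, wrapped in one script as an added example (not from the original post): each step registers its undo command, and an EXIT trap replays the undo list in reverse order, so a failure half-way (say, kpartx finding no partition table on the snapshot) still detaches the loop device and removes the snapshot instead of leaving them behind. The volume group, guest name, mount point and read-only mount are the post's; the <code>DRY_RUN</code> switch (on by default, so the commands are printed rather than executed) and the assumption that the dry run would have been given <code>/dev/loop0</code> are this example's own.</p>

```shell
#!/bin/sh
# Added example: snapshot -> loop device -> kpartx -> read-only mount, with the
# tear-down kept as an undo stack that an EXIT trap replays in reverse order.
# DRY_RUN=1 (the default) only prints the commands; run as root with DRY_RUN=0
# to execute them for real.
set -eu

VG=${VG:-vg_raid1}
GUEST=${GUEST:-bup}
SNAP="snap-$GUEST"
MNT=${MNT:-/mnt}
PART=${PART:-1}            # partition of the guest disk to mount
DRY_RUN=${DRY_RUN:-1}
CLEANUP=""                 # undo commands, newest first, one per line
LOG=""                     # every command issued, in order
LOOP=""

# Execute (or, in a dry run, print) a command and record it in LOG.
run() {
    LOG="$LOG$*
"
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ $*" >&2
    else
        "$@"
    fi
}

# Register an undo command; it will run before those registered earlier.
push_cleanup() {
    CLEANUP="$*
$CLEANUP"
}

# Replay the undo stack once (later calls are no-ops), skipping empty lines.
cleanup() {
    todo=$CLEANUP
    CLEANUP=""
    while IFS= read -r cmd; do
        if [ -n "$cmd" ]; then
            run $cmd
        fi
    done <<EOF
$todo
EOF
}

# losetup -f --show prints the device it attached; a dry run cannot know it,
# so /dev/loop0 (the device in the post's output) is assumed there.
attach_loop() {
    if [ "$DRY_RUN" = 1 ]; then
        run losetup -f --show "$1"
        LOOP=/dev/loop0
    else
        LOOP=$(losetup -f --show "$1")
        LOG="${LOG}losetup -f --show $1
"
    fi
}

mount_guest() {
    LOG=""
    CLEANUP=""
    trap cleanup EXIT
    run lvcreate --size 100m --snapshot --name "$SNAP" "/dev/$VG/$GUEST"
    push_cleanup "lvremove -f /dev/$VG/$SNAP"   # -f: no interactive prompt inside a trap
    attach_loop "/dev/$VG/$SNAP"
    push_cleanup "losetup -d $LOOP"
    run kpartx -av "$LOOP"
    push_cleanup "kpartx -dv $LOOP"
    # kpartx names the maps <loopdev>p<n>; mount read-only as in the post
    run mount -o ro "/dev/mapper/$(basename "$LOOP")p$PART" "$MNT"
    push_cleanup "umount $MNT"
}

mount_guest
# Inspect the guest file system with the given command (default: a shell);
# when it returns, the EXIT trap undoes everything in reverse order.
if [ "$DRY_RUN" = 1 ]; then
    echo "dry run: would now run '${*:-sh}' with the guest mounted at $MNT" >&2
else
    "${@:-sh}"
fi
```

<p>Run it as <code>DRY_RUN=0 sudo sh mount-guest.sh</code> to get a shell with the guest's first partition under <code>/mnt</code>; leaving that shell unmounts, removes the partition maps, detaches the loop device and drops the snapshot, in that order. Without <code>DRY_RUN=0</code> it only prints the eight commands, which is a cheap way to review them before touching a live volume group.</p>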
<h2 id="clean-up">Clean-up<a class="headerlink" href="#clean-up" title="Permanent link">¶</a></h2>
<ol>
<li>
<p>Un-mount all mounted partitions</p>
<div class="codehilite"><pre><span></span>$ sudo umount /mnt
...
</pre></div>
</li>
<li>
<p>Delete partition mappings</p>
<div class="codehilite"><pre><span></span>$ sudo kpartx -dv /dev/loop0
del devmap : loop0p5
del devmap : loop0p2
del devmap : loop0p1
</pre></div>
</li>
<li>
<p>Detach loop device</p>
<div class="codehilite"><pre><span></span>$ sudo losetup -d /dev/loop0
</pre></div>
</li>
<li>
<p>Remove LVM snapshot</p>
<div class="codehilite"><pre><span></span>$ sudo lvremove /dev/vg_raid1/snap-bup
Do you really want to remove active logical volume snap-bup? <span class="o">[</span>y/n<span class="o">]</span>: y
Logical volume <span class="s2">"snap-bup"</span> successfully removed
</pre></div>
</li>
</ol>Android games2013-01-05T00:00:00+01:002014-02-01T20:35:37+01:00henriktag:community.riocities.com,2013-01-05:/Android_games.html<h1 id="android-games-with-sane-permissions">Android Games with sane permissions<a class="headerlink" href="#android-games-with-sane-permissions" title="Permanent link">¶</a></h1>
<p>More info on sane permissions: <a href="/Android_apps.html">Android apps</a></p>
<p>List of games that I have found that fulfil my requirements on permissions</p>
<ul>
<li><a href="https://play.google.com/store/apps/details?id=org.jfedor.frozenbubble">Frozen Bubble</a></li>
<li><a href="https://play.google.com/store/apps/details?id=magory.mahjongpremium">Mahjong</a></li>
</ul>Android kids games2013-01-03T00:00:00+01:002015-02-18T20:55:15+01:00henriktag:community.riocities.com,2013-01-03:/Android_kids.html<h1 id="android-kids-games-with-sane-permissions">Android Kids Games with sane permissions<a class="headerlink" href="#android-kids-games-with-sane-permissions" title="Permanent link">¶</a></h1>
<p>More info on sane permissions: <a href="/Android_apps.html">Android apps</a></p>
<p>List of games that I have found that fulfil my requirements on permissions</p>
<ul>
<li><a href="https://play.google.com/store/apps/details?id=de.it_malic.animalsafrica">African Animals</a></li>
<li><a href="https://play.google.com/store/apps/details?id=de.it_malic.animalfarm">Animal Farm</a></li>
<li><a href="https://play.google.com/store/apps/details?id=ru.burt.apps.coloringbook">Burt's Coloring Book HD</a></li>
<li><a href="https://play.google.com/store/apps/details?id=org.androidsoft.coloring">Coloring For Kids</a></li>
<li><a href="https://play.google.com/store/apps/details?id=com.androidcave.escapethebee">Escape The Bee</a></li>
<li><a href="https://play.google.com/store/apps/details?id=com.anusen.mathmagic">Math Magic</a></li>
<li><a href="https://play.google.com/store/apps/details?id=org.androidsoft.games.memory.kids">Memory Game For Kids</a></li>
<li><a href="https://play.google.com/store/apps/details?id=eu.lavarde.pmtd">Plus Minus Times Divide</a></li>
<li><a href="https://play.google.com/store/apps/details?id=org.androidsoft.games.slowit">Slow It !</a></li>
<li><a href="https://play.google.com/store/apps/details?id=org.androidsoft.games.memory.tux">Tux Memory Game</a></li>
<li><a href="https://play.google.com/store/apps/details?id=com.ulduzsoft.kids.memory">Toddler Memory Game</a></li>
<li><a href="https://play.google.com/store/apps/details?id=com.acoupleofdads.ToddlersCubed">Toddlers Cubed</a></li>
</ul>Android apps2012-06-13T00:00:00+02:002015-01-15T00:00:00+01:00henriktag:community.riocities.com,2012-06-13:/Android_apps.html<h1 id="android-applications-with-sane-permissions">Android Applications with sane permissions<a class="headerlink" href="#android-applications-with-sane-permissions" title="Permanent link">¶</a></h1>
<p>Finding apps on the Play Store with sane permissions is a bit like looking for a needle in a haystack.</p>
<p>There is no way to, for instance, sort apps by the number of permissions they require.</p>
<p>How I define sane permissions:</p>
<ul>
<li>A. Does not require more permissions than what should be necessary to accomplish task X</li>
<li>B. Does not require access to private data + Internet</li>
<li>C. Does not require access to parts that only system apps should need</li>
</ul>
<p>Why:</p>
<ul>
<li>A. "Make each program do one thing well"<ol>
<li>If an app tries to do multiple things, it is probably its main task that it does best. Tasks y and z are likely of lower code quality and therefore more prone to security bugs.</li>
<li>There are also most probably apps that do y and z much better anyway.</li>
</ol>
</li>
<li>B. "Maintain isolation of your data from others" / "Principle of Least Privilege"<ol>
<li>There is a risk that the app is malicious, in that it sells (or in other ways abuses) your private data</li>
<li>If the app (or whatever the app interfaces with) has a security fault, your personal data is at risk</li>
</ol>
</li>
<li>C. "High risk of the app being malicious" <ol>
<li>Why should for instance a calculator app need access to your wifi password?</li>
</ol>
</li>
</ul>
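<p>Criteria B and C can be checked mechanically once you have an app's requested permission list (A still needs a human to decide what task X really requires). The script below is an added example, not from the original post: it reads one permission name per line, as listed in the app's <code>uses-permission</code> manifest entries, and reports which criterion the set violates. The category lists are this example's own short selection of well-known permissions, not an authoritative table, and the sample input at the bottom is constructed.</p>

```shell
#!/bin/sh
# Added example: check a requested-permission list against criteria B and C
# ("private data + Internet" and "system-only parts") from the post.
# Input: one android.permission.* name per line on stdin.

# Map one permission to a category: net, private, system or other.
# The lists are a deliberately small selection, not a complete catalogue.
perm_category() {
    p=${1#android.permission.}
    case "$p" in
        INTERNET) echo net ;;
        READ_CONTACTS|READ_SMS|READ_CALL_LOG|READ_CALENDAR|ACCESS_FINE_LOCATION|GET_ACCOUNTS|READ_EXTERNAL_STORAGE) echo private ;;
        WRITE_SECURE_SETTINGS|READ_LOGS|INSTALL_PACKAGES|DELETE_PACKAGES) echo system ;;
        *) echo other ;;
    esac
}

# Read permission names from stdin, print each violated criterion, and
# return 0 for a "sane" set or 1 when criterion B or C is violated.
check_permissions() {
    net=0; private=0; system=0; verdict=0
    while IFS= read -r perm; do
        [ -n "$perm" ] || continue
        case "$(perm_category "$perm")" in
            net)     net=1 ;;
            private) private=1 ;;
            system)  system=1 ;;
        esac
    done
    # B: access to private data is the problem only in combination with a
    # network path out; either alone passes this criterion.
    if [ "$net" -eq 1 ] && [ "$private" -eq 1 ]; then
        echo "B: private data + Internet"
        verdict=1
    fi
    # C: permissions that only system apps should need.
    if [ "$system" -eq 1 ]; then
        echo "C: system-only permission requested"
        verdict=1
    fi
    return $verdict
}

# Constructed sample: a "calculator" asking for far more than arithmetic needs.
if check_permissions <<'EOF'
android.permission.INTERNET
android.permission.READ_CONTACTS
android.permission.READ_LOGS
EOF
then
    echo "verdict: sane"
else
    echo "verdict: not sane"
fi
```

<p>The point of keeping criterion B as a combination rather than a blacklist is the post's own: a contacts backup app without Internet access, or a weather widget with Internet access but no private data, both pass, while an app that has both is the one to look at twice.</p>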
<p><strong>A word of warning</strong>: please note that the sdcard is always world readable (configurable in Android 4.1 to 4.3), i.e. all apps can always read your sdcard. Seriously consider this when you grant (install) apps with network access.</p>
<p>More on sd card (EXTERNAL_STORAGE) read: http://source.android.com/devices/tech/storage/</p>
<p>Worth reading about the new permission groups in play: http://www.xda-developers.com/android/play-store-permissions-change-opens-door-to-rogue-apps/</p>
<p>List of apps that I have found that fulfil my requirements:</p>
<ul>
<li>Backup sms & call-log: <a href="https://play.google.com/store/apps/details?id=de.shandschuh.slightbackup">Slight backup</a></li>
<li>Battery stats in % on the status bar: <a href="https://play.google.com/store/apps/details?id=ch.blinkenlights.battery">Battery Circle</a></li>
<li>Keep track of birthdays: <a href="https://f-droid.org/repository/browse/?fdfilter=Birthdroid&fdid=com.rigid.birthdroid">Birthdroid</a></li>
<li>Calculator: <a href="https://play.google.com/store/apps/details?id=com.miwachang.progcalc">CALC-P</a></li>
<li>Camera: <a href="https://play.google.com/store/apps/details?id=com.flavionet.android.camera.pro">FV-5</a></li>
<li>Countdown: <a href="https://play.google.com/store/apps/details?id=org.openintents.countdown">OI Countdown</a></li>
<li>CPU "State logging": <a href="https://play.google.com/store/apps/details?id=com.bvalosek.cpuspy">CPU Spy</a></li>
<li>File Manager: <a href="https://play.google.com/store/apps/details?id=org.openintents.filemanager">OI File Manager</a></li>
<li>Gallery (photo &amp; video): <s>QuickPic</s></li>
<li>GPS Logger: <a href="https://play.google.com/store/apps/details?id=com.nonobtrusive.logger">Offline Logger</a></li>
<li>GPS Testing: <a href="https://play.google.com/store/apps/details?id=uk.co.cubeone.gpsmonitor">GPS Monitor</a></li>
<li>IP calc: <a href="https://play.google.com/store/apps/details?id=skacofonia.ipcalculator">IP calculator</a></li>
<li>Jpeg Exif Viewer: <s>https://play.google.com/store/apps/details?id=com.ohakado.exifviewx</s></li>
<li>Notepad: <a href="https://play.google.com/store/apps/details?id=org.openintents.notepad">OI Notepad</a></li>
<li>Permissions: <a href="https://play.google.com/store/apps/details?id=com.carlocriniti.android.permission_explorer">Permission Explorer</a></li>
<li>PDF Viewer: <a href="https://play.google.com/store/apps/details?id=cx.hell.android.pdfview">APV PDF Viewer</a></li>
<li>QR scanner: <a href="https://play.google.com/store/apps/details?id=com.tingiz">tingiz QR barcode scanner</a> (not perfect but the least bad with a nice feature set)</li>
<li>QR scanner: <a href="https://play.google.com/store/apps/details?id=trikita.obsqr">Obsqr QR Scanner</a></li>
<li><a href="https://play.google.com/store/apps/details?id=easicorp.recipe_calc">Recipe Calculator</a></li>
<li>Reminders: <a href="https://play.google.com/store/apps/details?id=ch.blinkenlights.android.ntyfr">Status Notes</a></li>
<li>World Clock: <a href="https://play.google.com/store/apps/details?id=com.chineseinspiration">Clocks around the world</a></li>
</ul>XEN domU LVM to raw2012-02-28T20:57:48+01:002012-02-28T20:57:48+01:00henriktag:community.riocities.com,2012-02-28:/XEN_domU_LVM_to_raw.html<p>Export a "LVM based" domU for use with KVM (or XEN-HVM)</p>
<p>A small, lazy guide to converting an LVM-based domU into a more portable raw file, for migration to another virtualization system or another XEN host</p>
<p>Specifics for this example</p>
<div class="codehilite"><pre><span></span> /dev/vg_raid10/<domU>-disk 8GB
/dev/vg_raid10/<domU>-swap 2GB
</pre></div>
<p>Create a 10G raw image</p>
<div class="codehilite"><pre><span></span>$ qemu-img create export.raw 10G
</pre></div>
<p>Boot kvm with a live CD iso (e.g. Debian netinst) and partition export.raw as hda (8G=>83:Linux & 2G=>82:Linux swap). Be very careful in selecting the size for the linux partition (double check the exact logical volume size).</p>
<div class="codehilite"><pre><span></span>$ kvm -hda export.raw -cdrom <iso file> -m <span class="m">512</span>
</pre></div>
<p>After partitioning export.raw (and shutting down kvm), the raw file should look as follows when queried from the host</p>
<div class="codehilite"><pre><span></span>$ fdisk -lc ./export.raw
You must <span class="nb">set</span> cylinders.
You can <span class="k">do</span> this from the extra functions menu.
Disk ./export.raw: <span class="m">0</span> MB, <span class="m">0</span> bytes
<span class="m">255</span> heads, <span class="m">63</span> sectors/track, <span class="m">0</span> cylinders
<span class="nv">Units</span> <span class="o">=</span> cylinders of <span class="m">16065</span> * <span class="nv">512</span> <span class="o">=</span> <span class="m">8225280</span> bytes
Sector size <span class="o">(</span>logical/physical<span class="o">)</span>: <span class="m">512</span> bytes / <span class="m">512</span> bytes
I/O size <span class="o">(</span>minimum/optimal<span class="o">)</span>: <span class="m">512</span> bytes / <span class="m">512</span> bytes
Disk identifier: 0x22455093
Device Boot Start End Blocks Id System
./export.raw1 <span class="m">1</span> <span class="m">1045</span> <span class="m">8393931</span> <span class="m">83</span> Linux
./export.raw2 <span class="m">1046</span> <span class="m">1305</span> <span class="m">2088450</span> <span class="m">82</span> Linux swap / Solaris
</pre></div>
<p>Install kpartx</p>
<div class="codehilite"><pre><span></span>$ sudo apt-get install kpartx
</pre></div>
<p>Prepare for mounting the partitions in the raw image on host.</p>
<div class="codehilite"><pre><span></span>$ sudo kpartx -v -a ./export.raw
add map loop2p1 <span class="o">(</span><span class="m">254</span>:16<span class="o">)</span>: <span class="m">0</span> <span class="m">16787862</span> linear /dev/loop2 <span class="m">63</span>
add map loop2p2 <span class="o">(</span><span class="m">254</span>:17<span class="o">)</span>: <span class="m">0</span> <span class="m">4176900</span> linear /dev/loop2 <span class="m">16787925</span>
</pre></div>
<p>Create swap on the swap partition</p>
<div class="codehilite"><pre><span></span>$ sudo mkswap /dev/mapper/loop2p2
mkswap: /dev/mapper/loop2p2: warning: don<span class="err">'</span>t erase bootbits sectors
on whole disk. Use -f to force.
Setting up swapspace version <span class="m">1</span>, <span class="nv">size</span> <span class="o">=</span> <span class="m">2088444</span> KiB
no label, <span class="nv">UUID</span><span class="o">=</span>ca2d322e-a245-43c0-9d6a-5ebf663818e8
</pre></div>
<p>Copy data</p>
<div class="codehilite"><pre><span></span>$ sudo dd <span class="k">if</span><span class="o">=</span>/dev/<vg_name>/<domU>-disk <span class="nv">of</span><span class="o">=</span>/dev/mapper/loop2p1 <span class="nv">bs</span><span class="o">=</span>4k
</pre></div>
<p>Do a file system check (ext3 used in example)</p>
<div class="codehilite"><pre><span></span>$ sudo e2fsck -f /dev/mapper/loop2p1
</pre></div>
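<p>The post warns to double-check the logical volume size before partitioning, and the <code>dd</code> step itself gives no indication whether everything arrived. The script below is an added example, not from the original post: it refuses the copy target if it is smaller than the source and, after the copy, compares the first source-size bytes of the target against the source byte for byte (the slack at the end of a slightly larger partition is ignored). The demo at the bottom runs on constructed files standing in for the logical volume and the mapped partition; on a real host you would pass <code>/dev/&lt;vg_name&gt;/&lt;domU&gt;-disk</code> and <code>/dev/mapper/loop2p1</code> instead.</p>

```shell
#!/bin/sh
# Added example: size pre-check and byte-for-byte verification around the
# dd copy step. Works on regular files (the constructed demo below) and on
# block devices (the real LV and the kpartx-mapped partition).
set -eu

# Size in bytes of a file or a block device.
size_of() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        echo $(( $(wc -c < "$1") ))
    fi
}

# Copy SRC into DST like the post's dd step. conv=notrunc keeps a regular
# file at its pre-existing, partition-like size instead of truncating it.
copy_lv_to_partition() {
    dd if="$1" of="$2" bs=4k conv=notrunc 2>/dev/null
}

# Return 2 if DST cannot hold SRC, 1 if the first size_of(SRC) bytes differ,
# 0 when the copy is identical (extra space at the end of DST is ignored).
verify_copy() {
    src_bytes=$(size_of "$1")
    dst_bytes=$(size_of "$2")
    if [ "$dst_bytes" -lt "$src_bytes" ]; then
        echo "destination ($dst_bytes bytes) is smaller than source ($src_bytes bytes)" >&2
        return 2
    fi
    if head -c "$src_bytes" "$2" | cmp -s - "$1"; then
        echo "copy of $src_bytes bytes verified" >&2
        return 0
    fi
    echo "copy differs from source" >&2
    return 1
}

# Demo with constructed data: a 64 KiB "LV" copied into an 80 KiB "partition".
demo() {
    work=$(mktemp -d)
    yes 'constructed domU data' | head -c 65536 > "$work/lv"
    dd if=/dev/zero of="$work/part" bs=1024 count=80 2>/dev/null
    copy_lv_to_partition "$work/lv" "$work/part"
    if verify_copy "$work/lv" "$work/part"; then rc=0; else rc=$?; fi
    rm -rf "$work"
    return $rc
}

demo
```

<p>In the post's flow this sits between the <code>dd</code> and the <code>e2fsck</code>: a clean verification tells you the bytes are in place, and the file system check then tells you the file system on them is consistent; the two answer different questions.</p>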
<p>Remove device mappings in host</p>
<div class="codehilite"><pre><span></span>$ sudo kpartx -d ./export.raw
</pre></div>
<p>Boot kvm with a debian net-install CD iso in rescue mode</p>
<div class="codehilite"><pre><span></span>$ kvm -hda export.raw -cdrom <iso file> -m <span class="m">512</span> -boot d
<span class="m">1</span>. Edit /etc/fstab to reflect the new device name <span class="o">(</span>and partition numbers<span class="o">)</span> xvda1<span class="o">(</span>swap<span class="o">)</span> -> sda2 + xvda2<span class="o">(</span>disk<span class="o">)</span> -> sda1
<span class="m">2</span>. Clear mtab <span class="o">(</span>cat /dev/null > /etc/mtab<span class="o">)</span>
<span class="m">3</span>. <span class="nb">exit</span> rescue mode and enter it again
<span class="m">4</span>. start bash
<span class="m">5</span>. apt-get update
<span class="m">6</span>.1 apt-get install linux-image-2.6-amd64 <span class="c1"># install non XEN kernel</span>
<span class="m">6</span>.2 apt-get purge linux-image-xen-amd64 <span class="c1"># purge this and all other xen kernel packages</span>
<span class="m">7</span>.1 apt-get install grub-pc
<span class="m">7</span>.2 Linux cmd line shall be <span class="s2">"root=/dev/sda1 ro"</span>
<span class="m">7</span>.3 Install grub on /dev/sda <span class="o">(</span>QEMU_HARDDISK<span class="o">)</span>
<span class="m">8</span>. Change getty console from hvc0 to tty1 in /etc/inittab
<span class="m">9</span>. Exit rescue mode
</pre></div>
<p>Note: sda is for KVM use; if converting for XEN HVM use xvda (in other words, just switch the partition numbers)</p>
<p>That's it, export.raw can now be used with KVM (or XEN HVM).</p>FiiO E102012-01-10T00:00:00+01:002012-01-11T20:30:00+01:00henriktag:community.riocities.com,2012-01-10:/FiiO.html<p><a href="http://www.fiio.com.cn/product/index.aspx?ID=37&MenuID=020301">FiiO E10</a> is a
small and nice USB DAC (96KHz/24Bit) + headphone amp without the problems with the <a href="/NuForce_uDAC.html">NuForce uDAC</a>
(<a href="http://www.head-fi.org/t/483510/udac-channel-imbalance">channel</a> <a href="http://www.audiocircle.com/index.php?topic=77305.0">imbalance</a>
and the <a href="/NuForce_uDAC.html#bugs">strange character</a> in the USB device name).</p>
<p>Tested and found to be working fine with:</p>
<ol>
<li>Debian squeeze (Gnome)</li>
<li>Debian testing (linux: 3.1.0 + kde: 4 …</li></ol><p><a href="http://www.fiio.com.cn/product/index.aspx?ID=37&MenuID=020301">FiiO E10</a> is a
small and nice USB DAC (96KHz/24Bit) + headphone amp without the problems with the <a href="/NuForce_uDAC.html">NuForce uDAC</a>
(<a href="http://www.head-fi.org/t/483510/udac-channel-imbalance">channel</a> <a href="http://www.audiocircle.com/index.php?topic=77305.0">imbalance</a>
and the <a href="/NuForce_uDAC.html#bugs">strange character</a> in the USB device name).</p>
<p>Tested and found to be working fine with:</p>
<ol>
<li>Debian squeeze (Gnome)</li>
<li>Debian testing (linux: 3.1.0 + kde: 4.6.5)</li>
<li>Ubuntu 11.10 (Unity)</li>
</ol>
<p>Also Note: The general recommendation for a USB DAC is to set the master volume to 0 dBFS (<a href="http://benchmarkmedia.com/blogs/wiki/14949169-computer-audio-playback-setup-guide">100%</a>)
in order to get the full 16 or 24 bit digital resolution (i.e. accurate bit stream).</p>
<p>From <code>dmesg</code></p>
<div class="codehilite"><pre><span></span>usb 1-1.2.4: New USB device found, idVendor=1852, idProduct=7022
usb 1-1.2.4: New USB device strings: Mfr=1, Product=2, SerialNumber=0
usb 1-1.2.4: Product: DigiHug USB Audio
usb 1-1.2.4: Manufacturer: FiiO
input: FiiO DigiHug USB Audio as /devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.2/1-1.2.4/1-1.2.4:1.0/input/input7
generic-usb 0003:1852:7022.0005: input,hidraw4: USB HID v1.00 Device [FiiO DigiHug USB Audio] on usb-0000:00:1a.0-1.2.4/input0
</pre></div>
<p><code>lsusb</code></p>
<div class="codehilite"><pre><span></span>$ lsusb <span class="p">|</span> fgrep <span class="m">1852</span>:7022
Bus <span class="m">001</span> Device <span class="m">021</span>: ID <span class="m">1852</span>:7022 GYROCOM C<span class="p">&</span>C Co., LTD
</pre></div>Computer HW2011-10-01T00:00:00+02:002016-12-29T20:54:47+01:00henriktag:community.riocities.com,2011-10-01:/Computer_HW.html
<p><strong>Computer HW Suggestions</strong></p>
<p>I often get questions about what to buy (or not), this is a short summary of my hardware suggestions for home workstations and servers, with focus on stable and quiet systems.</p>
<h1 id="psu">PSU<a class="headerlink" href="#psu" title="Permanent link">¶</a></h1>
<h2 id="brands-to-consider">Brands to consider<a class="headerlink" href="#brands-to-consider" title="Permanent link">¶</a></h2>
<ul>
<li>Antec</li>
<li>Seasonic</li>
</ul>
<h2 id="suggestion">Suggestion<a class="headerlink" href="#suggestion" title="Permanent link">¶</a></h2>
<p>ATX</p>
<ul>
<li><a href="http://www.jonnyguru.com/modules.php?name=NDReviews&op=Story&reid=202">Seasonic X-series</a></li>
<li>Value/Budget choice: <a href="http://www.jonnyguru.com/modules.php?name=NDReviews&op=Story&reid=313">Seasonic G-series</a></li>
</ul>
<p>SFX</p>
<ul>
<li>Only Choice: <a href="http://www.jonnyguru.com/modules.php?name=NDReviews&op=Story&reid=319">Silverstone ST45SF-G 450W SFX</a></li>
</ul>
<h1 id="usb-power-supply-charger">USB Power Supply / Charger<a class="headerlink" href="#usb-power-supply-charger" title="Permanent link">¶</a></h1>
<h2 id="brand-to-consider">Brand to consider<a class="headerlink" href="#brand-to-consider" title="Permanent link">¶</a></h2>
<ul>
<li>Anker</li>
</ul>
<h2 id="suggestion_1">Suggestion<a class="headerlink" href="#suggestion_1" title="Permanent link">¶</a></h2>
<ul>
<li>Anker PowerPort+ 5</li>
</ul>
<h1 id="cpu-cooler">CPU cooler<a class="headerlink" href="#cpu-cooler" title="Permanent link">¶</a></h1>
<h2 id="brands-to-consider_1">Brands to consider<a class="headerlink" href="#brands-to-consider_1" title="Permanent link">¶</a></h2>
<ul>
<li>Noctua</li>
<li>Scythe</li>
<li>Thermalright</li>
</ul>
<h2 id="suggestion_2">Suggestion<a class="headerlink" href="#suggestion_2" title="Permanent link">¶</a></h2>
<p>Noctua <a href="http://www.silentpcreview.com/Noctua_NH-U12P_CPU_Cooler">NH-U12P</a></p>
<h1 id="cooling-fan">Cooling Fan<a class="headerlink" href="#cooling-fan" title="Permanent link">¶</a></h1>
<h2 id="brands-to-consider_2">Brands to consider<a class="headerlink" href="#brands-to-consider_2" title="Permanent link">¶</a></h2>
<ul>
<li>Nexus</li>
<li>Noctua</li>
</ul>
<h2 id="suggestion_3">Suggestion<a class="headerlink" href="#suggestion_3" title="Permanent link">¶</a></h2>
<p>Noctua <a href="http://www.silentpcreview.com/article695-page4.html#noctua">NF-S12</a> Series (under volted)</p>
<h1 id="case">Case<a class="headerlink" href="#case" title="Permanent link">¶</a></h1>
<h2 id="brands-to-consider_3">Brands to consider<a class="headerlink" href="#brands-to-consider_3" title="Permanent link">¶</a></h2>
<ul>
<li>Antec</li>
<li>Silverstone (HTPC)</li>
<li>Supermicro</li>
</ul>
<h2 id="suggestions">Suggestions<a class="headerlink" href="#suggestions" title="Permanent link">¶</a></h2>
<ul>
<li>Server: Antec <a href="http://www.silentpcreview.com/antec-p183">P183</a></li>
<li>Server with few or external disks: <ul>
<li>Antec <a href="http://www.silentpcreview.com/Antec_NSK-3480">NSK3480</a></li>
<li>Antec <a href="http://www.silentpcreview.com/article591-page8.html">NSK2480</a></li>
</ul>
</li>
<li>Storage Server: Supermicro <a href="https://www.servethehome.com/near-silent-powerhouse-making-a-quieter-microlab-platform">SC721TQ-250B</a></li>
<li>Workstation: <ul>
<li>MicroATX, Antec <a href="http://www.silentpcreview.com/Antec_NSK-3480">NSK3480</a></li>
<li>ATX, Antec <a href="http://www.overclockersclub.com/reviews/antec_sonata_proto/">Sonata Proto</a></li>
</ul>
</li>
<li>HTPC Mini-ITX: Silverstone <a href="http://www.silentpcreview.com/Silverstone_SG05_SG06">SST-SG06B</a></li>
</ul>
<h1 id="motherboards">Motherboards<a class="headerlink" href="#motherboards" title="Permanent link">¶</a></h1>
<h2 id="brands-to-consider_4">Brands to consider<a class="headerlink" href="#brands-to-consider_4" title="Permanent link">¶</a></h2>
<ul>
<li>Supermicro</li>
<li>Intel</li>
<li>Tyan (sometimes have reasonably priced offerings) </li>
<li><s>ASUS</s></li>
</ul>
<h2 id="suggestion_4">Suggestion<a class="headerlink" href="#suggestion_4" title="Permanent link">¶</a></h2>
<ul>
<li>Supermicro <a href="http://www.supermicro.com/products/motherboard/Xeon/D/X10SDV-2C-TLN2F.cfm">X10SDV-2C-TLN2F</a></li>
<li>Supermicro <a href="http://www.supermicro.com/products/motherboard/Atom/X10/A1SAM-2550F.cfm">A1SAM-2550F-O</a></li>
</ul>
<h2 id="do-not-buy">Do not buy<a class="headerlink" href="#do-not-buy" title="Permanent link">¶</a></h2>
<p>ASUS E35M1-M PRO, <a href="http://vip.asus.com/forum/topic.aspx?board_id=1&model=E35M1-M+PRO&SLanguage=en-us">as it cannot handle IRQs properly</a></p>
<p>Or any ASUS board with an ASM1083 PCIx-PCI bridge; it is totally broken and ASUS does nothing!</p>
<h1 id="cpu">CPU<a class="headerlink" href="#cpu" title="Permanent link">¶</a></h1>
<ul>
<li>High-end Server: Entry level Intel XEON (e.g. E3-1200 series or XEON-D) and ECC memory modules</li>
<li>Low-end Server: Intel Avoton and ECC memory modules</li>
<li>Workstation: Intel i3/i5 or XEON E3-1200</li>
<li>HTPC: Intel ATOM with Nvidia ION chip-set on the m/b.</li>
<li>HTPC: SolidRun CuBox-i2eX (complete system with case) or Raspberry Pi 2 or 3.</li>
</ul>
<h2 id="suggestion_5">Suggestion<a class="headerlink" href="#suggestion_5" title="Permanent link">¶</a></h2>
<ul>
<li>Intel XEON-D <a href="https://www.servethehome.com/supermicro-x10sdv-2c-tln2f-review-dual-core-mitx-pentium-d1508/">D1508</a> (high-end Server)</li>
<li>Intel Avoton C2550 4-Core 14W TDP</li>
</ul>
<h1 id="memory">Memory<a class="headerlink" href="#memory" title="Permanent link">¶</a></h1>
<h2 id="brands-to-consider_5">Brands to consider<a class="headerlink" href="#brands-to-consider_5" title="Permanent link">¶</a></h2>
<ul>
<li>Corsair</li>
<li>Samsung</li>
<li>Kingston (only ECC modules)</li>
</ul>
<h1 id="storage">Storage<a class="headerlink" href="#storage" title="Permanent link">¶</a></h1>
<p>I strongly recommend you to use hot-swap cases for disks in a server setting. Replacing a failed drive by dismantling a server case is way too risky when your RAID is already degraded (you want to get back to a consistent RAID state ASAP, not risk more faults).</p>
<p>You can use hot-swap enclosures for 5.25" bays or fully external ones. I personally try to use fully external so I can use a smaller case for the server itself. Or use the great little <a href="hp_microserver_gen8.html">HP MicroServer</a>.</p>
<p>SSDs I suggest you place in an internal enclosure for a 5.25" bay that holds 4x2.5" disks, or put each of them in a small external eSATA case.</p>
<h2 id="brands-to-consider_6">Brands to consider<a class="headerlink" href="#brands-to-consider_6" title="Permanent link">¶</a></h2>
<ul>
<li>SSD<ul>
<li>Intel</li>
<li>Samsung</li>
</ul>
</li>
<li>HDD <ul>
<li>Western Digital</li>
</ul>
</li>
<li>SLC USB stick<ul>
<li>Mach Xtreme Technology</li>
</ul>
</li>
</ul>
<h2 id="suggestions_1">Suggestions<a class="headerlink" href="#suggestions_1" title="Permanent link">¶</a></h2>
<p>SSD</p>
<ul>
<li>Best: Samsung SM863 (has power-loss data protection)</li>
<li>Intel SSD DC S3500/S3510 (has power-loss data protection)</li>
<li>Samsung 850 EVO (only together with UPS)</li>
<li>Intel 320 Series SSD (has power-loss data protection)</li>
</ul>
<p>HDD</p>
<ul>
<li>High End choice: WD - Red Pro</li>
<li>Budget choice: WD - Red</li>
</ul>
<p>SLC USB stick</p>
<ul>
<li>SLC NAND flash for server use: MX-ES Series, USB3.0 stick from Mach Xtreme Technology</li>
</ul>
<h1 id="example-systems">Example Systems<a class="headerlink" href="#example-systems" title="Permanent link">¶</a></h1>
<h2 id="xen-server">XEN Server<a class="headerlink" href="#xen-server" title="Permanent link">¶</a></h2>
<p>Nice XEN server system where you can run a file server (e.g. Debian with ZFS on Linux) in one domU and a MythTV backend in another, with lots of room to grow.</p>
<p>dom0 boots from a USB stick; the storage domU gets mirrored SSDs for SLOG and a fast SSD pool, then add mirrored WD Red 3.5" disks for the data pool.</p>
<p><a href="http://www.prisjakt.nu/list.php?l=3224975&view=m">http://www.prisjakt.nu/list.php?l=3224975&view=m</a></p>
<h2 id="entry-level-xen-server">"Entry level" XEN Server<a class="headerlink" href="#entry-level-xen-server" title="Permanent link">¶</a></h2>
<p>Like above but Avoton based and a bit simpler in specs (e.g. no SSDs) and in price:</p>
<p><a href="http://www.prisjakt.nu/list.php?l=2206358&view=m">http://www.prisjakt.nu/list.php?l=2206358&view=m</a></p>
<p>or</p>
<p><a href="hp_microserver_gen8.html">HP MicroServer</a></p>
<h2 id="freenas-storage-server">FreeNAS storage server<a class="headerlink" href="#freenas-storage-server" title="Permanent link">¶</a></h2>
<p>Small box with hot-swap disks and enough RAM to use ZFS</p>
<p><a href="http://www.prisjakt.nu/list.php?l=2172522&view=m">http://www.prisjakt.nu/list.php?l=2172522&view=m</a></p>
<h1 id="mini-network-server-eg-fw">Mini network server (e.g. FW)<a class="headerlink" href="#mini-network-server-eg-fw" title="Permanent link">¶</a></h1>
<h2 id="brand-to-consider_1">Brand to consider<a class="headerlink" href="#brand-to-consider_1" title="Permanent link">¶</a></h2>
<ul>
<li>Soekris - <a href="http://soekris.com/">http://soekris.com/</a></li>
</ul>
<h1 id="laptop">Laptop<a class="headerlink" href="#laptop" title="Permanent link">¶</a></h1>
<p>There seems to be only one place where you can buy laptops with GNU/Linux in Sweden: <a href="http://www.ggsdata.se/">http://www.ggsdata.se/</a>. (Note: I have not tried them yet.)</p>
<h1 id="wlan-aprouter">WLAN AP/Router<a class="headerlink" href="#wlan-aprouter" title="Permanent link">¶</a></h1>
<p>My requirements are stability and good indoor coverage. On top of this it is mandatory that OpenWRT works on the device with no issues whatsoever.</p>
<h2 id="suggestion_6">Suggestion<a class="headerlink" href="#suggestion_6" title="Permanent link">¶</a></h2>
<ul>
<li>TP-Link Archer C7 AC1750 v2.0, 16MB flash, 128 MB RAM, 802.11 ac/n/g/b/a (2.4GHz and 5 GHz bands), GBIC switch and USB.</li>
</ul>
<h1 id="vlan-ethernet-switch">VLAN Ethernet switch<a class="headerlink" href="#vlan-ethernet-switch" title="Permanent link">¶</a></h1>
<p>Try to get a VLAN Ethernet switch with security features like port security, DHCP snooping and storm control.
For me it is also essential that it can be managed via SSH and that the switch is fan-less.</p>
<h2 id="suggestion_7">Suggestion<a class="headerlink" href="#suggestion_7" title="Permanent link">¶</a></h2>
<ul>
<li>TP-Link TL-SG3216</li>
</ul>
<h1 id="ups">UPS<a class="headerlink" href="#ups" title="Permanent link">¶</a></h1>
<h2 id="brands-to-consider_7">Brands to consider<a class="headerlink" href="#brands-to-consider_7" title="Permanent link">¶</a></h2>
<ul>
<li>APC</li>
<li>Eaton</li>
</ul>
<h2 id="suggestion_8">Suggestion<a class="headerlink" href="#suggestion_8" title="Permanent link">¶</a></h2>
<ul>
<li><a href="http://en.wikipedia.org/wiki/Uninterruptible_power_supply#Line-interactive">Line-interactive</a> for home servers and workstations</li>
<li>
<p><a href="http://en.wikipedia.org/wiki/Uninterruptible_power_supply#Offline.2Fstandby">Offline</a> for switches, modems, WLAN APs, etc.</p>
</li>
<li>
<p>APC Smart-UPS is a good family of line-interactive UPSes </p>
</li>
<li>Eaton 3S is a good offline UPS choice</li>
</ul>
<p>Note that if you have a PSU with Active PFC you should select a UPS with true sine wave output like the APC Smart-UPS series (avoid Smart-UPS SC) <a href="http://en.wikipedia.org/wiki/APC_Smart-UPS">http://en.wikipedia.org/wiki/APC_Smart-UPS</a></p>
<h1 id="where-to-buy-the-more-hard-to-get-stuff">Where to buy the more hard to get stuff<a class="headerlink" href="#where-to-buy-the-more-hard-to-get-stuff" title="Permanent link">¶</a></h1>
<p>Supermicro stuff &amp; HDDs for RAID use - <a href="http://mullet.se">http://mullet.se</a></p>
<p><strong>OpenSSH setup</strong> (henrik, 2011-09-15)</p>
<h1 id="certificates-with-openssh">Certificates with OpenSSH<a class="headerlink" href="#certificates-with-openssh" title="Permanent link">¶</a></h1>
<p>Howto setup and use certificates with OpenSSH for host keys.</p>
<h2 id="setup-ca">Setup CA<a class="headerlink" href="#setup-ca" title="Permanent link">¶</a></h2>
<p>Create the CA keypair</p>
<div class="codehilite"><pre><span></span>$ mkdir SSH-CA
$ cd !$
$ ssh-keygen -t rsa -b 4096 -f ca_key-example.com_rsa -C ca_key-example.com   # -f names the output keyfile ca_key-example.com_rsa; choose a very good pass-phrase :-)
</pre></div>
<h2 id="sign-server-pub-keys-at-the-ca">Sign server .pub keys at the CA<a class="headerlink" href="#sign-server-pub-keys-at-the-ca" title="Permanent link">¶</a></h2>
<p>Fetch the /etc/ssh/ssh_host_rsa_key.pub files from each server and rename them to <code>&lt;hostname&gt;_rsa_key.pub</code> to reflect the system name (e.g. <code>sys1_rsa_key.pub</code>)</p>
<p>Validate finger-print of server public key</p>
<div class="codehilite"><pre><span></span>$ ssh-keygen -l -f ./sys1_rsa_key.pub
</pre></div>
<p>Sign the server public key with the CA key. <code>-I</code> sets the certificate's key identity, <code>-n</code> limits its validity to the server's FQDN (the principal), and <code>-h</code> makes it a host certificate.</p>
<div class="codehilite"><pre><span></span>$ ssh-keygen -s ca_key-example.com_rsa -I sys1 -n sys1.example.com -h sys1_rsa_key.pub
</pre></div>
<p>Output will be the certificate <code>&lt;hostname&gt;_rsa_key-cert.pub</code> (e.g. <code>sys1_rsa_key-cert.pub</code>)</p>
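<p>Added example (Python, not from the original page): it decodes the fields of the resulting <code>sys1_rsa_key-cert.pub</code> line, the same ones <code>ssh-keygen -L -f sys1_rsa_key-cert.pub</code> prints, and audits them against what the signing command intends: host type (<code>-h</code>), the FQDN as principal (<code>-n</code>) and an expiry, which the command above does not set (ssh-keygen's <code>-V</code> option does). The demo certificate is constructed with toy RSA numbers and a placeholder signature, and the CA signature is not verified.</p>

```python
"""Decode and audit an OpenSSH host certificate line (*-cert.pub).

Added example, not the page's code. Fields follow the public
ssh-rsa-cert-v01@openssh.com layout (RFC 4251 string/uint32/uint64
encoding). The CA signature is NOT checked here; sshd and ssh-keygen do that.
"""
import base64
import struct
import time

CERT_TYPE = "ssh-rsa-cert-v01@openssh.com"
SSH_CERT_TYPE_HOST = 2               # "type" field value for a -h certificate
NEVER_EXPIRES = 0xFFFFFFFFFFFFFFFF   # valid_before when signed without -V

class _Reader:
    """Sequential reader for big-endian uint32/uint64 and length-prefixed strings."""
    def __init__(self, buf: bytes) -> None:
        self.buf, self.pos = buf, 0

    def u32(self) -> int:
        (v,) = struct.unpack_from(">I", self.buf, self.pos)
        self.pos += 4
        return v

    def u64(self) -> int:
        (v,) = struct.unpack_from(">Q", self.buf, self.pos)
        self.pos += 8
        return v

    def string(self) -> bytes:
        n = self.u32()
        v = self.buf[self.pos:self.pos + n]
        self.pos += n
        return v

def parse_host_cert(line: str) -> dict:
    """Decode one *-cert.pub line (what `ssh-keygen -L` shows) into a dict."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != CERT_TYPE:
        raise ValueError("not an ssh-rsa certificate line")
    r = _Reader(base64.b64decode(fields[1]))
    if r.string().decode() != CERT_TYPE:
        raise ValueError("blob type does not match the line prefix")
    r.string()                                 # nonce
    r.string(); r.string()                     # RSA e and n (mpint), unused here
    cert = {"serial": r.u64(), "type": r.u32(), "key_id": r.string().decode()}
    principals, pr = [], _Reader(r.string())   # nested list of strings
    while pr.pos < len(pr.buf):
        principals.append(pr.string().decode())
    cert["principals"] = principals
    cert["valid_after"], cert["valid_before"] = r.u64(), r.u64()
    r.string(); r.string(); r.string()         # critical options, extensions, reserved
    cert["signature_key"] = r.string()         # CA public key blob
    cert["signature"] = r.string()
    return cert

def audit_host_cert(cert: dict, fqdn: str, now=None) -> list:
    """Findings for installing `cert` as HostCertificate on `fqdn`; [] means clean."""
    now = int(time.time()) if now is None else now
    findings = []
    if cert["type"] != SSH_CERT_TYPE_HOST:
        findings.append("not a host certificate (signed without -h)")
    if not cert["principals"]:
        findings.append("no principals: valid for any host name")
    elif fqdn not in cert["principals"]:
        findings.append(f"principal mismatch: {cert['principals']} lacks {fqdn}")
    if cert["valid_before"] == NEVER_EXPIRES:
        findings.append("no expiry: signed without -V, rotation is manual")
    elif now >= cert["valid_before"]:
        findings.append("expired")
    if now < cert["valid_after"]:
        findings.append("not yet valid")
    return findings

# --- constructed demo input: toy RSA numbers and a placeholder signature ---
def _s(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _mpint(n: int) -> bytes:
    return _s(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def make_unsigned_cert(key_id: str, principals: list, cert_type: int, valid_before: int) -> str:
    """Structurally valid cert line that no CA has signed (demo only)."""
    body = (_s(CERT_TYPE.encode()) + _s(b"\x00" * 32)        # type, nonce
            + _mpint(65537) + _mpint(0xC0FFEE)                  # e, n (toy values)
            + struct.pack(">QI", 1, cert_type)                  # serial, type
            + _s(key_id.encode())
            + _s(b"".join(_s(p.encode()) for p in principals))
            + struct.pack(">QQ", 0, valid_before)               # valid_after, valid_before
            + _s(b"") + _s(b"") + _s(b"")                       # crit opts, exts, reserved
            + _s(b"ca-key-placeholder") + _s(b"signature-placeholder"))
    return f"{CERT_TYPE} {base64.b64encode(body).decode()} {key_id}"

if __name__ == "__main__":
    line = make_unsigned_cert("sys1", ["sys1.example.com"], SSH_CERT_TYPE_HOST, NEVER_EXPIRES)
    cert = parse_host_cert(line)
    print(cert["key_id"], cert["principals"], audit_host_cert(cert, "sys1.example.com"))
```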
<h2 id="add-ca-certs-to-servers">Add CA certs to servers<a class="headerlink" href="#add-ca-certs-to-servers" title="Permanent link">¶</a></h2>
<p>Store the certificate in /etc/ssh/ on the corresponding server and add the following in /etc/ssh/sshd_config</p>
<div class="codehilite"><pre><span></span># CA cert for host
HostCertificate /etc/ssh/&lt;hostname&gt;_rsa_key-cert.pub
</pre></div>
<p>Then reload the server config</p>
<div class="codehilite"><pre><span></span>$ sudo /etc/init.d/ssh reload
</pre></div>
<h2 id="client-config">Client Config<a class="headerlink" href="#client-config" title="Permanent link">¶</a></h2>
<p>Two options are available, depending on whether you are root on the client or not.</p>
<h3 id="1-system-wide-ssh-client-config">1. System wide ssh client config<a class="headerlink" href="#1-system-wide-ssh-client-config" title="Permanent link">¶</a></h3>
<p>Add public key of CA to <code>/etc/ssh/ssh_known_hosts</code> prepending <code>'@cert-authority *'</code></p>
<p>Example</p>
<div class="codehilite"><pre><span></span>@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDcXMO5H0zn3.......== ca_key-example.com
</pre></div>
<p>Make sure the ssh_known_hosts file is readable by all but only writable by root.</p>
<h3 id="2-per-user-config">2. Per user config<a class="headerlink" href="#2-per-user-config" title="Permanent link">¶</a></h3>
<p>Add public key of CA to <code>/home/&lt;user&gt;/.ssh/known_hosts</code> prepending <code>'@cert-authority *'</code></p>
<p>Example</p>
<div class="codehilite"><pre><span></span>@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDcXMO5H0zn3a.......== ca_key-example.com
</pre></div>
<p><strong>XEN domU move</strong> (henrik, 2010-01-27)</p>
<p>Moving a XEN domU to a new server</p>
<p><strong>Note</strong> In order to ease reading the LVM-vg is called vg_raid on newhost and vg_main on oldhost</p>
<p>Create logical volumes on the newhost</p>
<div class="codehilite"><pre><span></span>newhost# lvcreate -n &lt;hostname&gt;-disk -L &lt;disk-size-in-gig&gt;g vg_raid
newhost# lvcreate -n &lt;hostname&gt;-swap -L &lt;swap-size-in-meg&gt;m vg_raid
</pre></div>
<p>Shutdown the domU on oldhost</p>
<div class="codehilite"><pre><span></span>oldhost# xm shutdown &lt;hostname&gt;
</pre></div>
<p>Copy the data</p>
<div class="codehilite"><pre><span></span>oldhost# dd if=/dev/vg_main/&lt;hostname&gt;-disk bs=1k | ssh -C &lt;newhost&gt; dd of=/dev/vg_raid/&lt;hostname&gt;-disk bs=1k
</pre></div>
<p>Copy the configuration file</p>
<div class="codehilite"><pre><span></span>oldhost# scp /etc/xen/&lt;hostname&gt;.cfg &lt;newhost&gt;:/etc/xen/
</pre></div>
<p>If newhost is running Lenny you need to move the Etch kernel as well</p>
<div class="codehilite"><pre><span></span>oldhost# scp /boot/*2.6.18-6-xen-686 &lt;newhost&gt;:/boot
</pre></div>
<p>Do a file system check</p>
<div class="codehilite"><pre><span></span>newhost# e2fsck -f /dev/vg_raid/&lt;hostname&gt;-disk
</pre></div>
<p>Edit <code>/etc/xen/&lt;host&gt;.cfg</code> and change vg_main to vg_raid</p>
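<p>Added example (Python, not the page's commands) for the two steps above, the copy and the config edit: it rewrites only the <code>phy:</code> paths in the <code>disk = [...]</code> entry of the cfg, so a comment or name that also contains vg_main is left alone, and it compares the dd copy against the source by hashing only the source's length, since the new LV may be larger. The cfg text, file names and contents are constructed for the demo.</p>

```python
"""Helpers for the domU move above (added example; not the page's commands).

rewrite_disk_vg() changes only the phy:/dev/<old_vg>/ paths inside the
`disk = [...]` entry of /etc/xen/<host>.cfg, so a comment or the domU name
that happens to contain the old VG name is untouched (a blanket sed is not).
sha256_prefix()/verify_copy() check the dd copy: the new LV is often larger
than the old one, so only the source length is hashed; run sha256_prefix()
on each host and compare, or verify_copy() where both devices are visible.
The sample cfg and the demo files are constructed here.
"""
import hashlib
import os
import re
import tempfile

DISK_RE = re.compile(r"phy:/dev/(?P<vg>[^/]+)/(?P<lv>[^,'\"\s]+)")

def rewrite_disk_vg(cfg_text: str, old_vg: str, new_vg: str) -> str:
    """Return cfg_text with the disk list's phy: paths moved to new_vg."""
    def swap(m):
        if m.group("vg") != old_vg:
            return m.group(0)
        return f"phy:/dev/{new_vg}/{m.group('lv')}"
    out, in_disk = [], False
    for line in cfg_text.splitlines(keepends=True):
        if re.match(r"\s*disk\s*=", line):
            in_disk = True
        if in_disk:
            line = DISK_RE.sub(swap, line)
            if "]" in line:          # end of the (possibly multi-line) list
                in_disk = False
        out.append(line)
    return "".join(out)

def _size(fd: int) -> int:
    """Byte length of a regular file or a block device (st_size is 0 for an LV)."""
    end = os.lseek(fd, 0, os.SEEK_END)
    os.lseek(fd, 0, os.SEEK_SET)
    return end

def sha256_prefix(path: str, length=None, chunk: int = 1 << 20) -> str:
    """SHA-256 over the first `length` bytes of `path` (default: all of it)."""
    with open(path, "rb") as f:
        total = _size(f.fileno())
        length = total if length is None else length
        if total < length:
            raise ValueError(f"{path} is {total} bytes, shorter than {length}")
        h, left = hashlib.sha256(), length
        while left:
            buf = f.read(min(chunk, left))
            if not buf:
                raise IOError(f"short read on {path}")
            h.update(buf)
            left -= len(buf)
    return h.hexdigest()

def verify_copy(src: str, dst: str) -> bool:
    """True when dst begins with exactly the bytes of src (dst may be larger)."""
    with open(src, "rb") as f:
        n = _size(f.fileno())
    return sha256_prefix(src, n) == sha256_prefix(dst, n)

SAMPLE_CFG = """\
name = 'sys1-vg_main'             # constructed: the name also contains the VG string
# disks lived in vg_main on oldhost
disk = [ 'phy:/dev/vg_main/sys1-disk,sda1,w',
         'phy:/dev/vg_main/sys1-swap,sda2,w' ]
"""

def demo_verify() -> tuple:
    """Constructed stand-in for the LVs: target larger than source, then one byte corrupted."""
    d = tempfile.mkdtemp(prefix="domu-move-")
    src, dst = os.path.join(d, "src"), os.path.join(d, "dst")
    with open(src, "wb") as f:
        f.write(b"A" * 5000)
    with open(dst, "wb") as f:
        f.write(b"A" * 5000 + b"\x00" * 3000)   # new LV has slack at the end
    intact = verify_copy(src, dst)
    with open(dst, "r+b") as f:
        f.seek(4999)
        f.write(b"B")                           # one flipped byte inside the image
    return intact, verify_copy(src, dst)

if __name__ == "__main__":
    print(rewrite_disk_vg(SAMPLE_CFG, "vg_main", "vg_raid"))
    print(demo_verify())
```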
<p>Start domU and handle swap</p>
<div class="codehilite"><pre><span></span>newhost# xm create &lt;host&gt;.cfg -c
domU# mkswap /dev/sda2
domU# swapon -a
</pre></div>
<p><strong>NuForce uDAC</strong> (henrik, 2010-01-08, updated 2010-01-28)</p>
<p>NuForce µDAC / uDAC in Linux</p>
<p><strong>Status:</strong> Tested and found to be working on Debian Lenny with a 2.6.30 kernel from backports.org</p>
<h2 id="connecting-to-the-system">Connecting to the system<a class="headerlink" href="#connecting-to-the-system" title="Permanent link">¶</a></h2>
<p>Logs when connecting</p>
<div class="codehilite"><pre><span></span> <span class="o">[</span> <span class="m">185</span>.824297<span class="o">]</span> usb <span class="m">7</span>-2: new full speed USB device using uhci_hcd and address <span class="m">2</span>
<span class="o">[</span> <span class="m">186</span>.023563<span class="o">]</span> usb <span class="m">7</span>-2: New USB device found, <span class="nv">idVendor</span><span class="o">=</span>08bb, <span class="nv">idProduct</span><span class="o">=</span>da48
<span class="o">[</span> <span class="m">186</span>.023574<span class="o">]</span> usb <span class="m">7</span>-2: New USB device strings: <span class="nv">Mfr</span><span class="o">=</span><span class="m">1</span>, <span class="nv">Product</span><span class="o">=</span><span class="m">2</span>, <span class="nv">SerialNumber</span><span class="o">=</span><span class="m">0</span>
<span class="o">[</span> <span class="m">186</span>.023580<span class="o">]</span> usb <span class="m">7</span>-2: Product: Nuforce �DAC
<span class="o">[</span> <span class="m">186</span>.023585<span class="o">]</span> usb <span class="m">7</span>-2: Manufacturer: Vendor strings are placed here.
<span class="o">[</span> <span class="m">186</span>.023791<span class="o">]</span> usb <span class="m">7</span>-2: configuration <span class="c1">#1 chosen from 1 choice</span>
<span class="o">[</span> <span class="m">186</span>.030474<span class="o">]</span> input: Vendor strings are placed here. Nuforce �DAC as /devices/pci0000:00/0000:00:1d.1/usb7/7-2/7-2:1.2/input/input17
<span class="o">[</span> <span class="m">186</span>.030646<span class="o">]</span> generic-usb <span class="m">0003</span>:08BB:DA48.0005: input,hidraw4: USB HID v1.00 Device <span class="o">[</span>Vendor strings are placed here. Nuforce �DAC <span class="o">]</span> on usb-0000:00:1d.1-2/input2
<span class="o">[</span> <span class="m">186</span>.291482<span class="o">]</span> usbcore: registered new interface driver snd-usb-audio
</pre></div>
<div class="codehilite"><pre><span></span> $ lsusb <span class="p">|</span> grep <span class="m">007</span> <span class="p">|</span> grep <span class="m">002</span>
Bus <span class="m">007</span> Device <span class="m">002</span>: ID 08bb:da48 Texas Instruments Japan
</pre></div>
<h2 id="gnome-config">Gnome config<a class="headerlink" href="#gnome-config" title="Permanent link">¶</a></h2>
<p>System -> Preferences -> Sound</p>
<p><img alt="Gnome Prefs" src="//community.riocities.com/images/gnome_udac.png"/></p>
<h2 id="bugs">Bugs<a class="headerlink" href="#bugs" title="Permanent link">¶</a></h2>
<p>The Gnome volume applet has problems with the non-Unicode character in the product string.</p>
<p>The following error is received in "Open Volume Control" when selecting "NuForce DAC" under "File -> Change Device"</p>
<p><img alt="Gnome Volume Applet DAC" src="//community.riocities.com/images/gnome_volume_applet_DAC.png"/></p>
<p>Error:</p>
<p><img alt="Gnome Volume Applet DAC error" src="//community.riocities.com/images/gnome_volume_applet_DAC_error.png"/></p>
<p>"Details" shows <code>Text contains invalid UTF-8</code></p>
<h2 id="mplayer-config">Mplayer config<a class="headerlink" href="#mplayer-config" title="Permanent link">¶</a></h2>
<p>Prerequisites: aplay</p>
<div class="codehilite"><pre><span></span>$ aplay -l <span class="p">|</span> grep Nuforce <span class="p">|</span> awk <span class="s1">'{ print $2 $9 }'</span> <span class="p">|</span> sed -e <span class="s2">"s/:/./g"</span> -e <span class="s2">"s/^\(.*\)\.</span>$<span class="s2">/ao=alsa:device=hw=\1/"</span> >> ~/.mplayer/config
</pre></div>
<p>Now use mplayer as usual</p>
<p><strong>Replacing apt-proxy with apt-cacher-ng</strong> (henrik, 2009-07-13, updated 2009-07-14)</p>
<p>Howto replace APT-Proxy with APT-cacher-ng</p>
<p><strong>Goal</strong> change to APT cacher-ng from APT-Proxy without changes on the client side.</p>
<p><strong>Tested with</strong> apt-cacher-ng 0.4</p>
<h2 id="installation-and-configuration">Installation and configuration<a class="headerlink" href="#installation-and-configuration" title="Permanent link">¶</a></h2>
<ol>
<li>
<p>Install</p>
<div class="codehilite"><pre><span></span>apt-get install apt-cacher-ng
</pre></div>
</li>
<li>
<p>Do the following changes to /etc/apt-cacher-ng/acng.conf</p>
<div class="codehilite"><pre><span></span><span class="o">@@</span> <span class="nt">-9</span><span class="o">,</span><span class="nt">7</span> <span class="o">+</span><span class="nt">9</span><span class="o">,</span><span class="nt">7</span> <span class="o">@@</span>
<span class="err">#</span> <span class="nt">TCP</span> <span class="o">(</span><span class="nt">http</span><span class="o">)</span> <span class="nt">port</span>
<span class="err">#</span> <span class="nt">Set</span> <span class="nt">to</span> <span class="nt">9999</span> <span class="nt">to</span> <span class="nt">emulate</span> <span class="nt">apt-proxy</span>
<span class="nt">-Port</span><span class="p">:</span><span class="nd">3142</span>
<span class="o">+</span><span class="nt">Port</span><span class="p">:</span><span class="nd">9999</span>
<span class="err">#</span> <span class="nt">Addresses</span> <span class="nt">to</span> <span class="nt">bind</span><span class="o">/</span><span class="nt">listen</span> <span class="nt">on</span><span class="o">.</span> <span class="nt">Multiple</span> <span class="nt">addresses</span> <span class="nt">must</span> <span class="nt">be</span> <span class="nt">separated</span> <span class="nt">by</span> <span class="nt">spaces</span><span class="o">.</span>
<span class="err">#</span> <span class="nt">DNS</span> <span class="nt">resolution</span> <span class="nt">is</span> <span class="nt">performed</span><span class="o">.</span> <span class="nt">If</span> <span class="nt">multiple</span> <span class="nt">protocols</span> <span class="nt">are</span> <span class="nt">available</span> <span class="nt">for</span> <span class="nt">a</span>
<span class="o">@@</span> <span class="nt">-27</span><span class="o">,</span><span class="nt">6</span> <span class="o">+</span><span class="nt">27</span><span class="o">,</span><span class="nt">11</span> <span class="o">@@</span>
<span class="nt">Remap-debrep</span><span class="o">:</span> <span class="nt">file</span><span class="p">:</span><span class="nd">deb_mirror</span><span class="o">*</span><span class="p">.</span><span class="nc">gz</span> <span class="o">/</span><span class="nt">debian</span> <span class="o">;</span> <span class="nt">file</span><span class="p">:</span><span class="nd">backends_debian</span>
<span class="nt">Remap-uburep</span><span class="o">:</span> <span class="nt">file</span><span class="p">:</span><span class="nd">ubuntu_mirrors</span> <span class="o">/</span><span class="nt">ubuntu</span> <span class="o">;</span> <span class="nt">file</span><span class="p">:</span><span class="nd">backends_ubuntu</span>
<span class="nt">Remap-debvol</span><span class="o">:</span> <span class="nt">file</span><span class="p">:</span><span class="nd">debvol_mirror</span><span class="o">*</span><span class="p">.</span><span class="nc">gz</span> <span class="o">/</span><span class="nt">debian-volatile</span> <span class="o">;</span> <span class="nt">file</span><span class="p">:</span><span class="nd">backends_debvol</span>
<span class="o">+</span><span class="nt">Remap-debsec</span><span class="o">:</span> <span class="nt">file</span><span class="p">:</span><span class="nd">deb_sec_mirrors</span> <span class="o">/</span><span class="nt">debian-security</span> <span class="o">;</span> <span class="nt">file</span><span class="p">:</span><span class="nd">backends_debian_sec</span>
<span class="o">+</span><span class="nt">Remap-ubusec</span><span class="o">:</span> <span class="nt">file</span><span class="p">:</span><span class="nd">ubuntu_sec_mirrors</span> <span class="o">/</span><span class="nt">ubuntu-security</span> <span class="o">;</span> <span class="nt">file</span><span class="p">:</span><span class="nd">backends_ubuntu_sec</span>
<span class="o">+</span><span class="err">#</span> <span class="nt">Ubuntu</span> <span class="nt">nx</span> <span class="nt">ppa</span>
<span class="o">+</span><span class="nt">Remap-ubunx</span><span class="o">:</span> <span class="nt">file</span><span class="p">:</span><span class="nd">ubuntu_nx_mirrors</span> <span class="o">/</span><span class="nt">ubuntu-nx</span> <span class="o">;</span> <span class="nt">file</span><span class="p">:</span><span class="nd">backends_ubuntu_nx</span>
<span class="o">+</span>
<span class="err">#</span> <span class="nt">Virtual</span> <span class="nt">page</span> <span class="nt">accessible</span> <span class="nt">in</span> <span class="nt">a</span> <span class="nt">web</span> <span class="nt">browser</span> <span class="nt">to</span> <span class="nt">see</span> <span class="nt">statistics</span> <span class="nt">and</span> <span class="nt">status</span>
<span class="err">#</span> <span class="nt">information</span><span class="o">,</span> <span class="nt">i</span><span class="p">.</span><span class="nc">e</span><span class="o">.</span> <span class="nt">under</span> <span class="nt">http</span><span class="o">://</span><span class="nt">localhost</span><span class="p">:</span><span class="nd">3142</span><span class="o">/</span><span class="nt">acng-report</span><span class="p">.</span><span class="nc">html</span>
<span class="o">@@</span> <span class="nt">-57</span><span class="o">,</span><span class="nt">7</span> <span class="o">+</span><span class="nt">62</span><span class="o">,</span><span class="nt">7</span> <span class="o">@@</span>
<span class="err">#</span> <span class="nt">offlinemode</span><span class="p">:</span><span class="nd">0</span>
<span class="err">#</span> <span class="nt">Forbid</span> <span class="nt">all</span> <span class="nt">downloads</span> <span class="nt">that</span> <span class="nt">don</span><span class="err">'</span><span class="nt">t</span> <span class="nt">run</span> <span class="nt">through</span> <span class="nt">preconfigured</span> <span class="nt">backends</span> <span class="o">(</span><span class="p">.</span><span class="nc">where</span><span class="o">)</span>
<span class="nt">-</span><span class="p">#</span><span class="nn">ForceManaged</span><span class="o">:</span> <span class="nt">0</span>
<span class="o">+</span><span class="nt">ForceManaged</span><span class="o">:</span> <span class="nt">1</span>
<span class="err">#</span> <span class="nt">Days</span> <span class="nt">before</span> <span class="nt">considering</span> <span class="nt">an</span> <span class="nt">unreferenced</span> <span class="nt">file</span> <span class="nt">expired</span> <span class="o">(</span><span class="nt">to</span> <span class="nt">be</span> <span class="nt">deleted</span><span class="o">).</span>
<span class="err">#</span> <span class="nt">Warning</span><span class="o">:</span> <span class="nt">if</span> <span class="nt">the</span> <span class="nt">value</span> <span class="nt">is</span> <span class="nt">set</span> <span class="nt">too</span> <span class="nt">low</span> <span class="nt">and</span> <span class="nt">particular</span> <span class="nt">index</span> <span class="nt">files</span> <span class="nt">are</span> <span class="nt">not</span>
</pre></div>
</li>
<li>
<p>Create backend config files (replace with your local mirrors) in /etc/apt-cacher-ng. With <code>ForceManaged: 1</code> set above, only downloads that go through one of these preconfigured backends are allowed, so every distribution your clients use needs an entry here.</p>
<p>backends_debian</p>
<div class="codehilite"><pre><span></span>http://ftp.se.debian.org/debian
</pre></div>
<p>backends_debian_sec</p>
<div class="codehilite"><pre><span></span>http://security.debian.org/
</pre></div>
<p>backends_debvol</p>
<div class="codehilite"><pre><span></span>http://volatile.debian.org/debian-volatile
</pre></div>
<p>backends_ubuntu</p>
<div class="codehilite"><pre><span></span>http://se.archive.ubuntu.com/ubuntu/
</pre></div>
<p>backends_ubuntu_nx</p>
<div class="codehilite"><pre><span></span>http://ppa.launchpad.net/freenx-team/ppa/ubuntu
</pre></div>
<p>backends_ubuntu_sec</p>
<div class="codehilite"><pre><span></span>http://security.ubuntu.com/ubuntu
</pre></div>
</li>
<li>
<p>Create the extra mirror files that are still needed in /etc/apt-cacher-ng (copies of the corresponding backend files)</p>
<div class="codehilite"><pre><span></span>cp backends_debian_sec deb_sec_mirrors
cp backends_ubuntu_sec ubuntu_sec_mirrors
cp backends_ubuntu_nx ubuntu_nx_mirrors
</pre></div>
</li>
<li>
<p>Set an <code>AdminAuth</code> (user:password) in /etc/apt-cacher-ng/security.conf. The report page offers maintenance actions, including the cache import used below, so do not leave it reachable without credentials.</p>
</li>
<li>
<p>Done, now you can (re-)start apt-cacher-ng</p>
</li>
</ol>
<h2 id="data-migration-optional">Data migration (optional)<a class="headerlink" href="#data-migration-optional" title="Permanent link">¶</a></h2>
<p>Once you have verified that all your clients can update through apt-cacher-ng instead of apt-proxy, you are ready to migrate the cached data.</p>
<p><strong>Note:</strong> You will at least have to run an update from every dist you have clients on (e.g. etch + lenny & dapper + hardy); otherwise the index files needed for a successful import will not be in the cache.</p>
<ol>
<li>
<p>Create hard links for the .deb and .tar.gz files from the apt-proxy cache in a temporary import directory. Hard links share their inode, so the <code>chown</code> below also changes the owner of the files in the apt-proxy cache; apt-proxy cannot be used after this step.</p>
<div class="codehilite"><pre><span></span>mkdir /var/cache/apt-cacher-ng/_import
# -exec passes each path intact (xargs without -0 would split names containing spaces);
# ln needs both caches on the same filesystem
find /var/cache/apt-proxy/ -type f \( -name '*.deb' -o -name '*.tar.gz' \) -exec ln {} /var/cache/apt-cacher-ng/_import/ \;
chown -R apt-cacher-ng:apt-cacher-ng /var/cache/apt-cacher-ng/_import
</pre></div>
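<p>Step 1 as a script, added here as an example and not part of the original page. It does what the one-liner above does but passes file names safely (no word splitting on spaces), takes regular files only, skips a name that has already been staged when the same package was cached under two mirror paths, and falls back to copying when the two caches are on different filesystems, where <code>ln</code> fails. Source and target directories are parameters; the defaults are the paths used on this page.</p>

```shell
# Added example, not code from the original page: stage the apt-proxy cache
# for apt-cacher-ng's import. Source and target are parameters; the defaults
# are the directories used on the page.
stage_import() {
    src=${1:-/var/cache/apt-proxy}
    dst=${2:-/var/cache/apt-cacher-ng/_import}
    mkdir -p "$dst" || return 1
    # find hands batches of matching paths to an inline sh; "{} +" keeps each
    # name as one argument, so spaces in file names are not a problem
    find "$src" -type f \( -name '*.deb' -o -name '*.tar.gz' \) -exec sh -c '
        dst=$1; shift
        for f; do
            base=${f##*/}
            # same package already staged from another mirror path: keep the first copy
            [ -e "$dst/$base" ] && continue
            # hard link when possible; ln fails across filesystems (EXDEV), then copy
            ln "$f" "$dst/$base" 2>/dev/null || cp -p "$f" "$dst/$base"
        done' sh "$dst" {} +
}

# Number of files staged in the import directory, for checking the result
staged_count() {
    find "${1:-/var/cache/apt-cacher-ng/_import}" -type f | wc -l | tr -d ' '
}
```

<p>Run it as root, then apply the <code>chown</code> from the listing above to the import directory before starting the import from the report page. A copied file, unlike a hard link, leaves the apt-proxy cache untouched, so the ownership caveat above only applies to the hard-linked files.</p>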
</li>
<li>
<p>Point your web browser at the apt-cacher-ng report page, i.e. the address your clients now use (e.g. http://aptproxy:9999) with <code>/acng-report.html</code> appended, and log in with the AdminAuth credentials </p>
</li>
<li>
<p>Click "Start import"</p>
</li>
<li>
<p>De-install and purge apt-proxy</p>
<div class="codehilite"><pre><span></span>apt-get remove apt-proxy --purge
</pre></div>
</li>
<li>
<p>When the import has finished, remove the apt-proxy cache (<code>rm -r /var/cache/apt-proxy/</code>) and /var/cache/apt-cacher-ng/_import</p>
</li>
</ol>Ubuntu Gutsy HSDPA E220 Modem2007-11-17T21:50:22+01:002007-11-17T21:50:22+01:00henriktag:community.riocities.com,2007-11-17:/Ubuntu_Gutsy_HSDPA_E220_Modem.html<h1 id="tele2-mobile-broadband-in-ubuntu">Tele2 Mobile "Broadband" in Ubuntu<a class="headerlink" href="#tele2-mobile-broadband-in-ubuntu" title="Permanent link">¶</a></h1>
<p>Prerequisite</p>
<div class="codehilite"><pre><span></span><span class="n">Device</span><span class="o">:</span> <span class="n">Huawei</span> <span class="n">E220</span> <span class="o">(</span><span class="n">USB</span><span class="o">)</span>
<span class="n">Operator</span><span class="o">:</span> <span class="n">Swedish</span> <span class="n">Tele2</span>
<span class="n">SIM</span><span class="o">-</span><span class="n">Card</span><span class="o">:</span> <span class="n">disabled</span> <span class="n">PIN</span> <span class="n">code</span> <span class="o">(</span><span class="n">put</span> <span class="n">it</span> <span class="k">in</span> <span class="n">you</span> <span class="n">phone</span> <span class="n">first</span> <span class="n">and</span> <span class="n">disable</span> <span class="n">the</span> <span class="n">pin</span> <span class="n">code</span><span class="o">)</span>
<span class="n">OS</span><span class="o">:</span> <span class="n">Ubuntu</span> <span class="n">Gutsy</span> <span class="n">Gibbon</span> <span class="mf">7.10</span>
</pre></div>
<p>What will be done: set up the USB HSDPA modem so that it connects to the Internet automatically when it is plugged in. The SIM PIN is disabled so that wvdial does not have to unlock the card; the trade-off is that anyone who picks up the stick can use your subscription. If you prefer to keep the PIN, an extra <code>Init</code> line that sends <code>AT+CPIN</code> with the PIN before the <code>AT+CGDCONT</code> line is needed.</p>
<h2 id="1-compile-huaweiaktbbo-and-place-it-in-your-path">1. Compile <code>huaweiAktBbo</code> and place it in your path.<a class="headerlink" href="#1-compile-huaweiaktbbo-and-place-it-in-your-path" title="Permanent link">¶</a></h2>
<div class="codehilite"><pre><span></span>$ wget http://www.kanoistika.sk/bobovsky/archiv/umts/huaweiAktBbo.c
$ sudo apt-get install libusb-dev
$ gcc huaweiAktBbo.c -o huaweiAktBbo -l usb
$ sudo cp huaweiAktBbo /usr/local/bin/
</pre></div>
<p>The source is fetched over plain HTTP and the resulting binary is later run as root from udev, so read through it before compiling.</p>
<h2 id="2-test-the-modem">2. Test the modem<a class="headerlink" href="#2-test-the-modem" title="Permanent link">¶</a></h2>
<p>2.1 Connect the USB modem and wait for a while</p>
<p>2.2 Check that you now see a USB serial device</p>
<div class="codehilite"><pre><span></span>$ ls -l /dev/ttyUSB0
crw-rw---- <span class="m">1</span> root dialout <span class="m">188</span>, <span class="m">0</span> <span class="m">2007</span>-11-17 <span class="m">19</span>:50 /dev/ttyUSB0
</pre></div>
<p>2.3 Run <code>sudo huaweiAktBbo</code> (it switches the E220 out of its USB-storage mode) and check that you now see three USB serial devices</p>
<div class="codehilite"><pre><span></span>$ ls -l /dev/ttyUSB*
crw-rw---- <span class="m">1</span> root dialout <span class="m">188</span>, <span class="m">0</span> <span class="m">2007</span>-11-17 <span class="m">19</span>:50 /dev/ttyUSB0
crw-rw---- <span class="m">1</span> root dialout <span class="m">188</span>, <span class="m">1</span> <span class="m">2007</span>-11-17 <span class="m">19</span>:50 /dev/ttyUSB1
crw-rw---- <span class="m">1</span> root dialout <span class="m">188</span>, <span class="m">2</span> <span class="m">2007</span>-11-17 <span class="m">19</span>:50 /dev/ttyUSB2
</pre></div>
<h2 id="3-test-the-connection">3. Test the connection<a class="headerlink" href="#3-test-the-connection" title="Permanent link">¶</a></h2>
<p>3.1 Create a wvdial config file named <code>/etc/wvdial.conf</code>. It holds the APN credentials, so keep it root-owned with mode 0600 (wvdial is run with sudo below).</p>
<div class="codehilite"><pre><span></span><span class="k">[Dialer Defaults]</span>
<span class="na">Modem</span> <span class="o">=</span> <span class="s">/dev/ttyUSB0</span>
<span class="na">Baud</span> <span class="o">=</span> <span class="s">460800</span>
<span class="na">Init1</span> <span class="o">=</span> <span class="s">ATZ</span>
<span class="na">Init2</span> <span class="o">=</span> <span class="s">ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0</span>
<span class="na">Phone</span> <span class="o">=</span> <span class="s">*99#</span>
<span class="na">Username</span> <span class="o">=</span> <span class="s">gprs</span>
<span class="na">Password</span> <span class="o">=</span> <span class="s">internet</span>
<span class="na">Dial Command</span> <span class="o">=</span> <span class="s">ATDT</span>
<span class="na">Stupid Mode</span> <span class="o">=</span> <span class="s">1</span>
<span class="na">ISDN</span> <span class="o">=</span> <span class="s">0</span>
<span class="na">Auto DNS</span> <span class="o">=</span> <span class="s">1</span>
<span class="na">Init3</span> <span class="o">=</span> <span class="s">AT+CGDCONT=1,"IP","internet.tele2.se"</span>
</pre></div>
<p>3.2 Try to connect</p>
<div class="codehilite"><pre><span></span>$ sudo wvdial
</pre></div>
<p>3.3 Check that you are connected</p>
<div class="codehilite"><pre><span></span>$ ifconfig ppp0
ppp0 Link encap:Point-to-Point Protocol
inet addr:83.178.XX.YY P-t-P:10.64.64.64 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:21 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:778 <span class="o">(</span><span class="m">778</span>.0 b<span class="o">)</span> TX bytes:157 <span class="o">(</span><span class="m">157</span>.0 b<span class="o">)</span>
$ host www.slashdot.org
www.slashdot.org has address AA.BB.CC.DD
www.slashdot.org mail is handled by <span class="m">10</span> mail.ostg.com.
</pre></div>
<h2 id="4-if-everything-was-ok-up-to-this-point-you-are-now-ready-to-make-it-automatic">4. If everything was OK up to this point you are now ready to make it automatic<a class="headerlink" href="#4-if-everything-was-ok-up-to-this-point-you-are-now-ready-to-make-it-automatic" title="Permanent link">¶</a></h2>
<p>4.1 UDEV rule</p>
<p>Create the file <code>/etc/udev/rules.d/50-huawei-e220.rules</code> with the following rule (Gutsy's udev uses the <code>SYSFS{...}</code> match keys; later udev releases call them <code>ATTRS{...}</code>)</p>
<div class="codehilite"><pre><span></span>SUBSYSTEM=="usb", SYSFS{idProduct}=="1003", SYSFS{idVendor}=="12d1", RUN+="/usr/local/bin/setup_e220"
</pre></div>
<p>4.2 RUN script</p>
<p>Create the script that udev calls when the device is inserted, and name it <code>/usr/local/bin/setup_e220</code>. Because the operator sometimes hands out a nameserver that does not answer, the script checks <code>/etc/resolv.conf</code> after the link is up and redials when it finds that address. udev waits for <code>RUN</code> programs to finish before it handles further events for the device, which is why the dialling runs in background functions while the script itself exits at once.</p>
<div class="codehilite"><pre><span></span><span class="ch">#!/bin/sh</span>
<span class="c1"># This script should be called with the following line in</span>
<span class="c1"># /etc/udev/rules.d/50-huawei-e220.rules</span>
<span class="c1"># SUBSYSTEM=="usb", SYSFS{idProduct}=="1003", SYSFS{idVendor}=="12d1", RUN+="/root/src/setup_E220"</span>
<span class="nv">LOCKFILE</span><span class="o">=</span>/var/lock/LCK..setup_E220
<span class="nv">LOCKFILE_USB</span><span class="o">=</span>/var/lock/LCK..ttyUSB0
<span class="nv">LOGFILE</span><span class="o">=</span>/tmp/setup_E220.log
<span class="nv">BAD_DNS</span><span class="o">=</span><span class="s2">"10.11.12.13"</span> <span class="c1"># Address of bad DNS server to check for</span>
<span class="nb">export</span> <span class="nv">PATH</span><span class="o">=</span>/usr/sbin:/usr/bin:/sbin:/bin
setup<span class="o">()</span>
<span class="o">{</span>
sleep <span class="m">5</span>
/usr/local/bin/huaweiAktBbo >> <span class="nv">$LOGFILE</span> <span class="m">2</span>><span class="p">&</span><span class="m">1</span>
<span class="c1">#/etc/network/firewall >> $LOGFILE 2>&1</span>
sleep <span class="m">5</span>
wvdial >> <span class="nv">$LOGFILE</span> <span class="m">2</span>><span class="p">&</span><span class="m">1</span>
<span class="nb">echo</span> <span class="s2">"Removing </span><span class="nv">$LOCKFILE</span><span class="s2">"</span> >> <span class="nv">$LOGFILE</span>
rm <span class="nv">$LOCKFILE</span>
<span class="o">}</span>
check_DNS<span class="o">()</span>
<span class="o">{</span>
<span class="k">while</span> <span class="nb">true</span>
<span class="k">do</span>
<span class="c1"># Wait for connection</span>
sleep <span class="m">2</span>
<span class="k">while</span> <span class="o">[</span> ! -e <span class="nv">$LOCKFILE_USB</span> -a -e <span class="nv">$LOCKFILE</span> <span class="o">]</span><span class="p">;</span> <span class="k">do</span> sleep <span class="m">1</span><span class="p">;</span> <span class="k">done</span>
<span class="k">while</span> <span class="o">[</span> <span class="sb">`</span><span class="o">(</span>ifconfig ppp0 <span class="p">|</span> grep -c inet<span class="o">)</span> <span class="m">2</span>> /dev/null<span class="sb">`</span> -eq <span class="m">0</span> -a -e <span class="nv">$LOCKFILE</span> <span class="o">]</span><span class="p">;</span> <span class="k">do</span> sleep <span class="m">1</span><span class="p">;</span> <span class="k">done</span>
<span class="o">[</span> ! -e <span class="nv">$LOCKFILE</span> <span class="o">]</span> <span class="o">&&</span> <span class="nb">break</span>
sleep <span class="m">5</span>
<span class="c1"># Check DNS</span>
<span class="k">if</span> <span class="o">[</span> <span class="sb">`</span>grep -c <span class="nv">$BAD_DNS</span> /etc/resolv.conf<span class="sb">`</span> -eq <span class="m">1</span> <span class="o">]</span><span class="p">;</span><span class="k">then</span>
<span class="nb">echo</span> <span class="s2">"DNS NOK"</span> >> <span class="nv">$LOGFILE</span>
<span class="c1"># kill wvdial & run setup again</span>
<span class="nb">kill</span> <span class="sb">`</span>cat <span class="nv">$LOCKFILE_USB</span><span class="sb">`</span>
<span class="k">while</span> <span class="o">[</span> -e <span class="nv">$LOCKFILE</span> <span class="o">]</span><span class="p">;</span> <span class="k">do</span> sleep <span class="m">1</span><span class="p">;</span> <span class="k">done</span>
setup <span class="p">&</span>
<span class="nb">echo</span> <span class="nv">$!</span> > <span class="nv">$LOCKFILE</span>
sleep <span class="m">10</span>
<span class="k">else</span>
<span class="nb">echo</span> <span class="s2">"DNS OK"</span> >> <span class="nv">$LOGFILE</span>
<span class="nb">break</span>
<span class="k">fi</span>
<span class="k">done</span>
<span class="o">}</span>
<span class="k">if</span> <span class="o">[</span> ! -e <span class="nv">$LOCKFILE</span> <span class="o">]</span><span class="p">;</span> <span class="k">then</span>
<span class="nb">echo</span> <span class="s2">"Preparing for dialup."</span> > <span class="nv">$LOGFILE</span>
setup <span class="p">&</span>
<span class="nb">echo</span> <span class="nv">$!</span> > <span class="nv">$LOCKFILE</span>
<span class="o">[</span> ! -z <span class="s2">"</span><span class="nv">$BAD_DNS</span><span class="s2">"</span> <span class="o">]</span> <span class="o">&&</span> check_DNS <span class="p">&</span>
<span class="k">fi</span>
</pre></div>
<p><strong>Note:</strong> I call my firewall script in the setup function.</p>
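<p>The script kills whatever PID it reads from <code>/var/lock/LCK..ttyUSB0</code> without checking it. That lock can be left behind when wvdial dies, and by then the number may belong to another process. The helpers below, added here as an example and not part of the original script, read such a lock and only signal the holder if it is still alive. They assume the lock holds the PID as a whitespace-padded decimal number (the HDB UUCP format, which is what the page's <code>cat</code> relies on too), take the lock path as a parameter and need nothing beyond a POSIX shell.</p>

```shell
# Added example, not code from the original page: safe handling of the
# UUCP-style serial lock wvdial leaves in /var/lock. Assumes the lock holds
# one whitespace-padded decimal PID.

# Print the PID stored in a lock file; fail if the file is unreadable or does
# not contain a plain decimal number.
lock_pid() {
    pid=$(tr -d ' \t\n' 2>/dev/null < "$1") || return 1
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$pid"
}

# Succeed only if the lock belongs to a process that still exists.
lock_alive() {
    pid=$(lock_pid "$1") || return 1
    kill -0 "$pid" 2>/dev/null
}

# Send SIGTERM to the lock holder if it is alive; otherwise remove the stale
# lock and fail, so the caller knows nothing was signalled.
kill_lock_holder() {
    if lock_alive "$1"; then
        kill "$(lock_pid "$1")"
    else
        rm -f "$1"
        return 1
    fi
}
```

<p>In the script above, the unconditional kill of the PID read from <code>$LOCKFILE_USB</code> would become <code>kill_lock_holder "$LOCKFILE_USB"</code>.</p>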
<p>That's it. The HSDPA USB Modem will now connect automatically when you insert it into your computer.</p>vnc readony port.patch2007-07-15T14:27:53+02:002007-07-15T14:27:53+02:00henriktag:community.riocities.com,2007-07-15:/vnc_readony_port_patch.html
<ul>
<li>Based on work by John Kilburg <a href="http://www.physics.unlv.edu/~john/hacks/vnc/">http://www.physics.unlv.edu/~john/hacks/vnc/</a></li>
<li>Updated to VNC 3.3.7</li>
<li>Adds a second RFB listener on the display's port plus 50 (display :N gets 5900+N for full access and 5950+N for viewing); clients on it are flagged read-only</li>
<li>Optionally protects the read-only port with its own password file, named like the normal password file with <code>.readonly</code> appended; without that file the read-only port accepts viewers without any authentication, so only run it that way on a network you trust</li>
</ul>
<p>Patches:</p>
<h2 id="start-script">Start script<a class="headerlink" href="#start-script" title="Permanent link">¶</a></h2>
<figure class="code">
<figcaption><span>[Patch for the Perl start script] vnc-3.3.7.readonly-script.patch</span> <a href="/code/files/vnc-3.3.7.readonly-script.patch">download</a>
<div class="codehilite"><pre><span></span><span class="gh">diff -urN vnc-3.3.7/vncserver vnc-3.3.7.readonly/vncserver</span>
<span class="gd">--- vnc-3.3.7/vncserver 2007-06-09 22:27:05.000000000 +0200</span>
<span class="gi">+++ vnc-3.3.7.readonly/vncserver 2007-06-11 18:53:00.000000000 +0200</span>
<span class="gu">@@ -115,6 +115,9 @@</span>
if ($pixelformat) {
$opt{'-pixelformat'} = $pixelformat;
}
<span class="gi">+if (!$useVncReadOnlyPort) {</span>
<span class="gi">+ $useVncReadOnlyPort="true";</span>
<span class="gi">+}</span>
chop($host = `uname -n`);
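Review bot: this turns the read-only listener on for every vncserver invocation, because $useVncReadOnlyPort is set nowhere else in this patch and the new block defaults it to "true". An extra network listener should be opt-in: initialise it to "false" here and add an option to enable it, or at least state the default in the usage text.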
<span class="gu">@@ -192,6 +195,16 @@</span>
}
}
<span class="gi">+# Check if we should use a password for readonly port</span>
<span class="gi">+</span>
<span class="gi">+($z,$z,$mode) = stat("$vncPasswdFile.readonly");</span>
<span class="gi">+if ((-e "$vncPasswdFile.readonly") || ($mode & 077)) {</span>
<span class="gi">+ $useReadOnlyPasswd="true";</span>
<span class="gi">+}</span>
<span class="gi">+else {</span>
<span class="gi">+ $useReadOnlyPasswd="false"; </span>
<span class="gi">+}</span>
<span class="gi">+</span>
# Find display number.
if ((@ARGV > 0) && ($ARGV[0] =~ /^:(\d+)$/)) {
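Review bot: the condition `if ((-e "$vncPasswdFile.readonly") || ($mode & 077))` makes the mode check dead code: when the file exists the -e test already succeeds, and when it does not exist stat returned nothing and $mode is undefined. More importantly the else branch means a missing .readonly file silently produces a read-only port with no authentication at all (the C side sends rfbNoAuth when rfbReadOnlyAuthPasswdFile is NULL). Suggest dying if the file is missing while the read-only port is enabled, and using ($mode & 077) to warn when it is group or world readable.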
<span class="gu">@@ -207,6 +220,10 @@</span>
}
$vncPort = 5900 + $displayNumber;
<span class="gi">+if($vncPort > 5949) {</span>
<span class="gi">+ die "Only port numbers below :49 (5949) are allowed\n";</span>
<span class="gi">+}</span>
<span class="gi">+$vncReadOnlyPort = 50 + $vncPort;</span>
$desktopLog = "$vncUserDir/$host:$displayNumber.log";
unlink($desktopLog);
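Review bot: $vncReadOnlyPort = 50 + $vncPort only avoids clashes with displays started by this script; an Xvnc started by other means on display :N+50 still collides with the read-only port of :N, and the die message should explain that this is why :49 is the limit. A separate, configurable base port would remove the coupling.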
<span class="gu">@@ -247,6 +264,12 @@</span>
$cmd .= " -rfbwait $rfbwait";
$cmd .= " -rfbauth $vncPasswdFile";
$cmd .= " -rfbport $vncPort";
<span class="gi">+if ($useVncReadOnlyPort eq "true") {</span>
<span class="gi">+ $cmd .= " -readonlyport $vncReadOnlyPort";</span>
<span class="gi">+}</span>
<span class="gi">+if ($useReadOnlyPasswd eq "true") {</span>
<span class="gi">+ $cmd .= " -readonlyauth $vncPasswdFile.readonly";</span>
<span class="gi">+}</span>
$cmd .= ' -fp "' . $fontPath . '"';
$cmd .= " -co $colorPath" if ($colorPath);
$cmd .= " -alwaysshared" if ($opt{'-alwaysshared'});
</pre></div>
</figcaption></figure>
<h2 id="c-code">C-code<a class="headerlink" href="#c-code" title="Permanent link">¶</a></h2>
<figure class="code">
<figcaption><span>[Patch for the c code] vnc-3.3.7.readonly.patch</span> <a href="/code/files/vnc-3.3.7.readonly.patch">download</a>
<div class="codehilite"><pre><span></span><span class="gh">diff -urNb vnc-3.3.7/Xvnc/programs/Xserver/hw/vnc/auth.c vnc-3.3.7.readonly/Xvnc/programs/Xserver/hw/vnc/auth.c</span>
<span class="gd">--- vnc-3.3.7/Xvnc/programs/Xserver/hw/vnc/auth.c 2002-09-01 17:58:21.000000000 +0200</span>
<span class="gi">+++ vnc-3.3.7.readonly/Xvnc/programs/Xserver/hw/vnc/auth.c 2007-06-11 19:22:04.000000000 +0200</span>
<span class="gu">@@ -36,12 +36,18 @@</span>
over MAX_AUTH_TRIES */
static int rfbAuthFailure();
<span class="gi">+static int rfbReadOnlyAuthFailure();</span>
static CARD32 rfbAuthReenable(OsTimerPtr timer, CARD32 now, pointer arg);
<span class="gi">+static CARD32 rfbReadOnlyAuthReenable(OsTimerPtr timerReadOnly, CARD32 now, pointer arg);</span>
char *rfbAuthPasswdFile = NULL;
<span class="gi">+char *rfbReadOnlyAuthPasswdFile = NULL;</span>
int rfbAuthTries = 0;
<span class="gi">+int rfbReadOnlyAuthTries = 0;</span>
Bool rfbAuthTooManyTries = FALSE;
<span class="gi">+Bool rfbReadOnlyAuthTooManyTries = FALSE;</span>
static OsTimerPtr timer = NULL;
<span class="gi">+static OsTimerPtr timerReadOnly = NULL;</span>
/*
<span class="gu">@@ -85,6 +91,45 @@</span>
}
}
<span class="gi">+/* rfbAuthNewReadOnlyClient is called when we reach the point of authenticating</span>
<span class="gi">+ * a new read only client. As authentication isn't being used we simply send</span>
<span class="gi">+ * rfbNoAuth.</span>
<span class="gi">+ */</span>
<span class="gi">+</span>
<span class="gi">+void</span>
<span class="gi">+rfbAuthNewReadOnlyClient(cl)</span>
<span class="gi">+ rfbClientPtr cl;</span>
<span class="gi">+{ </span>
<span class="gi">+ char buf[4 + CHALLENGESIZE];</span>
<span class="gi">+ int len;</span>
<span class="gi">+ </span>
<span class="gi">+ cl->state = RFB_AUTHENTICATION;</span>
<span class="gi">+</span>
<span class="gi">+ if (rfbReadOnlyAuthPasswdFile && !cl->reverseConnection) {</span>
<span class="gi">+</span>
<span class="gi">+ if (rfbReadOnlyAuthTooManyTries) {</span>
<span class="gi">+ rfbClientConnFailed(cl, "Too many authentication failures on read only port");</span>
<span class="gi">+ return;</span>
<span class="gi">+ }</span>
<span class="gi">+ </span>
<span class="gi">+ *(CARD32 *)buf = Swap32IfLE(rfbVncAuth);</span>
<span class="gi">+ vncRandomBytes(cl->authChallenge);</span>
<span class="gi">+ memcpy(&buf[4], (char *)cl->authChallenge, CHALLENGESIZE);</span>
<span class="gi">+ len = 4 + CHALLENGESIZE;</span>
<span class="gi">+ </span>
<span class="gi">+ } else {</span>
<span class="gi">+ </span>
<span class="gi">+ *(CARD32 *)buf = Swap32IfLE(rfbNoAuth);</span>
<span class="gi">+ len = 4;</span>
<span class="gi">+ cl->state = RFB_INITIALISATION;</span>
<span class="gi">+ }</span>
<span class="gi">+ </span>
<span class="gi">+ if (WriteExact(cl->sock, buf, len) < 0) {</span>
<span class="gi">+ rfbLogPerror("rfbAuthNewReadOnlyClient: write");</span>
<span class="gi">+ rfbCloseSock(cl->sock);</span>
<span class="gi">+ return;</span>
<span class="gi">+ }</span>
<span class="gi">+}</span>
/*
* rfbAuthProcessClientMessage is called when the client sends its
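Review bot: the comment above rfbAuthNewReadOnlyClient says no authentication is used and that it simply sends rfbNoAuth, but the body performs VNC authentication whenever rfbReadOnlyAuthPasswdFile is set; update the comment. The else branch is the security-relevant part: without -readonlyauth the server answers rfbNoAuth and hands the framebuffer to any client that reaches the port. Consider refusing to open the read-only port without a password file, or at minimum logging a warning at startup.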
<span class="gu">@@ -107,16 +152,20 @@</span>
rfbLog("rfbAuthProcessClientMessage: read failed\n");
else
rfbLogPerror("rfbAuthProcessClientMessage: read");
<span class="gd">- rfbAuthFailure();</span>
<span class="gi">+ if(!cl->readOnly) rfbAuthFailure();</span>
<span class="gi">+ else rfbReadOnlyAuthFailure();</span>
rfbCloseSock(cl->sock);
return;
}
<span class="gd">- passwd = vncDecryptPasswdFromFile(rfbAuthPasswdFile);</span>
<span class="gi">+ if (!cl->readOnly) passwd = vncDecryptPasswdFromFile(rfbAuthPasswdFile);</span>
<span class="gi">+ else passwd = vncDecryptPasswdFromFile(rfbReadOnlyAuthPasswdFile);</span>
if (passwd == NULL) {
<span class="gd">- rfbLog("rfbAuthProcessClientMessage: could not get password from %s\n",</span>
<span class="gi">+ if (!cl->readOnly) rfbLog("rfbAuthProcessClientMessage: could not get password from %s\n",</span>
rfbAuthPasswdFile);
<span class="gi">+ else rfbLog("rfbAuthProcessClientMessage: could not get (read-only) password from %s\n",</span>
<span class="gi">+ rfbReadOnlyAuthPasswdFile);</span>
authResult = Swap32IfLE(rfbVncAuthFailed);
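Review bot: the unbraced `if (!cl->readOnly) rfbLog(...,` followed by the unchanged continuation line `rfbAuthPasswdFile);` and then `else rfbLog(...)` is correct C but easy to break on the next edit; put braces around both calls, and likewise around the two-way branches earlier in this hunk.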
<span class="gu">@@ -140,7 +189,8 @@</span>
rfbLog("rfbAuthProcessClientMessage: authentication failed from %s\n",
cl->host);
<span class="gd">- authResult = rfbAuthFailure();</span>
<span class="gi">+ if (!cl->readOnly) authResult = rfbAuthFailure();</span>
<span class="gi">+ else authResult = rfbReadOnlyAuthFailure();</span>
authResult = Swap32IfLE(authResult);
if (WriteExact(cl->sock, (char *)&authResult, 4) < 0) {
<span class="gu">@@ -150,7 +200,8 @@</span>
return;
}
<span class="gd">- rfbAuthTries = 0;</span>
<span class="gi">+ if (!cl->readOnly) rfbAuthTries = 0;</span>
<span class="gi">+ else rfbReadOnlyAuthTries = 0;</span>
authResult = Swap32IfLE(rfbVncAuthOK);
<span class="gu">@@ -184,6 +235,25 @@</span>
return rfbVncAuthFailed;
}
<span class="gi">+static int rfbReadOnlyAuthFailure()</span>
<span class="gi">+{</span>
<span class="gi">+ int i;</span>
<span class="gi">+</span>
<span class="gi">+ rfbReadOnlyAuthTries++;</span>
<span class="gi">+</span>
<span class="gi">+ if (rfbReadOnlyAuthTries >= MAX_AUTH_TRIES) {</span>
<span class="gi">+</span>
<span class="gi">+ CARD32 delay = AUTH_TOO_MANY_BASE_DELAY;</span>
<span class="gi">+ for (i = MAX_AUTH_TRIES; i < rfbReadOnlyAuthTries; i++)</span>
<span class="gi">+ delay *= 2;</span>
<span class="gi">+ timerReadOnly = TimerSet(timerReadOnly, 0, delay, rfbReadOnlyAuthReenable, NULL);</span>
<span class="gi">+</span>
<span class="gi">+ rfbReadOnlyAuthTooManyTries = TRUE;</span>
<span class="gi">+ return rfbVncAuthTooMany;</span>
<span class="gi">+ }</span>
<span class="gi">+</span>
<span class="gi">+ return rfbVncAuthFailed;</span>
<span class="gi">+}</span>
static CARD32
rfbAuthReenable(OsTimerPtr timer, CARD32 now, pointer arg)
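Review bot: rfbReadOnlyAuthFailure duplicates rfbAuthFailure except for the three globals it touches; one helper taking pointers to the tries counter, the too-many flag and the timer would avoid the copy. Note also the consequence of separate counters: failures on the read-only port never lock the main port and vice versa, so if an administrator reuses the same password in both files an attacker gets twice the attempts per lockout period.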
<span class="gu">@@ -191,3 +261,10 @@</span>
rfbAuthTooManyTries = FALSE;
return 0;
}
<span class="gi">+</span>
<span class="gi">+static CARD32</span>
<span class="gi">+rfbReadOnlyAuthReenable(OsTimerPtr timerReadOnly, CARD32 now, pointer arg)</span>
<span class="gi">+{</span>
<span class="gi">+ rfbReadOnlyAuthTooManyTries = FALSE;</span>
<span class="gi">+ return 0;</span>
<span class="gi">+}</span>
<span class="gh">diff -urNb vnc-3.3.7/Xvnc/programs/Xserver/hw/vnc/init.c vnc-3.3.7.readonly/Xvnc/programs/Xserver/hw/vnc/init.c</span>
<span class="gd">--- vnc-3.3.7/Xvnc/programs/Xserver/hw/vnc/init.c 2003-02-28 19:47:10.000000000 +0100</span>
<span class="gi">+++ vnc-3.3.7.readonly/Xvnc/programs/Xserver/hw/vnc/init.c 2007-06-11 19:25:10.000000000 +0200</span>
<span class="gu">@@ -213,6 +213,19 @@</span>
return 2;
}
<span class="gi">+ if (strcasecmp(argv[i], "-readonlyport") == 0) { /* -readonlyport port */</span>
<span class="gi">+ if (i + 1 >= argc) UseMsg();</span>
<span class="gi">+ readOnlyPort = atoi(argv[i+1]);</span>
<span class="gi">+ rfbAlwaysShared = TRUE;</span>
<span class="gi">+ return 2;</span>
<span class="gi">+ }</span>
<span class="gi">+ </span>
<span class="gi">+ if (strcasecmp(argv[i], "-readonlymsg") == 0) { /* -readonlymsg msg */</span>
<span class="gi">+ if (i + 1 >= argc) UseMsg();</span>
<span class="gi">+ readOnlyMsg = argv[i+1];</span>
<span class="gi">+ return 2;</span>
<span class="gi">+ }</span>
<span class="gi">+ </span>
if (strcasecmp(argv[i], "-rfbport") == 0) { /* -rfbport port */
if (i + 1 >= argc) UseMsg();
rfbPort = atoi(argv[i+1]);
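Review bot: -readonlyport silently sets rfbAlwaysShared = TRUE, which changes how ordinary full-access clients are admitted, and nothing in the usage text mentions it. Either document the side effect next to the -readonlyport entry or require -alwaysshared to be passed explicitly. As with -rfbport, atoi() accepts garbage and 0; a range check of 1..65535 would be cheap.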
<span class="gu">@@ -236,6 +249,12 @@</span>
return 2;
}
<span class="gi">+ if (strcasecmp(argv[i], "-readonlyauth") == 0) { /* -readonlyauth passwd-file */</span>
<span class="gi">+ if (i + 1 >= argc) UseMsg();</span>
<span class="gi">+ rfbReadOnlyAuthPasswdFile = argv[i+1];</span>
<span class="gi">+ return 2;</span>
<span class="gi">+ }</span>
<span class="gi">+</span>
if (strcasecmp(argv[i], "-httpd") == 0) {
if (i + 1 >= argc) UseMsg();
httpDir = argv[i+1];
<span class="gu">@@ -874,6 +893,12 @@</span>
ErrorF("-nocursor don't put up a cursor\n");
ErrorF("-rfbauth passwd-file use authentication on RFB protocol\n");
ErrorF("-httpd dir serve files via HTTP from here\n");
<span class="gi">+ ErrorF("-readonlyport port port for read-only RFB\n");</span>
<span class="gi">+ ErrorF("-readonlymsg msg message to alert authenticated user that\n"</span>
<span class="gi">+ " the readonly port is active.\n");</span>
<span class="gi">+ ErrorF("-readonlyauth passwd-file use authentication on RFB protocol\n"</span>
<span class="gi">+ " for the read-only port\n");</span>
<span class="gi">+</span>
ErrorF("-httpport port port for HTTP\n");
ErrorF("-deferupdate time time in ms to defer updates "
"(default 40)\n");
<span class="gh">diff -urNb vnc-3.3.7/Xvnc/programs/Xserver/hw/vnc/rfb.h vnc-3.3.7.readonly/Xvnc/programs/Xserver/hw/vnc/rfb.h</span>
<span class="gd">--- vnc-3.3.7/Xvnc/programs/Xserver/hw/vnc/rfb.h 2003-02-28 19:47:10.000000000 +0100</span>
<span class="gi">+++ vnc-3.3.7.readonly/Xvnc/programs/Xserver/hw/vnc/rfb.h 2007-06-11 19:22:04.000000000 +0200</span>
<span class="gu">@@ -133,6 +133,8 @@</span>
RFB_NORMAL /* normal protocol messages */
} state;
<span class="gi">+ Bool readOnly;</span>
<span class="gi">+ </span>
Bool reverseConnection;
Bool readyForSetColourMapEntries;
<span class="gu">@@ -293,6 +295,10 @@</span>
extern int rfbMaxClientWait;
<span class="gi">+extern int readOnlyPort;</span>
<span class="gi">+extern int readOnlyListenSock;</span>
<span class="gi">+extern char *readOnlyMsg;</span>
<span class="gi">+</span>
extern int rfbPort;
extern int rfbListenSock;
extern Bool rfbLocalhostOnly;
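Review bot: readOnlyPort and readOnlyListenSock are declared here, but their definitions and the sockets.c change that calls rfbNewReadOnlyClientConnection (mentioned in the rfbserver.c comment) are not among the files shown on this page. Make sure readOnlyListenSock starts out as -1 when no -readonlyport is given, because rfbserver.c tests readOnlyListenSock >= 0 to decide whether to show the read-only warning in the desktop name.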
<span class="gu">@@ -418,9 +424,11 @@</span>
/* auth.c */
extern char *rfbAuthPasswdFile;
<span class="gi">+extern char *rfbReadOnlyAuthPasswdFile;</span>
extern Bool rfbAuthenticating;
extern void rfbAuthNewClient(rfbClientPtr cl);
<span class="gi">+extern void rfbAuthNewReadOnlyClient(rfbClientPtr cl);</span>
extern void rfbAuthProcessClientMessage(rfbClientPtr cl);
<span class="gh">diff -urNb vnc-3.3.7/Xvnc/programs/Xserver/hw/vnc/rfbserver.c vnc-3.3.7.readonly/Xvnc/programs/Xserver/hw/vnc/rfbserver.c</span>
<span class="gd">--- vnc-3.3.7/Xvnc/programs/Xserver/hw/vnc/rfbserver.c 2003-02-28 19:47:10.000000000 +0100</span>
<span class="gi">+++ vnc-3.3.7.readonly/Xvnc/programs/Xserver/hw/vnc/rfbserver.c 2007-06-11 19:22:04.000000000 +0200</span>
<span class="gu">@@ -53,6 +53,8 @@</span>
Bool rfbDontDisconnect = FALSE;
int rfbMaxRects = 50;
<span class="gi">+char *readOnlyMsg = "READONLY PORT ACTIVIATED";</span>
<span class="gi">+</span>
static rfbClientPtr rfbNewClient(int sock);
static void rfbProcessClientProtocolVersion(rfbClientPtr cl);
static void rfbProcessClientNormalMessage(rfbClientPtr cl);
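Review bot: typo in the default message, ACTIVIATED should be ACTIVATED. This string is appended to the desktop name shown in every full-access viewer's title bar, so it is the one place users will see it.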
<span class="gu">@@ -72,6 +74,27 @@</span>
rfbClientPtr cl;
cl = rfbNewClient(sock);
<span class="gi">+ cl->readOnly = 0;</span>
<span class="gi">+</span>
<span class="gi">+#ifdef CORBA</span>
<span class="gi">+ if (cl != NULL)</span>
<span class="gi">+ newConnection(cl, (KEYBOARD_DEVICE|POINTER_DEVICE), 1, 1, 1);</span>
<span class="gi">+#endif</span>
<span class="gi">+}</span>
<span class="gi">+</span>
<span class="gi">+/* </span>
<span class="gi">+ * rfbNewReadOnlyClientConnection is called from sockets.c when a new</span>
<span class="gi">+ * read-only connection comes in.</span>
<span class="gi">+ */</span>
<span class="gi">+</span>
<span class="gi">+void</span>
<span class="gi">+rfbNewReadOnlyClientConnection(sock)</span>
<span class="gi">+ int sock;</span>
<span class="gi">+{</span>
<span class="gi">+ rfbClientPtr cl;</span>
<span class="gi">+</span>
<span class="gi">+ cl = rfbNewClient(sock);</span>
<span class="gi">+ cl->readOnly = 1;</span>
#ifdef CORBA
if (cl != NULL)
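Review bot: cl->readOnly = 0 is written before the existing `if (cl != NULL)` check, so the NULL return from rfbNewClient that this check exists for now dereferences NULL; the same ordering problem is repeated in rfbNewReadOnlyClientConnection with cl->readOnly = 1. Move both assignments inside the NULL check, or have rfbNewClient take the flag as a parameter.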
<span class="gu">@@ -324,8 +347,8 @@</span>
/* Minor version mismatch - warn but try to continue */
rfbLog("Ignoring minor version mismatch\n");
}
<span class="gd">-</span>
<span class="gd">- rfbAuthNewClient(cl);</span>
<span class="gi">+ if (cl->readOnly) rfbAuthNewReadOnlyClient(cl);</span>
<span class="gi">+ else rfbAuthNewClient(cl);</span>
}
<span class="gu">@@ -364,11 +387,12 @@</span>
rfbClientPtr cl;
{
rfbClientInitMsg ci;
<span class="gd">- char buf[256];</span>
<span class="gd">- rfbServerInitMsg *si = (rfbServerInitMsg *)buf;</span>
<span class="gi">+ char *buf;</span>
<span class="gi">+ rfbServerInitMsg *si;</span>
struct passwd *user;
int len, n;
rfbClientPtr otherCl, nextCl;
<span class="gi">+ char *format, *msg;</span>
if ((n = ReadExact(cl->sock, (char *)&ci,sz_rfbClientInitMsg)) <= 0) {
if (n == 0)
<span class="gu">@@ -379,34 +403,62 @@</span>
return;
}
<span class="gd">- si->framebufferWidth = Swap16IfLE(rfbScreen.width);</span>
<span class="gd">- si->framebufferHeight = Swap16IfLE(rfbScreen.height);</span>
<span class="gd">- si->format = rfbServerFormat;</span>
<span class="gd">- si->format.redMax = Swap16IfLE(si->format.redMax);</span>
<span class="gd">- si->format.greenMax = Swap16IfLE(si->format.greenMax);</span>
<span class="gd">- si->format.blueMax = Swap16IfLE(si->format.blueMax);</span>
<span class="gd">-</span>
user = getpwuid(getuid());
if (strlen(desktopName) > 128) /* sanity check on desktop name len */
desktopName[128] = 0;
<span class="gi">+ #define FORMAT1 "%s's %s desktop (%s:%s) %s"</span>
<span class="gi">+ #define FORMAT2 "%s desktop (%s:%s) %s"</span>
<span class="gi">+ </span>
<span class="gi">+ if (!cl->readOnly && readOnlyMsg != NULL && readOnlyListenSock >= 0)</span>
<span class="gi">+ {</span>
<span class="gi">+ msg = readOnlyMsg;</span>
<span class="gi">+ }</span>
<span class="gi">+ else msg = "";</span>
<span class="gi">+</span>
<span class="gi">+ if (user) format = FORMAT1;</span>
<span class="gi">+ else format = FORMAT2;</span>
<span class="gi">+</span>
<span class="gi">+ len = sz_rfbServerInitMsg + strlen(format) +</span>
<span class="gi">+ strlen(user->pw_name) + strlen(desktopName) +</span>
<span class="gi">+ strlen(rfbThisHost) + strlen(display) +</span>
<span class="gi">+ strlen(msg);</span>
<span class="gi">+</span>
<span class="gi">+ buf = (char *)malloc(len + 100); /* mmmm paranoid */</span>
<span class="gi">+</span>
if (user) {
<span class="gd">- sprintf(buf + sz_rfbServerInitMsg, "%s's %s desktop (%s:%s)",</span>
<span class="gd">- user->pw_name, desktopName, rfbThisHost, display);</span>
<span class="gi">+ sprintf(buf + sz_rfbServerInitMsg, FORMAT1,</span>
<span class="gi">+ user->pw_name, desktopName, rfbThisHost, display, msg);</span>
} else {
<span class="gd">- sprintf(buf + sz_rfbServerInitMsg, "%s desktop (%s:%s)",</span>
<span class="gd">- desktopName, rfbThisHost, display);</span>
<span class="gi">+ sprintf(buf + sz_rfbServerInitMsg, FORMAT2,</span>
<span class="gi">+ desktopName, rfbThisHost, display, msg);</span>
}
<span class="gi">+ </span>
<span class="gi">+ si = (rfbServerInitMsg *)buf;</span>
<span class="gi">+ </span>
len = strlen(buf + sz_rfbServerInitMsg);
si->nameLength = Swap32IfLE(len);
<span class="gi">+ si->framebufferWidth = Swap16IfLE(rfbScreen.width);</span>
<span class="gi">+ si->framebufferHeight = Swap16IfLE(rfbScreen.height);</span>
<span class="gi">+ si->format = rfbServerFormat;</span>
<span class="gi">+ si->format.redMax = Swap16IfLE(si->format.redMax);</span>
<span class="gi">+ si->format.greenMax = Swap16IfLE(si->format.greenMax);</span>
<span class="gi">+ si->format.blueMax = Swap16IfLE(si->format.blueMax);</span>
<span class="gi">+</span>
<span class="gi">+</span>
if (WriteExact(cl->sock, buf, sz_rfbServerInitMsg + len) < 0) {
rfbLogPerror("rfbProcessClientInitMessage: write");
rfbCloseSock(cl->sock);
<span class="gi">+ free(buf);</span>
return;
}
<span class="gi">+ free(buf);</span>
<span class="gi">+ buf = NULL;</span>
<span class="gi">+ si = NULL;</span>
<span class="gi">+ </span>
cl->state = RFB_NORMAL;
if (!cl->reverseConnection &&
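Review bot: `strlen(user->pw_name)` in the `len` computation runs unconditionally, yet `user` comes from `getpwuid()` and the code right below handles `user == NULL` with FORMAT2, so a failed lookup now crashes before it can reach that branch; compute the name length as `user ? strlen(user->pw_name) : 0`. The `malloc(len + 100)` result is also never checked before `sprintf` writes through it, and the `#define FORMAT1`/`FORMAT2` inside the function body belong at file scope next to the other message formats.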
<span class="gu">@@ -650,6 +702,7 @@</span>
if (!isKeyboardEnabled(cl))
return;
#endif
<span class="gi">+ if (!cl->readOnly)</span>
KbdAddEvent(msg.ke.down, (KeySym)Swap32IfLE(msg.ke.key), cl);
return;
<span class="gu">@@ -681,6 +734,7 @@</span>
else
pointerClient = cl;
<span class="gi">+ if (!cl->readOnly)</span>
PtrAddEvent(msg.pe.buttonMask,
Swap16IfLE(msg.pe.x), Swap16IfLE(msg.pe.y), cl);
return;
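Review bot: the new `if (!cl->readOnly)` guard sits after `pointerClient = cl;`, so a read-only client that sends a pointer event with a non-zero button mask is still recorded as `pointerClient` even though its event is dropped, which lets a viewer that is supposed to be inert change the server's pointer-ownership state. Return early for read-only clients at the top of the case, before `pointerClient` is touched.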
<span class="gu">@@ -708,6 +762,7 @@</span>
return;
}
<span class="gi">+ if (!cl->readOnly)</span>
rfbSetXCutText(str, msg.cct.length);
xfree(str);
<span class="gh">diff -urNb vnc-3.3.7/Xvnc/programs/Xserver/hw/vnc/sockets.c vnc-3.3.7.readonly/Xvnc/programs/Xserver/hw/vnc/sockets.c</span>
<span class="gd">--- vnc-3.3.7/Xvnc/programs/Xserver/hw/vnc/sockets.c 2007-06-09 22:27:05.000000000 +0200</span>
<span class="gi">+++ vnc-3.3.7.readonly/Xvnc/programs/Xserver/hw/vnc/sockets.c 2007-06-11 19:22:04.000000000 +0200</span>
<span class="gu">@@ -61,6 +61,9 @@</span>
int rfbListenSock = -1;
Bool rfbLocalhostOnly = FALSE;
<span class="gi">+int readOnlyPort = 0;</span>
<span class="gi">+int readOnlyListenSock = -1;</span>
<span class="gi">+</span>
static fd_set allFds;
static int maxFd = 0;
<span class="gu">@@ -117,6 +120,17 @@</span>
FD_ZERO(&allFds);
FD_SET(rfbListenSock, &allFds);
maxFd = rfbListenSock;
<span class="gi">+ </span>
<span class="gi">+ if (readOnlyPort != 0) {</span>
<span class="gi">+ rfbLog("rfbInitSockets: listening for readonly connections on %d\n",readOnlyPort);</span>
<span class="gi">+ if ((readOnlyListenSock = ListenOnTCPPort(readOnlyPort)) < 0) {</span>
<span class="gi">+ rfbLogPerror("ListenOnTCPPort(read-only)");</span>
<span class="gi">+ exit(1);</span>
<span class="gi">+ }</span>
<span class="gi">+ AddEnabledDevice(readOnlyListenSock);</span>
<span class="gi">+ FD_SET(readOnlyListenSock, &allFds);</span>
<span class="gi">+ maxFd = max(readOnlyListenSock,maxFd);</span>
<span class="gi">+ }</span>
}
<span class="gu">@@ -143,7 +157,6 @@</span>
rfbNewClientConnection(inetdSock);
inetdInitDone = TRUE;
}
<span class="gd">-</span>
memcpy((char *)&fds, (char *)&allFds, sizeof(fd_set));
tv.tv_sec = 0;
tv.tv_usec = 0;
<span class="gu">@@ -155,21 +168,17 @@</span>
rfbLogPerror("rfbCheckFds: select");
return;
}
<span class="gd">-</span>
if (rfbListenSock != -1 && FD_ISSET(rfbListenSock, &fds)) {
<span class="gd">-</span>
if ((sock = accept(rfbListenSock,
(struct sockaddr *)&addr, &addrlen)) < 0) {
rfbLogPerror("rfbCheckFds: accept");
return;
}
<span class="gd">-</span>
if (fcntl(sock, F_SETFL, O_NONBLOCK) < 0) {
rfbLogPerror("rfbCheckFds: fcntl");
close(sock);
return;
}
<span class="gd">-</span>
if (setsockopt(sock, IPPROTO_TCP, TCP_NODELAY,
(char *)&one, sizeof(one)) < 0) {
rfbLogPerror("rfbCheckFds: setsockopt");
<span class="gu">@@ -191,6 +200,41 @@</span>
return;
}
<span class="gi">+ if ((readOnlyListenSock != -1) && FD_ISSET(readOnlyListenSock, &fds)) {</span>
<span class="gi">+ if ((sock = accept(readOnlyListenSock,</span>
<span class="gi">+ (struct sockaddr *)&addr, &addrlen)) < 0) {</span>
<span class="gi">+ rfbLogPerror("rfbCheckFds: accept");</span>
<span class="gi">+ return;</span>
<span class="gi">+ }</span>
<span class="gi">+ </span>
<span class="gi">+ if (fcntl(sock, F_SETFL, O_NONBLOCK) < 0) {</span>
<span class="gi">+ rfbLogPerror("rfbCheckFds: fcntl");</span>
<span class="gi">+ close(sock);</span>
<span class="gi">+ return;</span>
<span class="gi">+ }</span>
<span class="gi">+ </span>
<span class="gi">+ if (setsockopt(sock, IPPROTO_TCP, TCP_NODELAY,</span>
<span class="gi">+ (char *)&one, sizeof(one)) < 0) {</span>
<span class="gi">+ rfbLogPerror("rfbCheckFds: setsockopt");</span>
<span class="gi">+ close(sock);</span>
<span class="gi">+ return;</span>
<span class="gi">+ }</span>
<span class="gi">+ </span>
<span class="gi">+ fprintf(stderr,"\n");</span>
<span class="gi">+ rfbLog("Got read-only connection from client %s\n",</span>
<span class="gi">+ inet_ntoa(addr.sin_addr));</span>
<span class="gi">+</span>
<span class="gi">+ AddEnabledDevice(sock);</span>
<span class="gi">+ FD_SET(sock, &allFds);</span>
<span class="gi">+ maxFd = max(sock,maxFd);</span>
<span class="gi">+ </span>
<span class="gi">+ rfbNewReadOnlyClientConnection(sock);</span>
<span class="gi">+ </span>
<span class="gi">+ FD_CLR(rfbListenSock, &fds);</span>
<span class="gi">+ if (--nfds == 0)</span>
<span class="gi">+ return;</span>
<span class="gi">+ }</span>
<span class="gi">+ </span>
for (sock = 0; sock <= maxFd; sock++) {
if (FD_ISSET(sock, &fds) && FD_ISSET(sock, &allFds)) {
rfbProcessClientMessage(sock);
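Review bot: `FD_CLR(rfbListenSock, &fds);` at the end of the new block is a copy-paste slip and should be `FD_CLR(readOnlyListenSock, &fds);`, the socket that was just accepted on. As written the read-only listening socket stays set in both `fds` and `allFds`, so the `for (sock = 0; sock <= maxFd; sock++)` loop below calls `rfbProcessClientMessage()` on a listening socket, while the main listener's bit is cleared (possibly a second time) and `nfds` is decremented for a descriptor this block did not consume. The block is otherwise a verbatim copy of the main accept path; a helper taking the listen socket and a read-only flag would have avoided the slip.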
</pre></div>
</figcaption></figure>Ubuntu pbuilder java2007-07-12T00:00:00+02:002009-01-19T17:25:08+01:00henriktag:community.riocities.com,2007-07-12:/Ubuntu_pbuilder_java.html<h1 id="using-ubuntu-debian-pbuilder-with-sun-java">Using Ubuntu (& Debian) pbuilder with Sun Java<a class="headerlink" href="#using-ubuntu-debian-pbuilder-with-sun-java" title="Permanent link">¶</a></h1>
<p>If your package needs a version of Java from Sun to build, you will run into problems building it with pbuilder: the license question is never shown, and hence it cannot be answered.</p>
<p>Examples of Build-Depends that fail without this small patch:</p>
<div class="codehilite"><pre><span></span>Build-Depends: debhelper (>= 4.0.0), j2sdk1.4 | java2-compiler
Build-Depends: debhelper (>= 4.0.0), sun-java6-jdk | java2-compiler
</pre></div>
<p>The patches attached below (against pbuilder 0.161ubuntu2 and 0.181) pre-seed the license answer with debconf-set-selections so that pbuilder can install these packages.</p>
<p>Note that you also have to list multiverse as a component in pbuilderrc, e.g.</p>
<div class="codehilite"><pre><span></span>COMPONENTS="main universe restricted multiverse"
</pre></div>
<p>or, for Debian, contrib and non-free as well:</p>
<div class="codehilite"><pre><span></span>COMPONENTS="main contrib non-free"
</pre></div>
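<p>As an added example (not part of the pbuilder patches on this page), the following shell function derives the debconf pre-seed lines from a Build-Depends string. It goes a little beyond the 0.181 patch: every comma-separated entry and every <code>|</code> alternative is handled rather than only the first egrep match, version constraints are stripped, and the package name is passed to <code>printf</code> as an argument instead of being spliced into the format string. Function names and the sample Build-Depends line are the editor's own.</p>

```sh
# Added example, not from the pbuilder patches on this page.
# Function names and the sample Build-Depends string are the editor's own.

# Print the two debconf answers the j2re1.4/j2sdk1.4 packages ask for.
j2_preseed_lines() {   # $1 = j2re1.4 or j2sdk1.4
    printf '%s %s/stopthread boolean false\n' "$1" "$1"
    printf '%s %s/license boolean true\n' "$1" "$1"
}

# Read a Build-Depends string on $1 and print one debconf-set-selections
# line per Sun Java package found in it. Version constraints such as
# "(>= 4.0.0)" are removed first; "," and "|" both separate entries.
java_preseed_lines() {
    printf '%s\n' "$1" | sed 's/([^)]*)//g' | tr ',|' '\n\n' |
    while read -r pkg; do                 # read trims the surrounding blanks
        case "$pkg" in
            sun-java5-jre|sun-java5-jdk|sun-java5-bin|sun-java6-jre|sun-java6-jdk|sun-java6-bin)
                # the license question is shared between these packages
                printf '%s shared/accepted-sun-dlj-v1-1 boolean true\n' "$pkg" ;;
            j2re1.4)
                j2_preseed_lines j2re1.4 ;;
            j2sdk1.4)
                # the SDK pulls in the JRE, so both sets of answers are needed
                j2_preseed_lines j2sdk1.4
                j2_preseed_lines j2re1.4 ;;
        esac
    done
}

# Inside pbuilder these lines would be piped into
#   $CHROOTEXEC debconf-set-selections -
# before the build dependencies are installed; here they are only printed.
SAMPLE_BUILD_DEPENDS='debhelper (>= 4.0.0), sun-java6-jdk | java2-compiler'   # constructed
java_preseed_lines "$SAMPLE_BUILD_DEPENDS"
```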
<p>Patches:</p>
<h2 id="_1"><a class="headerlink" href="#_1" title="Permanent link">¶</a></h2>
<figure class='code'>
<figcaption><span>[Patch for pbuilder 0.181] pbuilder-0.181.javafix.patch</span> <a href='/code/files/pbuilder-0.181.javafix.patch'>download</a>
<div class="codehilite"><pre><span></span><span class="gd">--- pbuilder-0.181/pbuilder-satisfydepends-aptitude 2007-11-24 14:35:27.000000000 +0100</span>
<span class="gi">+++ pbuilder-0.181.javafix/pbuilder-satisfydepends-aptitude 2009-01-19 16:32:36.000000000 +0100</span>
<span class="gu">@@ -85,6 +85,12 @@</span>
$CHROOTEXEC sh -c "cat \"$BUILD_DEP_DEB_CONTROL\""
$CHROOTEXEC sh -c "dpkg-deb -b \"$BUILD_DEP_DEB_DIR/pbuilder-satisfydepends-dummy\""
$CHROOTEXEC apt-get -y --force-yes install aptitude
<span class="gi">+ JAVA_FIX=$(echo $DEPENDS | xargs -n1 | tr -d , | egrep "sun-java6-jre|sun-java6-jdk|sun-java6-bin|sun-java5-jre|sun-java5-jdk|sun-java5-bin" | head -n1)</span>
<span class="gi">+ if [ -n "$JAVA_FIX" ]; then</span>
<span class="gi">+ echo "---- $JAVA_FIX license question fix ----" </span>
<span class="gi">+ $CHROOTEXEC apt-get -y install debconf</span>
<span class="gi">+ printf "$JAVA_FIX shared/accepted-sun-dlj-v1-1 boolean true\n" | $CHROOTEXEC debconf-set-selections -</span>
<span class="gi">+ fi</span>
$CHROOTEXEC dpkg -i "$BUILD_DEP_DEB_DIR/pbuilder-satisfydepends-dummy.deb" || true
$CHROOTEXEC aptitude -y --without-recommends -o APT::Install-Recommends=false -o Aptitude::CmdLine::Ignore-Trust-Violations=true -o Aptitude::ProblemResolver::StepScore=100 install pbuilder-satisfydepends-dummy
# check whether the aptitude's resolver kept the package
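Review bot: `echo $DEPENDS` is unquoted, so any glob character in the dependency list is expanded against the current directory before `xargs` sees it, and `printf "$JAVA_FIX shared/..."` uses the package name as the printf format string; both are harmless for the names the `egrep` lets through today, but `printf '%s\n' "$DEPENDS"` and `printf '%s shared/accepted-sun-dlj-v1-1 boolean true\n' "$JAVA_FIX"` cost nothing. The `head -n1` also deserves a comment saying that one owner is enough because the question is `shared/`, otherwise the next reader will wonder why only the first Sun package is seeded.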
</pre></div>
</figure>
<h2 id="_2"><a class="headerlink" href="#_2" title="Permanent link">¶</a></h2>
<figure class='code'>
<figcaption><span>[Patch for pbuilder 0.161ubuntu2] pbuilder-0.161ubuntu2.javafix.patch</span> <a href='/code/files/pbuilder-0.161ubuntu2.javafix.patch'>download</a>
<div class="codehilite"><pre><span></span><span class="gh">diff -u pbuilder-0.161ubuntu2/pbuilder-satisfydepends pbuilder-0.161ubuntu2.javafix/pbuilder-satisfydepends</span>
<span class="gd">--- pbuilder-0.161ubuntu2/pbuilder-satisfydepends 2006-11-22 03:57:38.000000000 +0100</span>
<span class="gi">+++ pbuilder-0.161ubuntu2.javafix/pbuilder-satisfydepends 2007-07-12 15:20:02.000000000 +0200</span>
<span class="gu">@@ -126,6 +126,30 @@</span>
fi
fi
echo " -> Trying ${CURRENTREALPKGNAME}"
<span class="gi">+ </span>
<span class="gi">+ # Java license question fixes</span>
<span class="gi">+ if [ $CURRENTREALPKGNAME == "j2re1.4" ];then</span>
<span class="gi">+ echo "---- j2re1.4 debconf license question fix ----"</span>
<span class="gi">+ $CHROOTEXEC apt-get -y install debconf</span>
<span class="gi">+ printf "j2re1.4 j2re1.4/stopthread boolean false\nj2re1.4 j2re1.4/license boolean true\n" | $CHROOTEXEC debconf-set-selections -</span>
<span class="gi">+ fi</span>
<span class="gi">+ if [ $CURRENTREALPKGNAME == "j2sdk1.4" ];then</span>
<span class="gi">+ echo "---- j2sdk1.4 debconf license question fix ----"</span>
<span class="gi">+ $CHROOTEXEC apt-get -y install debconf</span>
<span class="gi">+ printf "j2sdk1.4 j2sdk1.4/stopthread boolean false\nj2sdk1.4 j2sdk1.4/license boolean true\n" | $CHROOTEXEC debconf-set-selections -</span>
<span class="gi">+</span>
<span class="gi">+ # For sdk we need both fixes</span>
<span class="gi">+ echo "---- j2re1.4 debconf license question fix (part of j2sdk1.4 fix)----"</span>
<span class="gi">+ printf "j2re1.4 j2re1.4/stopthread boolean false\nj2re1.4 j2re1.4/license boolean true\n" | $CHROOTEXEC debconf-set-selections -</span>
<span class="gi">+ fi</span>
<span class="gi">+ </span>
<span class="gi">+ case "$CURRENTREALPKGNAME" in</span>
<span class="gi">+ sun-java6-jre|sun-java6-jdk|sun-java6-bin|sun-java5-jre|sun-java5-jdk|sun-java5-bin)</span>
<span class="gi">+ echo "---- $CURRENTREALPKGNAME debconf license question fix ----"</span>
<span class="gi">+ $CHROOTEXEC apt-get -y install debconf</span>
<span class="gi">+ printf "$CURRENTREALPKGNAME shared/accepted-sun-dlj-v1-1 boolean true\n" | $CHROOTEXEC debconf-set-selections -</span>
<span class="gi">+ ;;</span>
<span class="gi">+ esac</span>
if $CHROOTEXEC /usr/bin/apt-get -s install ${INSTALLPKGLIST} ${CURRENTREALPKGNAME} >& /dev/null; then
SATISFIED="yes"
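Review bot: `[ $CURRENTREALPKGNAME == "j2re1.4" ]` leaves the variable unquoted and uses `==`, a bash extension to `[`; since the surrounding script already relies on bash, at least quote it: `[ "$CURRENTREALPKGNAME" = "j2re1.4" ]`. The two `if` blocks and the `case` repeat `apt-get -y install debconf` and the `printf ... | debconf-set-selections -` pipeline three times; the j2re1.4 and j2sdk1.4 branches fit naturally as extra arms of the same `case`, with the j2sdk1.4 arm seeding both packages, which would also state the `# For sdk we need both fixes` relationship in one place. As in the 0.181 version, `printf '%s ...' "$CURRENTREALPKGNAME"` is preferable to putting the package name inside the format string.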
</pre></div>
</figure>Openbsd qemu cf net48012006-11-28T00:00:00+01:002014-11-23T09:28:40+01:00henriktag:community.riocities.com,2006-11-28:/Openbsd_qemu_cf_net4801.html<p>Installing OpenBSD on CF under kvm (qemu) on Debian for later net4801 deployment</p>
<p>Prerequisites</p>
<div class="codehilite"><pre><span></span> Fast 1GB CF Card
Debian (or other GNU/Linux distribution)
CF-card reader
</pre></div>
<p>Preparations for installation</p>
<div class="codehilite"><pre><span></span>debian$ wget http://ftp.sunet.se/pub/OpenBSD/5.1/i386/cd51.iso
</pre></div>
<p>Plug the CF card into the CF card reader. If your system auto-mounts the file system on the card, unmount it.</p>
<p>Change the permissions of /dev/sdb (or whatever device name your CF card got when you plugged it in) so that you can access it as a non-root user, e.g. as below. Note that mode 777 lets every local user write to the card; tighten it again when you are done.</p>
<div class="codehilite"><pre><span></span>debian$ sudo chmod 777 /dev/sdb
</pre></div>
<p>Start kvm:</p>
<div class="codehilite"><pre><span></span>debian$ kvm -hda /dev/sdb -cdrom cd51.iso -boot d
</pre></div>
<p>Perform a normal OpenBSD install with the following partition table</p>
<div class="codehilite"><pre><span></span>wd0a 300m /
(wd0b 0 swap)
wd0d 120m /var
wd0e 80m /home
wd0f 500(rest) /usr
</pre></div>
<p>Note: /tmp is skipped here on purpose; it is set up as an mfs file system later.</p>
<p>IP-network settings: use dhcp for now (Note: change this later when you do system configuration after reboot)</p>
<p>Installation options</p>
<div class="codehilite"><pre><span></span> http installation
Server: ftp.sunet.se
</pre></div>
<p>I used the following sets</p>
<div class="codehilite"><pre><span></span> [X] bsd
[X] bsd.rd
[ ] bsd.mp
[X] base51.tgz
[X] etc51.tgz
[ ] comp51.tgz
[X] man51.tgz
[ ] game51.tgz
[ ] xbase51.tgz
[ ] xetc51.tgz
[ ] xshare51.tgz
[ ] xfont51.tgz
[ ] xserv51.tgz
</pre></div>
<p>After installation (do not reboot before this)</p>
<p>Edit /mnt/etc/fstab and change /tmp and /var/run to mfs</p>
<div class="codehilite"><pre><span></span>openbsd# echo "swap /tmp mfs rw,nodev,nosuid,-s=19456 0 0" >> /mnt/etc/fstab
openbsd# echo "swap /var/run mfs rw,nodev,nosuid,-s=19456 0 0" >> /mnt/etc/fstab
</pre></div>
<p>Apply the following change to /mnt/etc/rc (the line marked with <code>+</code> is the addition):</p>
<div class="codehilite"><pre><span></span> umount -a >/dev/null 2>&1
mount -a -t nonfs,vnd
+chmod 1777 /tmp
mount -uw / # root on nfs requires this, others aren't hurt
rm -f /fastboot # XXX (root now writeable)
</pre></div>
<p>If you use ed:</p>
<div class="codehilite"><pre><span></span>openbsd# ed /mnt/etc/rc
/mount -a -t nonfs/
a
chmod 1777 /tmp
ctrl-d
w
q
</pre></div>
<p>A word of warning: starting with OpenBSD 5.6, /etc/rc is no longer a config file, so this change has to be redone after unpacking baseNN.tgz during an upgrade.</p>
<p>Example of what should be done when you later upgrade:</p>
<div class="codehilite"><pre><span></span># cp /bin/ed /bin/oed
# tar -C / -xzphf base56.tgz
# /bin/oed /etc/rc
/mount -a -t nonfs/
a
chmod 1777 /tmp
ctrl-d
w
q
</pre></div>
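<p>An added example, not from the original page: since the /tmp fix has to be re-applied after every base set upgrade, the function below does it idempotently, so running it twice (or on an rc that already carries the line) does not add a second <code>chmod</code>. Function names and the sample rc excerpt are the editor's own.</p>

```sh
# Added example, not from the original page. Function names are the
# editor's own; the sample rc excerpt is constructed from the lines above.

# Insert "chmod 1777 /tmp" after the "mount -a -t nonfs,vnd" line of the
# rc file $1, copying that line's indentation. Returns 0 when the file was
# changed, 1 when the chmod line is already present, 2 when the anchor line
# is missing (the rc layout changed; inspect by hand), 3 on a tempfile error.
patch_rc_tmp() {
    rcfile=$1
    grep -q '^[[:space:]]*chmod 1777 /tmp[[:space:]]*$' "$rcfile" && return 1
    grep -q '^[[:space:]]*mount -a -t nonfs,vnd' "$rcfile" || return 2
    tmp=$(mktemp) || return 3
    awk '{
            print
            if ($0 ~ /^[[:space:]]*mount -a -t nonfs,vnd/) {
                match($0, /^[[:space:]]*/)
                print substr($0, 1, RLENGTH) "chmod 1777 /tmp"
            }
        }' "$rcfile" > "$tmp" && cat "$tmp" > "$rcfile"   # cat keeps rc's mode and owner
    status=$?
    rm -f "$tmp"
    return "$status"
}

# Constructed excerpt of the rc section shown above (not a complete /etc/rc).
write_sample_rc() {   # $1 = path to write
    cat > "$1" <<'EOF'
umount -a >/dev/null 2>&1
mount -a -t nonfs,vnd
mount -uw /    # root on nfs requires this, others aren't hurt
rm -f /fastboot    # XXX (root now writeable)
EOF
}

sample=$(mktemp)
write_sample_rc "$sample"
patch_rc_tmp "$sample" && echo "patched:" && cat "$sample"
patch_rc_tmp "$sample" || echo "second run: nothing to do (status $?)"
rm -f "$sample"
```

On a real upgrade, call <code>patch_rc_tmp /etc/rc</code> right after <code>tar -C / -xzphf baseNN.tgz</code> and check the return value before rebooting.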
<p>Fix the domain name (will be my.domain by default)</p>
<div class="codehilite"><pre><span></span>openbsd# echo "<hostname>.<domain>" > /mnt/etc/myname # (e.g. calvin.example.com)
</pre></div>
<p>Now it's time to halt and restart the system</p>
<div class="codehilite"><pre><span></span>openbsd# halt
</pre></div>
<p>Exit qemu (close the window) and restart qemu</p>
<div class="codehilite"><pre><span></span>debian$ kvm -hda /dev/sdb
</pre></div>
<p>System configuration after reboot</p>
<p>When the system is up after the first reboot we can use vi instead of ed to perform some more configurations.</p>
<p>Enable soft updates and disable atime by editing /etc/fstab (we will reboot later)</p>
<div class="codehilite"><pre><span></span><DUID> / ffs rw,softdep,noatime 1 1
<DUID> /home ffs rw,nodev,nosuid,softdep,noatime 1 2
<DUID> /usr ffs rw,nodev,softdep,noatime 1 2
<DUID> /var ffs rw,nodev,nosuid,softdep,noatime 1 2
swap /tmp mfs rw,nodev,nosuid,-s=19456 0 0
swap /var/run mfs rw,nodev,nosuid,-s=19456 0 0
</pre></div>
<p>Fix /etc/hosts (my.domain will be there as well).</p>
<p>Install BASH, WGET, LSOF & NGREP</p>
<div class="codehilite"><pre><span></span>openbsd# pkg_add -v http://ftp.sunet.se/pub/OpenBSD/5.1/packages/i386/bash-4.2.20.tgz
openbsd# pkg_add -v http://ftp.sunet.se/pub/OpenBSD/5.1/packages/i386/wget-1.13.4.tgz
openbsd# pkg_add -v http://ftp.sunet.se/pub/OpenBSD/5.1/packages/i386/lsof-4.83p7.tgz
openbsd# pkg_add -v http://ftp.sunet.se/pub/OpenBSD/5.1/packages/i386/ngrep-1.45p4.tgz
</pre></div>
<p>Verify that bash is in /etc/shells</p>
<div class="codehilite"><pre><span></span>openbsd# grep bash /etc/shells
/usr/local/bin/bash
</pre></div>
<p>Change shell to bash</p>
<div class="codehilite"><pre><span></span>openbsd# chsh -s bash
openbsd# chsh -s bash <user>
</pre></div>
<p>Continue configuring the system (e.g. disable ident, daytime and time for both IPv4 and IPv6 in /etc/inetd.conf)</p>
<p>Before last qemu shutdown (before moving CF to the <strong>net4801</strong> box): </p>
<p>Edit /etc/ttys and fix the tty00 line</p>
<div class="codehilite"><pre><span></span>tty00 "/usr/libexec/getty std.19200" vt220 on secure
</pre></div>
<p>Add the file /etc/boot.conf</p>
<div class="codehilite"><pre><span></span>stty com0 19200
set tty com0
</pre></div>Ubuntu Dapper with dm-crypt2006-09-04T13:21:51+02:002006-09-04T13:21:51+02:00henriktag:community.riocities.com,2006-09-04:/Ubuntu_Dapper_dm-crypt.html<h1 id="installing-ubuntu-with-encrypted-root-and-swap">Installing Ubuntu with encrypted root and swap<a class="headerlink" href="#installing-ubuntu-with-encrypted-root-and-swap" title="Permanent link">¶</a></h1>
<p>Installing Ubuntu Dapper Drake 6.06 LTS with encrypted root and swap (LUKS+LVM2)</p>
<p><strong>Based on</strong>: </p>
<ul>
<li>
<p>http://www.saout.de/tikiwiki/tiki-index.php?page=EncryptedLVM2Root</p>
</li>
<li>
<p>http://www.sicherheitsschwankung.de/node/16</p>
</li>
<li>
<p>http://ner.dy.fi/deb/</p>
</li>
</ul>
<p><strong>Tested with</strong>: Ubuntu Dapper 6.06 LTS</p>
<h2 id="what-will-be-done">What will be done<a class="headerlink" href="#what-will-be-done" title="Permanent link">¶</a></h2>
<p><strong>Partition table of the disk</strong></p>
<table border="1">
<tr>
<th>Partition</th><th>Flags</th><th>Use</th><th>Size</th><th>Encrypted</th>
</tr>
<tr>
<td>/dev/hda1</td><td>(bootable)</td><td>ext3, /boot</td><td>100MB</td><td>-</td>
</tr>
<tr>
<td>/dev/hda2</td><td>-</td><td>swap</td><td>500MB</td><td>(enc)</td>
</tr>
<tr>
<td>/dev/hda3</td><td>-</td><td>LVM2</td><td>rest of disk</td><td>(enc)</td>
</tr>
</table>
<p><strong>LVM Setup</strong></p>
<table border="1">
<tr>
<th>Logical volume</th><th>Filesystem</th><th>Size</th>
</tr>
<tr>
<td>lv_root</td><td>reiserfs</td><td>4000MB</td>
</tr>
<tr>
<td>lv_home</td><td>reiserfs</td><td>rest of disk</td>
</tr>
</table>
<h2 id="instruction">Instruction<a class="headerlink" href="#instruction" title="Permanent link">¶</a></h2>
<ol>
<li>
<p>Boot LiveCD</p>
</li>
<li>
<p>Open Terminal</p>
</li>
<li>
<p>Obtain privileges</p>
<div class="codehilite"><pre><span></span>$ sudo bash
</pre></div>
</li>
<li>
<p>Partition the disk according to the partition table above</p>
</li>
<li>
<p>reboot LiveCD and open a Terminal (<strong>Note</strong>: reboot is sometimes needed in order for the new partitions to show in /dev) </p>
<div class="codehilite"><pre><span></span>$ sudo bash
<span class="c1"># modprobe aes-i586</span>
<span class="c1"># modprobe dm-crypt</span>
</pre></div>
</li>
<li>
<p>Bring up the network</p>
</li>
<li>
<p>add universe repos to <code>/etc/apt/sources.list</code></p>
</li>
<li>
<p>Update and install</p>
<div class="codehilite"><pre><span></span># apt-get update
# apt-get install cryptsetup lvm2
</pre></div>
</li>
<li>
<p>Randomize the partitions </p>
<div class="codehilite"><pre><span></span># dd if=/dev/urandom of=/dev/hda2
# dd if=/dev/urandom of=/dev/hda3
</pre></div>
</li>
<li>
<p>Create filesystem on <code>/dev/hda1</code></p>
<div class="codehilite"><pre><span></span># mkfs.ext3 /dev/hda1
</pre></div>
</li>
<li>
<p>LUKS on <code>/dev/hda3</code></p>
<div class="codehilite"><pre><span></span># cryptsetup luksFormat /dev/hda3
WARNING!
========
This will overwrite data on /dev/hda3 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
# cryptsetup luksOpen /dev/hda3 vg_crypt
Enter LUKS passphrase:
key slot 0 unlocked.
</pre></div>
</li>
<li>
<p>edit <code>/etc/lvm/lvm.conf</code> to support lvm devices on device-mapper:</p>
<div class="codehilite"><pre><span></span>filter = [ "r|/dev/cdrom|", "r|/dev/hda*|" ]
types = [ "device-mapper", 16 ]
</pre></div>
</li>
<li>
<p>Restart LVM</p>
<div class="codehilite"><pre><span></span># /etc/init.d/lvm restart
</pre></div>
</li>
<li>
<p>Setup LVM</p>
<div class="codehilite"><pre><span></span># pvcreate /dev/mapper/vg_crypt
# vgcreate vg_crypt /dev/mapper/vg_crypt
# lvcreate -v -L 4G -n lv_root vg_crypt
# lvcreate -L XG -n lv_home vg_crypt
</pre></div>
</li>
<li>
<p>Create Filesystems on root and home</p>
<div class="codehilite"><pre><span></span># mkfs.reiserfs /dev/mapper/vg_crypt-lv_root
# mkfs.reiserfs /dev/mapper/vg_crypt-lv_home
</pre></div>
</li>
<li>
<p>Disable some checks and actions in partman</p>
<div class="codehilite"><pre><span></span># rm /lib/partman/finish.d/05proper_mountpints
# rm /lib/partman/finish.d/10check_swap
# rm /lib/partman/finish.d/10check_basicfilesystems
# rm /lib/partman/commit.d/50format*
# rm /lib/partman/commit.d/45format_swap
</pre></div>
</li>
<li>
<p>Install the system</p>
<div class="codehilite"><pre><span></span>Double click on "Install" (make selections for your setup)
Use "Manually edit partition table"
Click "Forward"
Click "Forward" (do nothing)
At screen "Prepare mount points", remove all disk mounting configuration (all config selection should be fully empty), click "Forward".
Then do the following before continuing the installation (at "Ready to install")...
# mkdir /target/
# mount /dev/mapper/vg_crypt-lv_root /target
# mkdir /target/boot
# mkdir /target/home
# mount /dev/mapper/vg_crypt-lv_home /target/home
# mount /dev/hda1 /target/boot
...continue installation, by clicking "Install"
When installation is ready click: "Continue using the live CD"
</pre></div>
</li>
<li>
<p>Post installation tasks (re-mount drives under <code>/target</code> again before continuing)</p>
<div class="codehilite"><pre><span></span># cp /etc/lvm/lvm.conf /target/etc/lvm/
# mount --bind /sys /target/sys/
# mount --bind /proc /target/proc/
# mount --bind /dev /target/dev/
# chroot /target
</pre></div>
</li>
</ol>
<p>18.1. check that <code>/etc/hosts</code> and <code>/etc/hostname</code> are correct.</p>
<p>18.2. add universe to <code>/etc/apt/sources.list</code> and update</p>
<div class="codehilite"><pre><span></span> # apt-get update
# apt-get install cryptsetup lvm2 dmsetup module-init-tools initramfs-tools
# wget http://ner.dy.fi/deb/initramfs-cryptsetup_0.43_all.deb
# dpkg -i initramfs-cryptsetup_0.43_all.deb
</pre></div>
<p>18.3. edit <code>/etc/crypttab</code> and add</p>
<div class="codehilite"><pre><span></span> swap /dev/hda2 /dev/urandom swap
</pre></div>
<p>18.4. Run</p>
<div class="codehilite"><pre><span></span> # /etc/init.d/cryptdisks start
</pre></div>
<p>18.5. fix <code>/etc/fstab</code></p>
<div class="codehilite"><pre><span></span> /dev/mapper/vg_crypt-lv_root / reiserfs notail 0 1
/dev/hda1 /boot ext3 defaults 0 2
/dev/mapper/vg_crypt-lv_home /home reiserfs defaults 0 2
/dev/mapper/swap none swap sw 0 0
</pre></div>
<p>18.6. Setup <code>/etc/mkinitramfs/cryptsetup.conf</code> by setting the following variables</p>
<div class="codehilite"><pre><span></span> CRYPTOLVM="/dev/hda3"
CRYPTOVG="vg_crypt"
</pre></div>
<p>18.7. Create an initrd with crypt support</p>
<div class="codehilite"><pre><span></span> # mkinitramfs -o /boot/initrd.img-2.6.15-XX-386-crypt 2.6.15-XX-386 (replace XX with rev e.g. 21)
</pre></div>
<p>18.8. edit <code>/boot/grub/menu.lst</code></p>
<div class="codehilite"><pre><span></span>First add a new entry:
### END DEBIAN AUTOMAGIC KERNELS LIST
title Ubuntu, kernel 2.6.15-XX-386 (cryptodisk)
root (hd0,0)
kernel /vmlinuz-2.6.15-XX-386 root=/dev/mapper/vg_crypt-lv_root ro
initrd /initrd.img-2.6.15-XX-386-crypt
savedefault
boot
Then fix so "update-grub" will do the right thing when upgrading kernels in the future
# kopt=root=/dev/mapper/vg_crypt-lv_root ro
# defoptions=quiet
</pre></div>
<p>18.9. <code>exit</code> (from the chroot)</p>
<ol start="19">
<li>Reboot and choose the new option in grub (and hope)</li>
</ol>
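<p>An added audit script, not from the original page, that checks an fstab/crypttab pair for the properties this layout is meant to guarantee: every filesystem except /boot sits on a device-mapper mapping, every mapping that is not a logical volume of vg_crypt comes from crypttab, and swap is keyed from /dev/urandom with the <code>swap</code> option so that it is re-keyed on each boot. Function names are the editor's own; the sample files are constructed from the values in steps 18.3 and 18.5.</p>

```sh
# Added example, not from the original page. Function names are the editor's
# own; the sample fstab/crypttab are constructed from steps 18.3 and 18.5.

# Print "<device> <mountpoint>" for every fstab entry in $1 whose device is
# a raw partition (not /dev/mapper/...), except the mount point $2 that is
# allowed in the clear (/boot here, since GRUB has to read it).
unencrypted_mounts() {
    awk -v allow="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 !~ /^\/dev\/mapper\// && $2 != allow { print $1, $2 }
    ' "$1"
}

# Print every /dev/mapper/NAME used in fstab $1 that is neither a logical
# volume of the encrypted volume group $3 (NAME starts with "$3-") nor a
# mapping defined in crypttab $2. Empty output means every mapping is backed
# by dm-crypt, directly or through the LUKS-backed physical volume.
unbacked_mappings() {
    awk -v vg="$3" '
        FILENAME == ARGV[1] {                     # first file: crypttab names
            if (!/^[[:space:]]*#/ && NF) seen[$1] = 1
            next
        }
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 ~ /^\/dev\/mapper\// {
            name = substr($1, 13)                 # strip "/dev/mapper/"
            if (index(name, vg "-") != 1 && !(name in seen)) print name
        }
    ' "$2" "$1"
}

# Return 0 when crypttab $1 maps $2 with a throw-away key read from
# /dev/urandom and the "swap" option (the swap area is re-keyed on every
# boot, so nothing paged out survives a reboot); 1 otherwise.
swap_is_random_keyed() {
    awk -v name="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == name && $3 == "/dev/urandom" && ("," $4 ",") ~ /,swap,/ { ok = 1 }
        END { exit (ok ? 0 : 1) }
    ' "$1"
}

# Constructed sample files mirroring this page's configuration.
write_samples() {   # $1 = fstab path, $2 = crypttab path
    cat > "$1" <<'EOF'
/dev/mapper/vg_crypt-lv_root /     reiserfs notail   0 1
/dev/hda1                    /boot ext3     defaults 0 2
/dev/mapper/vg_crypt-lv_home /home reiserfs defaults 0 2
/dev/mapper/swap             none  swap     sw       0 0
EOF
    cat > "$2" <<'EOF'
swap /dev/hda2 /dev/urandom swap
EOF
}

# Run the three checks and report; returns non-zero if anything is off.
audit_crypt_layout() {   # $1 = fstab, $2 = crypttab, $3 = volume group
    status=0
    clear_fs=$(unencrypted_mounts "$1" /boot)
    if [ -n "$clear_fs" ]; then
        printf 'unencrypted filesystems:\n%s\n' "$clear_fs"; status=1
    fi
    unbacked=$(unbacked_mappings "$1" "$2" "$3")
    if [ -n "$unbacked" ]; then
        printf 'mappings without crypttab/LVM backing:\n%s\n' "$unbacked"; status=1
    fi
    if ! swap_is_random_keyed "$2" swap; then
        printf 'swap is not random-keyed\n'; status=1
    fi
    return "$status"
}

fstab=$(mktemp) && crypttab=$(mktemp)
write_samples "$fstab" "$crypttab"
audit_crypt_layout "$fstab" "$crypttab" vg_crypt && echo "layout OK"
rm -f "$fstab" "$crypttab"
```

Against the installed system, run <code>audit_crypt_layout /etc/fstab /etc/crypttab vg_crypt</code> from inside the chroot before the first reboot.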
<h2 id="after-reboot">After reboot<a class="headerlink" href="#after-reboot" title="Permanent link">¶</a></h2>
<p>Open a terminal and update</p>
<div class="codehilite"><pre><span></span>$ sudo aptitude update
$ sudo aptitude dist-upgrade
</pre></div>MollieLog62005-10-27T00:00:00+02:002005-10-27T00:00:00+02:00bengttag:community.riocities.com,2005-10-27:/MollieLog6.html<p>Howto for postfix, mailscanner, cyrus installation on Sarge</p>
<figure class='code'>
<figcaption><span>MollieLog6.txt</span> <a href='/code/files/MollieLog6.txt'>download</a>
<div class="codehilite"><pre><span></span>To DO
=========
FireWall (razor tcp port 2703 and 7)
snort/portsentry
Make Jail of Apache + SquirrelMail + PHP
DShield?

Basic stuff
===========
VIA EPIA Mini-ITX M6000
2* 20GB Hard disk
512 MB Ram

hda1 / 4.8G
hda5 /var 2.8G
hda6 /tmp 0.5G
hda7 /var/spool 11G
hda8 swap 0.5G

Install minimum Debian - Sarge.
Make sure you get a 2.6 kernel with RAID support.

General stuff
================================
apt-get install ntp-simple ntpdate ssh openssl less wget sharutils locales

Time Servers use the pool.ntp.org and asia.pool.ntp.org or europe.pool.ntp.org
(Check http://www.pool.ntp.org)

dpkg-reconfigure locales
Languages
en_US ISO-8859-1
en_US.UTF-8
sv_SE ISO-8859-1
sv_SE.UTF-8
zh_CN GB2312
zh_CN.UTF-8
zh_TW BIG5
zh_TW.UTF-8

inetd
=====
more /etc/inetd.conf
for each service that are enabled
update-inetd --disable <service>
( update-inetd --disable discard daytime time )
<span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">init</span><span class="p">.</span><span class="n">d</span><span class="o">/</span><span class="n">inetd</span> <span class="n">stop</span>
<span class="n">vi</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">init</span><span class="p">.</span><span class="n">d</span><span class="o">/</span><span class="n">inetd</span>
<span class="n">Add</span> <span class="n">the</span> <span class="n">following</span> <span class="n">after</span> <span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">sh</span>
<span class="cp"># Do not use inetd</span>
<span class="n">exit</span> <span class="mi">0</span>
<span class="n">nsswitch</span><span class="p">.</span><span class="n">conf</span>
<span class="o">=============</span>
<span class="nl">passwd</span><span class="p">:</span> <span class="n">files</span> <span class="n">compat</span>
<span class="nl">group</span><span class="p">:</span> <span class="n">files</span> <span class="n">compat</span>
<span class="nl">shadow</span><span class="p">:</span> <span class="n">files</span> <span class="n">compat</span>
<span class="n">CYRUS</span>
<span class="o">================================</span>
<span class="n">apt</span><span class="o">-</span><span class="n">get</span> <span class="n">install</span> <span class="n">cyrus21</span><span class="o">-</span><span class="n">imapd</span> <span class="n">cyrus21</span><span class="o">-</span><span class="n">admin</span> <span class="n">cyrus21</span><span class="o">-</span><span class="n">pop3d</span>
<span class="n">apt</span><span class="o">-</span><span class="n">get</span> <span class="n">install</span> <span class="n">libdb3</span><span class="o">-</span><span class="n">util</span> <span class="n">sasl2</span><span class="o">-</span><span class="n">bin</span>
<span class="o">-></span> <span class="p">.</span><span class="n">thuree</span><span class="p">.</span><span class="n">com</span>
<span class="n">vi</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">cyrus</span><span class="p">.</span><span class="n">conf</span>
<span class="n">select</span> <span class="n">imaps</span><span class="p">,</span> <span class="n">pop3s</span><span class="p">,</span> <span class="n">and</span> <span class="n">imap</span> <span class="p">(</span><span class="k">for</span> <span class="n">squirrelmail</span><span class="p">,</span> <span class="k">using</span> <span class="n">https</span><span class="p">)</span>
<span class="nl">Event</span><span class="p">:</span>
<span class="o">------</span>
<span class="cp"># Creating SQUAT index to speed up searches. Every 76 minute.</span>
<span class="n">squat</span> <span class="n">cmd</span><span class="o">=</span><span class="s">"/usr/sbin/squatter -r user"</span> <span class="n">period</span><span class="o">=</span><span class="mi">76</span>
<span class="n">vi</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">imapd</span><span class="p">.</span><span class="n">conf</span>
<span class="nl">admins</span><span class="p">:</span> <span class="n">root</span>
<span class="nl">sasl_pwcheck_method</span><span class="p">:</span> <span class="n">saslauthd</span>
<span class="nl">sasl_mech_list</span><span class="p">:</span> <span class="n">PLAIN</span> <span class="n">LOGIN</span>
<span class="n">vi</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="k">default</span><span class="o">/</span><span class="n">saslauthd</span>
<span class="n">START</span><span class="o">=</span><span class="n">yes</span>
<span class="n">MECHANISMS</span><span class="o">=</span><span class="s">"shadow"</span>
<span class="n">Testing</span> <span class="n">Cyrus</span> <span class="n">Imap</span>
<span class="o">------------------</span>
<span class="nl">mollie</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="err">#</span> <span class="n">telnet</span> <span class="mf">127.0.0.1</span> <span class="n">imap</span>
<span class="n">Trying</span> <span class="mf">127.0.0.1</span><span class="p">...</span>
<span class="n">Connected</span> <span class="n">to</span> <span class="mf">127.0.0.1</span><span class="p">.</span>
<span class="n">Escape</span> <span class="n">character</span> <span class="n">is</span> <span class="err">'</span><span class="o">^</span><span class="p">]</span><span class="err">'</span><span class="p">.</span>
<span class="o">*</span> <span class="n">OK</span> <span class="n">mollie</span> <span class="n">Cyrus</span> <span class="n">IMAP4</span> <span class="n">v2</span><span class="mf">.1.14</span><span class="o">-</span><span class="n">IPv6</span><span class="o">-</span><span class="n">Debian</span><span class="o">-</span><span class="mf">2.1.14</span><span class="o">-</span><span class="mi">1</span> <span class="n">server</span> <span class="n">ready</span>
<span class="n">Fix</span> <span class="n">mailboxes</span>
<span class="o">-------------</span>
<span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">init</span><span class="p">.</span><span class="n">d</span><span class="o">/</span><span class="n">saslauthd</span> <span class="n">start</span>
<span class="n">cyradm</span> <span class="n">localhost</span>
<span class="n">createmailbox</span> <span class="n">user</span><span class="p">.</span><span class="o"><</span><span class="n">mailbox</span><span class="o">></span>
<span class="n">setacl</span> <span class="n">user</span><span class="p">.</span><span class="o"><</span><span class="n">mailbox</span><span class="o">></span> <span class="n">anyone</span> <span class="n">p</span>
<span class="n">li</span> <span class="o">==></span> <span class="n">Lookup</span> <span class="o">+</span> <span class="n">Insert</span> <span class="p">(</span><span class="n">not</span> <span class="n">read</span><span class="p">)</span>
<span class="n">setacl</span> <span class="n">user</span><span class="p">.</span><span class="n">johan</span><span class="p">.</span><span class="n">INBOX</span> <span class="n">ake</span> <span class="n">li</span>
<span class="n">setacl</span> <span class="n">user</span><span class="p">.</span><span class="n">maria</span><span class="p">.</span><span class="n">INBOX</span> <span class="n">ake</span> <span class="n">li</span>
<span class="n">Postfix</span>
<span class="o">=========================================</span>
<span class="n">good</span> <span class="n">overwiev</span> <span class="nl">http</span><span class="p">:</span><span class="c1">//www.akadia.com/services/postfix_mta.html</span>
<span class="n">apt</span><span class="o">-</span><span class="n">get</span> <span class="n">install</span> <span class="n">postfix</span><span class="o">-</span><span class="n">tls</span> <span class="n">postfix</span><span class="o">-</span><span class="n">pcre</span>
<span class="o">-></span> <span class="n">Internet</span>
<span class="o">-></span> <span class="n">mollie</span><span class="p">.</span><span class="n">thuree</span><span class="p">.</span><span class="n">com</span>
<span class="o">-></span> <span class="n">No</span>
<span class="o">-></span> <span class="n">Erase</span> <span class="n">all</span>
<span class="o">-></span> <span class="n">No</span>
<span class="o">-></span> <span class="n">NONE</span> <span class="p">(</span><span class="k">for</span> <span class="n">mail</span> <span class="n">to</span> <span class="n">root</span><span class="p">)</span>
<span class="n">vi</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">postfix</span><span class="o">/</span><span class="n">main</span><span class="p">.</span><span class="n">cf</span>
<span class="n">mydomain</span> <span class="o">=</span> <span class="n">thuree</span><span class="p">.</span><span class="n">com</span>
<span class="n">myhostname</span> <span class="o">=</span> <span class="n">mollie</span><span class="p">.</span><span class="n">$mydomain</span>
<span class="n">mynetworks</span> <span class="o">=</span> <span class="mf">127.0.0.0</span><span class="o">/</span><span class="mi">8</span><span class="p">,</span> <span class="mf">192.168.10.0</span><span class="o">/</span><span class="mi">24</span>
<span class="cp"># Only trust local computer</span>
<span class="cp">#mynetworks_style = host</span>
<span class="n">mydestination</span> <span class="o">=</span> <span class="n">$mydomain</span><span class="p">,</span> <span class="n">$myhostname</span><span class="p">,</span> <span class="n">localhost</span><span class="p">,</span> <span class="n">localhost</span><span class="p">.</span><span class="n">$mydomain</span><span class="p">,</span> <span class="n">mail</span><span class="p">.</span><span class="n">$mydomain</span><span class="p">,</span> <span class="n">www</span><span class="p">.</span><span class="n">$mydomain</span>
<span class="n">mailbox_transport</span> <span class="o">=</span> <span class="n">cyrus</span>
<span class="n">local_recipient_maps</span> <span class="o">=</span>
<span class="n">delay_warning_time</span> <span class="o">=</span> <span class="mi">4</span><span class="n">h</span>
<span class="cp"># Only report major errors</span>
<span class="n">notify_classes</span> <span class="o">=</span> <span class="n">resource</span><span class="p">,</span> <span class="n">software</span>
<span class="n">Turn</span> <span class="n">on</span> <span class="n">Verbose</span> <span class="n">logging</span>
<span class="n">vi</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">postfix</span><span class="o">/</span><span class="n">master</span><span class="p">.</span><span class="n">cf</span>
<span class="n">change</span> <span class="s">"smtpd"</span> <span class="n">to</span> <span class="s">"smtpd -v"</span>
<span class="n">Column</span> <span class="n">number</span> <span class="err">#</span><span class="mi">5</span> <span class="p">(</span><span class="n">chroot</span><span class="p">)</span> <span class="n">should</span> <span class="n">have</span> <span class="s">"n"</span> <span class="k">for</span> <span class="n">NO</span><span class="p">,</span> <span class="n">and</span> <span class="s">"-"</span> <span class="k">for</span> <span class="n">YES</span>
<span class="n">Start</span> <span class="n">with</span> <span class="n">running</span> <span class="n">postfix</span> <span class="n">in</span> <span class="n">normal</span> <span class="n">mode</span><span class="p">.</span> <span class="o">--></span> <span class="n">n</span>
<span class="cp">#cyrus unix - n n - - pipe</span>
<span class="cp"># flags=R user=cyrus argv=/usr/sbin/cyrdeliver -e -m "${extension}" ${user}</span>
<span class="cp"># Cyrus 2.1.5 (Amos Gouaux)</span>
<span class="n">cyrus</span> <span class="n">unix</span> <span class="o">-</span> <span class="n">n</span> <span class="n">n</span> <span class="o">-</span> <span class="o">-</span> <span class="n">pipe</span>
<span class="n">user</span><span class="o">=</span><span class="n">cyrus</span> <span class="n">argv</span><span class="o">=/</span><span class="n">usr</span><span class="o">/</span><span class="n">sbin</span><span class="o">/</span><span class="n">cyrdeliver</span> <span class="o">-</span><span class="n">e</span> <span class="o">-</span><span class="n">r</span> <span class="err">$</span><span class="p">{</span><span class="n">sender</span><span class="p">}</span> <span class="o">-</span><span class="n">m</span> <span class="err">$</span><span class="p">{</span><span class="n">extension</span><span class="p">}</span> <span class="err">$</span><span class="p">{</span><span class="n">user</span><span class="p">}</span>
<span class="n">Make</span> <span class="n">sure</span> <span class="n">that</span> <span class="n">postfix</span> <span class="n">can</span> <span class="n">talk</span> <span class="n">with</span> <span class="n">saslauthd</span>
<span class="n">adduser</span> <span class="n">postfix</span> <span class="n">sasl</span>
<span class="n">Prepare</span> <span class="n">a</span> <span class="n">test</span> <span class="n">account</span> <span class="n">temporarily</span>
<span class="n">adduser</span> <span class="n">test</span>
<span class="n">start</span> <span class="n">postfix</span>
<span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">init</span><span class="p">.</span><span class="n">d</span><span class="o">/</span><span class="n">postfix</span> <span class="n">stop</span>
<span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">init</span><span class="p">.</span><span class="n">d</span><span class="o">/</span><span class="n">postfix</span> <span class="n">start</span>
<span class="n">Debug</span> <span class="n">in</span> <span class="n">one</span> <span class="n">window</span>
<span class="n">tail</span> <span class="o">-</span><span class="n">f</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">log</span><span class="o">/</span><span class="n">mail</span><span class="p">.</span><span class="n">log</span>
<span class="n">mail</span> <span class="n">test</span>
<span class="n">Verify</span>
<span class="n">less</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">spool</span><span class="o">/</span><span class="n">cyrus</span><span class="o">/</span><span class="n">mail</span><span class="o">/</span><span class="n">t</span><span class="o">/</span><span class="n">user</span><span class="o">/</span><span class="n">test</span><span class="o">/</span><span class="mf">1.</span>
<span class="n">telnet</span> <span class="n">localhost</span> <span class="mi">25</span>
<span class="n">EHLO</span> <span class="n">thuree</span><span class="p">.</span><span class="n">com</span>
<span class="n">quit</span>
<span class="nl">mollie</span><span class="p">:</span><span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">mail</span><span class="err">#</span> <span class="n">telnet</span> <span class="n">localhost</span> <span class="mi">25</span>
<span class="n">Trying</span> <span class="mf">127.0.0.1</span><span class="p">...</span>
<span class="n">Connected</span> <span class="n">to</span> <span class="n">localhost</span><span class="p">.</span>
<span class="n">Escape</span> <span class="n">character</span> <span class="n">is</span> <span class="err">'</span><span class="o">^</span><span class="p">]</span><span class="err">'</span><span class="p">.</span>
<span class="mi">220</span> <span class="n">mollie</span><span class="p">.</span><span class="n">thuree</span><span class="p">.</span><span class="n">com</span> <span class="n">ESMTP</span> <span class="n">Postfix</span> <span class="p">(</span><span class="n">Debian</span><span class="o">/</span><span class="n">GNU</span><span class="p">)</span>
<span class="n">ehlo</span> <span class="n">test</span><span class="p">.</span><span class="n">com</span>
<span class="mi">250</span><span class="o">-</span><span class="n">mollie</span><span class="p">.</span><span class="n">thuree</span><span class="p">.</span><span class="n">com</span>
<span class="mi">250</span><span class="o">-</span><span class="n">PIPELINING</span>
<span class="mi">250</span><span class="o">-</span><span class="n">SIZE</span> <span class="mi">10240000</span>
<span class="mi">250</span><span class="o">-</span><span class="n">ETRN</span>
<span class="mi">250</span> <span class="mi">8</span><span class="n">BITMIME</span>
<span class="n">quit</span>
<span class="mi">221</span> <span class="n">Bye</span>
<span class="n">Connection</span> <span class="n">closed</span> <span class="n">by</span> <span class="n">foreign</span> <span class="n">host</span><span class="p">.</span>
<span class="n">Telnet</span> <span class="n">from</span> <span class="n">a</span> <span class="n">remote</span> <span class="n">host</span>
<span class="n">telnet</span> <span class="o"><</span><span class="n">ip</span><span class="o">></span> <span class="mi">25</span>
<span class="n">ehlo</span> <span class="n">test</span><span class="p">.</span><span class="n">com</span>
<span class="n">quit</span>
<span class="n">bengt</span><span class="err">@</span><span class="nl">dellie</span><span class="p">:</span><span class="o">~</span><span class="err">$</span> <span class="n">telnet</span> <span class="mf">192.168.20.50</span> <span class="mi">25</span>
<span class="n">Trying</span> <span class="mf">192.168.20.50</span><span class="p">...</span>
<span class="n">Connected</span> <span class="n">to</span> <span class="mf">192.168.20.50</span><span class="p">.</span>
<span class="n">Escape</span> <span class="n">character</span> <span class="n">is</span> <span class="err">'</span><span class="o">^</span><span class="p">]</span><span class="err">'</span><span class="p">.</span>
<span class="mi">220</span> <span class="n">mollie</span><span class="p">.</span><span class="n">thuree</span><span class="p">.</span><span class="n">com</span> <span class="n">ESMTP</span> <span class="n">Postfix</span> <span class="p">(</span><span class="n">Debian</span><span class="o">/</span><span class="n">GNU</span><span class="p">)</span>
<span class="n">ehlo</span> <span class="n">test</span><span class="p">.</span><span class="n">com</span>
<span class="mi">250</span><span class="o">-</span><span class="n">mollie</span><span class="p">.</span><span class="n">thuree</span><span class="p">.</span><span class="n">com</span>
<span class="mi">250</span><span class="o">-</span><span class="n">PIPELINING</span>
<span class="mi">250</span><span class="o">-</span><span class="n">SIZE</span> <span class="mi">10240000</span>
<span class="mi">250</span><span class="o">-</span><span class="n">ETRN</span>
<span class="mi">250</span> <span class="mi">8</span><span class="n">BITMIME</span>
<span class="n">mail</span> <span class="nl">from</span><span class="p">:</span><span class="n">bengt</span><span class="err">@</span><span class="n">test</span><span class="p">.</span><span class="n">com</span>
<span class="mi">250</span> <span class="n">Ok</span>
<span class="n">rcpt</span> <span class="nl">to</span><span class="p">:</span><span class="n">test</span><span class="err">@</span><span class="n">thuree</span><span class="p">.</span><span class="n">com</span>
<span class="mi">250</span> <span class="n">Ok</span>
<span class="n">data</span>
<span class="mi">354</span> <span class="n">End</span> <span class="n">data</span> <span class="n">with</span> <span class="o"><</span><span class="n">CR</span><span class="o">><</span><span class="n">LF</span><span class="o">></span><span class="p">.</span><span class="o"><</span><span class="n">CR</span><span class="o">><</span><span class="n">LF</span><span class="o">></span>
<span class="n">Test</span> <span class="n">from</span> <span class="n">remote</span> <span class="n">host</span>
<span class="n">test</span> <span class="err">#</span><span class="mi">2</span>
<span class="p">.</span>
<span class="mi">250</span> <span class="nl">Ok</span><span class="p">:</span> <span class="n">queued</span> <span class="n">as</span> <span class="n">DBB4A4F882</span>
<span class="n">quit</span>
<span class="mi">221</span> <span class="n">Bye</span>
<span class="n">Connection</span> <span class="n">closed</span> <span class="n">by</span> <span class="n">foreign</span> <span class="n">host</span><span class="p">.</span>
<span class="n">bengt</span><span class="err">@</span><span class="nl">dellie</span><span class="p">:</span><span class="o">~</span><span class="err">$</span>
<span class="cp">###### Make sure that you do not use an IP address from your MYNETWORKS range.</span>
<span class="n">Verify</span> <span class="n">to</span> <span class="n">an</span> <span class="n">external</span> <span class="n">address</span>
<span class="n">Same</span> <span class="n">as</span> <span class="n">above</span><span class="p">,</span> <span class="n">but</span> <span class="n">change</span> <span class="n">RCPT</span> <span class="nl">TO</span><span class="p">:</span><span class="o"><</span><span class="n">remote</span><span class="err">@</span><span class="n">user</span><span class="p">.</span><span class="n">com</span><span class="o">></span>
<span class="n">rcpt</span> <span class="nl">to</span><span class="p">:</span><span class="o"><</span><span class="n">remote</span><span class="err">@</span><span class="n">user</span><span class="p">.</span><span class="n">com</span><span class="o">></span>
<span class="mi">554</span> <span class="o"><</span><span class="n">remote</span><span class="err">@</span><span class="n">user</span><span class="p">.</span><span class="n">com</span><span class="o">>:</span> <span class="n">Recipient</span> <span class="n">address</span> <span class="nl">rejected</span><span class="p">:</span> <span class="n">Relay</span> <span class="n">access</span> <span class="n">denied</span>
<span class="n">Add</span> <span class="n">checks</span> <span class="n">to</span> <span class="n">postfix</span>
<span class="o">---------------------</span>
<span class="cp">#---------------------</span>
<span class="n">smtpd_helo_required</span> <span class="o">=</span> <span class="n">yes</span>
<span class="n">disable_vrfy_command</span> <span class="o">=</span> <span class="n">yes</span>
<span class="n">smtpd_recipient_restrictions</span> <span class="o">=</span>
<span class="n">permit_sasl_authenticated</span>
<span class="n">permit_mynetworks</span>
<span class="n">reject_invalid_hostname</span>
<span class="n">reject_non_fqdn_hostname</span>
<span class="n">reject_non_fqdn_sender</span>
<span class="n">reject_non_fqdn_recipient</span>
<span class="n">reject_unknown_sender_domain</span>
<span class="n">reject_unknown_recipient_domain</span>
<span class="n">reject_unauth_destination</span>
<span class="n">check_recipient_access</span> <span class="nl">pcre</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">postfix</span><span class="o">/</span><span class="n">recipient_checks</span><span class="p">.</span><span class="n">pcre</span>
<span class="n">check_helo_access</span> <span class="nl">hash</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">postfix</span><span class="o">/</span><span class="n">helo_checks</span>
<span class="n">check_sender_access</span> <span class="nl">hash</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">postfix</span><span class="o">/</span><span class="n">sender_checks</span>
<span class="n">check_client_access</span> <span class="nl">hash</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">postfix</span><span class="o">/</span><span class="n">client_checks</span>
<span class="n">check_client_access</span> <span class="nl">pcre</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">postfix</span><span class="o">/</span><span class="n">client_checks</span><span class="p">.</span><span class="n">pcre</span>
<span class="n">permit</span>
<span class="n">smtpd_data_restrictions</span> <span class="o">=</span>
<span class="n">reject_unauth_pipelining</span>
<span class="n">permit</span>
<span class="n">client_checks</span><span class="p">.</span><span class="n">db</span> <span class="n">helo_checks</span><span class="p">.</span><span class="n">db</span> <span class="n">relay_certs</span><span class="p">.</span><span class="n">db</span>
<span class="n">sender_checks</span><span class="p">.</span><span class="n">db</span> <span class="n">sender_login_maps</span><span class="p">.</span><span class="n">db</span> <span class="n">tls_per_site</span><span class="p">.</span><span class="n">db</span>
<span class="cp"># Copy the template *checks and *checks.pcre files to /etc/postfix</span>
<span class="n">Convert</span> <span class="n">text</span> <span class="n">files</span> <span class="n">to</span> <span class="n">hash</span> <span class="n">db</span>
<span class="o">-----------------------------</span>
<span class="n">postmap</span> <span class="n">helo_checks</span>
<span class="n">postmap</span> <span class="n">sender_checks</span>
<span class="n">postmap</span> <span class="n">client_checks</span>
<span class="n">Certificates</span>
<span class="o">------------</span>
<span class="nl">http</span><span class="p">:</span><span class="c1">//www.eclectica.ca/howto/ssl-cert-howto.php</span>
<span class="n">cd</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">ssl</span>
<span class="n">Modify</span> <span class="n">openssl</span><span class="p">.</span><span class="n">cfg</span>
<span class="n">dir</span> <span class="o">=</span> <span class="p">.</span><span class="o">/</span> <span class="err">###</span> <span class="n">CA_default</span>
<span class="n">certificate</span> <span class="o">=</span> <span class="n">$dir</span><span class="o">/</span><span class="n">certs</span><span class="o">/</span><span class="n">mollie_cacert</span><span class="p">.</span><span class="n">pem</span>
<span class="n">private_key</span> <span class="o">=</span> <span class="n">$dir</span><span class="o">/</span><span class="k">private</span><span class="o">/</span><span class="n">mollie_cakey</span><span class="p">.</span><span class="n">pem</span>
<span class="n">default_days</span> <span class="o">=</span> <span class="mi">1095</span>
<span class="n">default_bits</span> <span class="o">=</span> <span class="mi">2048</span>
<span class="n">countryName_default</span> <span class="o">=</span> <span class="n">SE</span>
<span class="n">stateOrProvinceName_default</span> <span class="o">=</span> <span class="n">Sweden</span>
<span class="n">localityName_default</span> <span class="o">=</span> <span class="n">Linkoeping</span>
<span class="mf">0.</span><span class="n">organizationName_default</span> <span class="o">=</span> <span class="n">Family</span> <span class="n">Thuree</span><span class="err">'</span><span class="n">s</span> <span class="n">mail</span> <span class="n">server</span>
<span class="n">organizationalUnitName_default</span> <span class="o">=</span> <span class="n">Mail</span> <span class="n">Server</span>
<span class="n">commonName_default</span> <span class="o">=</span> <span class="n">mollie</span><span class="p">.</span><span class="n">thuree</span><span class="p">.</span><span class="n">com</span>
<span class="n">emailAddress_default</span> <span class="o">=</span> <span class="n">postmaster</span><span class="err">@</span><span class="n">thuree</span><span class="p">.</span><span class="n">com</span>
<span class="n">unique_subject</span> <span class="o">=</span> <span class="n">no</span>
<span class="n">To</span> <span class="n">make</span> <span class="n">certificate</span> <span class="n">authority</span>
<span class="o">-----------------------------</span>
<span class="n">mkdir</span> <span class="n">newcerts</span> <span class="n">certs</span> <span class="k">private</span>
<span class="n">echo</span> <span class="s">"01"</span> <span class="o">></span> <span class="n">serial</span>
<span class="n">touch</span> <span class="n">index</span><span class="p">.</span><span class="n">txt</span>
<span class="cp"># Create CA cert</span>
<span class="n">openssl</span> <span class="n">req</span> <span class="o">-</span><span class="k">new</span> <span class="o">-</span><span class="n">x509</span> <span class="o">-</span><span class="n">extensions</span> <span class="n">v3_ca</span> <span class="o">-</span><span class="n">keyout</span> <span class="k">private</span><span class="o">/</span><span class="n">mollie_cakey</span><span class="p">.</span><span class="n">pem</span> \
<span class="o">-</span><span class="n">out</span> <span class="n">certs</span><span class="o">/</span><span class="n">mollie_cacert</span><span class="p">.</span><span class="n">pem</span> <span class="o">-</span><span class="n">days</span> <span class="mi">1095</span>
<span class="cp"># Create local cert.</span>
<span class="n">openssl</span> <span class="n">req</span> <span class="o">-</span><span class="k">new</span> <span class="o">-</span><span class="n">nodes</span> <span class="o">-</span><span class="n">out</span> <span class="n">certs</span><span class="o">/</span><span class="n">mollie_req</span><span class="p">.</span><span class="n">pem</span> <span class="o">-</span><span class="n">keyout</span> <span class="k">private</span><span class="o">/</span><span class="n">mollie_key</span><span class="p">.</span><span class="n">pem</span>
<span class="cp"># Sign the local cert.</span>
<span class="n">openssl</span> <span class="n">ca</span> <span class="o">-</span><span class="n">out</span> <span class="n">certs</span><span class="o">/</span><span class="n">mollie_cert</span><span class="p">.</span><span class="n">pem</span> <span class="o">-</span><span class="n">cert</span> <span class="n">certs</span><span class="o">/</span><span class="n">mollie_cacert</span><span class="p">.</span><span class="n">pem</span> <span class="o">-</span><span class="n">infiles</span> <span class="n">certs</span><span class="o">/</span><span class="n">mollie_req</span><span class="p">.</span><span class="n">pem</span>
<span class="cp"># Verify the newly created certificates</span>
<span class="n">openssl</span> <span class="n">s_client</span> <span class="o">-</span><span class="n">connect</span> <span class="n">mollie</span><span class="p">.</span><span class="n">thuree</span><span class="p">.</span><span class="nl">com</span><span class="p">:</span><span class="n">smtp</span> <span class="o">-</span><span class="n">starttls</span> <span class="n">smtp</span>
<span class="n">openssl</span> <span class="n">s_client</span> <span class="o">-</span><span class="n">connect</span> <span class="n">mollie</span><span class="p">.</span><span class="n">thuree</span><span class="p">.</span><span class="nl">com</span><span class="p">:</span><span class="n">smtps</span> <span class="o">-</span><span class="n">cert</span> <span class="n">denton_cert</span><span class="p">.</span><span class="n">pem</span> <span class="o">-</span><span class="n">CAfile</span> <span class="n">denton_cacert</span><span class="p">.</span><span class="n">pem</span>
<span class="n">openssl</span> <span class="n">verify</span> <span class="o">-</span><span class="n">purpose</span> <span class="n">sslclient</span> <span class="o">-</span><span class="n">CAfile</span> <span class="n">certs</span><span class="o">/</span><span class="n">cacert</span><span class="p">.</span><span class="n">pem</span> <span class="n">certs</span><span class="o">/</span><span class="n">mollie_cert</span><span class="p">.</span><span class="n">pem</span>
<span class="n">openssl</span> <span class="n">verify</span> <span class="o">-</span><span class="n">purpose</span> <span class="n">sslserver</span> <span class="o">-</span><span class="n">CAfile</span> <span class="n">certs</span><span class="o">/</span><span class="n">cacert</span><span class="p">.</span><span class="n">pem</span> <span class="n">certs</span><span class="o">/</span><span class="n">mollie_cert</span><span class="p">.</span><span class="n">pem</span>
<span class="cp"># To revoke a certifikate</span>
<span class="cp"># Check index.txt for which sequential number it is... in this case 02.</span>
<span class="n">openssl</span> <span class="n">ca</span> <span class="o">-</span><span class="n">revoke</span> <span class="n">newcerts</span><span class="o">/</span><span class="mf">02.</span><span class="n">pem</span>
<span class="cp"># Then create and sign the local cert again.</span>
<span class="n">cp</span> <span class="k">private</span><span class="o">/</span><span class="n">mollie_key</span><span class="p">.</span><span class="n">pem</span> <span class="k">private</span><span class="o">/</span><span class="n">mollie_key</span><span class="p">.</span><span class="n">pem</span><span class="p">.</span><span class="n">postfix</span>
<span class="n">chown</span> <span class="nl">postfix</span><span class="p">:</span><span class="n">postfix</span> <span class="k">private</span><span class="o">/</span><span class="n">mollie_key</span><span class="p">.</span><span class="n">pem</span><span class="p">.</span><span class="n">postfix</span>
<span class="n">chmod</span> <span class="mo">0400</span> <span class="k">private</span><span class="o">/</span><span class="n">mollie_key</span><span class="p">.</span><span class="n">pem</span><span class="p">.</span><span class="n">postfix</span>
<span class="n">Modify</span> <span class="n">postfix</span> <span class="n">to</span> <span class="n">use</span> <span class="n">the</span> <span class="n">certificates</span>
<span class="o">--------------------------------------</span>
<span class="nl">http</span><span class="p">:</span><span class="c1">//www.projektfarm.com/en/support/howto/postfix_smtp_auth_tls.html</span>
<span class="nl">http</span><span class="p">:</span><span class="c1">//www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/doc/conf.html</span>
<span class="nl">http</span><span class="p">:</span><span class="c1">//postfix.state-of-mind.de/patrick.koetter/smtpauth/postfix_tls_support.html</span>
<span class="nl">http</span><span class="p">:</span><span class="c1">//www.tribulaciones.org/docs/postfix-sasl-tls-howto.html</span>
<span class="n">vi</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">postfix</span><span class="o">/</span><span class="n">main</span><span class="p">.</span><span class="n">cf</span>
<span class="n">broken_sasl_auth_clients</span> <span class="o">=</span> <span class="n">yes</span>
<span class="n">tls_random_source</span> <span class="o">=</span> <span class="nl">dev</span><span class="p">:</span><span class="o">/</span><span class="n">dev</span><span class="o">/</span><span class="n">urandom</span>
<span class="n">relay_clientcerts</span> <span class="o">=</span> <span class="nl">hash</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">postfix</span><span class="o">/</span><span class="n">relay_certs</span>
<span class="n">smtpd_recipient_restrictions</span> <span class="o">=</span> <span class="n">permit_tls_clientcerts</span> <span class="p">...</span>
<span class="cp">#</span>
<span class="cp"># Server - SMTPD - Postfix receiving mails</span>
<span class="cp">#</span>
<span class="n">smtpd_use_tls</span> <span class="o">=</span> <span class="n">yes</span>
<span class="n">smtpd_tls_cert_file</span> <span class="o">=</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">ssl</span><span class="o">/</span><span class="n">certs</span><span class="o">/</span><span class="n">mollie_cert</span><span class="p">.</span><span class="n">pem</span>
<span class="n">smtpd_tls_key_file</span> <span class="o">=</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">ssl</span><span class="o">/</span><span class="k">private</span><span class="o">/</span><span class="n">mollie_key</span><span class="p">.</span><span class="n">pem</span><span class="p">.</span><span class="n">postfix</span>
<span class="n">smtpd_tls_CAfile</span> <span class="o">=</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">ssl</span><span class="o">/</span><span class="n">certs</span><span class="o">/</span><span class="n">mollie_cacert</span><span class="p">.</span><span class="n">pem</span>
<span class="n">smtpd_tls_CApath</span> <span class="o">=</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">ssl</span><span class="o">/</span><span class="n">tls_peers</span>
<span class="n">smtpd_tls_ask_ccert</span> <span class="o">=</span> <span class="n">yes</span>
<span class="n">smtpd_tls_loglevel</span> <span class="o">=</span> <span class="mi">1</span>
<span class="n">smtpd_tls_received_header</span> <span class="o">=</span> <span class="n">yes</span>
<span class="n">smtpd_tls_session_cache_timeout</span> <span class="o">=</span> <span class="mi">3600</span><span class="n">s</span>
<span class="n">smtpd_tls_auth_only</span> <span class="o">=</span> <span class="n">yes</span>
<span class="n">smtpd_tls_received_header</span> <span class="o">=</span> <span class="n">no</span>
<span class="cp">#smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache</span>
<span class="n">smtpd_sasl_auth_enable</span> <span class="o">=</span> <span class="n">yes</span>
<span class="n">smtpd_sasl_security_options</span> <span class="o">=</span> <span class="n">noanonymous</span>
<span class="n">smtpd_sasl_local_domain</span> <span class="o">=</span>
<span class="cp">#</span>
<span class="cp"># Client - SMTP - Postfix sending mails </span>
<span class="cp">#</span>
<span class="n">smtp_use_tls</span> <span class="o">=</span> <span class="n">yes</span>
<span class="n">smtp_tls_cert_file</span> <span class="o">=</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">ssl</span><span class="o">/</span><span class="n">certs</span><span class="o">/</span><span class="n">mollie_cert</span><span class="p">.</span><span class="n">pem</span>
<span class="n">smtp_tls_key_file</span> <span class="o">=</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">ssl</span><span class="o">/</span><span class="k">private</span><span class="o">/</span><span class="n">mollie_key</span><span class="p">.</span><span class="n">pem</span><span class="p">.</span><span class="n">postfix</span>
<span class="n">smtp_tls_CAfile</span> <span class="o">=</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">ssl</span><span class="o">/</span><span class="n">certs</span><span class="o">/</span><span class="n">mollie_cacert</span><span class="p">.</span><span class="n">pem</span>
<span class="n">smtp_tls_CApath</span> <span class="o">=</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">ssl</span><span class="o">/</span><span class="n">tls_peers</span>
<span class="n">smtp_tls_note_starttls_offer</span> <span class="o">=</span> <span class="n">yes</span>
<span class="n">smtp_tls_per_site</span> <span class="o">=</span> <span class="nl">hash</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">postfix</span><span class="o">/</span><span class="n">tls_per_site</span>
<span class="n">smtp_sasl_security_options</span> <span class="o">=</span>
<span class="n">smtp_tls_loglevel</span> <span class="o">=</span> <span class="mi">1</span>
<span class="n">vi</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">postfix</span><span class="o">/</span><span class="n">sasl</span><span class="o">/</span><span class="n">smtpd</span><span class="p">.</span><span class="n">conf</span>
<span class="nl">mech_list</span><span class="p">:</span> <span class="n">plain</span> <span class="n">login</span>
<span class="nl">pwcheck_method</span><span class="p">:</span> <span class="n">saslauthd</span>
<span class="cp"># Generate a fingerprint of the clients cert which you want to allow to relay.</span>
<span class="n">openssl</span> <span class="n">x509</span> <span class="o">-</span><span class="n">fingerprint</span> <span class="o">-</span><span class="n">in</span> <span class="n">denton_cert</span><span class="p">.</span><span class="n">pem</span>
<span class="n">vi</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">postfix</span><span class="o">/</span><span class="n">relay_certs</span>
<span class="o"><</span><span class="n">fingerprint</span><span class="o">></span> <span class="n">denton</span><span class="p">.</span><span class="n">thuree</span><span class="p">.</span><span class="n">com</span>
<span class="cp"># Add the hosts to which you MUST use TLS encryption.</span>
<span class="n">vi</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">ssl</span><span class="o">/</span><span class="n">tls_per_site</span>
<span class="n">denton</span><span class="p">.</span><span class="n">thuree</span><span class="p">.</span><span class="n">com</span> <span class="n">MUST</span>
<span class="n">postmap</span> <span class="nl">hash</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">postfix</span><span class="o">/</span><span class="n">relay_certs</span>
<span class="n">postmap</span> <span class="nl">hash</span><span class="p">:</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">ssl</span><span class="o">/</span><span class="n">tls_per_site</span>
<span class="n">postfix</span> <span class="n">reload</span>
<span class="cp"># Make sure that postfix can authenticate by using cyrus sasl.</span>
<span class="n">apt</span><span class="o">-</span><span class="n">get</span> <span class="n">install</span> <span class="n">libsasl2</span> <span class="n">libsasl2</span><span class="o">-</span><span class="n">modules</span>
<span class="cp"># To make SASL work in CHROOT environment</span>
<span class="n">cd</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">spool</span><span class="o">/</span><span class="n">postfix</span>
<span class="n">mkdir</span> <span class="o">-</span><span class="n">p</span> <span class="n">var</span><span class="o">/</span><span class="n">run</span>
<span class="n">cd</span> <span class="n">var</span><span class="o">/</span><span class="n">run</span>
<span class="n">mv</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">run</span><span class="o">/</span><span class="n">saslauthd</span> <span class="p">.</span>
<span class="n">cd</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">run</span>
<span class="n">ln</span> <span class="o">-</span><span class="n">s</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">spool</span><span class="o">/</span><span class="n">postfix</span><span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">run</span><span class="o">/</span><span class="n">saslauthd</span><span class="o">/</span>
<span class="n">vi</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="k">default</span><span class="o">/</span><span class="n">saslauthd</span> <span class="p">(</span><span class="n">add</span> <span class="n">last</span><span class="p">)</span>
<span class="cp"># Fix the saslauth directory</span>
<span class="k">if</span> <span class="p">[</span> <span class="o">!</span> <span class="o">-</span><span class="n">d</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">run</span><span class="o">/</span><span class="n">saslauthd</span> <span class="p">];</span> <span class="n">then</span>
<span class="n">ln</span> <span class="o">-</span><span class="n">s</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">spool</span><span class="o">/</span><span class="n">postfix</span><span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">run</span><span class="o">/</span><span class="n">saslauthd</span><span class="o">/</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">run</span>
<span class="n">fi</span>
<span class="n">Norton</span> <span class="n">Antivirus</span>
<span class="o">================</span>
<span class="n">Turn</span> <span class="n">off</span> <span class="n">Norton</span> <span class="n">Antivirus</span> <span class="n">scanning</span> <span class="n">on</span> <span class="n">outgoing</span> <span class="n">mails</span><span class="p">,</span> <span class="n">it</span> <span class="n">blocks</span> <span class="n">the</span> <span class="n">STARTTLS</span> <span class="n">command</span>
<span class="n">Modify</span> <span class="n">cyrus</span> <span class="n">to</span> <span class="n">use</span> <span class="n">certificates</span>
<span class="o">--------------------------------</span>
<span class="n">vi</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">imapd</span><span class="p">.</span><span class="n">conf</span>
<span class="nl">tls_cert_file</span><span class="p">:</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">ssl</span><span class="o">/</span><span class="n">certs</span><span class="o">/</span><span class="n">mollie_cert</span><span class="p">.</span><span class="n">pem</span>
<span class="nl">tls_key_file</span><span class="p">:</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">ssl</span><span class="o">/</span><span class="k">private</span><span class="o">/</span><span class="n">mollie_key</span><span class="p">.</span><span class="n">pem</span><span class="p">.</span><span class="n">cyrus</span>
<span class="nl">tls_ca_file</span><span class="p">:</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">ssl</span><span class="o">/</span><span class="n">certs</span><span class="o">/</span><span class="n">mollie_cacert</span><span class="p">.</span><span class="n">pem</span>
<span class="nl">tls_require_cert</span><span class="p">:</span> <span class="n">no</span>
<span class="n">cp</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">ssl</span><span class="o">/</span><span class="k">private</span><span class="o">/</span><span class="n">mollie_key</span><span class="p">.</span><span class="n">pem</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">ssl</span><span class="o">/</span><span class="k">private</span><span class="o">/</span><span class="n">mollie_key</span><span class="p">.</span><span class="n">pem</span><span class="p">.</span><span class="n">cyrus</span>
<span class="n">chown</span> <span class="nl">cyrus</span><span class="p">:</span><span class="n">mail</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">ssl</span><span class="o">/</span><span class="k">private</span><span class="o">/</span><span class="n">mollie_key</span><span class="p">.</span><span class="n">pem</span><span class="p">.</span><span class="n">cyrus</span>
<span class="n">chmod</span> <span class="mo">0400</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">ssl</span><span class="o">/</span><span class="k">private</span><span class="o">/</span><span class="n">mollie_key</span><span class="p">.</span><span class="n">pem</span><span class="p">.</span><span class="n">cyrus</span>
<span class="n">Verify</span> <span class="n">that</span> <span class="n">IMAPS</span> <span class="n">is</span> <span class="n">properly</span> <span class="n">configured</span><span class="p">.</span>
<span class="o">-----------------------------------------</span>
<span class="n">openssl</span> <span class="n">s_client</span> <span class="o">-</span><span class="n">connect</span> <span class="nl">localhost</span><span class="p">:</span><span class="n">imaps</span>
<span class="n">Verify</span> <span class="n">postfix</span><span class="o">-</span><span class="n">tls</span>
<span class="o">------------------</span>
<span class="n">postfix</span> <span class="n">reload</span>
<span class="n">telnet</span> <span class="mf">127.0.0.1</span> <span class="mi">25</span>
<span class="n">ehlo</span> <span class="n">thuree</span><span class="p">.</span><span class="n">com</span>
<span class="o">--></span> <span class="n">Look</span> <span class="k">for</span> <span class="n">STARTTLS</span>
<span class="n">starttls</span>
<span class="o">--></span> <span class="n">Ready</span> <span class="n">to</span> <span class="n">start</span> <span class="n">TLS</span>
<span class="n">Verify</span> <span class="n">cyrus</span>
<span class="o">------------</span>
<span class="n">From</span> <span class="n">another</span> <span class="n">computer</span><span class="p">,</span> <span class="n">run</span> <span class="n">the</span> <span class="n">imtest</span> <span class="n">program</span>
<span class="n">imtest</span> <span class="o">-</span><span class="n">t</span> <span class="s">""</span> <span class="mf">192.168.20.50</span> <span class="o">-</span><span class="n">a</span> <span class="o"><</span><span class="n">user</span><span class="o">></span>
<span class="o"><</span><span class="n">ctrl</span><span class="o">-</span><span class="n">d</span><span class="o">></span> <span class="n">when</span> <span class="n">finished</span>
<span class="n">Misc</span>
<span class="o">====</span>
<span class="n">apt</span><span class="o">-</span><span class="n">get</span> <span class="n">install</span> <span class="n">gotmail</span> <span class="n">fetchmail</span> <span class="n">fetchyahoo</span>
<span class="n">cd</span> <span class="o">/</span><span class="n">etc</span>
<span class="n">cp</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">share</span><span class="o">/</span><span class="n">doc</span><span class="o">/</span><span class="n">fetchmail</span><span class="o">/</span><span class="n">examples</span><span class="o">/</span><span class="n">fetchmailrc</span><span class="p">.</span><span class="n">example</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">fetchmailrc</span>
<span class="n">chmod</span> <span class="mo">0600</span> <span class="n">fetchmailrc</span>
<span class="n">chown</span> <span class="nl">fetchmail</span><span class="p">:</span><span class="n">root</span> <span class="n">fetchmailrc</span>
<span class="n">vi</span> <span class="n">fetchmailrc</span>
<span class="n">poll</span> <span class="n">aaa</span><span class="p">.</span><span class="n">bbb</span><span class="p">.</span><span class="n">ccc</span> <span class="n">with</span> <span class="n">protocol</span> <span class="n">pop3</span><span class="o">/</span><span class="n">imap</span>
<span class="cp"># interval 6 # Only if you want it to be done less regurlarly...</span>
<span class="n">user</span> <span class="s">"XXXX"</span> <span class="n">with</span> <span class="n">password</span> <span class="s">"YYYYY"</span><span class="p">,</span> <span class="n">is</span> <span class="s">"ZZZZ"</span> <span class="n">here</span>
<span class="n">fetchall</span>
<span class="n">ssl</span>
<span class="n">Fix</span> <span class="k">for</span> <span class="n">FetchMail</span> <span class="n">dying</span>
<span class="o">-----------------------</span>
<span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">cron</span><span class="p">.</span><span class="n">d</span><span class="o">/</span><span class="n">fetchmail</span>
<span class="cp">#</span>
<span class="cp"># Check regurarly if fetchmail is running, and if not restart it.</span>
<span class="cp">#</span>
<span class="err">@</span><span class="n">hourly</span> <span class="n">root</span> <span class="n">test</span> <span class="o">-</span><span class="n">x</span> <span class="o">/</span><span class="n">root</span><span class="o">/</span><span class="n">scripts</span><span class="o">/</span><span class="n">CheckFetchMail</span> <span class="o">&&</span> <span class="o">/</span><span class="n">root</span><span class="o">/</span><span class="n">scripts</span><span class="o">/</span><span class="n">CheckFetchMail</span> <span class="o">/</span><span class="n">dev</span><span class="o">/</span><span class="n">null</span> <span class="mi">2</span><span class="o">>&</span><span class="mi">1</span>
<span class="o">/</span><span class="n">root</span><span class="o">/</span><span class="n">scripts</span><span class="o">/</span><span class="n">CheckFetchMail</span>
<span class="cp">#!/bin/sh</span>
<span class="k">if</span> <span class="p">[</span> <span class="err">`</span><span class="n">ps</span> <span class="o">-</span><span class="n">eaf</span> <span class="o">|</span> <span class="n">grep</span> <span class="n">fetchmail</span> <span class="o">|</span> <span class="n">grep</span> <span class="o">-</span><span class="n">v</span> <span class="err">'</span><span class="n">grep</span> <span class="n">fetch</span><span class="err">'</span> <span class="o">|</span> <span class="n">wc</span> <span class="o">-</span><span class="n">l</span><span class="err">`</span> <span class="o">-</span><span class="n">eq</span> <span class="mi">0</span> <span class="p">];</span> <span class="n">then</span>
<span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">init</span><span class="p">.</span><span class="n">d</span><span class="o">/</span><span class="n">fetchmail</span> <span class="n">restart</span>
<span class="n">fi</span>
<span class="n">gotmail</span>
<span class="o">-------</span>
<span class="n">vi</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">cron</span><span class="p">.</span><span class="n">d</span><span class="o">/</span><span class="n">gotmail</span>
<span class="cp"># get hotmail every 15 minutes</span>
<span class="mi">08</span><span class="p">,</span><span class="mi">23</span><span class="p">,</span><span class="mi">38</span><span class="p">,</span><span class="mi">53</span> <span class="o">*</span> <span class="o">*</span> <span class="o">*</span> <span class="o">*</span> <span class="n">jade</span> <span class="k">if</span> <span class="p">[</span> <span class="o">-</span><span class="n">x</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">gotmail</span> <span class="p">];</span> <span class="n">then</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">gotmail</span> <span class="n">fi</span>
<span class="mo">03</span><span class="p">,</span><span class="mi">18</span><span class="p">,</span><span class="mi">32</span><span class="p">,</span><span class="mi">47</span> <span class="o">*</span> <span class="o">*</span> <span class="o">*</span> <span class="o">*</span> <span class="n">bengt</span> <span class="k">if</span> <span class="p">[</span> <span class="o">-</span><span class="n">x</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">gotmail</span> <span class="p">];</span> <span class="n">then</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">gotmail</span> <span class="n">fi</span>
<span class="n">vi</span> <span class="o"><</span><span class="n">user</span><span class="o">>/</span><span class="p">.</span><span class="n">gotmailrc</span>
<span class="n">username</span><span class="o">=<</span><span class="n">hotmail</span> <span class="n">user</span> <span class="n">name</span> <span class="n">before</span> <span class="err">@</span><span class="o">></span>
<span class="n">password</span><span class="o">=<</span><span class="n">password</span><span class="o">></span>
<span class="n">forward</span><span class="o">=<</span><span class="n">Forward</span> <span class="k">this</span> <span class="n">mail</span> <span class="n">to</span> <span class="n">bengt</span><span class="err">@</span><span class="n">thuree</span><span class="p">.</span><span class="n">com</span><span class="o">></span>
<span class="n">retry</span><span class="o">-</span><span class="n">limit</span><span class="o">=</span><span class="mi">3</span>
<span class="n">silent</span>
<span class="k">delete</span>
<span class="n">common</span> <span class="n">compression</span> <span class="n">packets</span> <span class="o">-</span> <span class="n">To</span> <span class="n">enable</span> <span class="n">MailScanner</span> <span class="n">to</span> <span class="n">scan</span> <span class="n">zip</span> <span class="n">files</span><span class="p">.</span>
<span class="o">==========================</span>
<span class="n">apt</span><span class="o">-</span><span class="n">get</span> <span class="n">install</span> <span class="n">lha</span> <span class="n">zoo</span> <span class="n">unzoo</span> <span class="n">arc</span> <span class="n">bzip2</span> <span class="n">unarj</span> <span class="n">unrar</span> <span class="n">unzip</span>
<span class="n">SPF</span>
<span class="o">===</span>
<span class="n">Information</span> <span class="n">can</span> <span class="n">be</span> <span class="n">found</span> <span class="n">here</span> <span class="nl">http</span><span class="p">:</span><span class="c1">//spf.pobox.com/index.html</span>
<span class="n">Add</span> <span class="k">this</span> <span class="n">to</span> <span class="n">your</span> <span class="n">MX</span> <span class="n">record</span> <span class="k">if</span> <span class="n">your</span> <span class="n">mailserver</span> <span class="n">has</span> <span class="n">a</span> <span class="k">static</span> <span class="n">IP</span> <span class="n">address</span>
<span class="n">thuree</span><span class="p">.</span><span class="n">com</span> <span class="n">IN</span> <span class="n">TXT</span> <span class="n">v</span><span class="o">=</span><span class="n">spf1</span> <span class="n">mx</span> <span class="nl">a</span><span class="p">:</span><span class="o"><</span><span class="n">IP</span><span class="o">></span> <span class="o">~</span><span class="n">all</span>
<span class="n">To</span> <span class="n">verify</span><span class="p">,</span> <span class="n">send</span> <span class="n">an</span> <span class="n">email</span> <span class="n">to</span> <span class="n">echo</span><span class="err">@</span><span class="n">generic</span><span class="o">-</span><span class="n">nic</span><span class="p">.</span><span class="n">net</span> <span class="n">and</span> <span class="n">check</span> <span class="n">the</span> <span class="n">responce</span><span class="p">.</span>
<span class="n">AntiVirus</span>
<span class="o">===============================</span>
<span class="n">apt</span><span class="o">-</span><span class="n">get</span> <span class="n">install</span> <span class="n">f</span><span class="o">-</span><span class="n">prot</span><span class="o">-</span><span class="n">installer</span> <span class="n">clamav</span> <span class="n">clamav</span><span class="o">-</span><span class="n">testfiles</span>
<span class="o">*</span> <span class="n">Clamav</span> <span class="o">-</span> <span class="n">Select</span> <span class="n">MANUAL</span> <span class="n">update</span> <span class="n">of</span> <span class="n">virus</span> <span class="n">definitions</span><span class="p">.</span>
<span class="p">(</span><span class="k">this</span> <span class="n">since</span> <span class="n">mailscanner</span> <span class="n">will</span> <span class="n">handle</span> <span class="n">the</span> <span class="n">updates</span><span class="p">)</span>
* f-prot - Download and install
## Temporary workaround
## mkdir -p /usr/share/MailScanner/MailScanner
apt-get install mailscanner tnef spamassassin razor file
Copy f-prot-pgm-autoupdate to /etc/MailScanner/autoupdate/f-prot-pgm-autoupdate
(it's on workie, debian/MyMailScanner). This is the weekly program updater; the
hourly definition updates below use f-prot-autoupdate and clamav-autoupdate,
which ship with MailScanner.
----------------------------
ln -s /etc/MailScanner/autoupdate/f-prot-pgm-autoupdate /etc/cron.weekly
vi /etc/cron.d/VirusDefUpdate
----------------------------
mollie:/etc/MailScanner/autoupdate# more /etc/cron.d/VirusDefUpdate
# Regular cron jobs for updating virus definitions,
# using MailScanner's autoupdate scripts
#
# If you only want to receive e-mail when an error occurs, then you want
# to include the -quiet parameter
27 * * * * root if [ -x /etc/MailScanner/autoupdate/f-prot-autoupdate ]; then /etc/MailScanner/autoupdate/f-prot-autoupdate /usr/lib/f-prot -cron; fi
# ClamAV's virus definition update is by default done in -quiet mode.
# Only errors will be reported.
46 * * * * root if [ -x /etc/MailScanner/autoupdate/clamav-autoupdate ]; then /etc/MailScanner/autoupdate/clamav-autoupdate ; fi
----------------------------
<span class="n">Test</span> <span class="n">the</span> <span class="n">anti</span> <span class="n">virus</span> <span class="n">programs</span>
<span class="o">----------------------------</span>
<span class="n">cd</span> <span class="o">/</span><span class="n">tmp</span>
<span class="n">wget</span> <span class="nl">http</span><span class="p">:</span><span class="c1">//www.eicar.org/download/eicar.com</span>
<span class="n">wget</span> <span class="nl">http</span><span class="p">:</span><span class="c1">//www.eicar.org/download/eicar.com.txt</span>
<span class="n">wget</span> <span class="nl">http</span><span class="p">:</span><span class="c1">//www.eicar.org/download/eicar_com.zip</span>
<span class="n">wget</span> <span class="nl">http</span><span class="p">:</span><span class="c1">//www.eicar.org/download/eicarcom2.zip</span>
<span class="nl">mollie</span><span class="p">:</span><span class="o">/</span><span class="n">tmp</span><span class="err">#</span> <span class="n">clamscan</span>
<span class="o">/</span><span class="n">tmp</span><span class="o">/</span><span class="n">eicar</span><span class="p">.</span><span class="nl">com</span><span class="p">:</span> <span class="n">Eicar</span><span class="o">-</span><span class="n">Test</span><span class="o">-</span><span class="n">Signature</span> <span class="n">FOUND</span>
<span class="o">/</span><span class="n">tmp</span><span class="o">/</span><span class="n">eicar</span><span class="p">.</span><span class="n">com</span><span class="p">.</span><span class="nl">txt</span><span class="p">:</span> <span class="n">Eicar</span><span class="o">-</span><span class="n">Test</span><span class="o">-</span><span class="n">Signature</span> <span class="n">FOUND</span>
<span class="o">/</span><span class="n">tmp</span><span class="o">/</span><span class="n">eicar_com</span><span class="p">.</span><span class="nl">zip</span><span class="p">:</span> <span class="n">Eicar</span><span class="o">-</span><span class="n">Test</span><span class="o">-</span><span class="n">Signature</span> <span class="n">FOUND</span>
<span class="o">/</span><span class="n">tmp</span><span class="o">/</span><span class="n">eicarcom2</span><span class="p">.</span><span class="nl">zip</span><span class="p">:</span> <span class="n">Eicar</span><span class="o">-</span><span class="n">Test</span><span class="o">-</span><span class="n">Signature</span> <span class="n">FOUND</span>
<span class="o">-----------</span> <span class="n">SCAN</span> <span class="n">SUMMARY</span> <span class="o">-----------</span>
<span class="n">Known</span> <span class="nl">viruses</span><span class="p">:</span> <span class="mi">10609</span>
<span class="n">Scanned</span> <span class="nl">directories</span><span class="p">:</span> <span class="mi">1</span>
<span class="n">Scanned</span> <span class="nl">files</span><span class="p">:</span> <span class="mi">7</span>
<span class="n">Infected</span> <span class="nl">files</span><span class="p">:</span> <span class="mi">5</span>
<span class="nl">mollie</span><span class="p">:</span><span class="o">/</span><span class="n">tmp</span><span class="err">#</span> <span class="n">f</span><span class="o">-</span><span class="n">prot</span> <span class="n">ei</span><span class="o">*</span>
<span class="n">Virus</span> <span class="n">scanning</span> <span class="n">report</span> <span class="o">-</span> <span class="mi">22</span> <span class="n">August</span> <span class="mi">2004</span> <span class="err">@</span> <span class="mi">16</span><span class="o">:</span><span class="mi">09</span>
<span class="n">F</span><span class="o">-</span><span class="n">PROT</span> <span class="n">ANTIVIRUS</span>
<span class="n">Program</span> <span class="nl">version</span><span class="p">:</span> <span class="mf">4.4.4</span>
<span class="n">Engine</span> <span class="nl">version</span><span class="p">:</span> <span class="mf">3.14.11</span>
<span class="n">VIRUS</span> <span class="n">SIGNATURE</span> <span class="n">FILES</span>
<span class="n">SIGN</span><span class="p">.</span><span class="n">DEF</span> <span class="n">created</span> <span class="mi">18</span> <span class="n">August</span> <span class="mi">2004</span>
<span class="n">SIGN2</span><span class="p">.</span><span class="n">DEF</span> <span class="n">created</span> <span class="mi">18</span> <span class="n">August</span> <span class="mi">2004</span>
<span class="n">MACRO</span><span class="p">.</span><span class="n">DEF</span> <span class="n">created</span> <span class="mi">16</span> <span class="n">August</span> <span class="mi">2004</span>
<span class="nl">Search</span><span class="p">:</span> <span class="n">eicar</span><span class="p">.</span><span class="n">com</span> <span class="n">eicar</span><span class="p">.</span><span class="n">com</span><span class="p">.</span><span class="n">txt</span> <span class="n">eicar_com</span><span class="p">.</span><span class="n">zip</span> <span class="n">eicarcom2</span><span class="p">.</span><span class="n">zip</span>
<span class="nl">Action</span><span class="p">:</span> <span class="n">Report</span> <span class="n">only</span>
<span class="nl">Files</span><span class="p">:</span> <span class="s">"Dumb"</span> <span class="n">scan</span> <span class="n">of</span> <span class="n">all</span> <span class="n">files</span>
<span class="nl">Switches</span><span class="p">:</span> <span class="o">-</span><span class="n">ARCHIVE</span> <span class="o">-</span><span class="n">PACKED</span> <span class="o">-</span><span class="n">SERVER</span>
<span class="o">/</span><span class="n">tmp</span><span class="o">/</span><span class="n">eicar</span><span class="p">.</span><span class="n">com</span> <span class="nl">Infection</span><span class="p">:</span> <span class="n">EICAR_Test_File</span>
<span class="o">/</span><span class="n">tmp</span><span class="o">/</span><span class="n">eicar</span><span class="p">.</span><span class="n">com</span><span class="p">.</span><span class="n">txt</span> <span class="nl">Infection</span><span class="p">:</span> <span class="n">EICAR_Test_File</span>
<span class="o">/</span><span class="n">tmp</span><span class="o">/</span><span class="n">eicar_com</span><span class="p">.</span><span class="n">zip</span><span class="o">-></span><span class="n">eicar</span><span class="p">.</span><span class="n">com</span> <span class="nl">Infection</span><span class="p">:</span> <span class="n">EICAR_Test_File</span>
<span class="o">/</span><span class="n">tmp</span><span class="o">/</span><span class="n">eicarcom2</span><span class="p">.</span><span class="n">zip</span><span class="o">-></span><span class="n">eicar_com</span><span class="p">.</span><span class="n">zip</span><span class="o">-></span><span class="n">eicar</span><span class="p">.</span><span class="n">com</span> <span class="nl">Infection</span><span class="p">:</span> <span class="n">EICAR_Test_File</span>
<span class="n">Results</span> <span class="n">of</span> <span class="n">virus</span> <span class="nl">scanning</span><span class="p">:</span>
<span class="nl">Files</span><span class="p">:</span> <span class="mi">4</span>
<span class="nl">MBRs</span><span class="p">:</span> <span class="mi">0</span>
<span class="n">Boot</span> <span class="nl">sectors</span><span class="p">:</span> <span class="mi">0</span>
<span class="n">Objects</span> <span class="nl">scanned</span><span class="p">:</span> <span class="mi">7</span>
<span class="nl">Infected</span><span class="p">:</span> <span class="mi">4</span>
<span class="nl">Suspicious</span><span class="p">:</span> <span class="mi">0</span>
<span class="nl">Disinfected</span><span class="p">:</span> <span class="mi">0</span>
<span class="nl">Deleted</span><span class="p">:</span> <span class="mi">0</span>
<span class="nl">Renamed</span><span class="p">:</span> <span class="mi">0</span>
<span class="nl">Time</span><span class="p">:</span> <span class="mi">0</span><span class="o">:</span><span class="mo">00</span>
Fix Postfix & MailScanner so it scans for viruses
-----------------------------------------------
vi /etc/postfix/main.cf
header_checks = regexp:/etc/postfix/header_checks
hash_queue_depth = 2
hash_queue_names = incoming deferred hold
vi /etc/postfix/header_checks
/^Received:/ HOLD
Every message Postfix accepts carries a Received: header, so this rule parks all
mail in the hold queue. MailScanner uses that as its incoming queue (see the
MailScanner.conf settings below) and drains scanned mail into the incoming queue.
If the HOLD line is missing or commented out, mail is delivered unscanned.
Use greylisting with Postfix
------------------------------
apt-get install postgrey
Add a "check_policy_service" to smtpd_recipient_restrictions in main.cf. Put it
after reject_unauth_destination, so relay attempts are rejected outright instead
of being greylisted and retried:
smtpd_recipient_restrictions =
    reject_unauth_destination
    check_policy_service inet:127.0.0.1:60000
    check_recipient_access pcre:/etc/postfix/recipient_checks.pcre
<span class="n">Fix</span> <span class="n">MailScanner</span> <span class="n">configuration</span>
<span class="o">-----------------------------</span>
<span class="n">vi</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">MailScanner</span><span class="o">/</span><span class="n">MailScanner</span><span class="p">.</span><span class="n">conf</span>
<span class="nf">%org</span><span class="o">-</span><span class="n">name</span><span class="o">%</span> <span class="o">=</span> <span class="n">thuree</span>
<span class="n">Run</span> <span class="n">As</span> <span class="n">User</span> <span class="o">=</span> <span class="n">postfix</span>
<span class="n">Run</span> <span class="n">As</span> <span class="n">Group</span> <span class="o">=</span> <span class="n">postfix</span>
<span class="n">Incoming</span> <span class="n">Queue</span> <span class="n">Dir</span> <span class="o">=</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">spool</span><span class="o">/</span><span class="n">postfix</span><span class="o">/</span><span class="n">hold</span>
<span class="n">Outgoing</span> <span class="n">Queue</span> <span class="n">Dir</span> <span class="o">=</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">spool</span><span class="o">/</span><span class="n">postfix</span><span class="o">/</span><span class="n">incoming</span>
<span class="n">MTA</span> <span class="o">=</span> <span class="n">postfix</span>
<span class="n">SendMail2</span> <span class="o">=</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">sendmail</span>
<span class="n">Virus</span> <span class="n">Scanners</span> <span class="o">=</span> <span class="n">f</span><span class="o">-</span><span class="n">prot</span> <span class="n">clamav</span>
<span class="n">SpamAssassin</span> <span class="n">User</span> <span class="n">State</span> <span class="n">Dir</span> <span class="o">=</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">spool</span><span class="o">/</span><span class="n">MailScanner</span><span class="o">/</span><span class="n">spamassassin</span>
<span class="n">vi</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">MailScanner</span><span class="o">/</span><span class="n">spam</span><span class="p">.</span><span class="n">assassin</span><span class="p">.</span><span class="n">prefs</span><span class="p">.</span><span class="n">conf</span>
<span class="n">bayes_ignore_header</span> <span class="n">X</span><span class="o">-</span><span class="n">thuree</span><span class="o">-</span><span class="n">MailScanner</span>
<span class="n">mkdir</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">spool</span><span class="o">/</span><span class="n">MailScanner</span><span class="o">/</span><span class="n">spamassassin</span>
<span class="n">chown</span> <span class="o">-</span><span class="n">R</span> <span class="nl">postfix</span><span class="p">:</span><span class="n">postfix</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">spool</span><span class="o">/</span><span class="n">MailScanner</span>
<span class="n">chown</span> <span class="o">-</span><span class="n">R</span> <span class="nl">postfix</span><span class="p">:</span><span class="n">postfix</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">MailScanner</span>
<span class="n">chown</span> <span class="o">-</span><span class="n">R</span> <span class="nl">postfix</span><span class="p">:</span><span class="n">postfix</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">run</span><span class="o">/</span><span class="n">MailScanner</span>
<span class="n">vi</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="k">default</span><span class="o">/</span><span class="n">mailscanner</span>
<span class="n">run_mailscanner</span><span class="o">=</span><span class="mi">1</span>
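The wiring above (the HOLD header check, the two queue directories, the user MailScanner runs as, and where postgrey sits in the restriction list) fails silently when one piece is wrong: mail simply flows past the scanner. The script below is an added example, not from the original notes, that checks a main.cf and a MailScanner.conf for exactly these points. It assumes plain-text config files and an optional ROOT prefix, and the sample configs it runs against are constructed by the script itself rather than taken from any real host.

```shell
#!/bin/sh
# Added example (not from the original notes): consistency check for the
# Postfix <-> MailScanner wiring. ROOT is an optional prefix so the check can
# run against constructed copies of the config files (done at the bottom).

# Value of a main.cf parameter, honouring Postfix continuation lines
# (a line that starts with whitespace continues the previous value).
pf_get() {  # pf_get main.cf parameter
    awk 'NR > 1 && !/^[ \t]/ { printf "\n" } { printf "%s", $0 } END { printf "\n" }' "$1" |
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" | tail -n 1
}

# Value of a "Key Name = value" line in MailScanner.conf (last one wins).
ms_get() {  # ms_get MailScanner.conf "Key Name"
    awk -F'[ \t]*=[ \t]*' -v k="$2" '!/^#/ && $1 == k { v = $2 } END { print v }' "$1"
}

# Returns 0 if the wiring is sane, 1 otherwise, printing each problem found.
check_scanner_wiring() {  # check_scanner_wiring main.cf MailScanner.conf
    rc=0
    hc=$(pf_get "$1" header_checks)
    case "$hc" in
        regexp:*|pcre:*)
            grep -Eq '^/\^Received:/[[:space:]]+HOLD' "$ROOT${hc#*:}" 2>/dev/null ||
                { echo "FAIL: ${hc#*:} has no '/^Received:/ HOLD' line: mail is delivered unscanned"; rc=1; } ;;
        *)  echo "FAIL: header_checks is not a regexp:/pcre: table (got '$hc')"; rc=1 ;;
    esac
    q=$(pf_get "$1" queue_directory); q=${q:-/var/spool/postfix}
    [ "$(ms_get "$2" 'Incoming Queue Dir')" = "$q/hold" ] ||
        { echo "FAIL: Incoming Queue Dir must be $q/hold (where HOLD parks mail)"; rc=1; }
    [ "$(ms_get "$2" 'Outgoing Queue Dir')" = "$q/incoming" ] ||
        { echo "FAIL: Outgoing Queue Dir must be $q/incoming (where Postfix picks scanned mail up)"; rc=1; }
    [ "$(ms_get "$2" MTA)" = postfix ] || { echo "FAIL: MTA must be postfix"; rc=1; }
    for k in 'Run As User' 'Run As Group'; do
        [ "$(ms_get "$2" "$k")" = postfix ] || { echo "FAIL: $k must be postfix to read/write the queues"; rc=1; }
    done
    case "$(pf_get "$1" smtpd_recipient_restrictions)" in
        *reject_unauth_destination*check_policy_service*) ;;
        *check_policy_service*)
            echo "FAIL: check_policy_service comes before reject_unauth_destination (relay probes get greylisted, not rejected)"; rc=1 ;;
        *)  echo "WARN: no check_policy_service in smtpd_recipient_restrictions, postgrey is not consulted" ;;
    esac
    return $rc
}

# Constructed sample configs (not copied from any real host) for a stand-alone run.
# usage: write_fixture DIR good|bad
write_fixture() {
    mkdir -p "$1/etc/postfix"
    if [ "$2" = good ]; then
        hold='/^Received:/ HOLD'; inq=hold; outq=incoming
        order='reject_unauth_destination, check_policy_service inet:127.0.0.1:60000'
    else
        hold='#/^Received:/ HOLD'; inq=incoming; outq=hold
        order='check_policy_service inet:127.0.0.1:60000, reject_unauth_destination'
    fi
    printf '%s\n' "$hold" > "$1/etc/postfix/header_checks"
    cat > "$1/main.cf" <<EOF
queue_directory = /var/spool/postfix
header_checks = regexp:/etc/postfix/header_checks
hash_queue_names = incoming deferred hold
smtpd_recipient_restrictions = permit_mynetworks,
    $order,
    check_recipient_access pcre:/etc/postfix/recipient_checks.pcre
EOF
    cat > "$1/MailScanner.conf" <<EOF
# constructed excerpt
%org-name% = thuree
Run As User = postfix
Run As Group = postfix
Incoming Queue Dir = /var/spool/postfix/$inq
Outgoing Queue Dir = /var/spool/postfix/$outq
MTA = postfix
EOF
}

# Stand-alone demo: the good fixture passes, the bad one reports every problem.
demo=$(mktemp -d)
ROOT=$demo
for kind in good bad; do
    write_fixture "$demo" "$kind"
    echo "== $kind fixture"
    if check_scanner_wiring "$demo/main.cf" "$demo/MailScanner.conf"; then
        echo "OK: wiring is consistent"
    else
        echo "problems found"
    fi
done
rm -rf "$demo"
```

On a real gateway run it with ROOT unset against /etc/postfix/main.cf and /etc/MailScanner/MailScanner.conf; it only reads the files, so it is safe to put next to the VirusDefUpdate job.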
Simple monitoring (needs to be modified to work with multiple scanners and yesterday, last week etc)
-----------------
cd /root/scripts
wget http://web.csma.biz/apps/vnames.pl
chmod +x vnames.pl
vi vnames.pl
$Scanner = "f-prot,clamav";
$MailLogFile ="/var/log/mail.log";
$StatsFile = "/root/scripts/virus.log";
vi /etc/crontab
58 23 * * * root /root/scripts/vnames.pl youremail@host.com
Test mail scanning with antivirus
-------------------------------
bengt@dellie:~$ telnet 192.168.20.50 25
ehlo test.com
mail from:bengt@test.com
rcpt to:test@thuree.com
data
Test from remote host with the eicar.com virus attachment
.
quit
The scanner only reacts if eicar.com actually travels as a MIME attachment in
the body; the text line above is just a description of the test. Check
/var/log/mail.log for the infection report rather than the recipient's inbox.
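To make the test above real, the message body has to carry eicar.com as a base64 MIME part. The script below is an added example, not from the original notes: it assembles the EICAR string, wraps it into a MIME message and into the SMTP dialogue shown above, so the same check that clamscan and f-prot passed on /tmp earlier can be run against the gateway. It assumes a POSIX sh with base64 from coreutils or busybox; the addresses and gateway IP are the ones from the telnet session, and the nc -q option in the usage note is the Debian netcat's.

```shell
#!/bin/sh
# Added example (not from the original notes): build an EICAR test mail and the
# SMTP dialogue around it. Addresses and host are those of the session above.

# The 68-byte EICAR test string, assembled from two halves at run time so that
# this script itself is not quarantined by an on-access scanner.
eicar_string() {
    printf '%s%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EI' 'CAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
}

# Base64 form for the attachment (base64 wraps at 76 columns, as MIME wants).
eicar_b64() {
    eicar_string | base64
}

# Print a complete MIME message with eicar.com attached.
# usage: eicar_mail FROM TO
eicar_mail() {
    boundary="eicar-test-$$"
    cat <<EOF
From: $1
To: $2
Subject: EICAR test attachment
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="$boundary"

--$boundary
Content-Type: text/plain; charset=us-ascii

Test from remote host with the eicar.com virus attachment.

--$boundary
Content-Type: application/octet-stream; name="eicar.com"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="eicar.com"

$(eicar_b64)
--$boundary--
EOF
}

# Wrap the message in an SMTP dialogue: CRLF line ends and dot-stuffing of
# body lines that start with ".", as RFC 5321 requires.
# usage: smtp_transcript FROM TO
smtp_transcript() {
    printf 'EHLO test.com\r\nMAIL FROM:<%s>\r\nRCPT TO:<%s>\r\nDATA\r\n' "$1" "$2"
    eicar_mail "$1" "$2" | awk '{ sub(/^\./, ".."); printf "%s\r\n", $0 }'
    printf '.\r\nQUIT\r\n'
}

# Stand-alone run: write the transcript to a file for inspection.
out=${TMPDIR:-/tmp}/eicar-test.smtp
smtp_transcript bengt@test.com test@thuree.com > "$out"
echo "wrote $out ($(wc -c < "$out" | tr -d ' ') bytes)"
```

To send it: `smtp_transcript bengt@test.com test@thuree.com | nc -q 5 192.168.20.50 25`. Pipelining the whole dialogue this way is accepted by Postfix; a stricter MTA may want the message fed through `sendmail -t` on the gateway instead. Either way the mail should show up in mail.log as infected and never reach test@thuree.com.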
SpamAssassin
============
Fetch some predefined rules for SpamAssassin.
cd /tmp/
wget http://mailscanner.prolocation.net/fetchbigevil-0.2.tar.gz
wget http://mailscanner.prolocation.net/fetchbackhair-0.1.tar.gz
gunzip fetch*
tar xvf fetchbi*
tar xvf fetchba*
for f in update-b*; do ./$f; done   # a bare ./update-b* expands to both names and runs only the first
mv update-b* /etc/cron.daily
vi /etc/cron.daily/update-backhair
--> Add below just before the reload <--
cp /etc/spamassassin/backhair.cf /usr/share/spamassassin/90_backhair.cf
--> also, change /etc/rc.d/init.d --> /etc/init.d <--
vi /etc/cron.daily/update-bigevil
--> Add below just before the reload <--
cp /etc/spamassassin/bigevil.cf /usr/share/spamassassin/90_bigevil.cf
--> also, change /etc/rc.d/init.d --> /etc/init.d <--
cd /etc/spamassassin
mv local.cf local.cf.org
ln -s /etc/MailScanner/spam.assassin.prefs.conf local.cf
(so stand-alone sa-learn/spamassassin use the same bayes_path and
auto_whitelist_path as MailScanner)
vi /etc/MailScanner/spam.assassin.prefs.conf
#auto_whitelist_path /var/lib/MailScanner/auto-whitelist
auto_whitelist_path /var/spool/MailScanner/spamassassin/auto-whitelist
#bayes_path /var/lib/MailScanner/bayes
bayes_path /var/spool/MailScanner/spamassassin/bayes
skip_rbl_checks 0
# Allow Western and Chinese character sets. "en" covers the Western sets, so
# Swedish, Norwegian and Danish mail is included. ok_locales is single-valued:
# if it is given twice, only the last line takes effect.
ok_locales en zh
score RCVD_IN_BL_SPAMCOP_NET 2.25
score RCVD_IN_OPM 0.5
score RCVD_IN_DSBL 0.5
score RCVD_IN_SBL 0.5
score RCVD_IN_NJABL 0.5
vi /etc/cron.d/LearnSpams
-------------------------
#
# Regularly re-learn mis-categorized spams and hams
#
17 2,8,14,20 * * * root test -x /root/scripts/SA-AutoLearn && /root/scripts/SA-AutoLearn > /dev/null 2>&1
vi /root/scripts/SA-AutoLearn
-----------------------------
#!/bin/sh
# Stop MailScanner so no scanner child has the Bayes database open while we write it
/etc/init.d/mailscanner stop
# Learn hams from the SaLearn/Ham folder of every Cyrus mailbox
# (sa-learn reads /etc/spamassassin/local.cf, which is linked to MailScanner's
# prefs above, so it writes to the same bayes_path MailScanner uses)
sa-learn --ham /var/spool/cyrus/mail/*/*/*/SaLearn/Ham/
# Learn spams from the SaLearn/Spam folder of every Cyrus mailbox
sa-learn --spam /var/spool/cyrus/mail/*/*/*/SaLearn/Spam/
# sa-learn ran as root, so hand the Bayes files back to postfix (MailScanner's Run As User)
chown -R postfix:postfix /var/spool/MailScanner/spamassassin
/etc/init.d/mailscanner start
chmod 755 /root/scripts/SA-AutoLearn
<span class="n">PostFix</span> <span class="n">log</span> <span class="n">summary</span>
<span class="o">===================</span>
<span class="n">apt</span><span class="o">-</span><span class="n">get</span> <span class="n">install</span> <span class="n">pflogsumm</span>
<span class="n">vi</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">cron</span><span class="p">.</span><span class="n">d</span><span class="o">/</span><span class="n">pflogsumm</span>
<span class="cp">#</span>
<span class="cp"># Cron job to compute statistics over the mail traffic using our postfix server</span>
<span class="cp">#</span>
<span class="cp"># Daily statistics</span>
<span class="mi">10</span> <span class="mi">0</span> <span class="o">*</span> <span class="o">*</span> <span class="o">*</span> <span class="n">root</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">sbin</span><span class="o">/</span><span class="n">pflogsumm</span><span class="p">.</span><span class="n">pl</span> <span class="o">-</span><span class="n">d</span> <span class="n">yesterday</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">log</span><span class="o">/</span><span class="n">mail</span><span class="p">.</span><span class="n">log</span> <span class="mi">2</span><span class="o">>&</span><span class="mi">1</span> <span class="o">|/</span><span class="n">usr</span><span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">mailx</span> <span class="o">-</span><span class="n">s</span> <span class="s">"`uname -n` daily mail stats"</span> <span class="n">postmaster</span>
<span class="cp">#</span>
<span class="cp"># Weekly statistics</span>
<span class="mi">10</span> <span class="mi">7</span> <span class="o">*</span> <span class="o">*</span> <span class="mi">7</span> <span class="n">root</span> <span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">sbin</span><span class="o">/</span><span class="n">pflogsumm</span><span class="p">.</span><span class="n">pl</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">log</span><span class="o">/</span><span class="n">mail</span><span class="p">.</span><span class="n">log</span><span class="mf">.0</span> <span class="mi">2</span><span class="o">>&</span><span class="mi">1</span> <span class="o">|/</span><span class="n">usr</span><span class="o">/</span><span class="n">bin</span><span class="o">/</span><span class="n">mailx</span> <span class="o">-</span><span class="n">s</span> <span class="s">"`uname -n` weekly mail stats"</span> <span class="n">postmaster</span>
<span class="n">Apache</span> <span class="o">&</span> <span class="n">SquirrelMail</span>
<span class="o">=====================</span>
<span class="nl">mollie</span><span class="p">:</span><span class="o">~</span><span class="err">#</span> <span class="n">apt</span><span class="o">-</span><span class="n">get</span> <span class="n">install</span> <span class="n">squirrelmail</span>
<span class="n">mkdir</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">php4</span>
<span class="n">chown</span> <span class="n">www</span><span class="o">-</span><span class="n">data</span><span class="p">.</span><span class="n">www</span><span class="o">-</span><span class="n">data</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">php4</span>
<span class="n">Configure</span> <span class="n">Apache</span>
<span class="o">----------------</span>
<span class="n">cd</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">apache2</span><span class="o">/</span><span class="n">conf</span><span class="p">.</span><span class="n">d</span>
<span class="n">cp</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">squirrelmail</span><span class="o">/</span><span class="n">apache</span><span class="p">.</span><span class="n">conf</span> <span class="n">mail</span><span class="p">.</span><span class="n">conf</span>
<span class="n">vi</span> <span class="n">mail</span><span class="p">.</span><span class="n">conf</span>
<span class="n">change</span> <span class="n">alias</span> <span class="n">to</span> <span class="o">/</span><span class="n">mail</span>
<span class="n">Redirect</span> <span class="k">static</span> <span class="n">to</span> <span class="n">https</span> <span class="p">(</span><span class="n">uncomment</span> <span class="n">all</span> <span class="n">lines</span> <span class="n">in</span> <span class="n">the</span> <span class="n">end</span><span class="p">,</span> <span class="n">except</span> <span class="n">check</span> <span class="k">for</span> <span class="n">mod_ssl</span><span class="p">)</span>
<span class="n">Start</span> <span class="n">ssl</span>
<span class="o">---------</span>
<span class="n">a2enmod</span> <span class="n">ssl</span>
<span class="n">apache2</span><span class="p">.</span><span class="n">conf</span>
<span class="n">AddLanguage</span> <span class="n">zh</span><span class="o">-</span><span class="n">CN</span> <span class="p">.</span><span class="n">cn</span>
<span class="n">LanguagePriority</span> <span class="n">en</span> <span class="n">sv</span> <span class="n">zh</span><span class="o">-</span><span class="n">CN</span> <span class="n">da</span> <span class="n">nl</span> <span class="n">et</span> <span class="n">fr</span> <span class="n">de</span> <span class="n">el</span> <span class="n">it</span> <span class="n">ja</span> <span class="n">ko</span> <span class="n">no</span> <span class="n">pl</span> <span class="n">pt</span> <span class="n">pt</span><span class="o">-</span><span class="n">br</span> <span class="n">ltz</span> <span class="n">ca</span> <span class="n">es</span>
<span class="n">Comment</span> <span class="n">out</span> <span class="n">DefaultCharset</span>
<span class="n">Fix</span> <span class="n">expired</span> <span class="n">SSL</span> <span class="n">certificate</span>
<span class="o">---------------------------</span>
<span class="n">cd</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">apache</span><span class="o">-</span><span class="n">ssl</span>
<span class="n">openssl</span> <span class="n">genrsa</span> <span class="o">-</span><span class="n">out</span> <span class="n">www</span><span class="p">.</span><span class="n">euhq</span><span class="p">.</span><span class="n">org</span><span class="p">.</span><span class="n">key</span> <span class="mi">1024</span>
<span class="cp"># Possible 2048 instead of 1024</span>
<span class="n">chmod</span> <span class="mi">600</span> <span class="n">www</span><span class="p">.</span><span class="n">euhq</span><span class="p">.</span><span class="n">org</span><span class="p">.</span><span class="n">key</span>
<span class="n">openssl</span> <span class="n">req</span> <span class="o">-</span><span class="k">new</span> <span class="o">-</span><span class="n">key</span> <span class="n">www</span><span class="p">.</span><span class="n">euhq</span><span class="p">.</span><span class="n">org</span><span class="p">.</span><span class="n">key</span> <span class="o">-</span><span class="n">out</span> <span class="n">www</span><span class="p">.</span><span class="n">euhq</span><span class="p">.</span><span class="n">org</span><span class="p">.</span><span class="n">csr</span>
<span class="n">openssl</span> <span class="n">x509</span> <span class="o">-</span><span class="n">req</span> <span class="o">-</span><span class="n">days</span> <span class="mi">730</span> <span class="o">-</span><span class="n">in</span> <span class="n">www</span><span class="p">.</span><span class="n">euhq</span><span class="p">.</span><span class="n">org</span><span class="p">.</span><span class="n">csr</span> <span class="o">-</span><span class="n">signkey</span> <span class="n">www</span><span class="p">.</span><span class="n">euhq</span><span class="p">.</span><span class="n">org</span><span class="p">.</span><span class="n">key</span> <span class="o">-</span><span class="n">out</span> <span class="n">www</span><span class="p">.</span><span class="n">euhq</span><span class="p">.</span><span class="n">org</span><span class="p">.</span><span class="n">crt</span>
<span class="n">mv</span> <span class="n">apache</span><span class="p">.</span><span class="n">pem</span> <span class="n">apache</span><span class="p">.</span><span class="n">pem</span><span class="p">.</span><span class="n">old</span>
<span class="n">cp</span> <span class="n">www</span><span class="p">.</span><span class="n">euhq</span><span class="p">.</span><span class="n">org</span><span class="p">.</span><span class="n">key</span> <span class="n">apache</span><span class="p">.</span><span class="n">pem</span>
<span class="n">cat</span> <span class="n">www</span><span class="p">.</span><span class="n">euhq</span><span class="p">.</span><span class="n">org</span><span class="p">.</span><span class="n">crt</span> <span class="o">>></span> <span class="n">apache</span><span class="p">.</span><span class="n">pem</span>
<span class="n">chmod</span> <span class="mi">600</span> <span class="n">apache</span><span class="p">.</span><span class="n">pem</span>
<span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">init</span><span class="p">.</span><span class="n">d</span><span class="o">/</span><span class="n">apache</span><span class="o">-</span><span class="n">ssl</span> <span class="n">restart</span>
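The renewal steps above can be scripted so the next expiry is caught before Apache starts serving a dead certificate. The following is an added example, not part of the original notes: it follows the same genrsa / req / x509 -req / cat-into-apache.pem sequence, but uses the 2048-bit key the notes' own comment suggests, sets a restrictive umask so the key is never created world-readable, and adds two checks a practitioner would run from cron: does the key in apache.pem actually belong to the certificate, and is the certificate about to expire. The hostname mail.example.com and the scratch directory are constructed placeholders; the notes' real path is /etc/apache-ssl.

```shell
#!/bin/sh
# Added example (not from the original notes). Rebuilds a self-signed
# certificate for apache-ssl and adds an expiry and key/cert match check.
# Hostname and output directory are constructed placeholders.
set -e

# make_selfsigned DIR HOST DAYS
# Creates DIR/HOST.key, DIR/HOST.csr, DIR/HOST.crt and DIR/apache.pem
# (private key followed by certificate, the layout apache-ssl reads).
make_selfsigned() {
    dir=$1 host=$2 days=$3
    old_umask=$(umask)
    umask 077            # key and pem are created 0600, no chmod race
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    # -subj makes the CSR step non-interactive (no prompts from openssl req)
    openssl req -new -key "$dir/$host.key" -subj "/CN=$host" \
        -out "$dir/$host.csr"
    openssl x509 -req -days "$days" -in "$dir/$host.csr" \
        -signkey "$dir/$host.key" -out "$dir/$host.crt" 2>/dev/null
    cat "$dir/$host.key" "$dir/$host.crt" > "$dir/apache.pem"
    umask "$old_umask"
}

# cert_expires_within_days FILE DAYS
# Exit status 0 if the certificate in FILE expires within DAYS days
# (time to renew), 1 if it stays valid beyond that window.
cert_expires_within_days() {
    secs=$(( $2 * 86400 ))
    if openssl x509 -noout -in "$1" -checkend "$secs" >/dev/null; then
        return 1
    fi
    return 0
}

# pem_key_matches_cert PEM
# Exit status 0 if the private key and the certificate in the combined PEM
# share the same RSA modulus, i.e. the cp/cat steps paired the right files.
pem_key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null || true)
    c=$(openssl x509 -noout -modulus -in "$1")
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Stand-alone demo in a scratch directory with a constructed hostname.
demo_dir=$(mktemp -d)
make_selfsigned "$demo_dir" mail.example.com 730
if cert_expires_within_days "$demo_dir/apache.pem" 30; then
    echo "renew now"
else
    echo "certificate valid for more than 30 days"
fi
```

Run `cert_expires_within_days /etc/apache-ssl/apache.pem 30` from a daily cron job and mail postmaster when it returns 0, the same way the pflogsumm job above reports statistics; the `-checkend` test is cheaper and more portable than parsing the `notAfter=` date.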
<span class="n">Fix</span> <span class="n">robots</span><span class="p">.</span><span class="n">txt</span>
<span class="o">--------------</span>
<span class="n">vi</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">www</span><span class="o">/</span><span class="n">robots</span><span class="p">.</span><span class="n">txt</span>
<span class="n">User</span><span class="o">-</span><span class="nl">agent</span><span class="p">:</span> <span class="o">*</span>
<span class="nl">Disallow</span> <span class="p">:</span> <span class="o">/</span>
<span class="n">Fix</span> <span class="n">index</span><span class="p">.</span><span class="n">html</span>
<span class="o">--------------</span>
<span class="n">vi</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">www</span><span class="o">/</span><span class="n">index</span><span class="p">.</span><span class="n">html</span>
<span class="n">No</span> <span class="n">directory</span> <span class="n">listing</span> <span class="n">allowed</span><span class="p">.</span>
<span class="n">Configure</span> <span class="n">SquirrelMail</span>
<span class="o">----------------------</span>
<span class="n">vi</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">php4</span><span class="o">/</span><span class="n">apache2</span><span class="o">/</span><span class="n">php</span><span class="p">.</span><span class="n">ini</span>
<span class="cp">#max_execution_time = 30 ; Maximum execution time of each script, in seconds</span>
<span class="n">max_execution_time</span> <span class="o">=</span> <span class="mi">180</span> <span class="p">;</span> <span class="n">Maximum</span> <span class="n">execution</span> <span class="n">time</span> <span class="n">of</span> <span class="n">each</span> <span class="n">script</span><span class="p">,</span> <span class="n">in</span> <span class="n">seconds</span>
<span class="n">max_input_time</span> <span class="o">=</span> <span class="mi">60</span> <span class="p">;</span> <span class="n">Maximum</span> <span class="n">amount</span> <span class="n">of</span> <span class="n">time</span> <span class="n">each</span> <span class="n">script</span> <span class="n">may</span> <span class="n">spend</span> <span class="n">parsing</span> <span class="n">request</span> <span class="n">data</span>
<span class="cp">#memory_limit = 8M ; Maximum amount of memory a script may consume (8MB)</span>
<span class="n">memory_limit</span> <span class="o">=</span> <span class="mi">80</span><span class="n">M</span> <span class="p">;</span> <span class="n">Maximum</span> <span class="n">amount</span> <span class="n">of</span> <span class="n">memory</span> <span class="n">a</span> <span class="n">script</span> <span class="n">may</span> <span class="nf">consume</span> <span class="p">(</span><span class="mi">80</span><span class="n">MB</span><span class="p">)</span>
<span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">sbin</span><span class="o">/</span><span class="n">squirrelmail</span><span class="o">-</span><span class="n">configure</span>
<span class="n">Plugins</span> <span class="n">marked</span> <span class="n">with</span> <span class="s">"*"</span> <span class="n">from</span> <span class="n">www</span><span class="p">.</span><span class="n">squirrelmail</span><span class="p">.</span><span class="n">org</span>
<span class="o">-------</span>
<span class="n">Installed</span> <span class="n">Plugins</span>
<span class="mf">1.</span> <span class="n">message_details</span>
<span class="mf">2.</span> <span class="n">sent_subfolders</span>
<span class="mf">3.</span> <span class="n">abook_take</span>
<span class="mf">4.</span> <span class="n">info</span>
<span class="mf">5.</span> <span class="n">mail_fetch</span>
<span class="mf">6.</span> <span class="n">squirrelspell</span>
<span class="mf">7.</span> <span class="n">translate</span>
<span class="mf">8.</span> <span class="n">change_passwd</span> <span class="o">*</span>
<span class="mf">9.</span> <span class="n">compatibility</span> <span class="o">*</span>
<span class="mf">10.</span> <span class="n">timeout_user</span> <span class="o">*</span>
<span class="mf">11.</span> <span class="n">pupdate</span> <span class="o">*</span>
<span class="mf">12.</span> <span class="n">avelsieve</span> <span class="o">*</span>
<span class="mf">13.</span> <span class="n">unsafe_image_rules</span> <span class="o">*</span>
<span class="mf">14.</span> <span class="n">view_as_html</span> <span class="o">*</span>
<span class="mf">15.</span> <span class="n">notify</span> <span class="o">*</span>
<span class="mf">16.</span> <span class="n">newmail</span>
<span class="mf">17.</span> <span class="n">fortune</span>
<span class="mf">18.</span> <span class="n">listcommands</span>
<span class="n">Turn</span> <span class="n">on</span> <span class="n">Threaded</span> <span class="n">view</span> <span class="n">in</span> <span class="n">SquirrelMail</span>
<span class="n">config</span><span class="p">.</span><span class="n">pl</span><span class="p">,</span> <span class="n">option</span> <span class="mi">4</span><span class="p">,</span> <span class="n">selection</span> <span class="mi">10</span> <span class="o">&</span> <span class="mi">11</span>
<span class="n">Spell</span> <span class="n">check</span> <span class="k">for</span> <span class="n">SquirrelMail</span>
<span class="o">-----------------------------</span>
<span class="n">apt</span><span class="o">-</span><span class="n">get</span> <span class="n">install</span> <span class="n">ispell</span> <span class="n">wamerican</span>
<span class="n">ADD</span> <span class="n">a</span> <span class="n">New</span> <span class="n">User</span>
<span class="o">==============</span>
<span class="n">adduser</span> <span class="o"><</span><span class="n">mailbox</span><span class="o">></span>
<span class="n">cyradm</span> <span class="n">localhost</span>
<span class="n">cm</span> <span class="n">user</span><span class="p">.</span><span class="o"><</span><span class="n">mailbox</span><span class="o">></span>
<span class="n">cm</span> <span class="n">user</span><span class="p">.</span><span class="o"><</span><span class="n">mailbox</span><span class="o">></span><span class="p">.</span><span class="n">Junk</span>
<span class="n">cm</span> <span class="n">user</span><span class="p">.</span><span class="o"><</span><span class="n">mailbox</span><span class="o">></span><span class="p">.</span><span class="n">Junk</span><span class="p">.</span><span class="n">Spam</span>
<span class="n">cm</span> <span class="n">user</span><span class="p">.</span><span class="o"><</span><span class="n">mailbox</span><span class="o">></span><span class="p">.</span><span class="n">Junk</span><span class="p">.</span><span class="n">AutoSpam</span>
<span class="n">cm</span> <span class="n">user</span><span class="p">.</span><span class="o"><</span><span class="n">mailbox</span><span class="o">></span><span class="p">.</span><span class="n">SaLearn</span>
<span class="n">cm</span> <span class="n">user</span><span class="p">.</span><span class="o"><</span><span class="n">mailbox</span><span class="o">></span><span class="p">.</span><span class="n">SaLearn</span><span class="p">.</span><span class="n">Spam</span>
<span class="n">cm</span> <span class="n">user</span><span class="p">.</span><span class="o"><</span><span class="n">mailbox</span><span class="o">></span><span class="p">.</span><span class="n">SaLearn</span><span class="p">.</span><span class="n">Ham</span>
<span class="n">sam</span> <span class="n">user</span><span class="p">.</span><span class="o"><</span><span class="n">child</span><span class="o">></span> <span class="o"><</span><span class="n">parent</span><span class="o">></span> <span class="n">li</span>
<span class="n">sam</span> <span class="n">user</span><span class="p">.</span><span class="o"><</span><span class="n">parent</span><span class="o">></span><span class="p">.</span><span class="o"><</span><span class="n">child</span><span class="o">></span><span class="n">Spam</span> <span class="o"><</span><span class="n">child</span><span class="o">></span> <span class="n">li</span>
<span class="n">quit</span>
<span class="nl">http</span><span class="p">:</span><span class="c1">//www.oreilly.de/catalog/mimap/chapter/ch09.html</span>
<span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">init</span><span class="p">.</span><span class="n">d</span><span class="o">/</span><span class="n">postfix</span> <span class="n">restart</span>
<span class="n">sieveshell</span> <span class="o">-</span><span class="n">u</span> <span class="o"><</span><span class="n">user</span><span class="o">></span> <span class="o">-</span><span class="n">a</span> <span class="o"><</span><span class="n">user</span><span class="o">></span> <span class="o"><</span><span class="n">imap</span> <span class="n">server</span><span class="o">></span>
<span class="n">sieveshell</span> <span class="n">localhost</span> <span class="p">(</span><span class="n">as</span> <span class="n">the</span> <span class="n">correct</span> <span class="n">user</span><span class="p">)</span>
<span class="n">put</span> <span class="o"><</span><span class="n">sieve</span> <span class="n">script</span><span class="o">></span>
<span class="n">activate</span> <span class="o"><</span><span class="n">sieve</span> <span class="n">script</span><span class="o">></span>
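The cyradm steps above take a bare mailbox name, and cyradm interprets "." as the hierarchy separator and "*" and "%" as wildcards, so an unchecked value can create or ACL the wrong mailboxes. The following is an added example, not part of the original notes: it validates the name and then prints the cyradm batch for the folder layout above (Junk, Junk.Spam, Junk.AutoSpam, SaLearn, SaLearn.Spam, SaLearn.Ham), granting the administrator the "c" right from the Cyrus section below on the top-level mailbox before the subfolders are created, so they inherit it. The mailbox name alice and the admin user cyrus are constructed placeholders, and feeding the batch to cyradm on stdin is an assumption about the cyradm invocation shown in the notes.

```shell
#!/bin/sh
# Added example (not from the original notes): validate a mailbox name and
# print the cyradm command batch for it. Names and admin user are constructed.

# valid_mailbox_name NAME
# Accept only lower-case Unix-style names (letters, digits, "_" and "-",
# starting with a letter). Rejects ".", "*", "%", "@", spaces and empty input,
# all of which cyradm would interpret rather than treat as a plain name.
valid_mailbox_name() {
    case $1 in
        '' ) return 1 ;;
        *[!a-z0-9_-]* ) return 1 ;;
        [!a-z]* ) return 1 ;;
    esac
    return 0
}

# cyradm_batch NAME ADMIN
# Print the cyradm commands for NAME on stdout. The admin ACL is set right
# after the top-level mailbox exists so the subfolders inherit it at creation.
# Exit status 1 (and nothing printed) for an invalid name.
cyradm_batch() {
    name=$1 admin=$2
    if ! valid_mailbox_name "$name"; then
        echo "invalid mailbox name: $name" >&2
        return 1
    fi
    echo "cm user.$name"
    echo "sam user.$name $admin c"
    for folder in .Junk .Junk.Spam .Junk.AutoSpam \
                  .SaLearn .SaLearn.Spam .SaLearn.Ham; do
        echo "cm user.$name$folder"
    done
    echo "quit"
}

# Stand-alone demo: review the batch, then pipe it to cyradm, for example
#   cyradm_batch alice cyrus | cyradm localhost     (assumed stdin usage)
cyradm_batch alice cyrus
```

Pair it with the `adduser <mailbox>` step by passing the same validated name to both, so the Unix account and the Cyrus mailbox cannot drift apart.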
<span class="n">Some</span> <span class="n">PostFix</span> <span class="n">commands</span>
<span class="o">=====================</span>
<span class="n">mailq</span> <span class="o">-></span> <span class="n">List</span> <span class="n">the</span> <span class="n">queued</span> <span class="n">mails</span><span class="p">.</span>
<span class="n">postsuper</span> <span class="o">-</span><span class="n">d</span> <span class="o"><</span><span class="n">ID</span><span class="o">></span> <span class="o">-></span> <span class="n">will</span> <span class="k">delete</span> <span class="n">a</span> <span class="n">mail</span> <span class="n">from</span> <span class="n">a</span> <span class="n">queue</span>
<span class="n">Cyrus</span>
<span class="o">=====</span>
<span class="n">For</span> <span class="n">the</span> <span class="n">administrator</span> <span class="o">--</span> <span class="n">So</span> <span class="n">he</span> <span class="n">can</span> <span class="k">delete</span> <span class="n">and</span> <span class="n">manage</span> <span class="n">the</span> <span class="n">mailboxes</span><span class="p">.</span>
<span class="n">cyradm</span>
<span class="n">setaclmailbox</span> <span class="n">user</span><span class="p">.</span><span class="o"><</span><span class="n">mailbox</span><span class="o">></span> <span class="o"><</span><span class="n">admin_userid</span><span class="o">></span> <span class="n">c</span>
<span class="n">deletemailbox</span> <span class="n">user</span><span class="p">.</span><span class="o"><</span><span class="n">mailbox</span><span class="o">></span>
<span class="n">Dshield</span> <span class="o">?</span>
<span class="o">=========</span>
<span class="nl">http</span><span class="p">:</span><span class="c1">//www.dshield.org/</span>
<span class="n">To</span> <span class="n">help</span> <span class="n">test</span> <span class="n">PostFix</span>
<span class="o">====================</span>
<span class="n">apt</span><span class="o">-</span><span class="n">get</span> <span class="n">install</span> <span class="n">swaks</span> <span class="p">(</span><span class="n">on</span> <span class="n">another</span> <span class="n">computer</span> <span class="n">recommended</span><span class="p">)</span>
<span class="n">Sieve</span> <span class="n">Example</span>
<span class="o">=============</span>
<span class="n">Sieve</span> <span class="n">scripts</span>
<span class="o">=============</span>
<span class="cp"># Draft 1</span>
<span class="cp"># Bengt Thuree 2004-02-21</span>
<span class="cp"># Spam, List and system Rules</span>
<span class="n">require</span> <span class="s">"fileinto"</span><span class="p">;</span>
<span class="k">if</span> <span class="nl">header</span> <span class="p">:</span><span class="n">contains</span> <span class="p">[</span><span class="s">"X-thuree-MailScanner-SpamScore"</span><span class="p">]</span> <span class="s">"ssssssssssss"</span> <span class="p">{</span>
<span class="n">fileinto</span> <span class="s">"INBOX.Spam"</span><span class="p">;</span>
<span class="n">stop</span><span class="p">;</span>
<span class="p">}</span>
<span class="k">if</span> <span class="nl">header</span> <span class="p">:</span><span class="n">contains</span> <span class="p">[</span><span class="s">"X-thuree-MailScanner-SpamScore"</span><span class="p">]</span> <span class="s">"ssssss"</span> <span class="p">{</span>
<span class="n">fileinto</span> <span class="s">"INBOX.PossibleSpam"</span><span class="p">;</span>
<span class="n">stop</span><span class="p">;</span>
<span class="p">}</span>
<span class="k">if</span> <span class="nl">header</span> <span class="p">:</span><span class="n">contains</span> <span class="p">[</span><span class="s">"List-Id"</span><span class="p">]</span> <span class="s">"debian-user"</span> <span class="p">{</span>
<span class="n">fileinto</span> <span class="s">"INBOX.debian-user"</span><span class="p">;</span>
<span class="n">stop</span><span class="p">;</span>
<span class="p">}</span>
<span class="k">if</span> <span class="nl">header</span> <span class="p">:</span><span class="n">contains</span> <span class="p">[</span><span class="s">"Subject"</span><span class="p">]</span> <span class="s">"assp - Open Discussion"</span> <span class="p">{</span>
<span class="n">fileinto</span> <span class="s">"INBOX.assp"</span><span class="p">;</span>
<span class="n">stop</span><span class="p">;</span>
<span class="p">}</span>
<span class="k">if</span> <span class="n">anyof</span> <span class="p">(</span>
<span class="nl">header</span> <span class="p">:</span><span class="n">contains</span> <span class="p">[</span><span class="s">"From"</span><span class="p">]</span> <span class="s">"daemon@mollie.thuree.com"</span> <span class="p">,</span>
<span class="nl">header</span> <span class="p">:</span><span class="n">contains</span> <span class="p">[</span><span class="s">"From"</span><span class="p">]</span> <span class="s">"root@thuree.com"</span> <span class="p">,</span>
<span class="nl">header</span> <span class="p">:</span><span class="n">contains</span> <span class="p">[</span><span class="s">"From"</span><span class="p">]</span> <span class="s">"root@mollie.thuree.com"</span>
<span class="p">)</span> <span class="p">{</span>
<span class="n">fileinto</span> <span class="s">"INBOX.mollie"</span><span class="p">;</span>
<span class="n">stop</span><span class="p">;</span>
<span class="p">}</span>
<span class="k">if</span> <span class="nl">header</span> <span class="p">:</span><span class="n">contains</span> <span class="p">[</span><span class="s">"From"</span><span class="p">]</span> <span class="s">"JENSVirusCheckService"</span> <span class="p">{</span>
<span class="cp"># discard;</span>
<span class="n">fileinto</span> <span class="s">"INBOX.Spam"</span><span class="p">;</span>
<span class="n">stop</span><span class="p">;</span>
<span class="p">}</span>
<span class="n">PostFix</span> <span class="n">files</span>
<span class="o">=============</span>
<span class="n">init</span><span class="p">.</span><span class="n">d</span><span class="o">/</span><span class="n">postfix</span>
<span class="o">--------------</span>
<span class="cp">#!/bin/sh -e</span>
<span class="cp"># Start or stop Postfix</span>
<span class="cp">#</span>
<span class="cp"># LaMont Jones <lamont@debian.org></span>
<span class="cp"># based on sendmail's init.d script</span>
<span class="n">PATH</span><span class="o">=/</span><span class="nl">bin</span><span class="p">:</span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="nl">bin</span><span class="p">:</span><span class="o">/</span><span class="nl">sbin</span><span class="p">:</span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">sbin</span>
<span class="n">DAEMON</span><span class="o">=/</span><span class="n">usr</span><span class="o">/</span><span class="n">sbin</span><span class="o">/</span><span class="n">postfix</span>
<span class="n">DAEMON2</span><span class="o">=</span><span class="s">"/usr/sbin/postfix -c /etc/postfix.outgoing"</span>
<span class="n">PIDFILE</span><span class="o">=/</span><span class="n">var</span><span class="o">/</span><span class="n">run</span><span class="o">/</span><span class="n">postfix</span><span class="p">.</span><span class="n">pid</span>
<span class="n">NAME</span><span class="o">=</span><span class="n">Postfix</span>
<span class="n">TZ</span><span class="o">=</span>
<span class="n">unset</span> <span class="n">TZ</span>
<span class="cp"># Defaults - don't touch, edit /etc/default/postfix</span>
<span class="n">SYNC_CHROOT</span><span class="o">=</span><span class="s">"y"</span>
<span class="n">test</span> <span class="o">-</span><span class="n">f</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="k">default</span><span class="o">/</span><span class="n">postfix</span> <span class="o">&&</span> <span class="p">.</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="k">default</span><span class="o">/</span><span class="n">postfix</span>
<span class="cp">#test -x $DAEMON && test -f /etc/postfix/main.cf || exit 0</span>
<span class="n">test</span> <span class="o">-</span><span class="n">x</span> <span class="n">$DAEMON</span> <span class="o">&&</span> <span class="n">test</span> <span class="o">-</span><span class="n">f</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">postfix</span><span class="o">/</span><span class="n">main</span><span class="p">.</span><span class="n">cf</span> <span class="o">&&</span> <span class="n">test</span> <span class="o">-</span><span class="n">f</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">postfix</span><span class="p">.</span><span class="n">outgoing</span><span class="o">/</span><span class="n">main</span><span class="p">.</span><span class="n">cf</span> <span class="o">||</span> <span class="n">exit</span> <span class="mi">0</span>
<span class="k">case</span> <span class="s">"$1"</span> <span class="n">in</span>
<span class="n">start</span><span class="p">)</span>
<span class="n">echo</span> <span class="o">-</span><span class="n">n</span> <span class="s">"Starting mail transport agent: Postfix"</span>
<span class="cp"># postmap all needed files first</span>
<span class="n">POSTMAP_FILES</span><span class="o">=</span><span class="s">"client_checks helo_checks relay_certs sender_checks tls_per_site"</span>
<span class="k">for</span> <span class="n">POSTMAP_FILE</span> <span class="n">in</span> <span class="err">$</span><span class="p">{</span><span class="n">POSTMAP_FILES</span><span class="p">};</span> <span class="k">do</span>
<span class="n">postmap</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">postfix</span><span class="o">/</span><span class="err">$</span><span class="p">{</span><span class="n">POSTMAP_FILE</span><span class="p">}</span>
<span class="n">postmap</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">postfix</span><span class="p">.</span><span class="n">outgoing</span><span class="o">/</span><span class="err">$</span><span class="p">{</span><span class="n">POSTMAP_FILE</span><span class="p">}</span>
<span class="n">done</span>
<span class="cp"># see if anything is running chrooted.</span>
<span class="n">NEED_CHROOT</span><span class="o">=</span><span class="err">$</span><span class="p">(</span><span class="n">awk</span> <span class="err">'</span><span class="o">/^</span><span class="p">[</span><span class="mi">0</span><span class="o">-</span><span class="mi">9</span><span class="n">a</span><span class="o">-</span><span class="n">z</span><span class="p">]</span><span class="o">/</span> <span class="o">&&</span> <span class="p">(</span><span class="n">$5</span> <span class="o">~</span> <span class="s">"[-yY]"</span><span class="p">)</span> <span class="p">{</span> <span class="n">print</span> <span class="s">"y"</span><span class="p">;</span> <span class="n">exit</span><span class="p">}</span><span class="err">'</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">postfix</span><span class="o">/</span><span class="n">master</span><span class="p">.</span><span class="n">cf</span><span class="p">)</span>
<span class="k">if</span> <span class="p">[</span> <span class="o">-</span><span class="n">n</span> <span class="s">"$NEED_CHROOT"</span> <span class="p">]</span> <span class="o">&&</span> <span class="p">[</span> <span class="o">-</span><span class="n">n</span> <span class="s">"$SYNC_CHROOT"</span> <span class="p">];</span> <span class="n">then</span>
<span class="cp"># Make sure that the chroot environment is set up correctly.</span>
<span class="n">oldumask</span><span class="o">=</span><span class="err">$</span><span class="p">(</span><span class="n">umask</span><span class="p">)</span>
<span class="n">umask</span> <span class="mo">022</span>
<span class="n">cd</span> <span class="err">$</span><span class="p">(</span><span class="n">postconf</span> <span class="o">-</span><span class="n">h</span> <span class="n">queue_directory</span><span class="p">)</span>
<span class="cp"># if we're using unix:passwd.byname, then we need to add etc/passwd.</span>
<span class="n">local_maps</span><span class="o">=</span><span class="err">$</span><span class="p">(</span><span class="n">postconf</span> <span class="o">-</span><span class="n">h</span> <span class="n">local_recipient_maps</span><span class="p">)</span>
<span class="k">if</span> <span class="p">[</span> <span class="s">"X$local_maps"</span> <span class="o">!=</span> <span class="s">"X${local_maps#*unix:passwd.byname}"</span> <span class="p">];</span> <span class="n">then</span>
<span class="cp"># if [ "X$local_maps" = "X${local_maps#*proxy:unix:passwd.byname}" ]; then</span>
<span class="n">sed</span> <span class="err">'</span><span class="n">s</span><span class="o">/^</span><span class="err">\</span><span class="p">([</span><span class="o">^:</span><span class="p">]</span><span class="o">*</span><span class="err">\</span><span class="p">)</span><span class="o">:</span><span class="p">[</span><span class="o">^:</span><span class="p">]</span><span class="err">*/\</span><span class="mi">1</span><span class="o">:</span><span class="n">x</span><span class="o">/</span><span class="err">'</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">passwd</span> <span class="o">></span> <span class="n">etc</span><span class="o">/</span><span class="n">passwd</span>
<span class="n">chmod</span> <span class="n">a</span><span class="o">+</span><span class="n">r</span> <span class="n">etc</span><span class="o">/</span><span class="n">passwd</span>
<span class="cp"># fi</span>
<span class="n">fi</span>
<span class="n">FILES</span><span class="o">=</span><span class="s">"etc/localtime etc/services etc/resolv.conf etc/hosts \</span>
<span class="s"> etc/nsswitch.conf etc/sasldb2"</span>
<span class="k">for</span> <span class="n">file</span> <span class="n">in</span> <span class="n">$FILES</span><span class="p">;</span> <span class="k">do</span>
<span class="p">[</span> <span class="o">-</span><span class="n">d</span> <span class="err">$</span><span class="p">{</span><span class="n">file</span><span class="o">%</span><span class="cm">/*} ] || mkdir -p ${file%/*}</span>
<span class="cm"> if [ -f /${file} ]; then rm -f ${file} && cp /${file} ${file}; fi</span>
<span class="cm"> if [ -f ${file} ]; then chmod a+rX ${file}; fi</span>
<span class="cm"> done</span>
<span class="cm"> rm -f usr/lib/zoneinfo/localtime</span>
<span class="cm"> ln -sf /etc/localtime usr/lib/zoneinfo/localtime</span>
<span class="cm"> rm -f lib/libnss_*so*</span>
<span class="cm"> tar cf - /lib/libnss_*so* 2>/dev/null |tar xf -</span>
<span class="cm"> </span>
<span class="cm"> # Fix peers SSL certificates</span>
<span class="cm"> mkdir -p etc/ssl/tls_peers</span>
<span class="cm"> #if [ -f /etc/ssl/tls_peers/* ]; then</span>
<span class="cm"> c_rehash /etc/ssl/tls_peers/</span>
<span class="cm"> #fi</span>
<span class="cm"> tar cf - /etc/ssl/tls_peers/ 2> /dev/null | tar xf -</span>
<span class="cm"> cp -rp etc $(postconf -c /etc/postfix.outgoing -h queue_directory)</span>
<span class="cm"> cd $(postconf -c /etc/postfix.outgoing -h queue_directory)</span>
<span class="cm"> mkdir -p usr/lib/zoneinfo</span>
<span class="cm"> mkdir -p var/run</span>
<span class="cm"> rm -f usr/lib/zoneinfo/localtime</span>
<span class="cm"> ln -sf /etc/localtime usr/lib/zoneinfo/localtime</span>
<span class="cm"> rm -f lib/libnss_*so*</span>
<span class="cm"> tar cf - /lib/libnss_*so* 2>/dev/null |tar xf -</span>
<span class="cm"> umask $oldumask</span>
<span class="cm"> fi</span>
<span class="cm"> ${DAEMON} start 2>&1 |</span>
<span class="cm"> (grep -v 'starting the Postfix' 1>&2 || /bin/true)</span>
<span class="cm"> ${DAEMON2} start 2>&1 |</span>
<span class="cm"> (grep -v 'starting the Postfix' 1>&2 || /bin/true)</span>
<span class="cm"> echo "."</span>
<span class="cm"> ;;</span>
<span class="cm"> stop)</span>
<span class="cm"> echo -n "Stopping mail transport agent: Postfix"</span>
<span class="cm"> ${DAEMON} stop 2>&1 |</span>
<span class="cm"> (grep -v 'stopping the Postfix' 1>&2 || /bin/true)</span>
<span class="cm"> ${DAEMON2} stop 2>&1 |</span>
<span class="cm"> (grep -v 'stopping the Postfix' 1>&2 || /bin/true)</span>
<span class="cm"> echo "."</span>
<span class="cm"> ;;</span>
<span class="cm"> restart)</span>
<span class="cm"> $0 stop</span>
<span class="cm"> $0 start</span>
<span class="cm"> ;;</span>
<span class="cm"> force-reload|reload)</span>
<span class="cm"> echo -n "Reloading Postfix configuration..."</span>
<span class="cm"> ${DAEMON} reload 2>&1 |</span>
<span class="cm"> (grep -v 'refreshing the Postfix' 1>&2 || /bin/true)</span>
<span class="cm"> ${DAEMON2} reload 2>&1 |</span>
<span class="cm"> (grep -v 'refreshing the Postfix' 1>&2 || /bin/true)</span>
<span class="cm"> echo "done."</span>
<span class="cm"> ;;</span>
<span class="cm"> flush)</span>
<span class="cm"> ${DAEMON} flush</span>
<span class="cm"> ${DAEMON2} flush</span>
<span class="cm"> ;;</span>
<span class="cm"> check)</span>
<span class="cm"> ${DAEMON} check</span>
<span class="cm"> ${DAEMON2} check</span>
<span class="cm"> ;;</span>
<span class="cm"> *)</span>
<span class="cm"> echo "Usage: /etc/init.d/postfix {start|stop|restart|reload|flush|check|force-reload}"</span>
<span class="cm"> exit 1</span>
<span class="cm"> ;;</span>
<span class="cm">esac</span>
<span class="cm">exit 0</span>
<span class="cm">---------------</span>
<span class="cm">mollie:/etc/postfix# more recipient_checks.pcre</span>
<span class="cm"># Note: You must have PCRE support support built in to Postfix at</span>
<span class="cm"># compile time to use this. (Tho I've been told the following are</span>
<span class="cm"># valid POSIX RE's ["regexp:" map type], as well.)</span>
<span class="cm">#</span>
<span class="cm"># Postfix doesn't relay by default. But it may *appear* to do so</span>
<span class="cm"># to some testers. The first two statements below remove all</span>
<span class="cm"># doubt.</span>
<span class="cm">/^\@/ 550 Invalid address format.</span>
<span class="cm">/[!%\@].*\@/ 550 This server disallows weird address syntax.</span>
<span class="cm"># Let email to the following destinations bypass all the remaining</span>
<span class="cm"># "reject" and "check" tests. We always want to let email for these</span>
<span class="cm"># recipients in.</span>
<span class="cm">/^postmaster\@/ OK</span>
<span class="cm">/^hostmaster\@/ OK</span>
<span class="cm">/^abuse\@/ OK</span>
<span class="cm"># Note: The "OK"s above, for postmaster, etc., will *not*</span>
<span class="cm"># bypass header and body checks. There is currently no way</span>
<span class="cm"># to do so with Postfix :(</span>
<span class="cm">#</span>
<span class="cm"># Remember where I said, at the very beginning, about how</span>
<span class="cm"># order is important? Whatever you do, do *not* place an</span>
<span class="cm"># access map like this one before the "permit mynetworks"</span>
<span class="cm"># and "reject_unauth_destination" statements. Not unless</span>
<span class="cm"># you want to be an open relay, anyway.</span>
<span class="cm">---</span>
<span class="cm">mollie:/etc/postfix# more helo_checks.pcre</span>
<span class="cm"># Note: You must have PCRE support support built in to Postfix at</span>
<span class="cm"># compile time to use this.</span>
<span class="cm">#</span>
<span class="cm"># No, you won't find this entry in my "smtpd_recipient_restrictions,"</span>
<span class="cm"># above. I'm not doing this check (at this time).</span>
<span class="cm"># If you want to be really picky about it: HELO'ing with an IP</span>
<span class="cm"># address is RFC-compliant - *if* it's enclosed in square-brackets</span>
<span class="cm"># ("[]"s). (One would think "reject_invalid_hostname" checks for</span>
<span class="cm"># this, but it does not.)</span>
<span class="cm">#</span>
<span class="cm"># Somebody HELO'ing with a non-RFC-compliant dotted-quad IP</span>
<span class="cm"># address? For shame! (I don't do this check, btw.)</span>
<span class="cm">/^[0-9]+(\.[0-9]+){3}$/ REJECT Invalid hostname</span>
<span class="cm">---</span>
<span class="cm">mollie:/etc/postfix# more client_checks.pcre</span>
<span class="cm"># Postfix' dbm/hash files don't allow CIDR notation, netmasks</span>
<span class="cm"># or address ranges, but you can achieve the same end with</span>
<span class="cm"># regular expressions.</span>
<span class="cm">#</span>
<span class="cm"># Again: these are in PCRE notation. But you could accomplish</span>
<span class="cm"># the same with POSIX RE's. (I just don't know how.)</span>
<span class="cm"># 10.9.8.0 - 10.9.9.255</span>
<span class="cm">/10\.9\.[89]\.\d+/ REJECT</span>
<span class="cm"># 10.9.8.0 - 10.9.10.255 is generally no good, but 10.9.8.7 is OK</span>
<span class="cm">/10\.9\.8\.7/ OK</span>
<span class="cm">/10\.9\.([89]|10)\.\d+/ 554 Go away. We don't want any!</span>
<span class="cm"># A much more complex example of listing a (CIDR) IP range</span>
<span class="cm"># (If this makes your eyes cross, just ignore it for now)</span>
<span class="cm"># 10.33.192.0/19 = 10.33.192.0 - 10.33.223.255</span>
<span class="cm">/^10\.33\.((19[2-9])|(2(0[0-9]|1[0-9]|2[0-3])))\.\d{1,3}$/ REJECT</span>
<span class="cm"># Postfix experimental release 20030706 contains experimental</span>
<span class="cm"># support for CIDR-based lookup tables, so the regexp-type lookups</span>
<span class="cm"># for address ranges may soon no longer be necessary. To see if</span>
<span class="cm"># your version of Postfix supports CIDR-based maps, do a "man</span>
<span class="cm"># cidr_table" and look for "cidr" in the output of "postconf -m".</span>
<span class="cm">---</span>
<span class="cm">mollie:/etc/postfix# more helo_checks</span>
<span class="cm"># This file has to be "compiled" with "postmap"</span>
<span class="cm"># Reject anybody that HELO's as being in our own domain(s)</span>
<span class="cm"># (Note that if you followed the order suggested in the main.cf</span>
<span class="cm"># examples, above, that machines in mynetworks will be okay.)</span>
<span class="cm">thuree.com REJECT You are not in thuree.com</span>
<span class="cm"># Somebody HELO'ing with our IP address?</span>
<span class="cm">192.168.20.50 REJECT You are not 192.168.20.50</span>
<span class="cm"># Somebody HELO'ing as "localhost?" Impossible, we're "localhost"</span>
<span class="cm">localhost REJECT You are not me</span>
<span class="cm">---</span>
<span class="cm">mollie:/etc/postfix# more sender_checks</span>
<span class="cm"># This file must be "compiled" with "postmap"</span>
<span class="cm"># Using a domain name</span>
<span class="cm"># example.tld 554 Spam not tolerated here</span>
<span class="cm"># Maybe example2.tld is on a DNSbl, but we want to let their</span>
<span class="cm"># email in anyway.</span>
<span class="cm"># example2.tld OK</span>
<span class="cm"># We get lots of spam from example3.tld, but we have somebody</span>
<span class="cm"># there from which we do want to hear</span>
<span class="cm"># someuser@example3.tld OK</span>
<span class="cm"># example3.tld REJECT</span>
<span class="cm">---</span>
<span class="cm">mollie:/etc/postfix# more client_checks</span>
<span class="cm"># This file must be "compiled" with "postmap"</span>
<span class="cm"># Using a domain name</span>
<span class="cm"># example.tld 554 Spam not tolerated here</span>
<span class="cm"># Maybe example2.tld is on a DNSbl, but we want to let their</span>
<span class="cm"># email in anyway.</span>
<span class="cm"># example2.tld OK</span>
<span class="cm"># Checking by IP address</span>
<span class="cm"># 10.0.0.0/8</span>
<span class="cm">10 554 Go away!</span>
<span class="cm"># 172.16/16</span>
<span class="cm">172.16 554 Bugger off!</span>
<span class="cm"># 192.168.4/24 is bad, but 192.168.4.128 is okay</span>
<span class="cm"># 192.168.4.128 OK</span>
<span class="cm"># 192.168.4 554 Take a hike!</span>
</pre></div>
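<p>The access tables above are only as good as their lookup semantics, and those differ between the regexp/pcre files and the postmap-compiled hash files: a regexp table is scanned top to bottom and the first matching pattern wins, with patterns unanchored and case-insensitive by default (regexp_table(5), pcre_table(5)), while a hash table queried with a client address is looked up with the full address first and then with successively shorter network prefixes (access(5)), so the most specific entry wins regardless of file order. The evaluator below is an added example, not code from the original page; it models those two lookup orders in plain Python and runs the page's own client_checks.pcre and client_checks entries (with the commented-out 192.168.4 lines enabled) against constructed client addresses. Run as a file, it shows that with client_checks.pcre as written, 10.9.8.7 is rejected by the first rule before its OK line is reached, and that the unanchored patterns also match addresses such as 110.9.8.1; the anchored variant is mine, not the page's.</p>

```python
"""Evaluate Postfix access tables offline, in the lookup order Postfix uses.

regexp:/pcre: tables: first matching pattern wins, patterns are unanchored
and (by default) case-insensitive.  hash: tables queried with an IPv4 client
address: a.b.c.d is tried first, then a.b.c, a.b and a, so the most specific
entry wins.  Added example, not part of the original page.
"""
import re

# Constructed copy of the client_checks.pcre rules shown on this page.
CLIENT_CHECKS_PCRE = r"""
# 10.9.8.0 - 10.9.9.255
/10\.9\.[89]\.\d+/ REJECT
# 10.9.8.0 - 10.9.10.255 is generally no good, but 10.9.8.7 is OK
/10\.9\.8\.7/ OK
/10\.9\.([89]|10)\.\d+/ 554 Go away. We don't want any!
# 10.33.192.0/19 = 10.33.192.0 - 10.33.223.255
/^10\.33\.((19[2-9])|(2(0[0-9]|1[0-9]|2[0-3])))\.\d{1,3}$/ REJECT
"""

# Same intent, rewritten (assumption: this is what the author meant): the OK
# exception first, and every pattern anchored so it cannot match a substring.
CLIENT_CHECKS_ANCHORED = r"""
/^10\.9\.8\.7$/ OK
/^10\.9\.([89]|10)\.\d+$/ 554 Go away. We don't want any!
/^10\.33\.((19[2-9])|(2(0[0-9]|1[0-9]|2[0-3])))\.\d{1,3}$/ REJECT
"""

# Constructed copy of the hash: client_checks file after "postmap", with the
# two 192.168.4 lines that are commented out on the page switched on.
CLIENT_CHECKS_HASH = {
    "10": "554 Go away!",
    "172.16": "554 Bugger off!",
    "192.168.4.128": "OK",
    "192.168.4": "554 Take a hike!",
}

RULE_RE = re.compile(r"^/((?:[^/\\]|\\.)*)/\s+(.+)$")


def parse_regexp_table(text):
    """Parse '/pattern/ action' lines; '#' comments and blank lines are skipped.
    Pattern flags and !/pattern/ negation are not modelled (unused on this page)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable rule: {line!r}")
        rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2).strip()))
    return rules


def lookup_regexp(rules, key):
    """First matching rule wins; re.search() mirrors Postfix's unanchored matching."""
    for rx, action in rules:
        if rx.search(key):
            return action
    return None  # no match: Postfix moves on to the next restriction


def lookup_indexed(table, ip):
    """hash: lookup order for an IPv4 client address: a.b.c.d, a.b.c, a.b, a."""
    octets = ip.split(".")
    for n in range(len(octets), 0, -1):
        action = table.get(".".join(octets[:n]))
        if action is not None:
            return action
    return None


if __name__ == "__main__":
    page_rules = parse_regexp_table(CLIENT_CHECKS_PCRE)
    fixed_rules = parse_regexp_table(CLIENT_CHECKS_ANCHORED)
    for ip in ("10.9.8.7", "10.9.8.70", "110.9.8.1", "10.9.10.3", "10.33.223.9", "10.33.224.9"):
        print(f"{ip:12} page: {lookup_regexp(page_rules, ip)!s:34} anchored: {lookup_regexp(fixed_rules, ip)}")
    for ip in ("10.1.2.3", "172.16.9.9", "172.17.9.9", "192.168.4.128", "192.168.4.1"):
        print(f"{ip:14} hash: {lookup_indexed(CLIENT_CHECKS_HASH, ip)}")
```

<p>The same first-match rule is why the recipient_checks.pcre comments insist on ordering: an OK for postmaster@ placed before reject_unauth_destination is a relay hole, and an unanchored REJECT placed before an OK exception makes the exception dead code.</p>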
</figure>ExtraIgnore4LogCheck2005-10-09T00:00:00+02:002005-10-09T00:00:00+02:00bengttag:community.riocities.com,2005-10-09:/ExtraIgnore4LogCheck.html<p>Some extra rules for Logcheck to ignore</p>
<figure class='code'>
<figcaption><span>ExtraIgnore4LogCheck.txt</span> <a href='/code/files/ExtraIgnore4LogCheck.txt'>download</a>
<div class="codehilite"><pre><span></span>^\w{3} [ :0-9]{11} [._[:alnum:]-]+ F-Prot autoupdate\[[0-9]+\]: F-Prot did not need updating.
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ F-Prot autoupdate\[[0-9]+\]: F-Prot successfully updated.
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ClamAV-autoupdate\[[0-9]+\]: ClamAV did not need updating
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ClamAV-autoupdate\[[0-9]+\]: ClamAV updated
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/n?qmgr\[[0-9]+\]: [[:alnum:]]+: to=<[^[:space:]]+>, orig_to=<[^[:space:]]+>, relay=none, delay=[0-9]+, status=deferred \(delivery temporarily suspended: deferred transport\)
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/n?qmgr\[[0-9]+\]: [[:alnum:]]+: to=<[^[:space:]]+>, relay=none, delay=[0-9]+, status=deferred \(delivery temporarily suspended: deferred transport\)
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/cleanup\[[0-9]+\]: [[:alnum:]]+: hold: header Received:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/pickup\[[0-9]+\]: [[:alnum:]]+: uid=[0-9]+ from=<[[:alnum:]]+> orig_id=[[:xdigit:]]+
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Requeue: [.[:xdigit:]]+ to [[:xdigit:]]+
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Using locktype = flock
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Enabling SpamAssassin auto-whitelist functionality...
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Content Checks: Found [0-9]+ problems
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Saved infected [\"-._[:alnum:]]+ to /var/spool/MailScanner/
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Content Checks: Detected and will disarm HTML message in [[:xdigit:]]+
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Content Checks: Detected and have disarmed HTML message in [[:xdigit:]]+
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Content Checks: Detected HTML-specific exploits in [[:xdigit:]]+
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Virus Scanning: ClamAV found [0-9]+ infections
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Cleaned: Delivered [0-9]+ cleaned messages
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Notices: Warned about [0-9]+ messages
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Other Checks: Found [0-9]+ problems
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Filename Checks: Windows/DOS Executable
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Filename Checks: No executables
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: SpamAssassin timed out and was killed, failure [1-9] of 20
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: New Batch: Found [0-9]+ messages waiting
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Found phishing fraud from
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Found ip-based phishing fraud from
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Read [0-9]+ hostnames from the phishing whitelist
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: [[:alnum:][:punct:]]+: HTML.Phishing.Auction-[0-9]+ FOUND
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: ClamAV scanner using unrar command /usr/bin/unrar
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cyrus/lmtpd\[[0-9]+\]: DBERROR db3: [0-9] lockers
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cyrus/ctl_cyrusdb\[[0-9]+\]: removing log file: [[:alnum:][:punct:]]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: device eth[0-9] (entered|left) promiscuous mode$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: eth[0-9]: Promiscuous mode enabled.$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ snort:
</pre></div>
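<p>logcheck hands files like the one above to egrep as POSIX extended regular expressions; a log line that matches any rule is dropped and everything else is mailed out, so a rule that is too broad hides an incident and a malformed rule can disable the whole file. The tester below is an added example, not code from the original page or from logcheck: it rewrites the POSIX bracket classes (which Python's re module lacks) into plain ranges, lints each rule for a class name written without its own brackets (GNU grep rejects a bare <code>[:alnum:]</code> with "character class syntax is [[:space:]], not [:space:]" and exits non-zero, while <code>[-:alnum:]</code> is accepted but matches only the literal characters <code>- : a l n u m</code>), and then runs four rules copied from the file above over constructed syslog lines. The hostname, PIDs and the sshd line are made up for the example.</p>

```python
"""Run logcheck ignore rules over log lines offline, after linting them.
Added example; not part of the original page."""
import re

# POSIX class -> Python character-class body (only the classes used on this page plus two common ones).
POSIX_CLASSES = {
    "alnum": "a-zA-Z0-9",
    "alpha": "a-zA-Z",
    "digit": "0-9",
    "xdigit": "0-9A-Fa-f",
    "space": r" \t\n\r\f\v",
    "punct": r"!\"#$%&'()*+,\-./:;<=>?@\[\\\]^_`{|}~",
}
CLASS_RE = re.compile(r"\[:([a-z]+):\]")   # a well-formed [:name:] inside [...]
BARE_RE = re.compile(r":([a-z]+):")        # ':name:' without its own brackets


def lint_rule(rule):
    """Return one problem per ':name:' found inside a bracket expression
    without the inner [ ], i.e. [:alnum:] or [-:alnum:] instead of [[:alnum:]]."""
    problems = []
    i = 0
    while i < len(rule):
        if rule[i] == "\\":                  # escaped character such as \[ or \w
            i += 2
        elif rule[i] == "[":                 # walk one bracket expression
            j = i + 1
            if j < len(rule) and rule[j] == "^":
                j += 1
            if j < len(rule) and rule[j] == "]":   # a leading ] is literal
                j += 1
            while j < len(rule) and rule[j] != "]":
                m = CLASS_RE.match(rule, j)
                if m:
                    j = m.end()
                    continue
                m = BARE_RE.match(rule, j)
                if m and m.group(1) in POSIX_CLASSES:
                    problems.append(f"'{m.group(0)}' at offset {j}: write [[{m.group(0)}]]")
                    j = m.end()
                    continue
                j += 1
            i = j + 1
        else:
            i += 1
    return problems


def compile_rules(rules_text):
    """Compile an ignore file; refuse it if any rule is malformed, as grep would."""
    compiled = []
    for raw in rules_text.splitlines():
        rule = raw.strip()
        if not rule or rule.startswith("#"):
            continue
        problems = lint_rule(rule)
        if problems:
            raise ValueError(f"{rule}: {problems}")
        compiled.append(re.compile(CLASS_RE.sub(lambda m: POSIX_CLASSES[m.group(1)], rule)))
    return compiled


def report(rules_text, log_text):
    """Return the log lines no ignore rule matches: what logcheck would mail out."""
    rules = compile_rules(rules_text)
    return [line for line in log_text.splitlines()
            if line and not any(r.search(line) for r in rules)]


# Four rules copied from the ExtraIgnore4LogCheck file on this page.
RULES = r"""
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ClamAV-autoupdate\[[0-9]+\]: ClamAV did not need updating
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: New Batch: Found [0-9]+ messages waiting
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: SpamAssassin timed out and was killed, failure [1-9] of 20
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: device eth[0-9] (entered|left) promiscuous mode$
"""

# Constructed syslog sample in the same format (hostname, PIDs and sshd line invented).
SAMPLE_LOG = """\
Oct  9 03:15:01 mollie ClamAV-autoupdate[1234]: ClamAV did not need updating
Oct  9 03:15:02 mollie MailScanner[2345]: New Batch: Found 3 messages waiting
Oct  9 03:15:09 mollie kernel: device eth0 entered promiscuous mode
Oct  9 03:16:00 mollie sshd[3456]: Failed password for root from 192.168.20.7 port 4022 ssh2
Oct  9 03:16:05 mollie MailScanner[2345]: SpamAssassin timed out and was killed, failure 12 of 20
"""

# The classic mistake: a POSIX class without its own brackets.
BROKEN_RULE = r"^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Infected message [:alnum:]+ came from [.0-9]+"

if __name__ == "__main__":
    for line in report(RULES, SAMPLE_LOG):
        print("REPORT:", line)
    print("lint:", lint_rule(BROKEN_RULE))
```

<p>Two things the run makes visible: the rule for SpamAssassin time-outs only swallows single-digit failure counts, so "failure 12 of 20" still gets reported, which is the behaviour you want; and the promiscuous-mode rule silences a message that is routine on a host running snort but is a sniffing indicator on any other machine, so copy that rule only onto the sensor.</p>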
</figure>HardeningHowTo2005-10-09T00:00:00+02:002005-10-09T00:00:00+02:00bengttag:community.riocities.com,2005-10-09:/HardeningHowTo.html<p>Simple checklist for hardening a server</p>
<figure class='code'>
<figcaption><span>HardeningHowTo.txt</span> <a href='/code/files/HardeningHowTo.txt'>download</a>
<div class="codehilite"><pre><span></span>inetd - We do not use inetd.
=====
more /etc/inetd.conf
For each service that is enabled:
update-inetd --disable <service>
( update-inetd --disable discard daytime time )
/etc/init.d/inetd stop
vi /etc/init.d/inetd
Add the following after /bin/sh
# Do not use inetd
exit 0
# If you really have to use inetd, use xinetd instead.
PAM (only allow members of group wheel to su to root)
---
vi /etc/pam.d/su
auth required pam_wheel.so group=wheel
addgroup --system wheel
adduser root wheel
adduser bengt wheel
# Make sure root (and the other wheel members) can only log in on the console;
# everybody else has to su to become root. access.conf is only consulted by
# pam_access.so, so that module must be enabled in the PAM service files
# (e.g. /etc/pam.d/login and /etc/pam.d/sshd) for this line to have any effect.
vi /etc/security/access.conf
-:wheel:ALL EXCEPT LOCAL
# Make sure root can not SSH directly
vi /etc/ssh/sshd_config
PermitRootLogin no
Harden tools
============
apt-get install harden harden-servers harden-clients harden-tools harden-nids harden-environment
apt-get install logcheck samhain sash osh john gnupg tiger chkrootkit acct host whois lsof psad
* Create sashroot account - Yes
* Clone root password
* Purge sashroot account when purging
Default answers on everything.
## Snort is installed by default???
echo -e 'kern.info\t|/var/lib/psad/psadfifo' >> /etc/syslog.conf
# If you need to run a dangerous service, do not install the hardening packages, but check which
# packages should be removed and remove all except the ones you have to have.
configure samhain
-----------------
vi /etc/samhain/samhainrc
LoginCheckActive=1
file=/etc/postfix/prng_exch
file=/etc/postfix/helo_checks.db
file=/etc/postfix/sender_checks.db
file=/etc/postfix/client_checks.db
file=/etc/postfix/tls_per_site.db
file=/etc/postfix/relay_certs.db
file=/etc/postfix.outgoing/prng_exch
file=/etc/postfix.outgoing/helo_checks.db
file=/etc/postfix.outgoing/sender_checks.db
file=/etc/postfix.outgoing/client_checks.db
file=/etc/postfix.outgoing/tls_per_site.db
file=/etc/postfix.outgoing/relay_certs.db
configure tiger
---------------
vi /etc/tiger/tigerrc
# Observe that you might have other running processes
Tiger_Listening_Every=N
Tiger_Running_Procs='syslogd cron atd klogd postfix cyrus '
# Tiger_Listening_ValidProcs='imapd smtpd'
vi /etc/cron.d/tiger
... > /dev/null 2>&1
fix logcheck
------------
vi /etc/logcheck/ignore.d.server/MOLLIE
# Note: POSIX classes must be written [[:alnum:]]; a bare [:alnum:] is rejected by
# egrep and breaks the whole ignore file, and [-:alnum:] silently matches only
# the characters "- : a l n u m".
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Content Checks: Detected HTML-specific exploits in [[:alnum:]]+
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Content Checks: Detected and will disarm HTML message in [[:alnum:]]+
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Filename Checks: Windows/DOS Executable
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Content Checks: Found [0-9]+ problems
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Saved infected ["[:alnum:]]+ to
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Silent: Delivered [0-9]+ messages containing silent viruses
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Notices: Warned about [0-9]+ messages
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Virus Scanning: [-[:alnum:]]+ found virus
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Virus Scanning: [-[:alnum:]]+ found [0-9]+ infections
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Virus Scanning: Found [0-9]+ viruses
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Other Checks: Found [0-9]+ problems
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Infected message [[:alnum:]]+ came from [.0-9]+
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ClamAV-autoupdate\[[0-9]+\]: ClamAV updated
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ F-Prot autoupdate\[[0-9]+\]: F-Prot successfully updated.
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Using locktype = flock
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/cleanup\[[0-9]+\]: [[:alnum:]]+: message-id=<([^[:space:]]+|)> \(added by ([^[:space:]]+|)\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: \(pam\_[[:alnum:]]+\) session opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ F-Prot autoupdate\[[0-9]+\]: F-Prot did not need updating
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ClamAV-autoupdate\[[0-9]+\]: ClamAV did not need updating
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: New Batch: Found [0-9]+ messages waiting
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: New Batch: Scanning [0-9]+ messages, [0-9]+ bytes
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Virus and Content Scanning: Starting
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Uninfected: Delivered [0-9]+ messages
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Spam Checks: Found [0-9]+ spam messages
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Using locktype = flock
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Postfix queue structure is depth [0-9]
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ [[:alnum:]]+: MailScanner setting (UID|GID) to postfix \([0-9]+\)
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: MailScanner E-Mail Virus Scanner version [0-9]+.[0-9]+.[0-9]+ starting...
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: MailScanner child dying of old age
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: SpamAssassin timed out and was killed, consecutive failure [1-4] of [0-9]+
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ MailScanner\[[0-9]+\]: Spam Checks: Starting
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ fetchmail\[[0-9]+\]: +[0-9]+ +messages \([0-9]+ seen\)? for
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cyrus/[a-zA-Z0-9_]+\[[0-9]+\]: +SQUAT returned [0-9]+ messages
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ cyrus/lmtpd\[[0-9]+\]: DBERROR db3: [0-5] lockers
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: \(pam\_[[:alnum:]]+\) session opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ CRON\[[0-9]+\]: \(pam\_[[:alnum:]]+\) session closed for user [[:alnum:]-]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: [[:alnum:]]+: reject: RCPT from [^[:space:]]+: [0-9]+ [^[:space:]]+: User unknown in local recipient table; from=[^[:space:]]+ to=[^[:space:]]+ proto=(ESMTP|SMTP) helo=[^[:space:]]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/qmgr\[[0-9]+\]: [[:alnum:]]+: to=[^[:space:]]+, orig_to=[^[:space:]]+, relay=[^[:space:]]+, delay=[0-9]+, status=deferred \(deferred transport\)
NARC
====
?????
?????
?????
Hardening checks
================
netstat -pn -l -A inet
nmap -sT <IP>
nmap -sU <IP>
lsof -i | grep LISTEN #(on the local computer)
lsof -i :<port#>
nmap
====
From another computer
nmap -p 22,25,80,143,443,465,993,995 denton # 143 (plain IMAP) should be closed
nmap -sT <IP> --> fast
Interesting ports on (192.168.20.50):
(The 1546 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
25/tcp open smtp
80/tcp open http
143/tcp open imap
443/tcp open https
465/tcp open smtps
993/tcp open imaps
995/tcp open pop3s
nmap -sU 192.168.20.50 --> takes long time though.
</pre></div>
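<p>The hardening checks at the end of the list compare two views of the same host: what it listens on (netstat, lsof) and what a scanner on another machine can reach (nmap). Note that the scan output shown above lists 143/tcp open although the comment says it should be closed. The script below is an added example, not code from the original page: it parses nmap's classic text output and the kernel's <code>/proc/net/tcp</code> table (the data behind <code>netstat -l</code>), compares both against an allowlist, and tells loopback-only listeners apart from exposed ones. The allowlist, the <code>/proc/net/tcp</code> excerpt and the 10025 listener are constructed for the example; the nmap listing is copied from the page.</p>

```python
"""Diff local listeners and a remote port scan against an exposure policy.
Added example; not part of the original page."""
import re

# Policy: the ports the checklist scans, minus 143 because plain IMAP is
# supposed to be closed.  Constructed for this example.
ALLOWED_TCP = {22, 25, 80, 443, 465, 993, 995}

# Copy of the nmap -sT output shown in the checklist.
NMAP_OUTPUT = """\
Interesting ports on (192.168.20.50):
(The 1546 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
25/tcp open smtp
80/tcp open http
143/tcp open imap
443/tcp open https
465/tcp open smtps
993/tcp open imaps
995/tcp open pop3s
"""

# Constructed /proc/net/tcp excerpt: listeners (st 0A) on 22, 25 and 143 bound
# to 0.0.0.0, a loopback-only listener on 10025, and one established ssh
# session (st 01) that must be ignored.  Addresses are little-endian hex.
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0000000000000000 100 0 0 10 0
   2: 00000000:008F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1 0000000000000000 100 0 0 10 0
   3: 0100007F:2729 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1004 1 0000000000000000 100 0 0 10 0
   4: 3214A8C0:0016 0714A8C0:0FB6 01 00000000:00000000 00:00000000 00000000     0        0 1005 1 0000000000000000 20 4 30 10 -1
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap(text):
    """{(port, proto): (state, service)} from classic nmap text output."""
    found = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            found[(int(m.group(1)), m.group(2))] = (m.group(3), m.group(4))
    return found


def parse_proc_net_tcp(text):
    """{port: bound_address} for every socket in LISTEN state (st == 0A)."""
    listeners = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[3] != "0A":
            continue
        ip_hex, port_hex = fields[1].split(":")
        octets = [int(ip_hex[i:i + 2], 16) for i in (6, 4, 2, 0)]  # reverse byte order
        listeners[int(port_hex, 16)] = ".".join(str(o) for o in octets)
    return listeners


def audit_remote(found, allowed):
    """Open TCP ports the scanner saw that policy does not allow, and allowed ports it did not see."""
    open_tcp = {p for (p, proto), (state, _) in found.items() if proto == "tcp" and state == "open"}
    return {"unexpected": sorted(open_tcp - allowed), "missing": sorted(allowed - open_tcp)}


def audit_local(listeners, allowed):
    """Listeners bound to a non-loopback address outside policy, plus loopback-only ones for review."""
    exposed = {p for p, addr in listeners.items() if not addr.startswith("127.")}
    return {"unexpected": sorted(exposed - allowed),
            "loopback_only": sorted(p for p in listeners if p not in exposed)}


if __name__ == "__main__":
    print("remote view:", audit_remote(parse_nmap(NMAP_OUTPUT), ALLOWED_TCP))
    print("local view: ", audit_local(parse_proc_net_tcp(PROC_NET_TCP), ALLOWED_TCP))
```

<p>On a real box, feed <code>open('/proc/net/tcp').read()</code> to <code>parse_proc_net_tcp</code> (and <code>/proc/net/tcp6</code> separately, whose addresses are 32 hex digits). A port that is listening locally but absent from the remote view is the firewall doing its job; one that is in both views and not in the policy, like 143 here, is the finding.</p>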
</figure>Openbsd on net48012005-09-11T00:00:00+02:002010-05-20T14:30:18+02:00henriktag:community.riocities.com,2005-09-11:/Openbsd_on_net4801.html
<p>Installing OpenBSD 4.7 on a Soekris net4801 (with Debian as a boot server)</p>
<p>Prerequisites for the boot server:</p>
<ul>
<li>Debian (Lenny 5.0)</li>
</ul>
<p>Prerequisites for the net4801 (also tested with net5501):</p>
<ul>
<li>Fast 512MB CF card</li>
</ul>
<h1 id="configure-debian-boot-server">Configure (Debian) boot server<a class="headerlink" href="#configure-debian-boot-server" title="Permanent link">¶</a></h1>
<p>Create and populate directories for tftpd (I use <strong>/var/lib/tftpboot</strong> as "base dir")</p>
<div class="codehilite"><pre><span></span># mkdir -p <base dir>/etc
# cd <base dir>
# wget http://ftp.eu.openbsd.org/pub/OpenBSD/4.7/i386/pxeboot
# wget http://ftp.eu.openbsd.org/pub/OpenBSD/4.7/i386/bsd.rd
</pre></div>
<p>Create a boot config file for the net4801, <code>&lt;base dir&gt;/etc/boot.conf</code>, containing the following</p>
<div class="codehilite"><pre><span></span>set tty com0
stty com0 19200
boot bsd.rd
</pre></div>
<p>Install the tftp server <strong>atftpd</strong></p>
<div class="codehilite"><pre><span></span> # apt-get install atftpd
(give your <base dir> as base dir)
</pre></div>
<p>Install and configure <strong>dhcp3</strong></p>
<div class="codehilite"><pre><span></span># apt-get install dhcp3-server
</pre></div>
<p>edit /etc/dhcp3/dhcpd.conf and add the following (using subnet 192.168.1.0/24 as an example)</p>
<div class="codehilite"><pre><span></span>subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.210 192.168.1.220;
option domain-name-servers 192.168.1.1;
option routers 192.168.1.1;
}
allow booting;
allow bootp;
option space PXE;
option PXE.mtftp-ip code 1 = ip-address;
option PXE.mtftp-cport code 2 = unsigned integer 16;
option PXE.mtftp-sport code 3 = unsigned integer 16;
option PXE.mtftp-tmout code 4 = unsigned integer 8;
option PXE.mtftp-delay code 5 = unsigned integer 8;
group {
option vendor-class-identifier "PXEClient";
next-server <IP ADDR of tftpd server>;
filename "pxeboot";
option PXE.mtftp-ip 0.0.0.0;
vendor-option-space PXE;
host <hostname of net4801> {
hardware ethernet <MAC address of net4801>;
fixed-address <IP address for net4801>;
}
}
</pre></div>
<h1 id="install-on-net4801">Install on net4801<a class="headerlink" href="#install-on-net4801" title="Permanent link">¶</a></h1>
<p>Connect the serial cable to the net4801 and power on the net4801</p>
<div class="codehilite"><pre><span></span>Press Ctrl-P for entering Monitor.
boot>
</pre></div>
<p>Boot from network</p>
<div class="codehilite"><pre><span></span>boot> boot f0
</pre></div>
<p>Then perform the OpenBSD install </p>
<p>Make sure to switch the default console</p>
<div class="codehilite"><pre><span></span>Change the default console to com0? [no] yes
Available speeds are: 9600 19200 38400 57600 115200.
Which one should com0 use? (or 'done') [9600] 19200
</pre></div>
<p>Partition table (custom layout)</p>
<div class="codehilite"><pre><span></span>wd0a 150m /
wd0d 80m /var
wd0e 40m /home
wd0f 218(rest) /usr
</pre></div>
<p>Note: skipping /tmp for later</p>
<p>I used the following sets</p>
<div class="codehilite"><pre><span></span> [X] bsd
[X] bsd.rd
[ ] bsd.mp
[X] base47.tgz
[X] etc47.tgz
[X] misc47.tgz
[ ] comp47.tgz
[X] man47.tgz
[ ] game47.tgz
[ ] xbase47.tgz
[ ] xetc47.tgz
[ ] xshare47.tgz
[ ] xfont47.tgz
[ ] xserv47.tgz
</pre></div>
<h1 id="after-installation-do-not-reboot-before-performing-these-steps">After installation (do <strong>not</strong> reboot before performing these steps)<a class="headerlink" href="#after-installation-do-not-reboot-before-performing-these-steps" title="Permanent link">¶</a></h1>
<p>Edit /mnt/etc/fstab and add /tmp and /var/run as mfs</p>
<div class="codehilite"><pre><span></span># echo "swap /tmp mfs rw,nodev,nosuid,-s=19456 0 0" >> /mnt/etc/fstab
# echo "swap /var/run mfs rw,nodev,nosuid,-s=19456 0 0" >> /mnt/etc/fstab
</pre></div>
<p>apply the following change to /mnt/etc/rc</p>
<div class="codehilite"><pre><span></span>@@ -122,6 +122,7 @@
umount -a >/dev/null 2>&1
mount -a -t nonfs,vnd
+chmod 1777 /tmp
mount -uw / # root on nfs requires this, others aren't hurt
rm -f /fastboot # XXX (root now writeable)
</pre></div>
<p>If you use ed</p>
<div class="codehilite"><pre><span></span># ed /mnt/etc/rc
/mount -a -t nonfs/
a
chmod 1777 /tmp
ctrl-d
w
q
</pre></div>
<p>Now it's time to <strong>reboot</strong></p>
<h1 id="system-configuration-after-reboot">System configuration after reboot<a class="headerlink" href="#system-configuration-after-reboot" title="Permanent link">¶</a></h1>
<p>When the system is up after the first reboot we can use <strong>vi</strong> instead of <strong>ed</strong> to perform
some more configurations.</p>
<p>Enable <strong>soft updates</strong> by editing /etc/fstab (we will reboot later)</p>
<div class="codehilite"><pre><span></span>/dev/wd0a / ffs rw,softdep 1 1
/dev/wd0e /home ffs rw,nodev,nosuid,softdep 1 2
/dev/wd0f /usr ffs rw,nodev,softdep 1 2
/dev/wd0d /var ffs rw,nodev,nosuid,softdep 1 2
swap /tmp mfs rw,nodev,nosuid,-s=19456 0 0
swap /var/run mfs rw,nodev,nosuid,-s=19456 0 0
</pre></div>
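<p>The fstab above follows a simple rule: every file system except <code>/</code> is mounted <code>nodev</code>, and everything except <code>/</code> and <code>/usr</code> (where the setuid binaries live) is also <code>nosuid</code>, the two memory file systems included. The checker below is an added example, not code from the original page: it parses an fstab, reports every mount point that misses an option the policy requires, and can append the missing options. The policy table and the second, deliberately weakened fstab (a <code>/home</code> without <code>nosuid</code> and a <code>/tmp</code> without <code>nodev</code>) are constructed; the first fstab is the page's.</p>

```python
"""Check an fstab against a nodev/nosuid mount-option policy.
Added example; not part of the original page."""

# Copy of the /etc/fstab shown above (OpenBSD 4.7 on the net4801).
FSTAB_PAGE = """\
/dev/wd0a / ffs rw,softdep 1 1
/dev/wd0e /home ffs rw,nodev,nosuid,softdep 1 2
/dev/wd0f /usr ffs rw,nodev,softdep 1 2
/dev/wd0d /var ffs rw,nodev,nosuid,softdep 1 2
swap /tmp mfs rw,nodev,nosuid,-s=19456 0 0
swap /var/run mfs rw,nodev,nosuid,-s=19456 0 0
"""

# Constructed variant with two typical slips: /home without nosuid, /tmp without nodev.
FSTAB_WEAK = """\
/dev/wd0a / ffs rw,softdep 1 1
/dev/wd0e /home ffs rw,nodev,softdep 1 2
/dev/wd0f /usr ffs rw,nodev,softdep 1 2
/dev/wd0d /var ffs rw,nodev,nosuid,softdep 1 2
swap /tmp mfs rw,nosuid,-s=19456 0 0
"""

# Required option -> mount points that may legitimately lack it (constructed policy).
POLICY = {
    "nodev": {"/"},            # device nodes only exist under /dev on the root fs
    "nosuid": {"/", "/usr"},   # setuid binaries live in /bin, /sbin, /usr/bin, /usr/sbin
}


def parse_fstab(text):
    """[(device, mountpoint, fstype, set(options))], skipping blank and comment lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        dev, mnt, fstype, opts = line.split()[:4]
        entries.append((dev, mnt, fstype, set(opts.split(","))))
    return entries


def check_fstab(entries, policy=POLICY):
    """[(mountpoint, missing_option)] for every violated requirement, in fstab order."""
    findings = []
    for _, mnt, _, opts in entries:
        for option, exempt in policy.items():
            if mnt not in exempt and option not in opts:
                findings.append((mnt, option))
    return findings


def harden_fstab(text, policy=POLICY):
    """Return the fstab text with every missing policy option appended to its line."""
    out = []
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) >= 4 and not raw.lstrip().startswith("#"):
            mnt, opts = fields[1], fields[3].split(",")
            for option, exempt in policy.items():
                if mnt not in exempt and option not in opts:
                    opts.append(option)
            fields[3] = ",".join(opts)
            raw = " ".join(fields)
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("page fstab:", check_fstab(parse_fstab(FSTAB_PAGE)) or "ok")
    print("weak fstab:", check_fstab(parse_fstab(FSTAB_WEAK)))
    print(harden_fstab(FSTAB_WEAK))
```

<p>Run it against <code>/etc/fstab</code> after every reinstall; <code>mount</code> output is the other half of the check, since an option in fstab only matters once the file system has been remounted with it.</p>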
<p>Install BASH(static), WGET & LSOF</p>
<div class="codehilite"><pre><span></span># pkg_add -v http://ftp.eu.openbsd.org/pub/OpenBSD/4.7/packages/i386/bash-4.0.35.tgz
# pkg_add -v http://ftp.eu.openbsd.org/pub/OpenBSD/4.7/packages/i386/wget-1.12p0.tgz
# pkg_add -v http://ftp.eu.openbsd.org/pub/OpenBSD/4.7/packages/i386/lsof-4.82p1.tgz
</pre></div>
<p>Check that bash is in /etc/shells</p>
<div class="codehilite"><pre><span></span># grep bash /etc/shells
/usr/local/bin/bash
</pre></div>
<p>Change shell to bash</p>
<div class="codehilite"><pre><span></span># chsh -s bash
</pre></div>
<p><strong>Add users with adduser</strong></p>
<div class="codehilite"><pre><span></span># adduser
Enter your default shell: bash csh ksh nologin sh [sh]: bash
</pre></div>
<p>Make sure that at least one normal user belongs to group 'wheel' with login class 'staff'</p>
<p><strong>Disable some services in /etc/inetd.conf</strong></p>
<div class="codehilite"><pre><span></span>127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
##ident stream tcp nowait _identd /usr/libexec/identd identd -el
##ident stream tcp6 nowait _identd /usr/libexec/identd identd -el
##daytime stream tcp nowait root internal
##daytime stream tcp6 nowait root internal
##time stream tcp nowait root internal
##time stream tcp6 nowait root internal
</pre></div>
<p>and reload</p>
<div class="codehilite"><pre><span></span># kill -HUP `cat /var/run/inetd.pid`
</pre></div>
<p><strong>Enable caching DNS</strong> (add the following to /etc/rc.conf.local)</p>
<div class="codehilite"><pre><span></span> named_flags=""
</pre></div>
<p>Note: The rest is not tested with 4.7 (only with 3.7)</p>
<p><strong>Configure pppoe</strong> (<a href="http://openbsdsupport.org/obsd_dsl.html">http://openbsdsupport.org/obsd_dsl.html</a>)</p>
<p>I use the 'sis2' interface for pppoe</p>
<p>/etc/ppp/ppp.conf</p>
<div class="codehilite"><pre><span></span><span class="k">default</span><span class="o">:</span>
<span class="kd">set</span> <span class="n">log</span> <span class="n">Phase</span> <span class="n">Chat</span> <span class="n">LCP</span> <span class="n">IPCP</span> <span class="n">CCP</span> <span class="n">tun</span> <span class="n">command</span>
<span class="kd">set</span> <span class="n">redial</span> <span class="mi">15</span> <span class="mi">0</span>
<span class="kd">set</span> <span class="n">reconnect</span> <span class="mi">15</span> <span class="mi">10000</span>
<span class="n">pppoe</span><span class="o">:</span>
<span class="kd">set</span> <span class="n">device</span> <span class="s2">"!/usr/sbin/pppoe -i sis2"</span>
<span class="n">disable</span> <span class="n">acfcomp</span> <span class="n">protocomp</span>
<span class="n">deny</span> <span class="n">acfcomp</span>
<span class="kd">set</span> <span class="n">mtu</span> <span class="n">max</span> <span class="mi">1492</span>
<span class="kd">set</span> <span class="n">mru</span> <span class="n">max</span> <span class="mi">1492</span>
<span class="kd">set</span> <span class="n">speed</span> <span class="n">sync</span>
<span class="kd">set</span> <span class="n">authname</span> <span class="s2">"<login name at ISP>"</span>
<span class="kd">set</span> <span class="n">authkey</span> <span class="s2">"<password at ISP>"</span>
<span class="n">add</span> <span class="k">default</span> <span class="n">HISADDR</span>
<span class="n">enable</span> <span class="n">mssfixup</span>
</pre></div>
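<p>Two of the steps above are worth verifying before moving on: that the inetd.conf edit really left only the services you meant enabled, and that ppp.conf, which now holds the ISP password in clear text, is not readable by other users. The following POSIX sh script is an added example and not part of the original guide; it runs against constructed copies of the two files (the extra comsat line is made up to show a service the edit did not touch), so on the real box point the two functions at /etc/inetd.conf and /etc/ppp/ppp.conf instead.</p>

```shell
#!/bin/sh
# Added example, not from the original guide: post-setup checks for the
# inetd.conf trimming and the ppp.conf credentials configured above.
# Plain POSIX sh, so it runs on OpenBSD's /bin/sh and elsewhere.

# Print the service field of every line in an inetd.conf that is still
# active: not blank and not commented out (covers the "##" style used above).
inetd_enabled_services() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1" | awk '{ print $1 }'
}

# Succeed only if FILE grants no permission bits to group or other.
# ppp.conf carries the ISP password in clear text, so it must be mode 0600.
# Columns 5-10 of "ls -l" are the group and other bits on both BSD and GNU ls.
file_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# ---- demonstration on constructed input ---------------------------------
demo_dir=$(mktemp -d) || exit 1
trap 'rm -rf "$demo_dir"' EXIT

# constructed inetd.conf: the fragment from the page plus one made-up
# still-enabled comsat line, to show a service the edit did not touch
printf '%s\n' \
    '127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy' \
    '##ident stream tcp nowait _identd /usr/libexec/identd identd -el' \
    '##daytime stream tcp nowait root internal' \
    'comsat dgram udp wait root /usr/libexec/comsat comsat' \
    '##time stream tcp6 nowait root internal' \
    > "$demo_dir/inetd.conf"

echo "inetd services still enabled:"
inetd_enabled_services "$demo_dir/inetd.conf"

# constructed stand-in for /etc/ppp/ppp.conf with a dummy secret
echo 'set authkey "dummy-secret"' > "$demo_dir/ppp.conf"
chmod 644 "$demo_dir/ppp.conf"          # the typical mistake: world-readable
if file_is_private "$demo_dir/ppp.conf"; then
    echo "ppp.conf: permissions ok"
else
    echo "ppp.conf: readable by group/other; fix with: chmod 600 /etc/ppp/ppp.conf"
fi
```

<p>The first function deliberately prints only the service column, so anything that shows up besides the ftp-proxy entry is a listener you did not intend to keep; the second one reads the permission bits from <code>ls -l</code> rather than <code>stat</code>, whose flags differ between BSD and GNU.</p>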
<p><strong>Make sure sis2 comes up after reboot</strong></p>
<div class="codehilite"><pre><span></span># echo "up" > /etc/hostname.sis2
</pre></div>
<p><strong>Enable IP-forwarding</strong></p>
<div class="codehilite"><pre><span></span># sysctl -w net.inet.ip.forwarding=1
# vi /etc/sysctl.conf (remove # in front of net.inet.ip.forwarding=1)
</pre></div>
<p>I <strong>rebooted</strong> the system at this point</p>
<h1 id="test-pppoe">Test pppoe<a class="headerlink" href="#test-pppoe" title="Permanent link">¶</a></h1>
<p>Fix the search and nameserver settings in /etc/resolv.conf</p>
<div class="codehilite"><pre><span></span>search <your domain>
nameserver 127.0.0.1
lookup file bind
</pre></div>
<p><strong>Bring up pppoe</strong></p>
<div class="codehilite"><pre><span></span># ppp -ddial pppoe
</pre></div>
<p>You should get a tun0 device (check with ifconfig -a). Try to ping something you know.</p>
<p><strong>Bring down pppoe</strong></p>
<div class="codehilite"><pre><span></span># pkill ppp
</pre></div>
<p><strong>Fix your firewall rules and enable pf</strong></p>
<p>/etc/rc.conf</p>
<div class="codehilite"><pre><span></span> pf=YES # Packet filter / NAT
</pre></div>
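<p>The guide leaves the contents of /etc/pf.conf to the reader. The ruleset below is an added example, not part of the original page: a default-deny NAT configuration for the PPPoE router as set up above, laid out after the router example in the OpenBSD pf FAQ. It assumes (hypothetically) that the LAN hangs off sis0 and uses 192.168.1.0/24, and that the PPPoE link is tun0 as created by <code>ppp -ddial pppoe</code>. It uses the OpenBSD 4.7 syntax (match rules with nat-to and scrub options), which replaced the nat/rdr and scrub rules of earlier releases, so it will not load on the 3.7 the pppoe notes were tested with.</p>

```pf
# /etc/pf.conf for the PPPoE router described above.
# Added example, not from the original page. Hypothetical assumptions:
# LAN on sis0 using 192.168.1.0/24, PPPoE link on tun0 (OpenBSD 4.7 syntax).
ext_if  = "tun0"            # tunnel created by "ppp -ddial pppoe"
int_if  = "sis0"            # LAN side
int_net = "192.168.1.0/24"

set skip on lo
set block-policy drop       # no RST/ICMP feedback to scanners on the outside

# sanitise every incoming packet before state is created
match in all scrub (no-df random-id)
# hide the LAN behind whatever address the ISP hands out this time;
# the parentheses make pf re-read the address each time tun0 comes back up
match out on $ext_if inet from $int_net to any nat-to ($ext_if)

# default deny; log what is dropped on the way in
block in log all
block out all

# drop packets arriving on the LAN side that claim a non-LAN source
antispoof quick for $int_if

# traffic from the router itself and from the LAN may leave
pass out quick inet
pass in on $int_if inet from $int_net to any
# the outside may only ping the router; open further ports deliberately, one at a time
pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type echoreq
```

<p>Check the syntax with <code>pfctl -nf /etc/pf.conf</code> before hooking it into ppp.linkup; because the rules refer to tun0 by name in parentheses, the file also loads at boot while the tunnel does not exist yet.</p>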
<p><strong>Activate the firewall rules when the ppp link comes up</strong></p>
<p>/etc/ppp/ppp.linkup</p>
<div class="codehilite"><pre><span></span>MYADDR:
!sh -c "/sbin/pfctl -f /etc/pf.conf"
</pre></div>
<p><strong>Make ppp auto start</strong>: add the following to /etc/rc.local</p>
<div class="codehilite"><pre><span></span> # Start PPPoE
echo -n ' PPPoE'
ppp -ddial pppoe
sleep 20 (5)
</pre></div>Debian Canon iP4000R2005-09-08T00:00:00+02:002005-09-16T11:33:56+02:00henriktag:community.riocities.com,2005-09-08:/Debian_Canon_iP4000R.html<h1 id="setting-up-a-canon-ip4000r-printer-on-a-debian-system-with-cups">Setting up a Canon iP4000R printer on a Debian system with CUPS<a class="headerlink" href="#setting-up-a-canon-ip4000r-printer-on-a-debian-system-with-cups" title="Permanent link">¶</a></h1>
<p>Basics for my setup:</p>
<div class="codehilite"><pre><span></span><span class="n">Printer</span><span class="o">:</span> <span class="n">Canon</span> <span class="n">PIXMA</span> <span class="n">iP4000R</span>
<span class="n">Cups</span><span class="o">:</span> <span class="n">Version</span> <span class="mf">1.1</span><span class="o">.</span><span class="mi">23</span><span class="o">-</span><span class="mi">10</span>
<span class="n">Debian</span><span class="o">:</span> <span class="n">Sarge</span> <span class="mf">3.1</span>
</pre></div>
<h2 id="download-the-version-250-filters-from-canon-httpcwebcanonjpdrv-updbjbjlinux250html">Download the version 2.50 filters from Canon (http://cweb.canon.jp/drv-upd/bj/bjlinux250.html)<a class="headerlink" href="#download-the-version-250-filters-from-canon-httpcwebcanonjpdrv-updbjbjlinux250html" title="Permanent link">¶</a></h2>
<div class="codehilite"><pre><span></span>$ wget ftp://download.canon.jp/pub/driver/bj/linux/bjfilter-common-2.50-2.i386.rpm
</pre></div>
<p>and the filter for your printer (in my case iP4000R)</p>
<div class="codehilite"><pre><span></span>$ wget ftp://download.canon.jp/pub/driver/bj/linux/bjfilter-pixusip4100-lprng-2.50-2.i386.rpm
$ wget ftp://download.canon.jp/pub/driver/bj/linux/bjfilter-pixusip4100-2.50-2.i386.rpm
</pre></div>
<h2 id="convert-the-rpms-to-debs">Convert the RPMs to DEBs<a class="headerlink" href="#convert-the-rpms-to-debs" title="Permanent link">¶</a></h2>
<div class="codehilite"><pre><span></span>$ fakeroot alien --to-deb bjfilter-common-2.50-2.i386.rpm
bjfilter-common_2.50-3_i386.deb generated
$ fakeroot alien --to-deb bjfilter-pixusip4100-lprng-2.50-2.i386.rpm
bjfilter-pixusip4100-lprng_2.50-3_i386.deb generated
$ fakeroot alien --to-deb bjfilter-pixusip4100-2.50-2.i386.rpm
bjfilter-pixusip4100_2.50-3_i386.deb generated
</pre></div>
<h2 id="install">Install<a class="headerlink" href="#install" title="Permanent link">¶</a></h2>
<p>Become root and install with dpkg</p>
<div class="codehilite"><pre><span></span># dpkg -i bjfilter-common_2.50-3_i386.deb
# dpkg -i bjfilter-pixusip4100-lprng_2.50-3_i386.deb
# dpkg -i bjfilter-pixusip4100_2.50-3_i386.deb
</pre></div>
<p>Manually install the dependencies</p>
<div class="codehilite"><pre><span></span># apt-get install libpng2 libxml1 libtiff4
</pre></div>
<p>Apply a workaround, as libtiff3g (used by <code>/usr/local/bin/bjfilterpixusip4100</code>) is not available in Sarge</p>
<div class="codehilite"><pre><span></span># ln -s /usr/lib/libtiff.so.4 /usr/lib/libtiff.so.3
</pre></div>
<p>Restart CUPS</p>
<div class="codehilite"><pre><span></span># /etc/init.d/cupsys restart
</pre></div>
<p>Add the printer with your favourite CUPS tool (it will be in the Canon list); that's all!</p>
<p>Use the following URI for network printing</p>
<div class="codehilite"><pre><span></span>DeviceURI lpd://<printer address>/p1
</pre></div>