Running Oracle Sun Ray 5.4 Software template in Proxmox

Acquire the Sun Ray software template (which is about to be discontinued) and unpack the template file.

Contents:

OVM_OL6U3_X86_64_SRS5.4_PVHVM.mf:  ASCII text
OVM_OL6U3_X86_64_SRS5.4_PVHVM.ova: POSIX tar archive
OVM_OL6U3_X86_64_SRS5.4_PVHVM.ovf: XML document text

Create a VM in Proxmox with two ZFS volumes, one for the System image and one for the Product image.
Read OVM_OL6U3_X86_64_SRS5.4_PVHVM.ovf to get an idea of how much CPU, memory and disk the machine should get; the zvols must be at least as large as the unpacked images.

Unpack the .ova, which is a plain tar archive:

tar xf OVM_OL6U3_X86_64_SRS5.4_PVHVM.ova

This will give you:

Product.img: gzip compressed data, was "Product.img", last modified: Fri May  3 15:01:48 2013, max compression, from Unix

System.img:  gzip compressed data, was "System.img", last modified: Fri May  3 14:59:13 2013, max compression, from Unix

Despite the .img names these are gzip-compressed raw images, so they need to be unpacked first:

mv Product.img Product.gz && gunzip Product.gz
mv System.img System.gz && gunzip System.gz

Now look at them with file(1). System is a complete disk image with an MBR and GRUB in the boot sector; Product is a bare ext4 filesystem:

System:                            DOS/MBR boot sector; GRand Unified Bootloader, stage1 version 0x3, boot drive 0x80, 1st sector stage2 0x8480e, GRUB version 0.94

Product:                           Linux rev 1.0 ext4 filesystem data, UUID=d0dd198a-031a-4dbe-8345-b411986f460e, volume name "Product-SRS54" (extents) (large files) (huge files)

Find the VM's ZFS volumes under /dev/zvol (the names depend on your pool and VM ID) and write the raw images to them. Double-check the targets first, since dd will overwrite whatever zvol you point it at. For instance:

dd if=System of=/dev/zvol/vmpool/vm-107-disk-1 bs=1M

dd if=Product of=/dev/zvol/vmpool/vm-107-disk-2 bs=1M

When you boot the VM you'll probably get a kernel panic: the image was built for Xen, so /etc/fstab and the GRUB config refer to the disks by Xen names (xvda, xvdb and so on), while Proxmox/QEMU presents them as vda/sda, and the boot process can't find its volumes.

Enter the GRUB menu and edit the last entry in the list. Remove "rhgb quiet", append init=/bin/bash and boot. Remount / read-write, edit /etc/fstab and point /opt at the correct disk; make sure the /boot entry is correct as well.

Also adjust the GRUB settings for the new disk names. Then you can enable the Oracle public yum repository and install all available updates, which gets you a new kernel that actually boots under Proxmox. Make sure the GRUB config points to the newest kernel.
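As an added example (not from the original post), here is a small script for that rescue shell that does the device-name rewrite the two paragraphs above describe, on /etc/fstab and /boot/grub/grub.conf, keeping a backup of each file. It assumes Proxmox presents the disks as /dev/vdX (virtio); pass sd as the prefix if you chose SCSI/IDE, and check with ls /dev/vd* /dev/sd* in the rescue shell first. The UUID helper is there because keying fstab on the filesystem UUID (the Product volume's UUID is in the file(1) output above) sidesteps the naming problem entirely.

```shell
#!/bin/sh
# Added example, not from the original post. The Oracle VM image refers to
# its disks by Xen names (/dev/xvda, /dev/xvdb ...); under Proxmox/QEMU the
# same disks appear as /dev/vdX (virtio) or /dev/sdX (SCSI/IDE), so fstab and
# grub.conf point at devices that do not exist. In the init=/bin/bash shell,
# first make the root filesystem writable:   mount -o remount,rw /
# The target prefix is an assumption; check `ls /dev/vd* /dev/sd*` first.

# rename_xen_devs FILE [PREFIX]: rewrite /dev/xvd<letter><part> references
# to /dev/<PREFIX><letter><part>, keeping the original as FILE.xen.bak
rename_xen_devs() {
    f="$1"
    prefix="${2:-vd}"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    cp -p "$f" "$f.xen.bak" || return 1
    # one drive letter plus an optional partition number, both preserved
    sed -e "s#/dev/xvd\([a-z][0-9]*\)#/dev/${prefix}\1#g" "$f.xen.bak" > "$f"
}

# fstab_uuid_line DEVICE MOUNTPOINT FSTYPE: print an fstab entry keyed by
# filesystem UUID instead of a device name, so the bus type no longer matters.
# Needs blkid on the rescue system.
fstab_uuid_line() {
    uuid=$(blkid -s UUID -o value "$1") && [ -n "$uuid" ] || return 1
    printf 'UUID=%s %s %s defaults 1 2\n' "$uuid" "$2" "$3"
}

# Typical use inside the rescue shell (uncomment to run):
# rename_xen_devs /etc/fstab
# rename_xen_devs /boot/grub/grub.conf
# fstab_uuid_line /dev/vdb /opt ext4 >> /etc/fstab   # then drop the old /opt line
```

Run it against a copy of fstab first if you are unsure about the prefix; the .xen.bak file lets you diff the result against the original before rebooting.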

The default Sun Ray admin password is 5r5demo, so change it right away with

/opt/SUNWut/sbin/utpw

If you need to restart the sun ray services, run:

Warm Restart

/opt/SUNWut/sbin/utstart

Cold Restart

/opt/SUNWut/sbin/utstart -c

SNMPD and other tools on Zyxel NAS540

Sometimes I like to buy solutions that work out of the box; I don't want to spend time fiddling with everything. However, I usually end up buying a solution that does not do what I want out of the box, and I spend lots of time fiddling with it.

This NAS540 was rather cheap and has 4 bays. It runs a semi-locked-in Linux but allows SSH access, with the same credentials for admin/root as the admin login of the web interface (so your web admin password is also a root password; choose it accordingly), and you can easily poke around in its sometimes confusing internals.


There are tons of different 3rd-party package managers, I believe (or I don't know what the hell I'm looking at).

The commonly mentioned Optware is outdated/deprecated. What's apparently cool now is MetaRepository, which can enable several repositories, and from there you can install Entware-NG, which has a crapload of packages. It's missing the glorious nmon though, so you'll have to compile that manually (I did it and it works great).

You can probably install Entware-NG without MetaRepository, but using both should be a bit more satisfactory.

So, it starts badly. The official instructions talk about a web_prefix file that you can use to add the repository and make it visible from the filesystem. I never got that working, but I found another file that was pointing to the official ZyXEL FTP instead.

In my case, I replaced the line below, found in /etc/package_src_url:

ftp://ftp2.zyxel.com/NAS540/zypkg/5.11

with http://downloads.zyxel.nas-central.org/Users/Mijzelf/zypkg-repo/NAS540/zypkg/5.11/

5.11 is the firmware version on my NAS; edit it to match whatever you are running. Keep in mind that neither FTP nor plain HTTP gives you any integrity check on what you download, and anything installed this way runs as root on the NAS, so only point this at a mirror you trust.

From here you can go into the NAS web UI, into Packages, and hit Refresh.
Now your package list will only show MetaRepository. Go ahead and install it.
Follow the link in the description field:
http://NAS_IP:5000/pkg/MetaRepository/pkgcgi.cgi

Here you can see how it enables several repositories.
My list looks like this:

# Official repository
ftp://ftp2.zyxel.com/+ ZyXEL
http://downloads.zyxel.nas-central.org/Users/Mijzelf/zypkg-repo/ + NAS540
# Local repository
/i-data/sysvol/admin/MyRepo/ Local

Go back and refresh the list in package management. If you still only see MetaRepository, you might need to revert /etc/package_src_url to the stock line and refresh again. It can be a little tricky.

Now install Entware-NG to get access to even more packages.
randomtools is nice as well, since it gives you rsync and so on.

Now go back into your filthy, moist shell and install snmpd (prefer the statically linked build on an oddball platform like this NAS, so it doesn't depend on the system's libraries):

/opt/bin/opkg install snmpd-static

Entware lives under /opt (a symlink on this box), so place your snmpd.conf in

/opt/etc/snmp/

You can summon the daemon by invoking:
/opt/sbin/snmpd

You'll probably want to hack together an init script for this service. Whatever you do, don't leave a v1/v2c community like "public" in that config: it hands your disk, share and process lists to anyone on the LAN.
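Here is an added example of such a script (mine, not from the post or the Entware project). It assumes Entware's /opt layout from the paragraphs above and that snmpd takes the standard net-snmp flags; the SNMPv3 user name and the passphrases it writes are placeholders you must replace. It writes no v1/v2c community at all, only an SNMPv3 read-only user with authentication and encryption. Drop it in /opt/etc/init.d/ as S50snmpd (Entware's rc.unslung runs the scripts there with start/stop; verify that on your firmware).

```shell
#!/bin/sh
# Added example, not from the original post: control script for an
# Entware-installed snmpd on the NAS540. Paths assume Entware's /opt
# prefix; the SNMPv3 user and passphrases below are placeholders.
PATH=/opt/sbin:/opt/bin:/usr/sbin:/usr/bin:/sbin:/bin
SNMPD=${SNMPD:-/opt/sbin/snmpd}
CONF=${CONF:-/opt/etc/snmp/snmpd.conf}
PIDFILE=${PIDFILE:-/opt/var/run/snmpd.pid}
LOGFILE=${LOGFILE:-/opt/var/log/snmpd.log}

# write_default_conf FILE: minimal SNMPv3-only config when none exists.
# No v1/v2c string, one read-only user requiring auth+priv.
write_default_conf() {
    conf="$1"
    mkdir -p "$(dirname "$conf")"
    cat > "$conf" <<'EOF'
# Read-only SNMPv3 user. net-snmp moves the createUser line into its
# persistent store on first start, so the passphrases do not stay here.
createUser nasmon SHA "CHANGE-ME-auth-passphrase" AES "CHANGE-ME-priv-passphrase"
rouser nasmon priv
agentAddress udp:161
sysLocation basement rack
sysContact admin@example.invalid
EOF
    chmod 600 "$conf"
}

# is_running: 0 if the pidfile names a live process
is_running() {
    [ -r "$PIDFILE" ] || return 1
    pid=$(cat "$PIDFILE")
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

start() {
    [ -f "$CONF" ] || write_default_conf "$CONF"
    if is_running; then echo "snmpd already running"; return 0; fi
    mkdir -p "$(dirname "$PIDFILE")" "$(dirname "$LOGFILE")"
    # -C: skip the default config search path, -c: use only our file,
    # -p: pidfile, -Lf: log to a file instead of stderr
    "$SNMPD" -C -c "$CONF" -p "$PIDFILE" -Lf "$LOGFILE"
}

stop() {
    is_running || { echo "snmpd not running"; return 0; }
    kill "$(cat "$PIDFILE")" && rm -f "$PIDFILE"
}

case "${1:-}" in
    start)   start ;;
    stop)    stop ;;
    restart) stop; start ;;
    status)  if is_running; then echo running; else echo stopped; exit 1; fi ;;
    "")      ;;   # no argument: just define the functions
    *)       echo "usage: $0 {start|stop|restart|status}" >&2; exit 2 ;;
esac
```

Query it from your monitoring host with snmpwalk -v3 -u nasmon -l authPriv -a SHA -x AES and the two passphrases; if that works, a v2c walk with any community string should get no reply at all.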

Security patches in CentOS

No and nein... yum --security check-update / yum --security update do NOT work on CentOS. This is simply because the CentOS repositories are missing the updateinfo metadata that flags packages as security errata; when you use RHEL, you pay for that metadata. This is not entirely obvious at first glance, but I guess they didn't want to alter the source code of yum, which still accepts the --security parameter on CentOS. It just has nothing to match against, so it reports that no packages need security updates rather than an error.

If you want automatically flagged packages, buy a RHEL license and use RHEL instead... or, if you are a dev, use the free developer program.

Otherwise, use https://cefs.steve-meier.de/

Sadly his parser is not open source, so you need to rely on this guy. He hasn't failed so far, though.


fluentd: Install fluent-plugin-mysql on RHEL 7

fluent-plugin-mysql is a fluentd plugin that lets you send log data to a MySQL/MariaDB database. However, it is a bit hard to find the exact details on how to install it on RHEL 7 (minimal install).

So here we go…

  • yum-config-manager --enable rhel-7-server-optional-rpms
  • yum install -y ruby-devel mysql-devel
  • /opt/td-agent/embedded/bin/fluent-gem install fluent-plugin-mysql
  • Profit!!

If the last step fails while building the mysql2 native extension, it needs a C compiler as well (yum install -y gcc), then retry.

virt-manager X forwarding to OS X (release mouse)

When you forward virt-manager from a Linux machine to OS X and try to release the mouse from the console, you may have noticed that it doesn't work.

If you use XQuartz, simply go into Preferences and select "Option keys send Alt_L and Alt_R".

Source: https://major.io/2013/03/20/virt-manager-wont-release-the-mouse-when-using-ssh-forwarding-from-os-x/

Pac Manager 4.5.5.7 on CentOS 7.1

This one is a sweet dependency hell; however, it is possible to get Pac Manager running using CentOS repos only (incl. EPEL) and one wget from CPAN.

Since I'm running FreeBSD and OS X on my workstations, and I have found that Pac Manager is the only really good connection manager I have encountered, I decided to set it up on a CentOS 7 VM and forward X over SSH to my FreeBSD workstation (sure, you can port the application, but for now this is the easy way).

So, this guide will show you how to get it running under a minimal CentOS 7 installation. I've only tried it with Pac Manager v4.5.5.7, but it could probably work with other versions as well.

I've sourced parts of the solution from forums and the Pac Manager discussion board; most of them were broken in one way or another, but this one has been refined several times on clean CentOS 7 installations.

Manual installation

  1. Download pac-4.5.5.7-all.tar.gz from SourceForge.
  2. tar zxvf pac-4.5.5.7-all.tar.gz
  3. cd pac
  4. The embedded GNOME 2 VTE modules cause conflicts; removing them forces the application to look for the system-wide ones instead:
    find . -name "Vte.so*" -exec rm -v {} +
  5. Perform a bunch of yum installs.
    First enable the EPEL repo:
    sudo yum install epel-release

    sudo yum install ftp perl-Gtk2.x86_64 unique-devel.x86_64 libglade2-devel.x86_64 perl-Socket6.x86_64 vte-devel.x86_64 GConf2-devel.x86_64 cpan perl-Gtk2 perl-YAML uuid-perl.x86_64 perl-Crypt-CBC.noarch

  6. Install development tools (maybe overkill with a group install, though):
    sudo yum groupinstall "Development tools"
  7. A bunch of cpan installs (note that this builds and installs unsigned code straight from CPAN, as root). You will be asked a few questions during some of them, like

    This module requires X::Z to install itself.
    Install X::Z from CPAN? [n]

    Answer Y to these.

    sudo cpan -if Module::Build
    sudo cpan -i IO::Stty
    sudo cpan -i Glib
    sudo cpan -i Expect
    sudo cpan -i Cairo
    sudo cpan -i Pango
    sudo cpan -if Gnome2::GConf
    sudo cpan -i Gtk2
    sudo cpan -i Gtk2::Unique
    sudo cpan -i Net::ARP
    sudo cpan -i Crypt::Rijndael
    sudo cpan -i Crypt::Blowfish
    sudo cpan -i Gtk2::Ex::Simple::List
    sudo cpan -i Gtk2::GladeXML

  8. Install Gnome2 VTE from CPAN (build as your own user, install as root):
    wget http://search.cpan.org/CPAN/authors/id/X/XA/XAOC/Gnome2-Vte-0.11.tar.gz
    tar zxvf Gnome2-Vte-0.11.tar.gz
    cd Gnome2-Vte-0.11
    perl Makefile.PL
    make
    sudo make install
  9. Try starting pac now.

Things needed for X11 forwarding (if you installed CentOS 7.1 minimal)

  1. sudo yum install xorg-x11-xauth dbus-x11
  2. Again, possibly overkill with a group install...
    sudo yum groupinstall "Fonts"
  3. Now you should be able to start Pac Manager by running the following command from the Pac Manager directory (don't forget to connect with ssh -X user@host):
    dbus-launch ./pac

Sometimes, when running dbus-launch ./pac, I get:

Gtk-WARNING **: cannot open display: localhost:10.0 at /usr/local/lib64/perl5/Gtk2.pm line 168.

Logging out and back in from the SSH session solves this for me.

Scripted Installation

This script will install all dependencies except the ones related to X11 forwarding. It runs yum and cpan as root, so read it before you run it. Download the script from GitHub:

https://github.com/telefax/Pac-manager-Dependency-installer-for-CentOS-7


Debian Wheezy on Dell Latitude E7240

This laptop has actually been Ubuntu certified and Dell has an Ubuntu image on their website. Since I'm not really an Ubuntu fan and like to make stuff a bit complicated just because I want to have it the way I want it, I decided to go for Debian Wheezy (7.8).
At first I was going with FreeBSD 10.1, but the wifi drivers have not yet been ported to Stable from OpenBSD, and the FreeBSD port that exists only compiles on FreeBSD 11, which is not stable and has shitloads of verbose messages spewn out by the OS all the time... so, maybe later.

So, here is a summary:

Wifi

Wifi doesn't work out of the box.
The wifi chipset is the Intel Dual Band Wireless-AC 7260, but a few sites suggest some editions ship an Intel Centrino Ultimate-N 6300 instead.

For the 7260 you have to install a newer kernel than Wheezy's stock 3.2 (the iwlwifi driver gained 7260 support later), plus the matching iwlwifi firmware package from non-free.

Sound

Almost works out of the box, but ALSA sort of defaults to the wrong sound card, which is rather confusing at first. Google-fu says:

/etc/modprobe.d/alsa-base.conf:
options snd_hda_codec_realtek index=1
options snd_hda_intel index

Suspend/Resume

Not tested very thoroughly, but initially it seems to work as intended.

Docking Station

Requires MST support in the kernel for multiple screens. I did a quick test by fetching the liquorix kernel but didn't get it to work correctly (only mirrored screens). Didn't spend much time trying, though.

Securing Openssh logins with SSH Key pairs

Here is my attempt to assemble a no-bullshit guide, since the internet is flooded with unnecessary obscurantism on this subject. I favor Debian, but the general traits apply to most Linux distributions.

Let’s begin:

What you have realized a long time ago

  • Password-only logins suck.

Mission Objectives

  • Implement public key based authentication.
  • Generate a 4096-bit RSA private key (on OpenSSH 6.5 or newer, ed25519 is the better choice; the steps are the same with -t ed25519).
  • Optionally, convert your private key to PKCS#8 format.
  • Profit!

Lingo

Public key = resides in ~/.ssh/authorized_keys on the server you want to SSH to; it is not secret.
Private key = your super-secret key that you access your server with.
You unlock the key locally with the passphrase you supplied at the time of generation.
It should be hard to steal, but we can at least take some precautions to make it harder to crack if it is. Still, if it gets stolen and you become aware of it, generate new keys anyway and remove the old public key from authorized_keys on every server it was installed on.

Create the secret holy divine key file to use when you SSH to the server


    1. Create a .ssh directory in your home dir (probably exists already):
      mkdir -p $HOME/.ssh

      Make sure no one but you has access here:

      chmod 0700 $HOME/.ssh
    2. Create the key files (preferably NOT on the actual server, since your private key should never touch your server). Use a strong passphrase:
      ssh-keygen -t rsa -b 4096 -f my_new_keys

    3. Ship my_new_keys.pub to the server:
       ssh-copy-id -i my_new_keys.pub "user@server"
    4. Now check that your key works (if you use PuTTY, google for puttygen and openssh keys to convert your private key to PuTTY's format):
      ssh -i my_new_keys user@server

      

PKCS8

Optionally, change the format of the private key you just generated to PKCS#8 for stronger protection of the key file. The reason: the classic OpenSSH/OpenSSL PEM format derives the encryption key from your passphrase with a single round of MD5, which is cheap to brute-force if the file is stolen, whereas PKCS#8 v2 uses PBKDF2 with many iterations. On OpenSSH 6.5 or newer you get the same benefit (a bcrypt KDF) with ssh-keygen -o -a 100, and that format is the default since OpenSSH 7.8; PKCS#8 is the route for older clients.

Make sure your SSH client can handle PKCS#8. The server needs no modification, since this is client side only.
The command asks for the passphrase you chose earlier to decrypt the key, then for a new one, and writes the re-encrypted key in PKCS#8 format to a new file (aes-256-cbc is a better choice than des3 if your OpenSSL offers it). Don't pass the passphrases with -passin/-passout on the command line; they show up in the process list.

openssl pkcs8 -topk8 -v2 des3 -in my_new_keys -out my_new_keys.pk8

Then replace the old file with the new one and test the login again.

Configure SSHD

Now it is time to change some things in the sshd config on your server.
Make sure you have the following set in /etc/ssh/sshd_config:

PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no

RSAAuthentication only ever applied to SSH protocol 1 and was removed in OpenSSH 7.4, so it doesn't belong here. ChallengeResponseAuthentication (called KbdInteractiveAuthentication from 8.7 on) matters on Debian because with UsePAM yes, keyboard-interactive can still prompt for the account password even when PasswordAuthentication is off.

This will force you to only use your private key when you log in to your server.

Or specify a user that can only log in via key:

Match User SuperBOFH
PasswordAuthentication no

Or match a whole group:

Match Group sudoers
PasswordAuthentication no

Match blocks go at the end of the file: everything after a Match line belongs to that block until the next one, and for the reason above you want ChallengeResponseAuthentication no in those blocks as well.

After changing sshd_config, test it with sshd -t, keep your current session open, and reload OpenSSH:

 service ssh reload 

Then verify from a second terminal that key login works, and that password login is refused, before you close the old session.
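Below is an added example (my own, not from the post) that checks what this guide sets up before you reload sshd and lock yourself out: the permissions on ~/.ssh and the keys in it from step 1, and the effective sshd_config values from this section. It reads the config the way sshd does (the first occurrence of a keyword wins; Match blocks are conditional and therefore skipped), and it also flags PermitRootLogin, which the guide itself does not mention.

```shell
#!/bin/sh
# Added example, not from the original post: audit the settings this guide
# relies on. Usage: audit_sshd_config [/etc/ssh/sshd_config]; audit_ssh_dir [~/.ssh]

# sshd_opt FILE KEYWORD: effective top-level value of KEYWORD, lower-cased.
# sshd uses the first occurrence it finds; everything after a Match line
# belongs to that Match block and is conditional, so it is skipped here.
sshd_opt() {
    awk -v key="$2" '
        tolower($1) == "match" { inmatch = 1 }
        !inmatch && tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# audit_sshd_config [FILE]: print each weak setting; return 1 if any was found
audit_sshd_config() {
    cfg=${1:-/etc/ssh/sshd_config}
    rc=0
    pa=$(sshd_opt "$cfg" PasswordAuthentication)
    # unset means "yes" in sshd, so missing is as bad as yes
    [ "$pa" = "no" ] || { echo "PasswordAuthentication=${pa:-unset} (want no)"; rc=1; }
    pk=$(sshd_opt "$cfg" PubkeyAuthentication)
    [ "$pk" != "no" ] || { echo "PubkeyAuthentication=no (want yes)"; rc=1; }
    # keyboard-interactive via PAM can still ask for the account password
    cr=$(sshd_opt "$cfg" ChallengeResponseAuthentication)
    [ "$cr" = "no" ] || { echo "ChallengeResponseAuthentication=${cr:-unset} (want no)"; rc=1; }
    # unset depends on the OpenSSH version, so insist on an explicit value
    prl=$(sshd_opt "$cfg" PermitRootLogin)
    case "$prl" in
        no|prohibit-password|without-password) ;;
        *) echo "PermitRootLogin=${prl:-unset} (want no or prohibit-password)"; rc=1 ;;
    esac
    return $rc
}

# audit_ssh_dir [DIR]: ~/.ssh must be 0700 and authorized_keys plus any
# id_* private key must be unreadable by group/other, or sshd (StrictModes
# yes, the default) silently ignores the keys and you are back to passwords.
audit_ssh_dir() {
    dir=${1:-$HOME/.ssh}
    rc=0
    [ -d "$dir" ] || { echo "$dir: missing"; return 1; }
    # columns 5-10 of ls -l are the group and other permission bits
    [ "$(ls -ld "$dir" | cut -c5-10)" = "------" ] || { echo "$dir: not 0700"; rc=1; }
    for f in "$dir"/authorized_keys "$dir"/id_*; do
        [ -f "$f" ] || continue
        case "$f" in *.pub) continue ;; esac
        [ "$(ls -l "$f" | cut -c5-10)" = "------" ] || { echo "$f: readable by others"; rc=1; }
    done
    return $rc
}
```

Run audit_sshd_config on the server after editing and audit_ssh_dir both on the client (for the private key) and on the server (for authorized_keys); an empty output and a zero exit status mean the settings match what this guide asks for.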

Now keep your private key safe! Preferably on an encrypted USB thumb drive or similar.

???
PROFIT