User:needle

From Gentoo Wiki

Needle
Contact info
needle@irc.libera.chat (IRC)


User info
Gentoo user since 2006
de: This user is a native speaker of German.
pl: This user is a native speaker of Polish.
en-3: This user is able to contribute with an advanced level of English.
ru: This user is a native speaker of Russian.

needle has been using Gentoo Linux for work, and doing IP networking for a living, for years.

Building and breaking IP networks using the most flexible, most configurable and the most stable linux distribution available out there: gentoo linux.

My main area of interest is:

  • networking
  • IP networks
  • IP network related software
  • IP routing

And all kinds of cross-$vendor/$platform/$implementation/$protocol related issues.

Yes, I read RFCs. Operating IP networks and troubleshooting IP- or protocol-related issues in different networking environments, using different implementations, needs one common basis; that is what RFCs are good for. You will spot all kinds of issues among the above-mentioned $variables, you really would not believe it is real. Specifically, RFCs that are:

  1. Partially implemented
  2. Wrongly implemented
  3. Not implemented at all
  4. Implemented, but in one specific implementation detail it differs from the RFC; the root of $EVENT_CASCADE

In the worst imaginable network or protocol troubleshooting situation, do not trust that all involved parties:

  • $vendor
  • $hardware-platform
  • $operating-system
  • $software

comply with the RFCs listed on their own websites. Read it, look it up, troubleshoot or debug the $issue using the listed RFC.

Most of the sighted $issues are really just stupid bugs, or of the typo-in-the-code kind.

If they are professionals, on a rare occasion you might get feedback like this:

$feature on $implementation was not planned at this $scale, you hit specific $edge case. You are the first to notice this, thanks for reporting. It is already fixed in the latest code. We will get back to you, for testing.

needle is on the #gentoo Gentoo Linux Support and the #gentoo-wiki Gentoo Wiki channels on the Libera.Chat IRC network.

Documentation URL

Writing IT-related documentation, RFC style:

OATH Toolkit - PAM authentication error

Error:

Warning
If the system files involved in authentication are corrupt, this might generate the following PAM authentication error in syslog ("User not known to the underlying authentication module" is the text of PAM's PAM_USER_UNKNOWN return code):
  • error: PAM: User not known to the underlying authentication module for znurt from 192.0.2.10

Authentication issue related to corrupt files on the test system:

  • /etc/shadow
  • /etc/passwd

Fix:

Sanitize using the tool pwck. Run pwck -r first: the read-only mode reports problems without prompting to delete entries, which is what you want before touching the authentication files of a live system:

root #pwck
user 'adm': directory '/var/adm' does not exist
user 'lp': directory '/var/spool/lpd' does not exist
user 'news': directory '/usr/lib/news' does not exist
user 'games': directory '/usr/games' does not exist
user 'polkituser': no group 1011
pwck: no change

This run reported only missing home directories and one dangling group reference, and changed nothing. If the PAM error persists after the files have been sanitized, check that the affected user really has matching entries in both files, with getent passwd znurt and (as root) getent shadow znurt.

less is more

USE flag ebuild suggestions for more out-of-the-box Gentoo 'fun', by simply using 'less' of all those USE flags that are not strictly needed.

Resulting in:

  • less maintenance
  • less corner cases
  • less snowflake configurations
  • less annoying preset default behaviours
  • less pulled package dependencies
  • less code
  • less bugs
  • less attack surface
  • less resource usage CPU/RAM
  • less CPU cycles wasted on unused code
  • less complexity
  • less time spent on troubleshooting complex systems
  • less packages to build
  • less electrical energy used

That is resulting in:

  • easier configuration
  • easier setup
  • more unification
  • more chances for automating stuff
  • more automation
  • more time for important stuff

MPD minimal USE flag combo

Only 6 USE flags are enough for the Gentoo system to play most audio files. The libraries shown could be swapped for drop-in replacements if the minimal configuration is to be kept. No extensive library testing was done here; this is the pragmatic approach, works for me(tm). If something is missing, just add it on top of that USE flag combo, recompile, and you are done. A good starting point for a minimal configuration, for troubleshooting, for sorting out libraries, etc.

user $equery uses mpd | grep +
+alsa
+curl
+flac
+mad
+vorbis
+wavpack

SMW

This wiki has SMW support; create easy examples for demonstration using: Special:Version#mw-version-ext

Perfect example collections for SMW:

Here are a few simple SMW examples for a start.

SHA-512 to Blowfish migration testing

(glibc)bcrypt implementation status

A timeline of why bcrypt is still not available in the mainstream Linux distribution sector: https://access.redhat.com/articles/1519843.

A bug reported in the year 2006, now nearly 2 decades ago.


Important
Before reading further, read about bcrypt rounds (the cost) and take a close look at the generated salt. Keep in mind that bcrypt only uses the first 72 bytes of the password. Use a strong password when using bcrypt.

This is a test, done before migration. If the test succeeds, the target system is considered safe for migration. The steps described here should work for every other user that is to be migrated. This short description is meant for nodes with few users only.

Make sure your target system supports Blowfish; apparently it is not available everywhere on every Linux:

user $man 3 crypt

Here it looks like the table depicted in man 3 crypt:

       ID   Method
       ────────────────────────────────────────────────────────────────────────────
       1    MD5
       2a   Blowfish (not in mainline glibc; added in some Linux distributions)
       5    SHA-256 (since glibc 2.7)
       6    SHA-512 (since glibc 2.7)

Create a test user, here larry, on the target system (membership in wheel and audio is not needed for the test itself):

root #useradd -m -G users,wheel,audio -s /bin/bash larry

Emerge

Review and set USE flags before emerging the package; enable the bcrypt USE flag:

root #emerge --ask sys-apps/shadow
Note
Verify that the package sys-apps/shadow has the bcrypt USE flag enabled and that the package has been rebuilt with that flag.

Generate

Now configure bcrypt to create really safe password hashes. If you are an expert in fast-food security, done in 5 seconds, here is a quick CLI to generate a hash:

user $htpasswd -bnBC 15 "" G3n70o_L1nuX-r0ck5?! | tr -d ':\n'
$2y$15$ibqikJGVNIsDx3LcQF0DduUaa0ropb9wG8bbEkEHWIqPtD3T52cQK

Two caveats with this one-liner: -b takes the password from the command line, so it ends up in the shell history and is visible to every user in ps while htpasswd runs; on a shared host use -i and feed the password on stdin instead. And a cost of 15 means 2^15 rounds, several seconds per hash on ordinary hardware, which is also paid on every login.

The generated prefix, here $2y$, is NOT the interesting part. $2a$ and $2y$ (and OpenBSD's $2b$) identify the same Blowfish-based bcrypt algorithm; for a password made of 7-bit ASCII characters a correct implementation produces the identical salt-and-hash body whichever prefix is written in front of it.

The prefix only matters in the context of the specific application, operating system and libraries, to distinguish kaputt crypto $2a$ (hashes that may come from crypt_blowfish before its 2011 sign-extension bug with 8-bit characters was fixed) from fixed crypto $2y$ (hashes guaranteed to come from the corrected code).

Replace

Now edit the /etc/shadow file with a text editor. vipw -s does the same while holding the lock on the file, which is the safer choice on a live system; usermod -p '<hash>' larry also accepts a pre-computed hash:

root #vim /etc/shadow

And replace following test user created SHA-512 hash:

   ...
   larry:$6$W2LZ5IsI$KVrGRLf7YbTPKA.t/4gvwOr4wtHBdvF6DYpSV93ZvkdkNy0qZFu0VMt7Igy7EzW8GIEED8tVdD5vq2/HpMn7b0:16134:0:99999:7:::
   ...

With the generated bcrypt hash. Note the bcrypt cost field: the value depicted below is not a real, measured rounds setting, it is only there for the example:

   ...
   larry:$2y$15$ibqikJGVNIsDx3LcQF0DduUaa0ropb9wG8bbEkEHWIqPtD3T52cQK:16134:0:99999:7:::
   ...

Sanitize

Run pwck to assure file consistency and to sanitize the system files involved.

root #pwck
Tip
Best practice: always sanitize files if there is a $tool for it. This saves a lot of time otherwise spent on needless troubleshooting.
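Before the Replace and Sanitize steps above are done by hand on a real system, it helps to have the hash checked and the shadow line rewritten mechanically. The following POSIX sh functions are an added example written for this page, not code from the original page or from the shadow package: they validate that a string is a well-formed bcrypt hash (prefix, two-digit cost in range, 60 characters in total, 53 characters of bcrypt base64 after the cost), swap it into the named user's shadow(5) line while preserving the other eight fields, and check that every line still has nine fields, the same kind of consistency check pwck performs in the OATH section above. The shadow snippet at the end is constructed for the demonstration and is not a real system file; the hash values are the ones shown on this page, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not code from the original page): validate a bcrypt hash
# before it goes anywhere near /etc/shadow, then swap it into the user's
# shadow(5) line while keeping the other eight fields untouched.

# Return 0 if $1 is a modular-crypt bcrypt string: a $2a$, $2b$ or $2y$
# prefix, a two-digit cost between 04 and 31, then 22 salt characters and
# 31 hash characters from the bcrypt base64 alphabet [./A-Za-z0-9],
# 60 characters in total.
is_bcrypt_hash() {
    case "$1" in
        '$2'[aby]'$'[0-9][0-9]'$'*) ;;
        *) return 1 ;;
    esac
    [ "${#1}" -eq 60 ] || return 1
    cost=$(printf '%s' "$1" | cut -d '$' -f 3)
    [ "$cost" -ge 4 ] && [ "$cost" -le 31 ] || return 1
    body=$(printf '%s' "$1" | cut -d '$' -f 4)
    [ "${#body}" -eq 53 ] || return 1
    case "$body" in
        *[!./A-Za-z0-9]*) return 1 ;;
    esac
    return 0
}

# Return 0 if every line on stdin has the nine colon-separated fields of
# shadow(5); the same kind of consistency check pwck performs.
shadow_fields_ok() {
    awk -F: 'BEGIN { bad = 0 } NF != 9 { bad = 1 } END { exit bad }'
}

# Read shadow(5) lines on stdin and print them with field 2 (the hash) of
# user $1 replaced by $2. Nothing else on the line is touched.
replace_shadow_hash() {
    awk -F: -v OFS=: -v user="$1" -v hash="$2" '$1 == user { $2 = hash } { print }'
}

# Refuse anything that is not a well-formed bcrypt hash, then rewrite.
migrate_user_hash() {
    if ! is_bcrypt_hash "$2"; then
        echo "refusing: not a bcrypt hash: $2" >&2
        return 1
    fi
    replace_shadow_hash "$1" "$2"
}

# Demonstration on a constructed shadow(5) snippet (not a real system file);
# the SHA-512 and bcrypt values are the ones shown on this page.
SAMPLE_SHADOW='root:!:16134:0:99999:7:::
larry:$6$W2LZ5IsI$KVrGRLf7YbTPKA.t/4gvwOr4wtHBdvF6DYpSV93ZvkdkNy0qZFu0VMt7Igy7EzW8GIEED8tVdD5vq2/HpMn7b0:16134:0:99999:7:::'
NEW_HASH='$2y$15$ibqikJGVNIsDx3LcQF0DduUaa0ropb9wG8bbEkEHWIqPtD3T52cQK'

printf '%s\n' "$SAMPLE_SHADOW" | migrate_user_hash larry "$NEW_HASH"
```

A trailing colon left over from the htpasswd output, a cost outside 04..31 or a SHA-512 hash passed by mistake is rejected before anything is written. To apply the result on a real node, feed /etc/shadow through migrate_user_hash into a temporary file, run shadow_fields_ok and pwck -r on that file, and only then install it in place of the original with the same owner and mode.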

Verify

Open an SSH connection to localhost using the changed test user name, here larry. This only exercises the new hash if sshd actually asks for the password: PasswordAuthentication (and UsePAM, when PAM is in use) must be enabled in sshd_config and the test user must have no authorized key, otherwise public key authentication succeeds without ever touching /etc/shadow:

user $ssh larry@localhost

If authentication succeeds, you are ready to plan the migration of the working users.

Clean up

After the testing is finished, remove larry and the home directory created by useradd -m from the system:

root #userdel -r larry

etckeeper whitelist configuration

Note
Create the .gitignore file before running the etckeeper initialization.

This example below shows how to save explicit files to the etckeeper repository. This is the reverse approach, compared to the default etckeeper configuration, which

The first entry * ignores ALL files in the /etc directory; the following ! entries negate that and mark the interesting files that will be saved to the repository. Git cannot re-include a file whose parent directory is still excluded, so a directory has to be un-ignored before the files inside it, which is why the apache2 examples below list the directory first.

Configuration example for saving these 3 files:

  • /etc/crontab
  • /etc/inittab
  • /etc/resolv.conf
FILE /etc/.gitignore
# ignore everything
*
# now add interesting files
!crontab
!inittab
!resolv.conf

Configuration example for /etc/apache2/ directory:

FILE /etc/.gitignore
# ignore everything
*
# now add interesting files and dirs
!apache2/
!apache2/*

Configuration example for directories containing subdirectories with interesting files:

  • /etc/apache2/httpd.conf
  • /etc/apache2/vhosts.d/
  • /etc/apache2/modules.d/
FILE /etc/.gitignore
# ignore everything
*
# now add interesting files and dirs
!apache2/
!apache2/httpd.conf
!apache2/modules.d/
!apache2/modules.d/*
!apache2/vhosts.d/
!apache2/vhosts.d/*

Automated rebuild of portage packages

This solution relies on sys-process/cronie and the usage of its anacron USE flag.

What that anacron USE flag does, verified using the euse tool:

user $euse -i anacron
[-      ] anacron (sys-process/cronie):
Install the periodic anacron command scheduler.

It is an added feature of cronie. The anacron USE flag re-schedules missed cron jobs on machines that are not online 24/7, like e.g. laptops and workstations. Apart from that it works like a usual cron scheduler. This feature does not rely on the separate anacron package.

Install cronie:

root #emerge --ask sys-process/cronie

Schedule daily rebuild by adding following file in the /etc/cron.daily/ directory:

Note
User:Sam suggested that sanity checks are missing: the pre-upgrade and post-emerge routines are not handled by this script. Read Portage_log and elogv for a final solution.
FILE /etc/cron.daily/portage
#!/bin/sh
#
# Run one step and log its exit status to syslog. The status has to be
# saved right after the command: once "[ $? -eq 0 ]" has been evaluated,
# $? holds the result of that test (1 in the else branch), not the real
# error code of the command.
run_step() {
    label=$1
    shift
    "$@"
    rc=$?
    if [ "$rc" -eq 0 ]; then
        logger "$label has finished."
    else
        logger "$label has exited with error code: $rc"
    fi
    return "$rc"
}

# Sync portage using eix-sync
# -U   Do not touch the database, do not show differences
# -T   Do not measure time
run_step "eix-sync" /usr/bin/eix-sync -U -T

# Now update the database
run_step "eix-update" /usr/bin/eix-update

# Emerge world packages. For skipping bugged ebuilds,
# add EMERGE_DEFAULT_OPTS="--keep-going" to the make.conf file
run_step "emerge --world" emerge -uDN @world

# And keep everything working
run_step "emerge @preserved-rebuild" emerge @preserved-rebuild
status=$?

# Write a message to syslog: the portage rebuild has finished now.
logger "daily cron portage update has finished with exit status: $status"

Make the /etc/cron.daily/portage file executable by adding the +x flag:

root #chmod +x /etc/cron.daily/portage

This schedules the eix-sync and emerge jobs at ~03:00 AM. If a job was missed because the host was turned off, it is run after the host has been turned on again.

Now it would be nice to see what has been rebuilt and how it worked out, without using any complex commands. Add a shell script to the ~/bin directory of the root user. The script runs 2 qlop commands showing the results from the beginning of the day. qlop is part of the app-portage/portage-utils ebuild.

FILE /root/bin/emergelog.sh
#!/bin/sh
qlop -H -s -d today
qlop -H -m -u -d today

Make the /root/bin/emergelog.sh file executable by adding the +x flag:

root #chmod +x ~/bin/emergelog.sh

Because I am even too lazy to run that command manually, I add the following lines to the /root/.profile file. This calls the above /root/bin/emergelog.sh each time the root user authenticates to this host. Additionally it lists the last 8 lines of the /var/log/emerge.log file:

FILE /root/.profile
echo "Last emerged packages:"
sh ~/bin/emergelog.sh
echo ""
echo "Last emerge.log entries:"
tail -n 8 /var/log/emerge.log
echo ""

And this is how the prompt looks after a successful login:

root #
Last emerged packages:
2020-04-21T02:30:13 *** gentoo
2020-04-21T03:22:44 >>> dev-util/re2c
2020-04-21T03:32:45 >>> net-misc/whois
2020-04-21T08:20:39 >>> dev-libs/libpcre2

Last emerge.log entries:
1587455666:  *** Finished. Cleaning up...
1587455669:  *** exiting successfully.
1587455669:  *** terminating.
1587455675: Started emerge on: Apr 21, 2020 09:54:34
1587455675:  *** emerge --keep-going @preserved-rebuild
1587455687:  *** Finished. Cleaning up...
1587455690:  *** exiting successfully.
1587455691:  *** terminating.

This is an optional step and could be useful on always-on systems, for the update routine to be sane. If the update routine has changed a daemon's libraries, that particular service needs an unattended restart. To accomplish this, use the following tool:

root #emerge --ask app-admin/needrestart

The default configuration needs to be adjusted to the own system; do not rely on defaults. app-admin/needrestart needs further configuration. The list of all configuration files:

user $tree /etc/needrestart

This solution works 99% of the time. If packages fail to build, this needs to be resolved manually by doing a world rebuild and inspecting what has gone wrong.

laptop_mode laptop roaming howto

Additional software

These packages are all needed to get it to run:

Configuration

OpenRC

Daemon status and interfaces are managed to reflect the current power level, AC or running on battery. This can be accomplished using sys-apps/openrc. OpenRC configuration and management is more complex compared to the app-laptop/laptop-mode-tools configuration approach, but also much more flexible. A simplified OpenRC configuration is needed; the dynamic services are handled by laptop-mode-tools. Overview of the running daemons handled by the OpenRC default runlevel; note that the laptop_mode daemon is started here:

user $rc-status default
Runlevel: default
 lm_sensors                                                        [  started  ]
 sysklogd                                                          [  started  ]
 sensord                                                           [  started  ]
 alsasound                                                         [  started  ]
 acpid                                                             [  started  ]
 cupsd                                                             [  started  ]
 cronie                                                            [  started  ]
 chronyd                                                           [  started  ]
 laptop_mode                                                       [  started  ]
 local                                                             [  started  ]
 sshd                                                              [  started  ]

The following daemons need to be managed by laptop-mode-tools:

user $rc-status default
 net.eth0                                                          [  started  ]
 net.wlan0                                                         [  started  ]
 sshd                                                              [  started  ]
 cupsd                                                             [  started  ]

Remove the daemons from the OpenRC default runlevel (the service names are sshd and cupsd, as listed above; only the network interfaces carry the net. prefix):

root #rc-update del net.eth0 default
root #rc-update del net.wlan0 default
root #rc-update del sshd default
root #rc-update del cupsd default

Verify the default startup of openrc:

user $rc-status default
Runlevel: default
 lm_sensors                                                        [  started  ]
 sysklogd                                                          [  started  ]
 sensord                                                           [  started  ]
 alsasound                                                         [  started  ]
 acpid                                                             [  started  ]
 cronie                                                            [  started  ]
 chronyd                                                           [  started  ]
 laptop_mode                                                       [  started  ]
 local                                                             [  started  ]

Laptop-mode-tools

The dynamic configuration of laptop-mode-tools relies on the 2 default ACPI power states:

  • laptop is running on AC power
  • laptop is running on battery

laptop-mode-tools has 3 matching states of its own:

  • batt (running on battery)
  • lm-ac (on AC power, laptop mode running)
  • nolm-ac (on AC power, laptop mode not running)

The 3rd state nolm-ac (laptop-mode-tools daemon NOT running) is not used here.

Get an overview of the laptop-mode directory:

user $tree -L 1 /etc/laptop-mode
 /etc/laptop-mode
 ├── batt-start
 ├── batt-stop
 ├── conf.d
 ├── laptop-mode.conf
 ├── lm-ac-start
 ├── lm-ac-stop
 ├── lm-profiler.conf
 ├── modules
 ├── nolm-ac-start
 └── nolm-ac-stop

Each of the 3 predefined states batt, lm-ac and nolm-ac has a -start and a -stop directory in the structure. There is also a conf.d directory for the configuration of services that are handled by laptop-mode, and a modules directory for modules to be used explicitly.

The goal is reached when the laptop automatically determines which daemons need to be started and which need to be stopped depending on the ACPI battery level.

There are 2 states in which the laptop is working:

  • laptop is docked: AC connected, wired access, printing available, ssh daemon running
  • laptop is not docked: on battery, wireless access, no printing available, no ssh daemon running

Assign the previously removed daemons to laptop-mode. Start with the battery state: wlan is the only service needed while running on battery. Stopping sshd there also means no ssh listener is exposed while the laptop is on the wireless network.

Change to the directory:

root #cd /etc/laptop-mode/batt-start/

Create a symlink to daemons to be run while on battery:

root #ln -s /etc/init.d/net.wlan0 .

Change to the directory /etc/laptop-mode/batt-stop/:

root #cd /etc/laptop-mode/batt-stop/

Create symlinks to the daemons to be stopped while on battery:

root #ln -s /etc/init.d/cupsd .
root #ln -s /etc/init.d/net.eth0 .
root #ln -s /etc/init.d/sshd .

Start and Stop daemons handled by the battery status after configuration:

user $tree -L 1 /etc/laptop-mode/batt-st*
/etc/laptop-mode/batt-start
└── net.wlan0 -> /etc/init.d/net.wlan0
/etc/laptop-mode/batt-stop
├── cupsd -> /etc/init.d/cupsd
├── net.eth0 -> /etc/init.d/net.eth0
└── sshd -> /etc/init.d/sshd

Start and stop daemons handled by the AC status:

user $tree -L 1 /etc/laptop-mode/lm-ac-st*
/etc/laptop-mode/lm-ac-start
├── cupsd -> /etc/init.d/cupsd
├── net.eth0 -> /etc/init.d/net.eth0
└── sshd -> /etc/init.d/sshd
/etc/laptop-mode/lm-ac-stop
└── net.wlan0 -> /etc/init.d/net.wlan0

Verification

Docked laptop and service status:

user $rc-status default
Runlevel: default
 lm_sensors                                                        [  started  ]
 sysklogd                                                          [  started  ]
 sensord                                                           [  started  ]
 alsasound                                                         [  started  ]
 mpd                                                               [  started  ]
 acpid                                                             [  started  ]
 cronie                                                            [  started  ]
 chronyd                                                           [  started  ]
 laptop_mode                                                       [  started  ]
 local                                                             [  started  ]
Dynamic Runlevel: hotplugged
Dynamic Runlevel: needed/wanted
 net.eth0                                                          [  started  ]
 cupsd                                                             [  started  ]
Dynamic Runlevel: manual
 sshd                                                              [  started  ]

Undocked status:

user $rc-status default
Runlevel: default
 lm_sensors                                                        [  started  ]
 sysklogd                                                          [  started  ]
 sensord                                                           [  started  ]
 alsasound                                                         [  started  ]
 mpd                                                               [  started  ]
 acpid                                                             [  started  ]
 cronie                                                            [  started  ]
 chronyd                                                           [  started  ]
 laptop_mode                                                       [  started  ]
 local                                                             [  started  ]
Dynamic Runlevel: hotplugged
Dynamic Runlevel: needed/wanted
 net.wlan0                                                         [  started  ]

This is a ready, easy to use, running configuration.

Enable IPv6 privacy extensions (RFC4941)

IPv6 privacy extensions (RFC 4941 temporary addresses) are disabled by default on GNU/Linux. This surprises users who are not aware of it: the interface's stable address, with an EUI-64 derived from the MAC, is then used as the source address of every outgoing connection, which is exactly what temporary addresses are meant to avoid. To enable privacy extensions on Gentoo permanently, add the following lines and reboot the system:

FILE /etc/sysctl.conf Enabling IPv6 privacy extensions
...
# Enabling IPv6 privacy extensions for specified interfaces. 
# here eth0 and wlan0
# net.ipv6.conf.eth0.use_tempaddr = 2
# net.ipv6.conf.wlan0.use_tempaddr = 2
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2

# Setting a shorter preferred lifetime for a temporary IPv6 address
# (temp_prefered_lft is spelled that way in the kernel); default is one day (86400 s)
net.ipv6.conf.eth0.temp_prefered_lft = 14400
net.ipv6.conf.wlan0.temp_prefered_lft = 14400

The setting net.ipv6.conf.all.use_tempaddr writes its value to all interfaces currently attached to the system; net.ipv6.conf.default.use_tempaddr is the template for interfaces created later. The all setting might not propagate reliably to every interface, at least not on my own tested Gentoo installations up to kernel 4.14, so verify the per-interface value in /proc/sys/net/ipv6/conf/<interface>/use_tempaddr instead of assuming it.
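Since the all setting cannot be relied on, the per-interface values are worth checking rather than assuming. The following POSIX sh function is an added example written for this page, not code from the original page or from the kernel: it walks /proc/sys/net/ipv6/conf/<interface>/use_tempaddr and prints every interface whose value differs from the wanted one (2, prefer temporary addresses), skipping the all and default templates and lo. The sysctl directory and the wanted value are parameters so the check can also be pointed at a constructed directory tree; the function name and its parameters are this example's own.

```shell
#!/bin/sh
# Added example (not code from the original page): report every interface
# whose use_tempaddr does not have the wanted value, so a missing
# propagation from net.ipv6.conf.all is spotted instead of assumed.
# The sysctl tree is a parameter so the check can run against a constructed
# directory; the defaults are the live kernel values.
tempaddr_noncompliant() {
    base=${1:-/proc/sys/net/ipv6/conf}
    want=${2:-2}
    for f in "$base"/*/use_tempaddr; do
        [ -r "$f" ] || continue
        ifname=${f#"$base"/}
        ifname=${ifname%/use_tempaddr}
        # all and default are templates, lo never gets SLAAC addresses
        case "$ifname" in all|default|lo) continue ;; esac
        value=$(cat "$f")
        [ "$value" -eq "$want" ] || printf '%s=%s\n' "$ifname" "$value"
    done
}

# Usage on a live system: list the interfaces lacking privacy extensions;
# fix each one as root with sysctl -w net.ipv6.conf.<interface>.use_tempaddr=2
# tempaddr_noncompliant
```

An empty result means every real interface has use_tempaddr set as wanted; anything printed is an interface that the all setting did not reach and that needs its own net.ipv6.conf.<interface>.use_tempaddr line in /etc/sysctl.conf.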

There are two old bugs in the Linux kernel bugtracker for this issue:

Wiki templates for templates

Command sequence for old gentoo boxes to update after a long time

This is a basic sequence of commands for updating older gentoo boxes.

Divide and conquer: Update the toolchain first, then resolve the blocks manually afterwards.

Sync portage tree:

root #eix-sync

Update the portage application:

root #emerge --oneshot portage

Emerge latest linux kernel first:

root #emerge gentoo-sources

Show available kernel sources:

root #eselect kernel list

Set the latest linux kernel version:

root #eselect kernel set <input>

Emerge GCC first:

root #emerge --oneshot gcc

Show available GCC compilers:

root #eselect gcc list

Set the latest available GCC compiler in the list:

root #eselect gcc set <input>

Check that the desired GCC has been set and apply the portage postinstall hint:

root #eselect gcc list

Emerge latest glibc

root #emerge --oneshot glibc

Check the latest gentoo related toolchain changes on the wiki, bugs, etc: Project:Toolchain

Emerge latest binutils:

root #emerge binutils

Show current available binutils:

root #eselect binutils list

Set the latest binutils version:

root #eselect binutils set <input>

Verify binutils setting:

root #eselect binutils list

Emerge latest python

root #emerge --oneshot python

Emerge latest perl:

root #emerge --oneshot perl

Emerge latest iproute2

root #emerge --oneshot iproute2

Update the system set with the following command and resolve dependency errors:

root #emerge -vauDN @system

Update the world set with the following command and resolve dependency errors:

root #emerge -vauDN @world

Now it is done.

table example

An example technique for presenting IP network tool output, i.e. CLI output, to the reader in a simple manner: without writing too much about it or going into too much detail, while at the same time explaining the displayed command line output and mentioning the correct "technical term" the user can search for if interested in reading more:

  • command
  • table

cli command example

Mention the command that is used in the CLI below, ip maddress show eth0. The reader first notices the large number of result entries, but doing it that way makes the command easier to remember. Choose the one most specific and matching command that shows results and makes the displayed information useful for the current configuration step:

user $ip maddress show eth0
1:	eth0
	link  33:33:00:00:00:01
	link  01:20:5f:00:00:01
	link  33:33:ff:be:b4:cd
	link  01:20:5f:00:00:fb
	inet  224.0.0.251
	inet  224.0.0.1
	inet6 ff02::1:ffbe:b4cd
	inet6 ff02::1
	inet6 ff01::1

rough overview

  • Show a table having not more than 3 columns.
  • Regarding grouping, 3 is best; more than 3 is probably beyond the scope of that particular wiki entry.
  • Try to match the CLI sorting in the table (does not always work); a perfect sample is shown here.

Write something between the CLI output above and the table entry below.

Address layer   Address range        Description
link            33:33:xx:xx:xx:xx    Ethernet Address Mapping Space - IPv6 Packets over Ethernet
inet            224.0.0.0/4          IP Multicast Address Space
inet6           ff00::/8             IPv6 Multicast Address Space

Complex technology, shown in a simple way. Now the reader can read on, following the more important CLI instructions below this entry, without being stopped at this IP multicast configuration part.

  • And the reader has reached a goal: the reader's CLI output matches the wiki example. Following the examples can only go well from here.