User:needle

From Gentoo Wiki
Jump to:navigation Jump to:search

Needle
Contact info
needle (IRC)


User info
Gentoo user since 2006
deThis user is a native speaker of German.
plThis user is a native speaker of Polish.
en-3This user is able to contribute with an advanced level of English.
ruThis user is a native speaker of Russian.

Meet me in the #gentoo IRC support channel on libera.chat

SMW

This wiki has SMW support. Special:Version#mw-version-ext

  • create easy examples for demonstration.

Create simple example on Logging table - available software using SMW.

SHA-512 to Blowfish migration testing

Important
Before reading furhter. Read about bcrypt rounds or cost, take a close look at the generated salt. Use a professional password when using bcrypt.

This is a test, done before migration. If the test succeeds, the target system is considered safe for migration. The steps described here, should work for every other user that is to be migrated. This short description is meant for nodes only with few users.

Take sure your target system supports Blowfish, apparently it is not available everywhere on every linux:

user $man 3 crypt

Over here it looks like in depicted table, this man 3 crypto

       ID   Method
       ────────────────────────────────────────────────────────────────────────────
       1    MD5
       2a   Blowfish (not in mainline glibc; added in some Linux distributions)
       5    SHA-256 (since glibc 2.7)
       6    SHA-512 (since glibc 2.7)


Create a test user here larry the target system:

root #useradd -m -G users,wheel,audio -s /bin/bash larry

Emerge

Review and set USE flags before emerging the package, enable the bcrypt USE flag

root #emerge --ask sys-apps/shadow
Note
Verify the package sys-apps/shadow has the bcrypt USE flag enabled. And the package has been rebuild using that flag

.

Generate

Now, configure bcrypt to create really safe password hashes.

If you are expert in fastfood security done is 5 seconds, here a quick cli to generate a hash:

user $htpasswd -bnBC 15 "" G3n70o_L1nuX-r0ck5?! | tr -d ':\n'
$2y$15$ibqikJGVNIsDx3LcQF0DduUaa0ropb9wG8bbEkEHWIqPtD3T52cQK%

Generated prefix, here $2y$ is NOT interesting. There is NO difference between $2a$ or $2y$ in any sense. If implemented correctly, all created hashes are working the same. No matter which prefix, is generated using Blowfish.

Replace

Now using a text editor edit the /etc/shadow file

root #vim /etc/shadow

And replace following test user created SHA-512 hash

   ...
   larry:$6$W2LZ5IsI$KVrGRLf7YbTPKA.t/4gvwOr4wtHBdvF6DYpSV93ZvkdkNy0qZFu0VMt7Igy7EzW8GIEED8tVdD5vq2/HpMn7b0:16134:0:99999:7:::
   ...

With this generated bcrypt hash, notice the cost of bcrypt, it is not the real time of rounds depicted below, it is fake here for the examle:

   ...
   larry:$2y$15$ibqikJGVNIsDx3LcQF0DduUaa0ropb9wG8bbEkEHWIqPtD3T52cQK:16134:0:99999:7:::
   ...

Verify

Open a SSH connection to localhost, using that changed test username, here larry:

user $ssh larry@localhost

If authentication succeeds, then you are ready to plan the migration, on working users.

Clean up

After the testing is finished, remove larry from the system

root #userdel larry

etckeeper whitelist configuration

Note
Create a .gitignore file before running the etckeeper initialization.

This example below shows how to save explicit files to the etckeeper repository. This is the reverse approach, compared to the default etckeeper configuration, which

The first entry * ignores ALL files in the /etc directory, following ! negated entries mark the interesting files that will be saved to the repository.

Configuration example for saving these 3 files:

  • /etc/crontab
  • /etc/inittab
  • /etc/resolv.conf
FILE /etc/.gitignore
# ignore everything
*
# now add interesting files
!crontab
!inittab
!resolv.conf

Configuration example for /etc/apache2/ directory:

FILE /etc/.gitignore
# ignore everything
*	 
# now add interesting files and dirs
!apache2/
!apache2/*

Configuration example for directories containing subdirectcories with interesting files:

  • /etc/apache2/httpd.conf
  • /etc/apache2/vhosts.d/
  • /etc/apache2/modules.d/
FILE /etc/.gitignore
# ignore everything	 
* 
# now add interesting files and dirs	 
!apache2/
!apache2/httpd.conf
!apache2/modules.d/
!apache2/modules.d/*
!apache2/vhosts.d/
!apache2/vhosts.d/*

Automated rebuild of portage packages

This solution relies on the sys-process/cronie and the usage of anacron USE flag.

What does that anacron USE flag do, verify using the euse tool:

user $euse -i anacron
[-      ] anacron (sys-process/cronie):
Install the periodic anacron command scheduler.

it is a added feature or function to cronie. The anacron USE flag re-schedules missed cron jobs for machines that are not 24/7 online, like f.e. laptops, workstations. Apart from that it is working like an usual cron scheduler. This feature does not rely on the separate anacron package.

Install cronie:

root #emerge --ask sys-process/cronie

Schedule daily rebuild by adding following file in the /etc/cron.daily/ directory:

Note
user:Sam suggested sanity checks are missing the pre-upgrade and post-emerge routines are not handled by this script. Read Portage_log and elogv for final solution.
FILE /etc/cron.daily/portage
#!/bin/sh
#
# Sync portage using eix-sync
# -U   Do not touch the database, do not show differences
# -T   Do not measure time
/usr/bin/eix-sync -U -T
if [ $? -eq 0 ]; then
    logger "eix-sync has finished."
else
    logger "eix-sync has exited with error code: $?"
fi

# Now update the database
/usr/bin/eix-update
if [ $? -eq 0 ]; then
    logger "eix-update has finished."
else
    logger "eix-update has exited with error code: $?"
fi

# Emerge world packages. For skipping bugged ebuild, 
# add "EMERGE_DEFAULT_OPTS= --keep-going"* to make.conf file
emerge -uDN @world
if [ $? -eq 0 ]; then
    logger "emerge --world has finished."
else
    logger "emerge --world has exited with error code: $?"
fi

# And keep everything working
emerge @preserved-rebuild
if [ $? -eq 0 ]; then
     logger "emerge @preserved-rebuild has finished."
else
      logger "emerge @preserved-rebuild has exited with error code: $?"
fi

# Write a message to syslog portage rebuild has finished now.
logger "daily cron portage update has finished with exit status: $?"

Make the /etc/cron.daily/portage file executable by adding the +x flag:

root #chmod +x /etc/cron.daily/portage

This will schedule run the eix-sync and ebuild jobs, at ~03:00 AM. And if the job has been missed because host was turned off, the job gets scheduled after a the host has been turned on again.

Now it would be nice to see, what has been rebuild and how it worked out without using any complex commands. Add a bash script to the ~/bin directory of the root user. The script runs 2 qlop commands showing the results from beginning of the day. qlop is part of app-portage/portage-utils ebuild.

FILE /root/bin/emergelog.sh
#!/bin/sh
qlop -H -s -d '1 day ago'
qlop -H -m -u -d '1 day ago'

Make the /root/bin/emergelog.sh file executable by adding the +x flag:

root #chmod +x ~/bin/emergelog.sh

Because I am even to tazy to run that command manually, I add following lines to the /root/.profile file, this calls the upper /root/bin/emergelog.sh, each time the root user authenticates to this host. Additionally this lists the last 8 lines of the /var/log/emerge.log file:

FILE /root/.profile
echo "Last emerged packages:"
sh ~/bin/emergelog.sh
echo ""
echo "Last emerge.log entries:"
tail -n 8 /var/log/emerge.log
echo ""

And this is the prompt how it looks like after successful authentication:

root #
Last emerged packages:
2020-04-21T02:30:13 *** gentoo
2020-04-21T03:22:44 >>> dev-util/re2c
2020-04-21T03:32:45 >>> net-misc/whois
2020-04-21T08:20:39 >>> dev-libs/libpcre2

Last emerge.log entries:
1587455666:  *** Finished. Cleaning up...
1587455669:  *** exiting successfully.
1587455669:  *** terminating.
1587455675: Started emerge on: Apr 21, 2020 09:54:34
1587455675:  *** emerge --keep-going @preserved-rebuild
1587455687:  *** Finished. Cleaning up...
1587455690:  *** exiting successfully.
1587455691:  *** terminating.

This is a optional step and could be useful on always on systems, for the update routine to be sane. If the update routine has changed the daemons libriaries, that particular service would need a unattended restart. To accomplish ths use following tool:

root #emerge --ask app-admin/needrestart

Default configuration needs to be adjusted to the own system. Do not rely on defaults. app-admin/needstart needs further configuration. The list of all configuration files:

user $tree /etc/needrestart

This solution works 99% of the time. If packages fail to build, this needs to be resolved manually by doing a world rebuild, and inspecting what has gone wrong.

laptop_mode laptop roaming howto

Additional software

These packages are all needed to get it to run:

Configuration

OpenRC

Managing daemon status and interfaces reflecting the current powerlevel AC or running on battery. This can be accomplished by using sys-apps/openrc. OpenRC configuration and management is more complex compared to the app-laptop/laptop-mode-tools configuration approach, but also much more flexible. A simplified openrc configuration is needed. Dynamic services are handled by laptop-mode-tools. Overview of running daemons handled by openrc runlevel default, note laptop_mode daemon is started here:

user $rc-status default
Runlevel: default
 lm_sensors                                                        [  started  ]
 sysklogd                                                          [  started  ]
 sensord                                                           [  started  ]
 alsasound                                                         [  started  ]
 acpid                                                             [  started  ]
 cupsd                                                             [  started  ]
 cronie                                                            [  started  ]
 chronyd                                                           [  started  ]
 laptop_mode                                                       [  started  ]
 local                                                             [  started  ]
 sshd                                                              [  started  ]

Following daemons need to be managed by laptop-tools:

user $rc-status default
 net.eth0                                                          [  started  ]
 net.wlan0                                                         [  started  ]
 sshd                                                              [  started  ]
 cupsd                                                             [  started  ]

Remove the daemons from the openrc default startup level

root #rc-update del net.eth0 default
root #rc-update del net.wlan0 default
root #rc-update del net.sshd default
root #rc-update del net.cupsd default

Verify the default startup of openrc:

user $rc-status default
Runlevel: default
 lm_sensors                                                        [  started  ]
 sysklogd                                                          [  started  ]
 sensord                                                           [  started  ]
 alsasound                                                         [  started  ]
 acpid                                                             [  started  ]
 cronie                                                            [  started  ]
 chronyd                                                           [  started  ]
 laptop_mode                                                       [  started  ]
 local                                                             [  started  ]

Laptop-mode-tools

The laptop_mode tools dynamic configuration relies on default 2 ACPI levels:

  • laptop is running on AC power
  • laptop is running on battery

laptop-mode tools has 2 according ACPI states named batt and lm-ac:

  • batt
  • lm-ac
  • nolm-ac

The 3-rd state nolm-ac (laptop-mode tools daemon NOT running) is not used.

Get an overview of the laptop-mode directory:

user $tree -L 1 /etc/laptop-mode
 /etc/laptop-mode
 ├── batt-start
 ├── batt-stop
 ├── conf.d
 ├── laptop-mode.conf
 ├── lm-ac-start
 ├── lm-ac-stop
 ├── lm-profiler.conf
 ├── modules
 ├── nolm-ac-start
 └── nolm-ac-stop

Each of the 3 predefined states batt lm-ac and nolm-ac have a -start and -stop suffix in the directory structure. There is also a conf.d directory for services configuration that would be handled by laptop-mode and a modules directory for modules to be used explicitelly.

The goal is reached when the laptop automatically determines which daemons need to be started and which need to be stopped depending on the ACPI battery level.

There are 2 states in which the laptop is working:

  • laptop is docked, ac connected, wired access, printing available, ssh daemon running
  • laptop is not docked, battery, wireless access, no priting available, no ssh daemon runni

Adjust the previosly removed daemons to laptop-mode. Change to the battery level. wlan is the only one service needed while running on battery.

Change to the directory:

root #cd /etc/laptop-mode/batt-start/

Create a symlink to daemons to be run while on battery:

root #ln -s /etc/init.d/net.wlan0 .

Change to the directory /etc/laptop-mode/batt-stop/:

root #cd /etc/laptop-mode/batt-stop/

Create a symlink to deamons to be stopped while on battery:

root #ln -s /etc/init.d/cupsd .
root #ln -s /etc/init.d/net.eth0 .
root #ln -s /etc/init.d/sshd .

Start and Stop daemons handled by the battery status after configuration:

user $tree -L 1 /etc/laptop-mode/batt-st*
tree -L 1 /etc/laptop-mode/batt-st*
/etc/laptop-mode/batt-start
└── net.wlan0 -> /etc/init.d/net.wlan0
/etc/laptop-mode/batt-stop
├── cupsd -> /etc/init.d/cupsd
├── net.eth0 -> /etc/init.d/net.eth0
└── sshd -> /etc/init.d/sshd

Start and Stop daemons handled by the battery status:

user $tree -L 1 /etc/laptop-mode/lm-ac-st*
/etc/laptop-mode/lm-ac-start
├── cupsd -> /etc/init.d/cupsd
├── net.eth0 -> /etc/init.d/net.eth0
└── sshd -> /etc/init.d/sshd
/etc/laptop-mode/lm-ac-stop
└── net.wlan0 -> /etc/init.d/net.wlan0

Verification

Docked laptop and service status:

user $rc-status default
Runlevel: default
 lm_sensors                                                        [  started  ]
 sysklogd                                                          [  started  ]
 sensord                                                           [  started  ]
 alsasound                                                         [  started  ]
 mpd                                                               [  started  ]
 acpid                                                             [  started  ]
 cronie                                                            [  started  ]
 chronyd                                                           [  started  ]
 laptop_mode                                                       [  started  ]
 local                                                             [  started  ]
Dynamic Runlevel: hotplugged
Dynamic Runlevel: needed/wanted
 net.eth0                                                          [  started  ]
 cupsd                                                             [  started  ]
Dynamic Runlevel: manual
 sshd                                                              [  started  ]

Undocked status:

user $rc-status default
Runlevel: default
 lm_sensors                                                        [  started  ]
 sysklogd                                                          [  started  ]
 sensord                                                           [  started  ]
 alsasound                                                         [  started  ]
 mpd                                                               [  started  ]
 acpid                                                             [  started  ]
 cronie                                                            [  started  ]
 chronyd                                                           [  started  ]
 laptop_mode                                                       [  started  ]
 local                                                             [  started  ]
Dynamic Runlevel: hotplugged
Dynamic Runlevel: needed/wanted
 net.wlan0                                                         [  started  ]

This is a ready, easy to use, running configuration.

Enable IPv6 privacy extensions (RFC4941)

IPv6 privacy extensions are disabled by default on GNU/linux, they lead to problems if users are not aware of this. To enable privacy extensions on gentoo permanently add following lines and reboot the system:

FILE /etc/sysctl.confEnabling IPv6 privacy extensions
...
# Enabling IPv6 privacy extensions for specified interfaces. 
# here eth0 and wlan0
# net.ipv6.conf.eth0.use_tempaddr = 2
# net.ipv6.conf.wlan0.use_tempaddr = 2
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2

# Setting q shorter timeout for a temporary IPv6 prefix
# default setting is one day
net.ipv6.conf.eth0.temp_prefered_lft = 14400
net.ipv6.conf.wlan0.temp_prefered_lft = 14400

The setting net.ipv6.conf.all.use_tempaddr is used to propagate its value to all interfaces currently attached to the system. This setting might not work reliably for all interfaces. At least not on my own tested gentoo installations up to kernel 4.14.

There are two old bugs in the Linux kernel bugtracker for this issue:

Wiki templates for templates

Command sequence for old gentoo boxes to update after a long time

This is a basic sequence of commands for updating older gentoo boxes.

Divide and conquer: Update the toolchain first, then resolve the blocks manually afterwards.

Sync portage tree:

root #eix-sync

Update the portage application:

root #emerge --oneshot portage

Sync portage again:

root #eix-sync

Emerge GCC first:

root #emerge --oneshot gcc

Show availabe GCC compilers:

root #eselect gcc list

Set the latest available GCC compiler in the list:

root #eselect gcc set <input>

Check if the desired GCC has been set, apply portage postinstall hint:

root #eselect gcc list

Emerge latest glibc

root #emerge --oneshot glibc

Check the latest gentoo related toolchain changes on the wiki, bugs, etc: Project:Toolchain

Emerge latest linux kernel:

root #emerge gentoo-sources

Show available kernel sources:

root #eselect kernel list

Set the latest linux kernel version:

root #eselect kernel set <input>

Emerge latest binutils:

root #emerge binutils

Show current available binutils:

root #eselect binutils list

Set the latest binutils version:

root #eselect binutils set <input>

Verify binutils setting:

root #eselect binutils list

Emerge latest python

root #emerge --oneshot python

Emerge latest perl:

root #emerge --oneshot perl

Emerge latest iproute2

root #emerge --oneshot iproute2

Update the system with following command, resolve dependency errors:

root #emerge -vauDN system

Update the system with following command, resolve dependency errors:

root #emerge -vauDN world

Now it is done.