[Ubuntu] Freeradius: Improve Uptime

As a network admin, you're going to have at least one Freeradius running, mostly for 802.1x authentication. At my place the problem arose that the service was down too often - for different reasons.

1.) Logrotate
If you're using logrotate, you should check out /etc/logrotate.d/freeradius:

/var/log/freeradius/*.log {
weekly
rotate 52
compress
delaycompress
notifempty
missingok
postrotate
invoke-rc.d freeradius reload >/dev/null 2>&1 || true
endscript
}

Logrotate restarts freeradius with reload after it has swapped the logs, which often results in a crash or a race condition (freeradius does not shut down fast enough, and the restarting process thinks there is already one running - and both terminate). To avoid that, you should stop the process, wait, and start it again.

/var/log/freeradius/*.log {
weekly
rotate 52
compress
delaycompress
notifempty
missingok
postrotate
invoke-rc.d freeradius stop >/dev/null 2>&1 || true
sleep 5
invoke-rc.d freeradius start >/dev/null 2>&1 || true
endscript
}
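The stop/wait/start from the postrotate block, as an added helper script that is not part of the original post: instead of a fixed sleep it polls the pidfile until the old process has really exited, and refuses to start a second instance if it has not. It assumes the pidfile path /var/run/freeradius/freeradius.pid (the one the monit config below uses) and that it runs as root, as logrotate does.

```shell
#!/bin/sh
# Added example, not from the original post: restart helper for the logrotate
# postrotate step. Waits until the old freeradius process is really gone before
# starting a new one, instead of a fixed "sleep 5".
# Assumes the Ubuntu pidfile path (as in the post's monit config) and that it
# runs as root (logrotate does), so "kill -0" reliably reports liveness.
PIDFILE="${PIDFILE:-/var/run/freeradius/freeradius.pid}"

# wait_for_exit PIDFILE MAX_SECONDS
# Returns 0 once the pid recorded in PIDFILE is gone (or the file is missing),
# 1 if that process is still alive after MAX_SECONDS.
wait_for_exit() {
    pidfile="$1"; max="$2"; waited=0
    while [ "$waited" -le "$max" ]; do
        pid=$(cat "$pidfile" 2>/dev/null || true)
        if [ -z "$pid" ] || ! kill -0 "$pid" 2>/dev/null; then
            return 0
        fi
        if [ "$waited" -lt "$max" ]; then sleep 1; fi
        waited=$((waited + 1))
    done
    return 1
}

# safe_restart: stop, wait for the real exit, then start. If the old instance
# hangs around, do not start another one (that is the race the post describes).
safe_restart() {
    invoke-rc.d freeradius stop >/dev/null 2>&1 || true
    if wait_for_exit "$PIDFILE" 30; then
        invoke-rc.d freeradius start >/dev/null 2>&1 || true
    else
        logger -t logrotate "freeradius still running after 30s, not starting another"
        return 1
    fi
}

# Call as "safe-restart.sh restart" from the postrotate block.
if [ "${1:-}" = "restart" ]; then
    safe_restart
fi
```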

2.) Monit
Monit is a monitoring program which checks whether a service is still running.
Install via: sudo apt-get install monit
Configure:

vi /etc/monit/conf.d/freeradius

check process freeradius with pidfile "/var/run/freeradius/freeradius.pid"
start program "/etc/init.d/freeradius start"
stop program "/etc/init.d/freeradius stop"
if failed host 127.0.0.1 port 1812 type udp protocol radius secret RADIUSSECRET then alert
if failed host 127.0.0.1 port 1813 type udp protocol radius secret RADIUSSECRET then alert
if 5 restarts within 5 cycles then timeout

sudo service monit restart

You should change the RADIUSSECRET to the one of your freeradius.

[Ubuntu] Letsencrypt with Apache and Freeradius

This little tutorial describes how to use Letsencrypt with Apache, Freeradius and Auto-Renewal of the Certificates.

#Install Letsencrypt
sudo apt-get update
sudo apt-get install git
cd /opt
sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
cd /opt/letsencrypt

#Become root
sudo su

#"Order" certificates (replace SERVERDOMAIN.COM with the DNS of your Server!)
./letsencrypt-auto --apache -d SERVERDOMAIN.COM --rsa-key-size 4096
Enter Contact Mail: mail@SERVERDOMAIN.COM
Configuration Type: Secure #best choice, as it redirects insecure http to https

#Read PATH variable
echo $PATH

#Cronjob for certificate renewal
#Under all circumstances replace the string following PATH= with your own, as read with the command above.
#Separate it from the rest of the command with ; as shown in the example
crontab -e

#letsencrypt
30 2 * * 1 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games;/opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log
35 2 * * 1 /etc/init.d/freeradius restart
35 2 * * 1 /etc/init.d/apache2 restart
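The two unconditional restart jobs above bounce freeradius and apache2 every week whether or not anything was renewed. As an added example that is not from the original post, this wrapper runs the renewal and restarts the services only when cert.pem actually changed; it uses the paths from this tutorial and the stop/wait/start for freeradius recommended in the logrotate post. Install it as a single cron entry in place of the three lines above, keeping the PATH= prefix.

```shell
#!/bin/sh
# Added example, not from the original post: cron wrapper for the renewal that
# restarts freeradius and apache2 only when cert.pem actually changed.
# Crontab entry (PATH= as explained above):
#   30 2 * * 1 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin;/usr/local/sbin/le-renew.sh run >> /var/log/le-renew.log
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/SERVERDOMAIN.COM}"
LE_BIN="${LE_BIN:-/opt/letsencrypt/letsencrypt-auto}"

# cert_fingerprint FILE: POSIX cksum of the file (no openssl needed), or an
# empty string if the file does not exist yet.
cert_fingerprint() {
    [ -f "$1" ] || { echo ""; return 0; }
    cksum < "$1" | cut -d' ' -f1
}

# renew_and_report RENEW_CMD CERT_FILE
# Runs RENEW_CMD via sh -c; prints "changed" or "unchanged" and returns 0.
# Returns 1 (printing nothing) if the renew command itself failed.
renew_and_report() {
    before=$(cert_fingerprint "$2")
    sh -c "$1" || return 1
    after=$(cert_fingerprint "$2")
    if [ "$before" != "$after" ]; then echo changed; else echo unchanged; fi
}

# restart_services: the same stop/wait/start that the logrotate fix uses
restart_services() {
    /etc/init.d/freeradius stop; sleep 5; /etc/init.d/freeradius start
    /etc/init.d/apache2 restart
}

main() {
    result=$(renew_and_report "$LE_BIN renew" "$LIVE_DIR/cert.pem") || {
        logger -t le-renew "letsencrypt renew failed"; return 1; }
    logger -t le-renew "renew finished, certificate $result"
    if [ "$result" = "changed" ]; then restart_services; fi
    return 0
}

if [ "${1:-}" = "run" ]; then
    main
fi
```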

#Configure Freeradius
cp -r /etc/freeradius/certs/ /etc/freeradius/certs_bkp
rm /etc/freeradius/certs/*.pem
cp /etc/freeradius/eap.conf /etc/freeradius/eap.conf_bkp

vi /etc/freeradius/eap.conf

#certdir = ${confdir}/certs
#cadir = ${confdir}/certs
certdir = /etc/letsencrypt/live/SERVERDOMAIN.COM
cadir = /etc/letsencrypt/live/SERVERDOMAIN.COM
#dh_file = ${certdir}/dh
dh_file = ${confdir}/certs/dh
#private_key_password = whatever
private_key_file = ${certdir}/privkey.pem
certificate_file = ${certdir}/cert.pem
CA_file = ${cadir}/fullchain.pem

#Configure access rights on /etc/letsencrypt
cd /etc/letsencrypt/
chgrp -R ssl-cert archive csr keys live options-ssl-apache.conf renewal # set group of cert/key dirs to ssl-cert
find . -type d -exec chmod g+xs {} \; # directories executable and setgid (new files/dirs inherit group ssl-cert)
find . -type f -exec chmod g+r {} \; # files readable

#Restart Freeradius
service freeradius stop
service freeradius start

Additional info: https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-14-04

[Docker] Keep Docker Container up-to-date with Watchtower

If you're using Docker, you know you will need to update these containers from time to time by hand, mostly with a docker pull repo/DockerContainerName and a docker-compose up -d. If you want to automate this, you can now use Watchtower: https://github.com/CenturyLinkLabs/watchtower

Using it is very easy. Just run the following command to let watchtower update all your containers automatically:

docker run -d \
--name watchtower \
-v /var/run/docker.sock:/var/run/docker.sock \
centurylink/watchtower

If you only want chosen containers to be updated, include the names of the running containers as arguments, e.g.:

docker run -d \
--name watchtower \
-v /var/run/docker.sock:/var/run/docker.sock \
centurylink/watchtower gogs_gogs_1 drone_drone_1

This Info was brought to you by Christopher Perrin @ https://blog.screebo.net/ ;).

[Ubuntu] Networked UPS with apcupsd, APC 750 and Windows

Due to some serious power outages, I had to install a UPS at the office of one client. It is a rather small setup: one low-power Ubuntu server, one laptop with one TFT screen, one i3 desktop with two TFT screens, one network switch. All in all, about 400VA. I had an old APC Smart UPS 750 VA at hand and used it.
The idea was to connect the UPS via USB directly to the server and hook the laptop and desktop to that server via the network. As soon as the server finds that the whole power grid went offline, all PCs should shut down automatically: enter apcupsd.

Power installation:
Connect the UPS input to the power grid, connect the UPS out to your PCs. NEVER CONNECT ANY LASER PRINTER TO THAT OUTPUT!
Power up the UPS.

Server installation:
Connect the UPS USB Port to the Server.
Install apcupsd:
sudo apt-get install apcupsd
Configure apcupsd:
sudo vi /etc/apcupsd/apcupsd.conf
In my case I configured these settings:

UPSNAME blaUPS # How you want to name your ups
UPSCABLE smart # in my case, it is a smart cable
UPSTYPE usb # on usb
POLLTIME 60 # poll ups every 60 seconds
ONBATTERYDELAY 10 # delay alarm for 10 seconds
BATTERYLEVEL 10 # on less than 10 percent battery level shutdown server
MINUTES 3 # on less than 3 minutes battery runtime shutdown server
NETSERVER on # activate network server
NISIP 0.0.0.0 # allow access from all nics
NISPORT 3551 # default port for network server

Allow port 3551/tcp through iptables!
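With NISIP 0.0.0.0 the status port is open on every interface, so the iptables rule should only admit the office LAN. As an added example that is not from the original post, this function appends an accept rule for the LAN and a drop rule for everyone else; the LAN range 192.168.1.0/24 is an assumed placeholder, and IPTABLES can be pointed at echo to dry-run the rules.

```shell
#!/bin/sh
# Added example, not from the original post: restrict apcupsd's NIS port
# (3551/tcp, opened on all interfaces by NISIP 0.0.0.0) to the office LAN.
# 192.168.1.0/24 is an assumed placeholder for your LAN. Set IPTABLES=echo to
# print the rules instead of applying them. The DROP rule is appended, so put
# these before any blanket ACCEPT rule in your INPUT chain.
IPTABLES="${IPTABLES:-iptables}"
NIS_PORT=3551

# apcupsd_firewall LAN_CIDR: accept 3551/tcp from LAN_CIDR, drop it from elsewhere
apcupsd_firewall() {
    lan="$1"
    case "$lan" in
        */*) ;;                                   # looks like a CIDR range
        *) echo "usage: apcupsd_firewall <lan-cidr>" >&2; return 2 ;;
    esac
    "$IPTABLES" -A INPUT -p tcp --dport "$NIS_PORT" -s "$lan" -j ACCEPT &&
    "$IPTABLES" -A INPUT -p tcp --dport "$NIS_PORT" -j DROP
}

# Run as root: apcupsd-fw.sh apply 192.168.1.0/24
if [ "${1:-}" = "apply" ]; then
    apcupsd_firewall "${2:-192.168.1.0/24}"
fi
```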

Restart apcupsd:
sudo service apcupsd restart

Give status of current apcupsd session:
sudo service apcupsd status

Client installation on Windows:
Download the latest version for Windows (e.g. winapcupsd-3.14.13.exe); you only need the apcupsd Service and Tray Applet.
Leave everything at default during setup and configure apcupsd.conf

UPSNAME blaUPS # How you want to name your ups
UPSCABLE ether # network to server
UPSTYPE net # on network
DEVICE IP:3551 # for IP, enter the IP of the server
POLLTIME 15 # poll ups every 15 seconds
ONBATTERYDELAY 10 # delay alarm for 10 seconds
BATTERYLEVEL 20 # on less than 20 percent battery level shutdown client
MINUTES 3 # on less than 3 minutes battery runtime shutdown client
NETSERVER on # activate network server
NISIP 127.0.0.1 # allow access only from localhost

And that's it 🙂

[Art] real-time operator

real-time operator was a project of Melanie Windl, an artist from the University of Mainz, Germany, on which I helped as technical advisor and programmer. The idea of the project was to live-record sounds from the staircase of the Tokyo Wondersite and replay them using different filters on multiple balloons (using exciters). The project was realised using three Raspberry Pi Model B+, some USB sound cards and PureData. You can find more about the project here: https://atelier-windl.com/portfolio/real-time-operator-2/

Festival
real-time operator
09.01.-07.02.2016
Tokyo Wonder Site Hongo
2-4 16 Hongo, Bunkyo-ku, Tokyo 113-0033, Japan


A short video showing the project can be found here

Where can I find the free VMware Player?

I was looking for the free VMware Player, which was available for quite some time.
It turned out the free Player still exists - but is now called "VMware Workstation Player (formerly known as Player Pro)".
If you go to this website: http://www.vmware.com/products/player/ - you will find a lot of text about some paid version - but if you look closely at the last paragraph "VMware Workstation 12 Player Free for Personal Use" - you will find the text "environment you may use Workstation 12 Player at no cost.
Download Workstation 12 Player for personal use." - and the "Download" written in faint blue color - yep - that is a somewhat hidden link. Click it! ( Hint: https://my.vmware.com/en/web/vmware/free#desktop_end_user_computing/vmware_workstation_player/12_0 ) - And there you will be able to download the latest version for free.

Bonus: The compatible VIX 1.15.2 API can be found here: https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_workstation_player/12_0|PLAYER-1210|drivers_tools

Update: For VMware Player 14, the link changed to: https://my.vmware.com/en/web/vmware/free#desktop_end_user_computing/vmware_workstation_player/14_0

[Docker] Install Gogs as Docker container

Gogs (Go Git Service) is an awesome GitHub/GitLab-like solution, completely written in Go(lang) - which makes it blazing fast - and lightweight.
And as there is even a Docker container of Gogs available - I thought - why not use this to finally move from my SSH-only Git to a "real" Git service :).

We are going to use docker-compose in this example - so I assume you have installed this as shown in my last guide on Docker.

# Create docker-compose.yml in ~/gogs/
cd ~
mkdir gogs
cd gogs
vi docker-compose.yml
# Copy this content into your docker-compose.yml file

gogs:
  restart: unless-stopped
  image: gogs/gogs
  volumes:
    - /var/gogs:/data
  ports:
    - "10022:22"
    - "3000:3000"

After that, save the file and issue docker-compose up in your terminal. Docker will start to pull the gogs image from the hub and launch gogs. All your gogs files will be saved on your local drive in /var/gogs. You can find the overview of the file structure here.
After Docker is ready, launch your favorite browser and go to http://127.0.0.1:3000.

Now it's time to configure gogs. Please bear in mind the important information of the Gogs Guide regarding Settings in a Docker installation.

Regarding this, we will use following settings:
As database type, we choose SQLite3. As path, data/gogs.db is already chosen, which is important: a Docker container is non-persistent - so if you restart that container, all files not saved in a mounted directory (like your /var/gogs, which is mounted as /data in the docker session of gogs...) will be lost.
As name, we choose something catchy like PiGit or so - as you wish.
We won't touch the repo path (/data/git/gogs-repositories), nor the user (git). As Domain, we could choose our http://mydnshost.com.
As SSH Port, we choose 10022. HTTP Port remains as 3000 and the application domain should be something like http://mydnshost.com:3000 - while 3000 is the exposed HTTP port - so someone can actually access your Gogs service.

You can also configure your mail server - as you wish.

Regarding the server and additional settings, I chose the Offline Mode, but enabled Gravatar, disabled User Registration and Captchas and enabled "Need to be registered to see contents" - as I want my Gogs server to be actually reachable from the net - but I only want to create user accounts by hand - and not have my server filled with stuff of foreign people.

The last step is to create an Admin User Account. I would recommend to do this "now". After that, click "Install Gogs". And then - you can login :)!

The cool thing about gogs: You can even migrate from other Git services to your new Gogs server via the "Migration" tab (+ next to your user icon after you have logged in). Please bear in mind that only http/https and local paths work for that.

If you create a new repo, you should always check the "Init the repo", so that you can directly clone and use it.

Regarding cloning: You can access your repo via the webpage (ip:3000) or ssh (ip:10022). To use ssh, you need to insert your public key in the "SSH Key" tab in your gogs settings.

If you expose the 3000 and 10022 ports via your Firewall/Router, you can access gogs from everywhere - or you just use VPN to get into your network.

Bonus: Making Gogs Secure with Letsencrypt
If you already have a Letsencrypt certificate for your server / PC, you can easily get gogs to use that: just go to /var/gogs/gogs/data and copy your fullchain.pem and privkey.pem from your letsencrypt folder ( /etc/letsencrypt/live/[yourdomain]/ ) and give your user access to them via chown.
After that, go to /var/gogs/gogs/conf open app.ini and add following settings under [server]:
PROTOCOL = https
CERT_FILE = data/fullchain.pem
KEY_FILE = data/privkey.pem

If there should be another entry like PROTOCOL = http, just delete it. Save that file, go back to your open docker terminal with gogs running, CTRL + C and enter docker-compose up -d. With that, it will restart in detached mode. And more important: Your service will automatically start on every reboot of your system.
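The app.ini edit above is easy to get wrong by hand (a leftover PROTOCOL = http wins or loses depending on where it sits). As an added example that is not Gogs' own tooling, this script rewrites the [server] section so that each of the three settings appears exactly once, dropping stale copies, and can read a value back for checking. It assumes the compose layout above, so the file is /var/gogs/gogs/conf/app.ini on the host.

```shell
#!/bin/sh
# Added example, not Gogs' own tooling: put the https settings from the post
# into app.ini's [server] section, removing stale lines such as a leftover
# "PROTOCOL = http". Assumes the host path /var/gogs/gogs/conf/app.ini.

# ini_set FILE SECTION KEY VALUE: leave exactly one "KEY = VALUE" line inside
# [SECTION]; same-named keys in other sections are untouched, the section is
# created if absent.
ini_set() {
    awk -v s="$2" -v k="$3" -v v="$4" '
        /^\[.*\]$/ {                                  # a section header
            if (in_s && !done) { print k " = " v; done = 1 }
            in_s = ($0 == "[" s "]"); if (in_s) seen = 1
            print; next
        }
        in_s {
            name = $0; sub(/[ \t]*=.*/, "", name); sub(/^[ \t]+/, "", name)
            if (name == k) {                          # existing line for KEY
                if (!done) { print k " = " v; done = 1 }
                next                                  # duplicates are dropped
            }
        }
        { print }
        END {
            if (!seen) print "[" s "]"
            if (!done) print k " = " v
        }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION], if any
ini_get() {
    awk -v s="$2" -v k="$3" '
        /^\[.*\]$/ { in_s = ($0 == "[" s "]"); next }
        in_s {
            name = $0; val = $0
            if (sub(/[ \t]*=.*/, "", name) && name == k) {
                sub(/^[^=]*=[ \t]*/, "", val); print val
            }
        }' "$1"
}

# configure_gogs_https APP_INI: the three settings from the post; cert and key
# are expected in the data dir as described above
configure_gogs_https() {
    ini_set "$1" server PROTOCOL  https
    ini_set "$1" server CERT_FILE data/fullchain.pem
    ini_set "$1" server KEY_FILE  data/privkey.pem
}
```

Run `configure_gogs_https /var/gogs/gogs/conf/app.ini` and then `ini_get /var/gogs/gogs/conf/app.ini server PROTOCOL` should print https before you restart with docker-compose up -d.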

If you ever need to stop gogs, just go again to your docker-compose file, i.e. cd ~/gogs/ and enter docker-compose stop.
You can also watch what your docker container is doing with the command docker ps

Happy coding!

[Docker] OpenWRT Images for x86, x64, Raspberry Pi and Raspberry Pi 2

As some of you know, I am trying to learn to use Docker.
I love the simplicity of this tool and the fact that a lot of my appliances could be built and maintained more efficiently with the use of it.
So I thought "Well, I should at least try to create some useful images for the Docker Registry / Hub" - and so I came upon the Github repo of x-drum, which I could not help - but fork ;). So, x-drum showed an easy way to build x86 images for 14.07 and 15.05 OpenWRT.
And I thought "well, let's extend that". So now, we also got 12.09 OpenWRT x86, as well as trunk x86... and while I was doing some research, I slapped the x64 versions for trunk and 15.05 on as well :).

But wait - something's missing - yeah: we need some Raspberry Pi stuff ;):
The guys over at Hypriot did a really awesome job creating Hypriot OS - basically a bootable image for RPi1/2 to use a recent version of Docker :). But - truth be told - they already created some special RPi (ARM) images on the Docker Hub - but... it would be nice to get some more base images to play with...

So I basically used Hypriot OS on a RPi 1 to create the OpenWRT 12.09, 14.07, 15.05 and Trunk Docker Images - and on a RPi 2 to create OpenWRT 15.05 and Trunk Docker Images.
The RPi 1 images are also usable on a RPi 2 - so I recommend using them. RPi 2 images are only usable on a RPi 2 :).

Everything can be grabbed from my Github Repo: https://github.com/nmaas87/docker-openwrt or directly on Docker Hub.
The x86/x64 Images can be found on https://hub.docker.com/r/nmaas87/docker-openwrt/, while the RPi 1 and RPi 2 Images are here: https://hub.docker.com/r/nmaas87/rpi-openwrt/.

Have fun :)!