Recent Posts

luks and lvm and partitioning and filesystem from the shell
posted on 2016-08-24 20:58

Don't overwrite your devices via cp. But we've all been there, done that.

If you don't want to reinstall 'just because', an idea might be to use testdisk depending on what you did.

For getting a nice partition layout I tend to use parted (see below); for creating partitions, cgdisk (for GPT) or cfdisk (for MBR only, IIRC) are decent choices.

Back on topic.

preparation

Partitions were still present in my case, so there was no need to create them anew.

If you have to, run parted /dev/sdX p and parted /dev/sdX u b p first and take photos of the output with your phone, in case you have to redo something.

luks

Create and open the cryptocontainer to hold the complete partition, wherein the LVM and your filesystems will lie.

cryptsetup --cipher=aes-xts-plain64 luksFormat /dev/sdXN --force-password
cryptsetup open /dev/sdXN sdXN_crypt

Did you really type an uppercase YES when you were prompted? The password you were prompted for is the one you will have to enter in the future.

In case you did something wrong:

cryptsetup close sdXN_crypt
cryptsetup erase /dev/sdXN

Then start by recreating the container. Did you really type an uppercase YES when you were prompted?

lvm2

After the crypto device was opened, you can reference it through the device mapper. Now create the physical volume (PV), volume group (VG) and logical volumes (LV's) where your system will be installed later on:

pvcreate /dev/mapper/sdXN_crypt
vgcreate `hostname` /dev/mapper/sdXN_crypt
lvcreate -L 2G -n swap `hostname`
lvcreate -l 100%FREE -n root `hostname`

Here is a catch: I did not have to recreate a separate /boot partition, as I already had one. If you don't have one, create it first. It has to be located outside the crypto container, else you won't be able to boot after your installation.

If something went wrong, here's how to delete things, too. Choose what you need in particular:

pvremove /dev/mapper/sdXN_crypt
vgremove `hostname`
lvremove /dev/`hostname`/<LVname>

filesystems and swap

Create swap:

mkswap /dev/mapper/`hostname`-swap

Create root filesystem:

mkfs -t ext4 /dev/mapper/`hostname`-root

This is pretty much it. From here on you can chroot or do whatever else you want.

Maybe you only want the container for data and not for installing a system on it. In that case, not calling the LV 'root' and omitting the swap LV above would have been a wise choice.

postgres introduction
posted on 2016-08-24 10:50

The client is run through the postgres system user named 'postgres'. Its home directory is usually /var/lib/postgresql.

Connection info

The .my.cnf equivalent is .pgpass in the postgres user's home directory, with lines of the following form:

hostname:port:database:username:password

Command history

For the .mysql_history equivalent, see .psql_history in the postgres user's home directory (/var/lib/postgres/.psql_history).

Apostrophe usage

  • use single quotes for strings/values
  • use double quotes for identifiers (user, table and database names, ...)

Most important shell commands

  • createdb DATABASE
  • dropdb DATABASE
  • createuser ROLE
  • dropuser ROLE
  • su -c psql postgres # invoking the CLI as any user

As postgres user:

  • psql -c 'SQL_STATEMENT' = mysql -e 'SQL_STATEMENT' with .my.cnf
  • psql DATABASE # opens the client and connects to DATABASE

psql cli commands

help = shows the help overview
\h = show help for sql commands
\h create role; = show help on CREATE ROLE command
\? = show pg shortcuts
\l = "show databases;"
\l+ = "show databases" and their size
\d+ = show 
\dt = "show tables;"
\du = show roles (users)
\dp = show privileges
\c DATABASE = "use DATABASE"

User management

Postgres user management differs in that there are 'roles'. These can be tweaked to work like users or like groups.

See below.

Main use cases

Create db with corresponding user:

createdb DATABASENAME
createuser DATABASENAME
su -c "psql DATABASENAME" postgres
grant all privileges on database DATABASENAME to DATABASENAME;
\q

Change password:

su -c psql postgres
alter role DATABASENAME with password 'PASSWORD';
\q

roccat kova buttons in linux
posted on 2016-08-23 11:00

This was tested on debian 8 and seems to work so far.

echo "deb http://ppa.launchpad.net/berfenger/roccat/ubuntu trusty main" > /etc/apt/sources.list.d/roccat.list
echo "deb-src http://ppa.launchpad.net/berfenger/roccat/ubuntu trusty main" >> /etc/apt/sources.list.d/roccat.list
sudo roccatkovaplusconfig

My main problem was getting the mouse buttons on the left side to trigger the browser's forward/backward history functions.

There is easyshift, which basically is a meta button, usually on the left backward button. It seems it can only be set on the backward buttons on the sides.

Setting the left side buttons to these did the trick:

  • Button 8 (Browser backward)
  • Button 9 (Browser forward)

Apply and exit.

linux create patches via diff and apply via patch
posted on 2016-08-22 19:14

Since I tend to forget this way too often...

create a patch

diff -u <file1> <file2> > <filename>.patch

test a patch

patch --dry-run <file> < <filename>.patch

apply a patch

patch -p0 <file> < <filename>.patch

-p0 strips no prefixes, -p1 strips the leftmost path component, etc.

apply a patch and create backup of the original

patch -b -p0 <file> < <filename>.patch

Creates <file>.orig in the process.

reverse an applied patch

patch -R <file> < <filename>.patch

mysql 5.7 fix root user
posted on 2016-08-22 13:42

In mysql 5.7 the auth mechanism changed; documentation can be found in the official manual here.

Using the system root user (or sudo) you can connect to the mysql database as the mysql 'root' user via the CLI. All other users work, too.

In phpmyadmin, for example, all mysql users work, but the mysql 'root' user does not.

This is where it comes from:

$ mysql -Ne "select Host,User,plugin from mysql.user where user='root';"

+-----------+------+-----------------------+
| localhost | root | auth_socket           |
|  hostname | root | mysql_native_password |
+-----------+------+-----------------------+

To 'fix' this security feature, do:

mysql -Ne "update mysql.user set plugin='mysql_native_password' where User='root' and Host='localhost'; flush privileges;"

Note that this only swaps the plugin: the account keeps whatever authentication_string it had before (for an auth_socket account usually none), so set a password for 'root'@'localhost' right afterwards. The manual also prefers ALTER USER over editing mysql.user directly for this.

More on this can also be found here in the manual.

proxmox usb passthrough to VM
posted on 2016-08-17 09:35

This works while the VM is already running, no reboot needed.

Plug the USB device into your hypervisor.

Run lsusb to see if it's there:

root@server:~# lsusb
Bus 002 Device 002: ID 8087:8002 Intel Corp. 
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 8087:800a Intel Corp. 
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 003 Device 003: ID 0557:2419 ATEN International Co., Ltd 
Bus 003 Device 002: ID 0557:7000 ATEN International Co., Ltd Hub
Bus 003 Device 004: ID 1058:25a2 Western Digital Technologies, Inc. 
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

Here the identifier is 1058:25a2.

Now run qm list to find your VM's id.

root@server:~# qm list
      VMID NAME                 STATUS     MEM(MB)    BOOTDISK(GB) PID       
     10280 vm_01                running    25600           5580.00 482591    
     10281 vm_02                running    6144             500.00 764248

Enter the monitor via qm monitor <vmid>:

root@server:~# qm monitor 10280
Entering Qemu Monitor for VM 10280 - type 'help' for help
qm> 

There, run info usbhost:

qm> info usbhost
  Bus 3, Addr 3, Port 12.1, Speed 1.5 Mb/s
    Class 00: USB device 0557:2419
  Bus 3, Addr 4, Port 1, Speed 480 Mb/s
    Class 00: USB device 1058:25a2, Elements 25A2
qm> 

From the device identifier we know it's bus 3, port 1. Now attach it to the virtual machine:

qm> device_add usb-host,hostbus=3,hostport=1
qm> 

lsblk from within the VM then shows the plugged-in hard disk.

cisco sg300 setup
posted on 2016-08-13 17:52

These are the notes for setting up a cisco sg300 10-port switch with VLANs via the CLI. It's the best cheap managed switch that happens to have a CLI similar to the ones on the bigger switches from cisco, and it comes with a serial interface.

standard ip

Use this IP for accessing SSH or the webgui in your browser:

192.168.1.254

standard password

user: cisco
pass: cisco

serial connection

In case you need it because you cannot access the switch via IP any longer (scanning 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 sure takes too much time to be feasible...), use its serial interface.

baud:      115200 (if not set otherwise)
bits:      8
parity:    N
stopbits:  1
no flow control

To use it, connect a USB-to-serial adapter to your laptop and use putty/screen/minicom, depending on your OS.

foreword

First, all commands are abbreviated here. Use ? in the CLI if you want to know what you can type: alone, after some characters, or on its own as a parameter after a command.

cisco devices have different modes, and after logging in you edit the configuration in RAM. To change all possible settings you have to go into configure mode (conf), and to save them the volatile configuration has to be copied back to flash memory (copy run start or wr).

In normal mode there just aren't that many options. To jump back, exit. More on the modes later on.

Sadly, ctrl+d doesn't work, but ctrl-z is its substitute.

first steps (after logging in and likely changing the password)

'backspace' key:

ctrl + h

delete current line:

ctrl + u
ctrl + k

disable/enable the output paging bullshit: (You know screen's copy mode via ctrl+a,[ so PGUP and PGDN work?)

terminal datadump
terminal no datadump

enable / disable command history / set its maximum size:

terminal history
terminal no history
terminal history size 206

show current configuration:

show run

show current access methods:

show line

save the changes up until now:

# choose 'yes', of course, when being prompted
copy run start

# this also works but is deprecated
wr t

configuration

For ease of use, when configure mode is needed, all the steps are shown. You can stay in configure mode if you want and perform several steps at once if you please.

hostname:

conf t
hostname <my_new_hostname>
ctrl-z
copy run start

search domain

conf t
ip domain name <your_search_domain>
ctrl-z
copy run start

create a new user and revoke admin rights from the standard 'cisco' user:

conf t
username <new_user> privilege 15 password <new_password>
username cisco privilege 1 password <doesnt_matter_you_dont_need_it_anymore>
ctrl-z
copy run start

What this was actually about is the different privilege levels present on cisco switches.

privilege level 1      = user mode, '>' prompt
privilege level 2 - 15 = privileged EXEC mode, '#' prompt
configure              = configure mode, '(config)' prompt

You can do fine-grained access levelling, with commands available only at certain privilege levels (i.e. 3, 6, 10, 14, 15, however you see fit), but here we just want to disable the basic account and create a new one.

Level 15 can do everything. Regular workflow is logging in, and using the enable password to elevate to administrator levels if need be.

Via enable <number> and disable <number> you can enter higher or lower privilege levels relative to your current one, which can be looked up via show privilege.

While in configure mode, you can enter sub-modes for some of the commands; ex, end and ctrl-z work there, too.

set default gateway

conf t
ip default-gateway <your_gw_ip>
do copy run start

The do keyword lets you run EXEC keywords from within configure mode.

set default ip

debugging iptables with traced packets
posted on 2016-08-10 19:14

For debugging iptables (making every interaction of a packet with the netfilter chains visible via syslog!), tracing helps quite a bit.

prerequisite

modprobe ipt_LOG # this is for ipv4
modprobe ip6t_LOG # this is for ipv6

ICMP tracing

For tracing ICMP packets:

# IPv4
iptables -t raw -A OUTPUT -p icmp -j TRACE
iptables -t raw -A PREROUTING -p icmp -j TRACE
# IPv6
ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-request -j TRACE
ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-reply -j TRACE
ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-request -j TRACE
ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-reply -j TRACE

Ping the destination server (the one with the firewall) from the source server and run tail -f /var/log/syslog | grep TRACE on the destination in parallel.

UDP tracing with netcat

iptables -t raw -A PREROUTING -p udp -s 10.0.0.0/24 -j TRACE
iptables -t raw -A OUTPUT     -p udp -s 10.0.0.0/24 -j TRACE

Change 10.0.0.0/24 to the address or network your source server comes from.

On the destination server do:

nc -ulp 12345

On the source server do:

nc -u <dst_server_ip> 12345

and type a bit and hit enter.

Now you should see in /var/log/syslog on the destination server what happens to your packets.
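
What the TRACE lines in syslog tell you is only which table/chain/rule a packet hit, in order; the verdict is not printed. The following is an added example (not from the original post) that parses constructed syslog lines of the format the TRACE target writes, groups them per packet and reports the chain path and the last rule or policy that decided the packet's fate. The sample lines, host names and chain names (ICMP_IN) are made up for the demonstration.

```python
import re
from collections import OrderedDict

# Constructed sample of what `tail -f /var/log/syslog | grep TRACE` shows on
# the destination server: one ICMP echo-request and one UDP packet to port
# 12345 (from the netcat test), both traced from raw:PREROUTING onwards.
SAMPLE_SYSLOG = """\
Aug 10 19:14:01 dst kernel: [  100.123456] TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 LEN=84 TTL=64 ID=4711 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Aug 10 19:14:01 dst kernel: [  100.123460] TRACE: mangle:PREROUTING:policy:1 IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 LEN=84 TTL=64 ID=4711 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Aug 10 19:14:01 dst kernel: [  100.123464] TRACE: mangle:INPUT:policy:1 IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 LEN=84 TTL=64 ID=4711 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Aug 10 19:14:01 dst kernel: [  100.123468] TRACE: filter:INPUT:rule:3 IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 LEN=84 TTL=64 ID=4711 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Aug 10 19:14:01 dst kernel: [  100.123472] TRACE: filter:ICMP_IN:rule:2 IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 LEN=84 TTL=64 ID=4711 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Aug 10 19:14:02 dst kernel: [  101.000001] TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.1 LEN=40 TTL=64 ID=9 PROTO=UDP SPT=5555 DPT=12345 LEN=20
Aug 10 19:14:02 dst kernel: [  101.000005] TRACE: filter:INPUT:policy:5 IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.1 LEN=40 TTL=64 ID=9 PROTO=UDP SPT=5555 DPT=12345 LEN=20
"""

# A TRACE hop is "table:chain:kind:rulenum": kind is "rule" when a rule matched,
# "policy" when the built-in chain's policy applied, "return" at the end of a
# user-defined chain. The packet header fields follow as KEY=VALUE pairs.
TRACE_RE = re.compile(
    r"TRACE: (?P<table>\w+):(?P<chain>\S+):(?P<kind>rule|return|policy):(?P<num>\d+) (?P<rest>.*)$"
)

def parse_trace_line(line):
    """Return a dict for one TRACE hop, or None for any other syslog line."""
    m = TRACE_RE.search(line)
    if m is None:
        return None
    fields = OrderedDict()
    # Keep the first value of duplicated keys: ICMP lines carry the IP header
    # ID and the ICMP ID both as "ID=", UDP lines carry "LEN=" twice.
    for key, value in re.findall(r"(\w+)=(\S*)", m.group("rest")):
        fields.setdefault(key, value)
    return {"table": m.group("table"), "chain": m.group("chain"),
            "kind": m.group("kind"), "num": int(m.group("num")), "fields": fields}

def packet_key(fields):
    """Group hops that belong to the same packet by its IP header fields."""
    return (fields.get("SRC"), fields.get("DST"), fields.get("PROTO"), fields.get("ID"))

def trace_paths(lines):
    """Map each traced packet to the ordered list of hops it produced."""
    paths = OrderedDict()
    for line in lines:
        hop = parse_trace_line(line)
        if hop is not None:
            paths.setdefault(packet_key(hop["fields"]), []).append(hop)
    return paths

def chain_path(hops):
    """The table:chain sequence the packet went through."""
    return ["%s:%s" % (h["table"], h["chain"]) for h in hops]

def final_hop(hops):
    """Where tracing stopped: the last matching rule or policy decided the packet.
    TRACE never prints the verdict, so look that rule up afterwards with
    `iptables -t <table> -nvL <chain> --line-numbers`."""
    last = hops[-1]
    if last["kind"] == "policy":
        return "policy of %s:%s" % (last["table"], last["chain"])
    if last["kind"] == "rule":
        return "rule %d of %s:%s" % (last["num"], last["table"], last["chain"])
    return "return from %s:%s" % (last["table"], last["chain"])

if __name__ == "__main__":
    for key, hops in trace_paths(SAMPLE_SYSLOG.splitlines()).items():
        print("%s -> %s %s" % (key[0], key[1], key[2]))
        print("  path:  " + " > ".join(chain_path(hops)))
        print("  ended: " + final_hop(hops))
```

Feed it the real syslog instead of SAMPLE_SYSLOG and a packet that never reaches filter:INPUT, or whose last hop is a rule you did not expect, points straight at the rule to inspect.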

iptables and netfilter chains diagram
posted on 2016-08-10 18:56

This is a NICE diagram I stumbled across here:

 +---------------------+                              +-----------------------+
 | NETWORK INTERFACE   |                              | NETWORK INTERFACE     |
 +----------+----------+                              +-----------------------+
            |                                                    ^
            |                                                    |
            |                                                    |
            v                                                    |
 +---------------------+                                         |
 | PREROUTING          |                                         |
 +---------------------+                                         |
 |                     |                                         |
 | +-----------------+ |                                         |
 | | raw             | |                                         |
 | +--------+--------+ |                                         |
 |          v          |                                         |
 | +-----------------+ |                              +----------+------------+
 | | conn. tracking  | |                              | POSTROUTING           |
 | +--------+--------+ |                              +-----------------------+
 |          v          |                              |                       |
 | +-----------------+ |                              | +-------------------+ |
 | | mangle          | |                              | | source NAT        | |
 | +--------+--------+ |                              | +-------------------+ |
 |          v          |                              |          ^            |
 | +-----------------+ |                              | +--------+----------+ |
 | | destination NAT | |                              | | mangle            | |
 | +-----------------+ |                              | +-------------------+ |
 +----------+----------+  +------------------------+  +-----------------------+
            |             | FORWARD                |             ^
            |             +------------------------+             |
            v             |                        |             |
     +-------------+      | +--------+  +--------+ |             |
     | QOS ingress +----->| | mangle +->| filter | |------------>+
     +------+------+      | +--------+  +--------+ |             |
            |             |                        |             |
            |             +------------------------+             |
            |                                                    |
            |                                                    |
            v                                                    |
 +---------------------+                              +----------+------------+
 | INPUT               |                              | OUTPUT                |
 +---------------------+                              +-----------------------+
 |                     |                              |                       |
 |  +---------------+  |                              |  +-----------------+  |
 |  | mangle        |  |                              |  | filter          |  |
 |  +-------+-------+  |                              |  +-----------------+  |
 |          v          |                              |          ^            |
 |  +---------------+  |                              |  +-------+---------+  |
 |  | filter        |  |                              |  | destination NAT |  |
 |  +---------------+  |                              |  +-----------------+  |
 +----------+----------+                              |          ^            |
            |                                         |  +-------+---------+  |
            |                                         |  | mangle          |  |
            |                                         |  +-----------------+  |
            |                                         |          ^            |
            |                                         |  +-------+---------+  |
            |                                         |  | conn. tracking  |  |
            |                                         |  +-----------------+  |
            |                                         |          ^            |
            |                                         |  +-------+---------+  |
            |                                         |  | raw             |  |
            |                                         |  +-----------------+  |
            |                                         +-----------------------+
            v                                                    ^
+----------------------------------------------------------------+------------+
|                             LOCAL PROCESS                                   |
+-----------------------------------------------------------------------------+
mysql: extract table dump from database dump
posted on 2016-08-10 09:08

Usually complete databases are dumped via mysqldump so you get a consistent backup. Dumping table after single table would only work if the database were made read-only during the backup, and is too much of a hassle normally.

To restore a single table but not the whole database, the regular approach is to restore the dump to new database, and only dump the table you need.

However, with huge dumps of 1GB and bigger this becomes cumbersome. Since a mysql dump is just all the SQL statements in plain text, you can easily strip all other information from the dump file via sed:

sed -n -e '/DROP TABLE.*`my_table_i_want`/,/UNLOCK TABLES/p' mysql_dump_file.sql > my_table_i_want.sql

This extracts everything needed to restore the table my_table_i_want from the dump file mysql_dump_file.sql into the file my_table_i_want.sql. (Mind the single quotes: inside double quotes the shell would treat the backticks as command substitution.)
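
The sed range works because mysqldump writes a DROP TABLE line before each table and an UNLOCK TABLES line after its data. As an added example (not from the original post), here is the same extraction in Python on a constructed miniature dump; it matches the table name exactly and, for dumps written without lock statements, stops at the next table's header instead of running on to the end of the file. The table names `orders` and `orders_archive` are made up.

```python
import re

# Constructed miniature of a mysqldump file with two tables, one of which has a
# name that is a prefix of the other. Real dumps carry more SET/comment lines,
# but the markers this code keys on are the ones mysqldump writes by default.
SAMPLE_DUMP = """\
--
-- Table structure for table `orders`
--

DROP TABLE IF EXISTS `orders`;
CREATE TABLE `orders` (
  `id` int(11) NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

--
-- Dumping data for table `orders`
--

LOCK TABLES `orders` WRITE;
/*!40000 ALTER TABLE `orders` DISABLE KEYS */;
INSERT INTO `orders` VALUES (1),(2);
/*!40000 ALTER TABLE `orders` ENABLE KEYS */;
UNLOCK TABLES;

--
-- Table structure for table `orders_archive`
--

DROP TABLE IF EXISTS `orders_archive`;
CREATE TABLE `orders_archive` (
  `id` int(11) NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

LOCK TABLES `orders_archive` WRITE;
INSERT INTO `orders_archive` VALUES (3);
UNLOCK TABLES;
"""

def extract_table(dump_text, table):
    """Lines that recreate `table`: from its DROP TABLE statement up to and
    including the UNLOCK TABLES that closes its data section. Unlike the sed
    range, the backtick-quoted name is matched exactly, and a dump without
    LOCK/UNLOCK lines still ends at the next table's header."""
    start = re.compile(r"^DROP TABLE (?:IF EXISTS )?`%s`;" % re.escape(table))
    next_table = re.compile(r"^-- Table structure for table `")
    out, inside = [], False
    for line in dump_text.splitlines():
        if not inside:
            if start.match(line):
                inside = True
                out.append(line)
            continue
        if next_table.match(line):
            break
        out.append(line)
        if line.startswith("UNLOCK TABLES"):
            break
    # Drop the blank and comment lines that sit before the next table header.
    while out and (out[-1] == "" or out[-1].startswith("--")):
        out.pop()
    return out

def insert_count(lines):
    """Number of INSERT statements in an extracted section; a quick sanity
    check that the right table and its data were picked up."""
    return sum(1 for line in lines if line.startswith("INSERT INTO"))

if __name__ == "__main__":
    print("\n".join(extract_table(SAMPLE_DUMP, "orders")))
```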



Unless otherwise credited all material Creative Commons License by sjas