Recent Posts

proxmox: what is an EFI disk?
posted on 2017-01-07 21:22

Proxmox lets you create an EFI disk in the most recent versions. But what exactly is it?

cat'ing or strings'ing the file which represents it on disk is a first try, but sadly does not help much. Besides that the output looks a little like firmware stuff.

According to the proxmox wiki:

BIOS and UEFI In order to properly emulate a computer, QEMU needs to use a firmware. By default QEMU uses SeaBIOS for this, which is an open-source, x86 BIOS implementation. SeaBIOS is a good choice for most standard setups.

There are, however, some scenarios in which a BIOS is not a good firmware to boot from, e.g. if you want to do VGA passthrough. [5] In such cases, you should rather use OVMF, which is an open-source UEFI implemenation. [6]

If you want to use OVMF, there are several things to consider:

In order to save things like the boot order, there needs to be an EFI Disk. This disk will be included in backups and snapshots, and there can only be one.

You can create such a disk ...

A long story short:

UEFI, like BIOS, is the onboard firmware on your motherboard that let's you boot anything at all. Both happen to use a non-volatile storage on the motherboard to store settings. BIOS its settings, UEFI probably does just the same, but also the locations of start files it uses to boot the operating systems.

ovmf (the UEFI implementation that proxmox uses to emulate an UEFI) cannot use any kind of NVRAM by itself, it just seems to lack any at all. By default, it uses /boot/efi/EFI/BOOT/BOOTX64.EFI to search for the default start file.

If, however, like, after a default debian install, there is no startfile to be found there (debian uses /boot/efi/EFI/debian/grubx64.efi), then it cannot boot.

Two solutions are possible: Copy the grubx64.efi (or whatever it is called) to BOOTX64.EFI path, if you use only default settings besides.

Or use the EFI disk, which should not be so mysterious anymore now, and qemu will simply store the information there. This also has the added benefit that it's possible to store several startfiles for booting, in case you have several installations within the same VM. But its easier to create several vms for that anyway.

stop proxmox nagware
posted on 2017-01-05 05:07

This is said to fix proxmox 'no valid license' dialog box which appears when you login to the web interface and do not have a valid subscription:

find /usr/share/pve-manager -name *.js -exec sed -i 's/PVE.Utils.checked_command(function\s*()\s*{\s*\(.*\)\s*}\s*)\s*;\s*/\1/g' {} \;

TODD: I haven't tested it so far, the post will be updated once I can tell more.

debian add another loopback address
posted on 2017-01-04 15:40

Add to /etc/network/interfaces:

auto lo:1
iface lo:1 inet static
address 127.0.0.2
netmask 255.0.0.0

then

ifup lo:1

and an ip a should show you the new ip being live.

gitolite install
posted on 2017-01-02 22:37

A fast setup of a proper gitolite server setup, since the current debian package is either borked, or I just need sleep. Keep in mind this was written on the fly and may have errors.

assumptions

  • this will use the user git (hope its not used already)
  • put the files in `/var/lib/gitolite
  • use the latest gitolite.
  • GITSERVER: ip or domain name or /etc/hosts alias of your git server
  • debian was used, adopt accordingly if you use redhat derivates or (god help) suse

setup and install

On the server: (as root)

apt install git -y
mkdir -p /var/lib/gitolite/bin
useradd -d /var/lib/gitolite/ -U -s /bin/bash git
passwd git
ssh-keygen -trsa -b4096
cp /root/.ssh/id_rsa.pub /var/lib/gitolite/admin.pub
chown -R git:git /var/lib/gitolite

su - git

cat << EOF > .bash_profile
alias l='ls -alh --color'
export PATH=/var/lib/gitolite/bin:\$PATH
EOF
echo $PATH  ## gitolite path missing
logout
su - git
echo $PATH  ## gitolite path not missing anymore, and 'l' works, too

git clone git://github.com/sitaramc/gitolite
gitolite/install -ln /var/lib/gitolite/bin
gitolite setup -pk admin.pub
logout
cd

git clone git@localhost:gitolite-admin
cd gitolite-admin/conf

Now we're mostly set, but no 'testing.git' repo is needed, so let's just delete it. This is also a showcase how to use the admin repo on the server, in case you manage to fuck up your workstation or ssh key, which we will setup later:

vim conf/gitolite.conf  ## remove 'repo testing' line and the one following it
git add -A .
git commit -m '-testing repo'
git push

In case the rhabarber of 'git config' stuff is annoying:

git config --global user.name root
git config --global user.email root@GITSERVER
git config --global push.default simple  ## adopting default behaviour is usually the way to go

So far, so good.

on deleting repositories

Repositories that existed but were deleted later on will still exist under `/var/lib/gitolite/repositories after deletion:

git@git-1:/var/lib/gitolite/$ gitolite list-repos
gitolite-admin
git@git-1:/var/lib/gitolite/$ gitolite list-phy-repos
gitolite-admin
testing

If you want it to be gone, simple delete the repo folder on disk.

adding your workstation key to gitolite, too?

Likely you want ssh access to root via key (you disable key logins for root in ssh, don't you?), so lets set this up and put the key into gitolite, too. I'll provide an example, my user is called 'sjas', of course.

On my workstation:

ssh-copy-id root@GITSERVER  ## in case you didn't do that already
scp ~/.ssh/id_rsa.pub root@GITSERVER:/root/gitolite-admin/keydir/sjas.pub
ssh root@GITSERVER
cd gitolite-admin

# ... now edit gitolite config... 
# ... see next section how I prefer doing things ...

git add -A .
git commit -m '+workstation key'
git push

splitting the gitolite.conf and groups

I prefer having two files, one for the group definitions, one for repositories. Here are how that these files would look like:

root@git-1:~/gitolite-admin/conf# tail -n +1 *
==> gitolite.conf <==
include "groups.conf"
include "repos.conf"

==> groups.conf <==
@sjas   = sjas
@admins = @sjas admin

==> repos.conf <==
repo    gitolite-admin
    RW+ = @admins admin
repo    ansible
    RW+ = @sjas

The @'s depict groups. Actually you can group users to usergroups and repositories to repository-groups, in case you'd ever need that.

Comments also do work, via #.

Only remember to first define a group prior to ever using it, and first cite the groupnames and then the users in group definitions. That is, on the right side after the equals sign, in case you have no idea what the last sentence meant.

On more about this, go here and here. There's way more you can do, but this should be everything as a bare minimum to do most work you'd ever need to do.

The official documentation looks rather sketchy at first, but is pretty good and all you need is covered there.

apache proxy ssl directives
posted on 2016-12-29 18:01

Likely you'd need these:

SSLEngine on
SSLProxyEngine on
SSLProxyVerify none 
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
SSLCertificateFile      CERTFILE
SSLCertificateKeyFile   PRIVKEY
SSLCACertificateFile    CACERTFILE
clustershell
posted on 2016-12-29 13:26

When needing to run commands on several servers over ssh, there's always that for-loop for you.

But you could also try running clustershell:

sjas@ws:~$ clush -w server-[01,02,05,11,12] -b hostname -f
---------------
server-01
---------------
server-01.some-domain.com
---------------
server-02
---------------
server-02.some-domain.com
---------------
server-05
---------------
server-05.some-domain.com
---------------
server-11
---------------
server-11.some-domain.com
---------------
server-12
---------------
server-12.some-domain.com

-b to use it non-interactively and to get the shown aggregated results (the hosts are colored), -w to specify the hosts. Use [ ] instead of { } like you would in bash.

-B also includes STDERR.

A problem you may run into, is when you try to run commands with pipes.

Further you can also predefine hostgroups and copy files from/to remote hosts. This is a rather nice tool.

notes on using vimdiff
posted on 2016-12-29 11:55

Bare minimum to do some work with it:

do - Get changes from other window into the current window.
dp - Put the changes from current window into the other window.

]c - Jump to the next change.
[c - Jump to the previous change.

Ctrl W + Ctrl W - Switch to the other split window.

If you load up two files in splits (:vs or :sp), you can do :diffthis on each window and achieve a diff of files that were already loaded in buffers. :diffoff can be used to turn off the diff mode.

Also helpful: :help copy-diffs, and this link here.

apache webdav configuration
posted on 2016-12-29 10:27

notes up front

  • don't use suexec. just don't.
  • you should be able to configure a vhost on your own, else the apache config will not be of use to you
  • we'll use ssl certifcates, too

setup

Load the apache modules:

a2enmod dav
a2enmod dav_fs

Create certificate:

cd /etc/apache2/ssl
openssl genrsa -out mydomain.de 1024  ## create private key
openssl req -new -key mydomain.de.key -out mydomain.de.csr  ## create certificate signing request
openssl x509 -in mydomain.de.csr  -out mydomain.de.crt -req -signkey mydomain.de.key -days 3650  ## create certificate
rm mydomain.de.csr 

Create a vhost config for your apache, and enable it:

<VirtualHost *:80>

        ServerName mydomain.de
        ServerAlias www.mydomain.de

        DocumentRoot /var/www/mydomain.de/htdocs

        <Directory /var/www/mydomain.de/htdocs/>
                Options Indexes MultiViews
                AllowOverride None
                Order allow,deny
                allow from all

                DAV on

                AuthType Basic
                AuthName DAV
                AuthUserFile /var/www/mydomain.de/.htpasswd
                Require valid-user
        </Directory>

        ErrorLog /var/www/mydomain.de/logs/error.log
        LogLevel warn
        CustomLog /var/www/mydomain.de/logs/access.log combined

</VirtualHost>

<VirtualHost *:443>

        ServerName mydomain.de
        ServerAlias www.mydomain.de

        DocumentRoot /var/www/mydomain.de/htdocs

        <Directory /var/www/mydomain.de/htdocs/>
                Options Indexes MultiViews
                AllowOverride None
                Order allow,deny
                allow from all

                DAV on

                AuthType Basic
                AuthName DAV
                AuthUserFile /var/www/mydomain.de/.htpasswd
                Require valid-user
        </Directory>

        ErrorLog /var/www/mydomain.de/logs/error.log
        LogLevel warn
        CustomLog /var/www/mydomain.de/logs/access.log combined

        sslengine on
        sslcertificatefile      /etc/apache2/ssl/mydomain.de.crt
        sslcertificatekeyfile   /etc/apache2/ssl/mydomain.de.key

</VirtualHost>

Create a htpasswd file:

htpasswd -c /var/www/mydomain.de/.htpasswd USERNAME

USERNAME and the password you'll enter will be your access credentials.

testing (on linux)

apt install -y cadaver
cadaver https://mydomain.de

Then your are promted for entering the user credentials. ls and help should help you onwards then.

using it with windows

Since this is a setup with SSL (doensn't make much sense to use plain http from my POV), you'll need to import the certifate (mydomain.de.crt) in windows.

Else you will get an error along the lines of Mutual Authentication Failed. The Server's Password Is Out Of Date At The Domain Controller.

It needs to go there: (in windows)

  • win + r
  • certmgr.msc
  • enter
  • trusted root certificates
  • certificates
ubuntu 10.04 change ulimit
posted on 2016-12-27 16:31

When trying to change the ulimit setting for open files this did not work system-wide by changing the /etc/security/limits.conf:

root@server:~# grep -v ^# /etc/security/limits.conf 


* soft nofile 4096
* hard nofile 10240

The only solution was to change the init script of the service needing more open files.

In my case it was a tomcat:

...

case "$1" in
  start)
        ulimit -n 10240

...

That way both the hard and the soft limit gets set to 10240, instead of setting them separately via -Hn and -Sn.

Of course (haha) you need to have enough capability to allow that many files systemwide, either put it into /etc/sysctl.conf and do sysctl -p or just do:

sysctl -w fs.file-max=1000000

Related bug report here.

proxmox delete and recreate cluster
posted on 2016-12-21 22:48

In case you have the questionable idea of renaming a hypervisor of your proxmox cluster, you are going to feel some pain. (It won't work and you will get scared wether you fucked your system landscape up or not. Been there, done that.)

The only viable and reproducible approach I found was removing all cluster configurations from all HV's, rebooting them, then recreating the cluster on one HV and readding all the others again.

read this, or continue at your own peril

To sum it up again, some notes before:

  • tested with proxmox 4.4
  • do all the next steps on all hosts
  • rebooting is neccessary aftwards, of all hv's. maybe not, but at least the first node had to be rebooted
  • the sqlite output, if any is shown, should only appear once
  • working ssh between your hv's is neccessary, errors or warning will prevent you from readding nodes after the cluster recreation
  • backup /etc/pve before doing anything, as you will lose all your vm configurations in the process, but these can be copied back afterwards.
  • no guarantee that this post will cover everything

howto remove all clusterconfigs

Let's go: (this is completely paste-able)

# backup
cp -va /etc/pve /root

systemctl stop pvestatd.service
systemctl stop pvedaemon.service
systemctl stop pve-cluster.service
systemctl stop corosync
systemctl stop pve-cluster
pmxcfs -l
rm /etc/pve/corosync.conf
rm /etc/corosync/*
rm /var/lib/corosync/*
rm -rf /etc/pve/nodes/*
sqlite3 /var/lib/pve-cluster/config.db "select * from tree where name='corosync.conf'"
sqlite3 /var/lib/pve-cluster/config.db "delete from tree where name='corosync.conf'"
sqlite3 /var/lib/pve-cluster/config.db "select * from tree where name='corosync.conf'"

Check for error messages, then:

reboot

Recreate the cluster on the first HV: (or whichever one you see fit)

pvecm create CLUSTER-NAME

Then readd all other HVs to your newly created cluster. From each of them, do:

#test ssh
ssh IP-OF-FIRST-HV

if that does work, add, else see below how to troubleshoot
pvecm add IP-OF-FIRST-HV

troubleshooting SSH issues

Adding nodes works best with keyauth (Don't know wether I ever tried it without, to be honest, but I doubt it works.). In case you have reinstalled a node or something, try connecting via ssh from the host in question to your 'first' hv.

Read the error message closely, as known hosts are stored in /etc/ssh/ssh_known_hosts, not ~/.ssh/known_hosts:

# in case you have trouble on a certain host
> /root/.ssh/known_hosts
> /etc/ssh/ssh_known_hosts
ssh-copy-id FIRST_HV

As said before, ssh errors or warnings won't let you add vm's to a cluster.

browser not working

Once you have completed the stuff above, close all browsertabs you had opened to access your cluster. Simply refreshing them does not seem to work.

finishing touches (fix your vms before you become stressed out)

When looking at the webgui, you might become scared, as all your virtual hosts seem to be missing. This happens with VM's, but I guess the same happens with Containers, too.

In fact, we worked on proxmox cluster filesystem where it stores a lot of its settings, which gets mounted at /etc/pve aftwards. Which happens to be stored completely under /var/lib/pve-cluster/config.db as a sqlite3 database.

There all file contents (the actual character that get written into the config file(s)), the inode of the file that shall be created, along with the folder structure etc. etc. .

Once your cluster is running, try diff / colordiff to spot the exact differences. (I.e. colordiff /root/pve /etc/pve to see the file contents) Or a simple find /root/pve -iname "*conf" might also do.

Copy the configs back to their original locations, and everything should be fine.

Next

This blog covers .csv, .htaccess, .pfx, .vmx, /etc/crypttab, /etc/network/interfaces, /etc/sudoers, /proc, 10.04, 14.04, AS, ASA, ControlPanel, DS1054Z, GPT, HWR, Hyper-V, IPSEC, KVM, LSI, LVM, LXC, MBR, MTU, MegaCli, PHP, PKI, R, RAID, S.M.A.R.T., SNMP, SSD, SSL, TLS, TRIM, VEEAM, VMware, VServer, VirtualBox, Virtuozzo, XenServer, acpi, adaptec, algorithm, ansible, apache, apachebench, apple, arcconf, arch, architecture, areca, arping, asa, asdm, awk, backup, bandit, bar, bash, benchmarking, binding, bitrate, blackarmor, blowfish, bochs, bond, bonding, booknotes, bootable, bsd, btrfs, buffer, c-states, cache, caching, ccl, centos, certificate, certtool, cgdisk, cheatsheet, chrome, chroot, cisco, clamav, cli, clp, clush, cluster, coleslaw, colorscheme, common lisp, console, container, containers, controller, cron, cryptsetup, csync2, cu, cups, cygwin, d-states, database, date, db2, dcfldd, dcim, dd, debian, debug, debugger, debugging, decimal, desktop, df, dhclient, dhcp, diff, dig, display manager, dm-crypt, dmesg, dmidecode, dns, docker, dos, drivers, dtrace, dtrace4linux, du, dynamictracing, e2fsck, eBPF, ebook, efi, egrep, emacs, encoding, env, error, ess, esx, esxcli, esxi, ethtool, evil, expect, exportfs, factory reset, factoryreset, fail2ban, fbsd, fedora, file, filesystem, find, fio, firewall, firmware, fish, flashrom, forensics, free, freebsd, freedos, fritzbox, fsck, fstrim, ftp, ftps, g-states, gentoo, ghostscript, git, git-filter-branch, github, gitolite, gnutls, gradle, grep, grub, grub2, guacamole, hardware, haskell, hdd, hdparm, hellowor, hex, hexdump, history, howto, htop, htpasswd, http, httpd, https, i3, icmp, ifenslave, iftop, iis, imagemagick, imap, imaps, init, innoDB, inodes, intel, ioncube, ios, iostat, ip, iperf, iphone, ipmi, ipmitool, iproute2, ipsec, iptables, ipv6, irc, irssi, iw, iwconfig, iwlist, iwlwifi, jailbreak, jails, java, javascript, javaws, js, juniper, junit, kali, kde, kernel, keyremap, kill, kpartx, krypton, lacp, lamp, languages, ldap, ldapsearch, less, leviathan, liero, lightning, links, linux, linuxin3months, lisp, list, lmctfy, loadbalancing, locale, log, logrotate, looback, loopback, losetup, lsblk, lsi, lsof, lsusb, lsyncd, luks, lvextend, lvm, lvm2, lvreduce, lxc, lxde, macbook, macro, magento, mailclient, mailing, mailq, manpages, markdown, mbr, mdadm, megacli, micro sd, microsoft, minicom, mkfs, mktemp, mod_pagespeed, mod_proxy, modbus, modprobe, mount, mouse, movement, mpstat, multitasking, myISAM, mysql, mysql 5.7, mysql workbench, mysqlcheck, mysqldump, nagios, nas, nat, nc, netfilter, networking, nfs, nginx, nmap, nocaps, nodejs, numberingsystem, numbers, od, onyx, opcode-cache, openVZ, openlierox, openssl, openvpn, openvswitch, openwrt, oracle linux, org-mode, os, oscilloscope, overview, parallel, parameter expansion, parted, partitioning, passwd, patch, pdf, performance, pfsense, php, php7, phpmyadmin, pi, pidgin, pidstat, pins, pkill, plesk, plugin, posix, postfix, postfixadmin, postgres, postgresql, poudriere, preview, profiling, prompt, proxmox, ps, puppet, pv, pvecm, pvresize, python, qemu, qemu-img, qm, qmrestore, quicklisp, r, racktables, raid, raspberry pi, raspberrypi, raspbian, rbpi, rdp, redhat, redirect, registry, requirements, resize2fs, rewrite, rewrites, rhel, rigol, roccat, routing, rs0485, rs232, rsync, s-states, s_client, samba, sar, sata, sbcl, scp, screen, scripting, seafile, seagate, security, sed, serial, serial port, setup, sftp, sg300, shell, shopware, shortcuts, showmount, signals, slattach, slip, slow-query-log, smbclient, snmpget, snmpwalk, software RAID, software raid, softwareraid, sophos, spacemacs, spam, specification, speedport, spi, sqlite, squid, ssd, ssh, ssh-add, sshd, ssl, stats, storage, strace, stronswan, su, submodules, subzone, sudo, sudoers, sup, swaks, swap, switch, switching, synaptics, synergy, sysfs, systemd, systemtap, tar, tcpdump, tcsh, tee, telnet, terminal, terminator, testdisk, testing, throughput, tmux, todo, tomcat, top, tput, trafficshaping, ttl, tuning, tunnel, tunneling, typo3, uboot, ubuntu, ubuntu 16.04, udev, uefi, ulimit, uname, unetbootin, unit testing, upstart, uptime, usb, usbstick, utf8, utm, utm 220, ux305, vcs, vgchange, vim, vimdiff, virtualbox, virtualization, visual studio code, vlan, vmstat, vmware, vnc, vncviewer, voltage, vpn, vsphere, vzdump, w, w701, wakeonlan, wargames, web, webdav, weechat, wget, whois, wicd, wifi, windowmanager, windows, wine, wireshark, wpa, wpa_passphrase, wpa_supplicant, x2x, xfce, xfreerdp, xmodem, xterm, xxd, yum, zones, zsh

View posts from 2017-01, 2016-12, 2016-11, 2016-10, 2016-09, 2016-08, 2016-07, 2016-06, 2016-05, 2016-04, 2016-03, 2016-02, 2016-01, 2015-12, 2015-11, 2015-10, 2015-09, 2015-08, 2015-07, 2015-06, 2015-05, 2015-04, 2015-03, 2015-02, 2015-01, 2014-12, 2014-11, 2014-10, 2014-09, 2014-08, 2014-07, 2014-06, 2014-05, 2014-04, 2014-03, 2014-01, 2013-12, 2013-11, 2013-10


Unless otherwise credited all material Creative Commons License by sjas