See: encfs
Plenty of guides online.
Saturday, 11 October 2014
Friday, 19 September 2014
Mount a Linux ext3/ext4 partition read-only from within Mac OS
http://diesistmein.name/?p=30
or some variation.
Might help: http://osxdaily.com/2014/03/20/mount-ext-linux-file-system-mac/
Friday, 15 August 2014
OpenVPN version 2.3.2: using new easyrsa mechanism for multiple users
- Server (CA) setup
- ./easyrsa init-pki
- don't do this twice! init-pki wipes the existing pki/ directory, CA key included
- ./easyrsa build-ca
- User key and cert signing request on a completely separate machine, so the private key never leaves it
- ./easyrsa init-pki
- don't do this twice!
- ./easyrsa gen-req myuser
- send only myuser.req to the CA; myuser.key stays where it was generated
- Server (CA) signs the user cert req
- ./easyrsa import-req myuser.req myuser
- ./easyrsa sign-req client myuser
- hand the signed cert (pki/issued/myuser.crt) and pki/ca.crt back to the user
Any client presenting a cert signed by the CA may connect to the server. The OpenVPN server keeps no per-user record: it validates the client cert against ca.crt, and the CA's signature is authority enough (the CA itself does keep a copy under pki/issued and an entry in pki/index.txt, which is what revocation later needs).
Only if a user cert needs to be revoked does server-side state come into play: the CA revokes the cert (./easyrsa revoke myuser), regenerates the revocation file (./easyrsa gen-crl produces pki/crl.pem) and the OpenVPN server is pointed at that file with crl-verify; from then on that user is refused. If no users need to be revoked, nothing needs to be done and nothing about users needs to exist on the server side. The flip side: until a CRL is in place, a leaked cert or a departed user's cert keeps working for as long as it is valid.
https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto
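As an added example (mine, not from the post and not easyrsa's own code), the same trust model reproduced with plain openssl in a temp directory: a CA, a client cert signed by it, a "rogue" cert with the same CN signed by someone else's CA, and a CRL. cert_accepted is what the OpenVPN server effectively does with ca.crt plus crl.pem: chain check, then CRL check. The CA name, the user name myuser and the rogue CA are made-up values; the minimal ca.cnf stands in for the pki/ state easyrsa keeps.

```shell
#!/bin/sh
# Added example, not from the original post. Requires the openssl CLI.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# 1. CA, the equivalent of ./easyrsa build-ca (made-up name).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/CN=Example VPN CA" -keyout ca.key -out ca.crt >/dev/null 2>&1

# 2. User side (the "separate machine"): key + CSR, like ./easyrsa gen-req myuser.
openssl req -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=myuser" -keyout myuser.key -out myuser.req >/dev/null 2>&1

# 3. CA signs the request, like ./easyrsa sign-req client myuser.
openssl x509 -req -days 365 -sha256 -in myuser.req \
  -CA ca.crt -CAkey ca.key -CAcreateserial -out myuser.crt >/dev/null 2>&1

# 4. Rogue cert: same CN, but signed by a CA the server has never heard of.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/CN=Rogue CA" -keyout rogue-ca.key -out rogue-ca.crt >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=myuser" -keyout rogue.key -out rogue.req >/dev/null 2>&1
openssl x509 -req -days 365 -sha256 -in rogue.req \
  -CA rogue-ca.crt -CAkey rogue-ca.key -CAcreateserial -out rogue.crt >/dev/null 2>&1

# Minimal CA database so "openssl ca" can revoke and issue a CRL.
# easyrsa keeps the same kind of state in pki/index.txt and pki/crl.pem.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = vpnca
[ vpnca ]
database = index.txt
crlnumber = crlnumber
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_crl_days = 30
EOF
touch index.txt
echo 01 > crlnumber

# The "revocation file": like ./easyrsa gen-crl.
gen_crl() {
  openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
}

# What the OpenVPN server does with ca.crt and (via crl-verify) crl.pem:
# validate the chain, then check the CRL. Exit status 0 means accepted.
cert_accepted() {
  openssl verify -CAfile ca.crt -crl_check -CRLfile crl.pem "$1" >/dev/null 2>&1
}

# Like ./easyrsa revoke <name> followed by ./easyrsa gen-crl.
revoke_cert() {
  openssl ca -config ca.cnf -revoke "$1" >/dev/null 2>&1
  gen_crl
}

gen_crl   # an empty CRL, so the server-side check has something to consult

if cert_accepted myuser.crt; then echo "myuser.crt: accepted (signed by our CA, not revoked)"; fi
if ! cert_accepted rogue.crt; then echo "rogue.crt: rejected (same CN, wrong CA)"; fi
revoke_cert myuser.crt
if ! cert_accepted myuser.crt; then echo "myuser.crt: rejected after revocation"; fi
```

Note that nothing about myuser was registered on the "server" before the first check succeeded; the signature alone carried it. Also note that without the CRL step the revoked cert would still validate, which is exactly the gap crl-verify closes on the OpenVPN server.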
Wednesday, 6 August 2014
Very fast editing over sshfs
Update: this can cause some of your ssh sessions to hang, so be aware of that.
Add this to your ~/.ssh/config
Host myserver.mydomain.com
ControlMaster auto
ControlPath /tmp/%r@%h:%p
The ControlPath socket is what every later session piggybacks on, so it belongs in a directory other users cannot write to; /tmp works, but ~/.ssh/sockets (mode 700) is the safer home and is what the ssh_config manual recommends. Keep %r, %h and %p (or %C) in the path so sessions to different users or hosts never share a socket.
Then, say you have root access via your ssh pub key
mkdir tmp001
sshfs -o uid=1000 root@myserver.mydomain.com:/var/www tmp001
Now, the files in tmp001 map to your remote /var/www directory, and access to them goes over the one master ssh session that the socket in /tmp refers to, i.e. every interaction is performed over the same ssh connection. The uid=1000 option only changes the owner that stat shows on your side; on the server everything still happens as root.
To see the socket file, if you just opened the sshfs session in the last 10 mins
find /tmp -mmin -10 -ls
Friday, 1 August 2014
AWS cli: rework EBS volume on AMI launch: switch to SSD, "delete on termination" to true
A non-root volume added through a block-device mapping keeps DeleteOnTermination at false unless the mapping says otherwise, so the volume, and the data on it, outlives the instance and keeps costing money. The mapping is JSON, so DeleteOnTermination is the boolean true, not the string "true". ami-aaaaaa, sg-eeeeeeee, subnet-cccccccc and snap-6 are placeholders.
aws ec2 run-instances --image-id ami-aaaaaa --instance-type hi1.4xlarge --security-group-ids sg-eeeeeeee --subnet-id subnet-cccccccc --block-device-mappings '[ { "DeviceName":"/dev/sdb", "VirtualName":"ephemeral0" }, { "DeviceName":"/dev/sdc", "VirtualName":"ephemeral1" }, { "DeviceName":"/dev/sdd", "Ebs": { "SnapshotId":"snap-6", "VolumeType":"gp2", "DeleteOnTermination":true } } ]' --region us-east-1
Switch to high IOPS (io1 requires an explicit Iops value; gp2 does not take one)
aws ec2 run-instances --image-id ami-aaaaaa --instance-type hi1.4xlarge --security-group-ids sg-eeeeeeee --subnet-id subnet-cccccccc --block-device-mappings '[ { "DeviceName":"/dev/sdb", "VirtualName":"ephemeral0" }, { "DeviceName":"/dev/sdc", "VirtualName":"ephemeral1" }, { "DeviceName":"/dev/sdd", "Ebs": { "SnapshotId":"snap-6", "VolumeType":"io1", "Iops":4000, "DeleteOnTermination":true } } ]' --region us-east-1
Labels: alter, ami, aws, delete, ec2, existing, run-instances, snapshot, termination, volume
Monday, 28 July 2014
Change graphite's default dashboard graph colors
- cp -v /opt/graphite/conf/graphTemplates.conf.example /opt/graphite/conf/graphTemplates.conf
- vi /opt/graphite/conf/graphTemplates.conf
- change '[default]' section to '[uggs]'
- change another section, e.g. '[solarized-dark]', to '[default]'
- reload dashboard and you should see changed colors
Wednesday, 23 July 2014
Ganglia on Amazon Linux (and other RedHat derivatives)
The below is for setting up unicast, not multicast. AWS does not support multicast networking.
Key concepts: a gmond daemon runs on every server and collects that server's stats (it is C code); the data lives only in gmond's memory. Many gmonds can send their data on to one central gmond to hold, call this a gmond "bank"; the "bank" likewise keeps the stats in memory only. gmetad then collects the data from the gmond "banks" and writes it into rrd files on disk; the web interface reads those rrd files, and it usually runs on the same server as gmetad.
Cluster name: the cluster name is the key that groups data as it travels from gmond to gmond and then on to gmetad. data_source is how gmetad finds the "banks"; and, by the way, you can list redundant "banks" for one cluster's data_source.
Getting rid of multicast settings: comment out every multicast reference in gmond.conf: bind_hostname, mcast_join, bind. Comment them all out.
UDP vs TCP, and port 8649: port 8649 is the default. UDP on port 8649 carries gmond-to-gmond traffic; it is unauthenticated, so anything that can reach a "bank" can feed it metrics, which is why the udp_recv_channel should be fenced with a security group or a gmond acl block. TCP on port 8649 is what gmetad uses to pull data from the "banks", and deserves the same fencing. Run "tcpdump -i any -nn port 8649" ALL THE TIME ON EVERY SERVER in a separate terminal when debugging.
Source: http://www.admin-magazine.com/HPC/Articles/Monitoring-HPC-Systems
- mkdir ganglia_rpms
- cd ganglia_rpms/
- wget http://vuksan.com/centos/RPMS-6/x86_64/ganglia-gmond-3.6.0-1.x86_64.rpm
- wget http://vuksan.com/centos/RPMS-6/x86_64/libganglia-3.6.0-1.x86_64.rpm
- wget http://vuksan.com/centos/RPMS-6/x86_64/ganglia-debuginfo-3.6.0-1.x86_64.rpm
- wget http://vuksan.com/centos/RPMS-6/x86_64/ganglia-devel-3.6.0-1.x86_64.rpm
- wget http://vuksan.com/centos/RPMS-6/x86_64/ganglia-gmetad-3.6.0-1.x86_64.rpm
- wget http://vuksan.com/centos/RPMS-6/x86_64/ganglia-gmond-modules-python-3.6.0-1.x86_64.rpm
- wget http://vuksan.com/centos/RPMS-6/x86_64/libconfuse-2.6-2.el6.rf.x86_64.rpm
- wget http://vuksan.com/centos/RPMS-6/x86_64/libconfuse-devel-2.6-2.el6.rf.x86_64.rpm
- yum localinstall ganglia-*.rpm lib*.rpm
- yum install httpd
- yum install php
- cd
- mkdir ganglia-web-dev
- cd ganglia-web-dev/
- wget http://downloads.sourceforge.net/project/ganglia/ganglia-web/3.5.12/ganglia-web-3.5.12.tar.gz
- tar zxvf ganglia-web-3.5.12.tar.gz
- cd ganglia-web-3.5.12
- vi Makefile
- GDESTDIR = /var/www/html/ganglia
- APACHE_USER = apache
- make install
- cp apache.conf /etc/httpd/conf.d/ganglia.conf
- vi /etc/httpd/conf.d/ganglia.conf
- replace /usr/share/ganglia-webfrontend with /var/www/html/ganglia (the GDESTDIR set above)
- service httpd start
- setenforce 0
- not needed on Amazon Linux; on a host that does run SELinux this puts the whole system in permissive mode until reboot, so treat it as a debugging step and give the web directory the right httpd context instead of leaving enforcement off
- vi /etc/ganglia/gmond.conf
- vi /etc/ganglia/gmetad.conf
- service gmond start
- service gmetad start
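As an added example (mine, not the post's files and not the Ganglia project's stock config), the unicast gmond.conf and gmetad.conf that the concepts above describe. Assumed values: the cluster is called mycluster, the "bank" is 10.0.0.5 with a redundant bank at 10.0.0.6, gmetad runs on 10.0.0.5, and every node sits in 10.0.0.0/8.

```conf
/* /etc/ganglia/gmond.conf, unicast. Assumed addresses; added example, not the stock file. */
globals {
  daemonize = yes
  setuid = yes
  user = ganglia
  deaf = no                     /* deaf = yes on ordinary nodes: they only send, never store */
  send_metadata_interval = 30   /* unicast needs this > 0, or a restarted bank never learns metric metadata */
}
cluster {
  name = "mycluster"            /* must equal the data_source name in gmetad.conf */
}
udp_send_channel {
  host = 10.0.0.5               /* the "bank"; add a second udp_send_channel for 10.0.0.6 for redundancy */
  port = 8649
  ttl = 1
}
/* Only the banks need the two receive blocks below. */
udp_recv_channel {
  port = 8649
  acl {                         /* UDP is unauthenticated: accept stats only from our own address space */
    default = "deny"
    access {
      ip = 10.0.0.0
      mask = 8
      action = "allow"
    }
  }
}
tcp_accept_channel {
  port = 8649
  acl {                         /* only the gmetad host may pull the whole cluster's data */
    default = "deny"
    access {
      ip = 10.0.0.5
      mask = 32
      action = "allow"
    }
  }
}

# /etc/ganglia/gmetad.conf on 10.0.0.5 (assumed). Both banks listed: gmetad tries them in order.
data_source "mycluster" 10.0.0.5:8649 10.0.0.6:8649
```

The acl blocks are the gmond-side answer to the "anything that can reach port 8649 can feed or read it" problem; on AWS the security group on UDP/TCP 8649 does the same job at the network edge, and having both costs nothing.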
Tuesday, 8 July 2014
Latest graphite on Amazon Linux at AWS
- yum update -y;reboot
- yum -y groupinstall "Development Tools"
- yum -y install git-core python-pip mlocate
- yum -y install python-rrdtool pycairo-devel
- mkdir -p /root/graphite-install
- cd /root/graphite-install
- git clone https://github.com/graphite-project/carbon.git
- git clone https://github.com/graphite-project/whisper.git
- git clone https://github.com/graphite-project/ceres
- git clone https://github.com/graphite-project/graphite-web.git
- cd /root/graphite-install/whisper
- git checkout 0.9.x
- python setup.py install
- cd /root/graphite-install/ceres
- # only has master branch, but it works with others
- pip install -r requirements.txt
- python setup.py install
- cd /root/graphite-install/carbon
- git checkout 0.9.x
- pip install -r requirements.txt
- python setup.py install
- cd /root/graphite-install/graphite-web
- git checkout 0.9.x
- yum install libffi-devel -y # some developer broke things, add this
- pip install -r requirements.txt
- python check-dependencies.py
- python setup.py install
- cp -v /opt/graphite/conf/carbon.conf.example /opt/graphite/conf/carbon.conf
- cp -v /opt/graphite/conf/storage-schemas.conf.example /opt/graphite/conf/storage-schemas.conf
- cp -v /opt/graphite/conf/storage-aggregation.conf.example /opt/graphite/conf/storage-aggregation.conf
- cp -v /opt/graphite/webapp/graphite/local_settings.py.example /opt/graphite/webapp/graphite/local_settings.py
- cp -v /opt/graphite/conf/graphite.wsgi.example /opt/graphite/conf/graphite.wsgi
- vi /opt/graphite/webapp/graphite/local_settings.py
- set SECRET_KEY to a long random value; Django signs sessions and CSRF tokens with it, so the example value must not stay in place
- uncomment DATABASE section
- add these lines to /root/.bash_profile
- export GRAPHITE_ROOT=/opt/graphite
- export PYTHONPATH=$GRAPHITE_ROOT/webapp:$GRAPHITE_ROOT/whisper
- source /root/.bash_profile
- django-admin.py syncdb --settings=graphite.settings
- yum -y install httpd24 mod24_wsgi
- mkdir /etc/httpd/vhosts.d
- add to end of /etc/httpd/conf/httpd.conf
- IncludeOptional vhosts.d/*.conf
- create /etc/httpd/vhosts.d/graphite.conf with the vhost below (replace the @DJANGO_ROOT@ placeholder with the path of your installed django package)
- mkdir /var/run/wsgi;chmod -v 777 /var/run/wsgi
- the socket directory only has to be writable by the user the WSGI daemon runs as (apache); making apache its owner is tighter than 777
- apachectl -S
- check for errors
- service httpd start
- /opt/graphite/bin/carbon-cache.py start
- find /opt/graphite/storage -type d -exec chmod -v 777 {} \;
- find /opt/graphite/storage -type f -exec chmod -v 666 {} \;
- world-writable is the quick fix; what actually needs write access is the user carbon-cache runs as (root, in this walk-through) plus the apache user for the webapp's index and log files under storage, so a group or owner change is the tighter option
- echo '127.0.1.3 graphite' >> /etc/hosts
- curl -I http://graphite
- on local machine
- make same /etc/hosts entry
- port forward 127.0.1.3:8081 to remote-server:80
- curl -I http://graphite:8081
- END
WSGISocketPrefix /var/run/wsgi
<VirtualHost *:80>
ServerName graphite
DocumentRoot "/opt/graphite/webapp"
ErrorLog logs/webapp_error.log
CustomLog logs/webapp_access.log common
WSGIDaemonProcess graphite processes=5 threads=5 display-name='%{GROUP}' inactivity-timeout=120
WSGIProcessGroup graphite
WSGIApplicationGroup %{GLOBAL}
WSGIImportScript /opt/graphite/conf/graphite.wsgi process-group=graphite application-group=%{GLOBAL}
WSGIScriptAlias / /opt/graphite/conf/graphite.wsgi
Alias /content/ /opt/graphite/webapp/content/
<Location "/content/">
SetHandler None
Require all granted
</Location>
Alias /media/ "@DJANGO_ROOT@/contrib/admin/media/"
<Location "/media/">
SetHandler None
Require all granted
</Location>
<Directory /opt/graphite/conf/>
Require all granted
</Directory>
</VirtualHost>
Saturday, 14 June 2014
Thursday, 5 June 2014
OpenVPN: push all LAN traffic through an OpenVPN client to the other side
- Local variables for this post, adjust to fit your setup:
- LAN address of the machine running the OpenVPN client (it becomes the LAN's gateway to the remote network)
- 192.168.1.200
- Remote network
- 172.16.1.0/24
- Add this on the OpenVPN client machine. MASQUERADE lives in the nat table, so -t nat is required (without it iptables complains that the POSTROUTING chain does not exist, because it is looking in the filter table). Masquerading behind the tun0 address also means the remote side needs no return route for 192.168.1.0/24:
- sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
- as root user, do
- echo 1 > /proc/sys/net/ipv4/ip_forward
- Add this on your local computer (each LAN host that should reach the remote network)
- Linux:
- ip route add 172.16.1.0/24 via 192.168.1.200
- Mac:
- route -n add 172.16.1.0/24 192.168.1.200
NOTE: take a look at /etc/sysctl.conf if you want ip_forward to survive reboots of the client machine: net.ipv4.ip_forward=1. Once forwarding is on, that machine routes for anyone who sends packets through it, so keep its FORWARD chain limited to LAN sources going out tun0 (and replies coming back) rather than an accept-everything policy.
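As an added example (mine, not from the post), the NAT rule above together with the restricted FORWARD chain it should travel with, in iptables-restore format. Assumed: eth0 is the LAN interface of the OpenVPN client machine and the addresses are the ones used above.

```text
# Added example, not from the post. Load with: iptables-restore < this-file
# Assumes eth0 = LAN side, tun0 = OpenVPN side, 192.168.1.0/24 = LAN, 172.16.1.0/24 = remote network.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# the post's rule: LAN hosts appear to the remote side as the tun0 address
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# forward only LAN -> remote network over the tunnel ...
-A FORWARD -i eth0 -s 192.168.1.0/24 -o tun0 -d 172.16.1.0/24 -j ACCEPT
# ... and the replies to those flows; nothing else gets routed through this box
-A FORWARD -i tun0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
```

The FORWARD policy of DROP is the part that matters: with ip_forward=1 and the default ACCEPT policy, the machine will happily route between any two interfaces for any source that points a route at it.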
Thursday, 29 May 2014
Wednesday, 28 May 2014
unbound: default to Google's DNS
Everything not answered locally is forwarded, in the clear over UDP, to Google's resolvers:
forward-zone:
name: "."
forward-addr: 8.8.8.8
forward-addr: 8.8.4.4
unbound: custom records
interface: 0.0.0.0 listens on every address, so the access-control line is what keeps this from being an open resolver: unbound refuses queries from any source it has not been told to allow (only localhost is allowed by default).
server:
verbosity: 1
interface: 0.0.0.0
access-control: 10.0.0.0/8 allow
local-zone: "mydomain.internal" static
local-data: "app01.mydomain.internal IN A 10.0.0.10"
local-data: "app02.mydomain.internal IN A 10.0.0.11"
local-data: "biggie01.mydomain.internal IN A 10.0.0.12"
local-data: "mysql01.mydomain.internal IN A 10.0.0.20"
local-data: "mysql02.mydomain.internal IN A 10.0.0.31"
local-data: "apache01.mydomain.internal IN A 10.0.0.200"
Zenoss: CLI discovery and remodel
Become the zenoss user first
su - zenoss
Remodel a bunch
for i in server1 server2 server3;do zenmodeler run --now -d $i;done
Discover a bunch
for i in server1 server2 server3;do zendisc run --deviceclass=/Server/Linux --device=$i;done
Sunday, 25 May 2014
Thunderbird version 24.x.y: message layout
I'm pretty certain this is impossible to find.
Preferences -> Layout -> Classic/Wide/Vertical View
Wednesday, 23 April 2014
gnupg
- create
- gpg --gen-key
- if entropy is taking too long
- sudo apt-get install rng-tools
- note your key ID from the output
- pub 4096R/B110C232 2014-04-23
- here it is: B110C232
- that 8-hex-digit form is the short key ID, the last 32 bits of the fingerprint; short IDs are cheap to collide, so when someone else needs to fetch or trust your key give them the full fingerprint (what gpg --fingerprint prints), not the short ID
- push
- gpg --send-keys --keyserver keyserver.ubuntu.com B110C232
- replace B110C232 with the key ID output from above
- more to come
Thursday, 20 February 2014
Puppet 3.1.1 using Ruby 1.9.3 on Amazon Linux
- yum -y remove ruby
- yum -y install ruby19
- gem install --no-rdoc --no-ri puppet --version=3.1.1
- /usr/local/bin/puppet -V
- add /usr/local/bin to $PATH of users that need it
- vi /usr/local/share/gems1.9/gems/facter-1.7.5/lib/facter/ec2.rb
- change line 28 to:
- if (Facter::Util::EC2.can_connect?)
- Reference: http://projects.puppetlabs.com/issues/7559
- existing line 28 is much longer
- yum -y install ruby19-devel
- yum -y groupinstall "Development Tools"
- gem install --no-rdoc --no-ri ruby-shadow
Friday, 24 January 2014
Change email contents display font size of Thunderbird
Thunderbird's email contents display appears to act like a web browser, so hitting Ctrl and the '-'/'+' keys shrinks/enlarges the font size.
Note: this is not explained anywhere, and the preferences all change a different setting, AFAIK
Friday, 17 January 2014
MacBook and Openbox: mimic keyboard shortcut Cmd-tab application switcher
<keybind key="W-Tab">
<action name="NextWindow">
<allDesktops>yes</allDesktops>
<finalactions>
<action name="Focus"/>
<action name="Raise"/>
<action name="Unshade"/>
</finalactions>
</action>
</keybind>
<keybind key="W-S-Tab">
<action name="PreviousWindow">
<finalactions>
<action name="Focus"/>
<action name="Raise"/>
<action name="Unshade"/>
</finalactions>
</action>
</keybind>
Macbook Air and Openbox: copy the Spotlight(TM) keyboard shortcut
<keybind key="W-space">
<action name="Execute">
<command>dmenu_run</command>
</action>
</keybind>
apt-get install suckless-tools
LXC and Puppet dev env in 60 seconds
- lxc-create -n puppetmaster01 -t debian
- lxc-create -n puppetclient01 -t debian
- /etc/default/lxc-net
- find the subnet defined by LXC_NETWORK
- vi /var/lib/lxc/puppetmaster01/config
- add an IP address ending in .100 on that subnet
- for example, lxc.network.ipv4 = 10.0.1.100/24
- vi /var/lib/lxc/puppetclient01/config
- add an IP address ending in .101 on that subnet
- for example, lxc.network.ipv4 = 10.0.1.101/24
- lxc-start -d -n puppetmaster01
- don't forget the "-d" or you'll be stuck in a tty session
- lxc-start -d -n puppetclient01
- lxc-attach -n puppetmaster01
- apt-get install puppetmaster
- lxc-attach -n puppetclient01
- apt-get install puppet
- vi /etc/hosts and add an entry "puppet" pointing at the puppetmaster01 address (10.0.1.100 in the example); the agent looks for a master named "puppet" by default
- on the host, not in a container (it works around DHCP replies reaching containers with bad UDP checksums because of checksum offload on lxcbr0):
- sudo iptables -t mangle -A POSTROUTING -o lxcbr0 -p udp --dport bootpc -j CHECKSUM --checksum-fill
- refresh the container's IP
- stop and start the container,
- or kill the existing dhclient process in the container and run dhclient by hand
- pkill dhclient
- dhclient -v eth0
- If that doesn't help your container get an IP address from dnsmasq
- delete the iptables rule you just created
- iptables -L -t mangle -n --line-numbers
- shows the existing rule numbers in the left column
- iptables -t mangle -D POSTROUTING <rule #>
- for example, iptables -t mangle -D POSTROUTING 1
Sunday, 5 January 2014
Macbook Air and Openbox: Raise/Lower Volume, Up/Down Brightness
<keybind key="XF86KbdBrightnessUp">
<action name="Execute">
<command>xbacklight +10</command>
</action>
</keybind>
<keybind key="XF86KbdBrightnessDown">
<action name="Execute">
<command>xbacklight -10</command>
</action>
</keybind>
<keybind key="XF86AudioRaiseVolume">
<action name="Execute">
<command>amixer -c 0 set Master 2dB+</command>
</action>
</keybind>
<keybind key="XF86AudioLowerVolume">
<action name="Execute">
<command>amixer -c 0 set Master 2dB-</command>
</action>
</keybind>