Debian/Ubuntu Tips and Tricks

Debuntu

Archive for the 'Administration' Category

How-tos on administration: how to make your system run smoothly, and tips and tricks for getting over common troubles.

How-To: Bash Parameter Expansion and Default Values

Posted by chantra on 28th January 2013

Bash is a sh-compatible command language interpreter that executes commands read from the standard input or from a file.
There is much more to bash than running a sequence of commands; one of the features bundled with bash is parameter expansion.

Any shell user has most likely used shell variables, be it $1 or $myvar, to save values... but there is more to it. This tutorial will cover a subset of shell parameter expansion that can become really handy and save you a lot of time.
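As an added example (not code from the original post), here are the four default-value expansions the post refers to, put to work in the kind of helper functions a maintenance script would use. The variable names BACKUP_DIR, RETENTION, VERBOSE and API_TOKEN are assumptions made for the example; the last function shows the expansion a script should use for a credential it cannot run without.

```bash
#!/bin/bash
# Added example, not from the original post: bash default-value expansions.
#
#   ${VAR:-default}  use default if VAR is unset or empty; VAR is left unchanged
#   ${VAR:=default}  same, but also assign the default to VAR
#   ${VAR:+alt}      expand to alt only if VAR is set and non-empty
#   ${VAR:?message}  abort (non-interactive shell exits) if VAR is unset or empty

# Where to write backups; BACKUP_DIR is an assumed environment variable.
backup_target() {
    local dir="${BACKUP_DIR:-/var/backups}"
    printf '%s\n' "$dir"
}

# Assign-on-default: after this, every later use of RETENTION sees the value.
retention_days() {
    : "${RETENTION:=7}"
    printf '%s\n' "$RETENTION"
}

# Emit "-v" only when VERBOSE is set to something non-empty, otherwise nothing.
verbose_flag() {
    printf '%s\n' "${VERBOSE:+-v}"
}

# Fail loudly and early instead of running with an empty credential.
# Runs in a subshell so the caller's shell survives and gets a non-zero status.
require_secret() {
    ( : "${API_TOKEN:?API_TOKEN must be set}" ) 2>/dev/null
}
```

The last pattern matters for anything driven by cron: a script that silently defaults a secret to the empty string will run, fail downstream, and leave you reading logs; ${VAR:?} stops it at the first line with a clear message instead.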

Posted in Administration, HowTo, Softwares, System | No Comments »

Mastering Top

Posted by chantra on 22nd January 2013

top is most likely one of the best-known Linux commands and also one of the most used; however, most people do not take full advantage of its capabilities.

In this tutorial, we will see a few usages of top that will allow you to get more out of it.

Posted in Administration, HowTo, System | 4 Comments »

How-To: OpenVPN on Debian Squeeze with Username/Password authentication

Posted by chantra on 16th January 2013

Creating the configuration

Now that we have our certificates ready, we need to create a set of config for the server and the client.

Server side

On the server side, you need to create the file /etc/openvpn/server.conf with the following content:

dev tun
proto udp
port 1194
# since OpenVPN 2.1 we can use topology subnet
topology subnet
# if we want to change the temp directory location
; tmp-dir /dev/shm
# certs
ca keys/ca.crt
cert keys/server01.crt
key keys/server01.key
dh keys/dh1024.pem
# TLS
tls-auth keys/ta.key 0
# Keepalive
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120
comp-lzo
# Write operational status to this file
status openvpn-status.log
# Drop privileges
user nobody
group nogroup
# As we dropped privileges, make sure we don't
# close/reopen the tun interface and re-read key files
# across SIGUSR1
persist-key
persist-tun
# Our subnet
server 10.8.0.0 255.255.255.0
# Redirect all traffic to our OpenVPN server
push "redirect-gateway def1 bypass-dhcp"
# We want client to use our DNS server
push "dhcp-option DNS 10.8.0.1"
ifconfig-pool-persist ipp.txt
# If you want OpenVPN clients
# to be able to connect directly
# to each others
; client-to-client
# Use PAM authentication
plugin /usr/lib/openvpn/openvpn-auth-pam.so login
# no client certificate: clients are authenticated by their
# PAM username/password only (plus the tls-auth key above),
# so those credentials are all that stands between an attacker and the VPN
client-cert-not-required
username-as-common-name
# enable the management interface on localhost, TCP port 1194
# (no clash with the UDP server port, but pick another port if you ever switch proto to tcp)
management localhost 1194 mgmt-pw-file
verb 3

Then, we need to copy the certificates and keys into the keys directory of /etc/openvpn (server01.key and ta.key are secrets; keep them readable by root only):

mkdir /etc/openvpn/keys
cp /etc/openvpn/easy-rsa/2.0/keys/{ca.crt,server01.crt,server01.key,dh1024.pem,ta.key} /etc/openvpn/keys/

And, in order to be able to manage openvpn from a telnet connection, we will create a file called /etc/openvpn/mgmt-pw-file holding the management password. The example below uses "password"; pick something strong on a real server, since whoever knows it can control the daemon (kill clients, change verbosity, read the status). The file holds a secret, so it must be readable by root only:

echo password > /etc/openvpn/mgmt-pw-file
chown root:root /etc/openvpn/mgmt-pw-file
chmod 600 /etc/openvpn/mgmt-pw-file
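As an added example (not code from the original post), here is a small shell script that creates the management password file the way a production server should: a random password instead of the literal "password", and a file that is mode 0600 from the moment it exists rather than after a later chmod. The path is a parameter so the script can be exercised on a scratch file; on the server, run it as root with /etc/openvpn/mgmt-pw-file. The function names are mine.

```bash
#!/bin/sh
# Added example, not from the original post: create the OpenVPN
# management-interface password file with a random secret and safe permissions.

# Print a random 32-character alphanumeric password followed by a newline.
gen_password() {
    # tr drops every byte outside the character set; head keeps the first 32.
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32
    printf '\n'
}

# Create $1 containing a fresh password. The umask applies inside the
# subshell only, so the file is born 0600: there is no window where it is
# readable by other users.
write_mgmt_pw_file() {
    pwfile="$1"
    (
        umask 077
        gen_password > "$pwfile"
    )
    # chown only works as root; on the server this runs as root so the
    # file ends up root:root, which is what openvpn expects at startup.
    [ "$(id -u)" -eq 0 ] && chown root:root "$pwfile"
    chmod 600 "$pwfile"
}

# Return 0 if $1 is a regular file, mode 600, with a non-empty first line.
# Useful as a pre-start check before restarting openvpn.
check_mgmt_pw_file() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")   # GNU stat, then BSD stat
    [ "$mode" = "600" ] || return 1
    [ -n "$(head -n 1 "$f")" ]
}

# Usage on the server (as root):
#   write_mgmt_pw_file /etc/openvpn/mgmt-pw-file && check_mgmt_pw_file /etc/openvpn/mgmt-pw-file
```

The management interface is bound to localhost in the config above, which is the right default; this script only makes sure that the second line of defence, the password, is not the weak link.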

Everything should be set up for the server side; now we need to edit /etc/default/openvpn to make sure that this configuration gets started by the init script. So, edit that file and make sure it contains:

AUTOSTART="server"

All right, you can now restart the openvpn service with:

# /etc/init.d/openvpn restart

Now, our server should be up and running. If anything went wrong, /var/log/daemon.log is the place to look into.

At this stage, you should also be able to connect to localhost on TCP port 1194 using telnet. You will be prompted for a password: this is the password you have set in /etc/openvpn/mgmt-pw-file.
Once logged in, you have access to the management interface of openvpn!

Enabling IP forwarding

As we will be routing packets, we need to enable IP forwarding. To do this create a file called /etc/sysctl.d/forwarding.conf which contains:

net.ipv4.ip_forward=1

And apply the change with:

root@ovpnrouter:~# sysctl -p /etc/sysctl.d/forwarding.conf
net.ipv4.ip_forward = 1

iptables

At this stage, the openvpn server can handle clients and forward packets, but those packets would leave with their original private source IP. To give proper network connectivity to our OpenVPN clients, we need to NAT the traffic leaving through the external interface (eth0 here).
This can be done with the following command:

root@ovpnrouter:~# iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Configuring iptables is not in the scope of this article. You might want to refer to IPtables: how to share your internet connection.

Anyhow, let's move forward and set up a client!

Posted in Administration, HowTo, Networking, Softwares, System | No Comments »

How-To: Running Munin 2.0 on Debian Squeeze (6.0)

Posted by chantra on 7th January 2013

Munin 2.0 has been released, and a .deb package has even been backported to Debian Squeeze.

Version 2.0 comes with a bunch of new features and scalability improvements. This how-to will explain how to install and configure Munin 2.0 using Apache and mod_fcgid on Debian Squeeze.

Munin zoomed graph (screenshot)

The feature I was really looking forward to in Munin 2 was graph zooming, which makes it really easy and convenient to visualize what happened at a given moment in time.

Most of the install process is actually detailed in http://munin-monitoring.org/wiki/CgiHowto2, but there were some missing bits to get it properly working on my set up (Debian Squeeze + Apache2); hence, while this how-to will look pretty similar to that wiki page, it should hopefully fill the gaps.

I will not cover the munin-node part as there should not be anything different since 1.4, and this old tutorial should still be accurate: How-To: Monitoring A Server With Munin.

Installing Munin

Debian backports provides a .deb for Debian Squeeze, so once you have added the backports repository, installing Munin is nearly an apt-get away.

Adding the Debian Backports Repository

Create and edit /etc/apt/sources.list.d/backports.list and add:

deb http://backports.debian.org/debian-backports squeeze-backports main

Update your repositories:

# apt-get update

and finally, install Munin from the squeeze-backports:

# apt-get install munin -t squeeze-backports

The default /etc/munin/munin.conf is enough to monitor localhost. Within the next 5 minutes, a cron job will run and start collecting metrics.

Now, we need to configure Apache to serve the munin pages.

Apache settings

This new version of Munin defaults to using CGI to generate the HTML pages and the graphs, so if you do not have a CGI module installed yet, install one and enable it:

# apt-get install libapache2-mod-fcgid
# a2enmod fcgid

Then, we will create a new virtual host that will serve Munin graphs. So, let's create /etc/apache2/sites-available/munin and edit it with:

<VirtualHost *:80>
        DocumentRoot /var/cache/munin/www
        ServerName munin.example.com
        Alias /static /etc/munin/static
        # Rewrites
        RewriteEngine On
        # HTML
        RewriteCond %{REQUEST_URI} !^/static
        RewriteCond %{REQUEST_URI} .html$ [or]
        RewriteCond %{REQUEST_URI} =/
        RewriteRule ^/(.*)           /usr/lib/munin/cgi/munin-cgi-html/$1 [L]
        # Images
        # - remove path to munin-cgi-graph, if present
        RewriteRule ^/munin-cgi/munin-cgi-graph/(.*) /$1
        RewriteCond %{REQUEST_URI}                 !^/static
        RewriteCond %{REQUEST_URI}                 .png$
        RewriteRule ^/(.*)  /usr/lib/munin/cgi/munin-cgi-graph/$1 [L]
        # Ensure we can run (fast)cgi scripts
        ScriptAlias /munin-cgi/munin-cgi-graph /usr/lib/munin/cgi/munin-cgi-graph
        <Location /munin-cgi/munin-cgi-graph>
                Options +ExecCGI
                <IfModule mod_fcgid.c>
                        SetHandler fcgid-script
                </IfModule>
                <IfModule !mod_fcgid.c>
                        SetHandler cgi-script
                </IfModule>
                Allow from all
        </Location>
        ScriptAlias /munin-cgi/munin-cgi-html /usr/lib/munin/cgi/munin-cgi-html
        <Location /munin-cgi/munin-cgi-html>
                Options +ExecCGI
                <IfModule mod_fcgid.c>
                        SetHandler fcgid-script
                </IfModule>
                <IfModule !mod_fcgid.c>
                        SetHandler cgi-script
                </IfModule>
                Allow from all
        </Location>
        <Location />
                Options +ExecCGI
                <IfModule mod_fcgid.c>
                        SetHandler fcgid-script
                </IfModule>
                <IfModule !mod_fcgid.c>
                        SetHandler cgi-script
                </IfModule>
                Allow from all
        </Location>
        <Location /static/>
                SetHandler None
                Allow from all
        </Location>
        <Directory /var/cache/munin/www>
                Order allow,deny
                #Allow from localhost 127.0.0.0/8 ::1
                Allow from all
                Options None
                # Set the default expiration time for files to 5 minutes 10 seconds from
                # their creation (modification) time.  There are probably new files by
                # that time.
                #
            <IfModule mod_expires.c>
                ExpiresActive On
                ExpiresDefault M310
            </IfModule>
        </Directory>
</VirtualHost>

Finally, enable this new site:

# a2ensite munin

That's it, we now need to reload apache:

# /etc/init.d/apache2 reload

Now, you should be able to access munin at http://munin.example.com and zoom on graphs! Note that with "Allow from all" in the vhost above, anyone who can reach the web server can read every metric Munin collects; before exposing it, restrict the Directory and Location blocks to trusted addresses (the commented-out "Allow from localhost 127.0.0.0/8 ::1" line is the place to start) or put the site behind authentication.

Posted in Administration, HowTo, System | No Comments »

How-To: Change boot runlevel with Grub2

Posted by chantra on 14th December 2012

Linux start-up behaviour is driven by the so-called runlevels. The default runlevel comes from /etc/inittab on some systems (Debian...), or from /etc/init/rc-sysinit.conf on others (Ubuntu...).

This tutorial will show how to change the runlevel used during boot by editing the boot entry at the Grub2 start-up prompt.

One common use case for changing the runlevel at boot is when you have lost the root password and need to change it. In that case, you want to boot Linux in runlevel 1: this runlevel is single-user mode and lands you directly on a root prompt \o/.
Many distributions also call this Recovery mode or Rescue mode.

Accessing Grub Screen

Grub2 start-up menu (screenshot)

In order to modify the runlevel used at boot, you first need to reach the Grub 2 boot menu. Most distros stay on that screen for about 10 seconds and boot the default kernel if you do not touch any key; on some others, this screen is increasingly hidden, and in that case you will need to try a combination of the Esc or Shift keys until you get the Grub2 menu.

Editing boot parameters

Once there, press

e

on the Grub entry you would like to boot.

Boot parameter editing (screenshot)

This will get you to the boot parameter editing screen.
You now need to go to the end of the line starting with linux and append a 1 (the runlevel) to it.

Booting it

Finally, hit F10 or Ctrl-x to boot linux with this new parameter.

Root prompt (screenshot)

You should now have a root prompt! Keep in mind what this means for security: anyone with physical or console access to the machine can get a root shell the same way, unless Grub is protected with a password and the disk is encrypted.

Posted in Administration, HowTo, System | No Comments »

How-To: Tmux a Terminal Multiplexer

Posted by chantra on 7th December 2012

As a sysadmin, most of my time is spent working on remote machines and on different tasks. tmux is a terminal multiplexer, meaning it allows you to run multiple terminals in the same terminal window.

This tutorial will explain the basic features of tmux, which should help you be more productive with your everyday tasks.

If you do not have tmux installed yet, well, it is time to fire up a terminal and get it installed:

# apt-get install tmux

Just like screen, tmux has the great feature of being able to detach sessions: you can start a session on a remote machine from your office, do your work there during the day, detach the session and go home, and finally, the day after, re-attach to your session and find everything set up just like you left it the previous day.

So, let's start with handling sessions first

Session Management

Single Session

If you only plan to run a single session on your machine, it is enough to just run:

$ tmux

This should give you a session called [0], which is nothing more than a shell.

If you want to exit that process, you can exit like you would do with a normal command prompt, and that will kill the session; or you can type Ctrl-b d, which detaches the session.

The next time you want to attach the session, you will run

$ tmux attach

and that will get you back to it.

Nice, we can now create a session, do some stuff in it, detach it and re-attach it later.

Multiple Session

Let's go a step further and handle multiple sessions, but before that I think it is worth understanding the jargon used in tmux.

Lingua

tmux sessions (diagram)

tmux can create multiple sessions; each session is composed of windows, which can then be split vertically and horizontally into panes.

In the picture, you can see that there are 2 sessions (session1 and session2), which respectively contain s1win1, s1win2 for the former and s2win1, s2win2 for the latter.
The window which has the focus is s2win1 in session2. The active session is shown between square brackets, [session2], while the active window is marked with an asterisk, s2win1*.

Managing Sessions and Windows

Here are a few commands that we will be using:

  • Ctrl-b c create a new window
  • Ctrl-b , rename window
  • Ctrl-b n next window
  • Ctrl-b p previous window
  • Ctrl-b : command prompt
  • Ctrl-b w choose window
  • Ctrl-b s choose tree
  • Ctrl-b $ rename session
  • Ctrl-b ? help

Now, let's create some sessions and windows and play a bit with them to get a better understanding of what can be done.

First, we will create a first session called session1 which will have its first window called s1win1:

$ tmux new -s session1 -n s1win1

then, we will create a second session from within the running tmux client we are using, and call the session session2 with its first window called s2win1. Type Ctrl-b :, which gives you a prompt; now type:

new -s session2 -n s2win1

You should now have created a new session with a new window and this should be your active window.

Let's create a new window within that session:

Ctrl-b c

and rename it to s2win2:

Ctrl-b ,

At the prompt, change the name of the window to s2win2 and hit enter.
Good, we now have 2 sessions with some windows in them. Let's detach and play a bit more with them.

Ctrl-b d

now, from the shell prompt, we can list the sessions with:

$ tmux ls

and re-attach session 1 using:

$ tmux a -t session1

Now, let's rename session1 to myfirstsession:

Ctrl-b $

and type the new name of the session.
Now, let's get back to s2win2 in session2 by typing:

Ctrl-b s

and use the left/right arrows to fold/unfold each session's window list and up/down to move around.
Finally, once the cursor is on (4) └─> 1: s2win2*, hit enter.

To go back to s2win1, type:

Ctrl-b p

and

Ctrl-b n

to switch back to s2win2; or we could have used

Ctrl-b w

to move between windows.
Finally, let's close all this up and press

Ctrl-d

twice, this should tell you that the session [exited].
Let's check the sessions left:

$ tmux ls
myfirstsession: 1 windows (created Fri Dec 7 00:00:42 2012) [238x56]

Let's attach to it:

$ tmux a

and close it

Ctrl-d

That's it! We have created multiple sessions and windows, moved around, renamed things and finally cleaned everything up. There is much more that can be done with tmux, but that will be it for this post, and hopefully more to come soon!

In the meantime, don't forget to use Ctrl-b ? within tmux to access the help, along with man tmux for even more.
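Everything done by hand above can also be scripted, which is how you get a reproducible layout on every server you log into. As an added example (not code from the original post), the script below builds the two sessions and four windows from the walkthrough without attaching, lists the result, and tears it down. It assumes tmux is installed and uses a private socket (-S) so it never touches your real tmux server; the function names are mine.

```bash
#!/bin/sh
# Added example, not from the original post: build the session layout from
# the walkthrough non-interactively, on a private tmux socket.
SOCK="${TMPDIR:-/tmp}/tmux-demo-$$.sock"

# Every tmux call goes through the private socket.
t() { tmux -S "$SOCK" "$@"; }

# session1 with windows s1win1/s1win2, session2 with s2win1/s2win2, all detached.
build_layout() {
    t new-session -d -s session1 -n s1win1
    t new-window  -t session1 -n s1win2
    t new-session -d -s session2 -n s2win1
    t new-window  -t session2 -n s2win2
}

# Print one line per session: "name: win1 win2 ...", in tmux's own order.
list_layout() {
    for s in $(t list-sessions -F '#{session_name}'); do
        printf '%s:' "$s"
        for w in $(t list-windows -t "$s" -F '#{window_name}'); do
            printf ' %s' "$w"
        done
        printf '\n'
    done
}

# Kill the private server and remove its socket.
teardown() {
    t kill-server 2>/dev/null
    rm -f "$SOCK"
}

# Run "sh thisfile.sh demo" to build the layout, print it and tear it down.
if [ "${1-}" = "demo" ]; then
    build_layout
    list_layout
    teardown
fi
```

Drop the -S option (and the teardown) to create the same layout on your normal server and then tmux attach to it.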

Posted in Administration, HowTo, System | 2 Comments »

How-To: Log HAProxy messages only once

Posted by chantra on 27th January 2012

When enabling logs with HAProxy on a busy web site, hard disk space can quickly become a scarce resource.

The reason is that, most of the time, HAProxy is set to use the local0 facility, and the default rsyslog rules write everything at that facility to several files in /var/log, such as syslog and messages.

Thanks to rsyslog, we will be able to channel those logs to a more appropriate location, and write them only once, saving a bunch of disk space.

This tutorial will go over the steps required to accomplish this set up.

This how-to is based on Debian Lenny, but I believe the settings are pretty much the same on the current stable, Debian Squeeze.

In our setup, we are going to log HAProxy messages in a dedicated directory, in order to avoid getting too many files in /var/log. Here, I have chosen /var/log/haproxy.

So let's get started and create that directory:

# mkdir /var/log/haproxy

Then, we tell HAProxy to log everything up to the info level. The level given on a log directive is a maximum, so one line covers both info and notice messages (a second log line for notice would send each notice message twice, which is exactly what we are trying to avoid). This is done by editing /etc/haproxy/haproxy.cfg as follows:

...
global
     log /dev/log   local0 info
....
....

Then, we tell rsyslog to catch those messages and write them to a specific file. Each rule below writes the matching messages to their file, and the "& ~" that follows discards them so that no later rule sees them. For this to work, the file must be read before the default rules: that is the case on Debian, where the default rules live in /etc/rsyslog.conf after the $IncludeConfig line, but on Ubuntu they live in /etc/rsyslog.d/50-default.conf, so there name the file so that it sorts first, for example 49-haproxy.conf. Create and edit /etc/rsyslog.d/haproxy.conf with:

if ($programname == 'haproxy' and $syslogseverity-text == 'info') then -/var/log/haproxy/haproxy-info.log
& ~
if ($programname == 'haproxy' and $syslogseverity-text == 'notice') then -/var/log/haproxy/haproxy-notice.log
& ~
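Because the ordering of /etc/rsyslog.d/*.conf decides whether the discard works, it is worth checking it rather than discovering a month later that /var/log/syslog has been filling up all along. As an added example, not part of the original post, the following shell function flags a discard file that sorts after a catch-all rule; the directory and file name are parameters so it can be run against a scratch directory, and the catch-all heuristic (any rule whose selector starts with *., daemon. or local0. and writes to a file) is my own.

```bash
#!/bin/sh
# Added example, not from the original post: check that the rsyslog file
# holding the "& ~" discard is read before any catch-all rule.
# rsyslog reads $dir/*.conf in sorted filename order (C locale), so a
# catch-all that sorts before our file has already written the message.

# Return 0 if $2 (a file name in $1) sorts before every other *.conf in $1
# that contains a catch-all selector writing to a log file; 1 otherwise.
rsyslog_rule_order_ok() {
    dir="$1" discard="$2"
    [ -f "$dir/$discard" ] || return 1
    for f in $(cd "$dir" && LC_ALL=C ls *.conf); do
        # Reached our own file first: nothing before it can see the messages.
        [ "$f" = "$discard" ] && return 0
        # Selector like "*.*;auth.none  -/var/log/syslog" or "daemon.*  /var/log/daemon.log".
        if grep -Eq '^[[:space:]]*(\*|daemon|local0)\.[^[:space:]]+[[:space:]]+-?/' "$dir/$f"; then
            return 1
        fi
    done
    return 1
}

# Usage on a real system:
#   rsyslog_rule_order_ok /etc/rsyslog.d haproxy.conf || echo "rename to 49-haproxy.conf"
```

On a stock Debian Lenny or Squeeze box there is no catch-all under /etc/rsyslog.d, so the check passes; on Ubuntu it will fail until the file is renamed.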

Finally, we need to tell logrotate how to rotate those logs. This is done by Creating and editing /etc/logrotate.d/haproxy with:

/var/log/haproxy/*.log {
        weekly
        missingok
        rotate 7
        compress
        delaycompress
        notifempty
        create 640 root adm
        sharedscripts
        postrotate
                /etc/init.d/rsyslog reload > /dev/null
        endscript
}

Which basically rotates the files every week and keeps 7 weeks' worth of copies. Note that the postrotate script reloads rsyslog, not HAProxy: HAProxy only sends its messages to /dev/log, and it is rsyslog that holds these files open, so rsyslog is the daemon that has to reopen them after rotation (otherwise it keeps writing into the renamed file).

Now, everything should be set up properly; we just have to reload rsyslog and haproxy to take those new changes into account:

/etc/init.d/rsyslog reload
/etc/init.d/haproxy reload

That's it: your notice and info messages from haproxy should now be in those two files, and only there, not in 4 or 5 of them in /var/log.

Posted in Administration, HowTo, System | 6 Comments »

How-To: Set up a L2TP over IPSec VPN using a Radius backend — page 3

Posted by chantra on 18th June 2010

This entry is part 3 of 3 in the series How-To: Set up a L2TP over IPSec VPN using a Radius backend

Using freeradius for authentication

Here I am going to consider that the freeradius server is set up correctly, meaning that you can already authenticate your users with freeradius using radtest utility.

In order to get ppp to use freeradius, we need to install libradius1:

# apt-get install libradius1

Now we need to list the RADIUS server to use, along with its shared secret, in /etc/radiusclient/servers. Here we use the default secret for localhost:

localhost testing123

and finally, we tell ppp to use the radius plugin by adding at the end of /etc/xl2tpd/ppp-options.xl2tpd :

plugin radius.so

And that should be it! Before exposing this to users, replace testing123, which is the well-known default shipped in freeradius's clients.conf, with a strong secret in both clients.conf and /etc/radiusclient/servers, and keep the latter readable by root only, since it holds that secret.

Posted in Administration, HowTo, Networking, System | No Comments »

How-To: Set up a L2TP over IPSec VPN using a Radius backend — page 2

Posted by chantra on 18th June 2010

This entry is part 2 of 3 in the series How-To: Set up a L2TP over IPSec VPN using a Radius backend

XL2TP

Now, let's get on with the next phase: xl2tpd.

Packages Requirements

You can install xl2tpd with the following command:

# apt-get install xl2tpd

Configuration

The configuration of xl2tp happens in /etc/xl2tpd/xl2tpd.conf. We are going to provide IPs in the range 10.10.10.2-10.10.10.254, 10.10.10.1 being the endpoint IP of the VPN server.

So go ahead and open /etc/xl2tpd/xl2tpd.conf and make it look like:

[global]
ipsec saref = yes
listen-addr = your external IP address
port = 1701
[lns default]
ip range = 10.10.10.2-10.10.10.254
local ip = 10.10.10.1
refuse chap = yes
require pap = yes
require authentication = no
name = LinuxVPNserver
hostname = YourHostName
ppp debug = yes
length bit = yes
pppoptfile = /etc/xl2tpd/ppp-options.xl2tpd

Copy the example config from the xl2tpd documentation:

sudo cp /usr/share/doc/xl2tpd/examples/ppp-options.xl2tpd /etc/xl2tpd/ppp-options.xl2tpd

Now go and edit /etc/xl2tpd/ppp-options.xl2tpd and make it look like:

require-pap
crtscts
idle 1800
mtu 1200
mru 1200
nodefaultroute
debug
lock
proxyarp
connect-delay 5000

Same here: change it to whatever matches your settings (DNS...).

Finally, test your configuration by running xl2tpd in the foreground with:

sudo xl2tpd -D

Posted in Administration, HowTo, Networking, System | 1 Comment »

How-To: Set up a L2TP over IPSec VPN using a Radius backend

Posted by chantra on 18th June 2010

This entry is part 1 of 3 in the series How-To: Set up a L2TP over IPSec VPN using a Radius backend

Even though I quite like OpenVPN, there are still devices that do not support the TUN/TAP driver it needs.

Take iPhones or Android phones for instance: you need to root them to get that feature, assuming somebody has already cooked a ROM for your device.

L2TP is quite an old standard for setting up VPNs.

On the other hand, it does not provide any encryption mechanism, and as such it is pretty common to run L2TP over an IPSec link.

In this tutorial, we are going to set up this kind of VPN. First IPSec will create an encrypted link, then L2TP will create a VPN link inside it.

We are going to use a Pre-Shared Key (or PSK) for IPsec. Keep in mind that, with right=%any in the configuration below, that one PSK is shared by every client: the IPsec layer keeps outsiders out but does not tell users apart, and the key has to be changed if any client device is lost. Per-user authentication happens inside the tunnel, at the PPP layer.

L2TP will use PAP as an authentication mechanism.
Why PAP? Because it allows the server to store hashed passwords instead of plaintext ones. Some might say that the password will go over the wire unencrypted, but here we have IPSec taking care of not letting our password be seen by others.

This tutorial was done on Debian Lenny; a Windows XP SP3 client connected to the service successfully, and an Android 2.2 client also connected successfully.

Windows Mobile clients fail to authenticate, as PAP is not supported on that client :s !

So let get started with IPSec.

IPSec

Packages requirements

We are going to use OpenSwan to handle IPSec. On Debian, you can install it with:

# apt-get install openswan

If you are asked questions, just answer the default.

IPSec Configuration

We are going to base it on /etc/ipsec.d/examples/l2tp-psk.conf. Edit /etc/ipsec.conf so that it looks like the following; the conn block goes below # Add connections here:

version 2.0     # conforms to second version of ipsec.conf specification
# basic configuration
config setup
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 private"
        # eg: plutodebug="control parsing"
        #
        # ONLY enable plutodebug=all or klipsdebug=all if you are a developer !!
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        # If we have an internal interface on subnet 192.168.22.0/24,
        # we need to exclude it here with %v4:!192.168.22.0/24
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.22.0/24
        #
        # enable this if you see "failed to find any available worker"
        nhelpers=0
# Add connections here
conn L2TP-PSK-CLIENTS
  #
  # Configuration for one user with any type of IPsec/L2TP client
  # including the updated Windows 2000/XP (MS KB Q818043), but
  # excluding the non-updated Windows 2000/XP.
  #
  #
  # Use a Preshared Key. Disable Perfect Forward Secrecy.
  #
  # PreSharedSecret needs to be specified in /etc/ipsec.secrets as
  # YourIPAddress  %any: PSK "sharedsecret"
  authby=secret
  pfs=no
  auto=add
  keyingtries=3
  # we cannot rekey for %any, let client rekey
  rekey=no
  type=transport
  #
  left=%defaultroute
  leftnexthop=%defaultroute
  # or you can use: left=YourIPAddress
  # leftnexthop=YourGatewayIPAddress
  #
  # For updated Windows 2000/XP clients,
  # to support old clients as well, use leftprotoport=17/%any
  leftprotoport=17/1701
  #
  # The remote user.
  #
  right=%any
  rightsubnet=vhost:%priv,%no
  # Using the magic port of "0" means "any one single port". This is
  # a work around required for Apple OSX clients that use a randomly
  # high port, but propose "0" instead of their port.
  rightprotoport=17/%any
# sample VPN connections, see /etc/ipsec.d/examples/

Now we set our preshared key in /etc/ipsec.secrets with the format given in the configuration:

YourIPAddress  %any: PSK "sharedsecret"

And that should be it for the IPsec part. Now you can restart IPSec:

# /etc/init.d/ipsec restart

You might want to check the output of:

# ipsec auto --status

to troubleshoot potential issues.

Firewall

If you have a firewall set up, these rules let IKE (UDP 500), NAT-T (UDP 4500) and ESP through:

-A INPUT -i eth0 -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -i eth0 -p esp -j ACCEPT

L2TP itself listens on UDP 1701. Do not simply open that port to the world, or clients could talk L2TP/PPP without the IPsec layer and send their PAP passwords in the clear; with the NETKEY (native kernel) IPsec stack, accept UDP 1701 only for packets that arrived through IPsec, using the iptables policy match (-m policy --dir in --pol ipsec). Well, assuming the IPsec part is fine, let's go to the xl2tpd part now.

Posted in Administration, HowTo, Networking, System | 1 Comment »