Damme's linux stuff

From World Wide Wiegert Wiki - WWWW
Jump to: navigation, search

Profile.d/damme.sh

alias ls='ls --group-directories-first -hF --color=auto'
alias more='less'
alias nano='nano -w'
alias du='du -c -h'
alias diff='diff --color=auto'
alias grep='grep --color=auto -ni'
alias fgrep='fgrep --color=auto'
alias egrep='egrep --color=auto'
alias free='free -h'
alias ip='ip -color=auto'
alias ll='ls -l'
alias la='ls -A'
alias l='ls -lrtha'

function cdl(){
  cd ""
  ls
}

function cdal(){
  cd ""
  ls -al
}

export LESS=-R
export LESS_TERMCAP_mb=$'\E[1;31m'     # begin blink
export LESS_TERMCAP_md=$'\E[1;36m'     # begin bold
export LESS_TERMCAP_me=$'\E[0m'        # reset bold/blink
export LESS_TERMCAP_so=$'\E[01;44;33m' # begin reverse video
export LESS_TERMCAP_se=$'\E[0m'        # reset reverse video
export LESS_TERMCAP_us=$'\E[1;32m'     # begin underline
export LESS_TERMCAP_ue=$'\E[0m'        # reset underline

export EDITOR="nano"

export TERM='xterm-256color'
# if term == rxvt-unicode-256color && file not exists -> xterm-256color

_islinux=false
[[ "$(uname -s)" =~ Linux|GNU|GNU/* ]] && _islinux=true

_isarch=false
[[ -f /etc/arch-release ]] && _isarch=true

_isxrunning=false
[[ -n "$DISPLAY" ]] && _isxrunning=true

_isroot=false
[[ $UID -eq 0 ]] && _isroot=true

C=$(cat /etc/hostname | md5sum)
I="${C:0:1}"
H="${C:1:2}"
CSERV=$((0x${H}))

if [ $CSERV -lt 16 ] ; then
  CSERV=$(($CSERV+16))
fi

if [ $CSERV -gt 231 ] ; then
  CSERV=$(($CSERV-25))
fi

CSERV="$(tput setaf $CSERV)"
CNONE="$(tput sgr0)"
CROOT="$(tput setaf 48)"
if $_isroot; then
  CROOT="$(tput setaf 196)"
fi
CPATH="$(tput setaf 38)"

export PS1="[$CSERV\u@\h$CNONE]$CPATH\w$CROOT\$$CNONE "

[[ -f /bin/neofetch ]] && neofetch --disable packages gpu

Text manipulation

sed -e # Show result, Will not change anything

sed -i 's/[Search]/[Replace]/g' [File]
sed -i '/[row containing]/ s/$/ [append]/' [File] # append to end of line of search

SSH

SOCKS5 proxy

ssh -C -N -D [local port] [name]@[server]

Generate SSH keys

#generate all keys - don't ask for passkey, save in ~/.ssh/id_rsa
ssh-keygen -t ed25519 -N '' -f ~/.ssh/id_rsa

# if ~/.ssh/id_rsa.pub is missing!
ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub

# copy local 'id_rsa.pub' to remote host '~/.ssh/authorized_keys'
ssh-copy-id user@host

# Generate all keys for server
ssh-keygen -A

sshpiper auth process: 

(client)[id_rsa.pub] -> (sshpiper)[authorized_keys] [id_rsa.pub] -> (target) [authorized_keys]

pacman

pacman -F $filename # Search package including $filename
pacman -Qo $filename # Search package including $filename
pacman -Ss $package # Search $package
pacman -S $package # Install $package
pacman -R $package # Remove $package

# remove partial packages:
find /var/cache/pacman/pkg/ -iname "*.part" -delete

Filesystems and LVM

MDADM

Growing -> https://raid.wiki.kernel.org/index.php/Growing

LVM

lvcreate -L [SIZE]g -n [NAME] [VG] /dev/[PV]

lvcreate --type cache --cachemode writethrough -L 20G -n dataLV_cachepool dataVG/dataLV /dev/fast
# writethrough ensures that any data written will be stored both in the cache pool LV and on the origin LV. The loss of a device associated with the cache pool LV in this case would not mean the loss of any data;
# writeback ensures better performance, but at the cost of a higher risk of data loss in case the drive used for cache fails.

lvconvert --splitcache MyVolGroup/rootvol
lvconvert --uncache MyVolGroup/rootvol

lvresize --resizefs -L +XG vg/lv 

# Move LV Between physical drives in same VG - Can be done LIVE
# Create mirror
lvconvert -m 1 [LV] [NEW DEV] 
# wait for it to copy data (Check via lvs)
# Remove mirror
lvconvert -m 0 [LV] [OLD DEV] 

# Alt: pvmove -n [LV] [OLD DEV] [NEW DEV]

lvcreate --type thin-pool -n thin-pool -L size vg [pv?]

lvs -o +devices

lvremove [LVM]
# Logical volume [LVM] is used by another device.
kpartx -d /dev/mapper/[LVM]
#dmsetup ls
dmsetup remove [LVM]
lvremove [LVM]

fstab

/source /destination none defaults,bind 0 0

#check fstab:
mount -fav

Other

pv -s 20G < /dev/foo > /dev/baz

diskspd.exe –c50G -d300 -r -w40 -t8 -o32 -b64K -Sh -L E:\diskpsdtmp.dat > DiskSpeedResults.txt

Resue Data

https://www.gnu.org/software/ddrescue/manual/ddrescue_manual.html

BTRFS

# Resize BTRFS
btrfs filesystem resize max /path
btrfs device usage /path

Raid sas etc

# spin down sas
sdparm --readonly --command=stop /dev/xxx

# spin up sas
sdparm --command=start /dev/xxx

# check status, "Not ready" = not spinning, "Ready" = Spinning
sdparm --command=ready /dev/xxx

Low level format SATA

hdparm -I /dev/sda
# if frozen need to unfreeze
hdparm --user-master u --security-set-pass llformat /dev/sd_
hdparm --user-master u --security-erase llformat /dev/sd_

Docker

docker ps [-a/--all] # print (all) running containers
docker exec -it [container_id] /bin/bash # run shell in container#
docker update --cpuset-cpus="1-5" [container_id]

Reinstall Portainer 

docker stop portainer
docker rm portainer
docker pull portainer/portainer-ce
docker run -d -p 8000:8000 -p 9000:9000 --name=portainer --restart=unless-stopped -v /var/run/docker.sock:/var/run/docker.sock -v /opt/portainer/data:/data portainer/portainer-ce

docker stop portainer && docker rm portainer && docker pull portainer/portainer-ce && docker run -d -p 8000:8000 -p 9000:9000 --name=portainer --restart=unless-stopped -v /var/run/docker.sock:/var/run/docker.sock -v /opt/portainer/data:/data portainer/portainer-ce

Generate rsa keys for encrypted communication between 

#server:
export PASS=SuperSecret
export SUBJ='/C=SE/L=Skällinge/O=Unimatrix'
export DAYS=3650

openssl genrsa -aes256 -out ca-key.pem -passout pass:$PASS 4096
openssl req -new -x509 -days $DAYS -key ca-key.pem -sha256 -out ca.pem -passin pass:$PASS -subj $SUBJ

openssl genrsa -out server-key.pem 4096

#client:
openssl req -subj "/CN=$HOSTNAME" -sha256 -new -key server-key.pem -out server.csr

echo subjectAltName = DNS:$HOSTNAME,IP:10.0.0.200,IP:127.0.0.1 >> extfile.cnf
echo extendedKeyUsage = serverAuth >> extfile.cnf
openssl x509 -req -days $DAYS -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out server-cert.pem -extfile extfile.cnf -passin pass:$PASS

openssl genrsa -out key.pem 4096
openssl req -subj '/CN=client' -new -key key.pem -out client.csr
echo extendedKeyUsage = clientAuth > extfile-client.cnf
openssl x509 -req -days $DAYS -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out cert.pem -extfile extfile-client.cnf -passin pass:$PASS

/etc/systemd/system/docker.service.d/execstart.conf

[Service]
ExecStart=
#ExecStart=/usr/bin/dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:4243
ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/etc/docker/ssl/ca.pem --tlscert=/etc/docker/ssl/server-cert.pem --tlskey=/etc/docker/ssl/server-key.pem -H fd:// -H tcp://0.0.0.0:2376

netcat

echo "test" | nc wiegert.link 12345 # client
nc -l 12345 -k # listener server, k = continuous

systemd

systemctl edit --full lvm2-lvmetad.service # edit service
systemctl edit lvm2-lvmetad.service # edit service override
systemctl daemon-reload # Reload systemd manager configuration

rsync

rsync -rav
rsync -ravHAX
rsync -avHAX --one-file-system

ZFS

ZFS Best practices

Other stuff

Fixperm on files (664) and folders (775): 

find . -type d -exec chown root:share {} \; -exec chmod 775 {} \;
find . -type f -exec chown root:share {} \; -exec chmod 664 {} \;

docker + kvm + networking = :( https://serverfault.com/questions/963759/docker-breaks-libvirt-bridge-network

pfsense port forwarding while not being default gw: https://docs.netgate.com/pfsense/en/latest/troubleshooting/nat.html#figure-manual-outbound-nat-local-device

smtprelay via gmail with postfix mailutils, s-nail https://www.howtoforge.com/tutorial/configure-postfix-to-use-gmail-as-a-mail-relay/

Nut sending mails -> https://freekode.org/nut-sending-emails/

Secure rsync over SSH without shell access - https://lxadm.com/Secure_rsync_over_SSH_without_shell_access 

ipv4=$(curl -s -X GET -4 https://ifconfig.co)
ipv6=$(curl -s -X GET -6 https://ifconfig.co)

Fail2ban

https://wiki.archlinux.org/index.php/Fail2ban 

sudo pacman -Sy
sudo pacman --noconfirm -S fail2ban
sudo cat << EOF >> /etc/fail2ban/jail.local
[DEFAULT]
bantime = 5d

[sshd]
enabled = true
mode = aggressive
EOF
sudo systemctl enable fail2ban.service
sudo systemctl start fail2ban.service

# Fail2ban status
fail2ban-client status sshd

# Unban ip:
fail2ban-client set sshd unbanip 1.2.3.4

UDEV fun!

KERNEL=="ttyACM*", SUBSYSTEM=="tty", ENV{ID_USB_INTERFACE_NUM}=="00", ENV{ID_VENDOR_ID}=="0451", SYMLINK+="TIherdsman"
KERNEL=="ttyACM*", SUBSYSTEM=="tty", ENV{ID_USB_INTERFACE_NUM}=="03", ENV{ID_VENDOR_ID}=="0451", SYMLINK+="TImcu"

SUBSYSTEMS=="usb", ATTRS{idVendor}=="047c", ATTRS{idProduct}=="ffff", SYMLINK+="DellUPS0", MODE="0666"

KERNEL=="ttyUSB*", SUBSYSTEM=="tty", ENV{ID_USB_INTERFACE_NUM}=="00", ENV{ID_VENDOR_ID}=="1a86", SYMLINK+="GSM-SIM800", MODE="0666"

# Reload and re-trigger udev rules without reboot
udevadm control --reload-rules && udevadm trigger

Wireshark

ssh user@remote "tcpdump -s0 -w - 'port 1234'" | wireshark -k -i -

# Filter macaddress beginning with:
(ether [0:4] & 0xffffff00 = 0x000c2200) or (ether [6:4] & 0xffffff00 = 0x000c2200)

# First / Last
eth.addr[0:3] == bc:05:43
eth.addr[4:2] == 28:06

Server Queen Specific changes

  • https://forums.servethehome.com/index.php?threads/flash-crossflash-dell-h330-raid-card-to-hba330-12gbps-hba-it-firmware.25498/#post-236242
  • DISABLE WATCHDOG! Server will reboot due to watchdog during reboot in filesystem tasks.. BAD!
  • Added "TimeoutSec=900" in [Service]-Section /etc/systemd/system/lvm2-lvmetad.service , otherwise shutdown takes too long time and lvmetad gets killed instead of clean shutdown, Results in failed lv which needs lvchange -ay [lvm] or worse - lvconvert --repair.
  • Docker /etc/docker/daemon.json added "iptables": false. Update: Use /etc/sysctl.d/30-ipforward.conf and /etc/udev/rules.d/99-bridge.rules instead. Docker kills kvm bridges without it.
  • sysctl rules:
#/etc/sysctl.d/40-ipv6.conf:
# Disable IPv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.nic0.disable_ipv6 = 1
...
net.ipv6.conf.nicN.disable_ipv6 = 1
  • udev rules:
# /etc/sysctl.d/30-ipforward.conf
net.ipv4.ip_forward=1
net.ipv6.conf.default.forwarding=1
net.ipv6.conf.all.forwarding=1

# /etc/udev/rules.d/60-md-stripe-cache.rules
# Change stripe cache size to maximum, we got the ram! memory_consumed = system_page_size * nr_disks * stripe_cache_size
# https://www.cyberciti.biz/tips/linux-raid-increase-resync-rebuild-speed.html
SUBSYSTEM=="block", KERNEL=="md*", ACTION=="change", TEST=="md/stripe_cache_size", ATTR{md/stripe_cache_size}="32768"

## TODO ? sudo blockdev --setra ?? -> https://unix.stackexchange.com/questions/71364/persistent-blockdev-setra-read-ahead-setting

# /etc/udev/rules.d/89-usb.rules
#ups and TI zigbee module fix:
KERNEL=="ttyACM*", SUBSYSTEM=="tty", ENV{ID_USB_INTERFACE_NUM}=="00", ENV{ID_VENDOR_ID}=="0451", SYMLINK+="TIherdsman"
KERNEL=="ttyACM*", SUBSYSTEM=="tty", ENV{ID_USB_INTERFACE_NUM}=="03", ENV{ID_VENDOR_ID}=="0451", SYMLINK+="TImcu"
SUBSYSTEMS=="usb", ATTRS{idVendor}=="047c", ATTRS{idProduct}=="ffff", SYMLINK+="DellUPS0", MODE="0666"

# /etc/udev/rules.d/99-bridge.rules
# reload sysctl if br_netfilter is loaded, wierd stuff happens otherwise.
ACTION=="add", SUBSYSTEM=="module", KERNEL=="br_netfilter", RUN+="/sbin/sysctl --system"

# /usr/lib/udev/rules.d/11-dm-lvm.rules
# Create symlinks for top-level devices only.
## EDIT BY DAMME 2020-07-22 to populate partitions for libvirt
ENV{DM_VG_NAME}=="?*", ENV{DM_LV_NAME}=="?*", SYMLINK+="$env{DM_VG_NAME}/$env{DM_LV_NAME}"
ENV{DM_VG_NAME}=="?*", ENV{DM_LV_NAME}=="?*", RUN+="/sbin/kpartx -un /dev/%E{DM_VG_NAME}/%E{DM_LV_NAME}", GOTO="lvm_end"

New server thoughts

Retrieved from "https://wiki.wiegert.link/index.php?title=Damme%27s_linux_stuff&oldid=409"