Difference between revisions of "Damme's linux stuff"
From World Wide Wiegert Wiki - WWWW
(→LVM) |
|||
| Line 1: | Line 1: | ||
== Profile.d/damme.sh == | == Profile.d/damme.sh == | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash" line="1"> | ||
alias ls='ls --group-directories-first -hF --color=auto' | alias ls='ls --group-directories-first -hF --color=auto' | ||
alias more='less' | alias more='less' | ||
| Line 79: | Line 79: | ||
== Text manipulation == | == Text manipulation == | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash" line="1"> | ||
sed -e # Show result, Will not change anything | sed -e # Show result, Will not change anything | ||
| Line 89: | Line 89: | ||
=== SOCKS5 proxy === | === SOCKS5 proxy === | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash" line="1"> | ||
ssh -C -N -D [local port] [name]@[server] | ssh -C -N -D [local port] [name]@[server] | ||
</syntaxhighlight> | </syntaxhighlight> | ||
=== Generate SSH keys === | === Generate SSH keys === | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash" line="1"> | ||
#generate all keys - don't ask for passkey, save in ~/.ssh/id_rsa | #generate all keys - don't ask for passkey, save in ~/.ssh/id_rsa | ||
ssh-keygen -N '' -f ~/.ssh/id_rsa | ssh-keygen -N '' -f ~/.ssh/id_rsa | ||
| Line 109: | Line 109: | ||
sshpiper auth process: | sshpiper auth process: | ||
<syntaxhighlight lang="json"> | <syntaxhighlight lang="json" line="1"> | ||
(client)[id_rsa.pub] -> (sshpiper)[authorized_keys] [id_rsa.pub] -> (target) [authorized_keys] | (client)[id_rsa.pub] -> (sshpiper)[authorized_keys] [id_rsa.pub] -> (target) [authorized_keys] | ||
</syntaxhighlight> | </syntaxhighlight> | ||
| Line 115: | Line 115: | ||
== pacman == | == pacman == | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash" line="1"> | ||
pacman -F $filename # Search package including $filename: | pacman -F $filename # Search package including $filename: | ||
pacman -Ss $package # Search $package | pacman -Ss $package # Search $package | ||
| Line 127: | Line 127: | ||
=== LVM === | === LVM === | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash" line="1"> | ||
lvcreate --type cache --cachemode writethrough -L 20G -n dataLV_cachepool dataVG/dataLV /dev/fast | lvcreate --type cache --cachemode writethrough -L 20G -n dataLV_cachepool dataVG/dataLV /dev/fast | ||
# writethrough ensures that any data written will be stored both in the cache pool LV and on the origin LV. The loss of a device associated with the cache pool LV in this case would not mean the loss of any data; | # writethrough ensures that any data written will be stored both in the cache pool LV and on the origin LV. The loss of a device associated with the cache pool LV in this case would not mean the loss of any data; | ||
| Line 136: | Line 136: | ||
=== Other === | === Other === | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash" line="1"> | ||
pv -s 20G < /dev/foo > /dev/baz | pv -s 20G < /dev/foo > /dev/baz | ||
</syntaxhighlight> | </syntaxhighlight> | ||
| Line 144: | Line 144: | ||
== Raid sas etc == | == Raid sas etc == | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash" line="1"> | ||
# spin down sas | # spin down sas | ||
sdparm --readonly --command=stop /dev/xxx | sdparm --readonly --command=stop /dev/xxx | ||
| Line 156: | Line 156: | ||
== Docker == | == Docker == | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash" line="1"> | ||
docker ps [-a/--all] # print (all) running containers | docker ps [-a/--all] # print (all) running containers | ||
docker exec -it [container_id] /bin/bash # run shell in container# | docker exec -it [container_id] /bin/bash # run shell in container# | ||
| Line 162: | Line 162: | ||
Reinstall Portainer | Reinstall Portainer | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash" line="1"> | ||
docker stop portainer | docker stop portainer | ||
docker rm portainer | docker rm portainer | ||
| Line 170: | Line 170: | ||
Generate rsa keys for encrypted communication between | Generate rsa keys for encrypted communication between | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash" line="1"> | ||
export PASS=SuperSecret | export PASS=SuperSecret | ||
export SUBJ='/C=SE/L=Skällinge/O=Unimatrix' | export SUBJ='/C=SE/L=Skällinge/O=Unimatrix' | ||
| Line 195: | Line 195: | ||
== netcat == | == netcat == | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash" line="1"> | ||
echo "test" | nc wiegert.link 12345 # client | echo "test" | nc wiegert.link 12345 # client | ||
nc -l 12345 -k # listener server, k = continuous | nc -l 12345 -k # listener server, k = continuous | ||
| Line 201: | Line 201: | ||
== systemd == | == systemd == | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash" line="1"> | ||
systemctl edit --full lvm2-lvmetad.service # edit service | systemctl edit --full lvm2-lvmetad.service # edit service | ||
systemctl edit lvm2-lvmetad.service # edit service override | systemctl edit lvm2-lvmetad.service # edit service override | ||
| Line 208: | Line 208: | ||
== Other stuff == | == Other stuff == | ||
Fixperm on files (664) and folders (775): | Fixperm on files (664) and folders (775): | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash" line="1"> | ||
find . -type d -exec chown root:share {} \; -exec chmod 775 {} \; | find . -type d -exec chown root:share {} \; -exec chmod 775 {} \; | ||
find . -type f -exec chown root:share {} \; -exec chmod 664 {} \; | find . -type f -exec chown root:share {} \; -exec chmod 664 {} \; | ||
| Line 223: | Line 223: | ||
== Fail2ban == | == Fail2ban == | ||
https://wiki.archlinux.org/index.php/Fail2ban | https://wiki.archlinux.org/index.php/Fail2ban | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash" line="1"> | ||
sudo pacman -Sy | sudo pacman -Sy | ||
sudo pacman --noconfirm -S fail2ban | sudo pacman --noconfirm -S fail2ban | ||
| Line 249: | Line 249: | ||
* udev rules: | * udev rules: | ||
<syntaxhighlight lang="c"> | <syntaxhighlight lang="c" line="1"> | ||
# /etc/sysctl.d/30-ipforward.conf | # /etc/sysctl.d/30-ipforward.conf | ||
net.ipv4.ip_forward=1 | net.ipv4.ip_forward=1 | ||
Revision as of 13:47, 24 January 2021
Profile.d/damme.sh
alias ls='ls --group-directories-first -hF --color=auto'
alias more='less'
alias nano='nano -w'
alias du='du -c -h'
alias diff='diff --color=auto'
alias grep='grep --color=auto -ni'
alias fgrep='fgrep --color=auto'
alias egrep='egrep --color=auto'
alias free='free -h'
alias ip='ip -color=auto'
alias ll='ls -l'
alias la='ls -A'
alias l='ls -lrtha'
function cdl(){
cd ""
ls
}
function cdal(){
cd ""
ls -al
}
export LESS=-R
export LESS_TERMCAP_mb=$'\E[1;31m' # begin blink
export LESS_TERMCAP_md=$'\E[1;36m' # begin bold
export LESS_TERMCAP_me=$'\E[0m' # reset bold/blink
export LESS_TERMCAP_so=$'\E[01;44;33m' # begin reverse video
export LESS_TERMCAP_se=$'\E[0m' # reset reverse video
export LESS_TERMCAP_us=$'\E[1;32m' # begin underline
export LESS_TERMCAP_ue=$'\E[0m' # reset underline
export EDITOR="nano"
export TERM='xterm-256color'
# if term == rxvt-unicode-256color && file not exists -> xterm-256color
_islinux=false
[[ "$(uname -s)" =~ Linux|GNU|GNU/* ]] && _islinux=true
_isarch=false
[[ -f /etc/arch-release ]] && _isarch=true
_isxrunning=false
[[ -n "$DISPLAY" ]] && _isxrunning=true
_isroot=false
[[ $UID -eq 0 ]] && _isroot=true
C=$(cat /etc/hostname | md5sum)
I="${C:0:1}"
H="${C:1:2}"
CSERV=$((0x${H}))
if [ $CSERV -lt 16 ] ; then
CSERV=$(($CSERV+16))
fi
if [ $CSERV -gt 231 ] ; then
CSERV=$(($CSERV-25))
fi
CSERV="$(tput setaf $CSERV)"
CNONE="$(tput sgr0)"
CROOT="$(tput setaf 48)"
if $_isroot; then
CROOT="$(tput setaf 196)"
fi
CPATH="$(tput setaf 38)"
export PS1="[$CSERV\u@\h$CNONE]$CPATH\w$CROOT\$$CNONE "
[[ -f /bin/neofetch ]] && neofetch --disable packages gpu
Text manipulation
sed -e # Show result, Will not change anything
sed -i 's/[Search]/[Replace]/g' [File]
sed -i '/[row containing]/ s/$/ [append]/' [File] # append to end of line of search
SSH
SOCKS5 proxy
ssh -C -N -D [local port] [name]@[server]
Generate SSH keys
#generate all keys - don't ask for passkey, save in ~/.ssh/id_rsa
ssh-keygen -N '' -f ~/.ssh/id_rsa
# if ~/.ssh/id_rsa.pub is missing!
ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub
# copy local 'id_rsa.pub' to remote host '~/.ssh/authorized_keys'
ssh-copy-id user@host
# Generate all keys for server
ssh-keygen -A
sshpiper auth process:
(client)[id_rsa.pub] -> (sshpiper)[authorized_keys] [id_rsa.pub] -> (target) [authorized_keys]
pacman
pacman -F $filename # Search package including $filename:
pacman -Ss $package # Search $package
pacman -S $package # Install $package
pacman -R $package # Remove $package
Filesystems and LVM
MDADM
Growing -> https://raid.wiki.kernel.org/index.php/Growing
LVM
lvcreate --type cache --cachemode writethrough -L 20G -n dataLV_cachepool dataVG/dataLV /dev/fast
# writethrough ensures that any data written will be stored both in the cache pool LV and on the origin LV. The loss of a device associated with the cache pool LV in this case would not mean the loss of any data;
# writeback ensures better performance, but at the cost of a higher risk of data loss in case the drive used for cache fails.
lvresize --resizefs -L +XG vg/lv
Other
pv -s 20G < /dev/foo > /dev/baz
Resue Data
https://www.gnu.org/software/ddrescue/manual/ddrescue_manual.html
Raid sas etc
# spin down sas
sdparm --readonly --command=stop /dev/xxx
# spin up sas
sdparm --command=start /dev/xxx
# check status, "Not ready" = not spinning, "Ready" = Spinning
sdparm --command=ready /dev/xxx
Docker
docker ps [-a/--all] # print (all) running containers
docker exec -it [container_id] /bin/bash # run shell in container#
Reinstall Portainer
docker stop portainer
docker rm portainer
docker pull portainer/portainer-ce
docker run -d -p 8000:8000 -p 9000:9000 --name=portainer --restart=unless-stopped -v /var/run/docker.sock:/var/run/docker.sock -v /opt/portainer/data:/data portainer/portainer-ce
Generate rsa keys for encrypted communication between
export PASS=SuperSecret
export SUBJ='/C=SE/L=Skällinge/O=Unimatrix'
export DAYS=3650
openssl genrsa -aes256 -out ca-key.pem -passout pass:$PASS 4096
openssl req -new -x509 -days $DAYS -key ca-key.pem -sha256 -out ca.pem -passin pass:$PASS -subj $SUBJ
openssl genrsa -out server-key.pem 4096
openssl req -subj "/CN=$HOSTNAME" -sha256 -new -key server-key.pem -out server.csr
echo subjectAltName = DNS:$HOSTNAME,IP:10.0.0.200,IP:127.0.0.1 >> extfile.cnf
echo extendedKeyUsage = serverAuth >> extfile.cnf
openssl x509 -req -days $DAYS -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
-CAcreateserial -out server-cert.pem -extfile extfile.cnf -passin pass:$PASS
#client:
openssl genrsa -out key.pem 4096
openssl req -subj '/CN=client' -new -key key.pem -out client.csr
echo extendedKeyUsage = clientAuth > extfile-client.cnf
openssl x509 -req -days $DAYS -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
-CAcreateserial -out cert.pem -extfile extfile-client.cnf -passin pass:$PASS
netcat
echo "test" | nc wiegert.link 12345 # client
nc -l 12345 -k # listener server, k = continuous
systemd
systemctl edit --full lvm2-lvmetad.service # edit service
systemctl edit lvm2-lvmetad.service # edit service override
systemctl daemon-reload # Reload systemd manager configuration
Other stuff
Fixperm on files (664) and folders (775):
find . -type d -exec chown root:share {} \; -exec chmod 775 {} \;
find . -type f -exec chown root:share {} \; -exec chmod 664 {} \;
docker + kvm + networking = :( https://serverfault.com/questions/963759/docker-breaks-libvirt-bridge-network
pfsense port forwarding while not being default gw: https://docs.netgate.com/pfsense/en/latest/troubleshooting/nat.html#figure-manual-outbound-nat-local-device
smtprelay via gmail with postfix mailutils, s-nail https://www.howtoforge.com/tutorial/configure-postfix-to-use-gmail-as-a-mail-relay/
Nut sending mails -> https://freekode.org/nut-sending-emails/
Fail2ban
https://wiki.archlinux.org/index.php/Fail2ban
sudo pacman -Sy
sudo pacman --noconfirm -S fail2ban
sudo cat << EOF >> /etc/fail2ban/jail.local
[DEFAULT]
bantime = 5d
[sshd]
enabled = true
EOF
sudo systemctl enable fail2ban.service
sudo systemctl start fail2ban.service
# Fail2ban status
fail2ban-client status sshd
# Unban ip:
fail2ban-client set sshd unbanip 1.2.3.4
Server Queen Specific changes
- DISABLE WATCHDOG! Server will reboot due to watchdog during reboot in filesystem tasks.. BAD!
- Added "TimeoutSec=900" in [Service]-Section /etc/systemd/system/lvm2-lvmetad.service , otherwise shutdown takes too long time and lvmetad gets killed instead of clean shutdown, Results in failed lv which needs lvchange -ay [lvm] or worse - lvconvert --repair.
Docker /etc/docker/daemon.json added "iptables": false.Update: Use /etc/sysctl.d/30-ipforward.conf and /etc/udev/rules.d/99-bridge.rules instead. Docker kills kvm bridges without it.- udev rules:
# /etc/sysctl.d/30-ipforward.conf
net.ipv4.ip_forward=1
net.ipv6.conf.default.forwarding=1
net.ipv6.conf.all.forwarding=1
# /etc/udev/rules.d/60-md-stripe-cache.rules
# Change stripe cache size to maximum, we got the ram! memory_consumed = system_page_size * nr_disks * stripe_cache_size
# https://www.cyberciti.biz/tips/linux-raid-increase-resync-rebuild-speed.html
SUBSYSTEM=="block", KERNEL=="md*", ACTION=="change", TEST=="md/stripe_cache_size", ATTR{md/stripe_cache_size}="32768"
## TODO ? sudo blockdev --setra ?? -> https://unix.stackexchange.com/questions/71364/persistent-blockdev-setra-read-ahead-setting
# /etc/udev/rules.d/89-usb.rules
#ups and TI zigbee module fix:
KERNEL=="ttyACM*", SUBSYSTEM=="tty", ENV{ID_USB_INTERFACE_NUM}=="00", ENV{ID_VENDOR_ID}=="0451", SYMLINK+="TIherdsman"
KERNEL=="ttyACM*", SUBSYSTEM=="tty", ENV{ID_USB_INTERFACE_NUM}=="03", ENV{ID_VENDOR_ID}=="0451", SYMLINK+="TImcu"
SUBSYSTEMS=="usb", ATTRS{idVendor}=="047c", ATTRS{idProduct}=="ffff", SYMLINK+="DellUPS0", MODE="0666"
# /etc/udev/rules.d/99-bridge.rules
# reload sysctl if br_netfilter is loaded, wierd stuff happens otherwise.
ACTION=="add", SUBSYSTEM=="module", KERNEL=="br_netfilter", RUN+="/sbin/sysctl --system"
# /usr/lib/udev/rules.d/11-dm-lvm.rules
# Create symlinks for top-level devices only.
## EDIT BY DAMME 2020-07-22 to populate partitions for libvirt
ENV{DM_VG_NAME}=="?*", ENV{DM_LV_NAME}=="?*", SYMLINK+="$env{DM_VG_NAME}/$env{DM_LV_NAME}"
ENV{DM_VG_NAME}=="?*", ENV{DM_LV_NAME}=="?*", RUN+="/sbin/kpartx -un /dev/%E{DM_VG_NAME}/%E{DM_LV_NAME}", GOTO="lvm_end"
- Note on sysctl reload : https://serverfault.com/questions/963759/docker-breaks-libvirt-bridge-network
