Difference between revisions of "Damme's linux stuff"
(→Docker) |
(111 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
== Profile.d/damme.sh == | |||
<syntaxhighlight lang="bash" line="1"> | |||
alias ls='ls --group-directories-first -hF --color=auto' | |||
alias more='less' | |||
alias nano='nano -w' | |||
alias du='du -c -h' | |||
alias diff='diff --color=auto' | |||
alias grep='grep --color=auto -ni' | |||
alias fgrep='fgrep --color=auto' | |||
alias egrep='egrep --color=auto' | |||
alias free='free -h' | |||
alias ip='ip -color=auto' | |||
alias ll='ls -l' | |||
alias la='ls -A' | |||
alias l='ls -lrtha' | |||
function cdl(){ | |||
cd "" | |||
ls | |||
} | |||
function cdal(){ | |||
cd "" | |||
ls -al | |||
} | |||
export LESS=-R | |||
export LESS_TERMCAP_mb=$'\E[1;31m' # begin blink | |||
export LESS_TERMCAP_md=$'\E[1;36m' # begin bold | |||
export LESS_TERMCAP_me=$'\E[0m' # reset bold/blink | |||
export LESS_TERMCAP_so=$'\E[01;44;33m' # begin reverse video | |||
export LESS_TERMCAP_se=$'\E[0m' # reset reverse video | |||
export LESS_TERMCAP_us=$'\E[1;32m' # begin underline | |||
export LESS_TERMCAP_ue=$'\E[0m' # reset underline | |||
export EDITOR="nano" | |||
export TERM='xterm-256color' | |||
# if term == rxvt-unicode-256color && file not exists -> xterm-256color | |||
_islinux=false | |||
[[ "$(uname -s)" =~ Linux|GNU|GNU/* ]] && _islinux=true | |||
_isarch=false | |||
[[ -f /etc/arch-release ]] && _isarch=true | |||
_isxrunning=false | |||
[[ -n "$DISPLAY" ]] && _isxrunning=true | |||
_isroot=false | |||
[[ $UID -eq 0 ]] && _isroot=true | |||
C=$(cat /etc/hostname | md5sum) | |||
I="${C:0:1}" | |||
H="${C:1:2}" | |||
CSERV=$((0x${H})) | |||
if [ $CSERV -lt 16 ] ; then | |||
CSERV=$(($CSERV+16)) | |||
fi | |||
if [ $CSERV -gt 231 ] ; then | |||
CSERV=$(($CSERV-25)) | |||
fi | |||
CSERV="$(tput setaf $CSERV)" | |||
CNONE="$(tput sgr0)" | |||
CROOT="$(tput setaf 48)" | |||
if $_isroot; then | |||
CROOT="$(tput setaf 196)" | |||
fi | |||
CPATH="$(tput setaf 38)" | |||
export PS1="[$CSERV\u@\h$CNONE]$CPATH\w$CROOT\$$CNONE " | |||
[[ -f /bin/neofetch ]] && neofetch --disable packages gpu | |||
</syntaxhighlight> | |||
== Text manipulation == | |||
<syntaxhighlight lang="bash" line="1"> | |||
sed -e # Show result, Will not change anything | |||
sed -i 's/[Search]/[Replace]/g' [File] | |||
sed -i '/[row containing]/ s/$/ [append]/' [File] # append to end of line of search | |||
</syntaxhighlight> | |||
== SSH == | == SSH == | ||
<syntaxhighlight lang="bash"> | === SOCKS5 proxy === | ||
ssh- | <syntaxhighlight lang="bash" line="1"> | ||
ssh -C -N -D [local port] [name]@[server] | |||
</syntaxhighlight> | |||
=== Generate SSH keys === | |||
<syntaxhighlight lang="bash" line="1"> | |||
#generate all keys - don't ask for passkey, save in ~/.ssh/id_rsa | |||
ssh-keygen -t ed25519 -N '' -f ~/.ssh/id_rsa | |||
ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub | # if ~/.ssh/id_rsa.pub is missing! | ||
ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub | |||
# copy local 'id_rsa.pub' to remote host '~/.ssh/authorized_keys' | |||
ssh-copy-id user@host | |||
# Generate all keys for server | |||
ssh-keygen -A | |||
</syntaxhighlight> | </syntaxhighlight> | ||
sshpiper auth process: | sshpiper auth process: | ||
<syntaxhighlight lang="json"> | <syntaxhighlight lang="json" line="1"> | ||
(client)[id_rsa.pub] -> (sshpiper)[authorized_keys] [id_rsa.pub] -> (target) [authorized_keys] | (client)[id_rsa.pub] -> (sshpiper)[authorized_keys] [id_rsa.pub] -> (target) [authorized_keys] | ||
</syntaxhighlight> | </syntaxhighlight> | ||
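Review bot: `cd ""` inside the new cdl and cdal functions is a no-op, so both functions only run `ls` in the current directory; presumably `$1` was lost in rendering, and `cd "$1" || return` restores the intent and stops before `ls` when the cd fails. Further down, `C=$(cat /etc/hostname | md5sum)` can be `C=$(md5sum < /etc/hostname)`, and `I="${C:0:1}"` is assigned but never read. In the SSH section, `ssh-keygen -t ed25519 -N '' -f ~/.ssh/id_rsa` writes an unencrypted private key under a name that suggests RSA; a comment such as `# no passphrase: anyone who can read the file can use the key` would make that explicit, and `id_ed25519` is the conventional file name for this key type.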
Line 16: | Line 115: | ||
== pacman == | == pacman == | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash" line="1"> | ||
pacman -F $filename # Search package including $filename | pacman -F $filename # Search package including $filename | ||
pacman -Qo $filename # Search package including $filename | |||
pacman -Ss $package # Search $package | pacman -Ss $package # Search $package | ||
pacman -S $package # Install $package | pacman -S $package # Install $package | ||
pacman -R $package # Remove $package | pacman -R $package # Remove $package | ||
# remove partial packages: | |||
find /var/cache/pacman/pkg/ -iname "*.part" -delete | |||
</syntaxhighlight> | |||
== Filesystems and LVM == | |||
=== MDADM === | |||
Growing -> https://raid.wiki.kernel.org/index.php/Growing | |||
=== LVM === | |||
<syntaxhighlight lang="bash" line="1"> | |||
lvcreate -L [SIZE]g -n [NAME] [VG] /dev/[PV] | |||
lvcreate --type cache --cachemode writethrough -L 20G -n dataLV_cachepool dataVG/dataLV /dev/fast | |||
# writethrough ensures that any data written will be stored both in the cache pool LV and on the origin LV. The loss of a device associated with the cache pool LV in this case would not mean the loss of any data; | |||
# writeback ensures better performance, but at the cost of a higher risk of data loss in case the drive used for cache fails. | |||
lvconvert --splitcache MyVolGroup/rootvol | |||
lvconvert --uncache MyVolGroup/rootvol | |||
lvresize --resizefs -L +XG vg/lv | |||
# Move LV Between physical drives in same VG - Can be done LIVE | |||
# Create mirror | |||
lvconvert -m 1 [LV] [NEW DEV] | |||
# wait for it to copy data (Check via lvs) | |||
# Remove mirror | |||
lvconvert -m 0 [LV] [OLD DEV] | |||
# Alt: pvmove -n [LV] [OLD DEV] [NEW DEV] | |||
lvcreate --type thin-pool -n thin-pool -L size vg [pv?] | |||
lvs -o +devices | |||
lvremove [LVM] | |||
# Logical volume [LVM] is used by another device. | |||
kpartx -d /dev/mapper/[LVM] | |||
#dmsetup ls | |||
dmsetup remove [LVM] | |||
lvremove [LVM] | |||
</syntaxhighlight> | |||
=== fstab === | |||
<syntaxhighlight lang="bash" line="1"> | |||
/source /destination none defaults,bind 0 0 | |||
#check fstab: | |||
mount -fav | |||
</syntaxhighlight> | |||
=== Other === | |||
<syntaxhighlight lang="bash" line="1"> | |||
pv -s 20G < /dev/foo > /dev/baz | |||
</syntaxhighlight> | |||
<syntaxhighlight lang="bash" line="1"> | |||
diskspd.exe –c50G -d300 -r -w40 -t8 -o32 -b64K -Sh -L E:\diskpsdtmp.dat > DiskSpeedResults.txt | |||
</syntaxhighlight> | |||
=== Resue Data === | |||
https://www.gnu.org/software/ddrescue/manual/ddrescue_manual.html | |||
=== BTRFS === | |||
<syntaxhighlight lang="bash" line="1"> | |||
# Resize BTRFS | |||
btrfs filesystem resize max /path | |||
btrfs device usage /path | |||
</syntaxhighlight> | |||
=== Raid sas etc === | |||
<syntaxhighlight lang="bash" line="1"> | |||
# spin down sas | |||
sdparm --readonly --command=stop /dev/xxx | |||
# spin up sas | |||
sdparm --command=start /dev/xxx | |||
# check status, "Not ready" = not spinning, "Ready" = Spinning | |||
sdparm --command=ready /dev/xxx | |||
</syntaxhighlight> | |||
=== Low level format SATA === | |||
<syntaxhighlight lang="bash" line="1"> | |||
hdparm -I /dev/sda | |||
# if frozen need to unfreeze | |||
hdparm --user-master u --security-set-pass llformat /dev/sd_ | |||
hdparm --user-master u --security-erase llformat /dev/sd_ | |||
</syntaxhighlight> | </syntaxhighlight> | ||
== Docker == | == Docker == | ||
<syntaxhighlight lang="bash" line="1"> | |||
docker ps [-a/--all] # print (all) running containers | |||
docker exec -it [container_id] /bin/bash # run shell in container# | |||
docker update --cpuset-cpus="1-5" [container_id] | |||
</syntaxhighlight> | |||
Reinstall Portainer | |||
<syntaxhighlight lang="bash" line="1"> | |||
docker stop portainer | |||
docker rm portainer | |||
docker pull portainer/portainer-ce | |||
docker run -d -p 8000:8000 -p 9000:9000 --name=portainer --restart=unless-stopped -v /var/run/docker.sock:/var/run/docker.sock -v /opt/portainer/data:/data portainer/portainer-ce | |||
docker stop portainer && docker rm portainer && docker pull portainer/portainer-ce && docker run -d -p 8000:8000 -p 9000:9000 --name=portainer --restart=unless-stopped -v /var/run/docker.sock:/var/run/docker.sock -v /opt/portainer/data:/data portainer/portainer-ce | |||
</syntaxhighlight> | |||
Generate rsa keys for encrypted communication between | Generate rsa keys for encrypted communication between | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash" line="1"> | ||
#server: | |||
export PASS=SuperSecret | export PASS=SuperSecret | ||
export SUBJ='/C=SE/L=Skällinge/O=Unimatrix' | export SUBJ='/C=SE/L=Skällinge/O=Unimatrix' | ||
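Review bot: The new `docker run ... -v /var/run/docker.sock:/var/run/docker.sock` line hands the Portainer container full control of the Docker daemon, which is root-equivalent on the host, and `-p 8000:8000 -p 9000:9000` publishes the management UI on every interface. Binding to an address, e.g. `-p 127.0.0.1:9000:9000`, or firewalling the ports keeps the UI off untrusted networks, and a comment noting what the socket mount grants would help the next reader. The added `pacman -Qo $filename # Search package including $filename` comment merely repeats the `-F` one; `-Qo` reports which installed package owns the file, while `-F` searches the file database of all packages.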
Line 35: | Line 240: | ||
openssl genrsa -out server-key.pem 4096 | openssl genrsa -out server-key.pem 4096 | ||
echo subjectAltName = DNS:$ | #client: | ||
openssl req -subj "/CN=$HOSTNAME" -sha256 -new -key server-key.pem -out server.csr | |||
echo subjectAltName = DNS:$HOSTNAME,IP:10.0.0.200,IP:127.0.0.1 >> extfile.cnf | |||
echo extendedKeyUsage = serverAuth >> extfile.cnf | echo extendedKeyUsage = serverAuth >> extfile.cnf | ||
openssl x509 -req -days $DAYS -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \ | openssl x509 -req -days $DAYS -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \ | ||
-CAcreateserial -out server-cert.pem -extfile extfile.cnf -passin pass:$PASS | -CAcreateserial -out server-cert.pem -extfile extfile.cnf -passin pass:$PASS | ||
openssl genrsa -out key.pem 4096 | openssl genrsa -out key.pem 4096 | ||
openssl req -subj '/CN=client' -new -key key.pem -out client.csr | openssl req -subj '/CN=client' -new -key key.pem -out client.csr | ||
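Review bot: The new `#client:` comment sits before `openssl req -subj "/CN=$HOSTNAME" ... -out server.csr`, the `subjectAltName` line and `extendedKeyUsage = serverAuth`, which are all server-certificate steps; it belongs immediately before `openssl genrsa -out key.pem 4096`, where the client key starts. The new `echo subjectAltName = ... >> extfile.cnf` appends, so re-running the snippet accumulates duplicate lines in the extension file; the first write should be `>`. The surrounding `-passin pass:$PASS` (and `-passout pass:$PASS` earlier) puts the CA passphrase on the command line, where it is visible in the process list; `-passin env:PASS` reads the already exported variable instead.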
Line 48: | Line 254: | ||
openssl x509 -req -days $DAYS -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \ | openssl x509 -req -days $DAYS -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \ | ||
-CAcreateserial -out cert.pem -extfile extfile-client.cnf -passin pass:$PASS | -CAcreateserial -out cert.pem -extfile extfile-client.cnf -passin pass:$PASS | ||
</syntaxhighlight> | |||
== /etc/systemd/system/docker.service.d/execstart.conf == | |||
<syntaxhighlight lang="bash" line="1"> | |||
[Service] | |||
ExecStart= | |||
#ExecStart=/usr/bin/dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:4243 | |||
ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/etc/docker/ssl/ca.pem --tlscert=/etc/docker/ssl/server-cert.pem --tlskey=/etc/docker/ssl/server-key.pem -H fd:// -H tcp://0.0.0.0:2376 | |||
</syntaxhighlight> | </syntaxhighlight> | ||
== netcat == | == netcat == | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash" line="1"> | ||
echo "test" | nc wiegert.link 12345 # client | echo "test" | nc wiegert.link 12345 # client | ||
nc -l 12345 -k # listener server, k = continuous | nc -l 12345 -k # listener server, k = continuous | ||
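Review bot: The new drop-in binds the TLS API with `-H tcp://0.0.0.0:2376` on every interface, while the server certificate's SAN in the previous section only covers `DNS:$HOSTNAME,IP:10.0.0.200,IP:127.0.0.1`; binding to `tcp://10.0.0.200:2376` would limit exposure to the address the certificate was issued for. The commented-out `-H tcp://0.0.0.0:4243` line carries no `--tlsverify`, so if it is ever re-enabled anyone who can reach the port gets root-equivalent control of the host; a comment such as `# unauthenticated API - never enable on a reachable interface`, or deleting the line, avoids that. The empty `ExecStart=` before the replacement is correct, since systemd needs it to clear the unit's original command.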
Line 57: | Line 271: | ||
== systemd == | == systemd == | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash" line="1"> | ||
systemctl edit --full lvm2-lvmetad.service # edit service | systemctl edit --full lvm2-lvmetad.service # edit service | ||
systemctl edit lvm2-lvmetad.service # edit service override | systemctl edit lvm2-lvmetad.service # edit service override | ||
systemctl daemon-reload # Reload systemd manager configuration | systemctl daemon-reload # Reload systemd manager configuration | ||
</syntaxhighlight> | </syntaxhighlight> | ||
== rsync == | |||
<syntaxhighlight lang="bash" line="1"> | |||
rsync -rav | |||
rsync -ravHAX | |||
rsync -avHAX --one-file-system | |||
</syntaxhighlight> | |||
== ZFS == | |||
[[ZFS Best practices]] | |||
== Other stuff == | == Other stuff == | ||
Fixperm on files ( | Fixperm on files (664) and folders (775): | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash" line="1"> | ||
find . -type d -exec chmod | find . -type d -exec chown root:share {} \; -exec chmod 775 {} \; | ||
find . -type f -exec chmod | find . -type f -exec chown root:share {} \; -exec chmod 664 {} \; | ||
</syntaxhighlight> | </syntaxhighlight> | ||
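Review bot: The new `find . -type d -exec chown root:share {} \; -exec chmod 775 {} \;` (and the `-type f` line) forks chown and chmod once per entry; `-exec chown root:share {} + -exec chmod 775 {} +` batches the paths, with the caveat that `+` always succeeds, so chmod then also runs for entries whose chown failed. `find .` acts on whatever the current directory happens to be, so a comment like `# run from the share root` is worth adding. In the new rsync section, `-r` in `rsync -rav` and `rsync -ravHAX` is redundant because `-a` already implies recursion.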
Line 76: | Line 300: | ||
https://www.howtoforge.com/tutorial/configure-postfix-to-use-gmail-as-a-mail-relay/ | https://www.howtoforge.com/tutorial/configure-postfix-to-use-gmail-as-a-mail-relay/ | ||
Nut sending mails | Nut sending mails -> https://freekode.org/nut-sending-emails/ | ||
Secure rsync over SSH without shell access - https://lxadm.com/Secure_rsync_over_SSH_without_shell_access | |||
<syntaxhighlight lang="bash" line="1"> | |||
ipv4=$(curl -s -X GET -4 https://ifconfig.co) | |||
ipv6=$(curl -s -X GET -6 https://ifconfig.co) | |||
</syntaxhighlight> | |||
== Fail2ban == | |||
https://wiki.archlinux.org/index.php/Fail2ban | |||
<syntaxhighlight lang="bash" line="1"> | |||
sudo pacman -Sy | |||
sudo pacman --noconfirm -S fail2ban | |||
sudo cat << EOF >> /etc/fail2ban/jail.local | |||
[DEFAULT] | |||
bantime = 5d | |||
[sshd] | |||
enabled = true | |||
mode = aggressive | |||
EOF | |||
sudo systemctl enable fail2ban.service | |||
sudo systemctl start fail2ban.service | |||
# Fail2ban status | |||
fail2ban-client status sshd | |||
# Unban ip: | |||
fail2ban-client set sshd unbanip 1.2.3.4 | |||
</syntaxhighlight> | |||
== UDEV fun! == | |||
<syntaxhighlight lang="c" line="1"> | |||
KERNEL=="ttyACM*", SUBSYSTEM=="tty", ENV{ID_USB_INTERFACE_NUM}=="00", ENV{ID_VENDOR_ID}=="0451", SYMLINK+="TIherdsman" | |||
KERNEL=="ttyACM*", SUBSYSTEM=="tty", ENV{ID_USB_INTERFACE_NUM}=="03", ENV{ID_VENDOR_ID}=="0451", SYMLINK+="TImcu" | |||
SUBSYSTEMS=="usb", ATTRS{idVendor}=="047c", ATTRS{idProduct}=="ffff", SYMLINK+="DellUPS0", MODE="0666" | |||
KERNEL=="ttyUSB*", SUBSYSTEM=="tty", ENV{ID_USB_INTERFACE_NUM}=="00", ENV{ID_VENDOR_ID}=="1a86", SYMLINK+="GSM-SIM800", MODE="0666" | |||
</syntaxhighlight> | |||
<syntaxhighlight lang="bash" line="1"> | |||
# Reload and re-trigger udev rules without reboot | |||
udevadm control --reload-rules && udevadm trigger | |||
</syntaxhighlight> | |||
== Wireshark == | |||
<syntaxhighlight lang="bash" line="1"> | |||
ssh user@remote "tcpdump -s0 -w - 'port 1234'" | wireshark -k -i - | |||
# Filter macaddress beginning with: | |||
(ether [0:4] & 0xffffff00 = 0x000c2200) or (ether [6:4] & 0xffffff00 = 0x000c2200) | |||
# First / Last | |||
eth.addr[0:3] == bc:05:43 | |||
eth.addr[4:2] == 28:06 | |||
</syntaxhighlight> | |||
== Server Queen Specific changes == | |||
* https://forums.servethehome.com/index.php?threads/flash-crossflash-dell-h330-raid-card-to-hba330-12gbps-hba-it-firmware.25498/#post-236242 | |||
* DISABLE WATCHDOG! Server will reboot due to watchdog during reboot in filesystem tasks.. BAD! | |||
* Added "TimeoutSec=900" in [Service]-Section '''/etc/systemd/system/lvm2-lvmetad.service''' , otherwise shutdown takes too long time and lvmetad gets killed instead of clean shutdown, Results in failed lv which needs lvchange -ay [lvm] or worse - lvconvert --repair. | |||
* <del> Docker '''/etc/docker/daemon.json''' added "iptables": false.</del> Update: Use /etc/sysctl.d/30-ipforward.conf and /etc/udev/rules.d/99-bridge.rules instead. Docker kills kvm bridges without it. | |||
* sysctl rules: | |||
<syntaxhighlight lang="c" line="1"> | |||
#/etc/sysctl.d/40-ipv6.conf: | |||
# Disable IPv6 | |||
net.ipv6.conf.all.disable_ipv6 = 1 | |||
net.ipv6.conf.nic0.disable_ipv6 = 1 | |||
... | |||
net.ipv6.conf.nicN.disable_ipv6 = 1 | |||
</syntaxhighlight> | |||
* Note on sysctl reload : https://serverfault.com/questions/963759/docker-breaks-libvirt-bridge-network | |||
* udev rules: | |||
<syntaxhighlight lang="c" line="1"> | |||
# /etc/sysctl.d/30-ipforward.conf | |||
net.ipv4.ip_forward=1 | |||
net.ipv6.conf.default.forwarding=1 | |||
net.ipv6.conf.all.forwarding=1 | |||
# /etc/udev/rules.d/60-md-stripe-cache.rules | |||
# Change stripe cache size to maximum, we got the ram! memory_consumed = system_page_size * nr_disks * stripe_cache_size | |||
# https://www.cyberciti.biz/tips/linux-raid-increase-resync-rebuild-speed.html | |||
SUBSYSTEM=="block", KERNEL=="md*", ACTION=="change", TEST=="md/stripe_cache_size", ATTR{md/stripe_cache_size}="32768" | |||
## TODO ? sudo blockdev --setra ?? -> https://unix.stackexchange.com/questions/71364/persistent-blockdev-setra-read-ahead-setting | |||
# /etc/udev/rules.d/89-usb.rules | |||
#ups and TI zigbee module fix: | |||
KERNEL=="ttyACM*", SUBSYSTEM=="tty", ENV{ID_USB_INTERFACE_NUM}=="00", ENV{ID_VENDOR_ID}=="0451", SYMLINK+="TIherdsman" | |||
KERNEL=="ttyACM*", SUBSYSTEM=="tty", ENV{ID_USB_INTERFACE_NUM}=="03", ENV{ID_VENDOR_ID}=="0451", SYMLINK+="TImcu" | |||
SUBSYSTEMS=="usb", ATTRS{idVendor}=="047c", ATTRS{idProduct}=="ffff", SYMLINK+="DellUPS0", MODE="0666" | |||
# /etc/udev/rules.d/99-bridge.rules | |||
# reload sysctl if br_netfilter is loaded, wierd stuff happens otherwise. | |||
ACTION=="add", SUBSYSTEM=="module", KERNEL=="br_netfilter", RUN+="/sbin/sysctl --system" | |||
# /usr/lib/udev/rules.d/11-dm-lvm.rules | |||
# Create symlinks for top-level devices only. | |||
## EDIT BY DAMME 2020-07-22 to populate partitions for libvirt | |||
ENV{DM_VG_NAME}=="?*", ENV{DM_LV_NAME}=="?*", SYMLINK+="$env{DM_VG_NAME}/$env{DM_LV_NAME}" | |||
ENV{DM_VG_NAME}=="?*", ENV{DM_LV_NAME}=="?*", RUN+="/sbin/kpartx -un /dev/%E{DM_VG_NAME}/%E{DM_LV_NAME}", GOTO="lvm_end" | |||
</syntaxhighlight> | |||
== New server thoughts == | |||
* https://www.youtube.com/watch?v=MucGkPUMjNo Building a Power Efficient Home Server! |
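Review bot: `sudo cat << EOF >> /etc/fail2ban/jail.local` does not work for a non-root user: the `>>` redirection is opened by the calling shell, not by sudo, so it fails with "Permission denied" before cat runs; `sudo tee -a /etc/fail2ban/jail.local >/dev/null << 'EOF'` performs the append with privileges. In the udev rules, `MODE="0666"` on the UPS and GSM device nodes lets any local user read and write them; `GROUP="<group>", MODE="0660"` with the service account in that group is the usual least-privilege form. `curl -s -X GET -4 https://ifconfig.co` stores whatever the server returns, including an error page, in `ipv4`; `-fsS` makes HTTP errors fail with an empty result while still reporting them, and `-X GET` is the default anyway.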
Latest revision as of 10:26, 28 February 2024
Profile.d/damme.sh
# Interactive-shell aliases.  Bash does not expand aliases in non-interactive
# shells, so scripts are unaffected by the changed defaults below.
alias ls='ls --group-directories-first -hF --color=auto'
alias more='less'
alias nano='nano -w'
alias du='du -c -h'
alias diff='diff --color=auto'
# NOTE: -n prefixes line numbers and -i matches case-insensitively, so
# interactive grep output and matching differ from plain grep.
alias grep='grep --color=auto -ni'
alias fgrep='fgrep --color=auto'
alias egrep='egrep --color=auto'
alias free='free -h'
alias ip='ip -color=auto'
alias ll='ls -l'
alias la='ls -A'
alias l='ls -lrtha'
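# cd into the given directory (or $HOME when none is given, like plain cd) and
# list it.  The rendered original had `cd ""`, which is a no-op, so only the
# current directory was ever listed; `|| return` stops before `ls` when the
# cd fails, propagating cd's exit status.
cdl() {
  cd "${1:-$HOME}" || return
  ls
}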
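# cd into the given directory (or $HOME when none is given, like plain cd) and
# list it in long format including dotfiles.  The rendered original had
# `cd ""`, which is a no-op; `|| return` stops before `ls` when the cd fails,
# propagating cd's exit status.
cdal() {
  cd "${1:-$HOME}" || return
  ls -al
}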
# less: pass raw ANSI colour sequences through (man pages, git, grep --color).
export LESS=-R
# ANSI sequences less substitutes for the corresponding termcap capabilities,
# which colours man pages.
export LESS_TERMCAP_mb=$'\E[1;31m' # begin blink
export LESS_TERMCAP_md=$'\E[1;36m' # begin bold
export LESS_TERMCAP_me=$'\E[0m' # reset bold/blink
export LESS_TERMCAP_so=$'\E[01;44;33m' # begin reverse video
export LESS_TERMCAP_se=$'\E[0m' # reset reverse video
export LESS_TERMCAP_us=$'\E[1;32m' # begin underline
export LESS_TERMCAP_ue=$'\E[0m' # reset underline
export EDITOR="nano"
# Forced for every login regardless of the real terminal; the author's TODO
# below describes the intended conditional (only remap rxvt-unicode when its
# terminfo entry is missing), which is not implemented yet.
export TERM='xterm-256color'
# if term == rxvt-unicode-256color && file not exists -> xterm-256color
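# Host/role flags for the rest of the profile.  They hold the strings
# true/false so they can be run as commands (e.g. `if $_isroot; then`).
_islinux=false
if [[ "$(uname -s)" =~ Linux|GNU|GNU/* ]]; then _islinux=true; fi
_isarch=false
if [[ -f /etc/arch-release ]]; then _isarch=true; fi
_isxrunning=false
if [[ -n "$DISPLAY" ]]; then _isxrunning=true; fi
_isroot=false
if [[ $UID -eq 0 ]]; then _isroot=true; fi

# Per-host prompt colour: hash the hostname with md5 and use two hex digits of
# the digest as a 256-colour index, so each machine gets a stable colour.
# Read /etc/hostname directly (no `cat |`); when it is unreadable, hash
# $HOSTNAME instead of empty input.  The unused I="${C:0:1}" was dropped.
if [[ -r /etc/hostname ]]; then
  C=$(md5sum < /etc/hostname)
else
  C=$(printf '%s\n' "${HOSTNAME:-}" | md5sum)
fi
H="${C:1:2}"                 # two hex digits -> 0..255
CSERV=$((16#${H}))
# Stay inside the 6x6x6 colour cube (indices 16..231): skip the 16 basic
# colours below it and the 24 greyscale entries above it.
if (( CSERV < 16 )); then
  CSERV=$((CSERV + 16))
fi
if (( CSERV > 231 )); then
  CSERV=$((CSERV - 25))
fi
CSERV="$(tput setaf "$CSERV")"
CNONE="$(tput sgr0)"
CROOT="$(tput setaf 48)"     # prompt symbol: green for ordinary users,
if $_isroot; then
  CROOT="$(tput setaf 196)"  # red when running as root
fi
CPATH="$(tput setaf 38)"
export PS1="[$CSERV\u@\h$CNONE]$CPATH\w$CROOT\$$CNONE "
# Look neofetch up on PATH instead of requiring /bin/neofetch to exist.
if command -v neofetch >/dev/null 2>&1; then
  neofetch --disable packages gpu
fi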
Text manipulation
# Preview first: run the same expression with -e (no -i) and check stdout
# before editing in place.
sed -e # Show result, Will not change anything
# In-place substitution of every occurrence (g) on every line of [File].
sed -i 's/[Search]/[Replace]/g' [File]
# Only on lines matching [row containing]: substitute end-of-line ($) with
# " [append]", i.e. append to those lines.
sed -i '/[row containing]/ s/$/ [append]/' [File] # append to end of line of search
SSH
SOCKS5 proxy
# Dynamic (SOCKS) forward on [local port] through [server]: -N runs no remote
# command, -C compresses.  Without a bind address -D listens on loopback only,
# so other hosts cannot use the tunnel.
ssh -C -N -D [local port] [name]@[server]
Generate SSH keys
#generate all keys - don't ask for passkey, save in ~/.ssh/id_rsa
# -N '' stores the private key unencrypted: anyone who can read the file can
# use the key.  For an interactive user a passphrase plus ssh-agent is the
# safer default.  The name id_rsa does not match the ed25519 key type; ssh
# still tries ~/.ssh/id_rsa by default, but id_ed25519 is the usual name.
ssh-keygen -t ed25519 -N '' -f ~/.ssh/id_rsa
# if ~/.ssh/id_rsa.pub is missing!
# -y derives and prints the public key from the private key file.
ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub
# copy local 'id_rsa.pub' to remote host '~/.ssh/authorized_keys'
ssh-copy-id user@host
# Generate all keys for server
# -A creates the missing host keys of every default type under /etc/ssh.
ssh-keygen -A
sshpiper auth process:
(client)[id_rsa.pub] -> (sshpiper)[authorized_keys] [id_rsa.pub] -> (target) [authorized_keys]
pacman
pacman -F $filename # Search the files database for packages (installed or not) that ship $filename
pacman -Qo $filename # Query which installed package owns $filename
pacman -Ss $package # Search $package
pacman -S $package # Install $package
pacman -R $package # Remove $package
# remove partial packages:
# *.part files are interrupted downloads left in the package cache.
find /var/cache/pacman/pkg/ -iname "*.part" -delete
Filesystems and LVM
MDADM
Growing -> https://raid.wiki.kernel.org/index.php/Growing
LVM
# Plain LV of [SIZE] GiB, placed on one specific PV of the VG.
lvcreate -L [SIZE]g -n [NAME] [VG] /dev/[PV]
# Attach a 20G cache pool on the fast device in front of dataVG/dataLV.
lvcreate --type cache --cachemode writethrough -L 20G -n dataLV_cachepool dataVG/dataLV /dev/fast
# writethrough ensures that any data written will be stored both in the cache pool LV and on the origin LV. The loss of a device associated with the cache pool LV in this case would not mean the loss of any data;
# writeback ensures better performance, but at the cost of a higher risk of data loss in case the drive used for cache fails.
# --splitcache detaches the cache pool but keeps it as its own LV;
# --uncache detaches it and deletes it.
lvconvert --splitcache MyVolGroup/rootvol
lvconvert --uncache MyVolGroup/rootvol
# Grow the LV by X GiB and resize the filesystem on it in the same step.
lvresize --resizefs -L +XG vg/lv
# Move LV Between physical drives in same VG - Can be done LIVE
# Create mirror
lvconvert -m 1 [LV] [NEW DEV]
# wait for it to copy data (Check via lvs)
# Remove mirror
lvconvert -m 0 [LV] [OLD DEV]
# Alt: pvmove -n [LV] [OLD DEV] [NEW DEV]
lvcreate --type thin-pool -n thin-pool -L size vg [pv?]
# Show which PVs back each LV.
lvs -o +devices
lvremove [LVM]
# Logical volume [LVM] is used by another device.
# Typical cause: kpartx partition mappings stacked on the LV.  Drop them,
# then the remaining device-mapper node, then retry lvremove.
kpartx -d /dev/mapper/[LVM]
#dmsetup ls
dmsetup remove [LVM]
lvremove [LVM]
fstab
# fstab bind mount: expose /source again at /destination.
/source /destination none defaults,bind 0 0
#check fstab:
# -f fake (do not actually mount), -a all fstab entries, -v verbose:
# a parse/dry-run check of the file.
mount -fav
Other
# Copy a block device with a progress bar; -s tells pv the expected size
# (20G) so it can show a percentage and ETA.  Double-check source and target:
# the target is overwritten.
pv -s 20G < /dev/foo > /dev/baz
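# Windows DiskSpd (run from cmd/PowerShell, not bash): 50G test file (-c50G),
# 300 s (-d300), random (-r) I/O with 40% writes (-w40), 8 threads (-t8),
# 32 outstanding I/Os (-o32), 64K blocks (-b64K), software and hardware
# caching disabled (-Sh), latency statistics (-L).
# Fix: the original had an en dash (–c50G) instead of a hyphen, which
# diskspd does not recognise as an option switch.
diskspd.exe -c50G -d300 -r -w40 -t8 -o32 -b64K -Sh -L E:\diskpsdtmp.dat > DiskSpeedResults.txt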
Rescue Data
https://www.gnu.org/software/ddrescue/manual/ddrescue_manual.html
BTRFS
# Resize BTRFS
# Grow the filesystem mounted at /path to fill its device.
btrfs filesystem resize max /path
# Per-device allocation of the filesystem at /path.
btrfs device usage /path
Raid sas etc
# SCSI START STOP UNIT via sdparm; --readonly opens the device read-only.
# spin down sas
sdparm --readonly --command=stop /dev/xxx
# spin up sas
sdparm --command=start /dev/xxx
# check status, "Not ready" = not spinning, "Ready" = Spinning
sdparm --command=ready /dev/xxx
Low level format SATA
# Identify data; the "Security:" section shows whether the drive is frozen.
hdparm -I /dev/sda
# if frozen need to unfreeze
# ATA Security Erase: set a user password, then issue the erase with it.
# This wipes the ENTIRE drive; replace sd_ with the right device and verify
# it (e.g. with lsblk) before running.
hdparm --user-master u --security-set-pass llformat /dev/sd_
hdparm --user-master u --security-erase llformat /dev/sd_
Docker
# -a also lists stopped containers.
docker ps [-a/--all] # print (all) running containers
docker exec -it [container_id] /bin/bash # run shell in container#
# Restrict the running container to CPUs 1-5 without restarting it.
docker update --cpuset-cpus="1-5" [container_id]
Reinstall Portainer
# Stop and remove the running container, fetch the current image and recreate
# it with the same ports and volumes.
docker stop portainer
docker rm portainer
docker pull portainer/portainer-ce
# Mounting /var/run/docker.sock gives the container full control of the Docker
# daemon (root-equivalent on the host), and -p without an address publishes
# 8000 and 9000 on every interface.  Bind to an address (e.g.
# -p 127.0.0.1:9000:9000) or firewall the ports when the host is reachable
# from untrusted networks.
docker run -d -p 8000:8000 -p 9000:9000 --name=portainer --restart=unless-stopped -v /var/run/docker.sock:/var/run/docker.sock -v /opt/portainer/data:/data portainer/portainer-ce
# The same four steps as one && chain (stops at the first failing command).
docker stop portainer && docker rm portainer && docker pull portainer/portainer-ce && docker run -d -p 8000:8000 -p 9000:9000 --name=portainer --restart=unless-stopped -v /var/run/docker.sock:/var/run/docker.sock -v /opt/portainer/data:/data portainer/portainer-ce
Generate RSA keys and certificates for TLS between the Docker client and daemon (used by the execstart.conf drop-in below):
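#server:
# CA key passphrase.  Replace SuperSecret.  It is handed to openssl as
# env:PASS (read from the environment) instead of pass:$PASS, so it no longer
# appears on the command line / in the process list; it is still in this
# shell's environment and history.
export PASS=SuperSecret
export SUBJ='/C=SE/L=Skällinge/O=Unimatrix'
export DAYS=3650                       # 10-year validity for CA and leaf certs
# CA: AES-encrypted private key and self-signed certificate.
openssl genrsa -aes256 -out ca-key.pem -passout env:PASS 4096
openssl req -new -x509 -days "$DAYS" -key ca-key.pem -sha256 -out ca.pem -passin env:PASS -subj "$SUBJ"
# Server (dockerd) key and certificate.  The key is unencrypted because the
# daemon loads it at start-up without a passphrase (see the execstart.conf
# section); protect it with file permissions instead (chmod below).
openssl genrsa -out server-key.pem 4096
openssl req -subj "/CN=$HOSTNAME" -sha256 -new -key server-key.pem -out server.csr
# The first write truncates (>) so re-running the snippet does not append
# duplicate subjectAltName lines to the extension file.
echo "subjectAltName = DNS:$HOSTNAME,IP:10.0.0.200,IP:127.0.0.1" > extfile.cnf
echo "extendedKeyUsage = serverAuth" >> extfile.cnf
openssl x509 -req -days "$DAYS" -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out server-cert.pem -extfile extfile.cnf -passin env:PASS
#client:
openssl genrsa -out key.pem 4096
openssl req -subj '/CN=client' -new -key key.pem -out client.csr
echo "extendedKeyUsage = clientAuth" > extfile-client.cnf
openssl x509 -req -days "$DAYS" -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out cert.pem -extfile extfile-client.cnf -passin env:PASS
# Private keys readable only by their owner; certificates may be public.
# (Make the key files writable again before regenerating them.)
chmod 0400 ca-key.pem server-key.pem key.pem
chmod 0444 ca.pem server-cert.pem cert.pem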
/etc/systemd/system/docker.service.d/execstart.conf
[Service]
# An empty ExecStart= resets the command list inherited from the main unit
# file, so the line below replaces dockerd's default invocation instead of
# adding a second one.
ExecStart=
# Plain-TCP API without TLS: anyone who can reach the port gets root-equivalent
# control of the host.  Kept commented out on purpose - do not re-enable on a
# reachable interface.
#ExecStart=/usr/bin/dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:4243
# --tlsverify requires client certificates signed by ca.pem (generated in the
# openssl section).  It still listens on every interface (0.0.0.0:2376), so
# firewalling the port to the intended clients is advisable.
ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/etc/docker/ssl/ca.pem --tlscert=/etc/docker/ssl/server-cert.pem --tlskey=/etc/docker/ssl/server-key.pem -H fd:// -H tcp://0.0.0.0:2376
netcat
echo "test" | nc wiegert.link 12345 # client
nc -l 12345 -k # listener server, k = continuous
systemd
# --full edits a copy of the whole unit file; without it only a drop-in
# override snippet is created.
systemctl edit --full lvm2-lvmetad.service # edit service
systemctl edit lvm2-lvmetad.service # edit service override
# Needed after editing unit files by hand (systemctl edit does it itself).
systemctl daemon-reload # Reload systemd manager configuration
rsync
# -a = -rlptgoD (recursive, symlinks, perms, times, group, owner, devices),
# -v verbose.  -r is therefore already implied by -a.
rsync -rav
# -H preserve hard links, -A ACLs, -X extended attributes (both sides need
# filesystem support for ACLs/xattrs).
rsync -ravHAX
# --one-file-system: do not descend into other mount points.
rsync -avHAX --one-file-system
ZFS
Other stuff
Fixperm on files (664) and folders (775):
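# Directories 775, files 664, everything owned root:share, starting from the
# current directory - run it from the share root.  `{} +` passes many paths
# per chown/chmod invocation instead of forking once per entry.  Coupling
# changes with `+`: with `\;` a failed chown skipped the chmod for that entry,
# with `+` the chmod runs regardless of the chown result.
find . -type d -exec chown root:share {} + -exec chmod 775 {} +
find . -type f -exec chown root:share {} + -exec chmod 664 {} +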
docker + kvm + networking = :( https://serverfault.com/questions/963759/docker-breaks-libvirt-bridge-network
pfsense port forwarding while not being default gw: https://docs.netgate.com/pfsense/en/latest/troubleshooting/nat.html#figure-manual-outbound-nat-local-device
smtprelay via gmail with postfix mailutils, s-nail https://www.howtoforge.com/tutorial/configure-postfix-to-use-gmail-as-a-mail-relay/
Nut sending mails -> https://freekode.org/nut-sending-emails/
Secure rsync over SSH without shell access - https://lxadm.com/Secure_rsync_over_SSH_without_shell_access
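# Public IPv4/IPv6 address as reported by ifconfig.co.  -f fails (empty
# result) on an HTTP error instead of storing the error page, -S still
# prints errors while -s hides the progress meter; -X GET was redundant
# (GET is curl's default).  The value comes from a third-party service, so
# validate it before using it in firewall rules or DNS updates.
ipv4=$(curl -fsS -4 https://ifconfig.co)
ipv6=$(curl -fsS -6 https://ifconfig.co)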
Fail2ban
https://wiki.archlinux.org/index.php/Fail2ban
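# Refresh the package database and install fail2ban.  On Arch, -Sy followed
# by -S installs against a refreshed database without upgrading the rest of
# the system (a partial upgrade); `pacman -Syu fail2ban` avoids that.
sudo pacman -Sy
sudo pacman --noconfirm -S fail2ban
# Append the jail override.  The append must happen under sudo: with
# `sudo cat << EOF >> /etc/...` the calling shell, not sudo, opens the file
# and fails with "Permission denied" for a non-root user.  The quoted
# delimiter writes the heredoc literally (no expansion).
sudo tee -a /etc/fail2ban/jail.local >/dev/null << 'EOF'
[DEFAULT]
bantime = 5d
[sshd]
enabled = true
mode = aggressive
EOF
# enable --now: enable at boot and start immediately.
sudo systemctl enable --now fail2ban.service
# Fail2ban status
fail2ban-client status sshd
# Unban ip:
fail2ban-client set sshd unbanip 1.2.3.4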
UDEV fun!
KERNEL=="ttyACM*", SUBSYSTEM=="tty", ENV{ID_USB_INTERFACE_NUM}=="00", ENV{ID_VENDOR_ID}=="0451", SYMLINK+="TIherdsman"
KERNEL=="ttyACM*", SUBSYSTEM=="tty", ENV{ID_USB_INTERFACE_NUM}=="03", ENV{ID_VENDOR_ID}=="0451", SYMLINK+="TImcu"
SUBSYSTEMS=="usb", ATTRS{idVendor}=="047c", ATTRS{idProduct}=="ffff", SYMLINK+="DellUPS0", MODE="0666"
KERNEL=="ttyUSB*", SUBSYSTEM=="tty", ENV{ID_USB_INTERFACE_NUM}=="00", ENV{ID_VENDOR_ID}=="1a86", SYMLINK+="GSM-SIM800", MODE="0666"
# Reload and re-trigger udev rules without reboot
# `trigger` replays device events so the reloaded rules also apply to
# devices that are already present.
udevadm control --reload-rules && udevadm trigger
Wireshark
# Remote capture piped into a local Wireshark: tcpdump writes pcap to stdout
# (-w -) with full packets (-s0); wireshark reads stdin (-i -) and starts the
# capture at once (-k).  tcpdump needs capture privileges on the remote host.
ssh user@remote "tcpdump -s0 -w - 'port 1234'" | wireshark -k -i -
# Filter macaddress beginning with:
# BPF capture-filter syntax (tcpdump / Wireshark capture filter): the first
# three bytes of the destination MAC (offset 0) or source MAC (offset 6)
# equal 00:0c:22.
(ether [0:4] & 0xffffff00 = 0x000c2200) or (ether [6:4] & 0xffffff00 = 0x000c2200)
# First / Last
# Wireshark display-filter syntax (not valid as a capture filter): byte
# slices of either MAC address.
eth.addr[0:3] == bc:05:43
eth.addr[4:2] == 28:06
Server Queen Specific changes
- https://forums.servethehome.com/index.php?threads/flash-crossflash-dell-h330-raid-card-to-hba330-12gbps-hba-it-firmware.25498/#post-236242
- DISABLE WATCHDOG! Otherwise the watchdog reboots the server while a reboot is still busy with filesystem tasks — BAD!
- Added "TimeoutSec=900" in [Service]-Section /etc/systemd/system/lvm2-lvmetad.service , otherwise shutdown takes too long time and lvmetad gets killed instead of clean shutdown, Results in failed lv which needs lvchange -ay [lvm] or worse - lvconvert --repair.
- (superseded) Docker /etc/docker/daemon.json added "iptables": false. Update: use /etc/sysctl.d/30-ipforward.conf and /etc/udev/rules.d/99-bridge.rules instead; Docker kills kvm bridges without it.
- sysctl rules:
#/etc/sysctl.d/40-ipv6.conf:
# Disable IPv6
# One line per interface: nic0 ... nicN stand for the real interface names,
# and the "..." is not a literal setting.
# NOTE(review): net.ipv6.conf.default.disable_ipv6 = 1 is the usual knob for
# interfaces created after boot - confirm whether it is needed here.
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.nic0.disable_ipv6 = 1
...
net.ipv6.conf.nicN.disable_ipv6 = 1
- Note on sysctl reload : https://serverfault.com/questions/963759/docker-breaks-libvirt-bridge-network
- sysctl and udev rules (each file starts with a comment naming its path):
# Several configuration files pasted into one listing; each starts with a
# comment naming its path.
# /etc/sysctl.d/30-ipforward.conf
# Forwarding is required for the kvm bridges and Docker; it also makes the
# host route packets between its interfaces, so pair it with firewall rules.
net.ipv4.ip_forward=1
net.ipv6.conf.default.forwarding=1
net.ipv6.conf.all.forwarding=1
# /etc/udev/rules.d/60-md-stripe-cache.rules
# Change stripe cache size to maximum, we got the ram! memory_consumed = system_page_size * nr_disks * stripe_cache_size
# https://www.cyberciti.biz/tips/linux-raid-increase-resync-rebuild-speed.html
SUBSYSTEM=="block", KERNEL=="md*", ACTION=="change", TEST=="md/stripe_cache_size", ATTR{md/stripe_cache_size}="32768"
## TODO ? sudo blockdev --setra ?? -> https://unix.stackexchange.com/questions/71364/persistent-blockdev-setra-read-ahead-setting
# /etc/udev/rules.d/89-usb.rules
#ups and TI zigbee module fix:
KERNEL=="ttyACM*", SUBSYSTEM=="tty", ENV{ID_USB_INTERFACE_NUM}=="00", ENV{ID_VENDOR_ID}=="0451", SYMLINK+="TIherdsman"
KERNEL=="ttyACM*", SUBSYSTEM=="tty", ENV{ID_USB_INTERFACE_NUM}=="03", ENV{ID_VENDOR_ID}=="0451", SYMLINK+="TImcu"
# MODE="0666" lets any local user read/write the UPS node; GROUP="<group>",
# MODE="0660" with the monitoring service in that group is the least-privilege form.
SUBSYSTEMS=="usb", ATTRS{idVendor}=="047c", ATTRS{idProduct}=="ffff", SYMLINK+="DellUPS0", MODE="0666"
# /etc/udev/rules.d/99-bridge.rules
# reload sysctl if br_netfilter is loaded, weird stuff happens otherwise.
ACTION=="add", SUBSYSTEM=="module", KERNEL=="br_netfilter", RUN+="/sbin/sysctl --system"
# /usr/lib/udev/rules.d/11-dm-lvm.rules
# NOTE(review): files under /usr/lib/udev/rules.d are replaced on package
# upgrade, so this local edit will be lost; a file with the same name in
# /etc/udev/rules.d overrides it and survives upgrades.
# Create symlinks for top-level devices only.
## EDIT BY DAMME 2020-07-22 to populate partitions for libvirt
ENV{DM_VG_NAME}=="?*", ENV{DM_LV_NAME}=="?*", SYMLINK+="$env{DM_VG_NAME}/$env{DM_LV_NAME}"
ENV{DM_VG_NAME}=="?*", ENV{DM_LV_NAME}=="?*", RUN+="/sbin/kpartx -un /dev/%E{DM_VG_NAME}/%E{DM_LV_NAME}", GOTO="lvm_end"
New server thoughts
- https://www.youtube.com/watch?v=MucGkPUMjNo Building a Power Efficient Home Server!