stafwag Blog

staf wagemakers blog

Lookat 1.4.4rc1 Released

It is a national holiday in Belgium so I have some time to code again.

Lookat 1.4.4rc1 is the first release candidate of Lookat 1.4.4.

ChangeLog

  • OpenBSD support
  • English translation issues corrected
  • autoconf updated to 2.69
  • Corrected mirror compile warnings

Lookat 1.4.4rc1 is available at:

http://www.wagemakers.be/english/programs/lookat, or download the latest development release (1.4.4rc1) directly.

Or at the Git repository at GNU Savannah: http://git.savannah.gnu.org/cgit/lookat.git/

OpenBSD

I forgot to mention it, but Lookat has landed in OpenBSD. Thanks to Brian Callahan for the port!

Have fun

Using Squid to Cache FreeBSD Packages

PKGNG config

I manage a few FreeBSD jails behind a squid proxy. pkgng is configured to use the proxy:

root@rataplan:/root # cat /etc/pkg/FreeBSD.conf 
# $FreeBSD: releng/10.1/etc/pkg/FreeBSD.conf 263938 2014-03-30 15:29:54Z bdrewery $
#
# To disable this repository, instead of modifying or removing this file,
# create a /usr/local/etc/pkg/repos/FreeBSD.conf file:
#
#   mkdir -p /usr/local/etc/pkg/repos
#   echo "FreeBSD: { enabled: no }" > /usr/local/etc/pkg/repos/FreeBSD.conf
#

pkg_env: {

        http_proxy: "http://xxx.xxx.xxx.xxx:3128"

}

FreeBSD: {
  url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
  mirror_type: "srv",
  signature_type: "fingerprints",
  fingerprints: "/usr/share/keys/pkg",
  enabled: yes
}
root@rataplan:/root # 

SQUID config

Recompile

The squid proxy doesn’t cache the FreeBSD packages. The squid pkgng package is compiled with the “LAX_HTTP Do not enforce strict HTTP compliance” option disabled, which doesn’t allow you to override the cache headers sent by the remote site.

In order to cache the FreeBSD packages we need to recompile squid with “LAX_HTTP” enabled.

Updating the ports

Physical system

If you use a physical FreeBSD system as your proxy, run the “portsnap fetch” command.

[root@rataplan ~]# portsnap fetch
Looking up portsnap.FreeBSD.org mirrors... 7 mirrors found.
Fetching snapshot tag from ec2-eu-west-1.portsnap.freebsd.org... done.
Fetching snapshot metadata... done.
Updating from Mon Jun 22 14:30:21 CEST 2015 to Tue Jun 23 08:39:41 CEST 2015.
Fetching 4 metadata patches... done.
Applying metadata patches... done.
Fetching 0 metadata files... done.
Fetching 417 patches. 
(417/417) 100.00%  done.                                       
done.
Applying patches... 
done.
Fetching 3 new ports or files... done.
[root@rataplan ~]# 

[root@rataplan ~]# portsnap extract
/usr/ports/.arcconfig
/usr/ports/.gitignore
/usr/ports/CHANGES
/usr/ports/CONTRIBUTING.md
/usr/ports/COPYRIGHT
/usr/ports/GIDs

<snip>

/usr/ports/x11/zenity/
Building new INDEX files... done.
[root@rataplan ~]# 

Jail

If you use an ezjail as your proxy, run the “ezjail-admin update -P” command.

Build

Stop SQUID

root@stafproxy:/usr/ports/www/squid # /usr/local/etc/rc.d/squid stop
squid not running? (check /var/run/squid/squid.pid).
root@stafproxy:/usr/ports/www/squid # 

Make config

root@stafproxy:/usr/ports/www/squid # cd
root@stafproxy:/root # cd /usr/ports/www/squid
root@stafproxy:/usr/ports/www/squid # make config

       ┌─────────────────────────────── squid-3.5.5 ──────────────────────────────────┐
       │ ┌──────────────────────────────────────────────────────────────────────────┐ │  
       │ │ [ ] ARP_ACL         ARP/MAC/EUI based authentification                   │ │  
       │ │ [ ] AUTH_LDAP       Install LDAP authentication helpers                  │ │  
       │ │ [x] AUTH_NIS        Install NIS/YP authentication helpers                │ │  
       │ │ [ ] AUTH_SASL       Install SASL authentication helpers                  │ │  
       │ │ [ ] AUTH_SMB        Install SMB auth. helpers (req. Samba)               │ │  
       │ │ [ ] AUTH_SQL        Install SQL based auth (uses MySQL)                  │ │  
       │ │ [ ] CACHE_DIGESTS   Use cache digests                                    │ │  
       │ │ [ ] DEBUG           Build with extended debugging support                │ │  
       │ │ [ ] DELAY_POOLS     Delay pools (bandwidth limiting)                     │ │  
       │ │ [x] DOCS            Build and/or install documentation                   │ │  
       │ │ [ ] ECAP            Loadable content adaptation modules                  │ │  
       │ │ [ ] ESI             ESI support                                          │ │  
       │ │ [x] EXAMPLES        Build and/or install examples                        │ │  
       │ │ [ ] FOLLOW_XFF      Support for the X-Following-For header               │ │  
       │ │ [x] FS_AUFS         AUFS (threaded-io) support                           │ │  
       │ │ [x] FS_DISKD        DISKD storage engine controlled by separate service  │ │  
       │ │ [ ] FS_ROCK         ROCK storage engine                                  │ │  
       │ │ [x] HTCP            HTCP support                                         │ │  
       │ │ [ ] ICAP            the ICAP client                                      │ │  
       │ │ [ ] ICMP            ICMP pinging and network measurement                 │ │  
       │ │ [x] IDENT           Ident lookups (RFC 931)                              │ │  
       │ │ [x] IPV6            IPv6 protocol support                                │ │  
       │ │ [x] KQUEUE          Kqueue(2) support                                    │ │  
       │ │ [ ] LARGEFILE       Support large (>2GB) cache and log files             │ │  
       │ │ [x] LAX_HTTP        Do not enforce strict HTTP compliance                │ │  
       │ │ [ ] NETTLE          Nettle MD5 algorithm support                         │ │  
       │ │ [x] SNMP            SNMP support                                         │ │  
       │ │ [ ] SSL             SSL gatewaying support                               │ │  
       │ │ [ ] SSL_CRTD        Use ssl_crtd to handle SSL cert requests             │ │  
       │ │ [ ] STACKTRACES     Enable automatic backtraces on fatal errors          │ │  
       │ │ [ ] TP_IPF          Transparent proxying with IPFilter                   │ │  
       │ │ [ ] TP_IPFW         Transparent proxying with IPFW                       │ │  
       │ │ [ ] TP_PF           Transparent proxying with PF                         │ │  
       │ │ [ ] VIA_DB          Forward/Via database                                 │ │  
       │ └─────v(+)─────────────────────────────────────────────────────────82%─────┘ │  
       ├──────────────────────────────────────────────────────────────────────────────┤  
       │                       <  OK  >            <Cancel>                           │  
       └──────────────────────────────────────────────────────────────────────────────┘  
                                                                                         
Make install

root@stafproxy:/usr/ports/www/squid # make
===>  License GPLv2 accepted by the user
===>  Found saved configuration for squid-3.5.5
===>   squid-3.5.5 depends on file: /usr/local/sbin/pkg - found
===> Fetching all distfiles required by squid-3.5.5 for building
===>  Extracting for squid-3.5.5
=> SHA256 Checksum OK for squid3.5/squid-3.5.5.tar.xz.

<snip>

Making install in test-suite
install  -m 0644 /var/ports/basejail/usr/ports/www/squid/work/squid-3.5.5/helpers/basic_auth/DB/passwd.sql  /var/ports/basejail/usr/ports/www/squid/work/stage/usr/local/share/examples/squid
(cd /var/ports/basejail/usr/ports/www/squid/work/squid-3.5.5 && install  -m 0644 QUICKSTART README RELEASENOTES.html doc/debug-sections.txt /var/ports/basejail/usr/ports/www/squid/work/stage/usr/local/share/doc/squid)
/bin/mkdir -p /var/ports/basejail/usr/ports/www/squid/work/stage/var/squid/logs
/bin/rmdir /var/ports/basejail/usr/ports/www/squid/work/stage/var/run/squid
====> Compressing man pages (compress-man)
===> Staging rc.d startup script(s)

root@stafproxy:/usr/ports/www/squid # make install clean
===>  Installing for squid-3.5.5
===>   squid-3.5.5 depends on file: /usr/local/bin/perl5.20.2 - found
===>  Checking if squid already installed
===>   Registering installation for squid-3.5.5

<snip>

===> SECURITY REPORT: 
      This port has installed the following files which may act as network
      servers and may therefore pose a remote security risk to the system.
/usr/local/libexec/squid/basic_radius_auth
/usr/local/sbin/squid

      This port has installed the following startup scripts which may cause
      these network services to be started at boot time.
/usr/local/etc/rc.d/squid

      If there are vulnerabilities in these programs there may be a security
      risk to the system. FreeBSD makes no guarantee about the security of
      ports included in the Ports Collection. Please type 'make deinstall'
      to deinstall the port if this is a concern.

      For more information, and contact details about the security
      status of this software, see the following webpage: 
http://www.squid-cache.org/

pkg lock

Lock the squid package to prevent it from being upgraded from the pkgng tree.

root@stafproxy:/usr/ports/www/squid # pkg lock squid
squid-3.5.5: lock this package? [y/N]: y
Locking squid-3.5.5
root@stafproxy:/usr/ports/www/squid #

View the locked pkgng packages

root@stafproxy:/usr/ports/www/squid # pkg lock -l
Currently locked packages:
squid-3.5.5
root@stafproxy:/usr/ports/www/squid # 

SQUID config

Update squid.conf

Edit the squid config:

root@stafproxy:/usr/ports/www/squid # cd /usr/local/etc/squid/
root@stafproxy:/usr/local/etc/squid # vi squid.conf

Add a “refresh_pattern” for “pkgmir.pkg.freebsd.org”:

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^http://pkgmir.pkg.freebsd.org/.*\.txz          1440    100%    10080 ignore-private ignore-must-revalidate override-expire ignore-no-cache
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

Start squid

root@stafproxy:/usr/local/etc/squid # ../rc.d/squid start
Starting squid.
root@stafproxy:/usr/local/etc/squid # 

rc.conf

Make sure that the system is configured to start squid during the system startup.

root@stafproxy:/usr/local/etc/squid # cat /etc/rc.conf 
#
# squid
#

squid_enable="YES"

root@stafproxy:/usr/local/etc/squid # 

SQUID should cache the pkgng downloads now.
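
As an added illustration (not part of the original post), the following Python example replays squid's first-match selection over the refresh_pattern lines above. It shows that the “.txz” rule also pins repository catalogue files, so the jails can be served a stale package list for the forced minimum age, and it compares that with a narrower rule. The sample URLs, the All/ directory layout, the catalogue file names and the narrower pattern are assumptions; Python's re module stands in for squid's regex matching.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# refresh_pattern lines copied from the squid.conf in the post.
PAGE_RULES = r"""
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^http://pkgmir.pkg.freebsd.org/.*\.txz          1440    100%    10080 ignore-private ignore-must-revalidate override-expire ignore-no-cache
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
"""

# Assumption (not from the post): a narrower rule that only matches package
# archives below an All/ directory, with the dots in the host name escaped.
NARROW_RULE = (
    r"refresh_pattern ^http://pkgmir\.pkg\.freebsd\.org/.*/All/[^/?]+\.txz$ "
    "1440 100% 10080 ignore-private ignore-must-revalidate "
    "override-expire ignore-no-cache"
)

# Constructed sample URLs; the repository layout is an assumption.
BASE = "http://pkgmir.pkg.freebsd.org/FreeBSD:10:amd64/latest"
SAMPLE_URLS = [
    BASE + "/All/squid-3.5.5.txz",   # package archive
    BASE + "/packagesite.txz",       # repository catalogue
    BASE + "/meta.txz",              # repository metadata
    # Different host name that the unescaped dots in the post's regex accept.
    "http://pkgmirxpkg.freebsd.org/FreeBSD:10:amd64/latest/All/squid-3.5.5.txz",
]


class Rule(NamedTuple):
    source: str
    regex: re.Pattern
    min_minutes: int
    percent: int
    max_minutes: int
    options: Tuple[str, ...]


def parse_rule(line: str) -> Rule:
    """Parse one 'refresh_pattern [-i] regex min percent% max [options]' line."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "refresh_pattern":
        raise ValueError(f"not a refresh_pattern line: {line!r}")
    fields = fields[1:]
    flags = 0
    if fields[0] == "-i":                      # case-insensitive regex
        flags, fields = re.IGNORECASE, fields[1:]
    if len(fields) < 4 or not fields[2].endswith("%"):
        raise ValueError(f"malformed refresh_pattern line: {line!r}")
    source, min_s, pct, max_s, *opts = fields
    return Rule(source, re.compile(source, flags),
                int(min_s), int(pct[:-1]), int(max_s), tuple(opts))


def parse_rules(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def first_match(rules: List[Rule], url: str) -> Optional[Rule]:
    """The first rule whose regex matches anywhere in the URL is used."""
    for rule in rules:
        if rule.regex.search(url):
            return rule
    return None


def forced_min_age(rules: List[Rule], url: str) -> int:
    """Minutes the matching rule keeps the URL fresh even when the origin
    sent an explicit expiry (0 when override-expire is not set)."""
    rule = first_match(rules, url)
    if rule is None or "override-expire" not in rule.options:
        return 0
    return rule.min_minutes


def narrowed_rules() -> List[Rule]:
    """The post's rule set with the package rule swapped for NARROW_RULE."""
    rules = parse_rules(PAGE_RULES)
    rules[1] = parse_rule(NARROW_RULE)
    return rules


if __name__ == "__main__":
    page, narrow = parse_rules(PAGE_RULES), narrowed_rules()
    print(f"{'forced min age (post)':>22} {'(narrowed)':>11}  url")
    for url in SAMPLE_URLS:
        print(f"{forced_min_age(page, url):>22} "
              f"{forced_min_age(narrow, url):>11}  {url}")
```

Package integrity does not depend on the cache either way: pkg still verifies the repository against the fingerprints configured in FreeBSD.conf (signature_type: "fingerprints").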

Have fun

Using YubiKey Neo as Gpg Smartcard for SSH Authentication

I purchased a YubiKey NEO. I’ll use it to hold my LUKS password and for SSH authentication, instead of the password authentication that I still use.

Below you’ll find my journey to get the smartcard interface working with SSH on a Fedora 22 system.

Install the yubiclient and smartcard software

Install the ykclient

ykclient.x86_64 : Yubikey management library and client
[root@vicky ~]# dnf install ykclient
Last metadata expiration check performed 1:00:07 ago on Sun Jun 14 09:14:34 2015.
Dependencies resolved.
====================================================================================================================
 Package                    Arch                     Version                         Repository                Size
====================================================================================================================
Installing:
 ykclient                   x86_64                   2.13-1.fc22                     fedora                    35 k

Transaction Summary
====================================================================================================================
Install  1 Package

Total download size: 35 k
Installed size: 58 k
Is this ok [y/N]: y
Downloading Packages:
ykclient-2.13-1.fc22.x86_64.rpm                                                      48 kB/s |  35 kB     00:00    
--------------------------------------------------------------------------------------------------------------------
Total                                                                                11 kB/s |  35 kB     00:03     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Installing  : ykclient-2.13-1.fc22.x86_64                                                                     1/1 
  Verifying   : ykclient-2.13-1.fc22.x86_64                                                                     1/1 

Installed:
  ykclient.x86_64 2.13-1.fc22                                                                                       

Complete!
[root@vicky ~]# 

[root@vicky ~]# ykinfo
bash: ykinfo: command not found...
Install package 'ykpers' to provide command 'ykinfo'? [N/y] ^C

[root@vicky ~]# dnf install ykpers
Last metadata expiration check performed 1:01:23 ago on Sun Jun 14 09:14:34 2015.
Dependencies resolved.
====================================================================================================================
 Package                     Arch                    Version                          Repository               Size
====================================================================================================================
Installing:
 libyubikey                  x86_64                  1.11-3.fc22                      fedora                   33 k
 ykpers                      x86_64                  1.17.1-1.fc22                    fedora                  101 k

Transaction Summary
====================================================================================================================
Install  2 Packages

Total download size: 135 k
Installed size: 372 k
Is this ok [y/N]: y
Downloading Packages:
(1/2): libyubikey-1.11-3.fc22.x86_64.rpm                                             13 kB/s |  33 kB     00:02    
(2/2): ykpers-1.17.1-1.fc22.x86_64.rpm                                               38 kB/s | 101 kB     00:02    
--------------------------------------------------------------------------------------------------------------------
Total                                                                                22 kB/s | 135 kB     00:06     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Installing  : libyubikey-1.11-3.fc22.x86_64                                                                   1/2 
  Installing  : ykpers-1.17.1-1.fc22.x86_64                                                                     2/2 
  Verifying   : ykpers-1.17.1-1.fc22.x86_64                                                                     1/2 
  Verifying   : libyubikey-1.11-3.fc22.x86_64                                                                   2/2 

Installed:
  libyubikey.x86_64 1.11-3.fc22                             ykpers.x86_64 1.17.1-1.fc22                            

Complete!

Verify that you have access to the YubiKey

“ykinfo -v” shows you the version on the yubikey.

[root@vicky ~]# ykinfo -v
version: 3.4.0
[root@vicky ~]# 

If you try this as the user that you’ll use for the YubiKey authentication, you might get a permission denied error:

[staf@vicky ~]$ ykinfo -v
USB error: Access denied (insufficient permissions)
[staf@vicky ~]$ 

Update the udev permissions

Update rule file

On a Fedora 22 system the udev rules for the YubiKey are defined in “/usr/lib/udev/rules.d/69-yubikey.rules”.

It is good practice to grant access only to the user that will use the YubiKey.

[root@vicky ~]# cd /usr/lib/udev/rules.d/
[root@vicky rules.d]# vi 69-yubikey.rules 

ACTION!="add|change", GOTO="yubico_end"

# Udev rules for letting the console user access the Yubikey USB
# device node, needed for challenge/response to work correctly.

# Yubico Yubikey II
ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0401|0403|0405|0407|0410", OWNER="staf", MODE="0600"

LABEL="yubico_end"

Update udev rules

# udevadm control --reload
# udevadm trigger

Test it again

[staf@vicky ~]$ ykinfo -v
version: 3.4.0
[staf@vicky ~]$ 

Enable the smartcard interface

[staf@vicky yubi]$ ykpersonalize -m82
Firmware version 3.4.0 Touch level 1551 Program sequence 3

The USB mode will be set to: 0x82

Commit? (y/n) [n]: y
[staf@vicky yubi]$ 

Remove the YubiKey from your system and plug it back in to activate the new interface.

Install the required smartcard software

[root@vicky ~]# dnf install pcsc-tools   
Last metadata expiration check performed 0:33:58 ago on Sun Jun 14 09:14:34 2015.
Dependencies resolved.                                       
====================================================================================================================
 Package                         Arch                  Version                          Repository             Size
====================================================================================================================
Installing:                                                 
 pcsc-lite                       x86_64                1.8.13-1.fc22                    fedora                101 k
 pcsc-lite-asekey                x86_64                3.7-1.fc22                       fedora                 34 k
 pcsc-perl                       x86_64                1.4.12-11.fc22                   fedora                 61 k
 pcsc-tools                      x86_64                1.4.23-1.fc22                    fedora                116 k
 perl-Cairo                      x86_64                1.105-1.fc22                     fedora                126 k
 perl-Glib                       x86_64                1.310-1.fc22                     fedora                362 k
 perl-Gtk2                       x86_64                1.2495-1.fc22                    fedora                1.8 M
 perl-HTML-Tree                  noarch                1:5.03-8.fc22                    fedora                223 k
 perl-Pango                      x86_64                1.226-3.fc22                     fedora                220 k
                                                           
Transaction Summary                                        
====================================================================================================================
Install  9 Packages                                        
                                                            
Total download size: 3.0 M                                  
Installed size: 8.4 M                                       
Is this ok [y/N]: y                                          
Downloading Packages:                                        
(1/9): pcsc-tools-1.4.23-1.fc22.x86_64.rpm                                           38 kB/s | 116 kB     00:03    
(2/9): pcsc-perl-1.4.12-11.fc22.x86_64.rpm                                           20 kB/s |  61 kB     00:03    
(3/9): pcsc-lite-1.8.13-1.fc22.x86_64.rpm                                            23 kB/s | 101 kB     00:04    
(4/9): perl-Glib-1.310-1.fc22.x86_64.rpm                                            159 kB/s | 362 kB     00:02    
(5/9): perl-Cairo-1.105-1.fc22.x86_64.rpm                                            56 kB/s | 126 kB     00:02    
(6/9): perl-HTML-Tree-5.03-8.fc22.noarch.rpm                                         99 kB/s | 223 kB     00:02    
(7/9): perl-Gtk2-1.2495-1.fc22.x86_64.rpm                                           342 kB/s | 1.8 MB     00:05    
(8/9): perl-Pango-1.226-3.fc22.x86_64.rpm                                            89 kB/s | 220 kB     00:02    
(9/9): pcsc-lite-asekey-3.7-1.fc22.x86_64.rpm                                        21 kB/s |  34 kB     00:01    
--------------------------------------------------------------------------------------------------------------------
Total                                                                               257 kB/s | 3.0 MB     00:11     
Running transaction check                                   
Transaction check succeeded.                                
Running transaction test                                     
Transaction test succeeded.                                   
Running transaction                                             
  Installing  : perl-Glib-1.310-1.fc22.x86_64                                                                   1/9 
  Installing  : pcsc-lite-asekey-3.7-1.fc22.x86_64                                                              2/9 
  Installing  : pcsc-lite-1.8.13-1.fc22.x86_64                                                                  3/9 
  Installing  : perl-Cairo-1.105-1.fc22.x86_64                                                                  4/9 
  Installing  : perl-Pango-1.226-3.fc22.x86_64                                                                  5/9 
  Installing  : perl-HTML-Tree-1:5.03-8.fc22.noarch                                                             6/9 
  Installing  : perl-Gtk2-1.2495-1.fc22.x86_64                                                                  7/9 
  Installing  : pcsc-perl-1.4.12-11.fc22.x86_64                                                                 8/9 
  Installing  : pcsc-tools-1.4.23-1.fc22.x86_64                                                                 9/9 
  Verifying   : pcsc-tools-1.4.23-1.fc22.x86_64                                                                 1/9 
  Verifying   : pcsc-lite-1.8.13-1.fc22.x86_64                                                                  2/9 
  Verifying   : pcsc-perl-1.4.12-11.fc22.x86_64                                                                 3/9 
  Verifying   : perl-Glib-1.310-1.fc22.x86_64                                                                   4/9 
  Verifying   : perl-Gtk2-1.2495-1.fc22.x86_64                                                                  5/9 
  Verifying   : perl-Cairo-1.105-1.fc22.x86_64                                                                  6/9 
  Verifying   : perl-HTML-Tree-1:5.03-8.fc22.noarch                                                             7/9 
  Verifying   : perl-Pango-1.226-3.fc22.x86_64                                                                  8/9 
  Verifying   : pcsc-lite-asekey-3.7-1.fc22.x86_64                                                              9/9 

Installed:
  pcsc-lite.x86_64 1.8.13-1.fc22       pcsc-lite-asekey.x86_64 3.7-1.fc22       pcsc-perl.x86_64 1.4.12-11.fc22     
  pcsc-tools.x86_64 1.4.23-1.fc22      perl-Cairo.x86_64 1.105-1.fc22           perl-Glib.x86_64 1.310-1.fc22       
  perl-Gtk2.x86_64 1.2495-1.fc22       perl-HTML-Tree.noarch 1:5.03-8.fc22      perl-Pango.x86_64 1.226-3.fc22      

Complete!
[root@vicky ~]# 

[root@vicky ~]# dnf install opensc
Last metadata expiration check performed 0:37:38 ago on Sun Jun 14 09:14:34 2015.
Dependencies resolved.
====================================================================================================================
 Package                  Arch                     Version                           Repository                Size
====================================================================================================================
Installing:
 opensc                   x86_64                   0.14.0-2.fc22                     fedora                   976 k

Transaction Summary
====================================================================================================================
Install  1 Package

Total download size: 976 k
Installed size: 2.8 M
Is this ok [y/N]: y
Downloading Packages:
opensc-0.14.0-2.fc22.x86_64.rpm                                                     277 kB/s | 976 kB     00:03    
--------------------------------------------------------------------------------------------------------------------
Total                                                                               203 kB/s | 976 kB     00:04     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Installing  : opensc-0.14.0-2.fc22.x86_64                                                                     1/1 
  Verifying   : opensc-0.14.0-2.fc22.x86_64                                                                     1/1 

Installed:
  opensc.x86_64 0.14.0-2.fc22                                                                                       

Complete!
[root@vicky ~]# dnf search opensc

[root@vicky ~]# dnf search ccid
Last metadata expiration check performed 0:39:03 ago on Sun Jun 14 09:14:34 2015.
================================================ N/S Matched: ccid =================================================
pcsc-lite-ccid.x86_64 : Generic USB CCID smart card reader driver
libykneomgr.i686 : YubiKey NEO CCID Manager C Library
libykneomgr.x86_64 : YubiKey NEO CCID Manager C Library
[root@vicky ~]# dnf install pcsc-lite-ccid
Last metadata expiration check performed 0:39:34 ago on Sun Jun 14 09:14:34 2015.
Dependencies resolved.
====================================================================================================================
 Package                        Arch                   Version                         Repository              Size
====================================================================================================================
Installing:
 pcsc-lite-ccid                 x86_64                 1.4.18-1.fc22                   fedora                 177 k

Transaction Summary
====================================================================================================================
Install  1 Package

Total download size: 177 k
Installed size: 599 k
Is this ok [y/N]: y
Downloading Packages:
pcsc-lite-ccid-1.4.18-1.fc22.x86_64.rpm                                              47 kB/s | 177 kB     00:03    
--------------------------------------------------------------------------------------------------------------------
Total                                                                                27 kB/s | 177 kB     00:06     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Installing  : pcsc-lite-ccid-1.4.18-1.fc22.x86_64                                                             1/1 
  Verifying   : pcsc-lite-ccid-1.4.18-1.fc22.x86_64                                                             1/1 

Installed:
  pcsc-lite-ccid.x86_64 1.4.18-1.fc22                                                                               

Complete!
[root@vicky ~]# 

Start the pcscd service

[root@vicky ~]# systemctl list-unit-files -t service | grep pcscd
pcscd.service                               static  
[root@vicky ~]# systemctl start pcscd
[root@vicky ~]# systemctl enable pcscd
[root@vicky ~]# 

Verify that you are able to see the yubi smartcard

Run pcsc_scan

Execute “pcsc_scan” to verify that you see the smartcard

[staf@vicky ~]$ pcsc_scan 
PC/SC device scanner
V 1.4.23 (c) 2001-2011, Ludovic Rousseau <ludovic.rousseau@free.fr>
Compiled with PC/SC lite version: 1.8.13
Using reader plug'n play mechanism
Scanning present readers...
0: Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface] (1-0000:00:06.7-1) 00 00
1: Yubico Yubikey NEO OTP+CCID 01 00

Mon Jun 15 11:36:44 2015
Reader 0: Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface] (1-0000:00:06.7-1) 00 00
  Card state: Card removed, 
Reader 1: Yubico Yubikey NEO OTP+CCID 01 00
  Card state: Card inserted, 
  ATR: 3B FC 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 4E 45 4F 72 33 E1

defined(@array) is deprecated at /usr/lib64/perl5/vendor_perl/Chipcard/PCSC.pm line 69.
        (Maybe you should just omit the defined()?)
ATR: 3B FC 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 4E 45 4F 72 33 E1
+ TS = 3B --> Direct Convention
+ T0 = FC, Y(1): 1111, K: 12 (historical bytes)
  TA(1) = 13 --> Fi=372, Di=4, 93 cycles/ETU
    43010 bits/s at 4 MHz, fMax for Fi = 5 MHz => 53763 bits/s
  TB(1) = 00 --> VPP is not electrically connected
  TC(1) = 00 --> Extra guard time: 0
  TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1 
-----
  TD(2) = 31 --> Y(i+1) = 0011, Protocol T = 1 
-----
  TA(3) = FE --> IFSC: 254
  TB(3) = 15 --> Block Waiting Integer: 1 - Character Waiting Integer: 5
+ Historical bytes: 59 75 62 69 6B 65 79 4E 45 4F 72 33
  Category indicator byte: 59 (proprietary format)
+ TCK = E1 (correct checksum)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B FC 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 4E 45 4F 72 33 E1
        YubiKey NEO (PKI)
        http://www.yubico.com/

Remote smartcard access

By default only console logins have access to the smartcard. If you want to grant access to remote logins (e.g. ssh), create a polkit rule for the user that will use the smartcard.

[root@vicky ~]# cd /usr/share/polkit-1/rules.d/                                    
[root@vicky rules.d]# vi 30_smartcard_access.rules 

// Allow user "staf" to connect to the pcscd daemon.
polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
        subject.user == "staf") {
            return polkit.Result.YES;
    }
});

// Allow user "staf" to access the card in one specific reader;
// replace 'name_of_reader' with the name of your reader.
polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_card" &&
        action.lookup("reader") == 'name_of_reader' &&
        subject.user == "staf") {
            return polkit.Result.YES;
    }
});

Reset smartcard PIN codes

The default user PIN code is “123456”; the default admin PIN code is “12345678”.

[staf@vicky ~]$ gpg --change-pin 
gpg: OpenPGP card no. D2760001240102000006035062250000 detected

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 

Change user PIN

Your selection? 1

Please enter the PIN
           
New PIN
               
New PIN
PIN changed.     

Change admin PIN

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 3
gpg: 3 Admin PIN attempts remaining before card is permanently locked

Please enter the Admin PIN
                 
New Admin PIN
                     
New Admin PIN
PIN changed.     

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 

Generate a new key pair

Execute “gpg --card-edit”

[staf@vicky ~]$ gpg --card-edit 

Application ID ...: D2760001240102000006035062250000
Version ..........: 2.0
Manufacturer .....: unknown
Serial number ....: 03506225
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 5
Signature key ....: 1E41 4C61 B1CE F02A F431  85BF 46B9 3657 54DF 802E
      created ....: 2015-06-15 11:47:23
Encryption key....: BB75 75F4 404A 2681 4331  4B46 34E7 EE51 4199 C702
      created ....: 2015-06-15 11:47:23
Authentication key: A7F8 A844 4762 C44D 20C7  A2AF E06D 602C 069D 7EFF
      created ....: 2015-06-15 11:47:23
General key info..: 
pub  2048R/54DF802E 2015-06-15 qwerty <qwert@qwert>
sec>  2048R/54DF802E  created: 2015-06-15  expires: never     
                      card-no: 0006 03506225
ssb>  2048R/069D7EFF  created: 2015-06-15  expires: never     
                      card-no: 0006 03506225
ssb>  2048R/4199C702  created: 2015-06-15  expires: never     
                      card-no: 0006 03506225

gpg/card> 

Enable admin commands

gpg/card> admin
Admin commands are allowed                                                      
                                                                                
gpg/card>                                                                        

Generate key

gpg/card> generate 
Make off-card backup of encryption key? (Y/n) n

gpg: NOTE: keys are already stored on the card!

Replace existing keys? (y/N) y

Please note that the factory settings of the PINs are
   PIN = `123456'     Admin PIN = `12345678'
You should change them using the command --change-pin


Please enter the PIN
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 
Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: staf wagemakers
Email address: staf@wagemakers.be
Comment: 
You selected this USER-ID:
    "staf wagemakers <staf@wagemakers.be>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
gpg: existing key will be replaced
gpg: 3 Admin PIN attempts remaining before card is permanently locked

Please enter the Admin PIN
gpg: please wait while key is being generated ...
gpg: key generation completed (5 seconds)
gpg: signatures created so far: 0
gpg: existing key will be replaced
gpg: please wait while key is being generated ...
gpg: key generation completed (35 seconds)
gpg: signatures created so far: 1
gpg: signatures created so far: 2
gpg: existing key will be replaced
gpg: please wait while key is being generated ...
gpg: key generation completed (9 seconds)
gpg: signatures created so far: 3
gpg: signatures created so far: 4
gpg: key C15CE3D7 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
pub   2048R/C15CE3D7 2015-06-15
      Key fingerprint = B702 663D 833B DC19 0EEF  663A 54FA 0B1E C15C E3D7
uid                  staf wagemakers <staf@wagemakers.be>
sub   2048R/D2AEBBA3 2015-06-15
sub   2048R/6C2C699A 2015-06-15


gpg/card> 

Extract the public key

Execute gpg --card-status

[staf@vicky ~]$ gpg --card-status
Application ID ...: D2760001240102000006035062250000
Version ..........: 2.0
Manufacturer .....: unknown
Serial number ....: 03506225
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 5
Signature key ....: AED7 C79B 574D 45CC 7C1B  CC35 BDDE E66F 0C2C CF82
      created ....: 2015-06-16 06:32:02
Encryption key....: 6650 AB0A 5F31 059F 3221  3F29 C9F3 2031 01B3 1F53
      created ....: 2015-06-16 06:32:02
Authentication key: A387 A45A 446E DC9C D78E  F173 7C19 5D7D A1D9 9813
      created ....: 2015-06-16 06:32:02
General key info..: pub  2048R/0C2CCF82 2015-06-16 staf wagemakers <staf@wagemakers.be>
sec>  2048R/0C2CCF82  created: 2015-06-16  expires: never     
                      card-no: 0006 03506225
ssb>  2048R/A1D99813  created: 2015-06-16  expires: never     
                      card-no: 0006 03506225
ssb>  2048R/01B31F53  created: 2015-06-16  expires: never     
                      card-no: 0006 03506225
[staf@vicky ~]$ 

Run gpgkey2ssh on the authentication key

[staf@vicky ~]$ gpgkey2ssh A1D99813
ssh-rsa qwertyqwertyqwerty COMMENT
[staf@vicky ~]$ 

Test ssh access

Configure the gpg agent

The gpg-agent can be used as an ssh-agent.

Enable ssh support in your gpg-agent.conf

Create your gpg-agent.conf file

[staf@vicky ~]$ vi .gnupg/gpg-agent.conf

pinentry-program  /usr/bin/pinentry
enable-ssh-support

Start the gpg-agent

[staf@vicky ~]$ gpg-agent --daemon --verbose
gpg-agent[1395]: listening on socket '/home/staf/.gnupg/S.gpg-agent'
gpg-agent[1395]: listening on socket '/home/staf/.gnupg/S.gpg-agent.ssh'
gpg-agent[1396]: gpg-agent (GnuPG) 2.1.4 started
SSH_AUTH_SOCK=/home/staf/.gnupg/S.gpg-agent.ssh; export SSH_AUTH_SOCK;
[staf@vicky ~]$ 

Export the SSH_AUTH_SOCK variable

SSH_AUTH_SOCK=/home/staf/.gnupg/S.gpg-agent.ssh; export SSH_AUTH_SOCK;

Verify the agent

Run ssh-add -L

[staf@vicky ~]$ ssh-add -L
error fetching identities for protocol 1: agent refused operation
ssh-rsa qwertyqwertyqwerty cardno:xxxx

The public key must be the same as the one extracted with “gpgkey2ssh”.

Add the public key to the remote system

Add this public key to ~/.ssh/authorized_keys on the remote system.
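
The comparison described in the two steps above can be scripted. This is an added example, not part of the original post: the function names `key_id` and `listing_has_key` are hypothetical and the key blobs are constructed placeholders. It matches keys on type and blob only, so the differing comments (`COMMENT` versus `cardno:...`) and the protocol 1 error line from `ssh-add -L` do not matter, and it also accepts `authorized_keys` lines that carry an options prefix.

```shell
#!/bin/sh
# Added example: compare SSH public keys by type and key blob, ignoring comments.

# key_id LINE
# Print "type blob" for one public-key line. Prints nothing for lines that do
# not carry a key, such as the "error fetching identities" message or comments.
key_id() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++)
            if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9-]+)$/) {
                print $i, $(i + 1)
                exit
            }
    }'
}

# listing_has_key EXPECTED_LINE   (listing on stdin)
# Returns 0 when a line on stdin carries the same key as EXPECTED_LINE,
# 1 when none does, 2 when EXPECTED_LINE itself is not a public key.
listing_has_key() {
    want=$(key_id "$1")
    [ -n "$want" ] || return 2
    while IFS= read -r line; do
        if [ "$(key_id "$line")" = "$want" ]; then
            return 0
        fi
    done
    return 1
}

# Constructed sample data; the blobs are placeholders, not real keys.
GPGKEY2SSH_OUT='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructed COMMENT'
AGENT_LISTING='error fetching identities for protocol 1: agent refused operation
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructed cardno:000000000000'
AUTHORIZED_KEYS='# constructed authorized_keys
no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructed staf@vicky
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDother someone@else'

if printf '%s\n' "$AGENT_LISTING" | listing_has_key "$GPGKEY2SSH_OUT"; then
    echo "agent offers the card key"
fi
if printf '%s\n' "$AUTHORIZED_KEYS" | listing_has_key "$GPGKEY2SSH_OUT"; then
    echo "card key is present in authorized_keys"
fi
```

On a live system the listings would come from `ssh-add -L` and from `~/.ssh/authorized_keys` on the remote host instead of the embedded samples.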

Test

Try to log on to your remote system.

[staf@vicky ~]$ ssh -v xxx.xxx.xxx.xxx

You should get a window that asks for the user PIN code.

               ┌──────────────────────────────────────────────┐
               │ Please enter the PIN                         │
               │                                              │
               │ PIN ________________________________________ │
               │                                              │
               │      <OK>                        <Cancel>    │
               └──────────────────────────────────────────────┘





FreeBSD 10.1-RELEASE-p10 (GENERIC) #0: Wed May 13 06:54:13 UTC 2015

Welcome to FreeBSD!

Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories:   https://www.FreeBSD.org/security/
FreeBSD Handbook:      https://www.FreeBSD.org/handbook/
FreeBSD FAQ:           https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums:        https://forums.FreeBSD.org/

Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with:  pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.

Show the version of FreeBSD installed:  freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages:  man man
FreeBSD directory layout:      man hier

Edit /etc/motd to change this login announcement.
Want to run the same command again?
In tcsh you can type "!!"
$ 

CleanUp

Start the gpg-daemon

Add

gpg-agent --daemon
SSH_AUTH_SOCK=/home/staf/.gnupg/S.gpg-agent.ssh; export SSH_AUTH_SOCK;

to your .bash_profile, or set up a generic script for all users in /etc/profile.d/.

Disable password login in the /etc/ssh/sshd_config
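
One way to check that password login is really off after editing sshd_config. This is an added example, not part of the original post: the function names are hypothetical, the sample configs are constructed, and the defaults assumed for unset keywords are upstream OpenSSH's (`yes` for both). It evaluates global settings only and stops at the first `Match` block.

```shell
#!/bin/sh
# Added example: audit sshd_config text for settings that still allow passwords.

# effective_setting KEYWORDS DEFAULT   (config text on stdin)
# KEYWORDS is a "|"-separated list of lowercase aliases. sshd keeps the FIRST
# value it reads for a keyword, so later duplicates never take effect.
effective_setting() {
    awk -v want="^($1)\$" -v def="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)        # drop indentation
            gsub(/"/, "", line)             # drop optional quoting
            split(line, f, /[ \t=]+/)       # "Keyword value" or "Keyword=value"
            key = tolower(f[1])
            if (key == "match") exit        # global section ends here
            if (key ~ want) { val = tolower(f[2]); found = 1; exit }
        }
        END { print (found ? val : def) }
    '
}

# password_login_disabled   (config text on stdin)
# Returns 0 only when both plain password logins and keyboard-interactive
# logins (the PAM password prompt) are switched off.
password_login_disabled() {
    cfg=$(cat)
    pw=$(printf '%s\n' "$cfg" | effective_setting 'passwordauthentication' yes)
    # KbdInteractiveAuthentication is the newer name of
    # ChallengeResponseAuthentication; whichever appears first wins.
    kbd=$(printf '%s\n' "$cfg" | effective_setting \
        'kbdinteractiveauthentication|challengeresponseauthentication' yes)
    [ "$pw" = "no" ] && [ "$kbd" = "no" ]
}

# Constructed samples, not taken from a real host.
HARDENED_CFG='PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no'

# The early "yes" wins; the "no" further down never takes effect.
SHADOWED_CFG='passwordauthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no'

# Passwords are off, but keyboard-interactive is left at its default.
PARTIAL_CFG='#PasswordAuthentication yes
PasswordAuthentication no'

for name in HARDENED_CFG SHADOWED_CFG PARTIAL_CFG; do
    eval "text=\$$name"
    if printf '%s\n' "$text" | password_login_disabled; then
        echo "$name: password login disabled"
    else
        echo "$name: password login still possible"
    fi
done
```

On the server itself, `sshd -T` prints the effective configuration including defaults and is the authoritative check.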

Have fun!

Openvas 7: Adding Credentials Failed

I’m creating a new openvas 7 system running centos 7 as a KVM instance.

The installation went fine but it was impossible to create new credentials.

I had a similar issue with my openvas 6 installation; this was resolved by creating the /etc/openvas/gnupg directory and creating the key with openvasmd --create-credentials-encryption-key

But on my openvas 7 installation the creation of the encryption key was slooooow. As always, good randomness is important for creating keys. So I decided to install haveged to get more randomness and hopefully this would speed up key creation.

[root@localhost ~]# yum install haveged

Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * atomic: www6.atomicorp.com
 * base: centos.cu.be
 * extras: centos.cu.be
 * updates: centos.cu.be
Package haveged-1.9.1-2.el7.art.x86_64 already installed and latest version
Nothing to do
[root@localhost ~]# 
[root@localhost ~]# systemct list-unit-files --type=service | grep haveged
-bash: systemct: command not found
[root@localhost ~]# systemctl list-unit-files --type=service | grep haveged
haveged.service                             disabled
[root@localhost ~]# systemctl enable haveged
ln -s '/usr/lib/systemd/system/haveged.service' '/etc/systemd/system/multi-user.target.wants/haveged.service'
[root@localhost ~]# systemctl start haveged
[root@localhost ~]# 

The key creation took only a second.

[root@localhost ~]# openvasmd --create-credentials-encryption-key
Key creation succeeded.
[root@localhost ~]# 

Adding new credentials works like a charm now.

Happy hacking!

Run Google Chrome Inside a Fedora Docker Container Over Ssh


Update (Mon Jun 8 2015):

Running google-chrome inside a docker container isn’t stable for me. I switched back to LXC to run google-chrome which seems to be more stable.


I created a docker image to start a docker container with chrome. Destroying the container each time that you start a browser is an easy way to get rid of your cookies and browser history.

Run google chrome inside a fedora docker container over ssh

Installation instructions

1/ Clone the git repo

$ git clone https://github.com/stafwag/docker-fedora-chrome-ssh.git

2/ Copy your public ssh key to id_rsa.pub

$ cd docker-fedora-chrome-ssh
$ cp ~/.ssh/id_rsa.pub .

3/ Build the docker image

$ docker build -t stafwag/docker-fedora-chrome-ssh .

4/ Update your ssh config

$ vi ~/.ssh/config

Host mychrome
          User      chrome
          Port      8022
          HostName  127.0.0.1
          StrictHostKeyChecking no
          UserKnownHostsFile=/dev/null
          ForwardX11 yes

5/ Start chrome

$ ./startchrome.sh

CGIpaf 1.3.4 Released

CGIpaf 1.3.4 has been released

ChangeLog

version 1.3.4 ( 23 Nov 2014 )
  • Cracklib configuration checking has been improved
  • LDFLAGS is passed to the linker correctly
CGIpaf 1.3.4pre1 (15 Sep 2013)
  • PAM is enabled on FreeBSD 7.3 or above
  • PAM is enabled on NetBSD 6.0 or above
  • xmalloc is updated to support systems with non GNU compatible malloc

CGIpaf 1.3.4 is available at: http://www.wagemakers.be/english/programs/cgipaf

Download the tarball directly at: http://www.wagemakers.be/downloads/cgipaf/

Or at the Git repository on github: https://github.com/stafwag/cgipaf

Have fun…

Lxc Templates in Fedora 20

I’m a big fan of containers and used them a lot on Solaris, and jails on FreeBSD. Containers/jails are the fastest way to spin up a new system and the easiest way to isolate services.

As always with virtualization, you have to be careful with placing systems or containers that don’t belong to the same customer or service on the same physical machine, since you’re never sure which traces are left behind in memory etc.

Linux containers are getting more popular since the release of docker.

When I tried to create a few containers on Fedora 20, the first attempt (a debian container) wasn’t a success.

On a newly created debian container, networking didn’t work.

First debian container

Creating the container

[root@vicky ~]# lxc-create -n mydebian -t debian

lxc-create: No config file specified, using the default config /etc/lxc/default.conf
debootstrap is /sbin/debootstrap
Checking cache download in /var/cache/lxc/debian/rootfs-squeeze-i386 ... 
Copying rootfs to /var/lib/lxc/mydebian/rootfs...Generating locales (this might 
< snip >
'debian' template installed
'mydebian' created

Booting

[root@vicky ~]# lxc-start -n mydebian
INIT: version 2.88 booting
Using makefile-style concurrent boot in runlevel S.
Cleaning up ifupdown....
Setting up networking....
Activating lvm and md swap...done.
Checking file systems...fsck from util-linux-ng 2.17.2
done.
Mounting local filesystems...done.
Activating swapfile swap...done.
Cleaning up temporary files....
Configuring network interfaces...ifup: failed to open statefile /etc/network/run/ifstate: No such file or directory
failed.
Setting kernel variables ...done.
Cleaning up temporary files....
INIT: Entering runlevel: 3
Using makefile-style concurrent boot in runlevel 3.
Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 6.0 mydebian console

mydebian login: root
Password: 
Last login: Tue Jun 21 08:05:41 UTC 2014 on console
Linux mydebian 3.14.5-200.fc20.i686 #1 SMP Mon Jun 21 08:13:19 UTC 2014 i686

Network isn’t working…

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@mydebian:~# ifconfig -a
eth0      Link encap:Ethernet  HWaddr c2:71:98:d8:8f:c3  
          inet6 addr: fe80::c071:98ff:fed8:8fc3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:13 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:908 (908.0 B)  TX bytes:738 (738.0 B)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

root@mydebian:~# ifup eth0
ifup: failed to open statefile /etc/network/run/ifstate: No such file or directory
root@mydebian:~# 
root@mydebian:~# cat /etc/network/interfaces 
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp
root@mydebian:~# 

Fedora container

A Fedora container worked better.

Creating the fedora container

[root@vicky ~]# lxc-create -n myfedora -t fedora

lxc-create: No config file specified, using the default config /etc/lxc/default.conf
Host CPE ID from /etc/os-release: cpe:/o:fedoraproject:fedora:20
Checking cache download in /var/cache/lxc/fedora/i686/20/rootfs ... 
Downloading fedora minimal ...
Fetching rpm name from http://be.mirror.eurid.eu/fedora/linux/releases/20/Everything/i386/os//Packages/f...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   290  100   290    0     0    904      0 --:--:-- --:--:-- --:--:--   903
  0     0    0  145k    0     0  47212      0 --:--:--  0:00:03 --:--:-- 58525

<snip>
Updated:
  fedora-release.noarch 0:20-3                                                  

Complete!
Download complete.
Copy /var/cache/lxc/fedora/i686/20/rootfs to /var/lib/lxc/myfedora/rootfs ... 
Copying rootfs to /var/lib/lxc/myfedora/rootfs ...setting root passwd to root
installing fedora-release package
Package fedora-release-20-3.noarch already installed and latest version
Nothing to do
unlink: cannot unlink ‘/var/lib/lxc/myfedora/rootfs/etc/systemd/system/default.target’: No such file or directory
container rootfs and config created
'fedora' template installed
'myfedora' created
[root@vicky ~]# 

Booting

[root@vicky ~]# lxc-start -n myfedora
systemd 208 running in system mode. (+PAM +LIBWRAP +AUDIT +SELINUX +IMA +SYSVINIT +LIBCRYPTSETUP +GCRYPT +ACL +XZ)
Detected virtualization 'lxc'.

Welcome to Fedora 20 (Heisenbug)!

Set hostname to <myfedora>.
[  OK  ] Reached target Remote File Systems.
[  OK  ] Listening on Delayed Shutdown Socket.
[  OK  ] Created slice Root Slice.
[  OK  ] Created slice User and Session Slice.
[  OK  ] Started Login Service.
< snip >
[  OK  ] Reached target Multi-User System.

Fedora release 20 (Heisenbug)
Kernel 3.14.5-200.fc20.i686 on an i686 (console)

myfedora login: root
Password: 
Last login: Wed Jun 21 09:12:42 on console

Networking

[root@myfedora ~]# ping 8.8.8.8
connect: Network is unreachable
[root@myfedora ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
16: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 5a:89:44:04:99:2b brd ff:ff:ff:ff:ff:ff
    inet6 fe80::5889:44ff:fe04:992b/64 scope link 
       valid_lft forever preferred_lft forever
[root@myfedora ~]# ifup eth0

Determining IP information for eth0... done.
[root@myfedora ~]# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=49 time=113 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=49 time=123 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=49 time=123 ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 113.751/120.096/123.408/4.488 ms
[root@myfedora ~]# 

New templates

Since I wanted a Debian container, I cloned the lxc git repository on github and copied the templates.

Getting the templates

[staf@vicky github]$ git clone https://github.com/lxc/lxc 
Cloning into 'lxc'...
remote: Reusing existing pack: 17997, done.
remote: Counting objects: 17, done.
remote: Compressing objects: 100% (17/17), done.
remote: Total 18014 (delta 9), reused 0 (delta 0)
Receiving objects: 100% (18014/18014), 9.14 MiB | 77.00 KiB/s, done.
Resolving deltas: 100% (11555/11555), done.
Checking connectivity... done.
[staf@vicky github]$ 

Configure

Create the configure script and its dependencies

[staf@vicky lxc]$ autoreconf -i
configure.ac:31: installing 'config/compile'
configure.ac:30: installing 'config/config.guess'
configure.ac:30: installing 'config/config.sub'
configure.ac:29: installing 'config/install-sh'
configure.ac:29: installing 'config/missing'
src/lua-lxc/Makefile.am: installing 'config/depcomp'
[staf@vicky lxc]$ 

Run configure

[staf@vicky lxc]$ ./configure 
checking for pkg-config... /usr/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /usr/bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
checking for style of include used by make... GNU
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
<snip>
Documentation:
 - examples: yes
 - API documentation: no
 - user documentation: no

Debugging:
 - tests: no
 - mutex debugging: no

Paths:
 - Logs in configpath: no
[staf@vicky lxc]$ 

Copy the templates

Copy the newly created templates

[staf@vicky templates]$ shopt -s extglob
[staf@vicky templates]$ 
[staf@vicky templates]$ ls !(*\.in|Makefile*)
lxc-alpine     lxc-centos    lxc-fedora        lxc-oracle  lxc-ubuntu-cloud
lxc-altlinux   lxc-cirros    lxc-gentoo        lxc-plamo
lxc-archlinux  lxc-debian    lxc-openmandriva  lxc-sshd
lxc-busybox    lxc-download  lxc-opensuse      lxc-ubuntu
[staf@vicky templates]$ sudo cp !(*\.in|Makefile*)  /usr/share/lxc/templates
[sudo] password for staf: 
[staf@vicky templates]$ 

Debian container second try…

I then tried to create the debian container again.

[root@vicky ~]# lxc-ls --fancy
NAME      STATE    IPV4  IPV6  
-----------------------------
mydebian  STOPPED  -     -     
myfedora  STOPPED  -     -     
[root@vicky ~]# lxc-destroy -n mydebian
[root@vicky ~]# lxc-ls --fancy
NAME      STATE    IPV4  IPV6  
-----------------------------
myfedora  STOPPED  -     -     
[root@vicky ~]# 

Creating the container

[root@vicky ~]# lxc-create -n mydebian -t debian

lxc-create: No config file specified, using the default config /etc/lxc/default.conf
debootstrap is /sbin/debootstrap
Checking cache download in /usr/local/var/cache/lxc/debian/rootfs-wheezy-i386 ... 
Downloading debian minimal ...
W: Cannot check Release signature; keyring file not available /usr/share/keyrings/debian-archive-keyring.gpg
I: Retrieving Release 
I: Validating Packages 
I: Resolving dependencies of required packages...
I: Resolving dependencies of base packages...
I: Found additional required dependencies: insserv libbz2-1.0 libdb5.1 libsemanage-common libsemanage1 libslang2 libustr-1.0-1 
I: Found additional base dependencies: adduser debian-archive-keyring gnupg gpgv isc-dhcp-common libapt-pkg4.12 libbsd0 libclass-isa-perl libedit2 libgdbm3 libgssapi-krb5-2 libk5crypto3 libkeyutils1 libkrb5-3 libkrb5support0 libncursesw5 libprocps0 libreadline6 libssl1.0.0 libstdc++6 libswitch-perl libusb-0.1-4 libwrap0 openssh-client perl perl-modules procps readline-common 
I: Checking component main on http://cdn.debian.net/debian...
I: Validating libacl1 2.2.51-8
I: Validating adduser 3.113+nmu3
<snip>
I: Unpacking debconf...
I: Unpacking debconf-i18n...
I: Unpacking debianutils...
I: Unpacking diffutils...
I: Unpacking dpkg...
I: Unpacking e2fslibs:i386...
<snip>
I: Configuring apt...
I: Configuring openssh-client...
I: Configuring openssh-server...
I: Configuring perl-modules...
I: Configuring libswitch-perl...
I: Configuring perl...
I: Configuring libui-dialog-perl...
I: Base system installed successfully.
Download complete.
Copying rootfs to /var/lib/lxc/mydebian/rootfs...Generating locales (this might take a while)...
  en_US.UTF-8... done
Generation complete.
update-rc.d: using dependency based boot sequencing
update-rc.d: using dependency based boot sequencing
update-rc.d: using dependency based boot sequencing
update-rc.d: using dependency based boot sequencing
Creating SSH2 RSA key; this may take some time ...
Creating SSH2 DSA key; this may take some time ...
Creating SSH2 ECDSA key; this may take some time ...
invoke-rc.d: policy-rc.d denied execution of restart.
Timezone in container is not configured. Adjust it manually.
Root password is 'root', please change !
'debian' template installed
'mydebian' created
[root@vicky ~]# 

Booting

[root@vicky ~]# lxc-start -n mydebian
INIT: version 2.88 booting
Using makefile-style concurrent boot in runlevel S.
Cleaning up temporary files... /tmp /run /run/lock /run/shm.
Mount point '/dev/mqueue' does not exist. Skipping mount. ... (warning).
Mount point '/dev/hugepages' does not exist. Skipping mount. ... (warning).
Mount point '/sys/fs/cgroup/systemd' does not exist. Skipping mount. ... (warning).
Mount point '/sys/fs/cgroup/cpuset' does not exist. Skipping mount. ... (warning).
Mount point '/sys/fs/cgroup/cpu,cpuacct' does not exist. Skipping mount. ... (warning).
Mount point '/sys/fs/cgroup/memory' does not exist. Skipping mount. ... (warning).
Mount point '/sys/fs/cgroup/devices' does not exist. Skipping mount. ... (warning).
Mount point '/sys/fs/cgroup/freezer' does not exist. Skipping mount. ... (warning).
Mount point '/sys/fs/cgroup/net_cls' does not exist. Skipping mount. ... (warning).
Mount point '/sys/fs/cgroup/blkio' does not exist. Skipping mount. ... (warning).
Mount point '/sys/fs/cgroup/perf_event' does not exist. Skipping mount. ... (warning).
Filesystem type 'fuse.gvfsd-fuse' is not supported. Skipping mount. ... (warning).
Mount point '/run/media/staf/VBOXADDITIONS_4.3.12_93733' does not exist. Skipping mount. ... (warning).
Mount point '/var/lib/nfs/rpc_pipefs' does not exist. Skipping mount. ... (warning).
Mount point '/usr/lib/lxc/rootfs' does not exist. Skipping mount. ... (warning).
Mount point '/usr/lib/lxc/rootfs' does not exist. Skipping mount. ... (warning).
Mount point '/dev/console' does not exist. Skipping mount. ... (warning).
Activating lvm and md swap...done.
Checking file systems...fsck from util-linux 2.20.1
done.
Mounting local filesystems...done.

Debian GNU/Linux 7 mydebian console

mydebian login: root
Password: 
Linux mydebian 3.14.8-200.fc20.i686 #1 SMP Mon Jun 21 09:36:56 UTC 2014 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

Networking….

root@mydebian:~# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:16:3e:34:d3:02  
          inet addr:192.168.122.198  Bcast:192.168.122.255  Mask:255.255.255.0
          inet6 addr: fe80::216:3eff:fe34:d302/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:32 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3312 (3.2 KiB)  TX bytes:1806 (1.7 KiB)

root@mydebian:~# ping 8.8.8.8
-bash: ping: command not found
root@mydebian:~# apt-cache search ping | grep util
2ping - Ping utility to determine directional packet loss
galax-extra - XQuery implementation with static typing - utilities
inetutils-ping - ICMP echo tool
iputils-arping - Tool to send ICMP echo requests to an ARP address
iputils-ping - Tools to test the reachability of network hosts
libescape-ruby - HTML/URI/shell escaping utilities for Ruby
mapnik-utils - C++/Python toolkit for developing GIS applications (utilities)
ruby-escape-utils - Faster string escaping routines for your web apps
root@mydebian:~# apt-get install inetutils-ping
Reading package lists... Done
Building dependency tree... Done
The following NEW packages will be installed:
  inetutils-ping
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 169 kB of archives.
After this operation, 273 kB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
  inetutils-ping
Install these packages without verification [y/N]? y
Get:1 http://cdn.debian.net/debian/ wheezy/main inetutils-ping i386 2:1.9-2 [169 kB]
Fetched 169 kB in 6s (26.4 kB/s)                                               
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package inetutils-ping.
(Reading database ... 9387 files and directories currently installed.)
Unpacking inetutils-ping (from .../inetutils-ping_2%3a1.9-2_i386.deb) ...
Setting up inetutils-ping (2:1.9-2) ...
root@mydebian:~# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=49 time=172.105 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=49 time=111.011 ms
^C--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 111.011/141.558/172.105/30.547 ms
root@mydebian:~# 

Size Matters, but …

Size matters, but … resolution and image quality are as important.

Since I was diagnosed with diabetes I have eye issues; things are getting better recently, but I still need glasses for reading etc.

My “no smoking” Piggy Bank was fat enough for some “eye candy”. I bought a Dell UltraSharp U2713HM, a 27 inch WQHD (2560x1440) IPS display.

Compared to the other screens I used to work with, the image quality is amazing and the higher resolution gives so much more space.

Dell 2713HM images