stafwag Blog

staf wagemakers blog

DNS Privacy With Stubby (Part 1 GNU/Linux)

Installing and configuring an encrypted DNS server is straightforward; there is no reason to use an unencrypted DNS service.

DNS is not secure or private

DNS traffic is insecure: it runs over UDP port 53 (TCP for zone transfers) unencrypted by default.

This makes your DNS traffic both a privacy risk and a security risk:

  • anyone able to sniff your network traffic can collect a lot of information from your leaking DNS queries.
  • with a DNS spoofing attack an attacker can trick you into visiting a malicious website or try to intercept your email traffic.

Encrypt your dns traffic

Encrypting your network traffic is always a good idea for privacy and security reasons (we encrypt because we can!). More information about DNS privacy can be found at https://dnsprivacy.org/

On this site you’ll also find the DNS Privacy Daemon, Stubby, which lets you send your DNS requests over TLS to an alternative DNS provider. Use a DNS provider that you trust and that has a no-logging policy. Quad9, Cloudflare and Google DNS are well-known alternative DNS providers. At https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers you can find a few other options.
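To make concrete what Stubby does on every lookup, here is a minimal DNS-over-TLS (RFC 7858) client written as an added example; it is not code from the original post or from the Stubby project. It builds a raw DNS query, sends it with the 2-byte TCP length framing over a TLS session whose certificate is verified against the expected host name (the equivalent of Stubby's strict authentication), and parses the answer. The sample response is constructed inline so the parsing part runs offline; the resolver addresses in the usage comment are Quad9's public ones.

```python
"""Minimal DNS-over-TLS client, the protocol Stubby speaks to its upstreams."""
import socket
import ssl
import struct


def build_query(name, qid, qtype=1):
    """Build a DNS query: 12-byte header, QNAME labels, QTYPE, QCLASS IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def frame(message):
    """RFC 7858 reuses the DNS-over-TCP framing: a big-endian 2-byte length prefix."""
    return struct.pack("!H", len(message)) + message


def parse_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumped = True
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end


def parse_answers(msg, expected_id):
    """Return [(owner, rtype, value, ttl)] for the answer section of a response."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if qid != expected_id:  # a mismatched id means this is not the reply to our query
        raise ValueError("transaction id mismatch")
    if flags & 0xF:
        raise ValueError("rcode %d" % (flags & 0xF))
    off = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, off = parse_name(msg, off)
        off += 4
    answers = []
    for _ in range(ancount):
        owner, off = parse_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata_start, off = off, off + rdlen
        if rtype == 1 and rdlen == 4:  # A record
            value = ".".join(str(b) for b in msg[rdata_start:off])
        elif rtype == 5:  # CNAME, the target is itself a compressed name
            value, _ = parse_name(msg, rdata_start)
        else:
            value = msg[rdata_start:off].hex()
        answers.append((owner, rtype, value, ttl))
    return answers


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("upstream closed the connection")
        buf += chunk
    return buf


def resolve_over_tls(name, server_ip, auth_name, port=853, qid=0x1234):
    """Query server_ip over TLS; auth_name plays the role of Stubby's tls_auth_name."""
    ctx = ssl.create_default_context()  # verifies the chain and the host name
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    query = build_query(name, qid)
    with socket.create_connection((server_ip, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(frame(query))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            response = _recv_exact(tls, length)
    return parse_answers(response, qid)


# Constructed sample response (not captured traffic): the CNAME + A answer the post's
# dig output shows for www.wagemakers.be, using name compression pointers.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)  # qr rd ra, 1 question, 2 answers
    + build_query("www.wagemakers.be", 0x1234)[12:]  # echoed question section
    + b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 86000, 2) + b"\xc0\x10"  # CNAME -> wagemakers.be.
    + b"\xc0\x10" + struct.pack("!HHIH", 1, 1, 86000, 4) + bytes([95, 215, 185, 144])
)

if __name__ == "__main__":
    for owner, rtype, value, ttl in parse_answers(SAMPLE_RESPONSE, 0x1234):
        print(owner, rtype, value, ttl)
    # Live lookup through Quad9 (needs network): resolve_over_tls("www.wagemakers.be", "9.9.9.9", "dns.quad9.net")
```

Pointing `server_ip` at a resolver whose certificate does not match `auth_name` makes `wrap_socket` raise `ssl.SSLCertVerificationError`, which is exactly the failure Stubby's strict mode turns into "no answer" instead of a silent downgrade.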

You’ll find my journey to set up Stubby on a few operating systems I use (or am forced to use) below …

GNU/Linux

Arch Linux

I use Arch Linux on my main workstation. Stubby is already in the Arch repositories, which makes the installation straightforward.

Install stubby

[root@vicky ~]# pacman -S stubby
resolving dependencies...
looking for conflicting packages...

Packages (5) fstrm-0.4.0-1  getdns-1.4.2-1  protobuf-c-1.3.0-3  unbound-1.7.3-4
             stubby-0.2.3-1

Total Download Size:   1.09 MiB
Total Installed Size:  5.68 MiB

:: Proceed with installation? [Y/n] 
:: Retrieving packages...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 88476  100 88476    0     0   403k      0 --:--:-- --:--:-- --:--:--  403k
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 62480  100 62480    0     0  1271k      0 --:--:-- --:--:-- --:--:-- 1271k
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  632k  100  632k    0     0   750k      0 --:--:-- --:--:-- --:--:--  749k
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  302k  100  302k    0     0  1615k      0 --:--:-- --:--:-- --:--:-- 1606k
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 34052  100 34052    0     0   831k      0 --:--:-- --:--:-- --:--:--  831k
(5/5) checking keys in keyring                       [###########################] 100%
(5/5) checking package integrity                     [###########################] 100%
(5/5) loading package files                          [###########################] 100%
(5/5) checking for file conflicts                    [###########################] 100%
(5/5) checking available disk space                  [###########################] 100%
:: Processing package changes...
(1/5) installing fstrm                               [###########################] 100%
(2/5) installing protobuf-c                          [###########################] 100%
(3/5) installing unbound                             [###########################] 100%
Optional dependencies for unbound
    expat: unbound-anchor [installed]
(4/5) installing getdns                              [###########################] 100%
(5/5) installing stubby                              [###########################] 100%
:: Running post-transaction hooks...
(1/4) Reloading system manager configuration...
(2/4) Creating system user accounts...
(3/4) Creating temporary files...
(4/4) Arming ConditionNeedsUpdate...
[root@vicky ~]# 

choose your upstream dns provider

Edit the stubby.yml file and uncomment the upstream DNS server(s) that you want to use. By default Stubby load-balances the DNS traffic over all configured upstream DNS servers. This is controlled by the round_robin_upstreams directive: if set to 1 the traffic is load-balanced, if set to 0 stubby uses the first configured DNS server.

[staf@vicky ~]$ sudo vi /etc/stubby/stubby.yml
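As an added example (not the post's own file), this is the shape of a hardened stubby.yml: TLS as the only transport, strict certificate authentication against each upstream's tls_auth_name, and Quad9 and Cloudflare as upstreams. The listen port is already set to 53000 so that dnsmasq can sit in front of it as described further down; keep @53 if you skip dnsmasq.

```yaml
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS            # TLS only: never fall back to plaintext UDP/TCP
# Strict mode: refuse the upstream unless its certificate matches tls_auth_name.
# GETDNS_AUTHENTICATION_NONE would be opportunistic and silently accept any certificate.
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128    # pad queries so their size leaks less about the name
edns_client_subnet_private: 1       # ask the upstream not to forward our client subnet
round_robin_upstreams: 1            # 1 = spread queries over all upstreams, 0 = first one
idle_timeout: 10000                 # keep the TLS session open between queries (ms)
listen_addresses:
  - 127.0.0.1@53000
  - 0::1@53000
upstream_recursive_servers:
  - address_data: 9.9.9.9
    tls_auth_name: "dns.quad9.net"
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
```

Comment out the providers you do not trust rather than leaving them as fallbacks; with round_robin_upstreams set to 1 every listed server sees a share of your queries.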

enable and start stubby

[root@vicky ~]# systemctl enable stubby
Created symlink /etc/systemd/system/multi-user.target.wants/stubby.service -> /usr/lib/systemd/system/stubby.service.
[root@vicky ~]# systemctl start stubby
[root@vicky ~]# 

test

[root@vicky ~]# dig @127.0.0.1 www.wagemakers.be

; <<>> DiG 9.13.2 <<>> @127.0.0.1 www.wagemakers.be
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18226
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: fe9d3618b821614f174436385b7acb64a4f4cc6657e14626 (good)
;; QUESTION SECTION:
;www.wagemakers.be.             IN      A

;; ANSWER SECTION:
www.wagemakers.be.      86000   IN      CNAME   wagemakers.be.
wagemakers.be.          86000   IN      A       95.215.185.144

;; Query time: 128 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Aug 20 16:08:36 CEST 2018
;; MSG SIZE  rcvd: 147

[root@vicky ~]# 

Local dns cache with dnsmasq

Change the stubby port.

Edit /etc/stubby/stubby.yml

[root@vicky ~]# vi /etc/stubby/stubby.yml

And change the port by modifying the listen_addresses directive:

listen_addresses:
  - 127.0.0.1@53000
  - 0::1@53000

restart stubby

[root@vicky ~]# systemctl restart stubby.service

and verify that DNS on 127.0.0.1:53 doesn’t work anymore.

[root@vicky ~]# dig @127.0.0.1 www.wagemakers.be

; <<>> DiG 9.13.2 <<>> @127.0.0.1 www.wagemakers.be
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
[root@vicky ~]# 

Ensure that stubby does work on port 53000.

[root@frija etc]# dig @127.0.0.1 -p 53000 www.wagemakers.be

; <<>> DiG 9.13.2 <<>> @127.0.0.1 -p 53000 www.wagemakers.be
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27173
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65535
;; QUESTION SECTION:
;www.wagemakers.be.             IN      A

;; ANSWER SECTION:
www.wagemakers.be.      43200   IN      CNAME   wagemakers.be.
wagemakers.be.          43200   IN      A       95.215.185.144

;; Query time: 250 msec
;; SERVER: 127.0.0.1#53000(127.0.0.1)
;; WHEN: Tue Aug 21 13:26:37 CEST 2018
;; MSG SIZE  rcvd: 119

[root@frija etc]# 

Install dnsmasq

[root@vicky ~]# pacman -S dnsmasq
warning: dnsmasq-2.79-1 is up to date -- reinstalling
resolving dependencies...
looking for conflicting packages...

Packages (1) dnsmasq-2.79-1

Total Installed Size:  0.70 MiB
Net Upgrade Size:      0.00 MiB

:: Proceed with installation? [Y/n] y
(1/1) checking keys in keyring                       [###########################] 100%
(1/1) checking package integrity                     [###########################] 100%
(1/1) loading package files                          [###########################] 100%
(1/1) checking for file conflicts                    [###########################] 100%
(1/1) checking available disk space                  [###########################] 100%
:: Processing package changes...
(1/1) reinstalling dnsmasq                           [###########################] 100%
:: Running post-transaction hooks...
(1/3) Reloading system manager configuration...
(2/3) Creating system user accounts...
(3/3) Arming ConditionNeedsUpdate...
[root@vicky ~]# 

Configure dnsmasq

[root@vicky etc]# cd /etc
[root@vicky etc]# mv /etc/dnsmasq.conf /etc/dnsmasq.conf_org
[root@vicky etc]# vi dnsmasq.conf

It is important to configure dnsmasq to listen on the localhost interface only. If you use Linux KVM you probably already have a DNS service running on your bridge interfaces for your virtual machines.

server=127.0.0.1#53000
listen-address=127.0.0.1
interface=lo
bind-interfaces
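The configuration above works, but dnsmasq still reads /etc/resolv.conf for additional upstreams by default, so any plaintext resolver DHCP or an old configuration left there is used next to stubby. As an added example (not the post's own file), this is the same dnsmasq.conf with that fallback closed and a local cache in front of stubby:

```conf
# Forward everything to stubby on the port it now listens on.
server=127.0.0.1#53000
# Ignore /etc/resolv.conf: without this, dnsmasq also forwards queries to
# whatever plaintext nameservers DHCP or the previous setup left in it.
no-resolv
# Answer on loopback only; KVM bridges (virbr0) and LAN interfaces stay closed.
listen-address=127.0.0.1
interface=lo
bind-interfaces
# Cache answers locally so repeated lookups never leave the host.
cache-size=1000
# Pass the DNSSEC Authenticated Data bit from stubby through to local clients.
proxy-dnssec
```

After restarting dnsmasq, `journalctl -u dnsmasq` should list only `using nameserver 127.0.0.1#53000`; any other `using nameserver` line is a plaintext path that still needs closing.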

Start and enable dnsmasq

[root@vicky ~]# systemctl start dnsmasq
[root@vicky ~]# systemctl enable dnsmasq
Created symlink /etc/systemd/system/multi-user.target.wants/dnsmasq.service -> /usr/lib/systemd/system/dnsmasq.service.
[root@vicky ~]# 

Reconfigure your system

Reconfigure your system to use dnsmasq as the DNS service.

I use netctl on my system. You can update the network configuration with netctl:

[root@vicky netctl]# netctl edit <network_name>
[root@vicky netctl]# netctl restart  <network_name>

If you use NetworkManager you can use nmcli, nmtui or the GUI network configuration of your desktop environment.

GNU/Linux is GNU/Linux

The configuration on other GNU/Linux distributions is the same as on Arch, apart from the installation process. The same method can be used if your (favorite) Linux distribution doesn’t have a stubby package; the installation of the required packages will of course be different.

Debian

Current testing release Debian “buster”

$ sudo apt install stubby dnsmasq

Current stable Debian 9 “stretch”

Stubby is in the getdns-utils package in Debian stretch, but it’s an older version. Therefore I ended up building stubby from source.

Install the required packages

Install the required packages to build stubby.

staf@stretch:~/github$ sudo apt install build-essential git libtool autoconf libssl-dev libyaml-dev

git clone

Clone the getdns git repo:

staf@stretch:~/github$ git clone https://github.com/getdnsapi/getdns.git
Cloning into 'getdns'...
remote: Counting objects: 16154, done.
remote: Total 16154 (delta 0), reused 0 (delta 0), pack-reused 16154
Receiving objects: 100% (16154/16154), 9.72 MiB | 1.13 MiB/s, done.
Resolving deltas: 100% (12413/12413), done.
staf@stretch:~/github$ 

checkout the latest stable release

Verify the latest release tag. The current stable release is 1.4.2.

staf@stretch:~/github/getdns$ git tag
TNW2015
list
v0.1.0
v0.1.1
v0.1.2
<snip>
v1.4.0
v1.4.0-rc1
v1.4.1
v1.4.1-rc1
v1.4.2
v1.4.2-rc1
staf@stretch:~/github/getdns$ 

Check out the latest stable release.

staf@stretch:~/github/getdns$ git checkout v1.4.2
Note: checking out 'v1.4.2'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by performing another checkout.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -b with the checkout command again. Example:

  git checkout -b <new-branch-name>

HEAD is now at e481273... Last minute update
staf@stretch:~/github/getdns$ 

build it…

staf@stretch:~/github/getdns$ git submodule update --init
staf@stretch:~/github/getdns$ libtoolize -ci
staf@stretch:~/github/getdns$ autoreconf -fi
staf@stretch:~/github/getdns$ mkdir build
staf@stretch:~/github/getdns$ cd build/
staf@stretch:~/github/getdns/build$ ../configure --prefix=/usr/local --without-libidn --without-libidn2 --enable-stub-only --with-stubby
staf@stretch:~/github/getdns/build$ make

make install

staf@stretch:~/github/getdns/build$ sudo make install
[sudo] password for staf: 
cd src && make install
make[1]: Entering directory '/home/staf/github/getdns/build/src'
<snip>
make[1]: Leaving directory '/home/staf/github/getdns/build/doc'
***
***  !!! IMPORTANT !!!!
***
***  From release 1.2.0, getdns comes with built-in DNSSEC
***  trust anchor management.  External trust anchor management,
***  for example with unbound-anchor, is no longer necessary
***  and no longer recommended.
***
***  Previously installed trust anchors, in the default location -
***
***        /usr/local/etc/unbound/getdns-root.key
***
***  - will be preferred and used for DNSSEC validation, however
***  getdns will fallback to trust-anchors obtained via built-in
***  trust anchor management when the anchors from the default
***  location fail to validate the root DNSKEY rrset.
***
***  To prevent expired DNSSEC trust anchors to be used for
***  validation, we strongly recommend removing the trust anchors
***  on the default location when there is no active external
***  trust anchor management keeping it up-to-date.
***
staf@stretch:~/github/getdns/build$ sudo make install

systemd service

Stubby comes with a systemd service definition. Copy it to the correct location.

staf@stretch:~/github/getdns/build$ cd ..
staf@stretch:~/github/getdns$ cd stubby/systemd/
staf@stretch:~/github/getdns/stubby/systemd$ sudo cp stubby.service /lib/systemd/system/

Update the path to /usr/local

staf@stretch:~/github/getdns/stubby/systemd$ sudo vi /lib/systemd/system/stubby.service

[Unit]
Description=stubby DNS resolver

[Service]
User=stubby
DynamicUser=yes
CacheDirectory=stubby
WorkingDirectory=/var/cache/stubby
ExecStart=/usr/local/bin/stubby
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

And create the stubby working directory:

root@stretch:~# mkdir /var/cache/stubby

ldconfig

Update your library cache:

staf@stretch:~/github/getdns/stubby/systemd$ sudo ldconfig -v

Update the configuration

Edit the stubby.yml configuration file.

staf@stretch:~/github/getdns/stubby/systemd$ sudo nvi /usr/local/etc/stubby/stubby.yml

Update the port stubby will listen on and select the upstream DNS service you want to use.

listen_addresses:
  - 127.0.0.1@53000
  - 0::1@53000

start and test

Start stubby….

staf@stretch:~/github/getdns/stubby/systemd$ sudo systemctl list-unit-files | grep -i stubby
stubby.service                              disabled
staf@stretch:~/github/getdns/stubby/systemd$ sudo systemctl enable stubby
Created symlink /etc/systemd/system/multi-user.target.wants/stubby.service /lib/systemd/system/stubby.service.
staf@stretch:~/github/getdns/stubby/systemd$ sudo systemctl start stubby
staf@stretch:~/github/getdns/stubby/systemd$ 

and test it:

root@stretch:~# dig @127.0.0.1 -p 53000 www.wagemakers.be

; <<>> DiG 9.10.3-P4-Debian <<>> @127.0.0.1 -p 53000 www.wagemakers.be
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17510
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.wagemakers.be.             IN      A

;; ANSWER SECTION:
www.wagemakers.be.      49704   IN      CNAME   wagemakers.be.
wagemakers.be.          81815   IN      A       95.215.185.144

;; Query time: 72 msec
;; SERVER: 127.0.0.1#53000(127.0.0.1)
;; WHEN: Sun Sep 02 10:33:53 CEST 2018
;; MSG SIZE  rcvd: 119

root@stretch:~# 

dnsmasq

Install dnsmasq

root@stretch:/etc# apt-get install dnsmasq

Configure dnsmasq

root@stretch:/etc# mv dnsmasq.conf dnsmasq.conf_org
root@stretch:/etc# vi dnsmasq.conf
server=127.0.0.1#53000
listen-address=127.0.0.1
interface=lo
bind-interfaces

Enable and start it…

root@stretch:/etc# systemctl enable dnsmasq
Synchronizing state of dnsmasq.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable dnsmasq
root@stretch:/etc# systemctl restart dnsmasq

Verify

root@stretch:/etc# dig @127.0.0.1 www.wagemakers.be

; <<>> DiG 9.10.3-P4-Debian <<>> @127.0.0.1 www.wagemakers.be
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57295
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.wagemakers.be.             IN      A

;; ANSWER SECTION:
www.wagemakers.be.      48645   IN      CNAME   wagemakers.be.
wagemakers.be.          80756   IN      A       95.215.185.144

;; Query time: 72 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Sep 02 10:51:32 CEST 2018
;; MSG SIZE  rcvd: 119

root@stretch:/etc# 

Reconfigure your system to use dnsmasq…

root@stretch:/etc# nvi resolv.conf

nameserver 127.0.0.1

Have fun!

Links

Migrate a Windows Vmware Virtual Machine to Linux KVM

Linux KVM is getting more and more usable for desktop virtualization thanks to the virtio and QXL/SPICE drivers.

Most Linux distributions ship the virtio and QXL drivers; you might need to install spice-vdagent.

On Windows you can download and install the virtio and QXL drivers.

Using the virtio drivers will improve your guest system performance and your virtualization experience.

Convert the disk image

merge the vmware disk images…

If you use split disk images on VMware (or VMware Player), merge them into a single disk image with the vmware-vdiskmanager command.

$ vmware-vdiskmanager -r mywin.vmdk -t 0 /tmp/mywin._combined.vmdk
Creating disk '/var/lib/libvirt/images/tmp/mywin._combined.vmdk'
  Convert: 100% done.
Virtual disk conversion successful.
$

convert the vmdk image to qcow2

Convert the VMDK disk image to qcow2 (the output name matches the image used by the mv and virt-install commands below):

[staf@vicky vboxes]$ qemu-img convert -f vmdk -O qcow2 mywin._combined.vmdk mywin_combined.qcow2

Move the image to the libvirt images directory

[staf@vicky vboxes]$ sudo mv mywin_combined.qcow2 /var/lib/libvirt/images/
[sudo] password for staf: 

Import the disk image to KVM

We’ll import the disk image with virt-install. It’s also possible to import the image with virt-manager if you prefer a graphical interface or are just being lazy :-)

Available os options

To list the supported operating systems you can use the osinfo-query os command:

[staf@vicky ~]$ osinfo-query os | head
 Short ID             | Name                                               | Version  | ID                                      
----------------------+----------------------------------------------------+----------+-----------------------------------------
 alpinelinux3.5       | Alpine Linux 3.5                                   | 3.5      | http://alpinelinux.org/alpinelinux/3.5  
 alpinelinux3.6       | Alpine Linux 3.6                                   | 3.6      | http://alpinelinux.org/alpinelinux/3.6  
 alpinelinux3.7       | Alpine Linux 3.7                                   | 3.7      | http://alpinelinux.org/alpinelinux/3.7  
 altlinux1.0          | Mandrake RE Spring 2001                            | 1.0      | http://altlinux.org/altlinux/1.0        
 altlinux2.0          | ALT Linux 2.0                                      | 2.0      | http://altlinux.org/altlinux/2.0        
 altlinux2.2          | ALT Linux 2.2                                      | 2.2      | http://altlinux.org/altlinux/2.2        
 altlinux2.4          | ALT Linux 2.4                                      | 2.4      | http://altlinux.org/altlinux/2.4        
 altlinux3.0          | ALT Linux 3.0                                      | 3.0      | http://altlinux.org/altlinux/3.0        
[staf@vicky ~]$ osinfo-query os |  grep -i windows
 win1.0               | Microsoft Windows 1.0                              | 1.0      | http://microsoft.com/win/1.0            
 win10                | Microsoft Windows 10                               | 10.0     | http://microsoft.com/win/10             
 win2.0               | Microsoft Windows 2.0                              | 2.0      | http://microsoft.com/win/2.0            
 win2.1               | Microsoft Windows 2.1                              | 2.1      | http://microsoft.com/win/2.1            
 win2k                | Microsoft Windows 2000                             | 5.0      | http://microsoft.com/win/2k             
 win2k12              | Microsoft Windows Server 2012                      | 6.3      | http://microsoft.com/win/2k12           
 win2k12r2            | Microsoft Windows Server 2012 R2                   | 6.3      | http://microsoft.com/win/2k12r2         
 win2k16              | Microsoft Windows Server 2016                      | 10.0     | http://microsoft.com/win/2k16           
 win2k3               | Microsoft Windows Server 2003                      | 5.2      | http://microsoft.com/win/2k3            
 win2k3r2             | Microsoft Windows Server 2003 R2                   | 5.2      | http://microsoft.com/win/2k3r2          
 win2k8               | Microsoft Windows Server 2008                      | 6.0      | http://microsoft.com/win/2k8            
 win2k8r2             | Microsoft Windows Server 2008 R2                   | 6.1      | http://microsoft.com/win/2k8r2          
 win3.1               | Microsoft Windows 3.1                              | 3.1      | http://microsoft.com/win/3.1            
 win7                 | Microsoft Windows 7                                | 6.1      | http://microsoft.com/win/7              
 win8                 | Microsoft Windows 8                                | 6.2      | http://microsoft.com/win/8              
 win8.1               | Microsoft Windows 8.1                              | 6.3      | http://microsoft.com/win/8.1            
 win95                | Microsoft Windows 95                               | 4.0      | http://microsoft.com/win/95             
 win98                | Microsoft Windows 98                               | 4.1      | http://microsoft.com/win/98             
 winme                | Microsoft Windows Millennium Edition               | 4.9      | http://microsoft.com/win/me             
 winnt3.1             | Microsoft Windows NT Server 3.1                    | 3.1      | http://microsoft.com/winnt/3.1          
 winnt3.5             | Microsoft Windows NT Server 3.5                    | 3.5      | http://microsoft.com/winnt/3.5          
 winnt3.51            | Microsoft Windows NT Server 3.51                   | 3.51     | http://microsoft.com/winnt/3.51         
 winnt4.0             | Microsoft Windows NT Server 4.0                    | 4.0      | http://microsoft.com/winnt/4.0          
 winvista             | Microsoft Windows Vista                            | 6.0      | http://microsoft.com/win/vista          
 winxp                | Microsoft Windows XP                               | 5.1      | http://microsoft.com/win/xp             
[staf@vicky ~]$ 

import

We need to import the disk image as an IDE device, since we don’t have the virtio driver in our Windows disk image (yet).

[root@vicky ~]# virt-install --name "mywin" --ram 8192 --cpu host --os-variant win10 --vcpu 8 --disk /var/lib/libvirt/images/mywin_combined.qcow2,bus=ide --network bridge=virbr0 --import

Starting install...

(virt-viewer:3361): GSpice-WARNING **: 16:49:26.546: Warning no automount-inhibiting implementation available

Install the virtio drivers and QXL graphics drivers

Get them…

Type of virtio drivers

The following virtio Windows drivers are available:

  • block (disk driver)
  • network
  • balloon (dynamic memory management)

The Fedora project provides pre-compiled ISO images containing all the virtio drivers, and floppy installation images for Windows XP.

ISO contents

  • NetKVM/ - Virtio network driver
  • viostor/ - Virtio block driver
  • vioscsi/ - Virtio Small Computer System Interface (SCSI) driver
  • viorng/ - Virtio RNG driver
  • vioser/ - Virtio serial driver
  • Balloon/ - Virtio memory balloon driver
  • qxl/ - QXL graphics driver for Windows 7 and earlier. (build virtio-win-0.1.103-1 and later)
  • qxldod/ - QXL graphics driver for Windows 8 and later. (build virtio-win-0.1.103-2 and later)
  • pvpanic/ - QEMU pvpanic device driver (build virtio-win-0.1.103-2 and later)
  • guest-agent/ - QEMU Guest Agent 32bit and 64bit MSI installers
  • qemupciserial/ - QEMU PCI serial device driver
  • *.vfd VFD floppy images for using during install of Windows XP

Download

The virtio windows driver images are available from https://docs.fedoraproject.org/quick-docs/en-US/creating-windows-virtual-machines-using-virtio-drivers.html

I use Arch Linux and install the virtio-win AUR package with pacaur. You can also download the images directly or use the installation packages of your Linux distribution.

[staf@vicky ~]$ pacaur -S virtio-win
:: Package virtio-win not found in repositories, trying AUR...
:: resolving dependencies...
:: looking for inter-conflicts...

AUR Packages  (1) virtio-win-0.1.149.2-1  

:: Proceed with installation? [Y/n] 
<snip>
  -> Compressing package...
==> Leaving fakeroot environment.
==> Finished making: virtio-win 0.1.149.2-1 (Sat Jun 16 20:00:22 2018)
==> Cleaning up...
:: Installing virtio-win package(s)...
loading packages...
resolving dependencies...
looking for conflicting packages...

Packages (1) virtio-win-0.1.149.2-1

Total Installed Size:  314.84 MiB

:: Proceed with installation? [Y/n] 
(1/1) checking keys in keyring                                         [#######################################] 100%
(1/1) checking package integrity                                       [#######################################] 100%
(1/1) loading package files                                            [#######################################] 100%
(1/1) checking for file conflicts                                      [#######################################] 100%
(1/1) checking available disk space                                    [#######################################] 100%
:: Processing package changes...
(1/1) installing virtio-win                                            [#######################################] 100%
Optional dependencies for virtio-win
    qemu [installed]
:: Running post-transaction hooks...
(1/1) Arming ConditionNeedsUpdate...
[staf@vicky ~]$ ls -l /var/li

This installs the virtio images to /usr/share/virtio/

[staf@vicky ~]$  ls -l /usr/share/virtio/
total 321308
-rw-r--r-- 1 root root 324233216 Jun 16 19:58 virtio-win.iso
-rw-r--r-- 1 root root   2949120 Jun 16 19:58 virtio-win_x86_32.vfd
-rw-r--r-- 1 root root   2949120 Jun 16 19:58 virtio-win_x86_64.vfd
[staf@vicky ~]$ 

virtio-win.iso is the ISO cdrom image containing all the drivers.

Installation

mount the iso image

[screenshot: mount_cdrom_000.png]

Make sure that the cdrom is mounted in windows.

[screenshot: mount_cdrom_000.png]

Install

Open Device Manager

Open Device Manager from the Control Panel or type devmgmt.msc at the command prompt.

[screenshot: mount_cdrom_000.png]

Update the drivers

  • balloon, the balloon driver affects the PCI device
  • vioserial, affects the PCI Simple Communications Controller
  • NetKVM, the network driver affects the Network adapters
  • viostor, the block driver affects the Disk drives

Update the PCI drivers

In Windows 10 the PCI device and the PCI Simple Communications Controller have the missing-driver icon. Right-click the PCI device, select Update driver and click Browse my computer for driver software. Specify the cdrom as the search location and click Next; this installs the Balloon driver.

Do the same for the PCI Simple Communications Controller; this installs the “VirtIO Serial Driver”.

[screenshots: update_pci_000.png, update_pci_001.png, update_pci_002.png, update_pci_003.png]

install the VioStor driver

Add a temporary disk to the virtual machine and use VirtIO as the bus type. In Device Manager you’ll get a new SCSI Controller device; right-click it and update the driver. This installs the Red Hat VirtIO SCSI controller.

[screenshots: install_viostor_000.png, install_viostor_001.png, install_viostor_002.png]

Go to the device settings of your virtual machine, change the Disk bus to VirtIO and shut down your virtual machine.

[screenshot: install_viostor_003.png]

You can remove the temporary disk now or leave it if you can find some use for it…

Make sure that your disk is selected as the bootable device.

[screenshot: install_viostor_004.png]

Start the virtual machine and make sure that the system is bootable.

install the netKVM driver

Update the Device model to virtio.

[screenshot: use_virtio_net_000.png]

Start devmgmt.msc and update the driver as we did before….

[screenshots: install_netkvm_000.png, install_netkvm_001.png]

And verify that your network card works correctly.

[screenshot: install_netkvm_002.png]

install the QXL graphical driver

Update the Microsoft Basic Display Adapter

[screenshots: install_qxl_000.png, install_qxl_001.png, install_qxl_002.png]

After the installation you can change the display resolution.

[screenshot: install_qxl_003.png]

If you want to use higher screen resolutions you need to increase the video RAM.

Have fun!

Links

Nested Virtualization in KVM

KVM

Kernel-based Virtual Machine (KVM) has become the de facto hypervisor on GNU/Linux systems. It performs very well because it uses the CPU virtualization extensions (Intel VT-x or AMD-V). KVM doesn’t emulate hardware itself but uses QEMU for this.

Nested Virtual guest

It’s possible to use nested virtualization, which makes it possible to run a hypervisor inside a KVM virtual machine.

Enabling nested virtualization in KVM

Verify

To verify whether nested virtualization is enabled on your system, check /sys/module/kvm_intel/parameters/nested on Intel systems or /sys/module/kvm_amd/parameters/nested on AMD systems.

[staf@frija ~]$ cat /sys/module/kvm_intel/parameters/nested
N
[staf@frija ~]$ 

Enable

Shutdown all virtual machines

Make sure that there are no virtual machines running.

[root@frija ~]# virsh 
Welcome to virsh, the virtualization interactive terminal.

Type:  'help' for help with commands
       'quit' to quit

virsh # list
 Id    Name                           State
----------------------------------------------------

virsh # 

Unload KVM

Unload the KVM kernel module.

[root@frija ~]# modprobe -r kvm_intel
[root@frija ~]# 

Load KVM and activate nested

Reload the KVM with the nested feature enabled.

[root@frija ~]# modprobe kvm_intel nested=1
[root@frija ~]# 

Verify

[root@frija ~]# cat /sys/module/kvm_intel/parameters/nested
Y
[root@frija ~]# 

To enable the nested feature permanently, create /etc/modprobe.d/kvm.conf

[root@frija ~]# vi /etc/modprobe.d/kvm.conf

and enable the nested option:

options kvm_intel nested=1

Enabling nested virtualization in the virtual machine

When you log on to a virtual machine and check for the virtualization extensions on the CPU, the flags aren’t available:

[staf@centos7 ~]$ cat /proc/cpuinfo | grep  -i -E "vmx|svm"
[staf@centos7 ~]$ 

To enable nested virtualization in a virtual machine you can either:

  • start virsh, edit the virtual machine and change the CPU line to <cpu mode='host-model' check='partial'/>
  • open virt-manager and select Copy host CPU configuration in the CPU configuration

root@frija ~]# virsh 
Welcome to virsh, the virtualization interactive terminal.

Type:  'help' for help with commands
       'quit' to quit

virsh # list
 Id    Name                           State
----------------------------------------------------
 1     centos7.0                      running

virsh # edit centos7.0 

Change the cpu settings

  <features>
    <acpi/>
    <apic/>
    <vmport state='off'/>
  </features>
  <cpu mode='host-model' check='partial'>
    <model fallback='allow'/>
  </cpu>

Shutdown the virtual machine

virsh # reboot centos7.0 
Domain centos7.0 is being rebooted

virsh # 

Start the virtual machine

virsh # start centos7.0  
Domain centos7.0 started

Verify that the feature policies on the cpu are updated.

virsh # dumpxml centos7.0 
 <cpu mode='custom' match='exact' check='full'>
    <model fallback='forbid'>Haswell-noTSX-IBRS</model>
    <vendor>Intel</vendor>
    <feature policy='require' name='vme'/>
    <feature policy='require' name='ss'/>
    <feature policy='require' name='f16c'/>
    <feature policy='require' name='rdrand'/>
    <feature policy='require' name='hypervisor'/>
    <feature policy='require' name='arat'/>
    <feature policy='require' name='tsc_adjust'/>
    <feature policy='require' name='xsaveopt'/>
    <feature policy='require' name='pdpe1gb'/>
    <feature policy='require' name='abm'/>
    <feature policy='require' name='ibpb'/>
 </cpu>

Log on to the virtual machine and verify the CPU flags:

[staf@centos7 ~]$ cat /proc/cpuinfo | grep -i vmx
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl xtopology eagerfpu pni pclmulqdq vmx ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid xsaveopt ibpb ibrs arat spec_ctrl
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl xtopology eagerfpu pni pclmulqdq vmx ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid xsaveopt ibpb ibrs arat spec_ctrl
[staf@centos7 ~]$ cat /proc/cpuinfo | grep  -i "vmx|svm"
[staf@centos7 ~]$ cat /proc/cpuinfo | grep  -i -E "vmx|svm"
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl xtopology eagerfpu pni pclmulqdq vmx ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid xsaveopt ibpb ibrs arat spec_ctrl
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl xtopology eagerfpu pni pclmulqdq vmx ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid xsaveopt ibpb ibrs arat spec_ctrl

Execute virt-host-validate:

[staf@centos7 ~]$ virt-host-validate
  QEMU: Checking for hardware virtualization                                 : PASS
  QEMU: Checking if device /dev/kvm exists                                   : PASS
  QEMU: Checking if device /dev/kvm is accessible                            : PASS
  QEMU: Checking if device /dev/vhost-net exists                             : PASS
  QEMU: Checking if device /dev/net/tun exists                               : PASS
  QEMU: Checking for cgroup 'memory' controller support                      : PASS
  QEMU: Checking for cgroup 'memory' controller mount-point                  : PASS
  QEMU: Checking for cgroup 'cpu' controller support                         : PASS
  QEMU: Checking for cgroup 'cpu' controller mount-point                     : PASS
  QEMU: Checking for cgroup 'cpuacct' controller support                     : PASS
  QEMU: Checking for cgroup 'cpuacct' controller mount-point                 : PASS
  QEMU: Checking for cgroup 'cpuset' controller support                      : PASS
  QEMU: Checking for cgroup 'cpuset' controller mount-point                  : PASS
  QEMU: Checking for cgroup 'devices' controller support                     : PASS
  QEMU: Checking for cgroup 'devices' controller mount-point                 : PASS
  QEMU: Checking for cgroup 'blkio' controller support                       : PASS
  QEMU: Checking for cgroup 'blkio' controller mount-point                   : PASS
  QEMU: Checking for device assignment IOMMU support                         : WARN (No ACPI DMAR table found, IOMMU either disabled in BIOS or not supported by this hardware platform)
   LXC: Checking for Linux >= 2.6.26                                         : PASS
   LXC: Checking for namespace ipc                                           : PASS
   LXC: Checking for namespace mnt                                           : PASS
   LXC: Checking for namespace pid                                           : PASS
   LXC: Checking for namespace uts                                           : PASS
   LXC: Checking for namespace net                                           : PASS
   LXC: Checking for namespace user                                          : PASS
   LXC: Checking for cgroup 'memory' controller support                      : PASS
   LXC: Checking for cgroup 'memory' controller mount-point                  : PASS
   LXC: Checking for cgroup 'cpu' controller support                         : PASS
   LXC: Checking for cgroup 'cpu' controller mount-point                     : PASS
   LXC: Checking for cgroup 'cpuacct' controller support                     : PASS
   LXC: Checking for cgroup 'cpuacct' controller mount-point                 : PASS
   LXC: Checking for cgroup 'cpuset' controller support                      : PASS
   LXC: Checking for cgroup 'cpuset' controller mount-point                  : PASS
   LXC: Checking for cgroup 'devices' controller support                     : PASS
   LXC: Checking for cgroup 'devices' controller mount-point                 : PASS
   LXC: Checking for cgroup 'blkio' controller support                       : PASS
   LXC: Checking for cgroup 'blkio' controller mount-point                   : PASS
   LXC: Checking if device /sys/fs/fuse/connections exists                   : FAIL (Load the 'fuse' module to enable /proc/ overrides)
[staf@centos7 ~]$ 

Have fun

32 Bits Matters!

pfsense 2.3

My firewall is a pcengines alix.

It was running pfsense and I was quite happy about it. Pfsense dropped support for 32 bits in their pfsense 2.4 release.

This would have left me with an unsupported firewall, which was one of the reasons to use pfsense instead of a closed-source commercial router in the first place.

I could have moved to a new firewall like the pcengines apu but there is no reason to replace hardware that works fine.

The nice thing about open-source software is that we have options: if a piece of software doesn’t match your use case, there are other options to choose from.

OPNsense

So I decided to give opnsense a try. OPNsense is a fork of pfsense, both are a fork of m0n0wall.

swapspace

My firewall only has 256 MB of memory which is a bit low even for a firewall.

The OPNsense developers made it very easy to add swapspace from the GUI. To add swap space go to [ System ] > [ Miscellaneous ] and activate the [ Add a 2 GB swap file to the system ] checkbox.

I’m very satisfied with the upgrade from pfsense to OPNsense. OPNsense has a new release every month, which is nice for getting the latest security updates, and it’s possible to audit the system for security updates from the GUI.

DuckDns

I moved from ADSL with a fixed IP address to a VDSL line with a dynamic IP address, so I was looking for a good free dynamic DNS provider and settled on duckdns.

Have fun

How to Start DLM Monitoring on a VDSL Line in Belgium

In Belgium/Flanders we have two main internet line providers:

  • telenet, the cable network provider.
  • proximus, the telephone network provider.

On the telephone network there are alternative internet providers, but they use the proximus network.

I switched my internet connection from ADSL to VDSL and switched to a new provider (edpnet). The internet speed was below expectations and my modem reported errors on the line. After fixing the internal phone cabling in my apartment I wanted to retrigger the DLM monitoring.

The process is explained in this post at userbase.be: https://userbase.be/forum/viewtopic.php?t=48767

To start the DLM monitoring in Belgium you need to call 0800 22 424 and type in your line number. If you don’t have a proximus phone number, the line number is not the same as your phone number. To get your line number, connect an analog phone to your line and call 1924; your line number will be read aloud.

Have fun

High Screen Resolution on a KVM Virtual Machine With QXL

When you create a new KVM virtual machine, the video RAM is limited to 16MB by default; to use a higher screen resolution you need to increase the video RAM. The resolutions reported by the virtual screen may also not include the one you want to use.

You’ll find my journey to enable higher screen resolutions in my KVM (qemu) virtual systems below.

Ubuntu 16.04

There is an issue with Ubuntu 16.04 and the latest HWE kernel (https://wiki.ubuntu.com/Kernel/LTSEnablementStack): even a full HD resolution (1920 x 1080) is not available if you have the latest HWE kernel on your system.

To resolve this issue you can uninstall the latest kernel or install the LTS kernel.

Install the LTS Kernel

staf@ubuntu:~$ sudo apt-get install linux-generic-lts-xenial
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  linux-generic linux-headers-4.4.0-119 linux-headers-4.4.0-119-generic linux-headers-generic
  linux-image-4.4.0-119-generic linux-image-extra-4.4.0-119-generic linux-image-generic
Suggested packages:
  fdutils linux-doc-4.4.0 | linux-source-4.4.0 linux-tools
The following NEW packages will be installed:
  linux-generic linux-generic-lts-xenial linux-headers-4.4.0-119 linux-headers-4.4.0-119-generic
  linux-headers-generic linux-image-4.4.0-119-generic linux-image-extra-4.4.0-119-generic linux-image-generic
0 upgraded, 8 newly installed, 0 to remove and 0 not upgraded.
Need to get 69,3 MB of archives.
After this operation, 301 MB of additional disk space will be used.
Do you want to continue? [Y/n] 
<snip>
Setting up linux-image-generic (4.4.0.119.125) ...
Setting up linux-headers-4.4.0-119 (4.4.0-119.143) ...
Setting up linux-headers-4.4.0-119-generic (4.4.0-119.143) ...
Setting up linux-headers-generic (4.4.0.119.125) ...
Setting up linux-generic (4.4.0.119.125) ...
Setting up linux-generic-lts-xenial (4.4.0.119.125) ...
staf@ubuntu:~$ 

Remove the HWE kernel

staf@ubuntu:~$ sudo apt-get purge linux-image-4.13*
Reading package lists... Done
Building dependency tree       
Reading state information... Done
<snip>
done
The link /vmlinuz.old is a damaged link
Removing symbolic link vmlinuz.old 
 you may need to re-run your boot loader[grub]
The link /initrd.img.old is a damaged link
Removing symbolic link initrd.img.old 
 you may need to re-run your boot loader[grub]
Purging configuration files for linux-image-4.13.0-38-generic (4.13.0-38.43~16.04.1) ...
Examining /etc/kernel/postrm.d .
run-parts: executing /etc/kernel/postrm.d/initramfs-tools 4.13.0-38-generic /boot/vmlinuz-4.13.0-38-generic
run-parts: executing /etc/kernel/postrm.d/zz-update-grub 4.13.0-38-generic /boot/vmlinuz-4.13.0-38-generic

Cleanup

staf@ubuntu:~$ sudo apt autoremove
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages will be REMOVED:
  linux-headers-4.13.0-36 linux-headers-4.13.0-36-generic linux-headers-generic-hwe-16.04
0 upgraded, 0 newly installed, 3 to remove and 0 not upgraded.
After this operation, 83,1 MB disk space will be freed.
Do you want to continue? [Y/n] 
(Reading database ... 234149 files and directories currently installed.)
Removing linux-headers-4.13.0-36-generic (4.13.0-36.40~16.04.1) ...
Removing linux-headers-4.13.0-36 (4.13.0-36.40~16.04.1) ...
Removing linux-headers-generic-hwe-16.04 (4.13.0.38.57) ...
staf@ubuntu:~$ 

Reboot

After a reboot, higher resolutions are possible on Ubuntu 16.04.

Increase the video RAM

Required video ram

When you create a new KVM virtual machine it has 16MB of video RAM. Below you’ll find the calculation of the required video RAM for a 4k resolution (3840 x 2160) at 32 bits per pixel.

3840 x 2160 = 8294400
8294400 x 32 = 265420800
265420800 / 8 = 33177600
33177600 / (1024*1024) = 31.640625 MB

So 32 MB video ram is enough for a 4k resolution, to take some overhead into account we’ll increase the video ram to 64 MB.

list the domains

[swagemakers@staflaptop ~]$ sudo virsh
Welcome to virsh, the virtualization interactive terminal.

Type:  'help' for help with commands
       'quit' to quit

virsh # list --all
 Id    Name                           State
----------------------------------------------------
 -     centos7.0                      shut off
 -     debian                         shut off
 -     fedora27                       shut off

virsh # 

edit the domain settings

virsh # edit --domain debian

update the video memory settings

<video>
  <model type='qxl' ram='65536' vram='65536' vgamem='16384' heads='1' primary='yes'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
</video>
<redirdev bus='usb' type='spicevmc'>

to

<video>
  <model type='qxl' ram='65536' vram='65536' vgamem='65536' heads='1' primary='yes'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
</video>

xrandr

Even with the additional RAM, higher resolutions aren’t possible (yet): the virtual screen doesn’t report the higher screen resolutions. It’s possible to add the higher screen resolution with xrandr.

display current settings
staf@debian:~$ xrandr 
Screen 0: minimum 320 x 200, current 1920 x 1080, maximum 8192 x 8192
Virtual-0 connected primary 1920x1080+0+0 0mm x 0mm
   1024x768      59.95 +
   1920x1200     59.95  
   1920x1080     60.00* 
   1600x1200     59.95  
   1680x1050     60.00  
   1400x1050     60.00  
   1280x1024     59.95  
   1440x900      59.99  
   1280x960      59.99  
   1280x854      59.95  
   1280x800      59.96  
   1280x720      59.97  
   1152x768      59.95  
   800x600       59.96  
   848x480       59.94  
   720x480       59.94  
   640x480       59.94  
Virtual-1 disconnected
Virtual-2 disconnected
Virtual-3 disconnected
staf@debian:~$ 
get the modeline
staf@debian:~$ cvt 2560 1440 
# 2560x1440 59.96 Hz (CVT 3.69M9) hsync: 89.52 kHz; pclk: 312.25 MHz
Modeline "2560x1440_60.00"  312.25  2560 2752 3024 3488  1440 1443 1448 1493 -hsync +vsync
staf@debian:~$ 
create the new mode line
staf@debian:~$ xrandr --newmode "2560x1440_60.00"  312.25  2560 2752 3024 3488  1440 1443 1448 1493 -hsync +vsync
staf@debian:~$ 
add the mode to your screen
staf@debian:~$ xrandr --addmode Virtual-0 2560x1440_60.00
staf@debian:~$ 
use the new mode
staf@debian:~$ xrandr --output Virtual-0 --mode 2560x1440_60.00
staf@debian:~$ 
4k

To use a 4k resolution you can use the commands:

staf@debian:~$  cvt 3840 2160
# 3840x2160 59.98 Hz (CVT 8.29M9) hsync: 134.18 kHz; pclk: 712.75 MHz
Modeline "3840x2160_60.00"  712.75  3840 4160 4576 5312  2160 2163 2168 2237 -hsync +vsync
staf@mydevolo:~$ xrandr --newmode "3840x2160_60.00"  712.75  3840 4160 4576 5312  2160 2163 2168 2237 -hsync +vsync
staf@mydevolo:~$ xrandr --addmode Virtual-0 3840x2160_60.00
staf@mydevolo:~$ xrandr --output Virtual-0 --mode 3840x2160_60.00
staf@mydevolo:~$ 

Add the new screen resolution permanently

Debian & Co

Create a monitor configuration file in /usr/share/X11/xorg.conf.d

root@mydevolo:/usr/share/X11/xorg.conf.d# vi 10-monitor.conf

And add the modeline for your screen resolution. With the Option “PreferredMode” you can set the preferred resolution.

Section "Monitor"
    Identifier "Virtual-0"
    Modeline "2560x1440_60.00"  312.25  2560 2752 3024 3488  1440 1443 1448 1493 -hsync +vsync
    Modeline "3840x2160_60.00"  712.75  3840 4160 4576 5312  2160 2163 2168 2237 -hsync +vsync
    Option "PreferredMode" "2560x1440_60.00"
EndSection

Other GNU/Linux distros

Most other GNU/Linux distributions use /etc/X11/xorg.conf.d/.
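
The three pieces of this post (the video RAM calculation, the change to the qxl <model> line, and the Monitor section built from cvt output) as shell functions. This is an added example, not from the original post: the function names are mine, the rounding heuristic follows the post (smallest power of two that fits the framebuffer, then doubled for overhead), and the Modeline format is cvt’s as shown above.

```shell
#!/bin/sh
# Added example, not from the original post: the video-RAM calculation as a
# function, a guarded edit of the qxl <model> line in a dumped domain XML,
# and generation of the xorg.conf.d Monitor section from cvt output.
# Function names are my own; the XML attributes and Modeline format are
# those shown in the post.

# Framebuffer size in KiB for WIDTH x HEIGHT at DEPTH bits per pixel.
framebuffer_kib() {
    echo $(( $1 * $2 * $3 / 8 / 1024 ))
}

# The post's heuristic: smallest power of two (in KiB) that holds the 32 bpp
# framebuffer, then doubled for overhead (32 MiB -> 64 MiB for 4k).
vgamem_kib_for() {
    need=$(framebuffer_kib "$1" "$2" 32)
    size=1024
    while [ "$size" -lt "$need" ]; do size=$(( size * 2 )); done
    echo $(( size * 2 ))
}

# Rewrite vgamem= on the qxl <model> line of a domain XML file (as written
# by 'virsh dumpxml'). Refuses unless exactly one qxl model line is present,
# so a multi-head or non-qxl domain is not silently mangled.
set_qxl_vgamem() {
    xml=$1; kib=$2
    n=$(grep -c "<model type='qxl'" "$xml" || true)
    if [ "$n" -ne 1 ]; then
        echo "expected one qxl model line in $xml, found $n" >&2
        return 1
    fi
    sed -i "/<model type='qxl'/ s/vgamem='[0-9]*'/vgamem='$kib'/" "$xml"
}

# Read the current vgamem value back (used to verify the edit).
qxl_vgamem() {
    sed -n "/<model type='qxl'/ s/.*vgamem='\([0-9]*\)'.*/\1/p" "$1"
}

# Build a Monitor section for OUTPUT from cvt Modeline lines on stdin; the
# first mode becomes the PreferredMode. cvt prints a '#' comment line before
# each Modeline, which is skipped.
monitor_section() {
    awk -v out="$1" '
        /^Modeline/ {
            lines[++n] = "    " $0
            if (n == 1) { name = $2; gsub(/"/, "", name) }
        }
        END {
            print "Section \"Monitor\""
            print "    Identifier \"" out "\""
            for (i = 1; i <= n; i++) print lines[i]
            print "    Option \"PreferredMode\" \"" name "\""
            print "EndSection"
        }'
}
```

Typical use on the host: `virsh dumpxml debian > debian.xml`, then `set_qxl_vgamem debian.xml $(vgamem_kib_for 3840 2160)` and `virsh define debian.xml`. In the guest: `{ cvt 2560 1440; cvt 3840 2160; } | monitor_section Virtual-0 > /usr/share/X11/xorg.conf.d/10-monitor.conf`. For 1920x1080 the heuristic yields 16384 KiB, the libvirt default, which is consistent with the post’s observation that the default only covers full HD.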

Have fun

Postfix Smarthost With Authentication

I used the relay host of my internet provider, but this was causing issues since my email was getting marked as SPAM in gmail.
 
It was already on my to-do list to move my outgoing mail to my mail provider, also to make it easier to move to another ISP or to implement SPF, but it was not at the top of my to-do list.
 
My email provider requires authentication, so I needed to reconfigure postfix in my FreeBSD mail jail to use a relay host with authentication.

Install postfix-sasl

To use authentication with postfix the postfix-sasl package is required. If postfix is already installed it’ll be replaced by postfix-sasl.

root@stafmail:/root # pkg install postfix-sasl

Configuration

Update the relay host

main.cf

relayhost = [smtp.mailprovider.domain]:465
smtp_use_tls=yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/usr/local/etc/postfix/relay_pass
smtp_sasl_security_options =
smtp_tls_wrappermode = yes
smtp_tls_security_level = encrypt

relay_pass

The credentials are in the relay_pass file. The password is stored there in plain text, so we create the file with the correct file permissions first.

root@stafmail:/usr/local/etc/postfix # touch relay_pass
root@stafmail:/usr/local/etc/postfix # chmod 600 relay_pass
root@stafmail:/usr/local/etc/postfix # vi relay_pass
[smtp.mailprovider.domain]:465 user:password

Create the hash file.

root@stafmail:/usr/local/etc/postfix # postmap relay_pass

Verify the file permissions.

root@stafmail:/usr/local/etc/postfix # ls -l relay_pass*
-rw-------  1 root  wheel      60 Feb 23 22:43 relay_pass
-rw-------  1 root  wheel  131072 Feb 23 22:43 relay_pass.db
root@stafmail:/usr/local/etc/postfix # 

Restart

Since we replaced postfix with postfix-sasl, a restart is required.

root@stafmail:/usr/local/etc/postfix # /usr/local/etc/rc.d/postfix restart
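
A check I would run after the configuration above, as an added example that is not part of the original post: it verifies that relay_pass and relay_pass.db are mode 600, that every entry in the map matches the configured relayhost, and it flags smtp_tls_security_level = encrypt, which enforces TLS but does not verify the relay’s certificate (verify or secure does, given smtp_tls_CAfile or smtp_tls_CApath). Function names are mine; the parameter names and the map format are the ones used above.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for the smarthost
# configuration. Function names are my own; the parameter names and the
# relay_pass map format are the ones the post uses. Meant to run on the mail
# host; it can also be pointed at copies of the files.

# Value of a main.cf parameter (first match, whitespace around '=' ignored).
pf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*\)$/\1/p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# The secrets file must not be group/world readable. Uses GNU stat -c with a
# BSD stat -f fallback, since the post's host is FreeBSD.
perm_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = 600 ] || [ "$mode" = 400 ]
}

# Print one finding per line; return non-zero if anything was found.
check_relay() {
    maincf=$1; passfile=$2; rc=0
    relay=$(pf_get "$maincf" relayhost)
    [ -n "$relay" ] || { echo "relayhost not set"; rc=1; }

    # Both the source map and the postmap-generated .db hold the password.
    for f in "$passfile" "$passfile.db"; do
        if [ -e "$f" ] && ! perm_ok "$f"; then
            echo "$f is readable by others (want mode 600)"; rc=1
        fi
    done

    # Each map line is "<host> <user:password>"; the host part must be the
    # same string as relayhost, brackets and port included, or SASL is never
    # attempted for the relay.
    while read -r host cred; do
        case "$host" in ''|'#'*) continue ;; esac
        [ "$host" = "$relay" ] || {
            echo "relay_pass entry for '$host' does not match relayhost '$relay'"; rc=1
        }
        case "$cred" in *:*) ;; *) echo "malformed credentials for '$host'"; rc=1 ;; esac
    done < "$passfile"

    # 'encrypt' mandates TLS but skips certificate verification; 'verify' or
    # 'secure' (with a CA file/path configured) checks the relay's identity.
    case "$(pf_get "$maincf" smtp_tls_security_level)" in
        secure|verify) ;;
        *) echo "smtp_tls_security_level is not verify/secure: relay certificate is not verified"; rc=1 ;;
    esac
    [ "$(pf_get "$maincf" smtp_sasl_auth_enable)" = yes ] || {
        echo "smtp_sasl_auth_enable is not yes"; rc=1
    }
    return $rc
}
```

Run `check_relay /usr/local/etc/postfix/main.cf /usr/local/etc/postfix/relay_pass` after `postmap` and before the restart; `postconf -n` is the authoritative view of the effective settings if main.cf uses includes or overrides.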

Have fun

Update Your CPU Microcode on Arch Linux

Meltdown & spectre

With Meltdown https://nvd.nist.gov/vuln/detail/CVE-2017-5754, Spectre Variant 1 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753 and Spectre Variant 2 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753 out in the wild, there is a lot of confusion going around about updating microcode.

There is a “Spectre & Meltdown Checker” available at https://github.com/speed47/spectre-meltdown-checker

Usage is very easy: just clone the git repository and run the script.

Microcode

Updated microcode isn’t stored permanently in the CPU; it is loaded every time the CPU boots. Normally the BIOS uploads the microcode to the CPU, but this can also be done by the bootloader or by the operating system kernel.

Grub

Normally you get new microcode for your CPU through a BIOS update from your motherboard or computer vendor.

But when your vendor hasn’t released a new BIOS yet, or when you are using old hardware, you might not get a new BIOS with updated microcode.

Luckily, microcode can also be loaded by the bootloader. This way you can get new microcode without a BIOS update, and if the new microcode causes issues you can disable it in the bootloader.

The process for Arch Linux is described at the Arch Wiki https://wiki.archlinux.org/index.php/Microcode

You’ll find my journey to update the microcode on my Arch GNU/Linux system below.

Current microcode

[staf@frija ~]$ dmesg | grep -i microcode
[    2.102649] microcode: sig=0x40661, pf=0x20, revision=0xa
[    2.102981] microcode: Microcode Update Driver: v2.01 <tigran@aivazian.fsnet.co.uk>, Peter Oruba
[staf@frija ~]$ 
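
Added example, not from the original post: a way to pull the loaded microcode signature and revision out of dmesg so the value can be compared before and after installing intel-ucode and rebooting (the revision should go up; the sig identifies the CPU model the update must be for). Function names are mine; the log format is the one in the dmesg output above, and other kernel versions word the line differently.

```shell
#!/bin/sh
# Added example, not from the original post: extract the loaded microcode
# identifiers from dmesg for a before/after comparison. Function names are
# my own; the "sig=..., pf=..., revision=..." format is the one in the post.

# Print "sig pf revision" (hex strings) from microcode lines read on stdin;
# only the first matching line is used.
microcode_ids() {
    sed -n 's/.*microcode: sig=\(0x[0-9a-f]*\), pf=\(0x[0-9a-f]*\), revision=\(0x[0-9a-f]*\).*/\1 \2 \3/p' \
        | head -n 1
}

# Loaded revision as a decimal number, for numeric comparison.
microcode_revision() {
    set -- $(microcode_ids)
    [ -n "$3" ] || return 1
    echo $(( $3 ))
}

# Exit 0 when the running revision is at least EXPECTED (hex or decimal);
# run after the reboot that follows the intel-ucode install.
revision_at_least() {
    have=$(dmesg | microcode_revision) || return 1
    [ "$have" -ge $(( $1 )) ]
}
```

Record `dmesg | microcode_ids` before the update; after the reboot, `revision_at_least 0xNEW` (with the revision the package ships for your sig) tells you whether the bootloader actually applied it.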

Install intel-ucode

[root@vicky ~]# pacman -Syy intel-ucode
:: Synchronizing package databases...
 core                     126.8 KiB  12.4M/s 00:00 [######################] 100%
 extra                   1629.4 KiB  11.4M/s 00:00 [######################] 100%
 community                  4.1 MiB  11.0M/s 00:00 [######################] 100%
 multilib                 167.2 KiB  8.16M/s 00:00 [######################] 100%
resolving dependencies...
looking for conflicting packages...

Packages (1) intel-ucode-20180108-1

Total Download Size:   1.12 MiB
Total Installed Size:  1.55 MiB

:: Proceed with installation? [Y/n] y
:: Retrieving packages...
 intel-ucode-2018010...  1145.0 KiB   916K/s 00:01 [######################] 100%
(1/1) checking keys in keyring                     [######################] 100%
(1/1) checking package integrity                   [######################] 100%
(1/1) loading package files                        [######################] 100%
(1/1) checking for file conflicts                  [######################] 100%
(1/1) checking available disk space                [######################] 100%
:: Processing package changes...
(1/1) installing intel-ucode                       [######################] 100%
:: Running post-transaction hooks...
(1/1) Arming ConditionNeedsUpdate...
[root@vicky ~]# 

Verify the available microcode for your CPU

[staf@frija ~]$ yaourt  iucode-tool
1 aur/iucode-tool 2.2-1 (59) (4.87)
    Tool to manipulate Intel® IA-32/X86-64 microcode bundles
==> Enter n° of packages to be installed (e.g., 1 2 3 or 1-3)
==> ----------------------------------------------------------
==> 1


==> Downloading iucode-tool PKGBUILD from AUR...
x .SRCINFO
x PKGBUILD
oxe commented on 2017-10-01 17:50          
issue with pgp key and have tried various times and not sure what I might be doing wrong but why do you have so many self-signed sigs?

gpg --keyserver hkps.pool.sks-keyservers.net  --recv-keys C467A717507BBAFED3C160920BD9E81139CB4807

uid  Henrique de Moraes Holschuh hmh@debian.org
sig!3        0BD9E81139CB4807 2012-06-26  [self-signature]
uid  Henrique de Moraes Holschuh hmh@hmh.eng.br
sig!3        0BD9E81139CB4807 2012-06-26  [self-signature]
sub  A4B9D9AFC03142CD
sig!         0BD9E81139CB4807 2012-06-26  [self-signature]
sub  981C05C79F47CF26
sig!         0BD9E81139CB4807 2012-06-26  [self-signature]
sub  9137FBD3DE6F0A93
sig!         0BD9E81139CB4807 2014-03-23  [self-signature]
sub  FFDB99C00EABDE2E
sig!         0BD9E81139CB4807 2014-03-23  [self-signature]
sub  FE11BFA68B158E98
sig!         0BD9E81139CB4807 2016-03-26  [self-signature]
sub  A4B1618F7F267286
sig!         0BD9E81139CB4807 2016-03-26  [self-signature]
key 0BD9E81139CB4807:
6 duplicate signatures removed
45 signatures not checked due to missing keys
gpg: key 0BD9E81139CB4807: "Henrique de Moraes Holschuh hmh@hmh.eng.br" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

please advise

progandy commented on 2017-10-01 18:19             
@oxe: I am not Henrique, so I don't know what he did with his key that it looks this strange, but it doesn't affect the package. The build works, and the signature is properly validated.

Cbhihe commented on 2017-10-10 19:12           
Hi:
During install with '$ makepkg -sric ' I got: a PGP signature error: 

A simplified output follows because I am typing (not copy/pasting) this on a different box than the one (4.13.4.-1-ARCH) where the install took place:

== making package: iucode-tool 2.2-1 (Tue Oct 10...2017)
== Checking runtime dependencies...
== Checking buildtime dependencies...
== Retrieving sources...
downloads ok [...]
== Validating source files with sha256sums...
passed [...]
== Verifying source files with gpg...
iucode-tool_2.2.tar.xz ... FAILED (unknown public key FE11BFA68B158E98)
== ERROR: One or more PGP signatures could not be verified !

Can you explain that unknown PGP public key error ? 
Is it a problem on my side ? 
Please advise. I will be waiting for your response before I actually execute that code. Cheers.

progandy commented on 2017-10-13 15:28             
@Cbhihe: I did not have time and then forgot, sorry. Still, it should be obvious from the previous comments that you need to import the key in your gpg keyring with gpg, as described in the wiki for makepkg [1],[2]

gpg --recv-keys FE11BFA68B158E98
or
gpg --recv-keys C467A717507BBAFED3C160920BD9E81139CB4807
or
gpg --keyserver hkps.pool.sks-keyservers.net --recv-keys C467A717507BBAFED3C160920BD9E81139CB4807

[1]: https://wiki.archlinux.org/index.php/Makepkg#Signature_checking
[2]: https://wiki.archlinux.org/index.php/GnuPG#Use_a_keyserver

Cbhihe commented on 2017-10-14 17:40           
Thank you. Yes it WAS obvious and I had tried 
gpg --recv-keys FE11BFA68B158E98
already, but for some reason I do not get, either the keyring did not register correctly or I screwed up something, or both. 

I have reinstalled the Gnome keyring, re-imported my saved signatures and  
gpg --keyserver hkps.pool.sks-keyservers.net --recv-keys C467A717507BBAFED3C160920BD9E81139CB4807
worked this time. :-)
Cheers.

iucode-tool 2.2-1  (2017-09-13 07:49)
( Unsupported package: Potentially dangerous ! )
==> Edit PKGBUILD ? [Y/n] ("A" to abort)
==> ------------------------------------
==> n

==> iucode-tool dependencies:


==> Continue building iucode-tool ? [Y/n]
==> -------------------------------------
==> 

==> Building and installing package
==> Making package: iucode-tool 2.2-1 (Sun Jan 21 12:48:37 CET 2018)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
  -> Downloading iucode-tool_2.2.tar.xz...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  146k  100  146k    0     0  74948      0  0:00:02  0:00:02 --:--:-- 63193
  -> Downloading iucode-tool_2.2.tar.xz.asc...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   833  100   833    0     0    833      0  0:00:01  0:00:01 --:--:--   478
==> Validating source files with sha256sums...
    iucode-tool_2.2.tar.xz ... Passed
    iucode-tool_2.2.tar.xz.asc ... Skipped
==> Verifying source file signatures with gpg...
    iucode-tool_2.2.tar.xz ... Passed
==> Extracting sources...
  -> Extracting iucode-tool_2.2.tar.xz with bsdtar
==> Starting build()...
checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /usr/bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking whether configure.ac should try to override CFLAGS... no
checking whether configure.ac should try to override LDFLAGS... no
checking for style of include used by make... GNU
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables... 
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking dependency style of gcc... gcc3
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking minix/config.h usability... no
checking minix/config.h presence... no
checking for minix/config.h... no
checking whether it is safe to define __EXTENSIONS__... yes
checking for gcc... (cached) gcc
checking whether we are using the GNU C compiler... (cached) yes
checking whether gcc accepts -g... (cached) yes
checking for gcc option to accept ISO C89... (cached) none needed
checking whether gcc understands -c and -o together... (cached) yes
checking dependency style of gcc... (cached) gcc3
checking for ANSI C header files... (cached) yes
checking fcntl.h usability... yes
checking fcntl.h presence... yes
checking for fcntl.h... yes
checking for stdint.h... (cached) yes
checking for stdlib.h... (cached) yes
checking for string.h... (cached) yes
checking for unistd.h... (cached) yes
checking time.h usability... yes
checking time.h presence... yes
checking for time.h... yes
checking cpuid.h usability... yes
checking cpuid.h presence... yes
checking for cpuid.h... yes
checking whether byte ordering is bigendian... no
checking for inline... inline
checking for int32_t... yes
checking for size_t... yes
checking for ssize_t... yes
checking for uint16_t... yes
checking for uint32_t... yes
checking for uint8_t... yes
checking for stdlib.h... (cached) yes
checking for GNU libc compatible malloc... yes
checking for stdlib.h... (cached) yes
checking for GNU libc compatible realloc... yes
checking whether lstat correctly handles trailing slash... yes
checking whether stat accepts an empty string... no
checking for memset... yes
checking for strcasecmp... yes
checking for strdup... yes
checking for strerror... yes
checking for strrchr... yes
checking for strtoul... yes
checking for timegm... yes
checking for library containing argp_parse... none required
checking for special C compiler options needed for large files... no
checking for _FILE_OFFSET_BITS value needed for large files... no
checking for flockfile... yes
checking for fgets_unlocked... yes
configure: project-wide base CPPFLAGS: -D_FORTIFY_SOURCE=2
configure: project-wide base CFLAGS:   -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong -fno-plt
configure: project-wide base LDFLAGS:  -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating Makefile
config.status: creating iucode_tool.8
config.status: creating iucode_tool_config.h
config.status: executing depfiles commands
make  all-am
make[1]: Entering directory '/home/staf/tmp/yaourt-tmp-staf/aur-iucode-tool/src/iucode-tool-2.2'
gcc -DHAVE_CONFIG_H -I.   -D_FORTIFY_SOURCE=2  -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong -fno-plt -MT intel_microcode.o -MD -MP -MF .deps/intel_microcode.Tpo -c -o intel_microcode.o intel_microcode.c
gcc -DHAVE_CONFIG_H -I.   -D_FORTIFY_SOURCE=2  -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong -fno-plt -MT iucode_tool.o -MD -MP -MF .deps/iucode_tool.Tpo -c -o iucode_tool.o iucode_tool.c
mv -f .deps/intel_microcode.Tpo .deps/intel_microcode.Po
mv -f .deps/iucode_tool.Tpo .deps/iucode_tool.Po
gcc  -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong -fno-plt  -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now -o iucode_tool intel_microcode.o iucode_tool.o  
make[1]: Leaving directory '/home/staf/tmp/yaourt-tmp-staf/aur-iucode-tool/src/iucode-tool-2.2'
==> Entering fakeroot environment...
==> Starting package()...
make[1]: Entering directory '/home/staf/tmp/yaourt-tmp-staf/aur-iucode-tool/src/iucode-tool-2.2'
 /usr/bin/mkdir -p '/home/staf/tmp/yaourt-tmp-staf/aur-iucode-tool/pkg/iucode-tool//usr/bin'
 /usr/bin/mkdir -p '/home/staf/tmp/yaourt-tmp-staf/aur-iucode-tool/pkg/iucode-tool//usr/share/man/man8'
  /usr/bin/install -c iucode_tool '/home/staf/tmp/yaourt-tmp-staf/aur-iucode-tool/pkg/iucode-tool//usr/bin'
 /usr/bin/install -c -m 644 iucode_tool.8 '/home/staf/tmp/yaourt-tmp-staf/aur-iucode-tool/pkg/iucode-tool//usr/share/man/man8'
make[1]: Leaving directory '/home/staf/tmp/yaourt-tmp-staf/aur-iucode-tool/src/iucode-tool-2.2'
==> Tidying install...
  -> Removing libtool files...
  -> Purging unwanted files...
  -> Removing static library files...
  -> Stripping unneeded symbols from binaries and libraries...
  -> Compressing man and info pages...
==> Checking for packaging issue...
==> Creating package "iucode-tool"...
  -> Generating .PKGINFO file...
  -> Generating .BUILDINFO file...
  -> Generating .MTREE file...
  -> Compressing package...
==> Leaving fakeroot environment.
==> Finished making: iucode-tool 2.2-1 (Sun Jan 21 12:48:44 CET 2018)
==> Cleaning up...

==> Continue installing iucode-tool ? [Y/n]
==> [v]iew package contents [c]heck package with namcap
==> ---------------------------------------------------
==> y

loading packages...
resolving dependencies...
looking for conflicting packages...

Packages (1) iucode-tool-2.2-1

Total Installed Size:  0.06 MiB

:: Proceed with installation? [Y/n] y
(1/1) checking keys in keyring                                   [####################################] 100%
(1/1) checking package integrity                                 [####################################] 100%
(1/1) loading package files                                      [####################################] 100%
(1/1) checking for file conflicts                                [####################################] 100%
(1/1) checking available disk space                              [####################################] 100%
:: Processing package changes...
(1/1) installing iucode-tool                                     [####################################] 100%
ldconfig: File /usr/lib/libmlt.so.6.4.0 is empty, not checked.
ldconfig: File /usr/lib/libmlt++.so.6.4.0 is empty, not checked.
ldconfig: File /usr/lib32/libmng.so.2 is empty, not checked.
ldconfig: File /usr/lib32/libmng.so is empty, not checked.
ldconfig: File /usr/lib32/libmng.so.2.0.2 is empty, not checked.
:: Running post-transaction hooks...
(1/1) Arming ConditionNeedsUpdate...
[staf@frija ~]$ 
[root@frija ~]# bsdtar -Oxf /boot/intel-ucode.img | iucode_tool -tb -lS - 
iucode_tool: system has processor(s) with signature 0x00040661
microcode bundle 1: (stdin)
selected microcodes:
  001/143: sig 0x00040661, pf_mask 0x32, 2017-11-20, rev 0x0018, size 25600
[root@frija ~]# 

Recreate grub.cfg

grub-mkconfig will detect the microcode image and add it to the grub configuration.

[root@vicky ~]# grub-mkconfig -o /boot/grub/grub.cfg
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-linux-lts
Found initrd image(s) in /boot: intel-ucode.img initramfs-linux-lts.img
Found fallback initrd image(s) in /boot: intel-ucode.img initramfs-linux-lts-fallback.img
Found linux image: /boot/vmlinuz-linux-hardened
Found initrd image(s) in /boot: intel-ucode.img initramfs-linux-hardened.img
Found fallback initrd image(s) in /boot: intel-ucode.img initramfs-linux-hardened-fallback.img
Found linux image: /boot/vmlinuz-linux-ck
Found initrd image(s) in /boot: intel-ucode.img initramfs-linux-ck.img
Found fallback initrd image(s) in /boot: intel-ucode.img initramfs-linux-ck-fallback.img
Found linux image: /boot/vmlinuz-linux
Found initrd image(s) in /boot: intel-ucode.img initramfs-linux.img
Found fallback initrd image(s) in /boot: intel-ucode.img initramfs-linux-fallback.img
done
[root@vicky ~]# 

When you take a look at the newly created grub.cfg you see that the microcode image is added in front of the regular initramfs on each initrd line. The order matters: the kernel's early loader reads the uncompressed microcode cpio from the start of the initrd, so intel-ucode.img has to stay first. If the new microcode causes issues you can just remove the entry from the grub configuration, keeping in mind that the next grub-mkconfig run adds it again.

[root@vicky ~]# cat /boot/grub/grub.cfg | grep initrd
  initrd  /__active/rootvol/boot/intel-ucode.img /__active/rootvol/boot/initramfs-linux-lts.img
  initrd  /__active/rootvol/boot/intel-ucode.img /__active/rootvol/boot/initramfs-linux-lts-fallback.img
  initrd  /__active/rootvol/boot/intel-ucode.img /__active/rootvol/boot/initramfs-linux-hardened.img
  initrd  /__active/rootvol/boot/intel-ucode.img /__active/rootvol/boot/initramfs-linux-hardened-fallback.img
  initrd  /__active/rootvol/boot/intel-ucode.img /__active/rootvol/boot/initramfs-linux-ck.img
  initrd  /__active/rootvol/boot/intel-ucode.img /__active/rootvol/boot/initramfs-linux-ck-fallback.img
  initrd  /__active/rootvol/boot/intel-ucode.img /__active/rootvol/boot/initramfs-linux.img
  initrd  /__active/rootvol/boot/intel-ucode.img /__active/rootvol/boot/initramfs-linux-fallback.img
[root@vicky ~]# 

Reboot your system and verify

[staf@frija ~]$ dmesg | grep -i microcode
[    0.000000] microcode: microcode updated early to revision 0x18, date = 2017-11-20
[    1.852726] microcode: sig=0x40661, pf=0x20, revision=0x18
[    1.853029] microcode: Microcode Update Driver: v2.2.
[staf@frija ~]$ 
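
The post checks the bundle with iucode_tool before the reboot and the loaded revision with dmesg after it. The script below, added here and not part of the original post, automates that comparison: it rebuilds the CPU signature from the family/model/stepping fields of /proc/cpuinfo, looks up the matching entry in the iucode_tool listing and reports whether the loaded revision is current, outdated (the early load did not happen), newer than the bundle, or missing from it. The embedded /proc/cpuinfo and iucode_tool texts are constructed samples chosen to match the machine in the post (sig 0x40661, rev 0x18); on a live system feed it the real /proc/cpuinfo and the bsdtar | iucode_tool output instead.

```shell
#!/bin/sh
# Added example, not code from the original post: compare the microcode
# revision the kernel reports for the running CPU with the revision the
# intel-ucode.img bundle carries for that CPU's signature.  "outdated" means
# the early load from the initrd did not happen (wrong initrd order, stale
# grub.cfg); "newer" usually means the firmware already ships a later revision.
#
# All inputs are plain text, so the functions accept either live data
#   /proc/cpuinfo   and   bsdtar -Oxf /boot/intel-ucode.img | iucode_tool -tb -lS -
# or the constructed samples below (values match the post).

SAMPLE_CPUINFO='processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 70
stepping : 1
microcode : 0x18'

SAMPLE_IUCODE='iucode_tool: system has processor(s) with signature 0x00040661
microcode bundle 1: (stdin)
selected microcodes:
  001/143: sig 0x00040661, pf_mask 0x32, 2017-11-20, rev 0x0018, size 25600'

# cpuinfo_field TEXT NAME: value of the first "NAME : value" line in TEXT.
cpuinfo_field() {
    printf '%s\n' "$1" | awk -F: -v key="$2" '
        $1 ~ ("^" key "[ \t]*$") { sub(/^[ \t]+/, "", $2); print $2; exit }'
}

# cpu_signature FAMILY MODEL STEPPING (decimal, as /proc/cpuinfo prints them)
# rebuilds the CPUID(1).EAX signature that iucode_tool and dmesg show.
# EAX layout: stepping[3:0] model[7:4] family[11:8] ext_model[19:16] ext_family[27:20].
# /proc/cpuinfo has already added ext_family into "cpu family" and folded
# ext_model into "model", so split them apart again.
cpu_signature() {
    fam=$1 mod=$2 step=$3
    if [ "$fam" -ge 15 ]; then ext_fam=$((fam - 15)); fam=15; else ext_fam=0; fi
    ext_mod=$((mod >> 4)); mod=$((mod & 15))
    printf '0x%08x\n' $(( (ext_fam << 20) | (ext_mod << 16) | (fam << 8) | (mod << 4) | step ))
}

running_signature() {
    cpu_signature "$(cpuinfo_field "$1" 'cpu family')" \
                  "$(cpuinfo_field "$1" 'model')" \
                  "$(cpuinfo_field "$1" 'stepping')"
}

running_revision() { cpuinfo_field "$1" 'microcode'; }

# bundle_entry TEXT SIG: prints "rev pf_mask" of the selected microcode whose
# sig equals SIG, or nothing if the bundle has no entry for this CPU.
bundle_entry() {
    want=$(($2))
    printf '%s\n' "$1" | awk '
        /^ *[0-9]+\/[0-9]+: sig / {
            for (i = 1; i < NF; i++) {
                if ($i == "sig")     sig = $(i + 1)
                if ($i == "pf_mask") pf  = $(i + 1)
                if ($i == "rev")     rev = $(i + 1)
            }
            gsub(/,/, "", sig); gsub(/,/, "", pf); gsub(/,/, "", rev)
            print sig, rev, pf
        }' |
    while read -r sig rev pf; do
        if [ "$((sig))" -eq "$want" ]; then printf '%s %s\n' "$rev" "$pf"; break; fi
    done
}

# pf_in_mask PF PF_MASK: the platform id the kernel prints (dmesg: "pf=0x20")
# must share a bit with the entry's pf_mask, or the CPU refuses that microcode.
pf_in_mask() { [ $(( $1 & $2 )) -ne 0 ]; }

# microcode_status CPUINFO_TEXT IUCODE_TEXT prints one of:
#   current  - loaded revision equals the bundle's revision
#   outdated - bundle is newer than what is loaded: the early load did not happen
#   newer    - loaded revision is newer than the bundle (e.g. from the firmware)
#   missing  - bundle has no entry for this CPU signature
microcode_status() {
    sig=$(running_signature "$1")
    loaded=$(running_revision "$1")
    entry=$(bundle_entry "$2" "$sig")
    if [ -z "$entry" ]; then echo missing; return 0; fi
    bundled=${entry%% *}
    if   [ $((loaded)) -eq $((bundled)) ]; then echo current
    elif [ $((loaded)) -lt $((bundled)) ]; then echo outdated
    else echo newer
    fi
}

# Live use on an Arch box (root needed to read /boot):
#   microcode_status "$(cat /proc/cpuinfo)" \
#       "$(bsdtar -Oxf /boot/intel-ucode.img | iucode_tool -tb -lS -)"
echo "sample: $(microcode_status "$SAMPLE_CPUINFO" "$SAMPLE_IUCODE")"
```

A loaded revision below the bundled one after a reboot is the case worth alarming on: the image is on disk but never reached the CPU, which is exactly what a wrong initrd order in grub.cfg produces.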

Have fun

Bacula on FreeBSD (Part 3 Storage Setup)


I finally got the time to continue with my bacula backup setup. See my previous posts about the start of my bacula setup.

Storage setup

I created a new zfs pool “bigpool” with some old hard disks; I probably need to replace them with bigger hard disks in the future.

zfs filesystem

First we create a zfs filesystem for our bacula storage.

root@rataplan:~ # zfs create bigpool/bacula
root@rataplan:~ # 

delegate to jail

jailed

We want to use the zfs dataset in the bacula jail, so we delegate control of the dataset to the bacula jail.

root@rataplan:~ # zfs set jailed=on bigpool/bacula
root@rataplan:~ # zfs jail stafbacula bigpool/bacula

verify

When we log on to the jail we see that the zfs dataset is available.

root@rataplan:~ # ezjail-admin console stafbacula
Last login: Wed Dec 27 10:52:27 on pts/2
FreeBSD 11.1-RELEASE-p4 (GENERIC) #0: Tue Nov 14 06:12:40 UTC 2017

Welcome to FreeBSD!

Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories:   https://www.FreeBSD.org/security/
FreeBSD Handbook:      https://www.FreeBSD.org/handbook/
FreeBSD FAQ:           https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums:        https://forums.FreeBSD.org/

Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with:  pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.

Show the version of FreeBSD installed:  freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages:  man man
FreeBSD directory layout:      man hier

Edit /etc/motd to change this login announcement.
You have new mail.
root@stafbacula:~ # zfs list
NAME             USED  AVAIL  REFER  MOUNTPOINT
bigpool         1.14M   433G    23K  /bigpool
bigpool/bacula    23K   433G    23K  /bigpool/bacula
root@stafbacula:~ # 

When we restart the jail we see that the dataset isn’t available anymore in the jail.

root@stafbacula:~ # logout
root@rataplan:~ # /usr/local/etc/rc.d/ezjail restart stafbacula
Stopping jails: stafbacula.
Starting jails: stafbacula.
/etc/rc.d/jail: WARNING: Per-jail configuration via jail_* variables  is obsolete.  Please consider migrating to /etc/jail.conf.
root@rataplan:~ # ezjail-admin console stafbacula
Last login: Wed Dec 27 10:58:33 on pts/2
FreeBSD 11.1-RELEASE-p4 (GENERIC) #0: Tue Nov 14 06:12:40 UTC 2017

Welcome to FreeBSD!

Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories:   https://www.FreeBSD.org/security/
FreeBSD Handbook:      https://www.FreeBSD.org/handbook/
FreeBSD FAQ:           https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums:        https://forums.FreeBSD.org/

Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with:  pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.

Show the version of FreeBSD installed:  freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages:  man man
FreeBSD directory layout:      man hier

Edit /etc/motd to change this login announcement.
You have new mail.
root@stafbacula:~ # zfs list
no datasets available
root@stafbacula:~ # 

make persistent

enable zfs in the jail

When the jail boots it needs to bring the zfs filesystem online, so we add zfs_enable="YES" to the jail’s rc.conf.

root@rataplan:~ # vi /usr/jails/stafbacula/etc/rc.conf

bacula_dir="start"
bacula_dir_enable="yes"
zfs_enable="YES"

update the ezjail configuration

ezjail needs to attach (zfs jail) the dataset to the jail every time it starts the jail.

root@rataplan:~ # vi /usr/local/etc/ezjail/stafbacula

We need to add the dataset to the jail’s zfs_datasets. By default a jail isn’t allowed to mount ZFS datasets, so the jail’s parameters have to be updated as well: allow.mount.zfs only takes effect together with allow.mount and an enforce_statfs value lower than 2 (see jail(8)).

export jail_stafbacula_zfs_datasets="bigpool/bacula"
export jail_stafbacula_parameters="enforce_statfs=0 allow.mount=1 allow.mount.zfs=1 allow.mount.procfs=1 allow.mount.devfs=1"

Restart the jail and verify that the zfs filesystem is available inside the jail

root@rataplan:~ # ezjail-admin restart stafbacula
Stopping jails: stafbacula.
Starting jails: stafbacula.
/etc/rc.d/jail: WARNING: Per-jail configuration via jail_* variables  is obsolete.  Please consider migrating to /etc/jail.conf.
root@rataplan:~ # 

Verify that dataset is mounted

root@rataplan:~ # ezjail-admin console stafbacula
Last login: Wed Dec 27 11:36:04 on pts/2
FreeBSD 11.1-RELEASE-p4 (GENERIC) #0: Tue Nov 14 06:12:40 UTC 2017

Welcome to FreeBSD!

Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories:   https://www.FreeBSD.org/security/
FreeBSD Handbook:      https://www.FreeBSD.org/handbook/
FreeBSD FAQ:           https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums:        https://forums.FreeBSD.org/

Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with:  pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.

Show the version of FreeBSD installed:  freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages:  man man
FreeBSD directory layout:      man hier

Edit /etc/motd to change this login announcement.
You have new mail.
root@stafbacula:~ # zfs list
NAME             USED  AVAIL  REFER  MOUNTPOINT
bigpool         1.14M   433G    23K  /bigpool
bigpool/bacula    23K   433G    23K  /bigpool/bacula
root@stafbacula:~ # df -h /bigpool/bacula
Filesystem                    Size    Used   Avail Capacity  Mounted on
zroot/usr/jails/stafbacula    2.6T    618M    2.6T     0%    /usr/jails/stafbacula
root@stafbacula:~ # 
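
Two things are worth checking at this point. First, the df output above reports the jail's root dataset (zroot/usr/jails/stafbacula) for /bigpool/bacula, so the dataset is visible to zfs list but not mounted at that path; zfs get -H -o value mounted bigpool/bacula inside the jail answers that directly. Second, the parameter line grants more than the delegation needs. The script below is an added example, not the post's own configuration: it checks a jail_*_parameters string against what jail(8) requires for allow.mount.zfs and lists the surplus grants. POST_PARAMS is the line from the post; MIN_PARAMS is a tightened line assumed by this example.

```shell
#!/bin/sh
# Added example, not the post's configuration: check an ezjail/jail(8)
# parameter string for what ZFS delegation actually needs and flag grants
# that go beyond it.  Per jail(8), allow.mount.zfs only works together with
# allow.mount=1 and enforce_statfs below 2.  enforce_statfs=1 is enough and
# hides mounts outside the jail root; 0 exposes every host mount point to the
# jail.  allow.mount.procfs/devfs are not needed for the delegation shown here.

# Parameter line from the post, and a tightened version (assumption of this example).
POST_PARAMS="enforce_statfs=0 allow.mount=1 allow.mount.zfs=1 allow.mount.procfs=1 allow.mount.devfs=1"
MIN_PARAMS="enforce_statfs=1 allow.mount=1 allow.mount.zfs=1"

# param_value PARAMS NAME: value of NAME in a "k=v k=v ..." string, empty if unset.
param_value() {
    printf '%s\n' "$1" | tr ' ' '\n' | awk -F= -v k="$2" '$1 == k { print $2; exit }'
}

# zfs_delegation_ok PARAMS: succeeds when a jailed dataset can be mounted from
# inside a jail started with these parameters.
zfs_delegation_ok() {
    es=$(param_value "$1" enforce_statfs)
    es=${es:-2}   # jail(8) default when the parameter is absent
    [ "$(param_value "$1" allow.mount)" = 1 ] &&
    [ "$(param_value "$1" allow.mount.zfs)" = 1 ] &&
    [ "$es" -lt 2 ]
}

# excess_grants PARAMS: prints one line per grant wider than ZFS delegation needs.
excess_grants() {
    es=$(param_value "$1" enforce_statfs)
    [ "$es" = 0 ] && echo "enforce_statfs=0: jail sees all host mount points; 1 is enough"
    for p in $1; do
        case $p in
            allow.mount=*|allow.mount.zfs=*|enforce_statfs=*) ;;
            allow.mount.*=1) echo "$p: not needed for zfs delegation" ;;
        esac
    done
    return 0
}

# Usage against the post's line (the equivalent of the ezjail config file's
# export jail_stafbacula_parameters="...").
if zfs_delegation_ok "$POST_PARAMS"; then echo "zfs delegation: ok"; fi
excess_grants "$POST_PARAMS"
```

Check the result inside the jail with zfs get -H -o value mounted,mountpoint bigpool/bacula after the restart: a dataset that shows up in zfs list but reports mounted=no is delegated but not usable yet.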


Model-m Tux Update...


I own a Unicomp model-m keyboard. The keyboard has a nice key feel but it has Windows super key(s).


I don’t use the super key(s) and would prefer a keyboard without them. But if it has super keys, I’d rather have them without the Windows logo, so it was time to replace them with the Tux version.

Pictures

modelm_tux_package.jpg modelm_all_keys.jpg modelm_tux_only.jpg modelm_with_tux_keys.jpg