In a traditional environment, systems are installed from a CDROM. The configuration is executed by the system administrator through the installer. This soon becomes a borning and unpractical task when we need to set up a lot of systems also it is important that systems are configured in same - and hopefully correct - way.
In a traditional environment, this can be automated by booting via BOOTP/PXE boot and configured is by a system that “feeds” the installer. Examples are:
In a cloud environment, we use images to install systems. The system automation is generally done by cloud-init. Cloud-init was originally developed for Ubuntu GNU/Linux on the Amazon EC2 cloud. It has become the de facto installation configuration tool for most Unix like systems on most cloud environments.
Cloud-init uses a YAML file to configure the system.
Images
Most GNU/Linux distributions provide images that can be used to provision a new system.
You can find the complete list on the OpenStack website
[staf@centos7 iso]$ gpg --verify sha256sum.txt.asc
gpg: Signature made Thu 31 Jan 2019 04:28:30 PM CET using RSA key ID F4A80EB5
gpg: Good signature from "CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6341 AB27 53D7 8A78 A7C2 7BB1 24C6 A8A7 F4A8 0EB5
[staf@centos7 iso]$
The key fingerprint must match the one of RPM-GPG-KEY-CentOS-7.
Verify the iso file
1234
[staf@centos7 iso]$ xz -d CentOS-7-x86_64-GenericCloud-1901.qcow2.xz
[staf@centos7 iso]$ sha256sum -c sha256sum.txt.asc 2>&1 | grep OK
CentOS-7-x86_64-GenericCloud-1901.qcow2: OK
[staf@centos7 iso]$
Image
info
The image we download is a normal qcow2 image, we can see the image information with qemu-info
123456789
[root@centos7 iso]# qemu-img info CentOS-7-x86_64-GenericCloud-1901.qcow2
image: CentOS-7-x86_64-GenericCloud-1901.qcow2
file format: qcow2
virtual size: 8.0G (8589934592 bytes)
disk size: 895M
cluster_size: 65536
Format specific information:
compat: 0.10
[root@centos7 iso]#
Copy & resize
The default image is small - 8GB - we might be using the image to provision other systems so it better to leave it untouched.
Copy the image to the location where we’ll run the virtual system.
We’ll create a simple cloud-init configuration file and generate an iso image with cloud-localds. This iso image holds the cloud-init configuration and will be used to setup the system during the bootstrap.
Install cloud-utils
It’s important to NOT install cloud-init on your KVM host machine. This creates a cloud-init service that runs during the boot and tries to reconfigure your host. Something that you probably don’t want on your KVM hypervisor host.
The cloud-util package has all the tool we need to convert the cloud-init configuration files to an iso image.
We’ll create a cloud-init configuration file to update all the packages - which is always a good idea - and to add a user to the system.
A cloud-init configuration file has to start with #cloud-config, remember this is YAML so only use spaces…
We’ll create a password hash that we’ll put into your cloud-init configuration, it’s also possible to use a plain-text password in the configuration with chpasswd or to set the password for the default user. But it’s better to use a hash so nobody can see the password. Keep in mind that is still possible to brute-force the password hash.
Some GNU/Linux distributions have the mkpasswd utility this is not available on centos. The mkpasswd utility is part of the expect package and is something else…
I used a python one-liner to generate the SHA512 password hash
Actually, I got it a couple of months back but I didn’t have time to play with it and it took some time to get some parts from Aliexpress.
The Thinkpad W500 is probably the most powerful system that is compatible with Libreboot, it has a nice high-resolution display with a 1920 x 1200 resolution which is even a higher screen resolution than the Full HD resolution used on most new laptops today.
Binary blobs are bad. Having a closed source binary-only piece of software on your system is not only unacceptable for Free Software activists it also makes it more difficult to review what it really does and makes it more difficult to review it for security concerns.
Having your system vulnerable is also a bad thing of course. Can’t wait to get a computer system with an open CPU architecture like RISC-V.
Preparation
Thinkpad
MAC address
Your MAC address is stored in your BIOS since you’ll overwite the BIOS with Libreboot we need to have the MAC address. Your MAC address is written on Laptop however I recommend to boot from GNU/Linux and copy/paste it from the ifconfig or the ip a command.
EC update
It’s recommended to update your current BIOS to get the latest EC firmware. My system has a CDROM drive I updated the BIOS with a CDROM.
Prepare the Raspberry-pi
It isn’t possible to flash the BIOS with software only on a Lenovo W500/T500, it’s required to put a clip on your BIOS chip and flash the new BIOS with flashrom. I used a Raspberry Pi 1 model B with Raspbian to flash Libreboot .
Enable the SPI port
The SPI port isn’t enabled by default on Raspbian, so we’ll need to enable it.
Open /boot/config.txt in your favorite text editor.
pi@raspberrypi:~ $ sudo apt install git
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
git-man liberror-perl
Suggested packages:
git-daemon-run | git-daemon-sysvinit git-doc git-el git-email git-gui gitk gitweb git-arch git-cvs
git-mediawiki git-svn
The following NEW packages will be installed:
git git-man liberror-perl
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 4,849 kB of archives.
After this operation, 26.4 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://mirror.nl.leaseweb.net/raspbian/raspbian stretch/main armhf liberror-perl all 0.17024-1 [26.9 kB]
Get:2 http://mirror.nl.leaseweb.net/raspbian/raspbian stretch/main armhf git-man all 1:2.11.0-3+deb9u4 [1,433 kB]
Get:3 http://mirror.nl.leaseweb.net/raspbian/raspbian stretch/main armhf git armhf 1:2.11.0-3+deb9u4 [3,390 kB]
Fetched 4,849 kB in 3s (1,517 kB/s)
Selecting previously unselected package liberror-perl.
(Reading database ... 35178 files and directories currently installed.)
Preparing to unpack .../liberror-perl_0.17024-1_all.deb ...
Unpacking liberror-perl (0.17024-1) ...
Selecting previously unselected package git-man.
Preparing to unpack .../git-man_1%3a2.11.0-3+deb9u4_all.deb ...
Unpacking git-man (1:2.11.0-3+deb9u4) ...
Selecting previously unselected package git.
Preparing to unpack .../git_1%3a2.11.0-3+deb9u4_armhf.deb ...
Unpacking git (1:2.11.0-3+deb9u4) ...
Setting up git-man (1:2.11.0-3+deb9u4) ...
Setting up liberror-perl (0.17024-1) ...
Processing triggers for man-db (2.7.6.1-2) ...
Setting up git (1:2.11.0-3+deb9u4) ...
pi@raspberrypi:~ $
root@raspberrypi:~# apt install flashrom
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
libftdi1-2 libpci3
The following NEW packages will be installed:
flashrom libftdi1-2 libpci3
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 454 kB of archives.
After this operation, 843 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://mirror.nl.leaseweb.net/raspbian/raspbian stretch/main armhf libpci3 armhf 1:3.5.2-1 [50.9 kB]
Get:2 http://mirror.nl.leaseweb.net/raspbian/raspbian stretch/main armhf libftdi1-2 armhf 1.3-2 [26.8 kB]
Get:3 http://mirror.nl.leaseweb.net/raspbian/raspbian stretch/main armhf flashrom armhf 0.9.9+r1954-1 [377 kB]
Fetched 454 kB in 4s (108 kB/s)
Selecting previously unselected package libpci3:armhf.
(Reading database ... 34656 files and directories currently installed.)
Preparing to unpack .../libpci3_1%3a3.5.2-1_armhf.deb ...
Unpacking libpci3:armhf (1:3.5.2-1) ...
Selecting previously unselected package libftdi1-2:armhf.
Preparing to unpack .../libftdi1-2_1.3-2_armhf.deb ...
Unpacking libftdi1-2:armhf (1.3-2) ...
Selecting previously unselected package flashrom.
Preparing to unpack .../flashrom_0.9.9+r1954-1_armhf.deb ...
Unpacking flashrom (0.9.9+r1954-1) ...
Setting up libftdi1-2:armhf (1.3-2) ...
Processing triggers for libc-bin (2.24-11+deb9u3) ...
Processing triggers for man-db (2.7.6.1-2) ...
Setting up libpci3:armhf (1:3.5.2-1) ...
Setting up flashrom (0.9.9+r1954-1) ...
Processing triggers for libc-bin (2.24-11+deb9u3) ...
root@raspberrypi:~#
Wiring
Wire diagram
It’s useful to get correct flash chip specs, I used a magnifying loupe and a photo camera to get my chip type. After searching the internet I found a very nice blog post from p1trsonhttps://p1trson.blogspot.com/2017/01/journey-to-freedom-part-ii.html about flashing Libreboot on a Thinkpad T400 with the same Flash chip, I used his wiring diagram. Thanks P1trson!
Power off & wiring
Power off your raspberry-pi and wire your flash clip to the raspberry-pi with the above diagram.
1234
root@raspberrypi:~# poweroff
Connection to pi2 closed by remote host.
Connection to pi2 closed.
[staf@vicky ~]$
flashing
test
Test the connection to your flash chip with flashrom. I needed to specify the spispeed=512 to get the connection established.
123456789101112
root@raspberrypi:~# flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=512
flashrom v0.9.9-r1954 on Linux 4.14.79+ (armv6l)
flashrom is free software, get the source code at https://flashrom.org
Calibrating delay loop... OK.
Found Macronix flash chip "MX25L6405" (8192 kB, SPI) on linux_spi.
Found Macronix flash chip "MX25L6405D" (8192 kB, SPI) on linux_spi.
Found Macronix flash chip "MX25L6406E/MX25L6408E" (8192 kB, SPI) on linux_spi.
Found Macronix flash chip "MX25L6436E/MX25L6445E/MX25L6465E/MX25L6473E" (8192 kB, SPI) on linux_spi.
Multiple flash chip definitions match the detected chip(s): "MX25L6405", "MX25L6405D", "MX25L6406E/MX25L6408E", "MX25L6436E/MX25L6445E/MX25L6465E/MX25L6473E"
Please specify which chip definition to use with the -c <chipname> option.
root@raspberrypi:~#
read old bios
read
Read the original flash twice
1234567891011121314151617
pi@raspberrypi:~ $ sudo flashrom -c "MX25L6405D" -p linux_spi:dev=/dev/spidev0.0,spispeed=512 -r w500bios.rom
flashrom v0.9.9-r1954 on Linux 4.14.79+ (armv6l)
flashrom is free software, get the source code at https://flashrom.org
Calibrating delay loop... OK.
Found Macronix flash chip "MX25L6405D" (8192 kB, SPI) on linux_spi.
Reading flash... done.
pi@raspberrypi:~ $ ls
flashrom test.rom w500bios.rom
pi@raspberrypi:~ $ sudo flashrom -c "MX25L6405D" -p linux_spi:dev=/dev/spidev0.0,spispeed=512 -r w500bios2.rom
flashrom v0.9.9-r1954 on Linux 4.14.79+ (armv6l)
flashrom is free software, get the source code at https://flashrom.org
Calibrating delay loop... OK.
Found Macronix flash chip "MX25L6405D" (8192 kB, SPI) on linux_spi.
Reading flash... done.
pi@raspberrypi:~ $
It always a good idea to verify the gpg signature…
Download the gpg key
1234
pi@raspberrypi:~ $ gpg --recv-keys 0x969A979505E8C5B2
gpg: failed to start the dirmngr '/usr/bin/dirmngr': No such file or directory
gpg: connecting dirmngr at '/run/user/1000/gnupg/S.dirmngr' failed: No such file or directory
gpg: keyserver receive failed: No dirmngr
I needed to install dirmgr separately on my Raspbian installation.
1234567891011121314151617181920
pi@raspberrypi:~ $ sudo apt-get install dirmngr
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
dbus-user-session pinentry-gnome3 tor
The following NEW packages will be installed:
dirmngr
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 547 kB of archives.
After this operation, 963 kB of additional disk space will be used.
Get:1 http://mirror.nl.leaseweb.net/raspbian/raspbian stretch/main armhf dirmngr armhf 2.1.18-8~deb9u3 [547 kB]
Fetched 547 kB in 9s (58.3 kB/s)
Selecting previously unselected package dirmngr.
(Reading database ... 36051 files and directories currently installed.)
Preparing to unpack .../dirmngr_2.1.18-8~deb9u3_armhf.deb ...
Unpacking dirmngr (2.1.18-8~deb9u3) ...
Processing triggers for man-db (2.7.6.1-2) ...
Setting up dirmngr (2.1.18-8~deb9u3) ...
pi@raspberrypi:~ $
Try it again…
123456789
pi@raspberrypi:~ $ gpg --recv-keys 0x969A979505E8C5B2
key 969A979505E8C5B2:
1 signature not checked due to a missing key
gpg: /home/pi/.gnupg/trustdb.gpg: trustdb created
gpg: key 969A979505E8C5B2: public key "Leah Rowe (Libreboot signing key) <info@minifree.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1
pi@raspberrypi:~ $
Verify the signature of the checksum file…
123456789
pi@raspberrypi:~ $ gpg --verify SHA512SUMS.sig
gpg: assuming signed data in 'SHA512SUMS'
gpg: Signature made Wed 07 Sep 2016 23:15:17 BST
gpg: using RSA key 969A979505E8C5B2
gpg: Good signature from "Leah Rowe (Libreboot signing key) <info@minifree.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: CDC9 CAE3 2CB4 B7FC 84FD C804 969A 9795 05E8 C5B2
pi@raspberrypi:~ $
Compare the checksum…
1234567
pi@raspberrypi:~/libreboot $ sha512sum libreboot_r20160907_grub_t500_8mb.tar.xz
5325aef526ab6ca359d6613609a4a2345eee47c6d194094553b53996c413431bccdc345838299b347f47bcba8896dd0a6ed3f9b4c88606ead61c3725b580983b libreboot_r20160907_grub_t500_8mb.tar.xz
pi@raspberrypi:~/libreboot $ grep sha512sum 5325aef526ab6ca359d6613609a4a2345eee47c6d194094553b53996c413431bccdc345838299b347f47bcba8896dd0a6ed3f9b4c88606ead61c3725b580983b
grep: 5325aef526ab6ca359d6613609a4a2345eee47c6d194094553b53996c413431bccdc345838299b347f47bcba8896dd0a6ed3f9b4c88606ead61c3725b580983b: No such file or directory
pi@raspberrypi:~/libreboot $ grep 5325aef526ab6ca359d6613609a4a2345eee47c6d194094553b53996c413431bccdc345838299b347f47bcba8896dd0a6ed3f9b4c88606ead61c3725b580983b SHA512SUMS
5325aef526ab6ca359d6613609a4a2345eee47c6d194094553b53996c413431bccdc345838299b347f47bcba8896dd0a6ed3f9b4c88606ead61c3725b580983b ./rom/grub/libreboot_r20160907_grub_t500_8mb.tar.xz
pi@raspberrypi:~/libreboot $
pi@raspberrypi:~/libreboot $ ./ich9gen --macaddress XX:XX:XX:XX:XX:XX
You selected to change the MAC address in the Gbe section. This has been done.
The modified gbe region has also been dumped as src files: mkgbe.c, mkgbe.h
To use these in ich9gen, place them in src/ich9gen/ and re-build ich9gen.
descriptor and gbe successfully written to the file: ich9fdgbe_4m.bin
Now do: dd if=ich9fdgbe_4m.bin of=libreboot.rom bs=1 count=12k conv=notrunc
(in other words, add the modified descriptor+gbe to your ROM image)
descriptor and gbe successfully written to the file: ich9fdgbe_8m.bin
Now do: dd if=ich9fdgbe_8m.bin of=libreboot.rom bs=1 count=12k conv=notrunc
(in other words, add the modified descriptor+gbe to your ROM image)
descriptor and gbe successfully written to the file: ich9fdgbe_16m.bin
Now do: dd if=ich9fdgbe_16m.bin of=libreboot.rom bs=1 count=12k conv=notrunc
(in other words, add the modified descriptor+gbe to your ROM image)
descriptor successfully written to the file: ich9fdnogbe_4m.bin
Now do: dd if=ich9fdnogbe_4m.bin of=yourrom.rom bs=1 count=4k conv=notrunc
(in other words, add the modified descriptor to your ROM image)
descriptor successfully written to the file: ich9fdnogbe_8m.bin
Now do: dd if=ich9fdnogbe_8m.bin of=yourrom.rom bs=1 count=4k conv=notrunc
(in other words, add the modified descriptor to your ROM image)
descriptor successfully written to the file: ich9fdnogbe_16m.bin
Now do: dd if=ich9fdnogbe_16m.bin of=yourrom.rom bs=1 count=4k conv=notrunc
(in other words, add the modified descriptor to your ROM image)
Insert the mac into your rom
1234567
pi@raspberrypi:~/libreboot $ dd if=ich9fdgbe_8m.bin of=libreboot.rom bs=12k count=1 conv=notrunc
1+0 records in
1+0 records out
12288 bytes (12 kB, 12 KiB) copied, 0.00883476 s, 1.4 MB/s
pi@raspberrypi:~/libreboot $ ls -lh libreboot.rom
-rw-r--r-- 1 pi pi 8.0M Jan 27 09:38 libreboot.rom
pi@raspberrypi:~/libreboot $
## flash it
Flash your Libreboot image to your BIOS.
Make sure that you get the Verifying flash... VERIFIED message, if you don’t get this message try it again until you get it. I needed to do it twice…
1234567891011121314151617181920212223
pi@raspberrypi:~/libreboot $ sudo flashrom -c "MX25L6405D" -p linux_spi:dev=/dev/spidev0.0,spispeed=512 -w libreboot.rom
flashrom v0.9.9-r1954 on Linux 4.14.79+ (armv6l)
flashrom is free software, get the source code at https://flashrom.org
Calibrating delay loop... OK.
Found Macronix flash chip "MX25L6405D" (8192 kB, SPI) on linux_spi.
Reading old flash chip contents... done.
Erasing and writing flash chip... Erase/write done.
Verifying flash... FAILED at 0x000c9f01! Expected=0x6b, Found=0xe9, failed byte count from 0x00000000-0x007fffff: 0x2
Your flash chip is in an unknown state.
Please report this on IRC at chat.freenode.net (channel #flashrom) or
mail flashrom@flashrom.org, thanks!
pi@raspberrypi:~/libreboot $
pi@raspberrypi:~/libreboot $ sudo flashrom -c "MX25L6405D" -p linux_spi:dev=/dev/spidev0.0,spispeed=512 -w libreboot.rom
flashrom v0.9.9-r1954 on Linux 4.14.79+ (armv6l)
flashrom is free software, get the source code at https://flashrom.org
Calibrating delay loop... OK.
Found Macronix flash chip "MX25L6405D" (8192 kB, SPI) on linux_spi.
Reading old flash chip contents... done.
Erasing and writing flash chip... Erase/write done.
Verifying flash... VERIFIED.
pi@raspberrypi:~/libreboot $
The intel wifi card that Lenovo uses on the W500 isn’t supported without a binary blob. With the original Lenovo BIOS you are forced to use certified PCI card. Libreboot doesn’t have this restriction this is another advantage of using an alternative BIOS like Libreboot or Coreboot . I replaced wifi an Atheros from ebay
The Intel core duo is still a captable CPU. Even video playback in Full-HD is possible but it takes already a lot of the CPU and the temperature is increasing during the playback.
I installed thinkfan with a more aggresive cooling profile to keep the CPU temperature under control.
Install thinkfan
1234567891011
[staf@snuffel ~]$ yay -S thinkfan
warning: thinkfan-0.9.3-1 is up to date -- reinstalling
resolving dependencies...
looking for conflicting packages...
Packages (1) thinkfan-0.9.3-1
Total Installed Size: 0.11 MiB
Net Upgrade Size: 0.00 MiB
:: Proceed with installation? [Y/n]
I use a Centos 7 virtual system running as a KVM instance with nested KVM virtualasation enabled. The system requiremensts
The minimun requiremenst are:
8 CPU cores
50 GB of free diskspace
8GB RAM
update ….
Make sure that your system is up-to-update
1234567891011121314151617181920
[staf@openstack ~]$ sudo yum update -y
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for staf:
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: distrib-coffee.ipsl.jussieu.fr
* extras: mirror.in2p3.fr
* updates: centos.mirror.fr.planethoster.net
base | 3.6 kB 00:00:00
extras | 3.4 kB 00:00:00
updates | 3.4 kB 00:00:00
No packages marked for update
[staf@openstack ~]$
Install git
We’ll need git to install the ansible playbooks and the Openstack-Ansible installation scripts.
123456789101112
[staf@openstack ~]$ yum install git
Loaded plugins: fastestmirror
You need to be root to perform this command.
[staf@openstack ~]$ sudo yum install git
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirror.in2p3.fr
* extras: mirror.in2p3.fr
* updates: centos.mirror.fr.planethoster.net
Package git-1.8.3.1-20.el7.x86_64 already installed and latest version
Nothing to do
[staf@openstack ~]$
Ansible….
This is a bit of a pitfail… The Openstack-Ansible bootstrap script will download and install his own version of ansible and create a link to /usr/local/bin. So /usr/local/bin must be in your $PATH. Ansible shouldn’t be installed on your system or if it is installed it shouln’t be executed instead of the ansible version that is builded with Openstack-Ansible.
On most GNU/Linux distributions have /usr/local/bin and /usr/local/sbin is in the $PATH but not on centos, so we’ll need to add it.
[root@openstack ~]# cd /opt/openstack-ansible
[root@openstack openstack-ansible]#
choose you Openstack releases
Openstack has release shedule about every 6 months the current stable release is Rocky. Every Openstack release has his own branch in the git repo. Each Openstack-Ansible release is tagged in the git repo. So either you’ll need checkout Openstack-Ansible release tag or the bracnh. We’ll checkout the Rocky branch.
[root@openstack openstack-ansible]# git checkout stable/rocky
Branch stable/rocky set up to track remote branch stable/rocky from origin.
Switched to a new branch 'stable/rocky'
[root@openstack openstack-ansible]#
Bootstrap ansible
Execute scripts/bootstrap-ansible.sh this will install the required packages and ansible playbooks.
Stubby is a small dns resolver to encrypt your dns traffic, which makes it perfect to increase end-user privacy. Stubby can be integrated into existing dns setups.
DNSmasq is small dns resolver that can cache dns queries and forward dns traffic to other dns servers.
Unbound is fast validating, caching DNS resolver that supports DNS-over-TLS.
Unbound or dnsmaq are not full feature dns servers like BIND.
The main difference beteen Unbound and DNSmasq is that Unbound can talk the the root servers directly while dnsmasq always needs to forward your dns queries to another dns server - your ISP dns server or a public dns servicve like (Quad9, cloudfare, google, …) -
Unbound has build-in support for DNS-over-TLS. DNSmasq needs an external DNS-over-TLS resolver like Stubby.
Which one to use?
It depends - as always -, Stubby can integrating easily in existing dns setups like dnsmasq. Unbound is one package that does it all and is more feature rich compared to DNSmasq.
OPNsense
I use OPNsense as my firewall. Unbound is the default dns resolver on OPNsense so it makes (OPN)sense to use Unbound.
Choose your upstream DNS service
There’re a few public DNS providers that supports DNS-over-tls the best known are Quad9, cloudfare. Quad9 will block malicious domains on the default dns servers 9.9.9.9/149.112.112.10 while 9.9.9.10 has no security blocklist.
In this article we’ll use Quad9 but you could also with cloudfare or another dns provider that you trust and has support for DNS-over-tls.
Enable DNS-over-TLS
You need to configure your firewall to use your upstream dns provider. You also want to make sure your isp dns servers aren’t used.
Sniffing
If you snif the DNS traffic on your firewall tcpdump -i wan_interface udp port 53 you’ll see that the DNS traffic is unencrypted.
Configuration
To enable DNS-over-TLS we’ll need to reconfigure unbound.
Go to [ Services ] -> [Unbound DNS ] -> [General]
And copy/paste the setting below
to Custom options these settings will reconfigure Unbound to forward the dns for the upstream dns servers Quad9 over ssl.
Verify
If you snif the udp traffic on you firewall with tcpdump -i wan_interface udp port 53 you’ll not see any unencrypted traffic anymore - unless not all your clients are configured to use your firewall as the dns server -.
If your snif TCP PORT 853 tcpdump -i vr1 tcp port 853 we’ll see your encrypted dns-over-tls traffic.
General DNS settings
You also want to make sure that your firewall isn’t configure to use an unecrypted DNS server.
Configuration
Go to [ system ] -> [ settings ] -> [ general ] and set the dns servers also make sure that [ ] Allow DNS server list to be overridden by DHCP/PPP on WAN is unchecked.
Verify
You can verify the configuration by logging on to your firewall over ssh and reviewing the contents of /etc/resolv.conf.
In my previous blog article we install on GNU/Linux which is my main desktop operation system. My NAS and the services that are required to be always running are on FreeBSD.
In this arcticle we will setup Stubby - the DNS Privacy Daemon - on FreeBSD.
Jails
FreeBSD jails are verify nice to keep services separated in a secure way.
ezjail
ezjail is a very nice tool for managing FreeBSD jails.
1
root@rataplan:~ # pkg install ezjail
To loopback or not to loopback….
The loopback ip address is mapped to the jail ip address on FreeBSD by default.
There are two options
use the jail ip address, make sure that you setup a firewall rule if you want disable traffic from external.
use a cloned loopback interface; keep in mind that with a cloned interface this interface is shared between your jails.
We’ll use the jail ip address.
create the jail
We create a new jail and we assign the cloned loop interface with a loopback ip address - this loopback ip address must be unique for each for each jail - and outside interface and ip address.
root@rataplan:/usr/local/etc/ezjail # ezjail-admin start stafdns
Starting jails: stafdns.
/etc/rc.d/jail: WARNING: Per-jail configuration via jail_* variables is obsolete. Please consider migrating to /etc/jail.conf.
root@rataplan:/usr/local/etc/ezjail #
console login and install pkg
Logon to the jail and install pkg we might need to configure a dns server or use a proxy sever to install pkg.
1234567891011121314
root@rataplan:/usr/local/etc/ezjail # ezjail-admin console stafdns
root@stafdns:~ # echo "nameserver 9.9.9.9" > /etc/resolv.conf
root@stafdns:~ # pkg
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:11:amd64/quarterly, please wait...
Verifying signature with trusted certificate pkg.freebsd.org.2013102301... done
[stafdns] Installing pkg-1.10.5_1...
[stafdns] Extracting pkg-1.10.5_1: 100%
pkg: not enough arguments
Usage: pkg [-v] [-d] [-l] [-N] [-j <jail name or id>|-c <chroot path>|-r <rootdir>] [-C <configuration file>] [-R <repo config dir>] [-o var=value] [-4|-6] <command> [<args>]
For more information on available commands and options see 'pkg help'.
root@stafdns:~ #
Install stubby
Stubby available in the FreeBSD Ports in the getdns package, …but it isn’t installed when you install the binary package. To install stubby we need to it from source.
dig
To debug dns issues dig a handy tool to have….
12345678910111213141516171819
root@rataplan:/usr/ports/dns/getdns # pkg install bind-tools
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Updating database digests format: 100%
The following 4 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
bind-tools: 9.12.2P1
idnkit: 1.0_7
py27-ply: 3.11
json-c: 0.13
Number of packages to be installed: 4
The process will require 42 MiB more space.
4 MiB to be downloaded.
Proceed with this action? [y/N]: y
Update your ports tree
Physical system
On a physical FreeBSD system execute portsnap fetch and portsnap extract
123456789101112131415
root@rataplan:~ # portsnap fetch
Looking up portsnap.FreeBSD.org mirrors... 6 mirrors found.
Fetching snapshot tag from ec2-eu-west-1.portsnap.freebsd.org... done.
Fetching snapshot metadata... done.
Updating from Sat Sep 8 09:31:35 CEST 2018 to Sun Sep 9 09:51:49 CEST 2018.
Fetching 4 metadata patches... done.
Applying metadata patches... done.
Fetching 0 metadata files... done.
Fetching 44 patches.
(44/44) 100.00% done.
done.
Applying patches...
done.
Fetching 2 new ports or files... done.
root@rataplan:~ #
12345678910111213141516171819202122232425
root@rataplan:~ # portsnap extract
/usr/ports/.arcconfig
/usr/ports/.gitattributes
/usr/ports/.gitauthors
/usr/ports/.gitignore
/usr/ports/.gitmessage
/usr/ports/CHANGES
/usr/ports/CONTRIBUTING.md
/usr/ports/COPYRIGHT
/usr/ports/GIDs
/usr/ports/Keywords/desktop-file-utils.ucl
/usr/ports/Keywords/fc.ucl
/usr/ports/Keywords/fcfontsdir.ucl
<snip>
/usr/ports/x11/xzoom/
/usr/ports/x11/yad/
/usr/ports/x11/yakuake-kde4/
/usr/ports/x11/yakuake/
/usr/ports/x11/yalias/
/usr/ports/x11/yeahconsole/
/usr/ports/x11/yelp/
/usr/ports/x11/zenity/
Building new INDEX files... done.
Jail
I use ezjail to manage my FreeBSD jails. Execute the ezjail-admin update -P to update the ports tree inside your jails.
root@stafproxy:/usr/ports/dns/getdns # make
===> License BSD3CLAUSE accepted by the user
===> getdns-1.4.2 depends on file: /usr/local/sbin/pkg - found
=> getdns-1.4.2.tar.gz doesn't seem to exist in /var/ports/distfiles/.
=> Attempting to fetch https://getdnsapi.net/dist/getdns-1.4.2.tar.gz
getdns-1.4.2.tar.gz 100% of 1034 kB 1092 kBps 00m01s
===> Fetching all distfiles required by getdns-1.4.2 for building
===> Extracting for getdns-1.4.2
=> SHA256 Checksum OK for getdns-1.4.2.tar.gz.
<snip>
/usr/bin/install -c -m 644 getdns_service_sync.3 /var/ports/basejail/usr/ports/dns/getdns/work/stage/usr/local/man/man3
/usr/bin/install -c -m 644 getdns_validate_dnssec.3 /var/ports/basejail/usr/ports/dns/getdns/work/stage/usr/local/man/man3
/usr/bin/strip /var/ports/basejail/usr/ports/dns/getdns/work/stage/usr/local/lib/libgetdns*.so.*
/usr/bin/strip /var/ports/basejail/usr/ports/dns/getdns/work/stage/usr/local/bin/getdns_*
/usr/bin/strip /var/ports/basejail/usr/ports/dns/getdns/work/stage/usr/local/bin/stubby
/bin/mv /var/ports/basejail/usr/ports/dns/getdns/work/stage/usr/local/etc/stubby/stubby.yml /var/ports/basejail/usr/ports/dns/getdns/work/stage/usr/local/etc/stubby/stubby.yml.sample
====> Compressing man pages (compress-man)
===> Staging rc.d startup script(s)
root@stafproxy:/usr/ports/dns/getdns # make install
===> Installing for getdns-1.4.2
===> Checking if getdns already installed
===> Registering installation for getdns-1.4.2
[stafproxy] Installing getdns-1.4.2...
***
*** !!! IMPORTANT !!!! libgetdns needs a DNSSEC trust anchor!
***
*** For the library to be able to perform DNSSEC, the root
*** trust anchor needs to be present in presentation format
*** in the file:
*** /usr/local/etc/unbound/root.key
***
*** We recomend using unbound-anchor to retrieve and install
*** the root trust anchor like this:
*** su -m unbound -c /usr/local/sbin/unbound-anchor
***
===> SECURITY REPORT:
This port has installed the following files which may act as network
servers and may therefore pose a remote security risk to the system.
/usr/local/lib/libgetdns.a(stub.o)
/usr/local/lib/libgetdns.so.10.0.2
/usr/local/lib/libgetdns.a(server.o)
This port has installed the following startup scripts which may cause
these network services to be started at boot time.
/usr/local/etc/rc.d/stubby
If there are vulnerabilities in these programs there may be a security
risk to the system. FreeBSD makes no guarantee about the security of
ports included in the Ports Collection. Please type 'make deinstall'
to deinstall the port if this is a concern.
For more information, and contact details about the security
status of this software, see the following webpage:
https://getdnsapi.net/
root@stafproxy:/usr/ports/dns/getdns #
Lock the package to avoid that the package gets replaced by a getdns package without stubby.
1234
root@stafproxy:/usr/ports/dns/getdns # pkg lock getdns
getdns-1.4.2: lock this package? [y/N]: y
Locking getdns-1.4.2
root@stafproxy:/usr/ports/dns/getdns #
Configure stubby
Enable the stubby service
Use sysrc to enable the stubby service…
1234567891011
root@stafproxy:/usr/local/etc # service stubby start
Cannot 'start' stubby. Set stubby_enable to YES in /etc/rc.conf or use 'onestart' instead of 'start'.
root@stafproxy:/usr/local/etc # service stubby rcvar
# stubby
#
stubby_enable="NO"
# (default: "")
root@stafproxy:/usr/local/etc # sysrc stubby_enable="YES"
stubby_enable: -> YES
root@stafproxy:/usr/local/etc #
choose your upstream dns provider
Edit the stubby.yml file and uncomment the upstream dns server that you want the use. Stubby will loadbalance the dns traffic to all configured upstream dns servers by default. This is configured with the round_robin_upstreams directive, if set to 1 the traffic is loadbalanced, if set 0 stubby will use the first configured dns server.
1
root@rataplan:/usr/local/etc # vi stubby/stubby.yml
Change the port
We’ll setup dnsmasq to cache our dns requests modify the listen_addresses directive and set the port 53000
123
listen_addresses:
- 127.0.0.1@53000
- 0::1@53000
Start it
1234
root@stafproxy:/usr/local/etc # service stubby start
Starting stubby.
[07:51:37.865826] STUBBY: Read config from file /usr/local/etc/stubby/stubby.yml
root@stafproxy:/usr/local/etc #
root@stafproxy:/root # pkg install dnsmasq
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
dnsmasq: 2.79,1
Number of packages to be installed: 1
329 KiB to be downloaded.
Proceed with this action? [y/N]: y
[stafproxy] [1/1] Fetching dnsmasq-2.79,1.txz: 100% 329 KiB 336.4kB/s 00:01
Checking integrity... done (0 conflicting)
[stafproxy] [1/1] Installing dnsmasq-2.79,1...
[stafproxy] [1/1] Extracting dnsmasq-2.79,1: 100%
Message from dnsmasq-2.79,1:
*** To enable dnsmasq, edit /usr/local/etc/dnsmasq.conf and
*** set dnsmasq_enable="YES" in /etc/rc.conf[.local]
***
*** Further options and actions are documented inside
*** /usr/local/etc/rc.d/dnsmasq
root@stafproxy:/root #
Installing and configuring an encrypted dns server is straightforward, there is no reason to use an unencrypted dns service.
DNS is not secure or private
DNS traffic is insecure and runs over UDP port 53 (TCP for zone transfers ) unecrypted by default.
This make your unencrypted DNS traffic a privacy risk and a security risk:
anyone that is able to sniff your network traffic can collect a lot information from your leaking DNS traffic.
with a DNS spoofing attack an attacker can trick you let go to malicious website or try to intercept your email traffic.
Encrypt your dns traffic
Encrypting your network traffic is always a good idea for privacy and security reasons - we encrypt, because we can! - .
More information about dns privacy can be found at https://dnsprivacy.org/
[root@vicky ~]# pacman -S stubby
resolving dependencies...
looking for conflicting packages...
Packages (5) fstrm-0.4.0-1 getdns-1.4.2-1 protobuf-c-1.3.0-3 unbound-1.7.3-4
stubby-0.2.3-1
Total Download Size: 1.09 MiB
Total Installed Size: 5.68 MiB
:: Proceed with installation? [Y/n]
:: Retrieving packages...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 88476 100 88476 0 0 403k 0 --:--:-- --:--:-- --:--:-- 403k
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 62480 100 62480 0 0 1271k 0 --:--:-- --:--:-- --:--:-- 1271k
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 632k 100 632k 0 0 750k 0 --:--:-- --:--:-- --:--:-- 749k
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 302k 100 302k 0 0 1615k 0 --:--:-- --:--:-- --:--:-- 1606k
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 34052 100 34052 0 0 831k 0 --:--:-- --:--:-- --:--:-- 831k
(5/5) checking keys in keyring [###########################] 100%
(5/5) checking package integrity [###########################] 100%
(5/5) loading package files [###########################] 100%
(5/5) checking for file conflicts [###########################] 100%
(5/5) checking available disk space [###########################] 100%
:: Processing package changes...
(1/5) installing fstrm [###########################] 100%
(2/5) installing protobuf-c [###########################] 100%
(3/5) installing unbound [###########################] 100%
Optional dependencies for unbound
expat: unbound-anchor [installed]
(4/5) installing getdns [###########################] 100%
(5/5) installing stubby [###########################] 100%
:: Running post-transaction hooks...
(1/4) Reloading system manager configuration...
(2/4) Creating system user accounts...
(3/4) Creating temporary files...
(4/4) Arming ConditionNeedsUpdate...
[root@vicky ~]#
choose your upstream dns provider
Edit the stubby.yml file and uncomment the upstream dns server that you want the use.
Stubby will loadbalance the dns traffic to all configured upstream dns servers by default.
This is configured with the round_robin_upstreams directive, if set to 1 the traffic is loadbalanced, if set 0 stubby will use the first configured dns server.
[root@vicky ~]# dig @127.0.0.1 www.wagemakers.be
; <<>> DiG 9.13.2 <<>> @127.0.0.1 www.wagemakers.be
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18226
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: fe9d3618b821614f174436385b7acb64a4f4cc6657e14626 (good)
;; QUESTION SECTION:
;www.wagemakers.be. IN A
;; ANSWER SECTION:
www.wagemakers.be. 86000 IN CNAME wagemakers.be.
wagemakers.be. 86000 IN A 95.215.185.144
;; Query time: 128 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Aug 20 16:08:36 CEST 2018
;; MSG SIZE rcvd: 147
[root@vicky ~]#
Local dns cache with dnsmasq
Change the stubby port.
Edit /etc/stubby/stubby.yml
1
[root@vicky ~]# vi /etc/stubby/stubby.yml
And change the port by modifing the listen_addresses directive
123
listen_addresses:
- 127.0.0.1@53000
- 0::1@53000
restart stubby
1
[root@vicky ~]# systemctl restart stubby.service
and verify that the dns on 127.0.0.1:53 doesn’t work anymore.
1234567
[root@vicky ~]# dig @127.0.0.1 www.wagemakers.be
; <<>> DiG 9.13.2 <<>> @127.0.0.1 www.wagemakers.be
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
[root@vicky ~]#
ensure that stubby does work on port 53000
123456789101112131415161718192021222324
[root@frija etc]# dig @127.0.0.1 -p 53000 www.wagemakers.be
; <<>> DiG 9.13.2 <<>> @127.0.0.1 -p 53000 www.wagemakers.be
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27173
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65535
;; QUESTION SECTION:
;www.wagemakers.be. IN A
;; ANSWER SECTION:
www.wagemakers.be. 43200 IN CNAME wagemakers.be.
wagemakers.be. 43200 IN A 95.215.185.144
;; Query time: 250 msec
;; SERVER: 127.0.0.1#53000(127.0.0.1)
;; WHEN: Tue Aug 21 13:26:37 CEST 2018
;; MSG SIZE rcvd: 119
[root@frija etc]#
Install dnsmasq
1234567891011121314151617181920212223
[root@vicky ~]# pacman -S dnsmasq
warning: dnsmasq-2.79-1 is up to date -- reinstalling
resolving dependencies...
looking for conflicting packages...
Packages (1) dnsmasq-2.79-1
Total Installed Size: 0.70 MiB
Net Upgrade Size: 0.00 MiB
:: Proceed with installation? [Y/n] y
(1/1) checking keys in keyring [###########################] 100%
(1/1) checking package integrity [###########################] 100%
(1/1) loading package files [###########################] 100%
(1/1) checking for file conflicts [###########################] 100%
(1/1) checking available disk space [###########################] 100%
:: Processing package changes...
(1/1) reinstalling dnsmasq [###########################] 100%
:: Running post-transaction hooks...
(1/3) Reloading system manager configuration...
(2/3) Creating system user accounts...
(3/3) Arming ConditionNeedsUpdate...
[root@vicky ~]#
Configure dnsmasq
123
[root@vicky etc]# cd /etc
[root@vicky etc]# mv /etc/dnsmasq.conf /etc/dnsmasq.conf_org
[root@vicky etc]# vi dnsmasq.conf
It is import to configure stubby to listen the localhost interface only.
If you use Linux KVM you probably have a dns serivce running on your bridge interfaces for your virtual machines.
If you networkmanager you can use nmcli, nmtui or the GUI network configuration in your desktop environment.
GNU/Linux is GNU/Linux
The configuration on other GNU/Linux distributions is the same as on Arch apart from the installation process.
The same method can be use if your (favorite) Linux distribution doesn’t have a stubby package, the installation method of the required package will be different of course.
Debian
Current testing release Debian “buster”
1
$ sudo apt install stubby dnsmasq
Current stable Debian 9 “strech”
Stubby in the getdns-utils in Debian stretch, it’s an older version.
Therefor I ended up with building stubby from the source code.
Verify the lastest release tag. The current stable release 1.4.2
1234567891011121314
staf@stretch:~/github/getdns$ git tag
TNW2015
list
v0.1.0
v0.1.1
v0.1.2
<snip>
v1.4.0
v1.4.0-rc1
v1.4.1
v1.4.1-rc1
v1.4.2
v1.4.2-rc1
staf@stretch:~/github/getdns$
checkout the latest stable release.
1234567891011121314
staf@stretch:~/github/getdns$ git checkout v1.4.2
Note: checking out 'v1.4.2'.
You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by performing another checkout.
If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -b with the checkout command again. Example:
git checkout -b <new-branch-name>
HEAD is now at e481273... Last minute update
staf@stretch:~/github/getdns$
staf@stretch:~/github/getdns/build$ sudo make install
[sudo] password for staf:
cd src && make install
make[1]: Entering directory '/home/staf/github/getdns/build/src'
<snip>
make[1]: Leaving directory '/home/staf/github/getdns/build/doc'
***
*** !!! IMPORTANT !!!!
***
*** From release 1.2.0, getdns comes with built-in DNSSEC
*** trust anchor management. External trust anchor management,
*** for example with unbound-anchor, is no longer necessary
*** and no longer recommended.
***
*** Previously installed trust anchors, in the default location -
***
*** /usr/local/etc/unbound/getdns-root.key
***
*** - will be preferred and used for DNSSEC validation, however
*** getdns will fallback to trust-anchors obtained via built-in
*** trust anchor management when the anchors from the default
*** location fail to validate the root DNSKEY rrset.
***
*** To prevent expired DNSSEC trust anchors to be used for
*** validation, we strongly recommend removing the trust anchors
*** on the default location when there is no active external
*** trust anchor management keeping it up-to-date.
***
staf@stretch:~/github/getdns/build$ sudo make install
systemd service
Stubby comes with a systemd service definition. Copy it to the correct location.
123
staf@stretch:~/github/getdns/build$ cd ..
staf@stretch:~/github/getdns$ cd stubby/systemd/
staf@stretch:~/github/getdns/stubby/systemd$ sudo cp stubby.service /lib/systemd/system/
Update the path to /usr/local
1
staf@stretch:~/github/getdns/stubby/systemd$ sudo vi /lib/systemd/system/stubby.service
root@stretch:/etc# systemctl enable dnsmasq
Synchronizing state of dnsmasq.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable dnsmasq
root@stretch:/etc# systemctl restart dnsmasq
Verify
123456789101112131415161718192021222324
root@stretch:/etc# dig @127.0.0.1 www.wagemakers.be
; <<>> DiG 9.10.3-P4-Debian <<>> @127.0.0.1 www.wagemakers.be
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57295
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.wagemakers.be. IN A
;; ANSWER SECTION:
www.wagemakers.be. 48645 IN CNAME wagemakers.be.
wagemakers.be. 80756 IN A 95.215.185.144
;; Query time: 72 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Sep 02 10:51:32 CEST 2018
;; MSG SIZE rcvd: 119
root@stretch:/etc#
[staf@vicky vboxes]$ sudo mv mywin_combined.qcow2 /var/lib/libvirt/images/
[sudo] password for staf:
Import the disk image to KVM
We’ll inport the disk image with virt-install it’s also posible to import the images with virt-manager if you prefer a graphical interface or or just being lazy :-)
Available os options
To list the supported operation system you can use the osinfo-query os command
1234567891011
[staf@vicky ~]$ osinfo-query os | head
Short ID | Name | Version | ID
----------------------+----------------------------------------------------+----------+-----------------------------------------
alpinelinux3.5 | Alpine Linux 3.5 | 3.5 | http://alpinelinux.org/alpinelinux/3.5
alpinelinux3.6 | Alpine Linux 3.6 | 3.6 | http://alpinelinux.org/alpinelinux/3.6
alpinelinux3.7 | Alpine Linux 3.7 | 3.7 | http://alpinelinux.org/alpinelinux/3.7
altlinux1.0 | Mandrake RE Spring 2001 | 1.0 | http://altlinux.org/altlinux/1.0
altlinux2.0 | ALT Linux 2.0 | 2.0 | http://altlinux.org/altlinux/2.0
altlinux2.2 | ALT Linux 2.2 | 2.2 | http://altlinux.org/altlinux/2.2
altlinux2.4 | ALT Linux 2.4 | 2.4 | http://altlinux.org/altlinux/2.4
altlinux3.0 | ALT Linux 3.0 | 3.0 | http://altlinux.org/altlinux/3.0
123456789101112131415161718192021222324252627
[staf@vicky ~]$ osinfo-query os | grep -i windows
win1.0 | Microsoft Windows 1.0 | 1.0 | http://microsoft.com/win/1.0
win10 | Microsoft Windows 10 | 10.0 | http://microsoft.com/win/10
win2.0 | Microsoft Windows 2.0 | 2.0 | http://microsoft.com/win/2.0
win2.1 | Microsoft Windows 2.1 | 2.1 | http://microsoft.com/win/2.1
win2k | Microsoft Windows 2000 | 5.0 | http://microsoft.com/win/2k
win2k12 | Microsoft Windows Server 2012 | 6.3 | http://microsoft.com/win/2k12
win2k12r2 | Microsoft Windows Server 2012 R2 | 6.3 | http://microsoft.com/win/2k12r2
win2k16 | Microsoft Windows Server 2016 | 10.0 | http://microsoft.com/win/2k16
win2k3 | Microsoft Windows Server 2003 | 5.2 | http://microsoft.com/win/2k3
win2k3r2 | Microsoft Windows Server 2003 R2 | 5.2 | http://microsoft.com/win/2k3r2
win2k8 | Microsoft Windows Server 2008 | 6.0 | http://microsoft.com/win/2k8
win2k8r2 | Microsoft Windows Server 2008 R2 | 6.1 | http://microsoft.com/win/2k8r2
win3.1 | Microsoft Windows 3.1 | 3.1 | http://microsoft.com/win/3.1
win7 | Microsoft Windows 7 | 6.1 | http://microsoft.com/win/7
win8 | Microsoft Windows 8 | 6.2 | http://microsoft.com/win/8
win8.1 | Microsoft Windows 8.1 | 6.3 | http://microsoft.com/win/8.1
win95 | Microsoft Windows 95 | 4.0 | http://microsoft.com/win/95
win98 | Microsoft Windows 98 | 4.1 | http://microsoft.com/win/98
winme | Microsoft Windows Millennium Edition | 4.9 | http://microsoft.com/win/me
winnt3.1 | Microsoft Windows NT Server 3.1 | 3.1 | http://microsoft.com/winnt/3.1
winnt3.5 | Microsoft Windows NT Server 3.5 | 3.5 | http://microsoft.com/winnt/3.5
winnt3.51 | Microsoft Windows NT Server 3.51 | 3.51 | http://microsoft.com/winnt/3.51
winnt4.0 | Microsoft Windows NT Server 4.0 | 4.0 | http://microsoft.com/winnt/4.0
winvista | Microsoft Windows Vista | 6.0 | http://microsoft.com/win/vista
winxp | Microsoft Windows XP | 5.1 | http://microsoft.com/win/xp
[staf@vicky ~]$
import
We need to import the disk image as IDE device since we don’t have the virtio driver in our windows disk image (yet).
I use arch linux and download virtio-win AUR package with pacaur. You can download the images directly or use the installation packages for your Linux distribution.
[staf@vicky ~]$ pacaur -S virtio-win
:: Package virtio-win not found in repositories, trying AUR...
:: resolving dependencies...
:: looking for inter-conflicts...
AUR Packages (1) virtio-win-0.1.149.2-1
:: Proceed with installation? [Y/n]
<snip>
-> Compressing package...
==> Leaving fakeroot environment.
==> Finished making: virtio-win 0.1.149.2-1 (Sat Jun 16 20:00:22 2018)
==> Cleaning up...
:: Installing virtio-win package(s)...
loading packages...
resolving dependencies...
looking for conflicting packages...
Packages (1) virtio-win-0.1.149.2-1
Total Installed Size: 314.84 MiB
:: Proceed with installation? [Y/n]
(1/1) checking keys in keyring [#######################################] 100%
(1/1) checking package integrity [#######################################] 100%
(1/1) loading package files [#######################################] 100%
(1/1) checking for file conflicts [#######################################] 100%
(1/1) checking available disk space [#######################################] 100%
:: Processing package changes...
(1/1) installing virtio-win [#######################################] 100%
Optional dependencies for virtio-win
qemu [installed]
:: Running post-transaction hooks...
(1/1) Arming ConditionNeedsUpdate...
[staf@vicky ~]$ ls -l /var/li
This install virtio images to /usr/share/virtio/
123456
[staf@vicky ~]$ ls -l /usr/share/virtio/
total 321308
-rw-r--r-- 1 root root 324233216 Jun 16 19:58 virtio-win.iso
-rw-r--r-- 1 root root 2949120 Jun 16 19:58 virtio-win_x86_32.vfd
-rw-r--r-- 1 root root 2949120 Jun 16 19:58 virtio-win_x86_64.vfd
[staf@vicky ~]$
virtio-win.iso is the ISO cdrom image containing all the drivers.
Installation
mount the iso image
Make sure that the cdrom is mounted in windows.
Install
Open Device Manager
Open device Manager in the control panel or type devmgmt.msc on the command prompt.
Update the drivers
balloon, the balloon driver affects the PCI device
vioserial, affects the PCI simple communication controler
NetKVM, the network driver affects the Network adapters.
viostor, the block driver affects the Disk drives.
Update the PCI drivers
In windows 10 the PCI device and the PCI Simple Communications Controller have the missing driver icon.
Right click on the PCI device and select update driver -> click on Browse my computer for driver software
Specify the cdrom as the search location and click Next, this will install the Balloon driver.
Do the same for the PCI Simple Communications Controller this will install the “VirtIO Serial Driver”
install the VioStor driver
Add a temporary disk to the virtual machine and use VirtIO as the Bus Type
In the Device Manager you’ll get a new device SCSI Controller right click it and update the driver.
This will install the Red Hat VirtIO SCSI controller
Go to the device settings of your virtual machine and change the Disk bus to VirtIO
and shutdown you virtual machine.
You can remove the temporary disk now or leave it if you can find some use for it…
Make sure that you disk is selected as the bootable device.
Start the virtual machine and make sure that the system is bootable.
install the netKVM driver
Update the Device model to virtio.
Start devmgmt.msc and update the driver as we did before….
And verify that you network card works correctly.
install the QXL graphical driver
Update the Microsoft Basic Display Adapter
After the installation you can change the the display resolution.
Kernel-based Virtual Machine (KVM) has become the defacto hypervisor on GNU/Linux systems it works with great performance as it utilizes the CPU virtualization extensions Inetl VT-x or AMD-V). KVM doesn’t emulate hardware but uses QEMU for this.
Nested Virtual guest
It’s possible to use nested virtualization this make it possible to run a hypervisor inside a KVM virtual machine.
Enabling nested virtualization in KVM
Verify
To verify if nested virtualization is enabled on your system can check /sys/module/kvm_intel/parameters/nested on Intal systems or /sys/module/kvm_amd/parameters/nested
123
[staf@frija ~]$ cat /sys/module/kvm_intel/parameters/nested
N
[staf@frija ~]$
Enable
Shutdown all virtual machines
Make sure that there no virtual machines running.
1234567891011
[root@frija ~]# virsh
Welcome to virsh, the virtualization interactive terminal.
Type: 'help' for help with commands
'quit' to quit
virsh # list
Id Name State
----------------------------------------------------
virsh #
To enable nested virtualization in a vritual machine you can
start virsh and and edit the the virtual machine and change the CPU line to <cpu mode='host-model' check='partial'/>
Open virt-manager and select Copy host CPU configuration on the CPU configuration
123456789101112
root@frija ~]# virsh
Welcome to virsh, the virtualization interactive terminal.
Type: 'help' for help with commands
'quit' to quit
virsh # list
Id Name State
----------------------------------------------------
1 centos7.0 running
virsh # edit centos7.0
It was running pfsense and was quite happy about it. Pfsense dropped support for 32 bits in their pfsense 2.4 release.
This would left me with a unsupported firewall which was one of the reasons to use pfsense instead of a closed source commercial router.
I could have moved to a new firewall like the pcengines apu but there is no reason to replace hardware that works fine.
The nice thing about opensource software is that we’ve options to choose from if software doesn’t match your usecase we’ve other options to choose from.
OPNsense
So I decided to give opnsense a try. OPNsense is a fork of pfsense, both are a fork of m0n0wall.
swapspace
My firewall only has 256 MB of memory which is a bit low even for a firewall.
The OPNsense developers made it very easy to add swapspace from the GUI. To add swap space go to [ System ] > [ Miscellaneous ] and activate the [ Add a 2 GB swap file to the system ] checkbox.
I’m verify satisfied with the upgrade from pfsense to OPNsense, OPNsense has a new release very month which is nice to get the latest security updates and it’s possible to audit the systems for security updates from the GUI.
DuckDns
I move my ADSL with a fixed ip address to a VDSL line with a dynamic ip address so I was looking a good free dynamic dns provider and settled with duckdns.
