<p>Peter Manton :: Tech Notes (Blogger feed; author Peter, http://www.blogger.com/profile/08045125837839843951; last updated 2024-02-07T19:31:53.233-08:00)</p>
<p><b>ArgoCD: Namespace deletion stuck on deleting</b> (published 2023-08-28)</p>
<p>This scenario reared its head when it looked like all of the resources within the offending namespace had been deleted but the actual deletion of the namespace had hung.</p>
<p>Firstly try to delete forcefully with:</p>
<blockquote class="tr_bq">kubectl delete ns ns-example --force --grace-period=0</blockquote>
<p>If this fails, check for active finalizers (the .spec.finalizers list in the output) on the namespace that is failing to delete:</p>
<blockquote class="tr_bq">kubectl get namespace ns-example -o json</blockquote>
<p>If there are any, we can empty the list with:</p>
<blockquote class="tr_bq">kubectl get ns ns-example -o json | jq '.spec.finalizers = []' | kubectl replace --raw "/api/v1/namespaces/ns-example/finalize" -f -</blockquote>
<p>Bear in mind this bypasses whatever the finalizer was still waiting on, so only do it once you have confirmed the namespace's resources really are gone. The app deletion in ArgoCD should now have (hopefully) been successful.</p>
<p><b>.NET Core: Reset Entity Framework Migrations</b> (published 2021-07-07)</p>
<p>Open your project folder and issue the following:</p>
<blockquote class="tr_bq">dotnet tool install --global dotnet-ef<br />dotnet ef database drop -f -v<br />dotnet ef migrations add Initial<br />dotnet ef database update</blockquote>
<p><b>Vertiv Avocent ACS800 / ACS8000 Series LTE Dongle / Modem Setup</b> (published 2020-11-18)</p>
<p><b>Forewarning: </b>The below is not officially supported and should not be used in a production environment. It's here simply to demonstrate that it's possible to configure 'unsupported' LTE modems on Avocent units.</p>
<p>Since there is next to no documentation for this I thought I'd provide some (hopefully) useful information for anyone else trying to get an LTE modem / dongle set up with the unit.</p>
<p>Firstly ensure you are running the latest firmware, as more recent Linux kernels have greatly improved support for LTE modems.</p>
<p>For this exercise I am using a 'D-Link DWM-222 4G LTE USB Adapter'.</p>
<p>We'll need to set the 'Moderate' security profile (System >> Security >> Security Profile) first, as we'll need root access over SSH.</p>
<p>Then define the APN for our mobile operator (Smarty Mobile in this case):</p>
<blockquote class="tr_bq">echo "APN=mob.asm.net" >/etc/qmi-network.conf</blockquote>
<p>Ensure the data format is set to 802.3 (raw Ethernet framing):</p>
<blockquote class="tr_bq">qmicli -d /dev/cdc-wdm0 --wda-set-data-format=802-3</blockquote>
<p>Start the modem connection:</p>
<blockquote class="tr_bq">qmi-network /dev/cdc-wdm0 start</blockquote>
<p>Ensure the interface is brought up automatically and that the cdc-wdm connection is started before the interface comes up:</p>
<blockquote class="tr_bq">vi /etc/network/interfaces</blockquote>
<blockquote class="tr_bq">auto lo eth0 eth2 <b>wwan0</b><br />iface wwan0 inet dhcp<br /> pre-up /usr/bin/qmi-network /dev/cdc-wdm0 start</blockquote>
<p>If the interface does not come up automatically despite 'auto wwan0' being set you can create a startup script instead:</p>
<blockquote class="tr_bq">vi /etc/init.d/S99lteconfig</blockquote>
<blockquote class="tr_bq">#!/bin/sh<br />sleep 15<br />echo "Bringing up LTE interface..."<br />/sbin/ifup wwan0<br />/sbin/ip route add 0.0.0.0/0 dev wwan0</blockquote>
<blockquote class="tr_bq">chmod 755 /etc/init.d/S99lteconfig<br />ln -s /etc/init.d/S99lteconfig /etc/rcS.d/S99lteconfig</blockquote>
<p>Restart the device and check whether the interface has come up:</p>
<blockquote class="tr_bq">ip addr</blockquote>
<p>Lastly ensure we put the 'Security Profile' back to 'Secure' mode.</p>
<p><b>Recovering from a replication failure in a MariaDB Master/Master replication setup</b> (published 2020-08-22)</p>
<p>For the purposes of this post I'll assume we are working with two MariaDB servers that have been configured to perform master/master replication and one of them has failed. In this case Server01 is healthy while Server02 has stopped replicating.</p>
<p>We need to firstly ensure that no queries are hitting Server02 / the failed server - this will typically be a case of stopping services / blocking network access to services that hit it, e.g. stopping httpd.</p>
<p>We'll also want to ensure replication is stopped on the failed server (Server02):</p>
<blockquote class="tr_bq">SERVER02> stop slave;</blockquote>
<p>Now on Server01 / the working server issue:</p>
<blockquote class="tr_bq">SERVER01> stop slave;<br />SERVER01> flush tables with read lock; (This will temporarily stop it updating. Keep this client session open: the lock is released as soon as the session that took it disconnects.)<br />SERVER01> show master status;</blockquote>
<p>We'll make a note of the output of the above command - it should read something like:</p>
<blockquote class="tr_bq">File: mysql-bin.123456<br />Position: 123<br />Binlog_Do_DB: <replicated_database></blockquote>
<p>Then on Server01 / the working server take a backup of the database (run from a shell in a second session, so the read lock stays held):</p>
<blockquote class="tr_bq">SERVER01> mysqldump -u<username> -p --lock-tables --databases <database-name[s]> > export.sql</blockquote>
<p>and on Server02 / the failed server restore the backup:</p>
<blockquote class="tr_bq">SERVER02> mysql -u root -p < export.sql</blockquote>
<p>Now on Server01 / the working server issue the following command (from the session holding the lock) to start processing changes again:</p>
<blockquote class="tr_bq">SERVER01> UNLOCK TABLES;</blockquote>
<p>Then on Server02 / the failed server issue the following to repoint the logs (use the information we recorded from Server01 above):</p>
<blockquote class="tr_bq">SERVER02> CHANGE MASTER TO master_log_file='mysql-bin.xxxxxx', master_log_pos=yy;<br />SERVER02> START SLAVE;</blockquote>
<p>To verify we can issue the following (Slave_IO_Running and Slave_SQL_Running should both read Yes):</p>
<blockquote class="tr_bq">SERVER02> show slave status \G</blockquote>
<p>Now we need to do the reverse by ensuring Server01 / the working server replicates from Server02 / the failed server. On Server02 issue:</p>
<blockquote class="tr_bq">SERVER02> show master status \G</blockquote>
<p>Record the output again.</p>
<p>Now on Server01 / the working server set the logs:</p>
<blockquote class="tr_bq">SERVER01> CHANGE MASTER TO master_log_file='mysql-bin.xxxxxx', master_log_pos=yy;<br />SERVER01> START SLAVE;</blockquote>
<p>and then to verify replication issue:</p>
<blockquote class="tr_bq">SERVER01> SHOW SLAVE STATUS \G</blockquote>
<p>Finally reverse anything you performed at the start to block comms with Server02 / the bad server, e.g. start services, update the firewall etc.</p>
<div><br /></div>
<p><b>Reverting to a previous git commit</b> (published 2020-07-10)</p>
Fortunately it's pretty easy to do:<br />
<br />
<blockquote class="tr_bq">
git revert --no-commit <commit-version>..HEAD<br />git commit<br />git push</blockquote>
<div>
<br /></div>
<p><b>Invoking sysprep (Generalising a Windows install) on AWS EC2</b> (published 2020-03-16)</p>
<ol>
<li><i>From the Windows <b>Start</b> menu:<br />For <b>Windows Server 2008 through Windows Server 2012 R2</b>, open <b>EC2ConfigService Settings</b>, and then choose the <b>Image</b> tab.<br />For <b>Windows Server 2016</b> or later, open <b>EC2 Launch Settings</b>.</i></li>
<li><i>For <b>Administrator Password</b>, choose <b>Random</b>.</i></li>
<li><i>Choose <b>Shutdown with Sysprep</b>.</i></li>
<li><i>Choose <b>Yes</b>.<br /><b>Note:</b> You must retrieve the new password from the EC2 console at the next service start.</i></li>
</ol>
<div>
<br /></div>
<div>
<i>Source: <a href="https://aws.amazon.com/premiumsupport/knowledge-center/sysprep-create-install-ec2-windows-amis/">https://aws.amazon.com/premiumsupport/knowledge-center/sysprep-create-install-ec2-windows-amis/</a></i></div>
<p><b>Instruct AWS EC2 'User Data' to be invoked on startup (Server 2016+)</b> (published 2020-03-13)</p>
When launching Amazon EC2 images, 'user-data' (effectively a bootstrapper) is invoked on first launch. However, if you create a custom AMI from one of these images you'll need to run the following to ensure user data is invoked again (the scheduled task that invokes it disables itself after the first run):<div>
<br /></div>
<div>
C:\ProgramData\Amazon\EC2-Windows\Launch\Scripts\InitializeInstance.ps1 -Schedule</div>
<div>
<br /></div>
<div>
Shut down the instance and then create the AMI again.</div>
<p><b>Quick Start: Upgrading Juniper SRX Devices</b> (published 2020-03-01)</p>
Once you've obtained the relevant firmware from Juniper you can either download it via https:<br />
<br />
file copy https://cdn.juniper.net/software/junos/XX/XX.tgz /tmp/XX.tgz<br />
<br />
or alternatively, if you need to download it from a named routing instance, you'll need to download it over ftp first:<br />
<br />
ftp routing-instance <instance-name> <ftp-host><br />
<br />
Verify the checksum of the downloaded package from the shell (compare it against the MD5 Juniper publishes for the release), then return to the CLI:<br />
<br />
start shell<br />
md5 /tmp/<firmware>.tgz<br />
exit<br />
<br />
request system software add validate /tmp/<firmware>.tgz<br />
<br />
The system will then extract the firmware and reboot immediately.<br />
<br />
To verify the Junos firmware version after reload issue:<br />
<br />
show version<br />
<p><b>[Solved] Snort: ERROR: Can't initialize DAQ pfring (-1) -</b> (published 2020-02-18)</p>
I came across this error after performing a regular system update on CentOS 7. Although it's a rather generic-looking error message it turned out to be quite a trivial problem.<br />
<br />
The pfring driver (provided by daq_pfring) had been compiled against the latest kernel version - however for whatever reason an older kernel was being loaded by default by the bootloader.<br />
<br />
This can be evidenced by running:<br />
<br />
uname -r<br />
<br />
and comparing it with the kernel packages listed by rpm -qa | grep kernel<br />
<br />
To correct this issue:<br />
<br />
grub2-set-default 0 # presuming menu item 0 is the kernel you want listed in: /boot/efi/EFI/centos/grub.cfg (which is usually the case.)<br />
<br />
and then confirm with:<br />
<br />
grub2-editenv list<br />
<br />
Restart the machine and then check the kernel / test snort again:<br />
<br />
shutdown -r now<br />
<br />
sudo service snort status<br />
<br />
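The comparison the post describes (uname -r against the installed kernel packages), as an added example that is not from the post: it picks the kernel image packages out of rpm -qa output, orders the versions rpm-style and reports whether a newer kernel than the running one is installed. The rpm output and uname -r value below are constructed.

```python
"""Check whether the running kernel is the newest kernel package installed.
The DAQ pfring error above came from exactly this mismatch: daq_pfring was
built against the newest kernel while grub booted an older one."""
import functools
import re

# Only kernel image packages, e.g. "kernel-3.10.0-1160.15.2.el7.x86_64";
# kernel-devel, kernel-tools, kernel-headers etc. start with a letter after
# "kernel-" and are skipped.
KERNEL_PKG_RE = re.compile(r"^kernel-(\d\S*)$")
SEGMENT_RE = re.compile(r"\d+|[A-Za-z]+")

# Constructed sample output of "rpm -qa | grep kernel" and "uname -r".
SAMPLE_RPM_QA = """\
kernel-tools-libs-3.10.0-1160.15.2.el7.x86_64
kernel-3.10.0-1127.19.1.el7.x86_64
kernel-headers-3.10.0-1160.15.2.el7.x86_64
kernel-3.10.0-1160.15.2.el7.x86_64
kernel-devel-3.10.0-1160.15.2.el7.x86_64
"""
SAMPLE_UNAME_R = "3.10.0-1127.19.1.el7.x86_64"


def _segments(version):
    """Split "3.10.0-1160.15.2.el7.x86_64" into integer and alphabetic runs."""
    return [int(s) if s.isdigit() else s for s in SEGMENT_RE.findall(version)]


def vercmp(a, b):
    """rpm-style version comparison: numeric segments compare as integers,
    alphabetic ones lexically, a number outranks letters, and when one
    version is a prefix of the other the longer one is newer."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if isinstance(x, int) and isinstance(y, int):
            return -1 if x < y else 1
        if isinstance(x, int):
            return 1
        if isinstance(y, int):
            return -1
        return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def installed_kernels(rpm_qa_output):
    """Kernel versions (in the form uname -r reports them), oldest first."""
    versions = []
    for line in rpm_qa_output.splitlines():
        m = KERNEL_PKG_RE.match(line.strip())
        if m:
            versions.append(m.group(1))
    return sorted(versions, key=functools.cmp_to_key(vercmp))


def kernel_check(uname_r, rpm_qa_output):
    """Return (running, newest_installed, stale); stale is True when a newer
    kernel is installed than the one running, i.e. the state that broke
    the pfring DAQ module built against the newest kernel."""
    kernels = installed_kernels(rpm_qa_output)
    if not kernels:
        raise ValueError("no kernel image packages found in rpm output")
    newest = kernels[-1]
    return uname_r, newest, vercmp(uname_r, newest) < 0


if __name__ == "__main__":
    running, newest, stale = kernel_check(SAMPLE_UNAME_R, SAMPLE_RPM_QA)
    print(f"running {running}, newest installed {newest}, stale={stale}")
```

On a real box feed it the output of the two commands, e.g. kernel_check(subprocess.check_output(["uname", "-r"], text=True).strip(), subprocess.check_output("rpm -qa | grep kernel", shell=True, text=True)).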
<br />
<p><b>Visualising data from iperf with rrd</b> (published 2020-01-14)</p>
<div>
The purpose of this test was to measure the bandwidth available on a leased line while ensuring that the test itself didn't saturate the line.</div>
<div>
<br /></div>
<div>
We'll firstly run our iperf server in daemon mode:</div>
<blockquote class="tr_bq">
iperf3 --server --daemon --logfile iperf_stdout.txt --pidfile iperf3.pid</blockquote>
<div>
Since this will be a long-term test we'll ensure that there is no timeout on the test and that intervals of 1 second are reported (since we'll be using this for rrd input):</div>
<blockquote class="tr_bq">
iperf3 -b 20M -c hlxscript01.hlx.int -i 1 -t 0 -V --logfile log.txt &</blockquote>
<div>
In the above example I'm sending a traffic stream limited to 20 Mbit/s (-b 20M). If you wish to saturate the line you will need to remove this limit and also likely tweak the number of threads and the TCP window size in order to get optimum results.</div>
<div>
<br /></div>
<div>
Now in order to use our client log (log.txt) with rrd we'll need to extract each recorded speed, stamp it with a timestamp, feed it into the rrd file and finally generate the graph. I've created a simple shell script to do just that:</div>
<div>
<br /></div>
<blockquote class="tr_bq">
#!/bin/bash<br />
# Pull one "NN.NN Mbits/sec" figure per 1 s interval out of the client log and<br />
# load them into a fresh RRD, assuming the last interval ended "now".<br />
epoc=$(date "+%s")<br />
<br />
IFS=$'\n'<br />
iperf_results=( $(grep -o '[0-9]\+\.[0-9]\+ Mbits\/sec' log.txt | cut -d " " -f 1) )<br />
results_count="${#iperf_results[@]}"<br />
<br />
# The RRD start time must be earlier than the first update, so begin one<br />
# second before the first sample's timestamp.<br />
rrdtool create iperf.rrd --step=1 --start=$((epoc - results_count - 1)) DS:ds1:GAUGE:1:U:U RRA:AVERAGE:0.5:1:$results_count<br />
<br />
START=$((epoc - results_count))<br />
COUNT=$results_count<br />
for (( i = 0; i < ${COUNT}; i++ )); do<br />
VALUE=${iperf_results[i]}<br />
rrdtool update iperf.rrd ${START}:${VALUE}<br />
START=$((START + 1))<br />
done</blockquote>
<div>
<br /></div>
<blockquote class="tr_bq">
rrdtool graph iperf.png --start $((epoc - results_count)) --end now DEF:ds1a=iperf.rrd:ds1:AVERAGE LINE1:ds1a#FF0000:"Mbits/sec"</blockquote>
<div>
<br /></div>
<div>
<i><u>Sources</u></i></div>
<div>
<a href="https://blog.tinned-software.net/understand-the-basics-of-rrdtool-to-create-a-simple-graph/">https://blog.tinned-software.net/understand-the-basics-of-rrdtool-to-create-a-simple-graph/</a></div>
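As an added example (not part of the original post), the following Python does the job of the shell script above more robustly: it reads the test start time from the Time: header that iperf3 -V writes and stamps each 1-second interval from it instead of counting back from "now", normalises bits/Kbits/Gbits figures that a grep for "Mbits/sec" silently drops, and skips the sender/receiver summary lines. The log excerpt is constructed and the exact Time: header format is assumed.

```python
"""Parse an iperf3 client log written with "-i 1 -V --logfile log.txt" into
(epoch, Mbit/s) samples that can be fed straight into rrdtool."""
import re
import time
from datetime import datetime, timezone

# "Time:" header that iperf3 prints in verbose (-V) mode; exact format assumed.
TIME_RE = re.compile(r"^Time:\s+(.+?)\s*$")
# Per-interval lines such as
# "[  4]   1.00-2.00   sec  2.38 MBytes  20.0 Mbits/sec    0   85.0 KBytes"
INTERVAL_RE = re.compile(
    r"^\[\s*\d+\]\s+(?P<start>\d+\.\d+)-(?P<end>\d+\.\d+)\s+sec\s+"
    r"[\d.]+\s+[KMG]?Bytes\s+(?P<rate>[\d.]+)\s+(?P<unit>[KMG]?)bits/sec"
)
UNIT_BITS = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}

# Constructed excerpt of a log from "iperf3 -b 20M -c host -i 1 -t 0 -V"
# that was interrupted after five seconds (hence the trailing summary).
SAMPLE_LOG = """\
iperf 3.1.3
Time: Tue, 14 Jan 2020 15:09:14 GMT
Connecting to host hlxscript01.hlx.int, port 5201
[  4] local 10.0.0.5 port 40212 connected to 10.0.0.9 port 5201
[ ID] Interval           Transfer     Bandwidth       Retr  Cwnd
[  4]   0.00-1.00   sec  2.50 MBytes  21.0 Mbits/sec    0   85.0 KBytes
[  4]   1.00-2.00   sec  2.38 MBytes  20.0 Mbits/sec    0   85.0 KBytes
[  4]   2.00-3.00   sec   512 KBytes  4.19 Mbits/sec    3   42.4 KBytes
[  4]   3.00-4.00   sec  0.00 Bytes  0.00 bits/sec    1   14.1 KBytes
[  4]   4.00-5.00   sec  96.0 KBytes   786 Kbits/sec    0   28.3 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth       Retr
[  4]   0.00-5.00   sec  5.50 MBytes  9.23 Mbits/sec    4             sender
[  4]   0.00-5.00   sec  5.46 MBytes  9.16 Mbits/sec                  receiver
"""


def _parse_start(header_value):
    """Epoch seconds for a header such as "Tue, 14 Jan 2020 15:09:14 GMT"."""
    dt = datetime.strptime(header_value, "%a, %d %b %Y %H:%M:%S GMT")
    return int(dt.replace(tzinfo=timezone.utc).timestamp())


def parse_iperf_log(text, default_start=None):
    """Return [(epoch_seconds, mbits_per_sec), ...], one per reported interval.

    Each sample is stamped with the test start time plus the interval's end
    offset, so consecutive 1 s intervals give strictly increasing timestamps
    (rrdtool rejects updates that do not advance in time).  Rates are
    normalised to Mbits/sec and the sender/receiver summary lines are skipped.
    """
    start = None
    rows = []  # (end_offset_seconds, mbps)
    for line in text.splitlines():
        m = TIME_RE.match(line)
        if m:
            start = _parse_start(m.group(1))
            continue
        if "sender" in line or "receiver" in line:
            continue
        m = INTERVAL_RE.match(line)
        if not m:
            continue
        mbps = float(m.group("rate")) * UNIT_BITS[m.group("unit")] / 1_000_000
        rows.append((float(m.group("end")), round(mbps, 3)))
    if start is None:
        # No header: use the caller's start, or assume the last interval
        # ended "now" as the page's shell script does.
        last_end = rows[-1][0] if rows else 0.0
        start = default_start if default_start is not None else int(time.time() - last_end)
    return [(start + int(round(end)), mbps) for end, mbps in rows]


def to_rrd_updates(samples):
    """Format samples as the "timestamp:value" arguments rrdtool update takes."""
    return [f"{ts}:{mbps}" for ts, mbps in samples]


def rrd_create_args(samples, rrd_file="iperf.rrd", step=1):
    """Arguments for "rrdtool create" sized to the samples; --start must lie
    before the first update, hence first timestamp minus one."""
    first_ts = samples[0][0]
    return [rrd_file, f"--step={step}", f"--start={first_ts - 1}",
            "DS:ds1:GAUGE:1:U:U", f"RRA:AVERAGE:0.5:1:{len(samples)}"]


if __name__ == "__main__":
    samples = parse_iperf_log(SAMPLE_LOG)
    print("rrdtool create", " ".join(rrd_create_args(samples)))
    print("rrdtool update iperf.rrd", " ".join(to_rrd_updates(samples)))
```

rrdtool update accepts many timestamp:value pairs in one invocation, so the whole list can be passed in a single call instead of one process per sample.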
<p><b>Locking down ISAKMP / IPSec (UDP 500, 4500 and IP 50) on the ASA 5500 Series</b> (published 2019-09-10)</p>
By default, when enabling ISAKMP / IPSec on an interface the ASA permits access to the service (UDP 500, 4500 and IPSec / ESP) to everyone. However, in circumstances where you can reliably predict the source of VPN initiators you should ideally lock down access. Unfortunately this can't be done by applying an ordinary ACL to the interface; it instead needs to be done with a control-plane ACL.<br />
<br />
We'll firstly need to obtain a list of the IP's in tunnel groups and add them to an ACL e.g.:<br />
<br />
access-list outside-control-plane extended permit udp host <REMOTE PEER #1> host <ASA-VPN-ENABLED-INTERFACE> eq 500<br />
access-list outside-control-plane extended permit udp host <REMOTE PEER #2> host <ASA-VPN-ENABLED-INTERFACE> eq 500<br />
access-list outside-control-plane extended deny udp any any eq 500<br />
<br />
access-list outside-control-plane extended permit udp host <REMOTE PEER #1> host <ASA-VPN-ENABLED-INTERFACE> eq 4500<br />
access-list outside-control-plane extended permit udp host <REMOTE PEER #2> host <ASA-VPN-ENABLED-INTERFACE> eq 4500<br />
access-list outside-control-plane extended deny udp any any eq 4500<br />
<br />
access-list outside-control-plane extended permit ipsec host <REMOTE PEER #1> host <ASA-VPN-ENABLED-INTERFACE><br />
access-list outside-control-plane extended permit ipsec host <REMOTE PEER #2> host <ASA-VPN-ENABLED-INTERFACE><br />
access-list outside-control-plane extended deny ipsec any any<br />
<br />
access-group outside-control-plane in interface outside-pri control-plane<br />
<br />
Note: The above examples presume you do NOT have any IPSec VPN servers behind the firewall.<br />
<br />
We can also perform the same for SSL VPNs:<br />
<br />
access-list outside-control-plane extended permit tcp host <REMOTE PEER #1> host <ASA-VPN-ENABLED-INTERFACE> eq 443<br />
access-list outside-control-plane extended permit tcp host <REMOTE PEER #2> host <ASA-VPN-ENABLED-INTERFACE> eq 443<br />
access-list outside-control-plane extended deny tcp any host <ASA-VPN-ENABLED-INTERFACE> eq 443<br />
<p><b>Setting up bonding with LACP using the ip command in Linux</b> (published 2019-08-08)</p>
This can be accomplished quite quickly with the ip command if you only need it temporarily:<br />
<br />
ip link add bond0 type bond<br />
ip link set bond0 down<br />
ip link set bond0 type bond mode 802.3ad<br />
ip link set enp1s0 down<br />
ip link set enp1s0 master bond0<br />
ip link set enp2s0 down<br />
ip link set enp2s0 master bond0<br />
ip link set bond0 up<br />
<br />
and to remove the bonding we can issue:<br />
<br />
ip link del bond0<br />
ip link set enp1s0 up<br />
ip link set enp2s0 up<br />
<br />
<p><b>Quickstart: Installing Arch Linux 2019.X</b> (published 2019-08-08)</p>
Firstly download the latest iso image from one of the mirrors below:<br />
<br />
https://www.archlinux.org/download<br />
<blockquote class="tr_bq">
wget https://www.mirrorservice.org/sites/ftp.archlinux.org/iso/2019.08.01/archlinux-xxxx.xx.xx-x86_64.iso</blockquote>
and then write it to your preferred media:<br />
<blockquote class="tr_bq">
dd bs=8M if=archlinux-xxxx.xx.xx-x86_64.iso of=/dev/sdX | sync</blockquote>
Upon booting the image select the default selection to boot Arch.<br />
<br />
This will get you into the system under the root user.<br />
<br />
The setup portion is a Gentoo-style approach of effectively 'assembling' the system yourself.<br />
<br />
From here we'll firstly partition the disks:<br />
<blockquote class="tr_bq">
lsblk</blockquote>
<i>NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT</i><br />
<i>sdX 8:0 0 1000G 0 disk </i><br />
<br />
In this example we'll create a partition for the root fs, another for our home fs and finally one for swap (plus the EFI system partition the firmware boots from).<br />
<blockquote class="tr_bq">
parted -a optimal /dev/sdX<br />
mktable gpt<br />
mkpart ESP fat32 0% 500MB<br />
mkpart root ext4 500MB 250GB<br />
mkpart home ext4 250GB 750GB<br />
mkpart swap linux-swap 750GB 800GB<br />
set 1 boot on</blockquote>
Create the filesystems with:<br />
<blockquote class="tr_bq">
mkfs.fat -F32 /dev/sdX1<br />
mkfs.ext4 /dev/sdX2<br />
mkfs.ext4 /dev/sdX3<br />
mkswap /dev/sdX4<br />
swapon /dev/sdX4</blockquote>
Proceed by mounting the file systems:<br />
<blockquote class="tr_bq">
mount -t auto /dev/sdX2 /mnt<br />
mkdir -p /mnt/boot/EFI && mount -t auto /dev/sdX1 /mnt/boot/EFI<br />
mkdir /mnt/home && mount -t auto /dev/sdX3 /mnt/home</blockquote>
We'll need the network set up at this point so we can access the Arch repos:<br />
<blockquote class="tr_bq">
dhclient</blockquote>
and then pull down all the necessary components for the root fs:<br />
<blockquote class="tr_bq">
pacstrap /mnt base base-devel</blockquote>
Once complete we'll need to generate the fstab for the new system:<br />
<blockquote class="tr_bq">
genfstab -U /mnt >> /mnt/etc/fstab</blockquote>
and then chroot into the new system to set the hostname and change our root password:<br />
<blockquote class="tr_bq">
arch-chroot /mnt<br />
echo arch-box > /etc/hostname<br />
passwd</blockquote>
We'll also configure the time zone and locale (enabling en_GB.UTF-8 in /etc/locale.gen before generating it) with:<br />
<blockquote class="tr_bq">
ln -sf /usr/share/zoneinfo/<region>/<city> /etc/localtime<br />
hwclock --systohc<br />
sed -i 's/^#en_GB.UTF-8 UTF-8/en_GB.UTF-8 UTF-8/' /etc/locale.gen<br />
locale-gen<br />
printf "LANG=en_GB.UTF-8\n" > /etc/locale.conf<br />
export LANG=en_GB.UTF-8</blockquote>
I'm going to use KDE Plasma for the desktop environment:<br />
<blockquote class="tr_bq">
pacman -S xorg xorg-server xorg-xinit plasma-meta sddm</blockquote>
Finally we will configure grub:<br />
<blockquote class="tr_bq">
pacman -S grub efibootmgr dosfstools os-prober mtools<br />
grub-install --target=x86_64-efi --efi-directory=/boot/EFI --bootloader-id=grub_uefi --recheck<br />
grub-mkconfig -o /boot/grub/grub.cfg</blockquote>
Exit the jail:<br />
<blockquote class="tr_bq">
exit</blockquote>
and restart:<br />
<blockquote class="tr_bq">
shutdown -r now</blockquote>
Once booted into the new OS we'll setup the network configuration - for this example I'll be setting up DHCP.<br />
<br />
With Arch we have a few options for network configuration - either netctl or networkd (a newer component.)<br />
<blockquote class="tr_bq">
vi /etc/netctl/enp2s0</blockquote>
<blockquote class="tr_bq">
Description=LAN interface<br />
Interface=enp2s0<br />
Connection=ethernet<br />
IP=dhcp</blockquote>
Ensure the interface will come up on boot by issuing:<br />
<blockquote class="tr_bq">
netctl enable enp2s0</blockquote>
Enable and start the DHCP service with:<br />
<blockquote class="tr_bq">
systemctl enable dhcpcd<br />
systemctl start dhcpcd</blockquote>
and then attempt to start the interface with:<br />
<blockquote class="tr_bq">
netctl start enp2s0</blockquote>
<p><b>Using Juniper SRX devices as routers</b> (published 2019-07-12)</p>
The SRX series are part of Juniper's security line of products and provide firewalling among a host of other security features such as IDS and IPS.<br />
<div>
<br /></div>
<div>
However, you can effectively use the SRX range as a traditional router by changing the forwarding mode from flow based (stateful inspection) to packet based (stateless per-packet inspection).</div>
<div>
<br /></div>
<div>
You can verify the forwarding mode by issuing:</div>
<div>
<br /></div>
<div>
<blockquote class="tr_bq">
show security flow status</blockquote>
</div>
<div>
<br /></div>
<div>
We should firstly ensure we remove any existing security configuration from the device with:</div>
<div>
<br /></div>
<div>
<blockquote class="tr_bq">
delete security</blockquote>
</div>
<div>
<br /></div>
<div>
and then ensure the forwarding mode is set to 'packet based':</div>
<div>
<br /></div>
<div>
<blockquote class="tr_bq">
set security forwarding-options family mpls mode packet-based</blockquote>
</div>
<div>
<br /></div>
<div>
commit it and then reboot:</div>
<div>
<br /></div>
<div>
<blockquote class="tr_bq">
commit<br />run request system reboot</blockquote>
</div>
<div>
<br /></div>
<div>
Upon restart check the forwarding mode again with:</div>
<div>
<br /></div>
<div>
<blockquote class="tr_bq">
show security flow status</blockquote>
</div>
<b>Configuring an Etherchannel (with LACP) between JunOS and Cisco IOS</b> (2019-07-04)<br />
<br />
<b>Juniper JunOS</b><br />
<br />
Firstly create the aggregated interface:<br />
<br />
edit chassis<br />
set aggregated-devices ethernet device-count 2<br />
<br />
top<br />
edit interfaces<br />
set ae0 aggregated-ether-options lacp active<br />
<br />
and define the LACP interval (i.e. the rate at which the device will send / receive LACP protocol messages):<br />
<br />
set ae0 aggregated-ether-options lacp periodic fast<br />
<br />
'lacp periodic fast' sets the LACP transmission interval to 1 second.<br />
<br />
Note: It's important that the rate is matched on the other end as well.<br />
<br />
We'll now associate our physical interfaces with the aggregated link we've just configured:<br />
<br />
top<br />
edit interfaces<br />
edit ge-0/0/1<br />
set ether-options 802.3ad ae0<br />
exit<br />
edit ge-0/0/2<br />
set ether-options 802.3ad ae0<br />
<br />
<b>Cisco IOS</b><br />
<br />
conf t<br />
int range gi1/0/1-2<br />
channel-protocol lacp<br />
channel-group 1 mode active<br />
lacp rate fast<br />
no shut<br />
<br />
int po1<br />
description etherchannel<br />
<br />
<b>Base Junos Configuration</b> (2019-07-02)<br />
<br />
The following template will get the fundamental features set up in Junos and act as a base for building more advanced configurations:<br />
<br />
# Enter configuration mode<br />
cli<br />
configure exclusive<br />
<br />
# Configure root user key / password<br />
set system root-authentication load-key-file<br />
<b>[OR]</b><br />
set system root-authentication plain-text-password<br />
<br />
# Enable remote management<br />
edit system services<br />
set ssh<br />
set web-management https<br />
set web-management https port 443<br />
set web-management https system-generated-certificate<br />
set web-management https interface fxp0.0<br />
<br />
# Disable insecure services<br />
deactivate telnet<br />
deactivate web-management http<br />
<br />
# Setup hostname<br />
top<br />
set system host-name "host01"<br />
<br />
# Setup time / date / ntp<br />
set system time-zone Europe/London<br />
exit<br />
set date ntp 1.uk.pool.ntp.org<br />
set cli idle-timeout 10<br />
<br />
# Setup new user and assign login class<br />
edit<br />
edit system login<br />
edit user jbloggs<br />
set authentication plain-text-password<br />
set full-name "Joe Bloggs"<br />
set class operator | read-only | super-user<br />
<br />
# Create custom login class<br />
set system login class test-class permissions [interface interface-control]<br />
set system login class test-class idle-timeout 10<br />
<b>[OR]</b><br />
# Configure RADIUS<br />
set system radius-server 10.11.12.254 source-address 10.11.12.1<br />
edit system radius-server 10.11.12.254<br />
set secret <pass-phrase><br />
set port 1845<br />
# Ensure radius requests originate from the mgmt interface<br />
set routing-instance mgmt_junos<br />
exit<br />
set system authentication-order [radius password]<br />
# Assign a default class for remote users<br />
set system login user remote class super-user<br />
<br />
### Setup Layer 3 Interface<br />
# Change physical properties<br />
edit interfaces ge-0/0/1<br />
set speed 10m<br />
set link-mode full-duplex<br />
<br />
### Create VLAN<br />
set vlans testvlan vlan-id 123<br />
set vlans testvlan2 vlan-id 456<br />
<br />
# Change logical properties<br />
edit interfaces ge-0/0/1 unit 0<br />
set vlan-id 50<br />
edit family inet<br />
set address 1.2.3.254/24<br />
<br />
### Setup Access Port<br />
# Change logical properties<br />
edit interfaces ge-0/0/2 unit 0<br />
set family ethernet-switching interface-mode access<br />
set family ethernet-switching vlan members 123<br />
<br />
### Setup Trunk Port<br />
edit interfaces ge-0/0/3 unit 0<br />
set family ethernet-switching port-mode trunk vlan members [testvlan testvlan2]<br />
<br />
### Syslog Forwarding<br />
* This is performed via the local syslog server rather than the Juniper CLI (messages found in /var/log/messages)<br />
* To edit the configuration from the CLI use 'edit system syslog'.<br />
<br />
### Commit changes<br />
commit<br />
<br />
<b>Configuring Auto QoS on Cisco Switches</b> (2019-05-29)<br />
<br />
Auto QoS is a great feature included with the majority of switches running at least the LAN Base feature set. It will likely require some further tweaking after it's set up, however it's a great base for applying QoS.<br />
<br />
Cisco provides support for its own telephony devices (surprise, surprise!) through CDP broadcasts. However in my case I am working with a different vendor, and since not all switches will classify packets themselves, I'm relying on the tagging being performed by the downstream devices.<br />
<br />
It's very simple to set up - simply apply the following to the switch ports in scope (i.e. the ones connected to the telephony devices):<br />
<br />
conf t<br />
int range gi1/0/1-10<br />
auto qos trust dscp<br />
end<br />
<br />
This will instruct the switch ports in scope to trust the DSCP markings applied by the downstream devices (as I'm sure you're aware, by default DSCP markings are typically stripped.)<br />
<br />
The 'auto qos trust dscp' command also enables QoS globally for us and applies a few other directives on the interface - so a lot of the setup is performed for you - however it's still crucial that you understand what each directive means!<br />
<br />
do show run int gi1/0/1<br />
<br />
interface GigabitEthernet1/0/1<br />
switchport access vlan 2000<br />
switchport mode access<br />
speed auto<br />
srr-queue bandwidth share 1 30 35 5<br />
priority-queue out<br />
mls qos trust dscp<br />
auto qos trust dscp<br />
spanning-tree portfast<br />
spanning-tree bpduguard enable<br />
<br />
To verify QoS is turned on globally we can review:<br />
<br />
show mls qos<br />
<br />
and to review interface specific QoS information:<br />
<br />
show mls qos interface gi1/0/1<br />
<br />
We can also test QoS is successfully prioritising packets with iperf (tagging the traffic with a non zero DSCP value) e.g.:<br />
<br />
iperf -c 10.11.12.13 -i 1 -S 0xB8 -t 0<br />
<br />
'0xB8' is the hexadecimal equivalent of a TOS byte of 184, which equates to DSCP 'EF' / 46 (the DSCP value occupies the upper six bits of the TOS byte, so 46 shifted left by two bits gives 184). According to the man page (at least in mine) the value must be given in hexadecimal TOS form. There is a list of all of them available <a href="https://www.tucny.com/Home/dscp-tos">here</a>.<br />
<br />
We can then review the QoS counters for the interface with:<br />
<br />
show mls qos interface gi1/0/1 stat<br />
<br />
<b>Cross compile packages for OpenWRT / LEDE</b> (2019-05-23)<br />
<br />
For this tutorial I'll be using Fedora 29 for the build host.<br />
<br />
We'll install the necessary dependencies firstly:<br />
<br />
sudo dnf install asciidoc binutils bzip2 flex git gawk intltool zlib gmake ncurses openssl-devel patchutils p5-extutils-makemaker unzip wget gettext libxslt zlib-devel boost-jam perl-XML-Parser libusb-devel dev86 sharutils java-1.7.0-openjdk-devel b43-fwcutter zip<br />
<br />
The next step is to obtain the OpenWRT SDK, which will allow us to cross-compile the packages that we require on OpenWRT.<br />
<br />
I'll be using a BT Home Hub 5A for this exercise - so I browse the releases:<br />
<br />
<blockquote class="tr_bq">
https://downloads.openwrt.org/releases/17.01.4/targets/lantiq/xrx200/</blockquote>
<br />
Under the supplementary section you should find the SDK e.g.<br />
<br />
<blockquote class="tr_bq">
lede-sdk-<version-number>-<vendor>-<model>_gcc-<version number>_musl-<version number>.Linux-<architecture>.tar.xz</blockquote>
<br />
We'll proceed by downloading and extracting it:<br />
<br />
<blockquote class="tr_bq">
wget https://downloads.openwrt.org/releases/17.01.4/targets/lantiq/xrx200/lede-sdk-17.01.4-lantiq-xrx200_gcc-5.4.0_musl-1.1.16.Linux-x86_64.tar.xz</blockquote>
<br />
<blockquote class="tr_bq">
tar xvf lede-sdk-17.01.4-lantiq-xrx200_gcc-5.4.0_musl-1.1.16.Linux-x86_64.tar.xz && cd lede-sdk-17.01.4-lantiq-xrx200_gcc-5.4.0_musl-1.1.16.Linux-x86_64</blockquote>
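Before extracting the SDK it is worth checking the tarball against the sha256sums file published alongside it in the same release directory, so that a corrupted or tampered download never becomes the toolchain you build packages with. The shell function below is an added example (it is not from the original post or from the OpenWrt project); it assumes the sha256sums file has been fetched next to the tarball and uses the usual `<hex> *<filename>` line format those files carry, and the demo at the bottom runs against a constructed file rather than a real SDK download.<br />

```shell
#!/bin/sh
# Added example: verify a downloaded OpenWrt/LEDE SDK tarball against the
# release directory's sha256sums file before extracting it.

# Print the SHA-256 digest of a file (sha256sum on Linux, shasum elsewhere).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# expected_sum <sha256sums-file> <filename>
# Lines look like "<hex> *<filename>" (binary mode) or "<hex>  <filename>".
expected_sum() {
    awk -v f="$2" '$2 == f || $2 == "*" f { print $1; exit }' "$1"
}

# verify_sdk_checksum <sha256sums-file> <tarball>
# Returns 0 when the digest matches, 1 on mismatch or when no entry exists.
verify_sdk_checksum() {
    sums="$1"
    tarball="$2"
    name=$(basename "$tarball")
    want=$(expected_sum "$sums" "$name")
    if [ -z "$want" ]; then
        echo "no entry for $name in $sums" >&2
        return 1
    fi
    have=$(sha256_of "$tarball")
    if [ "$have" != "$want" ]; then
        echo "checksum mismatch for $name" >&2
        echo "  expected: $want" >&2
        echo "  actual:   $have" >&2
        return 1
    fi
    echo "checksum OK for $name"
    return 0
}

# Constructed demo data (stands in for the real SDK download): a file whose
# contents are "hello\n" and a sums file carrying its known SHA-256 digest.
demo_dir=$(mktemp -d)
printf 'hello\n' > "$demo_dir/lede-sdk-demo.tar.xz"
printf '%s *lede-sdk-demo.tar.xz\n' \
    5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 \
    > "$demo_dir/sha256sums"
verify_sdk_checksum "$demo_dir/sha256sums" "$demo_dir/lede-sdk-demo.tar.xz"
```

In practice you would fetch the sha256sums file from the same directory as the SDK and chain the check in front of the extraction, e.g. `verify_sdk_checksum sha256sums lede-sdk-17.01.4-lantiq-xrx200_gcc-5.4.0_musl-1.1.16.Linux-x86_64.tar.xz && tar xvf lede-sdk-17.01.4-lantiq-xrx200_gcc-5.4.0_musl-1.1.16.Linux-x86_64.tar.xz`, so the unpack only happens on a match.<br />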
<br />
The default feeds will be targeted at 17.01.4 and hence be missing fping - however the current master branch has fping available - so we'll add the following line to feeds.conf.default to ensure it's indexed / available:<br />
<br />
<blockquote class="tr_bq">
src-git fping https://github.com/openwrt/packages.git</blockquote>
<br />
Update the feeds (as defined in feeds.conf.default):<br />
<br />
<blockquote class="tr_bq">
./scripts/feeds update -a</blockquote>
<br />
and grab fping with:<br />
<br />
<blockquote class="tr_bq">
./scripts/feeds install fping</blockquote>
<br />
We'll generate our config file:<br />
<br />
<blockquote class="tr_bq">
make menuconfig</blockquote>
<br />
Select 'Network' and ensure the fping package is marked with an 'M' and then save the changes to '.config'<br />
<br />
Also make sure that cryptographic signing is disabled (otherwise the build process will fail): 'Global build settings' > Untick 'Cryptographically sign package lists' and hit Save.<br />
<br />
We'll now attempt to compile fping:<br />
<br />
<blockquote class="tr_bq">
make -j1 V=s</blockquote>
<br />
The binary is created in the following directory:<br />
<br />
<blockquote class="tr_bq">
bin/packages/mips_24kc/fping/</blockquote>
<br />
Finally upload the package via SFTP/SCP to the router and install it with opkg:<br />
<br />
<blockquote class="tr_bq">
opkg install fping_4.2-1_mips_24kc.ipk</blockquote>
<br />
<b>Linux: Backup Options</b> (2019-05-08)<br />
<br />
There are countless ways to back up disks easily with Linux - however I'm going to demonstrate some of the more commonly used methods.<br />
<br />
<b>Note: </b>Always ensure the disks are not in use / mounted while performing the below operations, otherwise it is likely that new / changed files will be corrupted and you will run into problems with the file system.<br />
<br />
<b>Backing up a disk with dd </b><br />
<b><br /></b>
sudo dd if=/dev/xvda of=/mnt/usbdrive/xvda.img && sync<br />
<br />
or better yet we can use a <b>sane block size</b> (dd uses 512 bytes by default):<br />
<br />
sudo dd bs=16M if=/dev/xvda of=/mnt/usbdrive/xvda.img && sync<br />
<br />
<b>Backing up a disk with dd over ssh</b><br />
<br />
Utilising SSH provides us with encryption - ideal for remote backups e.g. over public networks:<br />
<br />
ssh user@remote "sudo dd if=/dev/xvda1" | dd of=backup.img<br />
<div>
<br /></div>
However it does introduce an <b>overhead due to the encryption</b> - so we can compress the stream on the remote side before it is sent, which reduces the amount of data that has to be encrypted and transferred:<br />
<br />
ssh user@remote "sudo dd if=/dev/xvda1 | gzip -1 -" | dd of=backup.img.gz<br />
<br />
<b>Backing up a mounted system with rsync</b><br />
<div>
<br /></div>
<div>
If the system is currently mounted we can use rsync to perform a backup (ensuring we exclude certain directories such as /dev, /mnt etc):</div>
<div>
<br /></div>
<div>
sudo rsync -aAXv / --exclude={"/dev/*","/proc/*","/sys/*","/tmp/*","/run/*","/mnt/*","/media/*","/lost+found"} /mnt</div>
<div>
<br /></div>
<div>
In the above command we employ 'archive' mode (-a) together with -A and -X, which ensures symbolic links, devices, permissions, ownerships, modification times, ACLs, and extended attributes are preserved.<br />
<br />
<b>and rsync over SSH</b><br />
<br />
sudo rsync -aAXve ssh user@remote:/ --exclude={"/dev/*","/proc/*","/sys/*","/tmp/*","/run/*","/mnt/*","/media/*","/lost+found"} /mnt<br />
<br />
There are of course many other ways to skin a cat, e.g. using netcat (which is significantly faster than dd over SSH, but lacks encryption.) </div>
<div>
<br /></div>
<div>
<b>Sources</b></div>
<div>
<b><br /></b></div>
<div>
<a href="https://www.ostechnix.com/backup-entire-linux-system-using-rsync/">https://www.ostechnix.com/backup-entire-linux-system-using-rsync/</a></div>
<b>Uploading ISOs to storage domains in oVirt</b> (2019-04-18)<br />
<br />
oVirt currently doesn't allow you to upload ISOs over its web interface - you'll need to use the CLI to do this.<br />
<br />
If you wish to upload an ISO to an ISO storage domain you should issue:<br />
<br />
engine-iso-uploader --iso-domain <storage-domain-name> upload <path-to-iso><br />
<br />
<br />
<b>[CENTOS] Displaying messages in the mail queue and manually flushing them</b> (2019-04-10)<br />
<br />
The mail queue can be listed with simply:<br />
<br />
<blockquote class="tr_bq">
mailq</blockquote>
<br />
Alternatively, if you are after a count of messages that have been deferred for whatever reason, you can issue:<br />
<br />
<blockquote class="tr_bq">
find /var/spool/postfix/deferred -type f | wc -l</blockquote>
<br />
and to attempt to resend them we can issue:<br />
<br />
<blockquote class="tr_bq">
postqueue -f</blockquote>
<b>Preventing kernel modules from being loaded at the bootloader / grub in CentOS 7 / RHEL</b> (2019-04-09)<br />
<br />
Although this is typically done with modprobe configuration, there are situations where a specific kernel module must be disabled before the kernel is even booted. One such situation was while I was installing a fresh instance of CentOS on an older server.<br />
<br />
At the CentOS bootloader select the relevant entry and hit tab. You should now be able to edit the Linux kernel (vmlinuz) boot parameters.<br />
<br />
Simply append:<br />
<br />
<blockquote class="tr_bq">
module_blacklist=<module_name></blockquote>
<br />
and hit enter.<br />
<br />
This should theoretically work on all modern kernels / distros - so is not just limited to CentOS / RHEL.<br />
<br />
<b>Source: https://www.kernel.org/doc/Documentation/admin-guide/kernel-parameters.txt</b><br />
<br />
<b>Using yum to download a package and all its associated dependencies</b> (2019-03-16)<br />
<br />
This tutorial will demonstrate how to do a download-only of a package and <b>all </b>of its dependencies.<br />
<br />
To elaborate - I recently installed Fedora 29 on a Macbook, but unfortunately there was no native support for the WLAN driver.<br />
<br />
However it was available from RPMFusion, packaged as 'akmod-wl'. Downloading this and all of its dependencies by hand would have taken a long time, so instead we can use a plugin for yum called 'yum-downloadonly':<br />
<br />
yum install yum-downloadonly<br />
<br />
We can then issue something like the following to download the required packages on a working computer which is running Fedora 29 (though ensure it is running exactly the same minor version as well!):<br />
<br />
sudo yum install --downloadonly --downloaddir=/tmp akmod-wl<br />
<br />
However this is not ideal: yum only downloads the packages that the working system itself still needs, so any dependency already installed on that system is omitted from the download (and will then be missing on the fresh install).<br />
<br />
So instead I came up with the idea of quickly building a chroot jail with just the basic packages needed to get yum up and running (this mimics the newly installed OS):<br />
<br />
mkdir -p /chroot/fedora29/var/lib/rpm<br />
<br />
rpm --root /chroot/fedora29 --initdb<br />
<br />
yumdownloader --destdir=/var/tmp fedora-release<br />
cd /var/tmp<br />
rpm --root /chroot/fedora29 -ivh --nodeps fedora-release*rpm<br />
<br />
sudo yum install --installroot=/chroot/fedora29 --downloadonly --downloaddir=/tmp akmod-wl<br />
<br />
Then copy everything from the temp folder onto the new workstation and issue:<br />
<br />
rpm -i *<br />
<br />
<b>Generating a new UUID for XFS/EXT2/3/4 filesystems</b> (2019-03-15)<br />
<br />
Although very rare, there will be circumstances where you encounter duplicate filesystem UUIDs.<br />
<br />
Upon mounting one e.g.:<br />
<br />
mount -t auto /dev/sdb1<br />
<br />
<i>mount: wrong fs type, bad option, bad superblock on /dev/sdb1</i><br />
<div>
<br /></div>
<div>
Tailing dmesg provides the clue as to what has gone wrong:</div>
<div>
<br /></div>
<div>
<div>
<i>[ 1103.580854] XFS (xvdp1): Filesystem has duplicate UUID xxxxxx-yyyyyy-zzzzz-aaaa-bbbbbbbbbbb - can't mount</i></div>
</div>
<div>
<br /></div>
<div>
So we'll need to change the UUID of one of the disks - to do this with an <b>XFS filesystem</b> we can use:</div>
<div>
<br /></div>
<div>
xfs_admin -U generate /dev/sdb1</div>
<div>
<br /></div>
<div>
and with the <b>EXT family</b> we can use:</div>
<div>
<br /></div>
<div>
uuidgen</div>
<div>
<br /></div>
<div>
<i><generated UUID></i></div>
<div>
<br /></div>
<div>
tune2fs /dev/xvdp1 -U <i><</i>generated UUID></div>
<div>
<br /></div>
<div>
Finally attempt to remount:</div>
<div>
<br /></div>
<div>
mount -t auto /dev/sdb1</div>
<b>Checking switch port bandwidth utilisation with SNMP / Nagios</b> (2019-03-12)<br />
<br />
In order to monitor port bandwidth utilization on Cisco switches via SNMP we'll firstly need to install a plugin from the Nagios Exchange called '<a href="https://exchange.nagios.org/directory/Plugins/Network-Connections%2C-Stats-and-Bandwidth/iftraffic2/details">iftraffic2</a>':<br />
<br />
Download and install the plugin:<br />
<br />
cd /usr/local/nagios/libexec<br />
curl -o check_iftraffic "https://exchange.nagios.org/components/com_mtree/attachment.php?link_id=1720&cf_id=24"<br />
chmod +x check_iftraffic<br />
<br />
The usage for the plugin is as follows:<br />
<br />
./check_iftraffic -H <hostname> -C <community-string> -r -i <interface-name> -b <interface-capacity> -u <interface-unit> -w <warning-limit-percentage> -c <critical-limit-percentage><br />
<br />
We'll need to obtain the interface name of the interface we wish to poll - we can use snmpwalk to do this for us:<br />
<br />
yum -y install net-snmp-utils<br />
snmpwalk -v 2c -c <community-string> <hostname> 1.3.6.1.2.1.2.2.1.2<br />
<br />
> IF-MIB::ifDescr.67 = STRING: Port-channel1<br />
> IF-MIB::ifDescr.68 = STRING: Port-channel2<br />
> IF-MIB::ifDescr.69 = STRING: Port-channel3<br />
> IF-MIB::ifDescr.70 = STRING: Port-channel4<br />
...<br />
<br />
Note: '1.3.6.1.2.1.2.2.1.2' is the OID for interface descriptions - more information can be found <a href="http://cric.grenoble.cnrs.fr/Administrateurs/Outils/MIBS/?oid=1.3.6.1.2.1.2.2.1.2">here</a>.<br />
<br />
We'll also need the interface capacity:<br />
<br />
snmpwalk -v 2c -c <community-string> <hostname> 1.3.6.1.2.1.2.2.1.5<br />
<br />
> IF-MIB::ifSpeed.67 = Gauge32: 2000000000<br />
> IF-MIB::ifSpeed.68 = Gauge32: 2000000000<br />
> IF-MIB::ifSpeed.69 = Gauge32: 2000000000<br />
> IF-MIB::ifSpeed.70 = Gauge32: 2000000000<br />
<br />
Now note that the OID '1.3.6.1.2.1.2.2.1.5' returns the interface capacity in bits per second - so we'll need to convert this to gigabits per second (as the plugin doesn't support bits per second) - so we do:<br />
<br />
2000000000 / 1000000000 = 2 (Gigabits)<br />
<br />
For this example we'll use 'Port-channel1' - so the plugin would be executed as follows:<br />
<br />
./check_iftraffic -H <hostname> -C <community-string> -r -i Port-channel1 -b 2 -u g -w 70 -c 85<br />
<br />
The -b switch specifies our 2 Gbps and the -u switch instructs the plugin that we are giving the measurements in Gigabits.<br />
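Working out the -b / -u arguments by hand for every uplink gets tedious, so here is an added example (not from the original post or from the iftraffic2 plugin) that parses the two snmpwalk listings above, joins ifDescr to ifSpeed on their ifIndex and converts the speed to gigabits for the plugin. The snmpwalk output it runs on is constructed inline in the shape shown above (the Port-channel2 and GigabitEthernet1/0/1 values are made up); in real use you would substitute the live output of the two walks.<br />

```shell
#!/bin/sh
# Added example: derive the iftraffic2 "-b <capacity> -u g" arguments from
# snmpwalk output by joining ifDescr and ifSpeed on their ifIndex.

# Constructed sample output (same shape as the walks in the post; the speeds
# for .68 and .1 are made up to exercise the edge cases below).
IFDESCR_SAMPLE='IF-MIB::ifDescr.67 = STRING: Port-channel1
IF-MIB::ifDescr.68 = STRING: Port-channel2
IF-MIB::ifDescr.1 = STRING: GigabitEthernet1/0/1'
IFSPEED_SAMPLE='IF-MIB::ifSpeed.67 = Gauge32: 2000000000
IF-MIB::ifSpeed.68 = Gauge32: 4294967295
IF-MIB::ifSpeed.1 = Gauge32: 100000000'

# if_index <ifDescr-output> <interface-name>  -> prints the ifIndex
# The index is the last dotted component of the OID name; the description is
# everything after "STRING: " (so names containing spaces still match).
if_index() {
    printf '%s\n' "$1" | awk -v name="$2" '
        { n = split($1, oid, "."); idx = oid[n]
          sub(/^.*STRING: /, "")
          if ($0 == name) { print idx; exit } }'
}

# if_speed_bps <ifSpeed-output> <ifIndex>  -> prints ifSpeed in bits/s
if_speed_bps() {
    printf '%s\n' "$1" | awk -v want="$2" '
        { n = split($1, oid, "."); if (oid[n] == want) { print $NF; exit } }'
}

# bps_to_gbps <bits-per-second>  -> prints gigabits/s without trailing zeros
bps_to_gbps() {
    awk -v b="$1" 'BEGIN { printf "%g\n", b / 1000000000 }'
}

# capacity_args <ifDescr-output> <ifSpeed-output> <interface-name>
# Prints "-b <Gbps> -u g" for the plugin. ifSpeed is a 32-bit gauge that pegs
# at 4294967295 for links faster than about 4.29 Gbit/s; for those you should
# walk ifHighSpeed (1.3.6.1.2.1.31.1.1.1.15, in Mbit/s) instead, so the
# saturated value is refused rather than turned into a wrong capacity.
capacity_args() {
    idx=$(if_index "$1" "$3")
    [ -n "$idx" ] || { echo "interface '$3' not found" >&2; return 1; }
    bps=$(if_speed_bps "$2" "$idx")
    [ -n "$bps" ] || { echo "no ifSpeed for index $idx" >&2; return 1; }
    if [ "$bps" -ge 4294967295 ]; then
        echo "ifSpeed saturated for '$3'; use ifHighSpeed" >&2
        return 1
    fi
    printf '%s %s -u g\n' -b "$(bps_to_gbps "$bps")"
}

capacity_args "$IFDESCR_SAMPLE" "$IFSPEED_SAMPLE" Port-channel1   # -b 2 -u g
```

The output of capacity_args can be spliced straight into the plugin invocation (`./check_iftraffic -H <hostname> -C <community-string> -r -i Port-channel1 $(capacity_args "$descr" "$speed" Port-channel1) -w 70 -c 85`), and the saturation check is the caveat worth keeping: a 10 Gbit/s uplink reports 4294967295 in ifSpeed, so feeding that through the conversion would silently understate the capacity and every utilisation percentage derived from it.<br />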
<br />
If successful you should have something like the following:<br />
<br />
> Total RX Bytes: 1000.00 MB, Total TX Bytes: 2000.00 MB<br>Average Traffic: 5.75 MB/s (2.2%) in, 1.48 MB/s (0.6%) out| inUsage=2.2,50,70 outUsage=0.6,50,70 inAbsolut=10000000 outAbsolut=20000000<br />
<br />
Now we simply need to setup the respective command and service definitions in nagios e.g.:<br />
<br />
### commands.conf<br />
<br />
# check switch port bandwidth<br />
define command{<br />
command_name check_bandwidth<br />
command_line /usr/local/nagios/libexec/check_iftraffic -H $HOSTADDRESS$ -C $ARG1$ -r -i $ARG2$ -b $ARG3$ -u g -w 50 -c 70<br />
}<br />
<br />
### switches.conf<br />
<br />
define service{<br />
use generic-service<br />
host_name SWITCH-STACK<br />
service_description HHSVRSTK Uplink: Bandwidth Utilization<br />
check_command check_bandwidth!<community-string>!Port-channel1!2<br />
normal_check_interval 1<br />
retry_check_interval 1<br />
}