know-how:linux

btrfs

  • In production use at Pannonia IT since Debian Jessie with the backports kernel (4.6)

Creating

  • Done on Debian stretch with the 4.9 kernel
apt-get install btrfs-tools
mkfs.btrfs -L storage /dev/vdb

fstab:
/dev/vdb /mnt/storage  btrfs  defaults 	0	2

mount /dev/vdb
btrfs quota enable /mnt/storage/
cd /mnt/storage
btrfs subvolume create shared

Maintenance

  • Tested on Debian jessie with the 4.9 kernel and on buster with the 4.19 / 5.2 kernel
  • Check BTRFS metadata / verify checksums
btrfs scrub start -B DEVICE
  • Show qgroup usage per subvolume: btrfsQuota.sh (used by the clear-qgroups cron job below)
#!/bin/bash

[[ ! -d $1 ]] && { echo "Please pass mountpoint as first argument" >&2 ; exit 1 ; }

# map subvolume ID -> path; line format: ID <id> gen <gen> top level <parent> path <path>
while read x i x g x x l x p
do
    volName[i]=$p
done < <(btrfs subvolume list "$1")

# columns of "btrfs qgroup show": qgroupid rfer excl max_rfer (two header lines skipped)
while read g r e f
do
    [[ -z $name ]] && echo -e "subvol\tqgroup\ttotal\tunshared\tmaximum"
    group=${g##*/}
    # a level-0 qgroup without a subvolume of the same ID is left over from a deleted subvolume
    [[ -n ${volName[group]} ]] && name=${volName[group]} || name='(unknown)'
    echo $name $g $r $e $f
done < <(btrfs qgroup show --human-readable "$1" | tail -n+3) | column -t
  • Delete qgroups that are no longer needed / clear-qgroups cron job
SHELL=/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

00 20	1 * *	root	for e in $(btrfsQuota.sh /mnt/storage | grep unknown | awk '{ print $2 }') ; do btrfs qgroup destroy $e /mnt/storage ; done
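The cron job above relies on the "(unknown)" marker that btrfsQuota.sh prints for a level-0 qgroup whose subvolume no longer exists. The following added example (not the page's script) shows the same matching logic in a self-contained form that runs without a btrfs filesystem: it parses constructed sample output of `btrfs subvolume list` and `btrfs qgroup show --human-readable` (btrfs-progs 4.x column layout assumed) instead of calling btrfs, and only prints the destroy commands as a dry run. One caveat it handles: qgroup 0/5 belongs to the top-level subvolume, which `btrfs subvolume list` never prints, so the page's script reports it as (unknown) and the cron job would attempt to destroy it every month; the example skips ID 5.

```shell
#!/bin/sh
# Added example, not part of the page: find level-0 qgroups whose subvolume is gone.
# Both inputs are constructed samples in the output formats of "btrfs subvolume list"
# and "btrfs qgroup show --human-readable" (btrfs-progs 4.x column layout assumed).

SAMPLE_SUBVOL_LIST='ID 257 gen 1200 top level 5 path shared
ID 258 gen 1201 top level 5 path daten
ID 260 gen 1210 top level 258 path daten/.snapshots/@GMT_2019.05.01-20.00.00'

# 0/259 has no matching "ID 259" line above: its subvolume was deleted, the qgroup remains
SAMPLE_QGROUP_SHOW='qgroupid         rfer         excl     max_rfer
--------         ----         ----     --------
0/5           16.00KiB     16.00KiB         none
0/257          1.50GiB    512.00MiB         none
0/258          8.00GiB      7.90GiB         none
0/259          2.00GiB        0.00B         none
0/260          8.00GiB     40.00MiB         none'

# stale_qgroups SUBVOL_LIST_TEXT QGROUP_SHOW_TEXT
# Prints one stale level-0 qgroup id (e.g. 0/259) per line.
stale_qgroups() {
    printf '%s\n' "$2" | awk -v subvols="$1" '
        BEGIN {
            n = split(subvols, line, "\n")
            for (i = 1; i <= n; i++) {
                # ID <id> gen <gen> top level <parent> path <path>
                split(line[i], f, " ")
                if (f[1] == "ID") exists[f[2]] = 1
            }
            exists["5"] = 1   # top-level subvolume: real, but never listed
        }
        $1 ~ /^0\// {         # level-0 qgroups only; header and separator lines are skipped
            id = substr($1, 3)
            if (!(id in exists)) print $1
        }'
}

# destroy_commands MOUNTPOINT SUBVOL_LIST_TEXT QGROUP_SHOW_TEXT
# Dry run: prints the "btrfs qgroup destroy" commands the cron job would execute,
# one per stale qgroup, without running them.
destroy_commands() {
    stale_qgroups "$2" "$3" | while IFS= read -r qg; do
        printf 'btrfs qgroup destroy %s %s\n' "$qg" "$1"
    done
}

# stand-alone run against the constructed samples; /mnt/storage is the page's mount point
destroy_commands /mnt/storage "$SAMPLE_SUBVOL_LIST" "$SAMPLE_QGROUP_SHOW"
```

To use it against a live filesystem, feed `stale_qgroups` the real output of the two btrfs commands and review the printed commands before running any of them; a qgroup that still has limits or relations you care about is not necessarily garbage just because its subvolume is gone.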
  • Create snapshots: createSnapshot.sh
#!/bin/bash

# create a read-only snapshot of subvolume $1 below $1/.snapshots, named in the @GMT_ timestamp scheme
btrfs subvolume snapshot -r "$1" "$1/.snapshots/@GMT_$(date +%Y.%m.%d-%H.%M.%S)"

exit $?
  • Delete snapshots: clearLastSnapshot.sh
#!/bin/bash

function usage
{
    echo "Usage, keep this number of snapshots: $0 LocalMountPoint LocalSubvolumeName DesiredSnapshotCount"
    echo "Usage, show number of snapshots:      $0 LocalMountPoint LocalSubvolumeName"
    echo "Example: $0 /mnt/storage daten 3"
    exit 1
}

LOCAL_MOUNT_POINT=$1
LOCAL_SUBVOLUME=$2
DESIRED_SNAPSHOTS=$3

[[ $# != 3 && $# != 2 ]] && usage

[[ ! -d $LOCAL_MOUNT_POINT ]] && echo "Couldn't validate local btrfs subvolume mountpoint: $LOCAL_MOUNT_POINT" && exit 2

# read-only snapshots (-r) below .snapshots (-o), oldest generation first
CURRENT_NR_SNAPSHOTS=$(btrfs subvolume list "$LOCAL_MOUNT_POINT/$LOCAL_SUBVOLUME/.snapshots" -r -o --sort=+gen | wc -l)

[[ "$CURRENT_NR_SNAPSHOTS" == 0 ]] && echo "Couldn't acquire number of snapshots from $LOCAL_MOUNT_POINT/$LOCAL_SUBVOLUME/.snapshots" && exit 2

[[ $# == 2 ]] && echo -e "Mount Point: $LOCAL_MOUNT_POINT\nSubvolume: $LOCAL_SUBVOLUME\nCurrent Snapshots: $CURRENT_NR_SNAPSHOTS" && exit 0

REGEX_NUMBER='^[0-9]+$'

[[ ! $DESIRED_SNAPSHOTS =~ $REGEX_NUMBER ]] && echo "That's not a valid number: $DESIRED_SNAPSHOTS" && exit 2

[[ $((CURRENT_NR_SNAPSHOTS - DESIRED_SNAPSHOTS)) -le 0 ]] && echo -e "Deletion not needed\nMount Point: $LOCAL_MOUNT_POINT\nSubvolume: $LOCAL_SUBVOLUME\nCurrent Snapshots: $CURRENT_NR_SNAPSHOTS\nDesired: $DESIRED_SNAPSHOTS" && exit 0

NR_SNAPSHOTS_REMOVE=$((CURRENT_NR_SNAPSHOTS - DESIRED_SNAPSHOTS))

# the oldest NR_SNAPSHOTS_REMOVE snapshots; field 9 of the listing is the path relative to the filesystem root
CURRENT_SNAPSHOTS=$(btrfs subvolume list "$LOCAL_MOUNT_POINT/$LOCAL_SUBVOLUME/.snapshots" -r -o --sort=+gen | head -n "$NR_SNAPSHOTS_REMOVE" | cut -d' ' -f 9)

for snap in $CURRENT_SNAPSHOTS
do
    btrfs subvolume delete --commit-after "$LOCAL_MOUNT_POINT/$snap"
done

btrfs filesystem sync "$LOCAL_MOUNT_POINT"

Deduplication

  • Tested on Debian buster with the 4.19 kernel
  • Can take very long with larger amounts of data / "cannot allocate memory" bug
jdupes -B -r  PFAD_BTRFS_VOLUME
  • Tested on Debian buster with the 5.2 backports kernel
  • It ran out of memory during the test (3GB RAM / 4GB swap / >600k files) and the OOM killer terminated the process
duperemove  -r -d --hashfile=PFAD/btrfs_hashes.hashes PFAD_BTRFS_VOLUME

Apache2 - external auth helper with a script

  • Tested on Raspbian Buster
  • exit code 0 → authentication successful
  • exit code != 0 → authentication failed
  • Excerpt from the Apache2 vhost configuration:
<VirtualHost *:80>
        ....
        ....
        DocumentRoot /var/www/administration

        <Directory /var/www/administration/>
                AuthType Basic
                AuthName "Bitte Passwort eingeben"
                AuthBasicProvider external
                AuthExternal pwauth
                require valid-user
        </Directory>

        AddExternalAuth pwauth /usr/local/bin/check_kids_auth.php
        SetExternalAuthMethod pwauth pipe
        .....
        .....
</VirtualHost>
  • check_kids_auth.php
#!/usr/bin/php
<?php

# expected to define LOCATION_PASSWD_FILE and USERNAME_LOGIN
require_once("/var/www/config.php");

# mod-auth-external "pipe" method: Apache writes "username\n" and "password\n" to stdin
$auth_data = file("php://stdin");

if(count($auth_data) != 2)
{
	exit(1);
}

$USERNAME=trim($auth_data[0]);
$PASSWORD=trim($auth_data[1]);

# no password file yet: we assume the system is being initialized and let the login through
if(!is_readable(LOCATION_PASSWD_FILE))
{
	exit(0);
}

# the file holds a single password_hash() result
$passwd_hash=file_get_contents(LOCATION_PASSWD_FILE);

# exit code 0 = authenticated, anything else = rejected
if($USERNAME==USERNAME_LOGIN && password_verify($PASSWORD,$passwd_hash))
{
	exit(0);
}
exit(1);

?>

Nvidia Optimus / enabling the Nvidia card (Kali Linux)

2017-03-23 #1
TiGER511

[TUTORIAL] Installing official NVIDIA driver in Optimus laptop

    After spending 4 days in a row, I was finally able to install and run the official NVIDIA driver on my HP Envy 15 laptop. Here are my specs:

    CPU: Intel core i7-4510U CPU
    GPU #1: Intel HD Graphics 4400
    GPU #2: NVIDIA GeForce GTX 850M

    My system:
    Code:

    root@linux:~# uname -a
    Linux linux 4.9.0-kali3-amd64 #1 SMP Debian 4.9.13-1kali3 (2017-03-13) x86_64 GNU/Linux

    Code:

    root@linux:~# cat /etc/*release*
    DISTRIB_ID=Kali
    DISTRIB_RELEASE=kali-rolling
    DISTRIB_CODENAME=kali-rolling
    DISTRIB_DESCRIPTION="Kali GNU/Linux Rolling"
    PRETTY_NAME="Kali GNU/Linux Rolling"
    NAME="Kali GNU/Linux"
    ID=kali
    VERSION="2016.2"
    VERSION_ID="2016.2"
    ID_LIKE=debian
    ANSI_COLOR="1;31"
    HOME_URL="http://www.kali.org/"
    SUPPORT_URL="http://forums.kali.org/"
    BUG_REPORT_URL="http://bugs.kali.org/"

    Before we begin, a couple of notes:

    ***USE AT YOUR OWN RISK***
    *This tutorial is for the official NVIDIA driver, not Bumblebee
    *The tutorial found on the official Kali website is BROKEN! It never works for Optimus/hybrid-graphics-enabled laptops

    1. Verify you have hybrid graphics

    Code:

    lspci | grep -E "VGA|3D"

    00:02.0 VGA compatible controller: Intel Corporation Haswell-ULT Integrated Graphics Controller (rev 0b)
    0a:00.0 3D controller: NVIDIA Corporation GM107M [GeForce GTX 850M] (rev a2)

    2. Disable nouveau
    Code:

    echo -e "blacklist nouveau\noptions nouveau modeset=0\nalias nouveau off" > /etc/modprobe.d/blacklist-nouveau.conf

    update-initramfs -u && reboot

    3. The system will reboot and nouveau should be disabled. Verify that nouveau is disabled:
    Code:

    lsmod |grep -i nouveau

    If it shows nothing, nouveau was successfully disabled.

    4. Install the nvidia driver from the Kali repo:

    Code:

    apt-get install  nvidia-driver nvidia-xconfig

    You can also download the latest .run file from the nvidia website, execute it and proceed with the installation. Whether it's from the Kali repo or the nvidia website, the procedure is the same.

    5. Now we have to find the bus ID of our nvidia card:
    Code:

    nvidia-xconfig --query-gpu-info | grep 'BusID : ' | cut -d ' ' -f6

    it should show something like this:
    Code:

    PCI:10:0:0

    This is our Bus ID.
    6. Now we generate the /etc/X11/xorg.conf file with this bus ID according to the nvidia guide http://us.download.nvidia.com/XFree8...E/randr14.html:
    Code:

    Section "ServerLayout"
        Identifier "layout"
        Screen 0 "nvidia"
        Inactive "intel"
    EndSection

    Section "Device"
        Identifier "nvidia"
        Driver "nvidia"
        BusID "PCI:10:0:0"
    EndSection

    Section "Screen"
        Identifier "nvidia"
        Device "nvidia"
        Option "AllowEmptyInitialConfiguration"
    EndSection

    Section "Device"
        Identifier "intel"
        Driver "modesetting"
    EndSection

    Section "Screen"
        Identifier "intel"
        Device "intel"
    EndSection

    Replace the bold string with your Bus ID and save it to /etc/X11/xorg.conf

    7. Now we have to create some scripts according to our display manager https://wiki.archlinux.org/index.php...splay_Managers. Since I'm using the default Kali Linux desktop, which is GDM, I created two files:
    /usr/share/gdm/greeter/autostart/optimus.desktop
    /etc/xdg/autostart/optimus.desktop
    with the following content:
    Code:

    [Desktop Entry]
    Type=Application
    Name=Optimus
    Exec=sh -c "xrandr --setprovideroutputsource modesetting NVIDIA-0; xrandr --auto"
    NoDisplay=true
    X-GNOME-Autostart-Phase=DisplayServer

    8. Now reboot and you should be using the Nvidia driver. Verify that everything is OK:
    Code:

    root@kali:~# glxinfo | grep -i "direct rendering"

    direct rendering: Yes

    Optional: you can now install your cuda toolkits:
    Code:

    apt-get install ocl-icd-libopencl1 nvidia-cuda-toolkit

    FIXING SCREEN TEARING ISSUE:
    After you successfully boot up with the Nvidia driver, you are most probably experiencing a screen tearing issue, e.g. when playing videos in VLC, YouTube videos in Chrome/Firefox etc. Luckily, we can fix this by enabling PRIME Sync.

    1. Verify that PRIME is disabled
    Code:

    xrandr --verbose|grep PRIME

    it should output something like this:
    PRIME Synchronization: 0
    PRIME Synchronization: 1

    The first one is our connected display. So PRIME sync is disabled.
    2. Edit /etc/default/grub and append nvidia-drm.modeset=1 to GRUB_CMDLINE_LINUX_DEFAULT after quiet, like the following:
    Code:

    ....
    GRUB_CMDLINE_LINUX_DEFAULT="quiet nvidia-drm.modeset=1"
    ...

    3. Save the changes. Update grub
    Code:

    update-grub

    4.Reboot your system.
    5.Verify if PRIME is enabled:
    Code:

    xrandr --verbose|grep PRIME

    Now it should output:
    PRIME Synchronization: 1
    PRIME Synchronization: 1

    If it still shows 0 for you, then there is probably something wrong with your system config/kernel. Since this is still an experimental feature from Nvidia, you are out of luck.

    ***IF YOU ARE STUCK IN THE BOOT SCREEN***
    Revert what we have done so far:
    Press CTRL+ALT+F2 or CTRL+ALT+F3, log in with your password.
    Code:

    apt-get remove --purge nvidia*
    rm -rf /etc/X11/xorg.conf

    Remove those display manager files we created earlier (for GDM):
    Code:

    rm -rf /usr/share/gdm/greeter/autostart/optimus.desktop
    rm -rf /etc/xdg/autostart/optimus.desktop

    Now reboot. You should be able to get back to your old system.

    Last edited by TiGER511; 2017-04-04 at 17:59. Reason: Screen tearing fix added. 

  • Needed so that hashcat works!!
  • Afterwards the CUDA card also shows up in clinfo!
apt-get install nvidia-cuda-doc nvidia-opencl-icd

Google Chrome repository (Debian, Ubuntu)

Content:
### THIS FILE IS AUTOMATICALLY CONFIGURED ###
# You may comment out this entry, but any other modifications may be lost.
deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main

Selecting the "default" program, e.g. the Java JRE

  • update-alternatives --display java
  • update-alternatives --config java
root@mrChief:/home/urnilxfgbez# update-alternatives --display java
java - manual mode
  link best version is /usr/lib/jvm/java-11-openjdk-amd64/bin/java
  link currently points to /usr/lib/jvm/jdk-8-oracle-x64/jre/bin/java
  link java is /usr/bin/java
  slave java.1.gz is /usr/share/man/man1/java.1.gz
/usr/lib/jvm/java-10-openjdk-amd64/bin/java - priority 1101
  slave java.1.gz: /usr/lib/jvm/java-10-openjdk-amd64/man/man1/java.1.gz
/usr/lib/jvm/java-11-openjdk-amd64/bin/java - priority 1111
  slave java.1.gz: /usr/lib/jvm/java-11-openjdk-amd64/man/man1/java.1.gz
/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java - priority 1081
  slave java.1.gz: /usr/lib/jvm/java-8-openjdk-amd64/jre/man/man1/java.1.gz
/usr/lib/jvm/java-9-openjdk-amd64/bin/java - priority 1091
  slave java.1.gz: /usr/lib/jvm/java-9-openjdk-amd64/man/man1/java.1.gz
/usr/lib/jvm/jdk-8-oracle-x64/jre/bin/java - priority 318
  slave java.1.gz: /usr/lib/jvm/jdk-8-oracle-x64/man/man1/java.1.gz

root@mrChief:/home/urnilxfgbez# /usr/lib/jvm/jdk-8-oracle-x64/jre/bin/java -version
java version "1.8.0_51"
Java(TM) SE Runtime Environment (build 1.8.0_51-b16)
Java HotSpot(TM) 64-Bit Server VM (build 25.51-b03, mixed mode)

root@mrChief:/home/urnilxfgbez# java -version
java version "1.8.0_51"
Java(TM) SE Runtime Environment (build 1.8.0_51-b16)
Java HotSpot(TM) 64-Bit Server VM (build 25.51-b03, mixed mode)


root@mrChief:/home/urnilxfgbez# update-alternatives --config java
There are 5 choices for the alternative java (providing /usr/bin/java).

  Selection    Path                                            Priority   Status
------------------------------------------------------------
  0            /usr/lib/jvm/java-11-openjdk-amd64/bin/java      1111      auto mode
  1            /usr/lib/jvm/java-10-openjdk-amd64/bin/java      1101      manual mode
  2            /usr/lib/jvm/java-11-openjdk-amd64/bin/java      1111      manual mode
  3            /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java   1081      manual mode
  4            /usr/lib/jvm/java-9-openjdk-amd64/bin/java       1091      manual mode
* 5            /usr/lib/jvm/jdk-8-oracle-x64/jre/bin/java       318       manual mode

Press <enter> to keep the current choice[*], or type selection number: 0
update-alternatives: using /usr/lib/jvm/java-11-openjdk-amd64/bin/java to provide /usr/bin/java (java) in auto mode


root@mrChief:/home/urnilxfgbez# java -version
openjdk version "11.0.3" 2019-04-16
OpenJDK Runtime Environment (build 11.0.3+1-Debian-1)
OpenJDK 64-Bit Server VM (build 11.0.3+1-Debian-1, mixed mode, sharing


-> the same with javaws for Web Start

XFCE4

  • If the desktop is not "redrawn" and shows no icons etc.: rm -rf ~/.cache/sessions/*

Adding a CA certificate (Debian, Ubuntu)

  • Tested on Debian stretch
  • CA certificate in PEM format
  • With dpkg-reconfigure ca-certificates → ASK → select the certificate and OK - the output should state that one certificate was added
  • Can be tested e.g. with wget against a site whose certificate was signed by that CA
root@mrAdblock:/tmp# mkdir /usr/share/ca-certificates/extra
root@mrAdblock:/tmp# vim /usr/share/ca-certificates/extra/pannoniait.crt
root@mrAdblock:/tmp# dpkg-reconfigure ca-certificates

xfreerdp-helper-freerdp2

  • Quick and dirty
    • Hostname either directly via the CLI or via zenity
    • Username and password always via zenity
  • rdpc.sh
#!/bin/bash

# xfreerdp exit codes (XF_EXIT values of the xfreerdp client), shown in the error dialog below
infoCodes=$(cat << EOF
/* section 0-15: protocol-independent codes */
XF_EXIT_SUCCESS = 0,
XF_EXIT_DISCONNECT = 1,
XF_EXIT_LOGOFF = 2,
XF_EXIT_IDLE_TIMEOUT = 3,
XF_EXIT_LOGON_TIMEOUT = 4,
XF_EXIT_CONN_REPLACED = 5,
XF_EXIT_OUT_OF_MEMORY = 6,
XF_EXIT_CONN_DENIED = 7,
XF_EXIT_CONN_DENIED_FIPS = 8,
XF_EXIT_USER_PRIVILEGES = 9,
XF_EXIT_FRESH_CREDENTIALS_REQUIRED = 10,
XF_EXIT_DISCONNECT_BY_USER = 11,
/* section 16-31: license error set */
XF_EXIT_LICENSE_INTERNAL = 16,
XF_EXIT_LICENSE_NO_LICENSE_SERVER = 17,
XF_EXIT_LICENSE_NO_LICENSE = 18,
XF_EXIT_LICENSE_BAD_CLIENT_MSG = 19,
XF_EXIT_LICENSE_HWID_DOESNT_MATCH = 20,
XF_EXIT_LICENSE_BAD_CLIENT = 21,
XF_EXIT_LICENSE_CANT_FINISH_PROTOCOL = 22,
XF_EXIT_LICENSE_CLIENT_ENDED_PROTOCOL = 23,
XF_EXIT_LICENSE_BAD_CLIENT_ENCRYPTION = 24,
XF_EXIT_LICENSE_CANT_UPGRADE = 25,
XF_EXIT_LICENSE_NO_REMOTE_CONNECTIONS = 26,
/* section 32-127: RDP protocol error set */
XF_EXIT_RDP = 32,
/* section 128-254: xfreerdp specific exit codes */
XF_EXIT_PARSE_ARGUMENTS = 128,
XF_EXIT_MEMORY = 129,
XF_EXIT_PROTOCOL = 130,
XF_EXIT_CONN_FAILED = 131,
XF_EXIT_AUTH_FAILURE = 132,
XF_EXIT_UNKNOWN = 255,
EOF
)

# hostname: from the command line if given, otherwise asked for via zenity
[[ -n "$1" ]] && HOSTNAME="$1"
[[ -z "$1" ]] && HOSTNAME=$(zenity --entry --title="Hostname:" --text="Hostname:")

# username and password are always asked for via zenity
USERNAME=$(zenity --entry --title="Username ($HOSTNAME):" --text="Username ($HOSTNAME):")
PASSWORD=$(zenity --text="Password ($HOSTNAME):" --password --title="Password ($HOSTNAME):")

# note: /p: puts the password on the xfreerdp command line, where other local users can read it via ps
xfreerdp /u:"$USERNAME" /p:"$PASSWORD" /v:"$HOSTNAME" /drive:tmp,/tmp /dynamic-resolution /h:600 /w:1280 /encryption-methods:128,FIPS /network:auto

returnFree="$?"

# on failure, show the exit code together with the list above
[[ $returnFree != "0" ]] && zenity --error --text="Error Code: $returnFree\n$infoCodes"

integrity-check-boot service

  • Quick and dirty, to cover the following case: the notebook is taken without the owner's knowledge, the initramfs is modified to record the boot password, and the notebook is taken a second time
  • On shutdown, hashes of all files in /boot are created; they are verified on boot
  • The verification files live on the encrypted part of the system
  • Script: /usr/local/bin/integ.sh
#!/bin/bash

function usage {
    echo "Usage: $0 [c|v]"
    echo "c...create hashes"
    echo "v...verify hashes"
    exit 0
}

# directory to protect and the files holding the reference hashes;
# both files live on the encrypted part of the system
HASH_DIRECTORY="/boot"
HASH_VERIFICATION_FILE="/usr/local/bin/hashes.sha256"
HASH_COUNT_VERIFICATION_FILE="/usr/local/bin/hashes.sha256.count"

# run on boot (ExecStart): compare every file in /boot against the stored hashes
function verifyDirectoryHashes {
    echo "verify"

    [[ ! -f $HASH_VERIFICATION_FILE ]] && echo "Hashes: $HASH_VERIFICATION_FILE not found" && exit 2
    [[ ! -f $HASH_COUNT_VERIFICATION_FILE ]] && echo "Hashes Count: $HASH_COUNT_VERIFICATION_FILE not found" && exit 2

    date1=$(date -u +"%s")

    # --strict: malformed lines count as failure; --quiet: only report FAILED or missing files
    sha256sum --strict --quiet -c $HASH_VERIFICATION_FILE
    retCode=$?

    date2=$(date -u +"%s")
    diff=$(($date2-$date1))

    # the hash list only catches modified or deleted files; the file count is a
    # rough guard against files that were added after the hashes were created
    amount=$(find $HASH_DIRECTORY -type f | wc -l | cut -d " " -f 1)
    amountStored=$(cat $HASH_COUNT_VERIFICATION_FILE)

    echo "$(($diff / 60)) minutes and $(($diff % 60)) seconds elapsed."
    echo "Hashes verified: $amountStored"
    echo "Files actually found: $amount"
    echo "done"

    [[ $retCode != "0" ]] && echo "Stored files in: $HASH_DIRECTORY do NOT LOOK OK" && zenity --error --text "Stored files in $HASH_DIRECTORY do NOT LOOK OK - ATTENTION"

    [[ $retCode == "0" ]] && echo "Stored files in: $HASH_DIRECTORY look OK" && zenity --info --text "Stored files in: $HASH_DIRECTORY look OK"

    [[ $amount != $amountStored ]] && echo "File Count in: $HASH_DIRECTORY is NOT OK Current Count: $amount , Count previously saved: $amountStored " && zenity --error --text "File Count in: $HASH_DIRECTORY is NOT OK Current Count: $amount , Count previously saved: $amountStored - ATTENTION"

    exit $retCode
}

# run on shutdown (ExecStop): record a fresh hash for every file in /boot
function createDirectoryHashes {
    echo "create hashes"

    echo -n > $HASH_VERIFICATION_FILE

    date1=$(date -u +"%s")

    find $HASH_DIRECTORY -type f -exec sha256sum {} >> $HASH_VERIFICATION_FILE \;

    date2=$(date -u +"%s")
    diff=$(($date2-$date1))

    amount=$(wc -l $HASH_VERIFICATION_FILE | cut -d " " -f 1)
    echo "$(($diff / 60)) minutes and $(($diff % 60)) seconds elapsed."
    echo "Hashes created: $amount"

    echo $amount > $HASH_COUNT_VERIFICATION_FILE

    echo "done"
    exit 0
}

ACTION="$1"

[[ $ACTION != "c" && $ACTION != "v" ]] && echo "Either verify or create" && usage

[[ $ACTION == "c" ]] && createDirectoryHashes

[[ $ACTION == "v" ]] && verifyDirectoryHashes
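integ.sh detects modified and deleted files through `sha256sum -c`, and relies on the stored file count to notice files that were added to /boot; that count does not change when one file is added and another removed. The following added example (not the page's script) closes that gap by comparing the stored manifest with a freshly generated one path by path and naming every deviation as NEW, MODIFIED or MISSING. It works in a temporary directory with constructed files standing in for /boot, so it runs without touching the real boot partition; only coreutils and awk are needed.

```shell
#!/bin/sh
# Added example (not the page's integ.sh): a manifest check that names every
# deviation instead of only reporting a failed hash list plus a file count.
# Uses only find, sort, sha256sum, awk and mktemp.

# create_manifest DIR MANIFEST
# Writes "sha256  path" lines for every regular file below DIR, in byte-sorted
# path order, so two manifests of the same tree are directly comparable.
create_manifest() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum "$f"
    done > "$2"
}

# verify_manifest DIR MANIFEST
# Prints one "STATUS<TAB>path" line (NEW, MODIFIED or MISSING) per deviation and
# returns 1 if there was any; returns 0 and prints nothing when the tree matches.
verify_manifest() {
    current=$(mktemp) || return 2
    create_manifest "$1" "$current"
    report=$(awk '
        # sha256sum line: 64 hex chars, two spaces, then the path (may contain spaces)
        { hash = $1; path = substr($0, 67) }
        FILENAME == ARGV[1] { stored[path] = hash; next }
        {
            if (!(path in stored))         print "NEW\t" path
            else if (stored[path] != hash) print "MODIFIED\t" path
            delete stored[path]
        }
        END { for (p in stored) print "MISSING\t" p }
    ' "$2" "$current")
    rm -f "$current"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# demo_integrity: constructed scenario in a temporary directory (stand-in for /boot).
# Creates a manifest, then modifies one file, deletes one and adds one, so the
# file count stays at 3; prints the report and returns verify_manifest's status.
demo_integrity() {
    work=$(mktemp -d) || return 2
    mkdir -p "$work/boot"
    printf 'kernel v1\n' > "$work/boot/vmlinuz"
    printf 'initrd v1\n' > "$work/boot/initrd.img"
    printf 'grub cfg\n'  > "$work/boot/grub.cfg"
    create_manifest "$work/boot" "$work/hashes.sha256"

    printf 'initrd v1 + extra hook\n' > "$work/boot/initrd.img"   # tampered
    rm "$work/boot/grub.cfg"                                         # removed
    printf 'x\n' > "$work/boot/dropped.bin"                          # added: count unchanged

    if verify_manifest "$work/boot" "$work/hashes.sha256"; then rc=0; else rc=$?; fi
    rm -rf "$work"
    return $rc
}

# stand-alone run: print the report for the constructed scenario
demo_integrity || echo "tree deviates from manifest (exit status $?)"
```

For the real service, `create_manifest /boot "$HASH_VERIFICATION_FILE"` would replace the find/sha256sum loop in createDirectoryHashes and `verify_manifest /boot "$HASH_VERIFICATION_FILE"` the sha256sum -c call; the count file becomes unnecessary. The check still runs only after the encrypted root is mounted, so it tells the owner that the boot files changed, it cannot prevent the modified initramfs from having run first.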
  • Systemd startup:
root@mrChief:/home/urnilxfgbez# cat /lib/systemd/system/integ-boot.service 
[Unit]
Description=integrity boot service

[Service]
Type=oneshot
ExecStart=/usr/local/bin/integ.sh v
ExecStop=/usr/local/bin/integ.sh c
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

root@mrChief:/home/urnilxfgbez# systemctl enable integ-boot
  • Graphical startup:

openwrt/lede

802.11s Mesh Wifi

  • Goal: a high-performance WLAN bridge over 2 GHz and 5 GHz
  • Hardware: TP-Link AC1750 C7 2.0
  • Firmware: OpenWrt 18.06-SNAPSHOT, r7724-6c3ca1d, self-built
root@router1:~# opkg list-installed 
ath10k-firmware-qca4019 - 2018-05-12-952afa49-1
ath10k-firmware-qca6174 - 2018-05-12-952afa49-1
ath10k-firmware-qca9887 - 2018-05-12-952afa49-1
ath10k-firmware-qca9888 - 2018-05-12-952afa49-1
ath10k-firmware-qca988x - 2018-05-12-952afa49-1
ath10k-firmware-qca9984 - 2018-05-12-952afa49-1
ath10k-firmware-qca99x0 - 2018-05-12-952afa49-1
base-files - 194.2-r7724-6c3ca1d
busybox - 1.28.4-3
dnsmasq-full - 2.80-1.4
dropbear - 2017.75-7.1
ethtool - 4.19-1
firewall - 2018-08-13-1c4d5bcd-1
fstools - 2018-12-28-af93f4b8-3
fwtool - 1
hostapd-common - 2018-05-21-62566bc2-5
htop - 2.2.0-1
ip-tiny - 4.16.0-8
ip6tables - 1.6.2-1
iperf - 2.0.12-2
iptables - 1.6.2-1
iw - 4.14-1
iwinfo - 2018-07-31-65b8333f-1
jshn - 2018-07-25-c83a84af-2
jsonfilter - 2018-02-04-c7e938d6-1
kernel - 4.9.164-1-3f5d65b8ac169a2b710fb39d45f1492e
kmod-ath - 4.9.164+2017-11-01-10
kmod-ath10k - 4.9.164+2017-11-01-10
kmod-ath9k - 4.9.164+2017-11-01-10
kmod-ath9k-common - 4.9.164+2017-11-01-10
kmod-cfg80211 - 4.9.164+2017-11-01-10
kmod-gpio-button-hotplug - 4.9.164-2
kmod-hwmon-core - 4.9.164-1
kmod-ip6tables - 4.9.164-1
kmod-ipt-conntrack - 4.9.164-1
kmod-ipt-core - 4.9.164-1
kmod-ipt-ipset - 4.9.164-1
kmod-ipt-nat - 4.9.164-1
kmod-ipt-nat6 - 4.9.164-1
kmod-mac80211 - 4.9.164+2017-11-01-10
kmod-mii - 4.9.164-1
kmod-nf-conntrack - 4.9.164-1
kmod-nf-conntrack-netlink - 4.9.164-1
kmod-nf-conntrack6 - 4.9.164-1
kmod-nf-ipt - 4.9.164-1
kmod-nf-ipt6 - 4.9.164-1
kmod-nf-nat - 4.9.164-1
kmod-nf-nat6 - 4.9.164-1
kmod-nf-reject - 4.9.164-1
kmod-nf-reject6 - 4.9.164-1
kmod-nfnetlink - 4.9.164-1
kmod-nls-base - 4.9.164-1
kmod-tun - 4.9.164-1
kmod-usb-core - 4.9.164-1
kmod-usb-ehci - 4.9.164-1
kmod-usb-ledtrig-usbport - 4.9.164-1
kmod-usb-net - 4.9.164-1
kmod-usb-net-cdc-ether - 4.9.164-1
kmod-usb-ohci - 4.9.164-1
kmod-usb2 - 4.9.164-1
libblobmsg-json - 2018-07-25-c83a84af-2
libc - 1.1.19-1
libgcc - 7.3.0-1
libgmp - 6.1.2-1
libip4tc - 1.6.2-1
libip6tc - 1.6.2-1
libiwinfo - 2018-07-31-65b8333f-1
libiwinfo-lua - 2018-07-31-65b8333f-1
libjson-c - 0.12.1-2
libjson-script - 2018-07-25-c83a84af-2
liblua - 5.1.5-1
liblucihttp - 2018-05-18-cb119ded-1
liblucihttp-lua - 2018-05-18-cb119ded-1
liblzo - 2.10-1
libmnl - 1.0.4-1
libncurses - 6.1-1
libnetfilter-conntrack - 2017-07-25-e8704326-1
libnettle - 3.4-1
libnfnetlink - 1.0.1-1
libnl-tiny - 0.1-5
libopenssl - 1.0.2q-1
libpthread - 1.1.19-1
libubox - 2018-07-25-c83a84af-2
libubus - 2018-10-06-221ce7e7-1
libubus-lua - 2018-10-06-221ce7e7-1
libuci - 2018-08-11-4c8b4d6e-1
libuclient - 2018-11-24-3ba74ebc-1
libxtables - 1.6.2-1
logd - 2018-02-14-128bc35f-2
lua - 5.1.5-1
luci - git-19.079.57770-b99e77d-1
luci-app-firewall - git-19.079.57770-b99e77d-1
luci-base - git-19.079.57770-b99e77d-1
luci-lib-ip - git-19.079.57770-b99e77d-1
luci-lib-jsonc - git-19.079.57770-b99e77d-1
luci-lib-nixio - git-19.079.57770-b99e77d-1
luci-mod-admin-full - git-19.079.57770-b99e77d-1
luci-proto-ipv6 - git-19.079.57770-b99e77d-1
luci-proto-ppp - git-19.079.57770-b99e77d-1
luci-theme-bootstrap - git-19.079.57770-b99e77d-1
mtd - 23
netifd - 2019-01-31-a2aba5c7-2.1
odhcp6c - 2018-07-14-67ae6a71-15
openvpn-openssl - 2.4.5-4.2
openwrt-keyring - 2018-05-18-103a32e9-1
opkg - 2019-01-18-7708a01a-1
procd - 2018-03-28-dfb68f85-1
rpcd - 2018-11-28-3aa81d0d-1
rpcd-mod-rrdns - 20170710
swconfig - 11
terminfo - 6.1-1
uboot-envtools - 2018.03-1
ubox - 2018-02-14-128bc35f-2
ubus - 2018-10-06-221ce7e7-1
ubusd - 2018-10-06-221ce7e7-1
uci - 2018-08-11-4c8b4d6e-1
uclibcxx - 0.2.4-3
uclient-fetch - 2018-11-24-3ba74ebc-1
uhttpd - 2018-11-28-cdfc902a-2
usign - 2015-07-04-ef641914-1
wireless-regdb - 2017-10-20-4343d359
wpad-mesh-openssl - 2018-05-21-62566bc2-5
  • /etc/config/wireless
root@router1:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option country '00'
	option channel '1'
	option hwmode '11g'
	option path 'platform/qca955x_wmac'
	option htmode 'HT40+'
	option disabled '0'

config wifi-device 'radio1'
	option country '00'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'pci0000:01/0000:01:00.0'
	option htmode 'VHT80'
	option disabled '0'

config wifi-iface 'mesh5'
	option device 'radio1'
	option network 'lan'
	option mode 'mesh'
	option mesh_id 'foo5'
	option encryption 'psk2/aes'
	option key 'PSK_MESH_KEY_HERE'

config wifi-iface 'mesh2'
	option device 'radio0'
	option network 'lan'
	option mode 'mesh'
	option mesh_id 'foo2'
	option encryption 'psk2/aes'
	option key 'PSK_MESH_KEY_HERE'

config wifi-iface 'clients'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option encryption 'psk2'
	option key 'PSK_ADDITIONAL_WLAN_HERE'
	option ssid 'SSID_ADDITIONAL_WLAN_HERE'
  • /etc/config/network
root@router1:~# cat /etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.1 eth0.2'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option stp '1'


config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 6t'
  • Performance: iperf Notebook1 (192.168.1.10) ↔ router1 ↔ MESH 2/5 GHz ↔ router2 ↔ Notebook2 (192.168.1.5)
  • ~230 Mbit/s are possible
iperf -c 192.168.1.5 -t 7200 -i 300
------------------------------------------------------------
Client connecting to 192.168.1.5, TCP port 5001
TCP window size: 85.0 KByte (default)
------------------------------------------------------------
[  3] local 192.168.1.10 port 44742 connected with 192.168.1.5 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-300.0 sec  8.39 GBytes   240 Mbits/sec
[  3] 300.0-600.0 sec  8.83 GBytes   253 Mbits/sec
[  3] 600.0-900.0 sec  8.92 GBytes   255 Mbits/sec
[  3] 900.0-1200.0 sec  8.23 GBytes   236 Mbits/sec
[  3] 1200.0-1500.0 sec  8.08 GBytes   231 Mbits/sec
[  3] 1500.0-1800.0 sec  7.96 GBytes   228 Mbits/sec
[  3] 1800.0-2100.0 sec  8.06 GBytes   231 Mbits/sec
[  3] 2100.0-2400.0 sec  8.17 GBytes   234 Mbits/sec
[  3] 2400.0-2700.0 sec  8.76 GBytes   251 Mbits/sec
[  3] 2700.0-3000.0 sec  8.83 GBytes   253 Mbits/sec
[  3] 3000.0-3300.0 sec  8.84 GBytes   253 Mbits/sec
[  3] 3300.0-3600.0 sec  8.78 GBytes   251 Mbits/sec
[  3] 3600.0-3900.0 sec  8.07 GBytes   231 Mbits/sec
  • Reception quality
root@router2:~# iw wlan0 station dump
Station c4:6e:1f:73:4e:dc (on wlan0)
	inactive time:	10 ms
	rx bytes:	198828976381
	rx packets:	127736272
	tx bytes:	5907694319
	tx packets:	53180353
	tx retries:	0
	tx failed:	62
	rx drop misc:	174
	signal:  	-56 [-64, -59, -60] dBm
	signal avg:	-56 [-64, -58, -60] dBm
	Toffset:	18446744073242107607 us
	tx bitrate:	6.0 MBit/s
	rx bitrate:	975.0 MBit/s VHT-MCS 7 80MHz short GI VHT-NSS 3
	rx duration:	2583998012 us
	mesh llid:	0
	mesh plid:	0
	mesh plink:	ESTAB
	mesh local PS mode:	ACTIVE
	mesh peer PS mode:	ACTIVE
	mesh non-peer PS mode:	ACTIVE
	authorized:	yes
	authenticated:	yes
	associated:	yes
	preamble:	long
	WMM/WME:	yes
	MFP:		yes
	TDLS peer:	no
	DTIM period:	2
	beacon interval:100
	connected time:	6145 seconds



root@router1:~# iw wlan0 station dump
Station d4:6e:0e:36:1f:18 (on wlan0)
	inactive time:	0 ms
	rx bytes:	5875172367
	rx packets:	52915454
	tx bytes:	197338102690
	tx packets:	126668449
	tx retries:	0
	tx failed:	52
	rx drop misc:	57340
	signal:  	-61 [-67, -62, -73] dBm
	signal avg:	-60 [-66, -61, -72] dBm
	Toffset:	467444260 us
	tx bitrate:	6.0 MBit/s
	rx bitrate:	585.0 MBit/s VHT-MCS 4 80MHz short GI VHT-NSS 3
	rx duration:	699504416 us
	mesh llid:	0
	mesh plid:	0
	mesh plink:	ESTAB
	mesh local PS mode:	ACTIVE
	mesh peer PS mode:	ACTIVE
	mesh non-peer PS mode:	ACTIVE
	authorized:	yes
	authenticated:	yes
	associated:	yes
	preamble:	long
	WMM/WME:	yes
	MFP:		yes
	TDLS peer:	no
	DTIM period:	2
	beacon interval:100
	connected time:	6101 seconds

Upgrades from older versions

  • TP-Link 841n v8.2 Barrier Breaker r35421 upgrade to OpenWrt 18.06-SNAPSHOT, r7724-6c3ca1d works
  • TP-Link 841n 9.1 CHAOS CALMER (15.05, r46767) upgrade to OpenWrt 18.06-SNAPSHOT, r7724-6c3ca1d works
  • e.g. V8 of the WLAN router:
root@mrMicrobox-1:/tmp# sysupgrade -v openwrt-ar71xx-tiny-tl-wr841-v8-squashfs-sysupgrade.bin
Saving config files...
etc/sysctl.conf
etc/shells
etc/shadow
etc/rc.local
etc/profile
etc/passwd
etc/inittab
etc/hosts
etc/group
etc/dropbear/dropbear_rsa_host_key
etc/dropbear/dropbear_dss_host_key
etc/dropbear/authorized_keys
etc/dnsmasq.conf
etc/config/wireless
etc/config/ubootenv
etc/config/system
etc/config/openvpn
etc/config/network
etc/config/dropbear
etc/config/dhcp
Sending TERM to remaining processes ... dnsmasq openvpn openvpn ntpd syslogd klogd hotplug2 procd ubusd netifd 
Sending KILL to remaining processes ... 
Switching to ramdisk...
Performing system upgrade...
Unlocking firmware ...

Writing from <stdin> to firmware ...     
Appending jffs2 data from /tmp/sysupgrade.tgz to firmware...TRX header not found
Error fixing up TRX header
    
Upgrade completed
Rebooting system...


root@mrMicrobox-1:~# cat /proc/version 
Linux version 4.9.164 (dev@develop-openwrt) (gcc version 7.3.0 (OpenWrt GCC 7.3.0 r7724-6c3ca1d) ) #0 Mon Mar 25 09:51:50 2019

Which branches exist?

master         (last commit 16 hours ago)
openwrt-18.06  (last commit 28 hours ago)
lede-17.01     (last commit 2 weeks ago)

Updating feeds

  • In the root of the build environment
  • ./scripts/feeds update -a / ./scripts/feeds install -a

git / adding sources, selecting a branch

git / updating packages

Quoted from anomeome (post:6, topic:9646):
#!/bin/sh
#
#CDBU=$(date +"%F_%H%M%S")
#BAK="../abu/$CDBU"
#cp .config "$BAK"
# or set aside the config diff after it is generated, whatever
#make clean (dir/dist)
# i tend to the following rather than the previous, YMMV
# rm -rf bin build_dir tmp
#git pull
#./scripts/feeds update -a
#./scripts/feeds install -a
#./scripts/diffconfig.sh > configdiff
#cp configdiff .config
#make defconfig;make oldconfig

Debian 8 to Debian 9 Upgrade

Nagios3 - Icinga

--- /usr/share/pnp4nagios/html/templates.dist/default.php.old	2018-04-03 14:32:42.698461380 +0200
+++ /usr/share/pnp4nagios/html/templates.dist/default.php	2018-04-03 14:33:40.851404388 +0200
@@ -47,7 +47,7 @@
 		$crit_min = $VAL['CRIT_MIN'];
 	}
 	if ( $VAL['MIN'] != "" && is_numeric($VAL['MIN']) ) {
-		$lower = " --lower=" . $VAL['MIN'];
+		$lower = " --lower-limit=" . $VAL['MIN'];
 		$minimum = $VAL['MIN'];
 	}
 	if ( $VAL['MAX'] != "" && is_numeric($VAL['MAX']) ) {
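Review bot: the file edited in this hunk is under templates.dist/, the directory of shipped templates, so the change is lost the next time the pnp4nagios package is reinstalled or upgraded; carry the fix as a copy of default.php in the sibling templates/ directory instead, which pnp4nagios consults before templates.dist/.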
@@ -56,7 +56,7 @@
 	if ($VAL['UNIT'] == "%%") {
 		$vlabel = "%";
 		$upper = " --upper=101 ";
-		$lower = " --lower=0 ";
+		$lower = " --lower-limit=0 ";
 	}
 	else {
$vlabel = $VAL['UNIT'];
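Review bot: the "%%" branch in this hunk still passes the abbreviated `--upper=101` while `--lower` is spelled out as `--lower-limit`; if the abbreviated `--lower` was what the newer rrdtool rejected, `--upper` is the same kind of abbreviation (the full rrdtool option is `--upper-limit`) and should be checked against the same rrdtool in this hunk. Also, the final context line `$vlabel = $VAL['UNIT'];` has lost its leading space, so the hunk will not apply with patch as pasted.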

Ubuntu 14.04 to Ubuntu 16.04 Upgrade

OpenVPN bug, systemd?

  • If OpenVPN does not start via service openvpn start, or the OpenVPN processes are not visible via pgrep, or syslog reports that the openvpn service cannot be started:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819919

Simply comment out, in the file

 /lib/systemd/system/openvpn@.service

the entry

LimitNPROC=1

then reload systemd and, if necessary, reboot to check whether openvpn comes up.

Nagios3 - Icinga

  • pnp4nagios was removed
  • Attention: php5 was removed - libapache2-mod-php installs php7.0 - check whether PHP is active after the upgrade
  • nagios3 was removed
  • Alternative without major syntax changes: "icinga", not "icinga2"
apt-get install icinga
  • Move the existing configurations from /etc/nagios3/conf.d to /etc/icinga/objects
  • Install & compile pnp4nagios manually
  wget "https://sourceforge.net/projects/pnp4nagios/files/PNP-0.6/pnp4nagios-0.6.26.tar.gz/download"
  mv download pnp4nagios-0.6.26.tar.gz
  gunzip pnp4nagios-0.6.26.tar.gz
  mkdir pnp4nagios-manual-install
  tar -xvf pnp4nagios-0.6.26.tar -C pnp4nagios-manual-install/
  ./configure --with-nagios-user=nagios --with-nagios-group=nagios --with-httpd-conf=/etc/apache2/conf-enabled
  make all
  make install
  make install-webconf
  make install-config
  make install-init
  update-rc.d npcd defaults
  service npcd start
  service npcd status
  vim /etc/apache2/conf-enabled/pnp4nagios.conf -> adjust the path to **/etc/icinga/htpasswd.users**
  apt-get install php-xml php-gd rrdtool
  Adjust /usr/local/pnp4nagios/etc/config_local.php
  Adjust /etc/icinga/icinga.cfg - performance data
  Adjust the templates under /etc/icinga/objects/ - the action URLs, so that a link to pnp4nagios is built
  Test pnp4nagios at e.g. http://localhost/pnp4nagios -> the install file can then be deleted once everything is green
  Restart icinga / Apache2
7 - Modify config_local.php for Icinga

vi /usr/local/pnp4nagios/etc/config_local.php

edit row: $conf['nagios_base'] = "/nagios/cgi-bin";

replace with: $conf['nagios_base'] = "/icinga/cgi-bin";

8 - Enable Icinga performance data

vi /etc/icinga/icinga.cfg

edit row: process_performance_data=0

replace with: process_performance_data=1

Add the following entries at the bottom of /etc/icinga/icinga.cfg to
set up the performance data settings

#
# service performance data
#
service_perfdata_file=/usr/local/pnp4nagios/var/service-perfdata
service_perfdata_file_template=DATATYPE::SERVICEPERFDATA\tTIMET::$TIMET$\tHOSTNAME::$HOSTNAME$\tSERVICEDESC::$SERVICEDESC$\tSERVICEPERFDATA::$SERVICEPERFDATA$\tSERVICECHECKCOMMAND::$SERVICECHECKCOMMAND$\tHOSTSTATE::$HOSTSTATE$\tHOSTSTATETYPE::$HOSTSTATETYPE$\tSERVICESTATE::$SERVICESTATE$\tSERVICESTATETYPE::$SERVICESTATETYPE$
service_perfdata_file_mode=a
service_perfdata_file_processing_interval=15
service_perfdata_file_processing_command=process-service-perfdata-file

#
#
#
host_perfdata_file=/usr/local/pnp4nagios/var/host-perfdata
host_perfdata_file_template=DATATYPE::HOSTPERFDATA\tTIMET::$TIMET$\tHOSTNAME::$HOSTNAME$\tHOSTPERFDATA::$HOSTPERFDATA$\tHOSTCHECKCOMMAND::$HOSTCHECKCOMMAND$\tHOSTSTATE::$HOSTSTATE$\tHOSTSTATETYPE::$HOSTSTATETYPE$
host_perfdata_file_mode=a
host_perfdata_file_processing_interval=15
host_perfdata_file_processing_command=process-host-perfdata-file

9 - Add process performance commands

(Steps 9 to 11 come from a Naemon guide and keep its /etc/naemon/conf.d paths; on this Icinga install the same definitions go into the command and template files under /etc/icinga/objects/.)

vi /etc/naemon/conf.d/commands.cfg

Add the following entries at the bottom of /etc/naemon/conf.d/commands.cfg

define command{
       command_name    process-service-perfdata-file
       command_line    /bin/mv /usr/local/pnp4nagios/var/service-perfdata /usr/local/pnp4nagios/var/spool/service-perfdata.$TIMET$
}

define command{
       command_name    process-host-perfdata-file
       command_line    /bin/mv /usr/local/pnp4nagios/var/host-perfdata /usr/local/pnp4nagios/var/spool/host-perfdata.$TIMET$
}

10 - Add host performance template

vi /etc/naemon/conf.d/templates/hosts.cfg

Add the following entries at the bottom of /etc/naemon/conf.d/templates/hosts.cfg

define host {
   name host-pnp
   process_perf_data 1
   action_url /pnp4nagios/index.php/graph?host=$HOSTNAME$&srv=_HOST_' class='tips' rel='/pnp4nagios/index.php/popup?host=$HOSTNAME$&srv=_HOST_
   register 0
}

11 - Add service performance template

vi /etc/naemon/conf.d/templates/services.cfg

Add the following entries at the bottom of /etc/naemon/conf.d/templates/services.cfg

define service {
   name service-pnp
   process_perf_data 1
   action_url /pnp4nagios/index.php/graph?host=$HOSTNAME$&srv=$SERVICEDESC$' class='tips' rel='/pnp4nagios/index.php/popup?host=$HOSTNAME$&srv=$SERVICEDESC$
   register 0
}
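As an added example, not code from the page, from Icinga or from pnp4nagios, here is a small parser for the perfdata lines that steps 8 to 11 make Icinga write: TAB-separated KEY::VALUE fields, with SERVICEPERFDATA carrying the plugin's own label=value[UOM];warn;crit;min;max metrics that npcd/pnp4nagios turn into RRD graphs. It is what you reach for when graphs stay empty and you need to see whether the spool files contain what the template promises. The sample line is constructed; field names follow the service_perfdata_file_template above.

```shell
#!/bin/sh
# Added example, not part of the page or of pnp4nagios: parse the perfdata
# lines produced by the service_perfdata_file_template above.

# perfdata_field KEY: print the value of KEY from template-formatted lines
# (TAB-separated KEY::VALUE pairs) read on stdin.
perfdata_field() {
    awk -F '\t' -v key="$1" '{
        for (i = 1; i <= NF; i++) {
            sep = index($i, "::")
            if (sep && substr($i, 1, sep - 1) == key) print substr($i, sep + 2)
        }
    }'
}

# perfdata_metrics: split a plugin perfdata string read on stdin into one
# metric per line: label value uom warn crit min max ("-" where absent).
# Limitation: quoted labels that contain spaces are not handled.
perfdata_metrics() {
    awk -v q="'" '{
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue           # not a label=value token
            label = substr($i, 1, eq - 1)
            gsub(q, "", label)              # strip the optional quotes
            n = split(substr($i, eq + 1), f, ";")
            # the value is a number followed by an optional unit (s, %, B, c ...)
            if (match(f[1], /^-?[0-9]+(\.[0-9]+)?/)) {
                value = substr(f[1], 1, RLENGTH)
                uom = substr(f[1], RLENGTH + 1)
            } else {
                value = f[1]; uom = ""
            }
            out = label " " value " " (uom == "" ? "-" : uom)
            for (k = 2; k <= 5; k++)
                out = out " " ((k <= n && f[k] != "") ? f[k] : "-")
            print out
        }
    }'
}

# Constructed sample in the service_perfdata_file_template format above
# (TIMET, host and check names are made up).
SAMPLE_LINE=$(printf 'DATATYPE::SERVICEPERFDATA\tTIMET::1554285161\tHOSTNAME::webserver\tSERVICEDESC::HTTP\tSERVICEPERFDATA::time=0.012s;1;2;0 size=1234B\tSERVICECHECKCOMMAND::check_http\tHOSTSTATE::UP\tHOSTSTATETYPE::HARD\tSERVICESTATE::OK\tSERVICESTATETYPE::HARD')

# demo_field KEY: look a field up in the sample line.
demo_field() {
    printf '%s\n' "$SAMPLE_LINE" | perfdata_field "$1"
}

# demo_metrics: the sample line's plugin metrics, one per line.
demo_metrics() {
    printf '%s\n' "$SAMPLE_LINE" | perfdata_field SERVICEPERFDATA | perfdata_metrics
}

# Live use against a spool file written by process-service-perfdata-file:
#   perfdata_field SERVICEPERFDATA < /usr/local/pnp4nagios/var/spool/service-perfdata.1554285161 | perfdata_metrics
```

A line that yields no SERVICEPERFDATA value at all means the plugin printed no perfdata (nothing for pnp4nagios to graph); a line whose metrics come out with "-" in the value column has a label whose value is not numeric, which pnp4nagios will also skip.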

Ubuntu 14.04 to Ubuntu 18.04 Upgrade

Bring back the ntp daemon / no systemd NTP wanted

  • Apparently a "FEATURE" since 16.04
systemctl disable systemd-timesyncd.service
systemctl enable ntp.service
service ntp start
ntpq -p    # or run ntpq and enter "peers" at the prompt

Major upgrades

  • Use Ubuntu's do-release-upgrade tool!
  • A manual upgrade as on Debian, by editing the sources, caused chaos in the Ubuntu system

ipsec eap-radius backend no longer works

  • Caution: apt-get install libcharon-extra-plugins must be installed
  • The status of the old package, strongswan-plugin-eap-radius, is "deinstall"

Disable the systemd resolver

  • dnsmasq is running on my system
https://askubuntu.com/questions/907246/how-to-disable-systemd-resolved-in-ubuntu

Caution! Be aware that disabling systemd-resolvd might break name resolution in VPN for some users. See this bug on launchpad (Thanks, Vincent).

Disable the systemd-resolved service and stop it:

sudo systemctl disable systemd-resolved.service
sudo service systemd-resolved stop

Put the following line in the [main] section of your /etc/NetworkManager/NetworkManager.conf:

dns=default

Delete the symlink /etc/resolv.conf

rm /etc/resolv.conf

Restart network-manager

sudo service network-manager restart

syslog-ng

  • Remove line 58 ("Some 'catch-all' logfiles.") - vim /etc/syslog-ng/syslog-ng.conf +58

php

  • PHP5 is obsolete
  • apt-get install libapache2-mod-php → installs PHP7.2

netstat is gone

  • apt-get install net-tools

Network interfaces

  • Keep the classic eth0/eth1 names: net.ifnames=0 on the kernel command line in /etc/default/grub disables the predictable interface names; run update-grub afterwards
...

GRUB_CMDLINE_LINUX="net.ifnames=0"
...

rc.local gone

root@arbitrator:~# systemctl status rc-local
● rc-local.service - /etc/rc.local Compatibility
   Loaded: loaded (/lib/systemd/system/rc-local.service; enabled-runtime; vendor preset: enabled)
  Drop-In: /lib/systemd/system/rc-local.service.d
           └─debian.conf
   Active: failed (Result: exit-code) since Mon 2018-06-11 16:53:47 CEST; 1min 53s ago
     Docs: man:systemd-rc-local-generator(8)
  Process: 1182 ExecStart=/etc/rc.local start (code=exited, status=203/EXEC)

Jun 11 16:53:46 arbitrator systemd[1]: Starting /etc/rc.local Compatibility...
Jun 11 16:53:47 arbitrator systemd[1182]: rc-local.service: Failed to execute command: Exec format error
Jun 11 16:53:47 arbitrator systemd[1182]: rc-local.service: Failed at step EXEC spawning /etc/rc.local: Exec format error
Jun 11 16:53:47 arbitrator systemd[1]: rc-local.service: Control process exited, code=exited status=203
Jun 11 16:53:47 arbitrator systemd[1]: rc-local.service: Failed with result 'exit-code'.
Jun 11 16:53:47 arbitrator systemd[1]: Failed to start /etc/rc.local Compatibility.
  • /etc/rc.local still works in Ubuntu 18.04, when
    1) it exists
    2) is executable
    3) Starts with a valid shell e.g. #!/bin/bash

Notification mail after login via SSH

root@firewall:~# cat /etc/ssh/sshrc
ip=$(echo "$SSH_CONNECTION" | cut -d " " -f 1)
date=$(date)
echo "User $USER just logged in at $date from $ip" | mail  -s "SSH Login Firewall" MAIL_ADRESSE_RECIPIENT

  • Caution: per sshd(8), /etc/ssh/sshrc is only run when the user has no ~/.ssh/rc, so a user can silence the notification by creating that file. Set PermitUserRC no in sshd_config (or no-user-rc in authorized_keys) to keep the system-wide sshrc authoritative, or hook the notification into PAM (a session line with pam_exec.so in /etc/pam.d/sshd), which the user cannot bypass
  • sshrc runs for every session, including scp/sftp and forwarding-only connections, so expect one mail per connection
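The PAM variant, as an added example that is not from the original page: the same message built from the variables pam_exec exports, so it fires whether or not the user has a ~/.ssh/rc. The recipient address is an assumption; the message text mirrors the sshrc above.

```shell
#!/bin/sh
# Added example (not from the original page): send the login notification from
# PAM instead of /etc/ssh/sshrc, so a user's ~/.ssh/rc cannot suppress it.
# Install as /usr/local/sbin/ssh-login-notify.sh (root-owned, 0755) and add
# to /etc/pam.d/sshd:
#   session optional pam_exec.so seteuid /usr/local/sbin/ssh-login-notify.sh
# pam_exec exports PAM_TYPE, PAM_USER, PAM_RHOST and PAM_SERVICE to the script.
RECIPIENT="${RECIPIENT:-security@firma.intern}"   # assumption: adjust

# should_notify: only the session open event is interesting; pam_exec also
# calls the script for close_session.
should_notify() {
    [ "${PAM_TYPE:-}" = "open_session" ]
}

# build_notice [TIMESTAMP] [HOST]: compose the message from the PAM variables.
# Timestamp and host are parameters so the function can be checked offline;
# the defaults are the current time and this machine.
build_notice() {
    ts="${1:-$(date '+%Y-%m-%d %H:%M:%S %Z')}"
    host="${2:-$(hostname)}"
    # PAM_RHOST is the client address as sshd saw it; fall back to
    # SSH_CONNECTION (only set when run from sshrc) and finally to "unknown".
    rhost="${PAM_RHOST:-${SSH_CONNECTION%% *}}"
    printf 'User %s just logged in at %s on %s from %s (service %s)\n' \
        "${PAM_USER:-unknown}" "$ts" "$host" "${rhost:-unknown}" "${PAM_SERVICE:-unknown}"
}

# send_notice: deliver by mail. A delivery failure is logged, never fatal,
# so a broken MTA cannot block logins (the PAM line is "optional" as well).
send_notice() {
    build_notice | mail -s "SSH login on $(hostname)" "$RECIPIENT" \
        || logger -t ssh-login-notify "mail to $RECIPIENT failed"
}

if should_notify; then
    send_notice
fi
```

Because the script runs from the sshd session stack it also covers logins that never reach a shell (sftp-only accounts, forced commands), and with `seteuid` it runs with the privileges of the user logging in, which is all it needs.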

XRDP remote desktop server with Kerberos in AD - terminalserver

  • In an Active Directory environment we want an open source remote desktop server on which all members of the domain can log in with their usual credentials
  • Users should be able to reach a Linux XFCE desktop from their Windows machines with the native Remote Desktop client (mstsc.exe), to make the step into the open source world easy
  • Logged-in users should automatically get the proxy settings that fit the infrastructure, and they must not be able to shut down, reboot or suspend the server

Domain: firma.intern

  Target server: terminalserver.firma.intern / Debian stretch + xfce4 desktop + xrdp 

Target server requirements

  • Caution
    • During the Debian installation the graphical desktop (xfce) was selected directly in the installer
  • Required packages
apt-get install krb5-user krb5-config msktutil xrdp sssd-ad sssd-ad-common sssd-common sssd-krb5 sssd-krb5-common
  • Infrastructure requirements
    • Forward and reverse lookup are configured on the AD or DNS server, e.g. terminalserver.firma.intern → 192.168.0.11 and 192.168.0.11 → terminalserver.firma.intern
    • Forward and reverse lookup also work on the target server, i.e. the right DNS servers are entered in /etc/resolv.conf
    • Time is synchronised, e.g. with the AD server, using openntpd or ntp; the clock may not differ from the AD server by more than 5 minutes, otherwise Kerberos rejects the tickets

Join the target server to AD with msktutil

  • Kerberos configuration
root@terminalserver:/# cat /etc/krb5.conf 
[libdefaults]
	default_realm = FIRMA.INTERN

# The following krb5.conf variables are only for MIT Kerberos.
	kdc_timesync = 1
	ccache_type = 4
	forwardable = true
	proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#	default_tgs_enctypes = des3-hmac-sha1
#	default_tkt_enctypes = des3-hmac-sha1
#	permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
	fcc-mit-ticketflags = true

[realms]
        FIRMA.INTERN = {
		kdc = dc.firma.intern
                admin_server = dc.firma.intern
		default_domain = firma.intern
	}

[domain_realm]
	.firma.intern = FIRMA.INTERN
         firma.intern = FIRMA.INTERN
  • Obtain a Kerberos ticket
root@terminalserver:/# kinit Administrator
Password for Administrator@FIRMA.INTERN: 
root@terminalserver:/# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@FIRMA.INTERN

Valid starting       Expires              Service principal
06/18/2019 09:46:16  06/18/2019 19:46:16  krbtgt/FIRMA.INTERN@FIRMA.INTERN
	renew until 06/19/2019 09:46:11
  • Create the Kerberos keytab for the terminal server (AUTH/ is the SPN chosen here; msktutil adds host/terminalserver.firma.intern as well, which is what SSSD uses; --computer-name terminal is the sAMAccountName of the computer object)
root@terminalserver:/# msktutil  -c -b "CN=COMPUTERS" -s AUTH/terminalserver.firma.intern -h terminalserver.firma.intern -k /etc/krb5.keytab --computer-name terminal --upn AUTH/terminalserver.firma.intern --server dc.firma.intern --verbose
  • Keytab location for SSSD; root-only (0600) is enough, sssd_be runs as root
root@terminalserver:/# ls -al /etc/krb5.keytab 
-rw------- 1 root root 2156 Jun 12 11:50 /etc/krb5.keytab
  • Refresh the account secret automatically (AD rotates computer account passwords every 30 days by default; --auto-update renews the password and the keytab when due)
root@terminalserver:/etc/sssd# cat /etc/cron.d/msktutil 
00 00     * * * root   /usr/sbin/msktutil --auto-update -k /etc/krb5.keytab --computer-name terminal | logger -t "msktutil"

Configure user mapping with SSSD-AD

  • The following SSSD packages are installed:
  • FIXME find out whether all of them are needed
root@terminalserver:/etc/sssd#  dpkg --get-selections | grep -i sssd
sssd						install
sssd-ad						install
sssd-ad-common					install
sssd-common					install
sssd-dbus					install
sssd-ipa					install
sssd-krb5					install
sssd-krb5-common				install
sssd-ldap					install
sssd-proxy					install
sssd-tools					install
  • After the installation the daemon cannot start because it has not been configured yet; the configuration used:
root@terminalserver:/etc/sssd# cat sssd.conf
# Configuration for the System Security Services Daemon (SSSD)
[sssd]

# Syntax of the config file; always 2
config_file_version = 2

# Services that are started when sssd starts
services = nss, pam

# List of domains in the order they will be queried
domains = firma.intern

# Configuration for the AD domain
[domain/firma.intern]

# Use the Active Directory Provider
id_provider = ad

# Use Active Directory for access control
access_provider = ad

# Turn off sudo support in sssd - we're doing it directly in /etc/sudoers.d/
# and leaving this enabled results in spurious emails being sent to root
sudo_provider = none

# UNIX and Windows use different mechanisms to identify groups and users.
# UNIX uses integers for both; the challenge is to generate these consistently
# across all machines from the objectSID.
#
# Active Directory provides an objectSID for every user and group object in
# the directory. This objectSID can be broken up into components that represent
# the Active Directory domain identity and the relative identifier (RID) of the
# user or group object.
#
# The SSSD ID-mapping algorithm takes a range of available UIDs and divides it into
# equally-sized component sections - called "slices"-. Each slice represents
# the space available to an Active Directory domain.
#
# The default configuration results in configuring 10,000 slices, each capable
# of holding up to 200,000 IDs, starting from 10,001 and going up to
# 2,000,100,000. This should be sufficient for most deployments.
ldap_id_mapping = true

# Define some defaults for accounts that are not already on this box.
# We appear to need these settings as well as the PAM configuration.
fallback_homedir = /home/%u
default_shell = /bin/bash
skel_dir = /etc/skel


ad_gpo_map_interactive = +xrdp-sesman
  • Check that the daemon is running:
root@terminalserver:/etc/sssd# systemctl restart sssd
root@terminalserver:/etc/sssd# systemctl status sssd
● sssd.service - System Security Services Daemon
   Loaded: loaded (/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2019-06-18 09:51:05 CEST; 11s ago
 Main PID: 4022 (sssd)
    Tasks: 4 (limit: 9830)
   CGroup: /system.slice/sssd.service
           ├─4022 /usr/sbin/sssd -i -f
           ├─4023 /usr/lib/x86_64-linux-gnu/sssd/sssd_be --domain firma.intern --uid 0 --gid 0 --debug-to-files
           ├─4024 /usr/lib/x86_64-linux-gnu/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
           └─4025 /usr/lib/x86_64-linux-gnu/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files

Jun 18 09:51:05 terminalserver systemd[1]: Starting System Security Services Daemon...
Jun 18 09:51:05 terminalserver sssd[4022]: Starting up
Jun 18 09:51:05 terminalserver sssd[be[4023]: Starting up
Jun 18 09:51:05 terminalserver sssd[4024]: Starting up
Jun 18 09:51:05 terminalserver sssd[4025]: Starting up
Jun 18 09:51:05 terminalserver systemd[1]: Started System Security Services Daemon
  • Create home directories automatically at first login
root@terminalserver:/# cat /usr/share/pam-configs/active-directory-homes
Name: Guestline AD user home management
Default: yes
Priority: 127

Session-Type: Additional
Session-Interactive-Only: yes
Session:
        required pam_mkhomedir.so skel=/etc/skel/ umask=0077
        
root@terminalserver:/#  /usr/sbin/pam-auth-update --package     

Remote desktop server with xrdp

  • Configuration for the RDP server (shown without comment lines). Both files were left at LogLevel=DEBUG while troubleshooting; lower it to INFO once the setup works. The 0.9.x xrdp.ini from backports also knows an ssl_protocols key (e.g. ssl_protocols=TLSv1.2, TLSv1.3) to pin the TLS versions; check the sample xrdp.ini of the installed version
root@terminalserver:/# grep -v ^[\;] /etc/xrdp/xrdp.ini 
[Globals]
ini_version=1

fork=true
port=3389
tcp_nodelay=true
tcp_keepalive=true
#tcp_send_buffer_bytes=32768
#tcp_recv_buffer_bytes=32768

security_layer=tls

crypt_level=high

certificate=/etc/xrdp/terminalserver.firma.intern.crt
key_file=/etc/xrdp/terminalserver.firma.intern.key


disableSSLv3=true
tls_ciphers=HIGH

autorun=

allow_channels=true
allow_multimon=true
bitmap_cache=true
bitmap_compression=true
bulk_compression=true
#hidelogwindow=true
max_bpp=32
new_cursors=true
use_fastpath=both
#require_credentials=true
#pamerrortxt=change your password according to policy at http://url

blue=009cb5
grey=dedede
#black=000000
#dark_grey=808080
#blue=08246b
#dark_blue=08246b
#white=ffffff
#red=ff0000
#green=00ff00
#background=626c72


ls_title=terminalserver.firma.intern

ls_top_window_bg_color=009cb5

ls_width=350
ls_height=430

ls_bg_color=dedede

#ls_background_image=

ls_logo_filename=
ls_logo_x_pos=55
ls_logo_y_pos=50

ls_label_x_pos=30
ls_label_width=60

ls_input_x_pos=110
ls_input_width=210

ls_input_y_pos=220

ls_btn_ok_x_pos=142
ls_btn_ok_y_pos=370
ls_btn_ok_width=85
ls_btn_ok_height=30

ls_btn_cancel_x_pos=237
ls_btn_cancel_y_pos=370
ls_btn_cancel_width=85
ls_btn_cancel_height=30

[Logging]
LogFile=xrdp.log
LogLevel=DEBUG
EnableSyslog=true
SyslogLevel=DEBUG

[Channels]
rdpdr=true
rdpsnd=true
drdynvc=true
cliprdr=true
rail=true
xrdpvr=true
tcutils=true

#port=/var/run/xrdp/sockdir/xrdp_display_10

#chansrvport=/var/run/xrdp/sockdir/xrdp_chansrv_socket_7210



[Xorg]
name=Linux
lib=libxup.so
username=ask
password=ask
ip=127.0.0.1
port=-1
code=20


#channel.rdpdr=true
#channel.rdpsnd=true
#channel.drdynvc=true
#channel.cliprdr=true
#channel.rail=true
#channel.xrdpvr=true
root@terminalserver:/# grep -v ^[\;] /etc/xrdp/sesman.ini 
[Globals]
ListenAddress=127.0.0.1
ListenPort=3350
EnableUserWindowManager=true
UserWindowManager=startwm.sh
DefaultWindowManager=startwm.sh

[Security]
AllowRootLogin=false
MaxLoginRetry=4
TerminalServerUsers=tsusers
TerminalServerAdmins=tsadmins
AlwaysGroupCheck=false

[Sessions]
X11DisplayOffset=10

MaxSessions=50

KillDisconnected=false

IdleTimeLimit=0

DisconnectedTimeLimit=0

Policy=Default

[Logging]
LogFile=xrdp-sesman.log
LogLevel=DEBUG
EnableSyslog=1
SyslogLevel=DEBUG

[Xorg]
param=Xorg
param=-config
param=xrdp/xorg.conf
param=-noreset
param=-nolisten
param=tcp

[Xvnc]
param=Xvnc
param=-bs
param=-nolisten
param=tcp
param=-localhost
param=-dpi
param=96

[Chansrv]
FuseMountName=thinclient_drives

[SessionVariables]
PULSE_SCRIPT=/etc/xrdp/pulse/default.pa
  • Xorg server adjustments: allowed_users=anybody is needed so that xrdp sessions, which have no console seat, may start Xorg through the setuid wrapper
root@terminalserver:/# cat /etc/X11/Xwrapper.config
# Xwrapper.config (Debian X Window System server wrapper configuration file)
#
# This file was generated by the post-installation script of the
# xserver-xorg-legacy package using values from the debconf database.
#
# See the Xwrapper.config(5) manual page for more information.
#
# This file is automatically updated on upgrades of the xserver-xorg-legacy
# package *only* if it has not been modified since the last upgrade of that
# package.
#
# If you have edited this file but would like it to be automatically updated
# again, run the following command as root:
#   dpkg-reconfigure xserver-xorg-legacy
#allowed_users=console
allowed_users=anybody
  • Caution: permissions for certificate and key file. The key must be readable only by root and the xrdp group (root:xrdp, 0640); the execute bits shown here are not needed (chmod 644 for the certificate, 640 for the key)
root@terminalserver:/# ls -al /etc/xrdp/terminalserver.firma.intern*
-rwxr--r-- 1 root root 2602 Jun 12 17:01 /etc/xrdp/terminalserver.firma.intern.crt
-rwxr----- 1 root xrdp 3272 Jun 12 17:01 /etc/xrdp/terminalserver.firma.intern.key

Additional system adjustments

Assign proxy settings

  • Variant 1 - by the current user, without editing the Firefox settings
  • Check whether a system proxy has been set:
christian.czeczil@terminalserver:~$ gsettings get org.gnome.system.proxy mode
'none'
  • Set the system proxy via the CLI:
christian.czeczil@terminalserver:~$ gsettings set org.gnome.system.proxy mode 'manual'
christian.czeczil@terminalserver:~$ gsettings set org.gnome.system.proxy.http host 'firewall.firma.intern'
christian.czeczil@terminalserver:~$ gsettings set org.gnome.system.proxy.http port 8080
  • Variant 2 - the settings are applied to every new user:
root@terminalserver:~#  apt-get install dconf-cli

root@terminalserver:~#  mkdir -p /etc/dconf/db/site.d
root@terminalserver:~#  mkdir /etc/dconf/profile

root@terminalserver:/# cat /etc/dconf/db/site.d/00_proxy 
[system/proxy]
mode='manual'
[system/proxy/http]
host='firewall.firma.intern'
port=8080
enabled=true

root@terminalserver:/# cat /etc/dconf/profile/user 
user-db:user
system-db:site


root@terminalserver:~#  dconf update

root@terminalserver:~# dconf dump /

[system/proxy/http]
host='firewall.firma.intern'
port=8080
enabled=true

[system/proxy]
mode='manual'

Mount the home directory from the Windows server

  • Install the pam module and keyutils
apt-get install libpam-mount keyutils
  • /etc/security/pam_mount.conf.xml
    • In this example the users' home directories are on FILESERVER, each as a hidden share named username$. sec=krb5 reuses the session's Kerberos ticket (no password is stored), seal encrypts the SMB traffic, and cruid=%(USERUID) selects the logged-in user's credential cache
  <!-- Example using CIFS -->
    <volume
        fstype="cifs"
        server="FILESERVER"
        path="%(USER)$"
        mountpoint="~/Documents"
        options="sec=krb5,seal,vers=3.0,cruid=%(USERUID)"
       />
  • /etc/pam.d/common-session
root@terminalserver:/etc/pam.d# cat common-session
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session	[default=1]			pam_permit.so
# here's the fallback if no module succeeds
session	requisite			pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session	required			pam_permit.so
# and here are more per-package modules (the "Additional" block)
session	required	pam_unix.so 
session	optional			pam_sss.so 
session	required pam_mkhomedir.so skel=/etc/skel/ umask=0077
session	optional	pam_mount.so
session	optional	pam_systemd.so 
# end of pam-auth-update config

Disable hibernate/reboot/shutdown for users

  • .pkla files are read by the polkit 0.105 shipped in Debian up to bullseye; newer polkit versions use JavaScript rules under /etc/polkit-1/rules.d instead

root@terminalserver:/# cat /etc/polkit-1/localauthority/50-local.d/disable-shutdown.pkla
[Disable shutdown/whatever]
Identity=unix-user:*
Action=org.freedesktop.consolekit.system.stop;org.freedesktop.consolekit.system.restart;org.freedesktop.upower.suspend;org.freedesktop.upower.hibernate
ResultAny=no
ResultInactive=no
ResultActive=no
root@terminalserver:/# cat /etc/polkit-1/localauthority/50-local.d/restrict-login-powermgmt.pkla 
[Disable lightdm PowerMgmt]
Identity=unix-user:*
Action=org.freedesktop.login1.reboot;org.freedesktop.login1.reboot-multiple-sessions;org.freedesktop.login1.power-off;org.freedesktop.login1.power-off-multiple-sessions;org.freedesktop.login1.suspend;org.freedesktop.login1.suspend-multiple-sessions;org.freedesktop.login1.hibernate;org.freedesktop.login1.hibernate-multiple-sessions
ResultAny=no
ResultInactive=no
ResultActive=no

Bug - black screen

  • Under certain conditions (the user was already logged in and logs in again after some time) the "screen" stays black
  • Change the maximum BPP
    • /etc/xrdp/xrdp.ini → max_bpp=16
  • Adjust power management?

  • The XRDP server was installed from the backports for stretch

SSO - Apache with Kerberos + Dokuwiki

  • In an Active Directory environment we want SSO for Dokuwiki
  • Certain groups should be allowed to edit entries or be superusers, other groups should only get read access
  • On the clients, Integrated Windows Authentication must be enabled in the "Internet Options" settings (the default)
  • If SSO does not work there is a fallback to Basic authentication, in which the user is prompted for username and password. Caution: this sends the domain password to the web server, so the vhost must be SSL/TLS only
  • Domain: firma.intern
  • Target server: webserver.firma.intern / Debian stretch minimal

Target server requirements

  • Required packages (mod_auth_kerb is no longer maintained upstream; libapache2-mod-auth-gssapi is its successor and the package to use on newer releases)
apt-get install krb5-user krb5-config libapache2-mod-auth-kerb msktutil
  • Infrastructure requirements
    • Forward and reverse lookup are configured on the AD or DNS server, e.g. webserver.firma.intern → 192.168.0.20 and 192.168.0.20 → webserver.firma.intern
    • Forward and reverse lookup also work on the target server, i.e. the right DNS servers are entered in /etc/resolv.conf
    • Time is synchronised, e.g. with the AD server, using openntpd or ntp; the clock may not differ from the AD server by more than 5 minutes

Join the target server to AD / Kerberos

  • First configure Kerberos and obtain a ticket as the Administrator user (kinit Administrator@FIRMA.INTERN) or as a user who has the right to add a device (FIXME)
  • Then add the server to Active Directory with msktutil; it appears on the AD server as a computer object under the "COMPUTERS" container
  • Kerberos configuration
cat /etc/krb5.conf
[logging]
  default = FILE:/var/log/krb5.log


[libdefaults]
	default_realm = FIRMA.INTERN

# The following krb5.conf variables are only for MIT Kerberos.
	krb4_config = /etc/krb.conf
	krb4_realms = /etc/krb.realms
	kdc_timesync = 1
	ccache_type = 4
	forwardable = true
	proxiable = true


[realms]

         FIRMA.INTERN = {
		kdc = adserver.firma.intern
                admin_server = adserver.firma.intern
		default_domain = firma.intern
         }


[domain_realm]
 .firma.intern = FIRMA.INTERN
 firma.intern = FIRMA.INTERN

root@webserver:~# kinit Administrator@FIRMA.INTERN
Password for Administrator@FIRMA.INTERN: 
root@webserver:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@FIRMA.INTERN

Valid starting     Expires            Service principal
03/04/19 10:54:48  03/04/19 20:54:48  krbtgt/FIRMA.INTERN@FIRMA.INTERN
	renew until 04/04/19 10:54:43
root@webserver:~# msktutil  -c -b "CN=COMPUTERS" -s HTTP/webserver.FIRMA.INTERN -h webserver.FIRMA.INTERN -k /etc/apache2/HTTP.keytab --computer-name web-http --upn HTTP/webserver.FIRMA.INTERN --server adserver.FIRMA.INTERN --verbose
 -- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the computer account
 -- generate_new_password:  Characters read from /dev/urandom = 85
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-AZ8Cv8
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: web-http$
 -- try_machine_keytab_princ: Trying to authenticate for web-http$ from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for WEB-HTTP$ from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for host/webserver.FIRMA.INTERN from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_password: Trying to authenticate for web-http$ with password.
 -- create_default_machine_password: Default machine password for web-http$ is web-http
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_password: Authentication with password failed
 -- try_user_creds: Checking if default ticket cache has tickets...
 -- finalize_exec: Authenticated using method 5
 -- LDAPConnection: Connecting to LDAP server: adserver.FIRMA.INTERN
SASL/GSSAPI authentication started
SASL username: Administrator@FIRMA.INTERN
SASL SSF: 56
SASL data security layer installed.
 -- ldap_get_base_dn: Determining default LDAP base: dc=FIRMA,dc=INTERN
 -- ldap_check_account: Checking that a computer account for web-http$ exists
 -- ldap_create_account: Computer account not found, create the account
No computer account for web-http found, creating a new one.
 -- ldap_check_account_strings: Inspecting (and updating) computer account attributes
 -- ldap_check_account_strings: Found userPrincipalName = 
 -- ldap_check_account_strings: userPrincipalName should be HTTP/webserver.FIRMA.INTERN@FIRMA.INTERN
 -- ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x200000 to 0x0
 -- ldap_set_userAccountControl_flag: userAccountControl not changed 0x1000
 -- ldap_get_kvno: KVNO is 1
 -- ldap_add_principal: Checking that adding principal HTTP/webserver.FIRMA.INTERN to web-http$ won't cause a conflict
 -- ldap_add_principal: Adding principal HTTP/webserver.FIRMA.INTERN to LDAP entry
 -- ldap_add_principal: Checking that adding principal host/webserver.FIRMA.INTERN to web-http$ won't cause a conflict
 -- ldap_add_principal: Adding principal host/webserver.FIRMA.INTERN to LDAP entry
 -- execute: Updating all entries for webserver.FIRMA.INTERN in the keytab WRFILE:/etc/apache2/HTTP.keytab
 -- update_keytab: Updating all entries for web-http$
 -- add_principal_keytab: Adding principal to keytab: web-http$
 -- add_principal_keytab:     Using salt of FIRMA.INTERNhostweb-http.FIRMA.INTERN
 -- add_principal_keytab:   Adding entry of enctype 0x17
 -- add_principal_keytab:     Using salt of FIRMA.INTERNhostweb-http.FIRMA.INTERN
 -- add_principal_keytab:   Adding entry of enctype 0x11
 -- add_principal_keytab:     Using salt of FIRMA.INTERNhostweb-http.FIRMA.INTERN
 -- add_principal_keytab:   Adding entry of enctype 0x12
 -- add_principal_keytab: Adding principal to keytab: WEB-HTTP$
 -- add_principal_keytab: Removing entries with kvno < 0
 -- add_principal_keytab:     Using salt of FIRMA.INTERNhostweb-http.FIRMA.INTERN
 -- add_principal_keytab:   Adding entry of enctype 0x17
 -- add_principal_keytab:     Using salt of FIRMA.INTERNhostweb-http.FIRMA.INTERN
 -- add_principal_keytab:   Adding entry of enctype 0x11
 -- add_principal_keytab:     Using salt of FIRMA.INTERNhostweb-http.FIRMA.INTERN
 -- add_principal_keytab:   Adding entry of enctype 0x12
 -- add_principal_keytab: Adding principal to keytab: HTTP/webserver.FIRMA.INTERN
 -- add_principal_keytab: Removing entries with kvno < 0
 -- add_principal_keytab:     Using salt of FIRMA.INTERNhostweb-http.FIRMA.INTERN
 -- add_principal_keytab:   Adding entry of enctype 0x17
 -- add_principal_keytab:     Using salt of FIRMA.INTERNhostweb-http.FIRMA.INTERN
 -- add_principal_keytab:   Adding entry of enctype 0x11
 -- add_principal_keytab:     Using salt of FIRMA.INTERNhostweb-http.FIRMA.INTERN
 -- add_principal_keytab:   Adding entry of enctype 0x12
 -- add_principal_keytab: Adding principal to keytab: host/web-http
 -- add_principal_keytab: Removing entries with kvno < 0
 -- add_principal_keytab:     Using salt of FIRMA.INTERNhostweb-http.FIRMA.INTERN
 -- add_principal_keytab:   Adding entry of enctype 0x17
 -- add_principal_keytab:     Using salt of FIRMA.INTERNhostweb-http.FIRMA.INTERN
 -- add_principal_keytab:   Adding entry of enctype 0x11
 -- add_principal_keytab:     Using salt of FIRMA.INTERNhostweb-http.FIRMA.INTERN
 -- add_principal_keytab:   Adding entry of enctype 0x12
 -- update_keytab: Entries for SPN HTTP/webserver.FIRMA.INTERN have already been added. Skipping ...
 -- add_principal_keytab: Adding principal to keytab: host/webserver.FIRMA.INTERN
 -- add_principal_keytab: Removing entries with kvno < 0
 -- add_principal_keytab:     Using salt of FIRMA.INTERNhostweb-http.FIRMA.INTERN
 -- add_principal_keytab:   Adding entry of enctype 0x17
 -- add_principal_keytab:     Using salt of FIRMA.INTERNhostweb-http.FIRMA.INTERN
 -- add_principal_keytab:   Adding entry of enctype 0x11
 -- add_principal_keytab:     Using salt of FIRMA.INTERNhostweb-http.FIRMA.INTERN
 -- add_principal_keytab:   Adding entry of enctype 0x12
 -- ~KRB5Context: Destroying Kerberos Context
  • Add a cron job so that the keytab is kept current (by default every "computer" in Windows AD must change its "password" every 30 days). Note in the msktutil output above that besides the AES keys (enctype 0x11/0x12) it also writes RC4 keys (0x17, arcfour-hmac) into the keytab; if the domain allows it, restrict the account to AES with --enctypes 0x18 when creating or updating it
root@webserver:/etc/cron.d# cat msktutil 
00 00     * * * root   /usr/sbin/msktutil --auto-update -k /etc/apache2/keytab/HTTP.keytab --computer-name web-http | logger -t "msktutil"
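An added check for both keytabs on this page (the terminal server's /etc/krb5.keytab above and the web server's HTTP.keytab here); it is not code from the page or from msktutil. It filters klist -ke output for the RC4/DES enctypes the msktutil log shows being written, so that a keytab can be audited after every --auto-update run. The sample listing is constructed to match the principals in that log.

```shell
#!/bin/sh
# Added example (not from the original page or from msktutil): audit a keytab
# for weak encryption types. The msktutil log above writes enctype 0x17
# (arcfour-hmac, RC4) next to 0x11/0x12 (AES); this lists such entries so the
# account can be limited to AES with msktutil --enctypes 0x18.
# Works for /etc/krb5.keytab (sssd) and /etc/apache2/keytab/HTTP.keytab alike.

# weak_keytab_entries: read `klist -ke` output on stdin and print
# "KVNO principal enctype" for every RC4/DES/3DES key.
weak_keytab_entries() {
    awk '
        # entry lines start with a numeric KVNO; the principal is the 2nd
        # column and the enctype the last one, in parentheses
        $1 ~ /^[0-9]+$/ {
            enctype = $NF
            gsub(/[()]/, "", enctype)
            if (enctype ~ /^(arcfour|des)/) print $1, $2, enctype
        }'
}

# audit_keytab FILE: return 1 (and list the offenders on stderr) if FILE
# contains weak keys, 0 otherwise. Needs klist from krb5-user.
audit_keytab() {
    weak=$(klist -ke "$1" | weak_keytab_entries)
    if [ -n "$weak" ]; then
        printf '%s: weak enctypes present:\n%s\n' "$1" "$weak" >&2
        return 1
    fi
    return 0
}

# Constructed sample listing mirroring the keytab built by the msktutil run
# above (one RC4 and one or two AES keys per principal).
SAMPLE_KLIST='Keytab name: FILE:/etc/apache2/keytab/HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HTTP/webserver.FIRMA.INTERN@FIRMA.INTERN (arcfour-hmac)
   1 HTTP/webserver.FIRMA.INTERN@FIRMA.INTERN (aes128-cts-hmac-sha1-96)
   1 HTTP/webserver.FIRMA.INTERN@FIRMA.INTERN (aes256-cts-hmac-sha1-96)
   1 host/webserver.FIRMA.INTERN@FIRMA.INTERN (arcfour-hmac)
   1 host/webserver.FIRMA.INTERN@FIRMA.INTERN (aes256-cts-hmac-sha1-96)'

# demo_weak_entries: run the filter over the constructed sample.
demo_weak_entries() {
    printf '%s\n' "$SAMPLE_KLIST" | weak_keytab_entries
}

# Live use: ./keytab-audit.sh /etc/apache2/keytab/HTTP.keytab
if [ -n "${1:-}" ]; then
    audit_keytab "$1"
fi
```

Run it as the keytab owner (www-data for HTTP.keytab, root for /etc/krb5.keytab) since the files are deliberately unreadable for anyone else; an exit status of 1 from the cron job after an --auto-update run is the signal that the account still has RC4 enabled on the AD side.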

Configure the Apache2 keytab - directory ACLs

  • The keytab was copied to /etc/apache2/keytab; it is owned by www-data and readable by nobody else (it holds the machine account's keys, so treat it like a password)
root@webserver:/etc/apache2/keytab# ls -al
total 12
dr-x------  2 www-data root 4096 Apr  3 10:56 .
drwxr-xr-x 10 root     root 4096 Apr  3 11:06 ..
-r--------  1 www-data root 1192 Apr  3 10:54 HTTP.keytab
  • Apache2 example configuration for the vhost. Order/allow are Apache 2.2 directives that only work on the 2.4 in stretch because mod_access_compat is enabled; KrbMethodK5Passwd On is the Basic-auth fallback, so this Directory must only be served over TLS
...
        <Directory /var/www/howto.firma.intern>
        AllowOverride all
        # Apache 2.2 style host access control; on Apache 2.4 these two lines
        # need mod_access_compat, the 2.4 equivalent is "Require all granted"
        Order allow,deny
        allow from all

        AuthType Kerberos
        AuthName "Firmenlogin zB: vorname.nachname"
        KrbAuthRealm FIRMA.INTERN
        Krb5Keytab /etc/apache2/keytab/HTTP.keytab
        # Fallback for clients without a ticket: the browser sends the AD
        # password as HTTP Basic auth and mod_auth_kerb verifies it against
        # the KDC. Only acceptable on an HTTPS vhost; set to Off for
        # Negotiate-only logins.
        KrbMethodK5Passwd On
        Require valid-user
        </Directory>


...
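An added check for the keytab setup above, not part of the original page: it verifies the owner-only permissions shown in the ls listing and inspects the enctypes and key version numbers that msktutil wrote, using klist -kte output. The klist output embedded below is a constructed sample in MIT klist format (timestamps made up); the function names and the owner www-data are assumptions for this example.

```bash
#!/usr/bin/env bash
# Added example (not from the page): audit the Apache HTTP keytab.
# Needs GNU/busybox stat (-c); live use additionally needs MIT Kerberos klist.

# 0 when the keytab belongs to $2 and is readable by nobody else (0400/0600).
# Whoever can read the keytab holds the service's long-term key and can both
# impersonate HTTP/webserver.FIRMA.INTERN and decrypt its service tickets.
keytab_perms_ok() {
    local path="$1" owner="$2" mode user
    mode=$(stat -c '%a' "$path" 2>/dev/null) || return 1
    user=$(stat -c '%U' "$path" 2>/dev/null) || return 1
    [ "$user" = "$owner" ] || return 1
    case "$mode" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# Number of RC4-HMAC entries (enctype 0x17, printed by klist as arcfour-hmac)
# in `klist -kte` output read from stdin. msktutil added 0x17 alongside the
# AES types in the log above; if the AD computer object is restricted to AES
# these entries should disappear after the next --auto-update run.
count_rc4_entries() {
    awk 'BEGIN { n = 0 } /\((arcfour|rc4)-hmac/ { n++ } END { print n }'
}

# Highest key version number in `klist -kte` output (stdin). After the cron
# job rotated the computer password this must equal the kvno in AD, otherwise
# every incoming service ticket fails to decrypt.
max_kvno() {
    awk 'BEGIN { m = 0 } $1 ~ /^[0-9]+$/ && $1 + 0 > m { m = $1 + 0 } END { print m }'
}

# Constructed sample of `klist -kte /etc/apache2/keytab/HTTP.keytab` output
# (principals as in the msktutil log above; timestamps are made up).
SAMPLE_KLIST='Keytab name: FILE:/etc/apache2/keytab/HTTP.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 04/03/2019 10:54:12 HTTP/webserver.FIRMA.INTERN@FIRMA.INTERN (arcfour-hmac)
   2 04/03/2019 10:54:12 HTTP/webserver.FIRMA.INTERN@FIRMA.INTERN (aes128-cts-hmac-sha1-96)
   2 04/03/2019 10:54:12 HTTP/webserver.FIRMA.INTERN@FIRMA.INTERN (aes256-cts-hmac-sha1-96)
   3 04/03/2019 10:54:12 host/webserver.FIRMA.INTERN@FIRMA.INTERN (arcfour-hmac)
   3 04/03/2019 10:54:12 host/webserver.FIRMA.INTERN@FIRMA.INTERN (aes128-cts-hmac-sha1-96)
   3 04/03/2019 10:54:12 host/webserver.FIRMA.INTERN@FIRMA.INTERN (aes256-cts-hmac-sha1-96)'

# Live use:
#   keytab_perms_ok /etc/apache2/keytab/HTTP.keytab www-data || echo "keytab readable by others" >&2
#   klist -kte /etc/apache2/keytab/HTTP.keytab | count_rc4_entries
#   klist -kte /etc/apache2/keytab/HTTP.keytab | max_kvno
```

Run the three checks from the msktutil cron job (after --auto-update) so a permission slip or a kvno mismatch is logged the same day it happens, not when the first user cannot log in.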

Configure DokuWiki

  • The authad plugin is used
  • A user account for DokuWiki has to be created so that group membership can be looked up; an account with standard rights (plain domain user) is sufficient, and nothing more should be granted because its password is stored in clear text in the config below
  • Superuser is whoever is a member of e.g. the group "Dokuadmins" or "admin"
  • The DokuWiki installation lives under /var/www/howto.firma.intern/, which is the DocumentRoot of the vhost; inside the company it is reachable at https://howto.firma.intern
root@webserver:/var/www/howto.firma.intern/conf# cat local.php
<?php
/*
 * Dokuwiki's Main Configuration File - Local Settings
 * Auto-generated by config plugin
 * Run for user: christian.czeczil
 * Date: Wed, 03 Apr 2019 12:52:41 +0200
 */

$conf['authtype'] = 'authad';
$conf['superuser'] = '@admin,@Dokuadmins';
$conf['disableactions'] = 'register';
$conf['plugin']['authad']['account_suffix'] = '@firma.intern';
$conf['plugin']['authad']['base_dn'] = 'DC=firma,DC=intern';
$conf['plugin']['authad']['domain_controllers'] = 'adserver.firma.intern';

  • local.protected.php → settings in this file cannot be changed via the config plugin. It holds the bind account's clear-text password, so keep it readable by the webserver user only (the conf/ directory must not be served by Apache)
root@webserver:/var/www/howto.firma.intern/conf# cat local.protected.php 
<?php
$conf['plugin']['authad']['sso'] = 1;

$conf['plugin']['authad']['admin_username'] = 'DOKUWIKI_USER';
$conf['plugin']['authad']['admin_password'] = 'DOKUWIKI_PASSWORT';
//
//
?>
  • All users may read the DokuWiki in general. Note that the @ALL line also grants read access to unauthenticated users at the DokuWiki level; with SSO this is only fine because Apache's Require valid-user rejects every request without a valid Kerberos login before DokuWiki is reached
root@webserver:/var/www/howto.firma.intern/conf# cat acl.auth.php
# acl.auth.php
# <?php exit()?>
# Don't modify the lines above
#
# Access Control Lists
#
# Auto-generated by install script
# Date: Wed, 03 Apr 2019 10:01:09 +0000
*	@ALL	1
*	@user	1

unattended-upgrades

  • On Debian jessie/stretch, installing security upgrades automatically only needs:
apt-get install unattended-upgrades
  • Note: it is run from a cron job, but can also be started manually with unattended-upgrade, or with -d for debug output
  • On Linux Mint Sarah 18 and Linux Mint 19 the distribution is not detected automatically for the updates: ${distro_id}:${distro_codename} expands to the Mint name, while the security packages come from the Ubuntu origins, so those have to be listed explicitly
  • On a workstation with the Google Chrome repository, e.g. on Linux Mint Sarah 18
  • /etc/apt/apt.conf.d/50unattended-upgrades:
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}-security";
        "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
        "Google LLC:stable";
        "Ubuntu:xenial-security";
        "Ubuntu:xenial-updates";
        "Ubuntu:xenial-partner";
};
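Added helper, not from the page: instead of guessing the Allowed-Origins strings, derive them from what apt itself reports in apt-cache policy (the "o=" and "a=" fields of each release line are exactly the Origin:Archive pair unattended-upgrades matches). The apt-cache policy output embedded below is a constructed sample for a Mint 18 workstation with the Chrome repository; the function name is an assumption.

```bash
#!/usr/bin/env bash
# Added example (not from the page): list the Allowed-Origins entries that
# actually exist on this machine. On Linux Mint the default pattern
# "${distro_id}:${distro_codename}-security" expands to LinuxMint:sarah-security,
# which no repository carries, so no security upgrade would ever be installed.

# Read `apt-cache policy` output on stdin and print one
#   "Origin:Archive";
# line per distinct release, ready to paste into Allowed-Origins.
apt_origins() {
    awk '
        /^[ \t]*release / {
            sub(/^[ \t]*release /, "")
            o = ""; a = ""
            n = split($0, f, ",")
            for (i = 1; i <= n; i++) {
                if (f[i] ~ /^o=/) o = substr(f[i], 3)
                if (f[i] ~ /^a=/) a = substr(f[i], 3)
            }
            if (o != "" && a != "") print "\"" o ":" a "\";"
        }' | sort -u
}

# Constructed sample of `apt-cache policy` output (the real output is longer;
# two xenial-updates components are included to show the de-duplication).
SAMPLE_POLICY=' 500 http://dl.google.com/linux/chrome/deb stable/main amd64 Packages
     release v=1.0,o=Google LLC,a=stable,n=stable,l=Google,c=main,b=amd64
     origin dl.google.com
 500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
     release v=16.04,o=Ubuntu,a=xenial-updates,n=xenial,l=Ubuntu,c=main,b=amd64
     origin archive.ubuntu.com
 500 http://archive.ubuntu.com/ubuntu xenial-updates/universe amd64 Packages
     release v=16.04,o=Ubuntu,a=xenial-updates,n=xenial,l=Ubuntu,c=universe,b=amd64
     origin archive.ubuntu.com
 500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
     release v=16.04,o=Ubuntu,a=xenial-security,n=xenial,l=Ubuntu,c=main,b=amd64
     origin security.ubuntu.com
 500 http://packages.linuxmint.com sarah/main amd64 Packages
     release v=18,o=linuxmint,a=sarah,n=sarah,l=linuxmint,c=main,b=amd64
     origin packages.linuxmint.com'

# Live use:   apt-cache policy | apt_origins
sample_origins() { printf '%s\n' "$SAMPLE_POLICY" | apt_origins; }
```

Only copy the origins you actually want upgraded automatically into the config; the sample also lists the Mint base archive, which the page deliberately leaves out of Allowed-Origins.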

SQUID logging - mit goaccess fancy logs

  • Done on Debian stretch
  • I want the logs for a longer period - one report per month plus the current one
  • Because of the GDPR, as few persistent logs as sensible are kept, e.g. 7 days
  • goaccess is installed from the goaccess repository, because the goaccess in the official Debian repos does not support a persistent database

CRON - configuration

  • The logs are rotated daily
  • Each month gets one summary file in the format YYYYMM.html
  • Current statistics are in the index.html file; the files are placed under /var/www/stats, configure the webserver accordingly (the reports contain client addresses and visited URLs, so do not serve them without access control)
  • /etc/cron.d/goaccess
SHELL=/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games

45 8	1 * *	root	cp /var/www/stats/fancy/index.html /var/www/stats/$(date +\%Y\%m --date "now -1 days").html && rm /var/lib/goaccess/*.tcb

45 7	* * * root  ( [[ $(date +\%d) == "02" ]] && zcat /var/log/squid/combined.log.1.gz | goaccess - --keep-db-files --config-file /etc/goaccess/goaccess.conf > /var/www/stats/index.html ) || ( zcat /var/log/squid/combined.log.1.gz | goaccess - --keep-db-files --load-from-disk --config-file /etc/goaccess/goaccess.conf > /var/www/stats/index.html )

LOGROTATE - configuration

  • /etc/logrotate.d/squid
/var/log/squid/*.log
{
        rotate 7
        daily
        missingok
        notifempty
        compress
        sharedscripts
        postrotate
                invoke-rc.d syslog-ng reload > /dev/null
        endscript
}

SYSLOG-NG - configuration

  • /etc/syslog-ng/syslog-ng.conf
...
filter f_squid_combined { program("squid") and facility("local7"); };
destination d_squid_combined { file("/var/log/squid/combined.log" template("${MESSAGE}\n")); };
log { source(s_src); filter(f_squid_combined); destination(d_squid_combined); flags(final);};
....

SQUID - configuration

  • /etc/squid/squid.conf
...
access_log syslog:local7.info  combined
..

GOACCESS - configuration

  • /etc/apt/sources.list.d/goaccess.list
deb http://deb.goaccess.io/ stretch main
  • Add the key to the trusted repo keys (apt-key is deprecated on current Debian releases; put the key into /etc/apt/trusted.gpg.d/ or use a signed-by keyring instead, so it only signs this one repository)
wget -O - https://deb.goaccess.io/gnugpg.key | sudo apt-key add -
  • Update the repos and install goaccess with persistence support
apt-get update && apt-get install goaccess-tcb
  • Example configuration: /etc/goaccess/goaccess.conf
time-format %H:%M:%S


date-format %d/%b/%Y

log-format %h %^[%d:%t %^] "%r" %s %b "%R" "%u"

log-format COMBINED

config-dialog false

hl-header true


html-prefs {"theme":"bright","perPage":10,"layout":"vertical","showTables":true,"visitors":{"plot":{"chartType":"bar"}}}


json-pretty-print false

no-color false

no-column-names false

no-csv-summary false

no-progress false

no-tab-scroll false

with-mouse true

agent-list false

with-output-resolver false


http-method yes

http-protocol yes


no-query-string false

no-term-resolver false

444-as-404 false

4xx-to-unique-count false

accumulated-time true

all-static-files false


double-decode false


ignore-crawlers false

crawlers-only false


ignore-panel KEYPHRASES
ignore-panel GEO_LOCATION

real-os true

static-file .css
static-file .js
static-file .jpg
static-file .png
static-file .gif
static-file .ico
static-file .jpeg
static-file .pdf
static-file .csv
static-file .mpeg
static-file .mpg
static-file .swf
static-file .woff
static-file .woff2
static-file .xls
static-file .xlsx
static-file .doc
static-file .docx
static-file .ppt
static-file .pptx
static-file .txt
static-file .zip
static-file .ogg
static-file .mp3
static-file .mp4
static-file .exe
static-file .iso
static-file .gz
static-file .rar
static-file .svg
static-file .bmp
static-file .tar
static-file .tgz
static-file .tiff
static-file .tif
static-file .ttf
static-file .flv

db-path /var/lib/goaccess
  • Persistent location for the database: /var/lib/goaccess
 mkdir /var/lib/goaccess
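Added filter, not from the page: the 7-day retention above limits how long the raw logs exist, but the goaccess database in /var/lib/goaccess and the monthly YYYYMM.html reports are kept far longer. Pseudonymising the client address before the rotated log is piped into goaccess keeps full client IPs out of those persistent files (newer goaccess releases also have an --anonymize-ip option). The two log lines below are constructed samples in Squid's combined format; the function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the page): strip client identity from the Squid
# combined log before it reaches the persistent goaccess database.
# Pipeline for the cron job:
#   zcat /var/log/squid/combined.log.1.gz | anonymize_clients | goaccess - ...

# Zero the last octet of an IPv4 client address (first field of the combined
# format) and cut an IPv6 address down to its first three groups. Only the
# first field is rewritten, the rest of the line is kept byte for byte so the
# COMBINED parser in goaccess still matches.
anonymize_clients() {
    awk '
        {
            ip = $1
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                sub(/\.[0-9]+$/, ".0", ip)
            } else if (ip ~ /:/) {
                n = split(ip, h, ":")
                if (n >= 4 && h[1] != "") ip = h[1] ":" h[2] ":" h[3] "::"
            }
            sub(/^[^ ]+/, ip)
            print
        }'
}

# Constructed sample lines (Squid combined format incl. the trailing
# squid status fields), not taken from a real proxy.
SAMPLE_LOG='10.0.23.42 - - [03/Apr/2019:10:54:12 +0200] "GET http://example.com/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)" TCP_MISS:HIER_DIRECT
2001:db8:1:2:aaaa:bbbb:cccc:dddd - - [03/Apr/2019:10:54:13 +0200] "CONNECT example.org:443 HTTP/1.1" 200 0 "-" "curl/7.64.0" TCP_TUNNEL:HIER_DIRECT'

anonymize_sample() { printf '%s\n' "$SAMPLE_LOG" | anonymize_clients; }
```

The user name field (second field, "-" with an unauthenticated proxy) would need the same treatment on a proxy that authenticates users.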

Build/configure SQUID - with SSL intercept support

  • Done on an RPI3 with Debian stretch (Raspbian) / partly on Kali Linux

Build SQUID

  • A build environment is needed
  • e.g. on a Kali Linux box (unfortunately no shell history from the rpi3)
  • SQUID 3.1.x
apt-get update
apt-get install openssl
apt-get install devscripts build-essential libssl-dev
apt-get source squid3
apt-get build-dep squid3
cd squid3-3.1.14
vi debian/rules
-> apply the changes to debian/rules (add the SSL configure options)
debuild -us -uc
  • SQUID 3.5
Note:
NOTE: Squid-3.5 requires --with-openssl instead of --enable-ssl, and --enable-ssl-crtd


Now with debian stretch i see libssl1.0-dev and libssl1.1 in the tree.
I can still use libssl1.0-dev to build squid with ssl support?
Even when debian stretch installs openssl 1.1.0?

On stretch Squid-3 builds with libssl1.0-dev and Squid-4 builds with
libssl-dev. 

Create the CA and initialise the directory

  • Initialise the CA directory; take care to pick the right directories. The one-liner below writes the CA private key and the certificate into the same myCA.pem, so that file must stay readable by the Squid user only, and clients get only the certificate part
  • e.g.:
 
openssl req -new -newkey rsa:2048 -sha256 -days 3650 -nodes -x509 -extensions v3_ca -keyout myCA.pem -out myCA.pem
openssl x509 -in myCA.pem -text -noout
/usr/lib/squid/ssl_crtd -c -s certs/
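Added script, not from the page: it produces the same CA as the openssl one-liner above, but keeps the private key in a separate owner-only file and builds the combined myCA.pem that Squid's cert= option expects from it, then checks the result before Squid is pointed at it. Directory, subject and function names are assumptions; openssl must be installed.

```bash
#!/usr/bin/env bash
# Added example (not from the page): create the SSL-bump CA with the private
# key in a separate, owner-only file and verify the result before Squid uses it.
# The page's one-liner writes key and certificate into the same myCA.pem; that
# file is what cert= points at, so it must never be the file handed to clients.

# Generate a 10-year self-signed CA into $1 (subject $2, hypothetical default).
make_bump_ca() {
    local dir="$1" subj="${2:-/CN=Squid SSL-bump CA}"
    mkdir -p "$dir" || return 1
    (
        umask 077      # key and combined pem are created 0600
        openssl req -new -newkey rsa:2048 -sha256 -days 3650 -nodes -x509 \
            -extensions v3_ca -subj "$subj" \
            -keyout "$dir/myCA.key" -out "$dir/myCA.crt" >/dev/null 2>&1 || exit 1
        # Squid's cert= wants key+cert in one file, as on this page
        cat "$dir/myCA.key" "$dir/myCA.crt" > "$dir/myCA.pem"
    ) || return 1
    chmod 0644 "$dir/myCA.crt"     # only the certificate goes to the clients
}

# 0 if the PEM file carries a CA certificate (basicConstraints CA:TRUE).
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# 0 if the file is readable by its owner only (0400 or 0600).
is_owner_only() {
    case "$(stat -c '%a' "$1" 2>/dev/null)" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# Usage (paths as in the squid.conf further down):
#   make_bump_ca /etc/squid/ssl
#   is_ca_cert /etc/squid/ssl/myCA.crt && is_owner_only /etc/squid/ssl/myCA.pem
#   chown proxy /etc/squid/ssl/myCA.pem      # Squid runs as "proxy" on Debian
#   /usr/lib/squid/ssl_crtd -c -s /etc/squid/ssl/certs
```

Distribute myCA.crt (never myCA.pem) to the clients that should trust the proxy; anyone holding the key in myCA.pem can mint certificates for any host name those clients visit.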

Configure SQUID

  • SQUID 3.5:
  • e.g.:
acl lan src 10.0.23.0/24
# Caution: server_name_regex entries are unanchored regexes and "." matches
# any character, so "google.com" also matches google.com.example.org or
# googleXcom. For plain host names use ssl::server_name with dstdomain-style
# entries (e.g. .google.com) instead.
acl ssl_targets ssl::server_name_regex -i google.at google.com www.google.at www.google.com pannoniait.at
#http_access allow  lan ssl_targets
http_access allow lan
http_access deny all
#http_port 3128 intercept ssl-bump
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/myCA.pem

sslcrtd_program /usr/lib/squid/ssl_crtd -s /etc/squid/ssl/certs -M 4MB

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# step1: peek at the ClientHello to learn the SNI; step2: close the
# connection for every name not on the list; listed names are spliced
# (tunnelled without decryption). Nothing is actually bumped with these
# rules, so no generated certificate is ever presented to a client.
ssl_bump peek step1  all
ssl_bump splice  step3 ssl_targets
ssl_bump terminate step2 !ssl_targets

coredump_dir /var/spool/squid
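Added demonstration, not from the page: why ssl::server_name_regex -i google.com is not the same as "the host google.com". The first function mimics Squid's regex ACL with grep -E -i over the regexes from the squid.conf above; the second mimics an ssl::server_name ACL with dstdomain-style entries (".google.com" = google.com and all its subdomains). The lists, SNI values and function names are constructed for this example.

```bash
#!/usr/bin/env bash
# Added example (not from the page): regex ACL vs. domain ACL for SNI matching.

# The regex list from the squid.conf above, used unanchored and case-insensitive.
SSL_TARGET_REGEXES='google.at google.com www.google.at www.google.com pannoniait.at'

# 0 if any regex matches somewhere in the SNI $1 (Squid's server_name_regex).
sni_matches_regex() {
    local sni="$1" re
    for re in $SSL_TARGET_REGEXES; do
        printf '%s\n' "$sni" | grep -Eiq -- "$re" && return 0
    done
    return 1
}

# dstdomain-style list: exact names, or ".domain" covering the domain and
# every subdomain (what ssl::server_name does with the same syntax).
SSL_TARGET_DOMAINS='.google.at .google.com pannoniait.at'

# 0 if the SNI $1 is one of the listed names or below a ".domain" entry.
sni_matches_domain() {
    local sni="$1" d
    sni=$(printf '%s' "$sni" | tr 'A-Z' 'a-z')
    for d in $SSL_TARGET_DOMAINS; do
        case "$d" in
            .*) [ "$sni" = "${d#.}" ] && return 0
                case "$sni" in *"$d") return 0 ;; esac ;;
            *)  [ "$sni" = "$d" ] && return 0 ;;
        esac
    done
    return 1
}

# Examples (also checked by the accompanying tests):
#   sni_matches_regex  google.com.evil.example   -> 0 (spliced through the proxy!)
#   sni_matches_domain google.com.evil.example   -> 1 (terminated at step2)
#   sni_matches_regex  googleXcom                -> 0 ("." matches any character)
#   sni_matches_domain accounts.google.com       -> 0 (covered by .google.com)
```

With the regex list, the terminate rule can be bypassed by any attacker-controlled name that merely contains one of the strings; with the domain list only the intended hosts and their subdomains are spliced.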

Adjust the firewall

  • iptables test configuration (it can also be tested locally by redirecting in the OUTPUT chain):
iptables -t nat -F
# Squid's own outgoing connections (user "proxy") must not be redirected back
# into Squid, otherwise the local test loops forever
iptables -t nat -A OUTPUT  -m owner --uid proxy -j RETURN
# local test: this host's own HTTPS traffic goes into the intercept port
iptables -t nat -A OUTPUT -p tcp --dport  443 -j REDIRECT --to 3129
# LAN clients routed through this box
iptables -t nat -A PREROUTING -p tcp --syn --dport 443 -j REDIRECT --to 3129
iptables -t nat -A POSTROUTING -j MASQUERADE

cifs mounts hang in the GUI (e.g. thunar)

  • System: Kali Linux / Linux Mint
  • Several cifs shares are mounted under /mnt
  • As soon as they are accessed from the graphical UI, e.g. thunar in XFCE, everything hangs / the desktop icons disappear
  • Change AutoMount=true to AutoMount=false → reboot
root@mrWhiteGhost:/home/urnilxfgbez# cat /usr/share/gvfs/mounts/trash.mount
[Mount]
Type=trash
Exec=/usr/lib/gvfs/gvfsd-trash
AutoMount=false

gphotos-sync - install via pip3

  • Tested on Debian Buster
  • Installed on "mrCloud" for the user "cloud-urnilxfgbez" with home directory "/mnt/storage/urnilxfgbez"
  • Installation (note: the pip3 URL below fetches the unpinned master branch of the GitHub project; for a reproducible, reviewable install pin a release tag or commit instead):
root@mrCloud:~# apt-get install python3-setuptools
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  dh-python libfile-copy-recursive-perl libgmime-2.6-0 libicu57 libnotmuch4 libperl5.24 libpython3.5-minimal
  libpython3.5-stdlib linux-image-4.9.0-4-amd64 python3.5 python3.5-minimal sgml-base tcpd update-inetd xml-core
Use 'apt autoremove' to remove them.
The following additional packages will be installed:
  python3-pkg-resources
Suggested packages:
  python-setuptools-doc
The following NEW packages will be installed:
  python3-pkg-resources python3-setuptools
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 458 kB of archives.
After this operation, 1,900 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://ftp.at.debian.org/debian buster/main amd64 python3-pkg-resources all 40.8.0-1 [153 kB]
Get:2 http://ftp.at.debian.org/debian buster/main amd64 python3-setuptools all 40.8.0-1 [306 kB]
Fetched 458 kB in 2s (268 kB/s)         
Selecting previously unselected package python3-pkg-resources.
(Reading database ... 39986 files and directories currently installed.)
Preparing to unpack .../python3-pkg-resources_40.8.0-1_all.deb ...
Unpacking python3-pkg-resources (40.8.0-1) ...
Selecting previously unselected package python3-setuptools.
Preparing to unpack .../python3-setuptools_40.8.0-1_all.deb ...
Unpacking python3-setuptools (40.8.0-1) ...
Setting up python3-pkg-resources (40.8.0-1) ...
Setting up python3-setuptools (40.8.0-1) ...
root@mrCloud:~# pip3 install https://codeload.github.com/gilesknap/gphotos-sync/zip/master
Collecting https://codeload.github.com/gilesknap/gphotos-sync/zip/master
  Downloading https://codeload.github.com/gilesknap/gphotos-sync/zip/master (11.1MB)
    100% |████████████████████████████████| 11.1MB 142kB/s 
....
....
Successfully installed PyYaml-5.1.2 appdirs-1.4.3 certifi-2019.6.16 chardet-3.0.4 enum34-1.1.6 exif-0.8.1 gphotos-sync-2.10 idna-2.8 oauthlib-3.1.0 requests-2.22.0 requests-oauthlib-1.2.0 selenium-3.141.0 urllib3-1.25.3

  • Enable the "Photos Library API" for the project

  • "Create Credentials" to be allowed to use the API

  • Download the credentials as a "json" file

  • Prepare the directories for the user on the server
root@mrCloud:/mnt/storage/urnilxfgbez# mkdir -p .config/gphotos-sync
root@mrCloud:/mnt/storage/urnilxfgbez# chown cloud-urnilxfgbez:cloud-urnilxfgbez .config/gphotos-sync
root@mrCloud:/mnt/storage/urnilxfgbez# chmod 700 .config/gphotos-sync
  • Download the JSON credentials, rename the file to client_secret.json and copy it to /mnt/storage/urnilxfgbez/.config/gphotos-sync (it is the OAuth client secret; keep it owned by the sync user with mode 600)
  • Authorise the synchronisation once and start it - open the page shown after "Please go here and authorize,"
cloud-urnilxfgbez@mrCloud:~$ gphotos-sync "/mnt/storage/urnilxfgbez/Google Photos"
Please go here and authorize, https://accounts.google.com/o/oauth2/v2/auth?.... 

Paste the response token here:RESPONSE_TOKEN_DER_ANGEZEIGT_WIRD
09-10 11:56:44 Indexing Google Photos Files ...
  • e.g. create a cron job for the regular refresh
root@mrCloud:~# cat /etc/cron.d/gphotos-sync 
SHELL=/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/usr/sbin



00 15          * * *           cloud-urnilxfgbez    gphotos-sync "/mnt/storage/urnilxfgbez/Google Photos" |& logger -t "gphotos-sync"

Run a systemd service to completion at shutdown (systemd case)

  • Requirement - I want my service to run to completion at shutdown and not be killed by a timeout or by SIGTERM/SIGKILL from systemd
  • Example: systemd unit file for the tests with borg backup; additionally I want the service's output on tty1. Two caveats: the backup repository under /mnt/backup must still be mounted while ExecStop runs, which a RequiresMountsFor=/mnt/backup line in the [Unit] section guarantees (systemd then unmounts it only after this service has stopped); and KillMode=none is deprecated in newer systemd versions, which warn about it
  • Tested with systemd 242 (Kali Linux / 5.2 kernel)
  • cat /lib/systemd/system/borg-backup.service
[Unit]
Description=BORG Backup of local machine

[Service]
Type=oneshot
RemainAfterExit=true
# The actual backup runs as ExecStop, i.e. when the unit is stopped at shutdown
ExecStop=/usr/bin/borg create --one-file-system --numeric-owner --stats --progress --exclude /swap.img --exclude '/home/*/*.iso' --exclude '/home/*/*.ISO' --exclude '/home/urnilxfgbez/Downloads/'  --compression lz4 /mnt/backup/mrWhiteGhost::{now} / /boot
# At boot only old archives are pruned
ExecStart=/usr/bin/borg prune --stats --keep-last 4 /mnt/backup/mrWhiteGhost/
# Do not send SIGTERM/SIGKILL to borg and never time out the stop job
KillMode=none
TimeoutStopSec=infinity
StandardOutput=tty
StandardError=tty
TTYPath=/dev/tty1

[Install]
WantedBy=multi-user.target
  • systemctl status borg-backup
● borg-backup.service - BORG Backup of local machine
   Loaded: loaded (/lib/systemd/system/borg-backup.service; enabled; vendor pre>
   Active: active (exited) since Sun 2019-10-20 11:07:44 CEST; 14min ago
  Process: 698 ExecStart=/usr/bin/borg prune --stats --keep-last 4 /mnt/backup/>
 Main PID: 698 (code=exited, status=0/SUCCESS)

Oct 20 11:07:27 mrWhiteGhost systemd[1]: Starting BORG Backup of local machine.>
Oct 20 11:07:44 mrWhiteGhost systemd[1]: Started BORG Backup of local machine.

udev trigger for a mount no longer works (systemd case)


This is a systemd feature. The original udev command has been replaced by systemd-udevd (see its man page). One of the differences is that it creates its own filesystem namespace, so your mount is done, but it is not visible in the principal namespace. (You can check this by doing systemctl status systemd-udevd to get the Main PID of the service, then looking through the contents of /proc/<pid>/mountinfo for your filesystem).

If you want to go back to having a shared instead of private filesystem namespace, then create a file /etc/systemd/system/systemd-udevd.service with contents

.include /usr/lib/systemd/system/systemd-udevd.service
[Service]
MountFlags=shared 

or a new directory and file /etc/systemd/system/systemd-udevd.service.d/myoverride.conf with just the last 2 lines, i.e.

[Service]
MountFlags=shared

and restart the systemd-udevd service. I haven't found the implications of doing this.

Boot desinfect 201920 via PXE

  • Excerpt from the logs on my server:
mount -o loop /mnt/iso/hb_2019_03.iso /mnt/tmp
cd /mnt/tmp/software/
mount -o loop desinfect-201920-amd64.iso /mnt/tmp2/
cd /mnt/tmp2/
cp -a casper/ isolinux/ preseed/ /mnt/storage/nfs/desinfect/
cd casper/
cp vmlinuz /mnt/storage/nfs/tftp/vmlinuz64-desinfect 
cp initrd.lz /mnt/storage/nfs/tftp/initrd64-desinfect.lz 
  • pxelinux.cfg/default
default menu.c32
prompt 1
timeout 50
....
....
label desinfect 201920
   menu label Desinfect 201920
   kernel vmlinuz64-desinfect
   append nfsroot=192.168.10.1:/mnt/storage/nfs/desinfect/ netboot=nfs ro BOOT_IMAGE=casper/vmlinuz file=/cdrom/preseed/ubuntu.seed boot=casper initrd=initrd64-desinfect.lz debian-installer/language=de console-setup/layoutcode=de 

label desinfect 201920 easy
   menu label Desinfect 201920 easy
   kernel vmlinuz64-desinfect
   append nfsroot=192.168.10.1:/mnt/storage/nfs/desinfect/ netboot=nfs ro BOOT_IMAGE=casper/vmlinuz file=/cdrom/preseed/ubuntu.seed boot=casper initrd=initrd64-desinfect.lz easymode debian-installer/language=de console-setup/layoutcode=de

....
....
 
  • /etc/exports
...
/mnt/storage/nfs/desinfect 192.168.10.0/24(ro,sync,insecure,no_subtree_check)
...
know-how/linux.txt · Last modified: 2019/11/22 15:08 by cc