1. SSH with YubiKey NEO on Fedora made easy

    Your private SSH key is the key to the kingdom. This means always having a password on the key. With a YubiKey, you can keep your secret key outside your machine too.

    Excerpt from Wikipedia: The YubiKey allows users to sign, encrypt and decrypt messages without exposing the private keys to the outside world.

    This is a short how-to to get started with using a YubiKey to SSH into your servers.

    YubiKey as private SSH key

    Prerequisites

    1. Install the YubiKey management software.

      sudo dnf install yubikey-manager
      
    2. Insert YubiKey

    3. Check that OpenPGP is enabled on your YubiKey.

      ykman info
      

      Expected output should include the following.

          OPGP:      Enabled
      

      If you get an error, restart your computer and go to step 2. Yes, I know this is Linux, but we're just doing it the easy way. It should work the second time around.

    4. Set the preferred number of retries when entering a PIN on the YubiKey. The default is 3 for the user PIN, 3 for the unlock user PIN (reset) and 3 for the admin PIN. In the example, the admin retries are increased to 5.

      ykman openpgp set-pin-retries 3 3 5
      

    Generate OpenPGP key on YubiKey

    Use gpg2 for the rest.

    1. Generate PGP certificate on the key.

      gpg2 --edit-card
      gpg/card> admin
      gpg/card> generate
      
    2. Follow the instructions.

    3. Optionally set login, lang and sex.

    4. Enter the password menu.

      gpg/card> passwd
      
    5. Change user PIN, menu 1.

    6. Change admin PIN, menu 3. It is easiest to stick to numbers, to avoid accidentally locking your YubiKey. If that happens you need to reset it with …



  2. zram: Compressed RAM based block devices

    From zram documentation: The zram module creates RAM based block devices named /dev/zram<id> (<id> = 0, 1, ...). Pages written to these disks are compressed and stored in memory itself. These disks allow very fast I/O and compression provides good amounts of memory savings. Some of the usecases include /tmp storage, use as swap disks, various caches under /var and maybe many more :)

    Example of compressed swap in memory

    Write these commands in /etc/rc.local to create a 2G compressed swap partition in memory.

    # Load the module and create one zram device, /dev/zram0
    modprobe zram num_devices=1
    
    # Maximum number of compression streams (keep same as CPUs)
    echo 4 > /sys/devices/virtual/block/zram0/max_comp_streams
    
    # Compression algorithm to use; must be set before disksize,
    # since it cannot be changed once the device is initialized
    echo lzo > /sys/devices/virtual/block/zram0/comp_algorithm
    
    # Size of zram0 device in k/m/g
    echo 2g > /sys/devices/virtual/block/zram0/disksize
    
    # Create the swap file system
    mkswap /dev/zram0
    
    # Enable the swap partition with high priority
    swapon /dev/zram0 -p 10
    



  3. Record a PulseAudio sound stream

    Ever wondered how to record the audio from one application? Either the browser or a streaming application that doesn't have the option to save audio to a file.

    The PulseAudio sound server in your desktop makes this quite easy.

    I've created a small script that captures the currently playing sound stream and redirects it to a FLAC audio file. After the capture is started, you can start playing sound from other programs. It won't interfere with the current capture.

    Capture audio

    Prerequisites

    You have to install a couple of programs, if you don't have them from before, to make the bash script work.

    apt-get install pulseaudio-utils flac coreutils
    

    The script

    This is my record-app.sh script.

    #!/bin/bash
    
    BN=$(basename "$0")
    # Index of the first sink input (the stream that is currently playing)
    SI=$(pacmd list-sink-inputs | grep -m 1 index | grep -Eo "[[:digit:]]+")
    
    if [[ "$1" == "" ]]; then
      echo "usage: $BN filename"
      exit 1
    fi
    
    if [[ "$SI" == "" ]]; then
      echo "error: no input sinks found"
      exit 2
    fi
    
    N="$1"
    
    echo "$BN recording:"
    echo "· Found sink index «$SI»"
    echo "· Loading module-null-sink"
    # Create a null sink named «rec»; its monitor source is what gets recorded
    MI=$(pactl load-module module-null-sink sink_name=rec)
    # Unload the null sink again when the script exits
    trap "{ echo · Trying to delete null sink «rec»; pactl unload-module $MI; }" EXIT
    echo "· Moving sink «$SI» to null sink «rec»"
    pactl move-sink-input "$SI" rec
    echo "· Saving sound data to «$N.flac»"
    parec -d rec.monitor | flac --endian=little --sign=signed --channels=2 --bps=16 --sample-rate=44100 -o "$N.flac" - 2>/dev/null
    

    Usage

    usage: record-app.sh filename
    

    Example 1

    ./record-app.sh firefox-sound
    

    This starts recording the currently playing audio in Firefox. The audio is saved int …



  4. Vagrant with OpenStack

    If you want to use Vagrant with OpenStack, you need to prepare Vagrant by installing the vagrant-openstack-plugin. I had some problems installing it directly through vagrant plugin install. I had to clone it from GitHub and install it manually.

    One time configuration

    Install OpenStack plugin in Vagrant

    cd /tmp
    git clone https://github.com/cloudbau/vagrant-openstack-plugin
    cd vagrant-openstack-plugin
    gem build vagrant-openstack-plugin.gemspec
    vagrant plugin install vagrant-openstack-plugin-*.gem
    

    Add the dummy box that the plugin needs to Vagrant.

    vagrant box add dummy https://github.com/cloudbau/vagrant-openstack-plugin/raw/master/dummy.box
    

    Download OpenStack RC file

    • Log into OpenStack
    • Download OpenStack API RC file
    • Go to Project -> Compute -> Access & Security -> API Access
    • Download the RC file by hitting Download OpenStack RC File
    • Put $USER-openrc.sh in your ~/ or somewhere you prefer

    Configure a Vagrant VM

    Vagrantfile

    This is a default generic Vagrantfile which starts an m1.tiny flavor image of Ubuntu Utopic. It requires that you have already added your ssh key to OpenStack. Please add your ssh key with the name $USER_ssh_key.

    require 'vagrant-openstack-plugin'
    
    Vagrant.configure("2") do |config|
      config.vm.box = "dummy"
      config.vm.synced_folder ".", "/vagrant", type: "rsync", rsync__exclude: ".git/"
    
      # Make sure the private key from the key pair is provided
      config.ssh.private_key_path = "~/.ssh/id_rsa"
    
      config.vm.provider :openstack do |os|
        os.username     = "#{ENV['OS_USERNAME']}"
        os.api_key      = "#{ENV['OS_PASSWORD']}"
        os.flavor       = /m1.tiny/
        os.image        = "Ubuntu CI utopic 2014-09-18"
        os.endpoint     = "#{ENV['OS_AUTH_URL']}/tokens"
        os.keypair_name = "#{ENV['OS_USERNAME']}_ssh_key"
        os.ssh_username = "ubuntu"
    
        # The tenant have two networks, so …



  5. fio - flexible I/O tester

    From man page: fio is a tool that will spawn a number of threads or processes doing a particular type of I/O action as specified by the user. The typical use of fio is to write a job file matching the I/O load one wants to simulate.

    This example only shows how to use fio to make reproducible tests on a file system. For me it's been useful to catch changes in I/O throughput before and after a system has gone into production. By running the same tests on all systems, the numbers are comparable.

    All parameter numbers are examples, define your own test according to what you want to measure.

    Installing fio

    apt-get install fio
    

    Running fio

    • Change bsrange to the block size range you want to test.
    • numjobs is the number of simultaneous read/write threads.
    • size is the working file size.
    • If you want to test a read-heavy load, use rwmixread with a percentage of reads versus writes.

    for i in read write readwrite randread randwrite randrw; do fio --name=fio  --write_bw_log=$i --write_iops_log=$i --write_lat_log=$i --ioengine=sync --size=10G --runtime=60 --rw=$i --norandommap --refill_buffers --randrepeat=0  --iodepth=1 --direct=1 --numjobs=8 --group_reporting --bsrange=4k-4k; done
    

    Generating I/O plots

    fio2gnuplot -i -g
    

    For me the most interesting plot is compare-result-2Dsmooth.png.

    Generating bandwidth plots

    Bandwidth is better tested with a larger block size. I usually set a block size between 64k and 1m.

    for i in …



  6. Power saving on laptop

    Notes for power saving on my i5 laptop.

    /etc/rc.local

    #  SATA power save
    echo medium_power | tee /sys/class/scsi_host/host*/link_power_management_policy > /dev/null
    
    # Set minimum performance to 30% of CPU MHz 
    echo 30 > /sys/devices/system/cpu/intel_pstate/min_perf_pct
    
    # Set CPU governor to power save since we run on a laptop
    # Valid values: powersave performance
    echo powersave | tee /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor > /dev/null
    
    # Increase for CrashPlan so unlocking gnome-shell lock screen works
    echo 1048576 > /proc/sys/fs/inotify/max_user_watches
    

    /etc/default/grub

    # Make my back light buttons work correctly
    # Full power save for GPU
    GRUB_CMDLINE_LINUX="video.use_native_backlight=1 i915.enable_rc6=7 i915.enable_fbc=1 i915.lvds_downclock=1"
    


  7. View Google Earth in the browser

    Google now supports Google Earth in Google Maps. As far as I know it works in Chrome and Chromium. If Google Earth isn't available where the satellite view option is, your graphics card is on the browser's blacklist.

    To force-enable WebGL in the browser, start it with the following options.

    chromium-browser --enable-webgl --ignore-gpu-blacklist
    

    Now you can use Google Earth in maps.google.com.



  8. Vagrant, development environments made easy

    Prototyping and testing configurations and system installations is time consuming on traditional hardware. That is why I started using Vagrant for nearly all development, prototyping and testing. It's free and really easy to use. If you install VirtualBox first (sudo apt-get install virtualbox), you'll be up and running in no time.

    Vagrant does profile itself toward developers, but sysadmins have much to gain by using such tools to make life easier for themselves. Automation and reproducibility are key concepts in modern system administration. We need to think more and more like developers, as much as developers need to think more and more like sysadmins.

    Excerpt: Create and configure lightweight, reproducible, and portable development environments.



  9. Only Firefox is safe post Heartbleed

    Steve Gibson has a nice round-up where he explains how certificate revocation works and why Chrome's and Chromium's certificate revocation scheme doesn't work. I recommend reading both Steve Gibson's article An Evaluation of the Effectiveness of Chrome's CRLSets and Adam Langley's, in my opinion a bit misplaced, answer Revocation still doesn't work.

    How to be safe

    1. Use Firefox until Chrome is fixed.

    2. In Firefox enable hard fail on OCSP errors.

      Go to Preferences -> Advanced -> Certificates -> Validation.

      Check When an OCSP server connection fails, treat the certificate as invalid.



  10. Flashing a custom rom on Nexus 4

    Flashing a custom image on an Android mobile can be just fun. But if you don't know why you want to do it, or would do it just because it's a challenge, then don't!

    The bad and the good

    I'm only pointing out some of the cons and the pros here.

    Negative sides

    • An OS image could contain malware; only use community trusted images.
    • If you don't pay attention you can get malware running as root. That's B A D !
    • May not have all of the phone vendor's functionality.
    • The image may be buggy.

    Consequences of a buggy image

    • Lock up your phone when you least expect it.
    • Drain the battery quicker.
    • Suddenly reboot.

    Positive sides

    • You can get a newer more secure operating system.
    • Use less battery.
    • No crapware.
    • Extra security functions.

    Flashing CyanogenMod

    One of the custom Android images based on AOSP is CyanogenMod. As far as I know, it's one of the more widely used ones. It is quite stable if you keep away from the nightlies, and rich in functionality but not bloated.

    Preparations

    1. Install adb and fastboot to help manage your Nexus phone.

      sudo apt-get install android-tools-adb android-tools-fastboot
      
    2. Download a custom recovery image. Personally I prefer ClockworkMod and the touch recovery. Note, this image is compiled for the Nexus 4 phone. Other phones use other images.

      wget http://download2.clockworkmod.com/recoveries/recovery-clockwork-touch-6.0.4.7-mako.img
      
    3. Download the latest M snapshot from CyanogenMod on download.cyanogenmod.org. The model name for Nexus 4 is mako.

      wget http://download.cyanogenmod.org/get …
