Difference between revisions of "User talk:ReetP"
Latest revision as of 13:58, 12 April 2024
My talk page (whatever that means)
== RPM building ==
https://www.redhat.com/sysadmin/create-rpm-package

dnf install git rpmdevtools rpmlint

rpmlint is handy!

Add the Rocky Devel repository to the yum_repositories db (GPGCheck no turns off package signature checking for this repo, and status disabled keeps it off until you enable it explicitly):

db yum_repositories setprop Rocky-Devel MirrorList "https://mirrors.rockylinux.org/mirrorlist?arch=\$basearch&repo=Devel-\$releasever" Name "Rocky Linux \$releasever - Devel" EnableGroups yes GPGCheck no Visible yes status disabled

Set up the RPM tree:

rpmdev-setuptree
== Other stuff ==
phatch - not supported for years but still excellent: http://photobatch.wikidot.com/ Not so easy on Windows. Doddle on Linux.

Some alternatives:
http://www.highmotionsoftware.com/products/imbatch
https://www.faststone.org/FSResizerDetail.htm
https://www.saashub.com/compare-image-resizer-for-windows-vs-multiple-image-resizer-net
== Grep without comments ==
https://unix.stackexchange.com/questions/60994/how-to-grep-lines-which-does-not-begin-with-or

grep '^[[:blank:]]*[^[:blank:]#;]' smb.conf
grep -vxE '[[:blank:]]*([#;].*)?' smb.conf
awk '$1 ~ /^[^;#]/' smb.conf
cat /etc/samba/smb.conf | grep ^[^#\;]
grep -v "^\s*[#\;]\|^\s*$" smb.conf
grep -v "^\s*[#;]" any.conf | grep -v "^\s*$"
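The one-liners above all do the same job. As an added example (not from this page or the linked answer), here is one of them wrapped in a function and run over a constructed smb.conf, with an indented comment, blank lines and an inline comment included so the limit of the approach is visible: a trailing "# ..." on a value line is kept, because '#' and ';' can legitimately be part of a value.

```shell
#!/bin/sh
# Added example, not from the wiki page: wrap the "grep without comments"
# one-liner in a function and run it over a constructed smb.conf so the edge
# cases are visible: indented comments, blank lines, and an inline comment
# (which none of the one-liners strip).

# Constructed sample config; not a real smb.conf.
SAMPLE_CONF='# Samba configuration
; another comment style
[global]
    workgroup = WORKGROUP
        # indented hash comment
    ; indented semicolon comment

    server string = Samba Server   # inline comment stays
[homes]
    browseable = no
'

# Print only the active lines of the file named in $1 (stdin if omitted):
# drop lines that are blank or whose first non-blank character is # or ;.
active_lines() {
    grep -vxE '[[:blank:]]*([#;].*)?' "${1:--}"
}

# Active lines of the constructed sample.
demo_sample() {
    printf '%s' "$SAMPLE_CONF" | active_lines
}

# Number of active lines in the constructed sample.
count_active() {
    demo_sample | wc -l | tr -d ' '
}

# Stand-alone run: show what survives.
demo_sample
```

Pass a real path as the first argument (`active_lines /etc/samba/smb.conf`) to use it on a live config; the only difference from the bare one-liner is that stdin is accepted when no file is given.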
== systemd notes ==
Normally the 49-koozali.preset should work with the db config, so you have nothing to do except:
- have a systemd service unit named with the same key as the db
- remove any link in rc7.d

You need to create /usr/lib/systemd/system/bandwidthd.service.d/50koozali.conf containing the following (the - after ExecStartPre= is not a typo: it tells systemd to carry on if that command exits non-zero):

[Unit]
After=wan.service
After=networking.service

[Service]
ExecStartPre=-/sbin/e-smith/expand-template /etc/bandwidthd.conf

[Install]
WantedBy=sme-server.target

This file will be owned by the smeserver-b... package.
== TFTP Notes ==

=== Menu system ===
This uses syslinux, available from here:
http://www.syslinux.org/wiki/index.php?title=Download

I used a fairly old version but cannot remember what it is.

Copy pxelinux.0 to /tftpboot
Copy vesamenu.c32 to /tftpboot/com32

I have a menu system as follows.

In /tftpboot create a directory called pxelinux.cfg:
cd /tftpboot/pxelinux.cfg

Make a file called default:
touch default

Sample default file - add your own submenus:

[root@home pxelinux.cfg]# cat default
menu title --== SME Linux, PXE Main Menu ==--
menu background graphics/background.png
menu tabmsgrow 22
menu cmdlinerow 22
menu endrow 24
menu color title 1;34;49 #eea0a0ff #cc333355 std
menu color sel 7;37;40 #ff000000 #bb9999aa all
menu color border 30;44 #ffffffff #00000000 std
menu color pwdheader 31;47 #eeff1010 #20ffffff std
menu color hotkey 35;40 #90ffff00 #00000000 std
menu color hotsel 35;40 #90000000 #bb9999aa all
menu color timeout_msg 35;40 #90ffffff #00000000 none
menu color timeout 31;47 #eeff1010 #00000000 none
prompt 0
noescape 1
allowoptions 0
timeout 0
default com32/vesamenu.c32

label linuxmenu
menu label ^Linux Boot Disks Menu
kernel com32/vesamenu.c32
append pxelinux.cfg/linux_boot_disks

You need to get your distro image, extract the relevant files and put them in /tftpboot/images/distroName

Typically this will be:
vmlinuz
initrd.img

However there could be other names. YMMV.

Now create a file called linux_boot_disks

Here are some samples (need to confirm if they all work):

label Slitaz 4 Std
menu label SlitaZ ^4
kernel images/slitaz_4_0/bzImage
append initrd=images/slitaz_4_0/rootfs4.gz,images/slitaz_4_0/rootfs3.gz,images/slitaz_4_0/rootfs2.gz,images/slitaz_4_0/rootfs1.gz rw root=/dev/null vga=normal autologin

label Clonezilla-live
MENU LABEL Clonezilla Live (Ramdisk)
KERNEL images/clonezilla/vmlinuz
APPEND initrd=images/clonezilla/initrd.img boot=live username=user union=overlay config components quiet noswap edd=on nomodeset nodmraid locales=en_GB.UTF-8 keyboard-layouts=uk keyboard-layouts= ocs_live_run="ocs-live-general" ocs_live_extra_param="" ocs_live_batch=no net.ifnames=0 nosplash noprompt fetch=tftp://192.168.10.1//images/clonezilla/filesystem.squashfs

label SME8 Install
menu label ^SME8 Install
kernel images/SME8/vmlinuz
append initrd=images/SME8/initrd.img

DEFAULT pmagic
# Boot the kernel and initramfs over PXE.
LABEL pmagic
LINUX images/pmagic/bzImage
INITRD images/pmagic/initramfs
APPEND edd=on vga=normal vmalloc=384MiB

If you install the smeserver-nfs contrib and export a mount you can use something like the following:

label Bitdefender 2
menu label ^Bitdefender
kernel images/bitdefender_2/vmlinuz
append boot=casper netboot=nfs nfsroot=192.168.0.1:/home/e-smith/files/ibays/computer/files/bitdefender_2 initrd=images/bitdefender_2/initrd.gz lang=gb

label Kaspersky 10 - Rescue
menu label ^Kaspersky 10 - Rescue
kernel images/kaspersky_10/rescue
append nfsdir=192.168.0.1:/home/e-smith/files/ibays/computer/files/kaspersky_10 initrd=images/kaspersky_10/rescue.igz lang=gb ramdisk_size=1000000

label Fsecure 3.11 - Rescue
menu label ^Fsecure 3.11 - Rescue
kernel images/fsecure_311/linux
append nfsdir=192.168.0.1:/home/e-smith/files/ibays/computer/files/fsecure_311 initrd=images/fsecure_311/minirt.gz nodhcp lang=gb ramdisk_size=1000000
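Every label above points at files that have to be copied under /tftpboot by hand, and a client that hits a missing initrd just hangs at the PXE prompt. As an added example, not from this page, the script below walks a pxelinux menu file, collects every kernel/LINUX/INITRD argument and every entry of a comma-separated initrd= list, and reports the ones that do not exist under the TFTP root. The menu text and directory tree it builds are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the wiki page: before pointing clients at a new
# pxelinux menu, check that every kernel and initrd it references exists under
# the TFTP root. The menu text and directory tree below are constructed.

# Print every file path a menu references: the argument of kernel/KERNEL/LINUX
# and INITRD directives, plus each entry of a comma-separated initrd= list
# inside an append/APPEND line.
menu_paths() {
    awk '
        tolower($1) == "kernel" || tolower($1) == "linux" || tolower($1) == "initrd" { print $2 }
        tolower($1) == "append" {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^initrd=/) {
                    sub(/^initrd=/, "", $i)
                    n = split($i, parts, ",")
                    for (j = 1; j <= n; j++) print parts[j]
                }
        }
    ' "$1"
}

# Check the paths of menu $2 relative to TFTP root $1. Prints each missing
# file and returns 1 if anything is missing, 0 if the menu is complete.
check_menu() {
    root=$1
    missing=0
    for p in $(menu_paths "$2"); do
        if [ ! -f "$root/$p" ]; then
            echo "missing: $root/$p"
            missing=1
        fi
    done
    return $missing
}

# Build a throwaway TFTP tree with one complete entry and one entry whose
# second initrd file was never copied; prints the directory name.
make_demo_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/images/SME8" "$tmp/images/slitaz_4_0"
    : > "$tmp/images/SME8/vmlinuz"
    : > "$tmp/images/SME8/initrd.img"
    : > "$tmp/images/slitaz_4_0/bzImage"
    : > "$tmp/images/slitaz_4_0/rootfs4.gz"
    cat > "$tmp/linux_boot_disks" <<'EOF'
label SME8 Install
  menu label ^SME8 Install
  kernel images/SME8/vmlinuz
  append initrd=images/SME8/initrd.img
label Slitaz 4 Std
  menu label SlitaZ ^4
  kernel images/slitaz_4_0/bzImage
  append initrd=images/slitaz_4_0/rootfs4.gz,images/slitaz_4_0/rootfs3.gz rw root=/dev/null
EOF
    echo "$tmp"
}

# Number of missing files reported for the demo tree (rootfs3.gz only).
demo_missing_count() {
    d=$(make_demo_tree)
    check_menu "$d" "$d/linux_boot_disks" | wc -l | tr -d ' '
    rm -rf "$d"
}

demo_missing_count
```

On a real server run `check_menu /tftpboot /tftpboot/pxelinux.cfg/linux_boot_disks` (and the same for default, which catches a missing com32/vesamenu.c32); paths are resolved relative to the TFTP root exactly as pxelinux does.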
== smeserver-openswan notes ==
smeserver-openswan-0.6

=== Config settings ===
For other options see here: http://linux.die.net/man/5/ipsec.html

We have a new action:
signal-event ipsec-update

This will process the required templates and create some files. When ipsec and a connection are enabled it will open the relevant ports on the firewall. It has to disable send redirects, accept redirects and rp_filter. Note that these are considered security features and you disable them at your own risk:
https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_send_redirects_in_.2Fproc.2Fsys.2Fnet_.3F
https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_rp_filter_in_.2Fproc.2Fsys.2Fnet_.3F

These settings are generic and can be overwritten on a per connection basis:
config ipsec show

Only set with:
db configuration setprop ipsec $key $property

Setting status enabled/disabled will modify access to private/public.

status: Default disabled | enabled
access: Default private | public
UDPPort: Default 500 | Variable
auto: Default start | add (do not use ondemand or ignore)
debug: none | all raw crypt parsing emitting control controlmore lifecycle dns dpd klips pfkey natt oppo oppoinfo whackwatch private (all generates a large amount of logging so use with care)

Overall settings - can be in the main config db or in ipsec_connections per connection:
ikelifetime: Default 3600s | Variable
salifetime: Default 28800s | Variable
dpdaction: Default restart | Variable
dpddelay: Default 30 | Variable
dpdtimeout: Default 10 | Variable
pfs: Default yes | Variable
connectiontype: Default secret | rsasig, certificate
ike: Default aes-sha1 | variable - see the ipsec.conf readme file for more options

Per connection only settings

Automatically modified - do not change this:
PreviousState: Denotes previous connection state

Manual keys:
db ipsec_connections show
db ipsec_connections setprop ConnectionName $key $property

iptype: Default Empty | stattodyn or dyntostat - are we a static host to a dynamic client or vice versa? Only required for dynamic clients with static hosts
connectiontype: Default tunnel | transport/passthrough/drop/reject
leftrsasig: Default Empty | Your local rsasignature key
rightrsasig: Default Empty | Your remote rsasignature key
ipsecversion: Default Empty - v1 | If this is set to v2 then only v2 will be allowed
phase2: aes-sha1 | Various
mtu: Default Empty | Various
left: Default Empty | If Empty then %defaultroute is set. Can be the local WAN IP
leftid: Default Empty | Variable
leftsourceip: Default Empty | This server's local IP
leftsubnet: Default Empty | This server's local subnet
right: Default Empty | Destination WAN IP
rightid: Default Empty | Variable
rightsubnet: Default Empty | Destination subnet
passwd: Default Empty | Variable
keyingtries: Default Empty | 0 is default - 'forever'

# Future
# certname: Default Empty | Your certificate name
# leftcert
# rightca: Default %same

=== For a basic connection you need this as a bare minimum ===
config setprop ipsec status enabled access public

Note: for ipsec_connections we use 'set' when we create a new connection. Thereafter you can modify it with setprop.

Local - WAN IP 5.6.7.8, Local IP 192.168.20.1, Subnet 192.168.20.0/24
db ipsec_connections set MyEast ipsec status enabled leftsourceip 192.168.20.1 leftsubnet 192.168.20.0/24 right 1.2.3.4 rightsubnet 10.0.0.0/24 passwd MyPassWd

Remote - WAN IP 1.2.3.4, Local IP 10.0.0.1, Subnet 10.0.0.0/24
db ipsec_connections set MyWest ipsec status enabled leftsourceip 10.0.0.1 leftsubnet 10.0.0.0/24 right 5.6.7.8 rightsubnet 192.168.20.0/24 passwd MyPassWd

Bare minimum config for ipsec with static hosts (ike is automatically added):
MyConnection=ipsec
    ike=aes-sha1
    leftsourceip=192.168.50.1
    leftsubnet=192.168.50.0/24
    passwd=SomeLongAndComplicatedPassword
    right=1.2.3.4
    rightsubnet=192.68.60.0/24
    status=enabled

signal-event ipsec-update

Check:
/var/log/pluto/pluto.log
ipsec whack --status
ipsec verify (there may be some warnings - severity depends on what they are)

=== For a rsasig connection ===
Please see the section on generating rsa Signatures.

The FIRST time you must run this command to set up the dbs. Thereafter if you delete them NSS will regenerate new dbs and you do not need to do this.
ipsec initnss

ipsec newhostkey --random /dev/random --output /etc/ipsec.d/rsa.secrets

When you copy the key it MUST be in one long line.

Remember:
East: leftrsasig=PUBLIC key of East, rightrsasig=PUBLIC key of West
West: leftrsasig=PUBLIC key of West, rightrsasig=PUBLIC key of East

You MUST use IDs, ESPECIALLY if you have a dynamic IP at one end.

Local - WAN IP 5.6.7.8, Local IP 192.168.20.1, Subnet 192.168.20.0/24
db ipsec_connections set MyEast ipsec status enabled leftsourceip 192.168.20.1 leftsubnet 192.168.20.0/24 right 1.2.3.4 rightsubnet 10.0.0.0/24 security rsasig leftid East rightid West leftrsasig SomeLongPassFromEast rightrsasig SomeLongPasswordFromWest

Remote - WAN IP 1.2.3.4, Local IP 10.0.0.1, Subnet 10.0.0.0/24
db ipsec_connections set MyWest ipsec status enabled leftsourceip 10.0.0.1 leftsubnet 10.0.0.0/24 right 5.6.7.8 rightsubnet 192.168.20.0/24 security rsasig leftid West rightid East leftrsasig SomeLongPassFromWest rightrsasig SomeLongEastPasswordFromEast

=== For a rsasig connection with dynamic IP ===
This will set your local 'left' rsasig:
db ipsec_connections setprop East leftrsasig `cat rsa.secrets |grep pubkey |sed 's/.*key=//'`

Then extract the public key for the far end. When you copy the key it MUST be in one long line.
cat /etc/ipsec.d/rsa.secrets |grep pubkey |sed 's/.*key=//'

East needs to create a set of keys and send the public key to West. West needs to create a set of keys and send the public key to East.

Note that with dynamic IPs we have to allow connections from anywhere, which is not as safe as fixed IPs. We therefore recommend setting security rsasig and ike v2, and using leftid/rightid to enhance security.

We set the static server to:
auto 'add' so it only listens for incoming connections
dpdaction 'clear' so the route is cleared if the connection is dropped
iptype stattodyn - sets right = %any (allow all hosts to

We set the dynamic server to:
auto 'start' so it immediately attempts to connect
iptype dyntostat

Local - MyEast - WAN IP 5.6.7.8, Local IP 192.168.20.1, Subnet 192.168.20.0/24
db ipsec_connections set MyEast ipsec status enabled iptype stattodyn auto add dpdaction clear leftsourceip 192.168.20.1 leftsubnet 192.168.20.0/24 rightsubnet 10.0.0.0/24 security rsasig leftid East rightid West leftrsasig SomeLongPassFromEast rightrsasig SomeLongPasswordFromWest

Remote - MyWest - WAN IP %variable, Local IP 10.0.0.1, Subnet 10.0.0.0/24
db ipsec_connections set MyWest ipsec status enabled iptype dyntostat auto start leftsourceip 10.0.0.1 leftsubnet 10.0.0.0/24 right 5.6.7.8 rightsubnet 192.168.20.0/24 security rsasig leftid West rightid East leftrsasig SomeLongPassFromWest rightrsasig SomeLongEastPasswordFromEast
== smeserver-libreswan notes ==
smeserver-libreswan-0.5

=== Config settings ===
For other options see here: https://libreswan.org/man/ipsec.conf.5.html

We have a new action:
signal-event ipsec-update

This will process the required templates and create some files. When ipsec and a connection are enabled it will open the relevant ports on the firewall. It has to disable send redirects, accept redirects and rp_filter. Note that these are considered security features and you disable them at your own risk:
https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_send_redirects_in_.2Fproc.2Fsys.2Fnet_.3F
https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_rp_filter_in_.2Fproc.2Fsys.2Fnet_.3F

These settings are generic and can be overwritten on a per connection basis:
config ipsec show

Only set with:
db configuration setprop ipsec $key $property

Setting status enabled/disabled will modify access to private/public.

status: Default disabled | enabled
access: Default private | public
UDPPort: Default 500 | Variable
auto: Default start | add (do not use ondemand or ignore)
debug: none | all raw crypt parsing emitting control controlmore lifecycle dns dpd klips pfkey natt oppo oppoinfo whackwatch private (all generates a large amount of logging so use with care)

Overall settings - can be in the main config db or in ipsec_connections per connection:
ikelifetime: Default 3600s | Variable
salifetime: Default 28800s | Variable
dpdaction: Default restart | Variable
dpddelay: Default 30 | Variable
dpdtimeout: Default 10 | Variable
pfs: Default yes | Variable
connectiontype: Default secret | rsasig, certificate
ike: Default aes-sha1 | variable - see the ipsec.conf readme file for more options

Per connection only settings

Automatically modified - do not change this:
PreviousState: Denotes previous connection state

Manual keys:
db ipsec_connections show
db ipsec_connections setprop ConnectionName $key $property

iptype: Default Empty | stattodyn or dyntostat - are we a static host to a dynamic client or vice versa? Only required for dynamic clients with static hosts
connectiontype: Default tunnel | transport/passthrough/drop/reject
leftrsasig: Default Empty | Your local rsasignature key
rightrsasig: Default Empty | Your remote rsasignature key
ipsecversion: Default Empty - v1 | If this is set to v2 then only v2 will be allowed
phase2: aes-sha1 | Various
mtu: Default Empty | Various
left: Default Empty | If Empty then %defaultroute is set. Can be the local WAN IP
leftid: Default Empty | Variable
leftsourceip: Default Empty | This server's local IP
leftsubnet: Default Empty | This server's local subnet
right: Default Empty | Destination WAN IP
rightid: Default Empty | Variable
rightsubnet: Default Empty | Destination subnet
passwd: Default Empty | Variable
keyingtries: Default Empty | 0 is default - 'forever'

# Future
# certname: Default Empty | Your certificate name
# leftcert
# rightca: Default %same

=== For a basic connection you need this as a bare minimum ===
config setprop ipsec status enabled access public

Note: for ipsec_connections we use 'set' when we create a new connection. Thereafter you can modify it with setprop.

Local - WAN IP 5.6.7.8, Local IP 192.168.20.1, Subnet 192.168.20.0/24
db ipsec_connections set MyEast ipsec status enabled leftsourceip 192.168.20.1 leftsubnet 192.168.20.0/24 right 1.2.3.4 rightsubnet 10.0.0.0/24 passwd MyPassWd

Remote - WAN IP 1.2.3.4, Local IP 10.0.0.1, Subnet 10.0.0.0/24
db ipsec_connections set MyWest ipsec status enabled leftsourceip 10.0.0.1 leftsubnet 10.0.0.0/24 right 5.6.7.8 rightsubnet 192.168.20.0/24 passwd MyPassWd

Bare minimum config for ipsec with static hosts (ike is automatically added):
MyConnection=ipsec
    ike=aes-sha1
    leftsourceip=192.168.50.1
    leftsubnet=192.168.50.0/24
    passwd=SomeLongAndComplicatedPassword
    right=1.2.3.4
    rightsubnet=192.68.60.0/24
    status=enabled

signal-event ipsec-update

Check:
/var/log/pluto/pluto.log
ipsec whack --status
ipsec verify (there may be some warnings - severity depends on what they are)

=== For a rsasig connection ===
Please see the section on generating rsa Signatures.

The FIRST time you must run this command to set up the dbs. Thereafter if you delete them NSS will regenerate new dbs and you do not need to do this.
ipsec initnss

ipsec newhostkey --random /dev/random --output /etc/ipsec.d/rsa.secrets

When you copy the key it MUST be in one long line.

Remember:
East: leftrsasig=PUBLIC key of East, rightrsasig=PUBLIC key of West
West: leftrsasig=PUBLIC key of West, rightrsasig=PUBLIC key of East

You MUST use IDs, ESPECIALLY if you have a dynamic IP at one end.

Local - WAN IP 5.6.7.8, Local IP 192.168.20.1, Subnet 192.168.20.0/24
db ipsec_connections set MyEast ipsec status enabled leftsourceip 192.168.20.1 leftsubnet 192.168.20.0/24 right 1.2.3.4 rightsubnet 10.0.0.0/24 security rsasig leftid East rightid West leftrsasig SomeLongPassFromEast rightrsasig SomeLongPasswordFromWest

Remote - WAN IP 1.2.3.4, Local IP 10.0.0.1, Subnet 10.0.0.0/24
db ipsec_connections set MyWest ipsec status enabled leftsourceip 10.0.0.1 leftsubnet 10.0.0.0/24 right 5.6.7.8 rightsubnet 192.168.20.0/24 security rsasig leftid West rightid East leftrsasig SomeLongPassFromWest rightrsasig SomeLongEastPasswordFromEast

=== For a rsasig connection with dynamic IP ===
This will set your local 'left' rsasig:
db ipsec_connections setprop East leftrsasig `cat rsa.secrets |grep pubkey |sed 's/.*key=//'`

Then extract the public key for the far end. When you copy the key it MUST be in one long line.
cat /etc/ipsec.d/rsa.secrets |grep pubkey |sed 's/.*key=//'

East needs to create a set of keys and send the public key to West. West needs to create a set of keys and send the public key to East.

Note that with dynamic IPs we have to allow connections from anywhere, which is not as safe as fixed IPs. We therefore recommend setting security rsasig and ike v2, and using leftid/rightid to enhance security.

We set the static server to:
auto 'add' so it only listens for incoming connections
dpdaction 'clear' so the route is cleared if the connection is dropped
iptype stattodyn - sets right = %any (allow all hosts to

We set the dynamic server to:
auto 'start' so it immediately attempts to connect
iptype dyntostat

Local - MyEast - WAN IP 5.6.7.8, Local IP 192.168.20.1, Subnet 192.168.20.0/24
db ipsec_connections set MyEast ipsec status enabled iptype stattodyn auto add dpdaction clear leftsourceip 192.168.20.1 leftsubnet 192.168.20.0/24 rightsubnet 10.0.0.0/24 security rsasig leftid East rightid West leftrsasig SomeLongPassFromEast rightrsasig SomeLongPasswordFromWest

Remote - MyWest - WAN IP %variable, Local IP 10.0.0.1, Subnet 10.0.0.0/24
db ipsec_connections set MyWest ipsec status enabled iptype dyntostat auto start leftsourceip 10.0.0.1 leftsubnet 10.0.0.0/24 right 5.6.7.8 rightsubnet 192.168.20.0/24 security rsasig leftid West rightid East leftrsasig SomeLongPassFromWest rightrsasig SomeLongEastPasswordFromEast
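The rsasig and dynamic-IP notes above (the same for the openswan and libreswan contribs) come down to a few rules: a connection with iptype stattodyn or dyntostat accepts peers from %any, so it should use security rsasig, carry a leftid/rightid pair, and pin ipsecversion to v2; and the public key pasted into leftrsasig/rightrsasig must be one unbroken token. As an added example, not part of this page or of either contrib, the script below applies those rules to a dump in the layout `db ipsec_connections show` prints (record name, then indented prop=value lines) and extracts the `#pubkey=` line from rsa.secrets with the same grep/sed pipeline as the notes, refusing anything that is not a single token. Both inputs are constructed samples; the key material is a placeholder.

```shell
#!/bin/sh
# Added example, not from the wiki page or the smeserver-libreswan contrib:
# audit an ipsec_connections dump against the dynamic-IP rules in the notes,
# and extract the host public key from rsa.secrets as one line.
# Both inputs below are constructed samples in the layout that
# "db ipsec_connections show" and "ipsec newhostkey" produce.

SAMPLE_DB='MyEast=ipsec
    status=enabled
    iptype=stattodyn
    auto=add
    dpdaction=clear
    ipsecversion=v2
    leftsourceip=192.168.20.1
    leftsubnet=192.168.20.0/24
    rightsubnet=10.0.0.0/24
    security=rsasig
    leftid=East
    rightid=West
Sloppy=ipsec
    status=enabled
    iptype=dyntostat
    auto=start
    right=5.6.7.8
    rightsubnet=192.168.20.0/24
    passwd=MyPassWd
StaticPsk=ipsec
    status=enabled
    right=1.2.3.4
    rightsubnet=10.0.0.0/24
    passwd=MyPassWd
'

# One finding per line for each enabled connection with iptype stattodyn or
# dyntostat (one end is dynamic, so right becomes %any) that is not rsasig,
# lacks a leftid/rightid pair, or does not restrict itself to IKEv2.
audit_dynamic() {
    printf '%s' "$SAMPLE_DB" | awk '
        function flush(   k) {
            if (name != "" && props["status"] == "enabled" &&
                (props["iptype"] == "stattodyn" || props["iptype"] == "dyntostat")) {
                if (props["security"] != "rsasig") print name ": dynamic peer without security rsasig"
                if (props["leftid"] == "" || props["rightid"] == "") print name ": dynamic peer without leftid/rightid"
                if (props["ipsecversion"] != "v2") print name ": ipsecversion not set to v2"
            }
            for (k in props) delete props[k]
        }
        /^[^ ]/ { flush(); eq = index($0, "="); name = substr($0, 1, eq - 1); next }
        /^ /    { sub(/^ +/, ""); eq = index($0, "="); props[substr($0, 1, eq - 1)] = substr($0, eq + 1) }
        END     { flush() }
    '
}

# Constructed rsa.secrets-style text: libreswan writes the public half of the
# host key as a "#pubkey=0s..." comment inside the RSA block. The key material
# here is a placeholder, not a real key.
SAMPLE_SECRETS=': RSA {
    # RSA 2192 bits   example   Fri Apr 12 2024
    # for signatures only, UNSAFE FOR ENCRYPTION
    #pubkey=0sAQPconstructedPLACEHOLDERnotAREALpublicHALF==
    Modulus: 0xPLACEHOLDER
    }
'

# Extract the public key the way the notes do (grep pubkey | sed) and refuse it
# unless it is exactly one token: a wrapped or multi-line paste is the usual
# reason a pasted leftrsasig/rightrsasig fails to match the far end.
extract_pubkey() {
    key=$(printf '%s' "$SAMPLE_SECRETS" | grep pubkey | sed 's/.*key=//')
    lines=$(printf '%s\n' "$key" | wc -l | tr -d ' ')
    if [ -z "$key" ] || [ "$lines" != "1" ] || printf '%s' "$key" | grep -q '[[:blank:]]'; then
        echo "pubkey missing or not on one line" >&2
        return 1
    fi
    printf '%s\n' "$key"
}

audit_dynamic
extract_pubkey
```

On a server, replace the embedded sample with `db ipsec_connections show | awk ...` and `cat /etc/ipsec.d/rsa.secrets | grep pubkey | ...`; the checks are the page's own recommendations, so a clean run means only that the db matches them, not that the far end is configured to match.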
== Package modification with Git ==

== Server Setup ==

Packages:

To pull and read: mock, git, git-lfs
To commit: koji

== For anonymous access and test building locally ==

=== Setup Mock ===
Install /etc/mock/smeserver-11-x86_64-base.cfg

Set up the mock files:
mock -r smeserver-11-x86_64-base --init

=== Clone your repo ===
mkdir git; cd git
git clone https://src.koozali.org/smeserver/ulogd.git
cd ulogd
git clone https://src.koozali.org/smeserver/common.git common

Do some stuff:
Update the spec file
Bump the version
Add your changelog entry

=== Test build ===
This will overwrite your changes and build the EXISTING version. How do we build with the fixes?

make clean; make prep; make mockbuild

You should now have an rpm that you can install.

== For user access, test building locally and committing ==

=== Setup Koji ===
Drop the supplied Koji files into ~/.koji

=== Setup Mock ===
Install /etc/mock/smeserver-11-x86_64-base.cfg

Set up the mock files:
mock -r smeserver-11-x86_64-base --init

=== Clone your repo ===
mkdir git; cd git
git clone ssh://src.koozali.org/smeserver/ulogd.git
cd ulogd
git clone ssh://src.koozali.org/smeserver/common.git common

Do some stuff:
Hack files
Update the spec file, bump the version, add your changelog entry

=== Test build ===
This will overwrite your changes and build the EXISTING version. How do we build with the fixes?

make clean; make prep; make mockbuild

You should now have an rpm that you can install.

=== Committing ===
See what has changed:
git status

Only add the required files. Beware of adding common. Should we have a .gitignore for that?

git add your.modifiedfiles
make commit && make tag && make build

Note: if you have made a mistake, make sure the builder has completed the build before starting a new one. You cannot rebuild the existing tag. You will need to bump the version and commit/tag/build again.
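Two of the pitfalls in the committing step above are mechanical enough to check before `make commit`: the common/ clone sitting inside the package tree must not be staged, and the spec header and the newest %changelog entry have to agree on Version-Release, because a tag that already exists cannot be rebuilt. As an added example, not from this page or from the koozali build Makefiles, the script below reads `git status --porcelain` output and a spec file on stdin and refuses both mistakes. The status lines and spec files are constructed samples; the `.sme` dist tag in the changelog entries is an assumption about the local convention.

```shell
#!/bin/sh
# Added example, not from the wiki page or the koozali build Makefiles: two
# pre-commit checks for the "git add; make commit && make tag && make build"
# step. The status output and spec text below are constructed samples.

# Reads "git status --porcelain" on stdin. Returns 1 if any staged path
# (index column is a letter, not ' ' or '?') lies under common/.
check_no_common() {
    awk '
        substr($0, 1, 1) != " " && substr($0, 1, 1) != "?" && substr($0, 4) ~ /^common\// { bad = 1 }
        END { exit bad ? 1 : 0 }
    '
}

# Reads a spec on stdin, prints "spec X changelog Y" and returns 0 only when
# the header Version-Release (dist macro stripped) matches the first
# %changelog entry, allowing that entry to carry a dist suffix such as
# 1.2.3-2.sme (assumed local convention).
check_spec_bump() {
    awk '
        $1 == "Version:" { ver = $2 }
        $1 == "Release:" { rel = $2; sub(/%.*$/, "", rel) }
        /^%changelog/ { inlog = 1; next }
        inlog && /^\*/ && !found { found = 1; logver = $NF }
        END {
            want = ver "-" rel
            printf "spec %s changelog %s\n", want, logver
            ok = (logver == want) || (substr(logver, 1, length(want) + 1) == want ".")
            exit ok ? 0 : 1
        }
    '
}

# Constructed spec where header and changelog agree.
SPEC_OK='Name: ulogd
Version: 1.2.3
Release: 2%{?dist}
Summary: constructed sample spec

%changelog
* Fri Apr 12 2024 Example Dev <dev@example.invalid> 1.2.3-2.sme
- constructed entry: fix something
* Thu Apr 11 2024 Example Dev <dev@example.invalid> 1.2.3-1.sme
- constructed entry: first build
'

# Constructed spec where the header was bumped but no changelog entry was added.
SPEC_BAD='Name: ulogd
Version: 1.2.4
Release: 1%{?dist}
Summary: constructed sample spec

%changelog
* Fri Apr 12 2024 Example Dev <dev@example.invalid> 1.2.3-2.sme
- constructed entry: fix something
'

# Constructed status output: common/ untracked (fine) versus common/ staged (refused).
demo_status_ok()  { printf 'M  ulogd.spec\nA  ulogd-fix.patch\n?? common/\n' | check_no_common; }
demo_status_bad() { printf 'M  ulogd.spec\nA  common/Makefile.common\n' | check_no_common; }
demo_spec_ok()    { printf '%s' "$SPEC_OK" | check_spec_bump; }
demo_spec_bad()   { printf '%s' "$SPEC_BAD" | check_spec_bump; }

demo_spec_ok
```

In the cloned package directory the real invocation is `git status --porcelain | check_no_common && check_spec_bump < ulogd.spec && make commit && make tag && make build`, so a staged common/ or a forgotten bump stops the chain before anything reaches the builder.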