859
edits
Changes
From SME Server
Jump to navigationJump to search→Committing
My talk page (whatever that means)
My talk page (whatever that means)
==RPM building==
RPM building
https://www.redhat.com/sysadmin/create-rpm-package
dnf install git rpmdevtools rpmlint
rpmlint is handy!
db yum_repositories setprop Rocky-Devel MirrorList "https://mirrors.rockylinux.org/mirrorlist?arch=\$basearch&repo=Devel-\$releasever" Name "Rocky Linux \$releasever - Devel" EnableGroups yes GPGCheck no Visible yes status disabled
Set up the RPM tree
rpmdev-setuptree
==Other stuff==
phatch - not supported for years but still excellent
http://photobatch.wikidot.com/
Not so easy on Windows. Doddle on Linux.
Some alternatives.
http://www.highmotionsoftware.com/products/imbatch
https://www.faststone.org/FSResizerDetail.htm
https://www.saashub.com/compare-image-resizer-for-windows-vs-multiple-image-resizer-net
Grep without comments
https://unix.stackexchange.com/questions/60994/how-to-grep-lines-which-does-not-begin-with-or
<nowiki>grep '^[[:blank:]]*[^[:blank:]#;]' smb.conf
grep -vxE '[[:blank:]]*([#;].*)?' smb.conf
awk '$1 ~ /^[^;#]/' smb.conf
cat /etc/samba/smb.conf | grep ^[^#\;]
grep -v "^\s*[#\;]\|^\s*$" smb.conf
grep -v "^\s*[#;]" any.conf | grep -v "^\s*$"
</nowiki>
==systemd notes==
normally the 49-koozali.preset should work with the db config. so you have nothing to do except:
- having a systemd service unit named with the same key as the db
- removing any link in rc7.d
you need to create a /usr/Lib/systemd/system/bandwithd.service.d/50koozali.conf
with (the - after ExecStartPre= is not a typo)
[Unit]
After=wan.service
After=networking.service
[Service]
ExecStartPre=-/sbin/e-smith/expand-template /etc/bandwidthd.conf
[Install]
wantedBy=sme-server.target
this file will be owned by smeserver-b... package
== TFTP Notes ==
== TFTP Notes ==
== Menu system ==
===Menu system===
This uses syslinux available from here
This uses syslinux available from here
copy pxelinux.0 to /tftpboot
copy pxelinux.0 to /tftpboot
copy vesamenu.c32 to /tftpboot/com32
copy vesamenu.c32 to /tftpboot/com32
[root@home pxelinux.cfg]# cat default
[root@home pxelinux.cfg]# cat default
menu title --== SME Linux, PXE Main Menu ==--
menu title --== SME Linux, PXE Main Menu ==--
menu background graphics/background.png
menu background graphics/background.png
menu tabmsgrow 22
menu tabmsgrow 22
menu cmdlinerow 22
menu cmdlinerow 22
menu endrow 24
menu endrow 24
menu color title 1;34;49 #eea0a0ff #cc333355 std
menu color title 1;34;49 #eea0a0ff #cc333355 std
menu color sel 7;37;40 #ff000000 #bb9999aa all
menu color sel 7;37;40 #ff000000 #bb9999aa all
menu color border 30;44 #ffffffff #00000000 std
menu color border 30;44 #ffffffff #00000000 std
menu color pwdheader 31;47 #eeff1010 #20ffffff std
menu color pwdheader 31;47 #eeff1010 #20ffffff std
menu color hotkey 35;40 #90ffff00 #00000000 std
menu color hotkey 35;40 #90ffff00 #00000000 std
menu color hotsel 35;40 #90000000 #bb9999aa all
menu color hotsel 35;40 #90000000 #bb9999aa all
menu color timeout_msg 35;40 #90ffffff #00000000 none
menu color timeout_msg 35;40 #90ffffff #00000000 none
menu color timeout 31;47 #eeff1010 #00000000 none
menu color timeout 31;47 #eeff1010 #00000000 none
prompt 0
noescape 1
prompt 0
allowoptions 0
noescape 1
timeout 0
allowoptions 0
default com32/vesamenu.c32
timeout 0
default com32/vesamenu.c32
label linuxmenu
label linuxmenu
menu label ^Linux Boot Disks Menu
menu label ^Linux Boot Disks Menu
append pxelinux.cfg/linux_boot_disks
append pxelinux.cfg/linux_boot_disks
You need to get your distro image and extract the relevant files and put them in /tftpboot/images/distroName
typically this will be
vmlinuz
initrd.img
However there could be other names. YMMV.
Now create a file called linux_boot_disks
Now create a file called linux_boot_disks
# If you install the smeserver-nfs contrib and export a mount you can use something like the following :
#If you install the smeserver-nfs contrib and export a mount you can use something like the following :
label Bitdefender 2
label Bitdefender 2
kernel images/fsecure_311/linux
kernel images/fsecure_311/linux
append nfsdir=192.168.0.1:/home/e-smith/files/ibays/computer/files/fsecure_311 initrd=images/fsecure_311/minirt.gz nodhcp lang=gb ramdisk_size=1000000
append nfsdir=192.168.0.1:/home/e-smith/files/ibays/computer/files/fsecure_311 initrd=images/fsecure_311/minirt.gz nodhcp lang=gb ramdisk_size=1000000
==smeserver-openswan notes ==
smeserver-openswan-0.6
Config settings
For other options see here
http://linux.die.net/man/5/ipsec.html
We have a new action
signal-event ipsec-update
This will process the required templates and create some files.
When a ipsec and a connection is enabled it will open the relevant ports on the firewall
It has to disable send redirects, accept redirects and rp_filter. Note that these are considered security features and you disabled them at your own risk
https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_send_redirects_in_.2Fproc.2Fsys.2Fnet_.3F
https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_rp_filter_in_.2Fproc.2Fsys.2Fnet_.3F
These settings are generic and can be overwritten on a per connection basis
config ipsec show
Only set with
db configuration setprop ipsec $key $property
Setting status enabled/disabled will modify access to private/public
status: Default disabled | enabled
access: Default private | public
UDPPort: Default 500 | Variable
auto: Default start | add (do not use ondemand or ignore)
debug: none | all raw crypt parsing emitting contril controlmore lifecycle dns dpd klips pfkey natt oppo oppoinfo whackwatch private
(all generates a large amount of logging so use with care)
Overall settings - can be in main config db or in ipsec_connections as per connection
ikelifetime: Default 3600s | Variable
salifetime: Default 28800s | Variable
dpdaction: Default restart | Variable
dpddelay: Default 30 | Variable
dpdtimeout: Default 10 | Variable
pfs: Default yes | Variable
connectiontype: Default secret | rassig, certificate
ike: Default aes-sha1 | variable - see ipsec.conf readme file for more options
Per connection only settings
Automatically modified - do not change this
PreviousState: Denotes previous connection state
Manual keys
db ipsec_connections show
db ipsec_connections setprop ConnectionName $key $property
iptype: Default Emtpy | stattodyn or dyntostat - are we a static host to dynamic client or vice versa ? - Only required for dynamic clients with static hosts
connectiontype: Default tunnel | transport/passthrough/drop/reject
leftrsasig: Default Empty | Your Local rsasignature key
rightrsasig: Default Empty | Your Remote rsasignature key
ipsecversion: Default Empty - v1 | If this is set v2 then only v2 will be allowed
phase2: aes-sha1 | Various
mtu: Default Empty | Various
left: Default Empty | If Empty then %defaultroute is set. Can be local WAN IP
leftid: Default Empty | Variable
leftsourceip: Default Empty | This server local IP
leftsubnet: Default Empty | This server local subnet
right: Default Empty | Destination WAN IP
rightid: Default Empty | Variable
rightsubnet: Default Empty | Destination subnet
passwd| Default Empty | Variable
keyingtries| Default Empty | 0 is default - 'forever'
#Future
#certname: Default Empty | Your certificate name
#leftcert
# rightca: Default %same
***For a basic connection you need this as a bare minimum ***
config setprop ipsec status enabled access public
Note for ipsec_connections we use 'set' when we create new connection. Thereafter you can modify it with setprop
Local - WAN IP 5.6.7.8 Local IP 192.168.20.1 Subnet 192.168.20.0/24
db ipsec_connections set MyEast ipsec status enabled leftsourceip 192.168.20.1 leftsubnet 192.168.20.0/24 right 1.2.3.4 rightsubnet 10.0.0.0/24 passwd MyPassWd
Remote - WAN IP 1.2.3.4 Local IP 10.0.0.1 Subnet 10.0.0.0/24
db ipsec_connections set MyWest ipsec status enabled leftsourceip 10.0.0.1 leftsubnet 10.0.0.0/24 right 5.6.7.8 rightsubnet 192.168.20.0/24 passwd MyPassWd
Bare minimum config for ipsec with static hosts (ike is automatically added)
MyConnection=ipsec
ike=aes-sha1
leftsourceip=192.168.50.1
leftsubnet=192.168.50.0/24
passwd=SomeLongAndComplicatedPassword
right=1.2.3.4
rightsubnet=192.68.60.0/24
status=enabled
signal-event ipsec-update
Check /var/log/pluto/pluto.log
ipsec whack --status
ipsec verify (may be some warnings - severity depends on what they are)
***For a rsasig connection ***
Please see the section on generating rsa Signatures.
The FIRST time you must run this command to setup the dbs. Thereafter if you delete them NSS will regenerate new dbs and you do not need to do this.
ipsec initnss
ipsec newhostkey --random /dev/random --output /etc/ipsec.d/rsa.secrets
When you copy the key it MUST be in one long line.
Remember
East
leftrsasig=PUBLIC key of East
rightrsasig=PUBLIC key of West
West
leftrsasig=PUBLIC key of West
rightrsasig=PUBLIC key of East
You MUST use IDs, ESPECIALLY if you have a dynamic IP at one end.
Local - WAN IP 5.6.7.8 Local IP 192.168.20.1 Subnet 192.168.20.0/24
db ipsec_connections set MyEast ipsec status enabled leftsourceip 192.168.20.1 leftsubnet 192.168.20.0/24 right 1.2.3.4 rightsubnet 10.0.0.0/24 security rsasig leftid East rightid West leftrsasig SomeLongPassFromEast rightrsasig SomeLongPasswordFromWest
Remote - WAN IP 1.2.3.4 Local IP 10.0.0.1 Subnet 10.0.0.0/24
db ipsec_connections set MyWest ipsec status enabled leftsourceip 10.0.0.1 leftsubnet 10.0.0.0/24 right 5.6.7.8 rightsubnet 192.168.20.0/24 security rsasig leftid West rightid West leftrsasig SomeLongPassFromWest rightrsasig SomeLongEastPasswordFromEast
***For a rsasig connection with dynamic IP ***
This will set your local 'left' rsasig
db ipsec_connections setprop East leftrsasig `cat rsa.secrets |grep pubkey |sed 's/.*key=//'`
Then Extract the public key for the far end. When you copy the key it MUST be in one long line.
cat /etc/ipsec.d/rsa.secrets |grep pubkey |sed 's/.*key=//'
East needs to create a set of keys and send the public key to West. West needs to create a set of keys key and send the public key to East
Note that with dynamic IPs we have to allow connections from anywhere which is not as safe as fixed IPs.
We therefore recommend setting security rsasig, ike v2, and use leftid/rightid to enhance security
We set the static server to:
auto 'add' so it only listens for incoming connections
dpdaction 'clear' so the route is cleared if the connection is dropped
iptype stattodyn - sets right = %any (allow all hosts to
We set the dynamic server to:
auto 'start' so it immediately attempts to connect
iptype dyntostat
Local - MyEast - WAN IP 5.6.7.8 Local IP 192.168.20.1 Subnet 192.168.20.0/24
db ipsec_connections set MyEast ipsec status enabled iptype stattodyn auto add dpdaction clear leftsourceip 192.168.20.1 leftsubnet 192.168.20.0/24 rightsubnet 10.0.0.0/24 security rsasig leftid East rightid West leftrsasig SomeLongPassFromEast rightrsasig SomeLongPasswordFromWest
Remote MyWest - WAN IP %variable Local IP 10.0.0.1 Subnet 10.0.0.0/24
db ipsec_connections set MyWest ipsec status enabled iptype dyntostat auto start leftsourceip 10.0.0.1 leftsubnet 10.0.0.0/24 right 5.6.7.8 rightsubnet 192.168.20.0/24 security rsasig leftid West rightid East leftrsasig SomeLongPassFromWest rightrsasig SomeLongEastPasswordFromEast
==smeserver-libreswan notes==
smeserver-libreswan-0.5
Config settings
For other options see here
https://libreswan.org/man/ipsec.conf.5.html
We have a new action
signal-event ipsec-update
This will process the required templates and create some files.
When a ipsec and a connection is enabled it will open the relevant ports on the firewall
It has to disable send redirects, accept redirects and rp_filter. Note that these are considered security features and you disabled them at your own risk
https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_send_redirects_in_.2Fproc.2Fsys.2Fnet_.3F
https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_rp_filter_in_.2Fproc.2Fsys.2Fnet_.3F
These settings are generic and can be overwritten on a per connection basis
config ipsec show
Only set with
db configuration setprop ipsec $key $property
Setting status enabled/disabled will modify access to private/public
status: Default disabled | enabled
access: Default private | public
UDPPort: Default 500 | Variable
auto: Default start | add (do not use ondemand or ignore)
debug: none | all raw crypt parsing emitting contril controlmore lifecycle dns dpd klips pfkey natt oppo oppoinfo whackwatch private
(all generates a large amount of logging so use with care)
Overall settings - can be in main config db or in ipsec_connections as per connection
ikelifetime: Default 3600s | Variable
salifetime: Default 28800s | Variable
dpdaction: Default restart | Variable
dpddelay: Default 30 | Variable
dpdtimeout: Default 10 | Variable
pfs: Default yes | Variable
connectiontype: Default secret | rassig, certificate
ike: Default aes-sha1 | variable - see ipsec.conf readme file for more options
Per connection only settings
Automatically modified - do not change this
PreviousState: Denotes previous connection state
Manual keys
db ipsec_connections show
db ipsec_connections setprop ConnectionName $key $property
iptype: Default Emtpy | stattodyn or dyntostat - are we a static host to dynamic client or vice versa ? - Only required for dynamic clients with static hosts
connectiontype: Default tunnel | transport/passthrough/drop/reject
leftrsasig: Default Empty | Your Local rsasignature key
rightrsasig: Default Empty | Your Remote rsasignature key
ipsecversion: Default Empty - v1 | If this is set v2 then only v2 will be allowed
phase2: aes-sha1 | Various
mtu: Default Empty | Various
left: Default Empty | If Empty then %defaultroute is set. Can be local WAN IP
leftid: Default Empty | Variable
leftsourceip: Default Empty | This server local IP
leftsubnet: Default Empty | This server local subnet
right: Default Empty | Destination WAN IP
rightid: Default Empty | Variable
rightsubnet: Default Empty | Destination subnet
passwd| Default Empty | Variable
keyingtries| Default Empty | 0 is default - 'forever'
#Future
#certname: Default Empty | Your certificate name
#leftcert
#rightca: Default %same
***For a basic connection you need this as a bare minimum ***
config setprop ipsec status enabled access public
Note for ipsec_connections we use 'set' when we create new connection. Thereafter you can modify it with setprop
Local - WAN IP 5.6.7.8 Local IP 192.168.20.1 Subnet 192.168.20.0/24
db ipsec_connections set MyEast ipsec status enabled leftsourceip 192.168.20.1 leftsubnet 192.168.20.0/24 right 1.2.3.4 rightsubnet 10.0.0.0/24 passwd MyPassWd
Remote - WAN IP 1.2.3.4 Local IP 10.0.0.1 Subnet 10.0.0.0/24
db ipsec_connections set MyWest ipsec status enabled leftsourceip 10.0.0.1 leftsubnet 10.0.0.0/24 right 5.6.7.8 rightsubnet 192.168.20.0/24 passwd MyPassWd
Bare minimum config for ipsec with static hosts (ike is automatically added)
MyConnection=ipsec
ike=aes-sha1
leftsourceip=192.168.50.1
leftsubnet=192.168.50.0/24
passwd=SomeLongAndComplicatedPassword
right=1.2.3.4
rightsubnet=192.68.60.0/24
status=enabled
signal-event ipsec-update
Check /var/log/pluto/pluto.log
ipsec whack --status
ipsec verify (may be some warnings - severity depends on what they are)
***For a rsasig connection ***
Please see the section on generating rsa Signatures.
The FIRST time you must run this command to setup the dbs. Thereafter if you delete them NSS will regenerate new dbs and you do not need to do this.
ipsec initnss
ipsec newhostkey --random /dev/random --output /etc/ipsec.d/rsa.secrets
When you copy the key it MUST be in one long line.
Remember
East
leftrsasig=PUBLIC key of East
rightrsasig=PUBLIC key of West
West
leftrsasig=PUBLIC key of West
rightrsasig=PUBLIC key of East
You MUST use IDs, ESPECIALLY if you have a dynamic IP at one end.
Local - WAN IP 5.6.7.8 Local IP 192.168.20.1 Subnet 192.168.20.0/24
db ipsec_connections set MyEast ipsec status enabled leftsourceip 192.168.20.1 leftsubnet 192.168.20.0/24 right 1.2.3.4 rightsubnet 10.0.0.0/24 security rsasig leftid East rightid West leftrsasig SomeLongPassFromEast rightrsasig SomeLongPasswordFromWest
Remote - WAN IP 1.2.3.4 Local IP 10.0.0.1 Subnet 10.0.0.0/24
db ipsec_connections set MyWest ipsec status enabled leftsourceip 10.0.0.1 leftsubnet 10.0.0.0/24 right 5.6.7.8 rightsubnet 192.168.20.0/24 security rsasig leftid West rightid West leftrsasig SomeLongPassFromWest rightrsasig SomeLongEastPasswordFromEast
***For a rsasig connection with dynamic IP ***
This will set your local 'left' rsasig
db ipsec_connections setprop East leftrsasig `cat rsa.secrets |grep pubkey |sed 's/.*key=//'`
Then Extract the public key for the far end. When you copy the key it MUST be in one long line.
cat /etc/ipsec.d/rsa.secrets |grep pubkey |sed 's/.*key=//'
East needs to create a set of keys and send the public key to West. West needs to create a set of keys key and send the public key to East
Note that with dynamic IPs we have to allow connections from anywhere which is not as safe as fixed IPs.
We therefore recommend setting security rsasig, ike v2, and use leftid/rightid to enhance security
We set the static server to:
auto 'add' so it only listens for incoming connections
dpdaction 'clear' so the route is cleared if the connection is dropped
iptype stattodyn - sets right = %any (allow all hosts to
We set the dynamic server to:
auto 'start' so it immediately attempts to connect
iptype dyntostat
Local - MyEast - WAN IP 5.6.7.8 Local IP 192.168.20.1 Subnet 192.168.20.0/24
db ipsec_connections set MyEast ipsec status enabled iptype stattodyn auto add dpdaction clear leftsourceip 192.168.20.1 leftsubnet 192.168.20.0/24 rightsubnet 10.0.0.0/24 security rsasig leftid East rightid West leftrsasig SomeLongPassFromEast rightrsasig SomeLongPasswordFromWest
Remote MyWest - WAN IP %variable Local IP 10.0.0.1 Subnet 10.0.0.0/24
db ipsec_connections set MyWest ipsec status enabled iptype dyntostat auto start leftsourceip 10.0.0.1 leftsubnet 10.0.0.0/24 right 5.6.7.8 rightsubnet 192.168.20.0/24 security rsasig leftid West rightid East leftrsasig SomeLongPassFromWest rightrsasig SomeLongEastPasswordFromEast
== Package modification with Git ==
==Server Setup==
Packages:
To pull and read
mock,git, git-lfs
To commit
koji
==For anonymous access and test building locally==
===Setup Mock===
Install /etc/mock/smeserver-11-x86_64-base.cfg
Set up the mock files:
mock -r smeserver-11-x86_64-base --init
===Clone your repo===
mkdir git; cd git
git clone https://src.koozali.org/smeserver/ulogd.git
cd ulogd
git clone https://src.koozali.org/smeserver/common.git common
Do some stuff.
Update the spec file
Bump the version
Add your changelog entry
===Test build===
This will overwrite your changes and build the EXISTING version.
How do we build with the fixes?
make clean;prep;make mockbuild
You should now have a rpm that you can install
==For user access, test building locally and committing==
===Setup Koji===
Drop the supplied Koji files into ~/.koji
===Setup Mock===
Install /etc/mock/smeserver-11-x86_64-base.cfg
Set up the mock files:
mock -r smeserver-11-x86_64-base --init
===Clone your repo===
mkdir git; cd git
git clone ssh://src.koozali.org/smeserver/ulogd.git
cd ulogd
git clone ssh://src.koozali.org/smeserver/common.git common
Do some stuff.
Hack files
Update the spec file, bump the version, add your changelog entry
===Test build===
This will overwrite your changes and build the EXISTING version.
How do we build with the fixes?
make clean;make prep;make mockbuild
You should now have a rpm that you can install
===Committing===
See what has changed
git status
Only add the required files. Beware of adding common. Should we have a .gitignore for that?
git add your.modifiedfiles
make commit && make tag && make build
Note.
If you have made a mistake make sure the builder has completed the build before starting a new one.
You cannot rebuild the existing tag.
You will need to bump the version and commit/tag/build again.
