Line 1: |
Line 1: |
| My talk page (whatever that means) | | My talk page (whatever that means) |
| + | |
| + | |
| + | ==RPM building== |
| + | RPM building |
| + | https://www.redhat.com/sysadmin/create-rpm-package |
| + | |
| + | dnf install git rpmdevtools rpmlint |
| + | |
| + | rpmlint is handy! |
| + | |
| + | db yum_repositories setprop Rocky-Devel MirrorList "https://mirrors.rockylinux.org/mirrorlist?arch=\$basearch&repo=Devel-\$releasever" Name "Rocky Linux \$releasever - Devel" EnableGroups yes GPGCheck no Visible yes status disabled |
| + | |
| + | Set up the RPM tree |
| + | rpmdev-setuptree |
| + | |
| + | |
| + | ==Other stuff== |
| + | |
| + | phatch - not supported for years but still excellent |
| + | http://photobatch.wikidot.com/ |
| + | Not so easy on Windows. Doddle on Linux. |
| + | |
| + | Some alternatives. |
| + | http://www.highmotionsoftware.com/products/imbatch |
| + | https://www.faststone.org/FSResizerDetail.htm |
| + | https://www.saashub.com/compare-image-resizer-for-windows-vs-multiple-image-resizer-net |
| + | |
| + | Grep without comments |
| + | |
| + | https://unix.stackexchange.com/questions/60994/how-to-grep-lines-which-does-not-begin-with-or |
| + | |
| + | <nowiki>grep '^[[:blank:]]*[^[:blank:]#;]' smb.conf |
| + | grep -vxE '[[:blank:]]*([#;].*)?' smb.conf |
| + | awk '$1 ~ /^[^;#]/' smb.conf |
| + | cat /etc/samba/smb.conf | grep ^[^#\;] |
| + | grep -v "^\s*[#\;]\|^\s*$" smb.conf |
| + | grep -v "^\s*[#;]" any.conf | grep -v "^\s*$" |
| + | </nowiki> |
| + | |
| + | |
| + | |
| + | |
| + | ==systemd notes== |
| + | |
| + | normally the 49-koozali.preset should work with the db config. so you have nothing to do except: |
| + | |
| + | - having a systemd service unit named with the same key as the db |
| + | - removing any link in rc7.d |
| + | |
| + | you need to create a /usr/Lib/systemd/system/bandwithd.service.d/50koozali.conf |
| + | with (the - after ExecStartPre= is not a typo) |
| + | [Unit] |
| + | After=wan.service |
| + | After=networking.service |
| + | [Service] |
| + | ExecStartPre=-/sbin/e-smith/expand-template /etc/bandwidthd.conf |
| + | [Install] |
| + | wantedBy=sme-server.target |
| + | |
| + | this file will be owned by smeserver-b... package |
| + | |
| | | |
| == TFTP Notes == | | == TFTP Notes == |
| | | |
− | == Menu system == | + | ===Menu system=== |
| | | |
| This uses syslinux available from here | | This uses syslinux available from here |
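Review bot: the repository added with `db yum_repositories setprop Rocky-Devel ... GPGCheck no` installs anything served from that mirror list without signature verification, which turns a compromised or spoofed mirror into arbitrary code on the build host; set `GPGCheck yes` with the matching GPGKey, and keep `status disabled` so the Devel repo is only enabled by hand for a build. In the systemd drop-in the path `/usr/Lib/systemd/system/bandwithd.service.d/50koozali.conf` has a capital `L` in `lib` and spells the unit `bandwithd`, while the `ExecStartPre=-/sbin/e-smith/expand-template /etc/bandwidthd.conf` line uses `bandwidthd`; a drop-in is only read from `/usr/lib/systemd/system/<unit>.service.d/` with the unit name spelled exactly as the `.service` file, otherwise it is silently ignored. `wantedBy=sme-server.target` must be `WantedBy=`; unit-file keys are case-sensitive and the misspelled key is rejected, so `systemctl enable` never links the unit into the target and the preset noted above does nothing. The sentence `this file will be owned by smeserver-b... package` is cut off. Minor: `cat /etc/samba/smb.conf | grep ^[^#\;]` leaves the bracket expression unquoted, so the shell may expand it as a glob if a matching file exists in the working directory, and it does not skip indented comments; the quoted `grep -vxE '[[:blank:]]*([#;].*)?'` form above it handles both cases.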
Line 87: |
Line 148: |
| | | |
| | | |
− | # If you install the smeserver-nfs contrib and export a mount you can use something like the following : | + | #If you install the smeserver-nfs contrib and export a mount you can use something like the following : |
| | | |
| label Bitdefender 2 | | label Bitdefender 2 |
Line 104: |
Line 165: |
| append nfsdir=192.168.0.1:/home/e-smith/files/ibays/computer/files/fsecure_311 initrd=images/fsecure_311/minirt.gz nodhcp lang=gb ramdisk_size=1000000 | | append nfsdir=192.168.0.1:/home/e-smith/files/ibays/computer/files/fsecure_311 initrd=images/fsecure_311/minirt.gz nodhcp lang=gb ramdisk_size=1000000 |
| | | |
− | == smeserver-openswan notes == | + | ==smeserver-openswan notes == |
| | | |
| smeserver-openswan-0.6 | | smeserver-openswan-0.6 |
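Review bot: the edited line `#If you install the smeserver-nfs contrib and export a mount ...` is a comment inside a syslinux menu fragment, but a line beginning with `#` in MediaWiki renders as a numbered-list item, so the comment is shown as "1." and detaches from the `label Bitdefender 2` block that follows; wrap the menu fragment in `<nowiki>` or `<pre>` (the grep examples higher on the page already use `<nowiki>`) so the `#` reaches the reader as a comment. The `append nfsdir=192.168.0.1:/home/e-smith/files/ibays/computer/files/fsecure_311 ...` example should also say whether the ibay is exported read-only: every host that can PXE-boot on that LAN mounts it, and a writable export lets any of them modify the rescue image's root filesystem.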
Line 179: |
Line 240: |
| keyingtries| Default Empty | 0 is default - 'forever' | | keyingtries| Default Empty | 0 is default - 'forever' |
| | | |
− | # Future | + | #Future |
− | # certname: Default Empty | Your certificate name | + | #certname: Default Empty | Your certificate name |
− | # leftcert | + | #leftcert |
| # rightca: Default %same | | # rightca: Default %same |
| | | |
| | | |
− | *** For a basic connection you need this as a bare minimum *** | + | ***For a basic connection you need this as a bare minimum *** |
| | | |
| config setprop ipsec status enabled access public | | config setprop ipsec status enabled access public |
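Review bot: the `#Future`, `#certname: Default Empty | Your certificate name` and `#leftcert` lines are meant as commented-out future options, but a leading `#` in MediaWiki produces a numbered list, and the `***For a basic connection you need this as a bare minimum ***` marker becomes a third-level bullet item rather than emphasis; `# rightca: Default %same` keeps the old spacing, so the four lines render inconsistently. Put the option table in a `<pre>` block and use a `===` subheading (the page already uses `===Menu system===`) for the section markers; the same `***` change is made in the two following hunks. Also `keyingtries| Default Empty` uses `|` as the separator where every other row uses `:`.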
Line 216: |
Line 277: |
| | | |
| | | |
− | *** For a rsasig connection *** | + | ***For a rsasig connection *** |
| | | |
| Please see the section on generating rsa Signatures. | | Please see the section on generating rsa Signatures. |
Line 248: |
Line 309: |
| | | |
| | | |
− | *** For a rsasig connection with dynamic IP *** | + | ***For a rsasig connection with dynamic IP *** |
| | | |
| This will set your local 'left' rsasig | | This will set your local 'left' rsasig |
Line 277: |
Line 338: |
| Remote MyWest - WAN IP %variable Local IP 10.0.0.1 Subnet 10.0.0.0/24 | | Remote MyWest - WAN IP %variable Local IP 10.0.0.1 Subnet 10.0.0.0/24 |
| db ipsec_connections set MyWest ipsec status enabled iptype dyntostat auto start leftsourceip 10.0.0.1 leftsubnet 10.0.0.0/24 right 5.6.7.8 rightsubnet 192.168.20.0/24 security rsasig leftid West rightid East leftrsasig SomeLongPassFromWest rightrsasig SomeLongEastPasswordFromEast | | db ipsec_connections set MyWest ipsec status enabled iptype dyntostat auto start leftsourceip 10.0.0.1 leftsubnet 10.0.0.0/24 right 5.6.7.8 rightsubnet 192.168.20.0/24 security rsasig leftid West rightid East leftrsasig SomeLongPassFromWest rightrsasig SomeLongEastPasswordFromEast |
| + | |
| + | ==smeserver-libreswan notes== |
| + | |
| + | smeserver-libreswan-0.5 |
| + | |
| + | Config settings |
| + | |
| + | For other options see here |
| + | https://libreswan.org/man/ipsec.conf.5.html |
| + | |
| + | We have a new action |
| + | |
| + | signal-event ipsec-update |
| + | |
| + | This will process the required templates and create some files. |
| + | When a ipsec and a connection is enabled it will open the relevant ports on the firewall |
| + | It has to disable send redirects, accept redirects and rp_filter. Note that these are considered security features and you disabled them at your own risk |
| + | https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_send_redirects_in_.2Fproc.2Fsys.2Fnet_.3F |
| + | https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_rp_filter_in_.2Fproc.2Fsys.2Fnet_.3F |
| + | |
| + | These settings are generic and can be overwritten on a per connection basis |
| + | |
| + | config ipsec show |
| + | |
| + | Only set with |
| + | db configuration setprop ipsec $key $property |
| + | |
| + | Setting status enabled/disabled will modify access to private/public |
| + | |
| + | status: Default disabled | enabled |
| + | access: Default private | public |
| + | UDPPort: Default 500 | Variable |
| + | auto: Default start | add (do not use ondemand or ignore) |
| + | debug: none | all raw crypt parsing emitting contril controlmore lifecycle dns dpd klips pfkey natt oppo oppoinfo whackwatch private |
| + | (all generates a large amount of logging so use with care) |
| + | |
| + | Overall settings - can be in main config db or in ipsec_connections as per connection |
| + | |
| + | ikelifetime: Default 3600s | Variable |
| + | salifetime: Default 28800s | Variable |
| + | dpdaction: Default restart | Variable |
| + | dpddelay: Default 30 | Variable |
| + | dpdtimeout: Default 10 | Variable |
| + | pfs: Default yes | Variable |
| + | connectiontype: Default secret | rassig, certificate |
| + | ike: Default aes-sha1 | variable - see ipsec.conf readme file for more options |
| + | |
| + | |
| + | Per connection only settings |
| + | |
| + | Automatically modified - do not change this |
| + | PreviousState: Denotes previous connection state |
| + | |
| + | Manual keys |
| + | |
| + | db ipsec_connections show |
| + | |
| + | db ipsec_connections setprop ConnectionName $key $property |
| + | |
| + | iptype: Default Emtpy | stattodyn or dyntostat - are we a static host to dynamic client or vice versa ? - Only required for dynamic clients with static hosts |
| + | connectiontype: Default tunnel | transport/passthrough/drop/reject |
| + | leftrsasig: Default Empty | Your Local rsasignature key |
| + | rightrsasig: Default Empty | Your Remote rsasignature key |
| + | ipsecversion: Default Empty - v1 | If this is set v2 then only v2 will be allowed |
| + | phase2: aes-sha1 | Various |
| + | mtu: Default Empty | Various |
| + | left: Default Empty | If Empty then %defaultroute is set. Can be local WAN IP |
| + | leftid: Default Empty | Variable |
| + | leftsourceip: Default Empty | This server local IP |
| + | leftsubnet: Default Empty | This server local subnet |
| + | right: Default Empty | Destination WAN IP |
| + | rightid: Default Empty | Variable |
| + | rightsubnet: Default Empty | Destination subnet |
| + | passwd| Default Empty | Variable |
| + | keyingtries| Default Empty | 0 is default - 'forever' |
| + | |
| + | #Future |
| + | #certname: Default Empty | Your certificate name |
| + | #leftcert |
| + | #rightca: Default %same |
| + | |
| + | |
| + | ***For a basic connection you need this as a bare minimum *** |
| + | |
| + | config setprop ipsec status enabled access public |
| + | |
| + | Note for ipsec_connections we use 'set' when we create new connection. Thereafter you can modify it with setprop |
| + | |
| + | Local - WAN IP 5.6.7.8 Local IP 192.168.20.1 Subnet 192.168.20.0/24 |
| + | db ipsec_connections set MyEast ipsec status enabled leftsourceip 192.168.20.1 leftsubnet 192.168.20.0/24 right 1.2.3.4 rightsubnet 10.0.0.0/24 passwd MyPassWd |
| + | |
| + | Remote - WAN IP 1.2.3.4 Local IP 10.0.0.1 Subnet 10.0.0.0/24 |
| + | db ipsec_connections set MyWest ipsec status enabled leftsourceip 10.0.0.1 leftsubnet 10.0.0.0/24 right 5.6.7.8 rightsubnet 192.168.20.0/24 passwd MyPassWd |
| + | |
| + | Bare minimum config for ipsec with static hosts (ike is automatically added) |
| + | |
| + | MyConnection=ipsec |
| + | ike=aes-sha1 |
| + | leftsourceip=192.168.50.1 |
| + | leftsubnet=192.168.50.0/24 |
| + | passwd=SomeLongAndComplicatedPassword |
| + | right=1.2.3.4 |
| + | rightsubnet=192.68.60.0/24 |
| + | status=enabled |
| + | |
| + | |
| + | signal-event ipsec-update |
| + | |
| + | Check /var/log/pluto/pluto.log |
| + | ipsec whack --status |
| + | ipsec verify (may be some warnings - severity depends on what they are) |
| + | |
| + | |
| + | ***For a rsasig connection *** |
| + | |
| + | Please see the section on generating rsa Signatures. |
| + | |
| + | The FIRST time you must run this command to setup the dbs. Thereafter if you delete them NSS will regenerate new dbs and you do not need to do this. |
| + | |
| + | ipsec initnss |
| + | |
| + | ipsec newhostkey --random /dev/random --output /etc/ipsec.d/rsa.secrets |
| + | |
| + | When you copy the key it MUST be in one long line. |
| + | |
| + | Remember |
| + | |
| + | East |
| + | leftrsasig=PUBLIC key of East |
| + | rightrsasig=PUBLIC key of West |
| + | |
| + | West |
| + | leftrsasig=PUBLIC key of West |
| + | rightrsasig=PUBLIC key of East |
| + | |
| + | |
| + | You MUST use IDs, ESPECIALLY if you have a dynamic IP at one end. |
| + | |
| + | Local - WAN IP 5.6.7.8 Local IP 192.168.20.1 Subnet 192.168.20.0/24 |
| + | db ipsec_connections set MyEast ipsec status enabled leftsourceip 192.168.20.1 leftsubnet 192.168.20.0/24 right 1.2.3.4 rightsubnet 10.0.0.0/24 security rsasig leftid East rightid West leftrsasig SomeLongPassFromEast rightrsasig SomeLongPasswordFromWest |
| + | |
| + | Remote - WAN IP 1.2.3.4 Local IP 10.0.0.1 Subnet 10.0.0.0/24 |
| + | db ipsec_connections set MyWest ipsec status enabled leftsourceip 10.0.0.1 leftsubnet 10.0.0.0/24 right 5.6.7.8 rightsubnet 192.168.20.0/24 security rsasig leftid West rightid West leftrsasig SomeLongPassFromWest rightrsasig SomeLongEastPasswordFromEast |
| + | |
| + | |
| + | ***For a rsasig connection with dynamic IP *** |
| + | |
| + | This will set your local 'left' rsasig |
| + | |
| + | db ipsec_connections setprop East leftrsasig `cat rsa.secrets |grep pubkey |sed 's/.*key=//'` |
| + | |
| + | Then Extract the public key for the far end. When you copy the key it MUST be in one long line. |
| + | |
| + | cat /etc/ipsec.d/rsa.secrets |grep pubkey |sed 's/.*key=//' |
| + | |
| + | East needs to create a set of keys and send the public key to West. West needs to create a set of keys key and send the public key to East |
| + | |
| + | Note that with dynamic IPs we have to allow connections from anywhere which is not as safe as fixed IPs. |
| + | We therefore recommend setting security rsasig, ike v2, and use leftid/rightid to enhance security |
| + | |
| + | We set the static server to: |
| + | auto 'add' so it only listens for incoming connections |
| + | dpdaction 'clear' so the route is cleared if the connection is dropped |
| + | iptype stattodyn - sets right = %any (allow all hosts to |
| + | |
| + | We set the dynamic server to: |
| + | auto 'start' so it immediately attempts to connect |
| + | iptype dyntostat |
| + | |
| + | Local - MyEast - WAN IP 5.6.7.8 Local IP 192.168.20.1 Subnet 192.168.20.0/24 |
| + | db ipsec_connections set MyEast ipsec status enabled iptype stattodyn auto add dpdaction clear leftsourceip 192.168.20.1 leftsubnet 192.168.20.0/24 rightsubnet 10.0.0.0/24 security rsasig leftid East rightid West leftrsasig SomeLongPassFromEast rightrsasig SomeLongPasswordFromWest |
| + | |
| + | Remote MyWest - WAN IP %variable Local IP 10.0.0.1 Subnet 10.0.0.0/24 |
| + | db ipsec_connections set MyWest ipsec status enabled iptype dyntostat auto start leftsourceip 10.0.0.1 leftsubnet 10.0.0.0/24 right 5.6.7.8 rightsubnet 192.168.20.0/24 security rsasig leftid West rightid East leftrsasig SomeLongPassFromWest rightrsasig SomeLongEastPasswordFromEast |
| + | |
| + | == Package modification with Git == |
| + | |
| + | ==Server Setup== |
| + | |
| + | Packages: |
| + | |
| + | To pull and read |
| + | mock,git, git-lfs |
| + | |
| + | To commit |
| + | koji |
| + | |
| + | ==For anonymous access and test building locally== |
| + | |
| + | ===Setup Mock=== |
| + | |
| + | Install /etc/mock/smeserver-11-x86_64-base.cfg |
| + | |
| + | Set up the mock files: |
| + | |
| + | mock -r smeserver-11-x86_64-base --init |
| + | |
| + | ===Clone your repo=== |
| + | |
| + | mkdir git; cd git |
| + | git clone https://src.koozali.org/smeserver/ulogd.git |
| + | cd ulogd |
| + | git clone https://src.koozali.org/smeserver/common.git common |
| + | |
| + | Do some stuff. |
| + | |
| + | Update the spec file |
| + | Bump the version |
| + | Add your changelog entry |
| + | |
| + | ===Test build=== |
| + | This will overwrite your changes and build the EXISTING version. |
| + | How do we build with the fixes? |
| + | |
| + | make clean;prep;make mockbuild |
| + | |
| + | You should now have a rpm that you can install |
| + | |
| + | |
| + | ==For user access, test building locally and committing== |
| + | |
| + | ===Setup Koji=== |
| + | |
| + | Drop the supplied Koji files into ~/.koji |
| + | |
| + | ===Setup Mock=== |
| + | |
| + | Install /etc/mock/smeserver-11-x86_64-base.cfg |
| + | |
| + | Set up the mock files: |
| + | |
| + | mock -r smeserver-11-x86_64-base --init |
| + | |
| + | ===Clone your repo=== |
| + | |
| + | mkdir git; cd git |
| + | git clone ssh://src.koozali.org/smeserver/ulogd.git |
| + | cd ulogd |
| + | git clone ssh://src.koozali.org/smeserver/common.git common |
| + | |
| + | Do some stuff. |
| + | |
| + | Hack files |
| + | Update the spec file, bump the version, add your changelog entry |
| + | |
| + | ===Test build=== |
| + | This will overwrite your changes and build the EXISTING version. |
| + | How do we build with the fixes? |
| + | |
| + | make clean;make prep;make mockbuild |
| + | |
| + | You should now have a rpm that you can install |
| + | |
| + | ===Committing=== |
| + | |
| + | See what has changed |
| + | git status |
| + | |
| + | Only add the required files. Beware of adding common. Should we have a .gitignore for that? |
| + | |
| + | git add your.modifiedfiles |
| + | make commit && make tag && make build |
| + | |
| + | Note. |
| + | If you have made a mistake make sure the builder has completed the build before starting a new one. |
| + | You cannot rebuild the existing tag. |
| + | You will need to bump the version and commit/tag/build again. |
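Review bot: the static rsasig example `db ipsec_connections set MyWest ipsec status enabled ... security rsasig leftid West rightid West ...` sets both IDs to `West`; it must be `rightid East` (the dynamic-IP example below uses `leftid West rightid East`), otherwise the ID presented by MyEast never matches and the connection fails authentication. The generic table lists `connectiontype: Default secret | rassig, certificate`, but the per-connection table lists `connectiontype: Default tunnel | transport/passthrough/drop/reject` and every example sets `security rsasig`; rename the first row to `security` (and `rassig` to `rsasig`) so the key the examples actually use is the one documented. The dynamic-IP section recommends "ike v2" and the table has `ipsecversion: Default Empty - v1 | If this is set v2 then only v2 will be allowed`, yet neither `iptype stattodyn` nor `iptype dyntostat` example sets `ipsecversion v2`; add it to both, since the static side is accepting `right=%any` and that is exactly where the downgrade matters. The sentence `iptype stattodyn - sets right = %any (allow all hosts to` is cut off. `db ipsec_connections setprop East leftrsasig \`cat rsa.secrets |grep pubkey |sed 's/.*key=//'\`` names the connection `East` while the examples create `MyEast`, and reads `rsa.secrets` from the current directory while the next command reads `/etc/ipsec.d/rsa.secrets`; if the file is not in the cwd the backticks expand to nothing and `leftrsasig` is set to an empty value with no error, so read the absolute path and check the property with `db ipsec_connections show` afterwards. `rightsubnet=192.68.60.0/24` in the minimal config is almost certainly `192.168.60.0/24`. Passing the PSK as `passwd MyPassWd` on the command line stores it in shell history and exposes it in the process list while the command runs, and `config ipsec show` / `db ipsec_connections show` print it back, so the db files deserve the same protection as ipsec.secrets; say so next to the examples. The note that ipsec-update "has to disable send redirects, accept redirects and rp_filter" is the right warning; add that these sysctls are host-wide, not per-connection, and that `ipsec verify` (listed under the checks) reports their state. Typos: `contril` for `control` in the debug list, `Emtpy` in the `iptype` row. In the git section the first test-build line `make clean;prep;make mockbuild` is missing `make ` before `prep` (the second copy `make clean;make prep;make mockbuild` is right), and "How do we build with the fixes?" is an open question left in the instructions; answer it or remove it before this goes live. `git clone ... common.git common` nests a second repository inside the package checkout, so `git add .` would record it as an embedded repo; the `.gitignore` the text asks about should exist and list `common/`. "Drop the supplied Koji files into ~/.koji" places the signing client certificate in the home directory; state the expected permissions (`0700` on the directory, `0600` on the files), since that certificate is what `make build` authenticates to the build system with.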