Named \ Bind9 example config

I came across this nice example of a bind9 config file that handles multiple subnets/VLANs/zones and treats them differently.

server:/var/named/etc/bind# cat named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//

acl "lan" {
"localhost";
192.168.16.0/24;
};

acl "guest" {
192.168.0.0/16;
10.0.0.0/8;
};

options {
directory "/var/cache/bind";
listen-on { "localhost"; };

// If there is a firewall between you and nameservers you want
// to talk to, you might need to uncomment the query-source
// directive below. Previous versions of BIND always asked
// questions using port 53, but BIND 8.1 and later use an unprivileged
// port by default.

// query-source address * port 53;

// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.

auth-nxdomain no; # conform to RFC1035

};

include "/etc/bind/rndc.key";

controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};

view "internal" {
match-clients { "lan"; };

recursion yes;

// forwarders { 192.168.1.254; };
forwarders { 8.8.8.8; 8.8.4.4; } ;

include "/etc/bind/named.conf.internal";

};

view "guest" {
match-clients { "guest"; };

recursion yes;

include "/etc/bind/named.conf.guest";

};

view "external" {
match-clients { any; };

recursion no;

include "/etc/bind/named.conf.external";

};
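The three views are tried in file order and named hands a query to the first one whose match-clients matches the source address. That order is doing real work here: the "lan" range 192.168.16.0/24 sits inside the "guest" range 192.168.0.0/16, so if "guest" came first, LAN clients would silently get the guest zone data. The Python below is an added example, not part of the original post and not BIND code; it models named's first-match view selection for exactly the ACLs and views in this named.conf. The built-in "localhost" and "any" ACLs are approximated as loopback and all-addresses, and negated entries and key-based matching are not modelled.

```python
import ipaddress

# ACLs as defined in the named.conf above (constructed here as Python data).
ACLS = {
    "lan": ["localhost", "192.168.16.0/24"],
    "guest": ["192.168.0.0/16", "10.0.0.0/8"],
}

# named's built-in ACLs, approximated: "localhost" is modelled as the loopback
# ranges (in BIND it means every address of the local host).
BUILTIN_ACLS = {
    "localhost": ["127.0.0.0/8", "::1/128"],
    "any": ["0.0.0.0/0", "::/0"],
    "none": [],
}

# Views in file order: (name, match-clients list, recursion allowed).
# named hands a query to the FIRST view whose match-clients matches the source address.
VIEWS = [
    ("internal", ["lan"], True),
    ("guest", ["guest"], True),
    ("external", ["any"], False),
]


def acl_matches(entry, addr, acls=ACLS):
    """True if an address-match-list entry (CIDR, user ACL or built-in ACL) matches addr.
    Negated entries ("!...") and TSIG key matching are not modelled."""
    if entry in acls:
        return any(acl_matches(e, addr, acls) for e in acls[entry])
    if entry in BUILTIN_ACLS:
        return any(acl_matches(e, addr, acls) for e in BUILTIN_ACLS[entry])
    # ipaddress returns False for an IPv4 address tested against an IPv6 network
    return addr in ipaddress.ip_network(entry, strict=False)


def select_view(client, views=VIEWS, acls=ACLS):
    """Return (view name, recursion) for a client address, or (None, False) if nothing matches."""
    addr = ipaddress.ip_address(client)
    for name, match_clients, recursion in views:
        if any(acl_matches(entry, addr, acls) for entry in match_clients):
            return name, recursion
    return None, False


def order_matters(client="192.168.16.5"):
    """Show why "internal" has to precede "guest": 192.168.16.0/24 lies inside
    192.168.0.0/16, so with the two views swapped a LAN client lands in the guest view."""
    swapped = [VIEWS[1], VIEWS[0], VIEWS[2]]
    return select_view(client)[0], select_view(client, swapped)[0]


if __name__ == "__main__":
    for ip in ("127.0.0.1", "192.168.16.5", "192.168.2.9", "10.1.2.3", "203.0.113.7"):
        view, recursion = select_view(ip)
        print(f"{ip:>14} -> view {view!r}, recursion {'yes' if recursion else 'no'}")
    print("with internal/guest swapped, 192.168.16.5 would get:", order_matters()[1])
```

The "external" view is the one reachable from the internet, and it has recursion off, so the server does not become an open resolver; the model returns that flag alongside the view name so the two can be checked together.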


Keycloak + HAProxy

I would have thought this to be a common deployment, but I had quite a significant challenge getting this setup to run.

Here is my working config for Keycloak behind a reverse proxy.

Traffic flow

Client (keycloak.hawkless.id.au) -> HTTPS -> HAProxy -> HTTPS -> Keycloak container

haproxy.cfg

global
    maxconn 4000
    tune.ssl.default-dh-param 2048

listen stats
    bind 0.0.0.0:9010
    mode http
    stats enable
    stats uri /stats
    stats realm HAProxy\ Statistics
    stats auth statsadmin:passwd

frontend http
    bind *:80
    mode http

    # Let ACME HTTP-01 challenges through on port 80; redirect everything else to HTTPS
    acl letsencrypt-acl path_beg -i /.well-known/acme-challenge/
    http-request redirect scheme https if !letsencrypt-acl
    use_backend letsencrypt if letsencrypt-acl

    timeout client 1h

backend letsencrypt
    mode http
    server letsencrypt 127.0.0.1:8888
    timeout connect 1h
    timeout server 1h

backend kc
    mode http
    # Re-encrypt to Keycloak's HTTPS port; "verify none" skips checking the container's certificate
    server cps01 127.0.0.1:8443 check ssl verify none
    timeout connect 1h
    timeout server 1h

frontend https
    bind *:443 ssl crt /certs/dev-server4.pem
    mode http
    use_backend kc if { ssl_fc_sni -i kc.hawkless.id.au }
    default_backend kc
    timeout client 1h

PROXY_ADDRESS_FORWARDING=true seems to conflict with using "http-request add-header X-Forwarded-Proto: https" in HAProxy, which is required for some services (OpenStack Horizon).
So use PROXY_ADDRESS_FORWARDING=false and have HAProxy pass the traffic to the SSL port on the Keycloak container instead of the plain HTTP port.
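Besides `haproxy -c -f haproxy.cfg` for a syntax check, it is worth having a script that flags the settings in a config like this one that a reviewer would question: the `verify none` on the backend server line (HAProxy re-encrypts to Keycloak but never checks the container's certificate), and the stats listener that is bound on every interface over plain HTTP with its credentials sitting in the config file. The script below is an added example, not HAProxy tooling and not the page's own config; the embedded config is a constructed sample modelled on haproxy.cfg above, and the finding names are my own.

```python
import re

# Constructed sample modelled on the haproxy.cfg above (not the page's file verbatim).
SAMPLE_CFG = """\
global
    maxconn 4000

listen stats
    bind 0.0.0.0:9010
    mode http
    stats enable
    stats auth statsadmin:passwd   # constructed placeholder credentials

frontend https
    bind *:443 ssl crt /certs/dev-server4.pem
    mode http
    default_backend kc

backend kc
    mode http
    server cps01 127.0.0.1:8443 check ssl verify none
"""

SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen|resolvers|peers)\b\s*(\S*)")


def parse_sections(text):
    """Split haproxy.cfg text into (kind, name, [directive lines]) in file order;
    comments and blank lines are dropped."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            sections.append((m.group(1), m.group(2), []))
        elif sections:
            sections[-1][2].append(line)
    return sections


def lint(text):
    """Return (section, finding) pairs for settings a reviewer would flag."""
    findings = []
    for kind, name, directives in parse_sections(text):
        where = f"{kind} {name}".strip()
        serves_stats = any(d.startswith("stats enable") for d in directives)
        for d in directives:
            toks = d.split()
            if toks[0] == "server" and "ssl" in toks and "verify" in toks:
                i = toks.index("verify")
                if i + 1 < len(toks) and toks[i + 1] == "none":
                    # HAProxy re-encrypts to this server but never checks its certificate
                    findings.append((where, "unverified-backend-tls"))
            elif toks[:2] == ["stats", "auth"]:
                # user:password kept in clear text in the configuration file
                findings.append((where, "cleartext-stats-credentials"))
            elif toks[0] == "bind" and serves_stats and "ssl" not in toks:
                addr = toks[1].rsplit(":", 1)[0]
                if addr in ("", "*", "0.0.0.0", "[::]", "::"):
                    # stats page reachable from any interface over plain HTTP
                    findings.append((where, "stats-plaintext-all-interfaces"))
    return findings


if __name__ == "__main__":
    # For a real deployment: lint(open("/home/ubuntu/proxy/config/haproxy.cfg").read())
    for where, finding in lint(SAMPLE_CFG):
        print(f"{where}: {finding}")
```

The fixes are the obvious ones: point `verify` at the CA that issued the container's certificate (`ca-file`), bind the stats listener to a loopback or management address, and keep the stats password out of the shared config file.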

Docker commands for Keycloak and HAProxy

docker run -d -p 8080:8080 -p 8443:8443  -e DB_VENDOR=MYSQL -e DB_ADDR=192.168.2.1 -e DB_DATABASE=keycloak -e DB_USER=keycloak -e DB_PASSWORD=dbpass -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=kcpass -e PROXY_ADDRESS_FORWARDING=false --name keycloak jboss/keycloak
docker run -d -p 9010:9010 -p 80:80 -p 443:443 --net host --name haproxy -v /home/ubuntu/proxy/config:/usr/local/etc/haproxy:ro -v /home/ubuntu/proxy/certs:/certs:ro haproxy haproxy -f /usr/local/etc/haproxy/haproxy.cfg

Manually add a ceph-mon

mkdir /tmp/cephmon

ceph auth get mon. -o /tmp/cephmon/mon.key


ceph mon getmap -o /tmp/cephmon/monmap

sudo ceph-mon -i mon-hostname --mkfs --monmap /tmp/cephmon/monmap --keyring /tmp/cephmon/mon.key


ceph-mon -i mon-hostname --public-addr 10.50.1.71


ps ax | grep ceph-mon
kill {mon-pid}


chown ceph:ceph /var/lib/ceph/mon/ -R
systemctl enable ceph-mon@mon-hostname.service
systemctl start ceph-mon@mon-hostname.service
systemctl status ceph-mon@mon-hostname.service

Running mattermost in docker

I've set this up a few times and the permissions issues get me every time.
For reference, this seems to be a winning recipe:

git clone https://github.com/mattermost/mattermost-docker/
cd mattermost-docker
Edit the docker-compose.yml and change the UID and the GID to your current running user.
IMPORTANT! Run docker-compose build to build the new image.
mkdir -pv ./volumes/app/mattermost/{data,logs,config,plugins,client-plugins}
You don't need to set the file/folder ownerships with chown now, as you used your current user.
docker-compose up

Original article: https://github.com/mattermost/mattermost-docker/issues/407#issuecomment-523006410

FreeOTP backup notes

Enabling Developer Options & USB Debugging

The following steps will require you to connect your mobile phone to a computer in order to send commands, and you’ll need to perform a few tasks before we can continue.

First, enable the developer options on your mobile phone:

Launch the Settings app on your phone
Locate the “About” phone option on the menu that appears. The option is usually found towards the bottom of the menu
Locate the “Build Number” option and tap it 7 times. A message will appear and inform you that developer mode has been enabled
Navigate back to the main settings screen and tap the “Developer Options” menu
Locate and enable the “USB Debugging” option.

Enabling the USB Debugging option allows your phone to respond to requests over a USB connection, and we’ll install a piece of software on your computer that will issue requests to the phone next.

adb shell
Once you see a device listed, continue to the next step.

Backing up FreeOTP’s Data

With ADB installed and the necessary phone options in place, you’ll be able to back up FreeOTP’s configuration data with the following command:

adb backup -f ~/freeotp.ab -noapk org.fedorahosted.freeotp

The command will save the app's data to a file on your computer, and I suggest that you perform all work in a clean directory to avoid any confusion. Running the command will cause a prompt to appear on your phone, asking you to confirm the backup; click "Back up my data" on your phone and the backup will begin:

Backup command and resulting backup file.

The backup process takes only a few seconds and once complete you'll see the newly created file.

Making FreeOTP's Data Usable

You now have a backup of FreeOTP's data, but it isn't in a usable state. Running the following commands will create a tar file that, when unpacked, reveals the app data, including your tokens.

dd if=freeotp.ab bs=1 skip=24 > compressed-data
printf "\x1f\x8b\x08\x00\x00\x00\x00\x00" | cat - compressed-data | gunzip -c > decompressed-data.tar

The first command uses the Unix dd utility to copy the backup, skipping the first 24 bytes of data (the adb backup header) from the source and saving the rest as "compressed-data":

The second command prepends a gzip header to the compressed stream and saves the inflated result as decompressed-data.tar:

The resulting tar file contains the usable FreeOTP configuration data; the added header is what lets gunzip decompress the stream properly. Unpack the tar file with the following command:

tar -xvf decompressed-data.tar

Once the tar file has been decompressed, a listing of the files extracted will appear at your command prompt:

The “tokens.xml” file contains the configuration data we’ll need to import the 2FA tokens to a new phone. You can go ahead and view the file in any text editor; don’t alter the file in any way or it won’t work for the next step. It’s also worth securely storing this file in case you need it in the future:
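The dd/printf/gunzip pipeline above works because an unencrypted adb backup is a short text header (magic, version, compressed flag, encryption, which for this backup is exactly 24 bytes) followed by a zlib stream, and gunzip will inflate that stream once a gzip header is glued in front of it. The Python below is an added example, not part of the original post and not Android tooling: it parses the header instead of hard-coding the 24-byte skip, refuses encrypted backups, inflates the body with zlib directly (no gzip-header trick needed), and pulls tokens.xml out of the tar. The sample backup is constructed in memory with a placeholder tokens.xml; the apps/<package>/sp/ location is an assumption about the backup layout, so the member is found by suffix.

```python
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP"


def parse_ab(data):
    """Split an adb backup (.ab) file into its header fields and the inflated tar stream.

    The header is four newline-terminated lines: magic, format version, compressed
    flag and encryption algorithm; for the FreeOTP backup above that is
    "ANDROID BACKUP\\n1\\n1\\nnone\\n", 24 bytes, which is what the dd skip=24 removes.
    The body is a zlib stream (what gunzip decodes once the gzip header is prepended);
    Python's zlib module reads it as-is. Encrypted backups are refused.
    """
    parts = data.split(b"\n", 4)  # at most 4 splits, so the body keeps its own newlines
    if len(parts) != 5 or parts[0] != MAGIC:
        raise ValueError("not an adb backup file")
    _, version, compressed, encryption, body = parts
    if encryption != b"none":
        raise ValueError("encrypted backup; decryption is not implemented here")
    tar_bytes = zlib.decompress(body) if compressed == b"1" else body
    return {
        "version": int(version),
        "compressed": compressed == b"1",
        "header_len": len(data) - len(body),
        "tar": tar_bytes,
    }


def extract_tokens_xml(tar_bytes, package="org.fedorahosted.freeotp"):
    """Return (member names, tokens.xml text) from the inflated backup tar.
    The apps/<package>/sp/ path for shared preferences is an assumption about the
    backup layout, so the member is located by prefix and suffix, not an exact path."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        names = tf.getnames()
        member = next((n for n in names
                       if n.startswith(f"apps/{package}/") and n.endswith("/tokens.xml")), None)
        if member is None:
            raise FileNotFoundError(f"tokens.xml for {package} not in backup")
        text = tf.extractfile(member).read().decode("utf-8")
    return names, text


def build_sample_ab():
    """Constructed .ab file for offline testing (NOT a real backup): a placeholder
    tokens.xml packed into a tar, zlib-compressed and placed behind the 24-byte header."""
    tokens_xml = (
        '<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n'
        '<map>\n'
        '    <string name="example:placeholder">PLACEHOLDER-NOT-A-REAL-SECRET</string>\n'
        '</map>\n'
    )
    payload = tokens_xml.encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo("apps/org.fedorahosted.freeotp/sp/tokens.xml")
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return b"ANDROID BACKUP\n1\n1\nnone\n" + zlib.compress(buf.getvalue()), tokens_xml


if __name__ == "__main__":
    ab, _ = build_sample_ab()  # for a real backup: open("freeotp.ab", "rb").read()
    parsed = parse_ab(ab)
    names, xml = extract_tokens_xml(parsed["tar"])
    print(f"header {parsed['header_len']} bytes, version {parsed['version']}, members: {names}")
    print(xml)
```

Whatever tool produces it, the extracted tokens.xml holds the OTP seeds in the clear, so it deserves the same handling as a password database: an encrypted store, and deleted from the working directory once the import to the new phone is done.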

I'm not talking about the future where we all have jetpacks, I'm talking about a few weeks from now when your phone slips from your hands and breaks. Phones get lost or damaged. It happens, and keeping a copy of this file for safekeeping will make things easier if you find yourself setting up a new phone. Be prepared.

Importing Your 2FA Tokens

Viljo Viitanen wrote a really handy JavaScript-based tool that will generate QR codes from the tokens.xml file. The tool runs completely within your browser and does not transmit any sensitive information to a third party, so there's no concern of data leakage.

Select your tokens.xml file and the script will output QR codes that can be used to import your 2FA tokens to FreeOTP on your new mobile phone via the built-in QR code scanner.

While this may seem like a fairly involved process, it only takes a few minutes and will save tons of time vs. having new tokens issued or finding other workarounds to migrate FreeOTP’s data.

https://github.com/CoryHawkless/freeotp-export

tcpdump on each interface individually

Original article here: https://serverfault.com/questions/224698/how-to-display-interface-in-tcpdump-output-flow

#!/bin/bash
#===================================================================================
#
# FILE: dump.sh
# USAGE: dump.sh [-i interface] [tcpdump-parameters]
# DESCRIPTION: tcpdump on any interface and add the prefix [Interface:xy] in front of the dump data.
# OPTIONS: same as tcpdump
# REQUIREMENTS: tcpdump, sed, ifconfig, kill, awk, grep, posix regex matching
# BUGS: ---
# FIXED: - In 1.0 the parameter -w would not work without the -i parameter as multiple tcpdumps are started.
# - In 1.1 VLANs would not be shown if a single interface was dumped.
# NOTES: ---
# - 1.2 git initial
# AUTHOR: Sebastian Haas
# COMPANY: pharma mall
# VERSION: 1.2
# CREATED: 16.09.2014
# REVISION: 22.09.2014
#
#===================================================================================

# When this exits, kill all the background tcpdump processes:
trap 'kill $(jobs -p) &> /dev/null && sleep 0.2 && echo' EXIT

# Create one tcpdump output per interface and add an identifier to the beginning of each line:
if [[ "$*" =~ -i[[:space:]]?([^[:space:]]+) ]]; then
    # A single interface was given with -i: dump only that one, labelled with its name
    tcpdump -l "$@" | sed 's/^/[Interface:'"${BASH_REMATCH[1]}"'] /' &
else
    # No -i given: start one tcpdump per interface listed by ifconfig
    # (newer net-tools print the name as "eth0:", so the trailing colon is stripped)
    for interface in $(ifconfig | grep '^[a-z0-9]' | awk '{print $1}' | sed 's/:$//'); do
        tcpdump -l -i "$interface" -nn "$@" | sed 's/^/[Interface:'"$interface"'] /' &
    done
fi
# Wait until CTRL+C
wait

Converting a Generation 2 Hyper-V VM to boot in KVM/OpenStack

Bringing a Hyper-V Gen2 VM into OpenStack

Convert the VHDX to raw and write it straight into Ceph:
qemu-img convert -f vpc -O raw AC-TS01-C.VHD rbd:volumes/AC-TS01.raw

Attach the old (existing) disk and the new blank disk to a Linux box.
Install clonezilla from apt.
On the new disk create a new partition (this will be an MBR partition, not a GPT partition, and is key to being able to boot in KVM):
fdisk /dev/sdX
n    (new partition)
p    (primary)
..
..
Clone the Windows volume (just the big volume, ignore the small piss-ant recovery volumes).
You might then need to mount this volume on a Windows box to check the NTFS partition is OK; if it isn't showing a drive letter, I had some success resizing the partition with the EaseUS partition manager, which presumably re-wrote the NTFS partition headers, after which the disk appeared in Windows.
THEN you need to boot the OS; it'll fail.

Attach a Windows Server ISO and boot to recovery (it needs to be the recovery environment for the correct OS version; I tried using a 2016 DVD to recover 2012 R2 and it didn't work).
Run

bcdboot C:\windows
Or
bcdboot C:\windows /s c: /f ALL

BOOTREC /FIXMBR

BOOTREC /FIXBOOT

Then reboot and all good.
If you haven't preinstalled the virtio drivers, you might need to boot on SATA first and then install them.
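The step this procedure singles out, giving the new disk an MBR label rather than a GPT one, is easy to confirm on the raw image before spending a reboot cycle on it. The Python below is an added example, not part of the original post and not a qemu-img or OpenStack tool: it reads the first two sectors of a raw disk image, classifies the label as MBR, GPT (by the "EFI PART" header in LBA 1 or a protective 0xEE entry) or none, and decodes the four primary MBR entries so you can see the cloned NTFS volume and its boot flag. The sample images are constructed in memory; `check_image_file` does the same against a file such as the exported raw volume.

```python
import struct

SECTOR = 512
GPT_SIGNATURE = b"EFI PART"            # GPT header signature, stored in LBA 1
MBR_ENTRY_FMT = "<B3xB3xII"            # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors
PARTITION_TABLE_OFFSET = 446


def partition_table_type(image):
    """Classify the partition label at the start of a raw disk image (bytes).

    Returns "mbr", "gpt" or "none". A GPT disk carries a protective MBR whose first
    entry has type 0xEE and a GPT header ("EFI PART") in LBA 1; a plain MBR disk has
    the 0x55AA signature and ordinary entries.
    """
    if len(image) < 2 * SECTOR or image[510:512] != b"\x55\xaa":
        return "none"
    if image[SECTOR:SECTOR + len(GPT_SIGNATURE)] == GPT_SIGNATURE:
        return "gpt"
    if image[PARTITION_TABLE_OFFSET + 4] == 0xEE:
        return "gpt"  # protective MBR without a readable header: still GPT-labelled
    return "mbr"


def mbr_partitions(image):
    """Decode the four primary MBR entries as (bootable, type, start_lba, sector_count),
    skipping empty slots. Type 0x07 is NTFS, which is what the cloned Windows volume shows as."""
    parts = []
    for i in range(4):
        flag, ptype, start, count = struct.unpack_from(MBR_ENTRY_FMT, image, PARTITION_TABLE_OFFSET + 16 * i)
        if ptype:
            parts.append((flag == 0x80, ptype, start, count))
    return parts


def check_image_file(path):
    """Read just the first two sectors of an image file and classify its label."""
    with open(path, "rb") as f:
        return partition_table_type(f.read(2 * SECTOR))


def make_sample_image(gpt):
    """Constructed two-sector image: an MBR with one bootable NTFS entry, or a
    protective MBR plus GPT header. Not a real disk image."""
    img = bytearray(2 * SECTOR)
    if gpt:
        struct.pack_into(MBR_ENTRY_FMT, img, PARTITION_TABLE_OFFSET, 0x00, 0xEE, 1, 0xFFFFFFFF)
        img[SECTOR:SECTOR + len(GPT_SIGNATURE)] = GPT_SIGNATURE
    else:
        struct.pack_into(MBR_ENTRY_FMT, img, PARTITION_TABLE_OFFSET, 0x80, 0x07, 2048, 4194304)
    img[510:512] = b"\x55\xaa"
    return bytes(img)


if __name__ == "__main__":
    for label in (False, True):
        img = make_sample_image(gpt=label)
        print(partition_table_type(img), mbr_partitions(img))
    # For the exported volume: print(check_image_file("AC-TS01.raw"))
```

If the result is "gpt", the partition step above was done on the wrong disk or with a GPT label; if it is "mbr" but no entry carries the 0x80 boot flag, the bcdboot/BOOTREC recovery steps are still ahead of you.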

Fix sluggish mouse cursor

I find the cursor speed is sometimes too slow on my Ubuntu machine with a Logitech MX trackball.

And for reasons I don't recall, I wanted to set the speed with a script instead of the settings application.

#!/bin/bash
xinput set-prop "pointer:Logitech MX Ergo" "libinput Accel Speed" 1