Writings lost in space and time.

2016-12-18
Install a FreeIPA infrastructure

In order to make my infrastructure easier to manage, I decided to install a FreeIPA server.
One of my ex-colleagues, now a friend, told me a lot about this product some time ago.
So I decided to try it.
Thanks Djul (@JulienPorschen).

The first objective is to install a functional FreeIPA server to manage users and groups.

Later I will expand its usage to various needs.

The documentation is here:

FreeIPA

2016-11-20
IT/Monitoring Notifications

Manage Notifications

Using a monitoring system introduces alerts or notifications about a new issue or its resolution.

As I use multiple systems (home, work, on the move), my big problem was to find a single system to send alerts to all platforms.

I previously used Growl or Prowl successfully to send and receive them, but as it has no desktop app on every platform I stopped using it.

I finally discovered Pushover.
It provides a native client to receive notifications on desktop and mobile devices (iOS, Android).
The sender app can be curl or Python.

It's free until you reach 7500 messages per month.

2016-08-19
IT/Freebsd OpenVPN Server

Setup a FreeBSD OpenVPN server for a site-to-site tunnel

Source

First, install openvpn from ports or from pkg.

Commands starting with a # must be executed as root.
Commands starting with a $ must be executed as a user.

# mkdir /usr/local/etc/openvpn

Create and edit /usr/local/etc/openvpn/openvpn.conf:

port XXXX # Your listening port
proto udp
dev tun
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/vpn.crt
key /usr/local/etc/openvpn/keys/vpn.key # This file should be kept secret
crl-verify /usr/local/etc/openvpn/keys/crl.pem
dh /usr/local/etc/openvpn/keys/dh.pem
ifconfig-pool-persist /usr/local/etc/openvpn/ipp.txt
server X.Y.Z.0 255.255.255.0 # your tunnel ip configuration
client-config-dir /usr/local/etc/openvpn/ccd
keepalive 10 30
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 4
cipher AES-128-CBC
route C.B.A.0 255.255.255.0 # Add the return route to remote end point

We need to configure OpenVPN’s certificate authority now:

# cp -r /usr/local/share/easy-rsa /usr/local/etc/openvpn/easy-rsa

Edit /usr/local/etc/openvpn/easy-rsa/vars

Change the key size by modifying this line:

set_var EASYRSA_KEY_SIZE 4096

Now we initialise the PKI system:

# cd /usr/local/etc/openvpn/easy-rsa
# export EASYRSA=${PWD}
# easyrsa init-pki
Note: using Easy-RSA configuration from: /usr/local/etc/openvpn/easy-rsa/vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /usr/local/etc/openvpn/easy-rsa/pki

Now we build the CA:

# easyrsa build-ca
Note: using Easy-RSA configuration from: /usr/local/etc/openvpn/easy-rsa/vars
Generating a 4096 bit RSA private key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/usr/local/etc/openvpn/easy-rsa/pki/ca.crt

Now the Diffie-Hellman parameters file:

# easyrsa gen-dh
Note: using Easy-RSA configuration from: /usr/local/etc/openvpn/easy-rsa/vars
Generating DH parameters, 4096 bit long safe prime, generator 2
This is going to take a long time
DH parameters of size 4096 created at /usr/local/etc/openvpn/easy-rsa/pki/dh.pem

Now the key for the VPN server, identified as vpn:

# easyrsa gen-req vpn nopass
Note: using Easy-RSA configuration from: /usr/local/etc/openvpn/easy-rsa/vars
Generating a 4096 bit RSA private key
writing new private key to '/usr/local/etc/openvpn/easy-rsa/pki/private/vpn.key.HrSHTO16JN'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Keypair and certificate request completed. Your files are:
req: /usr/local/etc/openvpn/easy-rsa/pki/reqs/vpn.req
key: /usr/local/etc/openvpn/easy-rsa/pki/private/vpn.key

This request needs to be signed by the CA; have the CA passphrase ready:

# easyrsa sign server vpn
Note: using Easy-RSA configuration from: /usr/local/etc/openvpn/easy-rsa/vars
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 3650 days:
subject=
commonName = XXXXXXXX
Type the word 'yes' to continue, or any other input to abort.
Confirm request details:
(answer ‘yes’ and use password from CA step above)
Using configuration from /usr/local/etc/openvpn/easy-rsa/openssl-1.0.cnf
Enter pass phrase for /usr/local/etc/openvpn/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'XXXXXXXX'
Certificate is to be certified until Aug 17 15:56:57 2026 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /usr/local/etc/openvpn/easy-rsa/pki/issued/vpn.crt

# easyrsa gen-crl
Note: using Easy-RSA configuration from: /usr/local/etc/openvpn/easy-rsa/vars
Using configuration from /usr/local/etc/openvpn/easy-rsa/openssl-1.0.cnf
Enter pass phrase for /usr/local/etc/openvpn/easy-rsa/pki/private/ca.key:
An updated CRL has been created.
CRL file: /usr/local/etc/openvpn/easy-rsa/pki/crl.pem

Now we need to copy some files into the OpenVPN working directory:

# mkdir /usr/local/etc/openvpn/ccd
# cd /usr/local/etc/openvpn/easy-rsa/pki
# mkdir -p /usr/local/etc/openvpn/keys
# cp -p ca.crt crl.pem dh.pem index* serial* private/vpn.key issued/vpn.crt /usr/local/etc/openvpn/keys/

We’re now ready to add some users… repeat the following for each new client you want to create:

# easyrsa gen-req client1 nopass
# easyrsa sign client client1
# cd /usr/local/etc/openvpn/easy-rsa/pki
# cp -p private/client1.key issued/client1.crt /usr/local/etc/openvpn/keys/

Also create a file for each client, /usr/local/etc/openvpn/ccd/client1 (where client1 is the username), containing:

iroute C.B.A.0 255.255.255.0

Everything is now in place; we just need to load the kernel modules and start the service:

# sysctl net.inet.ip.fw.default_to_accept="1"
# kldload aesni crypto if_tap
# service openvpn start

Add the following lines to /boot/loader.conf:

net.inet.ip.fw.default_to_accept="1"
aesni_load="YES"
crypto_load="YES"
if_bridge_load="YES"
if_tap_load="YES"
ipfw_load="YES"
ipfw_nat_load="YES"
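Before starting the service, a check worth running on the directory built above: the script below is an added example, not from the original post. It verifies that openvpn.conf names existing ca/cert/key/crl-verify/dh files, that the server key is not group- or world-readable, and that every iroute in a ccd file has a matching route in openvpn.conf. It assumes the layout used in this post, with the directory passed as its argument.

```shell
#!/bin/sh
# check_openvpn_dir DIR: sanity-check an OpenVPN server directory laid out as in
# the post (DIR is normally /usr/local/etc/openvpn; it is a parameter so the
# check can also run against a staging copy). Verifies that:
#   - openvpn.conf names ca, cert, key, crl-verify and dh and each file exists
#     (without crl-verify a revoked client certificate is still accepted)
#   - the server private key is readable by its owner only
#   - every "iroute" in a ccd file has a matching "route" in openvpn.conf,
#     otherwise the server never installs the return route to that client LAN
# Prints each failure; returns 0 only when every check passes.
check_openvpn_dir() {
    dir=$1
    conf=$dir/openvpn.conf
    rc=0
    [ -f "$conf" ] || { echo "missing $conf"; return 1; }
    for d in ca cert key crl-verify dh; do
        f=$(awk -v d="$d" '$1 == d { print $2; exit }' "$conf")
        if [ -z "$f" ]; then echo "missing directive: $d"; rc=1; continue; fi
        case $f in /*) ;; *) f=$dir/$f ;; esac    # relative paths resolve to DIR
        if [ ! -f "$f" ]; then echo "$d file not found: $f"; rc=1; continue; fi
        if [ "$d" = key ]; then
            # in "ls -l" output column 5 is the group read bit, column 8 the other read bit
            case $(ls -ld "$f" | cut -c1-10) in
                ????r*|???????r*) echo "key is group/world readable: $f"; rc=1 ;;
            esac
        fi
    done
    for ccd in "$dir"/ccd/*; do
        [ -f "$ccd" ] || continue               # empty or missing ccd directory
        missing=$(awk '$1 == "iroute" { print $2, $3 }' "$ccd" |
            while read -r net mask; do
                awk -v n="$net" -v m="$mask" \
                    '$1 == "route" && $2 == n && $3 == m { ok = 1 } END { exit ok ? 0 : 1 }' \
                    "$conf" || echo "iroute $net $mask"
            done)
        if [ -n "$missing" ]; then
            echo "ccd $(basename "$ccd"): no matching route for $missing"; rc=1
        fi
    done
    return $rc
}
```

Run it as `check_openvpn_dir /usr/local/etc/openvpn` before `service openvpn start`; a non-zero exit means at least one of the listed problems was printed.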

2016-06-19
Linux best practices

Many times in my previous and current jobs I was asked to make recommendations about how to manage Linux machines.

You will find an overview in this article, which will be completed over time.
This can also be applied to other Unix-like systems such as BSD.

Linux Best Practices

2016-02-29
Migration to hexo

Following another tech guy on Twitter (@iMilnb) who talked about hexo, I gave it a try.

My previous blog tools were simple and I didn't take the time to post updates.

I need to store my actions and my research in one place, with a tool that matches my usage.

More to come.

2013-06-13
LVM Move

Today I needed to move 3 LVs inside a VG (named VG_NAME) spanning 3 disks to a new disk (NEW_DISK).

The operation is generally easy, but if an LV is split across multiple disks it can be more complicated.

Current map of the whole thing:

lvs -a -o+devices
LV VG Attr LSize Pool Origin Data% Move Log Cpy%Sync Convert Devices
lv_1 VG_NAME -wi-ao--- 5.00g /dev/disk1(2560)
lv_3 VG_NAME -wi-ao--- 97.43g /dev/disk2(0)
lv_3 VG_NAME -wi-ao--- 97.43g /dev/disk1(3840)
lv_3 VG_NAME -wi-ao--- 97.43g /dev/disk3(0)
lv_2 VG_NAME -wi-ao--- 10.00g /dev/disk1(0)

As you can see, lv_3 is split across 3 disks.

If I don't want to mix up the order, I have to move the LV segments in the right order.

First, format the new disk with pvcreate and add it to the VG:

pvcreate /dev/NEW_DISK
vgextend VG_NAME /dev/NEW_DISK

Now move the two easiest LVs from disk1 to NEW_DISK:

pvmove -n lv_1 /dev/disk1 /dev/NEW_DISK
pvmove -n lv_2 /dev/disk1 /dev/NEW_DISK

Now the more complicated one:

lvdisplay -m /dev/VG_NAME/lv_3

This displays the segment information for the LV:

--- Segments ---
Logical extent 0 to 17261:
Type linear
Physical volume /dev/disk2
Physical extents 0 to 17261
Logical extent 17262 to 19894:
Type linear
Physical volume /dev/disk1
Physical extents 3840 to 6472
Logical extent 19895 to 24941:
Type linear
Physical volume /dev/disk3
Physical extents 0 to 5046

So now I have to move them in the right order:

pvmove -n lv_3 /dev/disk2 /dev/NEW_DISK
pvmove -n lv_3 /dev/disk1 /dev/NEW_DISK
pvmove -n lv_3 /dev/disk3 /dev/NEW_DISK
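As an added example (not from the original post), the shell function below turns the lvdisplay -m segment listing into pvmove commands ordered by logical extent, which is the order the post moves lv_3 in. The embedded sample listing is a copy of the output above; it assumes NEW_DISK already has enough free extents, as in the post.

```shell
#!/bin/sh
# plan_pvmove LV NEW_PV: read "lvdisplay -m" output on stdin and print one
# "pvmove -n LV <pv> NEW_PV" line per source PV, ordered by the first logical
# extent the LV has on that PV, so the LV lands on NEW_PV in extent order.
# "pvmove -n" moves every extent of LV that lives on <pv>, so each PV is listed once.
plan_pvmove() {
    lv=$1
    newpv=$2
    awk '
        # "Logical extent 0 to 17261:"  -> remember the starting LE of the segment
        /^[[:space:]]*Logical extent / { start = $3 + 0 }
        # "Physical volume /dev/disk2"  -> emit "<start LE> <pv>" for that segment
        /^[[:space:]]*Physical volume / { print start, $3 }
    ' | sort -n | awk -v lv="$lv" -v new="$newpv" '
        !seen[$2]++ { printf "pvmove -n %s %s %s\n", lv, $2, new }
    '
}

# Constructed sample: the segment listing for lv_3 from the post.
sample_segments() {
    cat <<'EOF'
  --- Segments ---
  Logical extent 0 to 17261:
    Type                linear
    Physical volume     /dev/disk2
    Physical extents    0 to 17261
  Logical extent 17262 to 19894:
    Type                linear
    Physical volume     /dev/disk1
    Physical extents    3840 to 6472
  Logical extent 19895 to 24941:
    Type                linear
    Physical volume     /dev/disk3
    Physical extents    0 to 5046
EOF
}

# Print the planned commands without running them; review, then pipe into sh.
sample_segments | plan_pvmove lv_3 /dev/NEW_DISK
```

On a live system replace sample_segments with `lvdisplay -m /dev/VG_NAME/lv_3`.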