🔍

CyberWorld 2017.1

by Alejandro Liu

Updated: 2024-03-19

in 2017

tagged alpine, application, backup, backups, boot, browser, centos, config, configuration, device, domain, drive, linux, network, partition, proxy, software, storage, windows

Development

  • travis cordova build

  • travis ionic build

  • owx

    • common
      • muninlite (can it support plugins?)
      • flock, pwgen, ifstat
    • ow1
      • diags&tools: usbutils, netstat-nat
      • sniffer: tcpdump[-mini] 317K/617K, libpcap 191K
    • owX
      • FW/NAT
      • DNSMASQ: DHCP + DNS
      • NTP server
      • Dynamic DNS updating (mushu porker)
      • NFS
      • IPv6 tunnel
      • Provisioning server: (PXE, TFTP, NFS, HTTP, rpmgot, syslog?)
      • TLR server: HTTP, file manipulation, HTTPS?
      • USB storage

  • owx - switches

  • cn1

    • data scrubbing
    • backups
    • boot cd mirroring
    • config backup to alvm1
    • NFS mounting installable iso images
    • alvm1 : Main file store
      • file sharing (NFS, Samba, http)
      • rsync backup target
      • undup, backup puller
    • alvm2 : Backup file store
      • snapshot server (NFS)
      • backuper
    • alvm3 : Transmission
      • Implemented as its own server because of the VPN
    • cvm1 : Main APP server
    • alvm4 : X10 server
      • Implemented as its own server because VM only runs if HW is available
    • alvm5: DMZ Server
      • reverse proxy
      • PocketMine
        • Muirfield
        • Niños
      • asterisk
    • alvm6 : Scan&Print server
      • Spin-off cvm1, because SELINUX exception. Shouldn't connect to DMZ, nor X10

DMZ Server Basic Alpine Linux install

  • Create dos partition on the data drive
  • mkdosfs on partition and mount
  • setup-alpine
  • apk update
  • lbu ci

Reverse Proxy

install nginx

  • apk add nginx ?php-fpm?
  • configure in /etc/nginx/nginx.conf (Reference)
  • apk apache2-utils : for htpasswd command
  • Add a proxy command:
    location / {
      proxy_pass http://$server/;
      auth_basic "Restricted";
      auth_basic_user_file /etc/nginx/_htpasswd;
      proxy_set_header X-Remote-User $remote_user;
      proxy_pass_request_headers      on;
    }

Variable Reference: NGINX Docs

WebServer

  • PHP checks headers (passed by the reverse proxy), otherwise,
  • use authd:
  • If using selinux we need to set this boolean:
    • setsebool -P httpd_can_network_connect on
  • PHP Function on server to determine user:
define('IDENT_PORT',113);

function identd_query($remote_ip,$remote_port,$local_port,$tout=3) {
  $remote_ip = 'localhost';
  $sock = @fsockopen($remote_ip,IDENT_PORT,$errno,$errstr,$tout);
  //print_r([$sock,$errno,$errstr]);
  if (!$sock) return FALSE;
  @fwrite($sock,$remote_port.','.$local_port."\r\n");
  $line = @fgets($sock,1000); // 1000 octets according to RFC1413
  fclose($socket);
  if (preg_match('/^\s*(\d+)\s*,\s*(\d+)\s*:\s*(\S+)\s*:\s*(\S+)\s*:\s*(\S+)\s*$/', $line,$mv)) {
    if ($mv[1] == $remote_port && $mv[2] == $local_port &&
    $mv[3] == 'USERID') {
      return $mv[5];
    }
  }
  return FALSE;
}

Web Browser

For archlinux, install oidentd

  • yum install authd
  • check firewall port
  • systemctl start authd.socket
  • Enable authd.socket
  • Add Override:
    • /etc/systemd/system/[email protected]/override.conf
      • [Service]
      • ExecStart=
      • ExecStart=-/usr/sbin/in.authd -t60 --xerror

https://wiki.alpinelinux.org/wiki/LXC https://wiki.alpinelinux.org/wiki/Setting_up_a_basic_vserver

browser -> guac -> xinetd|vncserver|x2go-client -> x2go-server browser -> revproxy -> guac -> xinetd|vncserver|x2go-client -> x2go-server

Check what Thin client software Tiny Core Linux supports otherwise Browser with Guacamole

Server script (haserl) on OW1 Show version and last update Options: Delete Entry Post update : Using wget

Create a local pastebin (to add notes from SONY PRS-T2) https://wiki.alpinelinux.org/wiki/Pastebin

Configure a Windows VM

./mxt.sh \
vmcfg \
vm=winvm1 \
rem="win7 system" \
-serial \
viridian=1 \
boot=d \
hd=1,16G \
cdrom=3,/xendat/installers/Win7AIO.x32-x64.preact.iso

Centos 7

Template preparation

Configure serial console:

  1. Modify /etc/default/grub
    • GRUB_TERMINAL_OUTPUT=serial
    • GRUB_CMDLINE_LINUX=console=ttyS0 --rhgb
  2. Run grub2-mkconfig -o $d/grub.cfg either on /boot/efi/EFI or /boot/grub2

Stop ssh and remove all ssh keys.

Modify rc.local to run something once:

  • change hostname (if possible?)
  • remove all SSH keys (and reboot)

Create a centos/xen template prep script. We pass it as a custom tar in xvdh. Another option:

We need to pass vm name.

rhel7 and systemd

Cfg script /etc/xen

  1. After block devices stanza
  2. Check if tar is there
  3. Append to the list

Better to do this

Notes

munin

Serial xen configuration

  • serial=/dev/ttyS0
    [Linux only] Use host tty, e.g. ‘/dev/ttyS0’. The host serial port parameters are set according to the emulated ones.
  • serial=unix:path[,server][,nowait]
    A unix domain socket is used instead of a tcp socket. The option works the same as if you had specified -serial tcp except the unix domain socket path is used for connections.
    The TCP Net Console has two modes of operation. It can send the serial I/O to a location or wait for a connection from a location. By default the TCP Net Console is sent to host at the port. If you use the server option QEMU will wait for a client socket application to connect to the port before continuing, unless the nowait option was specified. The nodelay option disables the Nagle buffering algorithm. If host is omitted, 0.0.0.0 is assumed. Only one TCP connection at a time is accepted. You can use telnet to connect to the corresponding character device.