Tag Archives: debian

Raspbian Jessie f2fs Raspberry PI 3

Hi

Short howto:

* install f2fs utils

pacman -S f2fs-tools

* create working directory

mkdir /root/raspbian
cd /root/raspbian

* Download and unzip your Raspbian image, then write it to the SD card

dd if=2017-04-10-raspbian-jessie-lite.img of=/dev/sdX bs=512k status=progress

* Put your SD-Card into your PI
* Let it setup everything

* Install f2fs-tools on your Pi

apt-get install f2fs-tools

* Shutdown your PI
* Insert your SD-Card into your PC
* Create directories

mkdir mnt
mkdir mnt/boot
mkdir mnt/root
mkdir boot
mkdir root

* mount raspbian SD-Card

mount /dev/sdX1 mnt/boot
mount /dev/sdX2 mnt/root

* make backup (the trailing slash also copies dotfiles; -H keeps hard links)

rsync -av --numeric-ids mnt/boot/ boot/
rsync -aHv --numeric-ids mnt/root/ root/

* unmount raspbian SD-Card

umount mnt/boot
umount mnt/root

* recreate filesystems

mkfs.vfat /dev/sdX1
mkfs.f2fs /dev/sdX2

* mount raspbian SD-Card again

mount /dev/sdX1 mnt/boot
mount /dev/sdX2 mnt/root

* copy files to SD-Card (the trailing slash also copies dotfiles; -H keeps hard links)

rsync -av --numeric-ids boot/ mnt/boot/
rsync -aHv --numeric-ids root/ mnt/root/

* edit cmdline.txt

sed -i 's/rootfstype=ext4/rootfstype=f2fs/' mnt/boot/cmdline.txt

* edit etc/fstab

sed -i 's/ext4/f2fs/' mnt/root/etc/fstab

* unmount filesystems

umount mnt/boot
umount mnt/root

You're done 🙂

Have fun!

Mikrotik RouterOS 6.38 IKEv2 Strongswan RSA Auth howto

Hi there,

a) setup clock of your routerboard

/system ntp client set primary-ntp=192.168.223.2
/system clock set time-zone-name=Europe/Vienna

b) generate certificates

/certificate add common-name="paranoids.at Root CA" name=ca     
/certificate sign ca ca-crl-host=192.168.223.106
/certificate add common-name=test.paranoids.at subject-alt-name=DNS:test.paranoids.at key-usage=tls-server name=server1
/certificate sign server1 ca=ca
/certificate add common-name=client1@test.paranoids.at key-usage=tls-client name=client1
/certificate sign client1 ca=ca

c) configure your server

/export compact                                                      
# jan/06/2017 12:21:49 by RouterOS 6.38
#
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
/ip pool
add name=pool1 ranges=192.168.33.0/27
/ip ipsec mode-config
add address-pool=pool1 address-prefix-length=32 name=test
/ip address
add address=192.168.99.1/24 interface=ether2 network=192.168.99.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dns static
add address=192.168.223.106 name=test
/ip ipsec peer
add address=0.0.0.0/0 auth-method=rsa-signature certificate=server1 dh-group=modp2048 enc-algorithm=aes-256 exchange-mode=ike2 generate-policy=port-strict hash-algorithm=sha256 \
    mode-config=test passive=yes
/ip ipsec policy
set 0 dst-address=192.168.33.0/27 src-address=0.0.0.0/0

d) export client certificates

/certificate export-certificate ca
/certificate export-certificate client1 export-passphrase=1234567890

e) import client certificates to strongswan (file ending is important)

 scp admin@192.168.223.106:/cert_export_ca.crt .
 scp admin@192.168.223.106:/cert_export_client1.crt .
 scp admin@192.168.223.106:/cert_export_client1.key .
 mv cert_export_ca.crt /etc/ipsec.d/cacerts/cert_export_ca.pem
 mv cert_export_client1.crt /etc/ipsec.d/certs/cert_export_client1.pem
 mv cert_export_client1.key /etc/ipsec.d/private/cert_export_client1.pem

f) configure strongswan properly

/etc/ipsec.conf

conn test
 keyexchange=ikev2
 ike=aes256-sha256-modp2048
 esp=aes256-sha256-modp2048
 ikelifetime = 24h
 lifetime = 30m
 dpddelay = 120s
 left=%defaultroute
 leftsourceip=%config
 leftcert=cert_export_client1.pem
 leftid=client1@test.paranoids.at
 leftfirewall=yes
 right=192.168.223.106
 rightsubnet=192.168.99.0/24
 rightid="CN=test.paranoids.at" 
 auto=add

/etc/ipsec.secrets

: RSA cert_export_client1.pem "1234567890"

g) fire up your vpn

:~# systemctl restart strongswan
:~# ipsec up test

Resources:
https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2Examples
http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Ikev2_Server_Setup

Hint:
For strongswan under Debian Jessie you have to remove the passphrase from the private key!
For Android set Server-Identity: CN=test.paranoids.at!
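
Before the exported files go into /etc/ipsec.d, it is worth checking that the client certificate chains to the exported CA and that the private key belongs to it. The following is an added example, not part of the original post: it runs both checks with openssl and writes the passphrase-free key the hint above asks for. It assumes PEM-encoded exports and the export passphrase in the environment variable KEY_PASS; the names check_export, make_sample and KEY_PASS are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes PEM-encoded exports and
# the export passphrase in the environment variable KEY_PASS.

# check_export CA_CERT CLIENT_CERT CLIENT_KEY OUT_KEY
# Prints "ok", "chain-fail" or "key-mismatch"; returns non-zero on failure.
check_export() {
    ca=$1; cert=$2; key=$3; out=$4
    # 1. The client certificate must chain to the exported CA.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "chain-fail"; return 1; }
    # 2. The private key must belong to the certificate: compare public keys.
    #    A wrong passphrase leaves key_pub empty and is reported the same way.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -passin env:KEY_PASS -pubout 2>/dev/null) || key_pub=""
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "key-mismatch"; return 1; }
    # 3. Write the passphrase-free copy the Debian Jessie hint asks for,
    #    readable by its owner only.
    ( umask 077; openssl pkey -in "$key" -passin env:KEY_PASS -out "$out" ) || return 1
    echo "ok"
}

# make_sample DIR: constructed throw-away CA and client certificate that
# stand in for the files RouterOS exports (same file names as in the post).
make_sample() {
    d=$1
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/o.cnf"
    openssl req -x509 -config "$d/o.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=paranoids.at Root CA" \
        -keyout "$d/ca.key" -out "$d/cert_export_ca.crt" 2>/dev/null
    openssl req -config "$d/o.cnf" -newkey rsa:2048 -passout env:KEY_PASS \
        -subj "/CN=client1@test.paranoids.at" \
        -keyout "$d/cert_export_client1.key" -out "$d/client1.csr" 2>/dev/null
    openssl x509 -req -in "$d/client1.csr" -days 1 -CAcreateserial \
        -CA "$d/cert_export_ca.crt" -CAkey "$d/ca.key" \
        -out "$d/cert_export_client1.crt" 2>/dev/null
}

# Usage with the real exports, run in the directory the scp commands filled:
#   export KEY_PASS; check_export cert_export_ca.crt cert_export_client1.crt \
#       cert_export_client1.key client1_nopass.pem
```

Passing the passphrase through the environment keeps it out of the process list, unlike a `pass:` argument on the command line.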

Have fun!

Debian on Barracuda NG F10 Firewall

Hi

While I was tearing down the firewall the CF-Slot jumped right into my eyes. Every Linux guy might think the same. 🙂

So I debootstrapped a CF-card, made it bootable and right after the first try, bam, working.
The hardware got freed from the proprietary Linux OS and crappy tools and … Yes, the backdoors, bugs and security holes, because you won’t get any free downloadable firmware updates. This is really annoying on Barracuda firewalls. It’s a shitty firewall. Every crappy TP-Link does the same things in production.

Have fun!

Ubuntu 16.04 EFI Boot Software Raid

Hi

I tried to set up the “EFI System” partition at install time as a software RAID1 array. I tried to avoid installing the bootloader to every disk. (I had a RAID1 with spare.)

The Ubuntu installer allows setting the partition type to “EFI System” on the software RAID array. So I thought it would work.

After successful installation the BIOS of the Supermicro mainboard did not find any EFI boot partition.

So I destroyed the software RAID of the “EFI System” and installed the bootloader in a chroot from a Debian-Live system. I did not have to change the partition flag. It was already set to “EFI System”.

mdadm -S /dev/mdX
mdadm --zero-superblock /dev/sda1
mdadm --zero-superblock /dev/sdb1
mdadm --zero-superblock /dev/sdc1


mkfs.vfat /dev/sda1
mkfs.vfat /dev/sdb1
mkfs.vfat /dev/sdc1

mount /dev/md[RootFileSystemWithBoot] /mnt
mount --bind /dev /mnt/dev
mount --bind /sys /mnt/sys
mount --bind /proc /mnt/proc

chroot /mnt

Now we remove the RAID array from config file

vim /etc/mdadm/mdadm.conf

Edit your fstab

blkid /dev/sda1
vim /etc/fstab

And last but not least install grub

mount /dev/sda1 /boot/efi
grub-install /dev/sda1
umount /boot/efi

mount /dev/sdb1 /boot/efi
grub-install /dev/sdb1
umount /boot/efi

mount /dev/sdc1 /boot/efi
grub-install /dev/sdc1

update-grub

Hint: You have to use an install medium or live system which is EFI boot capable and force the BIOS to boot from EFI. (You could use my USB stick.) Otherwise EFI support in Linux is disabled.

Have fun!

debian jessie as kvm guest high cpu load

Hi

I was wondering about the high cpu load of my debian jessie kvm guests.

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+    COMMAND
 18 root 20 0     S           11,0      50:10.35 ksoftirqd/2
 28 root 20 0     S           11,0      49:45.90 ksoftirqd/4
 13 root 20 0     S           10,1      51:25.18 ksoftirqd/1
 23 root 20 0     S           10,1      55:42.26 ksoftirqd/3
 33 root 20 0     S           8,3       43:12.53 ksoftirqd/5
 3 root 20 0      S           7,4       43:19.93 ksoftirqd/0

The more load my kvm guest had the more cpu time was allocated by the kernel.
I was using 3.16.0-4-amd64.

My host machines were Ubuntu 14.04 and Arch Linux. Both had the same issue.

The simple solution was to install the backports kernel 4.2.0-0.bpo.1-amd64 or compile a fresh vanilla kernel via make localyesconfig.

Seems to be a debian kernel bug.

Have fun!