Lukáš Zapletal: engineer in pyjama

Hidden feature of Fedora 20 - pass cli manager

When it comes to password management, I’ve always been happy user of KeepassX for many years. But when I stumbled upon new and simple tool called “pass” and I realized that I use mouse (trackball actually) with only two applications: Google Chrome and, of course, KeepassX in my workflow (i3, mutt, vim, ssh).

This tool is basically a shell wrapper around gpg, git and few other tools:

# yum install pass pinentry-gtk

It’s definitely not a monster tool, which I appreciate:

# rpm -ql pass
/etc/bash_completion.d/password-store
/usr/bin/pass
/usr/share/doc/pass
/usr/share/doc/pass/COPYING
/usr/share/doc/pass/README
/usr/share/man/man1/pass.1.gz

Let’s read the completion (or re-login to your shell):

# source /etc/bash_completion.d/password-store

What you want is to create separate gpg key for your passwords:

# gpg --gen-key

Give it a name (you can skip the e-mail) and comment. In my case this was “Lukas Zapletal (my passwords)”. You will not share this one at all. And make sure to use safe master password (passphrase).

Now you want to load gpg agent. Make sure you put this in your .bashrc as well, otherwise you would need to put your master password over and over again:

# eval "$(gpg-agent --daemon 2>/dev/null)"

In Fedora, do not miss the step of starting a gpg-agent, otherwise pass will not work as it spawns gpg with --batch parameter. If you do not like gpg-agent, you need to remove this option from /usr/bin/pass or upgrade to the latest upstream version 1.5+ which does not have this.

The (pass)[http://www.zx2c4.com/projects/password-store/] tool provides many helper scripts and importers including keepassx2pass.py which works great (you need to export your database to the XML format first). Setting up my database was matter of two minutes. A bit of warning - if you have multiline comments, note that the KeepassX importer only fetches the first comment (I’ll push a fix for that most likely).

Usage is simple enough:

# pass init "Lukas Zapletal (pass)"
# pass insert Business/cheese-whiz-factory
# pass -c Email/zx2c4.com
Copied Email/jason@zx2c4.com to clipboard. Will clear in 45 seconds.

Upgrade to “pass”, your whist will appreciate that.

Read on Comment
15 April 2014 | linux | fedora

SELinux Puppet update in Fedora 20 and Rawhide

We are rolling out update of Puppet to 3.4.3 in Fedora 20 and Rawhide that adds one important change. We have found that puppet master was running unconfined, therefore the Puppet SELinux policy was not effective in Fedoras.

The puppet package update fixes one little issue (missing runtime dependency) and corrects startup wrappers for systemd which puts Puppet Master into correct SELinux domain puppetmaster_t. Since this has low security impact, we have decided to backport this change into Fedora 20 too. Another reason is the change in selinux-policy package in Fedora 20 which allows us to backport the changes into EPEL7.

SELinux core puppet policy was refactored in paralel so we have now puppetmaster_t and puppetagent_t domains which reflects the state much better. Previously puppet agent was running under puppet_t confined domain, now it runs under puppetagent_t domain. Also the agent has loosed security rules which is great improvement too.

To update your host do the following:

yum --enablerepo=updates-testing makecache
yum --enablerepo=updates-testing update selinux-policy puppet puppet-server

When upgrading make sure you have the correct versions on the mirror:

  • puppet 3.4.3-3.fc20 or higher
  • policy 3.12.1-153.fc20 or higher

Restart puppetmaster, agent and watch for denials. Report success and failures in my comments or in the update comments.

grep AVC /var/log/audit/audit.log

Let’s make sure we have rock solid version of Puppet hardened with SELinux in the best quality possible in EPEL7. Thanks for help!

Read on Comment
10 April 2014 | linux | fedora | puppet | foreman

Get any GDI printer to work on RHEL6

I was happy enough to get an old Konica Minolta 163 copy machine and printer. These devices can deliver black and white printouts at low prices. But this one is GDI only printer without overpriced network/cpu extension PCL card. What to do now?

Well, I have one license of Windows XP running in libvirt in the house. Oh, by the way Microsoft support is ending this month, what will I do? :-) Seriously, how about connecting the machine to my host machine (RHEL6) and passing the USB device into Windows so I can share the printer and print (via Google Cloud Print as well). The plan is set.

And it works just like that. Using virt-manager, you can assign the USB device, install drivers (I’d recommend to install drivers FIRST after my experience) and start printing. Remember to download GDI drivers and not PCL for this one otherwise it will not work. But there is a snag.

If you turn off your printer, the connection is lost. When I turn on the printer back, Windows cannot see it online and the USB device is gone. The only solution is to detach and reattach the USB device in virt-manager. Okay. Let’s script this, first find the device and vendor USB ID:

# lsusb | grep Minolta
Bus 002 Device 004: ID 132b:204c Konica Minolta

Create a libvirt XML definition:

# cat /var/lib/libvirt/minolta.xml
<hostdev mode="subsystem" type="usb" managed="yes">
    <source>
        <vendor id="0x132b"/>
        <product id="0x204c"/>
    </source>
</hostdev>

And reattach with this:

# virsh detach-device GUEST_NAME /var/lib/libvirt/minolta.xml
# virsh attach-device GUEST_NAME /var/lib/libvirt/minolta.xml

Once you have this working and you are tired with typing command after you turn your printer on, then use udev to do this automatically. Warning: This is tuned for RHEL6/CentOS6 and it may not work on your Ubuntu/Debian depending of the version of your distribution:

# cat /etc/udev/rules.d/90-libvirt-usb.rules
ACTION=="add", \
    SUBSYSTEM=="usb", \
    ENV{ID_VENDOR_ID}=="132b", \
    ENV{ID_MODEL_ID}=="204c", \
    RUN+="/usr/bin/virsh attach-device GUEST_NAME /var/lib/libvirt/minolta.xml"
ACTION=="remove", \
    SUBSYSTEM=="usb", \
    ENV{ID_VENDOR_ID}=="132b", \
    ENV{ID_MODEL_ID}=="204c", \
    RUN+="/usr/bin/virsh detach-device GUEST_NAME /var/lib/libvirt/minolta.xml"
ACTION=="add", \
    SUBSYSTEM=="usb", \
    ENV{ID_VENDOR_ID}=="132b", \
    ENV{ID_MODEL_ID}=="204c", \
    RUN+="/bin/logger Attaching USB device to KVM guest"
ACTION=="remove", \
    SUBSYSTEM=="usb", \
    ENV{ID_VENDOR_ID}=="132b", \
    ENV{ID_MODEL_ID}=="204c", \
    RUN+="/bin/logger Detaching USB device to KVM guest"

After you create this file, do not forget to reload udev rules with

udevadm control --reload-rules

The two last add and remove commands in the file above are only for monitoring purposes. I want some clear messages in my syslog:

kernel: usb 2-1: USB disconnect, device number 3
logger: Detaching USB device to KVM guest
kernel: usb 2-1: new full speed USB device number 4 using uhci_hcd
kernel: usb 2-1: New USB device found, idVendor=132b, idProduct=204c
kernel: usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
kernel: usb 2-1: Product: KONICA MINOLTA 163
kernel: usb 2-1: Manufacturer: KONICA MINOLTA
kernel: usb 2-1: SerialNumber: 02145339
kernel: usb 2-1: configuration #1 chosen from 1 choice
logger: Attaching USB device to KVM guest

Of course you can see more detailed udev output using

udevadm monitor --property --kernel --udev

One additional remark - for this particular printer, I had troubles with USB 2.0, so I disabled it completely leaving USB 1.1. Transfer bandwidth does not matter much for GDI printing I guess. Maybe it was wrong cable (I tried two USB cables), anyway it works just fine.

Also, I turned off CUPS on my host system and disabled usblp driver (it was acquiring the device via udev which was useless - I don’t use LP on the host):

service cups stop
chkconfig cups off

# cat /etc/modprobe.d/blacklist.conf
blacklist ehci_hcd
blacklist usblp

That’s all. You can use this approach to get any winprinter working on Linux (RHEL6) via libvirt (kvm/qemu). All you really need is a valid Windows license and Linux box with libvirt.

Read on Comment
02 April 2014 | linux | fedora

Linux 3.13+ on Zyxel NSA 310

I have already written an article about this Marwell Kirkwood device. This time, we are going to compile Linus tree kernel. Yes, almost everything have been already merged. Except LEDs.

It’s super easy now.

# make mrproper
# make kirkwood_defconfig

Creates clean and minimal setup for Kirwkood devices. I needed to make two changes - u-Boot on my device is old and does not support DTS enabled kernels, so I had to concatenate it. Also, for some reason the kernel was ignoring my command line, so I burnt it into the kernel image itself.

# grep CMDLINE .config
CONFIG_CMDLINE="console=ttyS0,115200 root=/dev/sda3"

For your case, keep the console setting, but adjust our root to the proper device. If you know why the kernel was not picking up my command line (I was using 3.13 RC2), let me know under the article. If you need to change configuration and add more drivers, it’s the time now (e.g. USB WiFi sticks, printers etc.)

# make menuconfig

I usually write the configuration now and edit it via editor from now on which is faster. Let’s do the kernel now.

# make && make dtbs

Or if you selected some modules, do this instead:

# make && make dtbs && make modules && make modules_install

The final step is very important - we need to make an uImage with concatenated device tree for our NSA 310.

# cat arch/arm/boot/zImage arch/arm/boot/dts/kirkwood-nsa310.dtb \
    > /tmp/zImage-dtb-kirwood
# mkimage -A arm -O linux -T kernel -C none -a 0x00008000 -e 0x00008000 \
    -n Linux-kikrwood-nsa310.dtb -d /tmp/zImage-dtb-kirwood \
    /boot/uImage-3.13.0-rc2

Note there are two files:

  • arch/arm/boot/dts/kirkwood-nsa310.dtb
  • arch/arm/boot/dts/kirkwood-nsa310a.dtb

Because there are more hardware versions, try out both and find which one works best for you.

Boot the new kernel and note that everything works, except LEDs. Also the power button is working, which is great. I don’t need LEDs, actually I don’t like blinking LEDs at all so I am fine. If you need LEDs, there are couple of patches on the arm-list floating around - grab them.

I have created an ultra simple script which controls the fan. There are other ways of doing that (e.g. via lm-sensors), but I prefer this lightweight solution (written in Go).

In my house, NSA 310 is great cheap 2 TB NAS, file server, print server, backup server and WiFi AP ($10 Tenda USB stick - was working out-of-box).

Drop me a line in the comments bellow!

Read on Comment
08 December 2013 | linux | fedora

How to reach your Fedora/RHEL behind NAT

I am using an excellent open-source tunneling solution called PageKite for about an year now. It’s a small utility written in Python with almost zero dependencies (okay there is one) and it enables you to reach various ports behind NAT. More on the PageKite.net which also provides subscription-based service for those who do not want to run their own man-in-the-middle server (which is needed for this to operate). By the way they datacenters are spread over whole world with excellent Europe coverage.

After decent testing time, I pushed PageKite into EPEL 5 and 6 (it is already included in Fedora repos). Installation and setup is ultra easy:

# yum -y install pagekite

In the PageKite.net service, create your account and create new “kite”. That is basically a subdomain which will be used for your machine. Now edit this file:

# vim /etc/pagekite.d/10_account.rc

Set your ‘kitename’ (which you created recently) and ‘kitesecret’ token and delete ‘abort_not_configured’ line. We want to enable SSH tunneling:

# mv /etc/pagekite.d/80_sshd.rc.sample /etc/pagekite.d/80_sshd.rc

If you want to tunnel HTTP, do this:

# mv /etc/pagekite.d/80_httpd.rc.sample /etc/pagekite.d/80_httpd.rc

You can tunnel any other protocol, read PageKite documentation for more. Start the thing:

# service pagekite start

Logs are here:

# tail /var/log/pagekite/pagekite.log -f

It’s the time to connect via your new tunnel. It is not that straightforward as you may expect, but you need to tune your ssh client configuration a bit:

# vim ~/.ssh/config
...
Host *.pagekite.me
    CheckHostIP no
    ProxyCommand /usr/bin/corkscrew %h 443 %h %p
...

I am using corkscrew tool which is a TCP tunneling solution via HTTP, which works great with PageKite. There are other options, but this one is the easiest and the most reliable. You will need to install the corkscrew tool (I am on Fedora):

# yum -y install corkscrew

Work done!

# ssh yourkite-yourname.pagekite.me

Nice, isn’t it? Now, if you find out how to tunnel mosh protocol, let me know bellow.

Read on Comment
27 November 2013 | linux | fedora
twitter.com linkedin.com
google.com/+ facebook.com
flickr.com youtube.com