Author Archive

May 21

LVM resize root volume

Since this is a root/boot volume we are talking about, anything on this page is VERY risky.  Be warned: this post may provide you with a strategy or hints, but you are completely responsible for your system.

Of course the best route to extend a root volume in an unmounted state is to boot off a Live CD.  In some cases, and even more often with cloud instances, you do not have the normal physical or virtualization methods to access the server console.

I have been trying a couple of ideas.  The first one is using dracut to resize the root volume on system bootup.  I have had success with this method.  The second method is using pivot_root.  This method may be slightly easier on systemd servers, but for my particular need I have an older CentOS 6 flavor without systemd and so far I could not get pivot_root and an online resize to work.

Below are notes on method 1 (dracut resize):

Specs:
VirtualBox VM, CentOS 6.4
Disk layout, 15G total:
- /boot 200M ext4
- / LV 13G ext4
- /u01 LV 2G ext4

GOAL:
1. Shrink the / file system without a boot CD, with only SSH access, using a dracut hook at bootup.
2. Extend /u01 with the additional space freed in the VG.

[root@localhost ~]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/VolGroupSys-LogVolRoot
                       11G  2.1G  8.7G  20% /
tmpfs                 1.9G     0  1.9G   0% /dev/shm
/dev/sda1             194M   29M  155M  16% /boot
/dev/mapper/VolGroupSys-LogVolU01
                      2.1G   68M  2.0G   4% /u01
[root@localhost ~]# pvs
  PV         VG          Fmt  Attr PSize  PFree
  /dev/sda2  VolGroupSys lvm2 a--  14.80g 1.70g

[root@localhost ~]# vgs
  VG          #PV #LV #SN Attr   VSize  VFree
  VolGroupSys   1   2   0 wz--n- 14.80g 1.70g

[root@localhost ~]# lvs
  LV         VG          Attr      LSize  Pool Origin Data%  Move Log Cpy%Sync Convert
  LogVolRoot VolGroupSys -wi-ao--- 11.00g                                             
  LogVolU01  VolGroupSys -wi-ao---  2.11g    
  
# pwd
/usr/share/dracut/modules.d/95rootfs-block

# vi mount-root.sh
[..]
if [ -n "$root" -a -z "${root%%block:*}" ]; then
    ## custom code testing lvresize on root vol
    ## activate the VG with write locking forced: the lvm.conf shipped in the
    ## initramfs only allows read-only locking (see "Write locks are prohibited"
    ## in the boot.log excerpt in the appendix)
    lvm vgchange -ay --config " global {locking_type=1} "
    ## drop that lvm.conf so the plain lvresize below can take a write lock
    rm -f /etc/lvm/lvm.conf
    ## check, shrink the file system to the target, shrink the LV to the same
    ## size, grow the file system to fill the LV exactly, then check again
    e2fsck -C 0 -f /dev/VolGroupSys/LogVolRoot
    resize2fs -p -f /dev/VolGroupSys/LogVolRoot 8G
    lvm lvresize -f /dev/VolGroupSys/LogVolRoot -L 8G
    resize2fs -p -f /dev/VolGroupSys/LogVolRoot
    e2fsck -C 0 -f /dev/VolGroupSys/LogVolRoot

    mount -t ${fstype:-auto} -o "$rflags" "${root#block:}" "$NEWROOT" \
[..]

# dracut -f --install 'resize2fs e2fsck'

# reboot

Verify after the reboot

# pvs
  PV         VG          Fmt  Attr PSize  PFree
  /dev/sda2  VolGroupSys lvm2 a--  14.80g 4.70g

# vgs
  VG          #PV #LV #SN Attr   VSize  VFree
  VolGroupSys   1   2   0 wz--n- 14.80g 4.70g

# lvs
  LV         VG          Attr      LSize Pool Origin Data%  Move Log Cpy%Sync Convert
  LogVolRoot VolGroupSys -wi-ao--- 8.00g                                             
  LogVolU01  VolGroupSys -wi-ao--- 2.11g                                             

# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/VolGroupSys-LogVolRoot
                      7.9G  2.1G  5.8G  26% /
tmpfs                 1.9G     0  1.9G   0% /dev/shm
/dev/sda1             194M   30M  155M  16% /boot
/dev/mapper/VolGroupSys-LogVolU01
                      2.1G   68M  2.0G   4% /u01

** remove custom code from mount-root.sh

# dracut -f
# reboot
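The same shrink sequence as the mount-root.sh hook above, written as an added example rather than the page's code: a dracut pre-mount hook gated on an assumed kernel parameter rootresize=<size>, so one boot with rootresize=8G appended to the kernel line performs the resize and later boots do nothing, instead of editing mount-root.sh and rebuilding the initramfs twice. Assumed: a custom dracut module installs it with inst_hook pre-mount, the image is built with dracut -f --install 'resize2fs e2fsck', and the LV path and 4 KiB block size are the page's.

```shell
#!/bin/sh
# Added example (not the page's or dracut's own code): a dracut pre-mount hook that
# shrinks the root LV only when the kernel command line carries the assumed flag
# rootresize=<size>. Runs before the root fs is mounted, so the resize is offline.

ROOT_LV=${ROOT_LV:-/dev/VolGroupSys/LogVolRoot}   # LV from the page; override per host
if ! command -v warn >/dev/null 2>&1; then         # dracut-lib provides warn; fallback
    warn() { echo "$*" >&2; }
fi

# Print the value of rootresize=<size> from a kernel command line, or fail if absent.
parse_rootresize() {
    for word in $1; do
        case "$word" in
            rootresize=*) printf '%s\n' "${word#rootresize=}"; return 0 ;;
        esac
    done
    return 1
}

# Convert 8G / 512M to the 4 KiB block count that resize2fs reports; only whole
# mebibytes or gibibytes are accepted, anything else fails (refuses "8.5G", "8").
size_to_4k_blocks() {
    num=${1%[GgMm]}
    case "$1" in
        *[Gg]) unit=262144 ;;   # 1 GiB = 262144 blocks of 4 KiB
        *[Mm]) unit=256 ;;      # 1 MiB = 256 blocks of 4 KiB
        *)     return 1 ;;
    esac
    case "$num" in
        ''|*[!0-9]*) return 1 ;;
    esac
    echo $((num * unit))
}

# lvm inside the initramfs runs with read-only locking (the page's boot.log shows
# "Write locks are prohibited"), so every write command forces locking_type=1.
lvm_rw() {
    lvm "$@" --config 'global { locking_type = 1 }'
}

# e2fsck exit 0/1/2 means clean or repaired; 4 and above means unfixed errors.
fsck_ok() {
    e2fsck -f -y "$1" && rc=0 || rc=$?
    [ "$rc" -lt 4 ]
}

# resize2fs's own minimum-size estimate, in blocks (empty if unavailable).
min_blocks() {
    resize2fs -P "$1" 2>/dev/null | awk -F': ' '/minimum size/ { print $2 }'
}

# Same four-step sequence as the page (shrink fs, shrink LV, grow fs to the LV, fsck),
# with the target validated and checked against the minimum before anything is written.
resize_root_lv() {   # $1 = target size, e.g. 8G
    target_blocks=$(size_to_4k_blocks "$1") || { warn "rootresize: bad size '$1'"; return 1; }
    lvm_rw vgchange -ay >/dev/null
    fsck_ok "$ROOT_LV" || { warn "rootresize: fsck failed, not resizing"; return 1; }
    min=$(min_blocks "$ROOT_LV")
    if [ -n "$min" ] && [ "$target_blocks" -lt "$min" ]; then
        warn "rootresize: $1 is below the minimum of $min blocks, skipping"; return 1
    fi
    resize2fs -f "$ROOT_LV" "$1" &&
    lvm_rw lvresize -f -L "$1" "$ROOT_LV" &&
    resize2fs -f "$ROOT_LV" &&
    fsck_ok "$ROOT_LV"
}

# Only act inside the initramfs (dracut exports NEWROOT) and only when the flag is set.
if [ -n "${NEWROOT:-}" ] && size=$(parse_rootresize "$(cat /proc/cmdline)"); then
    resize_root_lv "$size" || warn "rootresize: failed, booting with the current layout"
fi
```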

#################################################################
### EXTEND u01
#################################################################

# lvextend -L+2G /dev/VolGroupSys/LogVolU01 
  Extending logical volume LogVolU01 to 4.11 GiB
  Logical volume LogVolU01 successfully resized

# resize2fs /dev/VolGroupSys/LogVolU01 
resize2fs 1.41.12 (17-May-2010)
Filesystem at /dev/VolGroupSys/LogVolU01 is mounted on /u01; on-line resizing required
old desc_blocks = 1, new_desc_blocks = 1
Performing an on-line resize of /dev/VolGroupSys/LogVolU01 to 1076224 (4k) blocks.
The filesystem on /dev/VolGroupSys/LogVolU01 is now 1076224 blocks long.

# vgs
  VG          #PV #LV #SN Attr   VSize  VFree
  VolGroupSys   1   2   0 wz--n- 14.80g 2.70g

# lvs
  LV         VG          Attr      LSize Pool Origin Data%  Move Log Cpy%Sync Convert
  LogVolRoot VolGroupSys -wi-ao--- 8.00g                                             
  LogVolU01  VolGroupSys -wi-ao--- 4.11g                                             

# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/VolGroupSys-LogVolRoot
                      7.9G  2.1G  5.8G  26% /
tmpfs                 1.9G     0  1.9G   0% /dev/shm
/dev/sda1             194M   29M  155M  16% /boot
/dev/mapper/VolGroupSys-LogVolU01
                      4.1G   69M  3.8G   2% /u01

#################################################################					  
### APPENDIX: 
#################################################################

** Use /var/messages/boot.log to check for dracut failures in the custom code. The run below is a failed one: resize2fs shrank the file system, lvresize was then refused by the initramfs's read-only LVM locking, and the final resize2fs simply grew the file system back to the unchanged LV size.
# more boot.log 
e2fsck 1.41.12 (17-May-2010)
Pass 1: Checking inodes, blocks, and sizes
_CentOS-6.4-x86_: |===                                             -  4.8%   
Pass 2: Checking directory structure                                           
Pass 3: Checking directory connectivity                                        
Pass 4: Checking reference counts
Pass 5: Checking group summary information
_CentOS-6.4-x86_: 76680/835584 files (0.1% non-contiguous), 578555/3328000 blocks
resize2fs 1.41.12 (17-May-2010)
Resizing the filesystem on /dev/VolGroupSys/LogVolRoot to 2621440 (4k) blocks.
Begin pass 3 (max = 102)
Scanning inode table          XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
The filesystem on /dev/VolGroupSys/LogVolRoot is now 2621440 blocks long.

  Read-only locking type set. Write locks are prohibited.
  Can't get lock for VolGroupSys
resize2fs 1.41.12 (17-May-2010)
Resizing the filesystem on /dev/VolGroupSys/LogVolRoot to 3328000 (4k) blocks.
Begin pass 1 (max = 22)
Extending the inode table     XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
The filesystem on /dev/VolGroupSys/LogVolRoot is now 3328000 blocks long.
[..]

** How to check whether lvm and resize2fs are in the initramfs image (an empty grep, as for resize2fs below, means the binary is missing and has to be added with dracut --install):

# lsinitrd /boot/initramfs-2.6.32-358.el6.x86_64.img | grep lvm
-rw-r--r--   1 root     root          657 Feb 22  2013 etc/udev/rules.d/64-lvm.rules
-r--r--r--   1 root     root         1286 Feb 22  2013 etc/udev/rules.d/11-dm-lvm.rules
drwxr-xr-x   2 root     root            0 May 21 13:27 etc/lvm
-rw-r--r--   1 root     root        37554 May 21 13:27 etc/lvm/lvm.conf
-rwxr-xr-x   1 root     root         2243 Feb 22  2013 sbin/lvm_scan
-r-xr-xr-x   1 root     root      1013336 May 21 13:27 sbin/lvm
[..]
-rwxr-xr-x   1 root     root          525 Feb 22  2013 cmdline/30parse-lvm.sh

# lsinitrd /boot/initramfs-2.6.32-358.el6.x86_64.img | grep resize2fs

#################################################################
#### Some links ...
#################################################################

Kernel panic on boot following "dracut Warning: LVM rootvg/rootlv not found": https://access.redhat.com/solutions/1282013
Rename LVM Volume Group Holding Root File System Volume: https://oraganism.wordpress.com/2013/03/09/rename-lvm-vg-for-root-fs-lv/
How to debug Dracut problems: https://fedoraproject.org/wiki/How_to_debug_Dracut_problems
Inject ephemeral disk into root disk: https://github.com/eucalyptus/eucalyptus/wiki/Inject-ephemeral-disk-into-root-disk
Convert an Existing System to Use Thin LVs: https://dustymabe.com/2013/09/07/convert-an-existing-system-to-use-thin-lvs/
Partition Resize fails on LVM: https://github.com/flegmatik/linux-rootfs-resize/issues/8
How to write a pre-mount startup script?: https://unix.stackexchange.com/questions/87814/how-to-write-a-pre-mount-startup-script

Is it possible to on-line shrink a EXT4 volume with LVM?: https://serverfault.com/questions/528075/is-it-possible-to-on-line-shrink-a-ext4-volume-with-lvm/528076
resize a Linux root partition while it's still mounted: http://www.ivarch.com/blogs/oss/2007/01/resize-a-live-root-fs-a-howto.shtml
How to shrink root filesystem without booting a livecd: https://unix.stackexchange.com/questions/226872/how-to-shrink-root-filesystem-without-booting-a-livecd?utm_medium=organic&utm_source=google_rich_qa&utm_campaign=google_rich_qa



Mar 31

Borg Backup and Rclone to Object Storage

I recently used Borg for protecting some critical files and am jotting down some notes here.

Borg exists in many distribution repos, so it is easy to install. When it is not in a repo, they provide pre-compiled binaries that can easily be added to your Linux OS.

Pick a server to act as your backup server (repository). Pretty much any Linux server where you can direct your clients to send their backups will do. You want to make your backup folder big enough, of course.

https://thisiscasperslife.wordpress.com/2017/11/28/using-borg-backup-across-ssh-with-sshkeys/
https://opensource.com/article/17/10/backing-your-machines-borg

# yum install borgbackup
# useradd borg
# passwd borg
# sudo su - borg 
$ mkdir /mnt/backups
$ cat /home/borg/.ssh/authorized_keys
ssh-rsa AAAAB3N[..]6N/Yw== root@server01
$ borg init /mnt/backups/repo1 -e none

**** CLIENT server01 with single binary (no repo for borgbackup on this server)

$ sudo su - root
# ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /root/.ssh/borg_key
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/borg_key.
Your public key has been saved in /root/.ssh/borg_key.pub.

# ./backup.sh 
Warning: Attempting to access a previously unknown unencrypted repository!
Do you want to continue? [yN] y
Synchronizing chunks cache...
Archives: 0, w/ cached Idx: 0, w/ outdated Idx: 0, w/o cached Idx: 0.
Done.
------------------------------------------------------------------------------
Archive name: server01-2018-03-29
Archive fingerprint: 79f91d82291db36be7de90c421c082d7ee4333d11ac77cd5d543a4fe568431e3
Time (start): Thu, 2018-03-29 19:32:45
Time (end):   Thu, 2018-03-29 19:32:47
Duration: 1.36 seconds
Number of files: 1069
Utilization of max. archive size: 0%
------------------------------------------------------------------------------
                       Original size      Compressed size    Deduplicated size
This archive:               42.29 MB             15.41 MB             11.84 MB
All archives:               42.29 MB             15.41 MB             11.84 MB

                       Unique chunks         Total chunks
Chunk index:                    1023                 1059
------------------------------------------------------------------------------
Keeping archive: server01-2018-03-29                     Thu, 2018-03-29 19:32:45 [79f91d82291db36be7de90c421c082d7ee4333d11ac77cd5d543a4fe568431e3]

*** RECOVER test. Done on the BORG server directly, but I will also test from the client. May need the BORG_RSH variable.

$ borg list repo1
server01-2018-03-29                     Thu, 2018-03-29 19:32:45 [79f91d82291db36be7de90c421c082d7ee4333d11ac77cd5d543a4fe568431e3]

$ borg list repo1::server01-2018-03-29 | less

$ cd /tmp
$ borg extract /mnt/backups/repo1::server01-2018-03-29  etc/hosts

$ ls -l etc/hosts 
-rw-r--r--. 1 borg borg 389 Mar 26 15:50 etc/hosts

APPENDIX: client backup.sh cron and source

# crontab -l
0 0 * * * /root/scripts/backup.sh > /dev/null 2>&1

# sudo su - root
# cd scripts/
# cat backup.sh 
#!/usr/bin/env bash

##
## Set environment variables
##

## if you don't use the standard SSH key,
## you have to specify the path to the key like this
export BORG_RSH='ssh -i /root/.ssh/borg_key'

## You can save your borg passphrase in an environment
## variable, so you don't need to type it in when using borg
# export BORG_PASSPHRASE="top_secret_passphrase"

##
## Set some variables
##

LOG="/var/log/borg/backup.log"
BACKUP_USER="borg"
REPOSITORY="ssh://${BACKUP_USER}@10.1.1.2/mnt/backups/repo1"

#export BORG_PASSCOMMAND=''

#Bail if borg is already running, maybe previous run didn't finish
if pidof -x borg >/dev/null; then
    echo "Backup already running"
    exit
fi

##
## Output to a logfile
##

exec > >(tee -i ${LOG})
exec 2>&1

echo "###### Backup started: $(date) ######"

##
## At this place you could perform different tasks
## that will take place before the backup, e.g.
##
## - Create a list of installed software
## - Create a database dump
##

##
## Transfer the files into the repository.
## In this example the folders root, etc,
## var/www and home will be saved.
## In addition you find a list of excludes that should not
## be in a backup and are excluded by default.
##

echo "Transfer files ..."
/usr/local/bin/borg create -v --stats                   \
    $REPOSITORY::'{hostname}-{now:%Y-%m-%d}'    \
    /root                                \
    /etc                                 \
    /u01                                 \
    /home                                \
    --exclude /dev                       \
    --exclude /proc                      \
    --exclude /sys                       \
    --exclude /var/run                   \
    --exclude /run                       \
    --exclude /lost+found                \
    --exclude /mnt                       \
    --exclude /var/lib/lxcfs


# Use the `prune` subcommand to maintain 7 daily, 4 weekly and 6 monthly
# archives of THIS machine. The '{hostname}-' prefix is very important to
# limit prune's operation to this machine's archives and not apply to
# other machine's archives also.
/usr/local/bin/borg prune -v --list $REPOSITORY --prefix '{hostname}-' \
    --keep-daily=7 --keep-weekly=4 --keep-monthly=6

echo "###### Backup ended: $(date) ######"

In addition to using Borg, this test was also about pushing backups to Oracle OCI object storage, so below are some steps I followed. I had to use the newest rclone because v1.36 had weird issues with the Oracle OCI S3 interface.

# curl https://rclone.org/install.sh | sudo bash

# df -h | grep borg
/dev/mapper/vg01-vg01--lv01  980G  7.3G  973G   1% /mnt/backups

# sudo su - borg

$ cat ~/.config/rclone/rclone.conf
[s3_backups]
type = s3
env_auth = false
access_key_id = ocid1.credential.oc1..aaaa[snipped]
secret_access_key = KJFevw6s=
region = us-ashburn-1
endpoint = [snipped].compat.objectstorage.us-ashburn-1.oraclecloud.com
location_constraint = 
acl = private
server_side_encryption = 
storage_class = 

$ rclone  lsd s3_backups: 
          -1 2018-03-27 21:07:11        -1 backups
          -1 2018-03-29 13:39:42        -1 repo1
          -1 2018-03-26 22:23:35        -1 terraform
          -1 2018-03-27 14:34:55        -1 terraform-src

Initial sync. Note I am using sync, but be warned: you need to figure out whether you want to use copy or sync. As far as I know sync may delete not only on the target but also on the source when syncing.

$ /usr/bin/rclone -v sync /mnt/borg/repo1 s3_backups:repo1
2018/03/29 22:37:00 INFO  : S3 bucket repo1: Modify window is 1ns
2018/03/29 22:37:00 INFO  : README: Copied (replaced existing)
2018/03/29 22:37:00 INFO  : hints.38: Copied (new)
2018/03/29 22:37:00 INFO  : integrity.38: Copied (new)
2018/03/29 22:37:00 INFO  : data/0/17: Copied (new)
2018/03/29 22:37:00 INFO  : config: Copied (replaced existing)
2018/03/29 22:37:00 INFO  : data/0/18: Copied (new)
2018/03/29 22:37:00 INFO  : index.38: Copied (new)
2018/03/29 22:37:59 INFO  : data/0/24: Copied (new)
2018/03/29 22:38:00 INFO  : 
Transferred:   1.955 GBytes (33.361 MBytes/s)
Errors:                 0
Checks:                 2
Transferred:            8
Elapsed time:        1m0s
Transferring:
 *                                     data/0/21: 100% /501.284M, 16.383M/s, 0s
 *                                     data/0/22: 98% /500.855M, 18.072M/s, 0s
 *                                     data/0/23: 100% /500.951M, 14.231M/s, 0s
 *                                     data/0/25:  0% /501.379M, 0/s, -

2018/03/29 22:38:00 INFO  : data/0/22: Copied (new)
2018/03/29 22:38:00 INFO  : data/0/23: Copied (new)
2018/03/29 22:38:01 INFO  : data/0/21: Copied (new)
2018/03/29 22:38:57 INFO  : data/0/25: Copied (new)
2018/03/29 22:38:58 INFO  : data/0/27: Copied (new)
2018/03/29 22:38:59 INFO  : data/0/26: Copied (new)
2018/03/29 22:38:59 INFO  : data/0/28: Copied (new)
2018/03/29 22:39:00 INFO  : 
Transferred:   3.919 GBytes (33.438 MBytes/s)
Errors:                 0
Checks:                 2
Transferred:           15
Elapsed time:        2m0s
Transferring:
 *                                     data/0/29:  0% /500.335M, 0/s, -
 *                                     data/0/30:  0% /500.294M, 0/s, -
 *                                     data/0/31:  0% /500.393M, 0/s, -
 *                                     data/0/32:  0% /500.264M, 0/s, -

2018/03/29 22:39:45 INFO  : data/0/29: Copied (new)
2018/03/29 22:39:52 INFO  : data/0/30: Copied (new)
2018/03/29 22:39:52 INFO  : S3 bucket repo1: Waiting for checks to finish
2018/03/29 22:39:55 INFO  : data/0/32: Copied (new)
2018/03/29 22:39:55 INFO  : S3 bucket repo1: Waiting for transfers to finish
2018/03/29 22:39:56 INFO  : data/0/31: Copied (new)
2018/03/29 22:39:57 INFO  : data/0/36: Copied (new)
2018/03/29 22:39:57 INFO  : data/0/37: Copied (new)
2018/03/29 22:39:57 INFO  : data/0/38: Copied (new)
2018/03/29 22:39:58 INFO  : data/0/1: Copied (replaced existing)
2018/03/29 22:40:00 INFO  : 
Transferred:   5.874 GBytes (33.413 MBytes/s)
Errors:                 0
Checks:                 3
Transferred:           23
Elapsed time:        3m0s
Transferring:
 *                                     data/0/33:  0% /500.895M, 0/s, -
 *                                     data/0/34:  0% /501.276M, 0/s, -
 *                                     data/0/35:  0% /346.645M, 0/s, -

2018/03/29 22:40:25 INFO  : data/0/35: Copied (new)
2018/03/29 22:40:28 INFO  : data/0/33: Copied (new)
2018/03/29 22:40:30 INFO  : data/0/34: Copied (new)
2018/03/29 22:40:30 INFO  : Waiting for deletions to finish
2018/03/29 22:40:30 INFO  : data/0/3: Deleted
2018/03/29 22:40:30 INFO  : index.3: Deleted
2018/03/29 22:40:30 INFO  : hints.3: Deleted
2018/03/29 22:40:30 INFO  : 
Transferred:   7.191 GBytes (34.943 MBytes/s)
Errors:                 0
Checks:                 6
Transferred:           26
Elapsed time:     3m30.7s

Run another sync showing nothing to do.

$ /usr/bin/rclone -v sync /mnt/borg/repo1 s3_backups:repo1
2018/03/29 22:43:13 INFO  : S3 bucket repo1: Modify window is 1ns
2018/03/29 22:43:13 INFO  : S3 bucket repo1: Waiting for checks to finish
2018/03/29 22:43:13 INFO  : S3 bucket repo1: Waiting for transfers to finish
2018/03/29 22:43:13 INFO  : Waiting for deletions to finish
2018/03/29 22:43:13 INFO  : 
Transferred:      0 Bytes (0 Bytes/s)
Errors:                 0
Checks:                26
Transferred:            0
Elapsed time:       100ms

Test the script and check the log

$ cd scripts/
$ ./s3_backup.sh 
$ more ../s3_backups.log 
2018/03/29 22:43:56 INFO  : S3 bucket repo1: Modify window is 1ns
2018/03/29 22:43:56 INFO  : S3 bucket repo1: Waiting for checks to finish
2018/03/29 22:43:56 INFO  : S3 bucket repo1: Waiting for transfers to finish
2018/03/29 22:43:56 INFO  : Waiting for deletions to finish
2018/03/29 22:43:56 INFO  : 
Transferred:      0 Bytes (0 Bytes/s)
Errors:                 0
Checks:                26
Transferred:            0
Elapsed time:       100ms

Check size used on object storage.

$ rclone size s3_backups:repo1
Total objects: 26
Total size: 7.191 GBytes (7721115523 Bytes)

APPENDIX: s3_backup.sh crontab and source

$ crontab -l
50 23 * * * /home/borg/scripts/s3_backup.sh

$ cat s3_backup.sh 
#!/bin/bash
set -e

#repos=( repo1 repo2 repo3 )
repos=( repo1 )

# Bail if rclone is already running, maybe the previous run didn't finish
if pidof -x rclone >/dev/null; then
    echo "Process already running"
    exit
fi

for i in "${repos[@]}"
do
    # See how much space is used by the directory to back up;
    # if the directory is gone or has gotten small, exit instead of
    # syncing an empty or truncated repo over the object-storage copy
    space=$(du -s "/mnt/backups/$i" 2>/dev/null | awk '{print $1}')
    space=${space:-0}   # du prints nothing when the directory is missing

    if (( space < 3450000 )); then
        echo "EXITING - not enough space used in $i"
        exit 1
    fi
    /usr/bin/rclone -v sync "/mnt/backups/$i" "s3_backups:$i" >> /home/borg/s3_backups.log 2>&1
done


Mar 29

Rclone and OCI S3 Interface

I am testing rclone against the Oracle Cloud (OCI) object storage and recording what worked for me.

Note: I could not get the Swift interface to work with rclone, duplicity or swiftclient yet, although straightforward curl does work against the Swift interface.

rclone configuration, generated with rclone config:

# cat /root/.config/rclone/rclone.conf
[s3_backups]
type = s3
env_auth = false
access_key_id = ocid1.credential.oc1..a<redacted>ta
secret_access_key = K<redacted>6s=
region = us-ashburn-1
endpoint = <tenancy>.compat.objectstorage.us-ashburn-1.oraclecloud.com
location_constraint = 
acl = private
server_side_encryption = 
storage_class = 

Issue with max-keys. This problem, although very difficult to find, was also preventing copy/sync of folders, although a single file was working. rclone v1.36 was installed from the Ubuntu repos, and the issue was resolved with a newer version.

# rclone ls s3_backups:repo1
2018/03/29 08:55:44 Failed to ls: InvalidArgument: The 'max-keys' parameter must be between 1 and 1000 (it was 1024) status code: 400, request id: fa704a55-44a8-1146-1b62-688df0366f63

Update and try again.

# curl https://rclone.org/install.sh | sudo bash
[..]
rclone v1.40 has successfully installed.

# rclone -V
rclone v1.40
- os/arch: linux/amd64
- go version: go1.10

# rclone ls s3_backups:repo1
      655 config
       38 hints.3

# rclone copy /root/backup/repo1 s3_backups:repo1

# rclone sync /root/backup/repo1 s3_backups:repo1

# rclone ls s3_backups:repo1
       26 README
      655 config
       38 hints.3
    82138 index.3
  5245384 data/0/1
  3067202 data/0/3

# rclone lsd s3_backups:
          -1 2018-03-27 21:07:11        -1 backups
          -1 2018-03-29 13:39:42        -1 repo1
          -1 2018-03-26 22:23:35        -1 terraform
          -1 2018-03-27 14:34:55        -1 terraform-src

References:
https://rclone.org/docs/
https://docs.us-phoenix-1.oraclecloud.com/api/#/en/s3objectstorage/20160918/
https://blog.selectel.com/rclone-rsync-cloud-storage/

In a future article I will add my testing around BorgBackup + rclone + OCI objectstorage from this interesting idea: https://opensource.com/article/17/10/backing-your-machines-borg


Mar 02

LVM Removing VG with missing disk

If you removed a disk from a server and forgot to cleanly remove the LVM configuration first, you may experience something similar to the following.

Below shows what happens with lvremove:

# lvremove --force --verbose /dev/vg02/u01
  WARNING: Device for PV ore6TE-2ues-rc5q-mkCN-hEHE-C4Av-paaxEH not found or rejected by a filter.
    There are 1 physical volumes missing.
    Archiving volume group "vg02" metadata (seqno 2).
    Releasing logical volume "u01"
  Aborting vg_write: No metadata areas to write to!

Some people seem to have success with vgreduce commands but I ended up making a fake device and extending the VG in order to cleanup the LV.

# lvs
  WARNING: Device for PV ore6TE-2ues-rc5q-mkCN-hEHE-C4Av-paaxEH not found or rejected by a filter.
  LV   VG   Attr       LSize   Pool Origin Data%  Meta%  Move Log Cpy%Sync Convert
  opt  vg01 -wi-ao---- 995.00g                                                    
  u01  vg02 -wi-----p- 248.00g                                                    

# dd if=/dev/zero of=/tmp/tmp.raw bs=1M count=100
100+0 records in
100+0 records out
104857600 bytes (105 MB) copied, 0.0763176 s, 1.4 GB/s

# losetup -f
/dev/loop0

# losetup /dev/loop0 /tmp/tmp.raw 

# vgextend vg02 /dev/loop0
  WARNING: Device for PV ore6TE-2ues-rc5q-mkCN-hEHE-C4Av-paaxEH not found or rejected by a filter.
  WARNING: Device for PV ore6TE-2ues-rc5q-mkCN-hEHE-C4Av-paaxEH not found or rejected by a filter.
  Physical volume "/dev/loop0" successfully created.
  WARNING: Device for PV ore6TE-2ues-rc5q-mkCN-hEHE-C4Av-paaxEH not found or rejected by a filter.
  Volume group "vg02" successfully extended

# vgremove vg02 --force
  WARNING: Device for PV ore6TE-2ues-rc5q-mkCN-hEHE-C4Av-paaxEH not found or rejected by a filter.
  Logical volume "u01" successfully removed
  Volume group "vg02" successfully removed

# pvremove /dev/loop0
  WARNING: Device for PV ore6TE-2ues-rc5q-mkCN-hEHE-C4Av-paaxEH not found or rejected by a filter.
  Labels on physical volume "/dev/loop0" successfully wiped.

# losetup -d /dev/loop0  
# rm /tmp/tmp.raw 

# lvs
  LV   VG   Attr       LSize   Pool Origin Data%  Meta%  Move Log Cpy%Sync Convert
  opt  vg01 -wi-ao---- 995.00g                                                    
# vgs
  VG   #PV #LV #SN Attr   VSize   VFree
  vg01   1   1   0 wz--n- 999.99g 4.99g
# pvs
  WARNING: Device for PV ore6TE-2ues-rc5q-mkCN-hEHE-C4Av-paaxEH not found or rejected by a filter.
  PV         VG   Fmt  Attr PSize   PFree
  /dev/sdb   vg01 lvm2 a--  999.99g 4.99g
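The loop-device workaround above as one function, an added example rather than the page's own commands: it always detaches the fake PV, even when vgremove fails, and it comes with a check that lists every VG whose metadata reports missing PVs. Assumed: the vgs field vg_missing_pv_count is available, and DRY_RUN=1 prints the commands instead of running them (the real run needs root).

```shell
#!/bin/sh
# Added example, not from the page: cleanup of a VG whose only PV is gone, using the
# page's temporary-PV trick with guaranteed teardown. DRY_RUN=1 echoes each command.

# Print VG names whose metadata reports missing PVs. Reads on stdin the output of:
#   vgs --noheadings --separator : -o vg_name,vg_missing_pv_count
# (the self-test feeds a constructed sample; the page's VG would print "vg02").
vgs_with_missing_pvs() {
    awk -F: '{ gsub(/^[ \t]+/, "", $1); if ($2 + 0 > 0) print $1 }'
}

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Give the VG a temporary PV to hold its metadata, remove the VG, then tear the PV
# down. Returns non-zero if the removal failed; the loop device is detached either
# way so the fake PV does not linger in later pvs output.
cleanup_missing_vg() {   # $1 = VG name
    vg=$1
    img=${FAKE_PV_IMAGE:-/tmp/lvm-fake-pv.raw}    # same role as the page's /tmp/tmp.raw
    run dd if=/dev/zero of="$img" bs=1M count=100 || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then loop=/dev/loopN; else loop=$(losetup -f); fi
    run losetup "$loop" "$img" || { rm -f "$img"; return 1; }
    status=0
    run vgextend "$vg" "$loop" && run vgremove --force "$vg" || status=1
    run pvremove -ff -y "$loop" || status=1   # -ff: wipe even if vgremove left it in the VG
    run losetup -d "$loop"
    rm -f "$img"
    return $status
}
```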


Feb 20

VNC over SSH Bastion host

You may ask why; the answer is that sometimes you just have to do stupid things.

bastion == jump host

Set up a tunnel

$ ssh -f -N -p 22 -L 55901:10.35.5.6:5901 -i customer-priv-key opc@<bastion public IP>

Run the VNC server

$ vncserver 
New 'ociserver:1 (opc)' desktop is ociserver:1
Starting applications specified in /home/opc/.vnc/xstartup
Log file is /home/opc/.vnc/ociserver:1.log

Note that the vncserver above also has a custom startup to bypass the system-wide xinit, which was spawning a GNOME desktop.

$ pwd
/home/opc/.vnc

$ more xstartup 
#!/bin/sh
# unset SESSION_MANAGER
# unset DBUS_SESSION_BUS_ADDRESS
#exec /etc/X11/xinit/xinitrc
#!/bin/sh
xrdb $HOME/.Xresources
xsetroot -solid grey
xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &

Connect

$ vncviewer localhost:55901
TigerVNC Viewer 64-bit v1.7.0
Tue Feb 20 13:14:43 2018
 DecodeManager: Detected 1 CPU core(s)
 DecodeManager: Decoding data on main thread
 CConn:       connected to host localhost port 55901
 CConnection: Server supports RFB protocol version 3.8
 CConnection: Using RFB protocol version 3.8
 CConnection: Choosing security type VeNCrypt(19)

Tue Feb 20 13:14:44 2018
 CVeNCrypt:   Choosing security type TLSVnc (258)

Tue Feb 20 13:14:51 2018
 X11PixelBuffer: Using default colormap and visual, TrueColor, depth 24.
 CConn:       Using pixel format depth 24 (32bpp) little-endian rgb888
 CConn:       Using Tight encoding
 CConn:       Enabling continuous updates


Feb 14

Python3 and pip

I am converting some scripts to python3 and noticed the pip modules in use for python2 need to be added for python3. I am not using virtualenv so below is my fix on Ubuntu 17.10.

Missing module oci.

$ python3 OCI_Details.py -t ocid1.tenancy.oc1..aa...mn55ca
Traceback (most recent call last):
  File "OCI_Details.py", line 14, in <module>
    import oci,optparse,os
ModuleNotFoundError: No module named 'oci'

The Python 2 module is there.

$ pip list --format=columns | grep oci
oci             1.3.14 

Ubuntu has python3-pip:

$ sudo apt install python3-pip
$ pip3 install oci
$ pip3 list --format=columns | grep oci
oci                   1.3.14   

Check my converted script.

$ python3 OCI_Details.py -t ocid1.tenancy.oc1..aaaaaa...5ca
OCI Details: 0.9.7
..


Dec 16

OCI VPN Server PriTunl for clients

Sometimes you need more than a bastion for reaching your cloud resources. Bastions are great for SSH and RDP tunneling, but they are really limited to admins and administration. Of course site-to-site can be solved with OCI CPE and tunnels between colo/client networks.

There are several options for VPN servers, and I use LibreSwan for testing site-to-site OCI tenancy VPN tunnels. LibreSwan could also work in the case of many users needing access to cloud resources, but it is not easy to administer users etc.

So this time I tried a product called pritunl (https://pritunl.com/).

You should be able to use normal OpenVPN and, I think, even IPsec clients to connect. Pritunl also provides clients, but ideally you should just be able to use anything generic.

The admin can easily add users and send an import file which includes your cert etc. For me this worked well under Linux just using the generic NetworkManager OpenVPN plugin, but I still need to verify Windows and Macs.

https://docs.pritunl.com/docs/installation

$ sudo -s
# tee -a /etc/yum.repos.d/mongodb-org-3.4.repo << EOF
> [mongodb-org-3.4]
> name=MongoDB Repository
> baseurl=https://repo.mongodb.org/yum/redhat/7/mongodb-org/3.4/x86_64/
> gpgcheck=1
> enabled=1
> gpgkey=https://www.mongodb.org/static/pgp/server-3.4.asc
> EOF
[mongodb-org-3.4]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/7/mongodb-org/3.4/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-3.4.asc

# tee -a /etc/yum.repos.d/pritunl.repo << EOF
> [pritunl]
> name=Pritunl Repository
> baseurl=https://repo.pritunl.com/stable/yum/centos/7/
> gpgcheck=1
> enabled=1
> EOF
[pritunl]
name=Pritunl Repository
baseurl=https://repo.pritunl.com/stable/yum/centos/7/
gpgcheck=1
enabled=1

# yum -y install epel-release
[snip]
Complete!

# grep disabled /etc/selinux/config 
#     disabled - No SELinux policy is loaded.
SELINUX=disabled

# gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 7568D9BB55FF9E5287D586017AE645C0CF8E292A
# gpg --armor --export 7568D9BB55FF9E5287D586017AE645C0CF8E292A > key.tmp; sudo rpm --import key.tmp; rm -f key.tmp
# yum -y install pritunl mongodb-org

# systemctl start mongod pritunl
# systemctl enable mongod pritunl
Created symlink from /etc/systemd/system/multi-user.target.wants/pritunl.service to /etc/systemd/system/pritunl.service.

Connect to web interface...

# firewall-cmd --zone=public --permanent --add-port=12991/udp
success
# systemctl restart firewalld

On the VPN server, remove the 0.0.0.0/0 route and add 10.1.0.0/16.
Install network-manager-openvpn on my Linux desktop and import the file exported from the VPN server.
Connect to the VPN server.

# ping 10.1.1.7
PING 10.1.1.7 (10.1.1.7) 56(84) bytes of data.
64 bytes from 10.1.1.7: icmp_seq=1 ttl=63 time=46.4 ms

$ ssh -I /media/ssh-keys/OBMCS opc@10.1.1.7
Last login: Fri Dec 15 16:50:24 2017


Dec 16

Linux Routing Two Interfaces on Same Subnet

It's possible you will never need to do this, and most likely there are experts who say to avoid it. I recently had a challenge to do exactly this, so I am recording my effort for future reference. This link helped me get it to work: https://access.redhat.com/solutions/30564

My setup is similar to the link above but with a few more layers. My setup is a CentOS 7 VM under KVM, with KVM using SR-IOV network Virtual Functions. To further complicate it, the KVM hypervisor is an Oracle Cloud (OCI) bare metal server. OCI hands out additional public IP addresses using VNICs, which are added to the host via pass-through. Out of scope here is adding VNICs to KVM guests. Also note the public IPs are NATed to private IPs.

[root@centos7 opc]# cat /etc/iproute2/rt_tables 
[..]
100 t1
101 t2

[root@centos7 opc]# cat /etc/sysconfig/network-scripts/route-ens3
10.1.0.0/16 dev ens3 src 10.1.1.12 table t1
default via 10.1.1.1 dev ens3 table t1

[root@centos7 opc]# cat /etc/sysconfig/network-scripts/route-ens9
10.1.0.0/16 dev ens9 src 10.1.1.13 table t2
default via 10.1.1.1 dev ens9 table t2

[root@centos7 opc]# cat /etc/sysconfig/network-scripts/rule-ens3
table t1 from 10.1.1.12

[root@centos7 opc]# cat /etc/sysconfig/network-scripts/rule-ens9
table t2 from 10.1.1.13

Note: you may not need all of the settings below (the ens3 and ens9 specific entries, for example); the defaults may be enough.

[root@centos7 opc]# cat /etc/sysctl.d/99-sysctl.conf 
[..]
net.ipv4.conf.all.arp_filter = 1
net.ipv4.conf.default.arp_filter = 1
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.default.arp_announce = 2

net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.ens3.rp_filter = 2
net.ipv4.conf.ens9.rp_filter = 2

Had some issues with the /etc/sysconfig/network-scripts/route-ens* files not being applied at reboot, although running /etc/sysconfig/network-scripts/route-ens3 and route-ens9 manually worked. Commenting out DEFROUTE and GATEWAY and adding NM_CONTROLLED=no made the routes come up at boot.

[root@centos7 opc]# cat /etc/sysconfig/network-scripts/ifcfg-ens3
TYPE=Ethernet
BOOTPROTO=static
#DEFROUTE=yes
NAME=ens3
DEVICE=ens3
ONBOOT=yes
IPADDR=10.1.1.12
NETMASK=255.255.255.0
#GATEWAY=10.1.1.1
NM_CONTROLLED="no"

[root@centos7 opc]# cat /etc/sysconfig/network-scripts/ifcfg-ens9
TYPE=Ethernet
BOOTPROTO=static
#DEFROUTE=yes
NAME=ens9
DEVICE=ens9
ONBOOT=yes
IPADDR=10.1.1.13
NETMASK=255.255.255.0
#GATEWAY=10.1.1.1
NM_CONTROLLED="no"

Reboot

[opc@centos7 ~]$ sudo -s
[root@centos7 opc]# ip route show table t1
default via 10.1.1.1 dev ens3 
10.1.0.0/16 dev ens3 scope link src 10.1.1.12 

[root@centos7 opc]# ip route show table t2
default via 10.1.1.1 dev ens9 
10.1.0.0/16 dev ens9 scope link src 10.1.1.13 

[root@centos7 opc]# ip route show
10.1.1.0/24 dev ens3 proto kernel scope link src 10.1.1.12 
10.1.1.0/24 dev ens9 proto kernel scope link src 10.1.1.13 
169.254.0.0/16 dev ens3 scope link metric 1002 
169.254.0.0/16 dev ens9 scope link metric 1003 

[root@centos7 opc]# ping -I 10.1.1.12 8.8.8.8
PING 8.8.8.8 (8.8.8.8) from 10.1.1.12 : 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=61 time=10.6 ms

[root@centos7 opc]# ping -I 10.1.1.13 8.8.8.8
PING 8.8.8.8 (8.8.8.8) from 10.1.1.13 : 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=61 time=10.5 ms

Ping from the hypervisor to the VM IPs works now.

# ping 10.1.1.12
PING 10.1.1.12 (10.1.1.12) 56(84) bytes of data.
64 bytes from 10.1.1.12: icmp_seq=1 ttl=64 time=0.223 ms

# ping 10.1.1.13
PING 10.1.1.13 (10.1.1.13) 56(84) bytes of data.
64 bytes from 10.1.1.13: icmp_seq=1 ttl=64 time=0.189 ms
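The point of the rule/table pairs above is that traffic sourced from each address must leave through the interface that owns it. As an added check (mine, not from the post), here is a POSIX shell function that verifies this from `ip rule` and `ip route show table all` output; the sample output is constructed to mirror the ens3/ens9 setup, and the exact position of the `table` token in the route lines is an assumption.

```shell
#!/bin/sh
# Added check, not from the post: confirm that each source address has a
# policy rule selecting a table whose default route leaves via the interface
# that owns the address, so replies never exit the "wrong" NIC.
# Samples are constructed to mirror the post's ens3/ens9 setup; the token
# order of `ip route show table all` lines is an assumption.
SAMPLE_RULES='0:     from all lookup local
32764: from 10.1.1.13 lookup t2
32765: from 10.1.1.12 lookup t1
32766: from all lookup main
32767: from all lookup default'

SAMPLE_ROUTES='default via 10.1.1.1 dev ens3 table t1
10.1.0.0/16 dev ens3 table t1 scope link src 10.1.1.12
default via 10.1.1.1 dev ens9 table t2
10.1.0.0/16 dev ens9 table t2 scope link src 10.1.1.13
10.1.1.0/24 dev ens3 proto kernel scope link src 10.1.1.12
10.1.1.0/24 dev ens9 proto kernel scope link src 10.1.1.13'

# rule_table SRC RULES -> name of the table a "from SRC" rule selects
rule_table() {
  printf '%s\n' "$2" | awk -v s="$1" '$2=="from" && $3==s && $4=="lookup" {print $5; exit}'
}

# table_has_default TABLE DEV ROUTES -> 0 if TABLE's default route uses DEV
table_has_default() {
  printf '%s\n' "$3" | awk -v t="$1" -v d="$2" '
    $1=="default" {
      dev=""; tbl="main"
      for (i=2; i<=NF; i++) { if ($i=="dev") dev=$(i+1); if ($i=="table") tbl=$(i+1) }
      if (tbl==t && dev==d) found=1
    }
    END { exit found ? 0 : 1 }'
}

# check_source_routing SRC DEV RULES ROUTES -> 0 when both conditions hold
check_source_routing() {
  tbl=$(rule_table "$1" "$3")
  [ -n "$tbl" ] || { echo "no policy rule for source $1" >&2; return 1; }
  table_has_default "$tbl" "$2" "$4" || { echo "table $tbl has no default route via $2" >&2; return 1; }
}

check_source_routing 10.1.1.12 ens3 "$SAMPLE_RULES" "$SAMPLE_ROUTES" && echo "ens3 ok"
check_source_routing 10.1.1.13 ens9 "$SAMPLE_RULES" "$SAMPLE_ROUTES" && echo "ens9 ok"
```

On a live host, feed it `$(ip rule)` and `$(ip route show table all)` instead of the constructed samples.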


Nov 05

OCI (OBMCS) and Libreswan

Recently I wanted to test the Oracle Cloud Infrastructure (OCI) CPE (Customer Premises Equipment) networking using an IPsec VPN tunnel.  The online documentation covers quite a few popular vendors like Check Point, Cisco, Fortigate, Juniper and Palo Alto.  Since I did not have quick access to any off-the-shelf VPN appliance, I used the popular open source software Libreswan.

In addition I wanted to make this work to an OCI tenancy and not just a public VPN server.  It may not necessarily apply to any real world use cases but I wanted to test it.

Link of OCI CPE/IPsec documentation:  https://docs.us-phoenix-1.oraclecloud.com/Content/Network/Tasks/configuringCPE.htm?Highlight=ipsec

Below are notes on getting the Libreswan config to match what the OCI tunnel requires.  Note that once the VPN link is established you may still need to work on security lists, route tables, routes and DRGs to pass traffic behind the VPN endpoints.

Endpoint A: OCI tenancy using the CPE/IPsec setup
Endpoint B: OCI tenancy running a Libreswan server in a public subnet.  Typically this would be a customer's VPN server on their premises or in a colo.  Also note that an OCI instance with a public address is not a true public server: it sits behind a firewall with the public IP NATed to a private one, so the operating system only sees a non-routable address and has no public interface.  The Libreswan side is therefore effectively a NAT setup, which is why the right side below has a 10. address.

Start off by setting up CPE(Public IP address), DRG and IPsec tunnel from the OCI console.  In this case the public IP address for the CPE will be the Libreswan Linux server endpoint B. The OCI IPsec tunnel will provide you three IP addresses and shared secrets.  We will just use one of the three for our test.

Install from standard repo: 

[root@vpn01 opc]# yum install openswan lsof

Set some required kernel settings and firewall rules: 

[root@vpn01 opc]# for s in /proc/sys/net/ipv4/conf/*; do echo 0 > $s/send_redirects; echo 0 > $s/accept_redirects; done
[root@vpn01 opc]# cat /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.ens3.rp_filter = 0
#IPSec
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.rp_filter = 0 
net.ipv4.conf.ip_vti0.rp_filter = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.default.log_martians = 0

[root@vpn01 opc]# sysctl -p
[root@vpn01 opc]# firewall-cmd --zone=public --add-port=500/udp --permanent
success
[root@vpn01 opc]# firewall-cmd --zone=public --add-port=4500/tcp --permanent
success
[root@vpn01 opc]# firewall-cmd --zone=public --add-port=4500/udp --permanent
success
[root@vpn01 opc]# firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o eth0 -j MASQUERADE -s 10.0.0.0/16
success

Test a reachable host on a private network behind endpoint B:

[root@vpn01 opc]# ping 10.0.5.7
PING 10.0.5.7 (10.0.5.7) 56(84) bytes of data.
64 bytes from 10.0.5.7: icmp_seq=1 ttl=64 time=0.164 ms

Per the Oracle documentation, the IPsec tunnel requirements are as follows:

ISAKMP Policy Options
ISAKMP Protocol version 1
Exchange type: Main mode
Authentication method: pre-shared-keys
Encryption: AES-128-cbc, AES-192-cbc, AES-256-cbc
Authentication algorithm: SHA-256, SHA-384
Diffie-Hellman group: group 1, group 2, group 5
IKE session key lifetime: 28800 seconds (8 hours)

IPSec Policy Options
IPSec protocol: ESP, tunnel-mode
Encryption: AES-128-cbc, AES-192-cbc, AES-256-cbc
Authentication algorithm: HMAC-SHA1-96
IPSec session key lifetime: 3600 seconds (1 hour)
Perfect Forward Secrecy (PFS): enabled, group 5
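Matching Libreswan's proposal strings to these two tables is the crux of the debugging further down. As an added POSIX shell checker (mine, not from the post or from Libreswan), the functions below test an `ike=` or `phase2alg=` value against the tables; the group-to-modp mapping (group 1/2/5 = modp768/modp1024/modp1536) and the alias normalisation are assumptions about Libreswan naming.

```shell
#!/bin/sh
# Added checker, not from the post: test whether Libreswan IKEv1 proposal
# strings such as "aes_cbc256-sha1;modp1536" fall inside the OCI policy
# tables quoted above. Allowed sets are transcribed from those tables;
# the modp names for DH groups 1/2/5 are an assumption about Libreswan naming.
OCI_ENC="aes128 aes192 aes256"          # AES-128/192/256-cbc (both phases)
OCI_IKE_HASH="sha2_256 sha2_384"        # ISAKMP: SHA-256, SHA-384
OCI_IKE_DH="modp768 modp1024 modp1536"  # ISAKMP: DH group 1, 2, 5
OCI_ESP_AUTH="sha1"                     # IPsec: HMAC-SHA1-96
OCI_PFS_DH="modp1536"                   # PFS: group 5

in_set() { for w in $2; do [ "$w" = "$1" ] && return 0; done; return 1; }

# Normalise Libreswan aliases: aes_cbc256 -> aes256, sha256 -> sha2_256.
norm() { printf '%s' "$1" | sed -e 's/^aes_cbc/aes/' -e 's/^sha\([0-9]\{3\}\)$/sha2_\1/'; }

# split_proposal PROPOSAL -> sets ENC, AUTH, DH from "enc-auth;dh" (DH may be absent)
split_proposal() {
  alg=${1%%;*}; DH=${1#*;}; [ "$DH" = "$1" ] && DH=""
  ENC=$(norm "${alg%%-*}"); AUTH=$(norm "${alg#*-}")
  [ "$AUTH" = "$ENC" ] && AUTH=""
}

# check_ike_proposal PROPOSAL -> 0 if it satisfies the ISAKMP table
check_ike_proposal() {
  split_proposal "$1"
  in_set "$ENC" "$OCI_ENC"       || { echo "IKE encryption '$ENC' not allowed" >&2; return 1; }
  in_set "$AUTH" "$OCI_IKE_HASH" || { echo "IKE hash '$AUTH' not allowed" >&2; return 1; }
  in_set "$DH" "$OCI_IKE_DH"     || { echo "IKE DH group '$DH' not allowed" >&2; return 1; }
}

# check_esp_proposal PROPOSAL -> 0 if it satisfies the IPsec table including PFS group 5
check_esp_proposal() {
  split_proposal "$1"
  in_set "$ENC" "$OCI_ENC"       || { echo "ESP encryption '$ENC' not allowed" >&2; return 1; }
  in_set "$AUTH" "$OCI_ESP_AUTH" || { echo "ESP auth '$AUTH' not allowed" >&2; return 1; }
  in_set "$DH" "$OCI_PFS_DH"     || { echo "PFS group '$DH' is not group 5" >&2; return 1; }
}

check_ike_proposal "aes256-sha2_256;modp1536" && echo "IKE proposal OK"
check_esp_proposal "aes_cbc256-sha1;modp1536" && echo "ESP proposal OK"
```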

Set up a new conf and secrets file:

[root@vpn01 opc]# cat /etc/ipsec.d/U.conf
conn V-Testing
  authby=secret
  keyexchange=ike
  ike=aes_cbc256-sha1;modp1536
  ikelifetime=28800s
  #ike-frag=no
  ikev2=no
  #nat-ikev1-method=drafts
  phase2=esp
  phase2alg=aes_cbc256-sha1;modp1536
  pfs=yes
  salifetime=3600s
  sareftrack=no
  #dpdtimeout=10
  #dpddelay=3
  left=1.1.1.1
  leftid=1.1.1.1
  right=10.0.4.3
  rightid=2.2.2.2
  rightnexthop=2.2.2.2
  rightsourceip=10.0.4.3
  leftsubnet=10.60.0.0/16
  rightsubnet=10.0.0.0/16
  auto=start

[root@vpn01 opc]# cat /etc/ipsec.d/U.secrets
1.1.1.1 2.2.2.2 : PSK "place_your_shared_key_here"

[root@vpn01 opc]# systemctl start ipsec
[root@vpn01 opc]# systemctl enable ipsec
[root@vpn01 opc]# ipsec verify
Verifying installed system and configuration files
...

For reference, some initial status and pluto.log output used during debugging to get the options matched to OCI, plus reference links:
https://libreswan.org/man/ipsec.conf.5.html
https://tools.ietf.org/html/rfc3526

initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#15 msgid:08137451 proposal=AES(12)_128-SHA1(2) pfsgroup=MODP1024}

000 "v6neighbor-hole-out":   policy: PFS+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+PASS+NEVER_NEGOTIATE;

000 "V-Testing":   policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+ESN_NO;
000 "V-Testing":   conn_prio: 30,30; interface: ens3; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "V-Testing":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no;
000 "V-Testing":   dpd: action:hold; delay:3; timeout:10; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:drafts
000 "V-Testing":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "V-Testing":   IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)-MODP1024(2)
000 "V-Testing":   IKE algorithms found:  AES_CBC(7)_256-SHA1(2)-MODP1024(2)
000 "V-Testing":   ESP algorithms wanted: AES(12)_256-SHA1(2); pfsgroup=MODP1024(2)
000 "V-Testing":   ESP algorithms loaded: AES(12)_256-SHA1(2)

000 Total IPsec connections: loaded 1, active 1
000  
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)

For reference some pluto.log entries used during debugging:

[root@vpn01 opc]# tail -f /var/log/pluto.log 
Nov  4 18:41:17: | setup callback for interface lo:500 fd 19
Nov  4 18:41:17: | setup callback for interface ens3:4500 fd 18
Nov  4 18:41:17: | setup callback for interface ens3:500 fd 17
Nov  4 18:41:17: loading secrets from "/etc/ipsec.secrets"
Nov  4 18:41:17: loading secrets from "/etc/ipsec.d/U.secrets"
Nov  4 18:41:17: "V-Testing": route-client output: /usr/libexec/ipsec/_updown.netkey: doroute "ip route replace 10.60.0.0/16 via 2.2.2.2 dev ens3  src 10.0.4.3" failed (RTNETLINK answers: Network is unreachable)
Nov  4 18:41:17: "V-Testing" #1: initiating Main Mode
Nov  4 18:41:18: assign_holdpass() delete_bare_shunt() failed
Nov  4 18:41:18: initiate_ondemand_body() failed to install negotiation_shunt,
Nov  4 18:41:18: initiate on demand from 10.0.4.3:8 to 10.60.1.2:0 proto=1 because: acquire

Not sure if this route was necessary, but showing it for reference.  Pretty sure it is not needed:

[root@vpn01 opc]# route add -net 10.60.0.0/16 gw 10.0.4.1
[root@vpn01 opc]# ip route
default via 10.0.4.1 dev ens3 
10.0.4.0/24 dev ens3 proto kernel scope link src 10.0.4.3 
10.60.0.0/16 via 10.0.4.1 dev ens3 
169.254.0.0/16 dev ens3 proto static scope link 
169.254.0.0/16 dev ens3 scope link metric 1002 

Some ping tests for reference showing passing traffic:


[root@vpn01 opc]# ifconfig ens3
ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 9000
        inet 10.0.4.3  netmask 255.255.255.0  broadcast 10.0.4.255

[root@vpn01 opc]# ping 10.60.1.2
PING 10.60.1.2 (10.60.1.2) 56(84) bytes of data.
64 bytes from 10.60.1.2: icmp_seq=1 ttl=64 time=0.460 ms

[root@gw01 opc]# ifconfig ens3
ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 9000

[root@gw01 opc]# ping 10.0.4.3
PING 10.0.4.3 (10.0.4.3) 56(84) bytes of data.
64 bytes from 10.0.4.3: icmp_seq=1 ttl=64 time=0.424 ms

After tuning security lists, route tables, DRG's, routes etc some ping tests for reference showing passing traffic on private subnets behind endpoints:

[root@client01 opc]# ifconfig ens3
ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 9000
        inet 10.0.5.12  netmask 255.255.255.0  broadcast 10.0.5.255

[root@client01 opc]# ping 10.60.1.2
PING 10.60.1.2 (10.60.1.2) 56(84) bytes of data.
64 bytes from 10.60.1.2: icmp_seq=1 ttl=63 time=0.566 ms

[root@gw01 opc]# ifconfig ens3
ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 9000
        inet 10.60.1.2  netmask 255.255.255.0  broadcast 10.60.1.255

[root@gw01 opc]# ping 10.0.5.12
PING 10.0.5.12 (10.0.5.12) 56(84) bytes of data.
64 bytes from 10.0.5.12: icmp_seq=1 ttl=63 time=0.638 ms


Oct 20

Bash variable in an awk search pattern

I spent some time getting this working, so I am documenting it for reference.

Grabbing an IP address from an ssh config file works fine using a static string.

$ awk '/^Host rdpclient1$/{x=1}x&&/HostName/{print $2;exit}' ~/.ssh/Prod-config
10.1.4.4

Using double quotes with either a static string or a bash variable does not work, because the shell expands the unescaped $2 to an empty string before awk runs, so awk's print outputs the whole line instead of the second field.

$ awk "/^Host rdpclient1$/{x=1}x&&/HostName/{print $2;exit}" ~/.ssh/Prod-config
     HostName 10.1.4.4
$ awk "/^Host $host$/{x=1}x&&/HostName/{print $2;exit}" ~/.ssh/Prod-config
     HostName 10.1.4.4

Using double quotes plus a bash variable and escaping the print variable $2 works.

$ awk  "/^Host ${host}$/{x=1}x&&/HostName/{print \$2;exit}" ~/.ssh/Prod-config
10.1.4.4

And here is a little script that uses the ssh config settings for RDP through a jumphost (bastion) Linux server.

Host gw01
     HostName <public IP>
     User opc
     IdentityFile mysshkey
Host rdpclient1
     HostName 10.1.4.4
     ProxyJump gw01

$ cat rdesktop_jumphost.sh 
#!/bin/bash
# Usage: rdesktop_jumphost.sh <Host entry in ~/.ssh/Prod-config>
host=$1
config=~/.ssh/Prod-config

# Value of KEY inside the "Host NAME" block. x is reset at the next Host
# line so a key from a later block (another host's User, say) is not returned.
sshcfg() {
    awk "/^Host ${1}$/{x=1;next} /^Host /{x=0} x&&/^ *${2} /{print \$2;exit}" "$config"
}

privateIP=$(sshcfg "$host" HostName)
jumphost=$(sshcfg "$host" ProxyJump)
jumphostIP=$(sshcfg "$jumphost" HostName)
jumpuser=$(sshcfg "$jumphost" User)     # User lives in the jumphost's block
localRdpPort=33389

# Background tunnel: local port -> RDP port on the private host, via the jumphost
ssh -f -N -p 22 -L "$localRdpPort:$privateIP:3389" -i mysshkey "$jumpuser@$jumphostIP"
# Find the tunnel by its exact forward spec rather than any process mentioning the port number
tunnelpid=$(pgrep -f "L $localRdpPort:$privateIP:3389")

rdesktop "localhost:$localRdpPort"

kill "$tunnelpid"
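Splicing a shell variable into the awk program text works, but it also means the value becomes awk code. As an added alternative (mine, not from the post), the function below passes the host name in with `awk -v`, so the shell never sees a `$2` to expand and a value containing quotes or regex metacharacters is compared as a plain string; the config is constructed to mirror the layout above, with a documentation address standing in for the real public IP.

```shell
#!/bin/sh
# Added example, not from the post: hand the host name to awk with -v
# instead of splicing it into the program text. The shell then never sees
# a $2 to expand, and a value containing quotes or regex metacharacters
# cannot change the awk program (the host name is compared as a string).

# Constructed ssh config mirroring the post's layout (203.0.113.10 is a
# documentation address standing in for the real public IP).
SAMPLE_CONFIG='Host gw01
     HostName 203.0.113.10
     User opc
     IdentityFile mysshkey
Host rdpclient1
     HostName 10.1.4.4
     ProxyJump gw01'

# ssh_config_get HOST KEY CONFIG_TEXT -> value of KEY inside the "Host HOST" block
ssh_config_get() {
  printf '%s\n' "$3" | awk -v want="$1" -v key="$2" '
    $1 == "Host"         { inblock = ($2 == want); next }  # exact compare, not a regex
    inblock && $1 == key { print $2; exit }'
}

ssh_config_get rdpclient1 HostName "$SAMPLE_CONFIG"   # prints 10.1.4.4
ssh_config_get gw01 User "$SAMPLE_CONFIG"             # prints opc
```

With a real file, replace `"$SAMPLE_CONFIG"` by `"$(cat ~/.ssh/Prod-config)"`.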
