Archive for the ‘Linux’ Category

Recovering data from Linux LVM with same volume group name

Replacing or upgrading a notebook's internal HDD is not a usual task, but I performed one lately due to a failing HDD. smartctl reported HDD read failures and I decided to make an early replacement. However, I still needed to copy the recent data that had not been backed up.

Cloning the HDD did not seem a good option, as it takes longer and might fail to replicate the data completely because of the HDD read failures. So I reinstalled OpenSUSE on the new HDD and restored the relevant data onto its partitions.

The default LVM volume group name chosen by the OpenSUSE installer was the same as that of the previous volume group. This creates a problem when accessing data on the failing HDD, as I need to mount a partition in an LVM volume group that has the same name as the one on the running system. You should change the volume group name to something other than “system” during the installation. I guess I didn’t pay much attention during the installation, and now I have 2 “system” volume groups. How should I mount the volume on the failing HDD then?

Actually, it is just a matter of renaming the volume group.

1) Discover the UUID of the volume group with dd by dumping the disk header.

dd if=/dev/sdb2 bs=512 count=255 skip=1 of=/tmp/sdb2.txt

Check the output for the volume group UUID.

cat /tmp/sdb2.txt

You will find something like this.

system {
id = "8SX5aX-gQZJ-auYA-UX54-BkBA-nc4V-rNoV6v"
seqno = 6
status = ["RESIZEABLE", "READ", "WRITE"]
flags = []
extent_size = 8192
max_lv = 0
max_pv = 0

physical_volumes {

pv0 {
id = "dAe8PS-ThIN-Piez-pmqE-8hUv-vdGM-dyvtSO"
device = "/dev/sda2"

status = ["ALLOCATABLE"]
flags = []
dev_size = 487845855
pe_start = 384
pe_count = 59551
}
}

logical_volumes {

home {
id = "hQH10J-MouP-sNok-VNJN-53As-BYsw-b5cqS3"
status = ["READ", "WRITE", "VISIBLE"]
flags = []
segment_count = 1

segment1 {
start_extent = 0
extent_count = 50847

type = "striped"
stripe_count = 1        # linear

stripes = [
"pv0", 0
]
}
}

root {
id = "nde2YD-6rgk-Ufm7-bLf7-ERTc-bHdO-kg7fwF"
status = ["READ", "WRITE", "VISIBLE"]
flags = []
segment_count = 1

segment1 {
start_extent = 0
extent_count = 7680

type = "striped"
stripe_count = 1        # linear

stripes = [
"pv0", 51359
]
}
}

swap {
id = "KXGiD4-qFSH-smun-P4wS-TH14-xxfY-lWYlq8"
status = ["READ", "WRITE", "VISIBLE"]
flags = []
segment_count = 2

segment1 {
start_extent = 0
extent_count = 512

type = "striped"
stripe_count = 1        # linear

stripes = [
"pv0", 59039
]
}
segment2 {
start_extent = 512
extent_count = 512

type = "striped"
stripe_count = 1        # linear

stripes = [
"pv0", 50847
]
}
}
}
}

 

The UUID of the volume group “system” is “8SX5aX-gQZJ-auYA-UX54-BkBA-nc4V-rNoV6v”

2) Renaming the volume group
vgrename 8SX5aX-gQZJ-auYA-UX54-BkBA-nc4V-rNoV6v oldsystem

3) Activate the renamed volume group

# vgchange oldsystem -a y

Now you should have your vg ready. Verify it with

# pvscan

Output

  PV /dev/sdb2   VG oldsystem      lvm2 [232.62 GiB / 0    free]
  PV /dev/sda2   VG system   lvm2 [297.93 GiB / 23.93 GiB free]
  Total: 2 [530.55 GiB] / in use: 2 [530.55 GiB] / in no VG: 0 [0   ]

Check the volume

# lvscan

  ACTIVE            '/dev/oldsystem/home' [198.62 GiB] inherit
  ACTIVE            '/dev/oldsystem/root' [30.00 GiB] inherit
  ACTIVE            '/dev/oldsystem/swap' [4.00 GiB] inherit
  ACTIVE            '/dev/system/home' [250.00 GiB] inherit
  ACTIVE            '/dev/system/root' [20.00 GiB] inherit
  ACTIVE            '/dev/system/swap' [4.00 GiB] inherit

That’s it. You can now mount and dump/restore the failing hdd.
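Step 1 can be scripted instead of read by eye. The following is an added example, not part of the original post: it pulls the volume group name, UUID and seqno out of a raw dump like /tmp/sdb2.txt, skipping the nested PV and LV ids and, because the on-disk metadata area can hold older generations of the text, picking the copy with the highest seqno. The function names and the sample dump are constructed for illustration; the UUIDs are the ones shown above.

```shell
#!/bin/sh
# Added example (not from the original post): pick the volume group name, UUID
# and seqno out of a raw LVM2 metadata dump such as /tmp/sdb2.txt.

# vg_from_dump FILE -> prints "NAME UUID SEQNO" for the copy with the highest seqno
vg_from_dump() {
    # Turn every non-printable byte into a newline so awk only sees text lines.
    LC_ALL=C tr -c '\11\12\40-\176' '\n' < "$1" | awk '
        BEGIN { best = -1 }
        # "name {" while outside any block opens a volume group section.
        depth == 0 && /^[A-Za-z0-9_.+-]+ \{$/ {
            name = $1; id = ""; seq = 0; depth = 1; next
        }
        depth >= 1 {
            # Only depth 1 holds the VG fields; PV and LV ids sit deeper.
            if (depth == 1 && $1 == "id" && id == "") { id = $3; gsub(/"/, "", id) }
            if (depth == 1 && $1 == "seqno") seq = $3 + 0
            depth += gsub(/\{/, "{") - gsub(/\}/, "}")
            if (depth == 0 && id != "" && seq > best) {
                best = seq; out = name " " id " " seq
            }
        }
        END { if (out == "") exit 1; print out }
    '
}

# Constructed sample: binary padding plus two metadata generations, newest first.
make_sample_dump() {
    {
        printf '\000\001LABELONE\000\000'
        printf 'system {\n\tid = "8SX5aX-gQZJ-auYA-UX54-BkBA-nc4V-rNoV6v"\n\tseqno = 6\n'
        printf '\tphysical_volumes {\n\t\tpv0 {\n'
        printf '\t\t\tid = "dAe8PS-ThIN-Piez-pmqE-8hUv-vdGM-dyvtSO"\n\t\t}\n\t}\n}\n'
        printf '\000\000'
        printf 'system {\n\tid = "8SX5aX-gQZJ-auYA-UX54-BkBA-nc4V-rNoV6v"\n\tseqno = 5\n}\n'
    } > "$1"
}

dump=$(mktemp)
make_sample_dump "$dump"
vg_from_dump "$dump"    # system 8SX5aX-gQZJ-auYA-UX54-BkBA-nc4V-rNoV6v 6
rm -f "$dump"
```

The second field of the output is the value to pass to vgrename in step 2.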

Saturday, January 14th, 2012

ssh ‘connection reset by peer’ issue

I have been plagued by an ssh problem since openssh 5.8p1 on OpenSuSE 11.4. Without any warning, even with the debug level set to 3, ssh connections to older routers/servers are dropped silently. I have an issue ssh’ing to AMD64 FreeBSD 8.2-RELEASE, which comes with OpenSSH 5.4p1.

chflags@zeus:~> ssh -v 10.0.48.61 -l kevin
OpenSSH_5.8p1, OpenSSL 1.0.0c 2 Dec 2010
debug1: Reading configuration data /home/chflags/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to 10.0.48.61 [10.0.48.61] port 22.
debug1: Connection established.
debug1: identity file /home/chflags/.ssh/id_rsa type -1
debug1: identity file /home/chflags/.ssh/id_rsa-cert type -1
debug1: identity file /home/chflags/.ssh/id_dsa type -1
debug1: identity file /home/chflags/.ssh/id_dsa-cert type -1
debug1: identity file /home/chflags/.ssh/id_ecdsa type -1
debug1: identity file /home/chflags/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.4p1 FreeBSD-20100308
debug1: match: OpenSSH_5.4p1 FreeBSD-20100308 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.8
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
Read from socket failed: Connection reset by peer

With some internet searching, I'm not the only one who's got bitten by this bug :p
Openssh dev: http://www.gossamer-threads.com/lists/engine?do=post_view_flat;post=51339;page=1;mh=-1;list=openssh;sb=post_latest_reply;so=ASC
Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=612607
Ubuntu: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/708493
Arch Linux: https://bugs.archlinux.org/task/22897?project=1


WORKAROUNDS

1) Downgrade openssh to version 5.5p1 or lower or, better still, upgrade to version 5.8p2, or wait for the future release of 5.9p1.

2) Add "-c 'aes128-ctr'" when connecting to a router/server with an older version of ssh.

3) Add to ~/.ssh/config: HostKeyAlgorithms ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss (I personally couldn't get this to work, so I can't verify it. You can try it though.)

Once you use one of the workarounds, you should be able to connect to old router/servers. For instance, with workaround 2:-

chflags@zeus:~> ssh -v 10.0.48.61 -c 'aes128-ctr'
OpenSSH_5.8p1, OpenSSL 1.0.0c 2 Dec 2010
debug1: Reading configuration data /home/chflags/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to 10.0.48.61 [10.0.48.61] port 22.
debug1: Connection established.
debug1: identity file /home/chflags/.ssh/id_rsa type -1
debug1: identity file /home/chflags/.ssh/id_rsa-cert type -1
debug1: identity file /home/chflags/.ssh/id_dsa type -1
debug1: identity file /home/chflags/.ssh/id_dsa-cert type -1
debug1: identity file /home/chflags/.ssh/id_ecdsa type -1
debug1: identity file /home/chflags/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.4p1 FreeBSD-20100308
debug1: match: OpenSSH_5.4p1 FreeBSD-20100308 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.8
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 63:4c:3e:87:76:5a:d7:62:47:d7:74:60:84:72:10:03
debug1: Host '10.0.48.61' is known and matches the RSA host key.
debug1: Found key in /home/chflags/.ssh/known_hosts:22
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/chflags/.ssh/id_rsa
debug1: Trying private key: /home/chflags/.ssh/id_dsa
debug1: Trying private key: /home/chflags/.ssh/id_ecdsa
debug1: Next authentication method: keyboard-interactive
Password:

Friday, May 6th, 2011

FreeBSD : displaying chinese characters in console

A quick and easy tip to display Chinese characters in console mode. This applies not only to FreeBSD but also to Linux and some other *nix variants.

This is what you get when dealing with Chinese characters in console mode with csh.

Just set the LANG environment variable to zh_TW.UTF-8 with the command setenv LANG zh_TW.UTF-8.

Simple eh? Indeed. To make it permanent, edit /etc/csh.cshrc and put these in:-

setenv ENABLE_STARTUP_LOCALE zh_TW.UTF-8
setenv LC_CTYPE en_US.ISO10646-1
setenv LC_ALL zh_TW.UTF-8
setenv LANG zh_TW.UTF-8

For bash, you can just edit /etc/profile and instead of using setenv, you do it with export. i.e. export LANG=zh_TW.UTF-8.

Wednesday, January 12th, 2011

OpenSuSE 11.3: Network Management disabled

Got hit by a buggy network manager on OpenSuSE 11.3 that turned disabled after waking up from suspend/hibernate.

Simple workarounds to get network manager working again (Use any of these) :-


# qdbus --system org.freedesktop.NetworkManager /org/freedesktop/NetworkManager wake


# nm-online


# rm /var/lib/NetworkManager/NetworkManager.state && rcnetwork restart

This resume bug is marked fixed. However it is not available in update repo yet. :(

Monday, July 19th, 2010

Battery info button on HP elitebook 6930p

Keymapping a laptop keyboard is fun, especially as there are lots of default actions attached to it. One particular key, FnF8, which has a tiny battery icon, is not mapped to any action. It has a keycode of 137 on the HP elitebook 6930p. I decided to bind the keycode to call up the kpowersave information dialog since I am using KDE4 as desktop manager. But how to call up only the kpowersave information dialog? Running the command “kpowersave” will only trigger another instance of kpowersave.

I tried to use qdbus but could not find a suitable dbus object to display the kpowersave information dialog. Nevertheless, qdbus is quite handy when it comes to changing the power profile of kpowersave.

qdbus is a no go for this purpose. I had to look for something else. Luckily, it did not take much of my time searching. “dcop” is it! dcop kpowersave KPowersaveIface showDetailedDialog will display kpowersave information dialog. Awesome!

I edited keytouch keyboard with these lines.

<key>
<name>battery</name>
<scancode>137</scancode>
<keycode>PROG2</keycode>
<default-action>dcop kpowersave KPowersaveIface showDetailedDialog</default-action>
</key>

Reactivated keytouch, the nifty application to map your multimedia keyboard. This is the result of pressing FnF8.

Nice eh?

Wednesday, September 16th, 2009

Quick note on Xen P2V migration


I had migrated some of the old machines at work to Xen hypervisor VMs. The procedure is rather straightforward and comes with many options. In this post, I used a simple dd command to migrate a physical machine to a flat file image on the Xen server.

DD IN ACTION

debian-HP370:~/ # dd if=/dev/cciss/c0d0 | ssh me@xenserver dd of=/home/xen/img/debian-HP370.img

This will take a long time depending on your disk size/network speed. So leave it there and go on with other stuff. After a couple of hours, you have the image transferred to Xen server.

TAILORING TO VM ENVIRONMENT

As the physical machine has a Smart Array RAID and the VM has a choice of disk options (IDE, SATA, physical partition under the VM guest), I mounted the image and edited /etc/fstab to reflect the disk on the VM. Mounting an image file with many partitions is simple. Firstly, the offset value of the partition is required. This can be obtained via the fdisk command.

xenserver:/home/xen/img # fdisk -lu debian-HP370.img
You must set cylinders.
You can do this from the extra functions menu.

Disk debian-HP370.img: 0 MB, 0 bytes
255 heads, 63 sectors/track, 0 cylinders, total 0 sectors
Units = sectors of 1 * 512 = 512 bytes
Disk identifier: 0x111f5759

Device Boot Start End Blocks Id System
debian-HP370.imgp1 * 63 102269789 51134863+ 83 Linux
debian-HP370.imgp2 102269790 106655534 2192872+ 5 Extended
debian-HP370.imgp5 102269853 106655534 2192841 82 Linux swap / Solaris

The offset value in this example is 63 * 512 = 32256

Note : 63 is the Start sector of the partition that I wanted to mount.

xenserver:/home/xen/img # mount -o loop,offset=32256 debian-HP370.img /mnt/stuff
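The offset calculation above generalizes to any partition in the listing. This is an added example, not from the original post: it reads `fdisk -lu` output, takes the sector size from the Units line, allows for the Boot flag column shifting the Start field, and prints the byte offset to pass to `mount -o loop,offset=`. The function names are hypothetical; the sample input is the listing shown above.

```shell
#!/bin/sh
# Added example: byte offset of a partition from `fdisk -lu` output.

# part_offset N < fdisk-output -> start sector of partition N times the unit size
part_offset() {
    awk -v n="$1" '
        BEGIN { unit = 512 }                        # fallback if no Units line
        /^Units/ && $NF == "bytes" { unit = $(NF-1) }
        # The device column ends in the partition number, e.g. "...imgp5"
        $1 ~ ("[^0-9]" n "$") {
            start = ($2 == "*") ? $3 : $2           # skip the Boot flag column
            printf "%.0f\n", start * unit; found = 1
        }
        END { exit !found }
    '
}

# Sample input: the fdisk listing from the post.
sample_fdisk() {
    cat <<'EOF'
Disk debian-HP370.img: 0 MB, 0 bytes
255 heads, 63 sectors/track, 0 cylinders, total 0 sectors
Units = sectors of 1 * 512 = 512 bytes
Device Boot Start End Blocks Id System
debian-HP370.imgp1 * 63 102269789 51134863+ 83 Linux
debian-HP370.imgp2 102269790 106655534 2192872+ 5 Extended
debian-HP370.imgp5 102269853 106655534 2192841 82 Linux swap / Solaris
EOF
}

sample_fdisk | part_offset 1    # 32256
```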

Next, you can just vi /mnt/stuff/etc/fstab, to suit your Xen VM configurations. We are almost done.

CREATING NEW VM

Creating a new VM is rather easy. You need a configuration file for the VM guest. Please refer to the example and wiki for the complete parameters. Just run xm new <configure file>, i.e. xm new debian-vmconfig, or else use vm-install and be prompted with a bunch of questions for configuration parameters. Sample HVM configuration file for my VM:-

name="Linux-debian-HP370"
memory=1024
maxmem=2048
vcpus=2
on_poweroff="destroy"
on_reboot="restart"
on_crash="destroy"
localtime=0
keymap="en-us"

builder="hvm"
extid=0
device_model="/usr/lib/xen/bin/qemu-dm"
kernel="/usr/lib/xen/boot/hvmloader"
boot="c"
disk=[ 'file:/home/xen/img/debian-HP370.img,sda,w', ]
vif=[ 'mac=00:16:3e:51:16:ee,bridge=br0,model=e1000', ]

stdvga=0
vnc=1
vncunused=1
apic=1
acpi=1
pae=1

serial="pty"

START THE MACHINE, LITERALLY

At this point, you should turn off the physical machine to avoid an IP address clash. There is one last step to go, which is editing grub on the VM. You could just fire up the new guest VM with xm start Linux-debian-HP370 && xm console Linux-debian-HP370 and hit “e” at the GRUB menu to edit the kernel parameter for the root disk. Lastly, modify /boot/grub/menu.lst to reflect your root partition. Remember to run update-grub after you finish editing.

OPTIONAL

Since my xen is a headless box, I have to go the extra mile to get into the console via an ssh tunnel.

ssh me@xenserver -L 5900:127.0.0.1:5900

Connecting vnc to localhost will give you the shiny new VM console.

Friday, July 24th, 2009

Debian : ssl-cert 1.0.15 chroot issue (ugly workaround)

In my previous post, I encountered a problem with ssl-cert in a chrooted environment. Installing ssl-cert via apt-get triggered these processes.

root 27799 0.0 0.4 4676 2256 pts/2 Ss+ 04:33 0:00 /usr/bin/dpkg --status-fd 13 --configure ssl-cert
root 27800 0.4 1.3 10016 7132 pts/2 S+ 04:33 0:00 /usr/bin/perl -w /usr/share/debconf/frontend /var/lib/dpkg/info/ssl-cert.postinst configure
root 27806 0.0 0.2 3804 1192 pts/2 S+ 04:33 0:00 /bin/sh -e /var/lib/dpkg/info/ssl-cert.postinst configure
root 27808 0.0 0.2 3820 1280 pts/2 S+ 04:33 0:00 /bin/bash -e /usr/sbin/make-ssl-cert generate-default-snakeoil
root 27812 0.0 0.2 3780 1448 pts/2 S+ 04:33 0:00 openssl req -config /tmp/tmp.OXerK27810 -new -x509 -days 3650 -nodes -out /etc/ssl/certs/ssl-cert-snakeoil.pem -keyout /etc/ssl/private/ssl-cert-snakeoil.key

Further investigation showed that process 27812 was stuck. Running the openssl command manually brings up:

27830:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:629:line 5

The error message is exactly the same as what Michael Prokop found.

The content of /tmp/tmp.OXerK27810 is:

#
# SSLeay example configuration file.
#

RANDFILE = $ENV::RANDFILE

[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
prompt = no
policy = policy_anything

[ req_distinguished_name ]
commonName = myshinnybox

DIRTY SOLUTION
As I’m only interested in getting packages such as Postfix, Postgresql, Apache mod SSL to install, I killed the “apt-get install ssl-cert” process, fired up vi and removed the line RANDFILE = $ENV::RANDFILE from /tmp/tmp.OXerK27810.


# openssl req -config /tmp/tmp.OXerK27810 -new -x509 -days 3650 -nodes -out /etc/ssl/certs/ssl-cert-snakeoil.pem -keyout /etc/ssl/private/ssl-cert-snakeoil.key
Generating a 1024 bit RSA private key
................................................++++++
.......++++++
writing new private key to '/etc/ssl/private/ssl-cert-snakeoil.key'
-----
# apt-get install ssl-cert
Reading package lists... Done
Building dependency tree
Reading state information... Done
ssl-cert is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
1 not fully installed or removed.
After this operation, 0B of additional disk space will be used.
Setting up ssl-cert (1.0.15) ...
#
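The "variable has no value" error at line 5 comes from the config expanding $ENV::RANDFILE. As an added example (not part of the original post or of ssl-cert), this check lists every environment variable an OpenSSL config file expands through $ENV::name or ${ENV::name} that is missing from the current environment, which shows up the problem before openssl is run. The function names are hypothetical and the sample config is constructed from the one shown above.

```shell
#!/bin/sh
# Added example: list environment variables an OpenSSL config expands
# ($ENV::name or ${ENV::name}) that are missing from the environment.

# unset_env_refs FILE -> prints one missing variable name per line
unset_env_refs() {
    # Drop comment lines, then collect each distinct ENV:: reference.
    grep -v '^[[:space:]]*#' "$1" |
    grep -oE '\$\{?ENV::[A-Za-z_][A-Za-z0-9_]*' |
    sed -E 's/^\$\{?ENV:://' | sort -u |
    while read -r name; do
        # openssl reads the process environment, so check env, not shell vars.
        env | grep -q "^${name}=" || printf '%s\n' "$name"
    done
}

# Constructed sample modelled on the generated config shown in the post.
make_sample_conf() {
    cat > "$1" <<'EOF'
# SSLeay example configuration file.
RANDFILE = $ENV::RANDFILE

[ req ]
default_bits = 1024
distinguished_name = req_distinguished_name
prompt = no

[ req_distinguished_name ]
commonName = myshinnybox
EOF
}

conf=$(mktemp)
make_sample_conf "$conf"
( unset RANDFILE; unset_env_refs "$conf" )                        # RANDFILE
( RANDFILE=/tmp/.rnd; export RANDFILE; unset_env_refs "$conf" )   # prints nothing
rm -f "$conf"
```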

I don’t understand why the package ssl-cert exists in the first place when the user can just use the “openssl” command to generate an ssl certificate. Making the situation worse, ssl-cert was added as a dependency to many packages. Duh! In addition, chroot seems to be buggy under Linux.

Wednesday, February 20th, 2008

Debian : ssl-cert 1.0.15 chroot issue

Ran into some issues with ssl-cert 1.0.15 installation in a Debian chroot environment. But it looks like I’m not alone. The issue was reported by Michael Prokop.


molecule:/# apt-get install ssl-cert
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
ssl-cert
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0B/7938B of archives.
After this operation, 90.1kB of additional disk space will be used.
Preconfiguring packages ...
Selecting previously deselected package ssl-cert.
(Reading database ... 27065 files and directories currently installed.)
Unpacking ssl-cert (from .../ssl-cert_1.0.15_all.deb) ...
Setting up ssl-cert (1.0.15) ...

……took forever……

make-ssl-cert generate-default-snakeoil took forever. So it looks like no fun with ssl-cert in chroot’ed environment. Any solution out there? Buzz me. Thanks.

Monday, February 18th, 2008

Linux : vmsplice local root exploit (Goodbye uptime)


As the Linux kernel vmsplice local root exploit is in the wild and the Debian boxes in my office are vulnerable to it, I have decided to upgrade their kernels. It’s sad to see rock-solid Linux boxes go down for the 1st time after running stably for nearly 8 months.

17:01:25 up 230 days, 9:59, 3 users, load average: 0.00, 0.00, 0.02


17:02:31 up 231 days, 7:02, 1 user, load average: 0.18, 0.38, 0.18

After upgrade

chflags@mzimyklosb03:~$ ./c
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7e64000 .. 0xb7e96000
[-] vmsplice: Bad address
chflags@mzimyklosb03:~$ uname -smr
Linux 2.6.24.2 i686

Thursday, February 14th, 2008

CentOS : Switching default MTA to Postfix

This is just a short note for my own reference. :)

1) Install postfix
# yum install postfix

2) Set default MTA to Postfix via this command
# alternatives --set mta /usr/sbin/sendmail.postfix

3) Autostart Postfix (Optional but you really want to do it)
# chkconfig --levels 235 sendmail off
# chkconfig --levels 235 postfix on
# /etc/init.d/sendmail stop
# /etc/init.d/postfix start

Monday, February 4th, 2008