X11Forwarding.md
# SSH: X11 Forwarding
## Connect
```
ssh -YC <host>
```
`-Y` requests trusted X11 forwarding (remote X clients get full access to the local display; `-X` is the restricted, untrusted variant) and `-C` enables compression.
## KDE QT5 themes
### On client
.ssh/config
```
# ssh_config has no inline comments, so nothing may follow the host pattern
Host orion
HostName orion.giran.cyou
User liannnix
SetEnv XDG_CURRENT_DESKTOP=kde
```
### On server
/etc/openssh/sshd_config
```
AcceptEnv XDG_CURRENT_DESKTOP
```
# BTRFS
## Create RAID1 from an existing filesystem
```bash
btrfs dev add /dev/sda1 /
btrfs balance start -dconvert=raid1 -mconvert=raid1 /
```
## HDD speed test
```bash
dd if=/dev/zero of=test1.img bs=5G count=1 oflag=dsync && rm -f test1.img
```
dogtag.md
# Dogtag
## Install
```bash
apt-get install pki-base pki-ca pki-server dogtag-pki-server-theme
```
## Initialize
```bash
pkispawn
```
## Import the administrator certificate
```bash
pki pkcs12-import --pkcs12 ~/.dogtag/pki-main/ca_admin_cert.p12 --password-file pass.txt
pki client-cert-import --pkcs12 ~/.dogtag/pki-main/ca_admin_cert.p12 --pkcs12-password-file pass.txt
```
git.md
# GIT
## Worktree
```bash
git worktree
```
## Blame
```bash
git blame
```
## Ours strategy
```bash
git merge -s ours
```
## Empty branch
```bash
git switch --orphan <branch>
```
## From srpm to gear migration hack
```bash
git merge --no-commit --allow-unrelated-histories -s ours <upstream-tag>
git read-tree -u --reset <upstream-tag>
git checkout @ -- .gear package.spec
git commit -a
```
## Chunked add
```bash
git add -p
```
## See only my commits
```bash
git log --first-parent
```
glusterfs.md
# GlusterFS
## Install packages
```bash
apt-get install glusterfs9 glusterfs9-server
```
## Enable and start the services
```bash
systemctl enable --now glusterfssharedstorage.service
systemctl enable --now glusterd.service
```
## Add peers (nodes)
```bash
gluster peer probe sora.giran.cyou
```
## Create a volume
```bash
gluster volume create data replica 3 sora.giran.cyou:/srv/data/brick jarvis.giran.cyou:/srv/data/brick yun.giran.cyou:/srv/data/brick
```
## Mount the volume
### Interactively
```bash
mount.glusterfs sora:/data /mnt/data/ -o acl
```
### Via fstab
```bash
sora.giran.cyou:/data /mnt/data glusterfs acl 0 0
```
## Start glusterd only after the network is up
```bash
systemctl edit glusterd.service
```
```systemd
[Unit]
# After= only orders the units; Wants= is what actually pulls network-online.target in
Wants=network-online.target
After=network-online.target
Before=
```
## Status
```bash
gluster volume status data
```
## Show files that need healing
```bash
gluster volume heal sysvol info
```
## Heal the data in a volume
```bash
gluster volume heal data
```
hasher.md
# Hasher
## hasher user config
`~/.hasher/config`
```
packager="Andrey Limachko <liannnix@altlinux.org>"
## Build in /tmp (RAM)
# workdir="/tmp/.private/$USER/"
workdir="$HOME/hasher"
target=x86_64
mount=/dev/pts,/proc
known_mountpoints=/proc,/dev/pts,/sys
def_repo="$HOME/alt/repo"
```
## hasher-priv
`/etc/hasher-priv/system`
```
# Systemwide configuration for the hasher-priv(8) helper program.
# See hasher-priv.conf(5) for details.
prefix=~:/tmp/.private
allow_ttydev=yes
allowed_mountpoints=/proc,/dev/pts,/dev/shm,/sys,/sys/fs/cgroup
allowed_devices=/dev/kvm
#rlimit_soft_cpu=86400
#rlimit_hard_cpu=87000
#wlimit_time_elapsed=40000
#wlimit_time_idle=3600
#wlimit_bytes_written=17179869184
#nproc=32
```
`/etc/hasher-priv/fstab`
```
# Information about mount points for the hasher-priv(8) helper program.
# See fstab(5) for details.
proc /proc proc rw,nosuid,nodev,noexec,gid=proc,hidepid=2 0 0
```
# LXC cheat sheet
## Autostart a network listening service
Cron entry: every two minutes resolve ya.ru through 192.168.20.53 and restart bind if the lookup fails (redirections ordered so both stdout and stderr are discarded).
```bash
*/2 * * * * /usr/bin/host -W 5 ya.ru 192.168.20.53 > /dev/null 2>&1 || /usr/bin/systemctl restart bind
```
nsupdate.md
# Update PTR record
`nsupdate -g`
```bash
server giran.cyou
update delete 10.254.168.192.in-addr.arpa. PTR
update add 10.254.168.192.in-addr.arpa. 300 PTR yun.giran.cyou.
send
quit
```
```bash
echo -e 'server giran.cyou\nupdate delete 10.254.168.192.in-addr.arpa. PTR\nupdate add 10.254.168.192.in-addr.arpa. 300 PTR yun.giran.cyou.\nsend\nquit\n' | nsupdate -g
```
```bash
realm GIRAN.CYOU
update delete 10.254.168.192.in-addr.arpa. in PTR
update add 10.254.168.192.in-addr.arpa. 3600 in PTR yun.giran.cyou.
send
realm GIRAN.CYOU
update delete 7.2.b.0.f.b.e.f.f.f.e.7.d.1.4.a.a.0.0.0.3.0.0.1.0.4.8.e.2.0.a.2.ip6.arpa. in PTR
update add 7.2.b.0.f.b.e.f.f.f.e.7.d.1.4.a.a.0.0.0.3.0.0.1.0.4.8.e.2.0.a.2.ip6.arpa. 3600 in PTR yun.giran.cyou.
send
```
openssl.md
# OpenSSL
## show cert info
```
openssl x509 -in cert.pem -noout -text
```
openvswitch.md
# OpenVSwitch
## add port and physical interface
```bash
ovs-vsctl add-port trunk vlv4ttk_v4ttk tag=201 -- set interface vlv4ttk_v4ttk type=internal
```
pkinit.md
# KRB5: pkinit
## KDC
```bash
openssl genrsa -out cakey.pem 2048
openssl req -key cakey.pem -new -x509 -out cacert.pem
```
`vim extensions.kdc`
```kdc
[kdc_cert]
basicConstraints=CA:FALSE
keyUsage=nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage=1.3.6.1.5.2.3.5
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
issuerAltName=issuer:copy
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
[kdc_princ_name]
realm=EXP:0,GeneralString:${ENV::REALM}
principal_name=EXP:1,SEQUENCE:kdc_principal_seq
[kdc_principal_seq]
name_type=EXP:0,INTEGER:2
name_string=EXP:1,SEQUENCE:kdc_principals
[kdc_principals]
princ1=GeneralString:krbtgt
princ2=GeneralString:${ENV::REALM}
```
```bash
openssl genrsa -out kdckey.pem 2048
openssl req -new -out kdc.req -key kdckey.pem
export REALM=DOMAIN.ALT
openssl x509 -req -in kdc.req -CAkey cakey.pem -CA cacert.pem -out kdc.pem -extfile extensions.kdc -extensions kdc_cert -CAcreateserial
cp kdc.pem /var/lib/kerberos/krb5kdc/
cp kdckey.pem /var/lib/kerberos/krb5kdc/
cp cacert.pem /var/lib/kerberos/krb5kdc/
```
`vim /var/lib/kerberos/krb5kdc/kdc.conf`
```kdc
[kdcdefaults]
...
pkinit_identity = FILE:/var/lib/kerberos/krb5kdc/kdc.pem,/var/lib/kerberos/krb5kdc/kdckey.pem
pkinit_anchors = FILE:/var/lib/kerberos/krb5kdc/cacert.pem
[realms]
DOMAIN.ALT = {
...
default_principal_flags = +preauth
}
```
```bash
kadmin.local -q 'addprinc test'
kadmin.local -q 'modprinc +requires_preauth test'
kadmin.local -q 'addprinc -randkey WELLKNOWN/ANONYMOUS'
```
`vim extensions.client`
```kdc
[client_cert]
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage=1.3.6.1.5.2.3.4
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
issuerAltName=issuer:copy
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
[princ_name]
realm=EXP:0,GeneralString:${ENV::REALM}
principal_name=EXP:1,SEQUENCE:principal_seq
[principal_seq]
name_type=EXP:0,INTEGER:1
name_string=EXP:1,SEQUENCE:principals
[principals]
princ1=GeneralString:${ENV::CLIENT}
```
```bash
openssl genrsa -out clientkey.pem 2048
openssl req -new -key clientkey.pem -out client.req
export REALM=DOMAIN.ALT
export CLIENT=test
openssl x509 -CAkey cakey.pem -CA cacert.pem -req -in client.req -extensions client_cert -extfile extensions.client -days 365 -out client.pem
scp cacert.pem test@10.64.172.150:
scp client.pem test@10.64.172.150:
scp clientkey.pem test@10.64.172.150:
systemctl restart krb5kdc.service
```
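The subjectAltName that `extensions.kdc` and `extensions.client` make openssl emit is an ASN.1 KRB5PrincipalName inside an otherName (OID 1.3.6.1.5.2.2). The following is an added example, not code from the original notes: a dependency-free Python encoder and decoder for that structure, so you can check what an issued KDC or client certificate actually carries before the KDC or `kinit` trips over it. The name types 2 (krbtgt) and 1 (client) and the realm/principal strings are the values from the extension files above.

```python
# Added example (not from the original notes): DER encoder/decoder for the
# KRB5PrincipalName value that extensions.kdc / extensions.client put into the
# subjectAltName otherName (OID 1.3.6.1.5.2.2). Pure Python, no dependencies.
#   KRB5PrincipalName ::= SEQUENCE { realm [0] Realm, principalName [1] PrincipalName }
#   PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }
KRB5_NT_PRINCIPAL = 1  # name_type=EXP:0,INTEGER:1 in extensions.client
KRB5_NT_SRV_INST = 2   # name_type=EXP:0,INTEGER:2 in extensions.kdc (krbtgt/REALM)

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body
def _explicit(idx: int, body: bytes) -> bytes:
    return _tlv(0xA0 | idx, body)  # "EXP:n" in the openssl config = [n] EXPLICIT
def _general_string(s: str) -> bytes:
    return _tlv(0x1B, s.encode("ascii"))  # KerberosString is a GeneralString

def encode_krb5_principal_name(realm: str, name_type: int, components: list) -> bytes:
    assert 0 <= name_type <= 0x7F  # a single-byte positive INTEGER is enough here
    name_string = _tlv(0x30, b"".join(_general_string(c) for c in components))
    principal = _tlv(0x30, _explicit(0, _tlv(0x02, bytes([name_type])))
                     + _explicit(1, name_string))
    return _tlv(0x30, _explicit(0, _general_string(realm)) + _explicit(1, principal))

def _read_tlv(buf: bytes, pos: int = 0):
    # returns (tag, body, position after the element); handles long-form lengths
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def _unwrap(buf: bytes, pos: int, outer_tag: int, inner_tag: int):
    # read an [n] EXPLICIT wrapper and the single element it contains
    tag, wrapped, nxt = _read_tlv(buf, pos)
    assert tag == outer_tag, f"expected tag {outer_tag:#x}, got {tag:#x}"
    itag, inner, _ = _read_tlv(wrapped)
    assert itag == inner_tag, f"expected tag {inner_tag:#x}, got {itag:#x}"
    return inner, nxt

def decode_krb5_principal_name(der: bytes):
    """Return (realm, name_type, components); raises AssertionError on malformed input."""
    tag, body, _ = _read_tlv(der)
    assert tag == 0x30
    realm, pos = _unwrap(body, 0, 0xA0, 0x1B)
    principal, _ = _unwrap(body, pos, 0xA1, 0x30)
    name_type, pos = _unwrap(principal, 0, 0xA0, 0x02)
    name_string, _ = _unwrap(principal, pos, 0xA1, 0x30)
    comps, pos = [], 0
    while pos < len(name_string):
        tag, c, pos = _read_tlv(name_string, pos)
        assert tag == 0x1B
        comps.append(c.decode("ascii"))
    return realm.decode("ascii"), int.from_bytes(name_type, "big"), comps
```

The decoder rejects anything that is not exactly this shape, which is the behaviour you want when verifying the SAN of a certificate before installing it as `pkinit_identity`.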
## KCLW
```bash
cp /home/test/*.pem /var/lib/kerberos/krb5/
```
`vim /etc/krb5.conf`
```kdc
[libdefaults]
...
pkinit_anchors = FILE:/var/lib/kerberos/krb5/cacert.pem
#pkinit_identities = FILE:/var/lib/kerberos/krb5/client.pem,/var/lib/kerberos/krb5/clientkey.pem
```
samba-client.md
# Register DNS entry for joined machine
```bash
/usr/bin/net ads dns register --use-kerberos=required --use-krb5-ccache=FILE:/tmp/ccach pki.giran.cyou
```
samba-dfs.md
# DFS
[Samba Wiki: DFS](https://wiki.samba.org/index.php/Distributed_File_System_(DFS))
## smb.conf
```
[global]
<...>
host msdfs = yes
[share]
#vfs objects = dfs_samba4
path = /export/dfsroot
msdfs root = yes
```
```bash
mkdir -p /export/dfsroot
cd /export/dfsroot   # the msdfs links must live inside the DFS root
ln -s msdfs:storage0\\share0 linka
ln -s msdfs:server1\\share,server2\\share linkb
```
## Notes
- server and share names must be lowercase only
- link names have no restrictions
samba-trust.md
# Add a forward zone for a trusted domain to many DCs at once
```bash
dcs="10.64.165.10 10.64.165.11 10.64.165.12"
for i in $dcs; do
ssh -i ~/.ssh/robot_key root@$i \
'echo -e "zone \"trust.alt\" {\n type forward;\n forward only;\n forwarders { 10.64.66.46; };\n};\n" >> /etc/bind/named.conf'
done
```
# CPU stress test
```bash
pip install s-tui
apt-get install stress
s-tui
```
systemd-nspawn.md
# Nspawn VM example
```systemd
# nspawn unit files do not support trailing comments, so every note is on its own line
[Network]
Bridge=vms-priv

[Exec]
## UID/GID mapping delegation for the container:
## needed because domain IDs fall outside the 65536-id range nspawn would map
PrivateUsers=no
## Capabilities (just in case; you can try to remove it)
Capability=CAP_SYS_ADMIN
## Capability=all allows all capabilities at once (not recommended);
## systemd-nspawn --capability=help lists all available capabilities
## Limit for max file descriptors: the samba-common package raises ulimit NOFILE
## to 16384 via /etc/security/limits.d/90-samba.conf; without this option
## you can't log in to the container
LimitNOFILE=infinity
## System call filter: allow the keyctl calls so the kernel keyring works
## (systemd-analyze syscall-filter lists all available syscall groups)
SystemCallFilter=@keyring
```
virt-install.md
# Virt-install
```
LC_ALL=C virt-install --connect qemu:///system --name node-x86_64 --os-type=linux --graphics vnc --ram 4096 --vcpus=12 --network network=default --virt-type=kvm --import --autostart --disk /data/libvirt_images/node-x86_64.qcow2 --network network=node-x86_64-v --hvm
```
zfs.md
# ZFS
## Partition the disk with fdisk (BIOS-MBR + GPT)
```
g
n -> 1 -> 2048 -> +1M -> y
t -> 1 -> 4
w
```
## Create the zfs pool
```bash
zpool create -o ashift=12 -O compression=lz4 -O normalization=formD -O mountpoint=none main /dev/disk/by-uuid/12407395108911578001
zfs create -V 30G main/system
```