Tuesday, August 23, 2016

Scaling up the number of TCP/IP connections in Linux

# as client: widen the ephemeral port range used for outbound connections
sysctl -w net.ipv4.ip_local_port_range="20000 65535"
# shortens the FIN-WAIT-2 timeout for orphaned sockets; it does NOT shorten
# TIME-WAIT, which is fixed at 60 s in the Linux kernel
sysctl -w net.ipv4.tcp_fin_timeout=30

# as server
ifconfig eth0 txqueuelen 10000
# listen() backlogs are silently capped at somaxconn; the SYN backlog bounds
# half-open connections (SYN flood headroom)
sysctl -w net.core.somaxconn=10240
sysctl -w net.core.netdev_max_backlog=10000
sysctl -w net.ipv4.tcp_max_syn_backlog=2560
# fs.nr_open is the ceiling for any per-process file limit, so raise it first
echo 3000000 > /proc/sys/fs/nr_open
# affects only the current shell and its children; persist it through
# /etc/security/limits.conf or the service's LimitNOFILE= (systemd).
# sysctl -w values are lost on reboot too: put them in /etc/sysctl.d/
ulimit -n 2000000

Saturday, August 13, 2016

Allow 65536 threads with 65536 tcp ports listening



Thread-65532 tcp_port= 65531
Thread-65533 tcp_port= 65532
Thread-65534 tcp_port= 65533
Thread-65535 tcp_port= 65534
Thread-65536 tcp_port= 65535
active threads 62547
join
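The two notes above (the sysctl tuning and the 65536-listener test) are easy to apply with a wrong expectation: tcp_fin_timeout is often assumed to shrink TIME-WAIT, and `ulimit -n` silently depends on fs.nr_open being raised first. The script below is an added example, not from the original post, that audits these limits instead of setting them blindly. The helpers take their inputs as arguments so they can be checked offline, `audit_live` reads the running kernel, and the target numbers (2000000 descriptors, a 10240 backlog) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit the connection limits the
# client and server snippets tune. Target values are assumptions.
set -eu

# Size of an ip_local_port_range value given as "lo hi" (tab or space separated).
ephemeral_ports() {
    set -- $1
    echo $(( $2 - $1 + 1 ))
}

# Rough ceiling on new outbound connections per second to one ip:port before
# TIME-WAIT exhausts the ephemeral range. TIME-WAIT lasts a fixed 60 s on
# Linux; tcp_fin_timeout only shortens FIN-WAIT-2 for orphaned sockets.
max_conn_rate() {
    echo $(( $1 / 60 ))
}

# "ulimit -n N" fails with EPERM when N exceeds fs.nr_open, so nr_open must be
# raised first (as the server snippet does).
nofile_fits() {   # $1 requested nofile, $2 fs.nr_open
    [ "$1" -le "$2" ]
}

# The backlog an application passes to listen() is capped at net.core.somaxconn;
# raising somaxconn alone changes nothing unless the application asks for more.
effective_backlog() {   # $1 backlog requested by the app, $2 somaxconn
    if [ "$1" -gt "$2" ]; then echo "$2"; else echo "$1"; fi
}

# Read the live values and report what they actually allow.
audit_live() {
    range=$(cat /proc/sys/net/ipv4/ip_local_port_range)
    ports=$(ephemeral_ports "$range")
    echo "ephemeral ports: $ports (~$(max_conn_rate "$ports") new conns/s per destination)"
    nr_open=$(cat /proc/sys/fs/nr_open)
    nofile=$(ulimit -n)
    echo "fs.nr_open=$nr_open  ulimit -n=$nofile"
    nofile_fits 2000000 "$nr_open" \
        || echo "WARN: 'ulimit -n 2000000' will fail; raise fs.nr_open first"
    somaxconn=$(cat /proc/sys/net/core/somaxconn)
    echo "somaxconn=$somaxconn: listen(10240) gets backlog $(effective_backlog 10240 "$somaxconn")"
}
```

Run `audit_live` before and after applying the sysctl lines; the per-destination rate is the number that matters for a load generator that reconnects constantly, and it does not move when tcp_fin_timeout is lowered.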

fix gitlab with letsencrypt certificate

Cannot register the Go runner (gitlab-ci-multi-runner) because of "x509: certificate signed by unknown authority". With a Let's Encrypt certificate the same failure is reproducible with curl:

curl https://gitlab.example.com:9999/ci/api/v1/runners/register.json
curl: (60) SSL certificate problem: unable to get local issuer certificate

Both clients fail to build a path from the server certificate to a trusted root, typically because the server sends only its leaf certificate and not the Let's Encrypt intermediate. The proper fix is to serve the full chain (certbot's fullchain.pem) from GitLab's nginx. The workaround below instead adds the Let's Encrypt root and intermediates to the system trust store. Anything placed in /usr/local/share/ca-certificates/ becomes a trust anchor for every TLS client on the host, so compare each file's fingerprint (openssl x509 -in FILE -noout -sha256 -fingerprint) with the one Let's Encrypt publishes before enabling it:
sudo curl https://letsencrypt.org/certs/isrgrootx1.pem.txt -o /usr/local/share/ca-certificates/isrgrootx1.crt
sudo curl https://letsencrypt.org/certs/letsencryptauthorityx1.pem.txt -o /usr/local/share/ca-certificates/letsencryptauthorityx1.crt
sudo curl https://letsencrypt.org/certs/letsencryptauthorityx2.pem.txt -o /usr/local/share/ca-certificates/letsencryptauthorityx2.crt
sudo curl https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem.txt -o /usr/local/share/ca-certificates/letsencryptx1.crt
sudo curl https://letsencrypt.org/certs/lets-encrypt-x2-cross-signed.pem.txt -o /usr/local/share/ca-certificates/letsencryptx2.crt
sudo curl https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt -o /usr/local/share/ca-certificates/letsencryptx3.crt
sudo curl https://letsencrypt.org/certs/lets-encrypt-x4-cross-signed.pem.txt -o /usr/local/share/ca-certificates/letsencryptx4.crt
sudo dpkg-reconfigure ca-certificates
# (non-interactive equivalent: sudo update-ca-certificates)
gitlab-ci-multi-runner register
Running in system-mode.

Please enter the gitlab-ci coordinator URL (e.g. https://gitlab.com/ci):
https://gitlab.example.com:9999/ci
Please enter the gitlab-ci token for this runner:
5454353453453453534
Please enter the gitlab-ci description for this runner:
[example2]:
Please enter the gitlab-ci tags for this runner (comma separated):
shared
Registering runner... succeeded                     runner=43242342
Please enter the executor: parallels, shell, ssh, virtualbox, docker+machine, docker-ssh+machine, docker, docker-ssh:
docker
Please enter the default Docker image (eg. ruby:2.1):
ubuntu:16.04
Runner registered successfully. Feel free to start it, but if it's running already the config should be automatically reloaded!

Wednesday, August 10, 2016

RabbitMQ server configure

# enable plugins and restart (the management UI listens on 15672 on every
# interface once enabled; firewall it and never expose it with guest/guest)
rabbitmq-plugins enable rabbitmq_management
rabbitmq-plugins enable rabbitmq_mqtt
rabbitmq-plugins enable rabbitmq_web_stomp
rabbitmq-plugins enable rabbitmq_shovel
rabbitmq-plugins enable rabbitmq_management_visualiser
rabbitmq-plugins enable rabbitmq_recent_history_exchange
rabbitmq-plugins enable rabbitmq_top
rabbitmq-plugins enable rabbitmq_tracing

# install and enable mqtt over websockets
# (the .ez is Erlang code that runs inside the broker with its privileges;
# fetch it over https rather than http, and record the checksum of what you
# enabled so a later swap of the file is noticed)
cd /usr/lib/rabbitmq/lib/rabbitmq_server-3.6.5/plugins
wget http://www.rabbitmq.com/community-plugins/v3.6.x/rabbitmq_web_mqtt-3.6.x-3b6a09bb.ez
rabbitmq-plugins enable rabbitmq_web_mqtt

/etc/init.d/rabbitmq-server restart

#configure new user (the password lands in shell history and, while the
# command runs, in the process list; use a throwaway value and change it in
# the management UI afterwards, or clear the history)
rabbitmqctl add_user newadmin s0m3p4ssw0rd
rabbitmqctl set_user_tags newadmin administrator
rabbitmqctl set_permissions -p / newadmin ".*" ".*" ".*"
# once this account works, delete the built-in guest account
# (rabbitmqctl delete_user guest). The MQTT config below still maps anonymous
# clients to guest, so change that first.


Generate SSL/TLS chain
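The chain generation itself is not reproduced on the page, but the rabbitmq.config below expects a CA in testca/, a server certificate in server/ and a client certificate in client/. The script below is an added example, not the original post's script, that produces exactly that layout with openssl. It uses its own minimal openssl config files so it does not depend on the system openssl.cnf, restricts each leaf to one purpose (serverAuth for the broker, clientAuth for MQTT clients) and verifies both against the CA. The base directory, key size, validity, subject names and the client CN "mqtt-client" are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: generate a throwaway CA plus a
# server and a client certificate in the layout rabbitmq.config expects.
# Base directory, key size, validity and subject names are assumptions.
set -eu

write_cnf() {   # $1 base: minimal openssl configs, independent of the system openssl.cnf
    cat > "$1/testca/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[dn]
CN = RabbitMQ test CA
[ca_ext]
basicConstraints     = critical,CA:TRUE,pathlen:0
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    cat > "$1/testca/leaf.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt             = no
[dn]
CN = placeholder
EOF
}

issue_leaf() {   # $1 base, $2 server|client, $3 subject, $4 extensions (one per line)
    printf '%s\n' "$4" > "$1/$2/ext.cnf"
    openssl req -new -config "$1/testca/leaf.cnf" -newkey rsa:2048 -nodes -subj "$3" \
        -keyout "$1/$2/key.pem" -out "$1/$2/req.pem"
    openssl x509 -req -in "$1/$2/req.pem" -days 365 \
        -CA "$1/testca/cacert.pem" -CAkey "$1/testca/cakey.pem" -CAcreateserial \
        -extfile "$1/$2/ext.cnf" -out "$1/$2/cert.pem"
    chmod 0644 "$1/$2/cert.pem"
}

gen_chain() {
    base="${1:-/opt/rabbitmq-ssl}"      # assumed layout: testca/ server/ client/
    cn="${2:-$(hostname)}"              # must match the name MQTT clients connect to
    mkdir -p "$base/testca" "$base/server" "$base/client"
    umask 077                           # private keys are created mode 0600
    write_cnf "$base"

    # 1. Self-signed CA, constrained to signing leaves only (pathlen:0).
    openssl req -x509 -config "$base/testca/ca.cnf" -newkey rsa:2048 -nodes -days 365 \
        -keyout "$base/testca/cakey.pem" -out "$base/testca/cacert.pem"
    chmod 0644 "$base/testca/cacert.pem"

    # 2. Server leaf: SAN = broker name, EKU limited to serverAuth, so the
    #    broker's certificate can never be replayed as a client certificate.
    issue_leaf "$base" server "/CN=$cn" \
        "$(printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth' "$cn")"

    # 3. Client leaf: EKU limited to clientAuth. The CN is what RabbitMQ's
    #    ssl_cert_login maps to a user name.
    issue_leaf "$base" client "/CN=mqtt-client" "extendedKeyUsage=clientAuth"
    # The broker runs as user rabbitmq and must be able to read server/key.pem:
    #   chown rabbitmq:rabbitmq "$base/server/key.pem"   (needs root, not run here)
}

# Each leaf must chain to the CA *and* carry the purpose it will be used for.
verify_chain() {
    base="${1:-/opt/rabbitmq-ssl}"
    openssl verify -CAfile "$base/testca/cacert.pem" -purpose sslserver "$base/server/cert.pem"
    openssl verify -CAfile "$base/testca/cacert.pem" -purpose sslclient "$base/client/cert.pem"
}
```

`gen_chain /opt/rabbitmq-ssl broker.example.com` followed by `verify_chain /opt/rabbitmq-ssl` is the whole procedure; the CA key in testca/cakey.pem is only needed to issue more client certificates and should not stay on the broker.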



Edit /etc/rabbitmq/rabbitmq.config (the listing as originally posted was missing the list brackets around each application's settings and had a trailing comma before the closing bracket, which the broker refuses to parse; this is the corrected form):
[
 {rabbit, [
   {ssl_listeners, [5671]},
   {ssl_options, [
     {cacertfile,           "/opt/rabbitmq-ssl/testca/cacert.pem"},
     {certfile,             "/opt/rabbitmq-ssl/server/cert.pem"},
     {keyfile,              "/opt/rabbitmq-ssl/server/key.pem"},
     {verify,               verify_peer},
     {fail_if_no_peer_cert, false}]}   %% client certificate is optional here
  ]},
 {rabbitmq_mqtt, [
   {default_user, <<"guest">>},
   {default_pass, <<"guest">>},
   {allow_anonymous, true},            %% anonymous MQTT clients act as guest
   {tcp_listeners, [1883]},
   {ssl_listeners, [8883]}
  ]}
].
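The config above is a lab setting: anonymous MQTT clients are mapped to guest, the plaintext listener on 1883 stays open, and fail_if_no_peer_cert false makes the client certificate optional, so verify_peer only checks a certificate when a client happens to send one. The variant below is an added example, not from the original post, that enforces mutual TLS on both 5671 and 8883 and authenticates MQTT clients by the CN of their certificate. The TLS version list and the client user name are assumptions; the RabbitMQ user named by the CN must already exist.

```erlang
%% Hardened variant (added example): mutual TLS only, no anonymous MQTT.
[
 {rabbit, [
   {ssl_listeners, [5671]},
   {ssl_options, [
     {cacertfile,           "/opt/rabbitmq-ssl/testca/cacert.pem"},
     {certfile,             "/opt/rabbitmq-ssl/server/cert.pem"},
     {keyfile,              "/opt/rabbitmq-ssl/server/key.pem"},
     {verify,               verify_peer},
     {fail_if_no_peer_cert, true},           %% client certificate is mandatory
     {versions,             ['tlsv1.2']},    %% assumed policy: no TLS 1.0/1.1
     {honor_cipher_order,   true}]},
   {ssl_cert_login_from,    common_name}     %% cert CN "mqtt-client" -> user mqtt-client
  ]},
 {rabbitmq_mqtt, [
   {allow_anonymous, false},                 %% no default_user/default_pass mapping
   {ssl_cert_login,  true},                  %% authenticate MQTT clients by certificate
   {tcp_listeners,   []},                    %% plaintext 1883 is off
   {ssl_listeners,   [8883]}
  ]}
].
```

Create the user the certificate maps to (`rabbitmqctl add_user mqtt-client <unused random password>` plus `set_permissions`) before restarting; if the installed release does not know ssl_cert_login_from, the user name must be the full subject DN (`CN=mqtt-client`). With this config the unauthenticated mosquitto tests on 1883 below fail by design, and the guest account can be deleted.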
Restart server
/etc/init.d/rabbitmq-server restart

#Test TLS (use -tls1_2 rather than -tls1, which would only exercise the
# deprecated 1.0 protocol; with verify_peer the broker asks for a client
# certificate, so present one and verify the server against the test CA;
# look for "Verify return code: 0 (ok)" in the output)
openssl s_client -connect 127.0.0.1:5671 -tls1_2 \
 -CAfile /opt/rabbitmq-ssl/testca/cacert.pem \
 -cert /opt/rabbitmq-ssl/client/cert.pem -key /opt/rabbitmq-ssl/client/key.pem

# Test MQTT (works without credentials only because allow_anonymous is true)
mosquitto_sub -h localhost -v -t '#'
mosquitto_pub -h localhost -t 'test' -m 'msg'

# Test MQTT with TLS (-h must match the CN/SAN of the server certificate;
# mosquitto verifies the host name unless --insecure is given)
mosquitto_sub -h localhost -p 8883 -v -t '#' \
 --key /opt/rabbitmq-ssl/client/key.pem \
 --cert /opt/rabbitmq-ssl/client/cert.pem \
 --cafile /opt/rabbitmq-ssl/testca/cacert.pem
mosquitto_pub -h localhost -p 8883 -t 'test' -m 'msg' \
 --key /opt/rabbitmq-ssl/client/key.pem \
 --cert /opt/rabbitmq-ssl/client/cert.pem \
 --cafile /opt/rabbitmq-ssl/testca/cacert.pem


Sunday, July 31, 2016

Wednesday, July 20, 2016

openwrt set wan with random mac

Six raw random bytes can have the multicast bit (bit 0 of the first byte) set, which is invalid for a station address and is rejected by many drivers. Clear it and set the locally-administered bit (bit 1), the correct marking for a generated address, before handing it to uci; the change takes effect on the next /etc/init.d/network reload.

mac=$(hexdump -n6 -e '6/1 ":%02X"' /dev/urandom | cut -f2- -d ":")
first=$(( (0x${mac%%:*} & 0xFE) | 0x02 ))
uci set network.wan.macaddr=$(printf '%02X%s' "$first" "${mac#??}")
uci commit
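The same idea as a small script, added here and not part of the original post: generate the address, check any candidate against the unicast/locally-administered rule, and only then write it with uci. It uses od instead of hexdump so it also runs where hexdump is absent; the interface (network.wan) is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: random WAN MAC that is guaranteed
# to be unicast and locally administered. The uci section name is assumed.
set -eu

# Print a random MAC with the I/G bit (bit 0 of byte 0) cleared and the U/L
# bit (bit 1) set, i.e. the first byte is x2, x6, xA or xE.
random_mac() {
    raw=$(od -An -tx1 -N6 /dev/urandom | tr -d ' \n')     # 12 hex chars
    b0=$(( (0x${raw%??????????} & 0xFE) | 0x02 ))         # first byte, fixed up
    rest=$(printf '%s' "${raw#??}" | sed 's/../&:/g; s/:$//' | tr 'a-f' 'A-F')
    printf '%02X:%s\n' "$b0" "$rest"
}

# Return 0 if $1 is a well-formed unicast, locally-administered MAC.
is_unicast_laa() {
    printf '%s\n' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    b0=$(( 0x${1%%:*} ))
    if [ $(( b0 & 1 )) -eq 0 ] && [ $(( b0 & 2 )) -ne 0 ]; then
        return 0
    fi
    return 1
}

# Write a fresh address into the WAN config; it is applied by the next
# /etc/init.d/network reload. Needs the uci binary, so not run by the checks.
apply_wan_mac() {
    mac=$(random_mac)
    is_unicast_laa "$mac" || { echo "refusing bad MAC $mac" >&2; return 1; }
    uci set network.wan.macaddr="$mac"
    uci commit network
    echo "$mac"
}
```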

Sunday, June 19, 2016

Xubuntu ABNT2 keyboard

Settings -> Session and Startup -> Application Autostart -> Add, with the command:
setxkbmap -model pc105 -layout br -variant abnt2

phpMyAdmin - Error | The mbstring extension is missing. Ubuntu-16.04

The message means the PHP mbstring extension is not installed; phpenmod alone cannot enable a module that is not there. Install the missing extension, enable the modules and restart Apache:
sudo apt-get install php-mbstring php-gettext
sudo phpenmod mcrypt
sudo phpenmod mbstring
sudo service apache2 restart

Tuesday, June 14, 2016

Chromium not starting as root in Debian

Problem:
root@debian:~# chromium
[1:1:0614/091456:FATAL:sandbox_linux.cc(178)] Check failed: sandbox::Credentials::MoveToNewUserNS(). 
#0 0x0000b0587b0d 
#1 0x0000b05a01c0 
#2 0x0000b4c6cf33 
#3 0x0000b34d75dc 
Solution:
root@debian:~# chromium --user-data-dir=/root/chromium --no-sandbox

--no-sandbox turns off Chromium's renderer sandbox, so any renderer exploit runs as root. That is acceptable in a throwaway VM; on anything else run the browser as an unprivileged user instead.

Saturday, May 7, 2016

Debian / Ubuntu: build custom package with checkinstall

checkinstall turns a `make install` into a .deb, so a custom build can be listed and removed with dpkg instead of leaving stray files all over the system.

apt-get -y install checkinstall

wget custom-package.tar.gz
tar xfvz custom-package.tar.gz
cd custom-package
./configure
make
checkinstall make install

# list package contents
dpkg -L custom-package

# remove package
dpkg -r custom-package

Sunday, April 17, 2016

Force all network traffic through the OpenVPN tunnel


# Flush all rules (filter table only; nat and mangle are left alone)
iptables -F

# Default policy DROP: whatever is not explicitly allowed below is dropped.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Allow basic INPUT traffic.
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT

# Allow basic OUTPUT traffic. Unrestricted outbound ICMP is a small side
# channel around the tunnel; drop that rule if you do not need to ping
# hosts outside the VPN.
iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

# Allow traffic via the tunnel, to the OpenVPN server, and DNS.
iptables -A OUTPUT -o tun+ -j ACCEPT
# The two DNS rules let queries to Google bypass the tunnel in cleartext; they
# are only needed to resolve the VPN server's name before the tunnel is up.
iptables -A OUTPUT -p udp -m udp -d 8.8.8.8 --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp -m udp -d 8.8.4.4 --dport 53 -j ACCEPT
# iptables resolves this host name once, when the rule is added, over the
# unauthenticated DNS allowed above, and inserts one rule per returned address.
# Prefer the server's IP literal here and in the OpenVPN "remote" line.
iptables -A OUTPUT -p udp -m udp -d vpn.server.example.com --dport 1194 -j ACCEPT

# Reject everything else. This covers IPv4 only: without the same policies in
# ip6tables, IPv6 traffic goes around the tunnel.
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
iptables -A FORWARD -j REJECT --reject-with icmp-port-unreachable
iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
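Applied one command at a time, the rules above pass through a state where the policy is already DROP but the ACCEPT rules are not yet in place, the VPN endpoint is resolved through DNS that the kill switch itself cannot protect, and IPv6 is not covered at all. The script below is an added example, not from the original post, that emits the same kill switch as iptables-restore and ip6tables-restore rulesets (loaded atomically), refuses anything but an IP literal for the VPN endpoint and drops the DNS exception, since with a pinned endpoint name resolution only ever happens through the tunnel. The endpoint 203.0.113.10, port and protocol are assumed values; `apply_kill_switch` needs root and is not exercised by the checks.

```shell
#!/bin/sh
# Added example, not from the original post: kill switch as atomic
# iptables-restore rulesets, pinned endpoint, IPv6 covered. Values assumed.
set -eu

is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# $1 VPN server IPv4 literal, $2 port, $3 udp|tcp. Prints an iptables-restore
# filter table. No DNS exception: the endpoint is pinned, so nothing needs to
# be resolved before the tunnel is up.
kill_switch_v4() {
    is_ipv4 "$1" || { echo "VPN endpoint must be an IPv4 literal, not '$1'" >&2; return 1; }
    case "$3" in udp|tcp) ;; *) echo "protocol must be udp or tcp" >&2; return 1 ;; esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -p $3 -d $1 --dport $2 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# IPv6: nothing leaves except over loopback or the tunnel. This also blocks
# ICMPv6 neighbour discovery, i.e. native IPv6 on this host is effectively
# off, which is the intent of a kill switch for an IPv4-only VPN.
kill_switch_v6() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
COMMIT
EOF
}

# Load both tables in one step each; needs root.
apply_kill_switch() {   # $1 endpoint IP, $2 port, $3 udp|tcp
    kill_switch_v4 "$1" "$2" "$3" | iptables-restore
    kill_switch_v6 | ip6tables-restore
}
```

`kill_switch_v4 203.0.113.10 1194 udp | iptables-restore --test` checks the generated table without loading it; the OpenVPN client config must then use the same literal in its `remote` line.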


Tuesday, April 5, 2016

Write new system image using bmaptool (beaglebone)


#install
sudo apt-get -y install bmap-tools

# download image and bmap file (over https: bmaptool trusts the sha256 sums
# inside the .bmap, so the .bmap itself must arrive intact; it also verifies
# a detached GPG signature when a .bmap.asc is published next to it)
wget https://debian.beagleboard.org/images/bone-debian-8.3-lxqt-4gb-armhf-2016-01-24-4gb.img.xz
wget https://debian.beagleboard.org/images/bone-debian-8.3-lxqt-4gb-armhf-2016-01-24-4gb.bmap

#write system image; double-check that /dev/sdb really is the SD card
# (lsblk -o NAME,SIZE,RM,MOUNTPOINT) because bmaptool overwrites it without asking
bmaptool copy bone-debian-8.3-lxqt-4gb-armhf-2016-01-24-4gb.img.xz /dev/sdb


#results
bmaptool: info: discovered bmap file 'bone-debian-8.3-lxqt-4gb-armhf-2016-01-24-4gb.bmap'
bmaptool: info: block map format version 2.0
bmaptool: info: 870400 blocks of size 4096 (3.3 GiB), mapped 743361 blocks (2.8 GiB or 85.4%)
bmaptool: info: copying image 'bone-debian-8.3-lxqt-4gb-armhf-2016-01-24-4gb.img.xz' to block device '/dev/sdb' using bmap file 'bone-debian-8.3-lxqt-4gb-armhf-2016-01-24-4gb.bmap'
bmaptool: info: 1% copied
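The one thing the procedure above cannot protect against is a wrong target device. The guard below is an added example, not from the original post: it refuses to run `bmaptool copy` unless the target is a whole removable disk that has nothing mounted from it. The sysfs directory and mounts file are parameters only so the check can be exercised on constructed input; the defaults are the real paths.

```shell
#!/bin/sh
# Added example, not from the original post: refuse to flash anything that is
# not an unmounted, removable, whole-disk device. Paths are parameterised for
# offline checks; defaults point at the live system.
set -eu

# $1 device path (e.g. /dev/sdb), $2 sysfs block dir, $3 mounts file.
# Returns 0 only for an existing, removable, unmounted whole-disk device.
target_is_safe() {
    dev=$1; sysblock=${2:-/sys/block}; mounts=${3:-/proc/mounts}
    name=${dev##*/}
    # partitions (sdb1) live under /sys/block/sdb/, not at the top level
    [ -e "$sysblock/$name" ] || { echo "$dev: not a whole disk (or absent)" >&2; return 1; }
    [ "$(cat "$sysblock/$name/removable" 2>/dev/null)" = "1" ] \
        || { echo "$dev: not a removable device" >&2; return 1; }
    # any mounted partition of it (sdb1, mmcblk0p1) blocks the write
    if grep -q "^$dev[0-9p]* " "$mounts"; then
        echo "$dev: a partition of it is mounted" >&2; return 1
    fi
    return 0
}

flash_image() {   # $1 image (.img.xz), $2 target device; not run by the checks
    target_is_safe "$2" || return 1
    # bmaptool verifies each mapped range's sha256 from the .bmap and, when a
    # detached <name>.bmap.asc exists, checks that signature with gpg first
    bmaptool copy "$1" "$2"
}
```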

Sunday, March 27, 2016

Google Cloud Platform - Compute Engine - command line examples



#list machine types
gcloud compute machine-types list

#list created instances
gcloud compute instances list

#create a redhat-6 instance with default machine type
gcloud compute instances create example-instance --image rhel-6 --zone us-central1-a

#delete redhat-6 instance
gcloud compute instances delete example-instance --zone us-central1-a

#create a ubuntu 15.10 instance with f1-micro machine type
gcloud compute instances create ubuntu1510-f1micro --image ubuntu-15-10 --zone us-central1-a --machine-type f1-micro

#create a ubuntu 15.10 instance with f1-micro machine type with HTTP/HTTPS enabled
#(the tags match the default network's default-allow-http/https firewall
# rules, which open ports 80 and 443 to 0.0.0.0/0)
gcloud compute instances create ubuntu1510-f1micro --image ubuntu-15-10 --zone us-central1-a --machine-type f1-micro  --tags http-server,https-server

#stop ubuntu 15.10 instance
gcloud compute instances stop ubuntu1510-f1micro  --zone us-central1-a

#start ubuntu 15.10 instance
gcloud compute instances start ubuntu1510-f1micro  --zone us-central1-a

#hard reset of the ubuntu 15.10 instance (like a power cycle: no clean shutdown)
gcloud compute instances reset ubuntu1510-f1micro  --zone us-central1-a


#ubuntu 15.10 instance change machine type to n1-standard-1 (the instance must be stopped first)
gcloud compute instances set-machine-type ubuntu1510-f1micro --machine-type n1-standard-1 --zone us-central1-a

#ubuntu 15.10 instance change machine type to g1-small
gcloud compute instances set-machine-type ubuntu1510-f1micro --machine-type g1-small  --zone us-central1-a

#ubuntu 15.10 instance change machine type to f1-micro
gcloud compute instances set-machine-type ubuntu1510-f1micro --machine-type f1-micro  --zone us-central1-a

#ubuntu 15.10 instance enable HTTP/HTTPS access
gcloud compute instances add-tags ubuntu1510-f1micro --zone us-central1-a --tags http-server,https-server







Wednesday, March 23, 2016

Ubuntu kernel rebuild


# Get source (needs a deb-src line for the running release in sources.list)
apt-get source linux-image-$(uname -r)

# Get build tools (as root)
apt-get build-dep linux-image-$(uname -r)

# Copy current config (run this and the following steps inside the unpacked source tree)
cp -v /boot/config-$(uname -r)   .config

# Customize config
make menuconfig

# parallel build: one job per CPU (a bare -j spawns unbounded jobs and can
# exhaust memory)
make -j$(nproc)

# Install kernel modules first (~260MB with debug symbols stripped)
make INSTALL_MOD_STRIP=1 modules_install

# Install kernel image (~6MB)
make install

# Reboot. The resulting image is unsigned: with UEFI Secure Boot enabled it
# will not boot until you sign it with your own key enrolled as a MOK.



References:
https://wiki.ubuntu.com/Kernel/BuildYourOwnKernel