Notes micki-foerster.de

ODOH clients in Go and Rust from Cloudflare

Hardware Memory Models

Rust

Kubernetes

Create a Microk8s Node

The following is based on this blog post.

sudo snap install microk8s --classic
alias kubectl='microk8s.kubectl'
kubectl get nodes
kubectl get po,svc --namespace kube-system

# Enable/disable dashboard
microk8s.enable dns dashboard
microk8s.diable dns dashboard

# Turn off k8s for a while
snap disable microk8s
# Turn it on again
snap enable microk8s

# Remove it completly
sudo snap remove microk8s

c’t References

c’t References

Wireguard

apt install wireguard wireguard-tools

Add interface in /etc/network/interfaces:

auto eth0
iface eth0 inet dhcp
iface eth0 inet6 auto

auto wg0
iface wg0 inet static
  address 192.168.42.1
  netmask 255.255.255.0
  pre-up ip link add wg0 type wireguard
  pre-up wg setconf wg0 /etc/wireguard/wg0.conf
  up ip link set wg0 up
  down ip link delete wg0 
iface wg0 inet6 static
  address fd00:42::1
  netmask 64

Enable router functionality by adding `/etc/sysctl.d/wireguard.conf:

net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1

Then enable this settings by

sysctl -p /etc/sysctl.d/wireguard.conf

Restart system now to see if everything work until here.

Enable NAT:

iptables -A FORWARD -i wg0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

ip6tables -A FORWARD -i wg0 -j ACCEPT
ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

To make these rules persistent:

apt install iptables-persistent

Wireguard Server

On the host which forwards packages between peers we use the configuration file /etc/wireguard/wg0.conf.

Create private key:

umask 077
wg genkey > /etc/wireguard/server.key
# /etc/wireguard/wg0.conf
[Interface]
ListenPort=40404
PrivateKeys=deadbeef...=

Alternative Configuration

Generate keys:

wg genkey | tee privatekey | wg pubkey > publickey

config file:

[Interface]
PrivateKey = <contents-of-server-privatekey>
Address = 10.0.0.1/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820

[Peer]
PublicKey = <contents-of-client-publickey>
AllowedIPs = 10.0.0.2/32

Start:

wg-quick up wg0

Status:

wg show

Enable SystemD service:

systemctl enable wg-quick@wg0

Alternative 2

Check configuration:

ifup wg0

You should see Waiting for DAD... Done.

Public Key

cat /etc/wireguard/server.key | wg pubkey

Client Site

Create private/public keypair for client:

wg genkey | tee /etc/wireguard/client1.key | wg pubkey
cat /etc/wireguard/client1.key

Set peer as allowed client in /etc/wireguard/wg0.conf:

[Peer]
PublicKeys=aabbccdd...=
AllowedIPs=192.168.42.100,fd00:42::100

Enable changed configuration

wg setconf wg0 /etc/wireguard/wg0.conf

Each client gets its own configuration file under /etc/wireguard/clients/ e.g. client1.conf:

[Interface]
PrivateKey=...
Address=192.168.42.100/24,fd00:42::100/64
DNS=1.1.1.1,2606:4700:4700::1111

[Peer]
PublicKey=...
Endpoint=meinwg.dyn6.net:40404
AllowedIPs=0.0.0.0/0,::/0

Alterantive configuration

[Interface]
Address = 10.0.0.2/32
PrivateKey = <contents-of-client-privatekey>
DNS = 1.1.1.1

[Peer]
PublicKey = <contents-of-server-publickey>
Endpoint = <server-public-ip>:51820
AllowedIPs = 0.0.0.0/0, ::/0

Note that setting AllowedIPs to 0.0.0.0/0, ::/0 will forward all traffic over the WireGuard VPN connection. If you want to only use WireGuard for specific destinations, set their IP address ranges in the list separated by a comma.

Start:

sudo wg-quick up wg0
# or
sudo systemctl start wg-quick@wg0

Stop:

sudo wg-quick down wg0
# or
sudo systemctl stop wg-quick@wg0

Get Configuration to the Clients

For mobile clients

apt install qrencode
cat /etc/wireguard/clients/client1.conf | qrencode -t ansiutf8

For further clients add [Peer] sections.

Formating/Reading output (JSON,XML)

# JSON:
curl ... | jq .
# XML: 
curl ... | xmllint --format -
# Read node value with Xpath
curl ... | xmllint --xpath "/mainnode/subnode/text()" -

SystemD

Service Types

Dependency to other service

# service that depends on important.service say A.service
Requires=important.service
After=important.service

Requires only defines a dependency but not an ordering. If you use only Requires in A.service, both services will be start together. Only if you use Requires and After then service A will be startet after the important service and will be only startet if the important service is available.

Webengine Notes

Web Engines

WebAssembly

Linux Performance Analysis

Rust / Go

12 factor apps

See here for details.

Yocto notes

Yocto notes

ssh with certain Keyfile

Do you know the message about too many login tries when trying to ssh to an remote host? Use this to pin the one and only correct key or also multiple keys:

ssh -o IdentitiesOnly=yes \
    -o IdentityFile=id1.key \
    -o IdentityFile=id2.key \
    -i id3.key \
    -i id4.key \
    user123@example.com

Linux Command Line Tools for Network Traffic

git SSL certificate verification error

Situation: You are working to build an Yocto image and one recipe fails with

git -c core.fsyncobjectfiles=0 ls-remote https://w1.fi/hostap.git  failed with exit code 128, output:
fatal: unable to access 'https://w1.fi/hostap.git/': server certificate verification failed. CAfile: none CRLfile: none

Quick hack is to disable the verification temporary. Don’t forget to enable it again!

git config --global http.sslverify false

OpenVPN

Cross compiling with Rust/rustc/cargo

When you encountered the following error while trying to cross compile:

error[E0463]: can't find crate for `std`
  |
  = note: the `armv7-unknown-linux-gnueabihf` target may not be installed

Then install missing files with

rustup target add armv7-unknown-linux-gnueabihf
rustup target add armv7-unknown-linux-gnueabi
# To also install arm-* files:
rustup target add arm-unknown-linux-gnueabihf
rustup target add arm-unknown-linux-gnueabi

Then you can cross compile with

CC=arm-linux-gnueabihf-gcc  rustc src/main.rs --target arm-unknown-linux-gnueabihf -C linker=arm-linux-gnueabihf-gcc

Please note that using cargo failed for me by using:

CC=arm-linux-gnueabihf-gcc  cargo build  --target arm-unknown-linux-gnueabihf

Mount partition inside an image

Assume you have an big image sda.img that contains multiple partitions and you want to mount only one of these partitions.

losetup /dev/loop101 sda.img
sfdisk -d /dev/loop101
...
/dev/loop101p10 : start=      229376, size=      786432, ...
...
losetup --detach /dev/loop101

The you take the value 229376 and calculate the offset by multiplying 512 (sector size).

>>> 512*229376
117440512

This value you take into account in the next losetup command:

losetup -o 117440512 /dev/loop101 sda.img
mkdir /tmp/partition
mount /dev/loop101 /tmp/partition

That’s it!

libvirt kvm qemu

Enable serial console on Ubuntu virtual machine

Frequent Problems

Debian Mirror Server for sources.lst

No USB devices under Linux Virtualbox

vim

Cross Compiling

Hacking

Reverse Engineering Tools

Example - Raspberry Pi as network capture device

Enable forwarding and NAT

#!/bin/sh
IPTABLES="/sbin/iptables"
INTDEV="eth0"
EXTDEV="eth1"
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
$IPTABLES -t nat -A POSTROUTING -j MASQUERADE

Install DHCP server

Use apt-get install isc-dhcp-server and configure /etc/dhcp/dhcpd.conf and /etc/default/isc-dhcp-server.conf.

You have to provide the dns server and the default gateway inside the subnet definition:

subnet 192.168.1.0 255.255.255.0 {
    range 192.168.1.20 192.168.1.30;
    option routers 192.168.1.1;
    option domain-name-servers 8.8.8.8,9.9.9.9;
}

Further details can be found here

Search for DHCP server with NMAP

nmap -sU -p 67 --script=dhcp-discover <target>

unbound

Load archive

# Edit /etc/unbound/unbound.conf: enable include: ...*.conf
cp 01_CacheForwarder.con /etc/unbound/unbound.conf.d/
unbound-checkconf
service unbound restart
dig @localhost ct.de
cp 02_Validate.conf /etc/unbound/unbound.conf.d/
curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache
# Enable root-hints: "/etc/unbound/root.hints"
unbound-anchor -v
dig @localhost dnssec.works
# If it works answer is ;;flags: qr rd ra ad;
# Update root.hints:
cp unbound_updates.sh /etc/cron.weekly
chmod 0755 unbound_updates.sh

BASH scripting

Arrays

declare -a list=("a 2" "b 3" "c 5")

for e in ""; do

  arr=($list)
  echo $list[0]
  echo $list[1]
done

SystemD

How to set text mode as default mode

systemctl set-default multi-user.target

CAN

CAN Interface Modules

See python-can project here.

CAN bus virtualization

Useful from above site are e.g. how to use virtualization for socket can:

$ sudo modprobe vcan
$ sudo ip link add dev virtcan0 type vcan
$ sudo ip link set up virtcan0 

Remote Debugging

start target binary on remote

arm-linux-gnu-gdbserver localhost:4711 ./targetbinary --help

on your host start gdb for target and connect to target system

arm-linux-gnu-gdb build/src/targetbinary
gdb>target remote 192.168.0.1:4711
gdb>b main
gdb>continue

Qemu Serial Device

original setting:

-serial mon:stdio -serial /dev/ttyS1 

this works fine:

-serial telnet:localhost:4321,server,nowait

does not work:

-chardev tty,path=/dev/ttyS2,id=hostserial -device pci-serial,chardev=hostserial