Blog

sha256: 2b87a252a3d912530dd8c20df6bee7f6cbc4ede0074fdf217e318aab39d9736c

How to install Smokeping on Debian in 5 Minutes

Smokeping

Installer …

wget https://blog.stoege.net/scripts/smokeping_debian.sh

Set Hostname

root@smokeping:~# cat /etc/hostname
smokeping.planet

Install Packages

apt-get install apache2 borgbackup curl echoping fping hping3 htop ipcalc jq lftp lynx mlocate mtr nmap pwgen rsync sipcalc smokeping tmate tree tshark unzip vim vnstat wget zip

Enable Smokeping in Apache

cd /etc/apache2/conf-enabled
ln -s ../conf-available/smokeping.conf .

Enable Module CGI

a2enmod cgid
systemctl restart apache2

Some Smokeping Fixes

mkdir -p /var/run/smokeping

Tune General

cat << 'EOF' > /etc/smokeping/config.d/General
*** General ***

owner    = Franz Musterer
contact  = nospam@nomail.ch
mailhost = smtp-relay-host

# NOTE: do not put the Image Cache below cgi-bin
# since all files under cgi-bin will be executed ... this is not
# good for images.
cgiurl   = http://host211/smokeping/smokeping.cgi

# specify this to get syslog logging
syslogfacility = local0
# each probe is now run in its own process
# disable this to revert to the old behaviour
# concurrentprobes = no

@include /etc/smokeping/config.d/pathnames
EOF

Tune Databases

cat << 'EOF' > /etc/smokeping/config.d/Database
*** Database ***

step     = 300
pings    = 20
#step     = 60
#pings    = 59

# consfn mrhb steps total

AVERAGE  0.5   1  1008
AVERAGE  0.5  12  4320
    MIN  0.5  12  4320
    MAX  0.5  12  4320
AVERAGE  0.5 144   720
    MAX  0.5 144   720
    MIN  0.5 144   720
EOF

Tune Probes

cat << EOF > /etc/smokeping/config.d/Probes
*** Probes ***

+ FPing

binary = /usr/bin/fping


+ EchoPingHttp

binary = /usr/bin/echoping
forks = 5
offset = 50%
step = 300

# The following variables can be overridden in each target section
accept_redirects = yes
extraopts =
ignore_cache = yes
ipversion = 4
pings = 5
port = 80
priority = 6
revalidate_data = no
timeout = 20
tos = 0xa0
url = /
waittime = 1


+EchoPingHttps

binary = /usr/bin/echoping
forks = 5
offset = 50%
step = 300

# The following variables can be overridden in each target section
accept_redirects = yes
extraopts =
ignore_cache = yes
ipversion = 4
pings = 5
port = 443
priority = 6
prot = 3443
revalidate_data = no
timeout = 20
tos = 0xa0
url = /
waittime = 1


+EchoPingDNS

binary = /usr/bin/echoping
forks = 5
offset = 50%
step = 300

# The following variables can be overridden in each target section
dns_request = google.com
dns_tcp = no
dns_type = A
extraopts =
ipversion = 4
pings = 5
plugin = /usr/lib/echoping/dns.so
pluginargs = -p
priority = 6
timeout = 1
tos = 0xa0
waittime = 1
EOF

Tune Targets

cat << 'EOF' > /etc/smokeping/config.d/Targets
*** Targets ***

probe = FPing

menu = Top
title = Network Latency Grapher
remark = Welcome to the SmokePing website of xxx Company. \
         Here you will learn all about the latency of our network.

+ Local
menu = Local
title = Local Network

++ LocalMachine

menu = Local Machine
title = This host
host = localhost


+ Planet
menu = Planet
title = My Little Planet

++ host1
host = host1.planet

++ host2
host = host2.planet



+ Inet
menu = Internet
title = some Hosts on the Net

++ google
menu = google
title = google, 8.8.8.8
host = 8.8.8.8

++ switch
host = www.switch.ch

++ uzh
host = www.uzh.ch

++ blick
host = www.blick.ch



+ HTTP
menu = HTTP
title = some HTTP Probes
probe = EchoPingHttp

++ example-net
host = www.example.net

++ example-ch
host = www.example.ch

++ example-com
host = www.example.com

EOF

Restart Smokeping

systemctl restart smokeping

Browse

http://IP-OF-HOST/smokeping

Requirement

Webserver http
Webserver https
Protected Folder https://egal.com/protected with Client Certificate

/etc/httpd.conf

# $OpenBSD: httpd.conf,v 1.20 2018/06/13 15:08:24 reyk Exp $

server "*" {
  listen on * port 8080
  location "/.well-known/acme-challenge/*" {
    root "/acme"
    request strip 2
  }
}

/etc/nginx/nginx.conf

# Take note of http://wiki.nginx.org/Pitfalls

#user  www;
worker_processes  1;

#load_module "modules/ngx_stream_module.so";

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;
#error_log  syslog:server=unix:/dev/log,severity=notice;

#pid        logs/nginx.pid;

worker_rlimit_nofile 1024;
events {
    worker_connections  800;
}


http {
    include       mime.types;
    default_type  application/octet-stream;
    index         index.html index.htm;

    #access_log  logs/access.log  main;

    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    server_tokens off;

    server {
        listen       80;
        listen       [::]:80;
        server_name  localhost;
        root         /var/www/htdocs;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root  /var/www/htdocs;
        }
    }


    # HTTPS server
    server {
        listen       443 ssl;
        server_name  localhost;
        root         /var/www/htdocs;

        ssl_certificate      /etc/ssl/puffy201.planet.crt;
        ssl_certificate_key  /etc/ssl/private/puffy201.planet.key;

        ssl_session_timeout  5m;
        ssl_session_cache    shared:SSL:1m;

        ssl_ciphers  HIGH:!aNULL:!MD5:!RC4;
        ssl_prefer_server_ciphers   on;

        ssl_client_certificate /etc/ssl/root_ca.crt;
        ssl_verify_client optional;


    location /secure
    {
        if ($ssl_client_verify != SUCCESS) {
             return 403;
        }

        proxy_pass  http://127.0.0.1:8080;

        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;

        ### Set headers ####
        proxy_headers_hash_max_size 51200;
        proxy_headers_hash_bucket_size 6400;
        proxy_set_header        Accept-Encoding   "";
        proxy_set_header        Host            $host;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_set_header        X-Forwarded-Proto $scheme;
        add_header              Front-End-Https   on;

        proxy_redirect     off;
    }

    location /
    {
        proxy_pass  http://127.0.0.1:8080;

        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;

        ### Set headers ####
        proxy_headers_hash_max_size 51200;
        proxy_headers_hash_bucket_size 6400;
        proxy_set_header        Accept-Encoding   "";
        proxy_set_header        Host            $host;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_set_header        X-Forwarded-Proto $scheme;
        add_header              Front-End-Https   on;

        proxy_redirect     off;
      }
    }
}

Any Comments ?

sha256: 66399e64ba490e0bdaa65dac27a679891a89c1a99ae57055b73fb3839cb2ee76

NGINX with Client Certificates

root@debian:/etc/nginx/sites-available#
server {
  listen 80;
  listen [::]:80;

  server_name host198.planet;
  root /var/www/host198.planet;

  access_log /var/log/nginx/host198.planet;
  index index.html;

  location / {
    try_files $uri $uri/ =404;
  }
}

server {
  listen 443 ssl;
  listen [::]:443 ssl;

  server_name host198.planet;
  root /var/www/host198.planet;

  ssl_certificate /etc/ssl/private/fullchain.crt;
  ssl_certificate_key /etc/ssl/private/host198.planet.key;

  ssl_protocols TLSv1.1 TLSv1.2;
  ssl_ciphers HIGH:!aNULL:!MD5;

  ssl_client_certificate /etc/ssl/private/ca.crt;
  ssl_verify_client optional;

  access_log /var/log/nginx/host198.planet;
  index index.html;

  #location / {
  #        try_files $uri $uri/ =404;
  #}
  location / {
    # if the client-side certificate failed to authenticate, show a 403
    # message to the client
    if ($ssl_client_verify != SUCCESS) {
      return 403;
    }
  }
}

Any Comments ?

sha256: dbf64919ee3864f77b78f71f2b4b70d6794d96dd3dbbe1ae9ce3442cda571c26

Running a Promox Cluster with CEPH.

Here a few Commands to figure out the Status of CEPH

ceph status
ceph osd status
pveceph lspools
ceph pg dump

Manual Backup

vzdump 777 --dumpdir /mnt/backup --mode snapshot

Manual Restore

qmrestore /mnt/backup/vzdump-qemu-777.vma 777

Proxmox Performance Overview

Intel Nuc I5, 32GB RAM, 500GB SSD

root@nuc:~# pveperf
CPU BOGOMIPS:      36799.44
REGEX/SECOND:      3927398
HD SIZE:           93.99 GB (/dev/mapper/pve-root)
BUFFERED READS:    522.34 MB/sec
AVERAGE SEEK TIME: 0.11 ms
FSYNCS/SECOND:     1588.49
DNS EXT:           49.40 ms
DNS INT:           0.65 ms (planet)

Remove Cluster Config

Source: Proxmox Forum

Voraussetzungen

login mit ssh und key auf den switch
braucht ein “enable” command ohne passwort, um in den enable mode zu gelangen

install Rancid

pkg_add rancid

Update Config

vim /etc/rancid/rancid.conf

RCSSYS=git; export RCSSYS
LIST_OF_GROUPS="switches"; export LIST_OF_GROUPS

Switch User

su - _rancid

.cloginrc

cat << 'EOF' >> .cloginrc
add user        * backupuser
add password    * passwort enablepasswort
add method      * ssh
EOF
chmod 600 .cloginrc

Build Env & Directories

rancid-cvs

Router.db

switch1;cisco;up
switch2;cisco;up
switch3;cisco;up
switch4;cisco;up
switch5;cisco;up

Update clogin File

needed ???

IPv6 Client mit OpenBSD

Stateless Autoconfig

ifconfig vether0 slaacd

falls der Router im RA ein “Managed Address Configuration: Set” schickt, muss der Client eine DHCPv6 Anfrage an den DHCPv6 Server schicken. OpenBSD hat das im Base System nicht drin, drum installieren wird den Client

pkg_add dhcpcd

umweg ~# cat /etc/dhcpcd.conf
ipv6only
noipv6rs
duid
persistent
option rapid_commit
require dhcp_server_identifier

# disable running any hooks; not typically required for simple DHCPv6-PD setup
script ""

# List interfaces explicitly so that dhcpcd doesn't touch others
allowinterfaces vether0

interface vether0
        # the following two lines tell dhcpcd to do router solicitation
        # itself. don't use them if using "inet6 autoconf" (slaacd)
        ipv6rs
        ia_na 1

und last but not least den Service enablen und restarten

like ssh and secure keys ?

Generate Secure Key

ssh-keygen -o -a 100 -t ed25519 -C "MyFamousComment"
ssh-keygen -o -a 100 -t ed25519 -C "$(whoami)@$(hostname)"
ssh-keygen -o -a 100 -t ed25519 -C "$(whoami)@$(hostname) at $(date \"+%Y-%m-%d\")"
ssh-keygen -o -a 100 -t ed25519 -C "$(whoami)@$(hostname) at $(date \"+%Y-%m-%d %H:%M\")"

What’s ed25519 ?

Wikipedia about Curve25519

$2^{{255}}-19$

Distribute Key

ssh-copy-id user@remotehost

Connect to Remote

Connect to Remove without Agent Forwarding (use this unless you know what you’re dooing …)

ssh -a remotehost

Connect with Agent Forwarding

or if you need Agent Forwarding

how to update hugo

you can use ports (pkg_add hugo) and get the lastest stable hugo package based on OpenBSD release cycles (2 x year), or grab the latest binary from github and put it on your machine.

Releases: https://github.com/gohugoio/hugo/releases

cd /tmp
ftp https://github.com/gohugoio/hugo/releases/download/v0.62.0/hugo_0.62.0_OpenBSD-64bit.tar.gz
tar xfz hugo_0.62.0_OpenBSD-64bit.tar.gz
doas mv hugo /usr/local/bin/

or find latest automatically

doas su -
cd /tmp/
u=$(lynx -dump -listonly https://github.com/gohugoio/hugo/releases/latest |grep "OpenBSD-64bit" |sed 's/.*https/https/')
f=$(echo $u |sed 's/.*\///')
ftp $u
tar xfz $f
doas mv hugo /usr/local/bin/
rm $f

or extract automatically

How to migrate all Packages

Got several Packages installed on Host A and you would like to migrate them to Host B ? That’s easy :)

Extract on Host A

pkg_info -mz | tee list
ansible--
bash--
...
vnstat--
wget--

scp list HostB:/tmp/

Import on Host B

doas pkg_add -l /tmp/list

Oneline

or you can simple do it in one line, although there are two commands. copy and install

Install

doas pkg_add scamper

Scamper

umweg ~# scamper -c "trace -M" -i 8.8.8.8
traceroute from 130.60.xx.xx to 8.8.8.8
 1  130.60.xx.xx 0.418 ms [mtu: 1500]
 2  130.60.xx.xx 0.411 ms [mtu: 1500]
 3  10.1.1.209  1.658 ms [mtu: 1500]
 4  10.1.0.54  2.284 ms [mtu: 1500]
 5  10.20.128.37  0.848 ms [mtu: 1500]
 6  192.41.136.65  0.994 ms [mtu: 1500]
 7  192.41.136.1  0.774 ms [mtu: 1500]
 8  72.14.195.4  1.491 ms [mtu: 1500]
 9  74.125.243.161  2.975 ms [mtu: 1500]
10  172.253.50.23  2.530 ms [mtu: 1500]
11  8.8.8.8  1.901 ms [mtu: 1500]

Source

https://www.caida.org/tools/measurement/scamper/