System Administration

Sort of CDN to serve client-side libraries via an auto-pull git repo on tmpfs

/ chirale / Leave a comment

This configuration will allow to install on a Debian-based system a fast server for client libraries. Key technologies used are:

  • tmpfs to serve files from volatile memory
  • git / mercurial from github / bitbucket to get files from a public or private repository
  • systemd units to mount tmpfs and sync
  • nginx to serve files to user

On this first step you’ll create a service to reserve some RAM for static files, pulling them from a private or public repo.

Mount tmpfs with systemd

To serve files directly from RAM, you have to mount a tmpfs directory. You can do it on fstab:

/etc/fstab

tmpfs /mnt/cdn tmpfs rw,nodev,nosuid,size=300M 0 0

Or with a systemd unit:

/etc/systemd/system/mnt-cdn.mount

[Unit]
Description=Mount empty CDN directory on volatile memory

[Mount]
What=tmpfs
Where=/mnt/cdn
Type=tmpfs
Options=defaults,noatime,size=300M

[Install]
WantedBy=multi-user.target
  • noatime will disable last access on contained files, reducing write on disk
  • size will reserve 300MB for /mnt/cdn partition on RAM (increase as needed)
  • WantedBy=multi-user.target mount the partition on runlevel 3 (multi-user mode with networking)

Create two units on a local path like /usr/local/share/systemd then create a symlinks on /etc/systemd/system or create directly them on /etc/systemd/system. You can also directly create them on /usr/local/share/systemd.

Create the pull service

When the /mnt/cdn is successfully loaded, pull static files from your repository.

/etc/systemd/system/cdn-pull.service

[Unit]
Description=Pull on CDN directory.
BindsTo=mnt-cdn.mount

[Service]
User=youruserhere
Group=youruserhere
ExecStart=/usr/local/share/systemd/cdn-pull.sh

[Install]
WantedBy=mnt-cdn.mount
  • Clone the git repository with a user on system using a key with an alias
  • Change youruserhere to the user who cloned the repository
  • Add to /root/.ssh/config and to  /root/.ssh/my_private_key the private key to do the pull
  • WantedBy=mnt-cdn.mount copy the files to RAM only after the /mnt/cdn is created

On pull, all files will be written by root as youruserhere:youruserhere.

After the pull, to reduce RAM occupation, this script doesn’t download directly to RAM .git directory but copy them with rsync excluding them:

/usr/local/share/systemd/cdn-pull.sh

#!/bin/bash
# stop on first error
set -e
cd /srv/cdn-all
git pull
exec rsync -a --exclude=.git --exclude=.gitignore /srv/cdn-all/* /mnt/cdn/

Get systemd to know about the mount and service

To reload systemd units, you have to

systemctl daemon-reload

Then do the mount via the systemd unit:

systemctl start mnt-cdn.mount

Enable on boot

Since the cdn-pull.service is tied to mnt-cdn.mount, both have to be enabled to run:

systemctl enable mnt-cdn.mount
systemctl enable cdn-pull.service
  1. When the system is ready create the tmpfs on /mnt/cdn/
  2. After tmpfs is successfully created by the unit, the file will be automatically synced through cdn-pull.service.

Mount will auto-start sync

Start only the mnt-cdn.mount:

systemctl start mnt-cdn.mount

And then ask for info about both services:

systemctl status mnt-cdn.mount
systemctl status cdn-pull.service
  • mnt-cdn.mount have to be active (mounted)
  • cdn-pull.service should be active (script is running) or inactive (sync is completed). In both cases, it’s ok.

With this set-up, when you restart the mnt-cdn.mount files will be automatically pulled and synced to RAM when system starts and when you start or restart mnt-cdn.mount service.

Next you can serve these files on nginx and the final step could be to auto-detect push to update files automagically.

See also

Advertisements

Create a Windows 10 recovery disk on Linux

/ chirale / Leave a comment

In this howto there are the steps to follow when a Windows 10 OS is not bootable anymore and you haven’t a recovery disk. This is a typical case after a new OS will be installed on Dual boot or boot partition was altered.

    1. Download Windows 10 iso:
      1. Download the official Windows 10 image
    2. Prepare USB to be bootable:
      1. Open GParted with 
        gparted /dev/DEVICE-TO-ERASE
      2. Select the USB drive
      3. Device > New partition table
      4. Select GPT
      5. Apply: this will delete any data on the USB
      6. Create a new NTFS partition then Apply (do not use FAT32 since some files can be greater than 4GB)
      7. Close GParted
    3. Write files:
      1. Unplug and plug USB
      2. Copy all Windows files to the empty USB drive using 7zip with: 
        7z x -y -o/media/user/path-to-USB/ Win10_1809Oct_Italian_x64.iso
      3. If something goes wrong during copy, you can mount the ISO image then rsync the source with the USB drive (the trailing slash is important): 
        cd path/to/usb/drive
rsync -avzp /media/myuser/CCCOMA_X64FRE_IT-IT_DV91/ .
      4. umount
    4. Add boot flag
      1. Open the
      2. Select the new partition then
      3. Select Partition > Manage flags
      4. Select boot flag (esp will be auto-selected)
  1. Use windows tools
    1. Follow this howto by MS to recover MBR, restore BCD or similar actions

You can follow these steps to write on a USB a recovery ISO from windows the same way.

Disable password authentication on sshd

/ chirale / Leave a comment

To disallow password authentication on ssh, adduser –disabled-password will not disable openSSH password.

To disable the password authentication, you have to put these values on /etc/ssh/sshd_config to:

PasswordAuthentication no
UsePAM no
PermitRootLogin no

Then you’ve to:

systemctl restart sshd

to apply changes.

Connection will not be reset so before logout try to login on a different terminal to check you can login.

Actually PermitRootLogin disable the root login for any method, but it’s an useful addition. Remember to add at least one user to the sudo group or you will not be able to operate as super-user without using su – root.

To check if password auth is disabled:

ssh -o PreferredAuthentications=password USER@HOST

Exprected output is:

USER@HOST: Permission denied (publickey).

Partition a new disk on linux using fdisk, lsblk and mkfs

/ chirale / Leave a comment

First, you’ve to create a new partition.

You can list all available storage device with:

lsblk

If your disk is new, the new device will appear empty (without children on the tree).

Then:

fdisk /dev/sdc

Press m to show the manual.

To create a partition larger than 2TB, you’ve to use a GPT partition (g) then create a new extended partition (n) then with (p) it will show you how the partition will like before you write (w) them.

Then, lsblk will show the device with the new partition, e.g.:

sdc 8:32 0 3.5T 0 disk 
└─sdc1 8:33 0 3.5T 0 part

Then format the new partition /dev/sdc1 with the specified filesystem (e.g. ext4):

mkfs -t ext4 /dev/sdc1

If you haven’t take not of the UUID shown by mkfs after format, use blkid command to list the UUID of the device, so if device name change the fstab is still valid.

And add to /etc/fstab (put the last 0 to 1 to check filesystem on startup):

UUID=xxxxxxx-xxx-xxxx-xxx-xxxx /mnt/mydata ext4 defaults 0 0

To get the UUID later:

sudo blkid /dev/sdc1

Create the mount directory with:

mkdir /mnt/mydata

Then mount the new partition with:

mount /mnt/mydata

Get number of files or directory using tree

/ chirale / Leave a comment

Tree is an useful linux command to display a tree representation a full directory structure or a part of it.

On a Debian based distro like Ubuntu install:

sudo apt-get install tree

The last line of tree print a line like this:

346 directories, 174 files

If you’re changing files and directories and you want a real-time update of files and directories number, you can use watch.

watch -n 20 'tree | tail -n 1'

Tree will print the tree, tail will extract the last line, then watch will refresh the result every 20 seconds.

Nginx configuration for Django

/ chirale / Leave a comment

Django is a powerful framework for building websites. To run a production website, usually an application server is used. So nginx will do two basic things:

  • Serve your Django application from the application server port to the web port (Reverse Proxy)
  • Serve static and media files

The application server used in this example is gunicorn, the application server chosen by Instagram of the earlier days, but it can be anything running on port 9999. Change port number as required in the example.

The following nginx conf was adapted from this, with some additions and it contains:

  • a commented non www to www website redirect
  • gzip for javascript, json, css and proxy routes
  • media files with etag (1 year)
  • static files with etag (1 minute)
  • an host-based favicon distributor (reusable as is)
  • a commented basic auth to make a website private
  • reverse proxy to gunicorn
  • a simple block for a common type of malicious activity

It works fine with Django 1 and 2.

# Howto: https://chirale.org/2018/08/23/nginx-configuration-for-django/
# uncomment for redirect
# server {
#    # redirect WITH www from example.com and example.net
#    listen 80;
#    server_name example.com example.net;
#    return 301 http://www.example.com$request_uri;
# }

server {
    listen	80;
    # the domain name it will serve for
    server_name www.example.com;
    charset     utf-8;

    # max upload size
    client_max_body_size 75M;

    # enable gzip for proxy requests
    gzip on;
    gzip_proxied any;
    gzip_vary on;
    gzip_http_version 1.1;
    gzip_types application/javascript application/json text/css text/xml;
    gzip_comp_level 4;

    # @see http://uwsgi-docs.readthedocs.org/en/latest/tutorials/Django_and_nginx.html#configure-nginx-for-your-site

    # Django media
    location /media  {
        etag on;
        expires 365d;
        alias /path/to/media_root;  # your Django project's media files - amend as required
    }

    location /static {
        etag on;
        expires 1m;
        alias /path/to/static_root; # your Django project's static files - amend as required
    }

    location /favicon.ico {
        # all favicons inside /path/to/favicons/ this directory
        # notation: www.example.com.ico
       alias /path/to/favicons/$host.ico;
    }

    location / {
        # an HTTP header important enough to have its own Wikipedia entry:
        #   http://en.wikipedia.org/wiki/X-Forwarded-For
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # enable this if and only if you use HTTPS, this helps Rack
        # set the proper protocol for doing redirects:
        # proxy_set_header X-Forwarded-Proto https;

        # pass the Host: header from the client right along so redirects
        # can be set properly within the Rack application
        proxy_set_header Host $http_host;

        # we don't want nginx trying to do something clever with
        # redirects, we set the Host: header above already.
        proxy_redirect off;

        # set "proxy_buffering off" *only* for Rainbows! when doing
        # Comet/long-poll stuff.  It's also safe to set if you're
        # using only serving fast clients with Unicorn + nginx.
        # Otherwise you _want_ nginx to buffer responses to slow
        # clients, really.
        # proxy_buffering off;

        # Uncomment for maintenance
        ### auth_basic "Insert password here";
        ### auth_basic_user_file /path/to/.htpasswd;

        proxy_connect_timeout       30000;
        proxy_send_timeout          30000;
        proxy_read_timeout          30000;
        send_timeout                30000;

        # @see https://eng.eelcowesemann.nl/linux-unix-android/nginx/nginx-blocking/ and seositecheckup.com
        if ($http_user_agent ~ "libwww-perl") {
          return 403;
          break;
        }

        # Try to serve static files from nginx, no point in making an
        # *application* server like Unicorn/Rainbows! serve static files.
        if (!-f $request_filename) {
            proxy_pass http://localhost:9999;
            break;
        }
    }
}

Run nginx -t to check and then systemctl reload nginx to apply.

This is a http version, to configure the website for https follow this howto.

nginx: [emerg] open() “/usr/share/nginx/off” failed (13: Permission denied) [SOLVED]

/ chirale / Leave a comment

After a failed restart of the nginx server, you can get this error typing journalctl -xe:

nginx: [emerg] open() “/usr/share/nginx/off” failed (13: Permission denied) [SOLVED]

This is caused by a misconfiguration of nginx.conf or a conf inside the /etc/nginx/conf.d/ directory where there’s something like:

error_log off;

This is the wrong way to disable logs. Nginx is actually trying to write a file called off inside the default folder.

The right way

To disable error_log simply do not declare it in your .conf file.

To stop logging accesses, you can disable access_log writing in your .conf file:

access_log off;