IT notes

vm-bhyve Pfsense

Install vm-bhyve and the firmware packages:

pkg add https://pkg.freebsd.org/FreeBSD:12:amd64/latest/All/vm-bhyve-1.4.2.pkg
pkg add https://pkg.freebsd.org/FreeBSD:12:amd64/latest/All/uefi-edk2-bhyve-g20210226,2.pkg
pkg add https://pkg.freebsd.org/FreeBSD:12:amd64/latest/All/uefi-edk2-bhyve-csm-0.2_3,1.pkg
pkg add https://pkg.freebsd.org/FreeBSD:12:amd64/latest/All/bhyve-firmware-1.0_1.pkg

Add to /etc/rc.conf.local:

vm_enable="YES"
vm_dir="zfs:tank/vms"
vm_delay="5"

Create the ZFS dataset tank/vms:

zfs create tank/vms

Initialize vm:

vm init

This should be run once after each host reboot before running any other vm commands.

Create the switch in pfSense first and then run:

vm switch create -t manual -b bridge0 public

In this case bridge0 is the name of the bridge created from the GUI interface.

vncserver

To start vncserver listening for connections from anywhere (not only localhost):

vncserver -localhost no :1

GPG RemoteForward

To forward your gpg-agent through your SSH session when using a Yubikey, for example to connect from macOS to a Linux VM, add this to ~/.ssh/config on the client:

Host foo
    Hostname X.X.X.X
    ForwardAgent yes
    RemoteForward /run/user/1000/gnupg/S.gpg-agent /Users/monkey/.gnupg/S.gpg-agent.extra
    RemoteForward /run/user/1000/gnupg/S.gpg-agent.ssh /Users/monkey/.gnupg/S.gpg-agent.extra.ssh

In each RemoteForward line the first path is the remote socket and the second is the local socket.

To find the local socket on your Mac/client, do:

gpgconf --list-dirs agent-extra-socket

To find the remote socket, in the Linux VM, do:

DTrace

To enable DTrace, ensure the kernel is compiled with:

makeoptions DEBUG=-g        # Build kernel with gdb(1) debug symbols
makeoptions WITH_CTF=1      # Run ctfconvert(1) for DTrace support
options KDTRACE_FRAME       # Ensure frames are compiled in
options KDTRACE_HOOKS       # Kernel DTrace hooks
options DDB_CTF             # Kernel ELF linker loads CTF data

Build the kernel, reboot, then load the DTrace modules:

kldload dtraceall

To profile, for example, redis-server:

dtrace -x ustackframes=100 -n 'profile-197 /execname == "redis-server" && arg1/ {@[ustack()] = count(); } tick-60s { exit(0); }' -o out.

pkg.txz.pubkeysig

If pkg can't be installed because pkg.txz.pubkeysig is missing, try this. Go to /usr/local/poudriere/data/packages/13amd64-default/.latest/Latest and sign the digest of pkg.txz with the repository key:

echo -n "$(sha256 -q pkg.txz)" | openssl dgst -sha256 -sign /usr/local/etc/ssl/keys/pkg.key -binary -out ./pkg.txz.pubkeysig
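The following is an added example, not part of the original notes: it reproduces the signing step above against a constructed pkg.txz and a throwaway RSA key pair, and then shows the matching verification with openssl, so you can confirm a generated pkg.txz.pubkeysig before publishing it. The key path and the payload are stand-ins; on the real host the private key is /usr/local/etc/ssl/keys/pkg.key. Note that what gets signed is the SHA-256 of pkg.txz written as a hex string, not the file bytes, so the verification must hash the same hex string.

```shell
#!/bin/sh
# Added example (not from the notes): sign pkg.txz as the note does and verify the result.
set -eu

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Constructed stand-in for pkg.txz; the real one lives under .../Latest in the poudriere tree
printf 'constructed package payload\n' > "$workdir/pkg.txz"

# Hypothetical throwaway key pair; on the real host the private key is /usr/local/etc/ssl/keys/pkg.key
openssl genrsa -out "$workdir/pkg.key" 2048 2>/dev/null
openssl rsa -in "$workdir/pkg.key" -pubout -out "$workdir/pkg.pub" 2>/dev/null

sha256_hex() {
    # portable stand-in for FreeBSD's `sha256 -q FILE` (prints only the hex digest)
    openssl dgst -sha256 "$1" | awk '{print $NF}'
}

sign_pkg() {
    # $1: directory holding pkg.txz, $2: private key -> writes $1/pkg.txz.pubkeysig
    # The signature covers the hex digest string, exactly like the note's command.
    printf '%s' "$(sha256_hex "$1/pkg.txz")" |
        openssl dgst -sha256 -sign "$2" -binary -out "$1/pkg.txz.pubkeysig"
}

verify_pkg() {
    # $1: directory holding pkg.txz and pkg.txz.pubkeysig, $2: public key
    # Returns 0 only when the signature matches the current contents of pkg.txz.
    printf '%s' "$(sha256_hex "$1/pkg.txz")" |
        openssl dgst -sha256 -verify "$2" -signature "$1/pkg.txz.pubkeysig" >/dev/null 2>&1
}

sign_pkg "$workdir" "$workdir/pkg.key"
verify_pkg "$workdir" "$workdir/pkg.pub" && echo "signature OK"

# Any change to pkg.txz after signing must make verification fail
cp "$workdir/pkg.txz" "$workdir/pkg.txz.orig"
printf 'tampered\n' >> "$workdir/pkg.txz"
verify_pkg "$workdir" "$workdir/pkg.pub" || echo "signature does NOT match the tampered file"
cp "$workdir/pkg.txz.orig" "$workdir/pkg.txz"
```

Run it as-is to see both outcomes; to check a real repository, point verify_pkg at the Latest directory and at the public key that the clients carry in their pkg configuration.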

Bhyve Ubuntu

In /etc/rc.conf:

cloned_interfaces="lo1 bridge0 tap0"
config_lo1="inet 127.0.1.1/8"
autobridge_interfaces="bridge0"
autobridge_bridge0="tap* igb0"
ifconfig_bridge0="addm igb0 addm tap0 up description bhyve"

In /boot/loader.conf:

vmm_load="YES"
nmdm_load="YES"

Check that you have:

sysctl net.link.tap.up_on_open=1

Create the volume:

zfs create -V100G -o volmode=dev tank/ubuntuvm

Install the UEFI firmware:

pkg install uefi-edk2-bhyve

This will create /usr/local/share/uefi-firmware/BHYVE_UEFI.fd

Set up and install (the fbuf VNC listener below binds to all interfaces without a password, so keep it on a trusted network or bind it to 127.0.0.1):

bhyve -AHP -w \
  -s 1:0,lpc \
  -s 2:0,virtio-net,tap0 \
  -s 3:0,ahci-cd,/tank/iso/ubuntu-20.04.2-live-server-amd64.iso \
  -s 4:0,virtio-blk,/dev/zvol/tank/ubuntuvm \
  -s 29,fbuf,tcp=0.0.0.0:5900,w=800,h=600,wait \
  -l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.

mail.rc

When using AWS SES, if you try to send mail to root you could get something like:

554 Transaction failed: Missing final '@domain'

AWS requires that both FROM and TO carry a @domain, so modify /etc/mail.rc and add the alias like:

alias root root<[email protected]>

vultr shutdown -o -n -r now

To prevent the system from hanging on “detaching uhub0”, reboot using the -n flag:

shutdown -o -n -r now

pip upgrade

Upgrade all outdated packages using:

pip list --outdated --format=freeze | grep -v '^\-e' | cut -d = -f 1 | xargs -n1 pip3 install --upgrade --user

gpg: selecting card failed: Operation not supported by device

If using a Yubikey and getting this:

gpg: selecting card failed: Operation not supported by device
gpg: OpenPGP card not available: Operation not supported by device

Add to ~/.gnupg/scdaemon.conf:

disable-ccid

To debug you could use:

reader-port Yubico Yubi
debug-all
debug-level guru
disable-ccid
log-file /tmp/scd.log

Pipenv Pyinstaller

Create a basic hello world using flask:

mkdir /tmp/project
cd /tmp/project

Create app.py:

from flask import Flask

app = Flask(__name__)

@app.route("/")
def hello():
    return 'Hello World!'

if __name__ == '__main__':
    app.run(host='0.0.0.0')

Install flask:

pipenv install flask

Test the app:

pipenv shell
python app.py

Install pyinstaller:

pipenv install pyinstaller

Create the requirements.txt:

pipenv run pip freeze > requirements.txt

Create the binary:

pyinstaller --onefile app.

ZFS encryption

Create an encrypted file system:

zfs create -o encryption=on -o keyformat=passphrase -o keylocation=prompt tank/test-enc

Check encryption:

$ zfs get encryption tank/test-enc
NAME           PROPERTY    VALUE        SOURCE
tank/test-enc  encryption  aes-256-gcm  -

Check status:

zfs get -p encryption,keystatus,keyformat,keylocation,encryptionroot
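As an added example (not from the original notes), the status check above can be turned into a small report that lists encrypted datasets whose key is not currently loaded, which is what you want to know after a reboot or before relying on a backup target. It reads the tab-separated output that `zfs get -H -p -o name,property,value encryption,keystatus` produces, so it works on captured output too; the sample below is constructed, and the dataset names other than tank/test-enc are made up.

```shell
#!/bin/sh
# Added example (not from the notes): report encrypted datasets whose key is not loaded.

report_locked() {
    # $1: file holding `zfs get -H -p -o name,property,value encryption,keystatus ...` output.
    # Prints one dataset per line where encryption is on but keystatus is not "available".
    awk -F'\t' '
        $2 == "encryption" { enc[$1] = $3 }
        $2 == "keystatus"  { ks[$1]  = $3 }
        END {
            for (ds in enc)
                if (enc[ds] != "off" && ks[ds] != "available")
                    print ds
        }
    ' "$1" | sort
}

# Constructed sample of zfs get output: an unencrypted pool root, the dataset from the
# note with its key loaded, and a hypothetical encrypted dataset whose key is not loaded.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
printf '%s\t%s\t%s\n' \
    tank            encryption  off \
    tank            keystatus   - \
    tank/test-enc   encryption  aes-256-gcm \
    tank/test-enc   keystatus   available \
    tank/backup     encryption  aes-256-gcm \
    tank/backup     keystatus   unavailable \
    > "$sample"

echo "datasets with unloaded keys:"
report_locked "$sample"
```

On a live host, feed it with `zfs get -H -p -o name,property,value encryption,keystatus > /tmp/enc.tsv` and pass that file; an empty report means every encrypted dataset is unlocked.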

ssh comment

Create a new RSA ssh key pair with a custom comment:

ssh-keygen -C "monkey" -t rsa -b 4096 -o -a 100 -f /tmp/monkey

fdesetup

To remove a user from the login screen shown at boot (the first login that unlocks the disk):

sudo fdesetup remove -user monkey

The user will no longer be listed on that login screen, but you will first need to log in with a user that can decrypt the disk and then switch to your user. Note this will not delete or remove the user account.

ssh only password

When using ssh, if you only want password authentication (no keys):

ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no <host>

yumdownloader

To download rpms for use in an offline environment, first install yumdownloader:

yum install yum-utils

Create a directory to store the rpms:

mkdir /tmp/rpms

Download the rpms together with their dependencies:

yumdownloader --destdir=/tmp/rpms --resolve MariaDB-server galera-4 MariaDB-client MariaDB-shared MariaDB-backup MariaDB-common

psql

To install the PostgreSQL client on macOS:

brew doctor
brew update
brew install libpq

Test:

$ psql -V
psql (PostgreSQL) 13.2

Flush DNS

To flush DNS on macOS: sudo killall -HUP mDNSResponder;sudo killall mDNSResponderHelper;sudo dscacheutil -flushcache

Centos Disable Ipv6

Edit /etc/default/grub and add ipv6.disable=1 to GRUB_CMDLINE_LINUX, for example:

# cat /etc/default/grub
GRUB_TIMEOUT=5
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="ipv6.disable=1 crashkernel=auto rhgb quiet"
GRUB_DISABLE_RECOVERY="true"

Then regenerate the grub config and reboot:

grub2-mkconfig -o /boot/grub2/grub.cfg

Alternatively, using sysctl (no need to reboot), append the lines below to /etc/sysctl.conf:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

Then run:

sysctl -p
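As an added example (not part of the original notes), here is a small checker for the two settings above, useful when auditing a fleet or confirming a config-management run: it reports whether a grub defaults file really carries ipv6.disable=1 in GRUB_CMDLINE_LINUX and whether a sysctl.conf style file sets both disable_ipv6 keys. File paths are parameters so it can run against copies; the sample files it creates are constructed.

```shell
#!/bin/sh
# Added example (not from the notes): verify that IPv6 is disabled in grub and sysctl config files.

grub_disables_ipv6() {
    # $1: /etc/default/grub style file. Returns 0 when the (uncommented) GRUB_CMDLINE_LINUX
    # line carries ipv6.disable=1 as a whole word, so ipv6.disable=10 does not count.
    grep -E '^GRUB_CMDLINE_LINUX=' "$1" |
        grep -Eq '(["[:space:]])ipv6\.disable=1(["[:space:]]|$)'
}

sysctl_disables_ipv6() {
    # $1: /etc/sysctl.conf style file. Returns 0 only when both keys are set to 1;
    # spaces around '=' are optional and commented-out lines are ignored.
    for key in net.ipv6.conf.all.disable_ipv6 net.ipv6.conf.default.disable_ipv6; do
        key_re=$(printf '%s' "$key" | sed 's/\./\\./g')
        grep -Eq "^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*1[[:space:]]*$" "$1" || return 1
    done
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed samples: a grub file with the setting from the note, and one where it is only commented out
cat > "$tmp/grub.on" <<'EOF'
GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX="ipv6.disable=1 crashkernel=auto rhgb quiet"
EOF
cat > "$tmp/grub.off" <<'EOF'
GRUB_TIMEOUT=5
# GRUB_CMDLINE_LINUX="ipv6.disable=1 crashkernel=auto rhgb quiet"
GRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet"
EOF

# Constructed samples: sysctl.conf with both keys, and one missing the "default" key
cat > "$tmp/sysctl.on" <<'EOF'
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6=1
EOF
cat > "$tmp/sysctl.off" <<'EOF'
net.ipv6.conf.all.disable_ipv6 = 1
# net.ipv6.conf.default.disable_ipv6 = 1
EOF

for f in grub.on grub.off; do
    if grub_disables_ipv6 "$tmp/$f"; then echo "$f: ipv6 disabled on kernel cmdline"; else echo "$f: ipv6 NOT disabled"; fi
done
for f in sysctl.on sysctl.off; do
    if sysctl_disables_ipv6 "$tmp/$f"; then echo "$f: ipv6 disabled via sysctl"; else echo "$f: ipv6 NOT disabled"; fi
done
```

On a real host call `grub_disables_ipv6 /etc/default/grub` and `sysctl_disables_ipv6 /etc/sysctl.conf`; remember that the grub check only tells you what the next boot will use until grub2-mkconfig has been run.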

storj

Set up and configure your jail, then create the user storj:

pw useradd -n storj -m

Clone, build and install the latest version:

git clone -b v1.14.7 https://github.com/storj/storj.git storj
cd storj
go install -race -v storj.io/storj/cmd/...

Create a dir to contain the identity and storage:

mkdir /mnt/storj
chown -R storj:storj /mnt/storj

In the main host create the file system to be used in the jail:

zfs create tank/storj

Create fstat.