Month: November 2021

Create certificate in Synology NAS with self signed CA

If the CA certificate is managed by the Synology NAS, the following steps can be used to create a certificate under that CA.

Create certificate request

  1. Go to Control Panel -> Security -> Certificate
  2. Select CSR
  3. Select Create certificate signing request (CSR)
  4. Fill in the required information
  5. Select Download; the CSR is downloaded to the local machine

The downloaded archive contains two files, server.key and server.csr.

Sign certificate

  1. Go to Control Panel -> Security -> Certificate
  2. Select CSR
  3. Select Sign certificate signing request (CSR) and select the root certificate to be used
  4. Use the Browse button to select the CSR file from the previous step
  5. Select Download; the CSR is downloaded to the local machine. The CSR file should be in the archive folder, named server.csr
  6. In Subject Alternative Name, put both the server's full name and its short name, or other names if the server plays multiple roles.
  7. Click Download; a file named server.crt is downloaded locally.

Import generated certificate

You now have three files:

  • The certificate file, named server.crt
  • The private key file, named server.key
  • The intermediate certificate file, such as syno-ca-cert.pem or another CA intermediate certificate

    They can also be imported into the Synology certificate app for certificate management.

  1. Go to Control Panel -> Security -> Certificate
  2. Select Add -> Add
  3. Select Add a new certificate
  4. Select Import certificate
  5. Click the Browse button for Private Key and select the server.key file
  6. Click the Browse button for Certificate and select the server.crt file
  7. Click the Browse button for Intermediate Certificate and select the syno-ca-cert.pem file
  8. Click the OK button
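An added check before the import, not part of the original post: confirm with openssl that server.key belongs to server.crt, that the certificate validates against the downloaded CA file, and that the Subject Alternative Name entered in step 6 is really present. The file names are the post's; openssl 1.1.1 or newer is assumed.

```shell
#!/bin/bash
# Added example (not from the original post): check the key/cert/CA trio
# before importing it. Assumes openssl (1.1.1 or newer, for `x509 -ext`).

# 0 when the private key's public half equals the certificate's public key.
key_matches_cert() {
    local key="$1" crt="$2"
    local k c
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$crt" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 when the certificate validates against the CA file (the root, or the
# intermediate plus root concatenated, e.g. syno-ca-cert.pem).
cert_chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 0 when the Subject Alternative Name list contains DNS:<name> exactly.
cert_has_san() {
    local crt="$1" name="$2"
    openssl x509 -in "$crt" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -Fqx "DNS:$name"
}

# Run all three checks and say which one failed.
check_bundle() {
    local key="$1" crt="$2" ca="$3" name="$4"
    key_matches_cert "$key" "$crt" || { echo "key does not match cert" >&2; return 1; }
    cert_chains_to_ca "$crt" "$ca" || { echo "cert does not chain to CA" >&2; return 1; }
    cert_has_san "$crt" "$name"    || { echo "SAN DNS:$name missing" >&2; return 1; }
}
```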

Add root certificate to MacOS

If you have your own root certificate, as I do, follow the steps below to add it to macOS.

Browser vs OS level installation

When accessing a server whose certificate was signed by your own root certificate, and that root is not installed locally, the browser shows a warning; you then have to choose to trust the certificate in order to continue.

That action only trusts that machine's certificate, and only in the browser; in particular it only does the following:

  • Trusts the machine certificate, not the root certificate
  • Trusts it only in the browser currently in use

The benefits of installing the root certificate at the OS level are:

  • All applications trust the certificate
  • Only a one-time installation is required
  • Trusted for all users on the system (not in Firefox)

Download certificate

Provided by the issuer

Go to the issuer software, such as the Synology NAS, download from its certificate store, and extract the CA certificate, such as example-ca-cert.pem.

From browser with root certificate

The root certificate can also be downloaded from the browser if it has already been trusted there. For example, in Firefox:

  • Click the lock icon beside the URL => Connection secure => More information; the Page Info window appears
  • Click View Certificate in the Security tab; the certificate information page opens in a new browser tab
  • Look for the chain certificate. In Firefox, it is under Miscellaneous => Download PEM (chain)
  • Click the chain certificate link and save it locally

Note: The downloaded chain file contains both the server certificate and the root certificate. Delete the server certificate with a text editor if possible. If the server certificate has been installed in the keychain, it can be removed from the keychain later too.
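As an added example that is not part of the original post: the "delete the server certificate" step done with awk instead of a text editor (the chain file lists the server certificate first, then the CA certificates), plus the command-line form of the keychain steps below using the macOS security tool, which is assumed to be available and needs sudo.

```shell
#!/bin/bash
# Added example (not from the original post). Keeps only the CA part of a
# "Download PEM (chain)" file from Firefox (server cert first, then the
# issuing CA certs), then installs the CA into the System keychain.
# Assumes the order server -> intermediate -> root; install_root_macos
# only works on macOS (the `security` CLI) and needs sudo.

# Print every certificate block except the first one (the server/leaf cert).
strip_leaf_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } n >= 2 { print }' "$1"
}

# Number of PEM certificate blocks in a file (prints 0 when there are none).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# CLI equivalent of the Keychain Access steps: add the CA to the System
# keychain and mark it "Always Trust" as a root (-r trustRoot).
install_root_macos() {
    sudo security add-trusted-cert -d -r trustRoot \
        -k /Library/Keychains/System.keychain "$1"
}
```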

Install certificate

Use the following steps to install the CA certificate into the keychain:

  • Double-click the certificate file (with a ".pem" or ".cer" extension)
  • Choose "System" from the keychain option, then press "Add" and enter your password to install

Set certificate "Always Trust"

To set system-wide trust, use the following steps:

  • Open the Keychain Access application
  • Look for the root certificate and double-click it
  • Expand the Trust section
  • Select "Always Trust" from the "When using this certificate" list

Delete server certificate if needed

If the server certificate was also installed, it is best to delete it from the keychain and from the browser certificate store. Otherwise a successful connection may wrongly suggest that the root installation worked.

  • Open the Keychain Access application
  • Look for the server certificate
  • Right-click it, then select Delete certificate

Firefox Only

Firefox has its own certificate store and does not accept the system certificates by default, so use the following steps to enable the system certificates for the current user.

  • Open a new tab and type about:config
  • Search for security.enterprise_roots.enabled
  • Change it to true by double-clicking the line

Note: This only enables trust for the current user.

Reboot

Verify

Use the browser to access another website that uses the same root certificate; the certificate-not-trusted page should not appear.

Script to delete old docker images

A script to schedule as a task that deletes old docker images.

Assumption

It is assumed that there is normally a local copy of the image. If not, operate directly on the registry server, or pull the image locally before running the script.

Prereq

The following information should be set as environment variables.

user=username
password=password
registry=registry.example.net
repo=repo

List images

List by image date

This is for local images: list the digests of all images created more than 30 days ago.

docker images $registry/$repo --digests --format "{{.Repository}} {{.Tag}} {{.ID}} {{.Digest}} {{.CreatedAt}}" | awk '{if ($5 < strftime("%Y-%m-%d", systime()-3600*24*30)) {print $1,$2,$3,$4}}'

List by tags

List all tags in the format YYYYMMDD that are older than 30 days.

TAG_LIST=`curl -s https://$user:$password@$registry/v2/$repo/tags/list | jq '.tags[] | select(. < (now-3600*24*30 | strftime("%Y%m%d")) )'`

Note: strflocaltime can be used if your jq supports it.
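An added example (not from the original post) of the same tag selection done more strictly than the jq one-liner above: as plain strings, tags such as "2.0" or "1.12" sort before "20211101" and would be selected for deletion, so this version only accepts tags that are exactly eight digits. Input is one tag per line, as `jq -r '.tags[]'` prints it; the cutoff helper assumes GNU date.

```shell
#!/bin/bash
# Added example (not from the original post): pick date-style tags older
# than a YYYYMMDD cutoff. Only tags that are exactly eight digits qualify,
# so version-like tags ("2.0", "1.12") and names ("latest") are never
# selected, although a plain string comparison would pick some of them.

# Reads tags from stdin (one per line) and prints the ones to delete.
old_date_tags() {
    local cutoff="$1"
    awk -v cutoff="$cutoff" '
        length($0) == 8 && $0 ~ /^[0-9]+$/ && ($0 + 0) < (cutoff + 0) { print }'
}

# YYYYMMDD for "N days ago" (GNU date is assumed; macOS would need date -v-Nd).
cutoff_days_ago() {
    date -u -d "$1 days ago" +%Y%m%d
}
```

Used in the delete loop as `... | jq -r '.tags[]' | old_date_tags "$(cutoff_days_ago 30)" | while read -r tag`.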

Query remote manifest by tag

Using docker command

docker manifest inspect $registry/$repo:$tag -v | jq '.Descriptor.digest'

or using rest api

curl -v --silent -H "Accept: application/vnd.docker.distribution.manifest.v2+json" -X GET https://username:password@registry.example.net/v2/${repo}/manifests/20210624 2>&1 | grep Docker-Content-Digest | awk '{print ($3)}'

Delete tags

Delete from registry

curl -X DELETE https://$user:$password@$registry/v2/${repo}/manifests/sha256:xxxxxxxxxxxxxxxx

Delete from local

Delete the image using its image id.

docker rmi $image_id

Script

#!/bin/bash
# Delete images older than keep_days from the registry and from the local
# docker host. Credentials come from set_env.sh (see Prereq above).
set -uo pipefail   # no -e: one failed delete should not stop the loop

. ./set_env.sh

user=USERNAME             # placeholders; override in set_env.sh
password=$PASSWORD
repo=${1:-repo_name}
registry=REGISTRY_NAME
keep_days=30

## List all local docker images older than keep_days, delete them from the
## registry (by digest) and locally (by tag, so an id shared by several
## tags does not make docker rmi fail)
docker images "$registry/$repo" --digests --format "{{.Repository}} {{.Tag}} {{.ID}} {{.Digest}} {{.CreatedAt}}" \
  | awk -v keep_days="$keep_days" '{if ($5 < strftime("%Y-%m-%d", systime()-3600*24*keep_days)) {print $1,$2,$3,$4}}' \
  | while read -r repo_path tag id manifest
do
        # an image that was never pushed or pulled by digest shows <none>
        [ "$manifest" = "<none>" ] && continue

        echo "Deleting from registry: $repo_path:$tag $manifest"
        # -u keeps the password out of the URL; -f fails on HTTP errors
        curl -fsS -u "$user:$password" -X DELETE "https://$registry/v2/$repo/manifests/$manifest"

        echo "Deleting from local: $repo_path:$tag $id"
        docker rmi "$repo_path:$tag"
done

## List all YYYYMMDD tags in the registry server older than keep_days and
## delete them by manifest digest (tags that are not eight digits are skipped)
curl -fsS -u "$user:$password" "https://$registry/v2/$repo/tags/list" \
  | jq -r --argjson keep "$keep_days" '.tags[] | select(test("^[0-9]{8}$") and . < (now-3600*24*$keep | strftime("%Y%m%d")))' \
  | while read -r tag
do
        echo "Deleting from registry: $tag"
        manifest=$(docker manifest inspect "$registry/$repo:$tag" -v | jq -r '.Descriptor.digest')
        [ -n "$manifest" ] || continue
        curl -fsS -u "$user:$password" -X DELETE "https://$registry/v2/$repo/manifests/$manifest"
done

References

Docker Registry HTTP API V2
Can I get an image digest without downloading the image?

JFrog artifactory open-source edition

JFrog Artifactory contains many features, such as git and docker repositories.

Download URL

https://jfrog.com/open-source/#artifactory

Docker

The Docker image can be pulled with the docker command:

docker pull releases-docker.jfrog.io/jfrog/artifactory-oss:latest

A Docker Compose file can be found at the download URL as well.

Clean up docker registry

After docker containers are backed up daily to the docker registry, a clean-up process is required.

Note: If an image has no tag but a copy of it exists locally on the client, run docker inspect to find its digest. Otherwise, see the "Run command from server" section.

List _catalog (repositories)

The following curl command displays the whole _catalog (all repositories).

curl https://username:password@registry.example.net/v2/_catalog

List images (tags) for each repository

The following curl command displays the tags of a specific repo.

curl https://username:password@registry.example.net/v2/${repo}/tags/list

Get Digest

Using pull

Use the pull image command to get the digest, as below.

docker pull registry.example.net/${repo}:20210624
20210624: Pulling from user/host/dnsmasq
...
22b5d63ad977: Already exists
8e2e66517d7e: Pull complete
Digest: sha256:7535af1f65524f9200b901fc31b9c779819e45c0502ef99605666842a319908f

Get digest when deleting local image

Deleting the local image also prints the digest:

docker rmi registry.example.net/${repo}:20210619
# Untagged: registry.example.net/user/host/dnsmasq:20210619
# Untagged: registry.example.net/user/host/dnsmasq@sha256:e300ff463dc18c7b3bf3964dc5a9832f613d829285a0da49e5fd37519dc7d0fc
# Deleted: sha256:35baba3d5948b5844b67adcd6a236905039e929f8647d4e4afc9e64e9460d557
# Deleted: sha256:bd681f3956f55dc028bae7ca4c2657457824a0e356c59705302fb084660a669b

The digest is in the second Untagged line.

Note: The first deleted sha256 can be deleted too, but not the second one. I don't understand why.

Run command from client

Run the following command to get the digest.

curl -v --silent -H "Accept: application/vnd.docker.distribution.manifest.v2+json" -X GET https://username:password@registry.example.net/v2/${repo}/manifests/20210624 2>&1 | grep Docker-Content-Digest | awk '{print ($3)}'
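The value read from Docker-Content-Digest here (and by the same command in the docker image script above) is content-addressable: it must equal sha256 over the raw manifest bytes. This added example, not part of the original post, fetches the manifest with the v2 Accept header, reads the header, and checks it against the bytes actually received before the digest is used for a delete. It assumes curl and sha256sum, and the $user/$password/$registry/$repo variables used elsewhere in the post.

```shell
#!/bin/bash
# Added example (not from the original post): get a manifest digest from
# the Docker-Content-Digest header and confirm it matches the manifest
# bytes actually received. Assumes curl, sha256sum, and the user/password/
# registry/repo variables used elsewhere in the post.

# Extract the digest from an HTTP header block on stdin (header names are
# case-insensitive; strip the CR that curl leaves at the end of each line).
header_digest() {
    awk 'tolower($1) == "docker-content-digest:" { sub(/\r$/, "", $2); print $2; exit }'
}

# sha256 of a saved manifest, in the "sha256:<hex>" form the registry uses.
manifest_digest() {
    printf 'sha256:%s\n' "$(sha256sum "$1" | awk '{print $1}')"
}

# 0 when the claimed digest equals the digest of the saved body.
verify_manifest() {
    [ "$(manifest_digest "$1")" = "$2" ]
}

# Fetch manifest <tag or digest> into file $2 and print the header digest,
# but only if it matches the body; otherwise fail and print nothing.
fetch_manifest_digest() {
    local ref="$1" out="$2" claimed
    claimed=$(curl -fsS -u "$user:$password" -D - -o "$out" \
        -H "Accept: application/vnd.docker.distribution.manifest.v2+json" \
        "https://$registry/v2/$repo/manifests/$ref" | header_digest) || return 1
    verify_manifest "$out" "$claimed" || { echo "digest mismatch for $ref" >&2; return 1; }
    echo "$claimed"
}
```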

Run command from server

This is useful if there is no image on the client and no tag for the specific image.

docker exec privateregistry_registry_1 bin/registry garbage-collect --dry-run /etc/docker/registry/config.yml | grep "${repo}: marking manifest" | awk '{print $4}'

Check whether a manifest exists

curl https://username:password@registry.example.net/v2/${repo}/manifests/sha256:xxxxxxxxxxxxxxxx

Delete tag

curl -X DELETE https://username:password@registry.example.net/v2/${repo}/manifests/sha256:xxxxxxxxxxxxxxxx

Delete _catalog

The v2 registry doesn't allow deleting only certain tags from an image, and deletion of tags is in an open PR for a future version of the Registry (https://github.com/docker/distribution/pull/2169).

rm -rf docker/registry/v2/repositories/${repo}/

*Note: After delete, garbage-collect and restart, the repo is still reported in _catalog, as an empty repository.

Run garbage-collect

Log in to the registry server and run the following command:

docker exec registry bin/registry garbage-collect --delete-untagged /etc/docker/registry/config.yml

If the repo is still listed in the output, delete those entries too.

Restart registry if necessary

docker restart registry

References

Docker Private Registry - Deleted all images, but still showing in catalog
Clean Up Your Docker Registry
Delete repository from v2 private registry
Pull Request - New Tags API #2169
Docker Registry HTTP API V2

GPU via M.2

Product

ADT-Link R43SG

Supports

Morefine S500+

Where to buy

https://www.aliexpress.com/item/1005003279448856.html?spm=a2g0o.productlist.0.0.7cffa20dWbpXKF&algo_pvid=3274993e-85b9-4c9a-9b2f-40609e37fa3d&algo_exp_id=3274993e-85b9-4c9a-9b2f-40609e37fa3d-3&pdp_ext_f=%7B%22sku_id%22%3A%2212000024996792414%22%7D

Review

Morefine S500+ Using RTX 3080 TI

M.2 PCIe x4 to External eGPU - Faster than TB3 eGPU's

ADT-link R43SG M.2 PCIe 3.0 x4 / NVMe to external GPU review. Cards tested GTX 1060 6GB & GTX 1080 Ti. Where to buy: http://s.click.aliexpress.com/e/INILpRw

8750H mini PC with 2 x M.2 NVMe slots: http://s.click.aliexpress.com/e/bpWvyIlE

Create LABEL for filesystems in Linux

A LABEL is used in /etc/fstab and at system boot, for example in cmdline.txt and grub, to let the mount process identify the filesystem.

For the system to recognize the LABEL, blkid needs to show that the filesystem has the LABEL.

Assign LABEL during filesystem creation

vfat

mkfs.vfat -n "label" /dev/XXX

ext4

mkfs.ext4 -L "label" /dev/XXX

btrfs

mkfs.btrfs -L "label" /dev/XXX

Change LABEL

The LABEL can be changed after the filesystem has been created.

swap

swaplabel -L "new label" /dev/XXX using util-linux

ext2/3/4

e2label /dev/XXX "new label" using e2fsprogs

btrfs

btrfs filesystem label /dev/XXX "new label" using btrfs-progs

reiserfs

reiserfstune -l "new label" /dev/XXX using reiserfsprogs

jfs

jfs_tune -L "new label" /dev/XXX using jfsutils

xfs

xfs_admin -L "new label" /dev/XXX using xfsprogs

fat/vfat

fatlabel /dev/XXX "new label" using dosfstools
mlabel -i /dev/XXX ::"new label" using mtools

exfat

tune.exfat -L "new label" /dev/XXX using exfatprogs
exfatlabel /dev/XXX "new label" using exfatprogs or exfat-utils

ntfs

ntfslabel /dev/XXX "new label" using ntfs-3g

udf

udflabel /dev/XXX "new label" using udftools

crypto_LUKS (LUKS2 only)

cryptsetup config --label="new label" /dev/XXX using cryptsetup
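An added example, not from the original post, that ties the table together: probe the filesystem type with blkid, call the relabel tool from the table for that type, and then confirm that blkid reports the new LABEL, which is what an /etc/fstab LABEL= entry relies on. It assumes util-linux plus the relabel tool for the filesystem in question, and works on an image file as well as on a block device.

```shell
#!/bin/bash
# Added example (not from the original post): detect the filesystem type
# with blkid, apply the matching relabel tool from the table above, then
# confirm blkid reports the new LABEL. Assumes util-linux (blkid) plus the
# tool for the filesystem in question; the tools usually live in /sbin.
PATH="$PATH:/sbin:/usr/sbin"

# Value of one blkid tag (TYPE, LABEL, UUID) via a direct probe, no cache.
probe_tag() {
    blkid -p -s "$2" -o value "$1" 2>/dev/null
}

# Relabel $1 to $2 with the tool that matches its filesystem type.
set_label() {
    local dev="$1" label="$2"
    case "$(probe_tag "$dev" TYPE)" in
        ext2|ext3|ext4) e2label "$dev" "$label" ;;
        btrfs)          btrfs filesystem label "$dev" "$label" ;;
        xfs)            xfs_admin -L "$label" "$dev" ;;
        vfat)           fatlabel "$dev" "$label" ;;
        exfat)          tune.exfat -L "$label" "$dev" ;;
        ntfs)           ntfslabel "$dev" "$label" ;;
        swap)           swaplabel -L "$label" "$dev" ;;
        crypto_LUKS)    cryptsetup config --label="$label" "$dev" ;;
        *) echo "unsupported or unknown filesystem on $dev" >&2; return 1 ;;
    esac
}

# 0 when blkid reports exactly the expected LABEL (what fstab LABEL= needs).
label_is() {
    [ "$(probe_tag "$1" LABEL)" = "$2" ]
}
```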

Overlay Filesystem Basic

An overlay filesystem merges lower and upper directories into a merged directory.

Mount writable

mount -t overlay overlay -o lowerdir=/lower1:/lower2:/lower3,upperdir=/upper,workdir=/work /merged

The above example gives the following layer order (topmost first):

/upper
/lower1
/lower2
/lower3

  • A lower directory can be read-only, or can itself be an overlay.
  • The upper directory is normally writable.
  • The work directory is used to prepare files as they are switched between layers; it must be an empty directory on the same filesystem mount as the upper directory.
  • All changes made in the merged directory are reflected in upper.
  • New files created directly in lower or upper are shown in merged.
  • Before a file is opened through the merged directory, its content is still mapped to whichever layer provides it.
  • After a file has been opened through the merged directory, later changes made directly in the underlying layer are not reflected in the merged directory.

Mount read-only

To mount read-only, no upper or work directory is required.

mount -t overlay overlay -o lowerdir=/lower1:/lower2 /merged

Whiteout files

A whiteout simulates a file removed in the upper layer. It is created as a character device with device number 0/0.

Opaque directories

An opaque directory simulates a directory removed in the upper layer. It is marked by setting the xattr "trusted.overlay.opaque" to "y".

Placing fingers for FPS gaming

Frames per second (FPS) gaming requires muscle memory: a fast response is needed not only from the screen but also from the player, and there is no time to move your eyes from the screen to your hands.

Keyboard

Placing your fingers correctly while gaming brings advantages such as faster response, fewer mistakes and less stress. The following placement is just a guide for some games, such as Genshin Impact.

  • Middle finger on W, alternating with S
  • Index finger on D
  • Ring finger on A
  • Pinky finger on Shift, alternating to Ctrl when you need to crouch
  • Thumb over Space, alternating to C/X/Z for commands

If you keep the keyboard flat, you may be able to use the palm near your pinky finger to hit Ctrl. In that case you need to use the middle/index/ring fingers to hit C/X/Z; the thumb cannot easily reach them anyway.

Controller

Most buttons and sticks are obvious, except the bumpers and triggers.

  • Index finger on bumper
  • Middle finger on trigger