Blog

Troubleshooting Hashicorp Vault SSH Certificate Login

If you cannot log in via SSH, the usual approach is to add -vvv to the ssh client command and read the debug output, but that output can be very long.

Another way is to run systemctl status sshd on the server side to check the error.

For example, the output of systemctl status sshd contained the following lines:

Dec 12 00:40:37 example-host systemd[1]: Started OpenBSD Secure Shell server.
Dec 12 00:40:54 example-host sshd[22712]: error: Certificate invalid: expired
Dec 12 00:40:54 example-host sshd[22712]: Connection closed by authenticating user ubuntu 101.78.78.154 port 53369 [preauth]
Dec 12 00:41:12 example-host sshd[22716]: error: Certificate invalid: name is not a listed principal
Dec 12 00:41:12 example-host sshd[22716]: Connection closed by authenticating user ubuntu 101.78.78.154 port 53372 [preauth]

The first error shows that the Vault-signed certificate on the client side had expired; rerun the vault command to regenerate a signed certificate.

The second error shows that the user name used on the client is not listed as a principal in the Vault-signed certificate, so either use the correct user name or configure a new role in Vault.
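Reading journal output by eye works for two lines, but on a busy server it helps to pair each "Certificate invalid" error with the connection that produced it. The following Python is an added example, not part of the original post: it runs over a constructed copy of the sshd lines shown above, joins the error to the "Connection closed" line with the same sshd PID, and attaches the remediation the post describes for each reason. The HINTS table and the SAMPLE_LOG text are assumptions built for this example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the systemctl status sshd output shown above.
SAMPLE_LOG = """\
Dec 12 00:40:37 example-host systemd[1]: Started OpenBSD Secure Shell server.
Dec 12 00:40:54 example-host sshd[22712]: error: Certificate invalid: expired
Dec 12 00:40:54 example-host sshd[22712]: Connection closed by authenticating user ubuntu 101.78.78.154 port 53369 [preauth]
Dec 12 00:41:12 example-host sshd[22716]: error: Certificate invalid: name is not a listed principal
Dec 12 00:41:12 example-host sshd[22716]: Connection closed by authenticating user ubuntu 101.78.78.154 port 53372 [preauth]
"""

CERT_ERROR = re.compile(r"sshd\[(?P<pid>\d+)\]: error: Certificate invalid: (?P<reason>.+)$")
CLOSED = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Connection closed by authenticating user "
    r"(?P<user>\S+) (?P<ip>\S+) port (?P<port>\d+)"
)

# Remediation hints keyed by the reason sshd logs (assumed wording, taken from the post).
HINTS = {
    "expired": "re-sign the client key with Vault to obtain a fresh certificate",
    "name is not a listed principal": "log in with a user name that is a principal in the "
    "certificate, or adjust the Vault role's allowed principals",
}
DEFAULT_HINT = "inspect the certificate with ssh-keygen -L -f <cert>"


def classify_sshd_log(text: str) -> List[Dict[str, Optional[object]]]:
    """Pair each 'Certificate invalid' error with the connection-closed line
    that shares its sshd PID and attach a remediation hint for the reason."""
    pending: Dict[str, str] = {}   # pid -> reason, until the closing line arrives
    results: List[Dict[str, Optional[object]]] = []
    for line in text.splitlines():
        m = CERT_ERROR.search(line)
        if m:
            pending[m.group("pid")] = m.group("reason")
            continue
        m = CLOSED.search(line)
        if m and m.group("pid") in pending:
            reason = pending.pop(m.group("pid"))
            results.append({
                "pid": int(m.group("pid")),
                "user": m.group("user"),
                "source": f"{m.group('ip')}:{m.group('port')}",
                "reason": reason,
                "hint": HINTS.get(reason, DEFAULT_HINT),
            })
    # Errors whose closing line never appeared (truncated log): still report them.
    for pid, reason in pending.items():
        results.append({"pid": int(pid), "user": None, "source": None,
                        "reason": reason, "hint": HINTS.get(reason, DEFAULT_HINT)})
    return results


if __name__ == "__main__":
    for finding in classify_sshd_log(SAMPLE_LOG):
        print(f"pid={finding['pid']} user={finding['user']} from={finding['source']}: "
              f"{finding['reason']} -> {finding['hint']}")
```

Feed it the output of `journalctl -u sshd` (or `systemctl status sshd`) instead of SAMPLE_LOG to classify real events; the PID join is what keeps the user and source address attached to the right error when several clients fail at once.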

Run do-release-upgrade to ubuntu 21.10

Looks like a simple task, but it ended with many things to do...

No screen

After running do-release-upgrade, I went to sleep; then the SSH connection dropped because my iMac went to sleep automatically. The installation stopped at the grub installation question.

When I checked the processes, I found one similar to the following, still attached to pts/1, which means the process was still running on another virtual terminal.

/usr/bin/python3 /tmp/ubuntu-release-upgrader-qzt422az/focal --mode=server --frontend=DistUpgradeViewText

When I tried to run do-release-upgrade again, I got the following message.

# do-release-upgrade 
Checking for a new Ubuntu release
No new release found.

Then I tried to run apt install screen, which said apt was locked by process nnnn.

As suggested by others, I killed process nnnn and ran the following command; the terminal then switched to the installation screen and the upgrade continued.

dpkg --configure -a

Error on grub-efi

Then I got the following error:

# dpkg --configure -a
Setting up grub-efi-amd64-signed (1.173+2.04-1ubuntu47) ...
NTFS signature is missing.
Failed to mount '/dev/sda1': Invalid argument
The device '/dev/sda1' doesn't seem to have a valid NTFS.
Maybe the wrong device is used? Or the whole disk instead of a
partition (e.g. /dev/sda, not /dev/sda1)? Or the other way around?
dpkg: error processing package grub-efi-amd64-signed (--configure):
 installed grub-efi-amd64-signed package post-installation script subprocess returned error exit status 12
Errors were encountered while processing:
 grub-efi-amd64-signed

As suggested by others, I ran the following commands, which remove grub2 and install grub; after that there were no more errors.

Note: back up /etc/default/grub and verify its contents first. I didn't do this, which caused more issues later.

apt-get purge grub\*
sudo apt-get install grub-efi
sudo apt-get autoremove
sudo update-grub

No zpool found during reboot

The system went into initramfs mode after reboot; it looked like the iSCSI devices were not found.

Then I booted from CD again and found that the iSCSI configuration in /etc/default/grub was missing.

After logging in to iSCSI, I mirrored bpool and rpool back to the local disk and ran the following commands to fix it.

update-initramfs -v -k $(uname -r) -c
update-grub

Forgot to wait for resilvering to finish

I forgot to wait for the zpool resync to finish and rebooted the server.

Note: Some people said it is OK, but in my case it was NOT OK.

After performing the zpool resync again, I got the following error, with the local partition showing CKSUM = 1.

One or more devices has experienced an unrecoverable error.

This was caused by the reboot; just run the following command to clear the flag.

zpool clear rpool

Booting hung

This is an old issue, caused by the network shutting down before the iSCSI drives are unmounted. Run the following command,

systemctl edit --full open-iscsi.service

and comment out the following line:

#ExecStop=/lib/open-iscsi/logout-all.sh

References

Sub-process /usr/bin/dpkg returned an error code (1)

Duplicate partition table in ubuntu

Note: I haven't had a chance to test this.

Duplicate partitions

sfdisk -d /dev/sdX > part_table
sfdisk /dev/sdY < part_table

This keeps the same disk and partition IDs, mainly for backup and restore of the partition table.

Generate new partition IDs

grep -v ^label-id part_table | sed -e 's/, *uuid=[0-9A-F-]*//' | sfdisk /dev/sdY
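The grep/sed pipeline above is easy to get subtly wrong (the pattern only matches uppercase hex, and a stray label-id line clones the disk identifier onto the second disk). The following Python is an added example, not part of the original post: it applies the same transformation to a constructed sfdisk dump, accepting lowercase hex as well, and parses the partition lines so the layout can be checked before it is written to the target disk. The dump text and its IDs are made up for this example.

```python
import re
from typing import Dict, List

# Constructed sfdisk dump, shaped like `sfdisk -d /dev/sdX` output; all IDs are invented.
SAMPLE_DUMP = """\
label: gpt
label-id: 2F5E8A1C-7B0D-4E3A-9C21-0A1B2C3D4E5F
device: /dev/sda
unit: sectors
first-lba: 34
last-lba: 234441614
sector-size: 512

/dev/sda1 : start=        2048, size=     1048576, type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B, uuid=11111111-2222-3333-4444-555555555555, name="EFI System"
/dev/sda2 : start=     1050624, size=   233390080, type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, uuid=66666666-7777-8888-9999-AAAAAAAAAAAA
"""

# Same idea as the post's sed expression, but also accepting lowercase hex digits.
UUID_FIELD = re.compile(r", *uuid=[0-9A-Fa-f-]*")


def strip_identities(dump: str) -> str:
    """Drop the disk's label-id line and every partition uuid= field, so that
    `sfdisk /dev/sdY` generates fresh identifiers instead of cloning the source's."""
    kept = []
    for line in dump.splitlines():
        if line.startswith("label-id"):
            continue
        kept.append(UUID_FIELD.sub("", line))
    return "\n".join(kept) + "\n"


PART_LINE = re.compile(r"^(?P<node>/dev/\S+) : (?P<fields>.*)$")


def parse_partitions(dump: str) -> List[Dict[str, str]]:
    """Parse the partition lines into dicts (node, start, size, type, uuid, name ...).
    Fields are comma separated; a partition name containing a comma is not handled."""
    parts = []
    for line in dump.splitlines():
        m = PART_LINE.match(line)
        if not m:
            continue
        entry = {"node": m.group("node")}
        for field in m.group("fields").split(","):
            key, _, value = field.strip().partition("=")
            entry[key] = value.strip().strip('"')
        parts.append(entry)
    return parts


if __name__ == "__main__":
    cleaned = strip_identities(SAMPLE_DUMP)
    print(cleaned)
    for p in parse_partitions(cleaned):
        print(p["node"], "start", p["start"], "size", p["size"], "type", p["type"])
```

In practice you would read the dump written by `sfdisk -d /dev/sdX`, pass the result of strip_identities to `sfdisk /dev/sdY` on stdin, and compare parse_partitions of the original and of `sfdisk -d /dev/sdY` afterwards to confirm the start and size of every partition match.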

References

How to copy the partition layout of a whole disk using standard tools

Selection of container orchestration platform

I'm trying to manage my Docker containers using a container orchestration platform. There are a few that can be used.

Variations

Docker Swarm

Easy to set up and manage with existing Docker machines.

Kubernetes (K8s)

Widely used.

K3S

K3s is Rancher's lightweight Kubernetes distribution: a single binary with low resource usage.

Openshift

Complex

Consideration

Unlike company environments, most of my Docker container applications have their own individual database. Application usage is low, so autoscaling isn't a requirement for me, but backup and restore are important.

References

k8s vs k3s
Docker Swarm vs Kubernetes: how to choose a container orchestration tool

Memory upgrade for Synology DS2419+

As mentioned on memorystock.com, the Synology DS2419+ can use dual-rank memory (16GB DDR4 PC4-19200 2400MHz SODIMM NON-ECC Unbuffered 260pin 1.2V CL15 Dual Rank, MemoryStock Part# 977ms-977). But my last upgrade failed using dual-rank memory; only single-rank works.

Some people mentioned that a Synology NAS can use 32GB RAM, but others said it will cause data corruption if you exceed the maximum supported memory. I just upgraded my DS1812+ beyond the officially supported memory size; I hope it will be OK.

References

Synology 64GB DDR4 Unofficial Memory Upgrade Test for DiskStation NAS
Synology NAS Unofficial Memory Upgrade Guide
Memory Upgrade for Synology DiskStation DS2419+ Computer

Renumber storage pools and volumes in Synology NAS

Story

For me, memorizing is a big issue, especially for items without any logic. In an environment that works against logic, I make many mistakes, which causes huge headaches.

Numbering in Synology NAS is an issue for me: I have volume2 in storage pool 1, while volume1 is in storage pool 2. Normally my thinking is simple: all packages are installed in volume1 and all iSCSI LUNs are created in volume1 as well, because volume1 has an SSD cache.

But the above configuration confused me whenever I received a notification: I had to work out which volume had the issue, because the notification mentions the storage pool instead.

Today I thought about changing the storage pool name again, because I know it is a setting held by Synology, not by the Linux OS. Then I found the answer.

Warning

Luckily my issue was with DSM 6, not DSM 7, because reportedly this cannot be done in DSM 7.

Renumber storage pool

Read storage pool number

# synospace --meta -e
[/dev/vg1/volume_1]
---------------------
Descriptions=[]
Reuse Space ID=[]
[/dev/vg1]
---------------------
Descriptions=[]
Reuse Space ID=[reuse_2]

The above result shows that device /dev/vg1 is numbered as Storage Pool 2.
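When several pools are renumbered, the risky step is ending up with two devices that claim the same reuse_N ID. The following Python is an added example, not part of the original post or of Synology's tooling: it parses the `synospace --meta -e` output shown above into a device-to-pool map, builds the matching `synospace --meta -s` commands for a requested renumbering, and refuses any plan in which two devices would share a pool number. The SAMPLE_META text is copied from the output above; the plan_renumber and conflicts helpers are assumptions for this example.

```python
import re
from typing import Dict, List, Optional

# The `synospace --meta -e` output shown above, used here as sample input.
SAMPLE_META = """\
[/dev/vg1/volume_1]
---------------------
Descriptions=[]
Reuse Space ID=[]
[/dev/vg1]
---------------------
Descriptions=[]
Reuse Space ID=[reuse_2]
"""

SECTION = re.compile(r"^\[(?P<device>[^\]]+)\]$")
KEYVAL = re.compile(r"^(?P<key>[^=]+)=\[(?P<value>[^\]]*)\]$")


def parse_synospace_meta(text: str) -> Dict[str, Dict[str, str]]:
    """Return {device: {key: value}} for each [device] section of the output."""
    result: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            current = m.group("device")
            result[current] = {}
            continue
        m = KEYVAL.match(line)
        if m and current is not None:
            result[current][m.group("key")] = m.group("value")
    return result


def storage_pool_number(entry: Dict[str, str]) -> Optional[int]:
    """Translate a 'reuse_N' Reuse Space ID into the Storage Pool number N (None if unset)."""
    m = re.match(r"reuse_(\d+)$", entry.get("Reuse Space ID", ""))
    return int(m.group(1)) if m else None


def conflicts(meta: Dict[str, Dict[str, str]], wanted: Dict[str, int]) -> List[int]:
    """Pool numbers that would be held by more than one device after applying `wanted`."""
    final = {dev: storage_pool_number(entry) for dev, entry in meta.items()}
    final.update(wanted)
    numbers = [n for n in final.values() if n is not None]
    return sorted({n for n in numbers if numbers.count(n) > 1})


def plan_renumber(meta: Dict[str, Dict[str, str]], wanted: Dict[str, int]) -> List[str]:
    """Build the synospace commands for the requested numbering, refusing duplicates."""
    dup = conflicts(meta, wanted)
    if dup:
        raise ValueError(f"storage pool numbers would be duplicated: {dup}")
    return [f"synospace --meta -s -i reuse_{n} {dev}" for dev, n in wanted.items()]


if __name__ == "__main__":
    meta = parse_synospace_meta(SAMPLE_META)
    for dev, entry in meta.items():
        print(dev, "-> Storage Pool", storage_pool_number(entry))
    for cmd in plan_renumber(meta, {"/dev/vg1": 1}):
        print(cmd)
```

A full swap of two pools (both devices assigned in one plan) passes the check; renumbering only one of them onto a number that is already in use is what gets refused.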

Set number

To set the storage pool number for a specific device, use the following command:

# synospace --meta -s -i reuse_{storage_pool_number} {device_name}

Change volume number

Note: I haven't tested this one. But if it works, I might want to try to shrink a volume next time.

Stop services

Stop all Docker containers, etc., then stop all services using the following command:

syno_poweroff_task -d

List LVs

lvm lvscan

Rename LV

lvm lvrename {VG name} {old LV name} {new LV name}

Reboot

reboot

Shared folders and iSCSI services should be updated automatically; check that all your services are running correctly.

References

Renaming/renumbering storage pools and volumes
Synology Rename Volume and Storage Pool

Unplugged wrong disks in DS2419+

Today I made a mistake: I unplugged the wrong disk in the DS2419+, which caused it to hang. At the time, I was moving 3 shared folders as well.

After a hard reboot, everything was back to the original state. I'm quite surprised; this is the second time I have unplugged the wrong disk in a Synology NAS. I'm quite happy with this product; the only issue for me is that it cannot handle disks with bad sectors well.

Proxmox Virtual Environment

Proxmox is a KVM hypervisor with Linux Containers (LXC); I was thinking of using it to replace TrueNAS. But after research, I found that it cannot use thin disks, which is a big issue for me because I want to save disk space.

TrueNAS still has some better points compared with Proxmox VE, such as storage management; TrueNAS ZFS management looks more feasible than what Proxmox can do. But Proxmox has other strengths, such as support for multiple hosts, more complex networking, and file-based VM images. TrueNAS uses ZFS volumes to manage VM images, which creates many snapshots; I hope TrueNAS can have fewer bugs, especially on ZFS snapshots.

In the end, I think I will still use TrueNAS; I need the ZFS pool feature to avoid disk issues.

References

Proxmox Virtual Environment

Server Overlay and Serverless

Can the application layer be isolated from the OS layer?

Overlay

Docker uses an overlay filesystem, but it requires a Dockerfile to rebuild the Docker image. My colleague asked me about image patching, and I told him that the upper layer can overwrite the lower layer; there is no way to prevent this.

Layering

If the layering can be done in a managed way, it could be a better option for deploying applications. So the idea is to separate the platform into more layers, as below:

  • OS layer - Kernel and all OS packages sit in this layer
  • OS configuration layer - This layer consists of operating system configurations, such as network configuration, application filesystem configuration, etc.
  • OS to APP Patch layer - Some specific OS requirements for specific application.
  • Middleware layer - This includes middleware packages
  • Data layer - This includes all data required to run application
  • Application layer - This is the actual application

Docker or Containerd

The Docker or containerd packages can be in the OS layer, but the actual configuration should be in the Middleware layer.

CoreOS

The CoreOS implementation is a good example of this layering.

Sample implementation

Solve Raspbian SD card corruption issues with a read-only mounted root partition

Steps

  • Copy the script in the next section to /sbin/overlayRoot.sh and make it executable:
sudo chmod +x /sbin/overlayRoot.sh
  • Disable swap:
sudo dphys-swapfile swapoff
sudo dphys-swapfile uninstall
sudo update-rc.d dphys-swapfile remove
  • Add the following to the end of the cmdline.txt file in the boot partition:
init=/sbin/overlayRoot.sh
  • Reboot

Script

A copy of the script is listed below.

#!/bin/sh
#  Read-only Root-FS for Raspbian using overlayfs
#  Version 1.1
#
#  Version History:
#  1.0: initial release
#  1.1: adopted new fstab style with PARTUUID. the script will now look for a /dev/xyz definition first
#       (old raspbian), if that is not found, it will look for a partition with LABEL=rootfs, if that
#       is not found it will look for a PARTUUID string in fstab for / and convert that to a device name
#       using the blkid command.
#
#  Created 2017 by Pascal Suter @ DALCO AG, Switzerland to work on Raspbian as custom init script
#  (raspbian does not use an initramfs on boot)
#
#  This program is free software: you can redistribute it and/or modify
#  it under the terms of the GNU General Public License as published by
#  the Free Software Foundation, either version 3 of the License, or
#  (at your option) any later version.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License
#    along with this program.  If not, see
#    <http://www.gnu.org/licenses/>.
#
#
#  Tested with Raspbian mini, 2018-10-09
#
#  This script will mount the root filesystem read-only and overlay it with a temporary tmpfs
#  which is read-write mounted. This is done using the overlayFS which is part of the linux kernel
#  since version 3.18.
#  when this script is in use, all changes made to anywhere in the root filesystem mount will be lost
#  upon reboot of the system. The SD card will only be accessed as read-only drive, which significantly
#  helps to prolong its life and prevent filesystem corruption in environments where the system is usually
#  not shut down properly
#
#  Install:
#  copy this script to /sbin/overlayRoot.sh, make it executable and add "init=/sbin/overlayRoot.sh" to the
#  cmdline.txt file in the raspbian image's boot partition.
#  I strongly recommend disabling swapping before using this. it will work with swap but that just does
#  not make sense as the swap file will be stored in the tmpfs which again resides in the ram.
#  run these commands on the booted raspberry pi BEFORE you set the init=/sbin/overlayRoot.sh boot option:
#  sudo dphys-swapfile swapoff
#  sudo dphys-swapfile uninstall
#  sudo update-rc.d dphys-swapfile remove
#
#  To install software, run upgrades and do other changes to the raspberry setup, simply remove the init=
#  entry from the cmdline.txt file and reboot, make the changes, add the init= entry and reboot once more.

fail(){
    echo -e "$1"
    /bin/bash
}

# load module
modprobe overlay
if [ $? -ne 0 ]; then
    fail "ERROR: missing overlay kernel module"
fi
# mount /proc
mount -t proc proc /proc
if [ $? -ne 0 ]; then
    fail "ERROR: could not mount proc"
fi
# create a writable fs to then create our mountpoints 
mount -t tmpfs inittemp /mnt
if [ $? -ne 0 ]; then
    fail "ERROR: could not create a temporary filesystem to mount the base filesystems for overlayfs"
fi
mkdir /mnt/lower
mkdir /mnt/rw
mount -t tmpfs root-rw /mnt/rw
if [ $? -ne 0 ]; then
    fail "ERROR: could not create tempfs for upper filesystem"
fi
mkdir /mnt/rw/upper
mkdir /mnt/rw/work
mkdir /mnt/newroot
# mount root filesystem readonly 
rootDev=`awk '$2 == "/" {print $1}' /etc/fstab`
rootMountOpt=`awk '$2 == "/" {print $4}' /etc/fstab`
rootFsType=`awk '$2 == "/" {print $3}' /etc/fstab`
echo "check if we can locate the root device based on fstab"
blkid $rootDev
if [ $? -gt 0 ]; then
    echo "no success, try if a filesystem with label 'rootfs' is available"
    rootDevFstab=$rootDev
    rootDev=`blkid -L "rootfs"`
    if [ $? -gt 0 ]; then
        echo "no luck either, try to further parse fstab's root device definition"
        echo "try if fstab contains a PARTUUID definition"
        echo "$rootDevFstab" | grep 'PARTUUID=\(.*\)-\([0-9]\{2\}\)'
        if [ $? -gt 0 ]; then
            fail "could not find a root filesystem device in fstab. Make sure that fstab contains a device definition or a PARTUUID entry for / or that the root filesystem has a label 'rootfs' assigned to it"
        fi
        device=""
        partition=""
        eval `echo "$rootDevFstab" | sed -e 's/PARTUUID=\(.*\)-\([0-9]\{2\}\)/device=\1;partition=\2/'`
        rootDev=`blkid -t "PTUUID=$device" | awk -F : '{print $1}'`p$(($partition))
        blkid $rootDev
        if [ $? -gt 0 ]; then
            fail "The PARTUUID entry in fstab could not be converted into a valid device name. Make sure that fstab contains a device definition or a PARTUUID entry for / or that the root filesystem has a label 'rootfs' assigned to it"
        fi
    fi
fi
mount -t ${rootFsType} -o ${rootMountOpt},ro ${rootDev} /mnt/lower
if [ $? -ne 0 ]; then
    fail "ERROR: could not ro-mount original root partition"
fi
mount -t overlay -o lowerdir=/mnt/lower,upperdir=/mnt/rw/upper,workdir=/mnt/rw/work overlayfs-root /mnt/newroot
if [ $? -ne 0 ]; then
    fail "ERROR: could not mount overlayFS"
fi
# create mountpoints inside the new root filesystem-overlay
mkdir /mnt/newroot/ro
mkdir /mnt/newroot/rw
# remove root mount from fstab (this is already a non-permanent modification)
grep -v "$rootDev" /mnt/lower/etc/fstab > /mnt/newroot/etc/fstab
echo "#the original root mount has been removed by overlayRoot.sh" >> /mnt/newroot/etc/fstab
echo "#this is only a temporary modification, the original fstab" >> /mnt/newroot/etc/fstab
echo "#stored on the disk can be found in /ro/etc/fstab" >> /mnt/newroot/etc/fstab
# change to the new overlay root
cd /mnt/newroot
pivot_root . mnt
exec chroot . sh -c "$(cat <<END
# move ro and rw mounts to the new root
mount --move /mnt/mnt/lower/ /ro
if [ $? -ne 0 ]; then
    echo "ERROR: could not move ro-root into newroot"
    /bin/bash
fi
mount --move /mnt/mnt/rw /rw
if [ $? -ne 0 ]; then
    echo "ERROR: could not move tempfs rw mount into newroot"
    /bin/bash
fi
# unmount unneeded mounts so we can unmount the old readonly root
umount /mnt/mnt
umount /mnt/proc
umount /mnt/dev
umount /mnt
# continue with regular init
exec /sbin/init
END
)"
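The part of the script most likely to fail on a new image is the root-device lookup: three awk calls on fstab, then a fallback chain of literal device, LABEL=rootfs, and finally the PARTUUID=<disk>-<NN> form converted with blkid. The following Python is an added example, not part of the script above or of Raspbian: it re-implements that lookup over a constructed fstab and a constructed table standing in for the `blkid -t PTUUID=...` answer, so the logic can be checked offline before the init= entry is set. It also goes slightly beyond the script, which always appends "p" before the partition number (correct for /dev/mmcblk0p2); the version here only does so when the disk node ends in a digit, so /dev/sda style nodes resolve to /dev/sda2. The SAMPLE_FSTAB, SAMPLE_PTUUID_TABLE and the labels argument are assumptions for this example.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed fstab in the newer Raspbian style (PARTUUID), the case the script handles last.
SAMPLE_FSTAB = """\
proc                  /proc  proc  defaults          0  0
PARTUUID=6c586e13-01  /boot  vfat  defaults          0  2
PARTUUID=6c586e13-02  /      ext4  defaults,noatime  0  1
"""

# Constructed stand-in for what `blkid -t PTUUID=<id>` would report: disk PTUUID -> device node.
SAMPLE_PTUUID_TABLE = {"6c586e13": "/dev/mmcblk0"}

# Same pattern the script feeds to grep/sed, anchored to the whole field.
PARTUUID_RE = re.compile(r"^PARTUUID=(.*)-([0-9]{2})$")


def root_entry(fstab: str) -> Tuple[str, str, str]:
    """Return (device spec, fstype, mount options) for the '/' line, like the script's three awk calls."""
    for line in fstab.splitlines():
        if line.lstrip().startswith("#"):
            continue
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "/":
            return fields[0], fields[2], fields[3]
    raise ValueError("fstab has no entry for /")


def resolve_root_device(spec: str, ptuuid_table: Dict[str, str],
                        labels: Optional[Dict[str, str]] = None) -> str:
    """Mirror the script's fallback chain: literal /dev node, then LABEL rootfs, then PARTUUID."""
    if spec.startswith("/dev/"):            # old-style fstab: blkid on the node would succeed
        return spec
    if labels and "rootfs" in labels:       # what `blkid -L rootfs` would answer (assumed table)
        return labels["rootfs"]
    m = PARTUUID_RE.match(spec)
    if not m:
        raise ValueError(f"cannot derive a root device from fstab entry {spec!r}")
    disk_id, partition = m.group(1), m.group(2)
    disk = ptuuid_table.get(disk_id)
    if disk is None:
        raise ValueError(f"no disk with PTUUID {disk_id} found")
    # The script always appends "p"; here that is done only for nodes ending in a digit
    # (mmcblk0 -> mmcblk0p2, nvme0n1 -> nvme0n1p2), while sda -> sda2.
    number = int(partition)                 # "02" -> 2, as the script's $((partition)) does
    return f"{disk}p{number}" if disk[-1].isdigit() else f"{disk}{number}"


def lower_mount_command(fstab: str, ptuuid_table: Dict[str, str]) -> str:
    """The read-only mount line the script issues for the lower layer of the overlay."""
    spec, fstype, opts = root_entry(fstab)
    device = resolve_root_device(spec, ptuuid_table)
    return f"mount -t {fstype} -o {opts},ro {device} /mnt/lower"


if __name__ == "__main__":
    print(lower_mount_command(SAMPLE_FSTAB, SAMPLE_PTUUID_TABLE))
```

Running this against a copy of the target image's /etc/fstab, with the PTUUID taken from `blkid` on the real card, shows exactly which device node the script will mount read-only, which is the value to verify before relying on the overlay at boot.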