Blog

Blog

Plan install a NextCloud server at home

Posted on by Bian Xi Leave a Comment on Plan install a NextCloud server at home

Plan install a NextCloud server at home

Planning to have a NextCloud server at home. There are many solutions.

Solutions

Synology

Install NextCloud as docker in Synology ds1812+ or ds2419+, but

  • Unable to use other system next time.
  • Expose all data in NAS
  • CPU and memory limited

But consider use it as storage via iSCSI.

TrueNAS

Install NextCloud on TrueNAS is officially supported. It is installed as docker container in TrueNAS, but

  • Use more power as the system running on a normal PC
  • Migration might be hard

Raspberry Pi

Install NextCloud on Raspberry Pi, a few options there

  • Install directly on OS, but will mix up with OS as well
  • Install as docker, needs to have correct structure to be maintained
  • Install as NextCloudPi, limited storage on SD card

First plan

After considered all above, first plan will be

  • Install on a Pi which has 1GB ethernet port
  • Install BerryBoot and boot from Synology iSCSI disk
  • Configure storage utilize Synology NAS

Pros

  • Separate storage and application
  • Low power
  • Easy to replace the hardware
  • Got official update regularly

Second plan

After read some documents on line, feel the raspberry pi at current stage still isn't good for NextCloud. The major issue is the CPU speed, which also caused 1GB ethernet performance drop to 40MB/s.

I think I had better use my core 2 due machine to install NextCloud. Maybe I will try it on Raspberry Pi 4 with 8GB RAM later as well.

References

NextCloud Website
BerryBoot Installation
BerryBoot iSCSI Installation
Berryboot install NextCloudPi on an external drive step by step
Nextcloud now officially supported on TrueNAS
NextCloud Plugin on TrueNAS

Add self-signed certificate for TrueNAS

Posted on by Bian Xi Leave a Comment on Add self-signed certificate for TrueNAS

Add self-signed certificate for TrueNAS

To use self-signed certificate in TrueNAS, following steps are required.

Add Certificate into TrueNAS

  • Select Credentials -> Certificates
  • In Certificates section, click on Add button
  • In Add Certificate window, give a name, and select Import Certificate
  • In Extra Constraints section, cut and paste the contents of cert file and key file into Certificate and Private Key textboxes

Configure GUI certificate

  • Select System Settings -> General
  • In GUI section, click on Settings button
  • In GUI Settings window, select the certificate to be used in GUI SSL Certificate option
  • Click on Save button

Restart

Restart UI web server, which is done automatically.

Refresh browser, need to click reload botton.

Add root certificate to MacOS

Posted on by Bian Xi Leave a Comment on Add root certificate to MacOS

Add root certificate to MacOS

If you have your own root certificate like I do, the follow the steps below to add it in MacOS.

Browser vs OS level installation

When accessing a server which signed using your own root certificate, if it isn't installed locally, browser will prompt the warning. Then need to select trust the certifcate in order to continue.

This action only trust that machine certificate in the browser, it only does

  • Trust the machine certificate, not the root certificate
  • Only trust in the browser currently used

The benefit of installing root certificate OS level are

  • All applications will trust certificate
  • Only one time installation required
  • Trusted for all users in the system (Not Firefox Browser)

Download certificate

Provide by issuer

Go to issuer software, such as Synology NAS, download from certificate store, and extract CA certificate, such as example-ca-cert.pem.

From browser with root certificate

The root certificate can be downloaded from browser if the brower has been installed. For example, in Firefox,

  • Click on lock icon besides URL => connection secure => more information, then Page Info window appears
  • Click on View Certificate in Security tab, then certificate information page is displayed as a new browser tab.
  • Look for chain certificate. In Firefox, it is under Miscellaneous => Download PEM (chain)
  • Click on chain certificate and save it locally.

Note: The downloaded certificate file contains both server certificate and root certificate. Delete server certificate using text editor if possible. If the server certificate had been installed in keychain, it can be removed from keychain later too

Install certificate

Use following steps to install CA certificate into keychain

  • Double click the certificate file (with ".pem" or ".cer" extension)
  • Choose "System" from the keychain option. Then press "Add" to install after password provided

Set certificate "Always Trust"

To set system wide trust, use following steps.

  • Open Keychain Access application
  • Look for root certificate, double click it
  • Expand Trust section
  • Select "Always Trust" from list of When using this certificate.

Delete server certificate if needed

If the server certificate was also installed, suggest to delete it from keychain and browser certificate store. This is to avoid false information about successful installation.

  • Open Keychain Access application
  • Look for server certificate
  • Right click on it, then select delete certificate

Firefox Only

In Firefox, which has its own certificate store, the system certificates are not accepted. So use following steps to enable system certificates to be used for current user.

  • Open new tab, and type about:config
  • Search for security.enterprise_roots.enabled
  • Change it to true by double click the line.

Note: This only enable trust for current user

Reboot

Verify

Use browser to access another website which has the same root certificate, the certificate not trusted page should not appear.

References

FAQ: How to add root certificate to Mac OS X

Script to delete old docker images

Posted on by Bian Xi Leave a Comment on Script to delete old docker images

Script to delete old docker images

To schedule a task to delete old docker images.

Assumption

Assuming there is a local copy of image normally. If not, need to directly operate in registry server or pull image locally before execution.

Prereq

Following information should be set as environment variable.

user=username
password=password
registry=registry.example.net
repo=repo

List images

List by image date

This is for local images, list all images' digests created 30 days ago.

docker images $registry/$repo --digests --format "{{.Repository}} {{.Tag}} {{.ID}} {{.Digest}} {{.CreatedAt}}" | awk '{if ($5 < strftime("%Y-%m-%d", systime()-3600*24*30)) {print $1,$2,$3,$4}}'

List by tags

List all tags in format of YYYYDDMM older than 30 days.

TAG_LIST=`curl -s https://$user:$password@$registry/v2/$repo/tags/list | jq '.tags[] | select(. < (now-3600*24*30 | strftime("%Y%m%d")) )'`

Note: strflocaltime can be used if your jq supports it.

Query remote manifest by tag

Using docker command

docker manifest inspect $registry/$repo:$tag -v | jq '.Descriptor.digest'

or using rest api

curl -v --silent -H "Accept: application/vnd.docker.distribution.manifest.v2+json" -X GET https://username:password@registry.example.net/v2/${repo}/manifests/20210624 2>&1 | grep Docker-Content-Digest | awk '{print ($3)}'

Delete tags

Delete from registry

curl -X DELETE https://$username:$password@$registry/v2/${repo}/manifests/sha256:xxxxxxxxxxxxxxxx

Delete from local

Delete image using image id.

docker rmi $image_id

Script

#!/bin/bash

. ./set_env.sh

user=USERNAME
password=$PASSWORD

repo=${1:-repo_name}
registry=REGISTRY_NAME
keep_days=30

## List all docker images

docker images $registry/$repo --digests --format "{{.Repository}} {{.Tag}} {{.ID}} {{.Digest}} {{.CreatedAt}}" | awk -v keep_days=$keep_days '{if ($5 < strftime("%Y-%m-%d", systime()-3600*24*keep_days)) {print $1,$2,$3,$4}}' | while read line
do
        read repo_path tag id manifest <<< $line

        echo Deleting from registry: $line
        curl -X DELETE https://$user:$password@$registry/v2/${repo}/manifests/$manifest

        echo Deleting from local: $line
        docker rmi $id
done

## List all docker images with tags in registry server
curl -s https://$user:$password@$registry/v2/$repo/tags/list | jq '.tags[] | select(. < (now-3600*24*30 | strftime("%Y%m%d")) )' | tr -d '"' | while read tag
do
        echo Deleting from registry: $tag
        manifest=`docker manifest inspect $registry/$repo:$tag -v | jq '.Descriptor.digest' | tr -d '"'`
        curl -X DELETE https://$user:$password@$registry/v2/${repo}/manifests/$manifest
done

References

Docker Registry HTTP API V2
Can I get an image digest without downloading the image?

Clean up docker registry

Posted on by Bian Xi Leave a Comment on Clean up docker registry

Clean up docker registry

After docker containers are backed up daily to docker registry, clean up process is required.

Note: If the image without tag, and if it can be found client locately, then can run command docker inspect to find out. Otherwise, can check "Run command from server" section find out.

List _catalog (repositries)

Following curl command can be used to display all _catalog (repositries).

curl https://username:password@registry.example.net/v2/_catalog

List images (tags) for each repositry

Following curl command can be used to display tags for specific repo

curl https://username:password@registry.example.net/v2/${repo}/tags/list

Get Digest

Using pull request

Use pull image command to get digest as below.

docker pull registry.example.net/${repo}:20210624
20210624: Pulling from user/host/dnsmasq
...
22b5d63ad977: Already exists
8e2e66517d7e: Pull complete
Digest: sha256:7535af1f65524f9200b901fc31b9c779819e45c0502ef99605666842a319908f

Get digest when deleting local image

Using delete local image action also can get digest as well

docker rmi registry.example.net/${repo}:20210619
# Untagged: registry.example.net/user/host/dnsmasq:20210619
# Untagged: registry.example.net/user/host/dnsmasq@sha256:e300ff463dc18c7b3bf3964dc5a9832f613d829285a0da49e5fd37519dc7d0fc
# Deleted: sha256:35baba3d5948b5844b67adcd6a236905039e929f8647d4e4afc9e64e9460d557
# Deleted: sha256:bd681f3956f55dc028bae7ca4c2657457824a0e356c59705302fb084660a669b

The Digest is the second tag.

Note: The first deleted sha256 allowed to be deleted too, but not the second deleted. Don't understand why

Run command from client

Run following command to get Digest

curl -v --silent -H "Accept: application/vnd.docker.distribution.manifest.v2+json" -X GET https://username:password@registry.example.net/v2/${repo}/manifests/20210624 2>&1 | grep Docker-Content-Digest | awk '{print ($3)}'

Run command from server

This is usefull if there is no image at client and no tag for specfic image.

docker exec privateregistry_registry_1 bin/registry garbage-collect --dry-run /etc/docker/registry/config.yml | grep '${repo}: marking manifest' | awk '{print $4}'

Check manifests exists or not

curl https://username:password@registry.example.net/v2/${repo}/manifests/sha256:xxxxxxxxxxxxxxxx

Delete tag

curl -X DELETE https://username:password@registry.example.net/v2/${repo}/manifests/sha256:xxxxxxxxxxxxxxxx

Delete _catalog

The v2 registry doesn't allow deleting only certain tags from an image, and deletion of tags is in an open PR for a future version of the Registry (https://github.com/docker/distribution/pull/2169).

rm -rf docker/registry/v2/repositories/${repo}/

*Note: After delete, garbage-collect, restart, the repo is still reporting out as empty _catalog.

Run garbage-collect

Login to registry server and run following command

docker exec registry bin/registry garbage-collect --delete-untagged /etc/docker/registry/config.yml

If the repo is still listed in the output, need to delete them too.

Restart registry if necessary

docker restart registry

References

Docker Private Registry - Deleted all images, but still showing in catalog
Clean Up Your Docker Registry
Delete repository from v2 private registry
Pull Request - New Tags API #2169
Docker Registry HTTP API V2

JFrog artifactory open-source edition

Posted on by Bian Xi Leave a Comment on JFrog artifactory open-source edition

JFrog artifactory open-source edition

JFrog artifactory contains many feature, such as git, docker, etc.

Download URL

https://jfrog.com/open-source/#artifactory

Docker

Docker image can be pulled via docker command

docker pull releases-docker.jfrog.io/jfrog/artifactory-oss:latest

Docker compose can be found in download url as well.

Rsync backup client

Posted on by Bian Xi Leave a Comment on Rsync backup client

Rsync backup client

Rsync backup command can be used as below.

rsync -avR --delete
        --backup-dir=/folder-`date +%Y.%m.%d` \
        --password-file=/root/password_file \
        --exclude-from='exclude-list.txt' \
        /app \
        /usr/local/share/ca-certificates/ \
        /etc/network/interfaces \
        /etc/NetworkManager/system-connections/ \
        /root \
        /home \
        rsync@server::NetBackup/folder

The password_file only contains rsync password without any other data.

In rsync@server::NetBackup/folder, rsync is user id, server is rsync server, NetBackup is rsync service (share folder), folder is where backup to be saved.

The backup-dir is the folder created in the rsync server to save changes.

Create LABEL for filesystems in Linux

Posted on by Bian Xi Leave a Comment on Create LABEL for filesystems in Linux

Create LABEL for filesystems in Linux

LABEL is used in /etc/fstab and system boot, such as cmdline.txt and grub, to allow the mounting identify the filesystem..

In order to allow system recognize the LABEL, blkid needs to show the filesystem has the LABEL.

Assign LABEL during filesystem creation

vfat

mkfs.vfat -n "label" /dev/XXX

ext4

mkfs.ext4 -L "label" /dev/XXX

btrfs

mkfs.btrfs -L "label" /dev/XXX

Change LABEL

LABEL can be changed after filesystem created.

swap

swaplabel -L "new label" /dev/XXX using util-linux

ext2/3/4

e2label /dev/XXX "new label" using e2fsprogs

btrfs

btrfs filesystem label /dev/XXX "new label" using btrfs-progs

reiserfs

reiserfstune -l "new label" /dev/XXX using reiserfsprogs

jfs

jfs_tune -L "new label" /dev/XXX using jfsutils

xfs

xfs_admin -L "new label" /dev/XXX using xfsprogs

fat/vfat

fatlabel /dev/XXX "new label" using dosfstools
mlabel -i /dev/XXX ::"new label" using mtools

exfat

tune.exfat -L "new label" /dev/XXX using exfatprogs
exfatlabel /dev/XXX "new label" using exfatprogs or exfat-utils

ntfs

ntfslabel /dev/XXX "new label" using ntfs-3g

udf

udflabel /dev/XXX "new label" using udftools

crypto_LUKS (LUKS2 only)

cryptsetup config --label="new label" /dev/XXX using cryptsetup

References

Persistent block device naming
How do I change the "label" reported by lsblk? [duplicate]

Change user name in ubuntu

Posted on by Bian Xi Leave a Comment on Change user name in ubuntu

Change user name in ubuntu

To change default user name ubuntu created in Raspberry Pi image, without adding a temporary user or enable root id, can be done using background job.

Commands

Change user name and home directory

usermod -l newUsername -d /home/newUsername oldUsername

Change group name

groupmod -n <newgroup> <oldgroup>

Job

The actual execution should be triggered as background job. I used screen command as below

  1. Login as ubuntu (default id)
  2. Run sudo -i to root
  3. Run screen to launch screen session
  4. Run following command, and press Ctrl-A d detach screen session immediately, without command executed.
newname=<new_user_name>
sleep 30; ps -ef | grep ^ubuntu | awk '{print $2}' | xargs kill -9 ; usermod -l $newname -d /home/$newname ubuntu; groupmod -n $newname ubuntu; mv /home/ubuntu /home/$newname
  1. Quit from console or ssh session
  2. After 30 seconds, login to the system using newname if succeeded. Othewise, use ubuntu login again.
  3. Then sudo to root and run screen -r to check if error or quit screen session.

References

How do I change my username?