Subpage about Rust
Use this documentation for installation and afterwards configure your reverse DNS to point back to your domain. Together with the TLS communication between postfix and the Gmail server this was sufficient for emails not landing in the SPAM folder of the recipients.
rustc/cargoWhen you encountered the following error while trying to cross compile:
error[E0463]: can't find crate for `std`
|
= note: the `armv7-unknown-linux-gnueabihf` target may not be installedThen install missing files with
rustup target add armv7-unknown-linux-gnueabihf
rustup target add armv7-unknown-linux-gnueabi
# To also install arm-* files:
rustup target add arm-unknown-linux-gnueabihf
rustup target add arm-unknown-linux-gnueabiThen you can cross compile with
CC=arm-linux-gnueabihf-gcc rustc src/main.rs --target arm-unknown-linux-gnueabihf -C linker=arm-linux-gnueabihf-gccPlease note that using cargo failed for me by using:
CC=arm-linux-gnueabihf-gcc cargo build --target arm-unknown-linux-gnueabihf:set textwidth=80gggqGImagine you want to capture traffic from your Raspberry Pi and want to see it in Wireshark in realtime.
user@pc $ mkfifo capture
user@pc $ ssh rpi sudo tcpdump -U -n -w - -i eth0 tcp port 53 > capture
# Or more specific DNS traffic:
user@pc $ ssh rpi sudo tcpdump -U -n -w - -i eth0 tcp port 53 > captureThen open Wireshark and under Manage interfaces open tab Pipes and create a new pipe which points on the file you created with mkfifo above. Then start to capture and you see the traffic.
Next step I try is to use dumpcap instead of tcpdump.
mkfifo /tmp/capture
# Set /tmp/capture as capture device under "Manage interfaces" in Wireshark
ssh rpi sudo dumpcap -n -w - -i eth0 -f \'not tcp port 22\' > /tmp/captureThe above captures all traffic but not the SSH traffic in particular not the traffic you are producing with this ssh command. Probably, you could further restrict this capture filter by using not host 192.168.0.123 and not tcp port 22 if your host has this IP.
The following is based on this blog post.
sudo snap install microk8s --classic
alias kubectl='microk8s.kubectl'
kubectl get nodes
kubectl get po,svc --namespace kube-system
# Enable/disable dashboard
microk8s.enable dns dashboard
microk8s.diable dns dashboard
# Turn off k8s for a while
snap disable microk8s
# Turn it on again
snap enable microk8s
# Remove it completly
sudo snap remove microk8sapt install wireguard wireguard-toolsAdd interface in /etc/network/interfaces:
auto eth0
iface eth0 inet dhcp
iface eth0 inet6 auto
auto wg0
iface wg0 inet static
address 192.168.42.1
netmask 255.255.255.0
pre-up ip link add wg0 type wireguard
pre-up wg setconf wg0 /etc/wireguard/wg0.conf
up ip link set wg0 up
down ip link delete wg0
iface wg0 inet6 static
address fd00:42::1
netmask 64Enable router functionality by adding `/etc/sysctl.d/wireguard.conf:
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1Then enable this settings by
sysctl -p /etc/sysctl.d/wireguard.confRestart system now to see if everything work until here.
Enable NAT:
iptables -A FORWARD -i wg0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
ip6tables -A FORWARD -i wg0 -j ACCEPT
ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADETo make these rules persistent:
apt install iptables-persistentOn the host which forwards packages between peers we use the configuration file /etc/wireguard/wg0.conf.
Create private key:
umask 077
wg genkey > /etc/wireguard/server.key# /etc/wireguard/wg0.conf
[Interface]
ListenPort=40404
PrivateKeys=deadbeef...=Generate keys:
wg genkey | tee privatekey | wg pubkey > publickeyconfig file:
[Interface]
PrivateKey = <contents-of-server-privatekey>
Address = 10.0.0.1/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
[Peer]
PublicKey = <contents-of-client-publickey>
AllowedIPs = 10.0.0.2/32Start:
wg-quick up wg0Status:
wg showEnable SystemD service:
systemctl enable wg-quick@wg0Check configuration:
ifup wg0You should see Waiting for DAD... Done.
cat /etc/wireguard/server.key | wg pubkeyCreate private/public keypair for client:
wg genkey | tee /etc/wireguard/client1.key | wg pubkey
cat /etc/wireguard/client1.keySet peer as allowed client in /etc/wireguard/wg0.conf:
[Peer]
PublicKeys=aabbccdd...=
AllowedIPs=192.168.42.100,fd00:42::100Enable changed configuration
wg setconf wg0 /etc/wireguard/wg0.confEach client gets its own configuration file under /etc/wireguard/clients/ e.g. client1.conf:
[Interface]
PrivateKey=...
Address=192.168.42.100/24,fd00:42::100/64
DNS=1.1.1.1,2606:4700:4700::1111
[Peer]
PublicKey=...
Endpoint=meinwg.dyn6.net:40404
AllowedIPs=0.0.0.0/0,::/0[Interface]
Address = 10.0.0.2/32
PrivateKey = <contents-of-client-privatekey>
DNS = 1.1.1.1
[Peer]
PublicKey = <contents-of-server-publickey>
Endpoint = <server-public-ip>:51820
AllowedIPs = 0.0.0.0/0, ::/0Note that setting AllowedIPs to 0.0.0.0/0, ::/0 will forward all traffic over the WireGuard VPN connection. If you want to only use WireGuard for specific destinations, set their IP address ranges in the list separated by a comma.
Start:
sudo wg-quick up wg0
# or
sudo systemctl start wg-quick@wg0Stop:
sudo wg-quick down wg0
# or
sudo systemctl stop wg-quick@wg0For mobile clients
apt install qrencode
cat /etc/wireguard/clients/client1.conf | qrencode -t ansiutf8For further clients add [Peer] sections.
# JSON:
curl ... | jq .
# XML:
curl ... | xmllint --format -
# Read node value with Xpath
curl ... | xmllint --xpath "/mainnode/subnode/text()" -Type=oneshot is used for units, such as a filesystem check or a cleanup, which execute an action without keeping active processes. Such systemd units will wail until the process specified by ExecStart terminates, and then deactivate by running the process specified by ExecStop. This is useful for scripts that do a single job and then exit. You may want to set RemainAfterExit=yes as well so that systemd still considers the service as active after the process has exited.Type=simple (the default setting) systemd considers the service to be started up immediately. The process must not fork. Do not use this type if other services need to be ordered on this service, unless it is socket activated. It is used when the process configured with ExecStart is the main process of the service. Such units will wait until the process specified by ExecStart returns, then deactivate by running the process specified by ExecStop.RemainAfterExit=yes, the service will be considered active even when all its processes have returned, and therefore the process specified by ExecStop will not run automatically. However, this setting is not recommended since the service will still appear as being active even if it has crashed. This setting is disabled by default.Type=forking is used when the process specified by ExecStart is expected to exit after start-up is complete, while its child process(es) continue(s) to run in the background. This is the behavior of traditional UNIX daemons and the recommended choice in your case. The ExecStop setting is optional and is used to communicate with the service for a clean termination. The process specified by ExecStop will run in case the service crashes. In the absence of any ExecStop option, the systemctl stop servicename command will simply kill the remaining processes of the unit, as specified by the KillMode option.# service that depends on important.service say A.service
Requires=important.service
After=important.serviceRequires only defines a dependency but not an ordering. If you use only Requires in A.service, both services will be start together. Only if you use Requires and After then service A will be startet after the important service and will be only startet if the important service is available.
See here for details.
Do you know the message about too many login tries when trying to ssh to an remote host? Use this to pin the one and only correct key or also multiple keys:
ssh -o IdentitiesOnly=yes \
-o IdentityFile=id1.key \
-o IdentityFile=id2.key \
-i id3.key \
-i id4.key \
user123@example.comSituation: You are working to build an Yocto image and one recipe fails with
git -c core.fsyncobjectfiles=0 ls-remote https://w1.fi/hostap.git failed with exit code 128, output:
fatal: unable to access 'https://w1.fi/hostap.git/': server certificate verification failed. CAfile: none CRLfile: noneQuick hack is to disable the verification temporary. Don’t forget to enable it again!
git config --global http.sslverify falseAssume you have an big image sda.img that contains multiple partitions and you want to mount only one of these partitions.
losetup /dev/loop101 sda.img
sfdisk -d /dev/loop101
...
/dev/loop101p10 : start= 229376, size= 786432, ...
...
losetup --detach /dev/loop101The you take the value 229376 and calculate the offset by multiplying 512 (sector size).
>>> 512*229376
117440512This value you take into account in the next losetup command:
losetup -o 117440512 /dev/loop101 sda.img
mkdir /tmp/partition
mount /dev/loop101 /tmp/partitionThat’s it!
systemctl start serial-getty@ttyS0systemctl enable serial-getty@ttyS0sources.lstnetselect-apt for testing debian mirror serversudo adduser $USER vboxusers#!/bin/sh
IPTABLES="/sbin/iptables"
INTDEV="eth0"
EXTDEV="eth1"
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
$IPTABLES -t nat -A POSTROUTING -j MASQUERADEUse apt-get install isc-dhcp-server and configure /etc/dhcp/dhcpd.conf and /etc/default/isc-dhcp-server.conf.
You have to provide the dns server and the default gateway inside the subnet definition:
subnet 192.168.1.0 255.255.255.0 {
range 192.168.1.20 192.168.1.30;
option routers 192.168.1.1;
option domain-name-servers 8.8.8.8,9.9.9.9;
}Further details can be found here
Load archive
# Edit /etc/unbound/unbound.conf: enable include: ...*.conf
cp 01_CacheForwarder.con /etc/unbound/unbound.conf.d/
unbound-checkconf
service unbound restart
dig @localhost ct.de
cp 02_Validate.conf /etc/unbound/unbound.conf.d/
curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache
# Enable root-hints: "/etc/unbound/root.hints"
unbound-anchor -v
dig @localhost dnssec.works
# If it works answer is ;;flags: qr rd ra ad;
# Update root.hints:
cp unbound_updates.sh /etc/cron.weekly
chmod 0755 unbound_updates.shSee python-can project here.
Useful from above site are e.g. how to use virtualization for socket can:
$ sudo modprobe vcan
$ sudo ip link add dev virtcan0 type vcan
$ sudo ip link set up virtcan0 arm-linux-gnu-gdbserver localhost:4711 ./targetbinary --helparm-linux-gnu-gdb build/src/targetbinary
gdb>target remote 192.168.0.1:4711
gdb>b main
gdb>continue-serial mon:stdio -serial /dev/ttyS1 -serial telnet:localhost:4321,server,nowait-chardev tty,path=/dev/ttyS2,id=hostserial -device pci-serial,chardev=hostserial# Edit file .git/hooks/pre-commit and set it to executable:
cargo fmt
# '-D warnings' turns warning to errors and leads to the hook to fail
exec cargo clippy -- -D warnings