Category Archives: DevOps

Access to device over 3g mobile internet or NAT

The problem: you need access to a device (PC, Raspberry Pi, etc.) that is connected to the internet through a USB dongle (or Wi-Fi) from a mobile internet provider.
In this case the device has no public (white) IP address, and that is the challenge!

The solution I advise is to use an SSH tunnel. For this you need a public SSH server accessible from the world. If you have one, go ahead!

Part 1. Configure public SSH server!
Add to “/etc/ssh/sshd_config”:

PermitTunnel yes
ClientAliveInterval 60
GatewayPorts yes

Restart service:

sudo systemctl restart sshd.service

And that’s it for changes on the public side. Everything else is done on your private (local, intranet, etc.) machine.
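Lines added to sshd_config only apply globally if they are the first occurrence of the keyword and sit above any Match block. The check below is an added example, not part of the original post; the function name and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: does a line added to sshd_config take effect globally?

# sshd_keyword_report KEYWORD FILE
# For every occurrence of KEYWORD print "LINE STATUS VALUE", where STATUS is
#   effective - first occurrence outside any Match block (sshd uses this one)
#   shadowed  - later occurrence outside Match blocks (ignored by sshd)
#   match     - below a Match line, applies only to matching connections
# Simplification: Include directives are not followed.
sshd_keyword_report() {
  awk -v want="$1" '
    BEGIN { want = tolower(want) }          # keywords are case-insensitive
    /^[ \t]*(#|$)/ { next }                 # comments and blank lines
    { key = tolower($1) }
    key == "match" { in_match = 1; next }   # everything below is conditional
    key != want { next }
    in_match { print NR, "match", $2; next }
    seen++ { print NR, "shadowed", $2; next }
    { print NR, "effective", $2 }
  ' "$2"
}

# Constructed sample: the three lines from Part 1 appended to a file that
# already sets GatewayPorts and ends with a Match block.
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
sample=$sample_dir/sshd_config
cat > "$sample" <<'EOF'
# constructed sample sshd_config
Port 22
GatewayPorts no
PasswordAuthentication no
Match User backup
    X11Forwarding no
# lines from Part 1, appended at the end of the file
PermitTunnel yes
ClientAliveInterval 60
gatewayports yes
EOF

sshd_keyword_report GatewayPorts "$sample"
```

On the real server, `sudo sshd -T` prints the configuration sshd will actually use, including files pulled in by Include.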

Part 2. Make public-private key pair!
Install SSH client. For Ubuntu use:

sudo apt install openssh-client

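To connect to our public SSH server we’ll use key-based authentication.

ssh-keygen -f ~/.ssh/mykey

Attention! Set an empty passphrase for the key pair! The tunnel in Part 3 is started from cron, with nobody present to type a passphrase.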

Copy the public SSH key to the public SSH server (user@public-server stands for your account and host there):

ssh-copy-id -i ~/.ssh/mykey user@public-server

Start SSH agent and load your new key:

eval `ssh-agent -s`
ssh-add ~/.ssh/mykey

Now you should be able to log in to your public SSH server:

ssh -i ~/.ssh/mykey user@public-server

If not, check all steps in this part.
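The key from this part has no passphrase and lives on an unattended device, so it is worth limiting on the public server to the one thing it is needed for. The function below is an added example, not part of the original post: it rewrites the key's authorized_keys entry so it can only open a remote-forward listener on port 22222. The function name, the fake key blobs and the /bin/false forced command are assumptions; `permitlisten` needs OpenSSH 7.8 or newer on the server.

```shell
#!/bin/sh
# Added example: restrict the passphrase-less tunnel key on the public server.

# restrict_tunnel_key AUTH_KEYS PUBKEY PORT
# Print AUTH_KEYS with the entry for the key in PUBKEY rewritten so that the
# key can only open a remote-forward listener on PORT and cannot run commands.
restrict_tunnel_key() {
  case $3 in ''|*[!0-9]*) echo "bad port: $3" >&2; return 2 ;; esac
  # Field 2 of a .pub file is the base64 key blob that identifies the key.
  blob=$(awk 'NR == 1 { print $2 }' "$2")
  [ -n "$blob" ] || { echo "no key found in $2" >&2; return 2; }
  # /bin/false as forced command is an assumption; "ssh -N" never runs it.
  opts="restrict,port-forwarding,permitlisten=\"$3\",command=\"/bin/false\""
  awk -v blob="$blob" -v opts="$opts" '
    /^[ \t]*(#|$)/ { print; next }            # comments and blank lines
    {
      for (i = 2; i <= NF; i++) if ($i == blob) {
        line = opts " " $(i - 1)              # new options, then key type
        for (j = i; j <= NF; j++) line = line " " $j
        print line; found = 1; next           # old options are dropped
      }
      print                                   # other keys are left alone
    }
    END { exit (found ? 0 : 1) }              # 1: key not in the file
  ' "$1"
}

# Constructed sample data (the key blobs are fake, not real keys).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' 'ssh-ed25519 AAAAC3FAKEtunnelKEY pi@device' > "$demo_dir/mykey.pub"
printf '%s\n' '# admin key' \
  'ssh-ed25519 AAAAC3FAKEadminKEY admin@laptop' \
  'ssh-ed25519 AAAAC3FAKEtunnelKEY pi@device' > "$demo_dir/authorized_keys"

restrict_tunnel_key "$demo_dir/authorized_keys" "$demo_dir/mykey.pub" 22222
```

With the entry rewritten this way, the interactive login test above no longer gives a shell, while the `ssh -N -R` tunnel from Part 3 keeps working.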

Part 3. Make robust SSH tunnel through 3g/4g/etc channel!
As you know, if you have no dedicated IP address from your internet service provider, the IP address will change unpredictably. This is a problem for SSH tunnels. Even autossh, which you may have read about, doesn’t help. So let’s build a system that recreates the SSH tunnel each time the public IP address changes.

Install SSH server. For Ubuntu use:

sudo apt install openssh-server

For the next step we need to create a few files:
The main one is “~/tun_manager.sh”



#!/bin/sh

echo
echo [ $(date +%Y-%m-%d\ %H:%M:%S,%3N) ]

# Settings
IP_LOG=~/ip.log

# Init log
if [ ! -f $IP_LOG ]; then
  echo "" > $IP_LOG
fi

# Start SSH tunnel if not exists
PID=$(~/tun_pid.sh)
if [ -n "$PID" ]; then
  echo "SSH tunnel is already created"
else
  ~/tun_start.sh &
  sleep 3
  PID=$(~/tun_pid.sh)
fi
echo "Pid: $PID"

echo "Check new public IP..."

# Get current IP
CURRENT_IP=$(dig +short myip.opendns.com @resolver1.opendns.com)
echo "Current IP: $CURRENT_IP"

if [ -z "$CURRENT_IP" ]; then
  echo "Current IP is empty. Exit."
  exit 0
fi

# Get last IP
LAST_IP=$(tail -n 1 $IP_LOG)
echo "Last IP:    $LAST_IP"

if [ "$CURRENT_IP" != "$LAST_IP" ]; then
  # Save current IP
  echo $CURRENT_IP >> $IP_LOG

  echo "Restarting SSH tunnel - started"
  ~/tun_stop.sh
  ~/tun_start.sh &
  sleep 3
  echo "Restarting SSH tunnel - finished"
else
  echo "IP is not changed. Exit."
fi


File “~/tun_pid.sh”

#!/bin/sh

echo $(ps aux | grep -i "ssh -v -N" | grep -v grep | awk '{print $2}')

File “~/tun_start.sh”

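#!/bin/sh

# Replace user@public-server with your account on the public SSH server.
# -R 0.0.0.0:22222:localhost:22 makes the public server listen on port 22222
# on all interfaces (this needs GatewayPorts yes) and forward connections
# to port 22 of this machine.
echo "Creating SSH tunnel..."
while true
do
  ssh -v -N -C \
    -o ServerAliveInterval=60 \
    -o ExitOnForwardFailure=yes \
    -i ~/.ssh/mykey \
    -R 0.0.0.0:22222:localhost:22 user@public-server \
    -E ~/ssh.log
  echo "Recreating SSH tunnel..."
  sleep 5
done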

File “~/tun_stop.sh”

#!/bin/sh

killall tun_start.sh

for i in `ps aux | grep -i "ssh -v -N" | grep -v grep | awk '{print $2}'`; do
  kill -9 $i
done

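The last step is to run our tunnel manager as a cron task. So, edit the cron file:

sudo mcedit /etc/crontab

Or use any other method you like, and add the task (user stands for your account on the private machine; in /etc/crontab the sixth field is the user the job runs as):

*/5 * * * * user /home/user/tun_manager.sh >> /home/user/tm.log

So, every 5 minutes the system is checked and the SSH tunnel is recreated if needed.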

Part 4. Testing!
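Now we are ready to connect to our private SSH server from the world (user is an account on the private machine, public-server is the public SSH server):

ssh user@public-server -p22222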

See also,
https://help.ubuntu.com/lts/serverguide/openssh-server.html

https://blogs.wcode.org/2015/04/howto-ssh-to-your-iot-device-when-its-behind-a-firewall-or-on-a-3g-dongle/

http://wiki.maemo.org/Reverse_ssh

https://askubuntu.com/questions/95910/command-for-determining-my-public-ip

Install Oracle Java 8 on Ubuntu Linux

To install Oracle JDK 8 on Ubuntu you can choose one of two methods:
A. Automatic installation:

sudo apt-get install python-software-properties
sudo add-apt-repository ppa:webupd8team/java

sudo apt-get update

sudo apt-get install oracle-java8-installer

sudo update-alternatives --config java
sudo update-alternatives --config javac
sudo update-alternatives --config javaws

B. Manual installation:

Download the Oracle JDK from http://www.oracle.com/technetwork/java/javase/downloads/index.html

Extract archive into /usr/local/jdk1.8.0_65

Setup
sudo update-alternatives --install  /usr/bin/java java /usr/local/jdk1.8.0_65/bin/java 1
sudo update-alternatives --install  /usr/bin/javac javac /usr/local/jdk1.8.0_65/bin/javac 1
sudo update-alternatives --install  /usr/bin/javaws javaws /usr/local/jdk1.8.0_65/bin/javaws 1

sudo update-alternatives --set  java /usr/local/jdk1.8.0_65/bin/java
sudo update-alternatives --set  javac /usr/local/jdk1.8.0_65/bin/javac
sudo update-alternatives --set  javaws /usr/local/jdk1.8.0_65/bin/javaws

Thanks to http://stackoverflow.com/a/31869659

Change default password for Oracle 11g Database

To change the default password for the SYS and SYSTEM users, use the following trick.

1. Run in shell:

sqlplus  / as sysdba

2. Change password for SYS:

SQL> alter user SYS identified by "your-super-password";

3. Change password for SYSTEM:

SQL> alter user SYSTEM identified by "your-super-password";

Thanks to http://stackoverflow.com/a/740884

Using RSYNC to backup (synchronize) folders

If you want to synchronize two folders, use the following snippets.

1. Sync folder “source” content to “target” folder:

rsync -arpv --delete /mnt/source/ /mnt/target

Notice trailing slash for “source” folder!

2. Sync whole folder “source” to “parent” folder:

rsync -arpv --delete /mnt/source /mnt/parent

More info https://linux.die.net/man/1/rsync

Generate SSH key (identity)

To generate an SSH key, do the following:

1. Install any SSH client (if absent).

2. Show existing keys:

ls -la ~/.ssh

It can be empty.

3. Generate key itself:

ssh-keygen -t rsa -b 4096 -C "your@email.com"

You’ll be prompted to enter the path to store the key. Also, you can enter a passphrase. But it can be empty in some cases.

4. Check for new key:

ls -la ~/.ssh

You’ll see something like:

-rw-r--r-- 1 dtv 197121 1679 jun 11 2016 id_rsa
-rw-r--r-- 1 dtv 197121 400 jun 11 2016 id_rsa.pub

5. Run SSH agent to add new key:

eval "$(ssh-agent -s)"

6. Add SSH key:

ssh-add ~/.ssh/id_rsa

Thanks to https://help.github.com/articles/generating-an-ssh-key/

Multiple SSH keys configuration

If you are using, for example, Git, you may need different SSH keys for different servers. By default the git client uses the “~/.ssh/id_rsa” private key.
When a server expects another key, you’ll get an error like:

Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.

If you want to use another SSH key, you have to load it with the ssh-add command beforehand, each time.

To avoid the issue you can specify the SSH key for a certain server.
Just create (or update) file “~/.ssh/config” with content:

Host  someserver.com
  HostName                  someserver.com
  Port                      22
  PreferredAuthentications  publickey
  IdentityFile              "C:\Users\user42\.ssh\private-ssh-key-file"

Thanks to
https://confluence.atlassian.com/bitbucket/configure-multiple-ssh-identities-for-gitbash-mac-osx-linux-271943168.html
and https://gist.github.com/jexchan/2351996

Apache and SVN configuration with user permissions

This tutorial shows how to configure Apache together with SVN.

1. First of all you should install Apache Httpd server (version 2.4 in this case) with DAV_SVN module and subversion client:

yum -y install httpd mod_dav_svn subversion

2. Check that the installed modules are turned on:

LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_user_module modules/mod_authz_user.so

LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule dav_lock_module modules/mod_dav_lock.so

LoadModule dav_svn_module     modules/mod_dav_svn.so
LoadModule authz_svn_module   modules/mod_authz_svn.so
LoadModule dontdothat_module  modules/mod_dontdothat.so

3. Configure the repository folder in httpd.conf:

<Directory "/srv/svn/repos">
    Options None
    AllowOverride None
    Require all granted
</Directory>

4. Add virtual host:

<VirtualHost *:80>
    ServerName svn.domain.com
    DocumentRoot "/srv/svn"
    ErrorLog "/srv/svn/log/svn.domain.com_error_log"
    CustomLog "/srv/svn/log/svn.domain.com_access_log" common
    TransferLog "/srv/svn/log/svn.domain.com_transfer_log"

    LimitXMLRequestBody 0
    LimitRequestBody 0

    <Location />
        DAV svn
        SVNParentPath "/srv/svn/repos"
        SVNListParentPath on
        AuthType Basic
        AuthName "Subversion repository"
        AuthUserFile "/srv/svn/svn.passwd"
        AuthzSVNAccessFile "/srv/svn/svn.access"
        Require valid-user
    </Location>
</VirtualHost>

5. Create passwd file “/srv/svn/svn.passwd”:

htpasswd -c -b /srv/svn/svn.passwd tom tomPasswordHere
htpasswd -b /srv/svn/svn.passwd jerry jerryPasswordHere
htpasswd -b /srv/svn/svn.passwd spike spikePasswordHere

6. Create access file “/srv/svn/svn.access”:

[groups]
adminGroup = tom
otherGroup = jerry,spike

[/]
* =
@adminGroup = rw

[php:/project42]
@otherGroup = rw

[php:/projectGood]
@otherGroup = r

So, as you can see, adminGroup has full access to the php repository,
while otherGroup has write access to project42 and only read permission on projectGood.

Also see http://stackoverflow.com/questions/81361/how-to-setup-access-control-in-svn