Run this:
sudo add-apt-repository ppa:nextcloud-devs/client && sudo apt update && sudo apt -y install nextcloud-client
03
Dec
2020
Linux
03
Dec
2020
How to install bup on Ubuntu 22.04
I’ve built a PPA that currently publishes bup 0.33 for Ubuntu 22.04 for x64 computers
This one-liner installs the PPA, updates the APT package cache and installs bup:
sudo add-apt-repository -y ppa:ulikoehler/bup && sudo apt update && sudo apt -y install bup
Want to build it yourself?
The bup package has been built using my deb-buildscripts toolchain. In order to build it yourself:
git clone https://github.com/ulikoehler/deb-buildscripts cd deb-buildscripts ./deb-bup.py
You might need to install some build dependencies for the build process to work, but the script will tell you what is missing.
Additionally you should install python3-xattr– the package in Ubuntu is too old, so install it using
sudo pip3 install --upgrade pyxattr
In case you get
sudo: pip3: command not found
install pip3 using:
sudo apt -y install python3-pip
30
Nov
2020
The security risk of running docker mariadb/mysql with MYSQL_ALLOW_EMPTY_PASSWORD=yes
This is part of a common docker-compose.yml which is frequently seen on the internet
version: '3'
services:
mariadb:
image: 'mariadb:latest'
environment:
- MYSQL_ALLOW_EMPTY_PASSWORD=yes
- MYSQL_DATABASE=redmine
volumes:
- './mariadb_data:/var/lib/mysql'
[...]Simple and secure, right? A no-root-password MariaDB instance that’s running in a separate container and does not have its port 3306 exposed – so only services from the same docker-compose.yml can reach it since docker-compose puts all those services in a separate network.
Wrong.
While the MariaDB instance is not reachable from the internet since no, it can be reached by any process via its internal IP address.
In order to comprehend what’s happening, we shall take a look at docker’s networks. In this case, my docker-compose config is called redmine.
$ docker network ls | grep redmine ea7ed38f469b redmine_default bridge local
This is the network that docker-compose creates without any explicit network configuration. Let’s inspect the network to show the hosts:
[
// [...]
"Containers": {
"2578fc65b4dab9f204d0a252e421dd4ddd9f41c35642d48350f4e59370581757": {
"Name": "redmine_mariadb_1",
"EndpointID": "1e6d81acc096a12fc740173f4e107090333c42e8a86680ac5c9886c148d578e7",
"MacAddress": "02:42:ac:12:00:02",
"IPv4Address": "172.18.0.2/16",
"IPv6Address": ""
},
"7867f71d2a36265c34c133b70aea487b90ea68fcf30ecb42d6e7e9a376cf8e07": {
"Name": "redmine_redmine_1",
"EndpointID": "f5ac7b3325aa9bde12f0c625c4881f9a6fc9957da4965767563ec9a3b76c19c3",
"MacAddress": "02:42:ac:12:00:03",
"IPv4Address": "172.18.0.3/16",
"IPv6Address": ""
}
},
// [...]
]
We can see that the IP address of the redmine_mariadb_1 container is 172.18.0.2.
Using the internal IP 172.18.0.2, you can access the MySQL server.
Any process on the host (even from unprivileged users) can connect to the container without any password, e.g.
$ mysqldump -uroot -h172.18.0.2 --all-databases // This will show the dump of the entire MariaDB database
How to mitigate this security risk?
Mitigation is quite easy since we only need to set a root password for the MariaDB instance.
My recommended best practice is to avoid duplicate passwords. In order to do this, create a .env file in the directory where docker-compose.yml is located.
MARIADB_ROOT_PASSWORD=aiPaipei6ookaemue4voo0NooC0AeH
Remember to replace the password by a random password or use this shell script to automatically create it:
echo MARIADB_ROOT_PASSWORD=$(pwgen 30) > .env
Now we can use ${MARIADB_ROOT_PASSWORD} in docker-compose.yml whereever the MariaDB root password is required, for example:
version: '3'
services:
mariadb:
image: 'mariadb:latest'
environment:
- MYSQL_ROOT_PASSWORD=${MARIADB_ROOT_PASSWORD}
- MYSQL_DATABASE=redmine
volumes:
- './mariadb_data:/var/lib/mysql'
redmine:
image: 'redmine:latest'
environment:
- REDMINE_USERNAME=admin
- REDMINE_PASSWORD=redmineadmin
- [email protected]
- REDMINE_DB_MYSQL=mariadb
- REDMINE_DB_USERNAME=root
- REDMINE_DB_PASSWORD=${MARIADB_ROOT_PASSWORD}
ports:
- '3718:3000'
volumes:
- './redmine_data/conf:/usr/src/redmine/conf'
- './redmine_data/files:/usr/src/redmine/files'
- './redmine_themes:/usr/src/redmine/public/themes'
depends_on:
- mariadb
Note that the mariadb docker image will not change the root password if the database directory already exists (mariadb_data in this example).
My recommended best practice for changing the root password is to use mysqldump --all-databases to export the entire database to a SQL file, then backup and delete the data directory, then re-start the container so the new root password will be set. After that, re-import the dump from the SQL file.
29
Nov
2020
Best practice for installing & autostarting OpenVPN client/server configurations on Ubuntu
This post details my systemd-based setup for installing and activating OpenVPN client or server configs on Ubuntu. It might also work for other Linux distributions that are based on systemd..
First, place the OpenVPN config (usually a .ovpn file, but it can also be a .conf file) in /etc/openvpn. You need to change the filename extension to .conf – .ovpn won’t work. Furthermore, ensure that there are no spaces in the filename.
In this example, our original OpenVPN config will be called techoverflow.ovpn, hence it needs to be copied to /etc/openvpn/techoverflow.conf!
Now we can enable (i.e. autostart on boot – but not start immediately) the config using
sudo systemctl enable openvpn@techoverflow
For techoverflow.conf you need to systemctl enableopenvpn@techoverflow whereas for a hypothetical foo.conf you would need to systemctl enable openvpn@foo.
Now we can start the VPN config – i.e. run it immediately using
sudo systemctl start openvpn@techoverflow
Now your VPN client or server is running – or is it? We shall check the logs using
journalctl -xfu openvpn@techoverflow
In order to manually restart the VPN client or server use
sudo systemctl restart openvpn@techoverflow
and similarly run this to stop the VPN client or server:
sudo systemctl stop openvpn@techoverflow
In order to show if the instance is running – i.e. show its status, use
sudo systemctl status openvpn@techoverflow
Example output for an OpenVPN client:
● [email protected] - OpenVPN connection to techoverflow Loaded: loaded (/lib/systemd/system/[email protected]; enabled; vendor preset: enabled) Active: active (running) since Sun 2020-11-29 03:37:52 CET; 953ms ago Docs: man:openvpn(8) https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage https://community.openvpn.net/openvpn/wiki/HOWTO Main PID: 4123809 (openvpn) Status: "Pre-connection initialization successful" Tasks: 1 (limit: 18689) Memory: 1.3M CGroup: /system.slice/system-openvpn.slice/[email protected] └─4123809 /usr/sbin/openvpn --daemon ovpn-techoverflow --status /run/openvpn/techoverflow.status 10 --cd /etc/openvpn --script-security 2 --config /etc/ope> Nov 29 03:37:52 localgrid systemd[1]: Starting OpenVPN connection to techoverflow... Nov 29 03:37:52 localgrid ovpn-techoverflow[4123809]: OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep > Nov 29 03:37:52 localgrid ovpn-techoverflow[4123809]: library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10 Nov 29 03:37:52 localgrid systemd[1]: Started OpenVPN connection to techoverflow. Nov 29 03:37:52 localgrid ovpn-techoverflow[4123809]: TCP/UDP: Preserving recently used remote address: [AF_INET]83.135.163.227:19011 Nov 29 03:37:52 localgrid ovpn-techoverflow[4123809]: UDPv4 link local (bound): [AF_INET][undef]:1194 Nov 29 03:37:52 localgrid ovpn-techoverflow[4123809]: UDPv4 link remote: [AF_INET]83.135.163.22:19011 Nov 29 03:37:53 localgrid ovpn-techoverflow[4123809]: [nas-vpn.haar.techoverflow.net] Peer Connection Initiated with [AF_INET]83.135.163.227:19011
28
Nov
2020
Simple self-hosted WebWormhole.io using docker-compose
Note: This config is currently missing a TURN server, so it won’t work if the clients can’t reach each other! I am working on this.
WebWormhole.io is a new service similar to and inspired by magic-wormhole that allows easily sharing files between browsers without the need to install a software. Internally, it uses WebRTC, allowing direct transfer of files between computers even through firewalls.
While there is no official Docker image published on Docker Hub, the WebWormhole GitHub project provides an official Dockerfile. Based on this, I have published ulikoehler/webwormhole which has been built using
git clone https://github.com/saljam/webwormhole.git cd webwormhole docker build -t ulikoehler/webwormhole:latest . docker push ulikoehler/webwormhole:latest
This is the docker-compose.yml that you can use to run WebWormhole behind a reverse proxy:
version: '3'
services:
webwormhole:
image: 'ulikoehler/webwormhole:latest'
entrypoint: ["/bin/ww", "server", "-http=localhost:52618", "-https="]
network_mode: hostand this is my nginx config:
server {
server_name webwormhole.mydomain.com;
access_log off;
error_log /var/log/nginx/webwormhole.mydomain.com.error.log;
location / {
proxy_pass http://localhost:52618/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_redirect default;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/webwormhole.mydomain.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/webwormhole.mydomain.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
#ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = webwormhole.mydomain.com) {
return 301 https://$host$request_uri;
}
server_name webwormhole.mydomain.com;
listen 80;
return 404; # managed by Certbot
}
I store docker-compose.yml in /var/lib/webwormhole.mydomain.com and I used the script from our previous post Create a systemd service for your docker-compose project in 10 seconds in order to create this systemd config file in /etc/systemd/system/webwormhole.mydomain.com.service:
[Unit] Description=webwormhole.mydomain.com Requires=docker.service After=docker.service [Service] Restart=always User=root Group=docker WorkingDirectory=/var/lib/webwormhole.mydomain.com # Shutdown container (if running) when unit is started ExecStartPre=/usr/local/bin/docker-compose -f docker-compose.yml down # Start container when unit is started ExecStart=/usr/local/bin/docker-compose -f docker-compose.yml up # Stop container when unit is stopped ExecStop=/usr/local/bin/docker-compose -f docker-compose.yml down [Install] WantedBy=multi-user.target
which you can start and enable using
sudo systemctl enable webwormhole.mydomain.com sudo systemctl start webwormhole.mydomain.com
24
Oct
2020
Create a systemd service for your docker-compose project in 10 seconds
Run this in the directory where docker-compose.yml is located:
curl -fsSL https://techoverflow.net/scripts/create-docker-compose-service.sh | sudo bash /dev/stdin
This script will automatically create a systemd service that starts docker-compose up and shuts down using docker-compose down. Our script will also systemctl enable the script (i.e. start automatically on boot) and systemctl start it (start it immediately).
How it works
The command above will download the script from TechOverflow and run it in bash:
#!/bin/bash
# Create a systemd service that autostarts & manages a docker-compose instance in the current directory
# by Uli Köhler - https://techoverflow.net
# Licensed as CC0 1.0 Universal
SERVICENAME=$(basename $(pwd))
echo "Creating systemd service... /etc/systemd/system/${SERVICENAME}.service"
# Create systemd service file
sudo cat >/etc/systemd/system/$SERVICENAME.service <<EOF
[Unit]
Description=$SERVICENAME
Requires=docker.service
After=docker.service
[Service]
Restart=always
User=root
Group=docker
WorkingDirectory=$(pwd)
# Shutdown container (if running) when unit is started
ExecStartPre=$(which docker-compose) -f docker-compose.yml down
# Start container when unit is started
ExecStart=$(which docker-compose) -f docker-compose.yml up
# Stop container when unit is stopped
ExecStop=$(which docker-compose) -f docker-compose.yml down
[Install]
WantedBy=multi-user.target
EOF
echo "Enabling & starting $SERVICENAME"
# Autostart systemd service
sudo systemctl enable $SERVICENAME.service
# Start systemd service now
sudo systemctl start $SERVICENAME.serviceThe service name is the directory name:
SERVICENAME=$(basename $(pwd))
Now we will create the service file in /etc/systemd/system/${SERVICENAME}.service using the template embedded in the script
The script will automatically determine the location of docker-composeusing $(which docker-compose) and finally enable and start the systemd service:
# Autostart systemd service sudo systemctl enable $SERVICENAME.service # Start systemd service now sudo systemctl start $SERVICENAME.service
24
Oct
2020
Running Portainer using docker-compose and systemd
In this post we’ll show how to run Portainer Community Edition on a computer using docker-compose and systemd. In case you haven’t installed docker or docker-compose, see How to install docker and docker-compose on Ubuntu in 30 seconds.
If you already have a Portainer instance and want to run a Portainer Edge Agent on a remote computer, see Running Portainer Edge Agent using docker-compose and systemd!
First, create the directory where the docker-compose.yml will live and edit it:
sudo mkdir -p /var/lib/portainer sudo nano /var/lib/portainer/docker-compose.yml
Now paste this config file:
version: '2'
services:
portainer:
image: portainer/portainer
command: -H unix:///var/run/docker.sock
restart: always
ports:
- 9192:9000
- 8000:8000
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- portainer_data:/data
volumes:
portainer_data:In this case, we’re exposing the Web UI on port 9192 since we’re using a reverse proxy setup in order to access the web UI. Using Portainer over HTTP without a HTTPS frontend is a security risk!
This is my nginx config that is used to reverse proxy my Portainer instance. Note that I generate the HTTPS config using certbot --nginx, hence it’s not shown here:
server {
server_name portainer.mydomain.com;
location / {
proxy_pass http://localhost:9192/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_redirect default;
}
listen 80;
}
Now we can create the systemd service that will automatically start Portainer:
sudo nano /etc/systemd/system/portainer.service
[Unit] Description=Portainer Requires=docker.service After=docker.service [Service] Restart=always User=root Group=docker WorkingDirectory=/var/lib/portainer # Shutdown container (if running) when unit is stopped ExecStartPre=/usr/local/bin/docker-compose -f docker-compose.yml down # Start container when unit is started ExecStart=/usr/local/bin/docker-compose -f docker-compose.yml up # Stop container when unit is stopped ExecStop=/usr/local/bin/docker-compose -f docker-compose.yml down [Install] WantedBy=multi-user.target
Now we can can enable autostart on boot and start Portainer:
sudo systemctl enable portainer.service sudo systemctl start portainer.service
24
Oct
2020
Running Portainer Edge Agent using docker-compose and systemd
In this post we’ll show how to run the Portainer Edge Agent on a computer using docker-compose and systemd. In case you haven’t installed docker or docker-compose, see How to install docker and docker-compose on Ubuntu in 30 seconds.
If you don’t have a Portainer instance running to which the Edge Agent can connect, see Running Portainer using docker-compose and systemd!
First, create the directory where the docker-compose.yml will live and edit it:
sudo mkdir -p /var/lib/portainer-edge-agent sudo nano /var/lib/portainer-edge-agent/docker-compose.yml
Now paste this config file:
version: "3"
services:
portainer_edge_agent:
image: portainer/agent
command: -H unix:///var/run/docker.sock
restart: always
volumes:
- /:/host
- /var/lib/docker/volumes:/var/lib/docker/volumes
- /var/run/docker.sock:/var/run/docker.sock
- portainer_agent_data:/data
environment:
- CAP_HOST_MANAGEMENT=1
- EDGE=1
- EDGE_ID=[YOUR EDGE ID]
- EDGE_KEY=[YOUR EDGE KEY]
volumes:
portainer_agent_data:Don’t forget to fill in [YOUR EDGE ID] and [YOUR EDGE KEY]. You can find those by creating a new endpoint in your Portainer instance.
Now we can create the systemd service that will automatically start the Edge Agent:
sudo nano /etc/systemd/system/PortainerEdgeAgent.service
[Unit] Description=PortainerEdgeAgent Requires=docker.service After=docker.service [Service] Restart=always User=root Group=docker WorkingDirectory=/var/lib/portainer-edge-agent # Shutdown container (if running) when unit is stopped ExecStartPre=/usr/local/bin/docker-compose -f docker-compose.yml down # Start container when unit is started ExecStart=/usr/local/bin/docker-compose -f docker-compose.yml up # Stop container when unit is stopped ExecStop=/usr/local/bin/docker-compose -f docker-compose.yml down [Install] WantedBy=multi-user.target
Now we can can enable and start the agent:
sudo systemctl enable PortainerEdgeAgent.service sudo systemctl start PortainerEdgeAgent.service
16
Oct
2020
How to install woeusb on Ubuntu in 3 minutes
Use this simple command in order to add the WoeUSB APT repository and install woeusb:
sudo add-apt-repository -y ppa:tomtomtom/woeusb ; sudo apt -y install woeusb
For more informatio, refer to the Ubuntuusers wiki page on WoeUSB
16
Oct
2020
How to cleanup large gitlab prometheus/data in Omnibus/Docker setting
In many of my dockerized Gitlab instances, the prometheus/data folder was eating up multiple Gigabytes of hard drive space even though I was not using Prometheus at all.
In order to fix this, I first disabled Prometheus in the docker-compose.yml config using
prometheus_monitoring['enable'] = false
Also see How I reduced gitlab memory consumption in my docker-based setup for a detailed explanantion.
After that, you need to restart gitlab in order for the settings change to take effect.
Now you can just delete the Prometheus data folder. Make a backup of the entire gitlab data folder before this step.
Run this command from within your gitlab data folder:
rm -rf prometheus/data
28
Sep
2020
How to fix apt update error NO_PUBKEY 78BD65473CB3BD13
If you encounter this error message during APT update:
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 78BD65473CB3BD13
you need to import the key using
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 78BD65473CB3BD13
20
Sep
2020
Find total filesize of all WAV files in a directory using command line tools
Use this command to find the total file size of all .wav files (including .WAV files)
find . -name "*.wav" -or -name "*.WAV" -exec du -ch {} + | tail -n 1Example output:
6,7G total
20
Sep
2020
How to delete all .DS_Store files recursively on the command line
Use this command to recursively delete all .DS_Store files present in the directory mydir and all its subdirectories:
find mydir -type f -name .DS_Store -print0 | xargs -0 rm
Warning: Deleting the files can’t be undone.
19
Sep
2020
How to fix SSH not accepting public key in authorized_keys
Problem:
You have added your SSH public key to a remote server manually or using ssh-copy-id but still you can’t login using that public key
Solution:
Typically this is caused by bad permissions of your ~/.ssh directory and/or your authorized_keys file. Fix that using:
chmod -R 700 ~/.ssh
then try to login again
19
Sep
2020
How to run systemd timer twice daily
In order to run a systemd timer twice daily at fixed times, use this syntax in the .timer file:
OnCalendar=*-*-* 00,12:00:00
This line means: Run the service on each and every day (*-*-*) at 00:00:00 and 12:00:00 (00,12:00:00)
19
Sep
2020
Find and remove all empty directories using the Linux command line
In order to find and remove all empty subdirectories in the current directory (.) recursively, use this command:
find . -depth -type d -print0 | xargs -0 rmdir
This command will only remove empty directories! Any file or non-empty directory won’t be modified.
Explanation of what the parts mean:
find: Use the find command to find directories recursively.: Start recursing from the current directory. In case you want to start from a different directory, use that directory name here.-type d: Only find directories – ignore files-depth: Before printing a directory name, print all its sub-directory names. This avoids having to run this command repeatedly because the parent directory can’t be removed since its empty sub-directories need to be removed first-print0When printing all the directories that have been found, print a NUL character between directories. This is required in order to handle spaces in the directory names correctly| xargs: Pipe the directories toxargs, a program that runs-0: Split the input by NUL characters instead of newlines. This corresponds with the-print0option tofindand is required to handle spaces in directory names correctly.rmdir: For each directory found, runrmdiri.e. try to remove the directory if it’s empty.
26
Jun
2020
How to fix Raspberry Pi OpenVPN error “ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such device (errno=19)”
Problem:
You want to setup OpenVPN on your Raspberry Pi but you see an error message like
Fri Jun 26 18:12:35 2020 ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such device (errno=19) Fri Jun 26 18:12:35 2020 Exiting due to fatal error
Solution:
This error occurs if you’ve installed OpenVPN using sudo apt install -y openvpn but if you didn’t reboot after installing it. In order to fix the issue, reboot using
sudo reboot
13
Jun
2020
How to fix raspi-config “The splash screen is not installed so cannot be activated”
Problem:
You want to enable the boot splash screen on your Raspberry Pi using raspi-config, but you see this error message:
The splash screen is not installed so cannot be activated
followed by There was an error running option B3 Splash Screen
Solution:
As you can find out from reading the raspi-config source code, it checks for the existence of /usr/share/plymouth/themes/pix/pix.script. In order to install this file, install the rpd-plym-splash package:
sudo apt -y install rpd-plym-splash
13
Jun
2020
How to manually reload Chromium Kiosk
Problem:
You are running a Chromium Kiosk e.g. on a Raspberry Pi using a command like
chromium-browser --noerrdialogs --disable-infobars --disk-cache-dir=/dev/null --disk-cache-size=1 --kiosk http://localhost
e.g. in /etc/xdg/openbox/autostart, but you don’t know how to manuy reload the Kiosk e.g. after you have changed the underlying website
Solution:
In /etc/xdg/openbox/autostart or wherever your chromium-browser command is, enclose it in
while true ; do [CHROMIUM COMMAND] ; sleep 1 ; done
The complete command would look like this, for example:
while true ; do chromium-browser --noerrdialogs --disable-infobars --disk-cache-dir=/dev/null --disk-cache-size=1 --kiosk http://localhost ; sleep 1 ; done
Now, to manually reload Chromium, all you have to do is to kill the process using
killall /usr/lib/chromium-browser/chromium-browser-v7
This will kill the Chromium process and the while loop will automatically restart it after one second.
In case you see an error message like
/usr/lib/chromium-browser/chromium-browser-v7: No such file or directory
you need to find out which executable is used for Chromium in order to pass that to killall. To find out the name of the executable, use
ps a | grep -i chromium
and look for a string similar to /usr/lib/chromium-browser/chromium-browser-v7.
13
Jun
2020
How to fix Chromium Kiosk still displaying old page after reboot
Problem:
You are running a Chromium Kiosk application on an embedded computer (like a Raspberry Pi) using a command like
chromium-browser --noerrdialogs --disable-infobars --kiosk http://localhost
but when you update the webpage, Chromium still displays the old page even after a reboot.
Solution:
Disable Chromium’s cache by adding
--disk-cache-dir=/dev/null --disk-cache-size=1
to the command (which is typically found in /etc/xdg/openbox/autostart). The full command will look like this:
chromium-browser --noerrdialogs --disable-infobars --disk-cache-dir=/dev/null --disk-cache-size=1 --kiosk http://localhost