Run the command “paste <(cat /sys/class/thermal/thermal_zone*/type) <(cat /sys/class/thermal/thermal_zone*/temp) | column -s $'\t' -t | sed 's/\(.\)..$/.\1°C/'” as root to get the CPU temperature on Ubuntu Server.
A great and useful purpose for old embedded Linux wireless routers is to repurpose them as VLAN breakout boxes!
If you’re like me, you probably have a bunch of old Linksys (or other brand) Linux embedded wireless routers sitting around your home. You probably also have VLANs running on your home network or homelab for various reasons.
Let’s get to it!
Why would we need to do this?
VLANs are great, but typically the money it costs for VLAN supported switches, APs, routers, and other devices is more than your typical home gear.
You may be able to justify these purchases for your core network infrastructure, but when you’re cabling out to individual rooms in your house or apartment, you may not want to spend a lot of money on switches for that room.
The cost of a gigabit embedded Linux router is usually a lot less than a manageable switch that provides VLANs. At the same time, if you’re a true geek you probably have at least 5 of these embedded Linux routers sitting around in boxes… Why spend money at all?
What does this accomplish?
As an example: In my basement I have a single Cat 5e Ethernet cable providing all VLANs in a trunk from my server room. In my basement I have all my multimedia devices, IoT devices, a wireless access point (with 3 SSIDs/VLANs), and more.
Instead of purchasing an expensive manageable switch that supports VLANs, I ended up flashing OpenWRT on a couple Linksys E4200v2 wireless access points. I then connect the OpenWRT device to my Ubiquiti UniFi Network Infrastructure.
On the E4200 for my basement, I configured the WAN port to accept the incoming VLAN trunk and then configured the other LAN ports depending on their purpose. One of the LAN ports remains as a VLAN trunk for the Ubiquiti UniFi NanoHD wireless access point (as it needs all VLANs), and the other LAN ports untag traffic on various VLANs for specific purposes. One of these ports is the output for my main network LAN (which goes to a normal non-VLAN switch).
All you have to do is make sure you label the ports so you know what VLAN or trunk you’re plugging in to.
This is why I call it a “VLAN Breakout Box”! I also make sure to disable all the wireless radios on the router as I don’t need these (it also reduces the load on the CPU, although negligible).
So how do we do this?
We use OpenWRT and flash it to compatible embedded Linux wireless routers, switches, and other devices. It can even be used on x86 hardware.
If we’re picky, we’d prefer embedded SBC (Single Board Computer) devices that have a switch-on-chip setup, so that the packet switching can be handled via hardware and not software. We want this for better performance.
Always make sure you know what you’re doing when flashing hardware. You may brick your device if you fail to follow instructions properly.
On a final note, one of the reasons why I prefer OpenWRT over DD-WRT is that with the GUI you can configure any acceptable VLAN ID, whereas on DD-WRT you’re restricted to a very limited number of VLANs.
After upgrading a computer from Ubuntu 16.04 LTS to Ubuntu 18.04 LTS, during boot the screen goes blank (turns black), all HD disk activity halts, and the system becomes frozen. This event can also occur on a fresh installation or when updates are installed.
This is due to a video mode issue that causes the system to halt or freeze. It’s much like the issue I described here on a Fedora Linux system.
To get the system to boot:
After turning on your PC, hold the right SHIFT key to get to the GRUB bootloader if your computer uses a BIOS. If your computer uses EFI or UEFI, continuously tap the “ESC” (escape) key after turning on your PC.
Once GRUB is open, press the “e” key to edit the first highlighted entry “Ubuntu”.
Move your cursor down to the line that starts with “linux”, and use the right arrow key to find the section with the words “ro quiet splash”.
Add “nomodeset” after these words.
Feel free to remove “quiet” and “splash” for more verbosity to troubleshoot the boot process.
Press “CTRL + X” or “F10” to boot.
The system should now boot.
To permanently resolve the issue:
Once the system has booted using the temporary fix, log in.
Open a terminal window (Applications -> Terminal, or press the “Start” button and type terminal).
Either “su” in to root, or use “sudo” to open your favorite text editor and edit the file “/etc/default/grub” (I use nano which can be installed by running “apt install nano”):
Locate the line with the variable “GRUB_CMDLINE_LINUX_DEFAULT”, and add “nomodeset” to the variables. Feel free to remove “splash” and “quiet” if you’d like text boot. Here’s an example of my line after editing (yours will look different):
You’re trying to install Ubuntu on your computer, but it freezes due to lack of resources, specifically memory. This can happen when you’re trying to re-purpose old laptops, netbooks, etc.
This recently happened to me as I tried to install Ubuntu on an old HP Netbook. Originally I used Fedora, but had to switch to Ubuntu due to library issues (I wanted to use the VMware Horizon Client on it).
Unfortunately, when I’d kick off the USB installer, the OS would completely freeze (mouse either unresponsive, or extremely glitchy).
The Fix – External SWAP File
In the ~5 minutes where the system is operable, I used the key sequence “CTRL + ALT + F2” to get to a text tty console session. From here I noticed the system eventually uses all the RAM and maxes out the memory. When this occurs, this is when the system becomes unresponsive.
Since this is a Live CD installer, there is no swap file for the system to use once the RAM has filled up.
To fix this and workaround the problem, I grabbed a second blank USB stick and used it as an external swap file. Using this allowed me to run the installer, complete the installer, and successfully install Ubuntu.
Please make sure you are choosing the right device names in the instructions below. Choosing the wrong device name can cause you to write to the wrong USB stick, or worse, the hard drive of your system.
Attach the USB installer and boot the system.
Once system has booted, press “CTRL + ALT + F2” to open a tty console session.
Login using user: “Ubuntu” with a blank password.
Type “sudo su” to get a root shell.
Type in “tail -f /var/log/kern.log” and connect your spare blank USB stick that you want to use for SWAP space. Note the device name, in my case it was “/dev/sdd”.
Press “CTRL + C” to stop tailing the log file, then run “fdisk /dev/sdd” and replace “/dev/sdd” with whatever your device was. PLEASE MAKE SURE YOU ARE CHOOSING THE RIGHT USB DEVICE NAME.
Use “n” to create a new partition and follow the prompts. When it asks for size, I randomly chose “+2G” for a 2GB swap file. Use “w” to write the partition table and then quit the fdisk application.
Run “mkswap /dev/sdd1” and replace “sdd1” with the device and partition number of your USB Swap stick. This will format the partition and mark it as a SWAP filesystem.
Run “swapon /dev/sdd1” and replace “sdd1” with your swap partition you created. This will activate the external swap file on the USB stick.
Press “CTRL + ALT + F1” to return to the Ubuntu installation guide. Continue the install as normal.
This should also work for other Linux distributions, as I have also used this in the past with Fedora (on a Single Board Computer with almost no RAM).
During the install process where the Ubuntu installer formats your hard drive, the install will actually mount the hard drive swap file as well (it’ll use both). Once the installer is complete, shut down the system and remove the USB SWAP stick.
You can skip the “openssh-server” package if you don’t want to enable SSH. A display manager configuration prompt will present itself, choose “gdm”
Now we need to add the internal FQDN to the hosts file. Run “nano /etc/hosts” to open the hosts file. Create a new line at the top and enter
127.0.0.1 compname.domain.com compname
Modify “compname.domain.com” and “compname” to reflect your FQDN and computer name.
Restart the Guest VM
Open terminal, “sudo su” to get a root console
Extract the Horizon Agent tarball with
tar zxvf VMware-horizonagent-linux-x86_64-7.8.0-12610615.tar.gz
Please note that if your version is different, your file name may be different. Please adjust accordingly.
Change directory in to the VMware Horizon Agent that we just extracted.
Run the installer for the horizon agent with
Follow the prompts, restart the host
Log on to your View Connection Server
Create a manual pool, and configure it accordingly
Add the Ubuntu Linux VM to the pool
Entitle the users to the pool, and assign the users to the host under inventory
In the VMware documentation, it states to select “lightdm” on the Display Manager configuration window that presents itself in step 7. However if you choose this, the VMware Horizon Agent for Linux will not install. Choosing “gdm” allows it to install and function.
I have noticed audio issues when using the Spotify snapd. I believe this is caused by timer-based audio scheduling in PulseAudio. I have tried using the “tsched=0” flag in the PulseAudio config, however this has no effect and I haven’t been able to resolve this yet. Audio in Chrome and other audio players works fine. A workaround is to install “pavucontrol” and have it open while using Spotify and the audio issues will temporarily be resolved. I also tried using the VMware Tools (deprecated) instead of OpenVM Tools to see if this helped with the audio issues, but it did not.
If you have 3D Acceleration with a GRID card, the Linux VDI VM will be able to utilize 3D accelerated vSGA as long as you have it configured on the ESXi host.
One of the coolest things I love about running VMware Horizon View and VDI is that you can repurpose old computers, laptops, or even netbooks in to perfect VDI clients running Linux! This is extremely easy to do and gives life to old hardware you may have lying around (and we all know there’s nothing wrong with that).
I generally use Fedora and the VMware Horizon View Linux client to accomplish this. See below to see how I do it!
Download the Fedora Workstation install or netboot ISO from here.
Burn it to a DVD/CD if you have DVD/CD drive, or you can write it to a USB stick using this method here.
Install Fedora on to your laptop/notebook/netbook using the workstation install.
Update your Fedora Linux install using the following command
dnf -y upgrade
Install the prerequisites for the VMware Horizon View Linux client using these commands
To run the client, you can find it in the GUI applications list as “VMware Horizon Client”, or you can launch it by running “vmware-view”.
VMware Horizon View on Linux in action
Here is a VMware Horizon View Linux client running on HP Mini 220 Netbook
-If you’re comfortable, instead of the workstation install, you can install the Fedora LXQt Desktop spin, which is a lightweight desktop environment perfect for low performance hardware or netbooks. More information and the download link for Fedora LXQt Desktop Spin can be found here: https://spins.fedoraproject.org/en/lxqt/
-If you installed Fedora Workstation and would like to install the LXQt window manager afterwards, you can do so by running the following command (after installing, at login prompt, click on the gear to change window managers):
dnf install @lxqt-desktop-environment
-Some of the prerequisites above in the guide may not be required, however I have installed them anyways for compatibility.
After doing a fresh install or upgrade of Fedora Core Linux (FC28 in my case, but this applies to any version), you may notice that when the system boots it gets stuck on a black screen with a white cursor. The cursor will not move and there will be no drive activity.
This issue occurs with GNOME on my old HP Mini 210 Netbook every time I do a fresh install of Fedora on it (or upgrade it).
Follow the process below to temporarily boot and then permanently fix it.
To get the system to boot:
Power on the computer, and carefully wait for the GRUB bootloader to appear (the boot selection screen).
When the GRUB bootloader appears, press the “e” key to edit the highlighted (default) boot entry.
Scroll down until you get to the line starting with “linux16”, then use your right arrow key and scroll right until you get to the end of the kernel options (while scrolling right, you may scroll multiple lines down which is fine and expected). The line should finally end with “rhgb” and “quiet”.
Remove “rhgb” and “quiet”, and then add “nomodeset=0”
Press “CTRL+x” to boot the system.
The system should now boot.
FYI: “rhgb” is the kernel switch/option for redhat graphical boot, and “quiet” makes the system messages more quiet (who would have guessed).
To permanently resolve the issue:
Once the system has booted, log in.
Open a terminal window (Applications -> Terminal, or press the “Start” button and type terminal).
Use your favorite text editor and edit the file “/etc/default/grub” (I use nano which can be installed by running “dnf install nano”):
Locate the line with the variable “GRUB_CMDLINE_LINUX”, and add “nomodeset=0” to the variables. Feel free to remove “rhgb” and “quiet” if you’d like text boot. Here’s an example of my line after editing (yours will look different):
Issue the following command to write the ISO image to the USB stick. Change the input filename, and output device name to reflect your own.
# dd if=Fedora-Workstation-netinst-x86_64-28-1.1.iso of=/dev/sdb
1193984+0 records in
1193984+0 records out
611319808 bytes (611 MB, 583 MiB) copied, 13.6777 s, 44.7 MB/s
Choosing the wrong /dev/sd[x] device can cause you to write the ISO file to your hard drive, or another hard drive in your system. Make sure you select the right device name. If you’re unsure, don’t run the command.
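Both the swap-stick steps (fdisk, mkswap) and the dd command above depend on picking the right /dev/sd[x] name. The following pre-flight check is an added example, not part of the original posts: it refuses a target that is not a whole removable disk or that is already mounted or in use as swap. The names check_target, make_sample, SYS_BLOCK, MOUNTS and SWAPS are hypothetical, and the sample disks are constructed.

```sh
#!/bin/sh
# Added example: refuse to touch a disk unless it looks like the spare USB stick.
# SYS_BLOCK, MOUNTS and SWAPS default to the live system; they are overridable
# so the constructed sample below can be checked offline.

# check_target DISK -> prints "ok <size>MiB" or "refuse: <reason>"
check_target() {
    disk=${1#/dev/}
    sys=${SYS_BLOCK:-/sys/block}/$disk
    if [ ! -d "$sys" ]; then
        echo "refuse: $disk is not a whole disk (partition or missing)"
        return 1
    fi
    if [ "$(cat "$sys/removable" 2>/dev/null)" != 1 ]; then
        echo "refuse: $disk is not removable media"
        return 1
    fi
    # Any partition of this disk that is mounted or already active as swap.
    if grep -Eq "^/dev/${disk}p?[0-9]*[[:space:]]" \
            "${MOUNTS:-/proc/mounts}" "${SWAPS:-/proc/swaps}" 2>/dev/null; then
        echo "refuse: $disk is in use (mounted or active swap)"
        return 1
    fi
    sectors=$(cat "$sys/size")          # size is reported in 512-byte sectors
    echo "ok $((sectors / 2048))MiB"
}

# Constructed sample: sda = internal disk, sdb = installer stick (mounted at
# /cdrom by the live session), sdd = blank spare stick.
make_sample() {
    d=$(mktemp -d)
    for spec in sda:0:500118192 sdb:1:15728640 sdd:1:7864320; do
        name=${spec%%:*}
        rest=${spec#*:}
        mkdir -p "$d/block/$name"
        echo "${rest%%:*}" > "$d/block/$name/removable"
        echo "${rest#*:}" > "$d/block/$name/size"
    done
    printf '%s\n' '/dev/sda2 / ext4 rw 0 0' \
                  '/dev/sdb1 /cdrom iso9660 ro 0 0' > "$d/mounts"
    printf '%s\n' 'Filename Type Size Used Priority' > "$d/swaps"
    echo "$d"
}

# Demo on the constructed sample; on a real system call: check_target sdd
(
    d=$(make_sample)
    SYS_BLOCK=$d/block MOUNTS=$d/mounts SWAPS=$d/swaps
    for disk in sda sdb sdd sdd1; do
        check_target "$disk" || true
    done
    rm -rf "$d"
)
```

USB hard drives and SSD enclosures often report removable as 0, so a refusal for such a device still needs a manual check against the kern.log lines.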
Let’s say that you’re hosting someone’s equipment and they start to abuse their connection speed. Let’s say that you’re limited in your bandwidth, and you want to control your own bandwidth to make sure you don’t max out your own internet connection. You can take care of both of these problems by building your own traffic shaping network control device using CentOS and using the “tc” linux command.
In this post I’m going to explain what traffic shaping is, why you’d want to use traffic shaping, and how to build a very basic traffic shaping device to control bandwidth on your network.
What is traffic shaping
Traffic shaping is when one attempts to control a connection in their network to prioritize, control, or shape traffic. This can be used to control either bandwidth or packets. In this example we are using it to control bandwidth such as upload and download speeds.
Why traffic shaping
For service providers, when hosting customer’s equipment, the customer may abuse their connection or even max it out legitimately. This can put a halt on the internet connection if you share it with them, or cause bigger issues if it’s shared with other customers. In this example, you would want to implement traffic shaping to allot only a certain amount of bandwidth so they wouldn’t bring the internet connection or network to a halt.
For normal people (or a single business), as fast as the internet is today, it’s still very easy to max your connection out. When this happens you can experience packet loss, slow speeds, and interruption of services. If you host your own servers this can cause even a bigger issue with interruption of those services as well. You may want to limit your own bandwidth to make sure that you don’t bring your internet to a halt, and save some for other devices and/or users.
Another reason is just to implement basic QoS (Quality of Service) across your network, to keep usage and services in harmony and eliminate any from hogging the network connections up.
How to build your own basic traffic shaping device with CentOS and tc
In this post we will build a very simple traffic shaping device that limits and throttles an internet connection to a defined upload and download speed that we set.
You can do this with a computer with multiple NICs (preferably one NIC for management, one NIC for internet, and one NIC for network and/or the hosts to be throttled). If you want to get creative, there are also a number of physical network/firewall appliances that are x86 based, that you can install Linux on. These are very handy as they come with many NICs.
When I set this up, I used an old decommissioned Sophos UTM 220 that I’ve had sitting around doing nothing for a couple years (pic below). The UTM 220 provides 8 NICs, and is very easy to install Linux on to.
Sophos UTM 220 Running CentOS Linux
Please Note: The Sophos UTM 220 is just a fancy computer in a 1U rack mounted case with 8 NICs. All I did was install CentOS on it like a normal computer.
Essentially, all we’ll be doing is installing CentOS Linux, installing “tc”, configuring the network adapters, and then configuring a startup script. In my example my ISP provides me 174Mbps download, and 15Mbps upload. My target is to throttle the connection to 70Mbps download, and 8Mbps upload. I will allow the connection to burst to 80Mbps down, and 10Mbps up.
To get started:
Install CentOS on the computer or device. The specifics of this are beyond the scope of this document, however you’ll want to perform a minimal install. This device is strictly acting as a network device, so no packages are required other than the minimal install option.
During the CentOS install, only configure your main management NIC. This is the NIC you will use to SSH to, control the device, and update the device. No other traffic will pass through this NIC.
After the install is complete, run the following command to enable ssh on boot:
chkconfig sshd on
Install “tc” by running the command:
yum install tc
Next, we’ll need to locate the NIC startup scripts for the 2 adapters that will perform the traffic shaping. These adapters are the internet NIC, and the NIC for the throttled network/hosts. Below is an example of one of the network startup scripts. Your NIC device names will probably be different.
Now you’ll need to open the file using your favorite text editor and locate and set ONBOOT to no as shown below. You can ignore all the other variables. You’ll need to repeat this for the 2nd NIC as well.
Now we can configure the linux startup script to configure a network bridge between the two NICs above, and then configure the traffic shaping rules with tc. Locate and open the following file for editing:
Append the following text to the rc.local file:
# Lets make that bridge
brctl addbr bridge0
# Lets add those NICs to the bridge
brctl addif bridge0 enp5s0
brctl addif bridge0 enp2s0
# Confirm no IP set to NICs that are shaping
ifconfig enp5s0 0.0.0.0
ifconfig enp2s0 0.0.0.0
# Bring the bridge online
ifconfig bridge0 up
# Clear out any existing tc policies
tc qdisc del dev enp2s0 root
tc qdisc del dev enp5s0 root
# Configure new traffic shaping policies on the NICs
# Set the upload to 8Mbps and burstable to 10mbps
tc qdisc add dev enp2s0 root tbf rate 8mbit burst 10mbit latency 50ms
# Set the download to 70Mbps and burstable to 80Mbps
tc qdisc add dev enp5s0 root tbf rate 70mbit burst 80mbit latency 50ms
Restart the linux box:
shutdown -r now
You now have a traffic shaping network device!
Please note that normally you would not place the script in the rc.local file, however we wanted something quick and simple. The script may not survive in the rc.local file when updates/upgrades are applied against the Linux install, so keep this in mind. You’ll also need to test to make sure that you are throttling in the correct direction with the 2 NICs. Make sure you test this setup and allow time to confirm it’s working before putting it in a production network.
I’m a big fan of MFA, specifically Duo Security’s product (I did a corporate blog post here). I’ve been using this product for some time and use it for an extra level of protection on my workstations, servers, and customer sites. I liked it so much so that my company (Digitally Accurate Inc.) became a partner and now resells the services.
Here’s a demo of DUO MFA being used with CentOS Linux:
Today I want to write about a couple issues I had when deploying the pam_duo module on CentOS Linux 7. The original duo guide can be found at https://duo.com/docs/duounix, however while it did work for the most part, I noticed there were some issues with the pam configuration files, especially if you are wanting to use Duo MFA with usernames and passwords, and not keys for authentication.
A symptom of the issue: I noticed that when following the instructions on the website for deployment, after entering the username, it would skip the password prompt, and go right for DUO authentication, completely bypassing the password all together. I’m assuming this is because the guide was written for key authentication, but I figured I’d do a quick crash-course post on the topic and create a simple guide. I also noticed that sometimes even if an incorrect password was typed in, it would allow authentication if DUO passed as successful.
Ultimately I decided to learn about PAM, understand what it was doing, and finally configure it properly. Using the guide below I can confirm the password and MFA authentication operate correctly.
To configure Duo MFA on CentOS 7 for use with usernames and passwords
First and foremost, you must log in to your Duo Account and go to applications, click “Protect an Application” and select “Unix Application”. Configure the application and document/log your ikey, secret key, and API hostname.
Now we want to create a yum repo where we can install, and keep the pam_duo module up to date. Create the file /etc/yum.repos.d/duosec.repo and then populate it with the following:
We’ll need to install the signing key that the repo uses, and then install the duo_unix package. By using yum, we’ll be able to keep this package regularly up to date when we update the server. Run the following commands:
Configure the pam_duo module by editing the /etc/duo/pam_duo.conf file. You’ll need to populate the lines with your ikey, secret key, and API hostname that you documented above. We use “failmode=safe” so that in the event of an internet disconnection, we can still log in to the server without Duo. With this setting the module fails open, so the password is the only factor whenever the Duo service cannot be reached, whereas “failmode=secure” denies the login instead. It’s safe to enable this fail-safe, as the purpose is to protect it against the internet. Please see below:
; Duo integration key
ikey = XXXXXXXXXXXXXXXXXXXX
; Duo secret key
skey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
; Duo API host
host = XXXXXXXXX.duosecurity.com
; Send command for Duo Push authentication
pushinfo = yes
; failmode safe if no internet it works (secure locks it up)
failmode = safe
Configure sshd to allow Challenge Response Authentication by editing /etc/ssh/sshd_config, then locate and change “ChallengeResponseAuthentication” to yes. Please note that the line should already be there, and you should simply have to move the comment symbol to comment the old line, and uncomment the below line as shown below:
And now it gets tricky… We need to edit the pam authentication files to incorporate the Duo MFA service into its authentication process. I highly recommend that throughout this, you open (and leave open) an additional SSH session, so that if you make a change in error and lock yourself out, you can use the extra SSH session to revert any changes to the system to re-allow access. It’s always best to make a backup and copy of these files so you can easily revert if needed.
DISCLAIMER: I am not responsible if you lock yourself out of your system. Please make sure that you have an extra SSH session open so that you can revert changes. It is assumed you are aware of the seriousness of the changes you are making and that you are taking all precautions (including a backup) to protect yourself from any errors.
Essentially two files are used for authentication that we need to modify. One file is for SSH logins, and the other is for console logins. In my case, I wanted to protect both methods. You can do either, or both. If you are doing both, it may be a good idea to test with SSH, before making modifications to your console login, to make sure your settings are correct. Please see below for the modifications to enable pam_duo:
/etc/pam.d/password-auth (this file is used for SSH authentication)
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
#auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_unix.so nullok try_first_pass
auth sufficient pam_duo.so
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
/etc/pam.d/system-auth (this file is used for console authentication)
Now, we must restart sshd for the changes to take effect. Please make sure you have your extra SSH session open in the event you need to rollback your /etc/pam.d/ files. Restart the sshd service using the following command:
service sshd restart
Attempt to open a new SSH session to your server. It should now ask for a username, password, and then prompt for Duo authentication. And you’re done!
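Why the “requisite” on pam_unix.so matters in the password-auth file above: the following is an added example, not part of the original post or of Duo’s documentation, that walks an auth stack with a simplified model of the PAM control flags and simulated module results. STACK_PAGE is the auth section shown on this page; STACK_STOCK_KEPT is a constructed contrast (an assumption) in which the commented-out “sufficient pam_unix.so” line is left active next to pam_duo.so. The function names are hypothetical.

```sh
#!/bin/sh
# Added example: simplified model of how Linux-PAM evaluates an "auth" stack.
# Module outcomes are simulated from three inputs; nothing here talks to PAM.

# Auth lines from the page's /etc/pam.d/password-auth.
STACK_PAGE='auth required pam_env.so
auth required pam_faildelay.so delay=2000000
#auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_unix.so nullok try_first_pass
auth sufficient pam_duo.so
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so'

# Constructed contrast (assumption, not shown as deployed on the page):
# the stock "sufficient pam_unix.so" line kept active beside pam_duo.so.
STACK_STOCK_KEPT='auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_duo.so
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so'

# module_rc MODULE ARG1 ARG2 ARG3 -> exit 0 (success) or 1 (failure), simulated.
module_rc() {
    case $1 in
        pam_unix.so) [ "$pw_ok" = 1 ] ;;
        pam_duo.so)  [ "$duo_ok" = 1 ] ;;
        pam_deny.so) return 1 ;;
        pam_succeed_if.so)
            # Only the "uid >= N" form used in the auth stack is modelled.
            [ "$2" = uid ] && [ "$3" = ">=" ] && [ "$user_uid" -ge "$4" ] ;;
        *) return 0 ;;      # pam_env, pam_faildelay: treated as success
    esac
}

# pam_auth_eval STACK PW_OK DUO_OK UID -> prints "allow" or "deny"
pam_auth_eval() {
    pw_ok=$2 duo_ok=$3 user_uid=$4
    failed=0 passed=0
    while read -r type control module a1 a2 a3 _rest; do
        [ "$type" = auth ] || continue   # skips comments, blanks, other types
        if module_rc "$module" "$a1" "$a2" "$a3"; then rc=0; else rc=1; fi
        case $control in
            required)
                if [ "$rc" -eq 0 ]; then passed=1; else failed=1; fi ;;
            requisite)
                # Failure ends the stack at once; later modules never run.
                if [ "$rc" -eq 0 ]; then passed=1; else echo deny; return 0; fi ;;
            sufficient)
                # Success ends the stack at once unless a required module
                # failed earlier; failure of a sufficient module is ignored.
                if [ "$rc" -eq 0 ] && [ "$failed" -eq 0 ]; then
                    echo allow; return 0
                fi ;;
        esac
    done <<EOF
$1
EOF
    if [ "$failed" -eq 0 ] && [ "$passed" -eq 1 ]; then echo allow; else echo deny; fi
}

printf 'page stack:       wrong password, Duo approved -> %s\n' \
    "$(pam_auth_eval "$STACK_PAGE" 0 1 1000)"
printf 'page stack:       right password, Duo denied   -> %s\n' \
    "$(pam_auth_eval "$STACK_PAGE" 1 0 1000)"
printf 'stock line kept:  wrong password, Duo approved -> %s\n' \
    "$(pam_auth_eval "$STACK_STOCK_KEPT" 0 1 1000)"
printf 'stock line kept:  right password, Duo denied   -> %s\n' \
    "$(pam_auth_eval "$STACK_STOCK_KEPT" 1 0 1000)"
```

With two “sufficient” lines either factor alone is accepted, which matches the symptom described earlier of a login succeeding on Duo approval despite an incorrect password.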