Patch OpenSSH Only

apt install --only-upgrade  openssh-client openssh-server openssh-sftp-server

Time Zone

timedatectl set-timezone Europe/Zurich

-> set symlink: /etc/localtime -> ../usr/share/zoneinfo/Europe/Zurich

Fix Sudo Stuff

use ‘sudo -i’ and keep SSH_AUTH_SOCK if set

apt update
apt install sudo
usermod -aG sudo stoege
echo "Defaults env_keep+=SSH_AUTH_SOCK" > /etc/sudoers.d/ssh_auth_sock
echo "%sudo ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/group_sudo_nopass

Any Comments ?

sha256: 7e5018c28bea4357e2f6703ec2876e92798e020801a61e46d6e3698151bc5a38

History

Long time ago, there were huge discussions about Python 2.7 or Python 3.xx. Fortunately, these times are gone and we’ve all gotten over the hurdle to Python 3. But are you on 3.6, 3.7, 3.8 ? or even 3.11 or 3.12 ? That’s the current Version you should use for your daily Projects ?

Status of Python versions

A good indicator is this Website: https://devguide.python.org/versions/

OpenBSD

It’s also recommended to check what our Operating System is installing by default, or what you can get from their Package Repository.

Minio on Debian

Need some S3 Storage for Reasons ? Here a few Lines, how to Setup and enable TLS.

Install Minio

login as root for the whole installation. Or use sudo/doas if preferred.

Upgrade you Box

apt update && apt upgrade -y

reboot if needed

add User

Let’s add User as we don’t wanna run it as root

useradd -r minio-user -s /sbin/nologin

Get Minio

Download, set execute permission and move it

Behind Corp Proxy

let’s assume you’re behing a Corp Proxy which enforce TLS Inspection, you don’t have the Proxy Cert and you want to Upgrade your Boxes …

… and of course, you do this in the LAB and for Research only and not your Productiv Environment!

TLS Inspection enabled

apt-get upate
W: Failed to fetch https://packages.sury.org/php/dists/bookworm/InRelease  Certificate verification failed: The certificate is NOT trusted.
The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: xx.xx.xx.xx yyyy]

Disable TLS Check

touch /etc/apt/apt.conf.d/99verify-peer.conf
echo >>/etc/apt/apt.conf.d/99verify-peer.conf "Acquire { https::Verify-Peer false }"

Update

apt-get update
apt-get upgrade

Any Comments ?

sha256: 40c39ed441b4690a8644cd63bfd2e6987f06a70c4f922eca14de5dcc27d4fb35

Install Debian 12

or install Debian 11.7 and Upgrade to 12

Setup

3 Nodes

192.168.100.151     k8s-master
192.168.100.152     k8s-worker1
192.168.100.153     k8s-worker2

Locale

export LC_CTYPE=en_US.UTF-8
export LC_ALL=en_US.UTF-8

Kubernetes

https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"

Swap Off

swapoff -a
sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab

Install FW

apt-get install ufw
ufw enable

Master

ufw allow 22/tcp
ufw allow 6443/tcp
ufw allow 2379/tcp
ufw allow 2380/tcp
ufw allow 10250/tcp
ufw allow 10251/tcp
ufw allow 10252/tcp
ufw allow 10255/tcp
ufw reload

Worker

ufw allow 22/tcp
ufw allow 10250/tcp
ufw allow 30000:32767/tcp
ufw reload

Containerd

cat << EOF >> /etc/modules-load.d/containerd.conf
overlay
br_netfilter
EOF

modprobe overlay
modprobe br_netfilter

cat << EOF >> /etc/sysctl.d/99-kubernetes-k8s.conf
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-ip6tables = 1
EOF

sysctl --system

Containerd

apt update
apt -y install containerd

Adapt Containerd to Kubernetes

containerd config default > /etc/containerd/config.toml >/dev/null 2>&1

Update config.toml

sed -i 's/SystemdCgroup = false/SystemdCgroup = true/' /etc/containerd/config.toml

Restart Containerd

systemctl enable containerd
systemctl restart containerd

add Kubernetes

apt install gnupg gnupg2 curl software-properties-common -y
curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg |gpg --dearmour -o /etc/apt/trusted.gpg.d/cgoogle.gpg
apt-add-repository "deb http://apt.kubernetes.io/ kubernetes-xenial main"

Kubectl

apt update
apt install kubelet kubeadm kubectl -y
apt-mark hold kubelet kubeadm kubectl

Kube Init on MASTER

kubeadm init --control-plane-endpoint=k8s-master

Downgrade to 1.26

Version 1.27 seems not production ready, so, you may have to downgrade it :(

Debian 12 is here !

Links

you may find some of my Posts about Debian useful

Upgrade Script

assuming you have Debian 11.x running

cat << 'EOF' > /root/upgrade_to_v12.sh
#!/usr/bin/env bash

# set Version
sed -i 's/bullseye/bookworm/g' /etc/apt/sources.list
sed -i 's/bullseye/bookworm/g' /etc/apt/sources.list.d/*

# Update
apt-get -y update
apt-get -y upgrade
apt-get -y dist-upgrade
apt autoclean
apt autoremove
apt --purge autoremove

# you may add/update -> /etc/apt/sources.list
# deb http://security.debian.org/debian-security/ bookworm-security main
# deb-src http://security.debian.org/debian-security/ bookworm-security main

exit 0
EOF

chmod u+x /root/upgrade_to_v12.sh

Run

run the script and wait a few minutes …

Let’s Setup Docker on Debian

Get Debian on some Cloud Provider

Update Apt

apt-get install ca-certificates curl gnupg lsb-release

add official GPG Keys

mkdir -p /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg |gpg --dearmor -o /etc/apt/keyrings/docker.gpg

add Repo to Sources

echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
  $(lsb_release -cs) stable" |tee /etc/apt/sources.list.d/docker.list > /dev/null

install Docker Engine

apt-get update
apt-get install docker-ce docker-ce-cli containerd.io docker-compose-plugin

Check Version

docker version

root@docker:~# docker version
Client: Docker Engine - Community
 Version:           20.10.18
 API version:       1.41
 Go version:        go1.18.6
 Git commit:        b40c2f6
 Built:             Thu Sep  8 23:12:08 2022
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Docker Compose Version

docker compose version

root@docker:~# docker compose version
Docker Compose version v2.10.2

Install Hello World

docker run hello-world

Prepare Folders

mkdir -p /etc/docker/container/traefik
cd /etc/docker/container/traefik

Build Docker-compose

cat << 'EOF' > docker-compose.yml
services:
  traefik:
    image: traefik:v2.6
    restart: always
    command:
      - "--providers.docker"
      - "--providers.docker.exposedByDefault=false"
      - "--providers.docker.network=traefik_web"
      - "--entrypoints.http.address=:80"
      - "--entrypoints.http.http.redirections.entrypoint.to=https"
      - "--entrypoints.http.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.https.address=:443"
      - "--entrypoints.https.http.tls.certResolver=le"
      - "--certificatesresolvers.le.acme.tlschallenge=true"
      - "--certificatesresolvers.le.acme.email=docker@stoege.net"
      - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./letsencrypt:/letsencrypt
networks:
  web:
    name: traefik_web
EOF

docker compose up

docker compose up -d

docker compose ps

docker compose ps

NAME                COMMAND                  SERVICE             STATUS              PORTS
traefik-traefik-1   "/entrypoint.sh --pr…"   traefik             running             0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp, 0.0.0.0:8080->8080/tcp, :::8080->8080/tcp

Demo Nginx

mkdir -p /etc/docker/container/nginx-demo
cd /etc/docker/container/nginx-demo

docker-compose.yml

cat << 'EOF' > docker-compose.yml
services:
  nginx:
    image: nginx:1.20
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nginx.rule=Host(`nginx.v4.docker.noflow.ch`)"
    networks:
      - traefik_web

networks:
  traefik_web:
    external: true
EOF

Nginx up

docker compose up -d

Tail logfile

docker compose logs -f

-> https://nginx.v4.docker.noflow.ch

Environment

OpenBSD 7.0
Debian 11.2 with Strongswan
IPv4 only
IKE v1

ToDo

IPv6 and Dualstack
IKE v2

Debian

ipsec.conf

conn puffy
   authby      = secret
   ike         = aes256-sha256-modp2048
   keyexchange = ikev1
   ikelifetime = 1h
   keyingtries = 0
   left        = %defaultroute
   right       = 193.xx.xx.xx
   leftid      = 212.xx.xx.xx
   rightid     = 193.xx.xx.xx
   lifetime    = 1200s
   leftsubnet  = 10.11.1.8/30
   rightsubnet = 10.1.6.0/24
   esp         = aes256-sha256-modp2048
   dpddelay    = 30
   dpdtimeout  = 120
   dpdaction   = restart
   auto        = start

OpenBSD

/etc/sysctl.conf

net.inet.ip.forwarding=1
net.inet.gre.allow=1

Apply all Settings

for i in $(cat /etc/sysctl.conf); do sysctl $i;done

/etc/ipsec.conf

# Tunnel to Debian

local_gw    = "193.xx.xx.xx"
local_net   = "10.1.6.0/24"
remote_gw   = "212.xx.xx.xx"
remote_net  = "10.11.1.8/30"
key         = "DAS-SAG-ICH-DIR-NICHT-:)"

ike dynamic esp tunnel from $local_net to $remote_net peer $remote_gw \
main    auth $auth1   enc $enc1   group $group1   lifetime $time1 \
quick   auth $auth2   enc $enc2   group $group2   lifetime $time2 \
srcid $local_gw \
psk $key

ike dynamic esp tunnel from $remote_net to $local_net peer $local_gw \
main    auth $auth1   enc $enc1   group $group1   lifetime $time1 \
quick   auth $auth2   enc $enc2   group $group2   lifetime $time2 \
srcid $remote_gw \
psk $key

start/restart services

rcctl enable ipsec isakmpd
rcctl set isakmpd flags -K
rcctl restart ipsec isakmpd

Enc Interfaces

cat /etc/hostname.enc0
up

FW Rules

# Allow UDP Port 500 and 4500
pass in  on (egress) proto udp from 193.xx.xx.xx to 212.xx.xx.xx port {isakmp, ipsec-nat-t}
pass out on (egress) proto udp from 212.xx.xx.xx to 193.xx.xx.xx {isakmp, ipsec-nat-t}

# Allow ESP encapsulated IPsec traffic on the external interface
pass in  on (egress) proto esp from 193.xx.xx.xx to 212.xx.xx.xx
pass out on (egress) proto esp from 212.xx.xx.xx to 139.xx.xx.xx

# Allow IP in IP Traffic
pass in  on enc0 proto ipencap from 193.xx.xx.xx to 212.xx.xx.xx keep state (if-bound)
pass out on enc0 proto ipencap from 212.xx.xx.xx to 193.xx.xx.xx keep state (if-bound)

Start Services & Apply Setting

… or reboot the Box so all Settings gets applied

Bootstrapping Debian

a little helper how to generate a Debian Template. This time, it’s a VM Hosted on Vultr

New VM

1 CPU, 1GB RAM, 25GB Disk

upload debian-10.9.0-amd64-netinst.iso
boot from iso
install:      (text based)
lang:         english
country:      switzerland
locale:       US (en_US.UTF-8)
keymap:       Swiss German
nic:          ens3
hostname:     template-25G
domain:       your.domain.de
passwd:       xxxxxxxx
user:         firstname lastname / loginame
passwd:       xxxxxxxx
disk:         Guided - entire disk with LVM - (one partition | separate /home | separate /home, /var and /tmp)
              separate partition for large disks
              one partition for smaller disks
write:        yes
disk:         20GB (for guided partitioning), 5GB for Spare
write:        yes
another dvd:  no
mirror:       switzerland, debian.ethz.ch
survey:       no
software:     SSH Server, standard system utilities
grub:         yes, /dev/sda3

remove iso and reboot

login as user, su to root

mkdir /root/.ssh && chmod 600 /root/.ssh
echo "ssh-ed25519 AAAAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys

halt -p
-> snapshot template-debian-25G

Any Comments ?

sha256: 5b87992169bc05b44db33f9e79fa557f81844b871c8a7566d94b8bf11841ad32

how to update checkmk

let’s assume you already have a running version of checkmk. You should install patches / updated every few month.

Main and Download URL’s

Main URL: https://checkmk.com/de/download?edition=cre&version=stable&dist=debian&os=bullseye

https://download.checkmk.com/checkmk/1.6.0p20/check-mk-raw-1.6.0p20_0.bullseye_amd64.deb

https://download.checkmk.com/checkmk/2.0.0p12/check-mk-raw-2.0.0p12_0.bullseye_amd64.deb

Download and Install Package

Login as Root

v="2.0.0p25"
cd /tmp
wget -O checkmk.deb "https://download.checkmk.com/checkmk/${v}/check-mk-raw-${v}_0.bullseye_amd64.deb"
gdebi checkmk.deb

Update Checkmk

Switch User …

su - mysite

.. Switch User and start Update

omd status
omd version
omd stop
omd update
omd start

Cleanup

exit
omd cleanup

Check Application

Open Browser, check News and Plugins