Rob Garth » debian

Backup/Restore remote disk images.

robg — Wed, 09 Mar 2011 03:28:22 +0000

There are occasion when backing up data is not enough. You may want a snapshot of your whole system. There are some great tools out there like Clonezilla, which in turn uses partdisk, or Ghost if you don’t mind closed source. But you can do this using tools almost certainly available even in the most minimal of linux installs.

Caveats:

The image is easily restorable to the hardware it was created on. If you restore to another computer it will create unexpected issues. Usually fixable by creating a new initrd
The partition sizes are fixed and must be restored to a harddrive of equal or larger size.
dd creates a byte level copy of your harddrive, empty space is included in the backup. Without gzip a 160GB disk will create a 160GB disk image. With Gzip the image will still be very large.

Backup image to another Linux machine

If you have a Linux workstation with a large enough hard-drive you can simply backup and restore across the network. You will need root access to both boxes. Netcat is also available for Windows and Mac.

1. On the Destination Where you are storing the backup

In this example /dev/sda is the harddrive you want to backup/restore. Make sure you choose the correct harddrive.

 # nc -l 1010 > harddrive.img.gz

2. On the source computer The machine being backed-up

# dd if=/dev/sda | gzip -cf | nc -q 10 xxx.xxx.xxx.xxx 1010

Restore image form another Linux machine

1. On the Targe The machine you are restoring to

You will need to boot into a live image, I suggest Ubuntu, from USB or a CD.
From the now booted, live operating system:
# nc -l 1010 | gzip -dcf | dd of=/dev/sda

2. On the Source machine The machine with the image saved

# nc -q 10 xxx.xxx.xxx.xxx 1010 < harddrive.img.gz

Simpana, Galaxy and Debian

robg — Mon, 21 Feb 2011 02:56:06 +0000

This post is not particular generic and will only affect a few, but I will write it because the problem caused me huge frustration, and much time was wasted.

We currently use CommVault for backup and the Galaxy agent to make it work with Linux. I had a freshly installed Linux box which simply would not back up. The Controller and agent could communicate and there were no errors raised on either. Every time a backup was run, the scan would work, but as soon as data transfer was ready a communication error was raised.

It turns out that a clean install of Debina/Ubuntu adds an entry for your FQDN which point to 127.0.1.1. This is included for machines which swap networks and possibly hostnames form time to time (think laptops) so app suites like GNOME still work. It is also, in my opinion, stupid.

This entry was breaking Galaxy. I can only guess what was happening as it is a closed source suite. But I think at some point in the backup process, even though communication is already happening, the agent gives the Controller the IP address to talk to. As the hosts file had a pointer to a localhost IP, this IP address was handed back to the Controller. and everything breaks.

So simple lesson, if you have a Debian/Ubuntu machine with static networking, replace the 127.0.1.1 entry in /etc/hosts for the FQDN to the real IP address.

OpenVPN server with Username and Password auth

robg — Thu, 25 Feb 2010 10:45:16 +0000

I did this on Debian but these instruction should work equally well for Ubuntu

Setup IP Forwarding/Masquerading/Firewall

To turn on IP Forwarding:
# echo 1 > /proc/sys/net/ipv4/ip_forward

Set the change permanantly in /etc/sysctl.conf by uncommenting the line:
net.ipv4.ip_forward=1

To turn on IP Masquerading add the following IP Tables rule:

# iptables --table nat --append POSTROUTING \ --out-interface eth0 --jump MASQUERADE

Firewall
If you are running a firewall, and I strongly recommend you do on a public facing box you need to allow UDP on port 1194 into you box.
# iptables -A INPUT -udp -m udp --dport 1194 -j ACCEPT

But these rules need be persistant so we need to create a script to run when the interface starts up

# iptables-save > /etc/iptables.conf

Create a new file: /etc/network/if-up.d/iptables and paste in the following:

#!/bin/sh /sbin/iptables-restore < /etc/iptables.conf

Set it to executable:
# chmod 755 /etc/network/if-up.d/iptables

Now when networking starts the firewall is brought up. If all you have done is what is above, your box is not really firewalled, as no traffic is dropped or blocked. For a basic firewall the following config, forwards everything, allows bind internally and only allows SSH and OpenVPN on the external interface.

/etc/iptables.conf (example):

#
*nat
:PREROUTING ACCEPT [36:18250]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [12:806]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
#
*filter
:INPUT ACCEPT [19:1037]
:FORWARD ACCEPT [420:191307]
:OUTPUT ACCEPT [314:39042]
# Allow everything on loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Allow already established connections
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Allow SSH
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
# Allow DNS to this machine fron the private network
# (If you plan to run you own DNS, I run dns_masq)
-A INPUT -p tcp --dport 53 -s 10.8.0.0/16 -j ACCEPT
# Allow OpenVPN
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
# DROP the rest
-A INPUT -i eth0 -j DROP
COMMIT
#

Setup Open VPN

Installation

Install OpenVPN:

# aptitude install openvpn openssl

Edit /etc/default/openvpn. Comment all lines, and add:

AUTOSTART="openvpn"

Create Certificates and Keys

On you server as root:

# cd /etc/openvpn

Copy the the following directory

# cp -r /usr/share/doc/openvpn/examples/easy-rsa . # cd easy-rsa/2.0/

Edit the file “vars”. Change the default values at the bottom of the file to match your details.

Import you ssl settings:
# . ./vars

run: # ./cleann-all. Do not run this every time as it will remove all existing certificates.

Create your Certificate Authority

# ./build-ca

Give it a sensible common-name, something like: “OpenVPN CA”

Now build the key and certificate for you server

# ./build-key-server server

Set the common name to “server”

Answer yes to signing the certificate and commiting it.

Now let’s create Diffie Hellman parameters:

# ./build-dh

Most other guides now get you to generate client certs, but we are using username and password authentication so we do not need to do this.

Configure OpenVPN

Edit the file /etc/openvpn/openvpn.conf and add the following (the comments are unnecessary they are just there for explanation):

    dev tun
    ## udp is recommended, avoid TCP over TCP
    proto udp
    ## any port will do, this is the standard
    port 1194 

    ## certs we created earlier
    ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
    cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
    key /etc/openvpn/easy-rsa/2.0/keys/server.key
    dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem

    user nobody
    group nogroup
    ## You can make this any private subnet you like
    server 10.8.0.0 255.255.255.0

    persist-key
    persist-tun

    #status openvpn-status.log
    #verb 3
    client-to-client

    ## make this connection the default gateway for network traffic
    push "redirect-gateway def1"
    ## I am running dns_masq, you may want to put your server's DNS here
    ## or even google: 8.8.8.8
    push "dhcp-option DNS 10.8.0.1"

    log-append /var/log/openvpn

    ## User authentication settings. Usernames must be able to authenticate with PAM
    ## To use radius or another auth mechanism create /etc/pam.d/openvpn
    ## by default it is doing common-auth (a user must have a local accout and pasword)
    plugin /usr/lib/openvpn/openvpn-auth-pam.so login
    client-cert-not-required
    username-as-common-name

    ## A management interface allows you to telnet from local host to use
    ## telnet localhost 7505
    management localhost 7505

Restart OpenVPN: # /etc/init.d/openvpn restart

So this is the server done. We haven’t configured anything to connect to it yet.
Client how-to comming up next time.

Update. Client how-to is available

Lenny, Icedove and teeny tiny fonts

robg — Tue, 19 Jan 2010 22:59:25 +0000

You know the font situation on debian and gnome isn’t terrible in lenny. Actually it looks fairly decent. Until you load icedove (thunderbird).

The fonts are teeny, pixelated and hard to read. Luckily it is a very easy fix.

Open icedove, go to “Edit -> Preference -> Advanced -> Config Editor”

Change the value for “layout.css.dpi” from “-1″ to “0″

Restart icedove

Setting up pptpd on debian (lenny)

robg — Fri, 01 Jan 2010 01:22:33 +0000

There are other giudes to do this, but none seemed complete, I had to get the iptables rules from the debug document on poptop.org. I guess they are not always needed.

I started with a clean install of lenny from http://rackspacecloud.com.

Install poptop

# aptitude install pptpd

Edit pptpd config files

/etc/pptpd.conf

You need to set the private ip of the server and the ip range for clients, the 2 lines are added to this file:

localip 192.168.0.1 remoteip 192.168.0.10-20

Set them to whatever private (or public) ip addressing you want. You could use IP addresses currently available in your network, if you do this you will not need to add the iptables rules for natting later in this guide.

/etc/ppp/pptpd-options

Option 1
Set ms-wins and ms-dns to the name server the server you are currently working on is using (look in reolv.conf).

Option 2
Or as I did install dnsmasq on the server and run it as a chaching dns server
# aptitude install dnsmasq

And then set ms-dns and ms-wins to 192.168.0.1 (or the localip you set)

/etc/ppp/chap-secrets

Setup users and passwords to connect the pptp server

username pptpd somepassword *

Turn on IP Forwarding

# echo 1 > /proc/sys/net/ipv4/ip_forward

Set the change permanantly in /etc/sysctl.conf by uncommenting the line:

net.ipv4.ip_forward=1

Turn on NATing

If you have created a new private network for your pptpd server, you probably have, you need to add a rule to iptables.

# iptables --table nat --append POSTROUTING \ --out-interface eth0 --jump MASQUERADE

But this rule needs be persistant so we need to create a script to run when the interface starts up

# iptables-save > /etc/iptables.conf

Create a new file: /etc/network/if-up.d/iptables and paste in the following

#!/bin/sh /sbin/iptables-restore < /etc/iptables.conf

Set it to executable
# chmod 755 /etc/network/if-up.d/iptables

All Done!. Just startup pptpd

# /etc/init.d/pptpd start

Moving host

robg — Thu, 31 Dec 2009 22:21:17 +0000

I am thinking of moving host again. I have no issues with dreamhost, but I have been playing with the rackspace cloud, and I like it.

I can have my own virtual machine, lowest specs, for abut the same price as dreamhost each month. And since it is my own box I can do whatever I like with it.

If this site got more hits, and I had to increase the specs, dreamhost would be cheaper, but no one comes here so rackspace will work super.

More importantly this lets me setup a vpn server outside of Australia. While I find it very unlikely that I will ever go to a site banned by the government’s filtering scheme, my protest is to simply bypass it.

http://nocleanfeed.com/

The move will happen over the next few weeks as I find time to install wordpress on debian and get it configured and hardened. The DNS will be staying on dreamhost, so I doubt any changes will be noticed.