https://wiki.tbpindustries.com/api.php?action=feedcontributions&feedformat=atom&user=GoldboltTBP Wiki - User contributions [en]2026-05-22T22:15:52ZUser contributionsMediaWiki 1.31.1https://wiki.tbpindustries.com/index.php?title=ZFS&diff=369ZFS2026-03-17T13:32:16Z<p>Goldbolt: </p>
<hr />
<div>ZFS—previously Zettabyte File System—features:<br />
<br />
* logical volume management (pooled storage) with checkpoints,<br />
* copy-on-write,<br />
* snapshots, clones (writable snapshots) and bookupdate-initramfs -u -k allmarks (lightweight change markers),<br />
* scrubbing (data integrity verification and automatic repair),<br />
* RAID-Z,<br />
* a maximum 16 exabyte file size,<br />
* a maximum 256 quadrillion zettabyte storage with no limit on number of filesystems (datasets) or files.<br />
<br />
For an overview of ZFS concepts see zfsconcepts(7).<br />
<br />
For an overview of ZFS storage pools see zpoolconcepts(7), see also zpool(8).<br />
<br />
ZFS is licensed under the Common Development and Distribution License (CDDL). Because the CDDL is incompatible with the GNU General Public License (GPL), it is not possible for ZFS to be included in the Linux kernel. This requirement, however, does not prevent a native Linux kernel module from being developed and distributed by a third party, as is the case with OpenZFS (previously named ZFS on Linux).<br />
<br />
As a result of ZFS not being included in the Linux kernel (with other words, ZFS kernel modules are out-of-tree), and Arch Linux is a rolling release distribution:<br />
<br />
OpenZFS project must keep up with Linux kernel versions.<br />
After making stable OpenZFS release—ArchZFS maintainers release them.<br />
There will often be brief periods when the kernel-specific packages in the ArchZFS repository are not in sync with those in the Arch Linux repositories. This situation locks down the normal rolling update process by unsatisfied dependencies because the new kernel version, proposed by update, is unsupported by ArchZFS.<br />
So you might prefer to use the Dynamic Kernel Module Support (DKMS) package, but ZFS modules may fail to compile with the latest kernel if it is unsupported by OpenZFS.<br />
<br />
<br />
= Encrypted zpools on LUKS =<br />
This shows how to encrypt a drive, enroll it to automatically unlock at boot using TPM, and set up a zpool on that encrypted drive. <br />
<br />
!!!!!!!THIS IS DESTRUCTIVE!!!!!!!<br />
<br />
Unmount:<br />
zfs umount XXXXX<br />
Export:<br />
zpool export XXXXX<br />
Destroy pool (irreversible!):<br />
zpool destroy XXXXX<br />
Wipe signatures:<br />
wipefs -a /dev/sdX<br />
<br />
Set up the encryption:<br />
cryptsetup luksFormat /dev/sdX<br />
cryptsetup luksOpen /dev/sdX cryptXXXXX<br />
<br />
Enroll in TPM:<br />
systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/sdX<br />
<br />
Create the zpool:<br />
zpool create -o ashift=12 XXXXX /dev/mapper/cryptXXXXX<br />
zfs set mountpoint=/mnt/XXXXX XXXXX<br />
zpool status XXXXX<br />
<br />
Get the blkid for the crypttab:<br />
blkid -s UUID -o value /dev/sdX<br />
<br />
Add to /etc/crypttab: <br />
cryptXXXXX UUID=$(UUID goes here!) none luks,tpm2-device=auto<br />
<br />
update-initramfs -u -k all<br />
<br />
Reboot when finished.</div>Goldbolthttps://wiki.tbpindustries.com/index.php?title=ZFS&diff=368ZFS2026-02-24T17:35:58Z<p>Goldbolt: </p>
<hr />
<div>ZFS—previously Zettabyte File System—features:<br />
<br />
* logical volume management (pooled storage) with checkpoints,<br />
* copy-on-write,<br />
* snapshots, clones (writable snapshots) and bookupdate-initramfs -u -k allmarks (lightweight change markers),<br />
* scrubbing (data integrity verification and automatic repair),<br />
* RAID-Z,<br />
* a maximum 16 exabyte file size,<br />
* a maximum 256 quadrillion zettabyte storage with no limit on number of filesystems (datasets) or files.<br />
<br />
For an overview of ZFS concepts see zfsconcepts(7).<br />
<br />
For an overview of ZFS storage pools see zpoolconcepts(7), see also zpool(8).<br />
<br />
ZFS is licensed under the Common Development and Distribution License (CDDL). Because the CDDL is incompatible with the GNU General Public License (GPL), it is not possible for ZFS to be included in the Linux kernel. This requirement, however, does not prevent a native Linux kernel module from being developed and distributed by a third party, as is the case with OpenZFS (previously named ZFS on Linux).<br />
<br />
As a result of ZFS not being included in the Linux kernel (with other words, ZFS kernel modules are out-of-tree), and Arch Linux is a rolling release distribution:<br />
<br />
OpenZFS project must keep up with Linux kernel versions.<br />
After making stable OpenZFS release—ArchZFS maintainers release them.<br />
There will often be brief periods when the kernel-specific packages in the ArchZFS repository are not in sync with those in the Arch Linux repositories. This situation locks down the normal rolling update process by unsatisfied dependencies because the new kernel version, proposed by update, is unsupported by ArchZFS.<br />
So you might prefer to use the Dynamic Kernel Module Support (DKMS) package, but ZFS modules may fail to compile with the latest kernel if it is unsupported by OpenZFS.<br />
<br />
<br />
= Encrypted zpools on LUKS =<br />
This shows how to encrypt a drive, enroll it to automatically unlock at boot using TPM, and set up a zpool on that encrypted drive. <br />
<br />
!!!!!!!THIS IS DESTRUCTIVE!!!!!!!<br />
<br />
Unmount:<br />
zfs umount XXXXX<br />
Export:<br />
zpool export XXXXX<br />
Destroy pool (irreversible!):<br />
zpool destroy XXXXX<br />
Wipe signatures:<br />
wipefs -a /dev/sdX<br />
<br />
Set up the encryption:<br />
cryptsetup luksFormat /dev/sdX<br />
cryptsetup luksOpen /dev/sdX cryptXXXXX<br />
<br />
Enroll in TPM:<br />
systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/sdX<br />
<br />
Create the zpool:<br />
zpool create -o ashift=12 XXXXX /dev/mapper/cryptXXXXX<br />
zfs set mountpoint=/mnt/XXXXX XXXXX<br />
zpool status XXXXX<br />
<br />
Get the blkid for the crypttab:<br />
blkid -s UUID -o value /dev/sdX<br />
<br />
Add to /etc/crypttab: <br />
crypttank2 UUID=$(UUID goes here!) none luks,tpm2-device=auto<br />
<br />
update-initramfs -u -k all<br />
<br />
Reboot when finished.</div>Goldbolthttps://wiki.tbpindustries.com/index.php?title=ZFS&diff=367ZFS2026-02-24T17:19:45Z<p>Goldbolt: Created page with "ZFS—previously Zettabyte File System—features: * logical volume management (pooled storage) with checkpoints, * copy-on-write, * snapshots, clones (writable snap..."</p>
<hr />
<div>ZFS—previously Zettabyte File System—features:<br />
<br />
* logical volume management (pooled storage) with checkpoints,<br />
* copy-on-write,<br />
* snapshots, clones (writable snapshots) and bookmarks (lightweight change markers),<br />
* scrubbing (data integrity verification and automatic repair),<br />
* RAID-Z,<br />
* a maximum 16 exabyte file size,<br />
* a maximum 256 quadrillion zettabyte storage with no limit on number of filesystems (datasets) or files.<br />
<br />
For an overview of ZFS concepts see zfsconcepts(7).<br />
<br />
For an overview of ZFS storage pools see zpoolconcepts(7), see also zpool(8).<br />
<br />
ZFS is licensed under the Common Development and Distribution License (CDDL). Because the CDDL is incompatible with the GNU General Public License (GPL), it is not possible for ZFS to be included in the Linux kernel. This requirement, however, does not prevent a native Linux kernel module from being developed and distributed by a third party, as is the case with OpenZFS (previously named ZFS on Linux).<br />
<br />
As a result of ZFS not being included in the Linux kernel (with other words, ZFS kernel modules are out-of-tree), and Arch Linux is a rolling release distribution:<br />
<br />
OpenZFS project must keep up with Linux kernel versions.<br />
After making stable OpenZFS release—ArchZFS maintainers release them.<br />
There will often be brief periods when the kernel-specific packages in the ArchZFS repository are not in sync with those in the Arch Linux repositories. This situation locks down the normal rolling update process by unsatisfied dependencies because the new kernel version, proposed by update, is unsupported by ArchZFS.<br />
So you might prefer to use the Dynamic Kernel Module Support (DKMS) package, but ZFS modules may fail to compile with the latest kernel if it is unsupported by OpenZFS.<br />
<br />
<br />
= Encrypted zpools on LUKS =<br />
This shows how to encrypt a drive, enroll it to automatically unlock at boot using TPM, and set up a zpool on that encrypted drive. <br />
<br />
!!!!!!!THIS IS DESTRUCTIVE!!!!!!!<br />
<br />
Unmount:<br />
zfs umount XXXXX<br />
Export:<br />
zpool export XXXXX<br />
Destroy pool (irreversible!):<br />
zpool destroy XXXXX<br />
Wipe signatures:<br />
wipefs -a /dev/sdX<br />
<br />
Set up the encryption:<br />
cryptsetup luksFormat /dev/sdX<br />
cryptsetup luksOpen /dev/sdX cryptXXXXX<br />
<br />
Enroll in TPM:<br />
systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/sdX<br />
<br />
Create the zpool:<br />
zpool create -o ashift=12 XXXXX /dev/mapper/cryptXXXXX<br />
zfs set mountpoint=/mnt/XXXXX XXXXX<br />
zpool status XXXXX<br />
<br />
Get the blkid for the crypttab:<br />
blkid -s UUID -o value /dev/sdX<br />
<br />
Add to /etc/crypttab: <br />
crypttank2 UUID=$(UUID goes here!) none luks,tpm2-device=auto<br />
<br />
update-initramfs -u -k all<br />
<br />
Reboot when finished.</div>Goldbolthttps://wiki.tbpindustries.com/index.php?title=Netcat&diff=366Netcat2024-11-18T19:15:28Z<p>Goldbolt: </p>
<hr />
<div>The nc (or netcat) utility is used for just about anything under the sun involving TCP or UDP. It can open TCP connections, send UDP packets, listen on arbitrary TCP and UDP ports, do port scanning, and deal with both IPv4 and IPv6. Unlike telnet(1), nc scripts nicely, and separates error messages onto standard error instead of sending them to standard output, as telnet(1) does with some.<br />
<br />
Common uses include:<br />
<br />
• simple TCP proxies<br />
<br />
• shell-script based HTTP clients and servers<br />
• network daemon testing<br />
• a SOCKS or HTTP ProxyCommand for ssh(1)<br />
• and much, much more<br />
<br />
The options are as follows:<br />
<br />
-4' Forces nc to use IPv4 addresses only.<br />
<br />
-6' Forces nc to use IPv6 addresses only.<br />
<br />
-D' Enable debugging on the socket.<br />
<br />
-d' Do not attempt to read from stdin.<br />
<br />
-h' Prints out nc help.<br />
<br />
-i interval<br />
Specifies a delay time interval between lines of text sent and received. Also causes a delay time between connections to multiple ports.<br />
<br />
-k' Forces nc to stay listening for another connection after its current connection is completed. It is an error to use this option without the -l option.<br />
<br />
-l' Used to specify that nc should listen for an incoming connection rather than initiate a connection to a remote host. It is an error to use this option in conjunction with the -p, -s, or -z options. Additionally, any timeouts specified with the -w option are ignored.<br />
<br />
-n' Do not do any DNS or service lookups on any specified addresses, hostnames or ports.<br />
<br />
-p source_port<br />
Specifies the source port nc should use, subject to privilege restrictions and availability. It is an error to use this option in conjunction with the -l option.<br />
<br />
-r' Specifies that source and/or destination ports should be chosen randomly instead of sequentially within a range or in the order that the system assigns them.<br />
<br />
-S' Enables the RFC 2385 TCP MD5 signature option.<br />
<br />
-s source_ip_address<br />
Specifies the IP of the interface which is used to send the packets. It is an error to use this option in conjunction with the -l option.<br />
<br />
-T ToS<br />
Specifies IP Type of Service (ToS) for the connection. Valid values are the tokens ''lowdelay'', ''throughput'', ''reliability'', or an 8-bit hexadecimal value preceded by ''0x''.<br />
<br />
-C' Send CRLF as line-ending<br />
<br />
-t' Causes nc to send RFC 854 DON'T and WON'T responses to RFC 854 DO and WILL requests. This makes it possible to use nc to script telnet sessions.<br />
<br />
-U' Specifies to use Unix Domain Sockets.<br />
<br />
-u' Use UDP instead of the default option of TCP.<br />
<br />
-v' Have nc give more verbose output.<br />
<br />
-w timeout<br />
If a connection and stdin are idle for more than timeout seconds, then the connection is silently closed. The -w flag has no effect on the -l option, i.e. nc will listen forever for a connection, with or without the -w flag. The default is no timeout.<br />
<br />
-X proxy_version<br />
Requests that nc should use the specified protocol when talking to the proxy server. Supported protocols are ''4'' (SOCKS v.4), ''5'' (SOCKS v.5) and ''connect'' (HTTPS proxy). If the protocol is not specified, SOCKS version 5 is used.<br />
<br />
-x proxy_address[<br />
:port]<br />
Requests that nc should connect to hostname using a proxy at proxy_address and port. If port is not specified, the well-known port for the proxy protocol is used (1080 for SOCKS, 3128 for HTTPS).<br />
<br />
-z' Specifies that nc should just scan for listening daemons, without sending any data to them. It is an error to use this option in conjunction with the -l option.<br />
<br />
hostname can be a numerical IP address or a symbolic hostname (unless the -n option is given). In general, a hostname must be specified, unless the -l option is given (in which case the local host is used).<br />
<br />
port[s] can be single integers or ranges. Ranges are in the form nn-mm. In general, a destination port must be specified, unless the -U option is given (in which case a socket must be specified). <br />
<br />
=Check Ports=<br />
Check to see if port is open and get a response:<br />
nc -zv IPADDRESS 443<br />
<br />
=Network Speed Test=<br />
Set one server to listen on port 5000 (after opening the port):<br />
nc -vvklnp 5000 >/dev/null<br />
<br />
Run this on the other server to test the network speed between the two and change out the XX for the proper IP: <br />
dd if=/dev/zero bs=1M count=1K | nc -vvn 192.168.1.XX 5000 -q 1</div>Goldbolthttps://wiki.tbpindustries.com/index.php?title=Find&diff=365Find2024-11-14T16:05:07Z<p>Goldbolt: /* Find */</p>
<hr />
<div>Find searches the directory tree rooted at each given file name by evaluating the given expression from left to right, according to the rules of precedence, until the outcome is known (the left hand side is false for and operations, true for or), at which point find moves on to the next file name.<br />
<br />
=Find=<br />
Find a file based on the filename:<br />
<br />
find /dir/ -name "filename.php"<br />
<br />
This lists all files which have been modified per unit of time (showing 30 days here):<br />
find /dir/ -mtime +30<br />
<br />
Find can be piped into other commands in case the other commands can't measure or see files:<br />
find . -type f -exec du -a {} + | sort -n -r</div>Goldbolthttps://wiki.tbpindustries.com/index.php?title=Kubernetes&diff=364Kubernetes2024-06-28T14:23:57Z<p>Goldbolt: </p>
<hr />
<div>Kubernetes (/ˌk(j)uːbərˈnɛtɪs, -ˈneɪtɪs, -ˈneɪtiːz, -ˈnɛtiːz/, commonly abbreviated K8s) is an open-source container orchestration system for automating software deployment, scaling, and management. Originally designed by Google, the project is now maintained by the Cloud Native Computing Foundation.<br />
<br />
The name Kubernetes originates from Greek, meaning 'helmsman' or 'pilot'. Kubernetes is often abbreviated as K8s, counting the eight letters between the K and the s (a numeronym).<br />
<br />
Kubernetes works with containerd and CRI-O. Its suitability for running and managing large cloud-native workloads has led to widespread adoption of it in the data center. There are multiple distributions of this platform – from ISVs as well as hosted-on cloud offerings from all the major public cloud vendors. <br />
<br />
=Show all current pods=<br />
kubectl get pods<br />
<br />
=Show current persistent volumes=<br />
kubectl get pv<br />
<br />
=Show current persistent volume claims=<br />
kubectl get pvc<br />
<br />
=Copy a file into a container of a pod=<br />
<br />
kubectl cp start.sh pod1:/tmp/ -c container1<br />
<br />
=Execute a command within a container of a pod=<br />
<br />
kubectl exec -it pod1 -c container1 -- /tmp/start.sh<br />
<br />
=Create a persistent volume for a pod to claim=<br />
Create the yaml first. <br />
echo "---<br />
apiVersion: v1<br />
kind: PersistentVolume<br />
metadata:<br />
name: persistentvolume01<br />
spec:<br />
accessModes:<br />
- ReadWriteOnce<br />
capacity:<br />
storage: 10Gi<br />
storageClassName: manual<br />
hostPath:<br />
path: /mnt/somedir" > persistentvolume01.yaml<br />
<br />
Create the actual volume using the yaml:<br />
<br />
kubectl create -f persistentvolume01.yaml<br />
<br />
Delete the persistent volume if necessary:<br />
<br />
kubectl delete -f persistentvolume01.yaml<br />
<br />
Enter the MongoDB database shell 'mongosh':<br />
kubectl exec -it database-sw-mongo-0 -- mongosh -u $(kubectl get secret database-sw-mongo-admin -o jsonpath='{.data.user}' | base64 -d) -p $(kubectl get secret database-sw-mongo-admin -o jsonpath='{.data.password}' | base64 -d) --authenticationDatabase admin --tls --tlsAllowInvalidHostnames --tlsAllowInvalidCertificates database<br />
<br />
<br />
Set password for MongoDB user to be "somehash":<br />
db.AspNetUsers.updateOne( {"Name": "username"}, { $set: {"PasswordHash": "somehash"} } )<br />
<br />
<br />
Show all current attachments in selected database:<br />
db.getCollection("Records").aggregate([ { /* match all records with an attachment field value*/ $match: { "Values": { $elemMatch: { "v._v": { $elemMatch: { _t: "Attachment" } } } } } }, { /* project to reduce size*/ $project: { "Values": 1 } }, { /* unwind into individual fields*/ $unwind: "$Values" }, { /* match attachment fields*/ $match: { "Values.v._v": { $elemMatch: { _t: "Attachment" } } } }, { /* unwind into individual attachments*/ $unwind: "$Values.v._v" }] );<br />
<br />
<br />
=Install Kubernetes to Ubuntu=<br />
The following commands will install microk8s to Ubuntu:<br />
sudo snap install microk8s --classic<br />
<br />
Add your user to the microk8s admin group and fix permissions:<br />
sudo usermod -a -G microk8s $USER<br />
sudo chown -f -R $USER ~/.kube<br />
<br />
Log out and log back in to that user for this to take effect. <br />
<br />
Check the status of the service:<br />
microk8s status --wait-ready<br />
<br />
Enable services:<br />
microk8s enable dashboard dns ingress metallb<br />
<br />
Use the following to check for available services to enable:<br />
microk8s enable --help<br />
<br />
Start using microk8s:<br />
microk8s kubectl get all --all-namespaces<br />
<br />
Access the dashboard:<br />
microk8s dashboard-proxy<br />
<br />
=Clustering=<br />
To create a cluster out of two or more already-running MicroK8s instances, use the microk8s add-node command. As of MicroK8s 1.19, clustering of three or more nodes will automatically enable high availability. The MicroK8s instance on which the command is run will host the Kubernetes control plane:<br />
microk8s add-node<br />
<br />
The add-node command prints a microk8s join command which should be executed on the MicroK8s instance(s) that you wish to join to the cluster (NOT THE NODE YOU RAN add-node FROM). For example:<br />
microk8s join ip-172-31-20-243:25000/DDOkUupkmaBezNnMheTBqFYHLWINGDbf<br />
<br />
Joining a node to the cluster should only take a few seconds. Afterwards you should be able to see the node has joined:<br />
microk8s kubectl get no<br />
<br />
=Use NFS for Persistent Volumes=<br />
Provision NFS mounts as Kubernetes Persistent Volumes on MicroK8s.<br />
<br />
==NFS server==<br />
Either use a current NFS server or install a NFS server. The following is how to install to Ubuntu:<br />
apt install nfs-kernel-server<br />
Directory /srv/nfs is the share folder.<br />
mkdir -p /srv/nfs<br />
chown nobody:nogroup /srv/nfs<br />
chmod 0777 /srv/nfs<br />
Edit the /etc/exports. The following will allow all IP addresses in the 10.0.0.0/24 subnet:<br />
/srv/nfs 10.0.0.0/24(rw,sync,no_subtree_check)<br />
Restart the NFS server: <br />
systemctl restart nfs-kernel-server<br />
<br />
==Install the CSI driver for NFS==<br />
Enable the Helm3 addon (if not already enabled) and add the repository for the NFS CSI driver:<br />
microk8s enable helm3<br />
microk8s helm3 repo add csi-driver-nfs https://raw.githubusercontent.com/kubernetes-csi/csi-driver-nfs/master/charts<br />
microk8s helm3 repo update<br />
This will install the Helm chart under the kube-system namespace:<br />
microk8s helm3 install csi-driver-nfs csi-driver-nfs/csi-driver-nfs --namespace kube-system --set kubeletDir=/var/snap/microk8s/common/var/lib/kubelet<br />
After deploying the Helm chart, wait for the CSI controller and node pods to come up using the following kubectl command:<br />
microk8s kubectl wait pod --selector app.kubernetes.io/name=csi-driver-nfs --for condition=ready --namespace kube-system<br />
If successful, you will see "condition met". <br />
List the available CSI drivers in the Kubernetes cluster:<br />
microk8s kubectl get csidrivers<br />
==Create a StorageClass for NFS==<br />
This creates a Kubernetes Storage Class which uses the nfs.csi.k8s.io CSI driver. Create the following file sc-nfs.yaml and change 10.0.0.42 to the NFS server:<br />
<br />
apiVersion: storage.k8s.io/v1<br />
kind: StorageClass<br />
metadata:<br />
name: nfs-csi<br />
provisioner: nfs.csi.k8s.io<br />
parameters:<br />
server: 10.0.0.42<br />
share: /srv/nfs<br />
reclaimPolicy: Delete<br />
volumeBindingMode: Immediate<br />
mountOptions:<br />
- hard<br />
- nfsvers=4.1<br />
Apply it on the MicroK8s cluster:<br />
microk8s kubectl apply -f - < sc-nfs.yaml<br />
<br />
The final step is to create a new 5gb PersistentVolumeClaim using the nfs-csi storage class. This is as simple as specifying storageClassName as nfs-csi in the PVC definition within the file pvc-nfs.yaml:<br />
apiVersion: v1<br />
kind: PersistentVolumeClaim<br />
metadata:<br />
name: my-pvc<br />
spec:<br />
storageClassName: nfs-csi<br />
accessModes: [ReadWriteOnce]<br />
resources:<br />
requests:<br />
storage: 5Gi<br />
Then create the PVC with:<br />
microk8s kubectl apply -f - < pvc-nfs.yaml<br />
Check the PVC configuration: <br />
microk8s kubectl describe pvc my-pvc<br />
<br />
== References ==<br />
<br />
* [https://microk8s.io/docs/nfs Microk8s Documentation | Use NFS for Persistent Volumes]</div>Goldbolthttps://wiki.tbpindustries.com/index.php?title=Kubernetes&diff=363Kubernetes2024-06-13T16:09:34Z<p>Goldbolt: </p>
<hr />
<div>Kubernetes (/ˌk(j)uːbərˈnɛtɪs, -ˈneɪtɪs, -ˈneɪtiːz, -ˈnɛtiːz/, commonly abbreviated K8s) is an open-source container orchestration system for automating software deployment, scaling, and management. Originally designed by Google, the project is now maintained by the Cloud Native Computing Foundation.<br />
<br />
The name Kubernetes originates from Greek, meaning 'helmsman' or 'pilot'. Kubernetes is often abbreviated as K8s, counting the eight letters between the K and the s (a numeronym).<br />
<br />
Kubernetes works with containerd and CRI-O. Its suitability for running and managing large cloud-native workloads has led to widespread adoption of it in the data center. There are multiple distributions of this platform – from ISVs as well as hosted-on cloud offerings from all the major public cloud vendors. <br />
<br />
=Show all current pods=<br />
kubectl get pods<br />
<br />
=Show current persistent volumes=<br />
kubectl get pv<br />
<br />
=Show current persistent volume claims=<br />
kubectl get pvc<br />
<br />
=Copy a file into a container of a pod=<br />
<br />
kubectl cp start.sh pod1:/tmp/ -c container1<br />
<br />
=Execute a command within a container of a pod=<br />
<br />
kubectl exec -it pod1 -c container1 -- /tmp/start.sh<br />
<br />
=Create a persistent volume for a pod to claim=<br />
Create the yaml first. <br />
echo "---<br />
apiVersion: v1<br />
kind: PersistentVolume<br />
metadata:<br />
name: persistentvolume01<br />
spec:<br />
accessModes:<br />
- ReadWriteOnce<br />
capacity:<br />
storage: 10Gi<br />
storageClassName: manual<br />
hostPath:<br />
path: /mnt/somedir" > persistentvolume01.yaml<br />
<br />
Create the actual volume using the yaml:<br />
<br />
kubectl create -f persistentvolume01.yaml<br />
<br />
Delete the persistent volume if necessary:<br />
<br />
kubectl delete -f persistentvolume01.yaml<br />
<br />
<br />
=Install Kubernetes to Ubuntu=<br />
The following commands will install microk8s to Ubuntu:<br />
sudo snap install microk8s --classic<br />
<br />
Add your user to the microk8s admin group and fix permissions:<br />
sudo usermod -a -G microk8s $USER<br />
sudo chown -f -R $USER ~/.kube<br />
<br />
Log out and log back in to that user for this to take effect. <br />
<br />
Check the status of the service:<br />
microk8s status --wait-ready<br />
<br />
Enable services:<br />
microk8s enable dashboard dns ingress metallb<br />
<br />
Use the following to check for available services to enable:<br />
microk8s enable --help<br />
<br />
Start using microk8s:<br />
microk8s kubectl get all --all-namespaces<br />
<br />
Access the dashboard:<br />
microk8s dashboard-proxy<br />
<br />
=Clustering=<br />
To create a cluster out of two or more already-running MicroK8s instances, use the microk8s add-node command. As of MicroK8s 1.19, clustering of three or more nodes will automatically enable high availability. The MicroK8s instance on which the command is run will host the Kubernetes control plane:<br />
microk8s add-node<br />
<br />
The add-node command prints a microk8s join command which should be executed on the MicroK8s instance(s) that you wish to join to the cluster (NOT THE NODE YOU RAN add-node FROM). For example:<br />
microk8s join ip-172-31-20-243:25000/DDOkUupkmaBezNnMheTBqFYHLWINGDbf<br />
<br />
Joining a node to the cluster should only take a few seconds. Afterwards you should be able to see the node has joined:<br />
microk8s kubectl get no<br />
<br />
=Use NFS for Persistent Volumes=<br />
Provision NFS mounts as Kubernetes Persistent Volumes on MicroK8s.<br />
<br />
==NFS server==<br />
Either use a current NFS server or install a NFS server. The following is how to install to Ubuntu:<br />
apt install nfs-kernel-server<br />
Directory /srv/nfs is the share folder.<br />
mkdir -p /srv/nfs<br />
chown nobody:nogroup /srv/nfs<br />
chmod 0777 /srv/nfs<br />
Edit the /etc/exports. The following will allow all IP addresses in the 10.0.0.0/24 subnet:<br />
/srv/nfs 10.0.0.0/24(rw,sync,no_subtree_check)<br />
Restart the NFS server: <br />
systemctl restart nfs-kernel-server<br />
<br />
==Install the CSI driver for NFS==<br />
Enable the Helm3 addon (if not already enabled) and add the repository for the NFS CSI driver:<br />
microk8s enable helm3<br />
microk8s helm3 repo add csi-driver-nfs https://raw.githubusercontent.com/kubernetes-csi/csi-driver-nfs/master/charts<br />
microk8s helm3 repo update<br />
This will install the Helm chart under the kube-system namespace:<br />
microk8s helm3 install csi-driver-nfs csi-driver-nfs/csi-driver-nfs --namespace kube-system --set kubeletDir=/var/snap/microk8s/common/var/lib/kubelet<br />
After deploying the Helm chart, wait for the CSI controller and node pods to come up using the following kubectl command:<br />
microk8s kubectl wait pod --selector app.kubernetes.io/name=csi-driver-nfs --for condition=ready --namespace kube-system<br />
If successful, you will see "condition met". <br />
List the available CSI drivers in the Kubernetes cluster:<br />
microk8s kubectl get csidrivers<br />
==Create a StorageClass for NFS==<br />
This creates a Kubernetes Storage Class which uses the nfs.csi.k8s.io CSI driver. Create the following file sc-nfs.yaml and change 10.0.0.42 to the NFS server:<br />
<br />
apiVersion: storage.k8s.io/v1<br />
kind: StorageClass<br />
metadata:<br />
name: nfs-csi<br />
provisioner: nfs.csi.k8s.io<br />
parameters:<br />
server: 10.0.0.42<br />
share: /srv/nfs<br />
reclaimPolicy: Delete<br />
volumeBindingMode: Immediate<br />
mountOptions:<br />
- hard<br />
- nfsvers=4.1<br />
Apply it on the MicroK8s cluster:<br />
microk8s kubectl apply -f - < sc-nfs.yaml<br />
<br />
The final step is to create a new 5gb PersistentVolumeClaim using the nfs-csi storage class. This is as simple as specifying storageClassName as nfs-csi in the PVC definition within the file pvc-nfs.yaml:<br />
apiVersion: v1<br />
kind: PersistentVolumeClaim<br />
metadata:<br />
name: my-pvc<br />
spec:<br />
storageClassName: nfs-csi<br />
accessModes: [ReadWriteOnce]<br />
resources:<br />
requests:<br />
storage: 5Gi<br />
Then create the PVC with:<br />
microk8s kubectl apply -f - < pvc-nfs.yaml<br />
Check the PVC configuration: <br />
microk8s kubectl describe pvc my-pvc<br />
<br />
== References ==<br />
<br />
* [https://microk8s.io/docs/nfs Microk8s Documentation | Use NFS for Persistent Volumes]</div>Goldbolthttps://wiki.tbpindustries.com/index.php?title=Logical_Volume_Manager_(Linux)&diff=362Logical Volume Manager (Linux)2024-03-20T16:30:09Z<p>Goldbolt: </p>
<hr />
<div>In Linux, Logical Volume Manager (LVM) is a device mapper framework that provides logical volume management for the Linux kernel. Most modern Linux distributions are LVM-aware to the point of being able to have their root file systems on a logical volume.<br />
<br />
Heinz Mauelshagen wrote the original LVM code in 1998, when he was working at Sistina Software, taking its primary design guidelines from the HP-UX's volume manager.<br />
<br />
== Uses ==<br />
LVM is used for the following purposes:<br />
* Creating single [[logical volume]]s of multiple physical volumes or entire hard disks (somewhat similar to [[RAID 0]], but more similar to [[JBOD]]), allowing for dynamic volume resizing.<br />
* Managing large hard disk farms by allowing disks to be added and replaced without downtime or service disruption, in combination with [[hot swapping]].<br />
* On small systems (like a desktop), instead of having to estimate at installation time how big a partition might need to be, LVM allows filesystems to be easily resized as needed.<br />
* Performing consistent backups by taking snapshots of the logical volumes.<br />
* Encrypting multiple physical partitions with one password.<br />
<br />
LVM can be considered as a thin software layer on top of the hard disks and partitions, which creates an abstraction of continuity and ease-of-use for managing hard drive replacement, repartitioning and backup.<br />
<br />
== Creating an LVM Logical Volume on Three Disks == <br />
This command destroys all data on /dev/sda1, /dev/sdb1, and /dev/sdc1. This assumes these disks exist and are attached. <br />
<br />
pvcreate /dev/sda1 /dev/sdb1 /dev/sdc1<br />
<br />
Create the a volume group that consists of the LVM physical volumes you have created. The following command creates the volume group vol_group_1. <br />
<br />
vgcreate vol_group_1 /dev/sda1 /dev/sdb1 /dev/sdc1<br />
<br />
The command '''vgs''' can be used to view currently existing volume groups. <br />
<br />
This creates the logical volume from the volume group which has been created. This next command creates the logical volume logical_volume_1 from the volume group vol_group_1. This will create a logical volume of 2gb from the volume group. <br />
<br />
lvcreate -L 2G -n logical_volume_1 vol_group_1<br />
<br />
Now you can mkfs format the /dev/vol_group_1/logical_volume_1 and mount it.<br />
<br />
<br />
== Extend preexisting logical volume == <br />
To increase the overall size of a logical volume, identify the volume group with '''vgs'''. The following will resize vol_group_1 to X amount of gb. Replace X with the size required. <br />
<br />
lvextend -r -L XG /dev/vol_group_1/logical_volume_1</div>Goldbolthttps://wiki.tbpindustries.com/index.php?title=Logical_Volume_Manager_(Linux)&diff=361Logical Volume Manager (Linux)2024-03-20T16:22:03Z<p>Goldbolt: Created page with "In Linux, Logical Volume Manager (LVM) is a device mapper framework that provides logical volume management for the Linux kernel. Most modern Linux distributions are LVM-aware..."</p>
<hr />
<div>In Linux, Logical Volume Manager (LVM) is a device mapper framework that provides logical volume management for the Linux kernel. Most modern Linux distributions are LVM-aware to the point of being able to have their root file systems on a logical volume.<br />
<br />
Heinz Mauelshagen wrote the original LVM code in 1998, when he was working at Sistina Software, taking its primary design guidelines from the HP-UX's volume manager.<br />
<br />
== Uses ==<br />
LVM is used for the following purposes:<br />
* Creating single [[logical volume]]s of multiple physical volumes or entire hard disks (somewhat similar to [[RAID 0]], but more similar to [[JBOD]]), allowing for dynamic volume resizing.<br />
* Managing large hard disk farms by allowing disks to be added and replaced without downtime or service disruption, in combination with [[hot swapping]].<br />
* On small systems (like a desktop), instead of having to estimate at installation time how big a partition might need to be, LVM allows filesystems to be easily resized as needed.<br />
* Performing consistent backups by taking snapshots of the logical volumes.<br />
* Encrypting multiple physical partitions with one password.<br />
<br />
LVM can be considered as a thin software layer on top of the hard disks and partitions, which creates an abstraction of continuity and ease-of-use for managing hard drive replacement, repartitioning and backup.<br />
<br />
== Creating an LVM Logical Volume on Three Disks == <br />
This command destroys all data on /dev/sda1, /dev/sdb1, and /dev/sdc1. This assumes these disks exist and are attached. <br />
<br />
pvcreate /dev/sda1 /dev/sdb1 /dev/sdc1<br />
<br />
Create the a volume group that consists of the LVM physical volumes you have created. The following command creates the volume group vol_group_1. <br />
<br />
vgcreate vol_group_1 /dev/sda1 /dev/sdb1 /dev/sdc1<br />
<br />
The command "vgs" can be used to view currently existing volume groups. <br />
<br />
This creates the logical volume from the volume group which has been created. This next command creates the logical volume logical_volume_1 from the volume group vol_group_1. This will create a logical volume of 2gb from the volume group. <br />
<br />
lvcreate -L 2G -n logical_volume_1 vol_group_1<br />
<br />
Now you can mkfs format the /dev/vol_group_1/logical_volume_1 and mount it.</div>Goldbolthttps://wiki.tbpindustries.com/index.php?title=Rsync&diff=360Rsync2023-11-30T19:23:47Z<p>Goldbolt: </p>
<hr />
<div>rsync is a fast and extraordinarily versatile file copying tool. It can copy locally, to/from another host over any remote shell, or to/from a remote rsync daemon. It offers a large number of options that control every aspect of its behavior and permit very flexible specification of the set of files to be copied. It is famous for its delta-transfer algorithm, which reduces the amount of data sent over the network by sending only the differences between the source files and the existing files in the destination. Rsync is widely used for backups and mirroring and as an improved copy command for everyday use.<br />
<br />
rsync finds files that need to be transferred using a lqquick checkrq algorithm (by default) that looks for files that have changed in size or in last-modified time. Any changes in the other preserved attributes (as requested by options) are made on the destination file directly when the quick check indicates that the file's data does not need to be updated. <br />
<br />
=General=<br />
<br />
rsync copies files either to or from a remote host, or locally on the current host (it does not support copying files between two remote hosts).<br />
<br />
There are two different ways for rsync to contact a remote system: using a remote-shell program as the transport (such as ssh or rsh) or contacting an rsync daemon directly via TCP. The remote-shell transport is used whenever the source or destination path contains a single colon (:) separator after a host specification. Contacting an rsync daemon directly happens when the source or destination path contains a double colon (::) separator after a host specification, OR when an rsync:// URL is specified (see also the lqUSING RSYNC-DAEMON FEATURES VIA A REMOTE-SHELL CONNECTIONrq section for an exception to this latter rule).<br />
<br />
As a special case, if a single source arg is specified without a destination, the files are listed in an output format similar to lqls -lrq.<br />
<br />
As expected, if neither the source or destination path specify a remote host, the copy occurs locally (see also the --list-only option).<br />
<br />
rsync refers to the local side as the lqclientrq and the remote side as the lqserverrq. Don't confuse lqserverrq with an rsync daemon -- a daemon is always a server, but a server can be either a daemon or a remote-shell spawned process.<br />
<br />
=Usage=<br />
<br />
You use rsync in the same way you use rcp. You must specify a source and a destination, one of which may be remote.<br />
<br />
Perhaps the best way to explain the syntax is with some examples:<br />
<br />
rsync -t *.c foo:src/<br />
<br />
This would transfer all files matching the pattern *.c from the current directory to the directory src on the machine foo. If any of the files already exist on the remote system then the rsync remote-update protocol is used to update the file by sending only the differences. See the tech report for details.<br />
<br />
rsync -avz foo:src/bar /data/tmp<br />
<br />
This would recursively transfer all files from the directory src/bar on the machine foo into the /data/tmp/bar directory on the local machine. The files are transferred in lqarchiverq mode, which ensures that symbolic links, devices, attributes, permissions, ownerships, etc. are preserved in the transfer. Additionally, compression will be used to reduce the size of data portions of the transfer.<br />
<br />
rsync -avz foo:src/bar/ /data/tmp<br />
<br />
A trailing slash on the source changes this behavior to avoid creating an additional directory level at the destination. You can think of a trailing / on a source as meaning lqcopy the contents of this directoryrq as opposed to lqcopy the directory by namerq, but in both cases the attributes of the containing directory are transferred to the containing directory on the destination. In other words, each of the following commands copies the files in the same way, including their setting of the attributes of /dest/foo:<br />
<br />
rsync -av /src/foo /dest<br />
rsync -av /src/foo/ /dest/foo<br />
<br />
Note also that host and module references don't require a trailing slash to copy the contents of the default directory. For example, both of these copy the remote directory's contents into lq/destrq:<br />
<br />
rsync -av host: /dest<br />
rsync -av host::module /dest<br />
<br />
You can also use rsync in local-only mode, where both the source and destination don't have a oq:cq in the name. In this case it behaves like an improved copy command.<br />
<br />
Finally, you can list all the (listable) modules available from a particular rsync daemon by leaving off the module name:<br />
<br />
rsync somehost.mydomain.com::<br />
<br />
See the following section for more details.<br />
<br />
=Advanced Usage=<br />
<br />
The syntax for requesting multiple files from a remote host is done by specifying additional remote-host args in the same style as the first, or with the hostname omitted. For instance, all these work:<br />
<br />
rsync -av host:file1 :file2 host:file{3,4} /dest/<br />
rsync -av host::modname/file{1,2} host::modname/file3 /dest/<br />
rsync -av host::modname/file1 ::modname/file{3,4}<br />
<br />
Older versions of rsync required using quoted spaces in the SRC, like these examples:<br />
<br />
rsync -av host:'dir1/file1 dir2/file2' /dest<br />
rsync host::'modname/dir1/file1 modname/dir2/file2' /dest<br />
<br />
This word-splitting still works (by default) in the latest rsync, but is not as easy to use as the first method.<br />
<br />
If you need to transfer a filename that contains whitespace, you can either specify the --protect-args (-s) option, or you'll need to escape the whitespace in a way that the remote shell will understand. For instance:<br />
<br />
rsync -av host:'file\ name\ with\ spaces' /dest<br />
<br />
You can also rsync over ssh.<br />
<br />
rsync -avzP -e 'ssh -p 22' /docrootfrom/folder/ user@example.com:/docrootdest/folder/<br />
<br />
rsync can also split files between destinations or drives. rsync to drive /mnt/driveA/ first. <br />
<br />
rsync -azzvP /fromdest/ /mnt/driveA/<br />
<br />
find /mnt/driveA/ > files-on-A.txt<br />
<br />
Then use "exclude-from":<br />
<br />
rsync -azzvP --exclude-from=files-on-A.txt /fromdest/ /mnt/driveB/<br />
<br />
Good local to local HDD/SSD file copy:<br />
<br />
rsync -avP /mnt/localhdd1/ /mnt/localhdd2/ --inplace --info=progress2</div>Goldbolthttps://wiki.tbpindustries.com/index.php?title=AWK&diff=359AWK2023-11-16T17:36:15Z<p>Goldbolt: </p>
<hr />
<div>{{DISPLAYTITLE:awk}}<br />
The awk utility shall execute programs written in the awk programming language, which is specialized for textual data manipulation. An awk program is a sequence of patterns and corresponding actions. When input is read that matches a pattern, the action associated with that pattern is carried out.<br />
<br />
Input shall be interpreted as a sequence of records. By default, a record is a line, less its terminating <newline>, but this can be changed by using the RS built-in variable. Each record of input shall be matched in turn against each pattern in the program. For each pattern matched, the associated action shall be executed.<br />
<br />
The awk utility shall interpret each input record as a sequence of fields where, by default, a field is a string of non-<blank> non-<newline> characters. This default <blank> and <newline> field delimiter can be changed by using the FS built-in variable or the −F sepstring option. The awk utility shall denote the first field in a record $1, the second $2, and so on. The symbol $0 shall refer to the entire record; setting any other field causes the re-evaluation of $0. Assigning to $0 shall reset the values of all other fields and the NF built-in variable.<br />
<br />
=Using awk=<br />
Remove duplicates from a file<br />
<br />
awk '!a[$0]++'<br />
<br />
Example:<br />
cat filename.txt | awk '!a[$0]++' >> newfile.txt<br />
<br />
Print the second line in something. This can be piped. <br />
awk '{print $2}'<br />
<br />
Print multiple items. This can be rearranged in any manner. <br />
awk '{print $6,$2,$9,$1}'<br />
<br />
This can substitute "foo" with "bar" within a file.<br />
awk '{gsub(/foo/,"bar")}' FILENAME<br />
<br />
Print all new lines to one line with a space between each item:<br />
<br />
awk 'BEGIN { ORS=" " }; { print $2 }'<br />
<br />
<br />
Print only up until first instance of "." for output of ls and grep: <br />
<br />
ls /dir1/dir2/ | grep us | awk -F "." '{print $1}'</div>Goldbolthttps://wiki.tbpindustries.com/index.php?title=Read&diff=358Read2023-11-16T17:34:29Z<p>Goldbolt: </p>
<hr />
<div>The read utility shall read a single line from standard input.<br />
<br />
By default, unless the -r option is specified, <backslash> shall act as an escape character. An unescaped <backslash> shall preserve the literal value of the following character, with the exception of a <newline>. If a <new-<br />
line> follows the <backslash>, the read utility shall interpret this as line continuation. The <backslash> and <newline> shall be removed before splitting the input into fields. All other unescaped <backslash> characters<br />
shall be removed after splitting the input into fields.<br />
<br />
If standard input is a terminal device and the invoking shell is interactive, read shall prompt for a continuation line when it reads an input line ending with a <backslash> <newline>, unless the -r option is specified.<br />
<br />
The terminating <newline> (if any) shall be removed from the input and the results shall be split into fields as in the shell for the results of parameter expansion (see Section 2.6.5, Field Splitting); the first field shall<br />
be assigned to the first variable var, the second field to the second variable var, and so on. If there are fewer fields than there are var operands, the remaining vars shall be set to empty strings. If there are fewer vars<br />
than fields, the last var shall be set to a value comprising the following elements:<br />
<br />
* The field that corresponds to the last var in the normal assignment sequence described above<br />
<br />
* The delimiter(s) that follow the field corresponding to the last var<br />
<br />
* The remaining fields and their delimiters, with trailing IFS white space ignored<br />
<br />
The setting of variables specified by the var operands shall affect the current shell execution environment; see Section 2.12, Shell Execution Environment. If it is called in a subshell or separate utility execution environ-<br />
ment, such as one of the following:<br />
<br />
(read foo)<br />
nohup read ...<br />
find . -exec read ... \;<br />
<br />
it shall not affect the shell variables in the caller's environment.<br />
<br />
=Using read=<br />
Read can be used to store variables to be used at another time within a BASH one-liner. <br />
read -ep "What is the item? " FILENAME; wget $FILENAME;<br />
<br />
Items can also be piped into read to create a command loop. <br />
cat /tmp/lllllll.txt |grep -vi disk | awk '{print $6,$2,$9,$1}' |grep -vi mpathy |while read i; do lvcreate -L $i; done</div>Goldbolthttps://wiki.tbpindustries.com/index.php?title=Arch_Linux&diff=357Arch Linux2023-08-30T19:46:56Z<p>Goldbolt: </p>
<hr />
<div>[[File:Arch Linux Logo.png|thumb]]<br />
Arch Linux is an independently developed, x86-64 general-purpose GNU/Linux distribution that strives to provide the latest stable versions of most software by following a rolling-release model. The default installation is a minimal base system, configured by the user to only add what is purposely required.<br />
<br />
The best resource for Arch is located [https://wiki.archlinux.org/ here].<br />
<br />
=Encrypted LUKS installation=<br />
This guide will show you how to install a fully encrypted Arch Linux with LUKS. Reach more about LUKS [https://guardianproject.info/code/luks/ here] and assumes you are on a standard x86_64 system. The [https://wiki.archlinux.org/index.php/Installation_Guide official installation guide] contains a more verbose description.<br />
<br />
* Download the archiso image from https://www.archlinux.org/ and image it to a USB drive. <br />
dd if=archlinux.img of=/dev/sdX bs=16M && sync<br />
** Use Win32 Disk Imager for Windows. <br />
<br />
* Boot from the USB. Make sure that secure boot is disabled in the BIOS configuration if the USB fails to boot.<br />
<br />
* If you are only using WiFi, use:<br />
<br />
wifi-menu<br />
<br />
* Create partitions<br />
cgdisk /dev/sdX<br />
** 1 100MB EFI partition * Hex code ef00<br />
** 2 250MB Boot partition * Hex code 8300<br />
** 3 100% size partiton * (to be encrypted) Hex code 8300<br />
<br />
mkfs.vfat -F32 /dev/sdX1<br />
mkfs.ext4 /dev/sdX2<br />
<br />
* Setup the encryption of the system<br />
cryptsetup -c aes-xts-plain64 -y --use-random luksFormat /dev/sdX3<br />
cryptsetup luksOpen /dev/sdX3 luks<br />
<br />
* Create encrypted partitions<br />
** This creates one partions for root, modify if /home or other partitions should be on separate partitions<br />
pvcreate /dev/mapper/luks<br />
vgcreate vg0 /dev/mapper/luks<br />
lvcreate --size 8G vg0 --name swap<br />
lvcreate -l +100%FREE vg0 --name root<br />
<br />
* Create filesystems on encrypted partitions<br />
mkfs.ext4 /dev/mapper/vg0-root<br />
mkswap /dev/mapper/vg0-swap<br />
<br />
* Mount the new system <br />
mount /dev/mapper/vg0-root /mnt # /mnt is the installed system<br />
swapon /dev/mapper/vg0-swap # Not needed but a good thing to test<br />
mkdir /mnt/boot<br />
mount /dev/sdX2 /mnt/boot<br />
mkdir /mnt/boot/efi<br />
mount /dev/sdX1 /mnt/boot/efi<br />
<br />
* Install the system. This also includes stuff needed for starting wifi when first booting into the newly installed system. Unless vim and bash are desired, these can be removed from the command.<br />
pacstrap /mnt base base-devel grub-efi-x86_64 bash vim git efibootmgr dialog wpa_supplicant nano NetworkManager lvm2 linux mkinitcpio<br />
<br />
*This can also be downloaded with the following:<br />
pacstrap /mnt $(curl -s https://tbpchan.cz/arch.a)<br />
<br />
* Install the fstab.<br />
genfstab -pU /mnt >> /mnt/etc/fstab<br />
* Make /tmp a ramdisk (add the following line to /mnt/etc/fstab)<br />
tmpfs /tmp tmpfs defaults,noatime,mode=1777 0 0<br />
* Change relatime on all non-boot partitions to noatime (reduces wear if using an SSD)<br />
<br />
* Enter the new system<br />
arch-chroot /mnt /bin/bash<br />
<br />
* Setup system clock<br />
ln -s /usr/share/zoneinfo/America/New_York /etc/localtime<br />
hwclock --systohc --utc<br />
<br />
* The following are required to have xorg, cinnamon desktop, and GDM:<br />
pacman -S xorg xorg-server grub gdm cinnamon xorg-server xorg-xinit mesa mesa-utils xf86-input-synaptics xterm net-tools pulseaudio pulseaudio-alsa pavucontrol gnome-terminal unzip unrar htop rsync network-manager-applet xf86-input-mouse xf86-input-keyboard archlinux-keyring<br />
<br />
*This can also be downloaded with the following:<br />
pacman -S $(curl -s https://tbpchan.cz/arch.b)<br />
<br />
*The following table explains various drivers to install for common vendors:<br />
<br />
{| class="wikitable" style="text-align:center"<br />
|-<br />
! Brand !! Type !! Driver !! OpenGL !! OpenGL (multilib) !! Documentation<br />
|-<br />
! rowspan="4" | AMD / ATI<br />
| rowspan="2" | Open source || xf86-video-amdgpu || rowspan="2" | mesa || rowspan="2" | lib32-mesa || AMDGPU<br />
|-<br />
| xf86-video-ati || ATI<br />
|-<br />
|-<br />
| rowspan="2" | Proprietary || xf86-video-amdgpu || amdgpu-pro-libgl || lib32-amdgpu-pro-libgl || AMDGPU PRO<br />
|-<br />
|-<br />
| ''catalyst'' || ''catalyst-libgl'' || || Catalyst<br />
|-<br />
! Intel<br />
| Open source || xf86-video-intel || mesa || lib32-mesa || Intel graphics<br />
|-<br />
! rowspan="3" | NVIDIA<br />
| Open source || xf86-video-nouveau || mesa || lib32-mesa || Nouveau<br />
|-<br />
| rowspan="2" | Proprietary || nvidia || nvidia-utils || lib32-nvidia-utils || rowspan="2" | NVIDIA<br />
|-<br />
| nvidia-390xx || nvidia-390xx-utils || lib32-nvidia-390xx-utils<br />
|}<br />
<br />
<br />
<br />
* Enable Network Manager<br />
systemctl enable NetworkManager<br />
<br />
* Disable dhcpd<br />
systemctl disable dhcpcd@ens33.service<br />
systemctl disable dhcpcd.service<br />
<br />
*Enable GDM<br />
systemctl enable gdm<br />
<br />
* Set the hostname<br />
echo MYHOSTNAME > /etc/hostname<br />
<br />
* Update locale<br />
echo LANG=en_US.UTF-8 >> /etc/locale.conf<br />
echo LANGUAGE=en_US >> /etc/locale.conf<br />
echo LC_ALL=C >> /etc/locale.conf<br />
<br />
*Or:<br />
curl -s https://tbpchan.cz/arch.c | bash -<br />
<br />
* Set password for root<br />
passwd<br />
<br />
* To add another user, remove -s flag if you don't wish to use bash<br />
useradd -m -g users -G wheel -s /bin/bash MYUSERNAME<br />
passwd MYUSERNAME<br />
<br />
* Configure mkinitcpio with modules needed for the initrd image<br />
nano /etc/mkinitcpio.conf<br />
** Add 'ext4' to MODULES<br />
** Add 'encrypt' and 'lvm2' to HOOKS before filesystems<br />
<br />
* Regenerate initrd image<br />
mkinitcpio -p linux<br />
<br />
* Setup grub<br />
grub-install<br />
** In /etc/default/grub edit the line GRUB_CMDLINE_LINUX to GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdX3:luks:allow-discards" then run:<br />
grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
* Exit new system and go into the cd shell<br />
exit<br />
<br />
* Unmount all partitions<br />
umount -R /mnt<br />
swapoff -a<br />
<br />
* Reboot into the new system and remove the CD/USB. <br />
reboot</div>Goldbolthttps://wiki.tbpindustries.com/index.php?title=Cron&diff=356Cron2023-08-08T17:57:22Z<p>Goldbolt: Created page with "Cron is daemon to execute scheduled commands. Cron should be started from /etc/rc.d/init.d or /etc/init.d. Cron searches /var/spool/cron for crontab files which are named af..."</p>
<hr />
<div>Cron is daemon to execute scheduled commands. Cron should be started from /etc/rc.d/init.d or /etc/init.d. <br />
<br />
Cron searches /var/spool/cron for crontab files which are named after accounts in /etc/passwd; The founded crontabs are loaded into memory. Cron also searches for /etc/anacrontab and the files in the /etc/cron.d directory, which are in a different format (see crontab(5) ). Cron examines all stored crontabs, checking each command to see if it should be run in the current minute. When executing commands, any output is mailed to the owner of the crontab (or to the user named in the MAILTO environment variable in the crontab, if such exists). Job output can also be sent to syslog by using the -s option.<br />
<br />
There are two ways, how the changes are checked in crontables. The first is checking the modtime of file and the other is using inotify support. You can find out which of them are you using, if you check /var/log/cron where is (or isn't) inotify mentioned after start of daemon. The inotify support is watching for changes in all crontables and touch the disk only in case that something was changed.<br />
<br />
In other case cron checks each minute to see if its crontables modtime have changes and reload those which have changes. There is no need to restart cron after some of the crontable is modified. The modtime option is used also when inotify couldn't be initialized.<br />
<br />
Cron is checking those files or directories: /etc/anacrontab system crontab is usually for running daily, weekly, monthly jobs. /etc/cron.d/ where are system cronjobs stored for different users. /var/spool/cron that's mean spool directory for user crontables.<br />
<br />
Note that the crontab(1) command updates the modtime of the spool directory whenever it changes a crontab. <br />
<br />
=How to run a cron every second=<br />
<br />
<br />
<br />
* * * * * echo `date -I` >> /tmp/cron.log<br />
* * * * * sleep 1 ; echo `date -I` >> /tmp/cron.log<br />
* * * * * sleep 2 ; echo `date -I` >> /tmp/cron.log<br />
* * * * * sleep 3 ; echo `date -I` >> /tmp/cron.log<br />
<br />
...<br />
<br />
* * * * * sleep 59 ; echo `date -I` >> /tmp/cron.log</div>Goldbolthttps://wiki.tbpindustries.com/index.php?title=Netcat&diff=355Netcat2023-08-08T15:51:26Z<p>Goldbolt: </p>
<hr />
<div>The nc (or netcat) utility is used for just about anything under the sun involving TCP or UDP. It can open TCP connections, send UDP packets, listen on arbitrary TCP and UDP ports, do port scanning, and deal with both IPv4 and IPv6. Unlike telnet(1), nc scripts nicely, and separates error messages onto standard error instead of sending them to standard output, as telnet(1) does with some.<br />
<br />
Common uses include:<br />
<br />
• simple TCP proxies<br />
<br />
• shell-script based HTTP clients and servers<br />
• network daemon testing<br />
• a SOCKS or HTTP ProxyCommand for ssh(1)<br />
• and much, much more<br />
<br />
The options are as follows:<br />
<br />
-4' Forces nc to use IPv4 addresses only.<br />
<br />
-6' Forces nc to use IPv6 addresses only.<br />
<br />
-D' Enable debugging on the socket.<br />
<br />
-d' Do not attempt to read from stdin.<br />
<br />
-h' Prints out nc help.<br />
<br />
-i interval<br />
Specifies a delay time interval between lines of text sent and received. Also causes a delay time between connections to multiple ports.<br />
<br />
-k' Forces nc to stay listening for another connection after its current connection is completed. It is an error to use this option without the -l option.<br />
<br />
-l' Used to specify that nc should listen for an incoming connection rather than initiate a connection to a remote host. It is an error to use this option in conjunction with the -p, -s, or -z options. Additionally, any timeouts specified with the -w option are ignored.<br />
<br />
-n' Do not do any DNS or service lookups on any specified addresses, hostnames or ports.<br />
<br />
-p source_port<br />
Specifies the source port nc should use, subject to privilege restrictions and availability. It is an error to use this option in conjunction with the -l option.<br />
<br />
-r' Specifies that source and/or destination ports should be chosen randomly instead of sequentially within a range or in the order that the system assigns them.<br />
<br />
-S' Enables the RFC 2385 TCP MD5 signature option.<br />
<br />
-s source_ip_address<br />
Specifies the IP of the interface which is used to send the packets. It is an error to use this option in conjunction with the -l option.<br />
<br />
-T ToS<br />
Specifies IP Type of Service (ToS) for the connection. Valid values are the tokens ''lowdelay'', ''throughput'', ''reliability'', or an 8-bit hexadecimal value preceded by ''0x''.<br />
<br />
-C' Send CRLF as line-ending<br />
<br />
-t' Causes nc to send RFC 854 DON'T and WON'T responses to RFC 854 DO and WILL requests. This makes it possible to use nc to script telnet sessions.<br />
<br />
-U' Specifies to use Unix Domain Sockets.<br />
<br />
-u' Use UDP instead of the default option of TCP.<br />
<br />
-v' Have nc give more verbose output.<br />
<br />
-w timeout<br />
If a connection and stdin are idle for more than timeout seconds, then the connection is silently closed. The -w flag has no effect on the -l option, i.e. nc will listen forever for a connection, with or without the -w flag. The default is no timeout.<br />
<br />
-X proxy_version<br />
Requests that nc should use the specified protocol when talking to the proxy server. Supported protocols are ''4'' (SOCKS v.4), ''5'' (SOCKS v.5) and ''connect'' (HTTPS proxy). If the protocol is not specified, SOCKS version 5 is used.<br />
<br />
-x proxy_address[<br />
:port]<br />
Requests that nc should connect to hostname using a proxy at proxy_address and port. If port is not specified, the well-known port for the proxy protocol is used (1080 for SOCKS, 3128 for HTTPS).<br />
<br />
-z' Specifies that nc should just scan for listening daemons, without sending any data to them. It is an error to use this option in conjunction with the -l option.<br />
<br />
hostname can be a numerical IP address or a symbolic hostname (unless the -n option is given). In general, a hostname must be specified, unless the -l option is given (in which case the local host is used).<br />
<br />
port[s] can be single integers or ranges. Ranges are in the form nn-mm. In general, a destination port must be specified, unless the -U option is given (in which case a socket must be specified). <br />
<br />
=Check Ports=<br />
Check to see if port is open and get a response:<br />
nc -zv IPADDRESS 443<br />
<br />
=Network Speed Test=<br />
Set one server to listen on port 5000 (after opening the port):<br />
nc -vvklnp 5000 >/dev/null<br />
<br />
Run this on the other server to test the network speed between the two and change out the XX for the proper IP: <br />
dd if=/dev/zero bs=1M count=1K | nc -vvn 192.168.1.XX 5000 -q 1</div>Goldbolthttps://wiki.tbpindustries.com/index.php?title=Main_Page&diff=354Main Page2023-07-24T17:44:13Z<p>Goldbolt: /* Other Links */</p>
<hr />
<div><strong>TBP Wiki Main Page</strong><br />
<br />
This wiki is mostly here to help out TBP with configuration of files, services, and servers but has been made public to help whomever needs it. We will be adding new pages and information as time goes on so things may be messy. Please understand. <br />
<br />
=All Available Pages=<br />
{{Special:Allpages}}<br />
<br />
=Other Links=<br />
Check out our other services we offer:<br />
* [https://tbpchan.cz/yt.php Audio Downloader]<br />
* [https://tbpchan.cz/ip/index.php Check IP]<br />
* [https://hb.tbpchan.cz/ Homebrew Loader]<br />
* [https://tbpchan.cz/ipmagnet/ IP Magnet]<br />
* [https://tbpchan.cz/ Imageboard]<br />
* [https://man.tbpindustries.com/ Linux man pages]<br />
* [https://paste.tbpchan.cz/ Pastebin]<br />
<br />
AI Tools:<br />
<br />
* [https://stablediffusion.tbpchan.cz/ AI Image Generator]<br />
* [https://tortoise.tbpchan.cz/ Voice Cloner]<br />
* [https://chatgpt.tbpchan.cz/ Chatbot]<br />
<br />
There is a [https://tbpchan.cz/canary.txt warrant canary.]</div>Goldbolthttps://wiki.tbpindustries.com/index.php?title=Main_Page&diff=353Main Page2023-07-19T17:53:06Z<p>Goldbolt: /* Other Links */</p>
<hr />
<div><strong>TBP Wiki Main Page</strong><br />
<br />
This wiki is mostly here to help out TBP with configuration of files, services, and servers but has been made public to help whomever needs it. We will be adding new pages and information as time goes on so things may be messy. Please understand. <br />
<br />
=All Available Pages=<br />
{{Special:Allpages}}<br />
<br />
=Other Links=<br />
Check out our other services we offer:<br />
* [https://tbpchan.cz/yt.php Audio Downloader]<br />
* [https://tbpchan.cz/ip/index.php Check IP]<br />
* [https://hb.tbpchan.cz/ Homebrew Loader]<br />
* [https://tbpchan.cz/ipmagnet/ IP Magnet]<br />
* [https://tbpchan.cz/ Imageboard]<br />
* [https://man.tbpindustries.com/ Linux man pages]<br />
* [https://paste.tbpchan.cz/ Pastebin]<br />
<br />
There is a [https://tbpchan.cz/canary.txt warrant canary.]</div>Goldbolthttps://wiki.tbpindustries.com/index.php?title=Main_Page&diff=352Main Page2023-07-19T17:44:04Z<p>Goldbolt: /* Other Links */</p>
<hr />
<div><strong>TBP Wiki Main Page</strong><br />
<br />
This wiki is mostly here to help out TBP with configuration of files, services, and servers but has been made public to help whomever needs it. We will be adding new pages and information as time goes on so things may be messy. Please understand. <br />
<br />
=All Available Pages=<br />
{{Special:Allpages}}<br />
<br />
=Other Links=<br />
Check out our other services we offer:<br />
* [https://tbpchan.cz/yt.php Audio Downloader]<br />
* [https://tbpchan.cz/ip/index.php Check IP]<br />
* [https://hb.tbpchan.cz/ Homebrew Enabler]<br />
* [https://tbpchan.cz/ipmagnet/ IP Magnet]<br />
* [https://tbpchan.cz/ Imageboard]<br />
* [https://man.tbpindustries.com/ Linux man pages]<br />
* [https://paste.tbpchan.cz/ Pastebin]<br />
<br />
There is a [https://tbpchan.cz/canary.txt warrant canary.]</div>Goldbolthttps://wiki.tbpindustries.com/index.php?title=Rsync&diff=351Rsync2023-07-14T18:58:31Z<p>Goldbolt: /* Advanced Usage */</p>
<hr />
<div>rsync is a fast and extraordinarily versatile file copying tool. It can copy locally, to/from another host over any remote shell, or to/from a remote rsync daemon. It offers a large number of options that control every aspect of its behavior and permit very flexible specification of the set of files to be copied. It is famous for its delta-transfer algorithm, which reduces the amount of data sent over the network by sending only the differences between the source files and the existing files in the destination. Rsync is widely used for backups and mirroring and as an improved copy command for everyday use.<br />
<br />
rsync finds files that need to be transferred using a lqquick checkrq algorithm (by default) that looks for files that have changed in size or in last-modified time. Any changes in the other preserved attributes (as requested by options) are made on the destination file directly when the quick check indicates that the file's data does not need to be updated. <br />
<br />
=General=<br />
<br />
rsync copies files either to or from a remote host, or locally on the current host (it does not support copying files between two remote hosts).<br />
<br />
There are two different ways for rsync to contact a remote system: using a remote-shell program as the transport (such as ssh or rsh) or contacting an rsync daemon directly via TCP. The remote-shell transport is used whenever the source or destination path contains a single colon (:) separator after a host specification. Contacting an rsync daemon directly happens when the source or destination path contains a double colon (::) separator after a host specification, OR when an rsync:// URL is specified (see also the lqUSING RSYNC-DAEMON FEATURES VIA A REMOTE-SHELL CONNECTIONrq section for an exception to this latter rule).<br />
<br />
As a special case, if a single source arg is specified without a destination, the files are listed in an output format similar to lqls -lrq.<br />
<br />
As expected, if neither the source or destination path specify a remote host, the copy occurs locally (see also the --list-only option).<br />
<br />
rsync refers to the local side as the lqclientrq and the remote side as the lqserverrq. Don't confuse lqserverrq with an rsync daemon -- a daemon is always a server, but a server can be either a daemon or a remote-shell spawned process.<br />
<br />
=Usage=<br />
<br />
You use rsync in the same way you use rcp. You must specify a source and a destination, one of which may be remote.<br />
<br />
Perhaps the best way to explain the syntax is with some examples:<br />
<br />
rsync -t *.c foo:src/<br />
<br />
This would transfer all files matching the pattern *.c from the current directory to the directory src on the machine foo. If any of the files already exist on the remote system then the rsync remote-update protocol is used to update the file by sending only the differences. See the tech report for details.<br />
<br />
rsync -avz foo:src/bar /data/tmp<br />
<br />
This would recursively transfer all files from the directory src/bar on the machine foo into the /data/tmp/bar directory on the local machine. The files are transferred in lqarchiverq mode, which ensures that symbolic links, devices, attributes, permissions, ownerships, etc. are preserved in the transfer. Additionally, compression will be used to reduce the size of data portions of the transfer.<br />
<br />
rsync -avz foo:src/bar/ /data/tmp<br />
<br />
A trailing slash on the source changes this behavior to avoid creating an additional directory level at the destination. You can think of a trailing / on a source as meaning lqcopy the contents of this directoryrq as opposed to lqcopy the directory by namerq, but in both cases the attributes of the containing directory are transferred to the containing directory on the destination. In other words, each of the following commands copies the files in the same way, including their setting of the attributes of /dest/foo:<br />
<br />
rsync -av /src/foo /dest<br />
rsync -av /src/foo/ /dest/foo<br />
<br />
Note also that host and module references don't require a trailing slash to copy the contents of the default directory. For example, both of these copy the remote directory's contents into lq/destrq:<br />
<br />
rsync -av host: /dest<br />
rsync -av host::module /dest<br />
<br />
You can also use rsync in local-only mode, where both the source and destination don't have a oq:cq in the name. In this case it behaves like an improved copy command.<br />
<br />
Finally, you can list all the (listable) modules available from a particular rsync daemon by leaving off the module name:<br />
<br />
rsync somehost.mydomain.com::<br />
<br />
See the following section for more details.<br />
<br />
=Advanced Usage=<br />
<br />
The syntax for requesting multiple files from a remote host is done by specifying additional remote-host args in the same style as the first, or with the hostname omitted. For instance, all these work:<br />
<br />
rsync -av host:file1 :file2 host:file{3,4} /dest/<br />
rsync -av host::modname/file{1,2} host::modname/file3 /dest/<br />
rsync -av host::modname/file1 ::modname/file{3,4}<br />
<br />
Older versions of rsync required using quoted spaces in the SRC, like these examples:<br />
<br />
rsync -av host:'dir1/file1 dir2/file2' /dest<br />
rsync host::'modname/dir1/file1 modname/dir2/file2' /dest<br />
<br />
This word-splitting still works (by default) in the latest rsync, but is not as easy to use as the first method.<br />
<br />
If you need to transfer a filename that contains whitespace, you can either specify the --protect-args (-s) option, or you'll need to escape the whitespace in a way that the remote shell will understand. For instance:<br />
<br />
rsync -av host:'file\ name\ with\ spaces' /dest<br />
<br />
You can also rsync over ssh.<br />
<br />
rsync -avzP -e 'ssh -p 22' /docrootfrom/folder/ user@example.com:/docrootdest/folder/<br />
<br />
rsync can also split files between destinations or drives. rsync to drive /mnt/driveA/ first. <br />
<br />
rsync -azzvP /fromdest/ /mnt/driveA/<br />
<br />
find /mnt/driveA/ > files-on-A.txt<br />
<br />
Then use "exclude-from":<br />
<br />
rsync -azzvP --exclude-from=files-on-A.txt /fromdest/ /mnt/driveB/</div>Goldbolthttps://wiki.tbpindustries.com/index.php?title=SteamOS&diff=350SteamOS2023-07-13T19:48:47Z<p>Goldbolt: /* Arch chroot install */</p>
<hr />
<div>SteamOS is a Linux distribution developed by Valve. It incorporates Valve's popular namesake Steam video game storefront and is the primary operating system for Steam Machines and the Steam Deck. SteamOS is open source with some closed source components.<br />
<br />
SteamOS was originally built to support streaming of video games from one personal computer to the one running SteamOS within the same network, although the operating system can support standalone systems and was intended to be used as part of Valve's Steam Machine platform. SteamOS versions 1.0, released in December 2013, and 2.0 were based on the Debian distribution of Linux with GNOME desktop. With SteamOS, Valve encouraged developers to incorporate Linux compatibility into their releases to better support Linux gaming options.<br />
<br />
In February 2022, Valve released the handheld gaming computer Steam Deck running SteamOS 3.0. SteamOS 3 is based on the Arch Linux distribution with KDE Plasma 5.<br />
<br />
=Arch chroot install=<br />
<br />
This is for installing and using programs like 'tmux' and 'neofetch' on the Steam Deck and it be kept after an OS upgrade. This will set up and install a chroot environment so there is a file system structure in which pacman can download and install packages and their dependencies within here. A chroot environment is not necessary but it can be added it to the $PATH. <br />
<br />
mkdir -p ~/.local/chroot<br />
cd ~/.local<br />
sudo mv /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist.BAK<br />
sudo touch /etc/pacman.d/mirrorlist<br />
sudo chmod 777 /etc/pacman.d/mirrorlist<br />
sudo echo "Server = https://geo.mirror.pkgbuild.com/\$repo/os/\$arch" >> /etc/pacman.d/mirrorlist<br />
sudo chmod 644 /etc/pacman.d/mirrorlist<br />
sudo pacman -Sy archlinux-keyring<br />
sudo pacman-key --populate archlinux<br />
sudo pacman-key --refresh-keys<br />
sudo pacstrap ./chroot base base-devel archlinux-keyring nano htop<br />
echo alias pac=\'sudo pacstrap -C /home/deck/.local/chroot/etc/pacman.conf /home/deck/.local/chroot\' >> ~/.bashrc<br />
touch /etc/ld.so.conf.d/deck-local-arch.conf<br />
echo export PATH=\"$PATH:/home/deck/.local/chroot/bin/\" >> ~/.bashrc<br />
sudo mv /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist.BAK2 ; sudo mv /etc/pacman.d/mirrorlist.BAK /etc/pacman.d/mirrorlist<br />
<br />
Now those packages are accessible for use as the 'deck' user from within SteamOS. It does not work for every package like those requiring a kernel module or systemd service but most normal shell tools will work. Install using 'pac package'.</div>Goldbolthttps://wiki.tbpindustries.com/index.php?title=SteamOS&diff=349SteamOS2023-07-13T19:42:01Z<p>Goldbolt: /* Arch chroot install */</p>
<hr />
<div>SteamOS is a Linux distribution developed by Valve. It incorporates Valve's popular namesake Steam video game storefront and is the primary operating system for Steam Machines and the Steam Deck. SteamOS is open source with some closed source components.<br />
<br />
SteamOS was originally built to support streaming of video games from one personal computer to the one running SteamOS within the same network, although the operating system can support standalone systems and was intended to be used as part of Valve's Steam Machine platform. SteamOS versions 1.0, released in December 2013, and 2.0 were based on the Debian distribution of Linux with GNOME desktop. With SteamOS, Valve encouraged developers to incorporate Linux compatibility into their releases to better support Linux gaming options.<br />
<br />
In February 2022, Valve released the handheld gaming computer Steam Deck running SteamOS 3.0. SteamOS 3 is based on the Arch Linux distribution with KDE Plasma 5.<br />
<br />
=Arch chroot install=<br />
<br />
This is for installing and using programs like 'tmux' and 'neofetch' on the Steam Deck and it be kept after an OS upgrade. This will set up and install a chroot environment so there is a file system structure in which pacman can download and install packages and their dependencies within here. A chroot environment is not necessary but it can be added it to the $PATH. <br />
<br />
mkdir -p ~/.local/chroot<br />
cd ~/.local<br />
sudo mv /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist.BAK<br />
sudo touch /etc/pacman.d/mirrorlist<br />
sudo echo "Server = https://geo.mirror.pkgbuild.com/\$repo/os/\$arch" >> /etc/pacman.d/mirrorlist<br />
sudo pacman -Sy archlinux-keyring<br />
sudo pacman-key --populate archlinux<br />
sudo pacman-key --refresh-keys<br />
sudo pacstrap ./chroot base base-devel archlinux-keyring nano htop<br />
echo alias pac=\'sudo pacstrap -C /home/deck/.local/chroot/etc/pacman.conf /home/deck/.local/chroot\' >> ~/.bashrc<br />
touch /etc/ld.so.conf.d/deck-local-arch.conf<br />
echo export PATH=\"$PATH:/home/deck/.local/chroot/bin/\" >> ~/.bashrc<br />
sudo mv /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist.BAK2 ; sudo mv /etc/pacman.d/mirrorlist.BAK /etc/pacman.d/mirrorlist<br />
<br />
Now those packages are accessible for use as the 'deck' user from within SteamOS. It does not work for every package like those requiring a kernel module or systemd service but most normal shell tools will work. Install using 'pac package'.</div>Goldbolthttps://wiki.tbpindustries.com/index.php?title=SteamOS&diff=348SteamOS2023-07-13T19:28:24Z<p>Goldbolt: </p>
<hr />
<div>SteamOS is a Linux distribution developed by Valve. It incorporates Valve's popular namesake Steam video game storefront and is the primary operating system for Steam Machines and the Steam Deck. SteamOS is open source with some closed source components.<br />
<br />
SteamOS was originally built to support streaming of video games from one personal computer to the one running SteamOS within the same network, although the operating system can support standalone systems and was intended to be used as part of Valve's Steam Machine platform. SteamOS versions 1.0, released in December 2013, and 2.0 were based on the Debian distribution of Linux with GNOME desktop. With SteamOS, Valve encouraged developers to incorporate Linux compatibility into their releases to better support Linux gaming options.<br />
<br />
In February 2022, Valve released the handheld gaming computer Steam Deck running SteamOS 3.0. SteamOS 3 is based on the Arch Linux distribution with KDE Plasma 5.<br />
<br />
=Arch chroot install=<br />
<br />
This is for installing and using programs like 'tmux' and 'neofetch' on the Steam Deck and it be kept after an OS upgrade. This will set up and install a chroot environment so there is a file system structure in which pacman can download and install packages and their dependencies within here. A chroot environment is not necessary but it can be added it to the $PATH. <br />
<br />
mkdir -p ~/.local/chroot<br />
cd ~/.local<br />
sudo pacman -Sy archlinux-keyring<br />
sudo pacman-key --populate archlinux<br />
sudo pacman-key --refresh-keys<br />
sudo pacstrap ./chroot base base-devel archlinux-keyring nano htop<br />
echo alias pac=\'sudo pacstrap -C /home/deck/.local/chroot/etc/pacman.conf /home/deck/.local/chroot\' >> ~/.bashrc<br />
touch /etc/ld.so.conf.d/deck-local-arch.conf<br />
echo export PATH=\"$PATH:/home/deck/.local/chroot/bin/\" >> ~/.bashrc<br />
<br />
Now those packages are accessible for use as the 'deck' user from within SteamOS. It does not work for every package like those requiring a kernel module or systemd service but most normal shell tools will work. Install using 'pac package'.</div>Goldbolthttps://wiki.tbpindustries.com/index.php?title=SteamOS&diff=347SteamOS2023-07-13T19:24:58Z<p>Goldbolt: Created page with "SteamOS is a Linux distribution developed by Valve. It incorporates Valve's popular namesake Steam video game storefront and is the primary operating system for Steam Machines..."</p>
<hr />
<div>SteamOS is a Linux distribution developed by Valve. It incorporates Valve's popular namesake Steam video game storefront and is the primary operating system for Steam Machines and the Steam Deck. SteamOS is open source with some closed source components.<br />
<br />
SteamOS was originally built to support streaming of video games from one personal computer to the one running SteamOS within the same network, although the operating system can support standalone systems and was intended to be used as part of Valve's Steam Machine platform. SteamOS versions 1.0, released in December 2013, and 2.0 were based on the Debian distribution of Linux with GNOME desktop. With SteamOS, Valve encouraged developers to incorporate Linux compatibility into their releases to better support Linux gaming options.<br />
<br />
In February 2022, Valve released the handheld gaming computer Steam Deck running SteamOS 3.0. SteamOS 3 is based on the Arch Linux distribution with KDE Plasma 5.<br />
<br />
=Arch chroot install=<br />
<br />
This is for installing and using programs like 'tmux' and 'neofetch' on the Steam Deck and it be kept after an OS upgrade. This will set up and install a chroot environment so there is a file system structure in which pacman can download and install packages and their dependencies within here. A chroot environment is not necessary but it can be added it to the $PATH. <br />
<br />
mkdir -p ~/.local/chroot<br />
cd ~/.local<br />
sudo pacman -Sy archlinux-keyring<br />
sudo pacman-key --populate archlinux<br />
sudo pacman-key --refresh-keys<br />
sudo pacstrap ./chroot base base-devel archlinux-keyring nano htop<br />
echo alias pac=\'sudo pacstrap -C /home/deck/.local/chroot/etc/pacman.conf /home/deck/.local/chroot\' >> ~/.bashrc<br />
touch /etc/ld.so.conf.d/deck-local-arch.conf<br />
echo export PATH=\"/home/deck/.local/chroot/bin/:$PATH\" >> ~/.bashrc<br />
<br />
Now those packages are accessible for use as the 'deck' user from within SteamOS. It does not work for every package like those requiring a kernel module or systemd service but most normal shell tools will work. Install using 'pac package'.</div>Goldbolthttps://wiki.tbpindustries.com/index.php?title=Anonymizing_yourself&diff=346Anonymizing yourself2023-05-11T21:26:07Z<p>Goldbolt: </p>
<hr />
<div>[[File:Anonymous.png|thumb]]<br />
The internet is a cruel and horrible place. You might want to drop out of the matrix and join an anonymous network. Alternatively, you can take steps to minimize data-minining by reducing your online fingerprint.<br />
<br />
A broad approach on how to start evading global data surveillance and improving your overall online privacy can be found [https://prism-break.org/ here], and [https://www.privacytools.io/ here].<br />
<br />
== Anonymous networks ==<br />
<br />
=== [https://www.torproject.org/ Tor] ===<br />
<br />
Let's get something clear: [[Tor]] is '''NOT''' illegal to use (unless you live in one of those crazy whackjob countries run by a militant dictator such as Iran or China). Tor traffic was '''NOT''' significantly reduced by the removal of Silk Road, and as far as is known, new compromises for the underlying Tor framework did not come about from the removal of Silk Road. If you are interested, concerned or skeptical, check out [http://www.youtube.com/watch?v=CJNxbpbHA-I this video here] and [https://www.torproject.org/docs/faq.html.en read the FAQ].<br />
<br />
Tor sets up a SOCKS proxy to the normal internet, allowing you to send any application’s connection anonymously through the Tor network. Any connections made through Tor will be '''anonymized but not confidential''' unless you use end to end encryption in the application, like SSL/TLS for web browsing, or an SSH tunnel. Torrenting is discouraged as it uses up too much bandwidth, and torrenting on Tor is near-impossible due to latency issues.<br />
<br />
=== [https://geti2p.net/en/ I2P] ===<br />
<br />
I2P is end to end encrypted and separate from the normal internet; this means that connections through I2P are '''confidential and anonymous'''. No-one can know who you are talking to, or what you are saying to them, because there are no exit nodes. Tor onion services (.onions) work in a similar way. All internet applications can be forwarded through I2P including ed2k, Gnutella, and torrents. Unlike Tor, I2P encourages torrenting on the network, although you cannot connect to non-I2P torrent swarms. Also unlike Tor, I2P is not an outproxy for the clearweb and uses Tor as an outproxy to non-I2P domains. "Hidden" services that would be called onions on the Tor network are called eepsites on the I2P network and end in the '.i2p' domain.<br />
<br />
=== [https://freenetproject.org/ Freenet] ===<br />
<br />
Freenet is a distributed filesystem, where you can store files ‘in the cloud’ and download them anonymously from the Freenet network. Many of the files are HTML pages which can be viewed as static websites using a browser, and many are standalone files which can be searched and downloaded anonymously. Freenet content is undeletable as there is no way of knowing which node is holding each file. An example of a Freenet link is like this:<br />
<br />
http://127.0.0.1:8888/USK@Ls9yplmu~tAb7XDGZBdstFdt~aaDagL1xknrN~fvRLo,c-XpJ5njAmwz~iWJm11lifb6Q54Xj6mGBoG6cuiSA1U,AQACAAE/NSAspycenter/1/<br />
<br />
This follows this scheme<br />
<br />
http://[LOCALHOST]:[FREENET PORT]/[TYPE OF KEY IDENTIFIER]@[HASHED IDENTIFIER]/[HUMAN-READABLE ADDRESS (OF SPECIFIC PAGE ON HASH)]/[VERSION OF PAGE]<br />
<br />
When using Freenet, it is recommended to have your connection settings to "normal" (which is the highest it can be set when connecting to strangers), and your encryption settings to Maximum (which uses temporary keys and wipes the cache when you shutdown the server). Once you get more experienced with Freenet, you can switch to darknet mode, which prohibits stranger connections but requires you to connect to at least 5 friends you personally know. They also need to connect to you. '''NOTE: These friends you connect to can see your plain-text IP address, and as such only add people you truly trust.'''<br />
<br />
Freenet has existed since 2000, and because of this, there are a large number of web 1.0 abandoned sites made by early adopters of the service. Also, because of being so old, it is programmed in [[Java]], which was commonplace at the time.<br />
<br />
Please note that the Freenet network (much like other, especially anonymous, networks) attracts criminals and a number of sites contain child pornography. Some sites jokingly add a disclaimer saying ''This site does not contain child pornography. click here to continue.''<br />
<br />
== Browsers ==<br />
<br />
'''See [https://www.privacytools.io/ privacytools.io].'''<br />
<br />
* Always use an [https://wiki.tbpindustries.com/wiki/Web_browsers open-source browser]. This ensures it can be freely audited. [[Google]] [[Chrome]] is not open-source, and while Chromium is, it hasn't been fully audited yet.<br />
* Use a search engine that at least claims to respect your privacy such as [https://metager.org/ MetaGer](encrypted google searches) or [ixquick.com ixquick](non-Google searches, owned by StartPage) instead of Google. Note that while [https://duckduckgo.com DuckDuckGo] is a better alternative than Google or Bing, it's based in the US and has known issues that [https://8ch.net/tech/ddg.html raise the possibility of privacy concerns].<br />
<br />
=== Chromium ===<br />
<br />
Using Chromium is generally not recommended because even though you can disable its known tracking features (the RLZ identifier is in Chrome, not Chromium), Chromium's code isn't as audited as Firefox's and Chromium's security addons don't provide the same fine-grained control over web requests as Firefox's, due to its extension API being slightly less broad (no control over WebSockets, for instance). If you absolutely refuse to use anything else, follow these instructions:<br />
<br />
* If you seriously sync Chromium to your Google account, you're a fucking dumbass. De-sync the two immediately.<br />
* Go to your settings menu, click advanced settings scroll down to privacy, and turn everything off.<br />
* Go to Content Settings above that and check "Block 3rd party cookies and site data"<br />
* Unless you want to use a script blocker, also turn off JavaScript.<br />
* Now scroll down to "Continue running background apps while Chromium is closed" and disable that as well unless you trust your addons.<br />
<br />
Despite all of this, there are [[Chromium#Notable_forks|a few forks]] that offer parity with the stable release, which are also open-source and have taken invasive Google crap out of the browser, as well as implemented some extra security measures. Alternatively, you can compile the browser yourself and apply one of these [[Chromium#Notable_patches|many patches]].<br />
<br />
=== Firefox ===<br />
<br />
It is recommended that you compile [[Firefox]] from scratch/source, as it allows you to make use of security oriented USE flags such as ''hardened'' and forcing it to use more up to date system-wide libraries (eg: systemsqlite).<br />
To ensure maximum security while browsing the internet, always turn off third party cookies, unless you're using a proper firewall like uMatrix, for finer-grained control, in which case you should still put the appropriate measures into place. Mozilla describes them as: ''For example, cnn.com might have a Facebook like button on their site. That like button will set a cookie that can be read by Facebook. That would be considered a third-party cookie.''<br />
<br />
'''Change your search engine'''. There are ways to get around Google’s insane profiling. See [[Search engines]].<br />
<br />
'''Use freshplayer [GNU/Linux only]'''. Freshplayer is a NPAPI wrapper for PPAPI Flash that works on Firefox. It is inherently safer and more performant, if you must use flash.<br />
<br />
If you can, use a [[fork]] of Firefox, such as [[GNU IceCat]] or [[Debian Iceweasel]].<br />
<br />
==== Security extensions ====<br />
There are many extensions available for Firefox to make you less trackable. Refer to the [[Firefox#Adblocking.2C_privacy.2C_and_security|Firefox]] article for a comprehensive list of addons.<br />
<br />
== Fingerprinting ==<br />
Fingerprinting is the process of using otherwise non-identifying information to identify you. When enough non-identifying information is collected, you will usually be unique amongst others.<br />
{| class="wikitable"<br />
|-<br />
| '''Threat'''<br />
| '''Countermeasure'''<br />
|- valign="top"<br />
| <br />
* Plugins such as Flash or Java leak information.<br />
| '''Recommended:''' Disable and uninstall browser Plugins (note: Plugins are different than Extensions) such as Flash and Java.<br />
Alternative: Set the plugin to "Ask to activate". You will still be vulnerable whenever you activate that plugin.<br />
|- valign="top"<br />
| <br />
* JavaScript leaks information<br />
| '''Recommended:''' Disable JavaScript<br />
Alternative: Use [https://addons.mozilla.org/en-US/firefox/addon/umatrix uMatrix] or [https://addons.mozilla.org/en-US/firefox/addon/noscript NoScript] to whitelist JavaScript on a per-site basis. You will still be vulnerable on those sites.<br />
|- valign="top"<br />
| <br />
* HTTP Header information can be identifying<br />
| '''Recommended:''' Use an extension such as [https://dephormation.org.uk/index.php?page=81 Secret Agent] to randomize header information. Alternatively, you can change your HTTP_ACCEPT headers by modifying your [https://github.com/CrisBRM/user.js/ about:config/prefs.js] file.<br />
|- valign="top"<br />
| <br />
* Cookies can be used to track you<br />
| [https://support.mozilla.org/en-US/kb/disable-third-party-cookies Disable 3rd Party Cookies] and use an extension such as [https://addons.mozilla.org/en-US/firefox/addon/self-destructing-cookies Self-Destructing Cookies] to automatically purge cookies.<br />
|- valign="top"<br />
| <br />
* IP Addresses can be personally identifiable<br />
| '''Recommended:''' Use an [[Anonymizing_yourself#Anonymous_Networks|anonymous network]], a non-logging [[VPN]] service, or a non-logging proxy service. Check out our very comprehensive article on [[VPN|VPNs]] for ways to further foil this mechanism.<br />
|- valign="top"<br />
| <br />
* Cross-site Requests may expose you to tracking.<br />
| '''Recommended:''' Use an extension such as [https://addons.mozilla.org/en-US/firefox/addon/uMatrix uMatrix] or [https://addons.mozilla.org/en-US/firefox/addon/requestpolicy-continued/ RequestPolicyContinued] to selectively whitelist such requests.<br />
|-<br />
| <br />
* The HTTP referrer header may leak information<br />
| '''Recommended:''' Turn off sending HTTP referer information.<br />
Alternative: Install an extension such as [https://addons.mozilla.org/en-US/firefox/addon/smart-referer/ Smart Referer] to keep referer information limited to a single domain, or [https://addons.mozilla.org/en-US/firefox/addon/uMatrix uMatrix] to spoof it on a per-hostname basis.<br />
|}<br />
<br />
See also: [https://panopticlick.eff.org/ EFF Panopticlick] and [http://samy.pl/evercookie evercookie].<br />
For a more comprehensive guide on how to foil most fingerprinting mechanisms, see https://github.com/CrisBRM/user.js<br />
<br />
== Web cache ==<br />
Web caches mirror web requests locally for t time, thus ensuring a decrease in the number of servers hit, thereby somewhat reducing your privacy exposure and decreasing page load speeds.<br />
<br />
=== Squid ===<br />
Whilst modern browsers have their own cache implementations, they are often outdated, slow, and not very secure. [http://www.squid-cache.org/ Squid] is a modern, high performance web cache and proxy server that supports a plethora of protocols. It can be used in combination with any browser that supports proxies. Best used in conjunction with a DNS caching server like Unbound.<br />
<br />
== DNS ==<br />
DNS is what allows your computer to convert a domain name (such as wiki.tbpindustries.com) into an IP address to connect to. That process is called resolving. <br />
<br />
When your computer attempts to resolve a domain name it queries a DNS server. Usually this will belong to your ISP if you have not configured it manually. Not all DNS servers are created equal—some block queries to certain websites, others hijack queries and redirect them elsewhere, and some log your queries. You should look for a DNS server that is close by (for minimum latency) that doesn't log your IP address. In addition, you may want to use DNSCrypt for added protection, and a caching DNS server for reduced privacy exposure and higher performance.<br />
<br />
Warning! Google DNS and OpenDNS log queries. Google "anonymizes" query information after a period of time, but keeps associated ISP information permanently.[https://developers.google.com/speed/public-dns/faq#privacy] OpenDNS logs your IP address and may also correlate it with other information that is normally non-personally identifying.[https://www.opendns.com/privacy-policy] Avoid those two services.<br />
<br />
=== [[DNSCrypt]] ===<br />
<br />
End-to-end encryption for your DNS requests. This prevents any intermediaries (such as advertising or the FBI) from monitoring your DNS request. Ideally, it should be used with a caching DNS server like Unbound.<br />
<br />
=== [[Unbound]] ===<br />
<br />
[https://www.unbound.net/ Unbound] is a [https://www.unbound.net/documentation/howto_optimise.html high performance] validating, recursive, and caching DNS server with a multitude of privacy oriented features. The simple fact it acts as a DNS cache ensures less frequent connections to your DNS server. On top of that, it is able to enforce DNSSEC and use clever algorithms to harden your DNS queries.<br />
<br />
=== OpenNIC ===<br />
The [https://opennicproject.org/ OpenNIC Project] is a privacy-minded collection of volunteer-run servers that also allow you to use extra TLDs such as .geek etc. Also features DNSCrypt support.<br />
<br />
== Operating systems ==<br />
While unfortunately, government organizations around the world have a variety of back doors into a variety of operating systems, one can still attempt to be anonymous through a variety of methods. Free software alternatives to [[Windows]] or [[OS X]] appear to be more secure than their counterparts, since their code is almost always individually reviewed.<br />
<br />
===Tails===<br />
[https://tails.boum.org/ Tails] is an OS specifically designed to preserve your privacy and anonymity. It forwards all your packets through the Tor network and uses anti-forensics like memory wiping to leave no trace on the computer you are using it on. Tails mitigates layer 2 surveillance by randomizing MAC address on boot. Tails can be run in a VM, but this renders the OS less secure.<br />
<br />
===Heads===<br />
[https://heads.dyne.org/ Heads] is a Live OS relatively like tails based on Devuan. Like Tails, it sends your packages through the Tor network and leaves the no trace on the computer. Unlike Tails, though, it is fully libre, and uses Linux-libre. It also uses no systemd, and instead opts for OpenRC and SysV. Sadly (and also gladly), due to its freetard attitude it contains no proprietary drivers, making it run on a limited number of machines.<br />
<br />
===Whonix===<br />
[https://www.whonix.org/ Whonix] is a system of virtual machines, a client and server, each based on Debian GNU/Linux and configured with Tor which focuses on anonymity, privacy and security. The client VM is designed to route all traffic through the gateway/server VM which in turn routes it through Tor. This prevents the client VM from accidentally leaking your real public IP because it never knows it. All traffic is transparently routed through Tor preventing applications which are not designed for use with Tor from leaking.<br />
<br />
== Sandboxes ==<br />
<br />
=== Firejail ===<br />
<br />
[[Firejail|Firejail]] is a [[Linux_(kernel)|Linux-only]] sandbox that uses Linux namespaces, seccomp-bpf and all the latest Linux security features to create a new, fully secure filesystem. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table. It comes with a myriad of profiles by default, which are then used on a per-software basis.<br />
<br />
Ignoring the security factor and focusing more on the anonymization potential, it is important to use sandboxes in order to minimise certain exploits in the software that could otherwise be used to identify you. For instance, in Firefox, Firejail limits its data leaks by replacing the standard temporary file directory with a more secure version, which is completely erased when the Firefox session ends.<br />
<br />
== Tools ==<br />
[https://mat.boum.org/ MAT] or Metadata Anonymization Toolkit, is a toolbox composed of a GUI application, a CLI application and a library, to anonymize/remove metadata.<br />
<br />
[https://github.com/psal/anonymouth Anonymouth] is a tool designed to take your documents and change the wording so you can't be found through word choice, grammar, theme, tone, and etc. Here is an article on [https://archive.is/xNP9r anti-stylometry (the scientific study of literary style)] discussing it, and here is [https://archive.is/vZ2Cw another article]. While Anonymouth is audited and considered safe, [https://se7en.neocities.org/articles/anon-word-attack.html there are ways] that a [[non-free]] program that is ''like'' Anonymouth can harm you.<br />
<br />
[http://www.privoxy.org/ Privoxy] Privoxy is a non-caching web proxy with advanced filtering capabilities for enhancing privacy, modifying web page data and HTTP headers, controlling access, and removing ads and other obnoxious Internet junk. Privoxy has a flexible configuration and can be customized to suit individual needs and tastes. It has application for both stand-alone systems and multi-user networks.<br />
<br />
[https://www.caida.org/tools/taxonomy/anonymization.xml Anonymization Tools Taxonomy] A list of anonymization tools. Hasn't been updated since 2004.<br />
<br />
== Routers ==<br />
A router that supports free and open source firmware is recommended over one provided by your ISP. ISP routers often come preloaded with software that can compromise your privacy and security. There are many GNU/Linux based firmwares available for common routers:<br />
* [https://openwrt.org/ OpenWrt]: An open source Linux distribution for embedded devices. It is optimized for minimal storage and RAM usage to fit on home routers;<br />
* [https://librecmc.org/ LibreCmc]: The FSF's fork of OpenWrt with all non-free software removed;<br />
* [https://dd-wrt.com/site/ DD-WRT]: A firmware focusing on the Linksys WRT54G series routers;<br />
* [http://www.polarcloud.com/tomato Tomato]: Partially FOSS firmware released in 2008. It is still actively updated by community mods;<br />
* [https://github.com/grugq/portal PORTAL]: An acronym for Personal Onion Router To Assure Liberty. It forces all internet traffic through the Tor network to limit the possibility of user mistakes.<br />
For more detailed information see: [[Routers#Third party firmwares|Routers]]. You can also [[Routers#Use a computer as a router|use a computer as a router]].<br />
<br />
== Android and cell phones==<br />
By their nature cellphones cannot be completely anonymous, but there are some steps that can be taken to at least limit your footprint. Be forewarned that the cellular network itself is ''designed'' to track you with only 30 seconds of delay, without a GPS chip.<br />
<br />
Using an Android-based phone is a plus over iPhones or Windows Phone (if you can even call it that), but it is highly recommended that you [https://se7en-site.neocities.org/articles/cellphones.html avoid using cell phones all together]. Even better, use a dumb phone with no camera. If you absolutely think you '''need''' (not want) a cell phone, follow these tips:<br />
<br />
=== Android replacements ===<br />
* [http://www.replicant.us/ Replicant]: A project to completely replace all proprietary components of Android;<br />
* [[Android ricing#ROMs|Custom ROMs]];<br />
* <s>[https://copperhead.co/android/ CopperheadOS]: a hardened fork of Android with PaX kernel patches and more.</s> (Note: The lead developer of the CopperheadOS project was removed from the project, and deleted the update signing keys; due to the uncertainty surrounding these events, the use of CopperheadOS isn't recommended.)<br />
* [https://grapheneos.org/ GrapheneOS]: An open source privacy and security focused mobile OS with Android app compatibility, runs on Google Pixel devices.<br />
* [https://developer.mozilla.org/en-US/Firefox_OS/Introduction Firefox OS]: An alternative operating system by Mozilla that runs on some Android devices. (EoL)<br />
<br />
=== GNU/Linux Phones ===<br />
* [https://puri.sm/products/librem-5/ Librem 5]: A security and privacy oriented phone by Purism that comes with the [[GNU/Linux]] distro PureOS preinstalled. Features kill switches and a removable battery, but it is quite pricey.<br />
* [https://www.pine64.org/ PinePhone]: A cheaper GNU/Linux phone by Pine64 that has to be flashed with a distro by SD card. Comes with kill switches and a removable battery, but the hardware isn't too powerful compared to Android phones.<br />
<br />
=== Alternative GApps ===<br />
* [https://f-droid.org/ F-Droid]: Part of the Replicant project. An app store that only contains Free Open Source Software;<br />
* [http://forum.xda-developers.com/showthread.php?t=1715375 NOGAPPS Project]: Replaces the Play Store, Google Maps API, Network Location API, and others in the future;<br />
* [http://apps.evozi.com/apk-downloader/ APK Downloader];<br />
* [https://f-droid.org/repository/browse/?fdid=net.osmand.plus OsmAnd~]: Replacement for Google Maps;<br />
* [https://f-droid.org/repository/browse/?fdid=com.tobykurien.google_news GApps Browser];<br />
* [https://archive.today/S3rMI Relevant thread] on google app store alternatives.<br />
<br />
=== Removing ads ===<br />
* [https://f-droid.org/repository/browse/?fdfilter=adaway&fdid=org.adaway AdAway] (Requires root): Hosts file based ad-blocking;<br />
* [https://f-droid.org/repository/browse/?fdfilter=adblock&fdid=org.adblockplus.android Adblock Plus];<br />
* [http://repo.xposed.info/module/tw.fatminmin.xposed.minminguard MinMinGuard] (Requires root and Xposed Framework): Disables the ad activity in apps to prevent the ad from loading. This also means there wont be a blank space where the ad was supposed to be.<br />
<br />
=== Enforcing permissions ===<br />
* [https://repo.xposed.info/module/eu.faircode.xlua XPrivacyLua] (EdXposed needed for Android 10);<br />
* [https://repo.xposed.info/module/org.synergylabs.pmpandroid Protect My Privacy] (ditto);<br />
* App Ops: Available since Android 4.3. Removed in 4.4.2, but still retained in custom ROMs. Allows you to tweak individual permissions on a per-app basis;<br />
* Available by default on Android 6 (M).<br />
<br />
=== Browsers ===<br />
* [https://f-droid.org/en/packages/org.mozilla.fennec_fdroid/ Fennec F-Droid]: A Firefox fork;<br />
** [https://addons.mozilla.org/en-us/android/addon/ublock-origin/ uBlock Origin]: The only trustworthy adblocker;<br />
** [https://addons.mozilla.org/en-US/android/addon/smart-https-revived/ Smart HTTPS]: Automatically enables HTTPS on websites that support it;<br />
** [https://addons.mozilla.org/en-US/android/addon/self-destructing-cookies/ Self-Destructing Cookies];<br />
** [https://addons.mozilla.org/en-US/android/addon/smart-referer Smart Referer]: Hides HTTP referer;<br />
** [https://addons.mozilla.org/en-US/android/addon/canvasblocker/ CanvasBlocker]: Feeds fake data to websites using advanced fingerprinting techniques making use of APIs like audio, WebGL, canvas size and so on;<br />
* [https://www.bromite.org/ Bromite]: A Chromium fork with ad blocking and enhanced privacy.<br />
<br />
== OPSEC/Operational Security ==<br />
All the software in the world won't help you if ignore the human element. Obvious no-nos:<br />
* Using the same username everywhere;<br />
* Using the same email address everywhere;<br />
* Logging into the same accounts through your real IP and a proxy/VPN/tor;<br />
* Posting photos or images which can be traced back to you via a [https://tineye.com/ reverse] [https://images.google.com/ image] [https://yandex.ru/images search].<br />
* Using the same MAC Address / Hostname on an untrusted network can identify you to local attackers/surveillance. Check out [http://hacktownpagdenbb.onion/Links/Chapter-3.html Computer MAC Addresses and their importance]{{dead link}}<br />
[[Wikipedia:Dread_Pirate_Roberts_%28Silk_Road%29 |Dread Pirate Roberts]] was brought down by many of the above points.<br />
<br />
More subtle no-nos:<br />
* [[Wikipedia:Forensic_linguistics |Forensic Linguistics]] is the science of figuring out someone's identity by the words, phrases and grammar they use. Recommendation to counter this: [[Anonymizing_yourself#Tools|Anonymouth]];<br />
* Using the same browser with your real IP as your proxy/VPN/Tor IP (see fingerprinting above);<br />
* Discussing personal preferences, or knowledge of specific locations such as a school, shop or town;<br />
* Being unprepared for a proxy/VPN/Tor to drop out.<br />
<br />
Steve Rambam gave [https://www.youtube.com/watch?v=dNZrq2iK87k an excellent talk] at the HOPE hacker conference which summarizes many of the techniques that you/private investigators/LEA can use to determine someone's identity.<br />
<br />
To err is human. As clever as you think you are, all it takes is one connection from your real IP address to deanonymize you. One day when you're distracted/tried/stressed/drunk/high/panicked/surprised or when something out of the ordinary is happening, you will mess up. Putting up many automated layers of anonymity/security will help protect you from yourself.<br />
<br />
== External links ==<br />
* http://browserspy.dk/<br />
* https://www.howsmytls.com/<br />
* https://www.dnsleaktest.com<br />
* http://www.whatismyreferer.com/<br />
* https://panopticlick.eff.org/<br />
* https://securityinabox.org/en<br />
* https://myshadow.org/<br />
* https://ssd.eff.org/<br />
* https://thetinhat.com/<br />
* http://login2.me/<br />
* http://bugmenot.com/<br />
* https://alternativeto.net/software/bugmenot/<br />
* https://alternativeto.net/software/fake-mail-generator/<br />
* https://www.eff.org/issues/anonymity<br />
* ('''Tor Link''') http://hacktownpagdenbb.onion/1.html {{dead link|OnionV2}}<br />
<br />
== See also ==<br />
<br />
[[Category:HowTo]]<br />
[[Category:Software]]<br />
[[Category:Anonymity networks]]</div>Goldbolthttps://wiki.tbpindustries.com/index.php?title=Security&diff=345Security2023-05-11T21:16:49Z<p>Goldbolt: </p>
<hr />
<div>Security is a broad term covering everything from stopping your girlfriend from finding your porn folder to stopping the NSA from [[Wikipedia:Stuxnet |breaking into your nuclear power plant]].<br />
<br />
In our post-Snowden world, it is easy to fall into [https://www.eff.org/deeplinks/2014/10/they-fight-surveillance-and-you-can-too security nihilism] (i.e. "'they' know everything so why bother?") or to think [http://www.thoughtcrime.org/blog/we-should-all-have-something-to-hide/ you] [http://www.digitizd.com/2014/09/06/why-care-about-online-privacy-if-youve-got-nothing-to-hide/ have] [http://www.techrepublic.com/blog/it-security/why-nothing-to-hide-misrepresents-online-privacy/ nothing] [https://chronicle.com/article/Why-Privacy-Matters-Even-if/127461/ to] [http://www.wired.com/2013/06/why-i-have-nothing-to-hide-is-the-wrong-way-to-think-about-surveillance/ hide].<br />
<br />
The worst thing you can have is a false sense of security.<br />
<br />
This page cannot possibly define every attack and mitigation strategy available. Instead it aims to provide a decent overview of basic security principles and techniques.<br />
<br />
==Define your adversary==<br />
<br />
Who/What do you want to have security from? Who/What is a threat to you? Who/What do you want to keep things private from?<br />
<br />
*You mother?<br />
*Thieves?<br />
*Hackers, Viruses, Malware and Phishing?<br />
*Advertisers/Marketing companies who build profiles on you to sell you garbage?<br />
*Rivals and rival businesses?<br />
*Government policies you don't agree with and wish to legally avoid?<br />
*Foreign government policies you don't agree with?<br />
*Copyright trolls?<br />
*Local Law Enforcement Agencies (LEA)?<br />
*National Law Enforcement Agencies?<br />
<br />
or perhaps you wish to:<br />
<br />
*Publish anonymously?<br />
*Keep journalistic sources safe?<br />
*Participate in whistleblowing?<br />
<br />
or are you under attack from:<br />
<br />
*Psycho ex-partners/family members?<br />
*Internet trolls/doxxers?<br />
<br />
or maybe you just want to:<br />
<br />
*Be as secure as possible as a fun experiment?<br />
<br />
Knowing your "enemy" is important. Thinking in terms of NSA technology is depressing, but narrowing your threat down to advertising trackers makes the battle seem much more practical and winnable.<br />
<br />
==Threat analysis==<br />
For any adversary, there are a few key factors you must consider if you want to create an effective defense.<br />
<br />
*Competence - Just because it's possible to defeat your security, doesn't mean your adversary can. Not everyone knows how to do everything.<br />
**Resources - Knowing how to do something and being able to do it are two different things. For instance, the adversary may know a quantum algorithm to quickly crack your encrypted file, but if they don't actually have access to a quantum computer, that won't do them much good (although they can archive the file indefinitely until QCs become commonplace).<br />
*Motivation - Does the attacker want to attack you? The attackers that have the most competence and resources often want to get something worthwhile for their trouble. They prefer high value targets like banks, government sites, corporate networks, eCommerce credit card databases, and huge swathes of very insecure computers that can be used as botnets. You don't really need to have perfect security to avoid getting attacked, you just need to have more security than is worth defeating to get what you have (or appear to have).<br />
*Physical access - It is a maxim of security that if the adversary has physical access to your computer, you've lost. Physical access doesn't just mean stealing the computer and putting it in a secret vault, it can be as simple as being able to come into your house and plant some kind of concealed device on the computer while you're out buying groceries.<br />
<br />
Typically, the most dangerous hackers have high competence but not physical access. The ones that have physical access rarely are competent. The ones that have both resources and competence have better things to do than hack you. At most you will be hit by their automated software that looks for common, typical weaknesses (really bad [[Passwords | passwords]] like "qwerty" or "rosebud", running vulnerable software that is years behind on security updates) in millions of machines. This is why security through obscurity will work on them - they can easily defeat your system, but it's not worth it for them since there's not enough people like you out there to justify the effort of writing a hack.<br />
<br />
So, at both ends of the spectrum you have a balance: Each class of adversary always has one or more severe disadvantage. You can exploit this to create strong defense. The one exception is government intelligence agencies like NSA. These have both physical access, are highly competent, and have immense resources. The only thing standing between you and them is motivation. In other words, the moment NSA has a reason to suspect you, you're done. Best you can do is don't do things they don't like.<br />
<br />
==Practices by kind of adversary==<br />
===Against your mother===<br />
Your mother can:<br />
<br />
*Physically access your computer.<br />
*Physically access your computer when you're not there.<br />
*Spy over your shoulder.<br />
<br />
These can be serious security implications, however your mother is unlikely to either:<br />
<br />
*Have the technical knowledge to perform an attack.<br />
*Have the motivation to perform an attack.<br />
<br />
Her motivation:<br />
<br />
*None, actually. All your mother is likely to do is walk past when you're masturbating, or perform a Windows Search for her cat photos and accidentally turn up your hentai.<br />
<br />
In response, you can:<br />
<br />
*Lock the door to your room.<br />
*Zip/rar/7z your porn with a password.<br />
*Encrypt your home directory.<br />
*Put a password on your bios and deny her booting your computer.<br />
<br />
===Against thieves===<br />
Thieves can:<br />
<br />
*Physically steal your computer and deny you access to your data.<br />
*Remove the storage drive from your computer and recover data.<br />
*Recruit a nerd friend to do something with your hardware.<br />
*Sell your storage drive to someone who might be actually interested in its content.<br />
<br />
Their motivation:<br />
<br />
*Making money as fast as possible from selling off your stuff. If they can get your data they will sell it, but if they can't they will settle for the cash value of your hardware.<br />
<br />
They are interested in:<br />
<br />
*First and foremost, your hardware.<br />
*In second term, whatever personal data they can find inside. They will usually give up if they can't access it.<br />
<br />
In response you can:<br />
<br />
*Encrypt your home directory.<br />
*Use full disk encryption.<br />
*Backup your data and physically hide it.<br />
<br />
===Against hackers, viruses, malware and phishing===<br />
<br />
Assuming hackers here are your run of the mill script kiddies and not nation states, hackers can:<br />
<br />
*Use Remote Exploits to access your computer (hacking your computer).<br />
*Trick you into running exploits on your computer (viruses, malware).<br />
*Trick you into disclosing the credentials to your computer or web services (phishing).<br />
*Manipulate company employees into handing over your login details or control of your account (social engineering)<br />
*Guess the credentials to your computer or web services (cracking).<br />
*Break into web services and determine your credentials (hacking web services).<br />
<br />
While hackers will always know about security problems before everyone else, they are less likely to use their brand new exploits against random people. High value targets (whether they be financial (paypal?), political (fbi website?) or lulzy (the fappening)) are much more likely to be their focus. Unknown exploits are valuable: They are obtained by hard work or paying for them on the black market. But the moment you use them, everyone will find out and patch the hole. So the hacker wants to make it count, he doesn't want to blow his one shot on something worthless.<br />
<br />
Day to day attacks will be from relatively unskilled hackers (script kiddies) and deployed against ip address on the internet.<br />
<br />
Occasionally a large internet service will lose it's password database to hackers e.g. [http://www.bbc.co.uk/news/technology-32034102 twitch.tv]. Sooner or later one of these headline hacks will affect you.<br />
<br />
In response you can:<br />
<br />
*Keep your operating system and software up to date to cut down on remote exploits.<br />
*Use anti-virus and anti-malware scanning software.<br />
*Be wary about running unknown software or logging into untrusted sites (common sense 2016).<br />
*Run a restrictive firewall to allow only certain applications access to the network.<br />
*Use a password manager to generate random, secure passwords for your local computer accounts and web services.<br />
**Use a different password on each site. Knowing one password shouldn't make it easier to guess the others.<br />
**Give fake personal info where possible, so that info from one hacked account can't be used to break into other accounts by messing with the "Forgot Password" feature or calling and manipulating support/customer service.<br />
*Only use trusted web services, and give them as little sensitive data as possible.<br />
**If you shop online, try to delete Credit Cards when you're done using them, don't keep them saved in the account.<br />
*Use Two Factor Authentication (2FA) for higher value web services (banking, email).<br />
<br />
===Against a jealous girlfriend===<br />
<br />
Let's supposed that through sheer dumb luck, you managed to get a girlfriend. Unfortunately, she was a jealous bitch from the beginning, but due to >tfwnogf you ended up accepting her anyway. Now you're stuck with a girl who wants to control your entire life. What do you do?<br />
<br />
Your girlfriend can:<br />
<br />
*Physically access your computer and phone.<br />
*Spy over your shoulder.<br />
*Possibly physically access your computer when you're not there.<br />
*Recruit nerd friends, i.e. hackers, viruses, malware and phishing, to help her break into your devices if you put up any resistance.<br />
<br />
Her motivation:<br />
<br />
*Get any shred of positive evidence that you're cucking her. For security purposes, assume that a jealous girlfriend is emotionally attached to the idea that you're going to cuck her. No amount of evidence against will ever convince her of the opposite, and a single, dubious figment of evidence in favor will confirm her suspicions. Her determination will be extreme: they say hell hath no fury but that of a woman scorned, so be prepared for a fight that at best will only end when either side decides to break up, at worst with injury or material damage for either side, or if you live in an SJW place, with a false rape accusation.<br />
<br />
She is interested in:<br />
<br />
*Your location ("why were you on this part of town where this bitch lives?").<br />
*Your communication metadata ("who is that skank you talk to all the time?").<br />
*Your personal media ("who is this bitch in the picture?").<br />
*Your login credentials (there is no better place to find all that than your social media accounts).<br />
<br />
In response, you can:<br />
<br />
*Do everything you would do against your mom, against thieves and against virii, hackers and malware.<br />
*Never share your passwords. This is going to be the hardest one. Women are natural savants when it comes to emotions and know every single emotional manipulation trick under the sun, and a jealous girlfriend will have no qualms on abusing them if that's what it takes to make you cough up your password. Do not fall for any blackmail, badmouthing, refusal of sexual consent, melodrama, fake tears or blaming. Password sharing is ''not'' a proof of love or a ritual of intimacy, it is a dangerous practice that negates every single countermeasure you take against information breaches. Be especially wary if this is your first girlfriend: chances are she perfectly knows you have the relationship experience of a high school kid (even if you consistently negate it, girls are experts at reading your true emotions), meaning that you will fall squarely for every single one of her tricks and charms.<br />
**Alternatively, create a decoy account and share the password to that. Before sharing, protest that you hardly use your account anyway, and that you're embarrassed about how you don't have any friends. This will make it more credible.<br />
*Keep your phone with you at all times, with a password lock, encrypted and with instant screen lock. Consider enabling the fingerprint reader if securing your phone outweighs giving the botnet your fingerprint.<br />
**The phone is the weakest link:<br />
***A truly strong password makes using the phone very inconvenient, since you have to unlock many times a day and typing on a phone is hard.<br />
***Of all your device, the one you will most commonly have to unlock in full view of others is your phone.<br />
***The way keyboards are implemented on phones (current character shown unmasked) makes shoulder surfing very easy.<br />
***All the convenient options like PIN or pattern are laughably insecure.<br />
***She can touch your finger to the scanner while you're asleep.<br />
***Face/eye recognition can be defeated with a photo.<br />
***Phones are easy to break into by connecting to a computer.<br />
**It is very hard to keep your phone secure. Either have a secret secondary phone, or do not keep anything valuable on the phone.<br />
**When deleting something, make sure you immediately overwrite your phone's writable storage with random data; on Android phones this is done with ''cat /dev/urandom > /sdcard/dsfargeg.fgsfds'' and then ''rm /sdcard/dsfargeg.fgsfds'' on Terminal Emulator.<br />
**Do a factory reset once in a while; depending on the magnitude of her jealousy, it could be anything from once every other month to every single week.<br />
*Enable two-factor authentication as a safeguard against password sharing. This way, even if you share your password, she will require the login code that has been sent to your sealed, locked, encrypted phone that can only be unlocked with your own finger.<br />
*Be especially wary of spear phishing. Do not click on any weird link sent by your closest friends, or if you feel compelled to do so, open it from a tightly secured operating system (a fresh VM) where you have never logged in to your social networks.<br />
*Keep your GPS off at all times, or use a custom ROM that restricts apps' access to your location.<br />
*Keep your lawyer on standby and call them the very moment she involves law enforcement into the mix (e.g. threatening with a rape accusation).<br />
*Bail out of the relationship the very moment she starts inflicting physical violence on your or your possessions. >tfwnogf is better than >tfw my gf hits me.<br />
<br />
===Advertisers/Marketing companies===<br />
Advertisers can:<br />
<br />
*Collect information when you login to them.<br />
*Track you across different websites you visit without logging into them.<br />
*Track you via GPS on your phone.<br />
*Track you online via WiFi on your phone.<br />
*Track you offline via WiFi on your phone.<br />
*Track you offline via credit/debit cards.<br />
*Track you offline via reward/membership cards.<br />
<br />
Some of the security (or privacy) threats with advertisers are opt-in (i.e. you accepted it) and generally advertiser tracking isn't going to mess up your day. Problems arise when advertisers sell your information on to third parties (who in turn sell it to other third parties), go broke and [http://arstechnica.com/tech-policy/2015/03/despite-privacy-policy-radioshack-customer-data-up-for-sale-in-auction/ auction off] your data, get hacked or are victims of mass surveillance.<br />
<br />
It's worth noting that their revenue models would be colossally damaged if everyone ran adblocking software.<br />
<br />
In response you can:<br />
<br />
*Not create social media accounts, or create accounts with false information (although you'll still have the same friends, so are still opting in big time).<br />
*Disable third party cookies in your browsers.<br />
*Turn off GPS on your phone, or use a custom rom to limit which apps have access to your GPS.<br />
*Turn off WiFi on your phone, or use a custom rom to limit which apps have access to WiFi.<br />
*Turn off WiFi when you're out and about, especially in [http://www.yro.slashdot.org/story/13/01/22/2216224/have-a-wi-fi-enabled-phone-stores-are-tracking-you malls]/[http://www.washingtonpost.com/blogs/the-switch/wp/2013/10/19/how-stores-use-your-phones-wifi-to-track-your-shopping-habits shopping centres].<br />
*Use cash.<br />
**Debit cards tell your bank what you're buying and who from and where, and they [http://money.cnn.com/2011/07/06/pf/banks_sell_shopping_data/index.htm sell] [http://www.theguardian.com/business/2013/jun/24/barclays-bank-sell-customer-data that].<br />
**Credit cards tell VISA/Mastercard/etc what you're buying and who from and where.<br />
*Don't use reward cards. Most people [https://www.youtube.com/watch?v=f2Kji24833Y never use the "rewards"] and your privacy is worth more.<br />
<br />
====But I've already given them everything!====<br />
So you've already given Facebook your phone number and address and date of birth? They already know your schools and job and hobbies? Why close the gate when the horse has bolted?<br />
<br />
*You'll change jobs.<br />
*You'll move house.<br />
*Your interests will change.<br />
*Your friends will change.<br />
*You'll get married/divorced/have children.<br />
*You could even change your name or get married and change your surname.<br />
<br />
Sure, the data they have today will still be valid in a week. But in six months? A year? Five years? The sooner you cut off advertisers from up to date information, the sooner it'll be out of date. Their databases will say you still like Linkin Park and Jackass unless you tell them otherwise. They'll also miss out on your patterns over time, not knowing the path of your history and making their future predictions inaccurate.<br />
<br />
===Cellphone service providers===<br />
<br />
Your cell phone service provider can:<br />
<br />
*See what cell tower you are connected to whenever your phone is on.<br />
*See when your phone is switched off or out of coverage (they can't tell which).<br />
*See who you call and text, when and where, and for how long.<br />
*See who calls and texts you, when where you are, and for how long.<br />
*See your data usage metadata and perhaps "full take" data.<br />
*Sell you a phone preloaded with their applications, which have all kinds of permissions granted.<br />
<br />
Cell phones are a big problem when trying to avoid location tracking. Without the cell tower your phone is only a phone when you have WiFi access, or not at all.<br />
<br />
In response you can:<br />
<br />
*Use OTR in any instant messaging conversations. Install Pidgin and the [https://otr.cypherpunks.ca/ OTR plugin] for PC, and Xabber or ChatSecure for Android.<br />
*Use VoIP and data messaging instead of traditional calls and texts. Encrypted VoIP and messaging exists.<br />
*Convince your contacts to use VoIP and data messaging.<br />
*Install a firewall to restrict which apps have access to the data connection, or turn your data connection off completely.<br />
*Uninstall preloaded apps, flash a custom ROM or buy a standalone phone unlocked from any provider.<br />
*Leave your phone at home when you're going out.<br />
*Keep airplane mode turned on when you don't use your phone (you can have it automatically turn on whenever the screen is off).<br />
<br />
===Internet service providers===<br />
While your ISP is able to collect your metadata and block access to websites, these are generally because of Government Policy. Some ISPs will offer a "family friendly" site blocking option which you can turn off. Remember that while ISPs can most certainly be nefarious, usually it's the laws that compel them to give up your data to security agencies that can do you in, as the ISPs really can't do anything about it, but comply.<br />
<br />
Your home or business ISP can:<br />
<br />
*Provide you with an email service which they control (e.g. you@yourISP.com).<br />
*Force you to use a modem which they retain root access to, which may also contain [http://www.scmagazineuk.com/over-700000-home-routers-threaten-enterprise-security/article/405279/ serious bugs].<br />
*Send you a modem that is configured by default to use their DNS, allowing easy logging of your traffic.<br />
<br />
In response you can:<br />
<br />
*Use an alternative email service and/or use [[PGP]].<br />
*Use OTR in any instant messaging conversations. Install Pidgin and the [https://otr.cypherpunks.ca/ OTR plugin] for PC, and Xabber or ChatSecure for Android.<br />
*Bridge your ISP modem to a router which you control (or just ditch your ISP modem for one you bought personally, if possible). $50 will buy you an [[OpenWRT]] compatible router.<br />
<br />
===Government policies you can legally avoid===<br />
Governments policies may enable:<br />
<br />
*Collection of metadata or "full take" internet data.<br />
*Forcing ISPs to block websites or internet services.<br />
<br />
In response you can (if legal):<br />
<br />
*Use HTTPS versions of websites wherever possible. There is a [https://www.eff.org/https-everywhere browser plugin] for this.<br />
*Use a Virtual Private Network (VPN)<br />
**These can be paid or free services. Don't trust free services to anything other than light trolling.<br />
**These can be based in a variety of countries and be bound by that country's laws, even though they have exits in multiple countries.<br />
**Some take your privacy [https://torrentfreak.com/anonymous-vpn-service-provider-review-2015-150228/ more seriously than others]. Ultimately it's down to you trusting their word, but [https://ssd.eff.org/en/module/choosing-vpn-thats-right-you do your homework and make an informed choice].<br />
*Use an anonymity network such as [[Tor]] (free, trustworthy).<br />
*Use a proxy for web browsing (free, perhaps trustworthy, perhaps not).<br />
*Use encrypted messaging when communicating with others.<br />
<br />
See [https://ssd.eff.org/ Surveillance Self Defense] and [[Anonymising Yourself]] for more.<br />
<br />
===Foreign government policies===<br />
Avoiding government surveillance/hacking from countries you're not legally bound to is essentially the same as avoiding your own government's policies (above) without the requirement to follow their laws. <br />
<br />
===Copyright trolls===<br />
Copyright Trolls are companies which exist purely to litigate against perceived copyright infringements, often using loopholes in copyright law and borderline standover/intimidation tactics to force their target into taking a plea deal.<br />
<br />
They have different tactics for organisations than they do for individuals. For individuals they can:<br />
<br />
*Monitor/scrape torrent tracker information.<br />
*Monitor usenet posts.<br />
*Monitor irc chat and honeypot dcc.<br />
<br />
Everything they access is publicly available. They have no more power than you do to monitor the internet. Some sites like http://mypiracy.net/ will show you what information you expose. If you don't see anything, it doesn't mean the trolls won't, but if you do, they can definitely see you.<br />
<br />
In response you can:<br />
<br />
*Use a VPN.<br />
*Use Tor, but not for torrenting as it only slows down the network for you and everyone else since your IP gets leaked anyway.<br />
<br />
===Local Law Enforcement Agencies (LEA)===<br />
We're not talking about breaking the law here. If you want to be a criminal, you can fuck off.<br />
<br />
We're talking about attending a protest or running a Tor Exit Node or participating in any other legal activity (or even being targeted by mistake) where your equipment may be monitored or seized.<br />
<br />
Obviously laws are different in different countries and within different parts of the same country, but often local LEA can:<br />
<br />
*Seize your devices and keep them for extended periods.<br />
*Request or [[Wikipedia:Key_disclosure_law |demand]] your passwords.<br />
*Detain you.<br />
*Request your metadata of "full take" data from your internet and cell phone service providers.<br />
*Request your metadata or "full take" data from higher law enforcement.<br />
*Question your friends/family/roommates/landlord/whoever.<br />
<br />
In response you can:<br />
<br />
*Be polite.<br />
*Speak to a lawyer for advice.<br />
*Know your rights.<br />
*Prepare yourself for attending a protest in the [https://ssd.eff.org/en/module/attending-protests-united-states US] or [https://ssd.eff.org/en/module/attending-protests-international elsewhere].<br />
<br />
===National Law Enforcement Agencies===<br />
====Passive surveillance====<br />
Passive surveillance, or dragnet surveillance, is where all internet data is scooped up without a particular target in mind. The NSA tapping into undersea cables and spying on Google's data center links are some examples of this.<br />
<br />
In response you can:<br />
<br />
*Use end to end encryption wherever possible (e.g. email, web browsing, file transfer).<br />
*Use an anonymizing network such as Tor.<br />
<br />
====Targeted attacks====<br />
Hopefully you're never targeted/attacked by this level of LEA/Intelligence agency, but depending on your country, they may be able to:<br />
<br />
*Do everything local LEA can do.<br />
*Sniff your network traffic, be it home WiFi or [[Wikipedia:Stingray_Phone_Tracker |cell network]].<br />
*Attack your systems, perhaps with 0days (publicly unknown and unpatched vulnerabilities).<br />
*Intercept your online tech purchases and bug them.<br />
*Attack the systems of people you trust.<br />
*Pay off people you trust.<br />
*Detain you when entering/leaving their country.<br />
*Threaten you with [[Wikipedia:Aaron_Swartz#Arrest_and_prosecution |lengthy prison sentences]].<br />
*Stop you from revealing the attacks and stop others revealing to you that you're under attack.<br />
*Use the extensive information about you recorded in government databases to guess your passwords.<br />
*Secretly bug your house or install a keylogger on your computer.<br />
*Remotely view what's on your monitor from an adjacent room by [http://www.erikyyy.de/tempest/ analyzing its EM field].<br />
<br />
And in extreme cases/countries:<br />
<br />
*Do whatever they want to you.<br />
<br />
In response you can:<br />
<br />
*Kid yourself.<br />
*Use all of the above tactics combined.<br />
*Buy your tech equipment anonymously in a bricks-and-mortar store using cash.<br />
*Stay off the radar in the first place.<br />
*Go completely off the grid, including internet. Minimize use of technology.<br />
<br />
==Practices by tool==<br />
The first thing to look for in any security tool is, what is the password/data recovery method? If you lose your password, what are the ways in which it can be recovered?<br />
<br />
A real security tool will clearly say: If you lose your password, the data is gone and there is no way to get it back. If you can "recover the password", a hacker can too. More importantly, if they can restore your access, that means they are able to give themselves access, which means all their employees, any government person who asks, and any criminal that infiltrates them (by social engineering or hacking) can now also get access to your account/data without even needing to get past the password!<br />
<br />
Beware especially systems that:<br />
<br />
*Email passwords (email can get hacked, their database of passwords can get exfiltrated and dictionary attacked or brute forced)<br />
*Email password reset link (your email can get hacked)<br />
*Have a secret question (very easy to guess just by searching online social media info)<br />
*Allow recovery by booting from different OS/LiveCD (e.g. Windows user account password)<br />
<br />
===Password manager===<br />
Don't use a cloud service. Even if encrypted, the database will be shuffled back and forth all over the internet constantly, and every time it's moving around, someone is saving a copy for later. If one day a vulnerability is discovered in encryption, what then?<br />
<br />
Enable both password and key file. Cracking the password is too easy with only password (unless you use a +6-word diceware). Gaining access is as easy as stealing your key if no password.<br />
<br />
==Practices by domain==<br />
===Phone===<br />
Phones are very insecure. Your phone is on you 24/7, and it is constantly being tracked by your cell provider because they always know which tower it's connected to. Your only options are:<br />
<br />
*Don't carry a phone, or carry it in a Faraday cage, or keep it in airplane mode - basically all things that defeat the point of having a mobile phone<br />
*Accept that a lot of information on you is being gathered and make your peace with it<br />
<br />
There is no real way to defeat cell tracking.<br />
<br />
====Android====<br />
<br />
*Ideally, you should not use GApps and opt for F-droid instead<br />
*Use [https://f-droid.org/repository/browse/?fdid=com.shadcat.secdroid SecDroid]<br />
**Disables binaries that can be used as an attack vector like: SSH, SSHD, NC, Telnet and Ping<br />
**Disallows installing apps via CLI/ADB, unless it is explicitly allowed<br />
**Secures the TCP Stack using Systctl<br />
*If you are on Marshmallow, using XPrivacy, or are using a custom ROM (that, plus Xposed with Xprivacy are your best bet) with built in permissions manager, make sure to fine-tune the permissions on a per-app basis to ensure minimal data leak;<br />
*Use XPrivacy <sup>(requires Xposed)</sup> if you can, since it not only allows you to manage permissions on a per-app basis, it also lets you feed an application with fake data to keep it running<br />
*Manage your firewall with [https://f-droid.org/repository/browse/?fdid=dev.ukanth.ufirewall AFWall+], an iptables front-end with VPN support<br />
*Use [https://guardianproject.info/wiki/Ostel CSSimple and OStel] as a replacement to the built-in calling apps<br />
*Use [[DNSCrypt]] to encrypt DNS queries between the name server and yourself, to mitigate MITM attacks<br />
*Patch your hosts file with [https://f-droid.org/repository/browse/?fdid=org.adaway AdAway] to avoid some unneeded third-party exposure, thereby reducing your online fingerprint<br />
<br />
{{Tip|The newer the phone model, the newer the Linux kernel that comes with it and thus, (potentially) fewer security exploits.}}<br />
<br />
==Laptop==<br />
Light, portable, easy to recognize, good resale value - laptops are very high on a thief's list. That and the fact that you carry it everywhere means there's a high risk it will get stolen.<br />
<br />
*Always use full disk encryption. Losing a computer with a scrambled hard drive that cannot be opened is better than losing a computer and all your personal information.<br />
*Set a password to your BIOS to deny boot access and write down the password somewhere safe, resetting it in case you forget it is not easy at all unlike with desktops.<br />
*If you have a home computer, don't save on your laptop anything you believe you won't need on the go.<br />
*Get a Kensington lock cable, even if it's fairly weak and easy to cut with the proper tools it will still discourage some nearby Tyrones. There are locks who use other ports too such as the VGA one.<br />
*Keep your backpack with you at all times. <br />
**Develop the reflex of opening your trunk to get your computer every time you leave your car. Even if you're just getting a pack of smokes at the 7-Eleven; thieves are literally that fast.<br />
**Supermarkets will usually allow you to enter the premises with your backpack as long as you let the security staff know.<br />
**Be particularly careful about software security on your laptop if you connect to a public Wi-Fi. You never know who's using and who runs your Starbucks' network. Always connect to a VPN as soon as you connect to public Wi-Fi (this will prevent sniffing and MITM attacks) and make sure all your software is up to date.<br />
*Do not leave your laptop unattended anywhere—even for a second. <br />
**If you are in a coffee shop and you get called for your shitty coffee, do not just leave the laptop there; a thief will just grab it and run away, and now you are an idiot standing there with a coffee.<br />
**Do not leave your laptop sitting in a computer lab; Tyrone will take it.<br />
**Do not trust other people to look after your stuff while you take a shit; people are stupid and you should never trust them with anything.<br />
**There are team tactics thieves will use, such as distracting you over something stupid while thief #2 sneaks in and takes your stuff. Or thief #1 will steal something lesser off your table, you chase them while thief #2 casually takes your bag and laptop while you are distracted.<br />
<br />
Most of the software-related practices are recommended for desktops too.<br />
<br />
==Desktop==<br />
Since desktops are commonly easy to open and fuck with their hardware, the cheapest way to keep one safe is to thoroughly lock your door, use encryption and set a password to your BIOS, hoping that the burglar doesn't know shit about computers or simply isn't interested at all in the contents of your PC.<br />
<br />
If you're willing to spend money you can also:<br />
<br />
*Get a Kensington chassis lock or an adhesive desktop locking kit, which basically keeps your tower, monitor and other stuff from being stolen with a steel cable that links them all together. It can be cut with some effort though<br />
*Buy a custom locked enclosure to completely deny access to the whole tower, keep in mind though that "customized" = "expensive as hell"<br />
*Get an adhesive self-contained alarm, it requires a physical key to be armed/disarmed and it's linked to a cable that, if removed, sets off the alarm which sounds for hours, costs around 100 bucks<br />
*Learn Arduino and make a homebuilt alarm with cameras and motion sensors<br />
*Get a door like [https://www.youtube.com/watch?v=ET9SNXpeORY this one]for your office<br />
<br />
==Server==<br />
<br />
Having your own server secured in a data centre can be useful, but authorities can then raid the data centre and seize it, or bug it, or passively collect data through the data centre without you knowing.<br />
<br />
==CryptoLockers==<br />
CryptoLockers are a reasonably new type of malware which encrypt files on your computer and demand a ransom (often bitcoin) to decrypt them. The ransom is usually fairly "reasonable" (sub $100) and a timer to destruction is included.<br />
<br />
To render cryptolockers useless, see [[Backups]].<br />
<br />
==Social Media/Web of communication==<br />
Keeping away from unwanted connections on social media is basically impossible. Changing your name or profile picture and/or changing accounts doesn't work because you will end up connecting to the same friends and familiarity with your new identity.<br />
<br />
The block button is your best friend. Failing that, give up on social media. You won't convince all your friends to lock down their accounts so that you can't be found.<br />
<br />
If you can't give up social media so easily, because, like most of us, you're addicted, then you can at least take steps to mitigate your addiction and reduce your social media usage.<br />
<br />
*Find alternative sites to browse, or find another hobby like reading, or IRC for that social fix you crave.<br />
*If you can, unfollow (note, this doesn't necessarily mean unfriend or disconnect, unless you want to do that) all of your friends so that you don't get updates in whatever "news feed" the social media provider gives you. Without that "news feed", you'll find yourself needing to go back there less and less, instead using it only for messaging people.<br />
*Replace your social media's web instant messenger with a custom client you can use, like Pidgin, Jitsi etc (see [[Recommended software]]). A lot of this software will allow you to connect directly to the social media's IM system, whether through an <s>XMPP proxy (like Facebook)</s> [https://developers.facebook.com/docs/chat deprecated] or a software plugin (like Skype), so you don't have to log in to their website.<br />
*Use a [[freedom|free]] alternative to mainstream social media, such as [[GNU Social]] for twitter, [[GNU FM]] for last.fm, and [[MediaGoblin]] for YouTube.<br />
<br />
==External links==<br />
General resources:<br />
<br />
*http://reddit.com/r/netsec<br />
*http://seclists.org/fulldisclosure/<br />
*https://packetstormsecurity.com/files/<br />
*https://www.exploit-db.com/<br />
*http://radare.today/<br />
*https://www.reviewsed.com/malwarebytes-vs-avast/<br />
*https://hex-rays.com/products/ida/index.shtml<br />
*http://phrack.org/<br />
*https://www.alchemistowl.org/pocorgtfo/<br />
*https://www.vpnranks.com/torrent-vpn/<br />
*https://codup.co/wordpress-security-guide/<br />
*https://www.bestvpnprovider.com/bypass-isp-throttling/<br />
*https://www.techlectual.com/mcafee-vs-avast/<br />
*https://www.knowtechmag.com/paid-antivirus-vs-free-antivirus/<br />
<br />
Cool "shit" :<br />
<br />
*https://github.com/taviso/dbusmap<br />
*http://lcamtuf.coredump.cx/afl/<br />
*https://github.com/stealth/troubleshooter<br />
*https://grsecurity.net/<br />
*https://www.qubes-os.org/<br />
<br />
==See also==<br />
<br />
*[https://wiki.tbpindustries.com/index.php?title=Anonymizing_yourself Anonymizing Yourself ]<br />
*[[Encryption]]<br />
<br />
[[Category:HowTo]]<br />
[[Category:Security]]<br />
[[Category:Recommendations]]</div>Goldbolthttps://wiki.tbpindustries.com/index.php?title=Main_Page&diff=344Main Page2023-04-12T22:03:05Z<p>Goldbolt: /* Other Links */</p>
<hr />
<div><strong>TBP Wiki Main Page</strong><br />
<br />
This wiki is mostly here to help out TBP with configuration of files, services, and servers but has been made public to help whomever needs it. We will be adding new pages and information as time goes on so things may be messy. Please understand. <br />
<br />
=All Available Pages=<br />
{{Special:Allpages}}<br />
<br />
=Other Links=<br />
Check out our other services we offer:<br />
* [https://tbpchan.cz/ip/index.php Check IP]<br />
* [https://tbpchan.cz/ipmagnet/ IP Magnet]<br />
* [https://tbpchan.cz/ Imageboard]<br />
* [https://paste.tbpchan.cz/ Pastebin]<br />
* [https://tbpchan.cz/yt.php Audio Downloader]<br />
* [https://man.tbpindustries.com/ Linux man pages]<br />
<br />
There is a [https://tbpchan.cz/canary.txt warrant canary.]</div>Goldbolthttps://wiki.tbpindustries.com/index.php?title=Main_Page&diff=343Main Page2023-04-12T22:02:19Z<p>Goldbolt: /* Other Links */</p>
<hr />
<div><strong>TBP Wiki Main Page</strong><br />
<br />
This wiki is mostly here to help out TBP with configuration of files, services, and servers but has been made public to help whomever needs it. We will be adding new pages and information as time goes on so things may be messy. Please understand. <br />
<br />
=All Available Pages=<br />
{{Special:Allpages}}<br />
<br />
=Other Links=<br />
Check out our other services we offer:<br />
* [https://tbpchan.cz/ip/index.php Check IP]<br />
* [https://tbpchan.cz/ipmagnet/ IP Magnet]<br />
* [https://tbpchan.cz/ Imageboard]<br />
* [https://paste.tbpchan.cz/ Pastebin]<br />
* [https://tbpchan.cz/yt.php Audio Downloader]<br />
* [https://man.tbpindustries.com/ Linux man pages]<br />
<br />
There is a [https://tbpchan.cz/canary.txt warrant canary]. It is updated sometimes.</div>Goldbolthttps://wiki.tbpindustries.com/index.php?title=Main_Page&diff=342Main Page2023-04-12T22:02:04Z<p>Goldbolt: /* Other Links */</p>
<hr />
<div><strong>TBP Wiki Main Page</strong><br />
<br />
This wiki is mostly here to help out TBP with configuration of files, services, and servers but has been made public to help whomever needs it. We will be adding new pages and information as time goes on so things may be messy. Please understand. <br />
<br />
=All Available Pages=<br />
{{Special:Allpages}}<br />
<br />
=Other Links=<br />
Check out our other services we offer:<br />
* [https://tbpchan.cz/ip/index.php Check IP]<br />
* [https://tbpchan.cz/ipmagnet/ IP Magnet]<br />
* [https://tbpchan.cz/ Imageboard]<br />
* [https://paste.tbpchan.cz/ Pastebin]<br />
* [https://tbpchan.cz/yt.php Audio Downloader]<br />
* [https://man.tbpindustries.com/ Linux man pages]<br />
<br />
There is a [https://tbpchan.cz/canary.txt warrant canary] and is updated sometimes.</div>Goldbolthttps://wiki.tbpindustries.com/index.php?title=Android&diff=341Android2023-04-10T14:21:19Z<p>Goldbolt: Created page with "{{DISPLAYTITLE:Android}} The awk utility shall execute programs written in the awk programming language, which is specialized for textual data manipulation. An awk program is..."</p>
<hr />
<div>{{DISPLAYTITLE:Android}}<br />
The awk utility shall execute programs written in the awk programming language, which is specialized for textual data manipulation. An awk program is a sequence of patterns and corresponding actions. When input is read that matches a pattern, the action associated with that pattern is carried out.<br />
<br />
Input shall be interpreted as a sequence of records. By default, a record is a line, less its terminating <newline>, but this can be changed by using the RS built-in variable. Each record of input shall be matched in turn against each pattern in the program. For each pattern matched, the associated action shall be executed.<br />
<br />
The awk utility shall interpret each input record as a sequence of fields where, by default, a field is a string of non-<blank> non-<newline> characters. This default <blank> and <newline> field delimiter can be changed by using the FS built-in variable or the −F sepstring option. The awk utility shall denote the first field in a record $1, the second $2, and so on. The symbol $0 shall refer to the entire record; setting any other field causes the re-evaluation of $0. Assigning to $0 shall reset the values of all other fields and the NF built-in variable.<br />
<br />
=Magisk=<br />
The following will remove all Magisk modules in case there is a bootloop after installing and enabling a new module. This assumes Magisk is already installed and ADB is enabled. Reboot the phone, plug it into your PC and run the following and wait.<br />
<br />
adb wait-for-device shell magisk --remove-modules</div>Goldbolthttps://wiki.tbpindustries.com/index.php?title=FreeBSD&diff=340FreeBSD2023-03-27T14:13:01Z<p>Goldbolt: </p>
<hr />
<div><strong>FreeBSD</strong><br />
[[File:FreeBSD Logo.png|thumb]]<br />
FreeBSD is a free and open-source Unix-like operating system descended from Research Unix via the Berkeley Software Distribution (BSD). FreeBSD is a direct descendant of BSD of which was historically called "BSD Unix" or "Berkeley Unix" (in violation of the UNIX trademark). The first version of FreeBSD was released in 1993 and, as of 2005, FreeBSD was the most widely used open-source BSD operating system, accounting for more than three-quarters of all installed BSD systems.<br />
<br />
FreeBSD shares similarities with Linux but has two major differences in scope and licensing; FreeBSD maintains a complete system, i.e. the project delivers a kernel, device drivers, userland utilities, and documentation, as opposed to Linux only delivering a kernel, drivers, and relying upon third-parties for system software. FreeBSD source code is generally released under a permissive BSD license, as opposed to the copyleft GPL used by Linux.<br />
<br />
The FreeBSD project includes a security team overseeing all software shipped in the base distribution. A wide range of additional third-party applications may be installed using the pkg package management system, FreeBSD Ports, or by compiling source code.<br />
<br />
Due to its licensing, much of FreeBSD's codebase has become an integral part of other operating systems, such as Apple's Darwin (the basis for macOS, iOS, watchOS, and tvOS), the open-source NAS/SAN operating system FreeNAS, the Nintendo Switch system software, and the system software for Sony's PlayStation 3 and PlayStation 4.<br />
<br />
=Pools=<br />
To list pools:<br />
zpool import<br />
To import a pool:<br />
zpool import POOLNAME<br />
This pool has to be mounted manually if moved from another system. <br />
zfs set mountpoint=/mnt/dirname poolname<br />
zfs mount -a<br />
<br />
=Attach a mirror to existing hard drive in FreeBSD/FreeNAS=<br />
Let's assume ada0 is your existing disk, ada1 is the new one, tank is the pool name.<br />
gpart create -s gpt /dev/ada1<br />
gpart add -i 1 -b 128 -t freebsd-swap -s 2g /dev/ada1<br />
gpart add -i 2 -t freebsd-zfs /dev/ada1<br />
* Run <code>zpool status</code> and note the gptid of the existing disk<br />
* Run <code>glabel status</code> and find the gptid of the newly created partition. It is the gptid associated with ada1p2.<br />
zpool attach tank /dev/gptid/[gptid_of_the_existing_disk] /dev/gptid/[gptid_of_the_new_partition]<br />
<br />
It may take a while to resilver your drive after this - you will not have access to it whilst this is running. <br />
<br />
=Encryption=<br />
Unlock Geli-encrypted ZFS Volume:<br />
geli attach -k [geli_key_file] [dev_to_unlock]<br />
<br />
Example:<br />
geli attach -k /data/geli/geli.key /dev/ada0p2<br />
To import the pool, see [https://wiki.tbpindustries.com/index.php?title=FreeBSD#Pools Pools]<br />
<br />
=Iocage/Warden Jails=<br />
To migrate jails from one pool to another:<br />
<br />
zfs snapshot -r poolname/jails@relocate<br />
zfs send -R poolname/jails@relocate | zfs receive -vF newpool/jails<br />
<br />
To migrate a jail from one computer to another:<br />
<br />
iocage stop jailname<br />
iocage export jailname<br />
<br />
Exporting jails will create a zip file "jail_name_date.zip" inside "/mnt/iocage/images/". <br />
To import these backups, copy the exported backup files into "/mnt/iocage/images/" and then restore: <br />
<br />
iocage import jailname_name_date.zip<br />
<br />
If iocage gives trouble, use the jail name instead:<br />
<br />
iocage import jailname<br />
<br />
Change iocage pool location:<br />
<br />
iocage activate NEWPOOLNAME<br />
<br />
To clone jail1 to jail2, run:<br />
<br />
iocage clone jail1 --name jail2<br />
<br />
Manual import of a jail:<br />
zfs create zpool1/iocage/jails/jail1<br />
zfs recv -F zpool1/iocage/jails/jail1 < jail1_2020-10-24<br />
zfs recv -F zpool1/iocage/jails/jail1/data < jail1_2020-10-24_data<br />
zfs recv -F zpool1/iocage/jails/jail1/root < jail1_2020-10-24_root<br />
<br />
Automatically stop, make an export backup, and start all available iocage jails in a for loop into zpool1/iocage/images:<br />
for i in $(iocage list |awk '{print $4}' |grep -vi name|awk NF); do iocage stop $i && iocage export $i && iocage start $i; done<br />
<br />
=Iohyve PCI passthrough=<br />
The following is how to get Iohyve PCI passthrough working in FreeNAS with pfsense. <br />
<br />
Get the PCI addresses for the ethernet card.<br />
<br />
pciconf -lv<br />
<br />
Find the PCI addresses for the ethernet card. A multi-port card will have several. You will need them for the pptdev2 tunable in a x/y/z format. This example is for two ethernet ports with PCI addresses x1/y1/z1 and x2/y2/z2.<br />
<br />
Go to System > Tunables and configure the following options to enable iohyve and PCI passthrough. pptdevs2 is used because regular pptdevs did not work so it depends on the setup. <br />
<br />
<br />
Variable | Value | Type<br />
<br />
iohyve_enable | YES | rc<br />
<br />
iohyve_flags | kmod=1 net=<eth0,eth1> | rc<br />
<br />
pptdevs2 | x1/y1/z1 x2/y2/z2 | loader<br />
<br />
vmm_load | YES | loader<br />
<br />
<br />
Configure the virtual machine using iohyve within terminal: <br />
<br />
iohyve setup pool=(pool name)<br />
<br />
iohyve create pfsense 8G<br />
<br />
iohyve set pfsense ram=2048mb<br />
<br />
iohyve set pfsense cpu=2<br />
<br />
iohyve set pfsense pcidev:7=passthru,x1/y1/z1<br />
<br />
iohyve set pfsense pcidev:8=passthru,x2/y2/z2<br />
<br />
iohyve set pfsense os=pfsense<br />
<br />
iohyve set pfsense bargs="-S -A -H -P"<br />
<br />
Some have to dd the image to the zvol. It can be installed any other way so long as it boots properly. Make sure the paths and files are correct. You can disregard the following if you are able to boot using other methods. <br />
<br />
iohyve fetch https://nyifiles.pfsense.org/mirror/downloads/pfSense-CE-memstick-serial-2.4.4-RELEASE-p1-amd64.img.gz<br />
<br />
zfs rename zeus/iohyve/ISO/pfSense-CE-memstick-serial-2.4.4-RELEASE-p1-amd64.img.gz zeus/iohyve/ISO/pfSense-CE-memstick-serial-2.4.4-RELEASE-p1-amd64.img<br />
<br />
cd /iohyve/ISO/pfSense-CE-memstick-serial-2.4.4-RELEASE-p1-amd64.img/<br />
<br />
gunzip pfSense-CE-memstick-serial-2.4.4-RELEASE-p1-amd64.img.gz<br />
<br />
dd if=/iohyve/ISO/pfSense-CE-memstick-serial-2.4.4-RELEASE-p1-amd64.img/pfSense-CE-memstick-serial-2.4.4-RELEASE-p1-amd64.img/pfSense-CE-memstick-serial-2.4.4-RELEASE-p1-amd64.img of=/dev/zvol/zeus/iohyve/pfsense/disk0 bs=1m<br />
<br />
<br />
Start the VM<br />
<br />
iohyve start pfsense<br />
<br />
In another shell session, connect to the console to perform the installation.<br />
<br />
iohyve console pfsense<br />
<br />
Set it to automatically boot.<br />
<br />
iohyve set pfsense boot=1<br />
<br />
<br />
Here are some good resources to use for this in case this doesn't work: <br />
<br />
https://murf.se/2016/01/05/iohyve-and-pci-passthru.html<br />
<br />
Iohyve manual man page<br />
https://github.com/pr1ntf/iohyve/wiki/Manual<br />
<br />
Iohyve wiki<br />
https://github.com/pr1ntf/iohyve/wiki<br />
<br />
USB passthrough example<br />
https://github.com/pr1ntf/iohyve/wiki/USB-3.0-PCI-Controller-Pass-through<br />
<br />
CentOS useful for tunables for FreeNAS<br />
https://github.com/pr1ntf/iohyve/wiki/Installing-CentOS-7-on-FreeNAS<br />
<br />
<br />
=Limiting Jail Resources with RCTL=<br />
Here is how you limit the amount of RAM or CPU each jail can have. <br />
A<br />
dd the following line to /boot/loader.conf:<br />
<br />
kern.racct.enable="1"<br />
<br />
Reboot to activate.<br />
<br />
The following is how to constrain CPU usage, in percentage:<br />
<br />
rctl -a jail:JAILNAME:pcpu:deny=75<br />
<br />
The following is how to constrain virtual and physical RAM usage, in percentage:<br />
<br />
rctl -a jail:JAILNAME:vmemoryuse:deny=512M<br />
<br />
rctl -a jail:JAILNAME:memoryuse:deny=1024M<br />
<br />
To view the currently applied limits:<br />
<br />
rctl<br />
<br />
To view the resources used by a jail:<br />
<br />
rctl -u jail:JAILNAME<br />
<br />
=Install Ubuntu Linux 20.04 LTS in vm-bhyve=<br />
[[Category:Linux]]<br />
[[Category:FreeBSD]]<br />
<br />
== Introduction ==<br />
This guide is how to install [https://ubuntu.com Ubuntu] in [https://github.com/churchers/vm-bhyve vm-bhyve].<br />
<br />
== Install ==<br />
<br />
pkg install vm-bhyve qemu-tools cdrkit-genisoimage<br />
pkg install grub2-bhyve bhyve-firmware<br />
<br />
=== Configure Install ===<br />
<br />
zfs create -o mountpoint=/vm tank1/vm<br />
cp /usr/local/share/examples/vm-bhyve/* /vm/.templates/<br />
<br />
Add this to rc.conf:<br />
<br />
vm_enable="YES"<br />
vm_dir="zfs:tank1/vm"0"<br />
<br />
Then run:<br />
<br />
vm init<br />
<br />
=== Configure networking ===<br />
<br />
vm switch create public<br />
vm switch add public eth0<br />
<br />
If this does not work, use the following:<br />
<br />
vm switch create -t manual -b bridge0 public<br />
<br />
== Fetch image ==<br />
<br />
Download the [https://cloud-init.io | Cloud Init] image:<br />
<br />
vm img http://cloud-images.ubuntu.com/focal/current/focal-server-cloudimg-amd64.img<br />
<br />
== Resize the disk ==<br />
Resize to desired <br />
<br />
qemu-img resize /tank/bhyve/.img/focal-server-cloudimg-amd64.img +20G<br />
<br />
== Create the VM ==<br />
<br />
vm create -c 8 -m 16G -t ubuntu -i focal-server-cloudimg-amd64.img -C -k ~/.ssh/id_rsa.pub ubuntu<br />
<br />
To change the number of CPUs, change "-c 8" to desired. Value "-m 16G" is for RAM. A maximum of 16 vCPUs is currently supported in bhyve.<br />
<br />
== Start the VM ==<br />
<br />
vm start ubuntu<br />
<br />
== Log-in ==<br />
<br />
Determine the IP address and ssh to the vm:<br />
<br />
ssh ubuntu@192.168.0.10<br />
<br />
vm-bhyve doesn't have any way of showing the actual IP so you need to search the DHCP logs or use nmap.<br />
<br />
== Set hostname ==<br />
<br />
hostnamectl set-hostname ubuntu.vmhostname<br />
reboot<br />
<br />
== Package management ==<br />
<br />
=== Do not install recommended and suggested packages ===<br />
<br />
cat <<EOT >/etc/apt/apt.conf.d/61norecommends<br />
APT::Install-Recommends "false";<br />
APT::Install-Suggests "false"; <br />
EOT<br />
<br />
== Update the software ==<br />
<br />
apt update && apt -y upgrade<br />
reboot<br />
<br />
== Enable autostart ==<br />
<br />
Make sure the VM is listed in <code>vm_list</code> in <code>/etc/rc.conf</code>.<br />
<br />
vm_list="ubuntu vm1 vm2 ..."<br />
<br />
=Resize a root disk=<br />
Reboot into single user. This is assuming that da0 is the root drive and da0p2 is the root partition. <br />
<br />
gpart recover da0<br />
gpart resize -i 2 da0<br />
zpool online -e zroot da0p2<br />
<br />
<br />
= References =<br />
<br />
* [https://github.com/churchers/vm-bhyve vm-bhyve | Management system for FreeBSD bhyve virtual machines]<br />
* [https://www.freebsd.org/cgi/man.cgi?query=vm&sektion=8&manpath=freebsd-release-ports vm(8)]</div>Goldbolthttps://wiki.tbpindustries.com/index.php?title=Kubernetes&diff=339Kubernetes2023-03-20T20:21:59Z<p>Goldbolt: </p>
<hr />
<div>Kubernetes (/ˌk(j)uːbərˈnɛtɪs, -ˈneɪtɪs, -ˈneɪtiːz, -ˈnɛtiːz/, commonly abbreviated K8s) is an open-source container orchestration system for automating software deployment, scaling, and management. Originally designed by Google, the project is now maintained by the Cloud Native Computing Foundation.<br />
<br />
The name Kubernetes originates from Greek, meaning 'helmsman' or 'pilot'. Kubernetes is often abbreviated as K8s, counting the eight letters between the K and the s (a numeronym).<br />
<br />
Kubernetes works with containerd and CRI-O. Its suitability for running and managing large cloud-native workloads has led to widespread adoption of it in the data center. There are multiple distributions of this platform – from ISVs as well as hosted-on cloud offerings from all the major public cloud vendors. <br />
<br />
=Install Kubernetes to Ubuntu=<br />
The following commands will install microk8s to Ubuntu:<br />
sudo snap install microk8s --classic<br />
<br />
Add your user to the microk8s admin group and fix permissions:<br />
sudo usermod -a -G microk8s $USER<br />
sudo chown -f -R $USER ~/.kube<br />
<br />
Log out and log back in to that user for this to take effect. <br />
<br />
Check the status of the service:<br />
microk8s status --wait-ready<br />
<br />
Enable services:<br />
microk8s enable dashboard dns ingress metallb<br />
<br />
Use the following to check for available services to enable:<br />
microk8s enable --help<br />
<br />
Start using microk8s:<br />
microk8s kubectl get all --all-namespaces<br />
<br />
Access the dashboard:<br />
microk8s dashboard-proxy<br />
<br />
=Clustering=<br />
To create a cluster out of two or more already-running MicroK8s instances, use the microk8s add-node command. As of MicroK8s 1.19, clustering of three or more nodes will automatically enable high availability. The MicroK8s instance on which the command is run will host the Kubernetes control plane:<br />
microk8s add-node<br />
<br />
The add-node command prints a microk8s join command which should be executed on the MicroK8s instance(s) that you wish to join to the cluster (NOT THE NODE YOU RAN add-node FROM). For example:<br />
microk8s join ip-172-31-20-243:25000/DDOkUupkmaBezNnMheTBqFYHLWINGDbf<br />
<br />
Joining a node to the cluster should only take a few seconds. Afterwards you should be able to see the node has joined:<br />
microk8s kubectl get no<br />
<br />
=Use NFS for Persistent Volumes=<br />
Provision NFS mounts as Kubernetes Persistent Volumes on MicroK8s.<br />
<br />
==NFS server==<br />
Either use a current NFS server or install a NFS server. The following is how to install to Ubuntu:<br />
apt install nfs-kernel-server<br />
Directory /srv/nfs is the share folder.<br />
mkdir -p /srv/nfs<br />
chown nobody:nogroup /srv/nfs<br />
chmod 0777 /srv/nfs<br />
Edit the /etc/exports. The following will allow all IP addresses in the 10.0.0.0/24 subnet:<br />
/srv/nfs 10.0.0.0/24(rw,sync,no_subtree_check)<br />
Restart the NFS server: <br />
systemctl restart nfs-kernel-server<br />
<br />
==Install the CSI driver for NFS==<br />
Enable the Helm3 addon (if not already enabled) and add the repository for the NFS CSI driver:<br />
microk8s enable helm3<br />
microk8s helm3 repo add csi-driver-nfs https://raw.githubusercontent.com/kubernetes-csi/csi-driver-nfs/master/charts<br />
microk8s helm3 repo update<br />
This will install the Helm chart under the kube-system namespace:<br />
microk8s helm3 install csi-driver-nfs csi-driver-nfs/csi-driver-nfs --namespace kube-system --set kubeletDir=/var/snap/microk8s/common/var/lib/kubelet<br />
After deploying the Helm chart, wait for the CSI controller and node pods to come up using the following kubectl command:<br />
microk8s kubectl wait pod --selector app.kubernetes.io/name=csi-driver-nfs --for condition=ready --namespace kube-system<br />
If successful, you will see "condition met". <br />
List the available CSI drivers in the Kubernetes cluster:<br />
microk8s kubectl get csidrivers<br />
==Create a StorageClass for NFS==<br />
This creates a Kubernetes Storage Class which uses the nfs.csi.k8s.io CSI driver. Create the following file sc-nfs.yaml and change 10.0.0.42 to the NFS server:<br />
<br />
apiVersion: storage.k8s.io/v1<br />
kind: StorageClass<br />
metadata:<br />
name: nfs-csi<br />
provisioner: nfs.csi.k8s.io<br />
parameters:<br />
server: 10.0.0.42<br />
share: /srv/nfs<br />
reclaimPolicy: Delete<br />
volumeBindingMode: Immediate<br />
mountOptions:<br />
- hard<br />
- nfsvers=4.1<br />
Apply it on the MicroK8s cluster:<br />
microk8s kubectl apply -f - < sc-nfs.yaml<br />
<br />
The final step is to create a new 5gb PersistentVolumeClaim using the nfs-csi storage class. This is as simple as specifying storageClassName as nfs-csi in the PVC definition within the file pvc-nfs.yaml:<br />
apiVersion: v1<br />
kind: PersistentVolumeClaim<br />
metadata:<br />
name: my-pvc<br />
spec:<br />
storageClassName: nfs-csi<br />
accessModes: [ReadWriteOnce]<br />
resources:<br />
requests:<br />
storage: 5Gi<br />
Then create the PVC with:<br />
microk8s kubectl apply -f - < pvc-nfs.yaml<br />
Check the PVC configuration: <br />
microk8s kubectl describe pvc my-pvc<br />
<br />
== References ==<br />
<br />
* [https://microk8s.io/docs/nfs Microk8s Documentation | Use NFS for Persistent Volumes]</div>Goldbolthttps://wiki.tbpindustries.com/index.php?title=Kubernetes&diff=338Kubernetes2023-03-20T20:21:28Z<p>Goldbolt: </p>
<hr />
<div>Kubernetes (/ˌk(j)uːbərˈnɛtɪs, -ˈneɪtɪs, -ˈneɪtiːz, -ˈnɛtiːz/, commonly abbreviated K8s) is an open-source container orchestration system for automating software deployment, scaling, and management. Originally designed by Google, the project is now maintained by the Cloud Native Computing Foundation.<br />
<br />
The name Kubernetes originates from Greek, meaning 'helmsman' or 'pilot'. Kubernetes is often abbreviated as K8s, counting the eight letters between the K and the s (a numeronym).<br />
<br />
Kubernetes works with containerd and CRI-O. Its suitability for running and managing large cloud-native workloads has led to widespread adoption of it in the data center. There are multiple distributions of this platform – from ISVs as well as hosted-on cloud offerings from all the major public cloud vendors. <br />
<br />
=Install Kubernetes to Ubuntu=<br />
The following commands will install microk8s to Ubuntu:<br />
sudo snap install microk8s --classic<br />
<br />
Add your user to the microk8s admin group and fix permissions:<br />
sudo usermod -a -G microk8s $USER<br />
sudo chown -f -R $USER ~/.kube<br />
<br />
Log out and log back in to that user for this to take effect. <br />
<br />
Check the status of the service:<br />
microk8s status --wait-ready<br />
<br />
Enable services:<br />
microk8s enable dashboard dns ingress metallb<br />
<br />
Use the following to check for available services to enable:<br />
microk8s enable --help<br />
<br />
Start using microk8s:<br />
microk8s kubectl get all --all-namespaces<br />
<br />
Access the dashboard:<br />
microk8s dashboard-proxy<br />
<br />
=Clustering=<br />
To create a cluster out of two or more already-running MicroK8s instances, use the microk8s add-node command. As of MicroK8s 1.19, clustering of three or more nodes will automatically enable high availability. The MicroK8s instance on which the command is run will host the Kubernetes control plane:<br />
microk8s add-node<br />
<br />
The add-node command prints a microk8s join command which should be executed on the MicroK8s instance(s) that you wish to join to the cluster (NOT THE NODE YOU RAN add-node FROM). For example:<br />
microk8s join ip-172-31-20-243:25000/DDOkUupkmaBezNnMheTBqFYHLWINGDbf<br />
<br />
Joining a node to the cluster should only take a few seconds. Afterwards you should be able to see the node has joined:<br />
microk8s kubectl get no<br />
<br />
=Use NFS for Persistent Volumes=<br />
Provision NFS mounts as Kubernetes Persistent Volumes on MicroK8s.<br />
<br />
==NFS server==<br />
Either use a current NFS server or install a NFS server. The following is how to install to Ubuntu:<br />
apt install nfs-kernel-server<br />
Directory /srv/nfs is the share folder.<br />
mkdir -p /srv/nfs<br />
chown nobody:nogroup /srv/nfs<br />
chmod 0777 /srv/nfs<br />
Edit the /etc/exports. The following will allow all IP addresses in the 10.0.0.0/24 subnet:<br />
/srv/nfs 10.0.0.0/24(rw,sync,no_subtree_check)<br />
Restart the NFS server: <br />
systemctl restart nfs-kernel-server<br />
<br />
==Install the CSI driver for NFS==<br />
Enable the Helm3 addon (if not already enabled) and add the repository for the NFS CSI driver:<br />
microk8s enable helm3<br />
microk8s helm3 repo add csi-driver-nfs https://raw.githubusercontent.com/kubernetes-csi/csi-driver-nfs/master/charts<br />
microk8s helm3 repo update<br />
This will install the Helm chart under the kube-system namespace:<br />
microk8s helm3 install csi-driver-nfs csi-driver-nfs/csi-driver-nfs --namespace kube-system --set kubeletDir=/var/snap/microk8s/common/var/lib/kubelet<br />
After deploying the Helm chart, wait for the CSI controller and node pods to come up using the following kubectl command:<br />
microk8s kubectl wait pod --selector app.kubernetes.io/name=csi-driver-nfs --for condition=ready --namespace kube-system<br />
If successful, you will see "condition met". <br />
List the available CSI drivers in the Kubernetes cluster:<br />
microk8s kubectl get csidrivers<br />
==Create a StorageClass for NFS==<br />
This creates a Kubernetes Storage Class which uses the nfs.csi.k8s.io CSI driver. Create the following file sc-nfs.yaml and change 10.0.0.42 to the NFS server:<br />
<br />
apiVersion: storage.k8s.io/v1<br />
kind: StorageClass<br />
metadata:<br />
name: nfs-csi<br />
provisioner: nfs.csi.k8s.io<br />
parameters:<br />
server: 10.0.0.42<br />
share: /srv/nfs<br />
reclaimPolicy: Delete<br />
volumeBindingMode: Immediate<br />
mountOptions:<br />
- hard<br />
- nfsvers=4.1<br />
Apply it on the MicroK8s cluster:<br />
microk8s kubectl apply -f - < sc-nfs.yaml<br />
<br />
The final step is to create a new 5gb PersistentVolumeClaim using the nfs-csi storage class. This is as simple as specifying storageClassName as nfs-csi in the PVC definition within the file pvc-nfs.yaml:<br />
apiVersion: v1<br />
kind: PersistentVolumeClaim<br />
metadata:<br />
name: my-pvc<br />
spec:<br />
storageClassName: nfs-csi<br />
accessModes: [ReadWriteOnce]<br />
resources:<br />
requests:<br />
storage: 5Gi<br />
Then create the PVC with:<br />
microk8s kubectl apply -f - < pvc-nfs.yaml<br />
Check the PVC configuration: <br />
microk8s kubectl describe pvc my-pvc<br />
<br />
== References ==<br />
<br />
* [https://microk8s.io/docs/nfs Use NFS for Persistent Volumes]</div>Goldbolthttps://wiki.tbpindustries.com/index.php?title=Kubernetes&diff=337Kubernetes2023-03-20T20:19:43Z<p>Goldbolt: </p>
<hr />
<div>Kubernetes (/ˌk(j)uːbərˈnɛtɪs, -ˈneɪtɪs, -ˈneɪtiːz, -ˈnɛtiːz/, commonly abbreviated K8s) is an open-source container orchestration system for automating software deployment, scaling, and management. Originally designed by Google, the project is now maintained by the Cloud Native Computing Foundation.<br />
<br />
The name Kubernetes originates from Greek, meaning 'helmsman' or 'pilot'. Kubernetes is often abbreviated as K8s, counting the eight letters between the K and the s (a numeronym).<br />
<br />
Kubernetes works with containerd and CRI-O. Its suitability for running and managing large cloud-native workloads has led to widespread adoption of it in the data center. There are multiple distributions of this platform – from ISVs as well as hosted-on cloud offerings from all the major public cloud vendors. <br />
<br />
=Install Kubernetes to Ubuntu=<br />
The following commands will install microk8s to Ubuntu:<br />
sudo snap install microk8s --classic<br />
<br />
Add your user to the microk8s admin group and fix permissions:<br />
sudo usermod -a -G microk8s $USER<br />
sudo chown -f -R $USER ~/.kube<br />
<br />
Log out and log back in to that user for this to take effect. <br />
<br />
Check the status of the service:<br />
microk8s status --wait-ready<br />
<br />
Enable services:<br />
microk8s enable dashboard dns ingress metallb<br />
<br />
Use the following to check for available services to enable:<br />
microk8s enable --help<br />
<br />
Start using microk8s:<br />
microk8s kubectl get all --all-namespaces<br />
<br />
Access the dashboard:<br />
microk8s dashboard-proxy<br />
<br />
=Clustering=<br />
To create a cluster out of two or more already-running MicroK8s instances, use the microk8s add-node command. As of MicroK8s 1.19, clustering of three or more nodes will automatically enable high availability. The MicroK8s instance on which the command is run will host the Kubernetes control plane:<br />
microk8s add-node<br />
<br />
The add-node command prints a microk8s join command which should be executed on the MicroK8s instance(s) that you wish to join to the cluster (NOT THE NODE YOU RAN add-node FROM). For example:<br />
microk8s join ip-172-31-20-243:25000/DDOkUupkmaBezNnMheTBqFYHLWINGDbf<br />
<br />
Joining a node to the cluster should only take a few seconds. Afterwards you should be able to see the node has joined:<br />
microk8s kubectl get no<br />
<br />
=Use NFS for Persistent Volumes=<br />
Provision NFS mounts as Kubernetes Persistent Volumes on MicroK8s.<br />
<br />
==NFS server==<br />
Either use a current NFS server or install a NFS server. The following is how to install to Ubuntu:<br />
apt install nfs-kernel-server<br />
Directory /srv/nfs is the share folder.<br />
mkdir -p /srv/nfs<br />
chown nobody:nogroup /srv/nfs<br />
chmod 0777 /srv/nfs<br />
Edit the /etc/exports. The following will allow all IP addresses in the 10.0.0.0/24 subnet:<br />
/srv/nfs 10.0.0.0/24(rw,sync,no_subtree_check)<br />
Restart the NFS server: <br />
systemctl restart nfs-kernel-server<br />
<br />
==Install the CSI driver for NFS==<br />
Enable the Helm3 addon (if not already enabled) and add the repository for the NFS CSI driver:<br />
microk8s enable helm3<br />
microk8s helm3 repo add csi-driver-nfs https://raw.githubusercontent.com/kubernetes-csi/csi-driver-nfs/master/charts<br />
microk8s helm3 repo update<br />
This will install the Helm chart under the kube-system namespace:<br />
microk8s helm3 install csi-driver-nfs csi-driver-nfs/csi-driver-nfs --namespace kube-system --set kubeletDir=/var/snap/microk8s/common/var/lib/kubelet<br />
After deploying the Helm chart, wait for the CSI controller and node pods to come up using the following kubectl command:<br />
microk8s kubectl wait pod --selector app.kubernetes.io/name=csi-driver-nfs --for condition=ready --namespace kube-system<br />
If successful, you will see "condition met". <br />
List the available CSI drivers in the Kubernetes cluster:<br />
microk8s kubectl get csidrivers<br />
==Create a StorageClass for NFS==<br />
This creates a Kubernetes Storage Class which uses the nfs.csi.k8s.io CSI driver. Create the following file sc-nfs.yaml and change 10.0.0.42 to the NFS server:<br />
<br />
apiVersion: storage.k8s.io/v1<br />
kind: StorageClass<br />
metadata:<br />
name: nfs-csi<br />
provisioner: nfs.csi.k8s.io<br />
parameters:<br />
server: 10.0.0.42<br />
share: /srv/nfs<br />
reclaimPolicy: Delete<br />
volumeBindingMode: Immediate<br />
mountOptions:<br />
- hard<br />
- nfsvers=4.1<br />
Apply it on the MicroK8s cluster:<br />
microk8s kubectl apply -f - < sc-nfs.yaml<br />
<br />
The final step is to create a new 5gb PersistentVolumeClaim using the nfs-csi storage class. This is as simple as specifying storageClassName as nfs-csi in the PVC definition within the file pvc-nfs.yaml:<br />
apiVersion: v1<br />
kind: PersistentVolumeClaim<br />
metadata:<br />
name: my-pvc<br />
spec:<br />
storageClassName: nfs-csi<br />
accessModes: [ReadWriteOnce]<br />
resources:<br />
requests:<br />
storage: 5Gi<br />
Then create the PVC with:<br />
microk8s kubectl apply -f - < pvc-nfs.yaml<br />
Check the PVC configuration: <br />
microk8s kubectl describe pvc my-pvc</div>Goldbolthttps://wiki.tbpindustries.com/index.php?title=Kubernetes&diff=336Kubernetes2023-03-16T16:42:50Z<p>Goldbolt: /* Install Kubernetes to Ubuntu */</p>
<hr />
<div>Kubernetes (/ˌk(j)uːbərˈnɛtɪs, -ˈneɪtɪs, -ˈneɪtiːz, -ˈnɛtiːz/, commonly abbreviated K8s) is an open-source container orchestration system for automating software deployment, scaling, and management. Originally designed by Google, the project is now maintained by the Cloud Native Computing Foundation.<br />
<br />
The name Kubernetes originates from Greek, meaning 'helmsman' or 'pilot'. Kubernetes is often abbreviated as K8s, counting the eight letters between the K and the s (a numeronym).<br />
<br />
Kubernetes works with containerd and CRI-O. Its suitability for running and managing large cloud-native workloads has led to widespread adoption of it in the data center. There are multiple distributions of this platform – from ISVs as well as hosted-on cloud offerings from all the major public cloud vendors. <br />
<br />
=Install Kubernetes to Ubuntu=<br />
The following commands will install microk8s to Ubuntu:<br />
sudo snap install microk8s --classic<br />
<br />
Add your user to the microk8s admin group and fix permissions:<br />
sudo usermod -a -G microk8s $USER<br />
sudo chown -f -R $USER ~/.kube<br />
<br />
Log out and log back in to that user for this to take effect. <br />
<br />
Check the status of the service:<br />
microk8s status --wait-ready<br />
<br />
Enable services:<br />
microk8s enable dashboard dns ingress metallb<br />
<br />
Use the following to check for available services to enable:<br />
microk8s enable --help<br />
<br />
Start using microk8s:<br />
microk8s kubectl get all --all-namespaces<br />
<br />
Access the dashboard:<br />
microk8s dashboard-proxy<br />
<br />
=Clustering=<br />
To create a cluster out of two or more already-running MicroK8s instances, use the microk8s add-node command. As of MicroK8s 1.19, clustering of three or more nodes will automatically enable high availability. The MicroK8s instance on which the command is run will host the Kubernetes control plane:<br />
microk8s add-node<br />
<br />
The add-node command prints a microk8s join command which should be executed on the MicroK8s instance(s) that you wish to join to the cluster (NOT THE NODE YOU RAN add-node FROM). For example:<br />
microk8s join ip-172-31-20-243:25000/DDOkUupkmaBezNnMheTBqFYHLWINGDbf<br />
<br />
Joining a node to the cluster should only take a few seconds. Afterwards you should be able to see the node has joined:<br />
microk8s kubectl get no</div>Goldbolthttps://wiki.tbpindustries.com/index.php?title=Kubernetes&diff=335Kubernetes2023-03-16T15:59:32Z<p>Goldbolt: /* Install Kubernetes to Ubuntu */</p>
<hr />
<div>Kubernetes (/ˌk(j)uːbərˈnɛtɪs, -ˈneɪtɪs, -ˈneɪtiːz, -ˈnɛtiːz/, commonly abbreviated K8s) is an open-source container orchestration system for automating software deployment, scaling, and management. Originally designed by Google, the project is now maintained by the Cloud Native Computing Foundation.<br />
<br />
The name Kubernetes originates from Greek, meaning 'helmsman' or 'pilot'. Kubernetes is often abbreviated as K8s, counting the eight letters between the K and the s (a numeronym).<br />
<br />
Kubernetes works with containerd and CRI-O. Its suitability for running and managing large cloud-native workloads has led to widespread adoption of it in the data center. There are multiple distributions of this platform – from ISVs as well as hosted-on cloud offerings from all the major public cloud vendors. <br />
<br />
=Install Kubernetes to Ubuntu=<br />
The following commands will install microk8s to Ubuntu:<br />
sudo snap install microk8s --classic<br />
<br />
Add your user to the microk8s admin group and fix permissions:<br />
sudo usermod -a -G microk8s $USER<br />
sudo chown -f -R $USER ~/.kube<br />
<br />
Log out and log back in to that user for this to take effect. <br />
<br />
Check the status of the service:<br />
microk8s status --wait-ready<br />
<br />
Enable services:<br />
microk8s enable dashboard dns ingress metallb metrics-server observability<br />
<br />
Use the following to check for available services to enable:<br />
microk8s enable --help<br />
<br />
Start using microk8s:<br />
microk8s kubectl get all --all-namespaces<br />
<br />
Access the dashboard:<br />
microk8s dashboard-proxy<br />
<br />
=Clustering=<br />
To create a cluster out of two or more already-running MicroK8s instances, use the microk8s add-node command. As of MicroK8s 1.19, clustering of three or more nodes will automatically enable high availability. The MicroK8s instance on which the command is run will host the Kubernetes control plane:<br />
microk8s add-node<br />
<br />
The add-node command prints a microk8s join command which should be executed on the MicroK8s instance(s) that you wish to join to the cluster (NOT THE NODE YOU RAN add-node FROM). For example:<br />
microk8s join ip-172-31-20-243:25000/DDOkUupkmaBezNnMheTBqFYHLWINGDbf<br />
<br />
Joining a node to the cluster should only take a few seconds. Afterwards you should be able to see the node has joined:<br />
microk8s kubectl get no</div>Goldbolthttps://wiki.tbpindustries.com/index.php?title=FreeBSD&diff=334FreeBSD2023-03-13T20:14:12Z<p>Goldbolt: </p>
<hr />
<div><strong>FreeBSD</strong><br />
[[File:FreeBSD Logo.png|thumb]]<br />
FreeBSD is a free and open-source Unix-like operating system descended from Research Unix via the Berkeley Software Distribution (BSD). FreeBSD is a direct descendant of BSD of which was historically called "BSD Unix" or "Berkeley Unix" (in violation of the UNIX trademark). The first version of FreeBSD was released in 1993 and, as of 2005, FreeBSD was the most widely used open-source BSD operating system, accounting for more than three-quarters of all installed BSD systems.<br />
<br />
FreeBSD shares similarities with Linux but has two major differences in scope and licensing; FreeBSD maintains a complete system, i.e. the project delivers a kernel, device drivers, userland utilities, and documentation, as opposed to Linux only delivering a kernel, drivers, and relying upon third-parties for system software. FreeBSD source code is generally released under a permissive BSD license, as opposed to the copyleft GPL used by Linux.<br />
<br />
The FreeBSD project includes a security team overseeing all software shipped in the base distribution. A wide range of additional third-party applications may be installed using the pkg package management system, FreeBSD Ports, or by compiling source code.<br />
<br />
Due to its licensing, much of FreeBSD's codebase has become an integral part of other operating systems, such as Apple's Darwin (the basis for macOS, iOS, watchOS, and tvOS), the open-source NAS/SAN operating system FreeNAS, the Nintendo Switch system software, and the system software for Sony's PlayStation 3 and PlayStation 4.<br />
<br />
=Pools=<br />
To list pools:<br />
zpool import<br />
To import a pool:<br />
zpool import POOLNAME<br />
This pool has to be mounted manually if moved from another system. <br />
zfs set mountpoint=/mnt/dirname poolname<br />
zfs mount -a<br />
<br />
=Attach a mirror to existing hard drive in FreeBSD/FreeNAS=<br />
Let's assume ada0 is your existing disk, ada1 is the new one, tank is the pool name.<br />
gpart create -s gpt /dev/ada1<br />
gpart add -i 1 -b 128 -t freebsd-swap -s 2g /dev/ada1<br />
gpart add -i 2 -t freebsd-zfs /dev/ada1<br />
* Run <code>zpool status</code> and note the gptid of the existing disk<br />
* Run <code>glabel status</code> and find the gptid of the newly created partition. It is the gptid associated with ada1p2.<br />
zpool attach tank /dev/gptid/[gptid_of_the_existing_disk] /dev/gptid/[gptid_of_the_new_partition]<br />
<br />
It may take a while to resilver your drive after this - you will not have access to it whilst this is running. <br />
<br />
=Encryption=<br />
Unlock Geli-encrypted ZFS Volume:<br />
geli attach -k [geli_key_file] [dev_to_unlock]<br />
<br />
Example:<br />
geli attach -k /data/geli/geli.key /dev/ada0p2<br />
To import the pool, see [https://wiki.tbpindustries.com/index.php?title=FreeBSD#Pools Pools]<br />
<br />
=Iocage/Warden Jails=<br />
To migrate jails from one pool to another:<br />
<br />
zfs snapshot -r poolname/jails@relocate<br />
zfs send -R poolname/jails@relocate | zfs receive -vF newpool/jails<br />
<br />
To migrate a jail from one computer to another:<br />
<br />
iocage stop jailname<br />
iocage export jailname<br />
<br />
Exporting jails will create a zip file "jail_name_date.zip" inside "/mnt/iocage/images/". <br />
To import these backups, copy the exported backup files into "/mnt/iocage/images/" and then restore: <br />
<br />
iocage import jailname_name_date.zip<br />
<br />
If iocage gives trouble, use the jail name instead:<br />
<br />
iocage import jailname<br />
<br />
Change iocage pool location:<br />
<br />
iocage activate NEWPOOLNAME<br />
<br />
To clone jail1 to jail2, run:<br />
<br />
iocage clone jail1 --name jail2<br />
<br />
Manual import of a jail:<br />
zfs create zpool1/iocage/jails/jail1<br />
zfs recv -F zpool1/iocage/jails/jail1 < jail1_2020-10-24<br />
zfs recv -F zpool1/iocage/jails/jail1/data < jail1_2020-10-24_data<br />
zfs recv -F zpool1/iocage/jails/jail1/root < jail1_2020-10-24_root<br />
<br />
Automatically stop, make an export backup, and start all available iocage jails in a for loop into zpool1/iocage/images:<br />
for i in $(iocage list |awk '{print $4}' |grep -vi name|awk NF); do iocage stop $i && iocage export $i && iocage start $i; done<br />
<br />
=Iohyve PCI passthrough=<br />
The following is how to get Iohyve PCI passthrough working in FreeNAS with pfsense. <br />
<br />
Get the PCI addresses for the ethernet card.<br />
<br />
pciconf -lv<br />
<br />
Find the PCI addresses for the ethernet card. A multi-port card will have several. You will need them for the pptdev2 tunable in a x/y/z format. This example is for two ethernet ports with PCI addresses x1/y1/z1 and x2/y2/z2.<br />
<br />
Go to System > Tunables and configure the following options to enable iohyve and PCI passthrough. pptdevs2 is used because regular pptdevs did not work so it depends on the setup. <br />
<br />
<br />
Variable | Value | Type<br />
<br />
iohyve_enable | YES | rc<br />
<br />
iohyve_flags | kmod=1 net=<eth0,eth1> | rc<br />
<br />
pptdevs2 | x1/y1/z1 x2/y2/z2 | loader<br />
<br />
vmm_load | YES | loader<br />
<br />
<br />
Configure the virtual machine using iohyve within terminal: <br />
<br />
iohyve setup pool=(pool name)<br />
<br />
iohyve create pfsense 8G<br />
<br />
iohyve set pfsense ram=2048mb<br />
<br />
iohyve set pfsense cpu=2<br />
<br />
iohyve set pfsense pcidev:7=passthru,x1/y1/z1<br />
<br />
iohyve set pfsense pcidev:8=passthru,x2/y2/z2<br />
<br />
iohyve set pfsense os=pfsense<br />
<br />
iohyve set pfsense bargs="-S -A -H -P"<br />
<br />
Some have to dd the image to the zvol. It can be installed any other way so long as it boots properly. Make sure the paths and files are correct. You can disregard the following if you are able to boot using other methods. <br />
<br />
iohyve fetch https://nyifiles.pfsense.org/mirror/downloads/pfSense-CE-memstick-serial-2.4.4-RELEASE-p1-amd64.img.gz<br />
<br />
zfs rename zeus/iohyve/ISO/pfSense-CE-memstick-serial-2.4.4-RELEASE-p1-amd64.img.gz zeus/iohyve/ISO/pfSense-CE-memstick-serial-2.4.4-RELEASE-p1-amd64.img<br />
<br />
cd /iohyve/ISO/pfSense-CE-memstick-serial-2.4.4-RELEASE-p1-amd64.img/<br />
<br />
gunzip pfSense-CE-memstick-serial-2.4.4-RELEASE-p1-amd64.img.gz<br />
<br />
dd if=/iohyve/ISO/pfSense-CE-memstick-serial-2.4.4-RELEASE-p1-amd64.img/pfSense-CE-memstick-serial-2.4.4-RELEASE-p1-amd64.img/pfSense-CE-memstick-serial-2.4.4-RELEASE-p1-amd64.img of=/dev/zvol/zeus/iohyve/pfsense/disk0 bs=1m<br />
<br />
<br />
Start the VM<br />
<br />
iohyve start pfsense<br />
<br />
In another shell session, connect to the console to perform the installation.<br />
<br />
iohyve console pfsense<br />
<br />
Set it to automatically boot.<br />
<br />
iohyve set pfsense boot=1<br />
<br />
<br />
Here are some good resources to use for this in case this doesn't work: <br />
<br />
https://murf.se/2016/01/05/iohyve-and-pci-passthru.html<br />
<br />
Iohyve manual man page<br />
https://github.com/pr1ntf/iohyve/wiki/Manual<br />
<br />
Iohyve wiki<br />
https://github.com/pr1ntf/iohyve/wiki<br />
<br />
USB passthrough example<br />
https://github.com/pr1ntf/iohyve/wiki/USB-3.0-PCI-Controller-Pass-through<br />
<br />
CentOS useful for tunables for FreeNAS<br />
https://github.com/pr1ntf/iohyve/wiki/Installing-CentOS-7-on-FreeNAS<br />
<br />
<br />
=Limiting Jail Resources with RCTL=<br />
Here is how you limit the amount of RAM or CPU each jail can have. <br />
A<br />
dd the following line to /boot/loader.conf:<br />
<br />
kern.racct.enable="1"<br />
<br />
Reboot to activate.<br />
<br />
The following is how to constrain CPU usage, in percentage:<br />
<br />
rctl -a jail:JAILNAME:pcpu:deny=75<br />
<br />
The following is how to constrain virtual and physical RAM usage, in percentage:<br />
<br />
rctl -a jail:JAILNAME:vmemoryuse:deny=512M<br />
<br />
rctl -a jail:JAILNAME:memoryuse:deny=1024M<br />
<br />
To view the currently applied limits:<br />
<br />
rctl<br />
<br />
To view the resources used by a jail:<br />
<br />
rctl -u jail:JAILNAME<br />
<br />
=Install Ubuntu Linux 20.04 LTS in vm-bhyve=<br />
[[Category:Linux]]<br />
[[Category:FreeBSD]]<br />
<br />
== Introduction ==<br />
This guide is how to install [https://ubuntu.com Ubuntu] in [https://github.com/churchers/vm-bhyve vm-bhyve].<br />
<br />
== Install ==<br />
<br />
pkg install vm-bhyve qemu-tools cdrkit-genisoimage<br />
pkg install grub2-bhyve bhyve-firmware<br />
<br />
=== Configure Install ===<br />
<br />
zfs create -o mountpoint=/vm tank1/vm<br />
cp /usr/local/share/examples/vm-bhyve/* /vm/.templates/<br />
<br />
Add this to rc.conf:<br />
<br />
vm_enable="YES"<br />
vm_dir="zfs:tank1/vm"0"<br />
<br />
Then run:<br />
<br />
vm init<br />
<br />
=== Configure networking ===<br />
<br />
vm switch create public<br />
vm switch add public eth0<br />
<br />
If this does not work, use the following:<br />
<br />
vm switch create -t manual -b bridge0 public<br />
<br />
== Fetch image ==<br />
<br />
Download the [https://cloud-init.io | Cloud Init] image:<br />
<br />
vm img http://cloud-images.ubuntu.com/focal/current/focal-server-cloudimg-amd64.img<br />
<br />
== Resize the disk ==<br />
Resize to desired <br />
<br />
qemu-img resize /tank/bhyve/.img/focal-server-cloudimg-amd64.img +20G<br />
<br />
== Create the VM ==<br />
<br />
vm create -c 8 -m 16G -t ubuntu -i focal-server-cloudimg-amd64.img -C -k ~/.ssh/id_rsa.pub ubuntu<br />
<br />
To change the number of CPUs, change "-c 8" to desired. Value "-m 16G" is for RAM. A maximum of 16 vCPUs is currently supported in bhyve.<br />
<br />
== Start the VM ==<br />
<br />
vm start ubuntu<br />
<br />
== Log-in ==<br />
<br />
Determine the IP address and ssh to the vm:<br />
<