NetworkManager no wakeup on Ubuntu

For the last six months I have had an issue with my NetworkManager: sometimes it doesn’t wake up correctly after a standby or suspend. After some tests I found that the problem comes up each time the suspend/standby procedure freezes the system and I have to manually shut down. The only way to make the NetworkManager work again is to standby and wake up my laptop.

After several tests I found out what happens and a small workaround.

On my laptop I have a hardware issue with my webcam: the cable which connects the camera to the motherboard through the monitor is a little bit loose, so sometimes the camera generates an error. This error causes a seg fault in the Linux kernel. This seg fault prevents the webcam module from entering standby correctly, and my laptop freezes during the standby cycle. This happens after the NetworkManager has entered the standby cycle, in which the network gets disabled.

Now I have to manually power off the laptop, and turning the laptop on again doesn’t run the wakeup cycle; it is in the wakeup cycle that the NetworkManager enables the network again. So my network remains disabled until I run the wakeup cycle.

The first workaround is to standby/wake up the laptop; the second workaround is to run the wakeup command manually:

sudo dbus-send --print-reply --system --dest=org.freedesktop.NetworkManager /org/freedesktop/NetworkManager org.freedesktop.NetworkManager.wake

I think this issue comes up each time a suspend/standby isn’t followed by a wakeup (e.g. the battery runs out).

Hope this helps others 🙂

Configuring a VPN with OpenVPN

General network configuration

Assume an internal network that uses the IPs 192.168.6.X. On the internal network we have a router at the address 192.168.6.1 and a DNS server for the intranet at the address 192.168.6.2.

The server we want to use for the VPN has the internal IP 192.168.6.102 and is reachable from outside on a public IP that has an entry in the public DNS, e.g. vpnserver.mylan.com

One consideration before proceeding. Anyone who connects to the network through the VPN is assigned an IP, so care must be taken that there are no routing problems or IP conflicts. For the VPN we therefore choose a set of IPs completely different from those of the intranet, e.g. 10.8.0.X.

A route must therefore be added on the router:

route add 10.8.0.0 192.168.7.102

Configuration on the VPN server (vpnserver.mylan.com 192.168.7.102)

modprobe tun
echo "tun" >> /etc/modules
echo 1 > /proc/sys/net/ipv4/ip_forward
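# OpenVPN clients reach UDP 1194 from their public addresses, so no source filter on this rule
iptables -A INPUT -p udp --dport 1194 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Traffic arriving from the VPN subnet chosen above (10.8.0.X)
iptables -A INPUT -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
On the router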

Certificates and keys

A set of certificates and keys must be generated. Unless you have a contract with a Certification Authority, you also need to generate a key and a ‘self-signed’ certificate for the Certification Authority itself.

CA certificates

mkdir ca
openssl genrsa -out ca/ca.key
openssl req -new -key ca/ca.key -out ca/ca.req
openssl x509 -req -in ca/ca.req -signkey ca/ca.key -out ca/ca.cert

Server certificates

mkdir server
openssl genrsa -out server/server.key
openssl req -new -key server/server.key -out server/server.req
openssl x509 -req -in server/server.req -CA ca/ca.cert -CAkey ca/ca.key -CAcreateserial -out server/server.cert
openssl dhparam -out server/dh1024.pem 1024

Client certificates

mkdir client
openssl genrsa -out client/client.key
openssl req -new -key client/client.key -out client/client.req
openssl x509 -req -in client/client.req -CA ca/ca.cert -CAkey ca/ca.key -CAcreateserial -out client/client.cert

TLS key generation

openssl genrsa -out server.key
openssl req -new -key server.key -out rich.ser
openssl x509 -req -in rich.ca -signkey server.key -out server.cert
openssl x509 -req -in rich.ser -CA ca.cert -CAkey ca.key -CAcreateserial -out ser.cert
openssl dhparam -out dh.pem 1024

For each client:

openssl genrsa -out client.key
openssl req -new -key client.key -out rich.cli

Server.conf

port 1194
proto udp
dev tun
ca ./ca/ca.cert
cert ./server/server.cert
key ./server/server.key
dh ./server/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.7.0 255.255.255.0"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4
tls-server

Client.conf

client
dev tun
proto udp
remote 89.96.215.134
resolv-retry infinite
nobind
persist-key
persist-tun
ca ./ca/ca.cert
cert ./client/client-luigi.cert
key ./client/client-luigi.key
comp-lzo
verb 4
port 1194
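
The client and server certificates above are signed by the same CA, so which extra directives each config sets decides whether a client checks that it is really talking to the server. The shell functions below are an added example, not part of the original post: they scan a config for four such gaps, and the function names and finding codes are made up for this example. Note that `remote-cert-tls server` needs a server certificate carrying the serverAuth extended key usage, which the `openssl x509 -req` commands above do not set, while `verify-x509-name` matches on the certificate subject.

```shell
#!/bin/sh
# Added example (not from the original post): flag hardening gaps in an
# OpenVPN config. Function names and finding codes are made up here.

# has_opt FILE NAME... -> true if any listed directive is set (comments ignored)
has_opt() {
    f=$1; shift
    for name in "$@"; do
        awk -v d="$name" '{ sub(/[#;].*/, "") } $1 == d { hit = 1 }
                          END { exit !hit }' "$f" && return 0
    done
    return 1
}

# audit_ovpn FILE -> one finding code per line, nothing if no gap is found
audit_ovpn() {
    conf=$1
    if has_opt "$conf" client tls-client; then
        # Otherwise any certificate signed by the CA, including another
        # client's, is accepted as the server certificate.
        has_opt "$conf" remote-cert-tls verify-x509-name ||
            echo "CLIENT_NO_SERVER_CERT_CHECK"
    else
        # The daemon keeps root after start-up unless "user" is set.
        has_opt "$conf" user || echo "SERVER_NO_PRIV_DROP"
    fi
    # A pre-shared HMAC/encryption key drops unauthenticated packets before
    # they reach the TLS handshake.
    has_opt "$conf" tls-auth tls-crypt || echo "NO_CONTROL_CHANNEL_KEY"
    # Compressing before encrypting leaks information about the plaintext.
    if has_opt "$conf" comp-lzo compress; then echo "COMPRESSION_ENABLED"; fi
}

# Constructed demo: a subset of the directives in the Client.conf above.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
client
dev tun
proto udp
nobind
ca ./ca/ca.cert
comp-lzo
EOF
audit_ovpn "$demo_conf"
rm -f "$demo_conf"
```
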

Passwordless SSH – Mini howto

Recently I had to administer a new site on which I was not allowed to change the password for policy reasons, and the password was very complex, something like this: Un&U2p3rC@s0 (not the real password 😉 )

Each time I had to log on I lost a lot of time, so for the first time I decided to generate RSA public/private keys to log on to a system. For many who are used to this it’s very simple, and for me up to now it’s very easy too.

Basically you have to generate a key pair: a public key and a private key. The question for me was who holds the public one and who the private one. It’s very simple: the user holds the private key, which is private for this reason, and the server holds the public one. The next big question for me was: on which machine should I generate the key pair? The answer is very simple: after generating the key pair you have to copy one key to the other machine, so the one you can pass over the internet is the public one.

After I found the answers to these questions, the next step was very easy:

1) Log on to your client machine

2) type ssh-keygen -t rsa -N '' (You can play with these parameters in many ways)

3) scp the public key to the remote ssh server (scp .ssh/id_rsa.pub remoteuser@sshserver:.ssh/authorized_keys)

4) The copied file should have 0600 permissions, so log on to the server one more time using the typed password and run chmod 0600 .ssh/authorized_keys

Bingo!!! Now you are able to log on without typing the password.

Just some notes:

Your server administrator should allow authorized_keys in user home directories. Check this before following these steps.
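
Step 3 replaces whatever authorized_keys file already exists on the server, and sshd also looks at the mode of the .ssh directory, not only at the file. The following server-side helper is an added example, not part of the original post: it appends a key only if it is missing and sets both modes. The function name install_pubkey and the sample keys are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): install a public key on the
# server without overwriting keys that are already authorized.
# install_pubkey PUBKEY_FILE [HOME_DIR]   (the function name is made up here)
install_pubkey() (
    pub=$1
    home=${2:-$HOME}
    auth="$home/.ssh/authorized_keys"

    # Accept only a file holding exactly one "type base64 [comment]" line,
    # which also rejects a private key passed by mistake.
    key=$(awk 'NF { n++; k = $0 } END { if (n == 1) print k }' "$pub")
    case $key in
        ssh-*' '*|ecdsa-*' '*|sk-*' '*) ;;
        *) echo "not a single public key line: $pub" >&2; exit 2 ;;
    esac

    # sshd's StrictModes check refuses keys in group/world-writable locations.
    umask 077
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || exit 1
    touch "$auth" && chmod 600 "$auth" || exit 1

    # Match on "type base64" so a changed comment does not add a duplicate.
    blob=$(printf '%s\n' "$key" | awk '{ print $1 " " $2 }')
    if grep -qF -- "$blob" "$auth"; then
        echo "already present"
    else
        # Start on a fresh line if the file does not end with a newline.
        [ -z "$(tail -c 1 "$auth")" ] || echo >> "$auth"
        printf '%s\n' "$key" >> "$auth"
        echo "added"
    fi
)

# Constructed demo in a scratch directory; both keys are fake placeholders.
demo=$(mktemp -d)
mkdir -p "$demo/.ssh"
echo "ssh-rsa AAAAOLDKEY admin@old" > "$demo/.ssh/authorized_keys"
echo "ssh-rsa AAAANEWKEY me@laptop" > "$demo/new.pub"
install_pubkey "$demo/new.pub" "$demo"
install_pubkey "$demo/new.pub" "$demo"
rm -rf "$demo"
```
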

Unable to read TLD “META-INF/c.tld” from JAR file

I installed the latest version of JasperServer on my brand new server based on tomcat6 with jdk6, but on the first page I got the message “Unable to read TLD “META-INF/c.tld” from JAR file…”.

My first try was to downgrade tomcat and jdk to a previous version, and it seemed to work. I first thought of a bug somewhere in tomcat, and after some time (20 minutes of my precious time!!!!!) my attention was captured by a message in catalina.out “.. file geronimo.jar skiped … contains Servet violation spec….. ”

So JasperServer contains some servlet libraries in WEB-INF/lib?!?! It could be possible: it’s not a war made by me, so somebody could have made a mistake. Listing the files in WEB-INF/lib I found the entire world of web libraries, jsp-api included. Yes, this is the problem!

Tomcat excludes geronimo.jar because it contains Servlet APIs, but loads the jsp-api located in WEB-INF/lib because no check is made. No JSP can be compiled because jasper (not jasper reports) compiles from one classloader and the jsp-api classes are located in a different classloader.

After removing jsp-api everything works fine again.
