Tuesday, April 23, 2019

[proxmox] - online resize container partition LVM

1. In the Proxmox web UI select the VM's disk, click "Resize disk" and enter the increment in GB. The guest now sees a larger /dev/sda, but partition 3 (the LVM physical volume) still has its old size.

2. # growpart /dev/sda 3
CHANGED: partition=3 start=2101248 old: size=65005568 end=67106816 new: size=85979103,end=88080351

growpart moves the end of partition 3 to the end of the disk without touching its start; the sizes are 512-byte sectors, so this grows the partition from about 31 GiB to 41 GiB (the <41.00g that pvs shows below).

3. # pvresize /dev/sda3
  Physical volume "/dev/sda3" changed
  1 physical volume(s) resized / 0 physical volume(s) not resized

pvresize tells LVM about the larger partition; the physical volume, and with it the volume group, grows to the new size. No logical volume or filesystem has changed yet.

4. # pvs
  PV         VG        Fmt  Attr PSize    PFree
  /dev/sda3  ubuntu-vg lvm2 a--   <41.00g
  /dev/sdb1  ssdMySQL  lvm2 a--    <2.00g
  /dev/sdc1  ssd1gb    lvm2 a--  1016.00m 1016.00m
(the PFree values for sda3 and sdb1 are not legible in the original)

The added space now shows up as PFree on /dev/sda3. It is not yet usable by the root filesystem: that still needs the logical volume extended and the filesystem grown, which can also be done online (the first reference below covers it).

Done!
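The same procedure as a script, added here as an example (it is not from the post): it rehearses the partition change, checks what growpart actually did, and then performs the step the post stops short of, extending the root logical volume and its filesystem online. The layout follows the post (PV on /dev/sda3, VG ubuntu-vg); the root LV name ubuntu-lv and the sda-style partition naming are assumptions, so check them with lvs and lsblk before running it with the argument "run".

```shell
#!/bin/sh
# Added example, not the post's own commands. Assumes the post's layout
# (PV /dev/sda3 in VG ubuntu-vg); the root LV name and the partition naming
# (sda3 rather than nvme0n1p3) are assumptions.
set -u

DISK="${DISK:-/dev/sda}"
PARTNUM="${PARTNUM:-3}"
LV="${LV:-/dev/ubuntu-vg/ubuntu-lv}"

# Turn growpart's "CHANGED: ... old: size=N ... new: size=M ..." line into
# "old_MiB new_MiB" (sizes are 512-byte sectors); fails on NOCHANGE/FAILED.
growpart_sizes_mib() {
    old=$(printf '%s\n' "$1" | sed -n 's/.*old: size=\([0-9]*\).*/\1/p')
    new=$(printf '%s\n' "$1" | sed -n 's/.*new: size=\([0-9]*\).*/\1/p')
    [ -n "$old" ] && [ -n "$new" ] || return 1
    echo "$((old / 2048)) $((new / 2048))"
}

grow_root_lv() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    # Step 1 happened in the Proxmox UI; make sure the guest kernel noticed
    # the larger disk (the rescan node exists for SCSI disks, so it is optional).
    echo 1 2>/dev/null > "/sys/block/$(basename "$DISK")/device/rescan" || true
    lsblk "$DISK"
    # Step 2: rehearse the partition change (exit 1 means nothing to grow,
    # i.e. the disk was not enlarged), then apply it.
    growpart --dry-run "$DISK" "$PARTNUM" || return 1
    change=$(growpart "$DISK" "$PARTNUM") || return 1
    echo "$change"
    echo "partition size in MiB (old new): $(growpart_sizes_mib "$change")"
    # Step 3: let LVM see the larger PV. The VG grows; no LV has changed yet.
    pvresize "${DISK}${PARTNUM}" || return 1
    pvs --units m "${DISK}${PARTNUM}"
    # Step 4 in the post stops at pvs. To use the space, hand the free extents
    # to the root LV and grow its filesystem in one online operation (-r).
    lvextend -r -l +100%FREE "$LV" || return 1
    df -h /
}

if [ "${1:-}" = run ]; then grow_root_lv; fi
```

Run it as root with `sh grow_root_lv.sh run`; without the argument it only defines the functions, so it can be sourced to use growpart_sizes_mib on its own.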

ref:
https://ask.fedoraproject.org/en/question/115383/need-to-resize-lv_home-to-use-remaining-space-on-pv-but-cannot/

https://askubuntu.com/questions/24027/how-can-i-resize-an-ext-root-partition-at-runtime

Thursday, February 14, 2019

implement own CA for own use

parking here: https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/

openssl genrsa -des3 -out myCA.key 2048
 
openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem
 

Creating CA-Signed Certificates for Your Dev Sites

Now that we’re a CA on all our devices, we can sign certificates for any new dev sites that need HTTPS. First, we create a private key:

openssl genrsa -out dev.mergebot.com.key 2048 
 
Then we create a CSR:
openssl req -new -key dev.mergebot.com.key -out dev.mergebot.com.csr 


create the certificate:
openssl x509 -req -in dev.mergebot.com.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial \
-out dev.mergebot.com.crt -days 1825 -sha256 -extfile dev.mergebot.com.ext
dev.mergebot.com.ext is an X.509 v3 extension file for the leaf certificate; it should carry basicConstraints = CA:FALSE (so the site key cannot issue further certificates) and a subjectAltName with the host name, which browsers require since they ignore the CN. -CAcreateserial writes myCA.srl next to the CA files; keep it with them so later certificates get distinct serial numbers.
 
 

Tuesday, May 16, 2017

Wednesday, April 12, 2017

setup openvpn with routing (debian)

ref: https://nikinuryadin.wordpress.com/2010/04/16/step-by-step-setting-up-openvpn-in-debian-with-routing-tun-connection/

Configure OpenVPN using a routed (tun) connection
Configuring the server
#vim /etc/openvpn/server.conf
(add the following lines)
port 443
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/vpnsarandi.crt
key /etc/openvpn/easy-rsa/keys/vpnsarandi.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
ifconfig-pool-persist ipp.txt
server 10.1.0.0 255.255.255.0
client-config-dir ccd
route 192.168.1.0 255.255.255.0
route 192.168.2.0 255.255.255.0
client-to-client
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
Two of these lines show their age. A 1024-bit DH group is too weak for current use; generate dh2048.pem or use an ECDH curve. comp-lzo turns on compression, which current OpenVPN releases deprecate because compressing traffic before encryption lets an attacker who controls part of the plaintext recover secrets (the VORACLE attack); leave it out unless a legacy peer requires it. The push lines need straight double quotes, as curly quotes break the config.
Making directory ccd:
#mkdir /etc/openvpn/ccd
Making file client1 in the ccd directory (the file name must match the common name of the client's certificate):
#vim /etc/openvpn/ccd/client1
(add the following lines)
iroute 192.168.1.0 255.255.255.0
Restart OpenVPN:
#/etc/init.d/openvpn restart
Setting up the Windows client. First, download the OpenVPN client from here (at the time of writing, select 2.1 RC15). Install it, and create a file 'client.ovpn' in the config directory (the Windows GUI only picks up files with the .ovpn extension) with the following parameters:
client
dev tun
proto udp
remote x.x.x.x 443   # replace x.x.x.x with your server IP
resolv-retry infinite
nobind
pkcs12 client1.p12   # replace with the client name
ns-cert-type server
comp-lzo
verb 3
#redirect-gateway
ns-cert-type server makes the client insist that the peer certificate is marked as a server certificate, so another client's certificate cannot be used to impersonate the server; on OpenVPN 2.4 and later use remote-cert-tls server instead, since ns-cert-type is deprecated there. comp-lzo must match the server setting (see the note above).
You can also add 'redirect-gateway' (remove the leading # above) to the client configuration to pass all traffic down the VPN tunnel (rather than just traffic intended for the VPN itself).
Copy the client1.p12 certificate file to the config directory on the client, start the GUI, and connect.
If you need to create any clients in the future, do the following command:
#cd /etc/openvpn/easy-rsa
#source ./vars
#./build-key-pkcs12 clientx
Enable IP forwarding and the TUN/TAP firewall rules on the Linux server (the VPN gateway), not on the clients:
IP Forwarding

Check if IP Forwarding is enabled

#sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0 
or
cat /proc/sys/net/ipv4/ip_forward
0 
As we can see in both of the above examples this was disabled (as shown by the value 0).

Enable IP Forwarding on the fly

#sysctl -w net.ipv4.ip_forward=1 
or
#echo 1 > /proc/sys/net/ipv4/ip_forward 

Permanent setting using /etc/sysctl.conf

#/etc/sysctl.conf:
net.ipv4.ip_forward = 1
#sysctl -p /etc/sysctl.conf
 
On RedHat based systems this is also enabled when restarting the network service:
#service network restart
 
and on Debian/Ubuntu systems this can be also done restarting the procps service:
#/etc/init.d/procps.sh restart 

Using distribution specific init scripts

Although the methods presented above should work just fine and you would not need any other method of doing this, I just wanted to note that there are also other methods to enable IP Forwarding specific to some Linux distributions.
For example Debian based distributions might use the setting:
 
#/etc/network/options:
ip_forward=no 
set it to yes and restart the network service.
Also RedHat distributions might set this using:
#/etc/sysconfig/network:
FORWARD_IPV4=true 
and again restart the network service.
Regardless of the method you used, once you have completed this you can check it using the same method shown above:
#sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1 
#cat /proc/sys/net/ipv4/ip_forward
1 
If the result is 1 then the Linux system will start forwarding IP packets even if they are not destined to any of its own network interfaces.
TUN/TAP forwarding:
Allow TUN interface connections to the OpenVPN server
# iptables -A INPUT -i tun+ -j ACCEPT
Allow TUN interface connections to be forwarded through other interfaces
# iptables -A FORWARD -i tun+ -j ACCEPT
Allow TAP interface connections to the OpenVPN server
# iptables -A INPUT -i tap+ -j ACCEPT
Allow TAP interface connections to be forwarded through other interfaces
# iptables -A FORWARD -i tap+ -j ACCEPT
These rules accept everything arriving from the tunnel. With dev tun only the tun+ rules are needed, and on a server that also has LAN interfaces you will usually want to restrict FORWARD to the VPN subnet and the interfaces it is meant to reach.

** iptables rule for sharing the internet connection on eth1 with the VPN clients: masquerade packets as they leave the internet-facing interface (eth1 here), so replies come back to the server's address rather than to the unroutable tunnel addresses.
#iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
#iptables-save
iptables-save only prints the current rules to standard output; to keep them across a reboot, redirect its output to the file your persistence mechanism restores (on Debian/Ubuntu, /etc/iptables/rules.v4 for iptables-persistent).
Restart networking and OpenVPN:
#/etc/init.d/networking restart
#/etc/init.d/openvpn restart
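The forwarding and firewall part of the procedure as one re-runnable script, added here as an example (it is not from the post or the linked article). It persists ip_forward through a sysctl.d drop-in, narrows the post's blanket tun+ FORWARD rule to the VPN subnet and the internet-facing interface with connection tracking for the return path, inserts each rule only if it is not already present, and saves the result where iptables-persistent restores it. eth1, the 10.1.0.0/24 subnet and UDP port 443 come from the post; the sysctl.d and /etc/iptables/rules.v4 paths and the use of iptables-persistent are assumptions.

```shell
#!/bin/sh
# Added example, not the post's commands. Assumes a routed (tun) server, one
# internet-facing interface and Debian-style iptables-persistent paths.
set -u

WAN="${WAN:-eth1}"
VPN_NET="${VPN_NET:-10.1.0.0/24}"   # the post's "server 10.1.0.0 255.255.255.0"
VPN_PORT="${VPN_PORT:-443}"         # the post's "port 443" / "proto udp"

# Read the forwarding flag from a procfs-style file; succeeds when enabled.
ip_forward_enabled_in() {
    # $1: path, normally /proc/sys/net/ipv4/ip_forward
    [ "$(cat "$1" 2>/dev/null)" = 1 ]
}

# Persist the setting in a drop-in rather than editing /etc/sysctl.conf,
# so a package upgrade of that file cannot silently revert it.
persist_ip_forward() {
    printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-openvpn-forward.conf
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
}

# Emit the rule set as "table chain rule" lines. Compared with the post's
# "-i tun+ -j ACCEPT" in FORWARD, traffic is forwarded only from the VPN
# subnet out via $1, and replies are admitted only when conntrack knows them.
vpn_forward_rules() {
    # $1: WAN interface, $2: VPN subnet
    cat <<EOF
filter INPUT -i $1 -p udp --dport $VPN_PORT -j ACCEPT
filter INPUT -i tun+ -j ACCEPT
filter FORWARD -i tun+ -o $1 -s $2 -j ACCEPT
filter FORWARD -i $1 -o tun+ -d $2 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
nat POSTROUTING -s $2 -o $1 -j MASQUERADE
EOF
}

# Append each rule only if it is not already present (-C), so the script can
# be re-run after a reboot or config change without creating duplicates.
apply_rules() {
    vpn_forward_rules "$WAN" "$VPN_NET" | while read -r table chain rule; do
        # $rule is intentionally word-split into iptables arguments
        iptables -t "$table" -C "$chain" $rule 2>/dev/null \
            || iptables -t "$table" -A "$chain" $rule
    done
    # iptables-save only prints; redirect it to the file iptables-persistent
    # (netfilter-persistent) restores at boot on Debian/Ubuntu.
    mkdir -p /etc/iptables
    iptables-save > /etc/iptables/rules.v4
}

if [ "${1:-}" = apply ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    persist_ip_forward
    ip_forward_enabled_in /proc/sys/net/ipv4/ip_forward || exit 1
    apply_rules
    iptables -t nat -S POSTROUTING
fi
```

Run as root with `sh vpn_forward.sh apply`; the INPUT rule for tun+ is the post's own and still admits anything from connected clients to the server itself, so tighten it to the services clients should reach if the server runs more than OpenVPN.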

Wednesday, September 07, 2016

SMTP Relay With 'STARTTLS'

ref: https://simon.heimlicher.com/articles/2010/08/29/smtp-smarthost

A smart host is simply the SMTP server of another party, often your ISP, that is preferable to your own for reasons such as reliability or credibility. It is configured in /etc/postfix/main.cf with relayhost; to set the port, append :port, for example relayhost = [smtp.example.com]:587 (the brackets tell Postfix to connect to that host directly instead of looking up its MX records).
You may need to authenticate to the smart host, which is also possible. However, your email may still not go through, and often it is because the smart host expects a STARTTLS command before it will accept authentication. This is true for Gmail's SMTP servers.
Check whether /var/log/mail.log contains 530 5.7.0 Must issue a STARTTLS command first.
If this is the case, try appending these two lines to /etc/postfix/main.cf:
smtp_tls_security_level = may
smtp_sasl_security_options = noanonymous
Then issue postfix reload.
The first line turns on opportunistic STARTTLS for outgoing connections. The second matters because Postfix's default is noplaintext, noanonymous, which refuses the PLAIN and LOGIN mechanisms most smart hosts offer; dropping noplaintext is what lets the login succeed once the session is encrypted. Note that may still falls back to clear text if the smart host ever stops offering STARTTLS, and the plaintext credentials would then cross the wire unprotected; for a fixed smart host, encrypt (require TLS) or secure (additionally verify the server certificate against smtp_tls_CAfile) is the safer setting.
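The relay configuration applied with postconf, with the post's opportunistic may setting and the stricter alternatives side by side, as an added example (not from the post or the linked article). The smart host name, port, credentials and the Debian CA bundle path are placeholders and assumptions.

```shell
#!/bin/sh
# Added example, not the post's configuration: authenticated smart host over
# STARTTLS for Postfix. SMARTHOST, PORT, CA_FILE and the credentials are
# placeholders (assumptions).
set -u

SMARTHOST="${SMARTHOST:-smtp.example.com}"
PORT="${PORT:-587}"
CA_FILE="${CA_FILE:-/etc/ssl/certs/ca-certificates.crt}"   # Debian/Ubuntu bundle

# The main.cf settings, one per line, in the form "postconf -e" accepts.
# TLS level: "may" (the post) encrypts when offered but falls back to clear
# text, sending the SASL password unprotected; "encrypt" refuses to deliver
# without TLS; "secure" also verifies the smart host's certificate and name.
smarthost_settings() {
    # $1: smart host, $2: port, $3: tls level (may|encrypt|secure), $4: CA file
    cat <<EOF
relayhost = [$1]:$2
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = $3
smtp_tls_CAfile = $4
smtp_tls_loglevel = 1
EOF
}

# The credential map entry; its key must match relayhost exactly,
# brackets and port included, or Postfix will not find the login.
sasl_passwd_line() {
    # $1: smart host, $2: port, $3: user, $4: password
    printf '[%s]:%s %s:%s\n' "$1" "$2" "$3" "$4"
}

apply_smarthost() {
    # $1: user, $2: password
    umask 077                                   # keep the secret off world-readable disk
    sasl_passwd_line "$SMARTHOST" "$PORT" "$1" "$2" > /etc/postfix/sasl_passwd
    postmap hash:/etc/postfix/sasl_passwd       # builds sasl_passwd.db, 0600 under this umask
    smarthost_settings "$SMARTHOST" "$PORT" secure "$CA_FILE" | while read -r line; do
        postconf -e "$line"
    done
    postfix reload
}

# After applying, confirm that STARTTLS and the login took effect:
#   printf 'Subject: relay test\n\ntest\n' | sendmail you@example.com
#   grep -E 'TLS connection established|status=sent|SASL' /var/log/mail.log
if [ "${1:-}" = apply ]; then apply_smarthost "${2:?user}" "${3:?password}"; fi
```

Run as root with `sh smarthost.sh apply USER PASSWORD`; if the smart host's certificate does not verify under secure (a self-signed ISP relay, for instance), drop to encrypt rather than to may, so credentials still never travel in clear text.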