Wednesday, July 3, 2013

allowing non-root SSH

I keep logging in as root, and this is obviously not ideal, so I want to allow a regular (non-root) user to log in over SSH instead.

Here are some steps I found here


Add a local user

We have been logging in as root, so let’s add a local user. Since I am going to be mounting my existing zpools, I do not want to go back to all of my client machines and change the user IDs. To avoid any ID mismatch I am going to create my user with the same ID as it previously was:
root@megatron:~# useradd -u 1000 -g 10 -m -d /export/home/jarret -s /bin/bash jarret
64 blocks
If you just want the default UIDs, you can run the command below. The -m and -d options create the home directory.
root@megatron:~# useradd -m -d /export/home/username username
Let’s set a password for the new user:
root@megatron:~# passwd fred
New Password:
Re-enter new Password:
passwd: password successfully changed for fred
Now I want to add this user to the sudoers file. Type visudo to safely edit the /etc/sudoers file. Find the line below and remove the ‘#’ mark to enable it:
## Uncomment to allow members of group sudo to execute any command
%sudo ALL=(ALL) ALL
This will allow any user in the sudo group to run sudo. Let’s add the sudo group:
root@megatron:~# groupadd sudo
Now we can add our newly created user to the sudo group:
root@megatron:~# usermod -G sudo fred
Now let’s verify that the user is in the sudo group:
root@megatron:~# id fred
uid=1000(fred) gid=10(staff) groups=10(staff),100(sudo)
Ok, so that looks good. Let’s switch to the jarret user and run sudo:
root@megatron:~# su - fred
OmniOS 5.11     omnios-dda4bb3  2012.06.14
jarret@megatron:~$ sudo -l
Password:
User jarret may run the following commands on this host:
    (ALL) ALL

I also followed these instructions; although they are for a Synology NAS, they go a little further.
6. Execute the following from the command line as root:
cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
vi /etc/ssh/sshd_config
Change the line “#Protocol 2,1” to “Protocol 2” and the line “#PermitRootLogin yes” to “PermitRootLogin no”, then quit saving changes (notice we removed the “#” from both lines).
You may also want to adjust the “LoginGraceTime” and “MaxAuthTries” settings, just be sure to remove the leading “#” from those lines.
7. Restart SSHD. If you are using the beta firmware you can disable then enable the service using the web-based management interface. If not, you may be able to use the disable SSH patch, then the enable SSH patch which may restart your NAS device (I have not tested this), or you can simply execute the following from the command line as root:
svcadm restart ssh
I have not personally tested the above command either, and it may end your SSH session if that is where you execute it from. Alternatively, you could temporarily enable Telnet, login as root to execute the command above, then log out and disable Telnet.
8. Test the changes. If you use “ssh -1 user@host” when connecting to your NAS device, you should get an error that reads something like “Protocol major versions differ: 1 vs. 2”. If you try to SSH in as root, it should prompt you for the password, but give you an error like “Permission denied, please try again.” even if you supply the correct password. Finally, you should be able to log in via SSH as your regular user (i.e. frank).
*Please note that if you change your regular user’s info (like password, etc.) using the web-based management interface, the information in /etc/passwd will revert back to the defaults, which will no longer let you log in via SSH using that user. If this happens, don’t panic, you can always SSH in as admin (which should have the same password as root, but not the same privileges). Unfortunately, only root can execute the “su” command, so to allow your regular user to use SSH again you will have to temporarily enable Telnet, log in as root, repeat step #4 above, log out and disable Telnet.
Telnet is also the only way to regain root command line access, which is required to edit “/etc/ssh/sshd_config”, should you want to restore root SSH logins at some point. Alternatively, one could install sudo to execute commands as root, but that is beyond the scope of this post.
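As an added example (not from the post, and not from the Synology guide quoted above): a small POSIX shell script that makes the sshd_config edits from step 6 on whatever file path you hand it, keeps the .orig copy, and asks sshd to parse the result before you restart anything, which is the check that keeps you from losing the session you are editing from. The function names, the MaxAuthTries and LoginGraceTime values, and the sample config lines are all constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post or the quoted guide.
# Applies the sshd_config changes described above to the file given as an
# argument, so it can be tried on a scratch copy before being pointed at
# /etc/ssh/sshd_config. MaxAuthTries/LoginGraceTime values are constructed.

# set_directive FILE KEY VALUE: rewrite every line that sets KEY (including
# commented-out "#KEY ..." lines) to "KEY VALUE", or append it if no such
# line exists. Re-running it yields the same file, so it is safe to repeat.
set_directive() {
    _file=$1; _key=$2; _value=$3
    if grep -q "^[#[:space:]]*${_key}[[:space:]]" "$_file"; then
        # portable stand-in for sed -i: write a temp file, then move it over
        sed "s|^[#[:space:]]*${_key}[[:space:]].*|${_key} ${_value}|" "$_file" > "$_file.tmp" \
            && mv "$_file.tmp" "$_file"
    else
        printf '%s %s\n' "$_key" "$_value" >> "$_file"
    fi
}

# harden_sshd_config FILE: the two edits from step 6, plus the two optional
# limits the guide mentions, with a .orig backup kept beside the file.
harden_sshd_config() {
    _cfg=$1
    cp -p "$_cfg" "$_cfg.orig"
    set_directive "$_cfg" Protocol 2
    set_directive "$_cfg" PermitRootLogin no
    set_directive "$_cfg" LoginGraceTime 30   # seconds; constructed value
    set_directive "$_cfg" MaxAuthTries 4      # constructed value
}

# check_config FILE: succeed only if the file now says what step 8 expects
# to observe (no SSH protocol 1, no root login).
check_config() {
    grep -q '^Protocol 2$' "$1" &&
    grep -q '^PermitRootLogin no$' "$1" &&
    ! grep -q '^PermitRootLogin yes' "$1"
}

# syntax_check FILE: have sshd parse the file without starting it. Restart
# the service (svcadm restart ssh on OmniOS) only when this passes, and
# confirm a fresh login works before closing the session you are in.
syntax_check() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "sshd not installed here; skipping syntax check" >&2
    fi
}

# Demo on a constructed sample of the stock file's relevant lines.
demo=$(mktemp)
cat > "$demo" <<'EOF'
#Protocol 2,1
#PermitRootLogin yes
#LoginGraceTime 2m
#MaxAuthTries 6
Subsystem sftp /usr/lib/ssh/sftp-server
EOF
harden_sshd_config "$demo"
check_config "$demo" && echo "hardened copy written to $demo (original kept as $demo.orig)"
syntax_check "$demo" || echo "syntax check failed; do not restart sshd" >&2
```

Run it against a copy first (`cp /etc/ssh/sshd_config /tmp/sshd_config && sh harden.sh`, with the demo path swapped for yours); once check_config and syntax_check both pass on the real file, restart the service from your existing root session and open a second terminal to verify that root is refused and the regular user gets in, before you close the first one.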


Now I just have to remember to log in as user fred, and to use sudo or pfexec for anything that needs root.


APCUPSD


I have an APC Back-UPS XS 1500. I bought a new battery for it, anticipating using it for my router, cable modem, and microserver. All these devices are pretty low power, and given that it's got 1500W, it should provide quite a bit of run-time. While it would be possible to just let the peripherals run the UPS dry and then crash themselves out, I wanted the microserver to be able to exit gracefully into a power-off state. So, I need to install either NUT or APCUPSD. I decided on the latter.

I found a great tutorial here:

There were a couple of niggles. First, I had to get a copy of sunlibusb and sunlibusbgen (off an outdated ISO file that was hosted in the UK and was 3.6GB in size). Once I had those packages, installing them was trivial.

Second, I had to get my UPS to use the generic USB driver (ugen) instead of the HID driver. That required some googling.

One user here found the solution, but I actually found this more in-depth explanation first.

First up I had to change the driver [OmniOS] allocated to this device from a HID driver to a UGEN
1. Run #prtconf -v and look for your usb device – I dumped this into a text file and searched for "Back-UPS" or "1500" since I have a model XS-1500
2. Remove the ugen driver from memory #rem_drv ugen
3. Force the device to load with the ugen driver (find the address of the usb device from step 1)
#add_drv -i '"usb51d,2.106"' -m '* 0666 root sys' ugen
4. Done – check the device is a ugen device either through #prtconf -D or #dmesg | grep ugen
Second, I had to configure /etc/apcupsd/apcupsd.conf, and then start the service.
1) After you make install, you need to first configure a couple settings in /etc/apcupsd/apcupsd.conf … there are plenty of examples on the web.
2) you need to start the daemon before you can test its status (last step of this tutorial).
# /etc/init.d/apcupsd start
# /etc/init.d/apcupsd status
I am running apcupsd-3.4.10 on OmniOS stable with an APC Back-UPS XS-1500
Of note, you can run #/etc/init.d/apcupsd status to make sure the service is up, but if you want to run 
#/usr/local/sbin/apctest
you need to STOP the service first.

Let's hope that apcupsd auto-starts on reboot.

OmniOS + Napp-it

I've read a lot about virtualization, and while I did originally download the ESXi 5.1 hypervisor to try to run a couple of virtual machines (I was thinking Linux as a server + WinXP or OS X to run an iTunes instance), the microserver does not support PCI passthrough. This means that I could not use extra drives on a RAID card, or even see USB devices. It is a failure of the hardware, and I'll have to leave playing with virtualization for my next go-round of hardware.

Because this is more than just a NAS, but also a backup of my data, I wanted to ensure data integrity. I feel that although hard drive manufacturers are building bigger disks these days, they aren't terribly reliable. I've had more than my fair share of Maxtor, Western Digital, and Samsung drives die on me. The worst is when they aren't backed up and there is data loss. I'm terrible about manually doing backups, it has to be completely automatic and transparent to me. That's one of the reasons why I bought an Apple Time Capsule. But the time capsule suffers from excessive heat in its fanless environment. I did a small mod to reverse the fan and keep it turned on, but it still feels too warm for my taste. I've got a WD RE4 GP drive in there, which is supposedly a SATA enterprise-rated 5M hours mtbf drive, but I've heard that SATA, and SATA-NL (near line) are not as enterprise reliable as SAS drives. So, I wouldn't be surprised if the time capsule drive eventually failed... and while the backups wouldn't be the end of the world (hopefully the original data still exists on my laptop), it would be a case where there was no backup of the time-capsule data.

The first thing I decided on was to use a redundant backup system of drives on my microserver. I at first thought about RAID, but I've had some difficulty in the past with RAID, and apparently so have others. I've read about people having trouble rebuilding their arrays, and that if you did rebuild them they took forever. I became very intrigued with a ZFS-based storage solution, and decided this was the way I was going to roll. This ruled out Ubuntu (linux) as there is no real ZFS solution there, and led me to consider FreeNAS (BSD based), but when I learned that ZFS is native to Solaris, I decided to use that. Unfortunately, Sun Solaris is no more. After Oracle acquired Solaris, things changed. I had a couple options.
Option 1) use the old Sun Solaris 10. I ruled this out as there was no more development being done here.
Option 2) use OpenSolaris. I also ruled this out for a similar reason.
Option 3) use Oracle Solaris 11. I ruled this out as I wanted a free solution.
Option 4) use illumos. This was the way forward. There are a couple different flavors of illumos - Nexenta is one, OpenIndiana is one, SmartOS and OmniOS are others. I ruled out NexentaStor because there is a hard limit on how much storage space you can use for free before you have to buy a beefier version. I tried OI, but as the lead developer recently quit and development there was going to be slow, I ruled it out as well. I decided to go with OmniOS, mostly because I discovered Napp-it.

Of the various illumos iterations, most have web-based GUI interaction, and I liked this. Like FreeNAS, Nexentastor had a commercial web-GUI. Napp-it was written to provide a web GUI for OmniOS, and it was free.  I found a very recent version of Napp-it (gea, the lead maintainer, is continually doing nightly updates) and discovered that there was a flavor called Napp-it-to-go. It runs in RAM memory, loads off a USB stick, and doesn't require installing napp-it or OmniOS to a hard drive. COOL!

I loaded it onto a Patriot Rage XT 16GB USB 2 drive, and loaded it up. Configuring it was only slightly challenging. I discovered that creating a ZFS pool and a ZFS folder to share via AFP was not difficult, but that I could not actually write to the shared folder on the Mac. I discovered I had to adjust the recursive permissions for the folder, which I did via CLI, before I discovered that there was a way to do it in Napp-it.

I created a couple different ZFS folders:
Public - for general useless/temporary stuff that anyone can gain access to
Media - for Movies and iTunes library
Backup - for home movies and documents

We'll see how these work out, but creating and deleting these folders is pretty easy via the web interface. And there's even SSH for those of us with CLI skills.

New Microserver!!!

Alright, we've got our hands on a brand new HP Microserver N54L to create a new NAS for the home. This will also double as a backup of my data, which is currently pushing into 4.5TB across various internal and external USB hard drives.  While the G8 micro server is just about to be announced, the leaked specs make me feel comfortable having just picked up a G7 micro server for less than $300 on sale from Amazon (not the lowest price according to slickdeals.net, but still pretty good).

Reasons for being happy with the G7 include
- I don't love the new look of the G8
- The G8 will certainly be more expensive than the G7
- The G8 does away with the 5.25" slot, meaning it may be more difficult to add extra drives
- The G8 forces you into having a slot-load DVD (useless IMO)
- The G8 likely does away with a PCIe slot (less expansion options)
- More USB ports on the back, less on the front

What you'll get with a G8 microserver
- a faster CPU (not necessary for me as a NAS device, but useful for VM)
- built-in iLO4 (not really necessary for me, and can add with a R.A.C. on the G7)
- official support for 16GB RAM (the G7 can handle this already)
- two built-in USB3 ports (can add to a G7 with a card if you need it)

The first thing I did was upgrade the BIOS with the BIOS-mod (google it) to enable AHCI on all the SATA ports, and to enable some extra features normally hidden in the BIOS. (I love modding things to get more performance/value out of them!!!)

The next thing I did was slap in 16GB of ECC RAM (Kingston KVR1333D3E9SK2/16G) for VM goodness (~$125)

Then I clipped the molex connector running to the 5.25" bay slot so I could extend it with some spare wire so it would reach the right hand side of the drive bay, and pushed in a Thermaltake 6-in-1 (not cheap @ ~$95) unit so I can cram six 9.5mm / 2.5" 1TB drives into a single 5.25" slot.

I also picked up a RocketRaid 2720SGL card for $90, and two Startech SAS-to-SATA (SAS8087S450) breakout cables so I can run an extra 8 SATA drives off the RR card.

All of this has been done before, I just followed in the footsteps of others.

I have added four 2TB HGST 7200RPM 64MB cache SATA III OEM hard drives ($116 ea) that are "Enterprise" rated (SATA, not SAS) @ 2M hours MTBF.  I also obtained six new HGST Travelstar 1TB 7200RPM 32MB cache SATA II drives that I am toying with adding up top (and still there is room for two more).
Total storage is more than I need at the moment (I need ~4.5TB, and this is 8TB + 6TB = 14TB), but with redundancy (RAID-Z ZFS file system and/or SnapRaid), it's probably more like 6TB + 4TB = 10TB.  I believe having double your requirements is a good measure for expandability in the future, but I notice I save fewer and fewer movies after I watch them, and my pictures/home movies are only growing so fast...

Still, the 6 Travelstar drives were $80 each, and I'm toying with sending them back as it's almost $500 that I'm putting into storage that I don't need today, and that will likely be cheaper and/or faster tomorrow.  I've learned not to invest in technology you aren't immediately using - it's outdated too quickly if you aren't getting your money's worth out of it RIGHT NOW.

Cost so far:

HP Microserver - $300
16GB RAM - $125
RR2720SGL - $90
2 X SFF-8087 cables - $50
4 X 2TB HD - $460
6 x 1TB HD - $475
Thermaltake dock - $97

Total           $1,600

The hardware was cheap (excluding the hard drives), and I'm quite happy with that. It's more flexible than a synology or qnap device, and probably better value too. Then throw on four 2TB hard drives (I couldn't afford 3TB right now) and you're up into serious (for me) money for a home server. Bye-bye iPad budget, we just bought a home server instead. My budget was ~$1000, so you see why I'm thinking of turning back those 1TB boys if I don't think they'll be filled up anytime soon.

I contemplated what I would want running as an OS for my NAS. I initially thought I would go for FreeNAS. Although it is a very nice package solution, I really wanted ZFS and I thought Solaris did ZFS better than FreeBSD. So my options were Solaris 10, OpenSolaris, OpenIndiana, Nexenta, and OmniOS. After weighing all these options, each one was crossed off (for various reasons) until I decided on OmniOS.

Solaris 10 - no longer developed
OpenSolaris - no longer developed
OI - as of a few months ago when lead developer stepped down, no longer developed.
Nexenta - slow web GUI, 18TB ceiling before you must pay.
OmniOS - WIN!


OmniOS has no built-in web management tools, but you can use a project called Napp-it to arrive at a 95% commercial solution for free. So, the first thing I did was install OmniOS + Napp-it via Gea's Napp-it-to-go USB solution. I have two Patriot XT Xporter drives (a 16GB and a 32GB) that I was using (mirrored) for this. But the lack of TLS support for gmail emailing over port 587 meant that I couldn't receive email alerts for problems with the NAS. That is a real bummer, although not a total show stopper.

The next thing I did today was work out how to install ESXi onto the micro server. I downloaded HP's flavor of the newest ESXi 5.1, as suggested here, which will give a little bit more info in ESXi for my hardware.  I used unetbootin to extract the ISO onto an older OCZ Rally 2GB flash drive (formatted as MS-DOS in Disk-Utility on my Mac) as the instructions indicate. Actually, these are better instructions.

Then (because the microserver does not support UEFI) I had to do a little workaround... Thanks Raul!



I wanted to consolidate data across multiple NAS, including DNS-323, WD MyBook Live, so bought a HP Microserver N40L.

Planning to run NAS4Free on ESXi, so downloaded HP customized ESXi 5.1.0 (VMware-ESXi-5.1.0-799733-HP-5.32.5 (1).iso) from VMWare.

One thing at a time. For a start, followed the steps in here to get the ISO on the USB.

Plug it into the USB, boot it up, and realize it enters interactive mode.

But, I have thrown all my USB keyboards away when I moved last year, so needed a way to install without a keyboard.

So, I needed a way to run ESXi installation in scripted mode.

First, the unetbootin created 3 .cfg in the USB drive, and only 2 are important: syslinux.cfg and boot.cfg

Edit syslinux.cfg, and change DEFAULT=menu.c32 to the label for the ESXi installer. For my case, it was ubnentry0. (DEFAULT=ubnentry0)

Next, for the boot.cfg, a ks (kickstart) script is needed for the scripted install. So change the line in boot.cfg as according to the doc to

kernelopt=runweasel ks=file://etc/vmware/weasel/ks.cfg

Reboot N40L with the USB and the installation starts after boot up.

------------------------------------------------------------------------------------------------------------------------

One thing to mention: the first time I tried installing ESXi I kept getting an error message "No operating system found -- boot failure". I tried all means of solving this problem: re-formatting the USB drive in Disk Utility, re-downloading the ISO and unetbootin, re-naming the ISO to a shorter name, re-extracting the files from the ISO to the USB, removing my RR card, removing the 16GB RAM and re-installing the original 2GB of RAM, pre-launching the USB installer on my MacBook Pro before trying to install it on the micro server, and nothing seemed to work. Finally, the thing that seemed to work was
1) booting VirtualBox into Windows, and launching the HP BIOS formatting tool to format the USB drive as a bootable disk to restore the firmware,
2) deleting all the files on the USB drive,
3) inserting the USB into the rear-most port of the MacBook Pro (previously I think I was always using the front port),
4) re-extracting the files from the ISO image,
and then I got the micro server to recognize the boot script (even without the modifications listed above to the cfg files!)

----------------------------------------------------------------------------------------------------------------------------------

I let it install ESXi onto the 2GB flash drive running off the internal USB port. After a reboot, ESXi was up and running. Next was to install OmniOS + Napp-it on top of my new hypervisor to handle the storage of data (ZFS!), and to try to install a flavor of Hackintosh VM (Mountain Lion?) so I can run a "true" iTunes server for my AppleTV and my AirPort Expresses.