Friday, August 17, 2018

Red Hat Container Development Kit 3.5 - Installation Issue with Libvirt (KVM) Group Membership

If you follow the installation instructions for Red Hat's Container Development Kit 3.5, on RHEL 7.5, most everything works well, until you get to the point of starting the virtualized minishift host:



You get a failure when trying to connect to Docker on the VM.  The problem is that, if you strictly follow the instructions, your user is not a member of the 'libvirt' group.  This is easy to rectify, though.  All you need to do is:

1) Remove the existing minishift VM:



2) Add yourself to the requisite group:



3) And relaunch minishift:



Hopefully I can get the docs updated, so this isn't necessary, in the near future.

Wednesday, August 1, 2018

Suspend Issues with the Lenovo ThinkPad X1 Carbon 6th Generation

UPDATE 2018/09/12:
And the final solution seems to be at hand!  Lenovo has released 0.1.30, and that apparently re-adds S3 sleep to the ACPI tables:

https://brauner.github.io/2018/09/08/thinkpad-6en-s3.html

UPDATE 2018/09/07:
So, it appears that there is a new firmware version available from Lenovo, 0.1.28.  The patch no longer cleanly applies, and Adrian has re-rolled it:

https://lisas.de/~adrian/?p=1328

Thanks, Adrian, that's a much easier way to reliably patch the ACPI tables!

I'll update this post, later, with an updated step-by-step guide.

ORIGINAL POST:
Those of you who have the new (and very nicely built!) Lenovo ThinkPad X1 Carbon 6th generation, and who run Linux, may have noticed that suspend doesn't work properly.  I'm running Fedora 28, but this problem has been reported on Arch and Ubuntu, as well.  The issue seems to be that the X1 is using a new suspend technology called "Windows Modern Standby," or S0i3, and has removed classic S3 sleep.  S0i3 technology was added to the mainline Linux kernel with v4.13, but there is apparently a BIOS bug preventing this from working properly.

To work around this problem, we need to patch the ACPI DSDT tables, created by the BIOS, to re-add S3 sleep.  There's a fantastic guide here, which was written by Erik Sonnleitner of the University of Applied Sciences of Upper Austria.

To summarize his excellent directions:
  • In the BIOS, set "Thunderbolt BIOS Assist Mode" to Enabled, and disable secure boot.
  • Install "iasl" and "cpio"
  • Once the system has booted whichever Linux distribution that you use, dump the DSDT table
sudo cat /sys/firmware/acpi/tables/DSDT > dsdt.aml
  • Reverse compile the DSDT table
iasl -d dsdt.aml
  • Download the patch, and patch your decompiled code
    • I had to patch hunk #7 by hand, but this wasn't a big deal
patch --verbose < X1C6_S3_DSDT.patch
  • Compile your updated DSDT code
iasl -ve -tc dsdt.dsl
  • Create a new ACPI override package
mkdir -p kernel/firmware/acpi
cp dsdt.aml kernel/firmware/acpi
find kernel | cpio -H newc --create > acpi_override
sudo cp acpi_override /boot

  • Now, you need to update your grub.cfg
sudo sed -i 's/quiet"/quiet mem_sleep_default=deep"/' /etc/default/grub
echo GRUB_EARLY_INITRD_LINUX_CUSTOM=acpi_override | sudo tee -a /etc/default/grub
sudo grub2-mkconfig -o /boot/grub2/grub.cfg
  • The second change won't work immediately, on Fedora, as GRUB_EARLY_INITRD_LINUX_CUSTOM isn't yet supported
  • So, we need to update the grub boot config, and then manually update the initrd entries to add the new ACPI overlay, before booting the initial ramdisk
sudo sed -i 's/initrd16 \/initramfs/initrd16 \/acpi_override \/initramfs/' /boot/grub2/grub.cfg
  • Upon reboot, suspend should work properly.
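
The steps above can be checked afterwards with a few read-only helpers. This is an added example, not part of Erik's guide or the original post; the function names and the sample grub.cfg fragment are constructed for illustration. It matters because re-running grub2-mkconfig rewrites grub.cfg and drops the hand-edited initrd16 lines.

```shell
#!/bin/sh
# Added example: read-only checks for the ACPI override steps above.

# Constructed sample grub.cfg fragment: the first entry carries the hand
# edit, the second is what a freshly generated entry looks like without it.
sample_grub_cfg() {
    cat <<'EOF'
menuentry 'Fedora (constructed-kernel-a)' {
    linux16 /vmlinuz-a root=/dev/mapper/fedora-root ro quiet mem_sleep_default=deep
    initrd16 /acpi_override /initramfs-a.img
}
menuentry 'Fedora (constructed-kernel-b)' {
    linux16 /vmlinuz-b root=/dev/mapper/fedora-root ro quiet mem_sleep_default=deep
    initrd16 /initramfs-b.img
}
EOF
}

# Print the active suspend mode from /sys/power/mem_sleep text.
# The kernel brackets the active mode, e.g. "s2idle [deep]" -> deep.
active_sleep_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z0-9]*\)\].*/\1/p'
}

# Count initrd16 lines in the given grub.cfg that do not load
# /acpi_override as their first image.
initrd_missing_override() {
    awk '$1 == "initrd16" && $2 != "/acpi_override" { n++ } END { print n + 0 }' "$1"
}

# Succeed if a newc cpio archive holds the table at the path the kernel
# expects for ACPI overrides: kernel/firmware/acpi/dsdt.aml.
override_has_dsdt() {
    cpio -it < "$1" 2>/dev/null | grep -qx 'kernel/firmware/acpi/dsdt.aml'
}

# Demo on the constructed sample only.
tmp=$(mktemp)
sample_grub_cfg > "$tmp"
echo "active mode: $(active_sleep_mode 's2idle [deep]')"
echo "entries missing the override: $(initrd_missing_override "$tmp")"
rm -f "$tmp"
```

On a real system, pass "$(cat /sys/power/mem_sleep)", /boot/grub2/grub.cfg and /boot/acpi_override to the three functions.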

Friday, June 29, 2018

Adding Packages to RHEL Containers on Amazon EC2 with Cloud Access

I just ran into an interesting use case, where I needed to be able to add packages to my RHEL containers when they are hosted on Amazon's EC2.  Anyone else who has tried this may have run into the same problem: RHEL subscription information isn't passed to containers, by default, when run on cloud access instances.

For example:

# podman run --rm -it registry.access.redhat.com/rhel7
[root@7a52d3bac972 /]# yum install httpd
Loaded plugins: ovl, product-id, search-disabled-repos, subscription-manager
This system is not receiving updates. You can use subscription-manager on the host to register and assign subscriptions.
There are no enabled repos.
 Run "yum repolist all" to see the repos you have.
 To enable Red Hat Subscription Management repositories:
     subscription-manager repos --enable <repo>
 To enable custom repositories:
     yum-config-manager --enable <repo>

In order to work around this, you can use bind mounts, as described in the podman man page, in the section on --volume.  There are a number of files and directories that you will need to mount.  In the below example, you can see a successful run:

# podman run \
    -v /etc/pki/rhui:/etc/pki/rhui \
    -v /etc/yum/pluginconf.d:/etc/yum/pluginconf.d \
    -v /etc/yum/pluginconf.d/rhnplugin.conf:/etc/yum/pluginconf.d/rhnplugin.conf \
    -v /etc/yum.repos.d/redhat-rhui.repo:/etc/yum.repos.d/redhat-rhui.repo \
    -v /etc/yum.repos.d/redhat-rhui-client-config.repo:/etc/yum.repos.d/redhat-rhui-client-config.repo \
    -v /etc/yum.repos.d/rhui-load-balancers.conf:/etc/yum.repos.d/rhui-load-balancers.conf \
    -v /usr/lib/yum-plugins:/usr/lib/yum-plugins \
    -v /usr/share/rhn:/usr/share/rhn \
    -v /usr/share/yum-plugins:/usr/share/yum-plugins \
    --rm -it registry.access.redhat.com/rhel7

For an offline run of the container, you will need to copy in those same files.  However, if you only want to install files to a container running on persistent storage, temporary mapping of the RHUI-required files and directories is sufficient.

Monday, November 13, 2017

SSMTP and Authenticated SMTP

Related to my previous post, this page has an excellent (and short) write up of how to deal with Comcast (or any other authenticated SMTP provider) email forwarding, using a smarthost.

As recommended, I installed ssmtp (and mailx) onto Raspbian with the following:
sudo apt-get install ssmtp
sudo apt-get install bsd-mailx
I edited /etc/ssmtp/ssmtp.conf, to include the following settings:
# comcast
mailhub=smtp.comcast.net:587
UseSTARTTLS=YES
UseTLS=YES
AuthUser=<username>@comcast.net
AuthPass=<plaintext password>
rewritedomain=<fqdn>
FromLineOverride=YES
hostname=<hostname + fqdn>
This was a heck of a lot easier than the alternatives, using exim4, that are documented in other places.

Monday, November 6, 2017

Manual Testing of Mail with SMTP and TLS

If you're anything like me, you've used the telnet method to verify SMTP connectivity many times, over the years:

$ telnet smtp.mail.com 25
EHLO domain.com
MAIL FROM: alex@mydomain
RCPT TO: alex@someotherdomain
DATA
Subject: This is a test email
This is a test email.
.

In the modern era of TLS encrypted email connectivity, this no longer works.  However, there is a similar method, only requiring Perl or BASH, and OpenSSL.  Thanks to https://www.saotn.org/test-smtp-authentication-starttls/ for the details.

First, you need to create an authentication string that the remote mail server will accept.  With Perl, do this:

$ perl -MMIME::Base64 -e 'print encode_base64("\000username\@example.com\000password")'
AHVzZXJuYW1lQGV4YW1wbGUuY29tAHBhc3N3b3Jk

With BASH, do this:

$ echo -ne '\0username@example.com\0password' | base64
AHVzZXJuYW1lQGV4YW1wbGUuY29tAHBhc3N3b3Jk
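
The token layout can be made explicit with a pair of helpers. This is an added example, not from the original post or the linked article; the function names are constructed for illustration. It builds the token with printf, so a user name that begins with a digit cannot be absorbed into the escape sequence, and it decodes a token back to its fields, which shows the string is only encoded and belongs inside the TLS session.

```shell
#!/bin/sh
# Added example: build and inspect a SASL PLAIN token (RFC 4616 layout:
# authzid NUL authcid NUL passwd, with an empty authzid as on this page).

# printf with a fixed format keeps the NUL separators apart from the
# credentials. With bash's echo -e, a user name that starts with a digit
# is absorbed into the escape: '\01user' yields byte 0x01 followed by
# "user", not NUL followed by "1user".
auth_plain_token() {
    printf '\000%s\000%s' "$1" "$2" | base64 | tr -d '\n'
}

# Reverse the encoding and label the three fields.
decode_auth_plain() {
    printf '%s' "$1" | base64 -d | tr '\000' '\n' |
        awk 'NR == 1 { print "authzid=" $0 }
             NR == 2 { print "authcid=" $0 }
             NR == 3 { print "passwd=" $0 }'
}

# Demo with the placeholder credentials used in this post.
token=$(auth_plain_token 'username@example.com' 'password')
echo "AUTH PLAIN $token"
decode_auth_plain "$token"
```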

Then, you can make your test connection to the mail server, using the handy "s_client" functionality of OpenSSL:

$ openssl s_client -connect smtp.gmail.com:587 -starttls smtp
CONNECTED(00000003)
<removed all the certificate junk>
---
250 SMTPUTF8
EHLO there
250-smtp.gmail.com at your service, [73.213.115.193]
250-SIZE 35882577
250-8BITMIME
250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-CHUNKING
250 SMTPUTF8
AUTH PLAIN AHVzZXJuYW1lQGV4YW1wbGUuY29tAHBhc3N3b3Jk
235 2.7.0 Accepted

See, it really wasn't very hard, was it?

Thursday, September 14, 2017

Mounting Ubiquiti UniFi AC Access Points

I recently had my new house wired, so that I could install my long-serving Ubiquiti AC access points onto the ceiling, with no visible wiring.  I noticed, after I hired an electrician to install ceiling boxes, that Ubiquiti's rotary mount has 2 significant flaws:


  1. The holes provided for wall/ceiling mounting do not match either the US 2-3/4" or 3-1/2" ceiling box mounting holes.
  2. The rotary mounting plate has a release lever that is almost impossible to access, once it is mounted on the ceiling, as the lever is almost flush with the bottom of the access point.

I created, based on the work of several other folks, a US ceiling mount adapter, with a 20mm relief height, and posted it on Thingiverse:


This is a simple part, created in OpenSCAD, but I am inordinately proud of it, as it is the first 3D printed part that I have created, without any outside assistance.

I'll probably talk more about 3D printing, in the future.  I recently acquired a used Prusa i3 Mk2 printer, and have been highly satisfied with it.

Tuesday, September 12, 2017

Scrolling and screen

I've been using screen for a heck of a long time now, and it has always bugged me that scrolling back through history isn't the easiest.  However, I just ran into a great little bit of termcap data that you can add to your .screenrc:

# Enable mouse scrolling and scroll bar history scrolling
termcapinfo xterm* ti@:te@

With that line added, you can use mouse scrolling, which makes my screening that much happier!