HowTo: How to view The Pirate Bay if your country is blocking access

Today, after reading http://derechoaleer.org/blog/2014/07/the-pirate-bay-el-catalogo-de-la-biblioteca-de-babel.html, I felt like getting subversive.

I don't like it when a country does things in favor of the commercial interests of companies with a distracted sense of morality.

So, here are some techniques so you can dodge your country's blocking attempts:

Access through the PirateBrowser

If you download the browser, you'll be able to get in without problems: http://piratebrowser.com/

IP in your hosts file

For those of us who prefer to keep using our own browser: if your ISP is blocking thepiratebay.se via DNS, you just need to add the IP of thepiratebay.se to your hosts file. Currently, the IP is 194.71.107.27, but it can change. To find it out, look for an online dig service.

Just enter the domain and it will give you the IP. Then, it's easy to add to your hosts file.

For GNU & Linux:

    # append the IP to your /etc/hosts file (on Fedora, dig comes from the bind-utils package)
    # note: ">>" appends; a single ">" would wipe the whole hosts file, including the localhost entry
    echo "$( dig @8.8.8.8 +short A thepiratebay.se | grep -E '^[0-9.]+$' | head -n1 ) thepiratebay.se www.thepiratebay.se" >> /etc/hosts

If that doesn't work, edit the /etc/hosts file as root and add the entry: 194.71.107.27 thepiratebay.se www.thepiratebay.se

You may have to update the IP manually from time to time. Just repeat the steps and that's it.

For Mac or Windows users, follow the steps provided here, but using the same kind of entry shown in this article: http://www.rackspace.com/es/knowledge_center/article/how-do-i-modify-my-hosts-file
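Since the IP changes and the steps have to be repeated, here is an added example (not code from the original post) that updates a hosts entry idempotently: an existing line for the same hostname is replaced instead of piling up duplicates, and the address is checked before anything is written. The HOSTS_FILE override is this example's own, so it can be tried on a scratch copy; it defaults to the real /etc/hosts.

```shell
#!/usr/bin/env bash
# Idempotent hosts-file update (added example; HOSTS_FILE is an assumed override).
set -u
HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"

# is_ipv4 ADDR -> 0 if ADDR is four dotted decimal octets in 0-255
is_ipv4() {
    local ip="$1" o
    case "$ip" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    local IFS=.
    set -- $ip
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# set_hosts_entry IP HOSTNAME [ALIAS...]
# Drops any line that already maps HOSTNAME, then appends "IP HOSTNAME ALIAS...".
# Returns 1 (and writes nothing) if IP does not look like an IPv4 address.
set_hosts_entry() {
    local ip="$1"; shift
    local name="$1" esc tmp
    is_ipv4 "$ip" || return 1
    esc=$(printf '%s' "$name" | sed 's/\./\\./g')
    tmp=$(mktemp)
    # keep every line except those where NAME appears as a whole word after the IP
    grep -vE "[[:space:]]$esc([[:space:]]|\$)" "$HOSTS_FILE" > "$tmp" 2>/dev/null || true
    printf '%s %s\n' "$ip" "$*" >> "$tmp"
    cat "$tmp" > "$HOSTS_FILE"
    rm -f "$tmp"
}

# lookup_hosts_ip HOSTNAME -> prints the IP currently mapped to HOSTNAME, if any
lookup_hosts_ip() {
    awk -v n="$1" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }' "$HOSTS_FILE"
}

# usage (as root, on the real file):
# set_hosts_entry "$(dig @8.8.8.8 +short A thepiratebay.se | head -n1)" thepiratebay.se www.thepiratebay.se
```

Re-running the function after the address changes leaves exactly one line for the host, and the localhost entries are never touched.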


HowTo: Create an interface configuration with nmcli on CentOS7 and Fedora

I ran through hell today!

I tried doing things the old way. You know; edit /etc/sysconfig/network-scripts/ifcfg-eth1 in order to set it to a static IP. Well, bad idea.

I had all kinds of problems when the two interfaces were online (eth0 and eth1). For example:

  • eth0, even having BOOTPROTO=dhcp, would get the static IP address of eth1.
  • eth1 would get an IPv6 address but not its static address.
  • network.service would NOT work at all.

So, my solution. Use NetworkManager.

I found that we have nmtui and nmcli. The former has a Terminal User Interface (TUI), which makes it friendlier to the average user. The latter is a CLI application, which makes it friendlier for scripting and nerds.

I preferred nmcli; since I like remembering stuff in scripts. So, here is how to do it:

nmcli c add type ethernet ifname eth1 con-name private autoconnect yes save yes ip4 192.168.1.10/24
# "c modify" addresses the connection profile by name (here "private"), not the device
nmcli c modify private ipv4.ignore-auto-routes yes ipv4.ignore-auto-dns yes ipv4.may-fail no

That command will add eth1 with “private” as its friendly name; it will connect on boot and persist in the configuration. We also remove auto routes and auto DNS, and make it fail loudly!

Check out the man page to add more stuff like default routes and stuff.
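The two commands above are not safe to re-run blindly: a second "c add" creates a second profile with the same name. Here is an added example (not code from the original post) that wraps them so the profile is created only when missing, the address is validated first, and "c modify" is pointed at the profile name. It assumes the post's names (profile "private", device eth1) and that nmcli is on PATH; the valid_cidr and conn_exists helpers are this example's own.

```shell
#!/usr/bin/env bash
# Idempotent static-IP profile with nmcli (added example).
set -eu

# valid_cidr ADDR/PREFIX -> 0 if ADDR is dotted-quad IPv4 and PREFIX is 0-32
valid_cidr() {
    local spec="$1" ip prefix o
    case "$spec" in */*) ;; *) return 1 ;; esac
    ip="${spec%/*}"; prefix="${spec#*/}"
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$ip" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    local IFS=.
    set -- $ip
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# conn_exists NAME -> 0 if a NetworkManager profile called NAME already exists
conn_exists() {
    nmcli -g NAME connection show 2>/dev/null | grep -qx "$1"
}

# ensure_static_conn NAME IFNAME ADDR/PREFIX [GATEWAY]
ensure_static_conn() {
    local name="$1" ifname="$2" addr="$3" gw="${4:-}"
    valid_cidr "$addr" || { echo "bad address: $addr" >&2; return 1; }
    if ! conn_exists "$name"; then
        nmcli connection add type ethernet ifname "$ifname" con-name "$name" \
            autoconnect yes save yes ip4 "$addr" ${gw:+gw4 "$gw"}
    fi
    # the profile, not the device, is what "connection modify" addresses;
    # may-fail no makes the interface fail loudly instead of coming up half-configured
    nmcli connection modify "$name" ipv4.method manual \
        ipv4.ignore-auto-routes yes ipv4.ignore-auto-dns yes ipv4.may-fail no
    nmcli connection up "$name"
}

# usage, matching the post:
# ensure_static_conn private eth1 192.168.1.10/24
```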


HowTo: Two different public IPs on a single server

Ok, today, I discovered I am still an idiot.

Yep, I tried to add 2 public networks to one of my CloudSigma servers and one of them didn’t work.

I thought everything was to blame but my configuration (as always). Well, I managed to discover what the problem was and how to correct it.

The problem is that since there is only one default route, packets going through eth1 didn’t know how to go back to where they came from. This is solved by adding a rule and telling the kernel where to look for info on those packets:

How

# first my NIC configuration
## cat /etc/sysconfig/network-scripts/ifcfg-eth0 
DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=dhcp
DEFROUTE=yes

## cat /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=dhcp
DEFROUTE=no

# my routing table
## ip route
111.111.111.0/24 dev eth0  proto kernel  scope link  src 111.111.111.111 
222.222.222.0/23 dev eth1  proto kernel  scope link  src 222.222.222.222 
169.254.0.0/16 dev eth0  scope link  metric 1002 
169.254.0.0/16 dev eth1  scope link  metric 1003 
default via 111.111.111.1 dev eth0 

# look for info on packets coming from network 222.222.222.0/23 on table 1
ip rule add from 222.222.222.0/23 tab 1 priority 500

# append to default gateway telling it to look for info on table 1
ip route add default via 222.222.222.1 dev eth1 tab 1

# flush cache
ip route flush cache

Rationalization

So, eth0 (111.111.111.111) is the default route. It is declared in ifcfg-eth0. If I do not declare DEFROUTE=no on eth1, then, the last NIC to become available becomes the default route. So, I specify which is the default so I can add rules later.

Then, there is eth1 (222.222.222.222), which is a completely different network. We add the rule needed for its traffic to be looked up in its own table, and we add a default route to that table.

This works ipso facto. I don’t know if it will survive a reboot, but, hey, I know my readers will tell me if it does or not.
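On the reboot question: the ip commands above are not persistent by themselves, but the legacy network service's ifup-routes reads per-interface route-IFACE and rule-IFACE files under /etc/sysconfig/network-scripts and replays them at ifup. Here is an added example (not code from the original post) that writes the post's rule and route into those files without duplicating them, and optionally applies them immediately. NETSCRIPTS_DIR and RT_TABLES are this example's own overrides so it can be exercised against a scratch directory; whether NetworkManager's ifcfg-rh plugin honors the rule- file on a given version is an assumption to check, since the ifcfg files above have NM_CONTROLLED=yes.

```shell
#!/usr/bin/env bash
# Persist a second-gateway policy route (added example; the *_DIR/RT_TABLES overrides are assumptions).
set -eu
NETSCRIPTS_DIR="${NETSCRIPTS_DIR:-/etc/sysconfig/network-scripts}"
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"

# add_policy_route IFACE NETWORK/PREFIX GATEWAY TABLE [PRIORITY]
# writes one default route into route-IFACE and one source rule into rule-IFACE
add_policy_route() {
    local iface="$1" net="$2" gw="$3" table="$4" prio="${5:-500}"
    local route_file="$NETSCRIPTS_DIR/route-$iface" rule_file="$NETSCRIPTS_DIR/rule-$iface"
    mkdir -p "$NETSCRIPTS_DIR"
    # default route for the extra table (ip-command format, one line per route)
    if ! grep -qsF "default via $gw dev $iface table $table" "$route_file"; then
        printf 'default via %s dev %s table %s\n' "$gw" "$iface" "$table" >> "$route_file"
    fi
    # replies sourced from the second network consult that table
    if ! grep -qsF "from $net table $table" "$rule_file"; then
        printf 'from %s table %s priority %s\n' "$net" "$table" "$prio" >> "$rule_file"
    fi
}

# name_table NUMBER NAME -> registers a readable alias for the table number
name_table() {
    local num="$1" name="$2"
    mkdir -p "$(dirname "$RT_TABLES")"
    grep -qsE "^$num[[:space:]]+$name\$" "$RT_TABLES" || printf '%s\t%s\n' "$num" "$name" >> "$RT_TABLES"
}

# apply_now IFACE NETWORK/PREFIX GATEWAY TABLE [PRIORITY]
# same effect right away, mirroring the post's ip commands; needs root
apply_now() {
    local iface="$1" net="$2" gw="$3" table="$4" prio="${5:-500}"
    ip rule show | grep -qF "from $net lookup $table" || ip rule add from "$net" table "$table" priority "$prio"
    ip route replace default via "$gw" dev "$iface" table "$table"
    ip route flush cache
}

# show_policy_files IFACE -> prints what ifup will replay for IFACE
show_policy_files() {
    cat "$NETSCRIPTS_DIR/route-$1" "$NETSCRIPTS_DIR/rule-$1" 2>/dev/null
}

# usage, with the post's addresses:
# add_policy_route eth1 222.222.222.0/23 222.222.222.1 1
# apply_now eth1 222.222.222.0/23 222.222.222.1 1
```

After a reboot, "ip rule show" and "ip route show table 1" should show the same two entries the post adds by hand.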


HowTo: Wait for any process to finish on Bash

Well, here’s a quick one.

Let’s say you’re creating a KVM/Qemu guest; using oz-install; and you’re tired, ’cause it’s 06:31 and you need some sleep.

You don’t want to wait the 2k seconds it takes to do all the work, so you want to set up a bash script that waits for the process and then shuts down your computer.

Here’s how:

Procedure

    # become root
    su -

    # wait for oz-install to end and poweroff
    while pgrep oz-install &> /dev/null; do echo "it's running..."; sleep 5; done; poweroff
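The loop above works because oz-install is not a child of the shell, so the builtin "wait" cannot be used and polling is the only option. Here is an added example (not code from the original post) that generalizes it: a poll loop with a timeout, usable either by PID or by process name, so a stuck build does not leave the machine polling forever. The function names are this example's own.

```shell
#!/usr/bin/env bash
# Wait for a non-child process to exit, with optional timeout (added example).

# wait_until_gone TIMEOUT INTERVAL CMD [ARGS...]
# Polls until "CMD ARGS" fails (meaning the thing we watch is gone).
# Returns 0 when it is gone, 1 if TIMEOUT seconds elapse first (0 = no limit).
wait_until_gone() {
    local timeout="$1" interval="$2" waited=0
    shift 2
    while "$@" 2>/dev/null; do
        if [ "$timeout" -gt 0 ] && [ "$waited" -ge "$timeout" ]; then
            return 1
        fi
        sleep "$interval"
        waited=$(( waited + interval ))
    done
    return 0
}

# proc_running NAME -> 0 if a process with exactly that name exists
proc_running() {
    pgrep -x "$1" > /dev/null
}

# wait_for_pid PID [TIMEOUT] [INTERVAL]   -- kill -0 only checks existence, it sends no signal
wait_for_pid() {
    wait_until_gone "${2:-0}" "${3:-5}" kill -0 "$1"
}

# wait_for_name NAME [TIMEOUT] [INTERVAL]
wait_for_name() {
    wait_until_gone "${2:-0}" "${3:-5}" proc_running "$1"
}

# usage, matching the post (run as root): wait up to 3 hours, then power off;
# the "||" branch means a timeout leaves the machine up for inspection instead.
# wait_for_name oz-install 10800 5 && poweroff || echo "oz-install still running after timeout" >&2
```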

HowTo: Build and Use Fedora 20 for/on Google Cloud

So, in my last post, I promised to post these instructions. As if I ever kept secrets from you! ¬_¬

Update: Please, visit my repo where you can find the updated code: https://github.com/renich/gce-images

So, here’s the magic:

Initialize (last post)

This takes care of setup. Read and follow the instructions carefully. Obviously, you need to take care of billing settings and such when you create the account. In fact, you probably need to create the account before logging in. Let’s see how it goes if you haven’t. Let me know in the comments.

# setup google cloud sdk
curl https://sdk.cloud.google.com | bash

# activate google cloud in current shell
source ~/.bash_profile

# login
gcloud auth login --no-launch-browser

# activate it
source ~/.bash_profile

setup script (unfinished)

This one is needed by virt-builder in order to edit the distro according to Google’s recommendations. It is not finished yet. It just works. I will update this part as soon as I’m finished.

#!/usr/bin/env bash

# WARNING!
# Please, do not run this script on its own. It can destroy some of your configuration.
# This script is a setup script for the guest we're creating.

# hosts
cat << 'EOF' > /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
169.254.169.254 metadata.google.internal metadata
EOF

# networking
rm -fr /etc/sysconfig/networking
rm -f /etc/udev/rules.d/70-persistent-net.rules
# rm -f /etc/hostname

cat << 'EOF' > /etc/sysconfig/network-scripts/ifcfg-eth0
TYPE=Ethernet
DEVICE="eth0"
NAME="eth0"
ONBOOT="yes"
BOOTPROTO="dhcp"
IPV4_FAILURE_FATAL="yes"
DEFROUTE="yes"
MTU="1460"
DNS1="208.67.222.222"
DNS2="8.8.8.8"
EOF

# ntp
sed -ri '/^server [1-3]\.fedora.*$/d' /etc/ntp.conf
sed -ri 's@^server 0\.fedora.*$@server metadata.google.internal iburst@' /etc/ntp.conf

# disable firewall
systemctl disable firewalld.service
systemctl disable iptables.service

# yum updates
sed -ri 's@apply_updates = no@apply_updates = yes@' /etc/yum/yum-cron.conf

# ssh config
## delete the keys
rm /etc/ssh/ssh_host_key
rm /etc/ssh/ssh_host_rsa_key*
rm /etc/ssh/ssh_host_dsa_key*
rm /etc/ssh/ssh_host_ecdsa_key*

## patch sshd_config
patch /etc/ssh/sshd_config < <( cat << 'EOF'
18,19c18,19
< #AddressFamily any
< #ListenAddress 0.0.0.0
---
> AddressFamily inet
> ListenAddress 0.0.0.0
48c48
< #PermitRootLogin yes
---
> PermitRootLogin without-password
78c78
< PasswordAuthentication yes
---
> PasswordAuthentication yes
114c114
< #AllowTcpForwarding yes
---
> AllowTcpForwarding no
127c127
< #ClientAliveInterval 0
---
> ClientAliveInterval 420
133c133
< #PermitTunnel no
---
> PermitTunnel no
EOF
)
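Review bot: the 78c78 hunk is a no-op: its old and new lines both read `PasswordAuthentication yes`, so the patch leaves password logins enabled; if the intent is to disable them (consistent with the `PermitRootLogin without-password` line above), the replacement line should read `PasswordAuthentication no`. Note also that every hunk is keyed to line numbers in one particular sshd_config, so patch will reject the whole set on an image whose file differs even slightly; a `sed` keyed on the option names would survive that.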

## lock root
# usermod -L root

# kernel
## remove symbol table
rm -f /boot/System.map*

## configuration
### strongly recommended
cat << 'EOF' > /etc/sysctl.d/11-google-strongly_recommended.conf
# Google-recommended kernel parameters

# Reboot the machine soon after a kernel panic.
kernel.panic=10

# Addresses of mmap base, heap, stack and VDSO page are randomized.
kernel.randomize_va_space=2

# Ignore ICMP redirects from non-GW hosts
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.secure_redirects=1
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.default.secure_redirects=1

# Ignore source-routed packets
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0

# Log spoofed, source-routed, and redirect packets
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1

# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks.
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1

# Don't pass traffic between networks or act as a router
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.ip_forward=0

# Ignore ICMP broadcasts to avoid participating in Smurf attacks
net.ipv4.icmp_echo_ignore_broadcasts=1

# Ignore bad ICMP errors
net.ipv4.icmp_ignore_bogus_error_responses=1

# RFC 1337 fix
net.ipv4.tcp_rfc1337=1

# Turn on SYN-flood protections.  Starting with 2.6.26, there is no loss
# of TCP functionality/features under normal conditions.  When flood
# protections kick in under high unanswered-SYN load, the system
# should remain more stable, with a trade off of some loss of TCP
# functionality/features (e.g. TCP Window scaling).
net.ipv4.tcp_syncookies=1
EOF

cat << 'EOF' > /etc/sysctl.d/12-google-recommended.conf
# provides protection from ToCToU races
fs.protected_hardlinks=1

# provides protection from ToCToU races
fs.protected_symlinks=1

# makes locating kernel addresses more difficult
kernel.kptr_restrict=1

# set ptrace protections
kernel.yama.ptrace_scope=1

# set perf only available to root
kernel.perf_event_paranoid=2
EOF

# google things
# todo:
#   * google-daemon depends on syslog.service; which does not exist in fedora

exit 0

Name this one “setup”. The build commands should be able to access the setup script.
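Because the setup script runs at first boot with nobody watching, it is worth checking afterwards that the sysctl files it drops in actually took effect (a typo in a key, or a later file in /etc/sysctl.d overriding one, fails silently). Here is an added example (not code from the original post) that parses a sysctl.d file like the two above and reports every key whose live value differs from what the file asks for. The reader command is pluggable (default: sysctl -n) so the parser can be exercised without root; that knob and the function names are this example's own.

```shell
#!/usr/bin/env bash
# Audit live kernel parameters against a sysctl.d file (added example).

# sysctl_expected FILE -> prints "key value" for every non-comment, non-blank line
sysctl_expected() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$1" | awk -F= 'NF == 2 { print $1, $2 }'
}

# sysctl_audit FILE [READER...]
# READER is run as "READER key" and must print the live value (default: sysctl -n).
# Prints one "key expected actual" line per mismatch; returns 1 if any, 0 if all match.
sysctl_audit() {
    local file="$1" key want have rc=0 tmp
    shift
    [ $# -gt 0 ] || set -- sysctl -n
    tmp=$(mktemp)
    sysctl_expected "$file" > "$tmp"
    while read -r key want; do
        have=$("$@" "$key" 2>/dev/null) || have='<unset>'
        if [ "$have" != "$want" ]; then
            printf '%s %s %s\n' "$key" "$want" "$have"
            rc=1
        fi
    done < "$tmp"
    rm -f "$tmp"
    return $rc
}

# usage on the built guest, after first boot:
# for f in /etc/sysctl.d/11-google-strongly_recommended.conf /etc/sysctl.d/12-google-recommended.conf; do
#     sysctl_audit "$f" || echo "hardening drift in $f" >&2
# done
```

A key reported as "<unset>" usually means the kernel on the image does not provide it at all (kernel.yama.ptrace_scope without the Yama LSM, for instance), which is a different problem from a value that was overridden.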

build

Ok, this one takes care of building stuff. We will use the mighty virt-builder; from libguestfs-tools-c; by Mr. Richard WM Jones!

By the way, analyze and change accordingly. Do NOT copy/paste it. Understand it first, change it and use it.

#!/usr/bin/env bash

date=$( date +%Y%m%d%H%M%S )
project='evalinux-test'

# f1-micro
# g1-small
# n1-highcpu-2
# n1-highcpu-4
# n1-highcpu-8
# n1-highcpu-16
# n1-highmem-2
# n1-highmem-4
# n1-highmem-8
# n1-highmem-16
# n1-standard-1
# n1-standard-2
# n1-standard-4
# n1-standard-8
# n1-standard-16
machine_type='n1-highcpu-8'

# asia-east1-a
# asia-east1-b
# europe-west1-a
# europe-west1-b
# us-central1-a
# us-central1-b
zone='us-central1-b'

# virt-builder -l
## centos-6
## cirros-0.3.1
## debian-6
## debian-7
## fedora-18
## fedora-19
## fedora-20
## rhel-7rc
## scientificlinux-6
## ubuntu-10.04
## ubuntu-12.04
## ubuntu-14.04
os='fedora-20'

# Your Google Storage
gs='fedora-images'


function ask_continue
{
    # skip for now
    return
    shopt -s extglob

    echo -n 'Do you want to continue?: '
    read answer

    if [[ "${answer,,}" != @(yes|y|yep|sure|aha|yeah|yea) ]]; then
        exit 0;
    fi
}


# build image
echo 'building...'
virt-builder \
    --format raw \
    --size 10G \
    --timezone Etc/UTC \
    --password-crypto sha512 \
    --root-password password:fedoraadminpass \   # placeholder; a fixed root password in a shared script or image is a real risk, change it (or use file:/random)
    --install "irqbalance,openssh-server,openssh-clients,rsync,git,ntp,python,yum-plugin-fastestmirror,yum-plugin-merge-conf,yum-plugin-remove-with-leaves" \
    --install "yum-cron-daily,yum-utils" \
    --firstboot setup \
    --update \
    --selinux-relabel \
    -o disk.raw \
    ${os}

echo
echo 'done building. Next: compress'
ask_continue

# compress
echo 'compressing...'
tar -Szcf ${date}-image.${os}.tar.gz disk.raw

echo
echo 'done compressing. Next: upload'
ask_continue

# upload
echo 'uploading...'
gsutil cp ./${date}-image.${os}.tar.gz gs://${gs}

echo
echo 'done uploading. Next: add image'
ask_continue

# add test image
echo 'adding image...'
gcutil --project=${project} addimage ${os}-v${date} gs://${gs}/${date}-image.${os}.tar.gz

echo
echo 'done adding image. Next: create instance'
ask_continue

# create test instance
gcutil --project=${project} addinstance \
    --image=${os}-v${date} \
    --machine_type=${machine_type} \
    --zone=${zone} \
    ${os}-v${date}-test

echo 'done creating instance.'

exit 0

This sample script will generate an 8 CPU, ~8 GB RAM, 10 GB HDD instance @ USA. Tweak it if you need something else.

Alternatives