Linux

GPG high CPU usage

Today I had a very high CPU usage while using GPG.

I found the answer inside the following ticket https://dev.gnupg.org/T3972

The high CPU usage was caused by a process like this

/usr/bin/gpg --charset utf-8 --display-charset utf-8 --no-auto-check-trustdb --batch --no-tty --status-fd 2 --with-fingerprint --fixed-list-mode --with-colons --list-secret-keys *****

The reason is a huge key in ~/.gnupg/pubring.gpg. Mine was 37MB!!!

Thanks to “dkg”, who published the following awk script:

< ${GNUPGHOME:-~/.gnupg}/pubring.gpg gpg --list-packets | awk -F= -v oldoff=-1 -v keyid=unset '
/^# off=/{ off = $2 + 0 }
/^:public key/{
  if (oldoff>-1) { print (off - oldoff) " " keyid };
  oldoff = off; keyid = "unset";
}
/keyid:/ {if (keyid == "unset") { keyid = $1; } }
END { print (off - oldoff) " " keyid ; };' | sort -n

This is what I got:

36117 keyid: 6986401191B2164B
37146 keyid: 6BC26A17B9B7018A
51387 keyid: 702353E0F7E48EDB
53777 keyid: 3804BB82D39DC0E3
84346 keyid: 38DBBDC86092693E
94924 keyid: 79BE3E4300411886
902529 keyid: 2F3898CEDEE958CF
16676203 keyid: DB1187B9DD5F693B
20237699 keyid: 4E2C6E8793298290

The last lines are the problematic ones; they show that those keys are huge. It’s time to wipe them out of the keyring:

gpg --delete-key DB1187B9DD5F693B

After deleting the two broken keys the file size was reduced to 590K and GPG works like a charm.

Nautilus stopped mounting USB disk

Weeks ago Nautilus stopped mounting USB devices/disks when they are plugged in.

Here is the solution 🙂

Environment:

  • Arch Linux (8.2.2019)
  • Gnome (3.30.2)
  • Nautilus (3.30.5)

Solution:

  1. Open dconf and navigate to “org.gnome.desktop.media-handling”
  2. Set ‘x-content/unix-software’ for “autorun-x-content-start-app” or set it to the default value

Matomo and the GDPR

The following settings must be adjusted in Matomo (formerly Piwik) to be GDPR-compliant.

1. Anonymize IP addresses

  • Log in as administrator
  • In the settings, select “Anonymize data”
  • Adjust the settings as shown in the screenshot

  • IMPORTANT: Old data must be anonymized. The required tool can be found a little further down on the same page

2. The privacy iFrame must be embedded on the respective pages

  • Log in as administrator
  • In the settings, select “Users opt-out” and embed the corresponding iFrame in your website

More information can be found at https://matomo.org/docs/privacy/

Gnome 3: Missing ownCloud-client tray icon

If you use Gnome 3 under Arch Linux with the ownCloud client, you will see no tray icon by default.

Here are the steps to get the tray icon shown in the screenshot:

  • Install gnome-tweaks

yaourt gnome-tweaks

  • Install the Appindicator extension

yaourt gnome-shell-extension-appindicator

  • Open gnome tweaks and enable the extension

  • Restart ownCloud-client or login and logout

Use HP iLO2 Remote Console with Linux in 2018

Today I had to reinstall an old HP ProLiant 350 G5, which uses Integrated Lights-Out 2 (iLO2). For the reinstallation I needed the Remote Console, which runs as a Java applet. A long time ago Firefox dropped support for NPAPI, so Java applets no longer work (Official statement). Here is my solution for using Java applets.

Environment:
  • OS: Arch Linux
  • Browser: Firefox ESR
  • Java: JRE7
  • HP ProLiant ML350 G5 with iLO2

Install Firefox ESR

yaourt firefox-esr
Choose version: aur/firefox-esr-bin 52.6.0-1

Install JRE7

yaourt jre7
Choose version: aur/jre7 7u80-1

Configure JRE7 for Firefox

cd /usr/lib/mozilla/plugins
sudo rm libnpjp*
sudo ln -s /usr/lib/jvm/java-7-jre/jre/lib/amd64/libnpjp2.so

Add the iLO2 to the security exceptions

  1. Start the Java Control Panel: /usr/lib/jvm/java-7-jre/jre/bin/ControlPanel
  2. Add the URL to the exception list

Open iLO2

  1. Open Firefox-ESR
  2. Open about:addons
  3. Verify if the plugin is listed
  4. Open the iLO page and start the remote console
Finally you should get a screen like this

Gnome: Start ownCloud Desktop Client minimized

Today I solved the annoying behaviour of the ownCloud Desktop Client not starting minimized under Gnome at login.

System: Arch Linux
Gnome: 3.26.2
ownCloud Desktop Client: 2.4.0

1. Create a helper script

touch ~/scripts/start_owncloud_minimized.sh
chmod u+x ~/scripts/start_owncloud_minimized.sh
vim ~/scripts/start_owncloud_minimized.sh

Content of start_owncloud_minimized.sh:

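#!/bin/bash
# Seconds to wait for the ownCloud window to appear
FULLSCREEN_TIMEOUT=5
WINDOW_NAME="ownCloud"

owncloud &

sleep "$FULLSCREEN_TIMEOUT"
# Collect the IDs of all windows whose title matches, then dismiss each one with Escape
wmid=$(wmctrl -l | grep "$WINDOW_NAME" | cut -f 1 -d " ")
for i in $wmid; do
    xdotool windowfocus "$i"; xdotool key "Escape"
done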

2. Create the startup routine

vim ~/.config/autostart/ownCloud.desktop

Content of ownCloud.desktop:

IMPORTANT: Set your home folder in “Exec” line.

[Desktop Entry]
Name=ownCloud
GenericName=File Synchronizer
Exec=/home/username/scripts/start_owncloud_minimized.sh
Terminal=false
Icon=owncloud
Categories=Network
Type=Application
StartupNotify=false
X-GNOME-Autostart-enabled=true

3. Done

Log in again and watch the ownCloud Desktop Client magically disappear into the background.

UniFi Security Gateway: Add an additional public IP with NAT

The UniFi Controller has no UI configuration to assign an additional IP to the UniFi Security Gateway (USG). Hopefully this will be added by Ubiquiti in the future.

Date: 25.12.2017
Controller Version: 5.6.26
Firmware: 4.4.12.5032482

After many hours of reading and trial and error I was able to solve this task. This guide is aimed at people who know networking basics, so I will not cover technical explanations.

UPDATE: Important: put only the values for the second IP inside config.gateway.json; settings such as Port Forwarding for the first IP have to be configured in the web interface.

Attention: After following this guide you will see the first IP inside the USG Overview/Details pane and the second IP inside the Config pane in the web interface. This looks like a bug in the UniFi Controller, which can be ignored.

Goal:

NAT Public IP 10.0.0.2 on Port 80/TCP to internal server 192.168.0.2 on Port 8080/TCP.

Solution:

Overview:

  1. Test if the Port is closed
  2. Add the additional IP to the gateway
  3. Create a DNAT rule from WAN to LAN
  4. Create a SNAT rule from LAN to WAN
  5. Create a Firewall rule to allow traffic from WAN to LAN
  6. Apply changes
  7. Test if the Port is now open

NOTE: You can also add this with CLI commands but it will not persist after changes made from the Web-Interface.

Step 1

Test with NMAP from WAN/Internet

nmap -n -Pn -p 80 10.0.0.2

If this Port is open you should check your network setup because something is responding to 80/TCP and the next steps will potentially lead to undesired results.

Step 2-4

We need to create or append to config.gateway.json inside the UniFi Controller. Place this file inside the site configuration, e.g. for the default site put the file inside “data/sites/default”.

Content of config.gateway.json:

{
    "interfaces": {
        "ethernet": {
            "eth0": {
                "address": [
                    "10.0.0.1/29",
                    "10.0.0.2/29"
                ],
                "firewall": {
                    "in": {
                        "name": "WAN_IN"
                    },   
                    "local": {
                        "name": "WAN_LOCAL"
                    },   
                    "out": {
                        "name": "WAN_OUT"
                    }
                }
            }
        }
    },
    "service": {
        "nat": {
            "rule": {
                "3000": {
                    "description": "DNAT 10.0.0.2 TCP/8080 to 192.168.0.2",
                    "destination": {
                        "address": "10.0.0.2",
                        "port": "80"
                    },   
                    "inbound-interface": "eth0",
                    "inside-address": {
                        "address": "192.168.0.2",
                        "port": "8080"
                    },   
                    "log": "enable",
                    "protocol": "tcp",
                    "type": "destination"
                },
                "5000": {
                    "description": "SNAT 192.168.0.2 TCP/8080 to 10.0.0.2",
                    "log": "enable",
                    "outbound-interface": "eth0",
                    "outside-address": {
                        "address": "10.0.0.2",
                        "port": "80"
                    },   
                    "protocol": "tcp",
                    "source": {
                        "address": "192.168.0.2",
                        "port": "8080"
                    },   
                    "type": "source"
                }
            }
        }
    },
    "firewall": {
        "name": {
            "WAN_IN": {
                "default-action": "drop",
                "rule": {
                    "1000": {
                        "action": "accept",
                        "description": "NAT 10.0.0.2 TCP/8080 to 192.168.0.2",
                        "destination": {
                            "address": "192.168.0.2",
                            "port": "8080"
                        },
                        "log": "enable",
                        "protocol": "tcp"
                    }
                }
            }
        }
    }
}
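
Added example, not part of the original guide: a check to run on config.gateway.json before forcing provisioning, written in Python. It reports JSON syntax errors and verifies that every destination NAT rule uses an address configured on an interface and has a matching WAN_IN accept rule. The function name and the compact SAMPLE are constructed for illustration, using the addresses from this guide.

```python
import ipaddress
import json

def check_gateway_config(text):
    """Return a list of problems found in the text of a config.gateway.json."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        # Strict JSON: even one trailing comma makes the whole file unparseable.
        return [f"invalid JSON at line {exc.lineno}: {exc.msg}"]
    problems = []
    # Addresses configured on the gateway's interfaces.
    local = set()
    for iface in cfg.get("interfaces", {}).get("ethernet", {}).values():
        for addr in iface.get("address", []):
            if addr != "dhcp":  # assumption: non-static entries are skipped
                local.add(str(ipaddress.ip_interface(addr).ip))
    # (address, port, protocol) triples that the WAN_IN ruleset accepts.
    rules = cfg.get("firewall", {}).get("name", {}).get("WAN_IN", {}).get("rule", {})
    allowed = set()
    for num, rule in rules.items():
        dst = rule.get("destination", {})
        if rule.get("action") == "accept":
            if "address" not in dst or "port" not in dst:
                problems.append(f"WAN_IN rule {num}: accept is not limited to one host and port")
            allowed.add((dst.get("address"), dst.get("port"), rule.get("protocol")))
    # Every DNAT rule needs a local outside address and a matching accept rule.
    for num, rule in cfg.get("service", {}).get("nat", {}).get("rule", {}).items():
        if rule.get("type") != "destination":
            continue
        outside = rule.get("destination", {}).get("address")
        inside = rule.get("inside-address", {})
        target = (inside.get("address"), inside.get("port"), rule.get("protocol"))
        if outside not in local:
            problems.append(f"NAT rule {num}: {outside} is not on any interface")
        if target not in allowed:
            problems.append(f"NAT rule {num}: WAN_IN has no accept rule for {target}")
    return problems

# Constructed sample in compact form, using the addresses from this guide.
SAMPLE = json.dumps({
    "interfaces": {"ethernet": {"eth0": {"address": ["10.0.0.1/29", "10.0.0.2/29"]}}},
    "service": {"nat": {"rule": {"3000": {"type": "destination", "protocol": "tcp",
        "destination": {"address": "10.0.0.2", "port": "80"},
        "inside-address": {"address": "192.168.0.2", "port": "8080"}}}}},
    "firewall": {"name": {"WAN_IN": {"rule": {"1000": {"action": "accept",
        "protocol": "tcp", "destination": {"address": "192.168.0.2", "port": "8080"}}}}}},
})
```

Calling check_gateway_config(open("config.gateway.json").read()) returns an empty list when the file parses and the NAT and firewall rules agree.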

Step 5

Now it’s time to apply these rules to the USG. To do this, log in to your UniFi Controller and force provisioning.

Step 6

Test with NMAP from WAN/Internet

nmap -n -Pn -p 80 10.0.0.2

Install self-signed certificate for curl (and others)

These are the steps to install a self-signed certificate so you can avoid using the “--insecure” switch for curl and other tools which communicate over SSL/TLS.

For me it was necessary to communicate safely over the network with my tool written in Ruby.

Test environment:

  • Server: Debian 7 (Raspberry Pi) with ownCloud 9
  • Client: CentOS 7

HOST=rpi01
PORT=443
FILE=$HOST.pem
# Test first whether you get a certificate error
curl -v -O "https://$HOST/owncloud/remote.php"
# Download the certificate
openssl s_client -showcerts -connect "$HOST:$PORT" </dev/null | openssl x509 -outform PEM > "$FILE"
# Install the certificate into nssdb
certutil -d sql:/etc/pki/nssdb -A -t "P,," -n "$HOST" -i "$FILE"
# Check that the certificate is inside the database
certutil -d sql:/etc/pki/nssdb -L -n "$HOST"
# Download the test file again.
curl -v -O "https://$HOST/owncloud/remote.php"
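
The download step accepts whatever certificate the server presents on that first, unverified connection. The following added example (Python, not part of the original post) performs the same download but writes the PEM file only if its SHA-256 fingerprint matches one obtained out of band, for example read on the server's console. The function names and the sample certificate bytes are constructed.

```python
import base64
import hashlib
import ssl

def sha256_fingerprint(pem_text):
    """SHA-256 of the DER bytes, formatted like `openssl x509 -fingerprint -sha256`."""
    der = ssl.PEM_cert_to_DER_cert(pem_text.strip())
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def matches_pin(pem_text, expected):
    """True only if the certificate matches the fingerprint obtained out of band."""
    def normalise(value):
        return value.replace(":", "").replace(" ", "").upper()
    return normalise(sha256_fingerprint(pem_text)) == normalise(expected)

def save_if_pinned(host, port, expected, path):
    """Fetch the server certificate (unauthenticated) and keep it only if it matches."""
    pem = ssl.get_server_certificate((host, port))
    if not matches_pin(pem, expected):
        raise ValueError(f"{host}: got {sha256_fingerprint(pem)}, which is not the pinned value")
    with open(path, "w") as handle:
        handle.write(pem)
    return path

# Constructed stand-in for a certificate: arbitrary bytes in a PEM wrapper, so the
# fingerprint logic can be exercised offline. A real file comes from the server.
SAMPLE_DER = b"constructed bytes standing in for a DER-encoded certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")
```

Once save_if_pinned has written the file, the certutil -A step from the post can run on it unchanged.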
