Category Archives: Linux

My wireguard cheatsheet

I always search for this so I will write it down here.

Client

cd /etc/wireguard
wg genkey | tee privatekey | wg pubkey > publickey
vi wg0.conf

[Interface]
PrivateKey = <contents of privatekey>
Address = 10.9.0.X/24

[Peer]
PublicKey = dg1cKCId81d6h5cWUQ61BMHksBbi0FdFnitjxDuOuno=
Endpoint = vpn.danman.eu:51820
AllowedIPs = 10.9.0.0/24
PersistentKeepalive = 25

wg-quick up /etc/wireguard/wg0.conf
systemctl enable wg-quick@wg0.service
systemctl edit wg-quick@wg0.service

[Service]
Restart=on-failure
RestartSec=5s
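The client steps above, as an added example that is not part of the original cheatsheet: a small script that fills the wg0.conf template from the privatekey file written by wg genkey, creates it with umask 077 so the private key is not world-readable, and a check that refuses a config whose PrivateKey line was left empty. Directory, address and key strings in the test are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original cheatsheet: render the client
# wg0.conf template from DIR/privatekey (as produced by `wg genkey | tee
# privatekey`) and verify the result is only readable by its owner.

# render_wg_client_conf DIR ADDRESS SERVER_PUBKEY ENDPOINT
# Writes DIR/wg0.conf; returns 1 if DIR/privatekey is missing or empty.
render_wg_client_conf() {
    dir=$1; address=$2; server_pub=$3; endpoint=$4
    [ -s "$dir/privatekey" ] || { echo "missing $dir/privatekey" >&2; return 1; }
    # umask 077 makes the file holding the private key mode 0600 regardless
    # of the caller's default umask (the usual 022 would leave it readable by all).
    old_umask=$(umask)
    umask 077
    cat > "$dir/wg0.conf" <<EOF
[Interface]
PrivateKey = $(cat "$dir/privatekey")
Address = $address

[Peer]
PublicKey = $server_pub
Endpoint = $endpoint
AllowedIPs = 10.9.0.0/24
PersistentKeepalive = 25
EOF
    umask "$old_umask"
}

# check_wg_conf FILE
# Succeeds only if FILE is mode 0600 and its PrivateKey line carries a
# base64 key (the template as copied from the cheatsheet leaves it empty).
check_wg_conf() {
    f=$1
    [ -n "$(find "$f" -perm 600 -print)" ] \
        || { echo "$f: not mode 0600" >&2; return 1; }
    grep -Eq '^PrivateKey = [A-Za-z0-9+/]{43}=$' "$f" \
        || { echo "$f: PrivateKey missing or malformed" >&2; return 1; }
}
```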

Server

systemctl stop wg-quick@wg0.service
vi /etc/wireguard/wg0.conf
systemctl start wg-quick@wg0.service

Reload

wg syncconf wg0 <(wg-quick strip wg0)

OpenShift 4: Automatic LDAP group synchronization

If you need to use LDAP for authentication in OpenShift 4, the documentation is pretty clear and everything works nicely [1].

But if you need to grant privileges based on LDAP groups [2], the situation gets complicated.
The synchronization from [2] works OK, but you need to run it manually. I was searching for an automated solution and found a definition [3] that works for OpenShift 3.x, so I updated it to work with OpenShift 4; here it is [4]:


Enable system site packages in virtualenv

I started using virtualenv for all Python apps I run (because I hate making a mess with pip in the system site-packages). Later I found out that some dependencies cannot be installed via pip but are included in standard system packages installed via apt or yum. To use these imports inside your venv, you need to pass the --system-site-packages option when creating the venv. If you only find out later that you really need them, you can enable them by deleting the following file:
your_venv_dir/lib/pythonXXX/no-global-site-packages.txt

Happy pythoning!

Source: https://virtualenv.pypa.io/en/latest/userguide/#the-system-site-packages-option

Automatic letsencrypt wildcard cert renewal with nsupdate

I'm using a wildcard cert from Let's Encrypt. Currently there is only one way to verify that you control the domain you are requesting the cert for: creating a TXT record in that domain. You can do this by hand when certbot asks for it, but you don't want to do that every 90 days. If you run your own DNS servers with PowerDNS like me, there is an elegant solution: RFC 2136. It lets you update your zones without writing config files or restarting anything.
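As an added example (not the post's own script): a certbot manual auth/cleanup hook that publishes the DNS-01 validation token as the _acme-challenge TXT record through RFC 2136 with nsupdate. It assumes a TSIG key file at /etc/letsencrypt/nsupdate.key, an NS_SERVER that accepts dynamic updates (the PowerDNS primary), and the CERTBOT_DOMAIN / CERTBOT_VALIDATION variables certbot exports to hooks; none of these names come from the post.

```shell
#!/bin/sh
# Added example, not the post's own script: certbot DNS-01 hook that adds or
# deletes the _acme-challenge TXT record over RFC 2136 using nsupdate.
# Assumed settings (not from the post): NS_SERVER and the TSIG key file.
NS_SERVER=${NS_SERVER:-127.0.0.1}
KEY_FILE=${KEY_FILE:-/etc/letsencrypt/nsupdate.key}

# build_update ACTION DOMAIN TOKEN
# Prints the nsupdate batch that adds or deletes the _acme-challenge record.
build_update() {
    action=$1; domain=$2; token=$3
    case "$action" in
        add|delete) ;;
        *) echo "build_update: action must be add or delete" >&2; return 1 ;;
    esac
    # certbot validation tokens are base64url; anything else (quotes, spaces,
    # newlines) could alter the update batch and is refused, not interpolated.
    case "$token" in
        ''|*[!A-Za-z0-9_-]*) echo "build_update: unexpected token" >&2; return 1 ;;
    esac
    case "$domain" in
        ''|*[!A-Za-z0-9.-]*) echo "build_update: unexpected domain" >&2; return 1 ;;
    esac
    printf 'server %s\n' "$NS_SERVER"
    printf 'update %s _acme-challenge.%s. 60 IN TXT "%s"\n' "$action" "$domain" "$token"
    printf 'send\n'
}

# Invoked by certbot as
#   --manual-auth-hook "/path/to/hook.sh add" --manual-cleanup-hook "/path/to/hook.sh delete"
# The wildcard name *.example.com is validated on example.com itself, which is
# what certbot passes in CERTBOT_DOMAIN.
if [ -n "$CERTBOT_DOMAIN" ]; then
    build_update "${1:-add}" "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" | nsupdate -k "$KEY_FILE"
fi
```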


My git cheatsheet

Show git log as tree

$ git log --oneline --graph --decorate --all
| * 0255f78c (HEAD -> qmtech, my/qmtech) added support for qm_xc6slx16_sdram board
| * dae037cf (my/spisingle, spisingle) added spi 1-bit mode, code from litex
|/
* 1325aff6 (origin/master, origin/HEAD, master) correctly use result of Record.connect in Converter (#81)

Rebasing

git rebase --onto <where-to> <where-from> <what>
$ git rebase --onto master spisingle qmtech
First, rewinding head to replay your work on top of it...
Applying: added support for qm_xc6slx16_sdram board

$ git log --oneline --graph --decorate --all
* 37d2eff0 (HEAD -> qmtech) added support for qm_xc6slx16_sdram board
| * 0255f78c (my/qmtech) added support for qm_xc6slx16_sdram board
| * dae037cf (my/spisingle, spisingle) added spi 1-bit mode, code from litex
|/
* 1325aff6 (origin/master, origin/HEAD, master) correctly use result of Record.connect in Converter (#81)

Push changed branch

$ git push my qmtech -f
Counting objects: 7, done.
Delta compression using up to 12 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 1.86 KiB | 1.86 MiB/s, done.
Total 7 (delta 5), reused 0 (delta 0)
remote: Resolving deltas: 100% (5/5), completed with 5 local objects.
To https://github.com/danielkucera/misoc.git
+ 0255f78c...37d2eff0 qmtech -> qmtech (forced update)

$ git log --oneline --graph --decorate --all
* 37d2eff0 (HEAD -> qmtech, my/qmtech) added support for qm_xc6slx16_sdram board
| * dae037cf (my/spisingle, spisingle) added spi 1-bit mode, code from litex
|/
* 1325aff6 (origin/master, origin/HEAD, master) correctly use result of Record.connect in Converter (#81)

Set default github username

$ git config --global credential.https://github.com.username danielkucera

Squash commits

git rebase -i <after-this-commit>

replace “pick” on the second and subsequent commits with “squash” or “fixup”

Ignore line endings

git config --global core.autocrlf true

Getting root access on ZyXEL VMG1312-B30B

Nothing special, just use the undocumented command sh and you are in (I found it by mistake):

danman@silverhorse:~$ nmap 10.0.0.138

Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-26 22:54 CEST
Nmap scan report for 10.0.0.138
Host is up (0.013s latency).
Not shown: 996 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
23/tcp open  telnet
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 3.14 seconds
danman@silverhorse:~$ telnet 10.0.0.138
Trying 10.0.0.138...
Connected to 10.0.0.138.
Escape character is '^]'.
ZyXEL VDSL Router
Login: admin
Password: admin
 > help
?
help
logout
exit
quit
reboot
adsl
xdslctl
xtm
brctl
cat
loglevel
logdest
virtualserver
ddns
df
dumpcfg
dumpmdm
meminfo
psp
kill
dumpsysinfo
dnsproxy
syslog
echo
ifconfig
ping
ps
pwd
sntp
snmp
sysinfo
tftp
wlctl
arp
defaultgateway
dhcpserver
dhcpcondserv
dns
lan
lanhosts
passwd
ppp
restoredefault
route
save
swversion
uptime
cfgupdate
swupdate
exitOnIdle
wan
rip
igmp
wlan
telnetd
natp
sysstate
sipalgctl
celld
autoexec
fileShare
igmp
btt
ledctl
 > sh
shell Password: admin
~ # ls
bin         etc         linuxrc     proc        tmp         vmlinux.lz
data        firmware    mnt         sbin        usr         webs
dev         lib         opt         sys         var
