For the astute pioneers of experimental system administration and hallucinogenic programming… here is the newest Linux Without Borders. The journal you never signed up for. Which reminds you how broken things are. And which makes sure you don’t get to enjoy the peace and quiet of the formidable ergonomic always responsive Windows Desktop experience! Because Linux on the Desktop is dead. Always.
- Network Manager and OpenVPN auto-connect
- rclone mounts for SSHfs, Dropbox, Google Drive…
- Systemd OpenSSH phone-home - the way of the corkscrew
- Oracle Ksplice Desktop Edition on a Ubuntu 16.04 host with VMware Workstation 14
- VMware Workstation 14 - how do I mount the shared folders using open-vm-tools?
Network Manager and OpenVPN auto-connect
For optimal and encrypted inter-connectivity between multiple endpoints at different locations I use OpenVPN. OpenVPN has clients for Linux, Windows, and mobile phones. It can encapsulate SSH, NX, RDP etc. in order to secure remote (administration) connections and to prevent issues such as man-in-the-middle attacks, credential loss etc…
It also allows transparent networking between various endpoints on different locations. It can simplify things.
On many Linux distributions, including the various flavors from Canonical such as Ubuntu, Kubuntu etc., Network Manager can be extended with VPN plugins. You can get OpenConnect (e.g. for Cisco AnyConnect) and OpenVPN, for example.
If you have an OpenVPN server, using a profile by default is one tick-box away.
Summary: if you like your VMs to phone-home via SSH (next section), OpenVPN can help you to make the other services of the various endpoints in your lab network available in a secure and transparent fashion.
My lab is in various clouds, on laptops and workstations. It’s not a room anywhere, where I can have a dedicated switch.
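The "one tick-box" from the GUI has a command-line equivalent, and before importing a profile it is worth checking that the client will actually authenticate the server, because that is what turns the "prevents man-in-the-middle" claim above into reality. This is an added example, not the author's script: the profile path is an assumption, and the `nmcli connection import` / `nmcli connection modify` subcommands are the standard NetworkManager ones.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): check an .ovpn client profile for
# the settings that make the client verify the server, then import it into
# NetworkManager and enable autoconnect. The profile path is an assumption.
set -u

# Return 0 if the profile verifies the server's certificate, 1 otherwise.
# Without "remote-cert-tls server" any certificate issued by the CA, including
# another client's certificate, would be accepted as the server.
ovpn_profile_ok() {
    local profile=$1 problems=0
    if ! grep -qE '^[[:space:]]*remote-cert-tls[[:space:]]+server' "$profile"; then
        echo "$profile: missing 'remote-cert-tls server'" >&2
        problems=1
    fi
    # The CA may be referenced by file name ("ca ca.crt") or inlined (<ca>...</ca>).
    if ! grep -qE '^[[:space:]]*(ca[[:space:]]|<ca>)' "$profile"; then
        echo "$profile: no CA certificate configured" >&2
        problems=1
    fi
    return "$problems"
}

# Import the profile as a NetworkManager connection and make it autoconnect.
# nmcli names the imported connection after the file name without extension.
# Refuses profiles that fail the check above.
import_ovpn_autoconnect() {
    local profile=$1 name
    name=$(basename "$profile" .ovpn)
    ovpn_profile_ok "$profile" || return 1
    nmcli connection import type openvpn file "$profile" &&
        nmcli connection modify "$name" connection.autoconnect yes
}

# Usage (path is an assumption):
#   import_ovpn_autoconnect "$HOME/lab.ovpn"
```

Source the file and call `import_ovpn_autoconnect` with the profile; a profile that does not pin the server role is rejected with a message on stderr instead of being imported.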
rclone mounts for SSHfs, Dropbox, Google Drive...
rclone is an almost magical utility, written in Go. It’s a self-contained bridge towards many different cloud and remote services.
rclone has a mount option, which uses FUSE (Filesystem in Userspace). That means you can use GNU coreutils etc. and freely move data around, similar to having local files on local disks.
rclone's performance is quite outstanding, and it also offers SSH / SFTP support like SSHfs. I have tested it with Google Drive, Amazon Cloud Drive, Dropbox and SFTP.
I prefix any mount of a remote file-system with remote_… so that I can enumerate these mounts easily.
Check it out:
```
--- ~/scripts » cat gdrive_*
#! /bin/bash
rclone mount --allow-other gdrive_bs:/ ~/remote_gdrive > /dev/null 2>&1 &
#! /bin/bash
rclone mount --allow-other gdrive_wishinet:/ ~/remote_gdrive_wnet > /dev/null 2>&1 &
```
Now to see all these:
```
--- ~/scripts » mount | grep remote
gdrive_bs: on /home/marius/remote_gdrive type fuse.rclone (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000,allow_other)
dbox: on /home/marius/remote_dbox type fuse.rclone (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000,allow_other)
```
Summary: Ok, so dbox (probably Dropbox) and gdrive_bs (probably Google Drive) are mounted. No extra utility is needed. The FUSE mount is “remote only”: I don’t have a local copy.
Let’s say I want to spin up a Docker container, do some magic, and save the magic somewhere…
rclone is the binary I’d drop in to do that.
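The two one-line scripts above generalise easily: iterate over every configured remote, keep the remote_ prefix, and skip anything already mounted. The following is an added example and not the author's script; the function that lists mounts reads `mount` output from stdin so it can be checked on captured output. One caveat the scripts above gloss over: `--allow-other` (which also needs `user_allow_other` in /etc/fuse.conf) makes the mounted cloud data readable by every local user, so here it is opt-in.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): mount every configured rclone
# remote under ~/remote_<name>, skipping remotes that are already mounted, and
# enumerate the rclone FUSE mounts from `mount` output. The remote_ prefix is the
# author's convention; the flags are standard rclone/FUSE options.
set -u

# Mount point for a remote, keeping the author's remote_ prefix.
# $1 is an rclone remote name with its trailing colon, e.g. "gdrive_bs:".
remote_mountpoint() {
    printf '%s/remote_%s\n' "$HOME" "${1%:}"
}

# Read `mount` output on stdin and print "<remote> <mountpoint>" for every
# rclone FUSE mount. `mount` prints: <source> on <target> type <fstype> (<opts>)
list_rclone_mounts() {
    awk '$5 == "fuse.rclone" { print $1, $3 }'
}

# Mount all remotes reported by `rclone listremotes`. Extra arguments are passed
# to `rclone mount`, so --allow-other is only used when you ask for it, because
# it exposes the remote's data to all local users.
mount_all_remotes() {
    local remote mp
    rclone listremotes | while IFS= read -r remote; do
        mp=$(remote_mountpoint "$remote")
        mkdir -p "$mp"
        if mountpoint -q "$mp"; then
            echo "already mounted: $mp" >&2
            continue
        fi
        # Detach like the original scripts; stdin is closed so the daemon never
        # inherits the pipe this loop is reading from.
        rclone mount "$remote/" "$mp" "$@" </dev/null >/dev/null 2>&1 &
    done
}

# Usage:
#   mount_all_remotes                  # private mounts
#   mount | list_rclone_mounts         # enumerate what is mounted
```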
Systemd OpenSSH phone-home - the way of the corkscrew
systemd can do things. Too many. Some well. Others not so well.
Take a look:
The service file:

```
--- ~ » cat /etc/systemd/system/phome.service
[Unit]
Description=Phone Home Reverse SSH Service
ConditionPathExists=|/usr/bin
After=network.target

[Service]
User=localuser
ExecStart=/usr/bin/ssh -NTC -F /home/localuser/.ssh/config -o ServerAliveInterval=60 -o ExitOnForwardFailure=yes -o StrictHostKeyChecking=no -i /home/localuser/.ssh/id_rsa -R 12345:localhost:22 shell
# Restart every >2 seconds to avoid StartLimitInterval failure
RestartSec=3
Restart=always

[Install]
WantedBy=multi-user.target
```
localuser is /me, or preferably you if you copy-paste this. I am assuming you ran ssh-copy-id. Since we are passing the user’s .ssh/config, the host aliases are available.
shell is only reachable via a jump-host. Check it out:
```
--- ~ » sudo systemctl status phome
● phome.service - Phone Home Reverse SSH Service
   Loaded: loaded (/etc/systemd/system/phome.service; disabled; vendor preset: enabled)
   Active: active (running) since Tue 2017-11-28 18:38:29 UTC; 12min ago
 Main PID: 35256 (ssh)
   CGroup: /system.slice/phome.service
           ├─35256 /usr/bin/ssh -NTC -F /home/marius/.ssh/config -o ServerAliveInterval=60 -o ExitOnForwardFailure=yes -o StrictHostKeyChecking=no -i
           └─35257 ssh osroad nc -w 120 192.168.1.2 22

Nov 28 18:38:29 ubuntu systemd: Started Phone Home Reverse SSH Service.
```
Does this look weird? Let’s check out the user’s .ssh/config:

```
--- ~ » grep shell -A 4 -B 1 .ssh/config
Host shell
    HostName 192.168.1.2
    User marius
    ProxyCommand ssh osroad nc -w 120 %h %p
```
Fantastic… so the ProxyCommand uses netcat, and another host alias. Typical. Well, let’s at least use this reverse shell, and take it for a spin. Wherever it goes to…
```
--- ~ » ssh shell
Last login: Tue Nov 28 19:39:23 2017 from 192.168.1.22
[email protected] ~ [19:56:52] > $ ssh -p 12345 [email protected]
```
Summary: this is some sort of corkscrew setup. A phone-home SSH service via a jump host, with OpenSSH host aliases. It works with systemd, and appears to be reliable enough.
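Two settings in the unit above deserve a second look before copy-pasting: StrictHostKeyChecking=no means a swapped jump host or target is accepted silently, and the ProxyCommand needs netcat on the jump host when ssh -W (OpenSSH 5.4 and later) does the same job without it. The reverse forward itself is the safe default: -R 12345:localhost:22 binds to the loopback interface of "shell" unless GatewayPorts is enabled there, so only logins on that box reach the tunnel. The script below is an added example, not the author's unit: it emits a hardened variant of the unit and the ssh_config stanza, and includes a small audit that finds existing units which still run ssh with host-key checking disabled. Unit name, user, host aliases, ports and the key file name are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): hardened variant of the phone-home
# unit and ssh_config stanza, plus an audit for units that still disable host-key
# checking. Paths, aliases, ports and the key name are assumptions.
set -u

# Emit the unit on stdout. $1 = local user, $2 = ssh_config alias of the
# phone-home target, $3 = port for the reverse forward on that target.
phone_home_unit() {
    local user=$1 alias=$2 rport=$3
    cat <<EOF
[Unit]
Description=Phone Home Reverse SSH Service
# Condition on the binary itself rather than on /usr/bin existing.
ConditionPathExists=/usr/bin/ssh
After=network-online.target
Wants=network-online.target

[Service]
User=$user
# StrictHostKeyChecking=yes: jump host and target must already be in the user's
# known_hosts (verify their fingerprints out of band first), so a host swap
# fails loudly instead of being accepted. BatchMode=yes: never block on a prompt.
ExecStart=/usr/bin/ssh -NT \\
    -F /home/$user/.ssh/config \\
    -o BatchMode=yes \\
    -o StrictHostKeyChecking=yes \\
    -o ServerAliveInterval=60 -o ServerAliveCountMax=3 \\
    -o ExitOnForwardFailure=yes \\
    -i /home/$user/.ssh/id_phone_home \\
    -R $rport:localhost:22 $alias
# Restart every >2 seconds to avoid StartLimitInterval failure (as in the original).
RestartSec=3
Restart=always
NoNewPrivileges=yes
PrivateTmp=yes

[Install]
WantedBy=multi-user.target
EOF
}

# Emit the ssh_config stanza. ssh -W replaces "nc -w 120 %h %p": no netcat is
# needed on the jump host and the inner session stays end-to-end encrypted.
# $1 = alias, $2 = target host, $3 = user on target, $4 = jump host alias.
phone_home_ssh_config() {
    local alias=$1 target=$2 user=$3 jump=$4
    cat <<EOF
Host $alias
    HostName $target
    User $user
    ProxyCommand ssh -W %h:%p $jump
    IdentitiesOnly yes
EOF
}

# Audit: print unit files whose ExecStart runs ssh with host-key checking off.
# $@ = unit files to inspect; exits 1 when none match (grep semantics).
find_weak_ssh_units() {
    grep -lE '^ExecStart=.*ssh.*StrictHostKeyChecking(=|[[:space:]]+)no' "$@" 2>/dev/null
}

# Usage (as root, names are assumptions):
#   phone_home_unit localuser shell 12345 > /etc/systemd/system/phome.service
#   phone_home_ssh_config shell 192.168.1.2 marius osroad >> /home/localuser/.ssh/config
#   find_weak_ssh_units /etc/systemd/system/*.service
```

Run the audit over /etc/systemd/system before and after the swap; with the hardened unit installed it prints nothing and exits non-zero, which is the result you want.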
Use Case 1: Linux RDP a la NX with OpenSSH
Since X11-forwarding on Linux is slow and dead, I tend to install NX, and use it via OpenVPN or SSH.
Alternatives may include xpra (which has an HTML5 client), which can be started in conjunction with the OpenSSH phone-home trick.
Let’s play around with xpra:

```
[email protected]_1 % xpra start :77 --no-daemon --xvfb="/usr/bin/Xvfb"
[email protected]_1 % DISPLAY=:77 terminator
[email protected]_2: % xpra attach ssh:[email protected]:77
```
Assuming that the OpenVPN network is 10.1.2.0/24 (for example), we may have an xpra connection via SSH within the VPN network.
client_1 has a reverse shell to the server, which is called shell. Assuming there is no VPN, can I tunnel the xpra connection via SSH jump hosts?
Summary: Yes. Xpra even has Windows clients. You can use the pivoting tricks I outlined in another blog post. Or just use the HTML5 client with websockets. Many options. NX is the more mature option, but it isn’t open source afaik.
Oracle Ksplice Desktop Edition on a Ubuntu 16.04 host with VMware Workstation 14
I privately use ksplice on some re-purposed laptops, which host a couple of VMs with VMware Workstation.
As you might know, VMware Workstation needs kernel modules in order to manage virtual machine networks, memory etc…
In order to have as few issues as possible I run Ubuntu LTS on these laptops (mostly old Thinkpads).
You can get the free ksplice Desktop version here for these kinds of use cases. After each update run you might need to start the Workstation app with elevated privileges in order to rebuild and load the Linux kernel modules.
Summary: there is some level of coexistence between Oracle Ksplice and VMware Workstation. But not a very good one. Sometimes there are explainable crashes.
VMware Workstation 14 - how do I mount the shared folders using open-vm-tools?
This seems to be a topic VMware ignores. People cannot mount the shared folders. It just doesn’t work reliably enough.
The internet is full of questions about this topic. No one wants to solve the issue.
Either VMware is very ignorant and doesn’t need the money… or they have too many other problems… Who knows. VMware… you gotta love it as it is.
Here is how you have to mount the Shared Folders on Ubuntu 16 (it always changes, no clue why):
```
--- ~/scripts » vmware-hgfsclient
Shared
--- ~/scripts » vmhgfs-fuse .host:/$(vmware-hgfsclient) ~/Shared/ -o allow_other
```
Summary: this isn’t great. If you have multiple shared folders you need to adapt this, obviously. In a perfect world these get auto-mounted, and you don’t need a command-line utility. I highly doubt the typical Ubuntu user knows how to use a terminal. But VMware primarily targets those users. As to why they don’t fix this: no idea. As usual.
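The one-liner above only works while the host exposes exactly one share, since $(vmware-hgfsclient) then expands to a single name. The script below is an added example, not VMware's or the author's code: it mounts every share the host exposes, one directory per share under a base directory, using the same vmware-hgfsclient and vmhgfs-fuse commands the post shows. It rejects share names that could escape the base directory, and it leaves allow_other off unless asked, because that option (which also requires user_allow_other in /etc/fuse.conf) makes the host's files readable by every user in the guest. The base directory and the HGFS_LIST / HGFS_OPTS environment overrides are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): mount every VMware shared folder
# under a base directory, one mount per share, with the commands the post uses.
# Base directory and the HGFS_LIST / HGFS_OPTS overrides are assumptions.
set -u

# Read share names on stdin (one per line, as vmware-hgfsclient prints them)
# and print the ones that are safe to use as a directory name under the base.
# Empty names, ".", ".." and anything containing "/" are skipped.
plan_hgfs_mounts() {
    local share
    while IFS= read -r share; do
        case $share in
            ''|*/*|.|..)
                echo "skipping unsafe share name: '$share'" >&2
                continue ;;
        esac
        printf '%s\n' "$share"
    done
}

# Mount each share under $1 (default ~/Shared) unless it is already mounted.
# HGFS_LIST lets you substitute the lister (e.g. for a dry run);
# HGFS_OPTS="allow_other" opts in to world-readable mounts.
mount_hgfs_shares() {
    local base=${1:-$HOME/Shared} share mp
    ${HGFS_LIST:-vmware-hgfsclient} | plan_hgfs_mounts | while IFS= read -r share; do
        mp="$base/$share"
        mkdir -p "$mp"
        if mountpoint -q "$mp"; then
            echo "already mounted: $mp" >&2
            continue
        fi
        # Same mount command as the original, parameterised per share.
        vmhgfs-fuse ".host:/$share" "$mp" ${HGFS_OPTS:+-o "$HGFS_OPTS"}
    done
}

# Usage:
#   mount_hgfs_shares                       # private mounts under ~/Shared
#   HGFS_OPTS=allow_other mount_hgfs_shares # the original's behaviour, for all shares
```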