Linux Without Borders, Edition 1 (Nov 2017): network-ergonomics and cloud-mounts for the impatient



For the astute pioneers of experimental system administration and hallucinogenic programming… here is the newest Linux Without Borders. The journal you never signed up for. Which reminds you how broken things are. And which makes sure you don’t get to enjoy the peace and quiet of the formidable, ergonomic, always-responsive Windows Desktop experience! Because Linux on the Desktop is dead. Always.


Network Manager and OpenVPN auto-connect

For optimal and encrypted interconnectivity between multiple endpoints in different locations I use OpenVPN. OpenVPN has clients for Linux, Windows and mobile phones. It can encapsulate SSH, NX, RDP and similar protocols to secure remote (administration) connections: the tunnel authenticates the peer with certificates and encrypts everything inside it, so man-in-the-middle attacks and credential loss on the inner protocols stop being a concern as long as the VPN endpoints themselves are verified.

It also allows transparent networking between endpoints in different locations, which simplifies things.

On many Linux distributions, including Canonical's flavours such as Ubuntu and Kubuntu, Network Manager can be extended with VPN plugins: network-manager-openconnect (for Cisco AnyConnect and compatible servers) and network-manager-openvpn, for example.

If you have an OpenVPN server, connecting with a profile by default is one tick-box away: import the .ovpn file as a VPN connection, then enable “Automatically connect to VPN when using this connection” on the wired or wireless connection it should ride on.
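The same tick-box from a terminal, as an added example that is not part of the original post: a small bash wrapper around nmcli, useful for headless lab VMs. It assumes the network-manager-openvpn plugin is installed; the profile path and the primary connection name “Wired connection 1” in the usage line are placeholders.

```shell
#!/bin/bash
# Added example, not from the original post: the nmcli equivalent of the
# Network Manager tick-box "Automatically connect to VPN when using this
# connection". Assumes network-manager-openvpn is installed; the profile
# path and the primary connection name are placeholders.
set -euo pipefail

# Import an .ovpn profile. nmcli names the new connection after the file
# (minus the extension), which is what we print so callers can refer to it.
import_ovpn() {
  local ovpn="$1"
  nmcli connection import type openvpn file "$ovpn" >/dev/null
  basename "$ovpn" .ovpn
}

# Look up a connection's UUID; secondaries are stored by UUID, not by name.
connection_uuid() {
  nmcli -t -f connection.uuid connection show "$1" | cut -d: -f2
}

# Register $vpn as a secondary of $primary: NM activates the VPN every time
# the primary connection comes up, exactly what the GUI tick-box configures.
attach_vpn_to() {
  local primary="$1" vpn="$2" uuid
  uuid=$(connection_uuid "$vpn")
  nmcli connection modify "$primary" +connection.secondaries "$uuid"
}

# Usage: ./vpn-autoconnect.sh /path/to/lab.ovpn "Wired connection 1"
# Verify with: nmcli -f connection.secondaries connection show "Wired connection 1"
main() {
  local vpn
  vpn=$(import_ovpn "$1")
  attach_vpn_to "$2" "$vpn"
  echo "VPN '$vpn' will come up together with '$2'"
}

if [ $# -gt 0 ]; then
  main "$@"
fi
```

For an unattended boot the profile should authenticate with certificates and keys; a profile that needs an interactive password will sit waiting for a secrets prompt that nobody answers.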


Summary: if you like your VMs to phone home via SSH (next section), OpenVPN lets you expose the other services of your various endpoints to the lab network in a secure and transparent fashion.
My lab is in various clouds, on laptops and workstations. It’s not a room anywhere where I could have a dedicated switch.

rclone mounts for SSHfs, Dropbox, Google Drive...

rclone is an almost magical utility, written in Go. It’s a self-contained bridge to many different cloud and remote storage services. rclone has a mount subcommand that exposes a remote as a FUSE (Filesystem in Userspace) filesystem. That means you can use GNU coreutils etc. and freely move data around, as if the files were on a local disk.

On Microsoft Windows you can use WinFsp as the FUSE layer. This way you can either have the same experience from Bash for Windows, or use PowerShell / cmd.exe etc.

rclone's performance is quite outstanding, and its SFTP backend covers what SSHfs does. I have tested it with Google Drive, Amazon Cloud Drive, Dropbox and SFTP.

I prefix any mount of a remote file system with remote_… so that I can enumerate these mounts easily.

Check it out:

--- ~/scripts » cat gdrive_*                   
#! /bin/bash
# gdrive_bs: is the remote name from rclone.conf; --allow-other lets other
# local users (and root) through the FUSE mount and needs user_allow_other
# in /etc/fuse.conf. Errors are discarded here, so check with "mount" afterwards.
rclone mount --allow-other gdrive_bs:/ ~/remote_gdrive > /dev/null 2>&1 &

#! /bin/bash
rclone mount --allow-other gdrive_wishinet:/ ~/remote_gdrive_wnet > /dev/null 2>&1 &

Now to see all these remote_* mounts:

--- ~/scripts » mount | grep remote 
gdrive_bs: on /home/marius/remote_gdrive type fuse.rclone (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000,allow_other)
dbox: on /home/marius/remote_dbox type fuse.rclone (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000,allow_other)

Summary: OK, so dbox (probably Dropbox) and gdrive_bs (probably Google Drive) are mounted. No extra utility is needed. The FUSE mount is “remote only”: I don’t have a local copy. Note the allow_other in the mount options: it lets every local user, root included, through the mount, which is exactly what the Docker case below needs and not what you want on a shared box.
Let’s say I want to spin up a Docker container, do some magic, and save the magic somewhere… rclone is the binary I’d drop in to do that.
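A slightly more careful version of the one-liners above, as an added example that is not from the post or from the rclone project: it checks the FUSE prerequisite for --allow-other before mounting, keeps a log instead of throwing stderr away, and enumerates the remote_* mounts from /proc/mounts. Remote and mount names follow the post; the log location under ~/.cache is an assumption.

```shell
#!/bin/bash
# Added example (not from the post or the rclone project): mount helper and
# enumerator for rclone FUSE mounts using the post's remote_<name> convention.
set -euo pipefail

# --allow-other is rejected by fusermount unless /etc/fuse.conf contains
# user_allow_other. Check before mounting rather than after a silent failure.
allow_other_enabled() {
  local conf="${1:-/etc/fuse.conf}"
  grep -qE '^[[:space:]]*user_allow_other' "$conf" 2>/dev/null
}

# Mount rclone remote $1 (e.g. "gdrive_bs:") at ~/remote_$2.
# --allow-other is what lets root and other local users, including processes
# in a Docker container that bind-mounts the directory, read the data: do not
# add it on a shared machine unless that is intended.
mount_remote() {
  local remote="$1" name="$2"
  local target="$HOME/remote_$name" log="$HOME/.cache/rclone-$name.log"
  local -a opts=(--vfs-cache-mode writes)   # lets seek-after-write work
  mkdir -p "$target" "${log%/*}"
  if allow_other_enabled; then
    opts+=(--allow-other)
  fi
  rclone mount "${opts[@]}" --log-file "$log" --log-level INFO "$remote" "$target" &
  echo "$!"   # pid of the rclone process, for a later kill / fusermount -u
}

# Print "remote mountpoint" for every fuse.rclone mount under a remote_* dir.
# Reads /proc/mounts format (device mountpoint fstype options dump pass); the
# path is a parameter so a saved copy of the table can be inspected offline.
list_remote_mounts() {
  local table="${1:-/proc/mounts}"
  awk '$3 == "fuse.rclone" && $2 ~ /\/remote_/ { print $1, $2 }' "$table"
}

# Unmount cleanly: fusermount -u detaches the mount and rclone then exits.
umount_remote() {
  fusermount -u "$HOME/remote_$1"
}
```

Usage: `pid=$(mount_remote gdrive_bs: gdrive)` then `list_remote_mounts` to confirm, and `umount_remote gdrive` when done. Remember that the OAuth tokens for Google Drive and Dropbox live in ~/.config/rclone/rclone.conf; rclone config can encrypt that file with a password, which is worth doing on a laptop.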

Systemd OpenSSH phone-home - the way of the corkscrew

systemd can do things. Too many. Some well, others not so well.

With systemd you do not need autossh any more. You can create a service unit that runs an OpenSSH reverse connection and restarts it whenever it drops, which gives you a continuous shell channel back to the jump host.

Take a look:

--- ~ » cat /etc/systemd/system/phome.service
[Unit]
Description=Phone Home Reverse SSH Service
After=network-online.target
Wants=network-online.target

[Service]
# Run as the owner of the key and the ssh config, not as root.
User=localuser
ExecStart=/usr/bin/ssh -NTC -F /home/localuser/.ssh/config -o ServerAliveInterval=60 -o ExitOnForwardFailure=yes -o StrictHostKeyChecking=no -i /home/localuser/.ssh/id_rsa -R 12345:localhost:22 shell
# Restart every >2 seconds to avoid StartLimitInterval failure
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target

localuser is /me, or preferably you if you copy-paste this. I am assuming you ran ssh-keygen / ssh-copy-id. Since we pass the user’s .ssh config with -F, the host aliases defined there are available. shell is only reachable via a jump host. Be aware that StrictHostKeyChecking=no accepts any host key silently, so the first connection, and any later key change, is open to a man-in-the-middle; for an unattended service, pin the keys in known_hosts and set it to yes. Check it out:

--- ~ » sudo systemctl status phome                                                                                                               
● phome.service - Phone Home Reverse SSH Service
   Loaded: loaded (/etc/systemd/system/phome.service; disabled; vendor preset: enabled)
   Active: active (running) since Tue 2017-11-28 18:38:29 UTC; 12min ago
 Main PID: 35256 (ssh)
   CGroup: /system.slice/phome.service
           ├─35256 /usr/bin/ssh -NTC -F /home/marius/.ssh/config -o ServerAliveInterval=60 -o ExitOnForwardFailure=yes -o StrictHostKeyChecking=no -i 
           └─35257 ssh osroad nc -w 120 22

Nov 28 18:38:29 ubuntu systemd[1]: Started Phone Home Reverse SSH Service.

Does this look weird? Let’s check out the user’s .ssh:

--- ~ » grep shell -A 4 -B 1 .ssh/config                                                                                                          
Host shell
   User marius
   ProxyCommand ssh osroad nc -w 120 %h %p

Fantastic… so the ProxyCommand uses netcat and another host alias. Typical. (With OpenSSH 5.4 or later, `ProxyCommand ssh -W %h:%p osroad` does the same without needing netcat on the jump host.) Well, let’s at least use this reverse shell and take it for a spin. Wherever it goes to…

--- ~ » ssh shell                  
Last login: Tue Nov 28 19:39:23 2017 from
[email protected] ~                                                                                                                             [19:56:52] 
> $ ssh -p 12345 [email protected]   

Summary: this is some sort of corkscrew setup: a phone-home SSH service via a jump host, with OpenSSH host aliases. It works with systemd and appears reliable enough. Keep in mind that the reverse port binds to the loopback interface of shell (unless GatewayPorts is enabled there), so every account with a shell on that host can reach the VM’s sshd via 127.0.0.1:12345; the VM’s own sshd configuration is what stands between them and a login.
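A hardened variant of the unit above, as an added example that is not from the post: it renders the same reverse tunnel but runs as the key’s owner, pins host keys instead of disabling the check, and refuses to install until every hop is present in known_hosts. User name, port and alias are parameters; the hostnames in the usage line are placeholders.

```shell
#!/bin/bash
# Added example, not the post's unit: render and install a hardened version of
# phome.service. Changes versus the post: User= instead of root,
# StrictHostKeyChecking=yes against a pre-populated known_hosts, and an explicit
# restart policy. All names are parameters supplied by the caller.
set -euo pipefail

# Print the unit. $1 = local user owning ~/.ssh, $2 = port to open on the jump
# host's loopback, $3 = Host alias (from that user's ~/.ssh/config) to dial.
render_phone_home_unit() {
  local user="$1" port="$2" alias="$3" home="/home/$1"
  cat <<EOF
[Unit]
Description=Phone Home Reverse SSH Service
After=network-online.target
Wants=network-online.target

[Service]
User=$user
# -N no remote command, -T no tty, -C compression. ExitOnForwardFailure makes
# ssh exit (so systemd restarts it) when the remote side cannot bind $port,
# e.g. because a stale tunnel still holds it. StrictHostKeyChecking=yes means
# an unknown or changed host key aborts instead of being silently accepted.
ExecStart=/usr/bin/ssh -NTC -F $home/.ssh/config \\
    -o ServerAliveInterval=60 -o ServerAliveCountMax=3 \\
    -o ExitOnForwardFailure=yes \\
    -o StrictHostKeyChecking=yes -o UserKnownHostsFile=$home/.ssh/known_hosts \\
    -i $home/.ssh/id_rsa -R $port:localhost:22 $alias
# Restart after >2 s so a flapping link does not hit StartLimitBurst (5 in 10 s).
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF
}

# Every hop must already be pinned. ssh-keygen -F also finds hashed entries,
# so HashKnownHosts=yes (the Ubuntu default) is fine.
hosts_pinned() {
  local known_hosts="$1" h
  shift
  for h in "$@"; do
    ssh-keygen -F "$h" -f "$known_hosts" >/dev/null || return 1
  done
}

# install_phone_home <user> <port> <alias> <hostname>...
# The hostnames are the real names behind the aliases (jump host and final
# target), i.e. what ssh will look up in known_hosts.
install_phone_home() {
  local user="$1" port="$2" alias="$3"
  shift 3
  hosts_pinned "/home/$user/.ssh/known_hosts" "$@"
  render_phone_home_unit "$user" "$port" "$alias" \
    | sudo tee /etc/systemd/system/phome.service >/dev/null
  sudo systemctl daemon-reload
  sudo systemctl enable --now phome.service
}
```

Populate known_hosts by connecting interactively once as that user and checking the fingerprints out of band, then run something like `install_phone_home marius 12345 shell jump.example.org shell.example.org` (placeholder hostnames). On the jump host, prefix the phone-home key in authorized_keys with `restrict,port-forwarding` (OpenSSH 7.2 and later) so that identity can open the tunnel and nothing else.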

Use Case 1: Linux RDP a la NX with OpenSSH

Since X11 forwarding on Linux is slow and dead, I tend to install NX and use it via OpenVPN or SSH.

Alternatives include xpra (which has an HTML5 client), which can be started in conjunction with the OpenSSH phone-home trick.

Let’s play around with xpra.

[email protected]_1 % xpra start :77 --no-daemon --xvfb="/usr/bin/Xvfb"
[email protected]_1 % DISPLAY=:77 terminator

[email protected]_2: % xpra attach ssh:[email protected]:77

Assuming that the OpenVPN network is (for example) , we may have an xpra connection via SSH within the VPN network.

client_1 has a reverse shell to the server, which is called shell. Assuming there is no VPN, can I tunnel the xpra connection via SSH jump hosts?

Summary: Yes. Xpra even has Windows clients. You can use the pivoting tricks I outlined in another blog post, or just use the HTML5 client over websockets. Many options. NX is the more mature option, but it isn’t open source afaik.
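The answer in code, as an added example that is not from the post or the xpra project: attach to the xpra session on client_1 from client_2 with no VPN, by chaining through osroad and the reverse port on shell. The aliases shell/osroad, port 12345 and display :77 are the post’s; the user name and the two TCP port numbers are assumptions.

```shell
#!/bin/bash
# Added example (not from the post or xpra): reach an xpra session on client_1
# from client_2 with no VPN. Path: client_2 -> osroad -> shell ->
# shell:127.0.0.1:12345 (the reverse tunnel) -> client_1:22 -> client_1's xpra
# TCP socket. Aliases shell/osroad and port 12345 come from the post; the user
# name, XPRA_PORT and LOCAL_PORT are assumptions.
set -euo pipefail

REVERSE_PORT="${REVERSE_PORT:-12345}"   # the -R port from phome.service
XPRA_PORT="${XPRA_PORT:-14500}"         # xpra --bind-tcp port on client_1
LOCAL_PORT="${LOCAL_PORT:-14500}"       # where client_2 will see it

# On client_1: start the session listening on loopback only, so the TCP
# socket is reachable solely through ssh (xpra's tcp: transport has no
# authentication by default).
start_session_on_client1() {
  xpra start ":$1" --no-daemon --bind-tcp="127.0.0.1:${XPRA_PORT}"
}

# On client_2: open the local forward through the chain. ProxyCommand with
# ssh -W replaces the netcat hop; shell then connects to its own
# 127.0.0.1:$REVERSE_PORT, which is client_1's sshd. Prints the pid of the
# background ssh so the caller can tear it down.
open_forward() {
  local user="$1"
  ssh -N -o ExitOnForwardFailure=yes \
      -o ProxyCommand="ssh -W %h:%p shell" \
      -p "$REVERSE_PORT" \
      -L "${LOCAL_PORT}:127.0.0.1:${XPRA_PORT}" \
      "${user}@127.0.0.1" &
  echo "$!"
}

# On client_2: attach over the forwarded port.
attach_from_client2() {
  xpra attach "tcp:127.0.0.1:${LOCAL_PORT}"
}

# Usage on client_2:  pid=$(open_forward marius); attach_from_client2; kill "$pid"
```

The user name in the usage line is the account on client_1 that the reverse tunnel exposes; ssh still authenticates against client_1’s sshd and checks its host key, so the chain adds no trust beyond what the phone-home setup already has.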

Oracle Ksplice Desktop Edition on a Ubuntu 16.04 host with VMware Workstation 14

I privately use ksplice on some re-purposed laptops, which host a couple of VMs with VMware Workstation.

As you might know VMware Workstation needs kernel modules in order to manage virtual machine networks, memory etc…

In order to have as few issues as possible I run Ubuntu LTS on these laptops (mostly old ThinkPads).

You can get the free Ksplice Desktop version here for these kinds of use cases. After each update run you might need to start the Workstation app with elevated privileges in order to rebuild and load the kernel modules (`sudo vmware-modconfig --console --install-all` does the same from a terminal).

Summary: there is some level of coexistence between Oracle Ksplice and VMware Workstation. But not a very good one. Sometimes there are explainable crashes.

VMware Workstation 14 - how do I mount the shared folders using open-vm-tools?

This seems to be a topic VMware ignores. People cannot mount the shared folders; it just doesn’t work reliably enough.
The internet is full of questions about this topic, and no one wants to solve the issue.

Either VMware is very ignorant and doesn’t need the money… or they have too many other problems… Who knows. VMware… you gotta love it as it is.

Here is how you have to mount the Shared Folders on Ubuntu 16.04 (it always changes, no clue why):

--- ~/scripts » vmware-hgfsclient                                               

--- ~/scripts » vmhgfs-fuse .host:/$(vmware-hgfsclient) ~/Shared/ -o allow_other

Summary: this isn’t great. If you have multiple shared folders you need to adapt this, obviously: the command substitution then expands to several names, so either mount `.host:/` (every share shows up as a subdirectory) or mount each share separately. In a perfect world these get auto-mounted and you don’t need a command-line utility. I highly doubt the typical Ubuntu user knows how to use a terminal. But VMware primarily targets those users. As to why they don’t fix this: no idea. As usual.
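An added example, not from the post or from open-vm-tools, that mounts every share vmware-hgfsclient reports into its own directory and can emit the fstab line for the auto-mount case. The tool names are the post’s; the mount root under ~/Shared and the variables that allow swapping the binaries are assumptions.

```shell
#!/bin/bash
# Added example (not from the post or open-vm-tools): mount each VMware shared
# folder separately, and print the fstab line for the auto-mount alternative.
# HGFS_CLIENT/HGFS_FUSE exist so the binaries can be swapped (or stubbed).
set -euo pipefail

HGFS_CLIENT="${HGFS_CLIENT:-vmware-hgfsclient}"
HGFS_FUSE="${HGFS_FUSE:-vmhgfs-fuse}"
SHARE_ROOT="${SHARE_ROOT:-$HOME/Shared}"

# Share names, one per line, as reported by the guest tools. Names may contain
# spaces, hence the read loop below instead of $(...) word splitting, which is
# what breaks the post's one-liner as soon as there is more than one share.
list_shares() {
  "$HGFS_CLIENT"
}

# Mount one share at $SHARE_ROOT/<name>. allow_other needs user_allow_other
# in /etc/fuse.conf; without it the mount is visible only to the mounting user.
mount_share() {
  local share="$1" target="$SHARE_ROOT/$1"
  mkdir -p "$target"
  "$HGFS_FUSE" ".host:/$share" "$target" -o allow_other
  echo "$target"
}

# Mount everything; prints the mountpoints created.
mount_all_shares() {
  local share
  while IFS= read -r share; do
    [ -n "$share" ] || continue
    mount_share "$share"
  done < <(list_shares)
}

# Persistent alternative: one fstab line mounting the whole .host:/ tree, with
# every share appearing as a subdirectory of $1 (the form vmhgfs-fuse documents).
hgfs_fstab_line() {
  printf '.host:/ %s fuse.vmhgfs-fuse allow_other,defaults 0 0\n' "$1"
}
```

Run `mount_all_shares` after boot, or append `hgfs_fstab_line /mnt/hgfs` to /etc/fstab once and forget the script. As with the rclone mounts, allow_other means every local account in the guest can read the host’s shared folders.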
