Category Archives: Computer

All Computer Stuff

Install most basic Debian Jessie container for use as a template for LXC or similar

To create a most basic Debian Jessie container, you can follow these steps:

You should not forget to set the root password as it is good to have a known value later.

Now that we are within the container, we can configure the most basic settings that we will need for all containers:

Here I am usually generating

and set the default to en_US.UTF-8.

To get the full repository contents, you should change your repository sources to look as below:

and then do an aptitude update.

You should also install an SSH server by entering

Enable root logins via SSH by changing one line in its configuration:

Unfortunately systemd is not yet working easily with LXC, so it should be replaced by the old sysvinit:

Edit initial DNS resolver configuration so it looks like this:

Then also configure the main network interface configuration:

Replace /etc/inittab with the following short version which is enough for a container:

Should the network not come up automatically, you can set the IP address in the config file of the container:

After a first start, you should also configure the mail server so it can send all system mail to your main mail server:

and answer all the questions.

Shut the machine down again, clean up all the log files and make a copy which you can then use as your template for further containers.

Remotely disabling Firewall of Mac OS X

I just happened to be unable to log in to my Mac using ScreenSharing (VNC). It is enabled, but probably the firewall is asking if ScreenSharing should be allowed to receive incoming connections… Bummer!

If at least SSH is working, it is possible to disable the firewall completely from the command line. Please be sure to only do this in a secured environment:

After this you will have to restart the firewall agent:

You should now be able to use ScreenSharing.

Do not forget to re-enable the firewall again after you have finished your work, same procedure, but with 1 instead of 0, of course 🙂

To enable ScreenSharing in general, please read this older post: Activate screen sharing on Mac OS X when you only have SSH enabled

FhGFS glitches

Installing FhGFS leads to little glitches. I am installing on Debian 7.0 running XQuartz on Mac OS X.

  • to avoid the XTEST error message when starting the Java GUI, follow the instructions on http://xquartz.macosforge.org/trac/ticket/414 and enter defaults write org.macosforge.xquartz.X11 enable_test_extensions -bool yes in a terminal window before starting the GUI
  • if you are using a proxy, be sure to define it in /etc/environment before starting the admon process or else the automatic wget downloads will fail

IPSEC using Strongswan for iPhones and Mac computers

If you want to use the built-in IPSEC VPN clients of iPhones and Mac computers, there is very good documentation on the Strongswan site itself.

Most important are two things – you have to make sure your binaries have been built using the --enable-cisco-quirks option. Then it will behave like a Cisco router and you can make an IPSEC only tunnel. [This is not necessary anymore.]

The second issue (which is important for the Mac computers, iPhones seem to ignore this) is the server certificate. You must add the server’s fully qualified domain name, as it is seen by the clients, to the certificate’s common name (which is normal) and to the “X509v3 Subject Alternative Name” as “DNS:your.domain.tld”. Otherwise you will get the message that your server’s certificate is not correct.

Since my ipsec binaries were unable to add the “Subject Alternative Name”, I went back to good old openssl to create my CA and certificates. It is all standard, but you have to add the option “subjectAltName = DNS:copy:commonName” to openssl.cnf (server_cert section).

If you follow the documentation mentioned above and the two issues explained here you will be able to use the tunnel for both iPhones and Macs!
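The certificate requirement described above can be checked before the certificate goes onto the VPN server. The following is an added example, not part of the original post: it issues a test certificate with plain openssl, writing the DNS name explicitly into the extension section, and checks that the subject alternative name is really there. The host name vpn.example.test, the CA subject and the function names are constructed for the illustration.

```shell
#!/bin/sh
# Added example, not from the original post. The host name, subjects and
# file names are constructed placeholders.

# issue_server_cert DIR FQDN [nosan]
# Creates a throwaway CA and a server certificate in DIR. Unless "nosan"
# is given, FQDN is written to the common name and to the DNS SAN.
issue_server_cert() {
    dir=$1; fqdn=$2; mode=${3:-san}
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    # Extension section, playing the role of server_cert in openssl.cnf
    printf '[server_cert]\nbasicConstraints = CA:FALSE\n' > "$dir/ext.cnf"
    [ "$mode" = nosan ] ||
        printf 'subjectAltName = DNS:%s\n' "$fqdn" >> "$dir/ext.cnf"
    openssl x509 -req -in "$dir/server.csr" -days 30 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/ext.cnf" -extensions server_cert \
        -out "$dir/server.crt" 2>/dev/null
}

# has_dns_san CERT FQDN
# Succeeds only if CERT carries FQDN as an exact DNS entry in its SAN.
has_dns_san() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed 's/^ *//' | grep -qxF "DNS:$2"
}

# Demo: one certificate with the SAN, one without
for kind in san nosan; do
    tmp=$(mktemp -d)
    issue_server_cert "$tmp" vpn.example.test "$kind"
    if has_dns_san "$tmp/server.crt" vpn.example.test
    then echo "$kind: SAN has DNS:vpn.example.test"
    else echo "$kind: SAN missing (the case the post warns about)"
    fi
    rm -rf "$tmp"
done
```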

Mophie!

Today I can report another story of excellent customer service!

Last year in November I ordered a Hip holster directly from Mophie since it was not directly available within Europe. Unfortunately this raised UPS fees and import taxes which almost doubled the price.

Last week I found the holster was broken – and I asked the people at Mophie if they now had a German distributor doing warranty exchanges – and guess what, they asked for a more detailed description. Once they received that, they sent out a replacement for free which I just received today.

No need to send the broken holster back – which would have been expensive again.

This is what I call service. Extraordinarily good service. Thanks, David Hertz!

Temporary IPv6 address not MAC based

If you want to get a temporary IPv6 address which is not MAC based (so that you do not always surf with the same address, which can be tracked), you should enter

sudo sysctl -w net.inet6.ip6.use_tempaddr=1

on your Mac’s command line. You will then get an additional temporary IPv6 address which does not reveal your network card’s MAC address as part of it. This gives a bit more privacy!

Should also work on iPhone/iPad in case of a JB!
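To see what "MAC based" means in practice: an address built with modified EUI-64 (RFC 4291) carries ff:fe in the middle of its last 64 bits, and the MAC address can be read straight back out of it. The following added example, not part of the original post, checks an address for that pattern so you can confirm which of your addresses leak the MAC. The function name and the sample addresses are constructed, and the input is assumed to be a valid IPv6 address without an embedded IPv4 suffix.

```shell
#!/bin/sh
# Added example, not from the original post.

# eui64_mac ADDR
# Prints the embedded MAC address and succeeds if ADDR has a modified
# EUI-64 interface identifier; prints nothing and fails otherwise.
eui64_mac() {
    printf '%s\n' "$1" | awk '
    function pad(s) { while (length(s) < 4) s = "0" s; return s }
    {
        addr = tolower($0)
        sub(/%.*$/, "", addr)      # drop a zone id such as %en0
        sub(/\/.*$/, "", addr)     # drop a prefix length such as /64
        n = split(addr, f, ":")
        # Interface identifier = last four groups, read from the right;
        # once the "::" gap is reached, the remaining groups are zero.
        gap = 0
        for (i = 4; i >= 1; i--) {
            idx = n - (4 - i)
            if (idx < 1 || f[idx] == "") gap = 1
            g[i] = gap ? "0000" : pad(f[idx])
        }
        # EUI-64 marker: bytes 4 and 5 of the identifier are ff:fe
        if (substr(g[2], 3, 2) != "ff" || substr(g[3], 1, 2) != "fe") exit 1
        # Undo the universal/local bit flip (0x02) in the first byte
        hex = "0123456789abcdef"
        lo = index(hex, substr(g[1], 2, 1)) - 1
        lo = (int(lo / 2) % 2) ? lo - 2 : lo + 2
        printf "%s%s:%s:%s:%s:%s:%s\n",
            substr(g[1], 1, 1), substr(hex, lo + 1, 1),
            substr(g[1], 3, 2), substr(g[2], 1, 2), substr(g[3], 3, 2),
            substr(g[4], 1, 2), substr(g[4], 3, 2)
    }'
}

# Constructed sample addresses (documentation prefix 2001:db8::/32)
for a in 2001:db8::211:22ff:fe33:4455 2001:db8::a1b2:c3d4:e5f6:718; do
    if mac=$(eui64_mac "$a")
    then echo "$a is MAC based, reveals $mac"
    else echo "$a is not MAC based"
    fi
done
```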

Great support for my Berofix ISDN-to-SIP card

Today I need to tell you about some great support experience I had with a Berlin company called beroNet. They manufacture all kinds of telecommunications hardware; I have personally been running multiple ISDN BRI cards at home and at work for years now, with no problems at all.

Yesterday, on Sunday, I plugged in my currently unused berofix card to try it out with new versions of Asterisk or FreeSwitch. This card appears like a network card (from the OS point of view) and does all the work on its own (ISDN to SIP and back). All you need in your OS is a simple network driver which is available for all OSes I know of and usually already included. No special ISDN drivers and timing modules required under Linux.

The card is running its own (Linux-) OS which I haven’t upgraded for more than 15 months I guess – so I had a very early release on it. In fact I was beta testing the card before its official release and still had the beta software on it. I decided to upgrade the card to have a current version for my tests. Flashing the card is very easy, just upload the update file with a web browser, wait a bit – and – usually – all is done. My software release was so old that the current version just did not expect the very different file system structure from the beta test on my old card – and failed. No GUI anymore. And the entire card can be configured via its GUI.

After trying around a bit (getting only GUI errors) I decided to ask the beroNet support for help – and got a first answer at noon today. I could have repaired the card myself (by following this procedure) but when I mentioned that my card OS was really very old, Christian Richter, one of their support specialists, offered to have a look at the card if I could just give him access to a special port. I opened my firewall for him – and an hour later my card was up and running again.

That’s what I call support. All I had to do was ask for help – and it was fixed the easiest way possible for me. Thanks for the fast and competent support!

iPhone Certificates

Today I was worrying how to get my own CA’s root certificate AND a certificate signed by my own CA into my iPhone.

After reading lots of stuff I finally made it:

First, send an email containing your CA’s root certificate (the .crt file) to an address which you will receive on your iPhone. Open this mail, click on the attachment – and voila, you will be asked to install that certificate. Do it 🙂

Your “Identity” – which consists of your client’s .crt and .key files – needs to be converted into a single PKCS12 .p12 file to be understood by the iPhone.

This conversion can be done by the following command (taken from http://shib.kuleuven.be/docs/ssl_commands.shtml):

openssl pkcs12 -export -in your_iphone_s.crt -inkey your_iphone_s.key -out your_iphone_s.p12 -name "name_of_your_iphone" -CAfile your_ca_s.crt -caname "your_ca_s_name" -chain

You will be asked for an export password which will protect your identity during transmission via email later. If your_iphone_s.key is protected with a password you will probably be asked for that one, too – but this was not the case with my file, so I cannot tell you.

Again, mail the resulting your_iphone_s.p12 to an address which you will receive on your iPhone. Open this mail, click on the attachment – and voila, you will be asked to install that PKCS12 identity. Do it 🙂

You will be asked for the export password which you entered when creating the .p12 file.

How to compile the client of Bacula 5.0.2 on Mac OS X Snow Leopard 64bit

After fiddling around for quite a while I finally managed to compile a working 64bit client of Bacula 5.0.2 for Mac OS X Snow Leopard (10.6.4).

After downloading the source tar.gz from http://www.bacula.org you would untar the file, enter the directory – and there is a special make command make -C platforms/osx to compile the client. This does not work on 10.6.4 and not with 64bit.

My patch (bacula-5.0.2-snowleopard-64bit.patch.gz) can be applied as follows:

  • Download bacula-5.0.2.tar.gz from http://www.bacula.org
  • tar xvzf bacula-5.0.2.tar.gz
  • cd bacula-5.0.2/platforms/osx
  • zcat ../../../wherever_you_saved_the_patch/bacula-5.0.2-snowleopard-64bit.patch.gz | patch -p1
  • make dmg

You will then find a mountable DMG within the products directory.

My patch is changing the following:

  • Runs the file daemon as root after startup of the system
  • Creates the config file with a director name of bacula-dir – to change this edit the file resources/postflight.in AFTER patching and replace bacula-dir by your_director_host-dir. This way all your clients already know the director host!
  • Compiles a native 64bit executable under 10.6.4 with current SDKs

Hope this will help others!

iPhone refusing to re-pair with headset

For whatever reason today my iPhone and my Sennheiser MM 450 did not want to communicate with each other anymore via Bluetooth. I managed to factory reset my headset, but of course wanted to avoid this on my iPhone. But no chance, no new pairing happened and I could not get rid of the old entry of the headset in my iPhone list.

After a lot of searching and playing around I found two files on the iPhone you have to edit:

Convert the first file into editable XML format:

plutil -convert xml1 /private/var/mobile/Library/Preferences/com.apple.MobileBluetooth.devices.plist

Here you will find your device’s MAC address (00:16:94:09:AA:AA) which you will need for the second file:

sqlite3 /Library/Keychains/keychain-2.db

Look for your MAC address in the output of the command

select * from genp;

It will look like this:

54||||||||||||||00:16:94:09:AA:AA|MobileBluetooth||h######a;#########9Hx###fd######a####zo####

To remove that line having a 54 in the first column (with name rowid), enter

delete from genp where rowid=54;

and your iPhone will not know how to talk to your headset anymore and ask for re-pairing.

Of course you will need to have a JB iPhone and the packages com.ericasadun.utilities and sqlite3 available via Cydia!

I hope this saves you a reset of your networking settings as it did for me!