Author Topic: Kamilion's Ebox Tweaks  (Read 22127 times)

Kamilion

  • Zen Monk
  • **
  • Posts: 82
  • Karma: +2/-0
  • NASA System Administrator
    • View Profile
Kamilion's Ebox Tweaks
« on: December 02, 2009, 10:57:38 pm »
This is gonna be a big thread, once I document all the hacks and tweaks I've done to my installation.

To start off, some links to the Installer Improvements threads:
Main Thread:
http://forum.ebox-platform.com/index.php?topic=2153
My Installer:
http://forum.ebox-platform.com/index.php?topic=1963.0

Some background on my situation:

I work for a subcontractor for NASA Ames Research Center (ARC).
ARC has good, decently configured firewalls with a default-deny policy. (Always Best)

However, this means that lots of stuff breaks. So, we're going to have to get creative to fix it.
"Never feel stupid for asking questions, feel stupid for ignoring answers."
"You're arrogant for thinking you can, ignorant for thinking you cannot."
"Asking questions is important,
because that's when intuition gets converted into inspiration."

Kamilion

  • Zen Monk
  • **
  • Posts: 82
  • Karma: +2/-0
  • NASA System Administrator
    • View Profile
One OpenVPN Server to find them, and in the darkness, bind them
« Reply #1 on: December 02, 2009, 10:57:56 pm »
First Hack:
One Ebox to rule them, One OpenVPN Server to find them, and in the darkness, bind them...

I don't want to have to go through the hassle of configuring multiple OpenVPN servers, because eBox uses OpenVPN in 'routed' mode, not 'bridged' mode, so each OpenVPN server must have it's own subnet and doesn't share well.

Here's how to set up multiple port redirection to your single OpenVPN UDP Server port.
You must have the following modules enabled: ebox-network, ebox-firewall, ebox-openvpn.
Verify your OpenVPN server is operational on UDP port 1194. (Or change my instructions to suit.)
Go to UTM -> Firewall -> Redirects
Add a new redirect.

Settings:
Interface: Internet
Original Destination: eBox
Original destination port: Single Port, 443
Protocol: UDP
Source: Any
Destination IP: <Your External IP Here>
Port: Other, 1194

Click Add, then Save Changes.

Change your OpenVPN's client configuration from
remote <hostname> 1194
to
remote <hostname> 443

Test your new setup by connecting from another external network.

This should not impact an HTTPS server running on the same port, as HTTPS is TCP based, and OpenVPN is UDP based.
Make sure if you're redirecting port 443 for HTTPS that you use "TCP" as the protocol and not the default "TCP/UDP" as this will pass BOTH protocols.
« Last Edit: December 02, 2009, 11:00:15 pm by Kamilion »
"Never feel stupid for asking questions, feel stupid for ignoring answers."
"You're arrogant for thinking you can, ignorant for thinking you cannot."
"Asking questions is important,
because that's when intuition gets converted into inspiration."

Kamilion

  • Zen Monk
  • **
  • Posts: 82
  • Karma: +2/-0
  • NASA System Administrator
    • View Profile
Network Booting and You
« Reply #2 on: December 02, 2009, 11:26:16 pm »
Second Hack:
Network Booting and You

eBox has support for serving a bootfile over TFTP.

Only it's broken. Oops.

Here's my quick fix:
sudo nano /etc/inetd.conf

Code: [Select]
tftp           dgram   udp     wait    root  /usr/sbin/in.tftpd /usr/sbin/in.tftpd -s /var/lib/tftpboot

That /var/lib/tftpboot is where tftp will serve files from.
eBox expects it to be serving a file such as:
/var/lib/ebox/conf/dhcp/eth0/firmware

Code: [Select]
tftp           dgram   udp     wait    root  /usr/sbin/in.tftpd /usr/sbin/in.tftpd -s /var/lib/ebox/conf/dhcp/eth0

Now when you 'upload' a new boot file to eBox's dashboard,
/var/lib/ebox/conf/dhcp/ethX/firmware
gets replaced with whatever you've uploaded.

But eBox won't set the dhcp-option 'filename' to serve it.

sudo nano /usr/share/ebox/stubs/dhcp/subnet.mas

Look for
Code: [Select]
% if(defined($info{'nextServer'})) {
                next-server <% $info{'nextServer'} %>;
% }
% if(defined($info{'filename'})) {
                filename "<% $info{'filename'} %>";
% }

And change it to

Code: [Select]
% if(defined($info{'nextServer'})) {
                next-server <% $info{'nextServer'} %>;
                # Filename entry added by Kamilion (dec 01 2009)
                filename firmware;
% }
% if(defined($info{'filename'})) {
                filename "<% $info{'filename'} %>";
% }

Now we need something to boot.

Go pick up the latest gPXE from here:
http://www.rom-o-matic.net/gpxe/gpxe-git/gpxe.git/contrib/rom-o-matic/build.php

Click Customize.

Change the following Settings:

[X] DOWNLOAD_PROTO_HTTPS
[X] DOWNLOAD_PROTO_FTP

[X] TIME_CMD
[X] DIGEST_CMD

And paste in the following Embedded Script: (Good base, but edit if you wish)
Code: [Select]
#!gpxe
echo "Greetings! Hit Ctrl-C to bail out."
sleep 5
echo "Going to DHCP on primary network adapter"
ifopen net0
dhcp net0
echo "Going to try http://netboot/default.gpxe"
chain http://netboot/default.gpxe
echo "Didn't work, we're still here. Falling back to http://boot/default.gpxe"
chain http://boot/default.gpxe
echo "Didn't work, we're still here. Falling back to BKO"
set 209:string pxelinux.cfg/default
set 210:string http://boot.kernel.org/bko/
echo "Here we go, off to boot.kernel.org!"
chain http://boot.kernel.org/bko/pxelinux.0
echo "Didn't work, we're still here. No Internet connection? Falling back to next BIOS Boot device"

You should get a single .pxe file back after clicking Get Image.

Go to DHCP -> Interface -> Advanced Options -> Thin Client.
Settings:
Next server: eBox
File Name [browse] <Choose gpxe-x.x.x+-gpxe.pxe>
File path in next server: <blank>

Click "Change" to complete the settings, then Save Changes.

Place this file in the root of your HTTP server, named default.gpxe, and create a DNS alias to that machine named 'netboot'.
Code: [Select]
#!gpxe
imgfree
chain http://netboot/boot/menu.gpxe

Here's an example you can use to load Parted Magic:
Code: [Select]
#!gpxe
imgfree
kernel -n img http://bigblock/boot/pmagic/4.5/bzImage load_ramdisk=1 prompt_ramdisk=0 keymap=us loglevel=0 rw sleep=4
initrd http://bigblock/boot/pmagic/4.5/initramfs
boot img

Here's an example you can use to boot from iSCSI.
Code: [Select]
#!gpxe
imgfree
#dhcp net0
set keep-san 1
sanboot iscsi:10.10.10.250::::iqn.bigblock:storage.iscsikarmic-one
chain http://10.10.10.250/boot/iscsi.gpxe

More examples here: http://files.sllabs.com/boot/
« Last Edit: July 11, 2010, 12:53:37 am by Kamilion »
"Never feel stupid for asking questions, feel stupid for ignoring answers."
"You're arrogant for thinking you can, ignorant for thinking you cannot."
"Asking questions is important,
because that's when intuition gets converted into inspiration."

Kamilion

  • Zen Monk
  • **
  • Posts: 82
  • Karma: +2/-0
  • NASA System Administrator
    • View Profile
OpenVPN and DNS, a pushy combination
« Reply #3 on: December 02, 2009, 11:30:11 pm »
Third hack:
OpenVPN and DNS, a pushy combination...

eBox doesn't tell OpenVPN to push certain DHCP Options.

So we're going to have to edit the mason templates manually to do so.

sudo nano /usr/share/ebox/stubs/openvpn/openvpn.conf.mas

Scroll all the way down.

Before:
Code: [Select]
# Silence repeating messages.  At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20

<& advertisedNets, nets => \@advertisedNets &>

After:
Code: [Select]
# Silence repeating messages.  At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20

# Push options added by Kamilion (nov 03 2009)
push "dhcp-option DOMAIN it.mydomain.com"
push "dhcp-option DNS 10.10.10.254"
push "dhcp-option WINS 10.10.10.254"

<& advertisedNets, nets => \@advertisedNets &>

Now you can resolve internal hostnames from external OpenVPN clients!
"Never feel stupid for asking questions, feel stupid for ignoring answers."
"You're arrogant for thinking you can, ignorant for thinking you cannot."
"Asking questions is important,
because that's when intuition gets converted into inspiration."

J. A. Calvo

  • Zentyal Staff
  • Zen Hero
  • *****
  • Posts: 1986
  • Karma: +67/-3
    • View Profile
    • http://blogs.zentyal.org/jacalvo
Re: Kamilion's Ebox Tweaks
« Reply #4 on: December 03, 2009, 01:21:31 am »
Thank you again for your contributions!
Zentyal Server Lead Developer

Kamilion

  • Zen Monk
  • **
  • Posts: 82
  • Karma: +2/-0
  • NASA System Administrator
    • View Profile
Re: Kamilion's Ebox Tweaks
« Reply #5 on: December 03, 2009, 01:23:44 am »
Thank you again for your contributions!

No problem. More on the way. Once I hit 5-10, this may be useful enough to sticky.

Google
« Last Edit: March 15, 2010, 07:38:13 pm by Kamilion »
"Never feel stupid for asking questions, feel stupid for ignoring answers."
"You're arrogant for thinking you can, ignorant for thinking you cannot."
"Asking questions is important,
because that's when intuition gets converted into inspiration."

martinb

  • Zen Apprentice
  • *
  • Posts: 3
  • Karma: +0/-0
    • View Profile
Re: Kamilion's Ebox Tweaks
« Reply #6 on: December 05, 2009, 02:23:14 am »
Man oh man! The OpenVPN hack is just what I needed! Many thanks!  ;)

c4rdinal

  • Zen Samurai
  • ****
  • Posts: 341
  • Karma: +4/-0
    • View Profile
Re: Kamilion's Ebox Tweaks
« Reply #7 on: December 05, 2009, 04:12:18 pm »
Kamilion,

These are very useful stuff. Many thanks and keep it coming!

Rgds,

sixstone

  • Zentyal Staff
  • Zen Hero
  • *****
  • Posts: 1417
  • Karma: +26/-0
    • View Profile
    • Sixstone's blog
Re: Kamilion's Ebox Tweaks
« Reply #8 on: December 21, 2009, 10:11:49 am »
Thanks very much for your contributions o:)

I especially like the one for thin clients :)

Cheers,
My secret is my silence...

cl0s

  • Zen Apprentice
  • *
  • Posts: 18
  • Karma: +0/-0
    • View Profile
Re: Kamilion's Ebox Tweaks
« Reply #9 on: December 23, 2009, 08:36:58 pm »
yes... the network boot is golden. Thanks!

Kamilion

  • Zen Monk
  • **
  • Posts: 82
  • Karma: +2/-0
  • NASA System Administrator
    • View Profile
Re: Kamilion's Ebox Tweaks
« Reply #10 on: February 23, 2010, 12:08:36 am »
Hope these've been useful for 1.3 users.

Busy updating everything for 1.4. Expect new content soon.
"Never feel stupid for asking questions, feel stupid for ignoring answers."
"You're arrogant for thinking you can, ignorant for thinking you cannot."
"Asking questions is important,
because that's when intuition gets converted into inspiration."

Kamilion

  • Zen Monk
  • **
  • Posts: 82
  • Karma: +2/-0
  • NASA System Administrator
    • View Profile
Backing up components and Restoring individual components
« Reply #11 on: February 23, 2010, 09:44:46 pm »
First one in a while!

In upgrading to version 1.4, you may run into some issues with restoring old configurations.
The best way to avoid this is to do a clean install and only restore the module configurations you need.
In my case, the only thing I absolutely needed to save was openvpn.

Back up all Enabled Modules from the shell:
Code: [Select]
$ sudo /usr/share/ebox/ebox-make-backup --config-backup --description "OpenVPN Backup"
This will babble on about a bunch of redefined perl subroutines and then spit back something like:
Code: [Select]
Backup stored into file /var/lib/ebox/conf//backups/195129.tarat the end. At this point, the backup will also show up in the web interface.

You can get information on a backup tar like this:
Code: [Select]
$ sudo /usr/share/ebox/ebox-restore-backup --info /var/lib/ebox/conf//backups/195129.tar
      OpenVPN Backup
      Date: 2010-02-23 12:32:44
      Backup type: configuration backup
      Modules in backup: sysinfo network firewall apache ca dhcp dns events global logs ntp objects openvpn samba services squid usercorner users

These are the module names you need to give ebox-restore-backup.
You must import configurations for dependencies yourself, as in the next example, where I have to restore the CA configuration before OpenVPN.

Restore CA & OpenVPN:
Code: [Select]
$ sudo /usr/share/ebox/ebox-restore-backup --module ca /home/eboxadmin/eboxbackup.tar
$ sudo /usr/share/ebox/ebox-restore-backup --module openvpn /home/eboxadmin/eboxbackup.tar

Once this is complete, you can connect to the web interface, where you will have pending changes to save, and ebox should work out the kinks of most restores itself. (EG, when I restored OpenVPN above, the firewall rules were automatically updated the same as if I had created a brand new OpenVPN Configuration.)

If it requires something else, usually the error will be informative enough, I attempted to restore OpenVPN without the CA config first, and when I went to "Save Changes", it barfed because it had no certs to operate with, and aborted the save. So, be mindful of this.

Documentation on the tools themselves:
Restoring a backup:
Code: [Select]
root@cnc:/usr/share/ebox# ./ebox-restore-backup -help
  Usage:
  ./ebox-restore-backup  [OPTION]... [--module NAME]...   ARCHIVE_FILE
  ./ebox-restore-backup  --info ARCHIVE_FILE
  ./ebox-restore-backup  --help
  
  Options:
    --config-restore
    --data-restore
    --full-restore

    --force-dependencies

    --delete-backup

Making a backup:
Code: [Select]
root@cnc:/usr/share/ebox# ./ebox-make-backup -help
  Usage:
  ./ebox-make-backup  [OPTION]...
  ./ebox-make-backup  --help

  Options:
    --config-backup (default backup mode)
    --full-backup
    --bug-report

    --description <description>
    --remote-backup <name>

Many Thanks to Sixstone for quickly answering my question!
If you only want to back up the OpenVPN and CA modules. You must do a configuration backup and then in the new machine. Perform the following command:
Code: [Select]
$ sudo /usr/share/ebox/ebox-restore-backup --module openvpn <archive_file>
You have more information in our documentation.
« Last Edit: February 23, 2010, 09:58:16 pm by Kamilion »
"Never feel stupid for asking questions, feel stupid for ignoring answers."
"You're arrogant for thinking you can, ignorant for thinking you cannot."
"Asking questions is important,
because that's when intuition gets converted into inspiration."

Kamilion

  • Zen Monk
  • **
  • Posts: 82
  • Karma: +2/-0
  • NASA System Administrator
    • View Profile
Setting up Firefox Desktop mode in a better way for eBox 1.4
« Reply #12 on: February 24, 2010, 12:00:54 am »
Setting up Firefox Desktop mode in a better way for eBox 1.4

Great for KVM switches!

The user you created during the ebox-installer (first reboot, not ubiquity CD installer) is the account that runs firefox. It's configured for automatic login with that account on boot.

It's started from ~/.xsession and the default looks like this:
Code: [Select]
#!/bin/bash
firefox https://localhost &
exec blackbox

I change my admin port; so I had to change mine to something like:

Code: [Select]
#!/bin/bash
firefox https://localhost:443/LOGIN &
xset s off
xset -dpms
xset s noblank
exec blackbox

The xset stuff disables XOrg's built in screen blanking before launching blackbox.

Set this to false to prevent firefox from whining about restoring sessions after using 'halt' or 'reboot' from the web interface: about:config
browser.sessionstore.resume_from_crash

Put this Blackbox Menu here: /etc/X11/blackbox/blackbox-menu
Code: [Select]
[begin]
  [sep]
  [exec] (eBox Firefox) {firefox https://localhost:443/LOGIN}
  [exec] (eBox root xterm) {gksudo xterm}
  [exec] (eBox xterm) {xterm}
  [sep]
  [config] (Configure Blackbox)
  [restart] (Restart Blackbox)
  #[include] (|/path/to/bash/script.sh)
  [sep]
  [exit] (Exit and Logout)
  [sep]
[end]

Set your firefox homepage/startpage to "https://localhost:443/LOGIN".

Firefox should now *always* go to the eBox login screen correctly after a reboot, halt, logout, firefox crash, or firefox close/reopen.

Some good firefox Addons:
Full Fullscreen (Disable toolbars)
Fullscreen Statusbar
secureFox (Password Exit)
Refresh2Page (Go to homepage on timeout)
TerminalRun (Highlight text to run in terminal, with nice warnings!)

I'll be adding more to this as I figure out better ways to set up firefox as a configuration kiosk.

Next hack: Setting up FreeNX or NeatX to allow for remote GUI configuration over SSH. I need to play with NeatX first; otherwise I'll fall back to FreeNX which I've already gotten working.
« Last Edit: February 24, 2010, 10:39:48 pm by Kamilion »
"Never feel stupid for asking questions, feel stupid for ignoring answers."
"You're arrogant for thinking you can, ignorant for thinking you cannot."
"Asking questions is important,
because that's when intuition gets converted into inspiration."

Kamilion

  • Zen Monk
  • **
  • Posts: 82
  • Karma: +2/-0
  • NASA System Administrator
    • View Profile
Fun with FreeNX
« Reply #13 on: March 08, 2010, 01:17:03 pm »
Fun with FreeNX

Well, NeatX didn't want to play well with hardy, oh well!

Code: [Select]
sudo nano /etc/apt/sources.list
and append the two lines for the repository

Code: [Select]
deb http://ppa.launchpad.net/freenx-team/ppa/ubuntu hardy main
deb-src http://ppa.launchpad.net/freenx-team/ppa/ubuntu hardy main

Save it and then exit nano. ( Ctrl-X, Y, enter)

To add the public key of FreeNX PPA run:

Code: [Select]
sudo apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 2a8e3034d018a4ce
If you get timeouts with the above command, you may have to add a HKP entry to your firewall config.

Core -> Services
Create a new service.
Service name: hkp
Service Description: hkp for apt-key
Don't check "Internal". Add it, and edit the configuration with the notepad icon.
Add new.
Protocol: TCP/UDP
Source port: any
Destination port: 11371
Click Add.

UTM -> Firewall -> Packet Filter -> Filtering rules for traffic coming out from eBox
Add new.
Accept, Destination Any, Service hkp, inverse match unchecked, description hkp.
Click Add.

Try the apt-key command again until it adds the key.
You may need to add an outgoing http rule the same way as well; that service is already defined thankfully.
Make sure to disable them after you're finished adding keys and updating.

Code: [Select]
sudo apt-get update
After you add the repository, then install the freenx-server package.

Code: [Select]
sudo apt-get install freenx-serverIt'll pull in a mess of deps.

Now use nxsetup to install necessary files and create the special user "nx"

Code: [Select]
sudo /usr/lib/nx/nxsetup --install
Badabing -- grab the nxclient from NoMachine and you should be able to remotely login and use firefox just like a local console, protected by ssh2!
"Never feel stupid for asking questions, feel stupid for ignoring answers."
"You're arrogant for thinking you can, ignorant for thinking you cannot."
"Asking questions is important,
because that's when intuition gets converted into inspiration."

J. A. Calvo

  • Zentyal Staff
  • Zen Hero
  • *****
  • Posts: 1986
  • Karma: +67/-3
    • View Profile
    • http://blogs.zentyal.org/jacalvo
Re: Setting up Firefox Desktop mode in a better way for eBox 1.4
« Reply #14 on: March 12, 2010, 10:28:21 am »
Setting up Firefox Desktop mode in a better way for eBox 1.4

The 1.4-1 installer that has been just released includes all these suggestions by default. Thank you very much for your contribution!
Zentyal Server Lead Developer