Artur Pędziwilk

AppJail on FreeBSD

2024-01-22T00:00:00+01:00

FreeBSD is a free and open-source Unix-like operating system known for its reliability and stability. It is optimized for performance, especially for networking and disk storage.

AppJail Framework

AppJail is an open source framework to create isolated, portable and easy to deploy environments using FreeBSD jails that behaves like an application.

$ pkg install appjail;
$ sysrc appjail_enable="YES";

Linux Binary Compatibility

Enable and start the Linux ABI. The Linux service will load necessary kernel modules and mount filesystems expected by Linux applications under /compat/linux.

$ sysrc linux_enable="YES";
$ sysrc linux_mounts_enable="YES";
$ service linux start;

Linux software requires more than just an ABI to work. In order to run Linux software an userland must be installed and local timezone must be set.

$ pkg install debootstrap;
$ tzsetup;

Ubuntu Linux

Ubuntu Linux is praised for its stability, security, and ease of use.

$ printf \
  'exec.start: "/bin/true"\nexec.stop: "/bin/true"\npersist\n' \
  > /etc/linux.template;
$ appjail fetch debootstrap jammy;
$ appjail quick jammy \
  osversion=jammy type=linux+debootstrap \
  start linuxfs alias ip4_inherit devfs_ruleset=0 template=/etc/linux.template \
  login;

References

FreeBSD Jails and Containers - FreeBSD Community; 1994-2024
FreeBSD Linux Binary Compatibility - FreeBSD Community; 1994-2024
AppJail is a framework to create isolated, portable, and easy-to-deploy environments - Jesús Daniel Colmenares Oviedo; 2022-2023

BOINC on Kubernetes cluster

2023-12-12T00:00:00+01:00

Berkeley Open Infrastructure for Network Computing (BOINC) is an open-source volunteer oriented computing grid that combines the processing power of individual users for the purposes of scientific research. It uses computer’s processors and graphics cards to cure diseases, study global warming, discover pulsars, and do many other types of scientific research.

Kubernetes (K8S) is an open-source container orchestration system for automating software deployment, scaling, and management. Its suitability for running and managing large cloud-native workloads has led to widespread adoption of it in the data center.

Kubernetes manifest universe.yaml for Universe@Home project.

apiVersion: v1
kind: Pod
metadata:
  name: universe
spec:
  containers:
  - name: universe
    image: osgiliath/boinc:nvidia
    volumeMounts:
    - name: universe-storage
      mountPath: /var/lib/boinc
  volumes:
  - name: universe-storage
    emptyDir: {}

Create an universe application resources in a cluster.

# kubectl apply -f universe.yaml;

Attach to the universe@home project with your weak account key.

# kubectl exec universe -- boinccmd --project_attach https://universeathome.pl/universe/ WEAKACCOUNTKEY;
# kubectl logs universe;

Kubernetes manifest einstein.yaml for Einstein@Home project.

apiVersion: v1
kind: Pod
metadata:
  name: einstein
spec:
  containers:
  - name: einstein
    image: osgiliath/boinc:nvidia
    volumeMounts:
    - name: einstein-storage
      mountPath: /var/lib/boinc
  volumes:
  - name: einstein-storage
    emptyDir: {}

Create an einstein application resources in a cluster.

# kubectl apply -f einstein.yaml;

Attach to the einstein@home project with your weak account key.

# kubectl exec einstein -- boinccmd --project_attach https://einstein.phys.uwm.edu/ WEAKACCOUNTKEY;
# kubectl logs einstein;

FreeBSD at Hetzner on AMD Ryzen

2020-12-29T00:00:00+01:00

FreeBSD is an operating system which focuses on features, speed, and stability. It provides robust network services under the heaviest loads and uses memory efficiently to maintain good response times for thousands of simultaneous user processes. FreeBSD/amd64 supports the AMD64 platform which is expected to be production quality with respects to all aspects of the FreeBSD operating system, including installation and development environments.

Thankfully to Hetzner’s idea to reuse hardware of terminated products it is possible to find an economic yet powerful system.

Inspired by BOINC Projects with FreeBSD support I run a BOINC rig on AMD Ryzen Threadripper 2950X processor with maximum possible load on the system.

The ordered server is delivered in rescue system. Connecting over SSH with tunneling of VNC port makes the whole installation easy.

# ssh root@46.4.23.49 -L 6900:localhost:5900;

Rescue System up since 2020-12-29 14:00 +01:00

Hardware data:

   CPU1: AMD Ryzen Threadripper 2950X 16-Core Processor (Cores 32)
   Memory:  128712 MB
   Disk /dev/sda: 512 GB (=> 476 GiB)
   Total capacity 476 GiB with 1 Disk

Network data:
   eth0  LINK: yes
         MAC:  00:d8:61:56:51:dc
         IP:   46.4.23.49
         IPv6: 2a01:4f8:221:3895::2/64
         Intel(R) Gigabit Ethernet Network Driver

Note down the DNS resolvers, the default gateway, IP and IPv6 addresses, and ethernet driver.

# cat /etc/resolv.conf;
# ip route show;
# ifconfig eth0;
# lspci | grep Ethernet;

Install QEMU. It is a generic and open source machine emulator and virtualizer.

# apt-get install qemu;

Download FreeBSD ISO image to install a new system from.

# wget https://download.freebsd.org/ftp/releases/amd64/amd64/ISO-IMAGES/12.2/FreeBSD-12.2-RELEASE-amd64-disc1.iso;

Boot dual proccessor virtual machine with 2GB of memory and first disk attached to it. The ISO image is mounted as a CD-ROM and there is a VNC enabled.

# qemu-system-x86_64 -smp cpus=2 -m 2048 -hda /dev/sda -net nic -boot d -vnc localhost:0 -cdrom /root/FreeBSD-12.2-RELEASE-amd64-disc1.iso;

Connect the VNC client to localhost:6900 and continue installation normally. Refer to the official handbook of Installing FreeBSD.

ZFS configuration for pool type is “stripe: 1 disk” with encrypted swap. More hard drives can be enabled in Qemu by

# [...] -hda /dev/sda -hdb /dev/sdb -hdd /dev/sdc [...]

The FreeBSD installer will ask to configure em0 virtual network device. Use DHCP to change that later for Intel(R) Gigabit Ethernet Network Driver.

At the end of installation open a shell in the new system to make final manual modifications. Add networking configuration to /etc/rc.conf for igb0.

# ee /etc/rc.conf;

gateway_enable="YES"
gateway_if="igb0"
gateway_ip="46.4.23.1"
ifconfig_igb0="inet 46.4.23.49 netmask 255.255.255.192"
ifconfig_igb0_ipv6="inet6 2a01:4f8:221:3895::2 prefixlen 64"

ipv6_default_interface="igb0"
ipv6_defaultrouter="fe80::1%igb0"
route_default="default $gateway_ip"
route_gateway="-host $gateway_ip -interface $gateway_if"
static_routes="default gateway"

Verify the final SSH daemon configuration.

# ee /etc/ssh/sshd_config;

Halt the QEMU virtual machine and reboot the rescue system.

Next SSH connection to the IP will offer a new SSH keys and connects to the newly installed FreeBSD.

# uname -a;

FreeBSD akatorea.wilkart.online 12.2-RELEASE FreeBSD 12.2-RELEASE r366954 GENERIC  amd64

OpenBSD at Hetzner on AMD Athlon

2019-06-10T00:00:00+02:00

OpenBSD is one of the most secure operating systems on the market. Impressive consistency and documentation through man-pages makes this OS one of the easiest to maintain too. OpenBSD/amd64 runs on AMD’s Athlon-64 family of processors in 64-bit mode. It also runs on processors made by other manufacturers which have cloned the AMD64 extensions.

Thankfully to Hetzner’s idea to reuse hardware of terminated products it is possible to find an economic yet powerful system.

Inspired by The Tor BSD Diversity Project I run a Tor relay on AMD Athlon 64 6000+ X2 processor.

The ordered server is delivered in rescue system. Connecting over SSH with tunneling of VNC port makes the whole installation easy.

# ssh root@85.10.201.218 -L 6900:localhost:5900;

Rescue System up since 2019-05-18 12:10 +02:00

Hardware data:

   CPU1: AMD Athlon(tm) 64 X2 Dual Core Processor 6000+ (Cores 2)
   Memory:  7729 MB
   Disk /dev/sda: 750 GB doesn't contain a valid partition table
   Disk /dev/sdb: 750 GB doesn't contain a valid partition table
   Total capacity 1397 GiB with 2 Disks

Network data:
   eth0  LINK: yes
         MAC:  00:24:21:2c:62:0d
         IP:   85.10.201.218
         IPv6: 2a01:4f8:a0:5163::2/64
         RealTek RTL-8169 Gigabit Ethernet driver

Note down the DNS resolvers, the default gateway, IP and IPv6 addresses, and ethernet driver.

# cat /etc/resolv.conf;
# ip route show;
# ifconfig eth0;
# lspci | grep Ethernet;

Install QEMU. It is a generic and open source machine emulator and virtualizer.

# apt-get install qemu;

Download OpenBSD ISO image to install a new system from.

# wget https://ftp.eu.openbsd.org/pub/OpenBSD/6.5/amd64/install65.iso;

Boot dual proccessor virtual machine with 2GB of memory and first disk attached to it. The ISO image is mounted as a CD-ROM and there is a VNC enabled.

# qemu-system-x86_64 -smp cpus=2 -m 2048 -hda /dev/sda -net nic -boot d -vnc localhost:0 -cdrom /root/install65.iso;

Connect the VNC client to localhost:6900 and continue installation normally. Refer to the official INSTALLATION NOTES for OpenBSD/amd64.

The OpenBSD installer will configure virtual network device what needs to be copied to the Realtek later.

# cp hostname.em0 hostname.re0;

Check default gateway and hostname.

# cat /etc/mygate;
# cat /etc/myname;

Verify the final SSH daemon configuration.

# vi /etc/ssh/sshd_config;

Halt the QEMU virtual machine and reboot the rescue system.

Next SSH connection to the IP will offer a new SSH keys and connects to the newly installed OpenBSD.

# uname -a;

OpenBSD artoria.wilkart.online 6.5 GENERIC.MP#3 amd64

Tor 0.3.4.8 for OpenBSD 6.3

2018-10-10T00:00:00+02:00

Tor is free software and an open network that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security.

Package includes Tor 0.3.4.8 built for OpenBSD 6.3 for the following platforms - amd64. Fully tested on Incloudibly and Exoscale.

Retrieve signify key the packages are signed off.

# ftp -MVo /etc/signify/wilkart-pkg.pub https://openbsd.wilkart.online/wilkart-pkg.pub;

Install the package for your platform (amd64).

# pkg_add https://openbsd.wilkart.online/6.3/$(uname -m)/tor-0.3.4.8.tgz;

Startup Tor daemon.

# rcctl start tor;

Consult /etc/tor/torrc with the Tor manual and ‘man tor’.

Build Tor on FreeBSD powerpc

2018-01-05T00:00:00+01:00

The ports tree of FreeBSD 11 has the Tor 0.3.1.9 marked broken as “BROKEN_powerpc64= does not build: error: Need a uint128_t implementation!” The port can be successfuly built using GNU Compiler Collection 5.

Install GCC5 on your FreeBSD.

# pkg install gcc5;

Add the following settings to the /etc/make.conf to be applied to every build where “make” is used.

.if !empty(.CURDIR:M/usr/ports/*) && exists(/usr/local/bin/gcc5)
CC=gcc5
CXX=g++5
CPP=cpp5
.endif

Comment out the “BROKEN_powerpc64=” line in the /usr/ports/security/tor/Makefile.

#BROKEN_powerpc64= does not build: error: Need a uint128_t implementation!

Make and install the Tor port.

# cd /usr/ports/security/tor;
# make install clean;

Building should begin with no errors and in very first lines you should notice the following.

checking for gcc... gcc5

Verify if desired version has be installed.

# pkg info | grep ^tor-;
tor-0.3.1.9_1                  Anonymizing overlay network for TCP

Startup the Tor daemon.

# service tor start;

Read and understand the Tor manual before enabling the service.

Tor 0.3.1.9 for OpenBSD 6.1

2017-12-21T00:00:00+01:00

Package includes Tor 0.3.1.9 built for OpenBSD 6.1 for the following platforms - amd64. Fully tested on Vultr.

Retrieve signify key the packages are signed off.

# ftp -MVo /etc/signify/wilkart-pkg.pub https://openbsd.wilkart.online/wilkart-pkg.pub;

Install the package for your platform (amd64).

# pkg_add https://openbsd.wilkart.online/6.1/$(uname -m)/tor-0.3.1.9.tgz;

Startup Tor daemon.

# rcctl start tor;

Consult /etc/tor/torrc with the Tor manual and ‘man tor’.

Monit 5.24 for OpenBSD 6.1

2017-09-29T00:00:00+02:00

Monit is a free open source utility for managing and monitoring processes, programs, files, directories and filesystems on a UNIX system. Monit conducts automatic maintenance and repair and can execute meaningful causal actions in error situations.

Package includes Monit 5.24 built for OpenBSD 6.1 for following platforms - amd64. Fully tested on Incloudibly.

Retrieve signify key the packages are signed off.

# ftp -MVo /etc/signify/wilkart-pkg.pub https://openbsd.wilkart.online/wilkart-pkg.pub;

Install the package for your platform (amd64).

# pkg_add https://openbsd.wilkart.online/6.1/$(uname -m)/monit-5.24.0.tgz;

Startup monit daemon with example configuration.

# cp /usr/local/share/examples/monit/monitrc /etc/;
# rcctl start monit;
# monit status;
# rcctl enable monit;

Consult /etc/monitrc with the Monit documentation.

Tor 0.3.0.10 for OpenBSD 6.1

2017-08-04T00:00:00+02:00

Package includes Tor 0.3.0.10 built for OpenBSD 6.1 for the following platforms - amd64, sparc64 and macppc. Fully tested on CloudSigma.

Retrieve signify key the packages are signed off.

# ftp -MVo /etc/signify/wilkart-pkg.pub https://openbsd.wilkart.online/wilkart-pkg.pub;

Install the package for your platform (amd64, sparc64, macppc).

# pkg_add https://openbsd.wilkart.online/6.1/$(uname -m)/tor-0.3.0.10.tgz;

Startup Tor daemon.

# rcctl start tor;

Consult /etc/tor/torrc with the Tor manual and ‘man tor’.

Monit 5.23 for OpenBSD 6.1

2017-06-21T00:00:00+02:00

Package includes Monit 5.23 built for OpenBSD 6.1 for the following platforms - amd64, sparc64 and macppc. Fully tested on CloudSigma.

Retrieve signify key the packages are signed off.

# ftp -MVo /etc/signify/wilkart-pkg.pub https://openbsd.wilkart.online/wilkart-pkg.pub;

Install the package for your platform (amd64, sparc64, macppc).

# pkg_add https://openbsd.wilkart.online/6.1/$(uname -m)/monit-5.23.0.tgz;

Startup monit daemon with example configuration.

# cp /usr/local/share/examples/monit/monitrc /etc/;
# rcctl start monit;
# monit status;
# rcctl enable monit;

Consult /etc/monitrc with the Monit documentation.

Monit 5.20 for OpenBSD 6.0

2017-01-12T00:00:00+01:00

Package includes Monit 5.20 built for OpenBSD 6.0 amd64. Fully tested on CloudSigma.

SHA256 (monit-5.20.0.tgz) = c6ThE2FM/71LbCtJZCN9/zEW281tNrIoyUPTMT2eDp0=

# pkg_add https://openbsd.wilkart.online/6.0/amd64/monit-5.20.0.tgz;
# cp /usr/local/share/examples/monit/monitrc /etc/;
# rcctl start monit;
# monit status;
# rcctl enable monit;

Installed daemon runs with default configuration. Check Monit documentation.

Why I run Tor relays?

2016-08-14T00:00:00+02:00

The Tor network is a group of volunteer-operated servers that allows people to improve their privacy and security in the Internet. Ongoing trends in law, policy, and technology threaten anonymity as never before.

The only concern I have is the crime commited through the Tor network. But at the same time there is a corruption in governments and authorities. I fear corruption, hypocrisy and censorship more than the crime in the Tor network.

I trust in education and technology much more than control and censorship.

And the following resources convinced me too:
Why we need Tor
Peace, Prosperity and the Case for the Open Internet
Cryptopolitik and the Darknet
Jacques Fresco - Corruption
ProtonMail against Internet Censorship
Marta Peirano at TEDxMadrid
Dark web doesn’t exist. And folks use network for privacy, not crime
Roger Dingledine at DEF CON 25
Technical and Legal Overview of the Tor Anonymity Network
Dubioza Kolektiv - Whistleblower

Install Monit 5.13 on SmartOS

2015-05-14T00:00:00+02:00

Released version 5.13 (05/May/2015) with features described in changelog.

Building from source on SmartOS operating system.

# cd /tmp;
# wget https://mmonit.com/monit/dist/monit-5.13.tar.gz;
# tar -xzvf monit-5.13.tar.gz;
# cd monit-5.13;
# ./configure --with-ssl-incl-dir=/opt/local/include \ 
 --with-ssl-lib-dir=/opt/local/lib --prefix=/opt/monit-5.13;

Building will finish with following information.

Architecture: SOLARIS SSL include directory: /opt/local/include SSL library directory: /opt/local/lib Compiler flags: -Wno-address -Wno-pointer-sign -g -O2
-Wall -Wunused -Wno-unused-label -funsigned-char -D_GNU_SOURCE
-std=c99 -D _REENTRANT -D_POSIX_PTHREAD_SEMANTICS -D__EXTENSIONS__
-m64 -mtune=opteron -I/opt/local/include Linker flags: -lpam -lpthread -lresolv -lnsl -lsocket
-lkstat -L/opt/local/lib -lssl -lcrypto pid file location: /var/run Install directory: /opt/monit-5.13

Installation and running.

# cd /tmp/monit-5.13;
# make;
# make install;
# /opt/monit-5.13/bin/monit -h;

Read the Monit documentation to configure your monitoring.

Install Monit 5.8 on SmartOS

2014-05-11T00:00:00+02:00

Released version 5.8 (27/Mar/2014) with features described in changelog.

Building from source on SmartOS operating system.

# cd /tmp;
# wget http://mmonit.com/monit/dist/monit-5.8.tar.gz;
# tar -xzvf monit-5.8.tar.gz;
# cd monit-5.8;
# ./configure --with-ssl-incl-dir=/opt/local/include \ 
 --with-ssl-lib-dir=/opt/local/lib --prefix=/opt/monit-5.8;

Building will finish with following information.

Monit Build Information:

           Architecture: SOLARIS
  SSL include directory: /opt/local/include
  SSL library directory: /opt/local/lib
         Compiler flags: -Wno-address -Wno-pointer-sign -g -O2 -Wall \ 
                         -Wunused -Wno-unused-label -funsigned-char \ 
                         -D_GNU_SOURCE -std=c99 -D _REENTRANT \
                         -D_POSIX_PTHREAD_SEMANTICS -D__EXTENSIONS__ \
                         -m64 -mtune=opteron -I/opt/local/include \
           Linker flags: -lpam -lpthread -lresolv -lnsl -lsocket \
                         -lkstat -L/opt/local/lib -lssl -lcrypto
      pid file location: /var/run
      Install directory: /opt/monit-5.8

Installation and running.

# cd /tmp/monit-5.8;
# make;
# make install;
# /opt/monit-5.8/bin/monit -h;

Read the Monit documentation to configure your monitoring.

Pronunciation Poem

2013-08-23T00:00:00+02:00

I take it you already know
Of though and bough and cough and dough?
Others may stumble, but not you
On hiccough, thorough, slough, and through.
Well don't! And now you wish, perhaps,
To learn of less familiar traps.
Beware of heard, a dreadful word
That looks like beard but sound like bird.
And dead: it's said like bed, not bead,
For goodness sake don't call it deed!
Watch out for meat and great and threat
(They rhyme with suite and straight and debt).
A moth is not a moth as in mother
Nor both as in bother, nor broth as in brother,
And here is not a match for there,
Nor dear and fear, for bear and pear.
And then there's dose and rose and lose --
Just look them up -- and goose and choose
And cork and work and card and ward
And font and front and word and sword
And do and go, then thwart and cart,
Come, come! I've hardly made a start.
A dreadful Language? Why man alive!
I learned to talk it when I was five.
And yet to write it, the more I tried,
I hadn't learned it at fifty-five.

From Tumblr to Jekyll

2013-08-03T00:00:00+02:00

Jekyll - a simple, blog aware, static site generator.
Tom Preston-Werner

Goodbye Tumblr and Welcome Jekyll!