Abandoned projects
obsolete, unfinished
- CheckMK
- Introduction
- Installation
- Securing the webinterface
- checkmk Agent installation on linux
- Agent installation on TrueNAS
- SNMP Configuration for mikrotik routers
- Integration of Proxmox VE
- Monitoring of docker services
- Description of the machine
- Backup to USB Drive
- Registration
- PWM Password Management
- LDAP Account Manager
- Introduction
- Installation on Turnkey Debian
- Installation on Ubuntu Server 22.04
- Configuration of the LDAP Account Manager
- Bacula
- NEVIS
CheckMK
Monitoring Software
Introduction
Checkmk is a comprehensive solution for monitoring of applications, servers, and networks. This vast set of features was designed in collaboration with our customers over many years. Checkmk is easy to learn and use, but powerful enough for the most complex IT environments.
Checkmk is available in four editions:
- an open source edition (Checkmk Raw Edition)
- a commercial enterprise-grade edition (Checkmk Enterprise Edition)
- a commercial edition with advanced cloud monitoring features (Checkmk Cloud Edition)
- an edition for managed services providers (Checkmk Managed Services Edition)
These Checkmk Editions are available for a range of platforms, in particular for various versions of Debian, Ubuntu, SLES and Red Hat, and also as a Docker Image. In addition, physical appliances of various sizes as well as a virtual appliance are offered to simplify the administration of the underlying operating system through a graphical user interface and to enable high-availability solutions.
The agents used by Checkmk to collect data are available for 11 platforms, including Windows.
This manual describes the installation on portainer.
Features
- Monitoring
- Highly automated
- Massively scalable
- Extensible
checkmk provides integrations for important products, such as:
- Proxmox
- Linux
- Apache
- MikroTik
- Dell
- Qnap
- docker
Requirements
- Ubuntu Server 22.04 LTS
- Apache
- ssh
History
I installed the "free" enterprise edition; however, after 30 days it is not so free after all. The number of hosts is limited to 25. After I enabled another feature, it counted PVE subsystems as hosts and the host count was suddenly 59. The whole suite stopped working. Therefore it is necessary to install it again. This time I will use the raw edition on portainer.
Installation
Installation on Linux
Download
You can download the current version here:
After selecting the desired version, the page generates a command. Copy the command and execute it in a Linux terminal. It looks like this:
wget https://download.checkmk.com/checkmk/2.2.0p20/check-mk-raw-2.2.0p20_0.bookworm_amd64.deb
Installation
Copy the command from the web page and execute it in a Linux terminal:
sudo apt install ./check-mk-raw-2.2.0p17_0.bookworm_amd64.deb
Create a checkmk monitoring site
sudo omd create monitoring
The output will look like this:
Output
Adding /opt/omd/sites/monitoring/tmp to /etc/fstab.
Creating temporary filesystem /omd/sites/monitoring/tmp...OK
Restarting Apache...OK
Created new site monitoring with version 2.2.0p17.cre.
The site can be started with omd start monitoring.
The default web UI is available at http://your_server/monitoring/
The admin user for the web applications is cmkadmin with password: generated-password
(It can be changed with 'htpasswd -m ~/etc/htpasswd cmkadmin' as site user.)
Please do a su - monitoring for administration of this site.
Grab the password and change it.
omd start monitoring
Installation on Portainer
I grabbed a nice docker compose file, created a new stack and copied in the contents of the docker compose file.
version: '3.1'
services:
  controll:
    image: checkmk/check-mk-raw:2.0.0-latest
    tmpfs:
      - /opt/omd/sites/cmk/tmp:uid=1000,gid=1000
    ulimits:
      nofile: 1024
    container_name: checkmk
    restart: always
    volumes:
      - '/etc/localtime:/etc/localtime:ro'
      - './odm-sites:/omd/sites'
    ports:
      - '8095:5000'
      - '6557:6557'
The initial password can be seen in the container log (Quick actions), and it can be changed on the container console (Quick actions):
htpasswd /opt/omd/sites/cmk/etc/htpasswd cmkadmin
You can login here:
http://portainer.simmy.ch:8095
Securing the webinterface
So far I couldn't get this working.
Useful link
Docs: Securing the Webinterface
Activating the Apache modules
a2enmod ssl
systemctl restart apache2
Locate the certificate file:
find /etc/apache2/ -type f -exec grep -Hn '^\s*SSLCertificate.*File' {} \;
/etc/apache2/sites-enabled/000-default
RewriteEngine On
# Never forward request for .well-known (important when using Let's Encrypt)
RewriteCond %{REQUEST_URI} !^/.well-known
# Next 2 lines: Force redirection if incoming request is not on 443
RewriteCond %{SERVER_PORT} !^443$
RewriteRule (.*) https://%{HTTP_HOST}$1 [L]
# This section passes the system Apaches connection mode to the
# instance Apache. Make sure mod_headers is enabled, otherwise it
# will be ignored and "Analyze configuration" will issue "WARN".
<IfModule headers_module>
RequestHeader set X-Forwarded-Proto expr=%{REQUEST_SCHEME}
RequestHeader set X-Forwarded-SSL expr=%{HTTPS}
</IfModule>
checkmk Agent installation on linux
Download the Agent
Setup --> Agents --> "Windows, Linux, Solaris, AIX" --> Related --> "Linux, Solaris, AIX" --> right click on the file --> Copy link address
Install the Agent
For Debian based systems
wget http://syslog.simmy.ch/monitoring2/check_mk/agents/check-mk-agent_2.2.0p17-1_all.deb
apt install ./check-mk-agent_2.2.0p17-1_all.deb
if ufw is active, then you have to enable the service port:
ufw allow 6556
For Red Hat/Fedora based systems
wget http://syslog.simmy.ch/monitoring2/check_mk/agents/check-mk-agent-2.2.0p17-1.noarch.rpm
sudo yum install -y -q check-mk-agent-2.2.0p17-1.noarch.rpm
Open the firewall for checkmk-agent on port 6556
For Univention based systems
Installation guide: checkmk 2.0 check_mk_agent on UCS 5.0
Register agent to the monitoring server
cmk-agent-ctl register --hostname $(hostname -f) --server syslog.simmy.ch --site monitoring2 --user cmkadmin
Useful commands
ss -tulpn | grep 6556
echo | nc <localhost> 6556
cmk-agent-ctl status
Agent installation on TrueNAS
Download the Agent
Setup --> Agents --> "Windows, Linux, Solaris, AIX" --> Related --> "Linux, Solaris, AIX" --> right click on .deb file --> Copy link address
Then you will have the address of the .deb file, which can be downloaded with wget:
wget http://syslog.simmy.ch/monitoring2/check_mk/agents/check-mk-agent_2.2.0p17-1_all.deb
Install the Agent
For some reason the apt program is not executable. So the first step is to make this file executable:
chmod +x /usr/bin/apt
apt install ./check-mk-agent_2.2.0p17-1_all.deb
if ufw is active, then you have to enable the service port:
ufw allow 6556
Register agent to the monitoring server
cmk-agent-ctl register --hostname $HOSTNAME.simmy.ch --server syslog.simmy.ch --site monitoring2 --user cmkadmin
Useful commands
ss -tulpn | grep 6556
echo | nc <localhost> 6556
cmk-agent-ctl status
SNMP Configuration for mikrotik routers
Configuration on mikrotik
IP --> SNMP --> Communities
Create community simmy with high encryption
Enable and select the trap community
Configuration on checkmk
I created a folder for all mikrotik devices.
Use the same community and passwords as above!
For the network scan I limited the IP-Range to the range where all mikrotik devices have their IP address.
On most of the devices I disabled the "Filesystem system disk" check, since it would always trigger an alarm with the MikroTik defaults.
Integration of Proxmox VE
Configuration on Proxmox VE
Create a group named read_only.
Create a user named checkmk_user and add it to the group read_only.
Add a group Permission:
Install the Linux client.
Configuration on checkmk
Setup --> Hosts --> find and select properties of host
Setup --> Agents --> VM, Cloud, Container --> Proxmox VE --> Add rule
Useful links
https://docs.checkmk.com/latest/en/
Monitoring of docker services
Configuration
A very good description can be found here:
Install the agent
You will need the mk_docker.py agent plug-in, which you can find here: Setup > Agents > Other operating systems > Plugins
wget http://syslog.simmy.ch/monitoring2/check_mk/agents/plugins/mk_docker.py
Install the plug-in into the agent's plug-in folder (usually /usr/lib/check_mk_agent/plugins):
install -m 0755 mk_docker.py /usr/lib/check_mk_agent/plugins
Create the config file
Create the configuration file /etc/check_mk/docker.cfg on the Docker host. A template with detailed explanations can be found in the Checkmk directory ~/share/check_mk/agents/cfg_examples/docker.cfg.
# Copyright (C) 2019 tribe29 GmbH - License: GNU General Public License v2
# This file is part of Checkmk (https://checkmk.com). It is subject to the terms and
# conditions defined in the file COPYING, which is part of this source code package.
# This is an example configuration file for the plugin
#
# mk_docker.py
#
# It is designed to give you an impression of available
# options. The specific choice in this file is a valid setup,
# but probably not suitable for your use case.
# If you intend to run the plugin with the default options,
# you do not need any configuration file at all.
# You must specify one section of the name DOCKER (additional sections are ignored).
[DOCKER]
# SELECTION OF AGENT SECTIONS (SERVICES) TO CREATE
# If some of the sections take too long to run, and you don't need them, you
# can disable them by specifying a comma separated list (Default: empty string
# - run all sections). To disable the sections <<<docker_node_disk_usage>>>
# and <<<docker_node_images>>>, for example, provide:
skip_sections: docker_node_disk_usage,docker_node_images
# You may skip any of the following sections:
# * docker_node_disk_usage: get df like info of disk usage (may take long)
# * docker_node_images: get detailed information on all images and containers
# (for HW/SW inventory)
# * docker_node_network: get network information
# The following sections send piggyback information to monitored containers:
# * docker_container_node_name: display nodes name on container
# * docker_container_status: container status/health according to docker health API
# * docker_container_labels: containers labels
# * docker_container_network: containers network configuration
# * docker_container_agent: retrieve information by running the
# check_mk_agent inside the container
# If no agent was installed on the container:
# * docker_container_mem: container memory stats
# * docker_container_cpu: container cpu utilization
# * docker_container_diskstat: container disk stats
# CONTAINER ID
# You can choose what to use as the container identifier. This will
# affect the name used for the piggyback host corresponding to the
# container, as well as items for services created on the node for each
# container.
# By default, the identifier is assumed to be the first 12 characters
# of the container UUID. You can choose to use the full ID or the containers
# name instead. Allowed values are "short" (the default), "long" and "name".
container_id: name
# BASE URL
# By default we are trying to connect to the docker API engine
# via the unix socket:
base_url: unix://var/run/docker.sock
Settings in the GUI
In addition I created a folder with the name docker-services:
I had to add hosts with the names of the docker containers.
That's all.
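The reason the container names have to exist as hosts is visible in the agent output itself: mk_docker.py wraps the per-container sections in piggyback markers naming the target host. The following parser is an added example (not Checkmk's or the plugin's code) that splits the plain-text agent output into normal sections and piggyback blocks; the SAMPLE output is constructed, and the container name "nextcloud" is an assumption.

```python
"""Split Checkmk agent output into sections and piggyback blocks.

Added example, not Checkmk's own code. It parses the plain-text format the
agent returns on port 6556 (`echo | nc localhost 6556`): sections start with
<<<name>>> (optionally <<<name:sep(N)>>>), and plugins such as mk_docker.py
wrap data destined for another host in <<<<hostname>>>> ... <<<<>>>>. Each
such hostname must exist as a host in Checkmk, otherwise the piggybacked data
is never assigned to anything. The SAMPLE output is constructed.
"""
import re

SECTION_RE = re.compile(r"^<<<([^<>:]+)(?::(.*))?>>>$")     # <<<name>>> or <<<name:sep(58)>>>
PIGGYBACK_RE = re.compile(r"^<<<<([^<>]*)>>>>$")            # <<<<hostname>>>> opens, <<<<>>>> closes

# Constructed sample in the agent's format (not real agent output);
# "nextcloud" is an assumed container name, "checkmk" is the one from the compose file.
SAMPLE = """<<<check_mk>>>
Version: 2.2.0p17
AgentOS: linux
<<<uptime>>>
12345.67 98765.43
<<<docker_node_images:sep(0)>>>
@docker_version_info {"PluginVersion": "0.1", "ApiVersion": "1.43"}
<<<<nextcloud>>>>
<<<docker_container_node_name:sep(0)>>>
syslog.simmy.ch
<<<docker_container_status:sep(0)>>>
{"Status": "running", "Running": true}
<<<<>>>>
<<<<checkmk>>>>
<<<docker_container_node_name:sep(0)>>>
syslog.simmy.ch
<<<<>>>>
<<<local:sep(0)>>>
0 "Backup job" - last run ok
"""

def _separator(options):
    """sep(N) in the header selects column separator chr(N); None means whitespace."""
    match = re.search(r"sep\((\d+)\)", options or "")
    return chr(int(match.group(1))) if match else None

def parse_agent_output(text):
    """Return {target_host: {section_name: [columns, ...]}}.

    The key None holds the agent host's own sections; every other key is a
    piggyback target named in a <<<<hostname>>>> block."""
    result = {None: {}}
    host, section, sep = None, None, None
    for line in text.splitlines():
        pb = PIGGYBACK_RE.match(line)
        if pb:
            host = pb.group(1) or None          # empty name == back to the agent host
            result.setdefault(host, {})
            section = None                      # a piggyback block starts with no section
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section, sep = sec.group(1), _separator(sec.group(2))
            result[host].setdefault(section, [])
            continue
        if section is None or not line.strip():
            continue                            # data outside any section is ignored
        result[host][section].append(line.split(sep) if sep else line.split())
    return result

def piggyback_hosts(parsed):
    """Hosts that must be created in Checkmk so their piggyback data is used."""
    return sorted(h for h in parsed if h is not None)

if __name__ == "__main__":
    parsed = parse_agent_output(SAMPLE)
    print("agent sections:", list(parsed[None]))
    print("piggyback hosts to create:", piggyback_hosts(parsed))
```

With container_id set to name, as in the configuration above, the piggyback host names are exactly the container names, which is why hosts with those names had to be added in the GUI.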
Description of the machine
Hardware
OS
MX Linux 23.2 Libretto fluxbox based on Debian Linux 12 bookworm
Configuration
Installation
Straight forward using these settings:
- Keyboard German
- encrypted disk with password
- filesystem btrfs
- disk with swap partition
Added Software
- VNC Server
The Desktop can be remotely controlled by either VNC or IPMI (HTML5, MegaRAC)
Install VNC on Manjaro
Installation of VNC Server on MX Linux - SSH server
- Bitwarden
- conky (not really necessary)
Tweaks
join the sync queue of Firefox for the favorites
misc
default file manager Thunar
Add pci=noaer to the default Kernel parameter in the grub configuration
USB Drive mounting
This is not final yet. When one of those drives is not available, the system hangs at startup.
I created two mount points:
- /mnt/lacie
- /mnt/armorlock
https://linuxconfig.org/automatically-mount-usb-external-drive-with-autofs
I added these two lines to /etc/fstab:
UUID=A9B7-5D47 /mnt/armorlock exfat auto,nofail,rw,relatime,fmask=0022,dmask=0022,iocharset=utf8,errors=remount-ro 0 0
UUID=FFDF-F997 /mnt/lacie exfat auto,nofail,rw,relatime,fmask=0022,dmask=0022,iocharset=utf8,errors=remount-ro 0 0
Then I executed these commands:
systemctl daemon-reload
mount -a
Description of networking
This machine uses altogether 4 network interfaces:
Backup to USB Drive
Introduction
For some applications it might be necessary to use an external drive without adding it to a ZPool, e.g. if you want to copy from or to an external device. TrueNAS did not play well with this USB backup solution. So finally I set up another machine with a Linux client OS (MX Linux) to get the job done.
Setup / mounting
TrueNAS will not mount a drive automatically when it is plugged into a USB port. This has to be done manually. In this example I will use an external drive from LaCie.
- Plug in the drive to any USB Port
- Figure out the name of the device. It can be seen in Storage --> Disks. It is usually the drive without a pool.
- Enter
lsblk -p | grep "disk\|part"
It will show the exact name of the partition you want to mount. In this case it is sdd2.
- Enter
blkid /dev/sdd2
It will show you the UUID of the partition you want to mount:
root@nas04[/home/admin]# blkid /dev/sdd2
/dev/sdd2: LABEL_FATBOOT="EFI" LABEL="EFI" UUID="B7D1-A689" BLOCK_SIZE="512" TYPE="vfat" PARTUUID="5545caa6-b0c3-4558-b222-aac5fb9c0026"
- Create a mountpoint
mkdir /mnt/LaCie
- add to fstab
UUID=B7D1-A689 /mnt/LaCie vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro 0 0
- Mount the device
mount -a
Explanation
It seems awkward to need so many steps to mount a USB device. However, TrueNAS does not auto-mount, so a permanent mount must be added manually to fstab. Furthermore, TrueNAS seems to change the name of the partition frequently, so the UUID of the partition has to be used.
Create an rsync job
Create the file /root/rsync_exclude.txt with this content:
ix-applications
replika
.~tmp~
*/._*
*/.DocumentRevisions-V100/
*/.DS_Store
*/.fseventsd/
*/.Spotlight-V100/
*/.TemporaryItems/
*/.Trashes/
.@*
.*
@Recycle
*.@__thumb
sync.ffs_lock
None of these files/directories will be copied to the target drive. These items are created by macOS and will automatically be re-created when the objects in the backup are used by macOS.
The command for the rsync job looks like this:
rsync -av --delete --log-file="/var/log/rsyncd.LaCie.log" --no-perms --no-owner --no-group --exclude-from "/root/rsync_exclude.txt" /mnt/N4pool/ /mnt/LaCie/backup
If you want to run it over the network:
create a passwordless ssh connection
Enable ssh login with a public key
rsync -av --delete --log-file="/var/log/rsyncd.LaCie.log" --no-perms --no-owner --no-group --exclude-from "/root/rsync_exclude.txt" rsync@nas04.simmy.ch:/mnt/N4pool/ /mnt/lacie/backup
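Before trusting a backup it is worth checking what the exclude list actually drops. The following emulation of rsync's exclude matching is an added example (not part of the page or of rsync) applied to the rsync_exclude.txt above; the sample paths are constructed. It shows in particular that the bare `.*` pattern matches a dot-directory at any depth, so a directory such as `.ssh` and everything under it never reaches the backup.

```python
"""Emulate rsync's --exclude-from matching to audit what a backup will skip.

Added example, not part of the page or of rsync. It implements the rule
semantics used by the page's /root/rsync_exclude.txt: a pattern without a
slash matches the basename at any depth, a pattern with a slash matches the
tail of the path, a leading '/' anchors it to the transfer root, a trailing
'/' restricts it to directories, and '*' never crosses a '/'. Once a
directory matches, everything below it is skipped too. Sample paths are
constructed.
"""
import re

# The page's exclude list, verbatim.
EXCLUDES = """
ix-applications
replika
.~tmp~
*/._*
*/.DocumentRevisions-V100/
*/.DS_Store
*/.fseventsd/
*/.Spotlight-V100/
*/.TemporaryItems/
*/.Trashes/
.@*
.*
@Recycle
*.@__thumb
sync.ffs_lock
""".split()

def _glob_to_regex(pattern):
    """'**' matches anything, '*' and '?' stop at '/', everything else is literal."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        else:
            out += {"*": "[^/]*", "?": "[^/]"}.get(pattern[i], re.escape(pattern[i]))
            i += 1
    return out

def _compile(pattern):
    """Return (regex, dirs_only) for one exclude rule."""
    dirs_only = pattern.endswith("/")
    body = pattern.rstrip("/")
    anchored = body.startswith("/")
    body = _glob_to_regex(body.lstrip("/"))
    # Anchored: the whole path from the transfer root. Otherwise the pattern
    # must match a path tail starting at a component boundary; for slash-less
    # patterns that is the same as matching the basename at any depth.
    regex = "^" + body + "$" if anchored else "(?:^|/)" + body + "$"
    return re.compile(regex), dirs_only

def excluded_by(path, patterns=EXCLUDES):
    """Return the first pattern that excludes `path`, or None if it is copied.

    `path` is relative to the rsync source; a trailing '/' marks a directory.
    Every ancestor is checked as a directory because rsync does not descend
    into an excluded directory."""
    rules = [(p,) + _compile(p) for p in patterns]
    is_dir = path.endswith("/")
    parts = path.strip("/").split("/")
    for depth in range(1, len(parts) + 1):
        candidate = "/".join(parts[:depth])
        candidate_is_dir = depth < len(parts) or is_dir
        for pattern, regex, dirs_only in rules:
            if dirs_only and not candidate_is_dir:
                continue
            if regex.search(candidate):
                return pattern
    return None

def audit(paths, patterns=EXCLUDES):
    """Map each path to the pattern that drops it (None = backed up)."""
    return {p: excluded_by(p, patterns) for p in paths}

if __name__ == "__main__":
    sample = ["Photos/IMG_0001.jpg", "Photos/._IMG_0001.jpg", "Photos/.DS_Store",
              "home/alice/.ssh/id_ed25519", "ix-applications/releases/app/values.yaml"]
    for path, rule in audit(sample).items():
        print(f"{path:45} -> {'kept' if rule is None else 'excluded by ' + rule}")
```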
Add to cron
sudo crontab -e
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').
#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information see the manual pages of crontab(5) and cron(8)
#
# m h dom mon dow command
0 1 * * * /root/nas04_backup.sh
0 3 * * * /root/hcloud_backup.sh
0 1 * * * /root/dyndns.sh
0 4 * * * /root/hcloud2_backup.sh
Job descriptions
Currently there are four jobs executed:
Job | Description
nas04_backup.sh | Backup of all data, unencrypted, from nas04 to the external USB drive
hcloud_backup.sh | Old unencrypted backup of hCloud
hcloud2_backup.sh | Backup from hCloud on nas02 to the encrypted external USB drive
dyndns.sh | Update for the hosting.de DynDNS service
hcloud2_backup.sh
The data is located on nas02.simmy.ch in an encrypted dataset. rsyncd is installed and configured on nas02.simmy.ch. This docker container is not listening on port 22, but on port 30026. Therefore it was necessary to modify the rsync job:
rsync -av --delete --log-file="/var/log/rsyncd.armorlock2.log" --no-perms --no-owner --no-group --exclude-from "/root/rsync_exclude.txt" rsync://nas02.simmy.ch:30026/hcloud_simmy /mnt/armorlock/backup/hcloud2
Useful links
Manually mount a USB drive in the Linux terminal
How To Use Rsync to Sync Local and Remote Directories
How to use UUID to mount a volume
Registration
Step-by-step
The registration for new users can be found here:
This is also the address of the self-service portal for resetting your password, should you have forgotten it.
If you want to register, click the menu entry on the right: "Registrierung eines neuen Benutzers" (registration of a new user).
This is what the next page should look like:
This is what the next form looks like:
You will then receive an e-mail with a link and a code. Clicking the link brings up the following form after a short while:
Redirect error
There can, however, be problems with browsers or e-mail programs. In that case you can simply select and copy the code from the e-mail. The verification form can be reopened with
https://portal.simmy.org/pwm/public/newuser
Then paste the code into the field. Sometimes it is enough to click into the browser's address bar and press Enter.
PWM Password Management
Introduction
PWM is an open source password self-service application for LDAP directories
It includes:
- LDAP Directory Support
- Change Password module for Self-Service
- Account Activation / First time password assignment
- Password reset
- User registration
Multiple Deployment Options
- Java WAR file (bring your own application server, tested with Apache Tomcat)
- Java single JAR file (bring your own Java VM)
- Docker container
Multiple SSO options
- Basic Authentication
- HTTP header username injection
- Central Authentication Service (CAS)
- OAuth client
REST Server APIs for most functionality
- Password set
- Forgotten password
- Password policy reading
- User attribute updates
- Password policy verification
Installation / Architecture
The service is installed on portainer.simmy.ch. It is simply the default installation of the docker container.
Useful links
https://github.com/pwm-project/pwm
https://groups.google.com/g/pwm-general?pli=1
https://www.pwm-project.org/pwm/public/reference/
Installation
Introduction
There are three different ways to install it. I chose the docker deployment.
Requirements
- Debian Linux Server
- pre-installed docker
Installation
The PWM docker image includes Java and Tomcat. It listens using https on port 8443, and has a volume exposed as /config. You will need to map the /config volume to some type of persistent docker volume for PWM to retain configuration.
Download the newest version
Goto https://github.com/pwm-project/pwm/releases
find and download the most recent .tar file. In my case it was pwm-docker-image-2.0.6.tar.
Load the docker image
Load your docker image with image name of default pwm/pwm-webapp:
docker load --input=pwm-docker-image-v2.0.0.tar
Create file structure
I worked in the root path.
mkdir pwm-config
This subdirectory will become very useful, since it will contain all files for configuration and debugging purposes.
Create docker image
Create docker image named mypwm, map to the server's 8443 port, and set the config volume to use the server's local file system /home/user/pwm-config folder (this will be the PWM application path for the container):
docker create --name mypwm -p '8443:8443' --mount 'type=bind,source=/root/pwm-config,destination=/config' pwm/pwm-webapp
Start the mypwm container:
docker start mypwm
Configuration
Introduction
After the installation it is necessary to configure several parameters and options to ensure the system works properly.
How To change values
The PWM can run in two different modes:
- config read only
- config editable
New registrations only work in read-only mode. If any configuration setting needs to be changed, the PWM config has to be set to editable. To do this, go to the directory /root/pwm-config, edit the file PwmConfiguration.xml and change the following property:
<property key="configIsEditable">false</property>
Fortunately this is the first property of the file.
The key has to be changed from false to true. Save the file and exit the editor. Then open the web page https://portal.simmy.org and you will find a new menu in the upper right corner that lets you edit any configuration setting. When you have finished editing, save. All changes are written to the file PwmConfiguration.xml. Reopen the file PwmConfiguration.xml and change the property key configIsEditable to true.
In theory all settings can be changed directly in the file PwmConfiguration.xml. The changes are applied immediately to the application. However, this is not recommended.
Password policy
It appears that the solution here (in case anyone else ever runs into this) is to change Settings...Password Settings...Password Policy Source to "Local".
https://groups.google.com/g/pwm-general/c/dQN9irsCZ2w/m/ESp9RLfdCAAJ
Valid E-Mail address
The original settings did not allow to enter E-mails with "_"s. So I had to change the corresponding regex that checks the entered E-Mail address for valid characters. I simply added the "_" to the list of allowed characters.
Regex:^[a-zA-Z0-9 .,'@]*$
Regex:^[a-zA-Z0-9_ .,'@]*$
Bug at user registration
For some reason the token that is sent out by PWM gets changed by some web handlers or by the e-mail software itself. I could at least partially solve it by overriding some defaults directly in the file PwmConfiguration.xml:
<setting key="pwm.appProperty.overrides" modifyTime="2024-02-21T16:26:32Z" syntax="STRING_ARRAY" syntaxVersion="0">
    <label>Settings ^g Application ^g Application ^g App Property Overrides</label>
    <value>security.http.permittedUrlPathCharacters=^[a-zA-Z0-9-_=]*$</value>
</setting>
If there is still an error message, just press enter.
LDAP Account Manager
Introduction
What is the LDAP account manager?
LDAP Account Manager (LAM) is a web frontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. LAM was designed to make LDAP management as easy as possible for the user. It abstracts from the technical details of LDAP and allows persons without technical background to manage LDAP entries. If needed, power users may still directly edit LDAP entries via the integrated LDAP browser.
Features
The most important account types which are supported by LAM are Samba, Unix, Zarafa and PPolicy. The user can define profiles for all account types to set default values. Account information can be exported as PDF files. There is also the possibility to create users via file upload. It also includes the tree view of PhpLDAPadmin to access the raw LDAP attributes. LAM is translated to 16 languages.
Supported account types:
- Unix
- Samba 3,4
- Kolab
- Address book entries
- Asterisk (incl. voicemail and Asterisk extensions)
- Mail routing
- IMAP mailboxes (non-LDAP, via IMAP protocol)
- Hosts
- FreeRadius
- Authorized services
- SSH keys
- File system quota (in LDAP (systemQuotas) and via external script)
- DHCP entries
- NIS netgroups
Installation on Turnkey Debian
Installation
apt -y install ldap-account-manager
The account manager is available on http://lamp.simmy.ch/lam.
Useful links
https://www.unixmen.com/setup-samba-domain-controller-with-openldap-backend-in-ubuntu-13-04/
https://www.ldap-account-manager.org/lamcms/howto
https://computingforgeeks.com/install-and-configure-ldap-account-manager-on-ubuntu/
https://www.ldap-account-manager.org/lamcms/documentation
Installation on Ubuntu Server 22.04
Install Apache Webserver and PHP
apt -y install apache2 php php-cgi libapache2-mod-php php-mbstring php-common php-pear
Then enable php-cgi PHP extension:
a2enconf php*-cgi
systemctl reload apache2
Install LDAP Account Manager
apt -y install ldap-account-manager
The account manager is available on http://lam.simmy.ch/lam.
Useful links
https://www.unixmen.com/setup-samba-domain-controller-with-openldap-backend-in-ubuntu-13-04/
https://www.ldap-account-manager.org/lamcms/howto
https://computingforgeeks.com/install-and-configure-ldap-account-manager-on-ubuntu/
https://www.ldap-account-manager.org/lamcms/documentation
Configuration of the LDAP Account Manager
Change master password
Click on LAM configuration on the upper right corner.
"Edit general settings"
The Master password is "lam".
Scroll down to "Change master password" and enter your desired password two times.
The password will be saved in cleartext in a configuration file of LAM
Add certificates
The communication with the OpenLDAP server over SSL didn't work. So finally I added two certificates: the CA, which I simply uploaded (Choose file --> "Upload"), and the certificate of the domain controller (enter ldaps://openldap.simmy.ch --> "Import from server").
Scroll down and click "Ok". Restart the apache server:
systemctl restart apache2
Create a profile for OpenLDAP
Click on LAM configuration on the upper right corner.
Click on "Edit server profiles".
Click on "Manage server profiles".
Enter these options:
- Profile name --> OpenLDAP
- Profile password --> your password here
- Reenter password --> your password here
- Template --> choose Template "unix" for OpenLDAP
- Add
The password will be saved in cleartext in a configuration file of LAM
Configuration of the profile for OpenLDAP
General settings
Server settings
Server address --> ldap://openldap.simmy.ch:389
Tool settings
Tree suffix: DC=simmy,DC=ch
Security settings
Login method: Fixed list
List of valid users:
cn=admin,dc=simmy,dc=ch
cn=binduser,ou=Users,dc=simmy,dc=ch
cn=Holger Schindler,ou=Users,dc=simmy,dc=ch
Account types
Create the OU groups before doing this:
These two LDAP suffixes have to be set:
- CN=Users,DC=simmy,DC=ch
- OU=Groups,DC=simmy,DC=ch
Modules
Nothing to change here.
Module settings
Nothing to change here.
Final
"Save" and log in to your profile "OpenLDAP". You will have to enter the password of the Administrator.
Useful links
https://www.unixmen.com/setup-samba-domain-controller-with-openldap-backend-in-ubuntu-13-04/
https://www.ldap-account-manager.org/lamcms/howto
https://computingforgeeks.com/install-and-configure-ldap-account-manager-on-ubuntu/
https://www.ldap-account-manager.org/lamcms/documentation
https://www.ldap-account-manager.org/static/doc/manual.pdf
Bacula
Introduction Bacula
Introduction
Bacula is an open-source, enterprise-level computer backup system for heterogeneous networks. It is designed to automate backup tasks that had often required intervention from a systems administrator or computer operator.
Architecture
Components
Bacula Director
Server component. Supervisor.
Bacula Console/Admin
Interface for the Director. There are text versions and GUIs:
- BWeb
- BAT
- bConsole
Bacula Client
File daemon installed on the client.
Bacula Storage
Interface to the storage components. Here a share on the NAS.
Catalog
SQL database.
Bacula Monitor
Monitor program. Works with GTK+ (GNOME, KDE, FreeDesktop.org system tray standard).
Installation server components
Introduction
In general, you should get the binary packages from your download area on www.bacula.org. You can either download what you need or set up a repository pointing to the download area, which allows you to use your installer program such as apt to ensure that all the dependencies are met.
This will install these components:
- Database Server PostgreSQL
- Bacula Director
- Bacula Storage Server
Setup the repository
apt-get install apt-transport-https
wget https://bacula.org/downloads/Bacula-4096-Distribution-Verification-key.asc
apt-key add Bacula-4096-Distribution-Verification-key.asc
Add to your /etc/apt/sources.list file the following entries:
# Bacula
deb https://www.bacula.org/packages/65f518dfc0382/debs/13.0.4 bookworm main
Installation
apt-get update
apt-get install dbconfig-common postgresql
apt-get install bacula-postgresql
I chose the name of the application as the password for the PostgreSQL database. There is a small utility installed with the director: bconsole.
Useful links
Configuration
The configuration files are located in /opt/bacula/etc/.
Evaluation
Despite the fact that the architecture looks very promising, I finally abandoned the project. There are three reasons:
- The client app for Archlinux is broken
- It's difficult to install on Debian
- The interesting parts of the project are taken by a commercial company (https://www.baculasystems.com/company/)
NEVIS
Installation of NEVIS
Introduction
I decided to install NEVIS inside a kubernetes cluster.
Installation in Kubernetes Cluster
Installation of kubernetes
Fedora installation of kubernetes
sudo dnf install kubernetes kubernetes-kubeadm kubernetes-client
sudo systemctl enable kubelet.service
sudo systemctl enable containerd
sudo systemctl start containerd
sudo swapoff -a
sudo dnf install iproute-tc
sudo cat <<EOF | sudo tee /etc/modules-load.d/k8s.conf
overlay
br_netfilter
EOF
sudo modprobe overlay
sudo modprobe br_netfilter
# sysctl params required by setup, params persist across reboots
sudo cat <<EOF | sudo tee /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward = 1
EOF
# setting DNS correctly
sudo mkdir -p /etc/systemd/resolved.conf.d/
sudo cat <<EOF | sudo tee /etc/systemd/resolved.conf.d/stub-listener.conf
[Resolve]
DNSStubListener=no
EOF
sudo sysctl --system
sudo systemctl enable --now kubelet
sudo kubeadm init
# set KUBELET_KUBEADM_ARGS
sudo tee -a /etc/kubernetes/kubelet.conf <<EOF
KUBELET_LOG_LEVEL=5
KUBELET_KUBEADM_ARGS="--v=4 --logtostderr=true"
EOF
Kubelet configuration
Accessing the cluster as normal user
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
# Allow the control plane machine to also run pods for applications. Otherwise more than one machine is needed in the cluster.
kubectl taint nodes --all node-role.kubernetes.io/control-plane-
# Install flannel into the cluster to provide cluster networking. There are many other networking solutions besides flannel. Flannel is straightforward and suitable for this guide.
kubectl apply -f https://github.com/coreos/flannel/raw/master/Documentation/kube-flannel.yml
Useful commands
sudo systemctl restart kubelet
sudo systemctl status kubelet
sudo journalctl -u kubelet
ss -tlnp | grep 6443
kubectl config use-context
kubectl config view
kubectl cluster-info
kubectl get pods --all-namespaces
kubectl get svc -A
kubectl get events --namespace=kube-system
kubectl get nodes -o wide
Additional .conf files:
The kubernetes-kubeadm rpm installs an overriding kubelet unit file at:
/usr/lib/systemd/system/kubelet.service.d/10-kubeadm.conf
We strongly recommend to not modify either file as any changes could be lost during an update.
As documented by the Kubernetes team (https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/kubelet-integration/#the-kubelet-drop-in-file-for-systemd), create the following directory for user managed, system-level systemd kubelet overrides:
$ sudo mkdir -p /etc/systemd/system/kubelet.service.d/
Then create a unit file (.conf extension required) and copy the file to the directory listed above. Settings in this file will override settings from either or both of the default systemd files.
misc
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/
Then you can join any number of worker nodes by running the following on each as root:
kubeadm join 192.168.1.35:6443 --token dapwn1.21bvsun7tw95b6j7 \
--discovery-token-ca-cert-hash sha256:bc878aa0a8db726627f0be2a9bfbec584bde1156114e1af61aa727e2e39302b5