Abandoned projects

obsolet unfinished

CheckMK

Monitoring Software

CheckMK

Introduction

checkmk_logo_neg_v2_vertical.png

Introduction

Checkmk is a comprehensive solution for monitoring of applications, servers, and networks. This vast set of features was designed in collaboration with our customers over many years. Checkmk is easy to learn and use, but powerful enough for the most complex IT environments.

Checkmk is available in four editions:

These Checkmk Editions are available for a range of platforms, in particular for various versions of Debian, Ubuntu, SLES and Red Hat, and also as a Docker Image. In addition, physical appliances of various sizes as well as a virtual appliance are offered to simplify the administration of the underlying operating system through a graphical user interface and to enable high-availability solutions.

The agents used by Checkmk to collect data are available for 11 platforms, including Windows.

This manual describes the installation on portainer. 

Features

checkmk provides integrations for important products, such as:

Requirements

History

I installed the "free" enterprise edition, however, after 30 days it is not so free after all. The amount of hosts is limited to 25. After I enabled another feature, it counted PVE subsystems as hosts and the host count was suddenly 59. The whole suite stopped working. Therefore it is necessary to install it again. This time I will use the raw edition on portainer.

CheckMK

Installation

Installation on Linux

Download

You can download the current version here:

Checkmk download

After selecting the desired version it will create a command. Copy the command and execute in a Linux terminal. It looks like this:

wget https://download.checkmk.com/checkmk/2.2.0p20/check-mk-raw-2.2.0p20_0.bookworm_amd64.deb

Installation

copy the command from the webpage and execute in a Linux terminal

sudo apt install ./check-mk-raw-2.2.0p17_0.bookworm_amd64.deb

Create a checkmk monitoring site

sudo omd create monitoring

The output will look like this:

Output
Adding /opt/omd/sites/monitoring/tmp to /etc/fstab.
Creating temporary filesystem /omd/sites/monitoring/tmp...OK
Restarting Apache...OK
Created new site monitoring with version 2.2.0p17.cre.

    The site can be started with omd start monitoring.
    The default web UI is available at http://your_server/monitoring/

    The admin user for the web applications is cmkadmin with password: generated-password
    (It can be changed with 'htpasswd -m ~/etc/htpasswd cmkadmin' as site user.)
    Please do a su - monitoring for administration of this site.

Grab the password and change it.

omd start monitoring

Installation on Portainer

Docker Compose file

I grabbed a nice cocker compose file, created a new stack and copied the contents of the docker compose file.

version: '3.1'
services:
  controll:
    image: checkmk/check-mk-raw:2.0.0-latest
    tmpfs:
     - /opt/omd/sites/cmk/tmp:uid=1000,gid=1000
    ulimits:
      nofile: 1024
    container_name: checkmk
    restart: always
    volumes:
      - '/etc/localtime:/etc/localtime:ro'
      - './odm-sites:/omd/sites'
    ports:
      - '8095:5000'
      - '6557:6557'

The password can be seen in the log  (Quick actions). And the password can be changed on the console (Quick actions).

htpasswd /opt/omd/sites/cmk/etc/htpasswd cmkadmin

You can login here:

http://portainer.simmy.ch:8095


CheckMK

Securing the webinterface

So far I couldn't make that working. 

Docs: Securing the Webinterface

Activating the Apache modules

a2enmod ssl
systemctl restart apache2

locate the certificate file:

find /etc/apache2/ -type f -exec grep -Hn '^\s*SSLCertificate.*File' {} \;

/etc/apache2/sites-enabled/000-default

RewriteEngine On
# Never forward request for .well-known (important when using Let's Encrypt)
RewriteCond %{REQUEST_URI} !^/.well-known
# Next 2 lines: Force redirection if incoming request is not on 443
RewriteCond %{SERVER_PORT} !^443$
RewriteRule (.*) https://%{HTTP_HOST}$1 [L]
# This section passes the system Apaches connection mode to the
# instance Apache. Make sure mod_headers is enabled, otherwise it
# will be ignored and "Analyze configuration" will issue "WARN".
<IfModule headers_module>
    RequestHeader set X-Forwarded-Proto expr=%{REQUEST_SCHEME}
    RequestHeader set X-Forwarded-SSL expr=%{HTTPS}
</IfModule>



CheckMK

checkmk Agent installation on linux

Download the Agent

Setup --> Agents --> "Windows, Linux, Solaris, AIX" --> Related --> "Linux, Solaris, AIX" --> right click on the file --> Copy link address

Install the Agent

For Debian based systems

wget http://syslog.simmy.ch/monitoring2/check_mk/agents/check-mk-agent_2.2.0p17-1_all.deb
apt install ./check-mk-agent_2.2.0p17-1_all.deb

if ufw is active, then you have to enable the service port:

ufw allow 6556

For Red Hat/Fedora based systems

wget http://syslog.simmy.ch/monitoring2/check_mk/agents/check-mk-agent-2.2.0p17-1.noarch.rpm
sudo yum install -y -q check-mk-agent-2.2.0p17-1.noarch.rpm -y

Open the firewall for checkmk-agent on port 6556

For Univention based systems

Installationsanleitung checkmk 2.0 check_mk_agent auf UCS 5.0

Register agent to the monitoring server

cmk-agent-ctl register --hostname $(hostname -f) --server syslog.simmy.ch --site monitoring2 --user cmkadmin

Useful commands

ss -tulpn | grep 6556
echo | nc <localhost> 6556
cmk-agent-ctl status



CheckMK

Agent installation on TrueNAS

Download the Agent

Setup --> Agents --> "Windows, Linux, Solaris, AIX" --> Related --> "Linux, Solaris, AIX" --> right click on .deb file --> Copy link address

Then you will have the address of the .deb file, which can be downloaded with wget:

wget http://syslog.simmy.ch/monitoring2/check_mk/agents/check-mk-agent_2.2.0p17-1_all.deb

Install the Agent

For some reason the apt program is not an executable. So the first step is to make this file executable.

chmod +x /usr/bin/apt
apt install ./check-mk-agent_2.2.0p17-1_all.deb

if ufw is active, then you have to enable the service port:

ufw allow 6556

Register agent to the monitoring server

cmk-agent-ctl register --hostname $HOSTNAME.simmy.ch --server syslog.simmy.ch --site monitoring2 --user cmkadmin

Useful commands

ss -tulpn | grep 6556
echo | nc <localhost> 6556
cmk-agent-ctl status



CheckMK

SNMP Configuration for mikrotik routers

Configuration on mikrotik

IP --> SNMP --> Communities

Create community simmy with high encryption

Bildschirmfoto 2023-12-16 um 15.05.24.png

Enable and select the trap community

Bildschirmfoto 2023-12-16 um 15.06.29.png

Configuration on checkmk

I created a folder for all mikrotik devices.

Bildschirmfoto 2023-12-16 um 15.08.41.png

Use the same community and passwords as above!

For the network scan I limited the IP-Range to the range where all mikrotik devices have their IP address.

On most of the devices I disabled the "Filesystem system disk" check, hence it would always trigger an alarm on the mikrotik defaults.

Bildschirmfoto 2023-12-16 um 15.14.16.png

 

CheckMK

Integration of Proxmox VE

Configuration on Proxmox VE

Create a group named read_only.

Bildschirmfoto 2023-12-16 um 15.16.30.png

Create a user named checkmk_user and add it to the group read_only.

Bildschirmfoto 2023-12-16 um 15.17.50.png

Add a group Permission:

Bildschirmfoto 2023-12-16 um 15.20.47.png

Install the Linux client.

Configuration on checkmk

Setup --> Hosts --> find and select properties of host

Bildschirmfoto 2023-12-16 um 15.31.05.png

Setup --> Agents --> VM, Cloud, Container --> Proxmox VE --> Add rule

Bildschirmfoto 2023-12-16 um 15.36.38.png

 

https://docs.checkmk.com/latest/en/

https://checkmk.com/de

 

 

 

 

CheckMK

Monitoring of docker services

Configuration

A very good description can be found here:

How-to-monitoring docker

Install the agent

You will need the mk_docker.py agent plug-in, which you can find here: Setup > Agents > Other operating systems > Plugins

wget http://syslog.simmy.ch/monitoring2/check_mk/agents/plugins/mk_docker.py

Install the plug-in to the agent’s plug-in folder (usually /usr/lib/check_mk_agent/plugins). 

install -m 0755 mk_docker.py /usr/lib/check_mk_agent/plugins

create the config file

Create the configuration file /etc/check_mk/docker.cfg on the Docker host. A template with detailed explanations can be found in the Checkmk directory ~/share/check_mk/agents/cfg_examples/docker.cfg.

Settings in the GUI

In addition I created a folder with the name docker-services:

Setup  --> Hosts --> Main --> add folder

Bildschirmfoto 2023-12-27 um 17.18.35.png

I had to add hosts with the names of the docker containers. 

That's all.

Description of the machine

Hardware

Gigabyte embedded AMD Epyc

OS

MX Linux 23.2 Libretto fluxbox based on Debian Linux 12 bookworm

Configuration

Installation

Straight forward using these settings:

Added Software

Tweaks

join the sync queue of Firefox for the favorites

misc

default file manager Thunar

Add pci=noaer to the default Kernel parameter in the grub configuration

USB Drive mounting

This is not yet finally. When one of those drives is not available, the system will hang at system start.

I created two mount points:

https://linuxconfig.org/automatically-mount-usb-external-drive-with-autofs

I added these two lines to /etc/fstab:

UUID=A9B7-5D47 /mnt/armorlock exfat auto,nofail,rw,relatime,fmask=0022,dmask=0022,iocharset=utf8,errors=remount-ro 0 0
UUID=FFDF-F997 /mnt/lacie exfat     auto,nofail,rw,relatime,fmask=0022,dmask=0022,iocharset=utf8,errors=remount-ro 0 0

Then I executed these commands:

systemctl daemon-reload
mount -a

Description of networking

This machine uses altogether 4 network interfaces:

Backup to USB Drive

Introduction

For same applications it might be necessary to use an external drive without adding this drive to a ZPool. E.g. if you want to copy from or to an external device. TrueNAS did not play well with this USB Bavkup solution. So finally I created another Hardware with a Linux client OS (MXLinux) to get the job dons.

Setup / mounting

TrueNAS will not mount a drive automatically when plugged into an USB Port. This has to be done manually. In this example I will use an external drive from LaCie. 

  1. Plug in the drive to any USB Port
  2. Figure out the name of the device. It can be seen in Storage --> Disks. It is usually the drive without pool.
  3. Enter 
    lsblk -p | grep "disk\|part"
    It will show show the exact name of the partition you want to mount. Bildschirmfoto 2023-12-17 um 17.54.37.png
    In this case it is sdd2.
  4. Enter 
    blkid /dev/sdd2

    It will show you the UUID of the partition you want to mount
    root@nas04[/home/admin]# blkid /dev/sdd2
/dev/sdd2: LABEL_FATBOOT="EFI" LABEL="EFI" UUID="B7D1-A689" BLOCK_SIZE="512" TYPE="vfat" PARTUUID="5545caa6-b0c3-4558-b222-aac5fb9c0026"
  5. Create a mountpoint 
    mkdir /mnt/LaCie

  6. add to fstab
    UUID=B7D1-A689 /mnt/LaCie vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro 0 0

  7. Mount the device
    mount -a

Explanation

It seems to be awkward to make so many steps to mount an USB device. However, TrueNAS does no auto mount. So a permanent mount must be added manually to the fstab. And furthermore, TrueNAS seems to change the name of the partition frequently, so the UUID of the partition has to be used.

Create an rsync job

Create the file /root/rsync_exclude.txt with this content:

ix-applications
replika
.~tmp~
*/._*
*/.DocumentRevisions-V100/
*/.DS_Store
*/.fseventsd/
*/.Spotlight-V100/
*/.TemporaryItems/
*/.Trashes/
.@*
.*
@Recycle
*.@__thumb
sync.ffs_lock

All these files/directories will not be copied to the target drive. These items are created by MacOS and will automaticall re-created, when these objects in the backup are used by MacOS.

The command for the rsync job looks like this:

rsync -av --delete --log-file="/var/log/rsyncd.LaCie.log" --no-perms --no-owner --no-group --exclude-from "/root/rsync_exclude.txt" /mnt/N4pool/ /mnt/LaCie/backup 

If you want to run it over the network:

create a passwordless ssh connection

Enable ssh login with a public key

rsync -av --delete --log-file="/var/log/rsyncd.LaCie.log" --no-perms --no-owner --no-group --exclude-from "/root/rsync_exclude.txt" rsync@nas04.simmy.ch:/mnt/N4pool/ /mnt/lacie/backup 

Add to cron

sudo crontab -e
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').
#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information see the manual pages of crontab(5) and cron(8)
#
# m h  dom mon dow   command
0 1 * * * /root/nas04_backup.sh
0 3 * * * /root/hcloud_backup.sh
0 1 * * * /root/dyndns.sh
0 4 * * * /root/hcloud2_backup.sh

Job descriptions

Currently therea are four jobs executed:

Job
 description
nas04_backup.sh Backup all data in unencrypted from nas04 to external USB Drive
hcloud_backup.sh old unencrypted backup of hCloud
hcloud2_backup.sh backup from hCloud on nas02 to encrypted exteranal usb drive
dyndns.sh Update for hosting.de DynDNS service




hcloud2_backup.sh

The data is located on nas02.simmy.ch in an encrypted dataset. rsyncd is installed and configured on nas02.simmy.ch. This docker container is not listening on port 22, but on port 30026. Therefore it was necessary to modify the rsync job:

rsync -av --delete --log-file="/var/log/rsyncd.armorlock2.log" --no-perms --no-owner --no-group --exclude-from "/root/rsync_exclude.txt" rsync://nas02.simmy.ch:30026/hcloud_simmy /mnt/armorlock/backup/hcloud2

rsync documentation

Manually mount a USB drive in the Linux terminal

How To Use Rsync to Sync Local and Remote Directories

How to use UUID to mount a volume

Registrierung

Step-by-step

Die Registrierung für neue Benutzer befindet sich hier:

https://portal.simmy.org

Das ist auch gleichzeitig die Adresse des Self Service Portals um sein Passwort zurück zu setzen, sollte man es vergessen haben.

grafik.png

Möchte man sich registrieren, klickt man auf den Menüeintrag rechts: "Registrierung eines neuen Benutzers".

So sollte die nächste Seite aussehen:

grafik.png

So sieht die nächste Maske aus:

grafik.png

Anschliessend erhält man eine Email mit einem Link und einem Code. Klickt man auf dem Link, erscheint nach kurzer Zeit folgende Maske:

grafik.png

Umleitungsfehler

grafik.png

Es kann jedoch Probleme bei Browsern oder E-Mail Programmen geben. In diesem Falle kann man einfach den Code aus der E-Mail markieren und kopiren. Die Überprüfungsmaske kann man mit 

https://portal.simmy.org/pwm/public/newuser

nochmals aufrufen. Dann kann man den Code in das Feld einfügen. Manchmal reicht es auch, auf die Adresszeile des Browsers zu klicken und Enter zu drücken.

PWM Password Management

PWM Password Management

Introduction

Introduction

PWM is an open source password self-service application for LDAP directories

It includes:

Multiple Deployment Options

Multiple SSO options

REST Server APIs for most functionality

Installation / Architecture

The service is installed on portainer.simmy.ch. It is simply the default installation of the docker container.

Install experience

https://github.com/pwm-project/pwm

https://groups.google.com/g/pwm-general?pli=1

https://www.pwm-project.org/pwm/public/reference/

Downloads

PWM Password Management

Installation

Introduction

There three different ways for the installation. I choose the docker deployment.

Requirements

Installation

The PWM docker image includes Java and Tomcat. It listens using https on port 8443, and has a volume exposed as /config. You will need to map the /config volume to some type of persistent docker volume for PWM to retain configuration.

Download the newest version

Goto https://github.com/pwm-project/pwm/releases

find and download the most recent .tar file. In my case it was  pwm-docker-image-2.0.6.tar.

Load the docker image

Load your docker image with image name of default pwm/pwm-webapp:

docker load --input=pwm-docker-image-v2.0.0.tar

Create file structure

I worked in the root path.

mkdir pwm-config

This subdirectoy will become very useful, hence there will be all fiels for configuration and debugging puposes.

Create docker image

Create docker image named mypwm, map to the server's 8443 port, and set the config volume to use the server's local file system /home/user/pwm-config folder (this will be the PWM application path for the container):

docker create --name mypwm -p '8443:8443' --mount 'type=bind,source=/root/pwm-config,destination=/config' pwm/pwm-webapp

Start the mypwm container:

docker start mypwm


 

PWM Password Management

Configuration

Introduction

After the installation it is necessary to configure several parameters and options to ensure the system works properly.

How To change values

The PWM can run in two different modes:

New registration are only working in the read only mode. If there is the need to change any configuration setting, the PWM config has to be set to editable. To do this, got to the directory /root/pwm-config, edit the file PwmConfiguration.xml and change the following property:

        <property key="configIsEditable">false</property>

Fortunately this is the first property of the file.

The key has to be changed from false to true. Save the file and exit the editor. After that open the webpage https://portal.simmy.org and you will find on the upper right corner a new menu, that enables you to edit any configuration setting. When you finished editing, safe. All changes are written  to the file PwmConfiguration.xml. Reopen the file PwmConfiguration.xml and change the property Key configIsEditable to true.

In theory all settings can be changed directly in of the file PwmConfiguration.xml. The changes are applied immediately to the application. However, this is not recommended.

Password policy

It appears that the solution here (in case anyone else ever runs into this) is to change Settings...Password Settings...Password Policy Source to "Local".

https://groups.google.com/g/pwm-general/c/dQN9irsCZ2w/m/ESp9RLfdCAAJ

Valid E-Mail address

The original settings did not allow to enter E-mails with "_"s. So I had to change the corresponding regex that checks the entered E-Mail address for valid characters. I simply added the "_" to the list of allowed characters.

Regex:^[a-zA-Z0-9 .,'@]*$

Regex:^[a-zA-Z0-9_ .,'@]*$

Bug at user registration

For some reasons the Token that is sent out by pwm gets changed by some web handlers or the E-mail software itself. I could at least partially solve it by overriding some defaults directly in the file PwmConfiguration.xml:

        <setting key="pwm.appProperty.overrides" modifyTime="2024-02-21T16:26:32Z" syntax="STRING_ARRAY" syntaxVersion="0">
            <label>Settings    ^g    Application    ^g    Application    ^g    App Property Overrides</label>
            <value>security.http.permittedUrlPathCharacters=^[a-zA-Z0-9-_=]*$</value>
        </setting>

If there is still an error message, just press enter.

 

 

LDAP Account Manager

LDAP Account Manager

Introduction

image.png

What is the LDAP account manager?

LDAP Account Manager (LAM) is a web frontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. LAM was designed to make LDAP management as easy as possible for the user. It abstracts from the technical details of LDAP and allows persons without technical background to manage LDAP entries. If needed, power users may still directly edit LDAP entries via the integrated LDAP browser.

LDAP Account Manager

Features

The most important account types which are supported by LAM are Samba, Unix, Zarafa and PPolicy. The user can define profiles for all account types to set default values. Account information can be exported as PDF files. There is also the possibility to create users via file upload. It also includes the tree view of PhpLDAPadmin to access the raw LDAP attributes. LAM is translated to 16 languages.

Supported account types:

LDAP Account Manager

Installation on Turnkey Debian

Installation

apt -y install ldap-account-manager

The account manager is available on http://lamp.simmy.ch/lam.

https://www.unixmen.com/setup-samba-domain-controller-with-openldap-backend-in-ubuntu-13-04/

https://www.ldap-account-manager.org/lamcms/howto

https://computingforgeeks.com/install-and-configure-ldap-account-manager-on-ubuntu/

https://www.ldap-account-manager.org/lamcms/documentation

LDAP Account Manager

Installation on Ubuntu Server 22.04

Install Apache Webserver and PHP

apt -y install apache2 php php-cgi libapache2-mod-php php-mbstring php-common php-pear

Then enable php-cgi PHP extension:

a2enconf php*-cgi
systemctl reload apache2

Install LDAP Account Manager

apt -y install ldap-account-manager

The account manager is available on http://lam.simmy.ch/lam.

https://www.unixmen.com/setup-samba-domain-controller-with-openldap-backend-in-ubuntu-13-04/

https://www.ldap-account-manager.org/lamcms/howto

https://computingforgeeks.com/install-and-configure-ldap-account-manager-on-ubuntu/

https://www.ldap-account-manager.org/lamcms/documentation

 

 

LDAP Account Manager

Configuration of the LDAP Account Manager

Change master password

image.png

Click on LAM configuration on the upper right corner.

image.png

"Edit general settings"

image.png

The Master password is "lam".

Scroll down to "Change master password"  and enter your desired password two times.

The password will be saved in cleartext in a configuration file of LAM

Add certificates

image.png

The communication with the the OpenLDAP server over SSL didn't work. So finally I added two certificates. The CA, which I simply uploaded (Choose file --> "Upload") and the certificate of the Domain Controller (enter ldaps://openldap.simmy.ch --> "Import from server"). 

Scroll down and click "Ok". Restart the apache server:

systemctl restart apache2

Create a profile for OpenLDAP

Click on LAM configuration on the upper right corner.

Click on "Edit server profiles".

Click on "Manage server profiles".

image.png

Enter these options:

  1. Profile name --> OpenLDAP
  2. Profile password --> your password here
  3. Reenter password --> your password here
  4. Template --> choose Template "unix" for OpenLDAP
  5. Add

The password will be saved in cleartext in a configuration file of LAM

Configuration of the profile for OpenLDAP

image.png

General settings

Server settings

image.png

Server address --> ldap://openldap.simmy.ch:389

Tool settings

image.png

Tree suffix: DC=simmy,DC=ch

Security settings

image.png

Login method: Fixed list

List of valid users: 

cn=admin,dc=simmy,dc=ch
cn=binduser,ou=Users,dc=simmy,dc=ch
cn=Holger Schindler,ou=Users,dc=simmy,dc=ch

Account types

Create the OU groups before doing this:

image.png

These two LDAP suffixes have to be set:

Modules

Nothing to change here.

Module settings

Nothing to change here.

Final

"Save" and login to your profile "OpenLDAP. You will have to enter the password of the Administrator.

https://www.unixmen.com/setup-samba-domain-controller-with-openldap-backend-in-ubuntu-13-04/

https://www.ldap-account-manager.org/lamcms/howto

https://computingforgeeks.com/install-and-configure-ldap-account-manager-on-ubuntu/

https://www.ldap-account-manager.org/lamcms/documentation

https://www.ldap-account-manager.org/static/doc/manual.pdf

 

 

 

 

Bacula

Bacula

Introduction Bacula

Introduction

Bacula is an open-source, enterprise-level computer backup system for heterogeneous networks. It is designed to automate backup tasks that had often required intervention from a systems administrator or computer operator. 

Architecture

image.png

Components

Bacula Director

Server component. Supervisor.

Bacula Console/Admin

Interface for the Director. There are text versions and GUIs:

Bacula Client

File daemon installed on the client.

Bacula Storage

Interface to the storage components. Here a share on the NAS.

Catalog

SQL database.

Bacula Monitor

Monitor program. Works with GTK+ (GNOME, KDE, FreeDesktop.org system tray standard).

Bacula

Installation server components

Introduction

In general, you should get the binary packages from your download area on www.bacula.org.  You can either download what you need or setup a repository pointing to the download area that will allow you to use your installer program such as apt to ensure that all the dependencies a met.

This will install these components:

Setup the repository

apt-get install apt-transport-https
wget https://bacula.org/downloads/Bacula-4096-Distribution-Verification-key.asc
apt-key add Bacula-4096-Distribution-Verification-key.asc

Add to your /etc/apt/sources.list file the following entries:

# Bacula
deb https://www.bacula.org/packages/65f518dfc0382/debs/13.0.4 bookworm main

Installation

apt-get update
apt-get install dbconfig-common postgresql
apt-get install bacula-postgresql

I choose the name of the application as password for the Postgre Database. There is small untilitiy installed with the director: bconsole.

bacula binaries

Installation guide

Bacula

Configuration

 

The configuration files are located in /opt/bacula/etc/.

image.png

Bacula

Evaluation

Despite the fact that the architecture looks very promising, I finally abandoned the project. There are three reasons:

  1. The client app for Archlinux is broken
  2. It's difficult to install on Debian
  3. The interesting parts of the project are taken by a commercial company (https://www.baculasystems.com/company/)

 

NEVIS

NEVIS

Installation of NEVIS

Introduction

I decided to install NEVIS inside a kubernetes cluster.

Installation in Kubernetes Cluster

Installation of kubernetes

Fedora installation of kubernetes 

sudo dnf install kubernetes kubernetes-kubeadm kubernetes-client
Open firewall ports 6443, 10250

sudo systemctl enable kubelet.service
sudo systemctl enable containerd
sudo systemctl start containerd
sudo swapoff -a
sudo dnf install iproute-tc

sudo cat <<EOF | sudo tee /etc/modules-load.d/k8s.conf
overlay
br_netfilter
EOF


sudo modprobe overlay
sudo modprobe br_netfilter

# sysctl params required by setup, params persist across reboots
sudo cat <<EOF | sudo tee /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-iptables  = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward                 = 1
EOF


# setting DNS correcly
sudo mkdir -p /etc/systemd/resolved.conf.d/
sudo cat <<EOF | sudo tee /etc/systemd/resolved.conf.d/stub-listener.conf
[Resolve]
DNSStubListener=no
EOF

sudo sysctl --system

sudo systemctl enable --now kubelet

sudo kubeadm init

# set KUBELET_KUBEADM_ARGS
sudo tee -a /etc/kubernetes/kubelet.conf <<EOF
KUBELET_LOG_LEVEL=5
KUBELET_KUBEADM_ARGS="--v=4 --logtostderr=true"
EOF

Kubelet configuration

using-kubernetes-kubelet

Accessing the cluster as normal user

mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
# Allow the control plane machine to also run pods for applications. Otherwise more than one machine is needed in the cluster.
kubectl taint nodes --all node-role.kubernetes.io/control-plane-

# Install flannel into the cluster to provide cluster networking. There are many other networking solutions besides flannel. Flannel is straightforward and suitable for this guide.
kubectl apply -f https://github.com/coreos/flannel/raw/master/Documentation/kube-flannel.yml

Useful commands

sudo systemctl restart kubelet
sudo systemctl status kubelet
sudo journalctl -u kubelet
ss -tlnp | grep 6443
kubectl config use-context
kubectl config view
kubectl cluster-info
kubectl get pods --all-namespaces
kubectl get svc -A
kubectl get events --namespace=kube-system
kubectl get nodes -o wide

Additional .conf files:

The kubernetes-kubeadm rpm installs an overriding kubelet unit file at:

/usr/lib/systemd/system/kubelet.service.d/10-kubeadm.conf

We strongly recommend to not modify either file as any changes could be lost during an update.

As documented by the Kubernetes team (https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/kubelet-integration/#the-kubelet-drop-in-file-for-systemd), create the following directory for user managed, system-level systemd kubelet overrides:

$ sudo mkdir -p /etc/systemd/system/kubelet.service.d/

Then create a unit file (.conf extension required) and copy the file to the directory listed above. Settings in this file will override settings from either or both of the default systemd files.

misc

Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
  https://kubernetes.io/docs/concepts/cluster-administration/addons/

Then you can join any number of worker nodes by running the following on each as root:

kubeadm join 192.168.1.35:6443 --token dapwn1.21bvsun7tw95b6j7 \
	--discovery-token-ca-cert-hash sha256:bc878aa0a8db726627f0be2a9bfbec584bde1156114e1af61aa727e2e39302b5