Sunday, 5 April 2020

Removing netplan from Ubuntu

For the last year or more I have been confused by a problem where LXC containers get two IP addresses assigned.

Naturally you want static IPs for server containers, defined in lxc/$name/config:

lxc.net.0.ipv4.address = 10.0.3.2/24
lxc.net.0.ipv4.gateway = 10.0.3.1

Containers configured this way would get two IP addresses on boot: the one statically assigned by lxc and another randomly assigned one.

I never really understood the root cause.

I fixed this by disabling files here and there, removing the IP config from lxc/$name/config, and then running in /etc/rc.local:

ip addr add 10.0.3.2/24 scope global dev eth0
ip route add default via 10.0.3.1 dev eth0

Some of my containers use Ubuntu, most use lxinitd; I did not notice that the problem was limited to Ubuntu.

The above solution requires installing iproute2, i.e. /sbin/ip, in containers, which in turn requires mounting /lib lib64 /usr/lib and not being able to run a fully statically compiled container.

This fella has a much simpler solution

https://www.claudiokuenzler.com/blog/938/lxc-container-not-getting-ip-address-netplan

Netplan is the root cause of the problem, and it can be removed.

apt-get remove netplan.io

Now setting the IP address in lxc/$name/config works across all my containers.

Sunday, 23 February 2020

Two factor auth with bash

I have a couple of servers that I ssh into from different locations, and I don't always have my ssh keys. I have come up with what I think is a fairly secure 2fa using ssh and bash. RSVP if you see a flaw in this.

Server's /home/myuser/.profile has

if [ "$PASSWORD" != longanddifficulttotypepassword ]
then
  exit 0
fi

Server's /etc/ssh/sshd_config forces use of a bash login shell

Match User myuser
    ForceCommand /bin/bash -l

and allows sending environment variables

AcceptEnv LANG LC_* PASSWORD

When I log in I supply PASSWORD as an environment variable, e.g. in ~/.ssh/config containing...

Host home
    User myuser
    SetEnv PASSWORD=longanddifficulttotypepassword

As long as I can remember my long and short passwords when I travel, I can log in without SSH keys.

All I have to type to login is ssh home and my short password.

I'd like to build this feature into PAM but I've not yet found a way to pass a second token without user input.

If a hacker knows you are doing these things, the security weakens but it does not disappear. Telling everybody that your logins support !@#$%^&*()_+ in usernames makes dictionary attacks harder, even if you don't use those characters. Of course simple 2fa should not replace a functioning first layer.
  • Don't use very weak passwords.
  • PermitRootLogin prohibit-password
  • AllowUsers ...
  • Don't run ssh on port 22.
In your local /etc/ssh/ssh_config you probably want to ensure you don't accidentally send an env variable to a server that isn't your own

Host onlymyserver
    SendEnv LANG LC_* PASSWORD
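
A variant of the .profile check above, as an added example that is not the author's code: it keeps only a SHA-256 digest of the long password on the server instead of the plaintext, fails closed when the variable or the digest file is missing, and unsets PASSWORD once the decision is made. The function names and the digest file path are hypothetical, and sha256sum is assumed to be installed.

```shell
# Added example, not the author's code. Assumes sha256sum (coreutils) is
# installed; the digest file path used below is hypothetical.

# Print the hex SHA-256 of the argument (no trailing newline is hashed).
sf_hash() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Return 0 only if the supplied value hashes to the stored digest.
# $1 = supplied value, $2 = file holding the expected hex digest
sf_verify() {
    [ -n "$1" ] || return 1        # empty or unset value never passes
    [ -r "$2" ] || return 1        # missing digest file fails closed
    sf_expected=$(tr -d ' \n' < "$2")
    [ -n "$sf_expected" ] || return 1
    [ "$(sf_hash "$1")" = "$sf_expected" ]
}

# Gate for the top of ~/.profile. Interrupts are ignored until the decision
# is made, and PASSWORD is unset either way so that programs started from
# the session do not inherit it.
sf_gate() {
    trap '' INT QUIT TSTP
    if sf_verify "${PASSWORD-}" "$1"; then
        unset PASSWORD
        trap - INT QUIT TSTP
        return 0
    fi
    unset PASSWORD
    exit 0                         # same behaviour as the original check
}

# Enrol once on the server (hypothetical path; type the value, then Ctrl-D,
# so it does not land in shell history):
#   sf_hash "$(cat)" > "$HOME/.second_factor.sha256"
# Then in ~/.profile, directly after the function definitions:
#   sf_gate "$HOME/.second_factor.sha256"

# Constructed demo values, safe to run anywhere.
sf_demo=$(mktemp)
sf_hash 'constructed-sample-passphrase' > "$sf_demo"
sf_verify 'constructed-sample-passphrase' "$sf_demo" && echo "match"
sf_verify 'wrong-guess' "$sf_demo" || echo "rejected"
rm -f "$sf_demo"
```

The client side is unchanged: ~/.ssh/config still sends the long password with SetEnv, and only the server stops storing it in plaintext.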

Tuesday, 14 January 2020

Changing Ubuntu's royale purple

It seems like Ubuntu uses a lot of purple, but it turns out it is only in 5 places.
  • grub - i.e. the boot screens
  • plymouth
  • terminal background
  • desktop background
  • login greeter background
Presuming you want to change the background to something dark, i.e. you don't want to invert light and dark tones, the job is pretty easy.

Grub

Create a background image, matching its size to the native screen resolution. Save it to /boot/grub/background.png

Edit /etc/default/grub adding

GRUB_BACKGROUND="/boot/grub/background.png"

Run sudo update-grub

Plymouth

Plymouth is the screen that shows after grub while the laptop loads. I remove quiet from grub boot lines so I get to see the steps of the Linux boot process. I have nothing to change here; if you prefer the Ubuntu logo and loading dots, it's configurable and easy to test changes: https://wiki.ubuntu.com/Plymouth

Terminal

Edit > Preferences > profile > Color (tab)
Uncheck "use colors from the system theme".
Change only the background. Set something below #303030

Login Screen

The theme for gdm is written in CSS; the files are in /usr/share/gnome-shell/theme/, and you may have more than one option.

Find existing backgrounds

cd /usr/share/gnome-shell/theme/
grep -r -A4 lockDialogGroup .


The #lockDialogGroup elements define the background.

To just make it black

echo '#lockDialogGroup { background: #000; }' > ubuntu.css

Desktop background

Right mouse click on the desktop and "change background".

Et voilà, no purple.

I imagine this is subject to change over time; I have done the same steps on 18.04 and 20.04. Despite the change in Ubuntu it's not lost its twiddleability.


Saturday, 11 January 2020

Ubuntu Linux on the Asus ZenBook 13"

A.K.A Zen flipbook
A.K.A UX362F
 
Short story is Ubuntu works fine.

Install Process

A couple of tricks.

If you have turned on the laptop you need to shut it down properly; the power button is a soft key. Hold down the off button for ages (like 10 or 20 seconds) to properly hard reset.

The screen should go blank; then start hitting F2 repeatedly.
The ASUS logo shows for what seems like a long time; keep hitting F2, and finally you enter the BIOS.

Insert the pendrive with Ubuntu on (USB Disk Creator if you don't have one). I was using 18.04 LTS but I plan to upgrade to 19.10 since the UI is good looking.

Disable Secure Boot

Delete the Windows Boot Option  (fear not it can be recreated)

Add a new boot Option e.g. called usblinux and find the efi file <efi> <boot> bootx64.efi

Save & Exit

The system should boot to a terminal UI; select * Try Ubuntu

Ubuntu should load and show you the familiar fancy desktop, with the Install Ubuntu icon. Using Try and Install saves you rebooting and BIOS nonsense if the install fails.

Attempt 1

First time I tried to install Ubuntu into the C: drive space (the largest partition) leaving the repair partitions, something I have done with other laptops. This initially worked and booted successfully but somehow during a subsequent boot the BIOS found Windows, Windows found Linux and before I could stop it, it "repaired" my system by removing the Linux boot option and reinstalling the Windows boot option. Naturally Windows would not boot since I'd wiped C: data.

Arguably this is virus behaviour!

Attempt 2

Second time I wiped the main disk's partition table, and created a new partition table. Adios Windows and its viral "repair" features.

I needed to re-create an EFI partition; this is important or the install will fail at the grub stage. ref:. Creating an EFI partition is hidden in the "something else" option, for manually creating partitions.

I created a 200Mb EFI system partition, 8Gb /swap, and the rest ext4 /.

<rant>So much junk gets put in $HOME these days it's not worth separating out that partition. Particularly, I code Rust and rustup installs the whole tool-chain and all libs inside $HOME. The days of having user data in $HOME, it seems, are over.
I create a /data directory and put all my user data there, where helpful automated tools can not find it :) </rant>

Peripherals

Ethernet

This laptop has a decent amount of connectivity options but no RJ45, so a dongle of some sort is needed. The left side has a regular USB3 port and a cheapo Gigabit Ethernet dongle inserted there works fine, no config needed. Plug it in and the network auto-configures.
On the other side are 2 x USB-C ports. I consider USB-C too small and flimsy for everyday use but I did try a dongle with Gigabit Ethernet, HDMI and 2 x USB3 ports. Everything auto-configured with no effort. USB peripherals connected to the USB-C dongle also auto-configure.

Wifi


Works.

Audio

Works. <rant>Harman Kardon pretty much pwn the entire audio industry these days; they are owned by Samsung and they have a great many sub-brands. Harman Kardon branded stuff is a pretty good guarantee of quality and certainly no gripes on the audio output. N.B. real mini jack with a proper headphone amp, no noise and good quality sound. </rant>

Keyb


Keyboard function keys all work except the on/off for the back-lighting in 18.04, fixed in later versions. Back-lighting works. You can run the preinstalled script /etc/acpi/asus-keyboard-backlight.sh instead of the button.
Layout in Europe is US style small Enter key which I much prefer, one of the reasons I accepted a Spanish layout. If you can touch type on a US keyb this is a good option when purchasing on the continent.

Mouse

Works. The mouse pad is painted with a keyboard which does not work. Not investigated that yet.

Display

<rant>Have to remove an annoying sticker on the screen without damaging the screen. What you might call a bad un-boxing experience. I remove the other little sticker on the front panel too, except Harman Kardon is printed on.</rant>

Display is sexy: 1920 x 1080 and touch screen works. I've not owned a touch screen laptop before but from familiarity with phones I have found myself poking at laptop screens before so I suspect it will become a much loved feature.

On screen keyboard automatically pops up when needed like on a phone, but is a bit patchy, does not work in Firefox for example. Apparently there are some tools to install to make tablet mode more comfortable.


<rant> N.B. this Laptop has Intel Graphics so no Optimus woes, I believe those things are fixed in newer Ubuntus (with no little from NVidia itself) once bitten twice shy. I will not buy NVidia hardware if I can avoid it.</rant>




All in all, quite happy. I recommend the ASUS ZenBook UX362F if you are looking for a powerful ultra-portable Linux Laptop, Intel i7, 16GB of RAM, should be enough for everyone.