Category Archives: Too Good To

Too Good To

Too Good To #014

In today’s installment:

  • dmesg from before the machine crashed
  • Kill process ID from pidfile
  • Let systemd retry a task
  • Set MTU on OpenVPN connections in Networkmanager

dmesg from before the machine crashed

Super helpful and complete after most kernel panics and Magic SysRq resets:

journalctl --dmesg --boot -1

Kill process ID from pidfile

pkill --pidfile foo.pid

I use this in this wacky systemd user unit:

[Unit]
Description=nginx restreamer

[Service]
ExecStart=/usr/sbin/nginx \
        -c %h/.local/nginx/nginx.conf \
        -g "pid %h/.local/nginx/nginx.pid;"
ExecReload=pkill -HUP --pidfile %h/.local/nginx/nginx.pid

[Install]
WantedBy=default.target

Let systemd retry a task

Not the first appearance of systemd-run in this category, and probably not the last. Here’s how to hand a task to systemd-run in order to be retried a number of times.

My bro math for interval calculation goes like this:

  • RestartSec = Time to wait between end of a failed attempt and start of the next attempt
  • RuntimeMaxSec = Allowed time for each attempt
  • StartLimitBurst = Number of attempts to make
  • StartLimitIntervalSec = (RestartSec + RuntimeMaxSec) x StartLimitBurst x 10

So for a service that shall retry every 5 minutes (RestartSec), 12 times (StartLimitBurst), and shall be timed out after 30 seconds (RuntimeMaxSec):

systemd-run \
    --user \
    --property=Restart=on-failure\
    --property=RestartSec=300 \
    --property=RuntimeMaxSec=30
    --property=StartLimitBurst=12 \
    --property=StartLimitIntervalSec=39600 \
    sh -c 'test -e /tmp/1 && touch /tmp/1'

Set MTU on OpenVPN connections in Networkmanager

Is this really still required?

sudo install -m 0755 /dev/stdin /etc/NetworkManager/dispatcher.d/vpn-up << "Here"
#!/bin/sh

if [ "$2" = "vpn-up" ]; then
        ip link set dev "$1" mtu 1392
fi
Here
Too Good To, UNIX & Linux

Too good to #0013

In this installment:

  • Pipewire Easyeffects with RNNoise on Debian 12 / Bookworm
  • Gnome Night Light from Sunrise to Sunset, without Location Services
  • Revisiting ratarmount

Pipewire Easyeffects with RNNoise on Debian 12 / Bookworm

RNNoise for removing background sound on your microphone is not included in Debian 12, due to licensing issues around its training data. The least painful way to work around this is to install the Easyeffects Flatpak instead of the packaged easyeffects:

sudo apt-get install flatpak gnome-software-plugin-flatpak
sudo apt-get remove easyeffects
flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
flatpak install flathub com.github.wwmm.easyeffects

Gnome Night Light from Sunrise to Sunset, without Location Services

Set latitude and longitude manually (coordinates shown are for Frankfurt, Germany: 50° 6′ 38″ N, 8° 40′ 56″ E):

gsettings set \
  org.gnome.settings-daemon.plugins.color \
  night-light-last-coordinates '(50.0, 9.0)'

Revisiting ratarmount

Since my previous look at ratarmount, it went from 0.6.3 to 1.0.0, had the most interesting developments and now mounts archives via HTTP:

virtualenv ~/.local/ratarmount
~/.local/ratarmount/bin/pip3 install -U ratarmount[fsspec]
~/.local/ratarmount/bin/ratarmount
install -D ~/.local/ratarmount/bin/ratarmount ~/bin/

ratarmount -f https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-6.13.4.tar.xz ~/mnt
Too Good To, UNIX & Linux

Too good to #0011

Mozilla Firefox APT special

The Mozilla Firefox APT repository is incompatible with legacy apt-mirror. Here’s how I install apt-mirror2 as a dedicated python-virtualenv

# apt-get install virtualenv
# virtualenv --no-setuptools /usr/local/apt-mirror2/
# /usr/local/apt-mirror2/bin/pip3 install -U apt-mirror
# /usr/local/apt-mirror2/bin/apt-mirror --help
  • Repeat as-is to update.
  • Here’s the bug that neccessitates the --no-setuptools option: “ModuleNotFoundError: No module named ‘debian'”

mirror.list entry for the Mozilla Firefox APT repository:

deb-all [signed-by=/path/to/packages-mozilla-org.gpg] https://packages.mozilla.org/apt mozilla main
deb-amd64 [signed-by=/path/to/packages-mozilla-org.gpg] https://packages.mozilla.org/apt mozilla main

How to convert Mozilla’s sloppy ASCII-armored PGP key:

$ curl -s -O https://packages.mozilla.org/apt/repo-signing-key.gpg
$ file repo-signing-key.gpg
repo-signing-key.gpg: PGP public key block Secret-Key
$ mv repo-signing-key.gpg repo-signing-key
$ gpg --dearmor repo-signing-key
$ file repo-signing-key.gpg
repo-signing-key.gpg: OpenPGP Public Key Version 4, Created Tue May 4 21:08:03 2021, RSA (Encrypt or Sign, 2048 bits); User ID; Signature; OpenPGP Certificate
Too Good To, UNIX & Linux

Too good to #0010

In today’s installment:

  • “Headless” Nextcloud
  • Monitoring of fork activity

Mount Nextcloud files via rclone+Webdav, as a systemd user unit

# ~/.config/systemd/user/nextcloud-mount.service
[Unit]
Description=Mount Nextcloud via rclone-webdav

[Service]
ExecStartPre=mkdir -p %h/Nextcloud
ExecStart=rclone mount --vfs-cache-mode full --verbose nextcloud_webdav: %h/Nextcloud/
ExecStop=fusermount -u %h/Nextcloud/
ExecStopPost=rmdir %h/Nextcloud

[Install]
WantedBy=default.target

Sync instead of mount

Nextcloud via Webdav is absurdly slow, so maybe use nextcloudcmd instead, which unfortunately does not have its own daemonization:

# ~/.netrc (chmod 600)
machine my.nextcloud.example.com
login myuser
password *** (app password)

# ~/.config/systemd/user/nextcloudcmd.service
[Unit]
Description=nextcloudcmd (service)

[Service]
ExecStart=nextcloudcmd -n --silent %h/Nextcloud https://my.nextcloud.example.com

# ~/.config/systemd/user/nextcloudcmd.timer
[Unit]
Description=nextcloudcmd (timer)

[Timer]
OnStartupSec=60
OnUnitInactiveSec=300

[Install]
WantedBy=default.target

forkstat (8) – a tool to show process fork/exec/exit activity

High load without a single obvious CPU consuming process (not related to the Nextcloud shenanigans above) led me to forkstat(8):

Forkstat is a program that logs process fork(), exec(), exit(), coredump and process name change activity. It is useful for monitoring system behaviour and to track down rogue processes that are spawning off processes and potentially abusing the system.

$ sudo forkstat # (that's all)
Too Good To, UNIX & Linux

Too good to #0009

1 Comment

In this episode:

  • urlwatch for new daily Ubuntu Server ISO
  • systemd-run ephemeral timers as replacement for at
  • Mozillateam Firefox on Debian
  • systemd service: ExecStartPre as root
  • gdm3 autosuspend/shutdown behaviour

urlwatch for new daily Ubuntu Server ISO

Somewhat desparate because at the time of starting this post, the (pre-beta, non-LTS, not blaming anyone) server image in question was badly broken.

---
name: Ubuntu Server Daily ISO
url: https://cdimage.ubuntu.com/ubuntu-server/daily-live/current/SHA256SUMS
filter:
  - grep: .*-live-server-amd64.iso
---

systemd-run ephemeral timers as replacement for at

Goes great with “hardened” systems that deny use of at(1).

Run a command 60 seconds from now, via the user’s private systemd (after logout only if session lingering is enabled).

systemd-run --user --on-active=60s -- logger --tag foo "Hello world"

Run a command 2 minutes from now, privileged or as a specific user via the global systemd:

sudo systemd-run --uid="${LOGNAME}" --on-active=2m -- touch /tmp/hello

Insights

systemctl --user list-timers
journalctl --user -u 'run-*.timer'
sudo systemctl list-timers
sudo journalctl -u 'run-*.timer'

Mozillateam Firefox on Debian

$ sudo tee /etc/apt/sources.list.d/mozillateam-ppa.list <<Here
deb https://ppa.launchpadcontent.net/mozillateam/ppa/ubuntu jammy main
deb-src https://ppa.launchpadcontent.net/mozillateam/ppa/ubuntu jammy main
Here

$ sudo tee /etc/apt/trusted.gpg.d/mozillateam.asc < <(curl 'https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x0ab215679c571d1c8325275b9bdb3d89ce49ec21')

systemd service: ExecStartPre as root

[Service]
...
User=nonroot
Group=nonroot
ExecStartPre=+install -d /var/lib/theservice -o nonroot -g nonroot
ExecStart=/usr/sbin/theservice

See systemd.service, “special executable prefixes”.

gdm3 autosuspend/shutdown behaviour

Debian:

$ sudo apt-get install dbus-x11
$ sudo chsh -s /bin/bash Debian-gdm
$ sudo -i -u Debian-gdm
$ gsettings get org.gnome.settings-daemon.plugins.power sleep-inactive-ac-type
'suspend'
$ dbus-launch gsettings set org.gnome.settings-daemon.plugins.power sleep-inactive-ac-type nothing
$ gsettings get org.gnome.settings-daemon.plugins.power sleep-inactive-ac-type
$ exit
$ sudo chsh -s /bin/false Debian-gdm

Arch/Garuda:

$ sudo chsh -s /bin/bash gdm
$ gsettings get org.gnome.settings-daemon.plugins.power sleep-inactive-ac-type
'suspend'
$ dbus-launch gsettings set org.gnome.settings-daemon.plugins.power sleep-inactive-ac-type nothing
$ gsettings get org.gnome.settings-daemon.plugins.power sleep-inactive-ac-type
$ exit
$ sudo chsh -s /usr/bin/nologin gdm
Too Good To, UNIX & Linux

Too good to #0008

rinetd-style circuit level gateway in systemd

This accepts port 465/tcp and forwards all connections to a service running somewhere else on 1194/tcp.

The socket unit accepts the connection on port 465:

# /etc/systemd/system/tcp465-to-tcp1194.socket
[Unit]
Description="openvpn 465/tcp to 1194/tcp (socket)"

[Socket]
ListenStream=465

[Install]
WantedBy=sockets.target

systemd-socket-proxyd connects to the backend:

# /etc/systemd/system/tcp465-to-tcp1194.service
[Unit]
Description="openvpn 465/tcp to 1194/tcp (service)"

[Service]
ExecStart=/lib/systemd/systemd-socket-proxyd 10.12.13.14:1194
User=proxy

(Anyone old enough to remember that this was called a plug-gateway in the TIS Firewall Toolkit?)

Python pip/virtualenv/pipenv micro-HOWTO

Clone project with wacky dependencies:

git clone https://github.com/example/project.git

Install dependencies (from requirements.txt):

pipenv install (-r requirements.txt)

Run:

pipenv run ./script

Template for git commit message

Create the template, I prefer it outside the repository:

(blank line)
(blank line)
foo#1234 is the neverending story I'm constantly working on

Configure the path, relative to the repository root:

git config commit.template ../commit-template-for-foo.txt
python, Too Good To, UNIX & Linux

Too good to #0007

Disable the dynamic motd on Ubuntu and everywhere else

This is without messing around in /etc/pam.d or doing things that may be reverted by future updates. Remember to systemctl enable disable-dynamic-motd.timer.

# /etc/systemd/system/disable-dynamic-motd.timer
[Unit]
Description=Disable all the dynamic-motd scriptlets (timer)

[Timer]
OnBootSec=10
OnActiveSec=3600

[Install]
WantedBy=timers.target

# /etc/systemd/system/disable-dynamic-motd.service
[Unit]
Description=Disable all the dynamic-motd scriptlets (service)

[Service]
Type=oneshot
ExecStart=sh -c 'chmod -v -x /etc/update-motd.d/*'

Disable verbose logging on realmd.service

Problem on AD-member Linux client, realmd logs thousands of redundant messages:

Feb 01 11:11:34 kvm-28ca realmd[22302]: client using service: :1.1042
Feb 01 11:11:34 kvm-28ca realmd[22302]: holding daemon: :1.1042
Feb 01 11:11:34 kvm-28ca realmd[22302]: client gone away: :1.1042
Feb 01 11:11:34 kvm-28ca realmd[22302]: released daemon: :1.1042

Solution, disable debug logging in the systemd unit by introducing this drop-in:

# /etc/systemd/system/realmd.service.d/override.conf
[Service]
LogLevelMax=info

Sorting Debian package versions

dpkg –compare-versions is not exactly a secret, but I’ve wrapped a script around it to visualize and better wrap my head around non-straightforward naming schemes:

$ cat test.txt
2.1
2.2~pre01
1.0
2022-01.1~pre03
2.1-bugfix-foo
2.1~bugfix-foo
2.2
2022-01~foo~bar
2022-01
1.0
0
3
2022-01~foo

$ ./dpkg-sort-versions < test.txt
Sorted from lowest (oldest) to highest (latest):
0
1.0
1.0
2.1~bugfix-foo
2.1
2.1-bugfix-foo
2.2~pre01
2.2
3
2022-01~foo~bar
2022-01~foo
2022-01
2022-01.1~pre03

Script is here.

Too Good To, UNIX & Linux

Too good to #0006

1 Comment

“Sudo on demand” from TGT0003 considered more useful for downgrading privileges on the fly

#!/usr/bin/env bash

want_user=letsencrypt
am_user="$(id -un)"
printf "Running as: %s\n" "${am_user}"
if [[ "${want_user}" != "${am_user}" ]]
then
        printf "Re-executing with sudo.\n"
        exec sudo -u "${want_user}" "${0}"
fi
...

JSON export of all installed packages on Debian/Ubuntu

#!/bin/bash

function dpkg_json(){
    printf "{\n"
    format='"${Package}": { "Version": "${Version}", "Architecture": "${Architecture}", "Status": "${db:Status-Abbrev}" },\n'
    dpkg-query --show --showformat="${format}" | sed '$s/,$//'
    printf "}\n"
}

dpkg_json | jq .

Urlwatch for a new version of a package in the Ubuntu package pool

---
name: "Ubuntu Curtin package (waiting for apt-key fix)"
url: http://archive.ubuntu.com/ubuntu/pool/main/c/curtin/
filter:
  - xpath: //table//td[2]
  - html2text
  - grep: ^curtin.*\.deb$
---
Too Good To, UNIX & Linux

Too good to #0005

Prioritizing own NTP servers for systemd-timesyncd

# cat /etc/systemd/timesyncd.conf.d/timesyncd-corporate.conf 
[Time]
NTP=ntp1.example.com ntp2.example.com ntp.ubuntu.com

Test if text is empty (even if it does contain a linebreak)

Good job by: https://unix.stackexchange.com/q/386499/2028

if ! grep -q '[^[:space:]]' "${file}"; then echo "Text is empty"; fi

Watch for changes in the Gnome registry

(To reproduce manual changes, for configuration management.)

dconf watch / # (Sorry, thats all)

Trigger Debian/Ubuntu unattended-upgrade

(For testing configuration changes)

rm /var/lib/apt/periodic/*
systemctl start apt-daily.service 
systemctl start apt-daily-upgrade.service

And remember:

tail -f /var/log/unattended-upgrades/*log
Too Good To, UNIX & Linux

Too good to #0004

1 Comment

systemd, the good parts: monotonic timers

When systemd makes you suffer because “run job every 10 minutes” is infinitely harder to specify than in crontab, remember there are monotonic timers in systemd that aren’t derived from wallclock time, or “Calendar Events” as they call it.

Run timer once 60 seconds after system startup, then every 10 minutes after the job finished:

# /etc/systemd/system/demo.timer
[Unit]
Description=demo monotonic timer

[Timer]
OnStartupSec=60
OnUnitInactiveSec=600

[Install]
WantedBy=timers.target    # When in a system session
# WantedBy=default.target # When in a user session (~/.config/systemd, systemctl --user etc.)

Python: Use tabulate to format output in columns 

#!/usr/bin/env python3
from tabulate import tabulate

data = [
	[ 'foo', 'bar', 'baz' ],
	[ 'spam', 'eggs', 'bacon' ]
]

headers = ['Eine', '2', 'Whatever']

print(tabulate(data, headers=headers, tablefmt='simple'))

Output:

$ ./tab.py 
Eine    2     Whatever
------  ----  ----------
foo     bar   baz
spam    eggs  bacon

virsh/libvirt, automate key presses

(* Updated to sleep 5 seconds after each keypress.)

for key in R E I S U B; do virsh send-key "${domain}" KEY_LEFTALT KEY_SYSRQ KEY_${key}; sleep 5; done