[DIY] - SmallNetworks - Learning by Doing

Tossing this out - original post might not be found, but there's value here...

Simple Containers on the DIY platform in this thread - DokuWiki format...
 

Attachments

  • simple_containers.txt
    17.8 KB · Views: 748
Reviewing my doku wiki I put together from the posts provided here I still have some unfinished contents. Specifically "Network Monitoring", "Monitoring", "Simple NAS Server" and "Extras".

Just wondering if I missed something or are they not quite finished yet? :)

I still owe a couple of posts here - restructuring things to remove SNB references - but the content will be the same...
 
It's been a while - Raspbian has evolved, and things go on...

Here's a quick post on managing users...

==== Raspbian Jessie - Add new privileged user ====

As part of hardening the RPi - we add a new user with admin rights, deprecating the "pi" user (just set a long/robust password for pi, use the new account instead for daily stuff)

For SSH - review the SSH section - for allowusers on sshd, ensure that pi is not an allowed user to reduce the threat from brute force attacks

Add a new user, and give it the right perms/access

Below, we add "testuser" as the replacement user - once that userid is created, we need to include the same groups as the "pi" user...

Code:
# sudo useradd testuser -s /bin/bash -m -G adm,sudo,dialout,cdrom,audio,video,plugdev,games,users,input,netdev,gpio,i2c,spi
# sudo passwd testuser
Enter new UNIX password:  
Retype new UNIX password:  
passwd: password updated successfully

**edit sudoers**

With Raspbian - we need to add/modify sudoers file to ensure that the Pixel GUI still works for BT/WiFI config, along with the Raspi-Config GUI - this is a specific item for Raspbian-Jessie and the Pixel UI

NOTE - I'd like to not do this, as we still want to honor the rule of least privilege, and having to enter the sudo password helps out much, but as Raspbian is now, the GUI breaks if we don't do this...

Edit the /etc/sudoers file - in that file, look for the line that says "ALL=(ALL:ALL) ALL", comment it out, and add a new line like below:

Code:
# Allow members of group sudo to execute any command
# %sudo    ALL=(ALL:ALL) ALL
%sudo    ALL=(ALL) NOPASSWD: ALL

**Remove the pi user**

This is not recommended as it will break things in the GUI config - better to leave pi user in place, and use a robust password - see pwgen

But if one must...

Code:
# sudo userdel pi
# sudo rm -rf /home/pi
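
Added example (not part of the original post): a small shell audit for the three changes described in this post. It lists active NOPASSWD rules, checks whether an account such as pi is still permitted by AllowUsers, and shows supplementary groups the new account lacks. The sample files and group lists are constructed, and the AllowUsers check assumes plain user names (no wildcard patterns, no Match blocks).

```sh
#!/bin/sh
# Added example, not from the original post: audit the changes made above.
# Functions take file paths / lists as arguments so they can be run on copies.

# Print every active (uncommented) sudoers rule that grants NOPASSWD.
nopasswd_rules() {
    awk '!/^[ \t]*#/ && /NOPASSWD:/ { print FILENAME ":" FNR ": " $0 }' "$@"
}

# Exit 0 if user $2 may log in under sshd_config $1: no AllowUsers line at all
# (sshd then allows everyone) or the user is named on one. Keywords are
# case-insensitive. Assumption: no wildcard patterns and no Match blocks.
ssh_user_allowed() {
    awk -v u="$2" '
        tolower($1) == "allowusers" {
            seen = 1
            for (i = 2; i <= NF; i++) { split($i, p, "@"); if (p[1] == u) ok = 1 }
        }
        END { exit (seen && !ok) ? 1 : 0 }' "$1"
}

# Print groups from list $1 (old account) that list $2 (new account) lacks.
missing_groups() {
    for g in $1; do
        case " $2 " in *" $g "*) ;; *) printf '%s\n' "$g" ;; esac
    done
}

demo() {
    d=$(mktemp -d)   # constructed sample files mirroring the post
    printf '%s\n' '# %sudo    ALL=(ALL:ALL) ALL' \
                  '%sudo    ALL=(ALL) NOPASSWD: ALL' > "$d/sudoers"
    printf '%s\n' 'PermitRootLogin no' 'AllowUsers testuser' > "$d/sshd_config"
    echo "NOPASSWD rules:"; nopasswd_rules "$d/sudoers"
    for u in pi testuser; do
        if ssh_user_allowed "$d/sshd_config" "$u"; then echo "ssh $u: allowed"
        else echo "ssh $u: blocked by AllowUsers"; fi
    done
    echo "groups the old account has that the new one lacks:"
    missing_groups "adm sudo gpio i2c spi" "adm sudo gpio"   # constructed lists
    rm -rf "$d"
}
demo
```

On a live system the group lists can come from `id -nG pi` and `id -nG testuser`; the old account's own primary group will show up as missing, which is expected.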
 
Install ssmtp - this is handy for scripts that need to reach out via email for results...

ssmtp is very lightweight - less than Sendmail/Postfix/Qmail/etc...

==== Install ssmtp - simple mail agent ====

sSMTP is an extremely simple MTA to get mail off the system to a mail hub. It contains no suid-binaries or other dangerous things – no mail spool to poke around in, and no daemons running in the background. Mail is simply forwarded to the configured mailhost. Extremely easy configuration.

This is ideal for web servers to avoid running MTA daemons like sendmail, Exim and Postfix which use up resources on the server.

Install sSMTP (Note: Any previously installed MTA will be removed)

Code:
apt-get install ssmtp

Configure the server (pico /etc/ssmtp/ssmtp.conf)

Code:
mailhub=mail.example.org
FromLineOverride=YES

Replace mail.example.org with the external mail server that you want to relay all mail to.

**Using gmail with ssmtp**

If you would like to relay through Google Mail servers, change these configuration values:
Code:
mailhub=smtp.gmail.com:587
UseSTARTTLS=Yes
AuthUser=gmailuser@gmail.com
AuthPass=gmailpassword
FromLineOverride=YES

Replace <gmailuser> with your Gmail username and <gmailpassword> with your Gmail password.

That’s all! sSMTP doesn’t run as service so there’s no restart required. sSMTP creates a link to /usr/sbin/sendmail which most programs use by default to send mail including PHP.

**Create aliases for local usernames (optional)**

edit the /etc/ssmtp/revaliases file

sudo nano /etc/ssmtp/revaliases

And add into it the desired translation, which in our Gmail example's case will be

Code:
root:gmailuser@gmail.com:smtp.gmail.com:587
localuser:gmailuser@gmail.com:smtp.gmail.com:587

From now on, the machine will Email when requested through command line or script.

**Check setup**

Let's test that our ssmtp setup was correct by sending an Email - The “-vvv” turns on verbosity output.

Code:
echo "Test message from Linux server using ssmtp" | sudo ssmtp -vvv destination-email-address@some-domain.com

**Errors**

Unfortunately a few things can go wrong.
* Check username and password again
* Check Google is not blocking your new device
* Check Two Factor Auth on Google Account
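
Added example (not part of the original post): because AuthPass sits in /etc/ssmtp/ssmtp.conf in plaintext, this shell check flags a config that is readable by other local users or that sets AuthPass without UseSTARTTLS/UseTLS. The function names and the sample config are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. The sample config is constructed.

# Succeeds if the file is readable by "other" (permission bit 004).
world_readable() {
    [ -n "$(find "$1" -prune -perm -004)" ]
}

# Print one finding per line for an ssmtp.conf-style file ($1).
ssmtp_findings() {
    awk -F= '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        { key = tolower($1); val = tolower($2)
          gsub(/[ \t\r]/, "", key); gsub(/[ \t\r]/, "", val)
          conf[key] = val }
        END {
            if (!("authpass" in conf)) exit      # no stored credential
            if (conf["usestarttls"] != "yes" && conf["usetls"] != "yes")
                print "AuthPass set without UseSTARTTLS/UseTLS: login is sent unencrypted"
        }' "$1"
    if grep -qi '^[[:space:]]*AuthPass' "$1" && world_readable "$1"; then
        echo "file holds AuthPass and is readable by every local user"
    fi
    return 0
}

demo() {
    f=$(mktemp)
    # Constructed weak variant of the Gmail config: no UseSTARTTLS, mode 644.
    printf '%s\n' 'mailhub=smtp.gmail.com:587' 'AuthUser=gmailuser@gmail.com' \
                  'AuthPass=gmailpassword' 'FromLineOverride=YES' > "$f"
    chmod 644 "$f"
    echo "--- weak config:";      ssmtp_findings "$f"
    # Corrected: STARTTLS on, file no longer readable by "other".
    echo 'UseSTARTTLS=Yes' >> "$f"
    chmod 640 "$f"
    echo "--- corrected config:"; ssmtp_findings "$f"
    rm -f "$f"
}
demo
```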
 
Linux and some kernel tuning for best performance - client and server on 1GB connections on ipv4...

Kernel Tuning

This is more about keeping latency low
Code:
# /etc/sysctl.conf
# these might not work for everyone
# Some kernel tweaks for Network performance
# a bit aggressive, but good for gigabit
#
# socket buffer space - sounds like a lot at 16MB per socket. it isn't
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
# These are the corresponding settings for the IP protocol, in the format
# (min, default, max) bytes. The max value can’t be larger than the
# equivalent net.core.{r,w}mem_max.
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
# Increase the number of outstanding syn requests allowed.
net.ipv4.tcp_max_syn_backlog = 4096
# tell kernel to keep 64MB RAM free at all times
vm.min_free_kbytes = 65536
# Keep VM calm when hitting the swap file when you’re running
# under high memory pressure with software
# that tries to do its own memory management (i.e. MySQL).
vm.swappiness = 10
 
Mem Stuff... Raspbian doesn't support this (yet, I have an open ticket with them), but debian/redhat distros generally do implement this feature currently....

KSM

Kernel Samepage Merging is a kernel feature which merges identical pages in memory. If you are using different virtual machines, with the same operating system and applications running in it, lots of memory pages will actually be identical. KSM will save memory by merging the identical pages.

To enable this on Debian, I have put this in my /etc/rc.local script:
Code:
echo 1 > /sys/kernel/mm/ksm/run
echo 1000 > /sys/kernel/mm/ksm/sleep_millisecs
The last line is optional. It raises the interval during two different memory scans, so that the CPU is not too busy scanning for duplicate memory pages all the time.
 
With Pi's and Raspbian - ZRAM can help out a lot - keeps swap from hammering the SD card...

This works with Jessie kernel 4.4 and later...

==== Enable Zram ====

Code:
#!/bin/bash

# Raspberry Pi ZRAM script
# Tuned for quad core, 1 GB RAM models
# put me in /etc/init.d/zram.sh and make me executable
# then run "sudo update-rc.d zram.sh defaults"

modprobe zram
echo 3 >/sys/devices/virtual/block/zram0/max_comp_streams
echo lz4 >/sys/devices/virtual/block/zram0/comp_algorithm
echo 268435456 >/sys/devices/virtual/block/zram0/mem_limit
echo 536870912 >/sys/devices/virtual/block/zram0/disksize
mkswap /dev/zram0
swapon -p 0 /dev/zram0
sysctl vm.swappiness=10

You can check /etc/sysctl.conf there... dmesg should show the device added - dmesg | grep zram
 
Making test files with Linux... this is useful for bandwidth testing for various services (file transfer protocol, simple message block, etc...)

Cloudflare for some reason blocks most of this... so we'll drop a screenshot in...

Screen Shot 2017-06-17 at 5.51.08 PM.png
 
Here's the github ticket for KSM...

piggybacking on netdata's ticket there...

https://github.com/raspberrypi/linux/issues/1238

It's low risk, double opt-in there... Android uses the same approach for KSM/ZRAM on small memory devices...
 
@sfx2000

Browsed through this entire thread, but had trouble locating all the sections (and what was the latest). Any chance you can make up a tar file of your final doc for download? Thanks!
 
Been thinking about just spinning up a dokuwiki instance and hosting it...
 
That works ... Just picked up a Pi 3B+ to play with :)

Does dokuwiki have a way to print out the content?

Yep, and the style sheet is pretty honest to the markup... see attached (warning, PDF file)
 

Attachments

  • snb_basics_-_pistuff [blaster.notes].pdf
    91.6 KB · Views: 242
