FreeNas, Transmission and Corrupted Files – Part 2

This is continuation of FreeNas, Transmission and Corrupted Files – Part 1

When corruption started to hit it was bad… few of seeded torrent were crying about error, and each time I did Verify local files they end up cleaning them to 0%. It was very annoying, because after verification it want to redownload same file over and over again.

I started thinking… Could it be because of someone abusing tracker? I read multiply time about poisoning tracker and sending corrupted segments, but the more I read about that possibility the less it looked to be even possible, because of all those checksum inside bittorrent clients and microTP (uTP). It was more and more strange… I even reach out to mod of that tracker, but that didn’t yell any more information – but I did notice same IP sending same file so I reported that IPs as possible culprit – just in case because It would be faster and simpler for them to check if those few IPs are getting strange upload stats for less popular torrents (very rare Linux distributions)

I updated transmission by hand because I wanted to be sure its not a software issue – that did not helped.

I wanted to exclude possibility of external process modifying those files – I used AuditD…. and it was horror… It was horror because this is not suite for processes that run as deamons, its designed the way you could audit living/automated login into shell and then interrogate aka audit users/accounts.

Gladly someone said ‘I WANT TO USE IT THAT WAY’ and made a wrapper setaudit and it was a godsend. As Transmission is running inside Jail setaudit overcome any issue I had with auditd.

# setaudit command to lunch updated transmission inside first jail
./setaudit -a transmission -m fw jexec 1 /usr/pbi/transmission-amd64/bin/transmission-daemon -g /var/db/transmission -x /var/run/transmission/daemon.pid

1 2	# setaudit command to lunch updated transmission inside first jail ./setaudit -a transmission -m fw jexec 1 /usr/pbi/transmission-amd64/bin/transmission-daemon -g /var/db/transmission -x /var/run/transmission/daemon.pid

Running auditd gave me confirmation that the transmission indeed is overwriting files that I already had (basically nuke them).

It was time to check for hardware failure – but the strange thing was that always the same files got corrupted. But we live in strange times … anything is possible if you believe hard enough.

And after many-many hours and many-many tests later nothing came up from them I was still in middle of nowhere…

Then It hit me like a track… I tweak the jail because I was trying to overcome the issue with network and bypass limits of that container that In the end were not container fault, but I did not reverse those tweaks because they didn’t harm anyone, right?

Maybe it was cosmic radiation, maybe it was a lucky guess or conflict with upgraded version but after removing allow.raw_sockets=trueand rebooting I never had those corruptions issue ever again.

FreeNas, Transmission and Corrupted Files – Part 1

After many years of just ‘taking’ I mature and upgraded my setup to be able to give community back what I took.

I setup RAID 6 FreeNas machine. Thanks to playing with those I understood why everybody in FreeNas community hate Realtek and why people just say to throw it away and get something that works (FreeNas: Realtek 8111F and re0: Watchdog Timeout Error and FreeNas: Realtek 8111F and “re0: Watchdog Timeout Error” – universal solution). In the end I join the ‘hate club’ and bought Intel PRO 1000 PT Dual Port NIC. Fun part is that Linux handle Realtek with ease but I been with Linux when It didn’t like most of hardware that Windows support so I can understand that there are still hardware issues with FreeBSD.

Cool, FreeNAS install without any issues.

If you unfamiliar with FreeNAS it comes with ‘plugins’ that are basically jails with pre-configured application that ‘just works’.

I slap that Install button and almost instantaneous I had working Transmission 2.93 (FreeNAS should work about pushing updates to plugins faster but yeah, nothing to complicate that we cannot fix ourself if needed)

I mounted needed directories, slap few torrent files that I already had there and enjoyed how transmission is handling all those sweet, sweet files out there.

And Tranmission was working and it was doing good. But after many, many torrent more that join the seeding happy farm not many people did connect to share the love from me. I started tweaking Transmission. Setting by setting I scope documentation looking for holy grail, some magic setting that would boost simultaneous connections. I found few. So I created new config file, and it was good. Not the best but I notice some connection increase. But I was thinking that maybe its because the application is inside jail aka virtual network interface. Few threads on popular forums, many many blog post later I saw the solution allow.raw_sockets=true. Great I saw a big improvement with connections – but who know if that was really all this tweaking doing or just someone join the swarm.

Few days later I notice big (I could even say tremendous) packet drop from/in my network. What was happening ? Router that is used between NAS and WAN have working QoS rules so it shouldn’t be a problem with using to much of bandwidth… So what was it ?

Culprit here was the CPU inside the router – we need to remember that using fancy feature that make router even smarter use CPU. QoS, Firewall, VPN all of them take some of that sweet-sweet pie (CPU). But why its dropping packets you ask? Simple, there is less and less CPU power to handle all the traffic that is going to and from network so everything is super slow. But wait, didn’t it work before Transmission? Yes it did – and we could disable some functions but we can do better. Lets optimize some firewall rules, we can cut QoS from 10 types to 5 without big sacrifices. Is that enough? No, but we can tweak both Transmission and firewall rule for it. Let set ‘Max connections’ to smaller number and double that with same (or 1% more on firewall rule so we are double sure that anything that is marked as ‘new connection’ and is about our limit get dropped).

And this gave enough room for that sweet-sweet pie named CPU could handle ‘few’ packets more.

And it was good for months and months…

Until the corruption start to show !

(continue in part 2)

Add second IP address

You can add address to any network adapter, but that change can be temporary or permanent

Temporary:

# ifconfig <network adapter>:0 <ip> netmask <netmask> up
# example:
ifconfig eth0:0 192.168.0.23 netmask 255.255.255.0 up

# or 
# ip address add <ip>/<netmask> dev <network adapter>
ip address add 192.168.0.23/24 dev eth0

# ifconfig <network adapter>:0 <ip> netmask <netmask> up

# example:

ifconfig eth0:0 192.168.0.23 netmask 255.255.255.0 up

# or

# ip address add <ip>/<netmask> dev <network adapter>

ip address add 192.168.0.23/24 dev eth0

Permanently:

#edit /etc/network/interfaces
# auto <network adapter>:<number>
# iface <network adapter>:<number> inet static
# address <ip>
# gateway <gateway ip>
# netmask <netmask>
# example:

auto eth0:1
iface eth0:1 inet static
address 192.168.0.23
gateway 192.168.0.1
netmask 255.255.255.0

#edit /etc/network/interfaces

# auto <network adapter>:<number>

# iface <network adapter>:<number> inet static

# address <ip>

# gateway <gateway ip>

# netmask <netmask>

# example:

auto eth0:1

iface eth0:1 inet static

address 192.168.0.23

gateway 192.168.0.1

netmask 255.255.255.0

How to find all non ascii characters

Regular expression (RegEx) is like magic book, and this is the spell you need to cast for all those country related character that are out of A-Z English scope (ex. Polish, German, Japanese, Chinese characters):

[^\x00-\x7F]+

1	[^\x00-\x7F]+

Works great with vim or notepad++

MySQL row size too large (>8126)

This is something to do with bad table design, where you are using multiply columns with Text values, the best solution would be redesign tables, but from time to time you need to patch it at-hoc without redesigning application that use that database.

Solution that usually works:

# to my.conf mysql configuration file add/replace:
innodb_file_per_table
innodb_file_format = Barracuda

# and alter table that throw error with
ALTER TABLE your_table ENGINE=InnoDB ROW_FORMAT=DYNAMIC

# to my.conf mysql configuration file add/replace:

innodb_file_per_table

innodb_file_format = Barracuda

# and alter table that throw error with

ALTER TABLE your_table ENGINE=InnoDB ROW_FORMAT=DYNAMIC

Extract specific file from tar.gz

tar -zxvf archive.tar.gz full-file-path-inside-archive

# to get that specific file you need full path try
tar -tzf archive.tar.gz | grep file-to-extract
# you will end up with 
./file-to-extract or similar then use that full path with first command

tar -zxvf archive.tar.gz full-file-path-inside-archive

# to get that specific file you need full path try

tar -tzf archive.tar.gz | grep file-to-extract

# you will end up with

./file-to-extract or similar then use that full path with first command

Side note its not super fast for big archives, sadly.

Export or save Putty configuration

From time to time we need migrate our putty configuration/sessions that we saved (configurations, IPs etc).

Putty store those data inside system register and those are some methods to extract them and save to new pc:

# cmd
regedit /e "%USERPROFILE%\Desktop\putty.reg" HKEY_CURRENT_USER\Software\SimonTatham

# powershell
reg export HKCU\Software\SimonTatham ([Environment]::GetFolderPath("Desktop") + "\putty.reg")

# regedit
HKEY_CURRENT_USER -> Software -> SimonTatham -> PuTTY

# cmd

regedit /e "%USERPROFILE%\Desktop\putty.reg" HKEY_CURRENT_USER\Software\SimonTatham

# powershell

reg export HKCU\Software\SimonTatham ([Environment]::GetFolderPath("Desktop") + "\putty.reg")

# regedit

HKEY_CURRENT_USER -> Software -> SimonTatham -> PuTTY

We end up with putty.reg on our Desktop which we can execute on new computer and enjoy with same settings/sessions as before.

FreeNas: Realtek 8111F and “re0: Watchdog Timeout Error” – universal solution

This is continuation from FreeNas: Realtek 8111F and re0: Watchdog Timeout Error

Last solution was only for FreeNas 9.1 which is now a bit outdated.

Below I will show you how to fix the issue (by compiling your own drivers that are dedicated for your os version):

# I prefer making this inside jail so there is no extra leftovers
# so I created jail named 'test' which is my jail number 1
jls
jailme 1 /bin/csh
curl -o /tmp/rtlv194.01.tgz http://12244.wpc.azureedge.net/8012244/drivers/rtdrivers/cn/nic/0007-rtl_bsd_drv_v194.01.tgz
tar -xf /tmp/rtlv194.01.tgz -C /tmp/
cp /tmp/rtl_bsd_drv_v194.01/if_re* /usr/src/sys/dev/re/
cp /tmp/rtl_bsd_drv_v194.01/Makefile /usr/src/sys/modules/re/
cd /usr/src/sys/modules/re/
make
cp /usr/src/sys/modules/re/if_re.ko /if_re_194.ko
exit
cp /mnt/***/jails/test/if_re_194.ko /boot/kernel/if_re.ko

# Enable with the FreeNAS GUI in System/Tunables. Variable if_re_load, Value YES, Type loader, Enabled true
# reboot

# I prefer making this inside jail so there is no extra leftovers

# so I created jail named 'test' which is my jail number 1

jls

jailme 1 /bin/csh

curl -o /tmp/rtlv194.01.tgz http://12244.wpc.azureedge.net/8012244/drivers/rtdrivers/cn/nic/0007-rtl_bsd_drv_v194.01.tgz

tar -xf /tmp/rtlv194.01.tgz -C /tmp/

cp /tmp/rtl_bsd_drv_v194.01/if_re* /usr/src/sys/dev/re/

cp /tmp/rtl_bsd_drv_v194.01/Makefile /usr/src/sys/modules/re/

cd /usr/src/sys/modules/re/

make

cp /usr/src/sys/modules/re/if_re.ko /if_re_194.ko

exit

cp /mnt/***/jails/test/if_re_194.ko /boot/kernel/if_re.ko

# Enable with the FreeNAS GUI in System/Tunables. Variable if_re_load, Value YES, Type loader, Enabled true

# reboot

In case the official link to tgz is down, here is mirror I made: 007-rtl_bsd_drv_v194.01.tgz

Nagios – network/device configuration

If you don’t have working Nagios installation fell free to follow Nagios – New installation on Debian 9 link.

We will need to add folder structure (for better organization) to nagios config file:

# edit nagios.cfg
mcedit /usr/local/nagios/etc/nagios.cfg

# lets add out root dir that will store our config files for device/network
# this way we don't need to type cfg_file for each .cfg file out there
cfg_dir=/usr/local/nagios/etc/devices

# save file and create proper directory
mkdir /usr/local/nagios/etc/devices
cd /usr/local/nagios/etc/devices

# edit nagios.cfg

mcedit /usr/local/nagios/etc/nagios.cfg

# lets add out root dir that will store our config files for device/network

# this way we don't need to type cfg_file for each .cfg file out there

cfg_dir=/usr/local/nagios/etc/devices

# save file and create proper directory

mkdir /usr/local/nagios/etc/devices

cd /usr/local/nagios/etc/devices

Not everyone have luxury to always use smart switches around network – those make live a lot easier, but life is not a dream 🙂

Let us make a template for non-smart aka no-ping switches:

define host{
        name                            noping-host    ; The name of this host template
        notifications_enabled           1       
        event_handler_enabled           1       
        flap_detection_enabled          1      
        process_perf_data               1      
        retain_status_information       1       
        retain_nonstatus_information    1       
        notification_interval           0
        notification_period             24x7
        notification_options            d,u,r
        contact_groups                  admins
        max_check_attempts              5
        address                         127.0.0.1      ; Just so we don't have to write it all the time
        register                        0      
        }

define host{

name noping-host ; The name of this host template

notifications_enabled 1

event_handler_enabled 1

flap_detection_enabled 1

process_perf_data 1

retain_status_information 1

retain_nonstatus_information 1

notification_interval 0

notification_period 24x7

notification_options d,u,r

contact_groups admins

max_check_attempts 5

address 127.0.0.1 ; Just so we don't have to write it all the time

}

Now we can define few switches like this:

define host{
            use noping-host
            host_name switch-number-1
            alias Switch Number 1
            icon_image switch40.png
            statusmap_image switch40.gd2
            parent name_of_parent_host_name  ; use this to make tree on map
            initial_status u
}

define host{

use noping-host

host_name switch-number-1

alias Switch Number 1

icon_image switch40.png

statusmap_image switch40.gd2

parent name_of_parent_host_name ; use this to make tree on map

initial_status u

}

You can most variables put to template file so there will be even less writing

Most common type of templete is: linux-server (you can check others in /usr/local/nagios/etc/objects/templates.cfg )

After making few .cfg files inside our directory remamber to chown nagios:nagios -R /usr/local/nagios/etc/devices/ to avoid erros and restart nagios

Nagios – New installation on Debian 9

If you have to install a really great network those such as Nagios those will be steps needed:

1.Installing Apache2 + PHP (Skip if you already have one):

apt-get install apache2 libapache2-mod-php7.0 php7.0
# enable cgi
a2enmod rewrite headers cgi
systemctl restart apache2

# setup correct timezone in php
mcedit /etc/php/7.0/apache2/php.ini
# set date.timezone according to http://php.net/manual/en/timezones.php
systemctl restart apache2

# info.php
echo '<?php phpinfo(); ?>' >/var/www/html/info.php

# open browser apache_server_ip/info.php and check 'default timezone'

apt-get install apache2 libapache2-mod-php7.0 php7.0

# enable cgi

a2enmod rewrite headers cgi

systemctl restart apache2

# setup correct timezone in php

mcedit /etc/php/7.0/apache2/php.ini

# set date.timezone according to http://php.net/manual/en/timezones.php

systemctl restart apache2

# info.php

echo '<?php phpinfo(); ?>' >/var/www/html/info.php

# open browser apache_server_ip/info.php and check 'default timezone'

2.Installing Nagios core:

# pre-request to build nagios from source:
apt-get install autoconf gcc libc6 make apache2-utils libgd-dev

# get source from https://www.nagios.org/downloads/nagios-core/
wget https://assets.nagios.com/downloads/nagioscore/releases/nagios-4.3.4.tar.gz
tar xzf nagios-4.3.4.tar.gz
cd nagios-4.3.4/
./configure --with-httpd-conf=/etc/apache2/sites-enabled

# Output should look like this:
*** Configuration summary for nagios 4.3.4 2017-08-24 ***:

 General Options:
 -------------------------
        Nagios executable:  nagios
        Nagios user/group:  nagios,nagios
       Command user/group:  nagios,nagios
             Event Broker:  yes
        Install ${prefix}:  /usr/local/nagios
    Install ${includedir}:  /usr/local/nagios/include/nagios
                Lock file:  /run/nagios.lock
   Check result directory:  ${prefix}/var/spool/checkresults
           Init directory:  /etc/init.d
  Apache conf.d directory:  /etc/apache2/sites-enabled
             Mail program:  /usr/bin/mail
                  Host OS:  linux-gnu
          IOBroker Method:  epoll

 Web Interface Options:
 ------------------------
                 HTML URL:  http://localhost/nagios/
                  CGI URL:  http://localhost/nagios/cgi-bin/
 Traceroute (used by WAP):  /usr/sbin/traceroute


Review the options above for accuracy.  If they look okay,
type 'make all' to compile the main program and CGIs.

##################

# next we need to 'make' it ;-)
make all

# Output should look like this:
Enjoy.

# and we will in few minutes
# lets us create user for nagios
useradd nagios
# we will add him to apache group
usermod -a -G nagios www-data

# last but not least:
make install

# Output should look like this:

/usr/bin/install -c -m 775 -o nagios -g nagios -d /usr/local/nagios/libexec
/usr/bin/install -c -m 775 -o nagios -g nagios -d /usr/local/nagios/var
/usr/bin/install -c -m 775 -o nagios -g nagios -d /usr/local/nagios/var/archives
/usr/bin/install -c -m 775 -o nagios -g nagios -d /usr/local/nagios/var/spool/checkresults
chmod g+s /usr/local/nagios/var/spool/checkresults

*** Main program, CGIs and HTML files installed ***

You can continue with installing Nagios as follows (type 'make'
without any arguments for a list of all possible options):

  make install-init
     - This installs the init script in /etc/init.d

  make install-commandmode
     - This installs and configures permissions on the
       directory for holding the external command file

  make install-config
     - This installs sample config files in /usr/local/nagios/etc


##############

# let's add init script
make install-init
# and enable init script
systemctl enable nagios.service

# install and configure permissions for external command file:
make install-commandmode

# and add sample configuration so nagios will start:
make install-config

# add nagios-site apache configuration file:
make install-webconf

# we need to create nagiosadmin account for http
htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin

# finally we can restart apache and start nagios:
systemctl restart apache2
systemctl start nagios

# open browser and type: nagios_ip_address/nagios/

100

101

102

103

# pre-request to build nagios from source:

apt-get install autoconf gcc libc6 make apache2-utils libgd-dev

# get source from https://www.nagios.org/downloads/nagios-core/

wget https://assets.nagios.com/downloads/nagioscore/releases/nagios-4.3.4.tar.gz

tar xzf nagios-4.3.4.tar.gz

cd nagios-4.3.4/

./configure --with-httpd-conf=/etc/apache2/sites-enabled

# Output should look like this:

*** Configuration summary for nagios 4.3.4 2017-08-24 ***:

General Options:

-------------------------

Nagios executable: nagios

Nagios user/group: nagios,nagios

Command user/group: nagios,nagios

Event Broker: yes

Install ${prefix}: /usr/local/nagios

Install ${includedir}: /usr/local/nagios/include/nagios

Lock file: /run/nagios.lock

Check result directory: ${prefix}/var/spool/checkresults

Init directory: /etc/init.d

Apache conf.d directory: /etc/apache2/sites-enabled

Mail program: /usr/bin/mail

Host OS: linux-gnu

IOBroker Method: epoll

Web Interface Options:

------------------------

HTML URL: http://localhost/nagios/

CGI URL: http://localhost/nagios/cgi-bin/

Traceroute (used by WAP): /usr/sbin/traceroute

Review the options above for accuracy. If they look okay,

type 'make all' to compile the main program and CGIs.

##################

# next we need to 'make' it ;-)

make all

# Output should look like this:

Enjoy.

# and we will in few minutes

# lets us create user for nagios

useradd nagios

# we will add him to apache group

usermod -a -G nagios www-data

# last but not least:

make install

# Output should look like this:

/usr/bin/install -c -m 775 -o nagios -g nagios -d /usr/local/nagios/libexec

/usr/bin/install -c -m 775 -o nagios -g nagios -d /usr/local/nagios/var

/usr/bin/install -c -m 775 -o nagios -g nagios -d /usr/local/nagios/var/archives

/usr/bin/install -c -m 775 -o nagios -g nagios -d /usr/local/nagios/var/spool/checkresults

chmod g+s /usr/local/nagios/var/spool/checkresults

*** Main program, CGIs and HTML files installed ***

You can continue with installing Nagios as follows (type 'make'

without any arguments for a list of all possible options):

make install-init

- This installs the init script in /etc/init.d

make install-commandmode

- This installs and configures permissions on the

directory for holding the external command file

make install-config

- This installs sample config files in /usr/local/nagios/etc

##############

# let's add init script

make install-init

# and enable init script

systemctl enable nagios.service

# install and configure permissions for external command file:

make install-commandmode

# and add sample configuration so nagios will start:

make install-config

# add nagios-site apache configuration file:

make install-webconf

# we need to create nagiosadmin account for http

htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin

# finally we can restart apache and start nagios:

systemctl restart apache2

systemctl start nagios

# open browser and type: nagios_ip_address/nagios/

3.Installing Nagios Plugins (needed !)

# pre-require
apt-get install libmcrypt-dev make libssl-dev bc gawk dc build-essential snmp libnet-snmp-perl gettext libldap2-dev smbclient fping default-libmysqlclient-dev

# get latest source file! from https://github.com/nagios-plugins/nagios-plugins/releases
wget https://github.com/nagios-plugins/nagios-plugins/archive/release-2.2.1.tar.gz
tar zxvf release-2.2.1.tar.gz
cd nagios-plugins-release-2.2.1/
./tools/setup
./configure
make
make install

# now we should have all commands in /usr/local/nagios/libexec/
ls /usr/local/nagios/libexec/

# restart nagios so he can load those:
systemctl restart nagios.service

# pre-require

apt-get install libmcrypt-dev make libssl-dev bc gawk dc build-essential snmp libnet-snmp-perl gettext libldap2-dev smbclient fping default-libmysqlclient-dev

# get latest source file! from https://github.com/nagios-plugins/nagios-plugins/releases

wget https://github.com/nagios-plugins/nagios-plugins/archive/release-2.2.1.tar.gz

tar zxvf release-2.2.1.tar.gz

cd nagios-plugins-release-2.2.1/

./tools/setup

./configure

make

make install

# now we should have all commands in /usr/local/nagios/libexec/

ls /usr/local/nagios/libexec/

# restart nagios so he can load those:

systemctl restart nagios.service

4.Enable SSL for Nagios (and not only)

# enable module
a2enmod ssl
systemctl restart apache2

# edit apache to redirect traffic to ssl
mcedit /etc/apache2/sites-enabled/000-default.conf
# add this to VirtualHost:
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^(.*) https://%{HTTP_HOST}/$1

# after modification file should look like this:
<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        RewriteEngine on
        RewriteCond %{HTTPS} off
        RewriteRule ^(.*) https://%{HTTP_HOST}/$1

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

# enable ssl apache config file without it you will get SSL_ERROR_RX_RECORD_TOO_LONG error
a2ensite default-ssl.conf

# let us restart apache
systemctl restart apache2.service

# enable module

a2enmod ssl

systemctl restart apache2

# edit apache to redirect traffic to ssl

mcedit /etc/apache2/sites-enabled/000-default.conf

# add this to VirtualHost:

RewriteEngine on

RewriteCond %{HTTPS} off

RewriteRule ^(.*) https://%{HTTP_HOST}/$1

# after modification file should look like this:

ServerAdmin webmaster@localhost

DocumentRoot /var/www/html

RewriteEngine on

RewriteCond %{HTTPS} off

RewriteRule ^(.*) https://%{HTTP_HOST}/$1

ErrorLog ${APACHE_LOG_DIR}/error.log

CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

# enable ssl apache config file without it you will get SSL_ERROR_RX_RECORD_TOO_LONG error

a2ensite default-ssl.conf

# let us restart apache

systemctl restart apache2.service

November 2018
M	T	W	T	F	S	S
« Oct
			1	2	3	4
5	6	7	8	9	10	11
12	13	14	15	16	17	18
19	20	21	22	23	24	25
26	27	28	29	30