APT sources list

Problem: when debian goes from “testing” to “stable” to “oldstable” the package sources change. eg. jessie-updates are remove, same happened to jessie-backports

The current file /etc/apt/sources.list for jessie (currently oldstable) could look like this

deb http://ftp.debian.org/debian/ jessie main contrib non-free
deb http://security.debian.org/ jessie/updates main contrib non-free

Configure WLAN Statically in Debian/Linux

If you want to configure WLAN settings on a Linux machine statically you can use the normal /etc/network/interfaces configuration method of Debian. For WPA-PSK you can use this 3 steps:

Install the “wpasupplicant” package

Generate a psk line with “wpa_passphrase” and copy the hex string after “psk=”

root@server:~# wpa_passphrase WLANNAME
# reading passphrase from stdin
thepassword
network={
ssid="WLANNAME"
#psk="thepassword"
psk=fe5409c4831b3daafff41fe2e6ed15ba7ed18c87bab254315e0be5f9180573d3
}

Add some lines to /etc/network/interfaces using this hex string

allow-hotplug wlan0
iface wlan0 inet dhcp
metric 4
wpa-essid WLANNAME
wpa-scan-ssid 1
wpa-psk fe5409c4831b3daafff41fe2e6ed15ba7ed18c87bab254315e0be5f9180573d3

The line “wpa-scan-ssid 1” allows to use hidden WLAN that are not broadcasted. With “metric 4” you can make WLAN less preferred if there is a second LAN connection that should be preferred (default is “metric 1”).

MikroTik Automatic IPSec Failover

Problem: Mikrotik allows only one ipsec policy per network-to-network pair. If you want to have redundant tunnels between two locations with two upstreams you cannot configure ipsec redundancy on Mikrotik because one ipsec policy is always marked as “invalid” by the OS.

Solution: I made a Mikrotik script that checks the status and reachabilty of the ipsec tunnel and endpoint, and switches between a primary and secondary tunnel policy and peer. You can add this script to the scheduler, for automatic failover. (Source: “/system script run 0” if this script is script “0”)

{
:local PrimaryPolicy 2
:local SecondaryPolicy 3
:local PrimaryPeer 0
:local SecondaryPeer 1

:local PrimaryOK [:ping count=3 src-address=localAip remoteAip];
:local SecondaryOK [:ping count=3 src-address=localBip remoteBip];
:local PrimaryActive [/ip ipsec policy get $PrimaryPolicy active];

# :log info "Status: $PrimaryOK $SecondaryOK $PrimaryActive";
# Test case: set $PrimaryOK 0;

:if ($PrimaryOK < 1 && $SecondaryOK > 1 && $PrimaryActive) do={
:log warn "switch to failover";
/ip ipsec policy disable $PrimaryPolicy;
/ip ipsec policy enable $SecondaryPolicy;
/ip ipsec peer disable $PrimaryPeer;
/ip ipsec peer enable $SecondaryPeer;
}
:if ($PrimaryOK = 3 && !$PrimaryActive) do={
:log warn "switch to primary";
/ip ipsec policy disable $SecondaryPolicy;
/ip ipsec policy enable $PrimaryPolicy;
/ip ipsec peer disable $SecondaryPeer;
/ip ipsec peer enable $PrimaryPeer;
}
}

Version: tested with RouterOS 6.44.1

No Text Console After NVME Storage Upgrade

Problem: After upgrading a system to NVME, Linux boots without textconsole, or sends the text console to the wrong graphics card.

Discussion: The NVME upgrade needed to change from BIOS boot to UEFI boot. UEFI boot disables the pure text console, and the kernel uses whatever frame buffer is available, or without text console if no frame buffer is available. That means the kernel config item “CONFIG_VGA_CONSOLE” does not work any longer in UEFI, at least on my hardware.

Solution: I activated a framebuffer console driver with this kernel config item: CONFIG_FB_EFI

Versions: Debian9, Linux 4.9, ASUS Z170-A, Nvidia GPU

New Vim 8 on Debian 9 Stretch has buggy Mouse/Paste/Syntax handling

The new Vim 8 on Debian tries again to appeal to the 95% of the people (the noobs) and adds features the are annoying to professionals. When these new features are buggy it’s even worse.

Problem: vim 8 on debian 9 has some annoying default settings for vim

  1. paste uses a vim internal clipboard instead the system clipboard (when not using shift). This is totally stupid because if you copy something from the browser to the editor you get something else. It might even be some thing you copied hours ago from a different file logged in from a different client
  2. The cursor jumps to the mouse cursor when clicking into vim. This sounds correct for non professional geeks but it’s actually annoying because I use “hjkl” to move the cursor and use the mouse to copy/paste and I hate it when I loose the cursor position when selecting text for copy/paste
  3. Syntax highlighting is so ugly and hard to read. Noobs may like this but again for professional geeks that’s annoying.

Changing this system wide should be easy by adding these two lines to /etc/vim/vimrc. But this fails.

syntax off
set mouse=

Settings in /etc/vim/vimrc are ignored because settings in /etc/vim/vimrc are overruled by “/usr/share/vim/vim80/defaults.vim”

Workaround: until Debian fixes this bug, you have two ways to change this.

Add the lines from above to “/usr/share/vim/vim80/defaults.vim” directly.

Remember that this change might be over written when vim is updated.

When you don’t like the autoindent feature you can also add this line:

filetype plugin indent off

If you want to be save for system updates you can ignore default.vim all together by adding “/etc/vim/vimrc.local” to your system with this content:

let g:skip_defaults_vim = 1
set mouse=””

FlexFabric 5700 Backup Config to TFTP in MGMT VPN-Instance

Problem: if you separate the management from the normal traffic on a switch you will usually configure the swtich via this mgmt vpn-instance and also backup and restore config files via this mgmt vpn-instance. But if you use the “backup startup-configuration to ..” it always tries to find the tftp server on the normal network Even after changing the tftp configuration with “tftp client source interface M-GigabitEthernet 0/0/0” tftp still does not work.

Solution: The backup command has no vpn-instance parameter, but the “tftp put” command has. So you can use:

tftp 172.16.100.100 put startup.cfg switchbackup.cfg vpn-instance MGMT

Version: HP/HPE FlexFabric System image version: 7.1.045, Release 2422P02

Check Raid Status for Dell Raids on Linux

Linux support from dell is still very poor. They still support only RedHat$ and SuSE$.

But there are ways to check the Raid status of Dell server on debian. http://hwraid.le-vert.net/ is doing a good job in collecting information and building Debian style packages.

Example: 

A Dell server “PowerEdge T130” with “LSI Logic / Symbios Logic MegaRAID SAS-3 3008”  also called “PERC H330” running Debian 8.7.

The kernel uses the megaraid_sas driver. At http://hwraid.le-vert.net/debian/pool-jessie you can find a package called “megacli_8.07.14-1_amd64.deb”

You can check your raid status with:

megacli -LDInfo -Lall -a0

or add this to your crontab file, to receive mails when not all raids are in “optimal” state:

7 * * * *    /usr/sbinmegacli -LDInfo -Lall -a0 | grep “^State” | grep -v ” Optimal$”

 

Autosave for VIM

I believe that it’s a good idea that vi does not auto save during editing. Think of config files or src files that should never be in an inconsistent state. The programmer or sysadmin should decide when he wants to save data.

But sometime auto save is handy, while typing lists like todo lists or outlines etc. Every version is OK and you don’t want to save after every change and still don’t want to loos data on connection or power loss.

Use this in you current VIM session to make this current buffer autosave:

:au TextChanged,TextChangedI <buffer> silent w

Wget Ignores its Timeout

Problem: wget has an option to configure the timeout for dns, connect, and read or a combined timeout option “-T”. This option usually works, but it does not work during SSL handshake. You can test it with these commands:

in one terminal start a dummy tcp service:

nc -l 7777

and then try to connect to this service:

wget -T 10 https://localhost:7777/

wget should give up after 10 seconds (per retry). But it doesn’t. It waits for a server response for ever.

Workarround: I changed the wget call to:

timeout 10 wget https://localhost:7777/

Now wget gets kicked “from outside” when it does not finish within 10 seconds. Keep in mind that this timeout is not the same as the -T option, because it’s a timeout for the full web request and not every step and data packet.

Version: The bug exists at least in wget 1.12 and 1.13.4 (Debian 6.0 and 7.0)

Update: The bug-wget mailing list shows that other people had the same issue. It seems the wget 1.14 fixed this bug. I haven’t tested this yet.