Installing pfSense version >2.4 on an APU2c4


Introduction

The older installations of pfSense in an APU2c4 from PCEngines required a few more steps than the installation does as of release 2.4. pfSense 2.4 and later no longer supports the nanobsd based installation. This howto partly shows how to install pfSense, with the main focus on creating the boot USB stick on a Mac, OSX, MacOS or whatever they call it today.

You need the following:

  • http://www.pcengines.ch/newshop.php?c=48881
  • APU2C4 – http://www.pcengines.ch/apu2c4.htm
  • Enclosure – http://www.pcengines.ch/case1d2bluu.htm
  • Powersupply – http://www.pcengines.ch/ac12veur3.htm
  • 16GB mSATA module – http://www.pcengines.ch/msata16g.htm
  • Total cost: ca 160 CHF (about the same in USD)

To install pfSense on your APU2c4, you do the following:

  • Download the latest MEMSTICK serial installation image, as per today https://nyifiles.pfsense.org/mirror/downloads/pfSense-CE-memstick-serial-2.4.2-RELEASE-amd64.img.gz
  • Write this image to a USB stick
  • Connect to your APU2c4 per serial port, 115200, 8N1
  • Boot from the USB stick
  • Install the software

Creating the boot media

First, you will have to figure out which /dev/disk device your USB stick is. Failure to choose the correct one will probably break stuff, for example you might overwrite your backup disk or whatever other disks you have connected to your computer. Please don’t blame me for it. You are hereby warned. Choose the correct /dev/disk device. This is how you find it.

diskutil list

/dev/disk5 (external, physical):
#: TYPE NAME SIZE IDENTIFIER
0: FDisk_partition_scheme *3.9 GB disk5
1: DOS_FAT_32 USB_STICK 3.9 GB disk5s1

That 3.9GB disk that has the name USB_STICK just has to be my USB stick, so I use the disk /dev/rdisk5 in my example. Very often this just happens to be /dev/rdisk2 or /dev/rdisk3, but I probably break fewer computers by using rdisk5 as example below.

 

disk=5
diskutil unmountdisk /dev/disk${disk}

mkdir -p /temp/pfsense
cd /temp/pfsense
wget https://nyifiles.pfsense.org/mirror/downloads/pfSense-CE-memstick-serial-2.4.2-RELEASE-amd64.img.gz
gzcat pfSense-CE-memstick-serial-2.4.2-RELEASE-amd64.img.gz | sudo dd of=/dev/rdisk${disk} bs=1m

 

Did you notice the following?

  • You usually reference disks in OSX (or MacOS) by /dev/diskX.
  • In my example, I write to /dev/rdiskX

Why is that? /dev/rdiskX is the raw (unbuffered) device for the same disk as /dev/diskX. For now you should just remember that writing images to a disk is much faster to an R-disk than a disk device. Much faster.
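A guard for the "choose the correct /dev/disk device" step, as an added example that is not part of the original post: it reads `diskutil list` output and only hands back a /dev/rdiskN path when that disk is marked external. The function names and the sample listing are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: refuse to give dd a disk that `diskutil list` does not mark
# as external. Function names are hypothetical; the listing below is a
# constructed sample in the layout shown in the post.

SAMPLE_DISKUTIL_LIST='/dev/disk0 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.3 GB   disk0
   1:                        EFI EFI                     209.7 MB   disk0s1
   2:                  Apple_HFS Macintosh HD            499.4 GB   disk0s2
/dev/disk5 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:     FDisk_partition_scheme                        *3.9 GB     disk5
   1:                 DOS_FAT_32 USB_STICK               3.9 GB     disk5s1'

# disk_kind N
# Reads `diskutil list` output on stdin and prints "external", "internal" or
# "unknown" for /dev/diskN. Returns 1 when the disk is not listed at all.
disk_kind() {
    awk -v dev="/dev/disk$1" '
        {
            # Header lines look like "/dev/disk5 (external, physical):".
            # Whole fields are compared, so disk5 never matches disk50.
            for (i = 1; i <= NF; i++) {
                if ($i != dev) continue
                if ($0 ~ /\(external/)      kind = "external"
                else if ($0 ~ /\(internal/) kind = "internal"
                else                        kind = "unknown"
            }
        }
        END { if (kind == "") exit 1; print kind }
    '
}

# raw_target N
# Prints /dev/rdiskN only when diskN is external; otherwise says why not.
# Returns 1 for a disk that is not external, 2 for a disk that is not listed.
raw_target() {
    local kind
    kind=$(disk_kind "$1") || { echo "disk$1: not in diskutil list" >&2; return 2; }
    if [ "$kind" != external ]; then
        echo "disk$1 is $kind, refusing to use it as a dd target" >&2
        return 1
    fi
    echo "/dev/rdisk$1"
}

# On the Mac itself (not run here):
#   target=$(diskutil list | raw_target "$disk") &&
#     gzcat pfSense-CE-memstick-serial-2.4.2-RELEASE-amd64.img.gz | sudo dd of="$target" bs=1m

# Demo on the constructed sample: disk5 is accepted, disk0 is refused.
printf '%s\n' "$SAMPLE_DISKUTIL_LIST" | raw_target 5
printf '%s\n' "$SAMPLE_DISKUTIL_LIST" | raw_target 0 || true
```

A built-in SD card reader shows up as internal in `diskutil list`, so this guard is meant for USB sticks only.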

Connecting per Serial port

In any case, it is now time to connect your shiny USB to Serial adapter to the serial port of the APU2c4. I use an Aten UC232A Serial converter. It is cheap and it works. It does require you to install a driver (see below), so it does not work out of the box in OSX (MacOS) High Sierra. The trick is, that if the device file /dev/tty.UC-232AC does not appear when you connect the dongle to your computer, you will need to install the driver. Simple as that. And yes, just like in Windows you will have to reboot your computer to finish the driver installation. Man, do they ever learn?

Now you start your favorite terminal program and connect to the /dev/tty-device at 115200, 8N1. My favorite is the program “screen”, which works well for me.

screen /dev/tty.UC-232AC 115200 8N1

 

Installation

  • When you connect the power to the APU2C4, you should more or less immediately (within a couple of seconds) see the following on your terminal:
PCEngines apu2
 coreboot build 20160307
 ...
 PCengines Press F10 key now for boot menu:

Press <F10> to get the boot menu:

Select boot device:

1. USB MSC Drive JetFlash Transcend 16GB 1.00
2. ata0-0: SATA SSD ATA-10 Hard-Disk (15272 MiBytes)
3. Payload [memtest]
4. Payload [setup]
  • Choose <1> for your USB key, which will boot up your APU2c4 from the USB stick.
  • Follow the instructions (default on all questions will be ok)
  • Wait for the installation to finish
  • Reboot the APU2c4
  • Done


Catch exit codes in bash – pipefail vs PIPESTATUS


Introduction

The other day I caught a bug in one of my scripts, where I wanted to both act on the exit code of a command at the same time as I sent the output from it to a log file. The construct:

myCommand | tee -a file.log
rc=$?

Simple enough. I expected that I would be able to catch the exit code of “myCommand” and act on the $rc variable at a later stage in my script. I was wrong. As long as I can write to file.log, my $rc variable will always be 0.

At first it annoyed me a bit, as I had completely forgotten about this. Well, this is the expected behaviour, and the way it works is quite useful in other cases. For example, consider the following example:

$ if cat /etc/passwd | grep --silent "^root" ; then echo "Root is in /etc/passwd"; fi
Root is in /etc/passwd

Here we really want the exit code of the second statement, the “grep” statement after the pipe, to be evaluated. So in most cases the default behavior works to our advantage. But how do we change this to catch the command feeding the pipe? The answer is:

  • set -o pipefail
  • the builtin array PIPESTATUS

When setting “pipefail” in your script, the return code of a pipeline will be the first non-zero exit code found when working backwards through the statement, i.e. that of the rightmost command that failed. Example:

$ $(exit 2) | $(exit 1) | $(exit 0)
$ echo $?
0
$ set -o pipefail
$ $(exit 2) | $(exit 1) | $(exit 0)
$ echo $?
1
$ $(exit 1) | $(exit 2) | $(exit 0)
$ echo $?
2
$ $(exit 1) | $(exit 0) | $(exit 0)
$ echo $?
1

While “pipefail” might be tempting to use, I would rather avoid it since most people who will read your scripts and chase bugs will not be used to it.

Enter: PIPESTATUS

PIPESTATUS is a builtin array in bash (and zsh) that catches all exit codes of your piped commands:

vagrant@dash:~$ $(exit 1) | $(exit 2) | $(exit 0)
vagrant@dash:~$ echo ${PIPESTATUS[@]}
1 2 0

This is very useful, but the array is reset as soon as you run a command (i.e after you display it with “echo”). To copy the whole array, you will have to do the following:

$ $(exit 1) | $(exit 2) | $(exit 0)
$ echo ${PIPESTATUS[@]}
1 2 0
$ echo ${PIPESTATUS[@]}
0

$ $(exit 1) | $(exit 2) | $(exit 0)
$ allRc=("${PIPESTATUS[@]}")
$ echo ${allRc[@]}
1 2 0
$ echo ${allRc[0]}
1
$ echo ${allRc[1]}
2
$ echo ${allRc[2]}
0

And finally, I updated my script to become:

myCommand | tee -a file.log
rc=${PIPESTATUS[0]}
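The three behaviours side by side, as an added example that is not part of the original post: the original construct, the PIPESTATUS fix, and pipefail confined to a subshell. The function names and the return code 99 for a failing tee are choices made for this example.

```bash
#!/usr/bin/env bash
# Added example: keep a log with tee and still act on the producer's exit code.
# Function names and the return code 99 are choices made for this example.

# The construct from the top of the post: the function returns tee's status,
# so a failing command goes unnoticed as long as the log is writable.
run_naive() {
    local log=$1; shift
    "$@" 2>&1 | tee -a "$log"
}

# PIPESTATUS variant: copy the whole array in the very next command (any other
# command would reset it), then return the producer's status. A failing tee
# (log not writable) is reported as 99 so that it cannot hide either.
run_logged() {
    local log=$1; shift
    local -a rc
    "$@" 2>&1 | tee -a "$log"
    rc=("${PIPESTATUS[@]}")
    if [ "${rc[1]}" -ne 0 ]; then
        echo "run_logged: tee failed (rc=${rc[1]}), log is incomplete" >&2
        return 99
    fi
    return "${rc[0]}"
}

# pipefail variant: the option is set inside a subshell, so it does not leak
# into the rest of the script and surprise the next reader.
run_logged_pipefail() {
    local log=$1; shift
    ( set -o pipefail; "$@" 2>&1 | tee -a "$log" )
}

# Demo with a constructed command that prints one line and exits with 3.
demo() {
    local log naive=0 fixed=0 pf=0
    local cmd=(sh -c 'echo "backup step failed"; exit 3')
    log=$(mktemp)
    run_naive           "$log" "${cmd[@]}" >/dev/null || naive=$?
    run_logged          "$log" "${cmd[@]}" >/dev/null || fixed=$?
    run_logged_pipefail "$log" "${cmd[@]}" >/dev/null || pf=$?
    rm -f "$log"
    echo "naive=$naive PIPESTATUS=$fixed pipefail=$pf"
}

demo
```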

op5 widgets for Smashing released on github


example smashing dashboard for op5

We (say Niklas) developed a set of widgets to integrate op5 (nagios derivative) with the smashing.io dashboard, which is now available on github.

https://github.com/kmggroup/op5widgets


Quickly clean up your Wifi connections in OSX


Introduction

Today I realized that I had connected to a couple of hundred wifi networks over the last couple of years. This had clogged up my network preferences, and I no longer had a good overview of my favorite network locations.

To clean this up, I did not feel like clicking through each and every one of these, so I found this (http://www.techrepublic.com/article/pro-tip-manage-wi-fi-with-terminal-commands-on-os-x/) which helped me with the CLI. Now I could:

  • List all networks to a file
  • Edit this file and remove my favorite networks from this file
  • Use this file to remove the unwanted networks
#--- count networks
malu@kmg-mcp001.local:/Users/malu $networksetup -listpreferredwirelessnetworks en0 | sort -f | sed -e 's/^[[:space:]]*//g' | grep -v "Preferred networks"  | wc -l
197

#--- list networks into a file
networksetup -listpreferredwirelessnetworks en0 | sort -f | sed -e 's/^[[:space:]]*//g' | grep -v "Preferred networks" > wifinetworks.txt

#--- edit the wifinetworks and remove your favorites, the ones to keep
vi wifinetworks.txt

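#--- the next command will create a script to remove the networks in wifinetworks.txt, so use it with care
#--- printf %q quotes each SSID, so names with spaces or shell characters stay one argument in removewifi.sh
while IFS= read -r ssid; do printf 'sudo networksetup -removepreferredwirelessnetwork en0 %q\n' "$ssid"; done < wifinetworks.txt > removewifi.sh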

#--- check the removewifi.sh script and remove any favorites, then execute it
bash removewifi.sh

#--- count networks
malu@kmg-mcp001.local:/Users/malu $networksetup -listpreferredwirelessnetworks en0 | wc -l
   19

 

Physical firewall for VMWare networks


Introduction

Sometimes you need to figure out some weird configurations. In this post I will try and justify the joy of VLANs in the following setup.

  • A VMWare host with only one network interface (NIC), like an Intel NUC SWIFT CANYON NUC6I5SYH, which is an excellent lab computer. It also takes on VMWare out of the box like a charm, with no hassle.
  • An APU2C4 with pfSense
  • A perimeter (DMZ) network for internet facing systems
  • A secure(r) network for application servers etc

I want to have a perimeter network with my proxy server, and my application servers on a secured network. I also want to use a physical firewall outside my VMWare environment, which is the odd bird in this cage.

Normally, I would be setting up a pfSense in a virtual machine, which is easy enough and would have saved me quite some headaches. But now I want to use my physical box, the APU2C4, as firewall, so I have to share the network card on my VM Host system.

This setup is classic and simple. No magic, but since we only have one network interface on the VMWare host, you will need to use some tricks to make this happen.

I created two networks, kmg-perimeter with VLAN id 90 and kmg-secure with VLAN id 91. These are both connected to the same network card (the one and only NIC on the VM host).

On the firewall, I set up two VLAN interfaces with the corresponding VLAN id tagging on the same interface. Physically, I connected the NIC on the firewall to the NIC on the Intel NUC.

From here on, you are good to go. You pretend that you have two networks, which are firewalled just as you would normally do it if you had multiple physical network cards on your VMWare server.

As an example, I add one more VLAN interface, which I will call DEMONETWORK.

  • Interfaces->Assign->VLANs->Add

  • Interfaces->Assign->Interface Assignments->Add

  • Interfaces->OPT3 (your interface might have gotten a different name).
    • Enable the interface and give it a proper name (i.e DEMONETWORK)

  • Firewall->Rules->DEMONETWORK
    • Here you define the rules coming into this new interface

That’s it!

 

 

Quickly create an img file from a raspbian SD card on OSX


Introduction

Bottom line (given that your SD card is /dev/disk2):

$ ddCount=$(sudo fdisk /dev/disk2 | grep Linux | awk '{printf "%i", ($11+$13)*512/1024/1024 + 1}')
$ diskutil unmountdisk /dev/disk2

Unmount of all volumes on disk2 was successful

$ sudo dd if=/dev/rdisk2 bs=1m count=$ddCount | gzip > myimage.img.gz

Long story:

Sometimes you need to make a backup of an SD card with your favorite installation on it. This recipe will show you how to do this in the most efficient way on Apple, Mac OSX. This is of course not a good replacement of making notes and automating your installations. But for the times when you really need to make an image copy of your SD card, it is helpful.

Most recipes online will simply tell you to use “dd” to make an image of the whole card. This will create an image that is the size of your SD card, which is rarely necessary. A base installation of Raspbian Lite clocks in at around 1 GB, and the base partition created when you first install Raspbian on an SD card is “only” 1.7GB. If you can keep the root (/) partition at this size until you make your backup, you save both time and space on your harddrive. Most people use larger SD cards than 1.7GB nowadays, often 32GB – 128GB. I personally try and get as small SD cards as I can, and the current sweet spot for price/performance is found around 16GB. That will change.

The first thing that normally happens when you start up your Raspberry Pi, is that Raspbian will resize your root partition from 1.7 GB to the size of your SD card. In the good old days you had to do this yourself through the use of the “raspi-config” command. In the later releases, the resize is done at the first boot.

So, the basic recipe for optimizing

  • Create your initial installation (install Raspbian on an SD card)
  • Make sure that you do not expand the root filesystem at first boot (edit /boot/cmdline.txt)
  • Do your stuff/set up your environment
  • Make a backup of the SD card
    • Get the size of the partitions
    • Use dd to get only the good parts

Initial installation

  • Download the image
  • Unzip it
  • dd the image to your SD card

Be cautious. Make sure you use the correct “/dev/rdiskX” file, as you _WILL_ destroy the destination, replacing it with your image. You figure out the correct disk name by using “diskutil list”. When you “dd” the image, use the “/dev/rdiskX” device, NOT the “/dev/diskX” device. The latter will be much slower.

$ diskutil list
...
/dev/disk2 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:     FDisk_partition_scheme                        *16.1 GB    disk2
   1:             Windows_FAT_32 boot                    43.7 MB    disk2s1
   2:                      Linux                         1.7 GB     disk2s2

$ sudo dd if=2017-09-07-raspbian-stretch-lite.img of=/dev/rdisk2 bs=1m

 

Root filesystem expansion

The root filesystem expansion will happen at first boot. It is initiated through a script called by init=/usr/lib/raspi-config/init_resize.sh in /boot/cmdline.txt. After it has resized the filesystem, it removes the init= clause and reboots. You should remove this from the cmdline.txt file before booting the first time, in order to keep the root filesystem as small as possible.

$ cat /Volumes/boot/cmdline.txt

dwc_otg.lpm_enable=0 console=serial0,115200 console=tty1 root=PARTUUID=a8790229-02 rootfstype=ext4 elevator=deadline fsck.repair=yes rootwait quiet init=/usr/lib/raspi-config/init_resize.sh


#--- edit the file and remove init=...

$ cat /Volumes/boot/cmdline.txt

dwc_otg.lpm_enable=0 console=serial0,115200 console=tty1 root=PARTUUID=a8790229-02 rootfstype=ext4 elevator=deadline fsck.repair=yes rootwait quiet

Whenever you would like to expand the filesystem, you can do so by running “sudo raspi-config” on the command line of your raspberry pi, and resize it.

Setup your environment

This is where you do your thing. Install some software, play around. Go wild!

Backup SD card

This is where the magic happens. Or at least the essence of this blog entry. You will need to figure out the last block of the linux partition (your root partition), and only create an image until that point.

  • Figure out the SD card partition layout
  • Calculate the number of MB you should read from the SD card
  • Create the image, using “dd” and a block size of 1MB

You get this from the partition table, which you display by using the “fdisk” command.

$ sudo fdisk /dev/disk2
Disk: /dev/disk2 geometry: 1955/255/63 [31422464 sectors]
Signature: 0xAA55

         Starting       Ending
 #: id  cyl  hd sec -  cyl  hd sec [     start -       size]
------------------------------------------------------------------------
 1: 0C    0 130   3 -    5 210  42 [      8192 -      85405] Win95 FAT32L
 2: 83    5 220  24 -  209 202  59 [     94208 -    3276162] Linux files*
 3: 00    0   0   0 -    0   0   0 [         0 -          0] unused      
 4: 00    0   0   0 -    0   0   0 [         0 -          0] unused      

Here you can see that the linux partition starts at block 94208 and goes on for another 3276162 blocks.

Use the “hdiutil imageinfo” command to get the block size:

$ sudo hdiutil imageinfo /dev/disk2 | grep block-size
 block-size: 512

You now have all info needed to calculate the end of your SD card partitions, numMB = round((94208 + 3276162) * 512 / 1024 / 1024) + 1. The +1 is for when the number of blocks does not end at an even MB boundary. I throw in one more MB for good measure. You could in principle skip part of the calculation, if your dd-command would use the disk block size (bs=512) instead of “bs=1m”, but the copy would take forever to complete. In my example, I will read 1646 MB from the card, which is a few kB too much, but you can skip the calculation and use 1700, 1800, or 2000 MB as well without overshooting too much.

$ diskutil unmountdisk /dev/disk2 
$ #--- jessie: sudo dd if=/dev/rdisk2 bs=1m count=1646 | gzip > myimage.img.gz
#--- stretch
$ sudo dd if=/dev/rdisk2 bs=1m count=1800 | gzip > myimage.img.gz
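The calculation above as a reusable function, as an added example that is not part of the original post: it parses the macOS fdisk listing, takes the highest end sector of any used partition (so it goes beyond the single Linux partition in the text) and rounds up to whole MB. The names image_mb and SAMPLE_FDISK are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example: compute the dd count (in MB, for bs=1m) from macOS fdisk
# output. image_mb and SAMPLE_FDISK are names chosen for this example.

# The fdisk listing from the post, embedded so this runs without an SD card.
SAMPLE_FDISK='Disk: /dev/disk2 geometry: 1955/255/63 [31422464 sectors]
Signature: 0xAA55

         Starting       Ending
 #: id  cyl  hd sec -  cyl  hd sec [     start -       size]
------------------------------------------------------------------------
 1: 0C    0 130   3 -    5 210  42 [      8192 -      85405] Win95 FAT32L
 2: 83    5 220  24 -  209 202  59 [     94208 -    3276162] Linux files*
 3: 00    0   0   0 -    0   0   0 [         0 -          0] unused
 4: 00    0   0   0 -    0   0   0 [         0 -          0] unused'

# image_mb [BLOCK_SIZE]
# Reads fdisk output on stdin and prints the number of MB that covers every
# used partition. BLOCK_SIZE defaults to 512 (the value hdiutil reported in
# the post). Returns 1 when no used partition is found.
image_mb() {
    awk -v bs="${1:-512}" '
        # Partition rows start with "N:" (or "*N:" when marked active) and
        # carry "[ start - size ]" in sectors.
        /^[ *]*[0-9]+: / && /\[/ {
            range = $0
            sub(/^.*\[/, "", range)      # drop everything up to "["
            sub(/\].*$/, "", range)      # drop "]" and the type name
            split(range, f, "-")
            start = f[1] + 0; size = f[2] + 0
            if (size > 0 && start + size > last) last = start + size
        }
        END {
            if (last == 0) exit 1
            # Round up to a whole MB instead of always adding one.
            printf "%d\n", int((last * bs + 1048575) / 1048576)
        }
    '
}

# On the Mac itself (not run here):
#   count=$(sudo fdisk /dev/disk2 | image_mb 512)
#   diskutil unmountdisk /dev/disk2
#   sudo dd if=/dev/rdisk2 bs=1m count="$count" | gzip > myimage.img.gz

# Demo on the listing from the post.
printf '%s\n' "$SAMPLE_FDISK" | image_mb 512
```

For the listing in the post this gives the same 1646 MB as the formula above; the two only differ when the last partition ends exactly on a MB boundary.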

To write this image back to your SD card:

$ diskutil unmountdisk /dev/disk2
$ gzcat myimage.img.gz | sudo dd of=/dev/rdisk2 bs=1m

Edits:

  • Mats Karlsson noted that one can use “xz -e9v” instead of gzip, to produce a file that is ca 30%
malu@kmg-mcp001.local:/temp/raspberry/raspiMake $ls -latrh my*
-rw-r--r--  1 malu  wheel   347M Sep 19 11:48 myimage.img.gz
-rw-r--r--  1 malu  wheel   225M Sep 19 11:58 myimage.img.xz
  • Raspbian Stretch (September 2017) is just a bit larger than Jessie, add a few MB to your dd command (I use 1800)

Rsync faster with AES-NI and ssh options


Introduction

Copying files per ssh is very convenient, but the default encryption(1) usually takes its toll on the CPU, and the result is that you do not fill the available network bandwidth. The solution is to use a less CPU intensive cipher, which often leads to using a less secure encryption scheme. On a local network this is rarely an issue.

Earlier I was often using blowfish or arc4 as preferred ciphers, but in newer Linux distros (i.e Ubuntu 16.04LTS) these are no longer supported. Nowadays there are some default ciphers that are supported using hardware accelerated AES-NI instructions, helping to offload the ciphering in the CPU. aes128-gcm@openssh.com and aes256-gcm@openssh.com are such ciphers.

  • Quick and easy
cd /path/to/your/files
time rsync -av --delete -e "ssh -T -o Compression=no -x -c aes256-gcm@openssh.com" . someuser@remote.system:/mnt/remote_filesystem
time rsync -av --delete -e "ssh -T -o Compression=no -x -c aes128-gcm@openssh.com" . someuser@remote.system:/mnt/remote_filesystem

On a 1gbit connection, I often see >110MB/s with the command line above.

References

  • https://turecki.net/content/getting-most-out-ssh-hardware-acceleration-tuning-aes-ni
  • man ssh_config => Default ciphers
maglub@myserver:~$ ssh -Q cipher
3des-cbc
blowfish-cbc
cast128-cbc
arcfour
arcfour128
arcfour256
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com

Installing pfSense on an APU2C4


Introduction

NOTE: As per pfSense 2.4, the nanobsd installation described here is no longer supported. This page is kept for historical reasons.

 

This will describe how I installed pfSense on an APU2C4. The culprit in my case is that I use OSX (10.11, El Capitan), so the creation of the boot USB stick and the serial console access is a bit different than for Linux and Windows.

  • PC Engines APU2C4 -> http://www.pcengines.ch/apu2c4.htm
  • 16GB, msata16d
  • OSX 10.11 (El Capitan)
  • My serial port is /dev/tty.UC-232AC (Aten UC232A USB Serial Konverter Kabel, Roline Nullmodem-Kabel, BU-BU)

Steps:

  • Download
  • Create the USB key (Windows and OSX) with TinyCore (http://www.pcengines.ch/tinycore.htm)
  • Boot from the USB stick with Serial console access
  • Write pfSense image to your boot media for the APU2C4

 

Recipe

  • Format the USB key as FAT32, Master Boot Record, using Disk Utility

 

malu@kmg-mcp001.local $ diskutil list

...

Unencrypted /dev/disk2 (external, physical): 
#: TYPE NAME SIZE IDENTIFIER 
0: FDisk_partition_scheme *7.8 GB disk2 
1: DOS_FAT_32 TINY 7.8 GB disk2s1 


malu@kmg-mcp001.local $ disk=2

malu@kmg-mcp001.local:$ diskutil unmountdisk /dev/disk${disk} 
Unmount of all volumes on disk2 was successful

  • Copy a boot sector to the USB stick as described here: http://www.pyrosoft.co.uk/blog/2013/01/09/creating-a-bootable-usb-stick-from-osx/
 mkdir mbr
 cd mbr
 curl -L -O http://www.kernel.org/pub/linux/utils/boot/syslinux/syslinux-5.00.zip
 unzip syslinux-5.00.zip 'mbr/mbr.bin'

diskutil unmountdisk /dev/disk${disk} 

sudo dd conv=notrunc bs=440 count=1 if=mbr/mbr.bin of=/dev/disk${disk}
  • Make the USB disk bootable (my USB disk is /dev/disk2, you must find your own through “diskutil list”) (print, f 1, write, print, exit)

 

malu@kmg-mcp001.local $ diskutil unmountdisk /dev/disk${disk}
malu@kmg-mcp001.local $ sudo fdisk -e /dev/disk${disk} 

 fdisk: could not open MBR file /usr/standalone/i386/boot0: No such file or directory
 Enter 'help' for information

fdisk: 1> print

Disk: /dev/disk2 geometry: 949/255/63 [15248832 sectors]
 Offset: 0 Signature: 0xAA55
 Starting Ending
 #: id cyl hd sec - cyl hd sec [ start - size]
 ------------------------------------------------------------------------
 1: 0B 1023 254 63 - 1023 254 63 [ 2 - 15248830] Win95 FAT-32
 2: 00 0 0 0 - 0 0 0 [ 0 - 0] unused
 3: 00 0 0 0 - 0 0 0 [ 0 - 0] unused
 4: 00 0 0 0 - 0 0 0 [ 0 - 0] unused

fdisk: 1> f   1

Partition 1 marked active.

fdisk:*1> write

Writing MBR at offset 0.

fdisk: 1> print

Disk: /dev/disk2 geometry: 949/255/63 [15248832 sectors]
 Offset: 0 Signature: 0xAA55
 Starting Ending
 #: id cyl hd sec - cyl hd sec [ start - size]
 ------------------------------------------------------------------------
 *1: 0B 1023 254 63 - 1023 254 63 [ 2 - 15248830] Win95 FAT-32
 2: 00 0 0 0 - 0 0 0 [ 0 - 0] unused
 3: 00 0 0 0 - 0 0 0 [ 0 - 0] unused
 4: 00 0 0 0 - 0 0 0 [ 0 - 0] unused

fdisk: 1> exit

  • Download a TinyCore iso image (any image will do)
wget http://distro.ibiblio.org/tinycorelinux/4.x/x86/release/TinyCore-4.7.7.iso

  • Use Unetbootin to write this image to your USB stick, which will result in this:

 

malu@kmg-mcp001.local:/Volumes/TINY $ls -la
 total 15592
 drwxrwxrwx@ 1 malu staff 4096 Sep 6 10:57 .
 drwxrwxrwt@ 6 root admin 204 Sep 6 10:57 ..
 drwxrwxrwx 1 malu staff 4096 Sep 6 10:55 .Spotlight-V100
 drwxrwxrwx@ 1 malu staff 4096 Sep 6 10:55 .Trashes
 -rwxrwxrwx 1 malu staff 4096 Sep 6 10:55 ._.Trashes
 drwxrwxrwx 1 malu staff 4096 Sep 6 10:57 .fseventsd
 drwxrwxrwx 1 malu staff 4096 Sep 6 10:57 boot
 drwxrwxrwx 1 malu staff 4096 Sep 6 10:57 cde
 -rwxrwxrwx 1 malu staff 60928 Sep 6 10:57 menu.c32
 -rwxrwxrwx 1 malu staff 684 Sep 6 10:57 syslinux.cfg
 -rwxrwxrwx 1 malu staff 612 Sep 6 10:57 ubnfilel.txt
 -rwxrwxrwx 1 malu staff 5385191 May 10 2013 ubninit
 -rwxrwxrwx 1 malu staff 2491968 May 10 2013 ubnkern
 -rwxrwxrwx 1 malu staff 36 Sep 6 10:57 ubnpathl.txt
  • Download pfSense media
#--- pre 2.4 - nanobsd
wget https://nyifiles.pfsense.org/mirror/downloads/pfSense-CE-2.3.4-RELEASE-4g-amd64-nanobsd.img.gz

##--- 2.4+ - nanobsd is no longer supported by pfSense
#wget https://nyifiles.pfsense.org/mirror/downloads/pfSense-CE-2.4.2-RELEASE-amd64.iso.gz
  • Copy TinyCore files from PCEngines over to the USB stick
mkdir -p /temp/pcengines
cd /temp/pcengines
wget http://www.pcengines.ch/file/apu_tinycore.tar.bz2 
cd /Volumes/TINY
tar xvjf /temp/pcengines/apu_tinycore.tar.bz2

  • Copy the pfSense image to the USB stick
cp /temp/pfSense/pfSense-CE-2.4.2-RELEASE-amd64.iso.gz .
cd
diskutil unmountdisk /dev/disk${disk}
  • Start up the serial terminal.
screen /dev/tty.UC-232AC 115200 8N1
  • When you connect the power, you should more or less immediately (within a couple of seconds) see the following:
PCEngines apu2
 coreboot build 20160307
 ...
 PCengines Press F10 key now for boot menu:

Press <F10> to get the boot menu:

Select boot device:

1. USB MSC Drive JetFlash Transcend 16GB 1.00
2. ata0-0: SATA SSD ATA-10 Hard-Disk (15272 MiBytes)
3. Payload [memtest]
4. Payload [setup]
  • Choose <1> for your USB key.
gzip -dc pfSense-CE-2.3.2-RELEASE-4g-amd64-nanobsd.img.gz | pv | dd of=/dev/sda bs=10M
  • Unplug the USB key, power cycle, and you are done!

References:

  • https://unetbootin.github.io/
  • http://www.pcengines.ch/newshop.php?c=48881
  • http://www.pcengines.ch/pdf/apu2.pdf
  • http://www.pyrosoft.co.uk/blog/2013/01/09/creating-a-bootable-usb-stick-from-osx/
  • https://forum.pfsense.org/index.php?topic=106444.0
  • Driver for the UC232-A USB to serial converter (i.e for Sierra/High Sierra): http://www.aten.com/global/en/products/release-note//?action=release_note&type=driver&eid=412

Install Domoticz and Razberry2 on Raspbian 2017-01-11


I just installed domoticz with the following setup:

  • Razberry2
  • Raspberry Pi 3
  • Raspbian Jessie, 2017-01-11

There are a couple of things to keep in mind, for the Razberry2 to work properly, especially with the later jessie releases:

  • The serial port has to be turned ON
  • Console on the serial port has to be turned OFF
  • Bluetooth has to be disabled
  • hciuart.service can optionally be disabled (to get rid of an error message during boot)

So, the minor issue is that when you use “raspi-config” to turn off the serial console, it does not only turn off the console output on the serial port. It also turns off the serial port, which is not really what we want. That is why most people get a bit confused and fiddle around until they figure out that the “enable_uart=0” entry in /boot/config.txt should be “enable_uart=1”, and never think of why it happened to be that way.

The “console output” to serial is configured in /boot/cmdline.txt with the entry “console=serial0,115200”, which we need to get rid of, but still make sure that there is no “enable_uart=0” in /boot/config.txt.

Unless you really want to, there is no need to redistribute the GPU RAM mapping.

So, a working setup (as of 2017-01-20) is:

  • Create an SD card with 2017-01-11-raspbian-jessie.img
  • Before you unmount it from your PC, change the following files on the SD card:

/boot/cmdline.txt

cat /boot/cmdline.txt
 dwc_otg.lpm_enable=0 console=tty1 root=/dev/mmcblk0p2 rootfstype=ext4 elevator=deadline fsck.repair=yes rootwait

/boot/config.txt

 enable_uart=1
 dtoverlay=pi3-disable-bt

  • Boot the raspberry pi
  • Disable the hciuart service
 sudo systemctl stop hciuart
 sudo systemctl disable hciuart

  • Ensure you have a /dev/ttyAMA0 file
 ls -la /dev/ttyAMA0
 crw-rw---- 1 root dialout 204, 64 Jan 20 08:19 /dev/ttyAMA0
  •  Install domoticz as described above by kent
 mkdir ~/domoticz
 cd ~/domoticz
 wget https://releases.domoticz.com/releases/release/domoticz_linux_armv7l.tgz
 tar xvfz domoticz_linux_armv7l.tgz
 rm domoticz_linux_armv7l.tgz
 sudo cp domoticz.sh /etc/init.d
 sudo chmod +x /etc/init.d/domoticz.sh
 sudo update-rc.d domoticz.sh defaults
 sudo service domoticz.sh start
  • Go to “Setup”->”Hardware”
  • Add a OpenZWave USB device with the serial port: /dev/ttyAMA0

Done.

Monitoring Synology DS1511+ with OP5/Nagios


The basics: https://www.nickebo.net/monitoring-a-synology-nas-from-op5/

root@op5-system:~# snmpwalk -c public -v2c 192.168.2.85 SYNOLOGY-SYSTEM-MIB::synoSystem
SYNOLOGY-SYSTEM-MIB::SystemStatus.0 = INTEGER: Normal(1)
SYNOLOGY-SYSTEM-MIB::Temperature.0 = INTEGER: 48
SYNOLOGY-SYSTEM-MIB::PowerStatus.0 = INTEGER: Normal(1)
SYNOLOGY-SYSTEM-MIB::SystemFanStatus.0 = INTEGER: Normal(1)
SYNOLOGY-SYSTEM-MIB::CPUFanStatus.0 = INTEGER: Normal(1)
SYNOLOGY-SYSTEM-MIB::ModelName.0 = STRING: "DS1511+"
SYNOLOGY-SYSTEM-MIB::SerialNumber.0 = STRING: "B1J4N00273"
SYNOLOGY-SYSTEM-MIB::Version.0 = STRING: "DSM 4.3-3776"
SYNOLOGY-SYSTEM-MIB::UpgradeAvailable.0 = INTEGER: Checking(3)

snmpwalk -c public -v2c 192.168.2.85 SYNOLOGY-DISK-MIB::synoDisk

root@op5-system:/usr/share/snmp/mibs# grep "OBJECT IDENTIFIER" SYNO*.txt
SYNOLOGY-DISK-MIB.txt:synoDisk OBJECT IDENTIFIER
SYNOLOGY-RAID-MIB.txt:synoRaid OBJECT IDENTIFIER
SYNOLOGY-SPACEIO-MIB.txt:SpaceIO OBJECT IDENTIFIER
SYNOLOGY-STORAGEIO-MIB.txt:StorageIO OBJECT IDENTIFIER
SYNOLOGY-SYSTEM-MIB.txt:synology OBJECT IDENTIFIER
SYNOLOGY-SYSTEM-MIB.txt:synoSystem OBJECT IDENTIFIER ::= { synology 1 }
SYNOLOGY-SYSTEM-MIB.txt:Fan OBJECT IDENTIFIER ::= { synoSystem 4 }
SYNOLOGY-SYSTEM-MIB.txt:DSMInfo OBJECT IDENTIFIER ::= { synoSystem 5 }
SYNOLOGY-UPS-MIB.txt:synoUPS OBJECT IDENTIFIER
SYNOLOGY-UPS-MIB.txt:upsDevice OBJECT IDENTIFIER ::= { synoUPS 1 }
SYNOLOGY-UPS-MIB.txt:upsInfo OBJECT IDENTIFIER ::= { synoUPS 2 }
SYNOLOGY-UPS-MIB.txt:upsInfoMfr OBJECT IDENTIFIER ::= { upsInfo 6 }
SYNOLOGY-UPS-MIB.txt:upsInfoFirmware OBJECT IDENTIFIER ::= { upsInfo 10 }
SYNOLOGY-UPS-MIB.txt:upsInfoLoad OBJECT IDENTIFIER ::= { upsInfo 12 }
SYNOLOGY-UPS-MIB.txt:upsInfoDelay OBJECT IDENTIFIER ::= { upsInfo 14 }
SYNOLOGY-UPS-MIB.txt:upsInfoTimer OBJECT IDENTIFIER ::= { upsInfo 15 }
SYNOLOGY-UPS-MIB.txt:upsInfoTest OBJECT IDENTIFIER ::= { upsInfo 16 }
SYNOLOGY-UPS-MIB.txt:upsInfoPower OBJECT IDENTIFIER ::= { upsInfo 20 }
SYNOLOGY-UPS-MIB.txt:upsInfoRealPower OBJECT IDENTIFIER ::= { upsInfo 21 }
SYNOLOGY-UPS-MIB.txt:upsInfoStart OBJECT IDENTIFIER ::= { upsInfo 25 }
SYNOLOGY-UPS-MIB.txt:upsBattery OBJECT IDENTIFIER ::= { synoUPS 3 }
SYNOLOGY-UPS-MIB.txt:upsBatteryCharge OBJECT IDENTIFIER ::= { upsBattery 1 }
SYNOLOGY-UPS-MIB.txt:upsBatteryVoltage OBJECT IDENTIFIER ::= { upsBattery 2 }
SYNOLOGY-UPS-MIB.txt:upsBatteryRuntime OBJECT IDENTIFIER ::= { upsBattery 6 }
SYNOLOGY-UPS-MIB.txt:upsInput OBJECT IDENTIFIER ::= { synoUPS 4 }
SYNOLOGY-UPS-MIB.txt:upsInputVoltage OBJECT IDENTIFIER ::= { upsInput 1 }
SYNOLOGY-UPS-MIB.txt:upsInputTransfer OBJECT IDENTIFIER ::= { upsInput 2 }
SYNOLOGY-UPS-MIB.txt:upsInputCurrent OBJECT IDENTIFIER ::= { upsInput 5 }
SYNOLOGY-UPS-MIB.txt:upsInputFrequency OBJECT IDENTIFIER ::= { upsInput 6 }
SYNOLOGY-UPS-MIB.txt:upsOutput OBJECT IDENTIFIER ::= { synoUPS 5 }
SYNOLOGY-UPS-MIB.txt:upsOutputVoltage OBJECT IDENTIFIER ::= { upsOutput 1 }
SYNOLOGY-UPS-MIB.txt:upsOutputFrequency OBJECT IDENTIFIER ::= { upsOutput 2 }
SYNOLOGY-UPS-MIB.txt:upsOutputCurrent OBJECT IDENTIFIER ::= { upsOutput 3 }
SYNOLOGY-UPS-MIB.txt:upsAmbient OBJECT IDENTIFIER ::= { synoUPS 6 }
SYNOLOGY-UPS-MIB.txt:upsAmbientTemperature OBJECT IDENTIFIER ::= { upsAmbient 1 }
SYNOLOGY-UPS-MIB.txt:upsAmbientHumidity OBJECT IDENTIFIER ::= { upsAmbient 2 }
SYNOLOGY-UPS-MIB.txt:upsDriver OBJECT IDENTIFIER ::= { synoUPS 7 }
SYNOLOGY-UPS-MIB.txt:upsServer OBJECT IDENTIFIER ::= { synoUPS 8 }

The MIBs are found on the Synology:

synology02> pwd
/usr/syno/share/snmp/mibs
synology02> find . -type f -name 'SYNOLOGY*MIB.txt'
./SYNOLOGY-SPACEIO-MIB.txt
./SYNOLOGY-DISK-MIB.txt
./SYNOLOGY-STORAGEIO-MIB.txt
./SYNOLOGY-SYSTEM-MIB.txt
./SYNOLOGY-UPS-MIB.txt
./SYNOLOGY-RAID-MIB.txt

On the OP5 server, the MIBs have to be copied to /usr/share/snmp/mibs, after which they are available for snmpwalk and check_snmp.

Two additional snmp check commands (which I picked up from http://www.it-slav.net/blogs/2013/12/15/howto-monitor-netgear-readynas-rn104-with-op5-monitor-or-nagios/#more-2314):

# command 'custom_check_snmp_v2c_ranges'
define command{
command_name custom_check_snmp_v2c_ranges
command_line $USER1$/check_snmp -H $HOSTADDRESS$ -P 2c -o $ARG1$ -w $ARG2$ -c $ARG3$ -C$ARG4$ -m: -l $ARG5$
}

# command 'custom_check_snmp_v2c_regexp'
define command{
command_name custom_check_snmp_v2c_regexp
command_line $USER1$/check_snmp -H $HOSTADDRESS$ -P 2c -o $ARG1$ -R $ARG2$ -C$ARG3$ -m: -l $ARG4$
}

# service ‘L0 syno – Disk 1’
define service{
use default-service
host_name synology02
service_description L0 syno – Disk 1
check_command custom_check_snmp_v2c_regexp!SYNOLOGY-DISK-MIB::DiskStatus.0!Normal!public!"Disk 1:"
}

# service ‘L0 syno – Disk 2’
define service{
use default-service
host_name synology02
service_description L0 syno – Disk 2
check_command custom_check_snmp_v2c_regexp!SYNOLOGY-DISK-MIB::DiskStatus.1!Normal!public!"Disk 2:"
}

# service ‘L0 syno – Disk 3’
define service{
use default-service
host_name synology02
service_description L0 syno – Disk 3
check_command custom_check_snmp_v2c_regexp!SYNOLOGY-DISK-MIB::DiskStatus.2!Normal!public!"Disk 3:"
}

# service ‘L0 syno – Disk 4’
define service{
use default-service
host_name synology02
service_description L0 syno – Disk 4
check_command custom_check_snmp_v2c_regexp!SYNOLOGY-DISK-MIB::DiskStatus.3!Normal!public!"Disk 4:"
}

# service ‘L0 syno – Disk 5’
define service{
use default-service
host_name synology02
service_description L0 syno – Disk 5
check_command custom_check_snmp_v2c_regexp!SYNOLOGY-DISK-MIB::DiskStatus.4!Normal!public!"Disk 5:"
}

# service ‘L0 syno – Power Status’
define service{
use default-service
host_name synology02
service_description L0 syno – Power Status
check_command custom_check_snmp_v2c_regexp!SYNOLOGY-SYSTEM-MIB::PowerStatus.0!Normal!public!"Power:"
}

# service ‘L0 syno – System Status’
define service{
use default-service
host_name synology02
service_description L0 syno – System Status
check_command custom_check_snmp_v2c_regexp!SYNOLOGY-SYSTEM-MIB::SystemStatus.0!Normal!public!"Status:"
}

# service ‘L0 syno – Temperature Disk 1’
define service{
use default-service
host_name synology02
service_description L0 syno – Temperature Disk 1
check_command custom_check_snmp_v2c_ranges!SYNOLOGY-DISK-MIB::DiskTemperature.0!45!50!public!"Disk 1 temperature"
}

# service ‘L0 syno – Temperature Disk 2’
define service{
use default-service
host_name synology02
service_description L0 syno – Temperature Disk 2
check_command custom_check_snmp_v2c_ranges!SYNOLOGY-DISK-MIB::DiskTemperature.1!45!50!public!"Disk 2 temperature"
}

# service ‘L0 syno – Temperature Disk 3’
define service{
use default-service
host_name synology02
service_description L0 syno – Temperature Disk 3
check_command custom_check_snmp_v2c_ranges!SYNOLOGY-DISK-MIB::DiskTemperature.2!45!50!public!"Disk 3 temperature"
}

# service ‘L0 syno – Temperature Disk 4’
define service{
use default-service
host_name synology02
service_description L0 syno – Temperature Disk 4
check_command custom_check_snmp_v2c_ranges!SYNOLOGY-DISK-MIB::DiskTemperature.3!45!50!public!"Disk 4 temperature"
}

# service ‘L0 syno – Temperature Disk 5’
define service{
use default-service
host_name synology02
service_description L0 syno – Temperature Disk 5
check_command custom_check_snmp_v2c_ranges!SYNOLOGY-DISK-MIB::DiskTemperature.4!45!50!public!"Disk 5 temperature"
}

# service ‘L0 syno – Temperature System’
define service{
use default-service
host_name synology02
service_description L0 syno – Temperature System
check_command custom_check_snmp_v2c_ranges!SYNOLOGY-SYSTEM-MIB::Temperature.0!50!55!public!"System temperature"
}
