Sunday, April 27, 2014

owncloud 5->6 migration

You had some old owncloud VM kicking around for a while.  You want to save the data but trash the VM and start over - you're not sure how you installed owncloud anymore and you just don't want to deal with old VM baggage.  Or maybe your VM took a shit and all you have are the data and config files from the old release.

Either way, here's how to take some old owncloud 5 data files and get them operational with a new owncloud 6 install on debian jessie:

(From here on out our backups are assumed to be in the directory in the $ocbak variable.  Before running these commands just export that to be your actual backup location:

slice@own $ export ocbak='/mnt/ocbak'

Note also that you may be able to omit some of these steps, but this is the way I did it and it worked.

Also note that this guide doesn't cover apache config at all; a standard owncloud config should work fine, and make sure everything under /var/www can be served.)

Installation the first

First you need to find out what old owncloud version you were running.  Try running this command if you don't care:

slice@own $ wget http://download.owncloud.org/community/owncloud-`cat $ocbak/config/config.php | grep "'version'" | cut -d'=' -f2 | sed "s/.*'\\(.*\\)'.*/\\1/g"`.tar.bz2

That may fail - if so, take a look at the config file to get your version number.

slice@own $ vi $ocbak/config/config.php

Somewhere you'll see a line that looks like this:

'version' => '5.0.14',

Hit google for the download link for that tar file, or just do this:

slice@own $ wget http://download.owncloud.org/community/owncloud-5.0.14a.tar.bz2
slice@own $ tar xjf owncloud-5.0.14a.tar.bz2
slice@own $ mv owncloud /var/www/owncloud-5
slice@own $ cp -rfv $ocbak/* /var/www/owncloud-5
slice@own $ chown -Rc www-data:www-data /var/www/owncloud-5

Edit the config file (/var/www/owncloud-5/config/config.php) to point to the new data dir (/var/www/owncloud-5/data).  Then restart apache and log in to the site and make sure everything is good.

slice@own $ /etc/init.d/apache2 restart

Installation the second

Now we basically do the same thing over again with owncloud 6.  (Right now this is the latest - in the far future you might want to go to version 6 before going to whatever the current version in your unimaginable future time is.)

slice@own $ wget http://download.owncloud.org/community/owncloud-latest.tar.bz2
slice@own $ tar xjf owncloud-latest.tar.bz2
slice@own $ mv owncloud /var/www/owncloud-6
slice@own $ cp -rfv /var/www/owncloud-5/data /var/www/owncloud-5/config /var/www/owncloud-6/
slice@own $ chown -Rc www-data:www-data /var/www/owncloud-6

Edit the config file (/var/www/owncloud-6/config/config.php) to point to the new data dir (/var/www/owncloud-6/data).  Then restart apache and log in to the site and make sure everything is good.

slice@own $ /etc/init.d/apache2 restart

Installation the third (?)

You now have a working owncloud 6 setup, so you could just stop here.  However, a little extra work now should make future upgrades as simple as an aptitude update && aptitude upgrade.

Just to make sure some old configs don't get in the way, we'll try to purge owncloud before we install:

slice@own $ aptitude update
slice@own $ aptitude purge owncloud
slice@own $ aptitude install owncloud
slice@own $ cp -fv /var/www/owncloud-6/config/* /etc/owncloud/
slice@own $ cp -rfv /var/www/owncloud-6/data /usr/share/owncloud/
slice@own $ chown -Rc www-data:www-data /usr/share/owncloud/data /etc/owncloud/

Edit the config file (/etc/owncloud/config.php) to point to the new data dir (/usr/share/owncloud/data).  Then restart apache and log in to the site and make sure everything is good.

slice@own $ /etc/init.d/apache2 restart

Cleanup

If everything worked ok, we can get rid of the intermediate installations and the tar files:

slice@own $ rm -rfv owncloud-5.0.14a.tar.bz2 owncloud-latest.tar.bz2 /var/www/owncloud-5 /var/www/owncloud-6
slice@own $ /etc/init.d/apache2 restart

I'm pretty sure some steps could be skipped - you may be able to skip both manual installations and just drop your old data files in the debian install directories.  If you're brave, try it and leave a comment.  But this way certainly works.
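Added example, not from the original post: shell helpers for the two config.php edits each of the three installs above repeats, plus the version extraction the wget one-liner attempts.  It assumes config.php carries 'version' and 'datadirectory' keys in the "'key' => 'value'," form shown above; the sample config at the bottom is constructed for the demo.

```shell
# Added example (not from the original post). Assumes ownCloud's config.php
# uses 'version' and 'datadirectory' keys in "'key' => 'value'," form.

# Print the ownCloud version recorded in a config.php.
oc_version() {
    sed -n "s/^[[:space:]]*'version'[[:space:]]*=>[[:space:]]*'\([^']*\)'.*/\1/p" "$1"
}

# Print the current datadirectory value.
oc_get_datadir() {
    sed -n "s/^[[:space:]]*'datadirectory'[[:space:]]*=>[[:space:]]*'\([^']*\)'.*/\1/p" "$1"
}

# Point 'datadirectory' at $2. Refuses to touch the file when the key is
# absent, so a typo cannot leave the new install silently using the old
# tree's data dir. Writes via a temp file so a failed sed leaves the
# original intact. $2 must not contain '#' (used as the sed delimiter).
oc_set_datadir() {
    cfg=$1; newdir=$2
    grep -q "'datadirectory'" "$cfg" || { echo "no datadirectory key in $cfg" >&2; return 1; }
    sed "s#^\([[:space:]]*'datadirectory'[[:space:]]*=>[[:space:]]*'\)[^']*'#\1${newdir}'#" "$cfg" > "$cfg.tmp" \
        && mv "$cfg.tmp" "$cfg"
}

# Constructed sample: a minimal ownCloud 5 config.php for the demo.
make_sample_config() {
    cat > "$1" <<'EOF'
<?php
$CONFIG = array (
  'instanceid' => 'constructedid',
  'datadirectory' => '/var/www/owncloud/data',
  'version' => '5.0.14',
  'dbtype' => 'sqlite3',
);
EOF
}
```

After running oc_set_datadir, still chown the tree to www-data as above; the helper only rewrites the path.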

Friday, April 25, 2014

what exchange server version is my company using?

You have to use an Exchange server someone else administers.  You want to configure some other piece of software to talk to it, but all you have is your outlook web access page.  The other piece of software depends on the Exchange version.  Read on:

Pull up OWA.  In the relatively recent version I'm using, which does not list a year, the menu choices are Options->About, and then you look at the value for the "Version" field.  How to get to "About" may differ for you, but just click around a bit - OWA doesn't usually have a lot of menus, so it shouldn't be too hard to find.

Once you have your version string (mine was 14.1.438.0, but yours may differ), compare it to the following table to find the actual product version:

Product name                         Build number   Date
Microsoft Exchange Server 2003       6.5.6944       2003
Microsoft Exchange Server 2003 SP1   6.5.7226       5/25/2004
Microsoft Exchange Server 2003 SP2   6.5.7638       10/19/2005
Microsoft Exchange Server 2007       8.0.685.24     12/9/2006
Microsoft Exchange Server 2007       8.0.685.25     12/9/2006
Microsoft Exchange Server 2007 SP1   8.1.240.6      11/29/2007
Microsoft Exchange Server 2007 SP2   8.2.176.2      8/24/2009
Microsoft Exchange Server 2007 SP3   8.3.083.6      6/20/2010
Microsoft Exchange Server 2010       14.0.639.21    11/9/2009
Microsoft Exchange Server 2010 SP1   14.1.218.15    8/24/2010
Microsoft Exchange Server 2010 SP2   14.2.247.5     12/4/2011
Microsoft Exchange Server 2010 SP3   14.3.123.4     2/12/2013
Microsoft Exchange Server 2013       15.0.516.32    10/11/2012

(table from Technet)

So the version I'm using is 2010 SP1 with some patches applied.

Good luck; with Exchange interoperability, you'll need it.

Wednesday, April 23, 2014

running an openvpn server from home

After beating down my sysadmin ego by pouring days into alternate setups, I finally got an OpenVPN server running exactly as I wanted it on my home network.  If you need complete(-ish) local network access from remote devices, want to run it in a virtual environment, and only want to expose the single VPN port, here's how to do it.  Note that some of these steps assume you're using a VM server on the LAN running qemu-kvm, and your local machine connects to it with virt-manager.

    1. Download the i386 LiveCD w/ Installer pfsense image to your server.

root@server $ wget https://www.pfsense.org/download/download.php?url=http%3A%2F%2Ffiles.bgn.pfsense.org%2Fmirror%2Fdownloads%2FpfSense-LiveCD-2.1.2-RELEASE-i386.iso.gz
root@server $ mv download.php?url=http%3A%2F%2Ffiles.bgn.pfsense.org%2Fmirror%2Fdownloads%2FpfSense-LiveCD-2.1.2-RELEASE-i386.iso.gz /var/lib/libvirt/images/pfSense-LiveCD-2.1.2-RELEASE-i386.iso.gz

    2. Spin up the VM with pfsense.

lol@workstation $ virt-manager &

Connect to the server and make a new VM.  Choose local install media -> iso image -> choose the pfsense image.  OS type=UNIX, Version should autodetect to FreeBSD 8.x.  512MB RAM and a single core has been plenty for me, if my host gets strapped I'll probably drop the pfsense guest down to 256 and see how it does.  5GB hard disk is more than enough also.

Once the VM comes up, choosing all defaults is fine for installation.  Once the ncurses install is complete, the configurator will ask for the primary network interface, or try to do some kind of autodetection.  We created the VM with the default single interface because there is upstream DHCP coming from the home router and we're only using pfsense for the OpenVPN features, so the answer to the interface question is probably "em0".  Choose sensible options for everything else.

Note that after you choose what hostname pfsense will tell the upstream DHCP server, you will likely get a new IP after reboot, so check your DHCP logs for what the new IP is.

    3. Use this youtube video to configure the OpenVPN server.

I think I did everything exactly the same as the guy in the video, except I chose max key lengths, a longer AES cipher, and 9999 days for everything.  Stop when he gets to the client export/configuration part.

Make sure the "Local network" option is set to your local subnet, and the "IPv4 tunnel network" option is NOT set to your local subnet.  Not sure why the guy in the video used 192.168.2.0/24; I chose 10.0.0.0/24 since it's also designated for private networks and it's way more visible at a glance.

    4. Open the port on your router.

My router (a D-Link DIR-655) has a "virtual servers" option, which is like port forwarding on steroids.  Either way, this part is simple - make sure UDP port 1194 is open and points to your pfsense server.  It's probably a good idea to make sure the pfsense VM has a static IP at this point too.

    5. Set up dynamic DNS pointing at your house.

pfsense comes with clients for many free dynamic DNS services - I'm using no-ip.com.  Make an account and grab some trashy xxx.no-ip.biz domain.  In pfsense, go to services -> dynamic DNS and add your account.  Super simple, now your no-ip subdomain will always point at your house no matter how often your ISP changes your WAN IP.

    6. Make the Android client work.

The OpenVPN Connect app worked on the first try for me, and it's free, small, has few permissions and has a clean interface.  Plug your phone into the computer you're checking out pfsense on, then in the pfsense web UI go to VPN -> OpenVPN -> Client Export.  This will only be there if you installed the "export" package from the youtube video.

Make sure to choose the DynDNS option for your domain under Host name resolution.  If it isn't there for some reason, or if you don't want to run the dynamic DNS client on pfsense or whatever, just choose "other" and enter the domain manually there.

At the bottom, under the "Client Install Packages" section, click the "OpenVPN Connect (iOS/Android)" link.  The downloaded .ovpn file has "iOS" in the name, but don't worry about that.  Copy that file to your phone's storage (SD or onboard).  Pull up the OpenVPN app, choose Menu (the vertical ellipsis (...) button) -> Import Profile from SD card -> enter your username and password, and boom!  It should just work.

EDIT FOR T-MOBILE USERS: It just worked when I was on Verizon, because they're a lumbering behemoth and are still using IPv4 everyplace - if you're on T-Mobile, you'll need to follow a substep that I wrote up here.

    7. Make the Linux (NetworkManager) client work.

From the same client export page that we used in the last step, under the "Client Install Packages" section, click the "Standard Configurations: Archive" link.  Unzip the downloaded file somewhere in your home directory - default permissions were not cool, so take away everything but rx on the dir for owner, and just r for the owner on the files inside:

lol@vpnclient $ mv downloads/vpn-files.zip vpn-stuff/
lol@vpnclient $ cd vpn-stuff
lol@vpnclient $ unzip vpn-files.zip
lol@vpnclient $ sudo chmod -Rc a-rwx vpn-files
lol@vpnclient $ sudo chmod -Rc u+rx vpn-files
lol@vpnclient $ sudo chmod -c u-x vpn-files/*

(The chmod steps in the above are optional.  I know it could have been done more succinctly, but I don't typically use masks for chmod - of course I'm familiar with 0777, 0655 etc, but for non-standard permissions sets they seem obfuscating.  In ten years they probably won't, but I'm just not there yet.)
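Added example, not from the original post: the same owner-only lock-down in octal form, plus a check that nothing in the unpacked export directory is still readable by group or other (the .p12 bundle holds your private key, so this is the file that matters).  The directory and file names are assumptions and the sample export is constructed.

```shell
# Added example (not from the original post). Directory/file names assumed.

# Owner-only: directories 0500 (list + enter), files 0400 (read).
lock_vpn_dir() {
    dir=$1
    find "$dir" -type d -exec chmod 0500 {} +
    find "$dir" -type f -exec chmod 0400 {} +
}

# List every entry under $1 with any group/other bit set; return 1 if found.
find_exposed() {
    found=$(find "$1" \( -perm -g+r -o -perm -g+w -o -perm -g+x \
                      -o -perm -o+r -o -perm -o+w -o -perm -o+x \))
    [ -z "$found" ] || { printf '%s\n' "$found"; return 1; }
}

# Constructed sample export: an .ovpn profile and a .p12 bundle, unpacked
# with the loose default permissions the post complains about.
make_sample_export() {
    mkdir -p "$1"
    printf 'client\ndev tun\nremote vpn.example.no-ip.biz 1194 udp\n' > "$1/pfsense-udp-1194.ovpn"
    printf 'constructed placeholder, not a real PKCS#12 bundle\n' > "$1/pfsense-udp-1194.p12"
    chmod 0755 "$1"; chmod 0644 "$1"/*
}
```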

Click Network Manager icon -> VPN connections -> Configure VPN -> Import -> Choose the unzipped .ovpn file.  Everything except username and the two password boxes should be filled in, enter the user credentials you chose on pfsense and enter the same password again for the "private key password".  The three file pickers were all pointed at the same .p12 file - this is ok.

Remember that weird stuff might happen if you try to connect to the VPN while the client is already attached to the network you're attaching to.  To test, I just shut down the Android VPN client, created a wifi hotspot with my phone, attached to that with my laptop, and then connected just the laptop to the home VPN.

Hope it works for you!

Thursday, April 17, 2014

fun times with the ASRock Rack C2550D4I

An Intel Atom board with 4 cores, passively cooled, ~20 watt TDP, with 12 onboard SATA, one PCI-E 8x, and serious management features?  What's not to like?  This is a perfect board for a NAS build.

So, I got one.  Everything looked cool - it posted with no hassle, I went through and tweaked the BIOS for the heck of it, and then hit a brick wall when trying to install an operating system.

The thing would not boot from USB.  The motherboard has only one USB controller, and it can only drive three ports - they probably used up the other one internally for something or other, maybe the DRAC stuff; this board has a lot of connectivity.  A jumper controls whether you get one port on the rear or one port through the header.  But I tried all the ports - the devices showed up in the boot menu, but would not boot.  USB DVD drive, multiple flash drives, a USB Micro SD card adapter.  All of these things showed up in the boot menu, but when I chose them there was no read indicator on the device and the screen showed just a lonely, infinitely blinking underscore in the top left corner.

So I went back to read the newegg reviews to see if anyone could help.  The first reviewer was talking all "console redirection" and "remote media" and "you have to install Java".  So I realized I had to use the weird dedicated third Ethernet port to install the OS.  Seems convenient.

Buuuuut... it wasn't.  Here's what you have to do to install an OS ISO via the web management interface (also known as a "DRAC"):

1. Find it

Basically trivial - the C2550 Drac uses DHCP so it'll be on your subnet no matter how it's configured.  You can grab the IP from the BIOS (Server Mgmt -> BMC network configuration) or from your DHCP log.  Conveniently, Asrock decided not to give this interface a name, but it has Asrock's OUI (first half of the MAC), which is bc:5f:f4, so you should be able to narrow it down from there.  Or set a reservation from the BIOS, or any other fucking thing you'd like to do.

2. Access it

Go to the IP for the Drac page with a web browser.  This may be the worst embedded webpage I've ever seen.  It almost has it all - you have to accept a self-signed (or otherwise invalid) certificate for the page, install a recent Java (v7), add this certificate as an exception in Java, allow popups, and either allow all downloads automatically or widen popups and accept executable downloads (JNLP) any time you want to do something.  Let's go over that in more detail:
  • Accept the certificate:
This was much easier in Firefox - you just had to access the site via HTTPS and click the correct buttons a couple times.  In Chrome, this is what I had to do: go to the site via https by prepending "https://" to the IP, click the red broken evil lock icon to the left of the URL, then click Certificate Information -> Details tab -> Copy to File button -> Next -> choose option "Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B)" -> choose a filename.

Then you have to import this certificate file: Chrome Menu -> Settings -> Show Advanced -> Manage certificates button under the HTTPS/SSL heading -> Import -> Next -> Choose the file we just exported.
  • Install Java:
I'm sure you can figure this out.  Java.com, make sure it's at least Java 7.  Don't forget to untick the "turn my computer into a turd" box(es).
  • Allow Java to accept the site's bullshit:
Trying to use most any feature of the site will cause some supposedly friendly application to start shouting boxes at you, not identifying itself and talking all this trash about the Megarac SP and the folks that vouched for it.  Eventually I realized this is Java itself.  Fix it (on Windows) by going to Start Menu -> Java -> Configure Java -> Security tab -> Edit Site List button -> type your Megarac IP prefixed with "https://" in the weird box under the word "Location" -> click Add.
  • Allow popups:
When you go to the management page in Chrome, to the right of the address bar there's a little angry icon.  Click this and tick all the little things that you would never tick if you weren't forced to.

What the fuck, right?

3. Do it

Now you're in and the site will allegedly work for some features some of the time.  There's a gazillion options, but if you're trying to install an OS to that mother(board), you want Remote Control -> Console Redirection -> Java Console button.  This pops up a popup that you'll need to expand so you can click that you want to execute the binary file from unknown internet sources, and then you have to manually execute that binary file yourself by clicking it.  That spawns a popup which may itself have had a litter of popups - a grandpopup - and the whole family comes at you.   Just tell them all that you're fine, you don't need your windows washed, don't look them in the eyes, give them a fiver to go away or whatever.  Eventually, you get to something pretty cool, which for me is a Java app displaying the BIOS screen over my network.

Five seconds later, this effect wears off.  You realize that this feature would be cool if the server itself were downstairs, or in Pakistan, but when you have the board sitting in an open case right next to you, why do you have to use some of the shittiest software in the world to do it?  Why did those poor developers have to go to all the effort to build this?  It took them so much work they didn't even have time to replace the default Java Swing/AWT/IDGAF skin.  Furthermore, if I wanted my server in Pakistan, I would have gone there and paid like five dollars for it.

Now you click the Media menu option and the only suboption, Virtual Media Wizard.  It isn't a wizard, but that's ok because this is just about the simplest thing we've had to do this whole time.  Browse for your install ISO, connect the virtual DVD drive if you need to, and close the box.  Choose the Power menu option and reboot the server.

When it comes back, hit F11 to choose the boot device, and lo and behold, there's the virtual CDROM.  Choose it.  Install your operating system, and enjoy.

It would be worth it if your server were located in Pakistan.

P.S.: It turned out my failure to boot issue stopped happening when I pulled out the HighPoint RocketRaid 2680SGL that had been in the PCI slot.  Still working on that one, but it's cool that I'll be able to reinstall my operating system or reboot my server later without going downstairs.

P.P.S.: The RocketRaid needed to be flashed to the latest BIOS.  This card claims to have support on Windows, Linux, and Mac, but the flash utility only worked on Windows - extensive searching revealed a Linux version, but this never seemed to see the card.  Fortunately I had a Windows machine, otherwise that motherfucker would have been returned.  When flashing, you need to turn off the "INT13" option, but this didn't really do the trick either.  Finally, I found some sort of "disable option ROM" option in the motherboard BIOS.  Now I don't get to see the status of my attached drives when booting, but that's ok because I'm not using this thing for hardware RAID anyway.  But if you want to do hardware RAID for some reason, watch out - the RocketRaid was damn finicky, and if I had to do it over again I would have shelled out the extra $50 for the low-tier eight-port LSI card.