At first my use case was pretty simple. It wasn’t the host I needed to connect to which behind a firewall, but, as it turned out, I was.

I’ve got a box at home listening on a high port, as my provider is blocking the low <1024 ports, Which is a problem when I'm on a network which only allows outbound SSH connections on port 22. It's easy to hop around by first connecting to another server on regular port 22, but automating that with Patrick's proxycommand-plus-netcat trick proved to be handy in this situation, too.

I could easily add an entry to .ssh/config to manage this specific situation.

Now, the typical firewalled networks I need to use, I often work on them either by being on its premises, or remotely. When I need to connect remotely, especially for a longer period, I can often use a dedicated VPN for that, but very often I just want quickly check something on one host, and entering the network not by launching a full-blown VPN stack, but hopping through a SSH gateway, tends to be the preferred solution.

Normally, you then need separate .ssh/config entries for each host. And then you need a separate .ssh/config entry for each host using a specific ProxyCommand.

But this doesn’t scale well. One would need to manage redundant information. I don’t want to configure .ssh/config entries for each server separately to be reached from within its own LAN and remotely through SSH hopping.

I didn’t find a way to handle this with a config in .ssh/config only, but adding following little (Bash) function to my environment lets me use an extra ssh command which lets me use the same .ssh/config entries for both situations:

ssh-via () { proxy=$1 ; shift ; ssh -o Proxycommand="ssh $proxy nc %h %p" $* ; }

Just use ssh-via instead of plain ssh, and let the first parameter be the name of the .ssh/config entry for the gateway you need to use.

No fancy new flash website, just some simple pages, with some links to the git repository with the Docbook source code, the download page and some more stuff. I should add a short introduction about how to download the source and ‘compile’ a pdf.

From now on you also can download the latest version of the books, which are rebuild nightly after an updated was pushed. There’s also an online HTML version of the Fundamentals course for you to browse.

Paul kindly publishes his book under the Gnu Free Documentation license, which leanse you can freely download the books and update them. Don’t forget to send us the patches to your updates!

Thanks Paul!

Lots of howto’s tell you to update the standard PAM login service to use ldap, and to have openvpn use that login service for authentication. I expect in most cases you’ll probably just want to have a dedicated vpn server, and not having users logging in on the system wide login. At least, that’s what I needed today to migrate away from that password file based config.

That turned out to be quite easy once you get the pam config right, though I’m still not 100% positive this particular pam config is the most optimal. In the end I just defined a new openvpn pam service by creating /etc/pam.d/openvpn with a very short and simple config.

Here’s the configuration notes which reflect this config update. All users with an ldap account, and member of the remoteaccess group are granted access to openvpn.

--- openvpn_installation_howto.txt 31 Mar 2010 12:37:42 -0000 1.16
+++ openvpn_installation_howto.txt 23 Apr 2010 14:53:23 -0000
@@ -167,6 +167,25 @@
# Server configuration
######################

+## config update to authenticate & authorise through ldap
+aptitude install libpam-ldap
+
+- edit /etc/pam_ldap.conf
+ uri ldaps://ldap.server
+ base dc=division,dc=corp,dc=be
+ ldap_version 3
+ pam_groupdn cn=remoteaccess,ou=groups,dc=division,dc=corp,dc=be
+ pam_member_attribute memberUid
+ pam_password crypt
+ tls_checkpeer no
+- create /etc/pam.d/openvpn
+ auth required pam_ldap.so
+ account required pam_ldap.so
+- edit server-udp.conf and server-tcp.conf
+ #auth-user-pass-verify /etc/openvpn/fileauth.pl via-file
+ plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn


Being a proprietary tool, VMWare has a problem in common with Windows: it’s full off proprietary API’s you have to go through to be able to pull a backup. Also, whilst VMWare (ESX, but in practice also ESXi) has a unix/Linux like management environment, you don’t get all the tools you’d want to do your thing. Rsync to name one.

Of course, I you walk the line, buy sufficient licenses and extra software, you get to use VCB and can interconnect with “Supported” software like Symantec Backup Exec and the like.

But here and know, all I wanted, next to regular backups, was being able to easily pull backups to a Linux backup server (just a host with plent of disk space, and all the standard software I wanted.) Now, I found it hard to find the right solution to do that. Lots of custom scripts, but nothing that quickly worked. Often ugly scripts or hacks.

So far, the best solution i sticked to is the GhettoVCB script. Add a an NFS export from the Linux backup server to VMWare as a Datastore, and after a simple config, just run the script.

Downside of this approach, when used for a full ESX with SAN environment, is that you have to run in on the virtual host machines themselves, you can’t grab it over a separate VCB host which can haz its own SAN connection.

It works, but I still feel it’s awkward, not sure why. Anybody other suggestions for plain and simple backup tools for vmware?

I’m having fun

The exam procedure changed recently, and contains now only one single session of 3.5 hours. The topics by themselves are not hard, and should be easily mastered by every sysadmin with some decent experience. Some things are Red Hat specifics of course, so don’t try it if you never worked on a Red Hat (or obviously CentOS) box. What makes it hard though, is that you get a lot of topics you need to handle within a relatively short period. If you need to start diving in man pages to figure out how to configure things, better prepare yourself a bit more.

Oh, and yes, I passed . The RHCE part was pretty good actually, but I was in luck to just have slightly over the needed 70% for the RHCT part though. Thanks to one topic I didn’t master well enough.. oh well.

(If someone needs RHCE training books, send me a note!)

Ze hebben ook te kort op mijn toestel gestaan op er een backup van te hebben. Ik werk met een sync systeem die ieder uur mijn data van mijn desktop naar mijn server versast, en de laatste versie van die dag komt dan in de normale server backup terecht, waar met rsnapshot een historiek wordt van bijgehouden. Blijkbaar heb ik die foto’s dus geïmporteerd en gewist op dezelfde dag.

Uiteraard heb ik mijn 3 maandelijkse “Empty Trash” net in de voorbije maand gedaan. Of had ik die foto’s commandline en niet via mijn desktop file manager gewist.

Maar gezien dat mijn $HOME volledig in de backup zit, zit dus ook ~/.local/share/Trash/files . En in de daily.5/daily.6/weekly.0/weekly.1 versies van die Trash zaten wel nog mijn foto’s

Handig die backups waar je niet moet naar omzien en die je dus niet kan vergeten.

Lees hier het originele verhaal.