Bellman: Difference between revisions

From Wildsong
Brian Wilson (talk | contribs)
 
(186 intermediate revisions by the same user not shown)
Line 1: Line 1:
Bellman is a Debian Linux server. It is on a UPS and lives in my electronics lab.
Bellman is a very small Linux server. Currently its primary job is to run Docker containers.


[[File:bellman.jpg|left]]
Line 10: Line 10:
<br clear=all/>


== Jessie to Stretch ==

Following advice on this page, https://linuxconfig.org/how-to-upgrade-debian-8-jessie-to-debian-9-stretch I am upgrading from 8.x to 9.x

Special things I did

To update the kernel,
 dpkg --remove hll2320dcupswrapper:i386
 dpkg --remove hll2320dlpr:i386
 apt-get remove mongodb-clients mongodb-server **
 apt-get remove python-samba
 apt-get install linux-headers-4.9.0-3-amd64

Using "apt-get install linux-image-amd64" did not work;
I could not get it to trigger the dependency on linux-headers-4.9.0-3-amd64
until I told it to install the specific version. This step required "repeal and replace" of 404 MB of packages; but it worked!

** This triggered the removal of unifi, which will be in a docker container soon anyway.

=== Back ups ===

Disk
 sudo mkdir bellman
 bwilson@bellman:/green/BACKUPS$ cd bellman
 bwilson@bellman:/green/BACKUPS/bellman$ sudo rsync -av --exclude /proc --exclude /var/tmp --exclude /sys --exclude /dev --exclude /home --exclude /green / .

Back up mysql - important ones are asterisk and owncloud, everything else can go.
Well okay I guess maybe phpmyadmin can stay too.

 sudo mkdir bellman_mysql
 cd bellman_mysql
 for i in asterisk mysql owncloud phpmyadmin yaris ; do
   mysqldump $i > $i.sql
 done

== todo ==

complete backups (see section below)

8/5/20 There is a partial rsync of Supermicro Bellman on Wenda in ~bwilson/bellman.

== Stupid AppArmor complaint ==

I finally fixed the error that was being logged once per minute endlessly,

 [192526.044351] audit: type=1400 audit(1649031318.465:3607): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/snap/bin/" pid=845699 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

I put this in /etc/apparmor.d/local/usr.sbin.ntpd

  /snap/bin/ r,

then I did this and checked for errors. I deleted /etc/apparmor.d/disable/usr.sbin.rsyslogd to eliminate a whine

 systemctl reload apparmor.service
 systemctl status apparmor.service
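The rsync and mysqldump commands from the "Back ups" section, collected into one script as an added example; this is not the wiki's own backup procedure. It assumes the /green/BACKUPS location from the page, excludes a few more pseudo-filesystems than the original rsync line, and lets MYSQLDUMP and RSYNC be overridden so the database part can be exercised without a running MySQL server. The point it adds is that a dump which fails half-way is deleted rather than left behind as a plausible-looking .sql file.

```sh
#!/bin/sh
# Added example (not the wiki's own backup commands): the rsync + mysqldump
# routine from the "Back ups" section as a script that fails loudly instead of
# leaving a half-written dump behind.
# Assumptions: BACKUP_ROOT is /green/BACKUPS as on the page; MYSQLDUMP and
# RSYNC can be overridden (e.g. MYSQLDUMP="echo ..." for a dry run).
set -u
BACKUP_ROOT="${BACKUP_ROOT:-/green/BACKUPS}"
MYSQLDUMP="${MYSQLDUMP:-mysqldump}"
RSYNC="${RSYNC:-rsync}"

# Copy the root filesystem, skipping pseudo-filesystems and the data volumes
# (/home and /green are excluded on the page's rsync line as well).
backup_disk() {   # dest
    $RSYNC -aAX --delete \
        --exclude=/proc --exclude=/sys --exclude=/dev --exclude=/run \
        --exclude=/tmp --exclude=/var/tmp --exclude=/media --exclude=/mnt \
        --exclude=/home --exclude=/green \
        / "$1/"
}

# Dump each named database to dest/<db>.sql. The dump goes to a .tmp file
# first and is renamed only on success, so a failed dump cannot be mistaken
# for a good backup later.
dump_databases() {   # dest db...
    dest="$1"; shift
    mkdir -p "$dest" || return 1
    rc=0
    for db in "$@"; do
        if $MYSQLDUMP --single-transaction "$db" > "$dest/$db.sql.tmp"; then
            mv "$dest/$db.sql.tmp" "$dest/$db.sql"
        else
            echo "dump of $db failed" >&2
            rm -f "$dest/$db.sql.tmp"
            rc=1
        fi
    done
    return $rc
}

# How many completed .sql dumps a directory holds (post-run sanity check).
count_dumps() {   # dest
    ls "$1"/*.sql 2>/dev/null | wc -l | tr -d ' '
}

# Usage: sudo sh backup.sh run
if [ "${1:-}" = "run" ]; then
    stamp=$(date +%Y%m%d-%H%M%S)
    backup_disk "$BACKUP_ROOT/bellman" &&
    dump_databases "$BACKUP_ROOT/bellman_mysql/$stamp" \
        asterisk mysql owncloud phpmyadmin yaris
fi
```

Each run of the database part lands in its own timestamped directory, so an older good dump is never overwritten by a newer failed one.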
== Audio notes ==
 
For a few months Bellman lived in my structured media panel. Now he and [[Wenda]] are back in the lab again where they can be on a UPS.
 
Bellman is powered on all the time so it should look like this,
 
[[Murre]] line out => line in [[Bellman]] line out => Speakers
 
But there is no line out on Bellman. I have a single headphone jack for an audio connector. So much for that idea.
 
=== Streaming audio to speakers connected directly. ===
 
# Test bellman audio.
## Output to speakers: set up alsamixer, play a file and see if sound comes out.
##: play /usr/share/sounds/sound-icons/violoncello-7.wav
## Input from microphone array. They say there is one?
 
In the old Supermicro days, it was possible to route the audio through Bellman via this magic command
from https://askubuntu.com/questions/211136/get-the-audio-from-line-in-to-output-to-the-speaker
 
<pre>
# manually start the module-loopback
pactl load-module module-loopback

# configure your system to load module-loopback on startup
# this places load-module module-loopback at the end of
# the /etc/pulse/default.pa pulseaudio configuration file.
sudo sh -c 'echo "load-module module-loopback" >> /etc/pulse/default.pa'
</pre>
 
Now sound can pass through. Since Bellman is always running, he gets to be connected directly to the speakers.
This command will not work without a display,
 
pavucontrol
 
=== Streaming audio to another sink ===
 
How can I route audio from Docker containers to a speaker somewhere else in the house?
The Pi Zero living in the kitchen needs to accept a stream over WiFi.
https://bbs.archlinux.org/viewtopic.php?id=136474
 
== Software ==
 
* 2023-11-30 Debian 12 "Bookworm"
* 202? Ubuntu Server 20.04 LTS ("focal"), upgraded to 22.04 LTS ("jammy")
 
=== apt packages ===
 
This is a list of things added after a basic installation of Ubuntu.
The goal this time out is to put ''every service'' into a Docker container,
so the list of added packages is minimal.
 
autofs
emacs-nox fail2ban mlocate
net-tools
nfs-common (needed to mount synology volumes locally, notably /green/music)
lm-sensors (use "sensors-detect" to config and "sensors" to read core temperatures)
rsync sudo
 
Left over from Ubuntu Bellman
  pulseaudio pulseaudio-utils avahi-daemon
  pavumeter pavucontrol ubuntu-sounds
timeshift
 
=== additional software ===
 
Not installed from the standard Debian repositories
 
Conda - Miniconda3 is installed in my home directory.
 
Docker: https://docs.docker.com/engine/install/debian/
Remember to add your account to the docker group.
 
== Disable IPV6 ==
 
Create this file, then reload sysctl
 
<pre>
root@bellman:/etc/sysctl.d# cat 10-disable_ipv6.conf
# 2024-11-24
# Disabling the IPv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.wlan0.disable_ipv6 = 1
</pre>

 sysctl --system
 
Check with ip addr command, look for ipv6 addresses. They should be gone.
 
== Firewall ==
This is all different under Ubuntu. Hmm.
 
See https://blog.daknob.net/debian-firewall-docker/ for ideas.
 
I use my own bash script to load iptables rules. See /usr/local/bin,
/etc/network, and /var/lib/vastra.
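The page's own rule loader in /usr/local/bin is not shown. What follows is an added example, not that script, covering the layout described here and in the older "Firewall migration" notes further down: eth0 as the LAN port, eth1 as the WAN port, NAT for outbound LAN traffic, and the SIP/RTP/HTTP ports opened on the WAN side for Asterisk. It also sets up a DOCKER-USER chain, the chain Docker evaluates before its own FORWARD rules, so that published container ports are not reachable from the WAN unless a rule is added there. The LAN range and the RTP port range are placeholders, and IPT can be set to "echo iptables" to print the rules instead of loading them.

```sh
#!/bin/sh
# Added example, not the wiki's own /usr/local/bin script: a small iptables
# rule loader for the layout the page describes (eth0 = LAN, eth1 = WAN,
# Bellman doing NAT for outbound LAN traffic, a few WAN ports opened for
# Asterisk). Assumptions: LAN_NET and the RTP range are placeholders; set
# IPT="echo iptables" to print the rules instead of loading them.
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

flush_all() {
    for t in filter nat; do $IPT -t $t -F; done
}

base_policy() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    # the LAN side is trusted for host services (ssh, dnsmasq, cups, ...)
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
}

# NAT for LAN traffic going out the WAN port, plus the matching FORWARD rules.
nat_outbound() {
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Open one port on the WAN side for a service running on the host itself.
# Usage: open_wan_port tcp 5060     open_wan_port udp 10000:20000
open_wan_port() {
    $IPT -A INPUT -i "$WAN_IF" -p "$1" --dport "$2" -m conntrack --ctstate NEW -j ACCEPT
}

# Docker manages FORWARD itself and jumps to DOCKER-USER first, so the
# decision about published container ports belongs here, not in FORWARD.
docker_user_chain() {
    $IPT -N DOCKER-USER 2>/dev/null
    $IPT -F DOCKER-USER
    $IPT -A DOCKER-USER -i "$WAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
    # nothing new from the WAN reaches a container unless a rule is added above this line
    $IPT -A DOCKER-USER -i "$WAN_IF" -m conntrack --ctstate NEW -j DROP
    $IPT -A DOCKER-USER -j RETURN
}

load_rules() {
    flush_all
    base_policy
    nat_outbound
    open_wan_port tcp 5060          # SIP over TCP
    open_wan_port udp 5060          # SIP over UDP
    open_wan_port udp 10000:20000   # RTP (range is an assumption)
    open_wan_port tcp 80            # HTTP
    docker_user_chain
}

# Usage: sh firewall.sh apply     (or IPT="echo iptables" sh firewall.sh apply)
if [ "${1:-}" = "apply" ]; then
    load_rules
fi
```

Running it with IPT set to "echo iptables" first is the cheap way to review the complete rule set before it touches the kernel, which matters on a box that is also the router for the whole LAN.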
 
== Email ==
 
I gave up on Dockerizing this for now. Ubuntu wisely switched from exim4 to postfix at Jammy.
 
But Bellman is currently running exim4 so anyways I set it up as a smarthost https://askubuntu.com/questions/167043/how-do-i-configure-exim4-to-send-mail-through-a-password-protected-ssl-smtp-mail using Porkbun. https://kb.porkbun.com/article/146-email-client-configuration-settings
 
 
I had to change the exim4 config with '''dpkg-reconfigure exim4-config''' followed by '''update-exim4.conf''' and '''systemctl restart exim4'''
 
I had to login to porkbun in /etc/exim4/passwd.client
 
I had to rewrite the sender in /etc/exim4/conf.d/rewrite/00_exim4-config_header like this
 
 
== Printing ==
 
The Brother printer is currently connected to [[Wenda]] not Bellman.
When it ''was'', I found the Linux drivers for my HL-L2320D printer didn't work,
so I set up a raw driver on Bellman and then used the appropriate driver
(manually selected) on client computers. It works fine.
 
=== Allow remote access ===
 
cupsctl --remote-admin --remote-any --share-printers
 
I also had to edit and add to /etc/cups/cupsd.conf
 
HostNameLookups on
 
and then
 
systemctl restart cups
 
== NFS mounts ==
 
The Synology is automounted via the autofs package on /net/wenda/volume1/*
I had to uncomment the /net line in /etc/auto.master to enable this.
 
== Backups ==
 
Strategy -- back up to one of three USB drives. Keep one offsite, someplace?
 
=== borgjs setup ===
 
See ~bwilson/Backups/README.md. Output goes to an attached USB drive.
 
First time out, you must initialize the repository.
 
fdisk /dev/sdb
mkfs.btrfs /dev/sdb1
mount /dev/sdb1 /media/Backups
borg init -e none /media/Backups
 
I opt for no encryption when going to an attached hard drive.
 
See https://github.com/vesparny/borgjs
 
My system is not smart enough yet to mount the drives itself, so when I swap them out I have to do a mount operation (first make sure you have the right device).
 mount /dev/sdb1 /media/Backups
I tried putting it in a Docker container and gave up. It's installed on Bellman, directly. The container seemed to run and never terminate, which is disturbing. How can I check the status? I wrote a script for that, run "./check_status.sh". The script does not need docker.
 
=== Recovery ===
If I can't recover a file from a backup, I need to find a different strategy.
 
Today I pretend I want just one file, so I do this: list the backups and pick one, mount it, copy.
 
sudo borg list /media/Backups
  sudo borg mount /media/Backups::20240822-125406 /mnt
 
Don't forget when you are done to unmount.
 
sudo umount /mnt
 
=== Home Assistant backups ===
2023-1-1 working
 
Nightly backup of sqlite3 databases and loose files in config directory, to /net/wenda/volume1/Wildsong/Backups/home-assistant/
 
== BBR congestion ==
 
See https://www.cyberciti.biz/cloud-computing/increase-your-linux-server-internet-speed-with-tcp-bbr-congestion-control/
for example.
 
Is kernel ready?


<pre>
uname -a
Linux bellman 4.9.0-3-amd64 #1 SMP Debian 4.9.30-2+deb9u2 (2017-06-26) x86_64 GNU/Linux
grep 'CONFIG_TCP_CONG_BBR' /boot/config-$(uname -r)
grep 'CONFIG_NET_SCH_FQ' /boot/config-$(uname -r)
egrep 'CONFIG_TCP_CONG_BBR|CONFIG_NET_SCH_FQ' /boot/config-$(uname -r)

sudo -s
cat > /etc/sysctl.d/10-custom-kernel-bbr.conf <<EOF
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr
EOF
</pre>

'''sysctl --system'''
<pre>
* Applying /etc/sysctl.d/10-custom-kernel-bbr.conf ...
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr
* Applying /etc/sysctl.d/30-postgresql-shm.conf ...
* Applying /etc/sysctl.d/99-sysctl.conf ...
net.ipv4.ip_forward = 1
* Applying /etc/sysctl.d/asterisk.conf ...
kernel.core_uses_pid = 1
kernel.core_pattern = /tmp/core-%e-%s-%u-%g-%p-%t
fs.suid_dumpable = 2
* Applying /etc/sysctl.conf ...
net.ipv4.ip_forward = 1
</pre>

That's that.

<pre>
aptitude search '~o'
i A cpp-4.6                        - GNU C preprocessor
i   deb-multimedia-keyring         - GnuPG archive key of the deb-multimedia repository
i A emacs23                        - The GNU Emacs editor (with GTK+ user interface)
i A emacs23-bin-common             - The GNU Emacs editor's shared, architecture dependent files
i A emacs23-common                 - The GNU Emacs editor's shared, architecture independent inf
i   freeradius-dialupadmin         - set of PHP scripts for administering a FreeRADIUS server
i A gcc-4.6                        - GNU C compiler
i A gcc-4.6-base                   - GCC, the GNU Compiler Collection (base package)
i A libaacplus2                    - AAC+ encoding library - runtime files
i   libatalk18                     - AppleTalk library used by Netatalk
i A libavdevice56                  - FFmpeg device handling library
i   libboost-iostreams1.49.0       - Boost.Iostreams Library
i   libexiv2-12                    - EXIF/IPTC metadata manipulation library
i A libfdk-aac1                    - Fraunhofer FDK AAC codec library.
i A libffi5                        - Foreign Function Interface library runtime
i   libgcrypt11                    - LGPL Crypto library - runtime library
i   libgnutls26                    - GNU TLS library - runtime library
i A libjpeg8                       - Independent JPEG Group's JPEG runtime library
i A libjpeg8-dev                   - Development files for the IJG JPEG library
i   libmagickcore5                 - low-level image manipulation library
i   libmagickcore5-extra           - low-level image manipulation library - extra codecs
i   libmagickwand5                 - image manipulation library
i A libmpc2                        - multiple precision complex floating-point library
i A libpostproc53                  - postproc shared libraries
i   libprocps0                     - library for accessing process information from /proc
i A libruby1.9.1                   - Libraries necessary to run Ruby 1.9.1
i A libswresample1                 - FFmpeg audio rescaling library
i   libtasn1-3                     - Manage ASN.1 structures (runtime)
i A libtiff4                       - Tag Image File Format (TIFF) library (old version)
i   libudev0                       - libudev shared library
i A libutvideo15                   - Ut Video Codec Suite library
i A libvidstab1.0                  - Video stabilization library.
i A libx264-146                    - x264 video coding library
i A libx265-51                     - x265 video coding library
i   linux-headers-3.2.0-4-amd64    - Header files for Linux 3.2.0-4-amd64
i A linux-headers-3.2.0-4-common   - Common header files for Linux 3.2.0-4
i A linux-image-3.2.0-4-amd64      - Linux 3.2 for 64-bit PCs
i A linux-kbuild-3.2               - Kbuild infrastructure for Linux 3.2
i   logitechmediaserver            - Streaming Audio Server
i   mysql-apt-config               - Auto configuration for MySQL APT Repo.
i   netatalk                       - AppleTalk user binaries
i   python2.6-minimal              - Minimal subset of the Python language (version 2.6)
i A ruby1.9.1                      - Interpreter of object-oriented scripting language Ruby
i   unifi                          - Ubiquiti UniFi server
i   virtualbox-5.0                 - Oracle VM VirtualBox
</pre>

Sigh... printers... sigh... will have to deal with it again.
<pre>
dpkg -C
The following packages have an unknown foreign architecture, which will
cause dependency issues on front-ends. This can be fixed by registering
the foreign architecture with dpkg --add-architecture:
hll2320dcupswrapper  Brother HL-L2320D CUPS wrapper driver
hll2320dlpr          Brother HL-L2320D LPR driver
</pre>

Not sure why I enabled backports. Will find out someday, perhaps.
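Both the "Disable IPV6" file and the BBR file above are applied with "sysctl --system", and the page checks the result by eye (ip addr, the sysctl output). As an added check, not part of the wiki, the script below reads a sysctl.d fragment and compares every key with the live value under /proc/sys, reporting mismatches and keys the running kernel does not have at all (net.ipv6.conf.wlan0.* on a box with no wlan0, for instance, which would otherwise pass silently). SYSCTL_ROOT is an assumption added so the check can be run against a constructed copy of /proc/sys.

```sh
#!/bin/sh
# Added example, not from the wiki: after "sysctl --system", confirm that every
# setting in a sysctl.d fragment (the IPv6 file, the BBR file) is really live
# in the kernel. A key that does not exist on this kernel (wlan0 on a box
# without WiFi) is reported as <absent> instead of silently passing.
# Assumption: SYSCTL_ROOT can be pointed at a copy of /proc/sys for testing.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# net.ipv4.tcp_congestion_control -> /proc/sys/net/ipv4/tcp_congestion_control
sysctl_path() {
    echo "$SYSCTL_ROOT/$(echo "$1" | tr . /)"
}

# Print the live value of one key; prints nothing (and still succeeds) if the
# key does not exist on this kernel.
sysctl_live() {
    p=$(sysctl_path "$1")
    if [ -r "$p" ]; then cat "$p"; fi
}

# Compare each "key = value" line of a fragment with the live value.
# Prints "key expected actual" per mismatch; returns 1 if there was any.
# (Values containing '#' are not supported: '#' starts a comment here.)
verify_sysctl_file() {
    rc=0
    # drop comments and blank lines, normalise "key = value" to "key=value"
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' \
        -e 's/[[:space:]]*=[[:space:]]*/=/' -e 's/[[:space:]]*$//' "$1" |
    while IFS='=' read -r key want; do
        key=$(echo "$key" | tr -d '[:space:]')
        have=$(sysctl_live "$key")
        if [ "$have" != "$want" ]; then
            echo "$key $want ${have:-<absent>}"
        fi
    done | grep . && rc=1
    return $rc
}

# Usage: sh verify-sysctl.sh /etc/sysctl.d/10-disable_ipv6.conf
if [ -n "${1:-}" ]; then
    verify_sysctl_file "$1"
fi
```

A clean run prints nothing and exits 0, so it can sit in a cron job or a post-boot unit and only make noise when a setting has drifted or a fragment names an interface that no longer exists.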


== Services that run here ==


I am in the process of migrating some of these services to run in Docker containers.
* [[Asterisk]] to run our phones
* [[gpsd]] well --- not in Astoria, not yet anyway. :-(
* Festival for text to speech in Asterisk
* mysql for asterisk and [[Owncloud]]
* [[Owncloud]] server
* [[Nginx]] for munin and [[Owncloud]]
* cups to share Brother and Canon printers
* Logitech squeezebox server [http://bellman.wildsong.biz:9000/ SqueezeBox] See [[Streaming media]] for installation notes.
* ssh to allow remote access
* fail2ban to cut off break in attempts via ssh
* UPS daemon to monitor UPS
* [[Netatalk]] to support Timemachine backups

* git moved to Synology [[Wenda]] (see [[Running my own git server]])
* Brother printer moved to [[Wenda]]
* ssh to allow remote access
* fail2ban to cut off break in attempts via ssh


=== DNS ===

I tried to get dnsmasq to happily live in a container and failed (it would not come back up on reboots.)
So dnsmasq runs on the host.

=== Network syslog ===

To allow devices such as [[Grandstream GXV3240]] phones to spit out logging information, I enable rsyslog from remote hosts: in /etc/rsyslog.conf
you must uncomment 2 lines and restart rsyslogd:

<pre>
# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")
</pre>

=== Services in Docker containers ===

/etc/docker/daemon.json looks like this
<pre>
{
    "data-root": "/var/lib/docker",
    "storage-driver": "overlay2",
    "dns" : ["127.0.0.11", "1.0.0.1", "1.1.1.1"],
    "dns-search":["wildsong.biz"]
}
</pre>

{| border=1
|-
| service || containers || notes
|-
| [[Home Assistant]] || home-assistant, node red, mosquitto || Compose
|-
| Proxy || proxy, letsencrypt || Stack
|-
| Squeezebox || squeezebox compose || Squeezebox server [http://bellman.wildsong.biz:9000/ SqueezeBox] See [[Streaming media]] for installation notes.
|-
| Traccar || traccar and mysql || Stack
|-
| [[Unifi]] || || Stack
|}

<pre>
$ docker stack ls
NAME                SERVICES            ORCHESTRATOR
dnsmasq             1                   Swarm
proxy               3                   Swarm
traccar             2                   Swarm
</pre>

See also, [[Asterisk in Docker]]
geoserver
Vault
and others...

== History ==

2023-11 Replaced NVME with a new one and installed Debian 12 (Bookworm).

2022-03-02 Installed Docker from the Docker repo per https://docs.docker.com/engine/install/ubuntu/#install-using-the-repository so I can use buildx now.

2020-12-03 Installed exim4 and configured to use Sendgrid.

2020-12-01 Moved dnsmasq from Docker container to host, it just was not restarting properly when I rebooted and that would take my entire network offline.

2020-10-18 Moved from garage to structured media panel.

2020-08-05 Intel NUC edition hardware arrived. Installed Ubuntu Server 20.04.1 LTS.

2020-07-29 Bellman, Supermicro edition completely went dark. I set up [[Tern]] as a temporary replacement and ordered an Intel NUC.

2020-01-20 - started generating errors: '''NMI: IOCK error (debug interrupt?) for reason 61 on CPU 0.'''
Then it would not restart. I ended up replacing the CR2032 (did not help) and then reseating the connectors. '''Fixed'''. This system is getting long in the tooth.

2019-10-04 - fix for networking, applied on [[Dart]] too.
 update-alternatives --set iptables /usr/sbin/iptables-legacy
 update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy

2019-10-03 - Upgraded to Debian Buster (10) and this broke Docker because of the move from iptables to nftables. Must fix ASAP. All Dockers are broken. How dismaying. Repeat after me: "It's only a hobby."

2019-05-09 - Added docker-compose for elasticsearch and per recommendations of ElasticSearch docker docs, changed vm.max_map_count; it was 65530 and I set it: sysctl -w vm.max_map_count=262144

2019-04-26 - Moving NVMe WDC Black drive from Murre to Bellman.

2018-03-20 - Installed 8TB Archive drive, for TimeMachine and Owncloud storage. Moved from 120GB SSD to 750GB Samsung Evo 840.
Installed clean copy of Stretch on the SSD.

2017-09-06 - Upgrade to 32GB RAM, yay! I need to do something with all that space. I did move /tmp to RAM; see [[SSD optimizations]]. I also removed a lot of dead code including lightdm (how'd that get in there?)
 bwilson@bellman:~$ free
               total        used        free      shared  buff/cache  available
 Mem:      32937080    2287376    '''27811208'''      25700    2838496    30153064

2017-08-25 - Migrated mariadb and owncloud to Docker

2017-07-25 - Migrated logitech media server to Docker

2017-07-25 - Upgraded to Debian 9 (Stretch)

2016-10-16 - Seeing disk errors in the WDC. It's 6 years old! REPLACE!!! ''Installed new Seagate Barracuda ST2000DM006 2TB $70 10-26-16''

== Router migration ==

I dumped my little Mikrotik router and currently use Bellman as a router and firewall.
The main reason is that MT does not support OpenVPN over UDP and I need to set up a connection
to a remote site with OpenVPN. I want to do site-to-site.

# DHCP migration was easy.
# DNS migration: same
# Firewall: meh, probably easier to maintain in Bellman, I have scripts there already; replicated the same rules
# L2TP: in progress

First capture all existing settings from Mikrotik: can't be easier, just do an export like this:
  ssh 192.168.1.1 export > mt_export_20170406

=== DHCP migration ===

I had to open port 67 on Bellman's firewall, after that it was done.

See /etc/dnsmasq.d/wildsong.biz

=== DNS migration ===

I read out the mappings from the MT and put them into /etc/hosts and it works.

Since dnsmasq is doing DHCP on Bellman, it catches names when devices register and puts them into DNS too. Slick.

=== Firewall migration ===

Most of the Mikrotik port forwarding rules simply passed traffic to Bellman, so instead of NAT
I have to open outside ports for access to Twilio. I had already done that as part of the
[[Vastra]] installation.

These services run on Bellman, so they no longer require NAT and port forwarding. This makes life a lot easier.

* SIP over TCP
* SIP over UDP
* RTP for VOIP
* IAX (disabled)
* HTTP

Bellman has to do NAT for LAN traffic outbound.

To configure the firewall, I implemented two bash scripts, one fires on eth0 (LAN port) and
the other fires on eth1 (WAN port).

I continue to use eth0 as the LAN port
and I put DHCLIENT onto eth1 and it is the WAN port.

=== L2TP migration ===

https://firstdigest.com/2014/12/ipsec-vpn-mikrotik-to-linux/

 ip ipsec
 proposal add name=Bellman auth-algorithms=sha1 enc-algorithms=aes-256-cbc pfs-group=none
 policy add src-address=192.168.89.0/24 dst-address=192.168.1.0/24 protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=11.11.11.11 sa-dst-address=22.22.22.22 proposal=Bellman
 peer add address=22.22.22.22 port=500 auth-method=pre-shared-key secret='''my_preshared_key''' exchange-mode=main send-initial-contact=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des,aes-128 dh-group=modp1024 generate-policy=no

=== OpenVPN configuration ===

[[OpenVPN]]

== Additional software tools installed ==

* X11 desktop so I can use it from my workbench.

== History ==

2016-10-16 - Seeing disk errors in the WDC. It's 6 years old! REPLACE!!! ''Installed new Seagate Barracuda ST2000DM006 2TB $70 10-26-16''
Line 236: Line 394:
where '''X''' is the appropriate drive letter, do NOT use the wrong letter!


Step 2. Boot Bellman with the thumbdrive
Step 2. Boot Bellman with the thumb drive


Step 3. Look around
Line 398: Line 556:


== Hardware ==
Newegg 10/16/2016 Inv 143374043
* sdb = Seagate BarraCuda ST2000DM006 2TB 64MB (Installed 10-26-16)
Newegg 11/21/2014 Inv #120335149
* SUPERMICRO SYS-5018A-FTN4 1U Rackmount Server Barebone FCBGA 1283 DDR3 1600/1333
* SUPERMICRO MCP-220-00051-0N Single 2.5" Fixed HDD Mounting Bracket
* Kingston 8GB 204-Pin DDR3 SO-DIMM ECC Unbuffered DDR3 1600 (PC3 12800) Server Memory Model KVR16LSE11/8KF
* sda = Samsung MZ7WD120HCFV-00003 120GB
eth0 00:25:90:F7:37:72
Bellman is configured to bring up a management interface on this ethernet interface too. (Optionally there is a separate management interface. This server has 5 ethernet ports, 4 on the motherboard and 1 on the management card.)
== Operating system ==
* Debian 8
Using BTRFS now on the Seagate drive. Sort of just to be consistent with what is on [[Tern]] though this is not RAID 0. Just one drive.
I partitioned the Seagate this time, partition 1 could be a 50GB OS install, 2 is 50GB swap, and 3 is data (/green)
fstab
<pre>
bellman:~$ inxi -Fx
System:
  Host: bellman Kernel: 6.1.0-21-amd64 arch: x86_64 bits: 64 compiler: gcc v: 12.2.0
    Console: pty pts/0 Distro: Debian GNU/Linux 12 (bookworm)
Machine:
  Type: Mini-pc System: Intel Client Systems product: NUC10i5FNH v: K61160-303
    serial: <superuser required>
  Mobo: Intel model: NUC10i5FNB v: K61361-303 serial: <superuser required> UEFI: Intel
    v: FNCML357.0038.2020.0131.1422 date: 01/31/2020
CPU:
  Info: quad core model: Intel Core i5-10210U bits: 64 type: MT MCP arch: Comet/Whiskey Lake
    note: check rev: C cache: L1: 256 KiB L2: 1024 KiB L3: 6 MiB
  Speed (MHz): avg: 500 high: 800 min/max: 400/4200 cores: 1: 400 2: 400 3: 800 4: 800 5: 400
    6: 400 7: 400 8: 400 bogomips: 33599
  Flags: avx avx2 ht lm nx pae sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx
Graphics:
  Device-1: Intel CometLake-U GT2 [UHD Graphics] driver: i915 v: kernel arch: Gen-9.5
    bus-ID: 00:02.0
  Display: server: No display server data found. Headless machine? tty: 112x24
  API: OpenGL Message: GL data unavailable in console. Try -G --display
Audio:
  Device-1: Intel Comet Lake PCH-LP cAVS driver: snd_hda_intel v: kernel bus-ID: 00:1f.3
  API: ALSA v: k6.1.0-21-amd64 status: kernel-api
Network:
  Device-1: Intel Ethernet I219-V driver: e1000e v: kernel port: N/A bus-ID: 00:1f.6
  IF: eno1 state: up speed: 1000 Mbps duplex: full mac: 1c:69:7a:67:a9:76
  IF-ID-1: br-0deef3cf3b16 state: up speed: 10000 Mbps duplex: unknown mac: 02:42:ea:ed:30:4d
  IF-ID-2: br-1abc8acede4e state: down mac: 02:42:28:b1:11:35
  IF-ID-3: br-3596ed8c023f state: up speed: 10000 Mbps duplex: unknown mac: 02:42:ab:f9:d2:52
  IF-ID-4: br-3a14003316ab state: up speed: 10000 Mbps duplex: unknown mac: 02:42:96:9a:03:cb
  IF-ID-5: br-53d612b820e4 state: up speed: 10000 Mbps duplex: unknown mac: 02:42:64:bf:2f:5e
  IF-ID-6: br-76e52b16b02c state: down mac: 02:42:2d:12:cc:8a
  IF-ID-7: br-7f875566c220 state: down mac: 02:42:7e:19:cc:d8
  IF-ID-8: br-a2f5bc89e1f9 state: down mac: 02:42:ad:87:11:41
  IF-ID-9: br-d98f5362c5c1 state: up speed: 10000 Mbps duplex: unknown mac: 02:42:d2:91:ed:18
  IF-ID-10: docker0 state: down mac: 02:42:39:5e:2c:b4
  IF-ID-11: veth1b63b5b state: up speed: 10000 Mbps duplex: full mac: 32:8c:f1:c3:a3:3e
  IF-ID-12: veth20059e6 state: up speed: 10000 Mbps duplex: full mac: 96:b2:5e:72:41:4a
  IF-ID-13: veth3c22098 state: up speed: 10000 Mbps duplex: full mac: e6:d2:d6:4d:6e:2e
  IF-ID-14: veth70f35dd state: up speed: 10000 Mbps duplex: full mac: 8e:5d:2c:2d:dd:41
  IF-ID-15: veth71476e6 state: up speed: 10000 Mbps duplex: full mac: ee:7c:c8:f9:2f:36
  IF-ID-16: veth835c0e3 state: up speed: 10000 Mbps duplex: full mac: 12:aa:36:a2:26:c6
  IF-ID-17: veth838f419 state: up speed: 10000 Mbps duplex: full mac: 4a:7b:ad:1c:58:6a
  IF-ID-18: veth9c763bb state: up speed: 10000 Mbps duplex: full mac: 6e:60:7c:0b:ad:4e
  IF-ID-19: vethb2eb4bf state: up speed: 10000 Mbps duplex: full mac: 52:dd:e6:0d:e7:41
  IF-ID-20: vethbf1c6b9 state: up speed: 10000 Mbps duplex: full mac: fa:cb:12:b2:17:e8
  IF-ID-21: vethe236ee0 state: up speed: 10000 Mbps duplex: full mac: ea:4e:61:03:02:64
  IF-ID-22: vethe725186 state: up speed: 10000 Mbps duplex: full mac: a2:e3:35:fc:30:cc
  IF-ID-23: vethfa384da state: up speed: 10000 Mbps duplex: full mac: 42:48:c3:7f:c4:87
Bluetooth:
  Device-1: Intel AX201 Bluetooth type: USB driver: btusb v: 0.8 bus-ID: 1-10:2
  Report: rfkill ID: hci0 rfk-id: 0 state: down bt-service: not found rfk-block: hardware: no
    software: no address: see --recommends
Drives:
  Local Storage: total: 2.75 TiB used: 243.34 GiB (8.6%)
  ID-1: /dev/nvme0n1 vendor: TeamGroup model: TM8FPD001T size: 953.87 GiB temp: 30.9 C
  ID-2: /dev/sda type: USB vendor: Seagate model: ST2000DM 006-2DM164 size: 1.82 TiB
Partition:
  ID-1: / size: 952.41 GiB used: 124.27 GiB (13.0%) fs: btrfs dev: /dev/nvme0n1p2
  ID-2: /boot/efi size: 511 MiB used: 5.8 MiB (1.1%) fs: vfat dev: /dev/nvme0n1p1
Swap:
  ID-1: swap-1 type: partition size: 977 MiB used: 332.8 MiB (34.1%) dev: /dev/nvme0n1p3
Sensors:
  System Temperatures: cpu: 46.0 C pch: 42.0 C mobo: N/A
  Fan Speeds (RPM): N/A
Info:
  Processes: 324 Uptime: 104d 23h 33m Memory: 31.06 GiB used: 2.31 GiB (7.4%) Init: systemd
  target: graphical (5) Compilers: gcc: 12.2.0 Packages: 1191 Shell: Bash v: 5.2.15 inxi: 3.3.26
</pre>


=== Intel NUC edition, born 8/5/2020 ===
* [https://www.intel.com/content/www/us/en/products/sku/189239/intel-nuc-10-performance-kit-nuc10i5fnh/specifications.html Intel NUC10i5FNH] (Newegg 7/29/20)
** 4 core i5 CPU (hyperthreaded, 8 threads)
** WiFi (Intel Wi-Fi 6 AX201)
** Bluetooth 5.2
** IR sensor
** Thunderbolt 3 (USB-C)
** 7.1 HD Audio
** Digital mic array
* Kingston Technology Corp. HX429S17IBK2/32 '''32GB''' 2933MHZ DDR4 (2 16GB SODIMM) (Newegg 7/29/20) Note, MAX is 64GB
* Team Group MP33 PRO M.2 2280 '''1TB''' S/N TPBF2308210070300362 5 year warranty (Newegg 11/23)
* '''REPLACED 11/23''' - WD Black '''512GB''' Performance SSD - M.2 2280 PCIe NVMe Solid State Drive - WDS512G1X0C (moved from Supermicro)
* '''REMOVED --''' Corsair Neutron at /workspace '''240GB''' /dev/sda s/n 124479060000190702E2
It has GEN3 PCIe which means this WD Black NVME is about as fast as it will ever get.

==== Audio ====

I note that it says it has a microphone array, and that appears to show up in dmesg so I guess it's true?
This might mean I need to move the computer up someplace where it can listen to me?

It says it has a DSP too.

=== Supermicro version, deceased 7/29/20 ===

Local copy of motherboard manual [[File:SuperMicro_SYS5018A.pdf]]

Audio output: NuForce UDAC 2

Newegg 03/26/2019 2 Noctua 40mm x 20mm system fans <br />
Newegg 09/03/2017 Inv 153021116 <br />
Newegg 10/16/2016 Inv 143374043 <br />
Newegg 11/21/2014 Inv 120335149 <br />

* [https://www.supermicro.com/products/system/1U/5018/SYS-5018A-FTN4.cfm SUPERMICRO SYS-5018A-FTN4 1U Rackmount Server Barebone FCBGA 1283 DDR3 1600/1333]
* SUPERMICRO MCP-220-00051-0N Single 2.5" Fixed HDD Mounting Bracket
* 4 x Kingston 8GB 204-Pin DDR3 SO-DIMM ECC Unbuffered DDR3 1600 (PC3 12800) Server Memory Model KVR16LSE11 (3 added 2017-09-07)
* sda = Samsung SSD 840 EVO 750GB
* sdb = Seagate Archive 8TB (Installed 3/18/18, purchased 9/03/17)
* WD Black 512GB Performance SSD - M.2 2280 PCIe NVMe Solid State Drive - WDS512G1X0C (moved from [[Murre]])

eth0 00:25:90:F7:37:72

=== Printing ===

Canon MX330 "All in one" -- CUPS finds and sets it up if you plug it in and power it on.

This is my current /etc/cups/printers.conf
<pre>
# Written by cupsd
# DO NOT EDIT THIS FILE WHEN CUPSD IS RUNNING
<Printer Brother_HL-2140_series>
UUID urn:uuid:24067d9a-1b41-370d-5ecf-dbb408aaa659
Info Brother HL-2140 series
Location Electronic Chronometry Laboratory
MakeModel Brother HL-2140 Foomatic/hl1250
DeviceURI usb://Brother/HL-2140%20series?serial=J8J894840
State Idle
StateTime 1388723199
Type 8433668
Accepting Yes
Shared Yes
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy stop-printer
</Printer>
<Printer MX330-series>
UUID urn:uuid:54a86dc0-0994-37af-7d65-f084999a7307
Info Canon MX330 series
Location Electronic Chronometry Laboratory
MakeModel Canon PIXMA MX330 - CUPS+Gutenprint v5.2.9
DeviceURI usb://Canon/MX330%20series?serial=22F601&interface=1
State Idle
StateTime 1388637781
Type 4
Accepting Yes
Shared Yes
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy retry-job
</Printer>
</pre>

== Software ==

'''Media server:''' it hosts my music collection. I keep the files in MP3 format, having transferred them from my CD's using grip. [[Music collection]]

'''File server:''' I keep my home directory here and NFS mount it on the desktop machine [[Raven]]. I removed Samba when upgrading to Stretch, I was not using it.

I edit files with '''emacs23'''

== Spin down the Seagate drive ==

To reduce wear on the spinning hard drive,
I am setting "apm" down to 127 (default is 254) so that it can spin down the drive.
I use the server mostly for ownCloud and media storage so it can go to sleep at night and during long breaks
this should make it last longer.

<pre>
smartctl -s apm,127 /dev/sdb
=== START OF ENABLE/DISABLE COMMANDS SECTION ===
APM set to level 127 (intermediate level with standby)
</pre>
 
smartctl -A /dev/sdb
<pre>
=== START OF READ SMART DATA SECTION ===
SMART Attributes Data Structure revision number: 10
Vendor Specific SMART Attributes with Thresholds:
ID# ATTRIBUTE_NAME          FLAG    VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  1 Raw_Read_Error_Rate    0x000f  115  100  006    Pre-fail  Always      -      92858576
  3 Spin_Up_Time            0x0003  095  094  000    Pre-fail  Always      -      0
  4 Start_Stop_Count        0x0032  100  100  020    Old_age  Always      -      32
  5 Reallocated_Sector_Ct  0x0033  100  100  010    Pre-fail  Always      -      0
  7 Seek_Error_Rate        0x000f  100  253  030    Pre-fail  Always      -      149013
  9 Power_On_Hours          0x0032  100  100  000    Old_age  Always      -      619
10 Spin_Retry_Count        0x0013  100  100  097    Pre-fail  Always      -      0
12 Power_Cycle_Count      0x0032  100  100  020    Old_age  Always      -      32
183 Runtime_Bad_Block      0x0032  100  100  000    Old_age  Always      -      0
184 End-to-End_Error        0x0032  100  100  099    Old_age  Always      -      0
187 Reported_Uncorrect      0x0032  100  100  000    Old_age  Always      -      0
188 Command_Timeout        0x0032  100  100  000    Old_age  Always      -      0
189 High_Fly_Writes        0x003a  100  100  000    Old_age  Always      -      0
190 Airflow_Temperature_Cel 0x0022  065  056  045    Old_age  Always      -      35 (Min/Max 19/35)
191 G-Sense_Error_Rate      0x0032  100  100  000    Old_age  Always      -      0
192 Power-Off_Retract_Count 0x0032  100  100  000    Old_age  Always      -      2
193 Load_Cycle_Count        0x0032  100  100  000    Old_age  Always      -      67
194 Temperature_Celsius    0x0022  035  044  000    Old_age  Always      -      35 (0 17 0 0 0)
197 Current_Pending_Sector  0x0012  100  100  000    Old_age  Always      -      0
198 Offline_Uncorrectable  0x0010  100  100  000    Old_age  Offline      -      0
199 UDMA_CRC_Error_Count    0x003e  200  200  000    Old_age  Always      -      0
240 Head_Flying_Hours      0x0000  100  253  000    Old_age  Offline      -      619 (178 156 0)
241 Total_LBAs_Written      0x0000  100  253  000    Old_age  Offline      -      1169083792
242 Total_LBAs_Read        0x0000  100  253  000    Old_age  Offline      -      156038821
</pre>
 
== Automatic boot ==
 
I know it's possible to get this system to boot every day at a specific time because it's set to do that right now.
I cannot find the setting! It's not in BIOS anywhere that I can see and I can't find in ipmitool either.
 
Sometimes I shut Bellman down at night, but it needs to boot in the morning before we get up
so that the Logitech radio will work. The way to set it is NOT from BIOS, there is no user interface there.
It's not from the [http://192.168.1.3 IPMI web page] either.
 
Maybe it's in here http://www.accuratesolution.net/asd/resume.htm
 
== IPMI ==
 
Tips from Oracle: http://docs.oracle.com/cd/E19464-01/820-6850-11/IPMItool.html
 
Using ipmitool you can connect remotely so if the system is off you can turn it on.
This means I could just script the turn on from another server...
 
ipmitool -H 192.168.1.3 -U ADMIN -P '''password''' chassis status
System Power        : off
Power Overload      : false
Power Interlock      : inactive
Main Power Fault    : false
Power Control Fault  : false
Power Restore Policy : always-off
Last Power Event    :
Chassis Intrusion    : inactive
Front-Panel Lockout  : inactive
Drive Fault          : false
Cooling/Fan Fault    : false
 
=== Read environmental sensors ===
 
ipmitool -I lanplus  -H 192.168.1.3 -P '''password''' -U ADMIN sdr elist full
<pre>
CPU Temp        | 01h | lnr |  3.1 | 36 degrees C
System Temp      | 0Bh | ok  |  7.1 | 33 degrees C
Peripheral Temp  | 0Ch | ok  |  7.2 | 34 degrees C
DIMMA1 Temp      | B0h | ok  | 32.64 | 29 degrees C
DIMMA2 Temp      | B1h | ns  | 32.65 | No Reading
DIMMB1 Temp      | B4h | ns  | 32.68 | No Reading
DIMMB2 Temp      | B5h | ns  | 32.69 | No Reading
FAN1            | 41h | ok  | 29.1 | 3200 RPM
FAN2            | 42h | ns  | 29.2 | No Reading
FAN3            | 43h | ns  | 29.3 | No Reading
VCCP            | 20h | ok  |  3.2 | 0.82 Volts
VDIMM            | 24h | ok  | 32.1 | 1.33 Volts
12V              | 30h | ok  |  7.17 | 12.32 Volts
5VCC            | 31h | ok  |  7.33 | 4.95 Volts
3.3VCC          | 32h | ok  |  7.32 | 3.30 Volts
VBAT            | 33h | ok  |  7.18 | 2.97 Volts
5V Dual          | 37h | ok  |  7.15 | 4.95 Volts
3.3V AUX        | 38h | ok  |  7.12 | 3.28 Volts
Chassis Intru    | AAh | ok  | 23.1 |
</pre>
 
=== System event log (SEL) ===
 
ipmitool -I lanplus  -H 192.168.1.3 -P '''password''' -U ADMIN sel list last 10
<pre>
  43 |  Pre-Init  |0004692099| Unknown #0xff |  | Asserted
  44 |  Pre-Init  |0004692100| Unknown #0xff |  | Asserted
  45 |  Pre-Init  |0004692106| Unknown #0xff |  | Asserted
  46 |  Pre-Init  |0004692108| Unknown #0xff |  | Asserted
  47 |  Pre-Init  |0004692109| Unknown #0xff |  | Asserted
  48 |  Pre-Init  |0004692110| Unknown #0xff |  | Asserted
  49 |  Pre-Init  |0004692116| Unknown #0xff |  | Asserted
  4a |  Pre-Init  |0004692118| Unknown #0xff |  | Asserted
  4b |  Pre-Init  |0004692119| Unknown #0xff |  | Asserted
  4c |  Pre-Init  |0004692120| Unknown #0xff |  | Asserted
</pre>
 
== Backups ==

I am about to try [[Using Bacula for backups]]

[[Category: Don't Panic!]]
[[Category: System Administration]]
[[Category: Computers]]

Latest revision as of 22:23, 24 November 2024

Bellman is a very small Linux server. Currently its primary job is to run Docker containers.

"What's the good of Mercator's North Poles and Equators,
Tropics, Zones, and Meridian Lines?"
So the Bellman would cry: and the crew would reply
"They are merely conventional signs!"
--Lewis Carroll, The Hunting of the Snark

todo

complete backups (see section below)

8/5/20 There is a partial rsync of Supermicro Bellman on Wenda in ~bwilson/bellman.

Stupid AppArmor complaint

I finally fixed the error that was being logged once per minute endlessly,

[192526.044351] audit: type=1400 audit(1649031318.465:3607): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/snap/bin/" pid=845699 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

I put this in /etc/apparmor.d/local/usr.sbin.ntpd

 /snap/bin/ r,

then I did this and checked for errors. I deleted /etc/apparmor.d/disable/usr.sbin.rsyslogd to eliminate a whine

systemctl reload apparmor.service
systemctl status apparmor.service
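To turn a flood of identical denials like the one above into a single reviewed rule, here is an added Python helper (not part of this page or of AppArmor's own tooling): it parses the key=value fields of apparmor="DENIED" audit lines, maps the profile name to the local override file in the layout used above (/usr/sbin/ntpd becomes /etc/apparmor.d/local/usr.sbin.ntpd), proposes the file rule the denied mask asks for, and counts how often each proposal occurs so a once-a-minute message collapses to one line. The sample line is a constructed copy of the one quoted above; the mapping of the create and delete masks to w is the standard AppArmor convention. The decision whether ntpd should actually read /snap/bin/ stays with you; the helper only proposes.

```python
import re
from collections import Counter

# Constructed sample: the same shape as the kernel audit line quoted above.
SAMPLE_DENIAL = (
    '[192526.044351] audit: type=1400 audit(1649031318.465:3607): apparmor="DENIED" '
    'operation="open" profile="/usr/sbin/ntpd" name="/snap/bin/" pid=845699 '
    'comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'
)

# key=value pairs; values are either double-quoted or bare tokens.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Audit masks that appear in denied_mask but are spelled differently in policy:
# create (c) and delete (d) are covered by the write (w) permission.
MASK_MAP = {"c": "w", "d": "w"}


def parse_denial(line):
    """Return the key/value fields of an apparmor="DENIED" line, or None for anything else."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def local_override_path(profile):
    """/usr/sbin/ntpd -> /etc/apparmor.d/local/usr.sbin.ntpd (the layout this page uses)."""
    return "/etc/apparmor.d/local/" + profile.lstrip("/").replace("/", ".")


def suggest_rule(fields):
    """Translate one file-access denial into (override file, rule line); None if not a file rule."""
    name = fields.get("name", "")
    profile = fields.get("profile")
    mask = fields.get("denied_mask") or fields.get("requested_mask", "")
    if not profile or not name.startswith("/") or not mask:
        return None
    perms = "".join(dict.fromkeys(MASK_MAP.get(c, c) for c in mask))  # dedupe, keep order
    return local_override_path(profile), f"{name} {perms},"


def summarize(lines):
    """Count identical suggestions across many log lines (a once-a-minute denial is one rule)."""
    counts = Counter()
    for line in lines:
        fields = parse_denial(line)
        if not fields:
            continue
        suggestion = suggest_rule(fields)
        if suggestion:
            counts[suggestion] += 1
    return dict(counts)


if __name__ == "__main__":
    import sys
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else [SAMPLE_DENIAL] * 3
    for (path, rule), n in sorted(summarize(lines).items()):
        print(f"{n:6d}x  {path}: {rule}")
```

Feed it <code>journalctl -k</code> or dmesg output on stdin. After adding a rule to the local file, reload with <code>systemctl reload apparmor.service</code> as above and confirm the log goes quiet.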


Audio notes

For a few months Bellman lived in my structured media panel. Now he and Wenda are back in the lab again where they can be on a UPS.

Bellman is powered on all the time so it should look like this,

Murre line out => line in Bellman line out => Speakers

But there is no line out on Bellman. I have a single headphone jack for an audio connector. So much for that idea.

Streaming audio to speakers connected directly.

  1. Test bellman audio.
    1. Output to speakers, set up alsamixer and play a file and see if sound comes out.
       • play /usr/share/sounds/sound-icons/violoncello-7.wav
    2. Input from microphone array

They say there is one?

In the old Supermicro days, it was possible to route the audio through Bellman via this magic command from https://askubuntu.com/questions/211136/get-the-audio-from-line-in-to-output-to-the-speaker

#manually start the module-loopback
pactl load-module module-loopback
#configure your system to load module-loopback on startup
#this places load-module module-loopback at the end of
#the /etc/pulse/default.pa pulseaudio configuration file.
sudo sh -c ' echo "load-module module-loopback" >>  /etc/pulse/default.pa '

Now sound can pass through. Since Bellman is always running, he gets to be connected directly to the speakers. This command will not work without a display,

pavucontrol

Streaming audio to another sink

How can I route audio from Docker containers to a speaker somewhere else in the house? I want the Pi Zero living in the kitchen to accept a stream over WiFi. https://bbs.archlinux.org/viewtopic.php?id=136474

Software

  • 2023-11-30 Debian 12 "Bookworm"
  • 202? Ubuntu Server 20.04 LTS ("focal"), upgraded to 22.04 LTS ("jammy")

apt packages

This is a list of things added after a basic installation of Ubuntu. The goal this time out is to put every service into a Docker container, so the list of added packages is minimal.

autofs
emacs-nox fail2ban mlocate 
net-tools
nfs-common (needed to mount synology volumes locally, notably /green/music)
lm-sensors (use "sensors-detect" to config and "sensors" to read core temperatures)
rsync sudo

Left over from Ubuntu Bellman

pulseaudio pulseaudio-utils avahi-daemon
pavumeter pavucontrol ubuntu-sounds
timeshift

additional software

Not installed from the standard Debian repositories

Conda - Miniconda3 is installed in my home directory.

Docker: https://docs.docker.com/engine/install/debian/ Remember to add your account to the docker group.

Disable IPV6

Create this file, then reload sysctl

root@bellman:/etc/sysctl.d# cat 10-disable_ipv6.conf
# 2024-11-24
# Disabling the IPv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.wlan0.disable_ipv6 = 1

sysctl --system

Check with ip addr command, look for ipv6 addresses. They should be gone.

Firewall

This is all different under Ubuntu. Hmm.

See https://blog.daknob.net/debian-firewall-docker/ for ideas.

I use my own bash script to load iptables rules. See /usr/local/bin, /etc/network, and /var/lib/vastra.

Email

I gave up on Dockerizing this for now. Ubuntu wisely switched from exim4 to postfix at Jammy.

But Bellman is currently running exim4 so anyways I set it up as a smarthost https://askubuntu.com/questions/167043/how-do-i-configure-exim4-to-send-mail-through-a-password-protected-ssl-smtp-mail using Porkbun. https://kb.porkbun.com/article/146-email-client-configuration-settings


I had to change the exim4 config with dpkg-reconfigure exim4-config followed by update-exim4.conf and systemctl restart exim4

I had to login to porkbun in /etc/exim4/passwd.client

I had to rewrite the sender in /etc/exim4/conf.d/rewrite/00_exim4-config_header like this

^[email protected] [email protected] SFfrs

Printing

The Brother printer is currently connected to Wenda, not Bellman. When it was connected to Bellman, I found the Linux drivers for my HL-L2320D printer didn't work, so I set up a raw driver on Bellman and then used the appropriate driver (manually selected) on client computers. It works fine.

Allow remote access

cupsctl --remote-admin --remote-any --share-printers

I also had to edit and add to /etc/cups/cupsd.conf

HostNameLookups on

and then

systemctl restart cups

NFS mounts

The Synology is automounted via the autofs package on /net/wenda/volume1/*. I had to uncomment the /net line in /etc/auto.master to enable this.

Backups

Strategy -- back up to one of three USB drives. Keep one offsite, someplace?

borgjs setup

See ~bwilson/Backups/README.md. Output goes to an attached USB drive.

First time out, you must initialize the repository.

fdisk /dev/sdb
mkfs.btrfs /dev/sdb1
mount /dev/sdb1 /media/Backups
borg init -e none /media/Backups

I opt for no encryption when going to an attached hard drive.

See https://github.com/vesparny/borgjs

My system is not smart enough yet to mount the drives itself, so when I swap them out I have to do a mount operation (first make sure you have the right device).

mount /dev/sdb1 /media/Backups

I tried putting it in a Docker and gave up. It's installed on Bellman directly. The docker seemed to run and never terminate, which is disturbing. How can I check the status? I wrote a script for that; run "./check_status.sh". But the script does not need docker.
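Since a stray mkfs or mount on the wrong /dev/sdX is the easiest way to lose a backup drive, here is an added Python helper (not from this page or from borg) that picks the device by filesystem label instead of by drive letter: it parses <code>blkid</code> output, requires both LABEL and TYPE to match, refuses to guess when two drives carry the same label, and returns the mount argv. It assumes the rotating backup drives were labelled, for example with <code>mkfs.btrfs -L Backups</code> at initialization time, which the steps above do not do; the blkid output embedded here is constructed and its UUIDs are made up.

```python
import re
import subprocess

# Constructed `blkid` output; the UUIDs are made up. Assumes the backup filesystem was
# given the label "Backups" (e.g. `mkfs.btrfs -L Backups`), which this page does not do.
SAMPLE_BLKID = """\
/dev/nvme0n1p1: UUID="1A2B-3C4D" BLOCK_SIZE="512" TYPE="vfat" PARTUUID="0f1e2d3c-01"
/dev/nvme0n1p2: UUID="6d8c0c2e-4b2a-4c3d-9e1f-0a1b2c3d4e5f" BLOCK_SIZE="4096" TYPE="btrfs" PARTUUID="0f1e2d3c-02"
/dev/sda1: LABEL="Scratch" UUID="7e9d1b3a-1111-2222-3333-444455556666" BLOCK_SIZE="4096" TYPE="ext4"
/dev/sdb1: LABEL="Backups" UUID="b4c3d2e1-aaaa-bbbb-cccc-ddddeeeeffff" BLOCK_SIZE="4096" TYPE="btrfs"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_blkid(text):
    """Return {device: {KEY: value}} from `blkid` output."""
    devices = {}
    for line in text.splitlines():
        dev, sep, rest = line.partition(":")
        if not sep or not dev.startswith("/dev/"):
            continue
        devices[dev] = dict(KV_RE.findall(rest))
    return devices


def find_backup_device(devices, label="Backups", fstype="btrfs"):
    """Pick the one partition carrying the label and filesystem type; refuse ambiguity."""
    matches = [d for d, kv in devices.items()
               if kv.get("LABEL") == label and kv.get("TYPE") == fstype]
    if len(matches) > 1:
        raise ValueError(f"more than one {fstype} filesystem labelled {label!r}: {matches}")
    return matches[0] if matches else None


def mount_command(devices, mountpoint="/media/Backups", **kw):
    """Build the mount argv, or None when no suitable drive is plugged in."""
    dev = find_backup_device(devices, **kw)
    return ["mount", dev, mountpoint] if dev else None


if __name__ == "__main__":
    # blkid needs root to enumerate every device.
    out = subprocess.run(["blkid"], capture_output=True, text=True).stdout
    cmd = mount_command(parse_blkid(out))
    print(" ".join(cmd) if cmd else "no backup drive found")
```

If you want less checking, plain <code>mount LABEL=Backups /media/Backups</code> does the label lookup by itself; the script's added value is the ambiguity check and the TYPE test, so a scratch drive that happens to be plugged in can never be mistaken for the backup target.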

Recovery

If I can't recover a file from a backup, I need to find a different strategy.

Today I pretend I want just one file, so I do this: list the backups and pick one, mount it, copy.

sudo borg list /media/Backups
sudo borg mount /media/Backups::20240822-125406 /mnt

Don't forget when you are done to unmount.

sudo umount /mnt

Home Assistant backups

2023-1-1 working

Nightly backup of sqlite3 databases and loose files in config directory, to /net/wenda/volume1/Wildsong/Backups/home-assistant/

BBR congestion

See https://www.cyberciti.biz/cloud-computing/increase-your-linux-server-internet-speed-with-tcp-bbr-congestion-control/ for example.

Is kernel ready?

uname -a
Linux bellman 4.9.0-3-amd64 #1 SMP Debian 4.9.30-2+deb9u2 (2017-06-26) x86_64 GNU/Linux
grep 'CONFIG_TCP_CONG_BBR' /boot/config-$(uname -r)
grep 'CONFIG_NET_SCH_FQ' /boot/config-$(uname -r)
egrep 'CONFIG_TCP_CONG_BBR|CONFIG_NET_SCH_FQ' /boot/config-$(uname -r)

sudo -s 
cat > /etc/sysctl.d/10-custom-kernel-bbr.conf <<EOF
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr
EOF

'''sysctl --system'''
* Applying /etc/sysctl.d/10-custom-kernel-bbr.conf ...
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr
* Applying /etc/sysctl.d/30-postgresql-shm.conf ...
* Applying /etc/sysctl.d/99-sysctl.conf ...
net.ipv4.ip_forward = 1
* Applying /etc/sysctl.d/asterisk.conf ...
kernel.core_uses_pid = 1
kernel.core_pattern = /tmp/core-%e-%s-%u-%g-%p-%t
fs.suid_dumpable = 2
* Applying /etc/sysctl.conf ...
net.ipv4.ip_forward = 1

That's that.
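The two drop-ins on this page (10-disable_ipv6.conf under Disable IPV6, and 10-custom-kernel-bbr.conf here) are the kind of setting that silently stops matching the running kernel after an upgrade, or when a later-sorted file repeats a key. This added Python drift check is not from the page or from procps: it parses sysctl.conf syntax (comments, optional spaces around =, the leading - that suppresses errors), merges *.conf files in the lexical order <code>sysctl --system</code> applies within a directory, reads the live values from /proc/sys, and reports any key whose running value differs. The two embedded files are constructed copies of the ones shown on this page.

```python
import os
from pathlib import Path

# Constructed copies of the two drop-in files described on this page.
IPV6_CONF = """\
# 2024-11-24
# Disabling the IPv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.wlan0.disable_ipv6 = 1
"""
BBR_CONF = """\
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr
"""


def parse_sysctl_conf(text):
    """Parse one sysctl.conf-style file into {key: value}; comments and blank lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lstrip("-")  # a leading '-' tells sysctl to ignore errors for that key
        settings[key.replace("/", ".")] = value.strip()
    return settings


def merge_fragments(fragments):
    """fragments: iterable of (filename, text). Later names in lexical order win,
    which is the precedence `sysctl --system` applies within one directory."""
    merged = {}
    for _, text in sorted(fragments, key=lambda ft: ft[0]):
        merged.update(parse_sysctl_conf(text))
    return merged


def load_sysctl_dir(directory="/etc/sysctl.d"):
    """Read every *.conf in a directory on the real host."""
    p = Path(directory)
    return merge_fragments((f.name, f.read_text()) for f in p.glob("*.conf"))


def read_running(keys, procfs="/proc/sys"):
    """Read the live kernel values for `keys` (dots become path separators under /proc/sys)."""
    running = {}
    for key in keys:
        path = os.path.join(procfs, *key.split("."))
        try:
            with open(path) as fh:
                running[key] = fh.read().strip()
        except OSError:
            running[key] = None  # interface absent (e.g. no wlan0) or key unknown to this kernel
    return running


def drift(expected, running):
    """Return [(key, expected, actual)] for every configured value the kernel is not using."""
    return [(k, v, running.get(k)) for k, v in sorted(expected.items()) if running.get(k) != v]


if __name__ == "__main__":
    expected = load_sysctl_dir()
    for key, want, have in drift(expected, read_running(expected)):
        print(f"{key}: configured {want!r}, running {have!r}")
```

A key reported with a running value of None either does not exist on this kernel or names an interface that is absent; <code>sysctl --system</code> prints an error for those at boot and then moves on, and this check makes the gap visible afterwards. It complements the <code>ip addr</code> check in the Disable IPV6 section rather than replacing it.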

Services that run here

  • git moved to Synology Wenda (see Running my own git server)
  • Brother printer moved to Wenda
  • gpsd: well, not in Astoria, not yet anyway. :-(
  • ssh to allow remote access
  • fail2ban to cut off break in attempts via ssh

DNS

I tried to get dnsmasq to happily live in a container and failed (it would not come back up on reboots.) So dnsmasq runs on the host.

Network syslog

To allow devices such as Grandstream GXV3240 phones to spit out logging information, I enable rsyslog reception from remote hosts. In /etc/rsyslog.conf you must uncomment 2 lines and restart rsyslogd:

# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

Services in Docker containers

/etc/docker/daemon.json looks like this

{
   "data-root": "/var/lib/docker",
   "storage-driver": "overlay2",
   "dns" : ["127.0.0.11", "1.0.0.1", "1.1.1.1"],
   "dns-search":["wildsong.biz"]
}
service          containers                           notes
Home Assistant   home-assistant, node red, mosquitto  Compose
Proxy            proxy, letsencrypt                   Stack
Squeezebox       squeezebox                           compose; Squeezebox server (SqueezeBox). See Streaming media for installation notes.
Traccar          traccar and mysql                    Stack
Unifi                                                 Stack
$ docker stack ls
NAME                SERVICES            ORCHESTRATOR
dnsmasq             1                   Swarm
proxy               3                   Swarm
traccar             2                   Swarm

See also: Asterisk in Docker, geoserver, Vault and others...

History

2023-11 Replaced NVME with a new one and installed Debian 12 (Bookworm).

2022-03-02 Installed Docker from the Docker repo per https://docs.docker.com/engine/install/ubuntu/#install-using-the-repository so I can use buildx now.

2020-12-03 Installed exim4 and configured to use Sendgrid.

2020-12-01 Moved dnsmasq from Docker container to host, it just was not restarting properly when I rebooted and that would take my entire network offline.

2020-10-18 Moved from garage to structured media panel.

2020-08-05 Intel NUC edition hardware arrived. Installed Ubuntu Server 20.04.1 LTS.

2020-07-29 Bellman, Supermicro edition completely went dark. I set up Tern as a temporary replacement and ordered an Intel NUC.

2020-01-20 - started generating errors: NMI: IOCK error (debug interrupt?) for reason 61 on CPU 0. Then it would not restart. I ended up replacing the CR2032 (did not help) and then reseating the connectors. Fixed. This system is getting long in the tooth.

2019-10-04 - fix for networking, applied on Dart too.

update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy

2019-10-03 - Upgraded to Debian Buster (10) and this broke Docker because of the move from iptables to nftables. Must fix ASAP. All Dockers are broken. How dismaying. Repeat after me: "It's only a hobby."

2019-05-09 - Added docker-compose for elasticsearch and per recommendations of ElasticSearch docker docs, changed vm.max_map_count; it was 65530 and I set it: sysctl -w vm.max_map_count=262144

2019-04-26 - Moving NVMe WDC Black drive from Murre to Bellman.

2018-03-20 - Installed 8TB Archive drive, for TimeMachine and Owncloud storage. Moved from 120GB SSD to 750GB Samsung Evo 840. Installed clean copy of Stretch on the SSD.

2017-09-06 - Upgrade to 32GB RAM, yay! I need to do something with all that space. I did move /tmp to RAM; see SSD optimizations. I also removed a lot of dead code including lightdm (how'd that get in there?)

bellman:~$ free
              total        used        free      shared  buff/cache   available
Mem:       32937080     2287376    27811208       25700     2838496    30153064


2017-08-25 - Migrated mariadb and owncloud to Docker

2017-07-25 - Migrated logitech media server to Docker

2017-07-25 - Upgraded to Debian 9 (Stretch)

2016-10-16 - Seeing disk errors in the WDC. It's 6 years old! REPLACE!!! Installed new Seagate Barracuda ST2000DM006 2TB $70 10-26-16 Added a fan in the hard drive section of the case, too.

2016-01-26 - Installed VirtualBox 5.0.14 and Vagrant 1.8.1 (from DEB files, repos are too old) and started migration of services.

2015-12-?? - Moved to hardware formerly used for Vastra2

2015-07-10 - Added lm-sensors and added temperature tracking to Cacti.

2015-07-01 - Replaced APC UPS with Cyberpower. Installed monitoring software.

2015-06-19 - reconnected the MX330 printer and shared it.

2015-06-18 - upgraded to Debian 8 Jessie

2013-12-29 - returned from X-Mas and discovered Bellman won't boot. Snarks about a degraded RAID. Darn.

2013 Mar - Installed Linux Mint 14 so that I could use Makerware with my new Replicator 2

2013 Jan - Seagate Barracuda 2TB Green drive died. ST2000DL003 S/N 5YD77CTE Replaced with a Barracuda 2TB mirror

2011 Dec - Been doing PostGIS experiments so I upgraded the hardware.

2010 Jan - I just started this section but I have had this machine online for at least a couple years now.

2015-06-19 back up

Note this includes /home but not /green.

cd /
tar --one-file-system czvf /mnt/bellman_root.tar.gz .

2013-12-29 Rescue from boot fail

I no longer need a desktop environment on the small server, because I moved my main desktop next to the 3D printer, so I put Debian back on the server again. Now I am going to try a Debian rescue image.

Diagnosis

Step 1. Build rescue thumbdrive. Download from http://debian.osuosl.org/ and copy image to thumbdrive

sudo cp debian-live-7.2-amd64-rescue.iso /dev/sdX
sudo sync
sudo eject /dev/sdX

where X is the appropriate drive letter, do NOT use the wrong letter!

Step 2. Boot Bellman with the thumb drive

Step 3. Look around

Using hdparm -i

  • sda Vertex SSD S/N OCZ-9UDI676M56Z4IR8P
  • sdb Seagate 2TB ST2000DM001-9YN164 S/N Z240BVP5
  • sdc Seagate 2TB ST2000DM001-9YN164 S/N Z240A0H1
  • sdd rescue drive
# fdisk -l /dev/sda

Disk /dev/sda: 120.0 GB, 120034123776 bytes
255 heads, 63 sectors/track, 14593 cylinders, total 234441648 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x0009c7c9

  Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *        2048   218460159   109229056   83  Linux
/dev/sda2       218462206   234440703     7989249    5  Extended
/dev/sda5       218462208   234440703     7989248   82  Linux swap / Solaris

sdb and sdc don't have partition tables as they are used in a RAID (see 2013 Jan entry)

See LVM page

cat /proc/mdstat 
Personalities : [raid1] 
md126 : active raid1 sda[1]
      117218240 blocks [2/1] [_U]
      
md127 : active raid1 sdb[0] sdc[1]
      1953514496 blocks [2/2] [UU]
      
unused devices: <none>
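The diagnosis here reads /proc/mdstat by eye to spot the [_U]. This added Python check (not part of the page or of mdadm) does the same thing mechanically so it can run from cron or a monitoring probe: it parses each mdN line for state, level and members, picks up the [wanted/active] counts and the U/_ slot map from the following line, and lists every array that is missing a member, has a member flagged (F), or is not active. The embedded sample is a constructed copy of the listing above.

```python
import re

# Constructed copy of the /proc/mdstat shown above (one degraded mirror, one healthy).
SAMPLE_MDSTAT = """\
Personalities : [raid1]
md126 : active raid1 sda[1]
      117218240 blocks [2/1] [_U]

md127 : active raid1 sdb[0] sdc[1]
      1953514496 blocks [2/2] [UU]

unused devices: <none>
"""

ARRAY_RE = re.compile(r"^(md\d+)\s*:\s*(\w+)\s+(.*)$")          # md126 : active raid1 sda[1]
STATUS_RE = re.compile(r"\[(\d+)/(\d+)\]\s+\[([U_]+)\]")         # [2/1] [_U]
MEMBER_RE = re.compile(r"^(\w+)\[(\d+)\](\([A-Z]\))?$")          # sda[1], sdb[0](F)


def parse_mdstat(text):
    """Return {array: {state, level, members, faulty, wanted, active, slots}}."""
    arrays, current = {}, None
    for line in text.splitlines():
        m = ARRAY_RE.match(line)
        if m:
            current = m.group(1)
            # Drop parenthesised qualifiers such as "(auto-read-only)" before the level.
            tokens = [t for t in m.group(3).split() if not t.startswith("(")]
            level = tokens.pop(0) if tokens and not MEMBER_RE.match(tokens[0]) else None
            members, faulty = [], []
            for tok in tokens:
                mm = MEMBER_RE.match(tok)
                if not mm:
                    continue
                members.append(mm.group(1))
                if mm.group(3) == "(F)":
                    faulty.append(mm.group(1))
            arrays[current] = {"state": m.group(2), "level": level, "members": members,
                               "faulty": faulty, "wanted": None, "active": None, "slots": None}
            continue
        s = STATUS_RE.search(line)
        if s and current:
            arrays[current].update(wanted=int(s.group(1)), active=int(s.group(2)), slots=s.group(3))
    return arrays


def degraded_arrays(arrays):
    """Names of arrays that are missing members, hold faulty ones, or are not active."""
    bad = []
    for name, a in arrays.items():
        missing = a["slots"] is not None and "_" in a["slots"]
        if missing or a["faulty"] or a["state"] != "active":
            bad.append(name)
    return sorted(bad)


def check_mdstat(text):
    """Parse and evaluate in one call."""
    return degraded_arrays(parse_mdstat(text))


if __name__ == "__main__":
    with open("/proc/mdstat") as fh:
        bad = check_mdstat(fh.read())
    print("degraded: " + ", ".join(bad) if bad else "all arrays healthy")
```

On the listing above it reports md126 only, which is the array the conclusion below identifies as the broken one.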

mdadm --detail /dev/md126
/dev/md126:
        Version : 0.90
  Creation Time : Thu Feb 21 06:23:36 2013
     Raid Level : raid1
     Array Size : 117218240 (111.79 GiB 120.03 GB)
  Used Dev Size : 117218240 (111.79 GiB 120.03 GB)
   Raid Devices : 2
  Total Devices : 1
Preferred Minor : 126
    Persistence : Superblock is persistent

    Update Time : Thu Feb 21 06:30:49 2013
          State : clean, degraded 
 Active Devices : 1
Working Devices : 1
 Failed Devices : 0
  Spare Devices : 0

           UUID : 9f48e120:81a0f612:edd8d016:611227ea
         Events : 0.12

    Number   Major   Minor   RaidDevice State
       0       0        0        0      removed
       1       8        0        1      active sync   /dev/sda

mdadm --detail /dev/md127
/dev/md127:
        Version : 0.90
  Creation Time : Mon Jan  7 04:12:45 2013
     Raid Level : raid1
     Array Size : 1953514496 (1863.02 GiB 2000.40 GB)
  Used Dev Size : 1953514496 (1863.02 GiB 2000.40 GB)
   Raid Devices : 2
  Total Devices : 2
Preferred Minor : 127
    Persistence : Superblock is persistent

    Update Time : Mon Dec 30 17:21:21 2013
          State : clean 
 Active Devices : 2
Working Devices : 2
 Failed Devices : 0
  Spare Devices : 0

           UUID : 462f6c0c:68770b3a:b268e686:64f77a36
         Events : 0.131

    Number   Major   Minor   RaidDevice State
       0       8       16        0      active sync   /dev/sdb
       1       8       32        1      active sync   /dev/sdc

Looks like there are 2 RAIDs, and md126 is the broken one. It should be the SSD and something else? Time to open the box and see what's in there.

fdisk /dev/md126

Command (m for help): p

Disk /dev/md126: 120.0 GB, 120031477760 bytes
255 heads, 63 sectors/track, 14592 cylinders, total 234436480 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x0009c7c9

      Device Boot      Start         End      Blocks   Id  System
/dev/md126p1   *        2048   218460159   109229056   83  Linux
/dev/md126p2       218462206   234440703     7989249    5  Extended
/dev/md126p5       218462208   234440703     7989248   82  Linux swap / Solaris

Command (m for help): 

Conclusion - I was planning on doing RAID mirror and never got the second drive installed. I think I might have used it in Stellar instead. Steller's drive failed and needed immediate replacement. Something failed on the SSD and now it's not booting, but this has nothing to do with the hardware from what I can tell. It complains about the RAID missing a drive but that's not new.

2014 Jan 01 rebuild

Do as in the Linux Mint section below

Also note:

PRESERVE MYSQL!!

/etc/hdparm.conf

2013 Jan data mirror build

apt-get install mdadm lvm2
mdadm --create --metadata=0.90 --level=mirror --raid-devices=2 /dev/md0 /dev/sdb /dev/sdc
cat /proc/mdstat 
pvcreate /dev/md0 
vgcreate vg_mirror /dev/md0 
lvcreate --verbose --extents 100%FREE -n lv_mirror vg_mirror
mkfs.ext4 /dev/vg_mirror/lv_mirror 
mount /dev/vg_mirror/lv_mirror /green
dd if=/dev/zero of=/green/swapfile1 bs=1024 count=1048576

2013 Mar Linux Mint rebuild

Had to install mdadm and lvm2, but then it recognized the LVM drives. All I had to do was mount the RAID on /green.

sudo apt-get install synaptic nfs-kernel-server ssh mysql-server phpmyadmin ntp winbind smartmontools postfix

Re-install dropbox

Re-install squeezeboxserver from Logitech. http://bellman:9000/

Set up cups again

Copy over /etc/exports file

Need AFP support for Apple Timemachine. See Netatalk 3 on Debian

December 2011 upgrade

Bellman had an Intel Little Falls Atom 230 mini-itx main board + 2GB RAM until Dec 2011. Bellman used to be an Athlon desktop system, I recycled the name because I like it.

Hardware

bellman:~$ inxi -Fx
System:
  Host: bellman Kernel: 6.1.0-21-amd64 arch: x86_64 bits: 64 compiler: gcc v: 12.2.0
    Console: pty pts/0 Distro: Debian GNU/Linux 12 (bookworm)
Machine:
  Type: Mini-pc System: Intel Client Systems product: NUC10i5FNH v: K61160-303
    serial: <superuser required>
  Mobo: Intel model: NUC10i5FNB v: K61361-303 serial: <superuser required> UEFI: Intel
    v: FNCML357.0038.2020.0131.1422 date: 01/31/2020
CPU:
  Info: quad core model: Intel Core i5-10210U bits: 64 type: MT MCP arch: Comet/Whiskey Lake
    note: check rev: C cache: L1: 256 KiB L2: 1024 KiB L3: 6 MiB
  Speed (MHz): avg: 500 high: 800 min/max: 400/4200 cores: 1: 400 2: 400 3: 800 4: 800 5: 400
    6: 400 7: 400 8: 400 bogomips: 33599
  Flags: avx avx2 ht lm nx pae sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx
Graphics:
  Device-1: Intel CometLake-U GT2 [UHD Graphics] driver: i915 v: kernel arch: Gen-9.5
    bus-ID: 00:02.0
  Display: server: No display server data found. Headless machine? tty: 112x24
  API: OpenGL Message: GL data unavailable in console. Try -G --display
Audio:
  Device-1: Intel Comet Lake PCH-LP cAVS driver: snd_hda_intel v: kernel bus-ID: 00:1f.3
  API: ALSA v: k6.1.0-21-amd64 status: kernel-api
Network:
  Device-1: Intel Ethernet I219-V driver: e1000e v: kernel port: N/A bus-ID: 00:1f.6
  IF: eno1 state: up speed: 1000 Mbps duplex: full mac: 1c:69:7a:67:a9:76
  IF-ID-1: br-0deef3cf3b16 state: up speed: 10000 Mbps duplex: unknown mac: 02:42:ea:ed:30:4d
  IF-ID-2: br-1abc8acede4e state: down mac: 02:42:28:b1:11:35
  IF-ID-3: br-3596ed8c023f state: up speed: 10000 Mbps duplex: unknown mac: 02:42:ab:f9:d2:52
  IF-ID-4: br-3a14003316ab state: up speed: 10000 Mbps duplex: unknown mac: 02:42:96:9a:03:cb
  IF-ID-5: br-53d612b820e4 state: up speed: 10000 Mbps duplex: unknown mac: 02:42:64:bf:2f:5e
  IF-ID-6: br-76e52b16b02c state: down mac: 02:42:2d:12:cc:8a
  IF-ID-7: br-7f875566c220 state: down mac: 02:42:7e:19:cc:d8
  IF-ID-8: br-a2f5bc89e1f9 state: down mac: 02:42:ad:87:11:41
  IF-ID-9: br-d98f5362c5c1 state: up speed: 10000 Mbps duplex: unknown mac: 02:42:d2:91:ed:18
  IF-ID-10: docker0 state: down mac: 02:42:39:5e:2c:b4
  IF-ID-11: veth1b63b5b state: up speed: 10000 Mbps duplex: full mac: 32:8c:f1:c3:a3:3e
  IF-ID-12: veth20059e6 state: up speed: 10000 Mbps duplex: full mac: 96:b2:5e:72:41:4a
  IF-ID-13: veth3c22098 state: up speed: 10000 Mbps duplex: full mac: e6:d2:d6:4d:6e:2e
  IF-ID-14: veth70f35dd state: up speed: 10000 Mbps duplex: full mac: 8e:5d:2c:2d:dd:41
  IF-ID-15: veth71476e6 state: up speed: 10000 Mbps duplex: full mac: ee:7c:c8:f9:2f:36
  IF-ID-16: veth835c0e3 state: up speed: 10000 Mbps duplex: full mac: 12:aa:36:a2:26:c6
  IF-ID-17: veth838f419 state: up speed: 10000 Mbps duplex: full mac: 4a:7b:ad:1c:58:6a
  IF-ID-18: veth9c763bb state: up speed: 10000 Mbps duplex: full mac: 6e:60:7c:0b:ad:4e
  IF-ID-19: vethb2eb4bf state: up speed: 10000 Mbps duplex: full mac: 52:dd:e6:0d:e7:41
  IF-ID-20: vethbf1c6b9 state: up speed: 10000 Mbps duplex: full mac: fa:cb:12:b2:17:e8
  IF-ID-21: vethe236ee0 state: up speed: 10000 Mbps duplex: full mac: ea:4e:61:03:02:64
  IF-ID-22: vethe725186 state: up speed: 10000 Mbps duplex: full mac: a2:e3:35:fc:30:cc
  IF-ID-23: vethfa384da state: up speed: 10000 Mbps duplex: full mac: 42:48:c3:7f:c4:87
Bluetooth:
  Device-1: Intel AX201 Bluetooth type: USB driver: btusb v: 0.8 bus-ID: 1-10:2
  Report: rfkill ID: hci0 rfk-id: 0 state: down bt-service: not found rfk-block: hardware: no
    software: no address: see --recommends
Drives:
  Local Storage: total: 2.75 TiB used: 243.34 GiB (8.6%)
  ID-1: /dev/nvme0n1 vendor: TeamGroup model: TM8FPD001T size: 953.87 GiB temp: 30.9 C
  ID-2: /dev/sda type: USB vendor: Seagate model: ST2000DM 006-2DM164 size: 1.82 TiB
Partition:
  ID-1: / size: 952.41 GiB used: 124.27 GiB (13.0%) fs: btrfs dev: /dev/nvme0n1p2
  ID-2: /boot/efi size: 511 MiB used: 5.8 MiB (1.1%) fs: vfat dev: /dev/nvme0n1p1
Swap:
  ID-1: swap-1 type: partition size: 977 MiB used: 332.8 MiB (34.1%) dev: /dev/nvme0n1p3
Sensors:
  System Temperatures: cpu: 46.0 C pch: 42.0 C mobo: N/A
  Fan Speeds (RPM): N/A
Info:
  Processes: 324 Uptime: 104d 23h 33m Memory: 31.06 GiB used: 2.31 GiB (7.4%) Init: systemd
  target: graphical (5) Compilers: gcc: 12.2.0 Packages: 1191 Shell: Bash v: 5.2.15 inxi: 3.3.26

Intel NUC edition, born 8/5/2020

  • Intel NUC10i5FNH (Newegg 7/29/20)
    • 4 core i5 CPU (hyperthreaded, 8 threads)
    • WiFi (Intel Wi-Fi 6 AX201)
    • Bluetooth 5.2
    • IR sensor
    • Thunderbolt 3 (USB-C)
    • 7.1 HD Audio
    • Digital mic array
  • Kingston Technology Corp. HX429S17IBK2/32 32GB 2933MHZ DDR4 (2 16GB SODIMM) (Newegg 7/29/20) Note, MAX is 64GB
  • Team Group MP33 PRO M.2 2280 1TB S/N TPBF2308210070300362 5 year warranty (Newegg 11/23)
  • REPLACED 11/23 - WD Black 512GB Performance SSD - M.2 2280 PCIe NVMe Solid State Drive - WDS512G1X0C (moved from Supermicro)
  • REMOVED -- Corsair Neutron at /workspace 240GB /dev/sda s/n 124479060000190702E2

It has GEN3 PCIe which means this WD Black NVME is about as fast as it will ever get.

Audio

I note that it says it has a microphone array, and that appears to show up in dmesg so I guess it's true? This might mean I need to move the computer up someplace where it can listen to me?

It says it has a DSP too.

Supermicro version, deceased 7/29/20

Local copy of motherboard manual File:SuperMicro SYS5018A.pdf

Audio output: NuForce UDAC 2

Newegg 03/26/2019 2 Noctua 40mm x 20mm system fans
Newegg 09/03/2017 Inv 153021116
Newegg 10/16/2016 Inv 143374043
Newegg 11/21/2014 Inv 120335149

  • SUPERMICRO SYS-5018A-FTN4 1U Rackmount Server Barebone FCBGA 1283 DDR3 1600/1333
  • SUPERMICRO MCP-220-00051-0N Single 2.5" Fixed HDD Mounting Bracket
  • 4 x Kingston 8GB 204-Pin DDR3 SO-DIMM ECC Unbuffered DDR3 1600 (PC3 12800) Server Memory Model KVR16LSE11 (3 added 2017-09-07)
  • sda = Samsung SSD 840 EVO 750GB
  • sdb = Seagate Archive 8TB (Installed 3/18/18, purchased 9/03/17)
  • WD Black 512GB Performance SSD - M.2 2280 PCIe NVMe Solid State Drive - WDS512G1X0C (moved from Murre)

eth0 00:25:90:F7:37:72

Bellman is configured to bring up a management interface on this ethernet interface too. (Optionally there is a separate management interface. This server has 5 ethernet ports, 4 on the motherboard and 1 on the management card.) Since it's a Supermicro possibly it can be pwned at any time by the Chinese. Since I don't use Bellman to control centrifuges or do weapons research I live with it.