How to install vmware tools on IPCop virtual machine

IPCop is a small Linux distribution providing a simple firewall / router / NAT solution. When it runs as a virtual machine it is advisable to have VMware Tools installed (at least to allow a graceful restart/shutdown of the guest from vSphere and to have the guest's IPs reported there). However IPCop is a very minimal distribution, lacking many tools the VMware Tools installer expects, such as insmod / rmmod, PAM and an init.d system (IPCop boots through its own rc.sysinit script). On top of that it runs kernel 3.4, for which VMware Tools ships no prebuilt modules, and IPCop has neither gcc nor kernel headers to build them. See Enabling NAT on VMware ESX with help of IPCop for detailed instructions on how to install IPCop on ESX.

There is still a way to install VMware Tools on IPCop, although without any kernel modules: only the user-space daemon (vmtoolsd) gets installed, which is still enough for a graceful shutdown.

First start the VMware Tools installation from vSphere / vCenter via the menu Guest –> Install/Upgrade VMware Tools (I am running on an ESX 6.0 host in this example); this connects the tools ISO to the VM's virtual CD drive. Then mount the virtual CD read-only and extract the package into a temporary directory (we use the /var/log filesystem because of how IPCop partitions its limited disk space). We remove all prebuilt kernel modules, as none of them are for our kernel. IPCop itself needs less than 500 MB of disk space, so if you allocated only that much to the VM, make sure you have at least 120 MB free in the root filesystem (and about 250 MB in /var/log during the installation).

root@ipcop:~ # mount /dev/sr0 /mnt/ -o ro
root@ipcop:~ # mkdir /var/log/VM-tools
root@ipcop:~ # ll /mnt/
total 71888
-r-xr-xr-x 1 root root     2012 Feb 17  2016 manifest.txt
-r-xr-xr-x 1 root root     1850 Feb 17  2016 run_upgrader.sh
-r--r--r-- 1 root root 72162730 Feb 17  2016 VMwareTools-10.0.6-3560309.tar.gz
-r-xr-xr-x 1 root root   687524 Feb 17  2016 vmware-tools-upgrader-32
-r-xr-xr-x 1 root root   757944 Feb 17  2016 vmware-tools-upgrader-64
root@ipcop:~ # cd /var/log/VM-tools
root@ipcop:/var/log/VM-tools # tar xzf /mnt/VMwareTools-10.0.6-3560309.tar.gz
root@ipcop:/var/log/VM-tools # du -ks
222276  .
root@ipcop:/var/log/VM-tools # cd vmware-tools-distrib/
root@ipcop:/var/log/VM-tools/vmware-tools-distrib # ll
total 524
drwxr-xr-x  2 root root   4096 Feb 17  2016 bin
drwxr-xr-x  5 root root   4096 Feb 17  2016 caf
drwxr-xr-x  2 root root   4096 Feb 17  2016 doc
drwxr-xr-x  5 root root   4096 Feb 17  2016 etc
-rw-r--r--  1 root root 282475 Feb 17  2016 FILES
-rw-r--r--  1 root root   2538 Feb 17  2016 INSTALL
drwxr-xr-x  2 root root   4096 Feb 17  2016 installer
drwxr-xr-x 14 root root   4096 Feb 17  2016 lib
drwxr-xr-x  3 root root   4096 Feb 17  2016 vgauth
-rwxr-xr-x  1 root root    243 Feb 17  2016 vmware-install.pl
-rwxr-xr-x  1 root root 205571 Feb 17  2016 vmware-install.real.pl
root@ipcop:/var/log/VM-tools/vmware-tools-distrib # rm -r lib/modules/binary/*
root@ipcop:/var/log/VM-tools/vmware-tools-distrib # du -ks
110328  .

Then we need to create a few directories which the VMware Tools installer expects but which are not part of IPCop's system: the rc0.d to rc6.d init directories (kept under /usr/local, away from IPCop's own /etc/rc.d) and an empty /etc/pam.d (IPCop has no PAM; the directory only exists so the installer does not fail).

root@ipcop:/var/log/VM-tools/vmware-tools-distrib # for i in 0 1 2 3 4 5 6; do mkdir -p /usr/local/rc.d/rc$i.d; done
root@ipcop:/var/log/VM-tools/vmware-tools-distrib # mkdir /etc/pam.d

Now we can start the installation script. It will complain about several tools it cannot find; answer /bin/true for each of them, so the installer calls a harmless no-op in place of rmmod, insmod and ldd. When asked for directories, give the ones created above (and /usr/local/bin for the binaries, to keep everything under /usr/local).

root@ipcop:/var/log/VM-tools/vmware-tools-distrib # ./vmware-install.pl
Setup is unable to find the "rmmod" program on your machine. Please make sure
it is installed. Do you want to specify the location of this program by hand?
[yes]

What is the location of the "rmmod" program on your
machine? /bin/true

Creating a new VMware Tools installer database using the tar4 format.

Installing VMware Tools.

In which directory do you want to install the binary files?
[/usr/bin] /usr/local/bin

What is the directory that contains the init directories (rc0.d/ to
rc6.d/)? /usr/local/rc.d

What is the directory that contains the init scripts?
[/usr/local/rc.d]

In which directory do you want to install the daemon files?
[/usr/local/sbin]

In which directory do you want to install the library files?
[/usr/local/lib/vmware-tools]

The path "/usr/local/lib/vmware-tools" does not exist currently. This program
is going to create it, including needed parent directories. Is this what you
want? [yes]

In which directory do you want to install the common agent library files?
[/usr/local/lib]

In which directory do you want to install the common agent transient files?
[/var/lib]

In which directory do you want to install the documentation files?
[/usr/local/doc/vmware-tools]

The path "/usr/local/doc/vmware-tools" does not exist currently. This program
is going to create it, including needed parent directories. Is this what you
want? [yes]

The installation of VMware Tools 10.0.6 build-3560309 for Linux completed
successfully. You can decide to remove this software from your system at any
time by invoking the following command:
"/usr/local/bin/vmware-uninstall-tools.pl".

Before running VMware Tools for the first time, you need to configure it by
invoking the following command: "/usr/local/bin/vmware-config-tools.pl". Do you
want this program to invoke the command for you now? [yes]

Setup is unable to find the "ldd" program on your machine.  Please make sure it
is installed.  Do you want to specify the location of this program by hand?
[yes]

What is the location of the "ldd" program on your machine? /bin/true

Setup is unable to find the "insmod" program on your machine.  Please make sure
it is installed.  Do you want to specify the location of this program by hand?
[yes]

What is the location of the "insmod" program on your
machine? /bin/true

Setup is unable to find the "rmmod" program on your machine.  Please make sure
it is installed.  Do you want to specify the location of this program by hand?
[yes]

What is the location of the "rmmod" program on your
machine? /bin/true

Searching for GCC...
The path "" is not valid path to the gcc binary.
Would you like to change it? [yes] no

Searching for a valid kernel header path...
The path "" is not a valid path to the 3.4-3 kernel headers.
Would you like to change it? [yes] no


WARNING: This program cannot compile any modules for the following reason(s)...

The communication service is used in addition to the standard communication
between the guest and the host.  The rest of the software provided by VMware
Tools is designed to work independently of this feature.
If you wish to have the VMCI feature, you can install the driver by running
vmware-config-tools.pl again after making sure that gcc, binutils, make and the
kernel sources for your running kernel are installed on your machine. These
packages are available on your distribution's installation CD.
[ Press Enter key to continue ]

{the same for other kernel modules...}

Warning: This script could not find mkinitrd or update-initramfs and cannot
remake the initrd file!

Generating the key and certificate files.
Successfully generated the key and certificate files.
   Checking acpi hot plug                                              done
Starting VMware Tools services in the virtual machine:
   Switching to guest configuration:                                   done
   Guest operating system daemon:                                      done
The configuration of VMware Tools 10.0.6 build-3560309 for Linux for this
running kernel completed successfully.

root@ipcop:/var/log/VM-tools/vmware-tools-distrib # ps -ef|grep vm
root     29659     1  0 21:48 ?        00:00:00 /usr/local/sbin/vmtoolsd
root@ipcop:/var/log/VM-tools/vmware-tools-distrib # cd
root@ipcop:~ # rm -r /var/log/VM-tools
root@ipcop:~ # du -ks /usr/local/
110404  /usr/local/

The configuration step prints a warning for each kernel module it cannot compile; acknowledge each one with Enter. At the end the vmtoolsd daemon should be running, but we still need to adjust IPCop's startup so that the vmware-tools start script is run at boot.

root@ipcop:~ # cat >>/etc/rc.d/rc.event.local <<'EOF'
EVENT=${1}
VALUE=${2}
if [ "$EVENT" = "system" -a "$VALUE" = "up" ]; then
  /usr/bin/logger -t ipcop "Starting vmware tools"
  rm -f /var/lock/subsys/vmware-tools
  /usr/local/rc.d/vmware-tools start
fi
EOF

The file rc.event.local is run from rc.event, which is run at the end of rc.sysinit with the parameters system and up. The stale lock file has to be removed first, because nothing runs the vmware-tools stop script at shutdown and the init script would otherwise assume the tools are already running. Now reboot IPCop to check that vmtoolsd is started during boot (ps -ef | grep vmtoolsd).

Posted in Sysadmin

Enabling NAT on VMware ESX with help of IPCop

VMware’s desktop products like Workstation can connect virtual machines (VMs) to the outside network via NAT, but the ESX hypervisor itself has no such networking features (it provides only virtual L2 switches). Any routing or NAT therefore has to be done by a dedicated VM. One option is the small and efficient Linux distribution IPCop. It needs only about 300 MB of disk space and perhaps 256 MB of RAM (although I recommend giving it 512 MB of RAM and 512 MB of disk space).

What you need:

  1. ESX server (I use v6.0)
  2. Two public IPs (one for ESX itself, one for IPCop external “Red” network interface)
  3. IPCop installation CD (available on its homepage http://www.ipcop.org/download.php)

[screenshot vcenter-ipcop2: vSphere networking view with vSwitch 0 "Red network" and vSwitch 1 "Green network"]

In my example I have the default ESX vSwitch 0, which is connected to the only physical network card of my server (so the ESX public IP is configured on it). I have named it “Red network” to be consistent with IPCop's naming. Individual VMs cannot be connected to this switch, as each of them would require its own public IP. So instead we create an isolated virtual network (vSwitch 1) called “Green network”. As you can see, this one contains no physical adapters, so the VMs on it cannot reach the outside world on their own. The VMs will get private IPs, and IPCop will provide them with DHCP, DNS and internet access via NAT.

First we need to create a new VM in which to install IPCop. Unfortunately this is not entirely straightforward, because IPCop's kernel does not include some of the usual virtual-hardware drivers. The important parameters to set are:

  • Guest operating system: Other 3.x or later Linux (32-bit)
  • 1 CPU socket, 1 CPU core
  • 512 MB RAM, 512 MB disk space (or more)
  • 2x Network: adapter type E1000, assign one to “Red network” and one to “Green network”
  • SCSI controller: BusLogic Parallel (this is most important as otherwise IPCop won’t detect any harddisk)

[screenshot vcenter-ipcop2-vm: the VM's hardware settings, including the MAC addresses of the two network adapters]

Now you can connect the installation CD ISO image to the virtual CD/DVD drive and start the installation. The process is easy; just follow IPCop's manual. You can tell the Red and Green adapters apart during installation by comparing the MAC addresses the installer shows with those in the VM's properties (see the screenshot above). Configure your Red interface with the connection type your network provider gives you (DHCP in my case), and remember that IPCop must use an IP address different from the main IP assigned to ESX itself.

Remember to attach any new VMs only to the “Green network”, so they get their internet connection via IPCop; a VM on the Red network would sit directly on the public segment, outside IPCop's control. For more advanced setups IPCop also supports a DMZ network and OpenVPN access (so that your PC can join the virtual network and connect to the VMs directly).
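A check I would add once the networking is in place, as an added example that is not part of the original post: parse the output of `esxcli network vswitch standard list` (run in the ESXi shell or over SSH) and confirm that the vSwitch carrying the “Green network” portgroup has no physical uplinks, while the Red one does. The embedded sample output is constructed to resemble the vSwitch0/vSwitch1 layout described above; the portgroup names are the ones used in this post and the "live" argument is my addition.

```sh
#!/bin/sh
# Added example: verify that the "Green network" vSwitch has no physical
# uplinks, so VMs on it can only reach the outside through IPCop.

# Constructed sample of `esxcli network vswitch standard list` output.
SAMPLE_VSWITCH_LIST='vSwitch0
   Name: vSwitch0
   Class: etherswitch
   Num Ports: 1536
   Used Ports: 4
   Configured Ports: 128
   MTU: 1500
   CDP Status: listen
   Beacon Enabled: false
   Beacon Interval: 1
   Beacon Threshold: 3
   Beacon Required By:
   Uplinks: vmnic0
   Portgroups: Red network, Management Network

vSwitch1
   Name: vSwitch1
   Class: etherswitch
   Num Ports: 1536
   Used Ports: 3
   Configured Ports: 128
   MTU: 1500
   CDP Status: listen
   Beacon Enabled: false
   Beacon Interval: 1
   Beacon Threshold: 3
   Beacon Required By:
   Uplinks:
   Portgroups: Green network'

# Print the vSwitch that carries portgroup $1 in listing $2 (nothing if absent).
vswitch_for_portgroup() {
  printf '%s\n' "$2" | awk -v pg="$1" '
    /^   Name: / { name = substr($0, 10) }
    /^   Portgroups: / {
      n = split(substr($0, 16), list, /, /)
      for (i = 1; i <= n; i++) if (list[i] == pg) { print name; exit }
    }'
}

# Print the uplinks of vSwitch $1 in listing $2 (empty when it has none).
uplinks_of_vswitch() {
  printf '%s\n' "$2" | awk -v sw="$1" '
    /^   Name: /   { name = substr($0, 10) }
    /^   Uplinks:/ { if (name == sw) { v = $0; sub(/^   Uplinks: ?/, "", v); print v; exit } }'
}

# Exit status: 0 = isolated (no uplinks), 1 = has uplinks, 2 = portgroup not found.
portgroup_is_isolated() {
  sw=$(vswitch_for_portgroup "$1" "$2")
  [ -n "$sw" ] || return 2
  [ -z "$(uplinks_of_vswitch "$sw" "$2")" ]
}

# Live check on the ESXi host; pass "live" to run it against esxcli.
if [ "${1:-}" = live ]; then
  list=$(esxcli network vswitch standard list)
  if portgroup_is_isolated "Green network" "$list"; then
    echo "Green network: isolated (no uplinks)"
  else
    echo "Green network: NOT isolated or not found" >&2; exit 1
  fi
fi
```

Run `sh check-green.sh live` on the host after any vSwitch change; a non-zero exit means a physical NIC was attached to the Green switch (or the portgroup was renamed), which would let VMs bypass IPCop.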

If you want to install VMware Tools in IPCop, I have a guide for that too: How to install vmware tools on IPCop virtual machine

Posted in Sysadmin

How to block ads on Youtube on Smart TV


After buying a new Samsung Smart TV I noticed a lot of ads on YouTube. I was surprised, as on my Android phone and PC I have had ads blocked (uBlock Origin for Firefox and AdAway for Android) for many years already.

First I thought about setting up a proxy on my home router which would block the ads. However the TV does not have any proxy settings (probably because a proxy would help circumvent GeoIP restrictions on paid streaming content?). No problem, I thought, there is transparent proxying. But a transparent proxy cannot filter HTTPS traffic, which most websites (including YouTube) use nowadays: without a man-in-the-middle certificate that the TV trusts, the proxy sees only the encrypted stream, not the URLs it would need to block. So a proxy solution is not possible. If anyone wants it for devices which do support proxy settings, use the Privoxy package for OpenWrt together with the privoxy-blocklist script.

Then I found a DNS-based solution. It works by returning modified DNS responses for domains which host ads. It is not as precise as URL-based filtering, but still good enough (including YouTube ads, as well as video ads in the SME TV application), and it works for HTTPS and any other protocol, because the blocking happens before any connection is made. I use Google DNS in my home; its IPs are handed out by my DHCP server to all devices. I have manually configured the TV to use my router's DNS instead. This way most devices keep “normal” DNS, but the TV gets the ad-blocking DNS.

For OpenWrt (I am using 15.05 Chaos Calmer), install the package adblock (and optionally luci-app-adblock for the web interface). They are not included in the repository for CC, but can be downloaded from OpenWrt's adblock GitHub page, where you will also find detailed installation instructions (basically just download the packages to your router and use opkg install). You can configure a cron job to renew the list of blocked domains automatically, and you can choose which blocklists to use; the Adblock easylist sources are among the supported ones. Adding a blocklist in a different format is also easy: just add a regexp which extracts the domain names from the list.

[screenshot openwrt-adblock: the adblock configuration page in LuCI]

The whole solution works by having dnsmasq (built into OpenWrt) return a special local IP (192.0.2.1, from the reserved TEST-NET-1 documentation range, so it never collides with a real host) for ad-serving domains. An instance of the uhttpd web server listens on this IP on the router and returns an empty page / empty GIF for every request, so clients get a quick empty answer instead of waiting for a timeout.

If you are not running OpenWrt on your router, the same can be accomplished on any Linux machine (it does not even have to be in your home network) running a DNS server together with a script which populates the list of ad domains.
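The list-to-dnsmasq step, as an added example that is not the adblock package's own code: a converter that turns a hosts-style (AdAway) or easylist-style (||domain^) blocklist into address= lines pointing at the sinkhole IP used above, and validates every domain so that a hostile entry in a downloaded list cannot smuggle extra dnsmasq syntax into the generated config. The sample list is constructed; the config directory (/tmp/dnsmasq.d, where OpenWrt's dnsmasq reads extra config by default) and the restart command are assumptions for the OpenWrt case.

```sh
#!/bin/sh
# Added example: build a dnsmasq sinkhole config from a downloaded blocklist.
SINKHOLE_IP=192.0.2.1          # TEST-NET-1, never a real host on the LAN

# Constructed sample mixing hosts-file lines, easylist "||domain^" rules,
# a bare domain, comments and two malformed entries that must be rejected.
SAMPLE_BLOCKLIST='# AdAway sample
127.0.0.1 localhost
0.0.0.0 ads.example.com
0.0.0.0   tracker.example.net   # trailing comment
||banner.example.org^
||bad host.example^
plain.example
0.0.0.0 evil.example/192.0.2.1'

# Emit one "address=/domain/IP" line per valid domain, sorted and unique.
blocklist_to_dnsmasq() {
  printf '%s\n' "$1" | awk -v ip="$SINKHOLE_IP" '
    { sub(/#.*/, ""); gsub(/\r/, "") }             # strip comments and CRs
    NF == 0 { next }
    {
      d = $1
      if (NF >= 2 && $1 ~ /^[0-9.:]+$/) d = $2       # hosts format: IP host
      sub(/^\|\|/, "", d); sub(/\^.*$/, "", d)      # easylist: ||host^
      d = tolower(d)
      if (d ~ /^localhost/) next
      # Only letters, digits, hyphens and dots: anything else (slashes,
      # spaces, "=") could change the meaning of the generated config line.
      if (d !~ /^([a-z0-9-]+\.)+[a-z0-9-]+$/) next
      print "address=/" d "/" ip
    }' | LC_ALL=C sort -u
}

# Write the config where dnsmasq picks it up and reload it (assumed paths).
apply_blocklist() {
  conf_dir=${2:-/tmp/dnsmasq.d}
  mkdir -p "$conf_dir"
  blocklist_to_dnsmasq "$1" > "$conf_dir/adblock.conf"
  /etc/init.d/dnsmasq restart
}

if [ "${1:-}" = apply ]; then
  apply_blocklist "$(cat "$2")"   # e.g. sh adblock.sh apply hosts.txt
fi
```

Run `sh adblock.sh apply hosts.txt` from cron after downloading the list. Every line that fails the domain check is silently dropped; if you want to audit what a list tried to feed you, diff the input against the generated file.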

Posted in Uncategorized

Tips & tricks for systemd

Here are a few tips I discovered while writing a few systemd units for my new Debian Jessie system. You can find my unit files in my GitHub repository.

Perl and stdout in systemd unit

I converted my simple Perl script to systemd. Before, it was running in a screen session and printing some status information to stdout. I used the StandardOutput=journal parameter to redirect stdout to systemd's journal. However the journal did not contain any output of the script. It turned out that when Perl's stdout is anything other than a terminal, Perl switches from line buffering to block buffering, so the output would appear only after about 8 kB of text had accumulated. To disable the buffering, just put $|=1; at the beginning of your script. You can display the unit's output with journalctl -u myunit.

Handling of /var/run and /run subdirs

Note: /var/run is being replaced by /run (and is now a symlink to it), which is a tmpfs filesystem on modern distros. That implies it is empty after each boot.

When a daemon runs under a non-root user, its init.d script traditionally created a subdirectory inside /var/run and made it owned by the user the daemon runs as. Here is how the same can be accomplished in a systemd unit file.

[Unit]
Description=DCC (Distributed Checksum Clearinghouses) interface daemon
Before=spamassassin.service

[Service]
Type=forking
PermissionsStartOnly=true
ExecStartPre=/bin/mkdir -p /run/dcc
ExecStartPre=/bin/chown -R vscan:vscan /run/dcc
ExecStart=/var/dcc/libexec/dccifd
User=vscan

We use ExecStartPre to create the directory before the actual daemon is run. When PermissionsStartOnly is true, only the daemon itself runs under the configured user, while the pre-start commands run as root. I use mkdir -p, which does not return an error when the directory already exists (for example when the daemon is restarted several times). Newer systemd versions deprecate PermissionsStartOnly in favour of prefixing the individual command with +, as in ExecStartPre=+/bin/mkdir -p /run/dcc, which runs just that command with full privileges.

UPDATE 13.07.2016: A better solution is to use systemd's options RuntimeDirectory and RuntimeDirectoryMode (see man systemd.exec), which create the directory under /run owned by the unit's User/Group and remove it again when the service stops. However this can't be used when the daemon itself drops privileges to an unprivileged UID and so there is no User option in the unit file, since the directory would then be owned by root. The above example could be rewritten as:

[Unit]
Description=DCC (Distributed Checksum Clearinghouses) interface daemon
Before=spamassassin.service

[Service]
Type=forking
RuntimeDirectory=dcc
ExecStart=/var/dcc/libexec/dccifd
User=vscan

Making your own units to start automatically at system boot

Systemd uses so-called targets instead of run levels. The main difference is that only one run level can be active at a time, whereas targets are states which can be activated (or better said, reached); there is no single “current target”, and several targets can be reached at the same time. The most interesting one is multi-user.target, the rough equivalent of run level 3.

To start your service at boot, add these lines to your unit’s config file.

[Install]
WantedBy=multi-user.target

However, by default the unit is disabled, so it won't be started. To enable it, run systemctl enable myunit. (This creates a symlink /etc/systemd/system/multi-user.target.wants/myunit.service pointing to /etc/systemd/system/myunit.service.)

How to modify existing unit file (and set open files limit for MySQL)

By default, systemd units shipped with distro packages are put into /lib/systemd/system directory. Don’t modify any of these files as your changes would get lost on update.

If you want to replace the whole unit with your own version (and lose any further changes from updated packages), put your copy of the unit file in /etc/systemd/system. When it exists there, systemd uses it instead of the one in /lib.

If you only want to change a few settings, create a new directory /etc/systemd/system/mysql.service.d (in our case for the MySQL daemon). Every *.conf file there is read after the main unit file in /lib and applied on top of it. I created a file override.conf with this content to stop MySQL complaining about the open files limit being too low:

[Service]
LimitNOFILE=32000

This is the warning message MySQL produces when the open files limit is too low for your configuration:

[Warning] Changed limits: max_open_files: 1024 (requested 5000)

[Warning] Changed limits: table_open_cache: 431 (requested 2000)

Single-valued options are simply overwritten by specifying them a second time, but some options (such as ExecStart, Environment or After) are additive, so specifying them multiple times just adds new values to the list. If you want to replace such an option, first specify it with an empty value (Option=) to clear the list, then give the new values. Remember to run systemctl daemon-reload after editing, otherwise systemd keeps using the old merged unit.
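The reset rule in action, as an added example that is not from the post: a small shell script that writes the override drop-in into a directory of your choice and a helper that computes the effective value(s) of an option across a unit file and its drop-ins the way systemd merges them (an empty assignment clears everything collected so far). The two unit fragments are constructed stand-ins for the packaged mysql.service and the drop-in; on a real system confirm the result with systemctl show -p LimitNOFILE mysql.service.

```sh
#!/bin/sh
# Added example: drop-in override semantics. Constructed stand-ins for the
# packaged unit and the administrator's drop-in follow.
PACKAGED_UNIT='[Unit]
Description=MySQL Community Server

[Service]
ExecStart=/usr/sbin/mysqld
Environment=MYSQLD_OPTS=
LimitNOFILE=1024'

ADMIN_DROPIN='[Service]
LimitNOFILE=32000
Environment=
Environment=MYSQLD_OPTS=--skip-networking'

# Print every value KEY ends up with after reading the given fragments in
# order. "KEY=" with nothing after it discards everything collected so far,
# which is how a drop-in replaces (rather than extends) an additive option.
effective_values() {
  key=$1; shift
  printf '%s\n' "$@" | awk -v key="$key" '
    index($0, key "=") == 1 {
      v = substr($0, length(key) + 2)
      if (v == "") n = 0; else vals[++n] = v
    }
    END { for (i = 1; i <= n; i++) print vals[i] }'
}

# For single-valued options (LimitNOFILE, Type, ...) the last assignment wins.
effective_value() {
  effective_values "$@" | tail -n 1
}

# Write the override drop-in into ETC_DIR (default /etc/systemd/system), then
# remind about daemon-reload, without which systemd keeps the old merge.
write_mysql_dropin() {
  etc_dir=${1:-/etc/systemd/system}
  mkdir -p "$etc_dir/mysql.service.d"
  printf '%s\n' "$ADMIN_DROPIN" > "$etc_dir/mysql.service.d/override.conf"
  echo "written; now run: systemctl daemon-reload && systemctl restart mysql.service"
}
```

With the drop-in applied, effective_value LimitNOFILE gives 32000 while Environment collapses to the single new value because of the empty Environment= line; remove that line and both MYSQLD_OPTS assignments are kept, which is the surprise the reset rule exists to avoid.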

Posted in Sysadmin