Posts Tagged ‘sysadmin’

Poor man’s VPN via ssh socks proxy

Sunday, December 13th, 2015

This was also posted on Redpill Linpro’s Sysadvent blog

It is late at night. You have just arrived at your grandparents' when the SMS beeper goes off. There is a problem with a SAN controller, and the on-call person knows you fixed it the last time. Now, if only you had documented it.

You know you have to fix this yourself, but you have no VPN access. You don't even have an Internet connection, except your 3G mobile phone, and you really need access to that admin web GUI. There is an emergency ssh port available, but no other port is open. X forwarding over 3G? Not an option. ssh port forwarding plus an edited /etc/hosts? Doable, perhaps. VNC over ssh? Awkward. Enter the ssh SOCKS proxy!

Emergency web access

Simply run:

$ ssh -D 1080 login.example.com

Now you have a local port 1080 that speaks SOCKS, and every connection made through it leaves from login.example.com. OpenSSH binds the port to the loopback interface unless you ask otherwise, so only programs on your own machine can reach it, but any of them can, and the login server sees all of the traffic you send through it. Firefox supports SOCKS proxies natively.

Settings -> Advanced -> Network -> Configure how Firefox connects to the Internet -> Manual proxy configuration, SOCKS Host: localhost, Port: 1080, and select SOCKS v5 (the remote DNS setting below only works with v5).

If you also need host names resolved on the server side, which you do for internal names that only the server's resolver knows (and which keeps those lookups from leaking to your mobile operator's DNS), add that to the config. In the URL field, type about:config, then search for the key

network.proxy.socks_remote_dns

Set it to true. That is all: you are now browsing as if Firefox were running on the login server. Remember to reset the proxy settings when you are done, or Firefox will stop working the moment you close the ssh session that provides the SOCKS proxy.

Not just surfing

But wait, there's more. With a local SOCKS proxy you can also run other programs through it, and they don't even have to support SOCKS themselves. Install tsocks, and point it at the local proxy (the default server port, 1080, matches the ssh -D port above):

$ sudo yum install tsocks || sudo apt-get install tsocks
$ echo "server = 127.0.0.1" | sudo tee /etc/tsocks.conf

tsocks is a little gem of a program. It is an LD_PRELOAD wrapper: it hooks the socket calls of dynamically linked programs and redirects their TCP connections to the local SOCKS proxy. Now, while the ssh SOCKS proxy is still running (the ssh -D 1080 command), just prefix your favourite program with tsocks to run it through the proxy:

# Log into a server on a closed network behind the firewall
$ tsocks ssh server.behind.firewall.example.com
# Run a local psql shell against a remote server through the SOCKS proxy
$ tsocks psql -U pg_admin_user -W -h database.behind.firewall.example.com template1

or, to run a whole session of commands through the SOCKS proxy, start with “. tsocks on” (note the leading dot: the file is sourced into the current shell so that it can set LD_PRELOAD there) and stop with “. tsocks off”:

$ . tsocks on
$ command
$ command
$ command
$ . tsocks off

To run Firefox through the SOCKS proxy, but without changing its configuration:

$ tsocks firefox http://ripe.net   # Stop any running Firefox first, or the URL is handed to that unproxied instance

To check tsocks status, run

$ tsocks show

If the LD_PRELOAD variable it prints is empty, tsocks is not active in this shell.

Note that not all traffic is routed via tsocks. It only intercepts TCP connections made by the wrapped program: ICMP (ping) and UDP are not proxied, and name lookups are still done locally, so a host name must be resolvable on your side (or you give tsocks an IP address). Being an LD_PRELOAD trick, it also cannot hook statically linked or setuid programs; those connect directly without warning.
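An added example, not from the original post, that writes a fuller tsocks.conf for the ssh -D proxy and checks a binary for the two cases tsocks cannot wrap (setuid/setgid and statically linked) before running it. The file paths are placeholders and the tsocks 1.8 configuration syntax (server, server_port, server_type, local) is assumed.

```sh
#!/bin/sh
# Added example, not part of the original post: write a tsocks.conf for the
# ssh -D proxy and check a binary before wrapping it with tsocks. Paths are
# placeholders; tsocks 1.8 configuration syntax is assumed.
set -eu

# tsocks.conf pointing at the local ssh -D port as a SOCKS v5 server. "local ="
# lists networks that should NOT go through the proxy; loopback is the obvious
# one. Do not add the remote site's private ranges here, or those are exactly
# the hosts you will no longer reach through the tunnel.
write_tsocks_conf() {
    conf=$1
    port=${2:-1080}
    cat > "$conf" <<EOF
# networks to reach directly, not via the proxy
local = 127.0.0.0/255.0.0.0
# the ssh -D endpoint
server = 127.0.0.1
server_port = $port
server_type = 5
EOF
}

# tsocks works through LD_PRELOAD, so two classes of programs silently bypass
# it: statically linked binaries (no dynamic loader to honour the preload) and
# setuid/setgid ones (the loader drops LD_PRELOAD for them). Also remember that
# tsocks resolves names locally before connecting. Returns 0 if wrapping works.
tsocks_can_wrap() {
    bin=$(command -v "$1") || { echo "$1: not found" >&2; return 1; }
    bin=$(readlink -f "$bin")
    if [ -u "$bin" ] || [ -g "$bin" ]; then
        echo "$bin: setuid/setgid, the loader ignores LD_PRELOAD" >&2
        return 1
    fi
    if ! ldd "$bin" >/dev/null 2>&1; then
        echo "$bin: not a dynamically linked executable" >&2
        return 1
    fi
    return 0
}

# Run a command through the proxy only if the wrapper can actually take effect.
tsocks_run() {
    tsocks_can_wrap "$1" || return 1
    tsocks "$@"
}

case "${1:-}" in
    "")      ;;                                              # no args: only define functions
    install) write_tsocks_conf /etc/tsocks.conf "${2:-1080}" ;;   # needs root
    *)       tsocks_run "$@" ;;
esac
```

`sudo sh tsocks-helper.sh install 1080` writes the configuration, and `sh tsocks-helper.sh psql -h database.behind.firewall.example.com template1` refuses to run, with a reason, instead of quietly connecting outside the tunnel when the binary cannot be wrapped.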

jemalloc-4.0.x for fedora and epel

Thursday, August 20th, 2015

jemalloc, Jason Evans’ general-purpose scalable concurrent malloc implementation, was recently updated to version 4.0.0. I have wrapped packages for Fedora, and will update rawhide in a few days. If you would like to test the packages already, have a look at http://users.linpro.no/ingvar/jemalloc/4.0.0/.

Update: Jason recently released updates 4.0.1 through 4.0.3. Packages for 4.0.3 are pushed to rawhide. Builds for epel are available at http://users.linpro.no/ingvar/jemalloc/4.0.3/.

There are a few Fedora packages that rely on jemalloc. If you have a chance to help testing, please recompile and test the package against the updated version. You can leave comments here, or send me a mail.

$ sudo repoquery --whatrequires jemalloc |\
  sed 's,\(.*\)-.*-.*,\1,g;' | sort | uniq | tr '\n' ' ' | fold -s; echo

blender blenderplayer bro gridengine gridengine-execd gridengine-qmaster 
gridengine-qmon jemalloc-devel nfs-ganesha nfs-ganesha-ceph nfs-ganesha-gluster 
nfs-ganesha-proxy nfs-ganesha-utils nfs-ganesha-vfs nfs-ganesha-xfs redis 
varnish 

For those who would like to use jemalloc-4.0 on epel, I have built packages for epel 5, 6, and 7 as well. These will not be pushed to the official epel mirrors, as there are API and ABI changes that make them binary incompatible with the existing packages in epel.

I have my happy day job at Redpill Linpro in Norway. Redpill Linpro is the market leader for professional Open Source and Free Software solutions in the Nordics, though we have customers from all over. For professional managed services, all the way from small web apps to massive IPv4/IPv6 multi data center media hosting, and everything through container solutions, in-house, cloud, and data center, contact us at http://www.redpill-linpro.com, or follow us on social media.

Today’s sysadmin tip: Finding what binaries to restart revisited

Monday, January 20th, 2014

Almost exactly two years ago, I posted a perl script to find what binaries to restart on Red Hat based systems. It digs a bit deeper than the excellent needs-restarting script that is provided by Red Hat, by running ldd on the running process binaries and recursively checking all underlying libraries. I did an extra variant for Debian and derivatives today.

Why is this necessary? Because a process can depend on a library without holding it open: the dynamic loader closes the file once the library is mapped, and some libraries are only loaded later, on demand. If such a library is updated, needs-restarting (or checkrestart on Debian, Ubuntu and derivatives) won't list the process as needing a restart. But the process may crash or behave strangely when, some time in the future, it opens a library that the update has replaced and that no longer matches the code already running.

And yes, this is a real problem, experienced on production systems.

Red Hat variant
Debian/Ubuntu variant
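As an added illustration of the approach, and not the author's scripts linked above: a small shell implementation that, for a PID, takes the executable behind /proc/PID/exe, lets ldd resolve its libraries, and reports every file that is newer on disk than the process start time. ldd prints the full transitive closure of DT_NEEDED entries, so one call per process covers the recursive walk; ldd may execute the binary's dynamic loader, though, so do not point this at executables you do not trust. Linux /proc and GNU or busybox stat are assumed; the output format is my own.

```sh
#!/bin/sh
# Added example, not the author's script: for a PID, list its executable and
# every library that ldd resolves for it whose file on disk is newer than the
# process start time. Linux /proc and GNU/busybox stat are assumed.
set -eu

CLK_TCK=$(getconf CLK_TCK 2>/dev/null || echo 100)

# Process start as a Unix epoch: boot time (btime in /proc/stat) plus the
# start offset in clock ticks (field 22 of /proc/PID/stat). The comm field can
# contain spaces, so strip everything up to the closing ')' first, which makes
# the start offset field 20 of what remains.
proc_start_epoch() {
    btime=$(awk '$1 == "btime" { print $2 }' /proc/stat)
    ticks=$(sed 's/^.*) //' "/proc/$1/stat" 2>/dev/null | awk '{ print $20 }')
    [ -n "$ticks" ] || return 1
    echo $(( btime + ticks / CLK_TCK ))
}

# Executable of a PID plus the libraries ldd resolves for it, symlinks followed.
# ldd lines look like "libc.so.6 => /lib/libc.so.6 (0x...)" or "/lib64/ld-linux-x86-64.so.2 (0x...)".
process_files() {
    exe=$(readlink -f "/proc/$1/exe") || return 1
    echo "$exe"
    ldd "$exe" 2>/dev/null |
        awk '$2 == "=>" && $3 ~ /^\// { print $3 } $1 ~ /^\// { print $1 }' |
        while read -r lib; do readlink -f "$lib" || true; done
}

# Read paths on stdin; print those whose mtime is later than the given epoch.
# Missing paths are skipped: a mapped file that was replaced already shows as
# "(deleted)" in /proc/PID/maps and is caught by needs-restarting/checkrestart.
files_newer_than() {
    start=$1
    while read -r f; do
        [ -e "$f" ] || continue
        if [ "$(stat -c %Y "$f")" -gt "$start" ]; then
            echo "$f"
        fi
    done
}

# One line per changed file: "<pid><tab><path>". A process whose own binary
# has been replaced is reported straight away.
check_pid() {
    pid=$1
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || return 0   # kernel thread, or gone
    case $exe in
        *" (deleted)") printf '%s\t%s\n' "$pid" "$exe"; return 0 ;;
    esac
    start=$(proc_start_epoch "$pid") || return 0
    process_files "$pid" | files_newer_than "$start" | awk -v pid="$pid" '{ print pid "\t" $0 }'
}

scan_all() {
    for p in /proc/[0-9]*; do
        check_pid "${p#/proc/}"
    done
}

case "${1:-}" in
    "")  ;;                                      # no args: only define functions
    all) scan_all ;;                             # run as root to see every process
    *)   for pid in "$@"; do check_pid "$pid"; done ;;
esac
```

`sudo sh deep-needs-restarting.sh all` walks every process; `sh deep-needs-restarting.sh 1234 5678` checks just those PIDs. Comparing against the process start time rather than against package transaction history keeps the script distribution-neutral, which is why the same file serves both the Red Hat and the Debian case.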