Category Archives: Ubuntu

Ubuntu related stuff

Add docker to unattended-upgrades in ubuntu 20.04

If you want your server to install docker updates automatically then you need to add the docker repository to the list of allowed origins. Otherwise docker updates will stay untouched by unattended-upgrade, which will look similar to this when you log in and check which updates need to be installed. I had that quite a few times until I decided to look into this.

sudo apt dist-upgrade 
...
The following packages will be upgraded:
  containerd.io docker-ce docker-ce-cli

As you can see all docker packages (coming from https://download.docker.com/linux/ubuntu) weren’t updated. This happens because this origin isn’t in the allowed origin list of unattended-upgrade. You can see metadata of the repository by running

apt-cache policy

There you will find an entry like this

 500 https://download.docker.com/linux/ubuntu focal/stable amd64 Packages
     release o=Docker,a=focal,l=Docker CE,c=stable,b=amd64
     origin download.docker.com

The important part is the o and a in this definition. Those state the origin and the archive.

To allow the docker repo as an origin you need to open /etc/apt/apt.conf.d/50unattended-upgrades with root access and add

"Docker:${distro_codename}";

to the list in Unattended-Upgrade::Allowed-Origins. The syntax is short for “origin:archive”.

Here the allowed origins list from my file as an example:

Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        "${distro_id}ESMApps:${distro_codename}-apps-security";
        "${distro_id}ESM:${distro_codename}-infra-security";
        "${distro_id}:${distro_codename}-updates";
        "Docker:${distro_codename}";
};

I replaced the archive name focal with the variable distro_codename, as the existing entries do. This will help with a future dist upgrade, for example if you plan to upgrade your OS to the next LTS version.

With those changes in place unattended-upgrade should also install updates for docker from now on.

The same procedure can be followed to add other repositories to this list as well.
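
As an added example (not part of the original post): a small shell function that reads apt-cache policy output and prints the matching "origin:archive" entries for Allowed-Origins, replacing the codename with ${distro_codename}. The function names and the sample input, including its Ubuntu entries, are constructed for illustration.

```shell
#!/bin/bash
# Added example: derive Unattended-Upgrade::Allowed-Origins entries
# ("origin:archive") from the "release" lines of `apt-cache policy`.

# Usage: apt-cache policy | allowed_origins <codename>
allowed_origins() {
    awk -v codename="$1" '
        $1 == "release" {
            origin = ""; archive = ""
            sub(/^[ \t]*release[ \t]+/, "")
            n = split($0, fields, ",")
            for (i = 1; i <= n; i++) {
                if (fields[i] ~ /^o=/) origin  = substr(fields[i], 3)
                if (fields[i] ~ /^a=/) archive = substr(fields[i], 3)
            }
            # Skip repositories that do not publish both o= and a=.
            if (origin == "" || archive == "") next
            # Swap the literal codename for the variable, as the post does.
            if (index(archive, codename) == 1)
                archive = "${distro_codename}" substr(archive, length(codename) + 1)
            entry = "\"" origin ":" archive "\";"
            # Several components of one repository share the same o= and a=.
            if (!(entry in seen)) { seen[entry] = 1; print entry }
        }'
}

# Constructed sample in the format shown above (not real output).
sample_policy() {
    cat <<'EOF'
 500 https://download.docker.com/linux/ubuntu focal/stable amd64 Packages
     release o=Docker,a=focal,l=Docker CE,c=stable,b=amd64
     origin download.docker.com
 500 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
     release v=20.04,o=Ubuntu,a=focal-updates,n=focal,l=Ubuntu,c=main,b=amd64
     origin archive.ubuntu.com
 500 http://archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages
     release v=20.04,o=Ubuntu,a=focal-updates,n=focal,l=Ubuntu,c=universe,b=amd64
     origin archive.ubuntu.com
EOF
}

sample_policy | allowed_origins focal
```

On a real system run apt-cache policy | allowed_origins "$(lsb_release -cs)" and review the entries before copying any of them into 50unattended-upgrades. Afterwards sudo unattended-upgrade --dry-run --debug shows which origins are allowed and which packages would be upgraded.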

redis-server on ubuntu 18.04

After installing redis on my machine I received the following error message:

redis-server.service: Can’t open PID file /var/run/redis/redis-server.pid (yet?) after start: No such file or directory

This message comes because redis refuses to start with disabled ipv6. To get it running you have to remove “::1” from “bind 127.0.0.1 ::1” in /etc/redis/redis.conf. Then redis starts as expected.

Access Ubuntu 18.04 via VNC from Mac

Ubuntu

First prepare the ubuntu machine by installing vino:

sudo apt install vino

Then press the Windows key and search for Sharing. Configure the system to allow remote connections with a given password.

You also need to disable encryption with:

gsettings set org.gnome.Vino require-encryption false

Mac

Then you can access the machine from your Mac with the Screen Sharing app using the URL

vnc://<IP>:5900

 

Add network bridge with ubuntu 18.04

To create a network bridge with netplan you have to create a file with the following content:

network:
  version: 2
  ethernets:
    enp6s0:
      dhcp4: true
  bridges:
    br0:
      interfaces: [enp6s0]
      dhcp4: true
      optional: false
      macaddress: <some mac>

Make sure to fill in a MAC address and replace the interface name enp6s0 with yours.

Then run sudo netplan apply.

The machine gets a new IP from DHCP, so make sure you have it configured in your DHCP server beforehand or have a local console 😉

Openssl certificates for apache

In my former post I described how to create self-signed SSL certificates with your own certificate authority. These certificates didn’t work in the latest Chrome versions, so I updated my scripts to create certificates that Chrome accepts. This time I only create wildcard certificates because creating one for every subdomain was annoying.

#!/bin/bash
# First script: creates the CA key and the self-signed CA certificate (run once).
if [ -e ca.key ]; then
	echo "ca.key already exists"
	exit 1
fi

openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt \
  -subj "/C=AT/ST=Vienna/L=Vienna/O=Coffeebeans/CN=Coffeebeans Domain Validation Secure Server CA/emailAddress=office@coffeebeans.at"

#!/bin/bash
# Second script: creates a wildcard certificate for the domain given as $1,
# signed by the CA created by the first script.
NAME="star.$1"
if [ "star." == "$NAME" ]; then
	echo "usage: $0 <domain.name>"
	exit 1
fi
if [ -e "$NAME.key" ]; then
	echo "$NAME.key already exists"
	exit 1
fi
if [ ! -e ca.crt ]; then
	echo "no ca certificate created"
	exit 1
fi

CONFIG=$(cat <<-EOF
[ca]
default_ca=CA_default

[CA_default]
dir=./ca
database=\$dir/index.txt
new_certs_dir=\$dir/newcerts
serial=\$dir/serial
private_key=./ca.key
certificate=./ca.crt
default_days=3650
default_md=sha256
policy=policy_anything
copy_extensions=copyall

[policy_anything]
countryName=optional
stateOrProvinceName=optional
localityName=optional
organizationName=optional
organizationalUnitName=optional
commonName=supplied
emailAddress=optional

[req]
default_bits=4096
prompt=no
default_md=sha256
req_extensions=req_ext
distinguished_name=dn

[ dn ]
C=AT
ST=Vienna
L=Vienna
OU=Domain Control Validated
emailAddress=office@coffeebeans.at
CN=*.$1

[ req_ext ]
subjectAltName=@alt_names

[ alt_names ]
DNS.1=$1
DNS.2=*.$1
EOF
)

# PREPARE
echo "$CONFIG" > config.txt
if [ ! -d ./ca ]; then
	mkdir -p ./ca/newcerts
	touch ./ca/index.txt
fi

openssl genrsa -out "$NAME.key" 4096
openssl req -new -key "$NAME.key" -out "$NAME.csr" -config config.txt
openssl ca -create_serial -batch -in "$NAME.csr" -out "$NAME.crt" -config config.txt

# CLEANUP
rm -f *.csr config.txt
# Private keys stay readable by the owner only; certificates are public.
chmod 600 *.key
chmod 644 *.crt

I also tried to use these certificates in postfix which did NOT work. To create files for postfix see my former post.

 

Robo 3T MongoDB client fails to start on ubuntu 16.04

I tried to run robo3t-1.1.1-linux-x86_64 downloaded from https://robomongo.org/ and got the following error when trying to run it:

This application failed to start because it could not find or load the Qt platform plugin "xcb"
in "".

Available platform plugins are: xcb.

Reinstalling the application may fix this problem.
Aborted

Trying to install xcb via apt install xcb doesn’t change the behavior. Then I found a solution by removing all libstdc++* files from the lib directory in the extracted directory:

rm lib/libstdc++*

failed to run Kubelet: failed to create kubelet: misconfiguration: kubelet cgroup driver: “systemd” is different from docker cgroup driver: “cgroupfs”

Distributor ID: Ubuntu
Description: Ubuntu 16.04.3 LTS
Release: 16.04
Codename: xenial

Docker version 17.06.0-ce, build 02c1d87

openshift-origin-server-v3.6.0-c4dd4cf-linux-64bit

I followed the steps under https://docs.openshift.org/latest/getting_started/administrators.html#downloading-the-binary and got the error in the title. To fix this you have to add “--exec-opt native.cgroupdriver=systemd” to ExecStart of docker. The best way to do this is to add a drop-in file /etc/systemd/system/docker.service.d/override.conf with the following content:

[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// --exec-opt native.cgroupdriver=systemd

Then reload systemd and restart docker:

sudo systemctl daemon-reload
sudo systemctl restart docker

 

Ubuntu: Docker behind proxy

sudo mkdir /etc/systemd/system/docker.service.d
cat /etc/systemd/system/docker.service.d/http-proxy.conf
[Service]
Environment="HTTP_PROXY=http://proxy-address:8080/"
Environment="HTTPS_PROXY=http://proxy-address:8080/"
Environment="NO_PROXY=localhost,127.0.0.1,.localdomain"

sudo systemctl daemon-reload
sudo systemctl restart docker

 

error: symbol ‘grub_efi_find_last_device_path’ not found

Updating to the latest grub version leads to “error: symbol ‘grub_efi_find_last_device_path’ not found” on my dual boot system having Ubuntu 15.10 next to Windows 10.

This can be fixed by downgrading to the version before the latest one in the ubuntu repository till this bug is fixed.

Here is how I downgraded my grub installation:

sudo apt-get install grub2-common=2.02~beta2-29ubuntu0.2 \
  grub-common=2.02~beta2-29ubuntu0.2 grub-efi-amd64=2.02~beta2-29ubuntu0.2 \
  grub-efi-amd64-bin=2.02~beta2-29ubuntu0.2

sudo apt-mark hold grub-common grub-efi-amd64-bin grub2-common grub-efi-amd64

Without the hold line apt would install the latest version on the next upgrade. As soon as the bug is fixed you can remove the hold mark with

sudo apt-mark unhold grub-common grub-efi-amd64-bin grub2-common grub-efi-amd64

hwclock problems with dual boot

My English version of Windows 10 and Ubuntu 16.04 could not agree whether my hwclock is UTC or not. So booting either Windows or Linux changed my hwclock and then the time in the other OS was wrong. So I changed my hwclock to UTC and told Windows and Linux that my clock is set to UTC:

Windows:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation]
"RealTimeIsUniversal"=dword:00000001

Linux:

Open the file (as superuser)

/etc/default/rcS

and add or change UTC=yes