Install openssl-1.1.0 on CentOS7

I really wanted the -proxy flag on the openssl command. It’s not available in the provided openssl package (1.0.1 series), but it is in the 1.1.0 which is now the base package in Fedora. But for the Enterprise Linux users, you need to do a little bit of work to get it.

Download a pre-compiled package

You could just download the package from my copr. Save the contents of the .repo file [copr.fedorainfracloud.org] or use them from here.

[bgstack15-stackrpms]
name=Copr repo for stackrpms owned by bgstack15
baseurl=https://copr-be.cloud.fedoraproject.org/results/bgstack15/stackrpms/epel-7-$basearch/
type=rpm-md
skip_if_unavailable=True
gpgcheck=1
gpgkey=https://copr-be.cloud.fedoraproject.org/results/bgstack15/stackrpms/pubkey.gpg
repo_gpgcheck=0
enabled=1
enabled_metadata=1

Install with:

yum install openssl110

And then the binary has been named openssl110

Download and compile the source

wget https://www.openssl.org/source/openssl-1.1.0i.tar.gz
tar -zxf openssl-1.1.0i.tar.gz
cd openssl-1.1.0i
./config
make
sudo make install

To prevent an error that resembles:

/usr/local/bin/openssl version
/usr/local/bin/openssl: error while loading shared libraries: libcrypto.so.1.1: cannot open shared object file: No such file or directory

You have to provide the library files in a directory that the dynamic linker is looking in. There are multiple ways to tackle this.

Option 1: update library path

Add the directory containing the libcrypt.so.1.1 and similar files to the LD_LIBRARY_PATH environment variable.

export LD_LIBRARY_PATH=/usr/local/lib64:${LD_LIBRARY_PATH}

Option 2: move library files to lib directory

Or just move the files to the main library location. On a x86_64 system, that would be:

mv libcrypto.so.1.1 libssl.so.1.1 /usr/lib64/

References

Weblinks

Internet search openssl s_client http proxy [duckduckgo.com]
openssl s_client using a proxy [stackoverflow.com]
How to update openssl 1.1.0 in Centos 6.9/7.0 [linuxscriptshub.com]

Advertisements

Git merge just a few files

Taking almost all of this content from How to selectively merge or pick changes from another branch in git? [stackoverflow.com]

git merge --no-ff --no-commit usefulbranch

By issuing no-commit, you can make any modifications to the code before committing, including:

git checkout HEAD filetostaythesame.txt

Fetching the original (probably master) file that should stay the same.

Extract src.rpm files

Command is borrowed from How To: Extract an RPM Package Files Without Installing It (cyberciti.biz)

rpm2cpio myrpmfile.rpm | cpio -idmv

When you search for “rpm2cpio” it shows that page, but you have to click into it and scroll down to find the one command. Maybe this page will supplant that one in the Internet searches and make it easier to see the command to run from the lede in the search results.

Kerberos notes and sssd Internal credentials cache error

If sssd gives you errors about unable to connect, it’s probably the host password (keytab) is out of date with what AD has. You have to reset the host account in AD, or even delete the computer account and rejoin the domain.

kdestroy -A
kinit domainadmin
msktutil -f -s host
msktutil -u -s host
kinit -k "$( hostname -s | tr '[[:lower:]]' '[[:upper:]]' )\$@MSAD.EXAMPLE.COM"
klist -kt

The kvno value in the output of klist -kt should match the attribute “msDS-KeyVersionNumber” of the server object in AD.

Error can include:

(Thu Aug  9 15:28:57 2018) [[sssd[krb5_child[3177]]]] [create_ccache] (0x0020): 1009: [-1765328188][Internal credentials cache error]
(Thu Aug  9 15:28:57 2018) [[sssd[krb5_child[3177]]]] [map_krb5_error] (0x0020): 1657: [-1765328188][Internal credentials cache error]
(Thu Aug  9 15:29:22 2018) [[sssd[krb5_child[3333]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(Thu Aug  9 15:29:22 2018) [[sssd[krb5_child[3333]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
(Thu Aug  9 15:29:22 2018) [[sssd[krb5_child[3333]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [bgstack15\@MSAD.EXAMPLE.COM@MSAD.EXAMPLE.COM] might not be correct.

Monitor owner and permissions changes

A user on the Fedora forum asked for assistance monitoring owner and permissions changes to files. I whipped up a general solution in shell.

It uses a compressed database to store the last run, and will show the changes of the requested attributes of each file.

Here’s some of the business logic.

   # not empty
   test -n "${CO_DEBUG}" && echo "Comparing ${CO_INPUT} to database ${CO_OUTPUT}"

   # learn current status
   scan_dir "${CO_INPUT}" > "${CO_TMPFILE}"

   # compare to database
   zcat "${CO_OUTPUT}" | diff -W300 --suppress-common-lines -y "-" "${CO_TMPFILE}"

   # replace database
   cat "${CO_TMPFILE}" | gzip > "${CO_OUTPUT}"

And the scan function is pretty simple. Just change what stat outputs if you want to monitor different file characteristics.

scan_dir() {
   # call: scan_dir "${CO_INPUT}"
   # output: listing of hash, owner+perm hash for each file
   local td="${1}"

   find "${td}" -exec stat -L -c '%u,%U,%g,%G,%a,%n' {} + 2>/dev/null | sort -t ',' -k6
}

The script stores its compressed databases in /var/cache/check-owners/, and it will make files named based on the base directory it scans, so /home would be db file /var/cache/check-owners/co.home.db.gz.

You could write a cron entry to call this once a day on a particular directory and email the output to you. A poor man’s AIDE, if you will.

Firefox disable trr

From a user at slashdot:

From:

https://blog.nightly.mozilla.org/2018/06/01/improving-dns-privacy-in-firefox/
https://wiki.mozilla.org/Trusted_Recursive_Resolver [mozilla.org]

• 0: Off by default
• 1: Firefox chooses faster
• 2: TRR default w/DNS fallback
• 3: TRR only mode
• 5: Disabled

I imagine the setting we’re all looking for is: user_pref(“network.trr.mode”, 5); (emphasis mine)

Manually fix volume in mp3 file

I am shamelessly ripping off a superuser answer: How can I normalize audio using ffmpeg?.

Option 3: Manually normalizing audio with ffmpeg

In ffmpeg you can use the volume filter to change the volume of a track. Make sure you download a recent version of the program.

This guide is for peak normalization, meaning that it will make the loudest part in the file sit at 0 dB instead of something lower. There is also RMS-based normalization which tries to make the average loudness the same across multiple files. To do that, do not try to push the maximum volume to 0 dB, but the mean volume to the dB level of choice (e.g. -26 dB).

Find out the gain to apply

First you need to analyze the audio stream for the maximum volume to see if normalizing would even pay off:

ffmpeg -i video.avi -af "volumedetect" -vn -sn -dn -f null /dev/null

Replace /dev/null with NUL on Windows.
The -vn, -sn, and -dn arguments instruct ffmpeg to ignore non-audio streams during this analysis. This drastically speeds up the analysis.

This will output something like the following:

[Parsed_volumedetect_0 @ 0x7f8ba1c121a0] mean_volume: -16.0 dB
[Parsed_volumedetect_0 @ 0x7f8ba1c121a0] max_volume: -5.0 dB
[Parsed_volumedetect_0 @ 0x7f8ba1c121a0] histogram_0db: 87861

As you can see, our maximum volume is -5.0 dB, so we can apply 5 dB gain. If you get a value of 0 dB, then you don’t need to normalize the audio.

Apply the volume filter:

Now we apply the volume filter to an audio file. Note that applying the filter means we will have to re-encode the audio stream. What codec you want for audio depends on the original format, of course. Here are some examples:

• Plain audio file: Just encode the file with whatever encoder you need:

  ffmpeg -i input.wav -af "volume=5dB" output.mp3
  

  Your options are very broad, of course.

ldapsearch find disabled users in Active Directory

If you want to find the disabled users in your AD environment, you can use a specific filter. Additionally, due to the number of records returned, I had to turn on paging (pr = some arbitrarily high value) so I could actually retrieve more than just the first 1000 entries.

echo '' | ldapsearch -E 'pr=4500' -z max -b 'dc=prod1,dc=example,dc=com' -s 'sub' -x -D 'CN=B Stack15,OU=Users,DC=prod1,DC=example,DC=com' -W -H 'ldaps://dc4.prod1.example.com:636' '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))' dn

The userAccountControl item in the search filter stores various useful information. The := operator is a bitmask.

References

Weblinks

1. https://www.petri.com/find-disabled-and-inactive-active-directory-users-accounts-with-powershell-revisited
2. Found from web search string “userAccountControl:1.2.840.113556.1.4.803” https://blogs.technet.microsoft.com/mempson/2011/08/24/useraccountcontrol-flags/
3. https://support.microsoft.com/en-us/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-pro

Compile Pale Moon 28 on Fedora 27

Introduction

Pale Moon 28 was released on August 16, 2018. I package it myself on Fedora because I don’t see it in the fedora repositories, and plus I like the experience of assembling packages myself. For a basic compile (not in an rpm), you can follow these instructions.

Install dependencies

Install the whole set of packages listed on the Pale Moon site (reference 2) or CentOS7

sudo dnf -y install gtk2-devel dbus-glib-devel autoconf213 yasm mesa-libGL-devel alsa-lib-devel libXt-devel zlib-devel openssl-devel sqlite-devel bzip2-devel pulseaudio-libs-devel
sudo dnf -y groupinstall 'Development Tools'

Install the dependencies I found.

sudo dnf -y install GConf2-devel notification-daemon

Use autoconf 2.13

Pale Moon depends on autoconf 2.13. Thankfully, it’s in the Fedora repos, but changing the main autoconf link to point to this specific version will save a bunch of headache later. Be aware that this step exactly as shown will change your system’s default autoconf. I’m sure this is a crude way to do it, but aren’t build systems throwaway systems nowadays?

autoconfver="$( autoconf --version 2>/dev/null | awk 'NR==1 {print $NF*100;} END {print "0";}' | head -n1 )"
test ${autoconfver} -ne 213 &&amp test ${autoconfver} -gt 0 && sudo mv /usr/bin/autoconf /usr/bin/autoconf-${autoconver} 2>/dev/null ; sudo ln -sf autoconf-2.13 /usr/bin/autoconf

Fetch source

Pale Moon likes to compile in ~/pmsrc. Don’t change it. It just makes it easier.

mkdir ~/pmsrc ~/pmbuild
cd ~/pmsrc
git clone https://github.com/MoonchildProductions/UXP .

Prepare to compile

Use the recommended .mozconfig from the Pale Moon site (reference 2)

tf=~/pmsrc/.mozconfig
touch "${tf}"
cat <<'EOFMOZCONFIG' > "${tf}"
mk_add_options AUTOCLOBBER=1
mk_add_options MOZ_OBJDIR=/home/$USER/pmbuild/
ac_add_options --enable-application=palemoon
 
ac_add_options --enable-optimize="-O2"
 
# Please see https://www.palemoon.org/redist.shtml for restrictions when using the official branding.
ac_add_options --enable-official-branding
export MOZILLA_OFFICIAL=1
 
ac_add_options --enable-default-toolkit=cairo-gtk2
ac_add_options --enable-jemalloc
ac_add_options --enable-strip
ac_add_options --with-pthreads
 
ac_add_options --disable-tests
ac_add_options --disable-eme
ac_add_options --disable-parental-controls
ac_add_options --disable-accessibility
ac_add_options --disable-webrtc
ac_add_options --disable-gamepad
ac_add_options --disable-necko-wifi
ac_add_options --disable-updater
 
ac_add_options --x-libraries=/usr/lib
EOFMOZCONFIG

Compile

These instructions include saving the output to a log file, but that’s not necessary.

mkdir ~/log
cd ~/pmsrc
{ time ./mach build && time ./mach package ; } | tee -a ~/log/pmsrc.$( date "+%F-%H%M%S" ).log
echo done

References

Weblinks

1. https://bugzilla.mozilla.org/show_bug.cgi?id=1167201
2. http://developer.palemoon.org/Developer_Guide:Build_Instructions/Pale_Moon/Linux#head:Fedora
3. Compiling Pale Moon web browser on Fedora (published 2018-02-09)

ansible control hosts entries

Somebody should make a module of this. In the meantime, here’s a simple hosts entries task in ansible.

- name: hosts entries
  lineinfile:
    path: "{{ etc_hosts_file | default('/etc/hosts') }}"
    regexp: '^\s*{{ item.ip }}.*'
    line: "{{ item.ip }}   {{ item.hostnames | sort() | join(' ') }}"
    backup: yes
  with_items:
  - "{{ hosts_entries }}"

Use a list like so:

hosts_entries:
- { ip: '1.2.3.4', hostnames: ['example.com','www.example.com'] }
- { ip: '5.6.7.8', hostnames: ['ldap.example.com'] }