X forwarding for virt-manager to Windows

Story time! When I was working on my virtual environment, I rebooted my main desktop. So I was stuck using my Windows desktop for a minute, and I wanted to work on my virtual machines.

I decided to do some X forwarding, which for virt-manager on CentOS 7 needs some special steps.

On the server

First, install virt-manager. You will also need xauth and the DejaVu fonts (without fonts, virt-manager's windows render unreadably over X forwarding; see reference 5).

yum install -y virt-manager xauth 'dejavu-*fonts'   # quoted so yum, not the shell, expands the wildcard

Reference: https://superuser.com/questions/119792/how-to-use-x11-forwarding-with-putty/119908#119908

On the client

On the Windows client, install an X server. I picked Xming. Its fonts package needs to be installed as well.

Run Xming.

Connect to the server with PuTTY. You will need to configure PuTTY to allow X11 forwarding and to point it at the right X display.

[Screenshot: PuTTY configuration, X11 forwarding enabled with the X display location set to localhost:0]

Notes

Unfortunately, my keyboard input to the virtual machine does not work when I have it configured with a spice display. But it works when I use a vnc display. See https://bugzilla.redhat.com/show_bug.cgi?id=1236412 for a closed bug report that has similar symptoms to this problem.

[Screenshot: virt-manager display settings for a virtual machine, where the server type is switched from Spice to VNC]

References

Weblinks

  1. http://straightrunning.com/XmingNotes/#head-131
  2. https://superuser.com/questions/119792/how-to-use-x11-forwarding-with-putty/119908#119908
  3. https://sourceforge.net/projects/xming/files/Xming/
  4. https://sourceforge.net/projects/xming/files/Xming-fonts/
  5. https://robert.penz.name/354/how-to-fix-the-font-for-virt-manager-via-x-forwarding/
  6. https://bugzilla.redhat.com/show_bug.cgi?id=1236412
  7. PuTTY https://www.chiark.greenend.org.uk/~sgtatham/putty/

List outbound ssh sessions

tl;dr

sudo netstat -Watp | grep 'ESTABLISHED.*ssh' | awk '{print $5}' | sed 's/:ssh//;' | sort | uniq | while read line; do ps -ef | grep -o "ssh\s.*${line}"; done | sort | uniq | sed -r -e 's/ssh //g;' -e 's/-l (\w*) /\1@/;'

Backstory

During other work, it came up that I was interested in seeing what outbound ssh sessions I was using. Now I don’t even know why it came up, because I was just writing a shell script to programmatically adjust my xfce settings using its xfconf-query API.

Walking through the command

sudo netstat -Watp | grep 'ESTABLISHED.*ssh' | awk '{print $5}' | sed 's/:ssh//;' | sort | uniq | while read line; do ps -ef | grep -o "ssh\s.*${line}"; done | sort | uniq | sed -r -e 's/ssh //g;' -e 's/-l (\w*) /\1@/;'

This whole statement lists the established ssh connections, finds the running processes for them and tries to identify the usernames. Step by step:

  1. Everything before the while collects the list of established ssh connections: sudo netstat -Watp | grep 'ESTABLISHED.*ssh' gets the list of ssh connections, and awk | sed | sort | uniq keeps only the peer column from each row and removes duplicates.
  2. The while read line; do :; done loop iterates over the list. For each line, it searches all running processes for that peer name on the same command line as the expression 'ssh'.
  3. sort | uniq removes duplicates (apparently qemu+kvm in virt-manager uses a lot of separate ssh processes).
  4. sed -r -e 's/ssh //g;' -e 's/-l (\w*) /\1@/;' trims extra characters and also converts compatible outputs into "username@hostname".

Improvements to be made

This snippet as is only works if the destination in the ssh command matches exactly what netstat prints for the peer. If DNS reverse zones are not configured correctly, so that netstat shows an IP address while the ssh command used a hostname, this snippet will not find it. I need to improve that, which will probably require a fancier script rather than a one-liner.
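The one-liner compares the ssh command line textually against netstat's peer column, which is exactly why a hostname on the command line and an address in netstat never match. The script below is an added example, not from the original post: it reads established connections to port 22 with ss (the iproute2 replacement for netstat), parses the peer address and owning pid of each, pulls that pid's command line from ps, picks the destination out of the ssh arguments and resolves it with getent, so a hostname and its address compare equal. The function names (parse_ss, ssh_target, resolve_host, ssh_sessions) are this script's own, the option handling in ssh_target is a heuristic for common ssh command lines, sessions to sshd on ports other than 22 are not listed, and the ss lines in SAMPLE_SS are constructed for the self-check.

```shell
#!/usr/bin/env bash
# List outbound ssh sessions as user@host, matching each established connection
# to the ssh process that owns it and resolving the host given on the command line.
# Run as root: ss -p only shows process owners for your own processes otherwise.

# Constructed sample of "ss -tnp state established '( dport = :22 )'" output.
SAMPLE_SS='Recv-Q Send-Q Local Address:Port Peer Address:Port Process
0      0      192.168.1.10:51234     192.168.1.20:22     users:(("ssh",pid=4321,fd=3))
0      0      [fe80::10]:51300       [fe80::1]:22        users:(("ssh",pid=4400,fd=3))'

# parse_ss: read ss output on stdin, print "<pid> <peer-ip>" per connection.
# With a state filter ss omits the State column, so the peer is field 4 and the
# process info is field 5; the header has no "pid=" and is skipped automatically.
parse_ss() {
  awk '{
    peer = $4; sub(/:[0-9]+$/, "", peer); gsub(/[][]/, "", peer)
    if (match($5, /pid=[0-9]+/)) print substr($5, RSTART + 4, RLENGTH - 4), peer
  }'
}

# ssh_target "<ssh command line>": print user@host for the destination.
# Heuristic: skip options that take an argument, take the first non-option word.
ssh_target() {
  set -- $1                   # word-split the command line on purpose
  shift                       # drop the "ssh" word itself
  local user="" host=""
  while [ $# -gt 0 ]; do
    case "$1" in
      -l) user="$2"; shift 2 ;;
      -p|-i|-o|-F|-L|-R|-D|-J|-W|-b|-c|-e|-E|-m|-O|-Q|-S|-w|-B|-I) shift 2 ;;
      -*) shift ;;
      *) host="$1"; break ;;
    esac
  done
  [ -n "$host" ] || return 1
  case "$host" in *@*) user="${host%%@*}"; host="${host#*@}" ;; esac
  printf '%s@%s\n' "${user:-$(id -un)}" "$host"
}

# resolve_host <name-or-ip>: first address getent returns (a literal IP resolves to itself)
resolve_host() {
  getent ahosts "$1" | awk 'NR == 1 { print $1 }'
}

# ssh_sessions: one line per established outbound ssh connection:
#   user@host -> peer-ip [ok | unresolved | mismatch]
ssh_sessions() {
  ss -tnp state established '( dport = :22 )' | parse_ss | sort -u |
  while read -r pid peer; do
    args=$(ps -o args= -p "$pid") || continue
    target=$(ssh_target "$args") || continue
    host="${target#*@}"
    resolved=$(resolve_host "$host")
    if [ -z "$resolved" ]; then verdict=unresolved
    elif [ "$resolved" = "$peer" ]; then verdict=ok
    else verdict=mismatch
    fi
    printf '%s -> %s [%s]\n' "$target" "$peer" "$verdict"
  done
}

if [ "${1:-}" = "--list" ]; then
  ssh_sessions
fi
```

A "mismatch" line is worth a second look: it means the peer that the kernel reports is not the address the name on the command line resolves to right now, which is what the one-liner silently drops.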

References

Weblinks

  1. https://serverfault.com/questions/431034/getting-list-of-opened-ssh-connections-by-name

Fix Korora xfce spice display pausing

For the Fedora spin Korora with the xfce desktop running in a kvm virtual machine, the display might pause for 2 seconds every so often. The system is running, but sometimes the display just freezes.

To fix this issue, run the xfce "Window Manager Tweaks" tool. On the "Compositor" tab, uncheck "Synchronize drawing to the vertical blank."

Thanks to Jim at the Korora Project for this one!

Mount an lvm logical volume from a qcow2 file

Mounting qcow2 files to host filesystem

Converting to raw and mounting

kpartx does not work very well with qcow2 files. You can convert the qcow2 file to a raw file:

oldfile=file.qcow2
newfile=file.raw
qemu-img convert -f qcow2 -O raw "${oldfile}" "${newfile}"   # raw is the default output format; stating it avoids surprises

You can now find the partitions and map them:

kpartx -av "${newfile}"                  # prints one "add map loopNpM ..." line per partition it mapped
mount /dev/mapper/loop2p2 /mnt/foo       # kpartx creates the nodes under /dev/mapper; use the loopNpM name it printed

Modifying a virtual machine to use the new image file

You can modify a virtual machine definition to use this new file:

virsh dumpxml "${domain}" > domain.xml
vi domain.xml   # change the disk to <source file='/path/file.raw'/> and <driver name='qemu' type='raw'/>
virsh create domain.xml   # starts a transient domain from the XML; "virsh define domain.xml" would make it persistent

Mounting lvm logical volumes from the image file

Update lvm with the currently attached disks.

pvscan; lvscan; lvdisplay   # pvscan finds the PVs on the mapped partitions; lvdisplay lists the LVs and their device paths

Now you can mount /dev/mapper/cl_centos7-02a_root to a mount point.
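Putting the three stages together, the script below is an added example rather than the post's own commands: it converts the image, maps the partitions with kpartx, parses kpartx's "add map" lines instead of assuming loop2p2, activates the volume group found on the mapped partitions with vgchange (pvscan alone only reports, it does not make the LV devices appear) and mounts the chosen logical volume read-only, since inspecting a guest disk from the host should not alter it. The function names, the DRY_RUN convention and the sample kpartx lines in SAMPLE_KPARTX are this script's own; the volume group and LV names passed in are assumptions.

```shell
#!/usr/bin/env bash
# Mount an LVM logical volume that lives inside a qcow2 image, without hardcoding
# the loop device that kpartx happens to pick. Run as root; DRY_RUN=1 only prints.

run() { if [ -n "${DRY_RUN:-}" ]; then echo "+ $*"; else "$@"; fi; }

# Constructed sample of "kpartx -av" output for a two-partition image.
SAMPLE_KPARTX='add map loop2p1 (253:3): 0 2097152 linear 7:2 2048
add map loop2p2 (253:4): 0 39843840 linear 7:2 2099200'

# kpartx_maps: read "kpartx -av" output on stdin, print the /dev/mapper node of
# every partition it mapped.
kpartx_maps() {
  awk '$1 == "add" && $2 == "map" { print "/dev/mapper/" $3 }'
}

# qcow2_to_raw <image.qcow2> <image.raw>: kpartx copes badly with qcow2, so convert first.
qcow2_to_raw() {
  run qemu-img convert -f qcow2 -O raw "$1" "$2"
}

# mount_image_lv <image.raw> <vg> <lv> <mountpoint>
mount_image_lv() {
  local raw="$1" vg="$2" lv="$3" mnt="$4" maps
  maps=$(run kpartx -av "$raw" | kpartx_maps)
  echo "mapped partitions:" $maps
  run pvscan                      # let LVM notice the PVs on the new block devices
  run vgchange -ay "$vg"          # activate the group so /dev/<vg>/<lv> exists
  run mount -o ro "/dev/$vg/$lv" "$mnt"
}

# umount_image_lv <image.raw> <vg> <mountpoint>: undo the steps in reverse order
umount_image_lv() {
  run umount "$3"
  run vgchange -an "$2"
  run kpartx -dv "$1"
}

# example: qcow2_to_raw file.qcow2 file.raw && mount_image_lv file.raw cl_centos7-02a root /mnt/foo
```

One caveat the post does not mention: if the guest's volume group has the same name as one on the host (CentOS installs tend to reuse the same default names), vgchange cannot tell them apart. Check with vgs -o vg_name,vg_uuid and rename the guest's group by UUID with vgrename before activating it.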

References

Weblinks

  1. Converting qcow2 file to raw to make it work with kpartx https://www.certdepot.net/rhel7-access-virtual-machines-console/#comment-41448
  2. An alternate way to mount a qcow2 file http://ask.xmodulo.com/mount-qcow2-disk-image-linux.html

Man pages

  1. virsh

Resize a live logical volume

Resizing a live logical volume

If you use lvm to abstract the filesystems away from the direct hardware, you might need to know how to add additional space without taking the filesystem offline. This post shows how you might do that.

Attach new disk

Save current state to a file for comparison.

ls -l /dev/{s,v}d* > ~/ls.dev.sd.before

Install additional disk to system (in hypervisor or attach to physical machine).
Scan with rescan-scsi-bus.sh (from sg3_utils package).
If that fails, try

find /sys/class/scsi_host/host*/scan | while read line; do echo "- - -" > "$line"; done
lsblk

Find the name of the new disk:

ls -l /dev/{s,v}d* > ~/ls.dev.sd.after
diff ~/ls.dev.sd.before ~/ls.dev.sd.after

The output should be the name of the new disk.

Create a new partition

How to do it in fdisk:

fdisk /dev/newdisk
n[enter]   # new partition
p[enter]   # primary
1[enter]   # partition number 1
[enter]    # accept the default first sector
[enter]    # accept the default last sector (use the whole disk)
w[enter]   # write the partition table and exit

Add the partition to lvm and the logical volume

pvcreate /dev/newdisk1
vgextend vgname /dev/newdisk1
lvextend /dev/vgname/lvname /dev/newdisk1

Resize the filesystem

Filesystem type ext4 can be resized live:

resize2fs /dev/vgname/lvname
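The steps above as one script, added here as an example and not taken from the post: it records the device list, rescans the SCSI hosts, works out which disk is new by comparing the two listings (ls -l puts the path in the last field, and names ending in a digit are partitions, not fresh disks), then partitions the disk with sfdisk, adds it to the volume group and extends the logical volume. lvextend -r resizes the filesystem in the same step (through fsadm, which handles ext2/3/4 and xfs), so the separate resize2fs run is folded in; that matters on CentOS 7, whose default filesystem is xfs, where resize2fs would not apply. The function names, the DRY_RUN convention and the sample listings in SAMPLE_BEFORE and SAMPLE_AFTER are this script's own; it assumes sd/vd-style names where the first partition is the disk name plus "1".

```shell
#!/usr/bin/env bash
# Grow a live logical volume onto a newly attached disk. Run as root; DRY_RUN=1 only prints.

run() { if [ -n "${DRY_RUN:-}" ]; then echo "+ $*"; else "$@"; fi; }

# Constructed "ls -l /dev/[sv]d*" listings from before and after attaching a disk.
SAMPLE_BEFORE='brw-rw---- 1 root disk 8, 0 Jan  1 00:00 /dev/sda
brw-rw---- 1 root disk 8, 1 Jan  1 00:00 /dev/sda1'
SAMPLE_AFTER='brw-rw---- 1 root disk 8, 0 Jan  1 00:00 /dev/sda
brw-rw---- 1 root disk 8, 1 Jan  1 00:00 /dev/sda1
brw-rw---- 1 root disk 8, 16 Jan  1 00:00 /dev/sdb'

# snapshot_devices <file>: record the current block device names
snapshot_devices() { ls -l /dev/[sv]d* > "$1"; }

# rescan_scsi: ask every SCSI host to look for new devices (the page's find loop)
rescan_scsi() {
  local host
  for host in /sys/class/scsi_host/host*/scan; do
    if [ -e "$host" ]; then run sh -c "echo '- - -' > $host"; fi
  done
}

# new_block_devices <before-file> <after-file>: whole disks present only in "after"
new_block_devices() {
  awk 'NR == FNR { seen[$NF] = 1; next }
       !($NF in seen) && $NF !~ /[0-9]$/ { print $NF }' "$1" "$2"
}

# grow_lv <disk> <vg> <lv>: one partition spanning the disk (type 8e, Linux LVM),
# add it to the VG, extend the LV onto all of it and resize the filesystem.
grow_lv() {
  local disk="$1" vg="$2" lv="$3" part="${1}1"
  printf ',,8e\n' | run sfdisk "$disk"     # start,size,type: defaults mean "whole disk"
  run partprobe "$disk"
  run pvcreate "$part"
  run vgextend "$vg" "$part"
  run lvextend -r -l +100%PVS "/dev/$vg/$lv" "$part"   # %PVS: all free space on the named PV
}

# example session:
#   snapshot_devices ~/ls.dev.sd.before; (attach the disk); rescan_scsi
#   snapshot_devices ~/ls.dev.sd.after
#   new_block_devices ~/ls.dev.sd.before ~/ls.dev.sd.after   # prints e.g. /dev/sdb
#   grow_lv /dev/sdb vgname lvname
```

Run new_block_devices and read its output before calling grow_lv: sfdisk overwrites the partition table of whatever disk it is given, so the one safety check in this procedure is confirming that the detected device really is the empty disk you just attached.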

sshd_config match negate address

tl;dr

Match Address *,!192.168.1.0/24

Negating address in match statement in sshd_config

I was locking down my ssh server configuration on a host, so that it will not accept password auth from outside a certain IP address range.
I had to learn how to get the Match Address directive to work with a negation. To make it work, you need to insert a wildcard before you then state the exclusion.

Match Address *,!192.168.1.0/24

And then I added the directives for this matched IP address range.

   AuthenticationMethods publickey
   PubkeyAuthentication yes
   PasswordAuthentication no
   X11Forwarding no

References

Weblinks

  1. https://serverfault.com/questions/408284/how-can-the-address-condition-in-a-match-conditional-block-in-sshd-config-be-neg

Man pages

  1. sshd_config
  2. ssh_config

Send authenticated gmail from cli with mailx

Overview

I’ve shown how to send authenticated gmail from the command line before. That uses msmtp which takes some configuration.
This document shows how to use mailx itself to send authenticated gmail.

tl;dr

echo "this is the message" | mailx -s "Subject line here" \
-S smtp-use-starttls -S ssl-verify=ignore -S smtp-auth=login \
-S smtp=smtp://smtp.gmail.com:587 -S from="bgstack15@gmail.com(B Stack)" \
-S smtp-auth-user="bgstack15@gmail.com" \
-S smtp-auth-password="${SMTPPASSWORD}" \
-S nss-config-dir=/etc/pki/nssdb/ destination@example.com

Explanation

You need a certificate chain somewhere, which is what nss-config-dir points at. You could also try nss-config-dir=~/.mozilla/firefox/xxxxxxxx.default.
If you use the whole command in the tl;dr section, you don't need any config file. Be aware, though, that anything passed on the command line is visible to every other user on the system (in ps output, for example), so passing in the password as seen above is risky.
You can redirect standard input from a file if you wish, of course, or from a here-document.
For a dedicated configuration, and better password security, consider adding this to your ~/.mailrc file:

set smtp-use-starttls
set nss-config-dir=/etc/pki/nssdb/
set ssl-verify=ignore
set smtp=smtp://smtp.gmail.com:587
set smtp-auth=login
set smtp-auth-user=bgstack15@gmail.com
set smtp-auth-password=QWERTYUIOP
set from="bgstack15@gmail.com(B Stack)"

And then just use:

mailx -s "Subject line" destination@example.com
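The following script is an added example of the safer variant the post alludes to, not code from the post itself: it writes the rc file with permissions only the owner can read and selects it through the MAILRC environment variable (honoured by the heirloom mailx that CentOS ships), so the password is never an argument on any command line. It also sets ssl-verify=strict instead of ignore; the ignore setting turns off certificate verification entirely, and strict only works once the CA chain is present in the nss-config-dir database, which is the one thing to confirm if it fails with a certificate error. The function names, the password-file argument and the placeholder values in the self-check are this script's own.

```shell
#!/usr/bin/env bash
# Send mail through Gmail with mailx while keeping the password out of argv.
# Anything passed as -S smtp-auth-password=... is visible to every user through ps;
# a private rc file selected with MAILRC is not.

# write_mailrc <rcfile> <gmail-address> <password-file>
# Writes a mailx startup file readable only by its owner. The password comes from
# a file (keep that file at mode 0600 as well) so it never appears on a command line.
write_mailrc() {
  local rc="$1" acct="$2" pw
  pw=$(cat "$3") || return 1
  (
    umask 077                    # the new file is created 0600
    rm -f -- "$rc"               # do not inherit looser permissions from an old copy
    cat > "$rc" <<EOF
set smtp-use-starttls
set nss-config-dir=/etc/pki/nssdb/
set ssl-verify=strict
set smtp=smtp://smtp.gmail.com:587
set smtp-auth=login
set smtp-auth-user="${acct}"
set smtp-auth-password="${pw}"
set from="${acct}"
EOF
  )
}

# send_gmail <rcfile> <recipient> <subject>    (message body on stdin)
# MAILRC makes mailx read our file instead of ~/.mailrc; argv carries no secret.
send_gmail() {
  MAILRC="$1" mailx -s "$3" "$2"
}

# example:
#   write_mailrc ~/.gmailrc bgstack15@gmail.com ~/.gmail-password
#   printf 'this is the message\n' | send_gmail ~/.gmailrc destination@example.com "Subject line here"
```

Use an application-specific password for the account rather than the account password, and keep the rc file out of any shared or backed-up-in-the-clear location; the permissions protect it from other users on the host, not from anyone who can read your backups.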

References

Weblinks

  1. https://bgstack15.wordpress.com/2017/04/03/send-authenticated-gmail-from-command-line/
  2. Inspiration for entire contents https://www.systutorials.com/1411/sending-email-from-mailx-command-in-linux-using-gmails-smtp/

Cinnamon on VNC on CentOS 7

Overview

This document describes how to install Cinnamon desktop environment on CentOS 7 for use in VNC. Basically, you can take a headless server and turn it into a virtual desktop controller.

Caveats

Limitations of this design keep it from scaling beyond a small number of users, so it is best suited for home or small office use.
VNC by itself provides essentially no security. Consider alternatives or additions to this process when security is a consideration.

Installing Cinnamon for VNC

Installing the components

Install the vnc server.

yum install tigervnc-server tigervnc vnc

Install the desktop environment.

yum install cinnamon

Install any applications to be used.

yum install firefox gnome-terminal

Configuring the components

For each user that uses a virtual desktop on this host, you will need a separate systemd service, as well as a vnc password which is separate from the regular user password. Also set up the xstartup file for vnc.

tu=bgstack15   # user who gets a desktop
tn=1           # display number; the server listens on TCP port 5900+tn (5901 here)
sudo cp -p /lib/systemd/system/vncserver@.service /etc/systemd/system/vncserver@\:${tn}.service
# the template unit carries the literal placeholder <USER>; put the real user name there
sed -r -i -e "s/<USER>/${tu}/g;" /etc/systemd/system/vncserver@\:${tn}.service
systemctl daemon-reload
systemctl enable vncserver@\:${tn}.service
firewall-cmd --permanent --add-port 59$( printf '%02i' "${tn}")/tcp
firewall-cmd --reload
printf "For user ${tu} please provide new "
su - ${tu} -c vncpasswd   # also creates the user's ~/.vnc directory
# xstartup belongs in the target user's home, not in the home of whoever runs these commands
th=$( getent passwd "${tu}" | cut -d: -f6 )
tf="${th}/.vnc/xstartup"
test -f "${tf}" && \cp -p "${tf}" "${tf}.$( date "+%Y-%m-%dT%H%M%S" )"; touch "${tf}"; chmod 0755 "${tf}"
# quoted heredoc: $HOME is written literally and expands when the session starts, not now
cat <<'EOF' > "${tf}"
unset SESSION_MANAGER
unset DBUS_SESSION_BUS_ADDRESS
[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
exec /usr/bin/cinnamon-session
EOF
chown "${tu}:" "${tf}"
systemctl start vncserver@\:${tn}.service

Connecting to the desktop

On a client, run

vncviewer hostname:1