Posted on Leave a comment

5 cool terminal pagers in Fedora

Large files like logs or source code can run into the thousands of lines. That makes navigating them difficult, particularly from the terminal. Additionally, most terminal emulators have a scrollback buffer of only a few hundred lines. That can make it impossible to browse large files in the terminal using utilities which print to standard output like cat, head and tail. In the early days of computing, programmers solved these problems by developing utilities for displaying text in the form of virtual “pages” — utilities imaginatively described as pagers.

Pagers offer a number of features which make text file navigation much simpler, including scrolling, search functions, and the ability to feature as part of a pipeline of commands. In contrast to most text editors, some terminal pagers do not require loading the entire file for viewing, which makes them faster, especially for very large files.

In the modern era of Linux computing, terminal emulators are more sophisticated than ever. They offer support for a kaleidoscope of colors, terminal resizing, as well as a host of other features to make parsing text on screen easier and more efficient. Terminal pagers have undergone a similar evolution, from extremely simple UNIX utilities like pg and more, to sophisticated programs with a wide range of features, covering any number of use cases. With this in mind, we’ve put together a list of some of the most popular terminal paging utilities — more or less.

More

more is one of the earliest pagers, initially featured in version 3.0 BSD. The first implementation of more was written in 1978 by Daniel Halbert. Since then, more has become a ubiquitous feature of many operating systems, including Windows, OS/2, MacOS and most linux distributions.

more is a very lightweight utility. The version featured in util-linux runs to just under 2100 lines of C. However, this small footprint comes at a price. Most versions of more feature relatively limited functionality, with no support for backwards scroll or search. Commands are similarly stripped back: press enter to scroll one line, or space to scroll one page. Some other useful commands include:

  • Press v while reading to open the current file in your default terminal editor.
  • ‘/pattern‘ let’s you search for the next occurrence of pattern.
  • :n and :p will open the next and previous files respectively when more is called with more than one file as arguments

Less

less was initially conceived as a successor to more, addressing some of its limitations. Building on the functionality of more, less adds a number of useful features including backwards scroll, backwards search. It is also more amenable to window resizing.

Navigation in less is similar to more, though less borrows a few useful commands from the vi editor as well. Users can navigate the document using the familiar home row navigational keys. A glance at the man page for less reveals a fairly rich repertoire of available commands. Some particularly useful examples include:

  • ?pattern lets you search backwards in the file for pattern
  • &pattern shows only lines which feature pattern. This is particularly useful for those who find themselves issuing $ grep pattern | less regularly.
  • Calling less with the -s (–sqeueeze-blank-lines) flag allows you to view text files with large gaps. Multiple newline characters are reduced to single breaks.
  • s filename, called from within the program, saves input to filename (if input is a pipe).
  • Alternatively, calling less with the -o filename flag will save the input of less to filename.

With this enhanced functionality comes a little extra weight. The version of less that ships with Fedora at the time of writing clocks in at around 25000 lines of source code. Granted, for all but the most storage constrained systems, this is a non-issue. Besides, less is more than more.

Most

While less aims to expand on the existing capabilities of more, most takes a different approach. Rather than expanding on the traditional single file view, most gives users the ability to split their view into “windows.” Each window contains different files in different viewing modes.
Significantly, most takes into account the width of its input text. The default viewing mode doesn’t wrap text (-S in less), a feature particularly useful when dealing with “wide” files. While these design decisions might represent a significant departure from tradition for some users, the end result is very powerful.

In addition to the navigation commands offered by more, most uses intuitive mnemonics for file navigation. For example, t moves to the top of a file, and b moves to the bottom. As a result, users unfamiliar with vi and its descendants will find most to be refreshingly simple.

The distinguishing feature of most is its ability to split windows and contexts quickly and easily. For example, one could open two distinct text files using the following:

$ most textFile1.txt textFile2.txt

In order to split the screen horizontally, use the key combos Ctrl+x, 2 or Ctrl+w, 2. The command :n will open the next file argument in a given window, offering a split screen view of two files:

If you turn wrap off in one window, it does not affect the behavior of other windows. The \ character indicates a wrap or fold, while the $ character indicates that the file extends past the limitations of the current window.

pspg

Those who work with SQL databases often need to be able to examine the contents of our databases at a glance. The command line interfaces for many popular open source DBMS’s, such as MySQL and PostGreSQL, use the system default pager to view outputs that don’t fit on a single screen. Utilities like more and less are designed around the idea of presenting text files, but for more structured data, leave something to be desired. Naive text paginating programs have no concept of broad, tabular data, which can be frustrating when dealing with large queries.

pspg attempts to address this by offering users the ability to freeze columns while viewing, sort data in situ, and colourize output. While pspg was intended initially to serve as a pager replacement for psql specifically, the program also supports the viewing of CSV data, and is a suitable drop-in replacement for mysql and pgcli.

Vim

In a modern, technicolor terminal, the idea of endless pages of drab grey on black text can feel like something of an anachronism. The syntax highlighting options offered by powerful text editors like vim can be useful for browsing source code. Furthermore, the search functions offered by vim vastly outclass the competition. With this in mind, vim ships with a shell script less.sh that lets vim serve as a replacement for conventional pagers.

To set vim as the default pager for man pages, add the following to your shell’s config (such as ~/.bashrc if using the default bash shell):

export MANPAGER="/bin/sh -c \"col -b | vim -c 'set ft=man ts=8 nomod nolist nonu noma' -\""

Alternatively, to set vim as the default pager system-wide, locate the less.sh script. (You can find it at /usr/share/vim/vim81/macros/ on current Fedora systems.) Export this location as the variable PAGER to set it as default, or under an alias to invoke it explicitly.


Photo by Cathy Mü on Unsplash.

Posted on Leave a comment

Using Ansible to organize your SSH keys in AWS

If you’ve worked with instances in Amazon Web Services (AWS) for a long time, you may run into this common issue. It’s not technical, but more to do with the human nature of getting too comfortable. When you launch a new instance in a region you haven’t used recently, you may end up creating a new SSH key pair. This leads to having too many keys, which can become complicated and disordered.

This article shows you a way to have your public key in all regions. A recent Fedora Magazine article includes one solution. But the solution in this article is automated even further, and in a more concise and scalable way.

Say you have a Fedora 30 or 31 desktop system where your key is stored, and Ansible is installed as well. These two things together provide the solution to this problem and many more.

With Ansible’s ec2_key module, you can create a simple playbook that will maintain your SSH key pair in all regions. If you need to add or remove keys, it’s as simple as adding and removing lines from a file.

Setting up and running the playbook

To use the playbook, first install necessary dependencies for the ec2_key module:

$ sudo dnf install python3-boto python3-boto3

The playbook is simple: you need only to change your key and its name as in the example below. After that, run the playbook and it iterates over all the public AWS regions listed. The example also includes the restricted regions in case you have access. To include them, uncomment each line as needed, save the file, and then run the playbook again.

---
- name: Maintain an ssh key pair in ec2 hosts: localhost connection: local gather_facts: no vars: ansible_python_interpreter: python tasks: - name: Make available your ssh public key in ec2 for new instances ec2_key: name: "YOUR KEY NAME GOES HERE" key_material: 'YOUR KEY GOES HERE' state: present region: "{{ item }}" with_items: - us-east-2 #US East (Ohio) - us-east-1 #US East (N. Virginia) - us-west-1 #US West (N. California) - us-west-2 #US West (Oregon) - ap-east-1 #Asia Pacific (Hong Kong) - ap-south-1 #Asia Pacific (Mumbai) - ap-northeast-2 #Asia Pacific (Seoul) - ap-southeast-1 #Asia Pacific (Singapore) - ap-southeast-2 #Asia Pacific (Sydney) - ap-northeast-1 #Asia Pacific (Tokyo) - ca-central-1 #Canada (Central) - eu-central-1 #EU (Frankfurt) - eu-west-1 #EU (Ireland) - eu-west-2 #EU (London) - eu-west-3 #EU (Paris) - eu-north-1 #EU (Stockholm) - me-south-1 #Middle East (Bahrain) - sa-east-1 #South America (Sao Paulo) # - us-gov-east-1 #AWS GovCloud (US-East) # - us-gov-west-1 #AWS GovCloud (US-West) # - ap-northeast-3 #Asia Pacific (Osaka-Local) # - cn-north-1 #China (Beijing) # - cn-northwest-1 #China (Ningxia)

This playbook requires AWS access via API, as well. To do this, use environment variables as follows:

$ AWS_ACCESS_KEY="aws-access-key-id" AWS_SECRET_KEY="aws-secret-key-id" ansible-playbook ec2-playbook.yml

Another option is to install the aws cli tools and add the credentials as explained in a previous Fedora Magazine article. It is not recommended to insert these values in the playbook if you store it anywhere online! You can find this playbook code on GitHub.

After the playbook finishes, confirm that your key is available on the AWS console. To do that:

  1. Log into your AWS console
  2. Go to EC2 > Key Pairs
  3. You should see your key listed. The only limitation is that you have to check region-by-region with this method.

Another way is to use a quick command in a shell to do this check for you.

First create a variable with all regions on the playbook:

AWS_REGION="us-east-1 us-west-1 us-west-2 ap-east-1 ap-south-1 ap-northeast-2 ap-southeast-1 ap-southeast-2 ap-northeast-1 ca-central-1 eu-central-1 eu-west-1 eu-west-2 eu-west-3 eu-north-1 me-south-1 sa-east-1"

Then do a for loop and you will get the result from aws API:

for each in ${AWS_REGION} ; do aws ec2 describe-key-pairs --key-name <YOUR KEY GOES HERE> ; done

Keep in mind that to do the above you need to have the aws cli installed.

Posted on Leave a comment

A quick introduction to Toolbox on Fedora

Toolbox allows you to sort and manage your development environments in containers without requiring root privileges or manually attaching volumes. It creates a container where you can install your own CLI tools, without installing them on the base system itself. You can also utilize it when you do not have root access or cannot install programs directly. This article gives you an introduction to toolbox and what it does.

Installing Toolbox

Silverblue includes Toolbox by default. For the Workstation and Server editions, you can grab it from the default repositories using dnf install toolbox.

Creating Toolboxes

Open your terminal and run toolbox enter. The utility will automatically request permission to download the latest image, create your first container, and place your shell inside this container.

$ toolbox enter
No toolbox containers found. Create now? [y/N] y
Image required to create toolbox container.
Download registry.fedoraproject.org/f30/fedora-toolbox:30 (500MB)? [y/N]: y

Currently there is no difference between the toolbox and your base system. Your filesystems and packages appear unchanged. Here is an example using a repository that contains documentation source for a resume under a ~/src/resume folder. The resume is built using the pandoc tool.

$ pwd /home/rwaltr $ cd src/resume/ $ head -n 5 Makefile all: pdf html rtf text docx pdf: init pandoc -s -o BUILDS/resume.pdf markdown/* $ make pdf
bash: make: command not found
$ pandoc -v
bash: pandoc: command not found

This toolbox does not have the programs required to build the resume. You can remedy this by installing the tools with dnf. You will not be prompted for the root password, because you are running in a container.

$ sudo dnf groupinstall "Authoring and Publishing" -y && sudo dnf install pandoc make -y
... $ make all #Successful builds
mkdir -p BUILDS
pandoc -s -o BUILDS/resume.pdf markdown/*
pandoc -s -o BUILDS/resume.html markdown/*
pandoc -s -o BUILDS/resume.rtf markdown/*
pandoc -s -o BUILDS/resume.txt markdown/*
pandoc -s -o BUILDS/resume.docx markdown/*
$ ls BUILDS/
resume.docx resume.html resume.pdf resume.rtf resume.txt

Run exit at any time to exit the toolbox.

$ cd BUILDS/
$ pandoc --version || ls
pandoc 2.2.1
Compiled with pandoc-types 1.17.5.4, texmath 0.11.1.2, skylighting 0.7.5
...
for a particular purpose.
resume.docx resume.html resume.pdf resume.rtf resume.txt
$ exit logout
$ pandoc --version || ls
bash: pandoc: command not found...
resume.docx resume.html resume.pdf resume.rtf resume.txt

You retain the files created by your toolbox in your home directory. None of the programs installed in your toolbox will be available outside of it.

Tips and tricks

This introduction to toolbox only scratches the surface. Here are some additional tips, but you can also check out the official documentation.

  • Toolbox –help will show you the man page for Toolbox
  • You can have multiple toolboxes at once. Use toolbox create -c Toolboxname and toolbox enter -c Toolboxname
  • Toolbox uses Podman to do the heavy lifting. Use toolbox list to find the IDs of the containers Toolbox creates. Podman can use these IDs to perform actions such as rm and stop. (You can also read more about Podman in this Magazine article.)

Photo courtesy of Florian Richter from Flickr.

Posted on Leave a comment

Create virtual machines with Cockpit in Fedora

This article shows you how to install the software you need to use Cockpit to create and manage virtual machines on Fedora 31. Cockpit is an interactive admin interface that lets you access and manage systems from any supported web browser. With virt-manager being deprecated users are encouraged to use Cockpit instead, which is meant to replace it.

Cockpit is an actively developed project, with many plugins available that extend how it works. For example, one such plugin is “Machines,” which interacts with libvirtd and lets users create and manage virtual machines.

Installing software

The required software prerequisites are libvirt, cockpit and cockpit-machines. To install them on Fedora 31, run the following command from a terminal using sudo:

$ sudo dnf install libvirt cockpit cockpit-machines

Cockpit is also included as part of the “Headless Management” package group. This group is useful for a Fedora based server that you only access through a network. In that case, to install it, use this command:

$ sudo dnf groupinstall "Headless Management"

Setting up Cockpit services

After installing the necessary packages it’s time to enable the services. The libvirtd service runs the virtual machines, while Cockpit has a socket activated service to let you access the Web GUI:

$ sudo systemctl enable libvirtd --now
$ sudo systemctl enable cockpit.socket --now

This should be enough to run virtual machines and manage them through Cockpit. Optionally, if you want to access and manage your machine from another device on your network, you need to expose the service to the network. To do this, add a new rule in your firewall configuration:

$ sudo firewall-cmd --zone=public --add-service=cockpit --permanent
$ sudo firewall-cmd --reload

To confirm the services are running and no issues occurred, check the status of the services:

$ sudo systemctl status libvirtd
$ sudo systemctl status cockpit.socket

At this point everything should be working. The Cockpit web GUI should be available at https://localhost:9090 or https://127.0.0.1:9090. Or, enter the local network IP in a web browser on any other device connected to the same network. (Without SSL certificates setup, you may need to allow a connection from your browser.)

Creating and installing a machine

Log into the interface using the user name and password for that system. You can also choose whether to allow your password to be used for administrative tasks in this session.

Select Virtual Machines and then select Create VM to build a new box. The console gives you several options:

  • Download an OS using Cockpit’s built in library
  • Use install media already downloaded on the system you’re managing
  • Point to a URL for an OS installation tree
  • Boot media over the network via the PXE protocol

Enter all the necessary parameters. Then select Create to power up the new virtual machine.

At this point, a graphical console appears. Most modern web browsers let you use your keyboard and mouse to interact with the VM console. Now you can complete your installation and use your new VM, just as you would via virt-manager in the past.


Photo by Miguel Teixeira on Flickr (CC BY-SA 2.0).

Posted on Leave a comment

Set up single sign-on for Fedora Project services

In addition to an operating system, the Fedora Project provides services for users and developers. Services such as Ask Fedora, the Fedora Project wiki and the Fedora Project mailing lists help users learn how to best take advantage of Fedora. For developers of Fedora, there are many other services such as dist-git, Pagure, Bodhi, COPR and Bugzilla for the packaging and release process.

These services are available with a free account from the Fedora Accounts System (FAS). This account is the passport to all things Fedora! This article covers how to get set up with an account and configure Fedora Workstation for browser single sign-on.

Signing up for a Fedora account

To create a FAS account, browse to the account creation page. Here, you will fill out your basic identity data:

Account creation page

Once you enter your data, the account system sends an email to the address you provided, with a temporary password. Pick a strong password and use it.

Password reset page

Next, the account details page appears. If you want to contribute to the Fedora Project, you should complete the Contributor Agreement now. Otherwise, you are done and you can use your account to log into the various Fedora services.

Account details page

Configuring Fedora Workstation for single sign-On

Now that you have your account, you can sign into any of the Fedora Project services. Most of these services support single sign-on (SSO), so you can sign in without re-entering your username and password.

Fedora Workstation provides an easy workflow to add your Fedora credentials. The GNOME Online Accounts tool helps you quickly set up your system to access many popular services. To access it, go to the Settings menu.

Click on the option labeled Fedora. A prompt opens for you to provide your username and password for your Fedora Account.

GNOME Online Accounts stores your password in GNOME Keyring and automatically acquires your single-sign-on credentials for you when you log in.

Single sign-on with a web browser

Today, Fedora Workstation supports three web browsers out of the box with support for single sign-on with the Fedora Project services. These are Mozilla Firefox, GNOME Web, and Google Chrome.

Due to a bug in Chromium, single sign-on doesn’t work currently if you have more than one set of Kerberos (SSO) credentials active on your session. As a result, Fedora doesn’t enable this function out of the box for Chromium in Fedora.

To sign on to a service, browse to it and select the login option for that service. For most Fedora services, this is all you need to do; the browser handles the rest. Some services such as the Fedora mailing lists and Bugzilla support multiple login types. For them, select the Fedora or Fedora Account System login type.

That’s it! You can now log into any of the Fedora Project services without re-entering your password.

Special consideration for Google Chrome

To enable single sign-on out of the box for Google Chrome, Fedora takes advantage of certain features in Chrome that are intended for use in “managed” environments. A managed environment is traditionally a corporate or other organization that sets certain security and/or monitoring requirements on the browser.

Recently, Google Chrome changed its behavior and it now reports Managed by your organization or possibly Managed by fedoraproject.org under the ⋮ menu in Google Chrome. That link leads to a page that says, “If your Chrome browser is managed, your administrator can set up or restrict certain features, install extensions, monitor activity, and control how you use Chrome.” However, Fedora will never monitor your browser activity or restrict your actions.

Enter chrome://policy in the address bar to see exactly what settings Fedora has enabled in the browser. The AuthNegotiateDelegateWhitelist and AuthServerWhitelist options will be set to *.fedoraproject.org. These are the only changes Fedora makes.

Posted on Leave a comment

Fedora pastebin and fpaste updates

Fedora and EPEL users who use fpaste to paste and share snippets of text might have noticed some changes recently. Recently, an update went out which sends pastes made by fpaste to the CentOS Pastebin instead of the Modern Paste instance that Fedora was running. Don’t fear — this was an intentional change, and is part of the effort to lower the workload within the Fedora Infrastructure and Community Platform Engineering teams. Keep reading to learn more about what’s happening with pastebin and your pastes.

About the service

A pastebin lets you save text on a website for a length of time. This helps you exchange data easily with other users. For example, you can post error messages for help with a bug or other issue.

The CentOS Pastebin is a community-maintained service that keeps pastes around for up to 24 hours. It also offers syntax highlighting for a large number of programming and markup languages.

As before, you can paste files:

$ fpaste sql/010.add_owner_ip_index.sql Uploading (0.1KiB)...
https://paste.centos.org/view/6ee941cc

…or command output…

$ rpm -ql python3 | fpaste
Uploading (0.7KiB)...
https://paste.centos.org/view/44945a99

…or system information:

$ fpaste --sysinfo Gathering system info .............Uploading (8.1KiB)...
https://paste.centos.org/view/8d5bb827

What to expect from Pastebin

On December 1st, 2019, Fedora Infrastructure will turn off its Modern Paste servers. It will then redirect fpaste.org, www.fpaste.org, and paste.fedoraproject.org to paste.centos.org.

If you notice any issues with fpaste, first try updating your fpaste package. On Fedora use this command:

$ dnf update fpaste

Or, on machines that use the EPEL repository, use this command:

$ yum update fpaste

If you still run into issues, please file a bug on the fpaste issue tracker, and please be as detailed as possible. Happy pasting!


Photo by Kelly Sikkema on Unsplash.

Posted on Leave a comment

Managing software and services with Cockpit

The Cockpit series continues to focus on some of the tools users and administrators can use to perform everyday tasks within the web user-interface. So far we’ve covered introducing the user-interface, storage and network management, and user accounts. Hence, this article will highlight how Cockpit handles software and services.

The menu options for Applications and Software Updates are available through Cockpit’s PackageKit feature. To install it from the command-line, run:

 sudo dnf install cockpit-packagekit

For Fedora Silverblue, Fedora CoreOS, and other ostree-based operating systems, install the cockpit-ostree package and reboot the system:

sudo rpm-ostree install cockpit-ostree; sudo systemctl reboot

Software updates

On the main screen, Cockpit notifies the user whether the system is updated, or if any updates are available. Click the Updates Available link on the main screen, or Software Updates in the menu options, to open the updates page.

RPM-based updates

The top of the screen displays general information such as the number of updates and the number of security-only updates. It also shows when the system was last checked for updates, and a button to perform the check. Likewise, this button is equivalent to the command sudo dnf check-update.

Below is the Available Updates section, which lists the packages requiring updates. Furthermore, each package displays the name, version, and best of all, the severity of the update. Clicking a package in the list provides additional information such as the CVE, the Bugzilla ID, and a brief description of the update. For details about the CVE and related bugs, click their respective links.

Also, one of the best features about Software Updates is the option to only install security updates. Distinguishing which updates to perform makes it simple for those who may not need, or want, the latest and greatest software installed. Of course, one can always use Red Hat Enterprise Linux or CentOS for machines requiring long-term support.

The example below demonstrates how Cockpit applies RPM-based updates.

Running system updates with RPM-based operating systems in Cockpit.

OSTree-based updates

The popular article What is Silverblue states:

OSTree is used by rpm-ostree, a hybrid package/image based system… It atomically replicates a base OS and allows the user to “layer” the traditional RPM on top of the base OS if needed.

Because of this setup, Cockpit uses a snapshot-like layout for these operating systems. As seen in the demo below, the top of the screen displays the repository (fedora), the base OS image, and a button to Check for Updates.

Clicking the repository name (fedora in the demo below) opens the Change Repository screen. From here one can Add New Repository, or click the pencil icon to edit an existing repository. Editing provides the option to delete the repository, or Add Another Key. To add a new repository, enter the name and URL. Also, select whether or not to Use trusted GPG key.

There are three categories that provide details of its respective image: Tree, Packages, and Signature. Tree displays basic information such as the operating system, version of the image, how long ago it was released, and the origin of the image. Packages displays a list of installed packages within that image. Signature verifies the integrity of the image such as the author, date, RSA key ID, and status.

The current, or running, image displays a green check-mark beside it. If something happens, or an update causes an issue, click the Roll Back and Reboot button. This restores the system to a previous image.

Running system updates with OSTree-based operating systems in Cockpit.

Applications

The Applications screen displays a list of add-ons available for Cockpit. This makes it easy to find and install the plugins required by the user. At the time of this article, some of the options include the 389 Directory Service, Fleet Commander, and Subscription Manager. The demo below shows a complete list of available Cockpit add-ons.

Also, each item displays the name, a brief description, and a button to install, or remove, the add-on. Furthermore, clicking the item displays more information (if available). To refresh the list, click the icon at the top-right corner.

Managing Cockpit application add-ons and features

Subscription Management

Subscription managers allow admins to attach subscriptions to the machine. Even more, subscriptions give admins control over user access to content and packages. One example of this is the famous Red Hat subscription model. This feature works in relation to the subscription-manager command

The Subscriptions add-on can be installed via Cockpit’s Applications menu option. It can also be installed from the command-line with:

sudo dnf install cockpit-subscriptions

To begin, click Subscriptions in the main menu. If the machine is currently unregistered, it opens the Register System screen. Next, select the URL. You can choose Default, which uses Red Hat’s subscription server, or enter a Custom URL. Enter the Login, Password, Activation Key, and Organization ID. Finally, to complete the process, click the Register button.

The main page for Subscriptions show if the machine is registered, the System Purpose, and a list of installed products.

Managing subscriptions in Cockpit

Services

To start, click the Services menu option. Because Cockpit uses systemd, we get the options to view System Services, Targets, Sockets, Timers, and Paths. Cockpit also provides an intuitive interface to help users search and find the service they want to configure. Services can also be filtered by it’s state: All, Enabled, Disabled, or Static. Below this is the list of services. Each row displays the service name, description, state, and automatic startup behavior.

For example, let’s take bluetooth.service. Typing bluetooth in the search bar automatically displays the service. Now, select the service to view the details of that service. The page displays the status and path of the service file. It also displays information in the service file such as the requirements and conflicts. Finally, at the bottom of the page, are the logs pertaining to that service.

Also, users can quickly start and stop the service by toggling the switch beside the service name. The three-dots to the right of that switch expands those options to Enable, Disable, Mask/Unmask the service

To learn more about systemd, check out the series in the Fedora Magazine starting with What is an init system?

Managing services in Cockpit

In the next article we’ll explore the security features available in Cockpit.

Posted on Leave a comment

Tuning your bash or zsh shell on Fedora Workstation and Silverblue

This article shows you how to set up some powerful tools in your command line interpreter (CLI) shell on Fedora. If you use bash (the default) or zsh, Fedora lets you easily setup these tools.

Requirements

Some installed packages are required. On Workstation, run the following command:

sudo dnf install git wget curl ruby ruby-devel zsh util-linux-user redhat-rpm-config gcc gcc-c++ make

On Silverblue run:

sudo rpm-ostree install git wget curl ruby ruby-devel zsh util-linux-user redhat-rpm-config gcc gcc-c++ make

Note: On Silverblue you need to restart before proceeding.

Fonts

You can give your terminal a new look by installing new fonts. Why not fonts that display characters and icons together?

Nerd-Fonts

Open a new terminal and type the following commands:

git clone https://github.com/ryanoasis/nerd-fonts ~/.nerd-fonts
cd .nerd-fonts sudo ./install.sh

Awesome-Fonts

On Workstation, install using the following command:

sudo dnf install fontawesome-fonts

On Silverblue, type:

sudo rpm-ostree install fontawesome-fonts

Powerline

Powerline is a statusline plugin for vim, and provides statuslines and prompts for several other applications, including bash, zsh, tmus, i3, Awesome, IPython and Qtile. You can find more information about powerline on the official documentation site.

Installation

To install powerline utility on Fedora Workstation, open a new terminal and run:

sudo dnf install powerline vim-powerline tmux-powerline powerline-fonts

On Silverblue, the command changes to:

sudo rpm-ostree install powerline vim-powerline tmux-powerline powerline-fonts

Note: On Silverblue, before proceeding you need restart.

Activating powerline

To make the powerline active by default, place the code below at the end of your ~/.bashrc file

if [ -f `which powerline-daemon` ]; then powerline-daemon -q POWERLINE_BASH_CONTINUATION=1 POWERLINE_BASH_SELECT=1 . /usr/share/powerline/bash/powerline.sh
fi

Finally, close the terminal and open a new one. It will look like this:

Oh-My-Zsh

Oh-My-Zsh is a framework for managing your Zsh configuration. It comes bundled with helpful functions, plugins, and themes. To learn how set Zsh as your default shell this article.

Installation

Type this in the terminal:

sh -c "$(curl -fsSL https://raw.github.com/robbyrussell/oh-my-zsh/master/tools/install.sh)"

Alternatively, you can type this:

sh -c "$(wget https://raw.github.com/robbyrussell/oh-my-zsh/master/tools/install.sh -O -)"

At the end, you see the terminal like this:

Congratulations, Oh-my-zsh is installed.

Themes

Once installed, you can select your theme. I prefer to use the Powerlevel10k. One advantage is that it is 100 times faster than powerlevel9k theme. To install run this line:

git clone https://github.com/romkatv/powerlevel10k.git ~/.oh-my-zsh/themes/powerlevel10k

And set ZSH_THEME in your ~/.zshrc file

ZSH_THEME=powerlevel10k/powerlevel10k

Close the terminal. When you open the terminal again, the Powerlevel10k configuration wizard will ask you a few questions to configure your prompt properly.

After finish Powerline10k configuration wizard, your prompt will look like this:

If you don’t like it. You can run the powerline10k wizard any time with the command p10k configure.

Enable plug-ins

Plug-ins are stored in .oh-my-zsh/plugins folder. You can visit this site for more information. To activate a plug-in, you need edit your ~/.zshrc file. Install plug-ins means that you are going create a series of aliases or shortcuts that execute a specific function.

For example, to enable the firewalld and git plugins, first edit ~/.zshrc:

plugins=(firewalld git)

Note: use a blank space to separate the plug-ins names list.

Then reload the configuration

source ~/.zshrc 

To see the created aliases, use the command:

alias | grep firewall

Additional configuration

I suggest the install syntax-highlighting and syntax-autosuggestions plug-ins.

git clone https://github.com/zsh-users/zsh-syntax-highlighting.git ${ZSH_CUSTOM:-~/.oh-my-zsh/custom}/plugins/zsh-syntax-highlighting
git clone https://github.com/zsh-users/zsh-autosuggestions ${ZSH_CUSTOM:-~/.oh-my-zsh/custom}/plugins/zsh-autosuggestions

Add them to your plug-ins list in your file ~/.zshrc

plugins=( [plugins...] zsh-syntax-highlighting zsh-autosuggestions)

Reload the configuration

source ~/.zshrc 

See the results:

Colored folders and icons

Colorls is a Ruby gem that beautifies the terminal’s ls command, with colors and font-awesome icons. You can visit the official site for more information.

Because it’s a ruby gem, just follow this simple step:

sudo gem install colorls

To keep up to date, just do:

sudo gem update colorls

To prevent type colorls everytime you can make aliases in your ~/.bashrc or ~/.zshrc.

alias ll='colorls -lA --sd --gs --group-directories-first'
alias ls='colorls --group-directories-first'

Also, you can enable tab completion for colorls flags, just entering following line at end of your shell configuration:

source $(dirname ($gem which colorls))/tab_complete.sh

Reload it and see what it happens:

Posted on Leave a comment

Cloning a MAC address to bypass a captive portal

If you ever attach to a WiFi system outside your home or office, you often see a portal page. This page may ask you to accept terms of service or some other agreement to get access. But what happens when you can’t connect through this kind of portal? This article shows you how to use NetworkManager on Fedora to deal with some failure cases so you can still access the internet.

How captive portals work

Captive portals are web pages offered when a new device is connected to a network. When the user first accesses the Internet, the portal captures all web page requests and redirects them to a single portal page.

The page then asks the user to take some action, typically agreeing to a usage policy. Once the user agrees, they may authenticate to a RADIUS or other type of authentication system. In simple terms, the captive portal registers and authorizes a device based on the device’s MAC address and end user acceptance of terms. (The MAC address is a hardware-based value attached to any network interface, like a WiFi chip or card.)

Sometimes a device doesn’t load the captive portal to authenticate and authorize the device to use the location’s WiFi access. Examples of this situation include mobile devices and gaming consoles (Switch, Playstation, etc.). They usually won’t launch a captive portal page when connecting to the Internet. You may see this situation when connecting to hotel or public WiFi access points.

You can use NetworkManager on Fedora to resolve these issues, though. Fedora will let you temporarily clone the connecting device’s MAC address and authenticate to the captive portal on the device’s behalf. You’ll need the MAC address of the device you want to connect. Typically this is printed somewhere on the device and labeled. It’s a six-byte hexadecimal value, so it might look like 4A:1A:4C:B0:38:1F. You can also usually find it through the device’s built-in menus.

Cloning with NetworkManager

First, open nm-connection-editor, or open the WiFI settings via the Settings applet. You can then use NetworkManager to clone as follows:

  • For Ethernet – Select the connected Ethernet connection. Then select the Ethernet tab. Note or copy the current MAC address. Enter the MAC address of the console or other device in the Cloned MAC address field.
  • For WiFi – Select the WiFi profile name. Then select the WiFi tab. Note or copy the current MAC address. Enter the MAC address of the console or other device in the Cloned MAC address field.

Bringing up the desired device

Once the Fedora system connects with the Ethernet or WiFi profile, the cloned MAC address is used to request an IP address, and the captive portal loads. Enter the credentials needed and/or select the user agreement. The MAC address will then get authorized.

Now, disconnect the WiFi or Ethernet profile, and change the Fedora system’s MAC address back to its original value. Then boot up the console or other device. The device should now be able to access the Internet, because its network interface has been authorized via your Fedora system.

This isn’t all that NetworkManager can do, though. For instance, check out this article on randomizing your system’s hardware address for better privacy.

Posted on Leave a comment

Build a virtual private network with Wireguard

Wireguard is a new VPN designed as a replacement for IPSec and OpenVPN. Its design goal is to be simple and secure, and it takes advantage of recent technologies such as the Noise Protocol Framework. Some consider Wireguard’s ease of configuration akin to OpenSSH. This article shows you how to deploy and use it.

It is currently in active development, so it might not be the best for production machines. However, Wireguard is under consideration to be included into the Linux kernel. The design has been formally verified,* and proven to be secure against a number of threats.

When deploying Wireguard, keep your Fedora Linux system updated to the most recent version, since Wireguard does not have a stable release cadence.

Set the timezone

To check and set your timezone, first display current time information:

timedatectl

Then if needed, set the correct timezone, for example to Europe/London.

timedatectl set-timezone Europe/London

Note that your system’s real time clock (RTC) may continue to be set to UTC or another timezone.

Install Wireguard

To install, enable the COPR repository for the project and then install with dnf, using sudo:

$ sudo dnf copr enable jdoss/wireguard
$ sudo dnf install wireguard-dkms wireguard-tools

Once installed, two new commands become available, along with support for systemd:

  • wg: Configuration of wireguard interfaces
  • wg-quick Bringing up the VPN tunnels

Create the configuration directory for Wireguard, and apply a umask of 077. A umask of 077 allows read, write, and execute permission for the file’s owner (root), but prohibits read, write, and execute permission for everyone else.

mkdir /etc/wireguard
cd /etc/wireguard
umask 077

Generate Key Pairs

Generate the private key, then derive the public key from it.

$ wg genkey > /etc/wireguard/privkey
$ wg pubkey < /etc/wireguard/privkey > /etc/wireguard/publickey

Alternatively, this can be done in one go:

wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey

There is a vanity address generator, which might be of interest to some. You can also generate a pre-shared key to provide a level of quantum protection:

wg genpsk > psk

This will be the same value for both the server and client, so you only need to run the command once.

Configure Wireguard server and client

Both the client and server have an [Interface] option to specify the IP address assigned to the interface, along with the private keys.

Each peer (server and client) has a [Peer] section containing its respective PublicKey, along with the PresharedKey. Additionally, this block can list allowed IP addresses which can use the tunnel.

Server

A firewall rule is added when the interface is brought up, along with enabling masquerading. Make sure to note the /24 IPv4 address range within Interface, which differs from the client. Edit the /etc/wireguard/wg0.conf file as follows, using the IP address for your server for Address, and the client IP address in AllowedIPs.

[Interface]
Address = 192.168.2.1/24, fd00:7::1/48
PrivateKey = <SERVER_PRIVATE_KEY>
PostUp = firewall-cmd --zone=public --add-port 51820/udp && firewall-cmd --zone=public --add-masquerade
PostDown = firewall-cmd --zone=public --remove-port 51820/udp && firewall-cmd --zone=public --remove-masquerade
ListenPort = 51820 [Peer]
PublicKey = <CLIENT_PUBLIC_KEY>
PresharedKey = LpI+UivLx1ZqbzjyRaWR2rWN20tbBsOroNdNnjKLMQ=
AllowedIPs = 192.168.2.2/32, fd00:7::2/48

Allow forwarding of IP packets by adding the following to /etc/sysctl.conf:

net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1

Load the new settings:

$ sysctl -p

Forwarding will be preserved after a reboot.

Client

The client is very similar to the server config, but has an optional additional entry of PersistentKeepalive set to 30 seconds. This is to prevent NAT from causing issues, and depending on your setup might not be needed. Setting AllowedIPs to 0.0.0.0/0 will forward all traffic over the tunnel. Edit the client’s /etc/wireguard/wg0.conf file as follows, using your client’s IP address for Address and the server IP address at the Endpoint.

[Interface]
Address = 192.168.2.2/32, fd00:7::2/48
PrivateKey = <CLIENT_PRIVATE_KEY> [Peer]
PublicKey = <SERVER_PUBLIC_KEY>
PresharedKey = LpI+UivLx1ZqbzjyRaWR2rWN20tbBsOroNdNnjWKLM=
AllowedIPs = 0.0.0.0/0, ::/0 Endpoint = <SERVER_IP>:51820
PersistentKeepalive = 30

Test Wireguard

Start and check the status of the tunnel on both the server and client:

$ systemctl start wg-quick@wg0
$ systemctl status wg-quick@wg0

To test the connections, try the following:

ping google.com
ping6 ipv6.google.com

Then check external IP addresses:

dig +short myip.opendns.com @resolver1.opendns.com
dig +short -6 myip.opendns.com aaaa @resolver1.ipv6-sandbox.opendns.com

* “Formally verified,” in this sense, means that the design has been proved to have mathematically correct messages and key secrecy, forward secrecy, mutual authentication, session uniqueness, channel binding, and resistance against replay, key compromise impersonation, and denial of server attacks.


Photo by Black Zheng on Unsplash.