Attach a USB device to running QEMU guest

Run lsusb and note the Bus and Device numbers of the device to attach (an external HDD in this case):

Bus 001 Device 002: ID 1058:2621 Western Digital Technologies, Inc.

Create an XML file ExHDD.xml as follows:

<hostdev mode='subsystem' type='usb' managed='yes'>
  <source>
    <address bus='1' device='2'/>
  </source>
</hostdev>

Next, run the following command to attach the device:

virsh attach-device fs1 /root/ExHDD.xml

where fs1 is the name of the QEMU guest (the libvirt domain).
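As an added example (not part of the original notes), the following shell functions generate the hostdev XML from one lsusb line. The first addresses the device by bus/device number exactly as above; the second uses the vendor:product ID instead, which libvirt also accepts in <source> and which does not change when the device is re-plugged (bus and device numbers can). The lsusb line is the one from the notes; the function names are this example's own.

```shell
#!/bin/sh
# Added example: build libvirt <hostdev> XML for `virsh attach-device`
# from one line of `lsusb` output.  Not part of the original notes.

# usb_hostdev_xml LSUSB_LINE
# Addresses the device by bus/device number, as the notes do.
# Returns 1 and prints nothing if the line does not look like lsusb output.
usb_hostdev_xml() {
    ids=$(printf '%s\n' "$1" | awk '$1 == "Bus" && $3 == "Device" {
        sub(/:$/, "", $4)            # "002:" -> "002"
        print $2 + 0, $4 + 0         # libvirt wants decimal: 001 -> 1
    }')
    [ -n "$ids" ] || return 1
    set -- $ids                      # $1 = bus, $2 = device
    printf "<hostdev mode='subsystem' type='usb' managed='yes'>\n"
    printf "  <source>\n    <address bus='%s' device='%s'/>\n  </source>\n" "$1" "$2"
    printf "</hostdev>\n"
}

# usb_hostdev_xml_by_id LSUSB_LINE
# Addresses the device by USB vendor:product ID.  libvirt accepts
# <vendor>/<product> inside <source>; the ID survives unplug/replug.
usb_hostdev_xml_by_id() {
    ids=$(printf '%s\n' "$1" | awk '$1 == "Bus" && $5 == "ID" {
        split($6, a, ":")
        if (length(a[1]) == 4 && length(a[2]) == 4) print a[1], a[2]
    }')
    [ -n "$ids" ] || return 1
    set -- $ids                      # $1 = vendor, $2 = product
    printf "<hostdev mode='subsystem' type='usb' managed='yes'>\n"
    printf "  <source>\n    <vendor id='0x%s'/>\n    <product id='0x%s'/>\n  </source>\n" "$1" "$2"
    printf "</hostdev>\n"
}

# Sample line, copied from the notes' lsusb output.
SAMPLE_LSUSB='Bus 001 Device 002: ID 1058:2621 Western Digital Technologies, Inc.'

usb_hostdev_xml "$SAMPLE_LSUSB"          # e.g. > ExHDD.xml, then: virsh attach-device fs1 ExHDD.xml
usb_hostdev_xml_by_id "$SAMPLE_LSUSB"
```

Redirect either function's output to a file and pass that file to virsh attach-device as in the notes; the by-ID form is the one to keep in a persistent domain definition, since the bus/device form goes stale after a replug.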

Kavach KA-4035 Error

This concerns NIC email and other services that are linked to Kavach. If you are connected over IPv6 only, you will face this issue; that is mostly the case on the Jio mobile network, which sometimes provides only IPv6. The Kavach server runs over IPv4, so it fails to detect the client's location and the login fails.
Unless NIC provides Kavach over IPv6, this problem will remain (today is 03/Sep/2024).

Fedora Upgrade version 35 to 40

Check the free space in /boot.
If required, remove old kernels to free space:
run "rpm -q kernel-core", then "dnf remove <name of the kernel>"

dnf upgrade --refresh
dnf install dnf-plugin-system-upgrade
dnf system-upgrade download --releasever=<ver>

In case of a broken dependency, try:

dnf system-upgrade download --releasever=<ver> --allowerasing

Replace <ver> with the version you want to upgrade to. Remember <ver> should not be more than 2 versions from the current version. I have tested the above from 35 to 37, then 37 to 39, then 39 to 40.
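Two small helpers for the checks above, added here as an example and not part of the original notes: removable_kernels filters the output of rpm -q kernel-core so that the running kernel (uname -r) is never handed to dnf remove, and upgrade_hop_ok enforces the "not more than 2 versions" rule before system-upgrade download is started. The package names below are constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the original notes.

# removable_kernels RUNNING   (reads `rpm -q kernel-core` output on stdin)
# Prints every installed kernel-core package except the running one, so the
# list can be passed to `dnf remove` without removing the live kernel.
removable_kernels() {
    awk -v keep="kernel-core-$1" '/^kernel-core-/ && $0 != keep'
}

# upgrade_hop_ok CURRENT TARGET
# Succeeds only if TARGET is newer than CURRENT by at most two releases.
upgrade_hop_ok() {
    [ "$2" -gt "$1" ] && [ $(( $2 - $1 )) -le 2 ]
}

# Constructed sample of `rpm -q kernel-core` on a Fedora 38 host.
SAMPLE_KERNELS='kernel-core-6.2.9-300.fc38.x86_64
kernel-core-6.5.6-200.fc38.x86_64
kernel-core-6.5.8-200.fc38.x86_64'
RUNNING='6.5.8-200.fc38.x86_64'        # what `uname -r` would print here

echo "kernels that may be removed to free /boot:"
printf '%s\n' "$SAMPLE_KERNELS" | removable_kernels "$RUNNING"
# On a real host:
#   rpm -q kernel-core | removable_kernels "$(uname -r)" | xargs -r dnf remove

for hop in "38 40" "38 41" "40 38"; do
    set -- $hop
    if upgrade_hop_ok "$1" "$2"; then
        echo "$1 -> $2: ok"
    else
        echo "$1 -> $2: too far, or not an upgrade"
    fi
done
```

Check the free space first with df -h /boot. Note that system-upgrade download only stages the packages; the upgrade itself is started with dnf system-upgrade reboot, a step the notes above do not spell out.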

Route Addition to IKEv2 in Windows 11

There is no option in Windows for automatically adding a static route through a VPN connection using the GUI, but with PowerShell it works fine. Here is the command:

Add-VpnConnectionRoute VPN-Name Route-In-CIDR

To remove the route

Remove-VpnConnectionRoute VPN-Name Route-In-CIDR

For example:

Add-VpnConnectionRoute "IKEv2 VPN NML" "192.168.1.0/24"

Whenever I connect to the NML VPN, all traffic for 192.168.1.0/24 is directed to the NML network. Be careful that your home network is not also 192.168.1.0/24.

FirewallD IPSet for blocking list of ips

Decided to create an ipset named stophack and add to it all source IPs that attempted to access ports 23, 22, 3306, 110, 143 and 25 of <myserverip>.

firewall-cmd --zone=external --add-rich-rule='rule source ipset=stophack drop'
firewall-cmd --permanent --get-ipsets
firewall-cmd --permanent --new-ipset=stophack --type=hash:net
firewall-cmd --permanent --ipset=stophack --add-entries-from-file=stophack.txt
firewall-cmd --permanent --ipset=stophack --get-entries
firewall-cmd --permanent --ipset=stophack --add-entry=120.224.174.135
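An added check (not part of the original notes) to run over stophack.txt before --add-entries-from-file: every line must be an IPv4 address or IPv4 CIDR block suitable for a hash:net ipset, so a malformed line is caught before firewalld rejects the file. As this example's own policy it also refuses prefixes shorter than /8, because a typo such as 0.0.0.0/0 in an ipset used by a drop rule would drop all traffic to the server. The sample entries are constructed; 120.224.174.135 is the address from the notes.

```shell
#!/bin/sh
# Added example, not part of the original notes: validate an ipset entries
# file (IPv4, hash:net) before loading it with
#   firewall-cmd --permanent --ipset=stophack --add-entries-from-file=stophack.txt

# validate_net_entries   (reads the entries file on stdin)
# Prints one line per bad entry and returns 1 if any were found.
# Policy of this example: prefix length must be between /8 and /32.
validate_net_entries() {
    awk '
    function valid_ip4(ip,    o, n, i) {
        n = split(ip, o, ".")
        if (n != 4) return 0
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
        return 1
    }
    NF == 0 || $1 ~ /^#/ { next }              # blank lines and comments
    {
        n = split($1, p, "/")
        ok = (n == 1 || n == 2) && valid_ip4(p[1])
        if (ok && n == 2)
            ok = (p[2] ~ /^[0-9]+$/ && p[2] + 0 >= 8 && p[2] + 0 <= 32)
        if (!ok) { bad++; printf "line %d: invalid entry: %s\n", NR, $0 }
    }
    END { exit (bad > 0) }'
}

# Constructed sample stophack.txt: two good entries, a comment, three bad ones.
SAMPLE_ENTRIES='120.224.174.135
10.0.0.0/8
# comment lines are ignored
300.1.1.1
1.2.3.4/33
0.0.0.0/0'

if printf '%s\n' "$SAMPLE_ENTRIES" | validate_net_entries; then
    echo "stophack.txt is clean"
else
    echo "fix the entries above before loading the ipset"
fi
```

One more thing worth knowing about the command sequence in the notes: the rich rule is added to the runtime configuration only (no --permanent), while the ipset exists only in the permanent configuration. Create and fill the ipset, run firewall-cmd --reload so the runtime sees it, and then add the rich rule with --permanent as well so it survives the next reload.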

cat bdknock.xml (a firewalld service definition):

<?xml version="1.0" encoding="utf-8"?>
<service>
  <port port="12345" protocol="tcp"/>
  <port port="2345" protocol="udp"/>
  <port port="345" protocol="udp"/>
  <port port="54321" protocol="tcp"/>
</service>

OwnCloud upgrade issue PHP8.0 problem

After upgrading Fedora from 33 to 35, faced an issue with OwnCloud:

Cannot run OC 10.xxx under PHP 8.0.xx

Resolved the issue with following steps

The following was already there under /etc/httpd/conf.d/owncloud.conf:

# Enable http authorization headers
SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1

<FilesMatch \.(php|phar)$>
    SetHandler "proxy:unix:/var/opt/remi/php74/run/php-fpm/www.sock|fcgi://localhost"
</FilesMatch>

While doing the console upgrade with
occ upgrade
the problem arises because the default php was 8.0.

First renamed /usr/bin/php to /usr/bin/php80,
then ran the following command:
update-alternatives --install /usr/bin/php php /opt/remi/php74/root/usr/bin/php 74

After that, occ upgrade was successful.

Networked HP Laser Printer limit IP / System Access

A separate VLAN was created for the printer (say PVLAN). All PCs are in the default VLAN.

A router (R1) is connected to both the default VLAN and PVLAN. A static route is configured in R1 for the printer's IP address (IP1) via the PVLAN interface. Appropriate firewall rules are configured in R1 to forward packets to the printer only from defined/allowed source IPs.

The printer is assigned a static IP (IP1) from the same pool as the PCs, with R1 as its default route.

DHCP is configured to push a static route to the client PCs that are allowed: the static route points to R1 for the IPs assigned to the printers.

Now any access to the printer goes through the router/firewall, where you can configure which systems are allowed to access the printer.

PC <-> Default VLAN <-> Router (R1) <-> PVLAN <-> Printer
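The notes do not say which DHCP server pushes the route, so the following added example (not the notes' own configuration) assumes ISC dhcpd and the standard DHCP classless static route option, option 121 (RFC 3442). The helper encodes a destination/prefix and router into the octet list dhcpd expects and emits a host block for one allowed PC, so only declared hosts learn the path to the printer. All addresses (printer IP1 = 10.0.5.20, router R1 = 10.0.0.1, the PC's MAC and IP) are constructed.

```shell
#!/bin/sh
# Added example, not part of the original notes.  Assumes ISC dhcpd and
# DHCP option 121 (RFC 3442 classless static routes).

# rfc3442_route DEST/PREFIX ROUTER
# Prints the option-121 encoding of one route as dhcpd's comma-separated
# octet list: prefix length, then the significant octets of DEST (one per
# 8 bits of prefix, rounded up), then the four octets of ROUTER.
rfc3442_route() {
    awk -v route="$1" -v gw="$2" 'BEGIN {
        split(route, r, "/"); len = r[2] + 0
        split(r[1], d, "."); split(gw, g, ".")
        sig = int((len + 7) / 8)        # /32 -> 4 octets, /24 -> 3, /0 -> 0
        out = len
        for (i = 1; i <= sig; i++) out = out ", " d[i]
        for (i = 1; i <= 4; i++)   out = out ", " g[i]
        print out
    }'
}

# dhcpd_allowed_host HOSTNAME MAC FIXED_IP ROUTE_OCTETS
# Emits a dhcpd host block for one allowed PC carrying the route option.
dhcpd_allowed_host() {
    printf 'host %s {\n  hardware ethernet %s;\n  fixed-address %s;\n' "$1" "$2" "$3"
    printf '  option rfc3442-classless-static-routes %s;\n}\n' "$4"
}

# Constructed addresses: printer IP1 = 10.0.5.20, router R1 = 10.0.0.1.
# RFC 3442 says a client that receives option 121 must ignore the plain
# router option (3), so the default route has to be included here too.
ROUTES="$(rfc3442_route 10.0.5.20/32 10.0.0.1), $(rfc3442_route 0.0.0.0/0 10.0.0.1)"

echo '# once, in the global section of dhcpd.conf:'
echo 'option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;'
echo
echo '# one block per allowed PC:'
dhcpd_allowed_host pc-alice 52:54:00:aa:bb:01 10.0.0.50 "$ROUTES"
```

If Windows PCs do not pick up the route, define the same value on Microsoft's option 249 as well (same encoding, declared as option ms-classless-static-routes code 249). The DHCP route only steers well-behaved clients; the firewall rules on R1 remain the actual access control.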

Docker / PODMAN in linux

First installed podman-compose, then created a compose file named docker-compose.yml:

version: '3.1'

services:

  wordpress:
    image: wordpress1
    restart: always
    ports:
      - 8080:80
    environment:
      WORDPRESS_DB_HOST: db
      WORDPRESS_DB_USER: mydbuser
      WORDPRESS_DB_PASSWORD: mydbpassword
      WORDPRESS_DB_NAME: mydb
    volumes:
      - wordpress:/var/www/html
      - logs:/var/log/apache2

  db:
    image: wordpress1db
    restart: always
    environment:
      MYSQL_DATABASE: mydb
      MYSQL_USER: mydbuser
      MYSQL_PASSWORD: mydbpassword
      MYSQL_RANDOM_ROOT_PASSWORD: '1'
    volumes:
      - db:/var/lib/mysql

volumes:
  wordpress:
  db:
  logs:

Now run:

podman-compose up -d

It will create the containers and run the web server on port 8080.

To stop and remove the containers, run:

podman-compose down

The compose file creates a container for the web server from image wordpress1 and a container for the database server from image wordpress1db; check and update the image names in case of any problem. You can also commit after any change to the web server / MySQL configuration to create another image locally.

The running containers keep their storage outside the containers: the MySQL database files (/var/lib/mysql) in the named volume db and the website (/var/www/html) in the named volume wordpress. These volumes can be listed by running:

# podman volume ls

DRIVER      VOLUME NAME
local       fcab36796140245f735851f808b193c38e4771143db12ead1c59ce2b5fa3177e
local       WordPress_db
local       WordPress_logs
local       WordPress_wordpress

Now run the following to find out the actual location of the volumes:

# podman volume inspect WordPress_db WordPress_wordpress
[
    {
        "Name": "WordPress_db",
        "Driver": "local",
        "Mountpoint": "/var/lib/containers/storage/volumes/WordPress_db/_data",
        "CreatedAt": "2022-01-31T18:54:23.157971622+05:30",
        "Labels": {
            "io.podman.compose.project": "WordPress"
        },
        "Scope": "local",
        "Options": {}
    },
    {
        "Name": "WordPress_wordpress",
        "Driver": "local",
        "Mountpoint": "/var/lib/containers/storage/volumes/WordPress_wordpress/_data",
        "CreatedAt": "2022-01-31T18:54:19.661705064+05:30",
        "Labels": {
            "io.podman.compose.project": "WordPress"
        },
        "Scope": "local",
        "Options": {}
    }
]

You can add/modify the web server files located at /var/lib/containers/storage/volumes/WordPress_wordpress/_data

To log in to any of the containers above, first find out the container names by running:

# podman container ls
CONTAINER ID  IMAGE                   COMMAND               CREATED      STATUS          PORTS                                        NAMES
4f7976ee3529  k8s.gcr.io/pause:3.5                          4 hours ago  Up 4 hours ago  0.0.0.0:8080->80/tcp  bca02e003722-infra
171df0e7c268  localhost/wp1:latest    apache2-foregroun...  4 hours ago  Up 4 hours ago  0.0.0.0:8080->80/tcp  WordPress_wordpress_1
70c70112d52b  localhost/wp1db:latest  mysqld                4 hours ago  Up 4 hours ago  0.0.0.0:8080->80/tcp  WordPress_db_1

The last word on each line is the name, i.e. WordPress_wordpress_1 and WordPress_db_1 are the container names. Now, to log in to the wordpress (web server) container, type the following:

# podman exec -ti WordPress_wordpress_1 /bin/bash
root@171df0e7c268:/var/www/html#

Similarly, for the db server type:

podman exec -ti WordPress_db_1 /bin/bash
root@70c70112d52b:/#

Installation of Reverse Proxy HAPROXY

Generated dhparams.pem for HAProxy, moved it to the HAProxy directory and linked it in the haproxy.cfg file.

Kept most global options in the cfg file. Add lines for the frontend and backend:

frontend default
   bind :80
   http-request redirect scheme https unless { ssl_fc }
   use_backend %[req.hdr(host),lower,map_dom(/etc/haproxy/maps/hosts.map,be_default)]

   default_backend             acer2

Create a hosts.map file listing each and every host; each line must have the host name and the backend name, like:

acer2.nmlindia.org acer2

For each alternate port create a frontend like the above, just replace :80 with say :8080, and provide another map file for the hosts handled on this port.

backend acer2
   mode http
   http-request redirect scheme https unless { ssl_fc }
   server acer2 acer2.nmlindia.org:8888 check

The line

http-request redirect scheme https unless { ssl_fc }

controls the redirection to HTTPS; it applies whenever the request did not arrive over SSL.

If the site is non-SSL, comment it out in both the default frontend block and the backend block.

Port 8888 is the port where the website itself is running.

frontend https
   bind *:443 ssl crt-list /etc/haproxy/ssl/private/crt-list.txt   # crt /etc/haproxy/ssl/bdpc-ssl.pem
   mode tcp
   tcp-request inspect-delay 5s
   tcp-request content accept if { req_ssl_hello_type 1 }
   use_backend acer2 if { ssl_fc_sni acer2.nmlindia.org }

Provide the certificate path; the mode should be tcp for the SSL port.