Benpro - Blog https://blog.benpro.fr/ FLOSS and Japan things Sun, 05 Feb 2023 07:44:36 +0000

undocker, run a Docker image without Docker https://blog.benpro.fr/undocker-run-a-docker-image-without-docker

I self-host on *.benpro.fr a lot of things with LXD, right now I have 20 LXC containers managed by LXD on a single machine.

When I want to self-host something, there are three possibilities:

  • The software is packaged in Debian/Ubuntu or Archlinux: I just launch a new container, and install the software with the package manager. For example, this is the case of Miniflux.
  • The software is not packaged but there is a production install guide: I just launch a new container and do all the necessary actions. For example, this is the case of Mastodon.
  • The software is only available via Docker: I could try to translate the Dockerfile to manual steps but I prefer to just not use it.

But thanks to a new discovery, this has changed!

I discovered undocker and skopeo. With these two tools you can easily extract a Docker image (a succession of “layers”), and run the app out of Docker.

I tried with Photoview. Here is the basic guideline:

  • Deploy with LXD an LXC container with the same Linux distribution as the Dockerfile uses.
  • Install MariaDB since the app needs a database.
  • Extract the Docker image.
  • Identify the required environment variables by reading the Dockerfile and the Docker Compose file.
  • Create a systemd unit file.
  • Launch the application with systemd.
  • ???
  • Profit! Give the middle finger to Docker!

Here are the steps for Photoview:

$ lxc launch images:debian/11 gallery
$ lxc exec gallery bash
# apt install mariadb-server skopeo wget
# mysql -e "CREATE DATABASE photoview; GRANT ALL PRIVILEGES ON photoview.* TO 'photoview'@localhost IDENTIFIED BY '<PASSWORD>'"
# wget https://git.sr.ht/~motiejus/undocker/refs/download/v1.0.1/undocker-linux-amd64-v1.0.1 -O /tmp/undocker
# install -m 755 /tmp/undocker /usr/local/bin/undocker
# adduser --disabled-password photoview
# sudo -iu photoview
$ skopeo copy docker://docker.io/viktorstrate/photoview:latest docker-archive:photoview.tar
$ mkdir photoview cache
$ cd photoview
$ undocker ~/photoview.tar - | tar -xv
$ cat << EOT > ~/.env
PHOTOVIEW_LISTEN_IP=127.0.1.1
PHOTOVIEW_LISTEN_PORT=1234
PHOTOVIEW_SERVE_UI=1
PHOTOVIEW_UI_PATH=/ui
PHOTOVIEW_DATABASE_DRIVER=mysql
PHOTOVIEW_MYSQL_URL='photoview:<PASSWORD>@tcp(127.0.0.1)/photoview'
PHOTOVIEW_MEDIA_CACHE=/home/photoview/cache
MAPBOX_TOKEN=<TOKEN>
EOT
# cat << EOT > /etc/systemd/system/photoview.service
[Unit]
Description=Photoview
After=network.target
Requires=mariadb.service

[Service]
Type=simple
User=photoview
EnvironmentFile=/home/photoview/.env
BindReadOnlyPaths=/proc
WorkingDirectory=/app
RootDirectory=/home/photoview/photoview
ExecStart=/app/photoview
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOT

# systemctl daemon-reload
# systemctl enable --now photoview
# systemctl status photoview
● photoview.service - Photoview
     Loaded: loaded (/etc/systemd/system/photoview.service; enabled; vendor preset: enabled)
    Drop-In: /run/systemd/system/service.d
             └─zzz-lxc-service.conf
     Active: active (running) since Sun 2021-09-05 12:49:47 UTC; 8s ago
   Main PID: 4643 (photoview)
      Tasks: 9 (limit: 7084)
     Memory: 54.1M
     CGroup: /system.slice/photoview.service
             ├─4643 /app/photoview
             └─4653 /usr/bin/perl -w /usr/bin/exiftool -stay_open True -@ - -common_args -n

Sep 05 12:49:47 test photoview[4643]: 2021/09/05 12:49:47 Scan interval runner: Waiting for signal
Sep 05 12:49:47 test photoview[4643]: 2021/09/05 12:49:47 Scan interval runner: New ticker detected
Sep 05 12:49:47 test photoview[4643]: 2021/09/05 12:49:47 Scan interval runner: Waiting for signal
Sep 05 12:49:47 test photoview[4643]: 2021/09/05 12:49:47 Found executable worker: darktable (this is darktable-cli>
Sep 05 12:49:47 test photoview[4643]: 2021/09/05 12:49:47 Found executable worker: ffmpeg (ffmpeg version 4.3.2-0+d>
Sep 05 12:49:47 test photoview[4643]: 2021/09/05 12:49:47 Found exiftool
Sep 05 12:49:47 test photoview[4643]: 2021/09/05 12:49:47 Initializing face detector
Sep 05 12:49:48 test photoview[4643]: 2021/09/05 12:49:48 Photoview API endpoint listening at http://127.0.1.1:1234>
Sep 05 12:49:48 test photoview[4643]: 2021/09/05 12:49:48 Photoview API public endpoint ready at /api
Sep 05 12:49:48 test photoview[4643]: 2021/09/05 12:49:48 Photoview UI public endpoint ready at /

And voilà! 🎉

Now, you still have the same issue as when using Docker: the Dockerfile may have used old software and libraries when compiling the application... But somehow I find it better, and it integrates well with my LXD usage.

Note that it is also possible to not use RootDirectory in the systemd unit file and install all the required dependencies (ffmpeg, darktable, ...) yourself; it may also work and gives you more control over these dependencies, instead of relying on what is shipped in the Docker image.
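What undocker does with the archive that skopeo wrote, as an added Python example (not the post's code and not undocker's source): apply every layer listed in manifest.json in order, honour the .wh. whiteout entries that delete files from lower layers, and refuse any entry or link target that would escape the extraction directory, since that directory becomes the unit's RootDirectory. The two-layer image it builds is constructed for the demonstration.

```python
"""Flatten a docker-archive (what `skopeo copy ... docker-archive:` writes) into
one directory tree the way undocker does: layers applied in manifest order, OCI
whiteouts honoured, entries escaping the tree refused. Added example for this
post, not undocker's code; the sample image is constructed."""
import io, json, os, posixpath, shutil, tarfile, tempfile

WH_PREFIX = ".wh."       # "<dir>/.wh.<name>" deletes <dir>/<name> from lower layers
OPAQUE = ".wh..wh..opq"  # "<dir>/.wh..wh..opq" hides every lower-layer entry of <dir>

def safe_relpath(name):
    """Normalise a member name and refuse anything above the root."""
    rel = posixpath.normpath(name.lstrip("/"))
    if rel == ".." or rel.startswith("../"):
        raise ValueError("layer entry escapes the root: %r" % name)
    return "" if rel == "." else rel

def check_link(member):
    """Link targets must stay inside the tree too, or a later layer (or the
    service) writes through them to the host. Absolute targets are fine: the
    tree becomes / once it is the unit's RootDirectory."""
    if member.issym():
        safe_relpath(posixpath.join(posixpath.dirname(safe_relpath(member.name)), member.linkname))
    elif member.islnk():
        safe_relpath(member.linkname)

def remove_path(path):
    if os.path.islink(path) or os.path.isfile(path):
        os.unlink(path)
    elif os.path.isdir(path):
        shutil.rmtree(path)

def apply_layer(layer_bytes, dest):
    """Apply one layer: whiteouts first, then the layer's own entries."""
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r:*") as layer:
        members = layer.getmembers()
        for m in members:
            parent, base = posixpath.split(safe_relpath(m.name))
            if base == OPAQUE:
                target = os.path.join(dest, parent)
                for child in (os.listdir(target) if os.path.isdir(target) else []):
                    remove_path(os.path.join(target, child))
            elif base.startswith(WH_PREFIX):
                remove_path(os.path.join(dest, parent, base[len(WH_PREFIX):]))
        for m in members:
            if posixpath.basename(m.name).startswith(WH_PREFIX):
                continue
            check_link(m)
            # dirs keep mkdir's 0o700 so later entries still land in them; files keep their mode (+x)
            layer.extract(m, dest, set_attrs=not m.isdir())

def undocker(archive_path, dest):
    """Flatten a docker-archive into dest; returns the layer names applied."""
    os.makedirs(dest, exist_ok=True)
    with tarfile.open(archive_path) as ar:
        layers = json.load(ar.extractfile("manifest.json"))[0]["Layers"]  # lowest first
        for name in layers:
            apply_layer(ar.extractfile(name).read(), dest)
    return layers

def tree(dest):
    return sorted(os.path.relpath(os.path.join(root, n), dest)
                  for root, dirs, files in os.walk(dest) for n in dirs + files)

def add_bytes(ar, name, data):
    info = tarfile.TarInfo(name)
    info.size = len(data)
    ar.addfile(info, io.BytesIO(data))

def build_archive(path, layers):
    """Write a constructed docker-archive from a list of {name: text} dicts,
    lowest layer first (parent directories are created on extraction)."""
    names = []
    with tarfile.open(path, "w") as ar:
        for i, entries in enumerate(layers):
            buf = io.BytesIO()
            with tarfile.open(fileobj=buf, mode="w") as lt:
                for name, text in entries.items():
                    add_bytes(lt, name, text.encode())
            names.append("layer%d/layer.tar" % i)
            add_bytes(ar, names[-1], buf.getvalue())
        add_bytes(ar, "manifest.json", json.dumps([{"Layers": names}]).encode())
    return path

def demo():
    """Constructed image: layer 1 ships the binary, an old config dir and a build
    secret; layer 2 whites out the last two and adds VERSION. A second archive
    tries to write outside the tree and must be refused."""
    with tempfile.TemporaryDirectory() as tmp:
        archive = build_archive(os.path.join(tmp, "photoview.tar"), [
            {"app/photoview": "#!/bin/sh\necho photoview\n",
             "app/config/old.conf": "debug=1\n", "etc/build-secret": "do-not-ship\n"},
            {"app/.wh.config": "", "etc/.wh.build-secret": "", "app/VERSION": "2.3.0\n"}])
        layers = undocker(archive, os.path.join(tmp, "rootfs"))
        flattened = tree(os.path.join(tmp, "rootfs"))
        bad = build_archive(os.path.join(tmp, "bad.tar"), [{"app/../../outside": "x"}])
        try:
            undocker(bad, os.path.join(tmp, "rootfs2"))
            refused = False
        except ValueError:
            refused = True
    return layers, flattened, refused
```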

https://blog.benpro.fr/undocker-run-a-docker-image-without-docker Sun, 05 Sep 2021 12:31:39 +0000
Get SWAP information for your LXD containers https://blog.benpro.fr/get-swap-information-for-your-lxd-containers

If you use LXD and you have SWAP enabled on your host machine you may want to know the SWAP usage of some containers.

To do that, you must first enable SWAP accounting in Linux, which is done by adding a kernel parameter at boot time. If you use GRUB, edit the GRUB_CMDLINE_LINUX_DEFAULT= line to add swapaccount=1, then run update-grub && reboot.

You can then have some stats with lxc info:

$ lxc info toots
[...]
  Memory usage:
    Memory (current): 860.96MiB
    Memory (peak): 1.64GiB
    Swap (current): 563.36MiB
    Swap (peak): 87.00MiB
[...]

It looks a little buggy though: the peak value is below the current value.

https://blog.benpro.fr/get-swap-information-for-your-lxd-containers Sat, 04 Sep 2021 09:41:31 +0000
tootpaste, clean your Mastodon instance https://blog.benpro.fr/tootpaste-clean-your-mastodon-instance

I wanted to write such a script for a long time but never found the motivation... And suddenly the motivation came to me!

So I present to you tootpaste, a simple bash script to clean your Mastodon instance.

It is basically a wrapper around tootctl but adds some more logic, especially around accounts cull, to detect instances in error and purge them (expired certificate, cannot connect, etc.).

https://blog.benpro.fr/tootpaste-clean-your-mastodon-instance Sun, 29 Aug 2021 01:31:20 +0000
LXD and Archlinux containers broken https://blog.benpro.fr/lxd-and-archlinux-containers-broken

systemd-resolved.service: Failed to set up mount namespacing: /run/systemd/unit-root/proc: Permission denied
systemd-logind.service: Failed to set up mount namespacing: /run/systemd/unit-root/proc: Permission denied
[...]

Meh!

I run some containers with Archlinux and when I update them, monthly, they break most of the time, because everything related to systemd keeps getting new security features that LXD and AppArmor cannot handle well.

After lots of dirty hacks, it turns out Canonical patched this by adding a systemd generator that adds all the required drop-in unit files.

If you launch a new container it will benefit from this patch, because the base image is updated. But what if you run an old container? Either you launch a new container and migrate your old container to the new one... Or you add this file to your container, reboot, and voilà!

mkdir /etc/systemd/system-generators
wget https://raw.githubusercontent.com/lxc/distrobuilder/master/distrobuilder/main.go -O /tmp/main.go
awk -v RS='^$' -v FS='`' '{
                  n = split($0, extracted)
                  print extracted[14]
              }' /tmp/main.go > /etc/systemd/system-generators/lxc
chmod +x /etc/systemd/system-generators/lxc
reboot

Note: That command may not work anymore if they change the main.go file.

Also, why the hell do they embed the sh script in the go source code?!

https://blog.benpro.fr/lxd-and-archlinux-containers-broken Sat, 31 Jul 2021 06:25:43 +0000
Emojis support with Konsole on Archlinux https://blog.benpro.fr/emojis-support-with-konsole-on-archlinux

I just installed a new Archlinux machine and noticed that Konsole doesn't display color emojis by default.

Here's how to do it:

  • Install noto-color-emoji-fontconfig from AUR.
  • DONE.

What it does is install the noto-fonts-emoji AUR package and push a fontconfig file that tells your system to use the Noto font for displaying emojis.

Now I wonder why this is not the default?


https://blog.benpro.fr/emojis-support-with-konsole-on-archlinux Sat, 20 Feb 2021 00:33:18 +0000
Shipping methods from Japan to France/Europe https://blog.benpro.fr/shipping-methods-from-japan-to-france-europe

Note: This is mostly a memo for me because I am always lost behind all those shipping methods available.

Japan Post website. Tariff code for customs

EMS

  • Max weight: 30kg
  • Example price for 500g: 2,200¥
  • Delivery: about one week
  • Registered: yes
  • Insured: yes, 20,000¥, more possible
  • More details

International ePacket

  • Max weight: 2kg
  • Example price for 500g: 1,235¥
  • Delivery: about two weeks
  • Registered: yes
  • Insured: yes, 6,000¥
  • More details

Small packet AIR

  • Max weight: 2kg
  • Example price for 500g: 960¥
  • Delivery: about one month
  • Registered: option, 410¥
  • Insured: yes if registered, up to 6,000¥. If more than 6,000¥: 400¥
  • More details

Small packet Surface (boat)

  • Max weight: 2kg
  • Example price for 500g: 430¥
  • Delivery: about three months!
  • Registered: option, 410¥
  • Insured: yes if registered, up to 6,000¥. If more than 6,000¥: 400¥
  • More details

Others for more than 2kg

Sending more than 2kg is not cheap! So I never used them. Available if your package is more than 2kg:

  • EMS, example 3kg: 6,600¥
  • Postal parcel via Air, example 3kg: 6,750¥
  • Postal parcel via Surface (boat), example 3kg: 2,900¥

Others not available

I don't really know why it is not available. Maybe it changes sometimes? Especially during the COVID period...

Small packet SAL

Used in the past, cannot use it anymore.

  • Max weight: 2kg
  • Example price for 500g: 580¥
  • Delivery: about one month
  • Registered: option, 410¥
  • Insured: yes if registered, up to 6,000¥. If more than 6,000¥: 400¥
  • More details

International ePacket light

Never used. Don't know the difference with the non-light...

https://blog.benpro.fr/shipping-methods-from-japan-to-france-europe Wed, 02 Dec 2020 11:32:08 +0000
PSA: Do not use OneProvider Cloud https://blog.benpro.fr/psa-do-not-use-oneprovider-cloud

This is a rant but also a PSA.

On their website: OneCloud is our KVM based virtualization infrastructure, available in two versions: General Purpose and Storage.

I set up a storage machine for a NFS filer purpose. I had two major incidents... In two months!

After about one month uptime: Machine down, cannot be powered on again. Asked support to resolve the issue: Took a long time but the machine was restored.

Again, after about one month uptime: Machine running but disk not responding, kernel put the partition in read only mode. Fact is the disk was not even visible anymore. Restarted the machine in the panel, then drama. After a fsck -y the server is back. But I can see that their storage solution is not reliable.

Do not use OneProvider Cloud, also called OneCloud at least for their storage machines, if you want reliable storage.

On the other hand, I am really happy with Hetzner, too bad that their storage is only SSD... Expensive! I want HDD storage.

https://blog.benpro.fr/psa-do-not-use-oneprovider-cloud Fri, 27 Nov 2020 12:43:57 +0000
Encrypted disk on RPi 4 Model B https://blog.benpro.fr/encrypted-disk-on-rpi-4-model-b

Note: This guide is for RPi 4 Model B, Raspberry Pi OS (Raspbian) and external disk drive (no SD card used, except for /boot). Kernel used is v7l+.

I like to encrypt all the devices I own, except for servers, which can be troublesome to decrypt... Anyway, here is a memo on how I configured encryption on an external disk for a RPi 4 B and boot from it.

Install required packages

# apt install busybox cryptsetup initramfs-tools lvm2

Prepare configuration

  • Set CRYPTSETUP=Y in /etc/cryptsetup-initramfs/conf-hook.
  • Add a kernel post-install hook:
# cat <<EOF > /etc/kernel/postinst.d/mkinitramfs
#!/bin/sh -e
version=\$1
if ! (echo "\$version" | grep -q "v7l+"); then exit 0; fi
mkinitramfs -o /boot/initramfs.gz "\$1"
EOF
chmod +x /etc/kernel/postinst.d/mkinitramfs

Encrypt the disk and copy filesystem

On a freshly written SD card Raspberry Pi image.

# cryptsetup luksFormat /dev/sda
# cryptsetup open /dev/sda crypted
# pvcreate /dev/mapper/crypted
# vgcreate vg0 /dev/mapper/crypted
# lvcreate -nrootfs -L30G vg0
# lvcreate -nhome -L100G vg0
# mount /dev/vg0/home /mnt/
# rsync -avh --progress /home/ /mnt/
# umount /mnt
# mount /dev/vg0/rootfs /mnt
# rsync -avh --progress --exclude={/proc/**,/sys/**,/dev/**,/tmp/**,/home/**,/mnt} / /mnt/

Note: I don't delete sources files on the SD card, as it can be useful to boot on the SD card later, for a rescue mode.

Configure fstab and crypttab

  • fstab:
/dev/mapper/vg0-rootfs  /      ext4  defaults,noatime  0  1
/dev/mapper/vg0-home    /home  ext4  defaults,noatime  0  1
  • crypttab:
crypted	/dev/sda	none	luks

Prepare an initramfs image

The RPi bootloader directly accesses the kernel image on the SD card's /boot partition and doesn't need an initramfs like traditional machines do. But, as we want to decrypt and mount LVM volumes, we need an image which contains the required tools.

# mkinitramfs -o /boot/initramfs.gz

Check that the image has cryptsetup and LVM tools:

# lsinitramfs /boot/initramfs.gz | grep -e cryptsetup -e lvm

Note: It may fail to detect the root device; in this case, at the next reboot you will have to manually luksOpen and vgchange -ay in busybox to be able to boot correctly. After that “manual” boot, you can redo mkinitramfs and it should work.

Final steps with RPi bootloader

  • Add to /boot/config.txt:
initramfs initramfs.gz followkernel
  • Modify /boot/cmdline.txt to add new root device and crypt device:
root=/dev/mapper/vg0-rootfs cryptdevice=/dev/sda:crypted

Also, remove quiet or splash to see the boot process and to be able to have a prompt asking for your LUKS password.
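Before rebooting, it is worth checking that the four files edited above agree with each other, since a mismatch is exactly what lands you in the busybox shell. The following is an added Python example written for this post (not part of Raspberry Pi OS or of the robpol86.com guide) that cross-checks cmdline.txt, crypttab, fstab and config.txt; the sample file contents are constructed from the values used here, and the second cmdline deliberately contains the kind of slip the check is meant to catch.

```python
"""Cross-check the RPi LUKS-on-LVM boot files: cmdline.txt, crypttab, fstab
and config.txt must name the same devices and the initramfs must be loaded.
Added example for this guide; not a Raspberry Pi OS tool."""
import re

def parse_cmdline(text):
    """'root=/dev/x quiet' -> {'root': '/dev/x', 'quiet': ''}."""
    params = {}
    for word in text.split():
        key, _, value = word.partition("=")
        params[key] = value
    return params

def parse_table(text):
    """Whitespace-separated rows of fstab/crypttab, comments and blanks skipped."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows

def check_boot_config(cmdline, crypttab, fstab, config_txt):
    """Return the list of problems found; an empty list means the files agree."""
    problems = []
    params = parse_cmdline(cmdline)
    root = params.get("root", "")
    crypt_dev, _, crypt_name = params.get("cryptdevice", "").partition(":")
    if not root:
        problems.append("cmdline.txt: missing root=")
    if not (crypt_dev and crypt_name):
        problems.append("cmdline.txt: cryptdevice must be <device>:<name>")
    for flag in ("quiet", "splash"):
        if flag in params:
            problems.append("cmdline.txt: '%s' hides the LUKS passphrase prompt" % flag)
    # crypttab rows: <name> <device> <keyfile> <options>
    crypt_rows = {r[0]: r for r in parse_table(crypttab) if len(r) >= 4}
    row = crypt_rows.get(crypt_name)
    if row is None:
        problems.append("crypttab: no entry named %r" % crypt_name)
    elif row[1] != crypt_dev:
        problems.append("crypttab: %s opens %s but cmdline says %s" % (crypt_name, row[1], crypt_dev))
    elif "luks" not in row[3].split(","):
        problems.append("crypttab: %s lacks the luks option" % crypt_name)
    # fstab rows: <device> <mountpoint> <type> <options> <dump> <pass>
    fs_rows = {r[1]: r for r in parse_table(fstab) if len(r) >= 2}
    if "/" not in fs_rows:
        problems.append("fstab: no entry for /")
    elif root and fs_rows["/"][0] != root:
        problems.append("fstab: / is %s but cmdline root=%s" % (fs_rows["/"][0], root))
    # the bootloader must load the initramfs that carries cryptsetup and lvm
    if not re.search(r"^initramfs\s+\S+\s+followkernel\s*$", config_txt, re.M):
        problems.append("config.txt: missing 'initramfs <image> followkernel'")
    return problems

# Constructed inputs mirroring the values used in this guide.
CRYPTTAB = "crypted\t/dev/sda\tnone\tluks\n"
FSTAB = """# <device> <mountpoint> <type> <options> <dump> <pass>
/dev/mapper/vg0-rootfs  /      ext4  defaults,noatime  0  1
/dev/mapper/vg0-home    /home  ext4  defaults,noatime  0  1
"""
CONFIG_TXT = "dtparam=audio=on\ninitramfs initramfs.gz followkernel\n"
GOOD_CMDLINE = "console=serial0,115200 root=/dev/mapper/vg0-rootfs cryptdevice=/dev/sda:crypted rootwait"
# Typical slip: the disk got renamed after plugging in a USB stick, and quiet/splash were left in.
BAD_CMDLINE = ("console=serial0,115200 root=/dev/mapper/vg0-rootfs "
               "cryptdevice=/dev/sdb:crypted rootwait quiet splash")

def demo():
    """Problems for the consistent setup (none) and for the slipped one."""
    return (check_boot_config(GOOD_CMDLINE, CRYPTTAB, FSTAB, CONFIG_TXT),
            check_boot_config(BAD_CMDLINE, CRYPTTAB, FSTAB, CONFIG_TXT))
```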

And you're done!

Main source: robpol86.com website.

https://blog.benpro.fr/encrypted-disk-on-rpi-4-model-b Fri, 27 Nov 2020 06:34:37 +0000
Wireguard on Raspbian Buster https://blog.benpro.fr/wireguard-on-raspbian-buster

Raspbian Buster doesn't have WireGuard packages available. They are only available on Raspbian Bullseye (testing). To install them we can use APT preferences.

Enable the mirror and set apt pinning

# echo "deb http://archive.raspbian.org/raspbian/ testing main" > /etc/apt/sources.list.d/raspbian-testing.list
# cat << EOF > /etc/apt/preferences.d/raspbian-testing
Package: *
Pin: release a=testing,n=bullseye
Pin-Priority: 50

Package: wireguard wireguard-*
Pin: release a=testing,n=bullseye
Pin-Priority: 999
EOF
# apt update

Check that apt policy is OK and install it

# apt policy
[...]
50 http://archive.raspbian.org/raspbian testing/main armhf Packages
     release o=Raspbian,a=testing,n=bullseye,l=Raspbian,c=main,b=armhf
[...]
Pinned packages:
     wireguard-dkms -> 1.0.20201112-1 with priority 999
     wireguard-tools -> 1.0.20200827-1 with priority 999
     wireguard -> 1.0.20200827-1 with priority 999

# apt install wireguard

Note: WireGuard is not built into the Raspberry Pi kernel, so it will be compiled as a module with DKMS, which takes a few minutes.
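To see why these two stanzas let only the wireguard packages in from testing, here is an added Python example (not apt's code and not from this post) that evaluates the preferences file above the way apt_preferences(5) describes: a specific-form record (a package name or glob) wins over the general-form '*' record, and a source matched by no record keeps its default priority, assumed here to be the usual 500. The Release fields for the Buster source are constructed for the demonstration.

```python
"""Work out which pin priority APT assigns under the preferences file from
this post. Added example, not apt's code: it implements only the 'Package:'
glob and 'Pin: release' forms used here and assumes a default priority of 500."""
import fnmatch

PREFERENCES = """Package: *
Pin: release a=testing,n=bullseye
Pin-Priority: 50

Package: wireguard wireguard-*
Pin: release a=testing,n=bullseye
Pin-Priority: 999
"""

def parse_preferences(text):
    """Split a preferences file into stanzas of {field: value}."""
    stanzas, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                stanzas.append(current)
            current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas

def release_matches(pin, release):
    """'release a=testing,n=bullseye' matches when every listed field agrees with
    the Release file of the package's source (a=Suite, n=Codename, o=Origin...)."""
    kind, _, spec = pin.partition(" ")
    if kind != "release":
        raise ValueError("unsupported pin form: %r" % pin)
    return all(release.get(k) == v for k, _, v in (item.partition("=") for item in spec.split(",")))

def pin_priority(stanzas, package, release, default=500):
    """apt_preferences(5): the first matching specific-form record (name or glob)
    wins; otherwise the first matching general-form record ('*'); otherwise the
    default priority of the source."""
    specific = general = None
    for st in stanzas:
        if not release_matches(st["Pin"], release):
            continue
        prio = int(st["Pin-Priority"])
        patterns = st["Package"].split()
        if patterns == ["*"]:
            general = prio if general is None else general
        elif any(fnmatch.fnmatchcase(package, p) for p in patterns):
            specific = prio if specific is None else specific
    if specific is not None:
        return specific
    return general if general is not None else default

def demo():
    """Priorities for packages offered by the testing mirror versus by Buster.
    50 (< 100) is never installed over an already installed version; 999 beats
    Buster's 500 but stays below 1000, so it never forces a downgrade."""
    stanzas = parse_preferences(PREFERENCES)
    testing = {"o": "Raspbian", "a": "testing", "n": "bullseye", "c": "main"}
    buster = {"o": "Raspbian", "a": "stable", "n": "buster", "c": "main"}  # constructed
    return {
        "wireguard-dkms@testing": pin_priority(stanzas, "wireguard-dkms", testing),
        "wireguard@testing": pin_priority(stanzas, "wireguard", testing),
        "libc6@testing": pin_priority(stanzas, "libc6", testing),
        "libc6@buster": pin_priority(stanzas, "libc6", buster),
    }
```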

https://blog.benpro.fr/wireguard-on-raspbian-buster Fri, 27 Nov 2020 03:49:08 +0000
One year in Japan - Finding where to stay https://blog.benpro.fr/one-year-in-japan-finding-where-to-stay

This mid-September I will go to Japan for one year with a Working Holiday Visa as I'm taking a sabbatical leave.

I have booked the first 18 days in a standard hostel in Tokyo. My plan is to live in Tokyo for the first three to four months, finding a part-time job and taking Japanese classes.

After that, I will go to Sapporo, because of the amazing Snow Festival in February. Then, I will explore the country from north to south by hitchhiking. I'm not sure how many months I will hitchhike. I will maybe make some stops on big cities (Osaka, Fukuoka, ...).

Back to the subject of this post.

Where to stay in Tokyo for ~70,000¥/month (mid term staying)?

  • Apartment? A hassle for strangers and way too expensive
  • AirBNB? Too expensive
  • Hotel? Too expensive
  • Hostel? Well, 3 months in a hostel is kinda uncomfortable, budget matches though
  • Share-house (also called Guesthouse)? Yes, that's the way to go.

Except I really struggle to find a good share-house with a private room.

Here is a list of housing sites I found while exploring the web.

List of Share-houses

There are many websites/agencies, it seems infinite...

Sakura House

https://www.sakura-house.com/en One of the best-known agencies for foreigners. They are very slow to respond by mail. Many houses have only one shower... For 10+ rooms. That's a hassle. One thing I like is that the rent you see is the true rent you will pay, no hidden fees.

Oakhouse

https://www.oakhouse.jp/eng/ Maybe the second most popular after Sakura House. They have a contract fee from 30,000¥ to 50,000¥ and you need to add a maintenance fee to the total rent. They seem to have better-designed houses than Sakura.

DK House

http://www.e-guesthouse.com/eng/ They are big buildings with many rooms (100+), many showers, many facilities and so on. All rooms are the same. They have 30,000¥ contract fee and you need to add the common fee to the total rent.

Fontana: Tokyo City Apartments

http://www.tokyocityapartments.net/ This website is shady... Their houses too. Looks like there are no hidden fees though.

ComeOnUp Sharehouses

http://www.comeonup-house.com/en They have hidden fees for hot water shared between tenants.

Bamboo House

https://www.bamboo-house.com/roomgallery.php They have fees of 9,000¥ for common utilities.

Borderless House

https://www.borderless-house.com/jp/ They have fees of 7,000¥ to 12,000¥ for common utilities.

BeGoodJapan

https://bgj.co.jp/ They don't display the price on the website...

Fujimi House

https://fujimihouse.jp/?lang=en No hidden fees. The rent displayed is what you'll pay.

My choice

Edit: I have found a room with Sakura House for 66,000¥.

https://blog.benpro.fr/one-year-in-japan-finding-where-to-stay Fri, 16 Aug 2019 18:39:28 +0000