letsencrypt Fun with zimbra

so most people who don’t want to pay for ssl certs use letsencrypt which seems to have been added to most normal browsers and operating systems cert CA lists. zimbra is quite a pain to get working as it has to use a particular CA for letsencrypt. the assumption when using this is that you have a properly configured letsencrypt cert for zimbra that automatically downloads. there are probably better ways to do this but this is a quick script for after letsencrypt grabs new certs and you want to add it to zimbra…

#!/bin/sh

# Down and dirty means to renew LetsEncrypt cert with Zimbra

# I copy my LE certs to a dir so I don't totally bork my certs and have to go through certbot tomfoolery.
# Steps: 1. delete old copied certs, 2. copy new certs to zimbra cert staging dir, 3. copy the LE private key 
# to commercial.key, 4/5. change ownership of copied files to zimbra, 6. grab the LE root cert, 7. copy the 
# contents of the root cert and append it to chain.pem, 8. test things to make sure the commercial.key, cert,
# and chain are working together, 9. deploy to zimbra. 

# as root

rm /opt/zimbra/ssl/letsencrypt/*
cp /etc/letsencrypt/live/<directory>/* /opt/zimbra/ssl/letsencrypt/
chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*
cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key

# as zimbra

# stop if the root cert download fails or the key, cert and chain do not verify,
# so an incomplete or mismatched set is never deployed
su - zimbra -c "wget -O /opt/zimbra/ssl/letsencrypt/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt" || exit 1
su - zimbra -c "cat /opt/zimbra/ssl/letsencrypt/ISRG-X1.pem >> /opt/zimbra/ssl/letsencrypt/chain.pem"
su - zimbra -c "/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /opt/zimbra/ssl/letsencrypt/cert.pem /opt/zimbra/ssl/letsencrypt/chain.pem" || exit 1
su - zimbra -c "/opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/letsencrypt/cert.pem /opt/zimbra/ssl/letsencrypt/chain.pem"

sorry if the formatting here is borked. here is a .txt of what it should look like. click on newcert.txt to take a look at it or download if you want to just download it. i usually call it newcert.sh…

after this you need to zmcontrol restart as zimbra to ensure the certificate gets put into use.

# su - zimbra -c "/opt/zimbra/bin/zmcontrol restart"

zimbra should be using the updated cert after this. again. this is assuming that you have already configured letsencrypt and certbot is fetching new certs for you already. there are other steps that need to be done before this if this is your first time using letsencrypt with zimbra.

levinboot suspend Fun with Pinebook Pro

WARNING! DO THIS AT YOUR OWN RISK! POSSIBLE BRICKING OF PINEBOOK PRO!

UPDATE 2024-07-24: honestly…. just throw this piece of crap out. 😂 after years of trying to make this thing something that was even worth anything at all it fails miserably. you are better off finding an ancient 2010s macbook pro and installing linux on that.

UPDATE 2022-06-13: had a hiccup on my first day using suspend. seems like samba+winbind+pam+nss did not like coming off the AD network when i started it back up. it wasn’t a complete loss i just had to get back to lightdm and log back in using cached credentials. i am searching for a fix for this now but this is a bit difficult to test without coming off the network then figuring out a way to get back into the state i was in. otherwise, suspend has been a massive improvement on battery life if you are constantly closing and opening the pbp.

anybody who has a pinebook pro has probably lost their mind because suspend doesn’t work. this makes having an arm based laptop rather moot. i learned that using levinboot instead of u-boot with the lts linux kernel allows for actual legitimate suspend to ram to work. it still eats up around 2%/hr of battery life but that is still way better than s2idle or just leaving it on. it also means carrying a charger around isn’t as important. sorry but nvme still has its issues. so if you have one, you either have to pull it out or just not do this. i had to yank mine out. serial cable is super duper ridiculously highly recommended.

this was done with manjaro (running xfce) which is what i use day to day on the pbp on emmc. you first have to install linux-lts over linux. this is because there are bugs in the more recent manjaro kernels that prevent it from working. lts is decent and still works (5.15.x). first edit /etc/mkinitcpio.conf and you will see this line…

MODULES=(rtc_rk808 rockchipdrm panel_edp pwm_bl)

change panel_edp to panel_simple so the line looks like this…

MODULES=(rtc_rk808 rockchipdrm panel_simple pwm_bl)

once you do this, replace whatever kernel you have with the lts kernel with…

# pacman -S linux-lts linux-lts-headers

it will ask you to remove linux (and linux-headers) for whatever kernel you are running and it will replace them. after you do this you should completely power down and power back up again. this is just to ensure the kernel is functional. you should see something like…

# uname -a
Linux hostname 5.15.43-1-MANJARO-ARM-LTS #1 SMP PREEMPT Wed May 25 13:20:50 UTC 2022 aarch64 GNU/Linux

the reason you reboot is to ensure u-boot still works. using levinboot essentially stops you from using u-boot. it is important to know this because it means that you either need to write u-boot back to emmc or you need to get an img that is made using a levinboot payload.

levinboot uses a partition that you write raw to. unlike u-boot which requires you write two files to /dev/mmcblk2 (or 1 for sd), levinboot just needs one write to the actual device. you then write a payload raw to a partition using a special guid. to use an analogy related to u-boot: it would be like writing idbloader.img but then writing u-boot to a partition instead of the main device. i probably didn’t explain that properly but you’ll understand once you start doing it.

we want to ensure u-boot can still be brought back to life if necessary. there may be a lot of reasons you may want to do this (mostly because u-boot has active development and cross arch universal appeal). so we are going to ensure that /boot with all the u-boot bits still exists. i accomplished this by moving /boot (which in manjaro has its own partition on mmcblk2p1) to /boot unmounted on /dev/mmcblk2p2. essentially stopping it from having its own partition. in order to do this you need to..

# cd /mnt
# mkdir tmp
# umount /dev/mmcblk2p1
# mount /dev/mmcblk2p1 /mnt/tmp
# cd /mnt/tmp/
# cp -Rvp * /boot
# cd /boot
# umount /dev/mmcblk2p1

you have essentially copied anything u-boot needs to the larger partition on the emmc. now edit /etc/fstab and remove any references to /boot that you see. afterwards edit /boot/extlinux/extlinux.conf and change any references to dirs you see there to /boot/… it will look something like this…

LABEL Manjaro ARM
KERNEL /boot/Image
FDT /boot/dtbs/rockchip/rk3399-pinebook-pro.dtb
APPEND initrd=/boot/initramfs-linux.img console=ttyS2,1500000n8 … other options…

shut it down and start it back up again to ensure u-boot can still function. login and make sure /dev/mmcblk2p1 did not mount under boot. this can be checked quickly with df -h.

next you will need this awesome package created by Venom668 who packaged levinboot and it can be loaded side by side with u-boot.

save the file somewhere and go to the dir it is in and use pacman to install it…

# pacman -U levinboot-0.8.6.1-aarch64.pkg.tar.zst

he was nice enough to add instructions. just a warning. once you write levinboot-sd.img to emmc you have essentially ‘gotten rid of’ u-boot. you can no longer boot u-boot based sds. so this is really something you only do if you only want a functional laptop and do not want to use it as a playground. before doing the writing though you should take a look at cmdline.txt.

# cd /boot/levinboot
# nano -w cmdline.txt

ok. so the easiest way i found to modify the cmdline.txt was to just take the append portion of u-boot extlinux.conf, remove the initrd=linux… portion… and take the remainder and toss it into cmdline.txt. so your cmdline.txt should look SOMETHING similar to this (NOTE: NOT EXACTLY… COPY AND PASTE YOUR OWN PARTUUID FOR root=. I totally screwed myself doing this the first time out). pay close attention to this one and don’t rush it… this is all one line…

console=ttyS2,1500000n8 earlycon=uart8250,mmio32,0xff1a0000 ignore_loglevel no_console_suspend keep_bootcon root=PARTUUID=<YOUR PARTUUID!!> rw rootwait audit=0 plymouth.ignore-serial-consoles ipv6.disable=1

some of the stuff i have there you may not need but this is what i use. like i said. just take whatever is in your extlinux.conf and paste it in other than the initrd=thisstuff portion. after you are done doing this in the /boot/levinboot dir there is a script to update the payload.img. run the script from /boot/levinboot.

# ./update-payload.sh

this script will create a new payload.img that you will write raw to the /dev/mmcblk2p1 partition. now you have to move onto fdisk…

tl;dr…

# fdisk /dev/mmcblk2

> t
> 1
> e5ab07a0-8e5e-46f6-9ce8-41a518929b7c
> x
> A
> 2
> w

just a rundown of this black box stuff… t changes a partition tag. 1 is the partition you are choosing (mmcblk2p1). e5ab07a0-8e5e-46f6-9ce8-41a518929b7c is a special guid that levinboot uses to know this is the partition that it has a payload on. x swaps you to expert mode. A sets a boot flag on a partition, and 2 is the partition that gets it, so you can boot u-boot later if you really have to. i am not sure if u-boot needs the boot flag to be set but better safe than sorry. it won’t hurt anything anyways. w writes to disk and exits. i did this while everything was mounted because you’re really just toying with the partition table and not doing much by way of resizing partitions.

so at this point your emmc should be good to write levinboot to your emmc and partition. from /boot/levinboot…

# dd if=levinboot-sd.img of=/dev/mmcblk2
# dd if=payload.img of=/dev/mmcblk2p1

for safe measure but probably not necessary…
# sync

you can also add conv=fsync if you are paranoid. it’s a pinebook… just saying. at this point you SHOULD be able to power down. cross your fingers. power it back up. and boot.
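
a pre-flight check to run before the two dd writes above, added here as an example (it is not from the original post or the levinboot package). it confirms that root= in cmdline.txt names a PARTUUID that really exists, that the payload partition carries the type guid set in fdisk, and that payload.img fits. the function names and the sample lsblk text are constructed for illustration, and the checks take text as input so they can be tried without touching a disk.

```sh
#!/bin/sh
# Added example: pre-flight checks before writing levinboot. Not part of the levinboot package.

# Partition type GUID levinboot looks for (from the fdisk step).
LEVINBOOT_TYPE="e5ab07a0-8e5e-46f6-9ce8-41a518929b7c"

# Print the PARTUUID that root= points at in a kernel command line ($1).
cmdline_root_partuuid() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^root=PARTUUID=//p' | head -n 1
}

# Print field $3 for device $2 from `lsblk -bPo NAME,PARTTYPE,PARTUUID,SIZE` text ($1).
lsblk_field() {
    printf '%s\n' "$1" | grep "^NAME=\"$2\" " | sed -n "s/.* $3=\"\([^\"]*\)\".*/\1/p"
}

# preflight CMDLINE LSBLK_TEXT PAYLOAD_BYTES PAYLOAD_PART
# Prints one line per check and returns 0 only if every check passes.
preflight() {
    cmdline=$1; table=$2; payload_bytes=$3; part=$4; rc=0

    # 1. root= must name a partition that exists and is not the payload partition.
    root_uuid=$(cmdline_root_partuuid "$cmdline")
    part_uuid=$(lsblk_field "$table" "$part" PARTUUID)
    if [ -z "$root_uuid" ]; then
        echo "FAIL: cmdline has no root=PARTUUID="; rc=1
    elif ! printf '%s\n' "$table" | grep -qiF "PARTUUID=\"$root_uuid\""; then
        echo "FAIL: root PARTUUID '$root_uuid' not found in lsblk output"; rc=1
    elif [ "$root_uuid" = "$part_uuid" ]; then
        echo "FAIL: root= points at the payload partition $part"; rc=1
    else
        echo "ok:   root=PARTUUID=$root_uuid exists"
    fi

    # 2. The payload partition must carry levinboot's type GUID (the fdisk step).
    ptype=$(lsblk_field "$table" "$part" PARTTYPE | tr 'A-Z' 'a-z')
    if [ "$ptype" = "$LEVINBOOT_TYPE" ]; then
        echo "ok:   $part has the levinboot type GUID"
    else
        echo "FAIL: $part type is '${ptype:-unknown}', do the fdisk step first"; rc=1
    fi

    # 3. payload.img must fit inside the partition it is written to.
    psize=$(lsblk_field "$table" "$part" SIZE)
    if [ -n "$psize" ] && [ "$payload_bytes" -le "$psize" ]; then
        echo "ok:   payload ($payload_bytes bytes) fits in $part ($psize bytes)"
    else
        echo "FAIL: payload ($payload_bytes bytes) does not fit in $part (${psize:-?} bytes)"; rc=1
    fi
    return $rc
}

# Constructed sample data (not from a real machine) so the checks can be tried offline.
SAMPLE_CMDLINE='console=ttyS2,1500000n8 root=PARTUUID=22222222-2222-4222-8222-222222222222 rw rootwait'
SAMPLE_LSBLK='NAME="mmcblk2" PARTTYPE="" PARTUUID="" SIZE="62537072640"
NAME="mmcblk2p1" PARTTYPE="e5ab07a0-8e5e-46f6-9ce8-41a518929b7c" PARTUUID="11111111-1111-4111-8111-111111111111" SIZE="67108864"
NAME="mmcblk2p2" PARTTYPE="0fc63daf-8483-4772-8e79-3d69d8477de4" PARTUUID="22222222-2222-4222-8222-222222222222" SIZE="62400000000"'

preflight "$SAMPLE_CMDLINE" "$SAMPLE_LSBLK" 4194304 mmcblk2p1

# Real use, as root from /boot/levinboot, before either dd:
#   preflight "$(cat cmdline.txt)" "$(lsblk -bPo NAME,PARTTYPE,PARTUUID,SIZE)" \
#             "$(wc -c < payload.img)" mmcblk2p1 && echo "safe to write"
```
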

if you managed to make the alchemy work then you should see a rather quick booting into manjaro. the real test is making sure suspend to ram works. what you should do first is just hold alt+ctrl and press F2 in order to swing over to a console login (if you have a ui based one like lightdm or gdm running). login as root or as a user who can sudo -s. then sudo -s and become root and do this…

# cat /sys/power/mem_sleep

you should see [deep]. this means that the pinebook pro is set to suspend to ram. if it is not then something is wrong. you can force it but i doubt it would help later when you try to suspend it…

# echo deep > /sys/power/mem_sleep

before the final testing you may want to edit a couple of things…

EDIT: /etc/systemd/logind.conf
HandlePowerKey=ignore

EDIT: /etc/systemd/sleep.conf
AllowSuspend=yes
SuspendState=mem

once that’s done your pinebook pro should be sort of all set for sleep mode. you may want to reboot one more time just to ensure these settings are in effect. the first edit is needed because otherwise, when you press the power button to wake it up, it comes out of sleep mode and then turns off.

once you are set. you are booting levinboot. your /sys/power/mem_sleep says [deep]. you can run this…

# echo mem > /sys/power/state

the second you hit enter your pinebook pro SHOULD go to suspend to ram. it would be easier to confirm this with a serial cable but another easy way is to wait around 20-30s and press the power button on the keyboard for about 2-3s to wake it up. if it comes back to life you are successful and can finally use it how it should be used. i am not sure about other desktop environments (like gnome or kde) but i think they all call systemd in order to control sleep mode so you should be able to set all the settings that you normally do in order to do things like closing the lid to put it to sleep. at least for me in xfce this all seems to function properly. suspend key works and closing the lid puts it to sleep and opening it again wakes it up.

good luck. if you got it to work you can bask in the glory of finally having an arm based laptop that doesn’t get charged like an x64.

zfs snapshot Fun with FreeBSD

i migrated away from truenas (formerly freenas) and decided to use vanilla freebsd. truenas tended to be far behind freebsd version and in the past couple of years or so their support with relation to bug reports has tanked with them requesting a verbose log for easily reproducible bugs; else WONTFIX. i also wanted the zfs support without the awkward gpl vs. cddl tomfoolery you tend to find with linux distributions. i understand that zfs is well integrated into linux but freebsd was the best support for a long time.

after setting everything up so freebsd could be used as a fileserver (really just samba) i wanted to be able to do periodic backups. i first tried zfs-snapshot-mgmt which seemed straightforward but did not run properly. someone in #freebsd on liberachat suggested zfs-periodic.

install it:

# pkg install zfs-periodic

zfs-periodic uses /etc/periodic.conf for its configuration. it gives you some suggestions on how to set it up after its install from pkg. (i use pkg because it’s quick and easy. some people use the ports tree because they need certain things baked in.)

Message from zfs-periodic-1.0.20130213


In order to enable periodic snapshots you need to add these lines to your /etc/periodic.conf

hourly_output="root"
hourly_show_success="NO"
hourly_show_info="YES"
hourly_show_badconfig="NO"
hourly_zfs_snapshot_enable="YES"
hourly_zfs_snapshot_pools="tank"
hourly_zfs_snapshot_keep=6

FreeBSD 13.1 pkg install for zfs-periodic-1.0.20130213

going off the github page it seems as though output show_success show_info show_badconfig are only required in hourly_. the rest of the options are similar if you want to make a daily_ weekly_ or monthly_ block too. example: add daily_zfs_snapshot_enable="YES" with the same types of options as hourly_ underneath. to break this down. hourly_output="root" is the user that will run zfs snapshot. the show options are a bit obvious. <type>_zfs_snapshot_enable="YES" is to enable the type of snapshot schedule. hourly_zfs_snapshot_pools="tank" is what datasets you want to snapshot. you add more than one by putting a space. for instance if you have more than one pool with datasets and want to add both of them for a scheduled snapshot then make it "tank foo". This is based on datasets so if you don’t want tank and want tank/home then just put "tank/home foo". hourly_zfs_snapshot_keep=6 means it will keep the last 6 snapshots (or last 6 hours worth). any snapshots that are older than this will be destroyed (or pruned if you want to use that word instead).

afterwards you have to edit /etc/crontab and add an hourly line for periodic.

2 * * * * root periodic hourly

this will run periodic and run through the hourly scripts (these don’t have to just be the zfs-periodic scripts; it can do a lot more) at the 2nd minute of every hour. freebsd periodic already comes with entries for daily weekly and monthly. might as well leave those alone.

# service cron restart

this will restart the cron service in order for your changes to cron to work.

if you make changes mid week or month you can always just run periodic <weekly/monthly> to snapshot right away.

# periodic weekly
# zfs list -t snapshot

you should see your snapshots. weekly will show the week number at the end. so it would be weekly_year_11 if you are in the 11th week of the year.

smb Fun with Proxmox

i have containers which mount smb shares from a freebsd server. i added the smb shares to the fstab within the container. the container is privileged and cifs is checked for options in proxmox. i noticed that mounting would not occur properly. sometimes they would mount, sometimes they would not, sometimes one would and the rest wouldn’t. i added _netdev to the fstab options. i only tried once so far but they all mounted this time. _netdev is a flag that makes the mount wait for a network device prior to attempting the mount. i thought that this was done automatically if cifs was being used in fstab. maybe i am wrong or maybe proxmox needs this for containers when they boot? i only tested it once because i cant just keep rebooting this container. i may try another container just to see how it goes. but the first time seemed to work fine. hopefully this is no longer a problem.

nvme Fun with Pinebook Pro

got an nvme adapter for the pinebook pro and a patriot P300 (256GB). installation was pretty straightforward. put the nvme on the adapter, screw it down into the case on the bottom around where the trackpad is. connect the included ribbon cable (be careful with this thing) to the connectors. don’t forget to lift the tiny tabs up before trying to shove it into the ports. side note: not sure if this is the same for everybody but my ribbon cable sort of stands up a little. this isn’t a major issue but don’t expect it to sit perfectly flush when you put it in. and be wary of that sticker that’s connected to the “no battery” cabling. it will stick to the ribbon cable. this happened to me so i guess it’s a forever cable because i don’t think i can get that sticker off of it anymore. i should have taken that sticker out when i had the chance but it was connected to the other ribbon cable. whatever.

pretty much worked out the box. the only thing that sort of sucks is that you can’t keep the adapter in the pinebook pro without the nvme on it because it locks into place by using a small golden “nut” by screwing it in from the bottom (trackpad side) up and not downward. so the nvme must go into it prior to mounting it onto the pinebook pro.

another thing discovered is that the nvme can draw too much power and should be power limited. there are instructions on the pinebook pro wiki that explain how to do this. when i have time i’ll see if i can write up how this is added as a service. some nvme can save this onto the drive itself; some cannot. mine cannot. so i need to run a service that does this on boot. i didn’t notice much of a drop in the speed when limiting the power. i have been using it as the /home dir for a manjaro install booting from emmc. (128GB module). works great.

swap Fun with Proxmox

so i set up proxmox a while back and its installer doesn’t partition disks for swap space. so i used a zvol to create swap. i noticed that some containers just absolutely lose it for some reason when they begin swapping. it makes no sense and i haven’t quite figured out the reason why. it seems related to older posts about proxmox losing swap control because cgroup2 was not implemented but later it seems that this was supposed to be fixed. swapping is typically abnormal anyways. the solution was to just give the main culprit more ram and disable swap. this seems to be doing the trick but i would like to sort out exactly why this is happening. i don’t want to bump into oom (out of memory) issues in the container (which has been given 16GB of my 64GB in my awesome ryzen proxmox server).

serial Fun with Pinebook Pro

so i have a serial cable now but it wouldn’t work on my macbook air running ubuntu. some brltty thing that was doing something. so i went ahead and did the stuff from this github link and it works. i guess the udev rules are jacked up or something. whatever. just in case someone bumps into this.

ffmpeg nvenc Fun in Linux

so if you have ripped your bluray discs because you got sick of throwing them in and out of a player like it’s 1999… then you probably want to conserve space. some people rip them properly without any loss of quality direct from the disc commonly known as ‘remuxing’ in the video world. but if you did it to shows and have it nice and organized it sucks to be wasting space on media you hardly watch. so most people want to encode this to hevc which really crushes it down. i figured i’d give people an example of ffmpeg methods using nvenc. this assumes you have a functional nvidia gpu in your system (i personally have an ancient P400 because crypto and chip shortages make getting anything newer or better a chore)…

this will help you encode an entire directory (good for shows adjust to your system)

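for i in *.mkv;
do
# strip only the .mkv extension so dots inside the file name survive
name="${i%.mkv}"
echo "$name"
# the stream specifiers are quoted so the shell does not treat ? as a glob
ffmpeg -i "$i" -map "0:a?" -map "0:s?" -map 0:v -tag:v hvc1 -c:v hevc_nvenc -cq:v 28 -c:a copy -c:s copy -preset slow -tune hq -rc:v vbr -b:v 0 "/some/directory/for/encoding/${name}.mkv"
done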

so just to understand. you must be in the directory with a lot of files (in this case mkvs). then just run it. typically you add it to your path to make it quick and easy or you can alias it or something. what it does is it grabs a list of files and runs each one in order through the ffmpeg command. if you lower the ’28’ to a lower number then the quality is supposed to increase (i think). i just sort of slapped this together to get something functional going. i am sure there are better flags for ffmpeg when using nvenc but this one has given me the best quality vs space.

another quick and easy for individual files.

ffmpeg -i "$1" -map "0:a?" -map "0:s?" -map 0:v -tag:v hvc1 -c:v hevc_nvenc -preset:v p7 -cq:v 28 -c:a copy -c:s copy -preset slow -tune hq -rc:v vbr -rc-lookahead 20 -b:v 0 "/some/directory/for/encoding/$1"

this one requires that the individual file name be placed in quotes when using it ("iwantthis.mkv"). it sort of sucks trying to rummage through the man page but at least this may get you in the right spot where you can start tweaking things. in this case the focus was only on turning h264 video into h265 but you can also use ffmpeg to convert the audio etc if you would like. in these it just copies everything else and encodes the video.

just a note: subtitles are a special case. i have never really tried to convert them into something else ever so you’re on your own with that. from my understanding it is a little bit more difficult especially if you are trying to change to different formats. good luck.

Samba Offline AD Users Fun with Pinebook Pro

this was done with manjaro xfce.

so i went through the process of connecting to an ad in order to have centralized authentication (among a few other things that may be ‘good’ for). but being a laptop i want to make sure that the pinebook pro can still login as an ad user when it isn’t connected to the same network. this seems to work with the common settings found on samba.org which explains how to configure pam and smb.conf to work this way.

what i noticed though is that when i am off the network there is a long delay when trying to login as a cached ad user. i need to investigate this more but it is incredibly annoying. maybe i might move over to sssd but sssd seems a little underbaked in manjaro/arch. it is far easier to configure in debian or ubuntu. manjaro stock image repos are also missing realmd which i guess is a thing. i’ll update here if i find anything that can fix this.

just a note: manjaro instructions are the ‘old school’ way of doing it where you need to set up kerberos, samba / winbind, and pam in order for it to function. some people said they had success with sssd but i didn’t bother with it yet since old school method works for fbsd and it is best to keep that fresh.

Distro Fun with Pinebook Pro

so i am sure plenty of people are going through the motions trying to find that perfect distro to set up on their pinebook pro. and are having either good or bad success. i figured i’d post a few notes on the distros i have attempted to try so far.

manjaro plasma – installs, runs, jittery. ran this on emmc without sd installed. it jumps all over the place. you will notice this when under high load.

manjaro gnome – installs, runs, jittery, ran this on emmc without sd installed. it jumps all over the place. you will notice this when under high load.

manjaro xfce – installs, runs, smooth. running this now on emmc with sd installed (512GB samsung EVO A2). seem to be bumping into random freezes. not really sure what’s causing it but i am sure it is related to flakey emmc issues. hopefully i can catch it when it happens.

armbian xfce – does not run on emmc. this may be related to emmc issues with pinebook pro. i somehow managed to get it to run with emmc disabled on a sd. xfce is a bit lacking and you run into weird issues like firefox not being able to ‘save as…’ files. i tried to fix this by removing thunar to use the gnome filemanager instead but thunar had tons of xfce deps attached to it that i thought i could remove as well. that did not work out so well and xfce was wrecked.

armbian gnome – after ruining the xfce install i decided to just go ahead and install gnome on it. this was probably the best ux i had with the pinebook pro but, again, does not boot from emmc. the only way i managed to get this to boot was using tow-boot. also i ran into an issue after an update where i HAD to choose “boot from SD” in the boot menu of tow-boot instead of it automatically booting. i never really looked too deep into that since i moved onto manjaro xfce which seems stable and does what i need.

dietpi – just like armbian i could not get this to boot from emmc. this may be related to the emmc issues people are discussing. not sure though. it did boot from sd. it is a very stripped down version of armbian and the install was really nice with console menus to get you started. it is up to you to get a decent setup going though. you are pretty much starting out with the bare minimum which is what this distro attempts to do in order for you to take your own path. apt though so that’s always nice.

openbsd – it managed to boot from sd but needs serial console at this time. i did not get farther than this since i didn’t have a serial cable. maybe i’ll look into this when it is further along or i get my serial cable.

fun fact about armbian.. it is actually more ubuntu than debian. just saying.

maybe this will help someone out.