Meeting 2021-06-26 Raspberry Pi Diskless Workstation

The chatter of the meeting is at the bottom of the page; it’s just me talking, and the talk on the subject starts about 15 minutes in.
In this meeting I talked about setting up a Raspberry Pi as a diskless workstation. The files I describe have been anonymized, so they won’t work as given, but the flow is correct and complete.

We are currently deploying this to end users at a cost of about $100 for the compute end; that doesn’t include the monitors (dual 27-inch 1920×1080 LCDs) or a wireless keyboard and mouse.

This is the script that is run on the ‘Pi to set it up; it can be placed in /boot or downloaded with wget or curl.


#!/bin/bash
# Save this script as /boot/RDbuild.sh
# This script sets up most everything you should need for a Raspberry Pi
# to connect a Remote Desktop Session with 2FA to the corporate RD-Gateway
# Run this after setting the country code then bringing up the network, do
# not update the software on the pi beforehand - this script does that and
# logs everything in case something breaks in the future.

# Still to do
## Set config, set backgrounds
#

mkdir -p /home/pi/.Logs
Log()
{
tee -a /home/pi/.Logs/$(date +"%Y-%m-%d.txt")
}

sudo apt install -y git tig etckeeper | Log
sudo apt update | Log
sudo apt -y upgrade | Log
sudo apt install -y freerdp2-x11 vim vim-doc vim-scripts mc speedtest-cli inxi fonts-ubuntu* | Log
sudo pip3 install easygui

mkdir -p /home/pi/bin
cd /home/pi/bin || exit 1
# The construction below creates a file (adminaccess.service) and then cats
# everything to it until it matches the string 'EndOfText'. 
cat << 'EndOfText' > adminaccess.service
[Unit]
Description=Permit admin access from secretuser@www.clug.org
After=network-online.target
Before=multi-user.target
DefaultDependencies=no
Wants=network-online.target

[Service]
# SSH connection runs as, and uses the private key stored in this users home dir (~/.ssh/)
User=pi

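# SSH connection with port forwarding, forwards port 22 on the client through port 2280 on the server
# and creates the reverse (-R2288) port, which must be unique on the server.
# StrictHostKeyChecking=no accepts a server key that is not already in known_hosts;
# known_hosts is installed in step 10 below, and setting this to yes pins the server to it.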
ExecStart=/usr/bin/ssh -o StrictHostKeyChecking=no -o ServerAliveInterval=60 -o ServerAliveCountMax=3 \
-o ExitOnForwardFailure=yes -N -T -R2288:localhost:22 -i ~/.ssh/ed25519 -p 2280 \
secretuser@www.clug.org

# Wait one minute before trying to restart the connection if it disconnects, and keep retrying.
RestartSec=60
Restart=always

[Install]
WantedBy=multi-user.target
EndOfText
# Unit files are configuration, not programs, so install it with mode 644.
sudo install -m 644 adminaccess.service /etc/systemd/system/adminaccess.service
echo "Added adminaccess.service (1)" | Log

cat << 'EndOfText' > ConnectToWork
#!/bin/bash
User="${1}"
Pass="${2}"
# Uncomment only one of the three lines below.
LBI="tsv://MS Terminal Services Plugin.1.Desktop"
# LBI="tsv://MS Terminal Services Plugin.1.DevOps"
# LBI="tsv://MS Terminal Services Plugin.1.Finance"

# The user name and password are quoted so that spaces or shell characters in
# them are passed through unchanged. /cert-ignore skips validation of the
# gateway's certificate.
xfreerdp /cert-ignore /g:rd-gateway.example.com:4430 /gd:exampl "/gu:${User}" "/gp:${Pass}" /sound:sys:alsa \
/gdi:hw /multimon /f "/u:EXAMPLE\\${User}" "/p:${Pass}" /load-balance-info:"${LBI}" /v:rd-gateway.example.com

EndOfText
chmod a+x ConnectToWork
echo "Added ConnectToWork (2)" | Log

cat << 'EndOfText' > Help
#!/bin/bash
# This script connects to www.clug.org for assistance, opening
# a tunnel that remote admins can connect back through.
ScriptName=adminaccess.service
[ -n "${1}" ] && Opt=$( echo "${1}" | tr 'A-Z' 'a-z' )
case "${Opt}" in
q|x )
sudo systemctl disable ${ScriptName}
sudo systemctl stop ${ScriptName}
;;
* )
sudo systemctl enable ${ScriptName}
sudo systemctl start ${ScriptName} && echo "Started ${ScriptName}"
esac
EndOfText
chmod a+x Help
echo "Added Help (3)" | Log

cat << 'EndOfText' > StartHere
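#!/usr/bin/python3
import subprocess
import sys
import easygui as eg
msg = "Employee Information"
title = "Associates Login"
fieldNames = ["Login", "Password"]
fieldValues = eg.multpasswordbox(msg, title, fieldNames)
# multpasswordbox returns None when the dialog is cancelled.
if fieldValues is None:
    sys.exit(0)
# Pass the values as an argument list, not through a shell, so spaces, quotes
# or ';' in the login or password reach ConnectToWork unchanged.
Cmd = ["/home/pi/bin/ConnectToWork", fieldValues[0], fieldValues[1]]
subprocess.run(Cmd)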
EndOfText
chmod a+x StartHere
echo "Added StartHere (4)" | Log

cat << 'EndOfText' > autostart
@lxpanel --profile LXDE-pi
@pcmanfm --desktop --profile LXDE-pi
@xscreensaver -no-splash
@/home/pi/bin/StartHere
EndOfText
sudo cp autostart /etc/xdg/lxsession/LXDE-pi/
echo "Added autostart (5)" | Log

cat << 'EndOfText' > Update
#!/bin/bash
Log()
{
tee -a /home/pi/.Logs/$(date +"%Y-%m-%d.txt")
}
[ -e /home/pi/.Logs/$(date +"%Y-%m-%d.txt") ] && echo '='$_{1..38} | Log
sudo apt update | Log
sudo apt upgrade -y | Log
sudo apt-get -y autoremove | Log
if [ -f /var/run/reboot-required ]; then
echo 'Reboot required' | Log
sudo shutdown -r +2 "Rebooting in two minutes..."
else
echo 'No reboot needed' | Log
fi
EndOfText
chmod a+x Update
echo "Added Update (6)" | Log

cd
mkdir -m 0700 /home/pi/.ssh
cd .ssh
# Key files written below must not be readable by other users.
umask 077
echo "Created .ssh (7)" | Log

cat << 'EndOfText' > ed25519.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBImfS6jC8eknCw06KssCszdiLMINBvmi4679Fact18a For reverse tunnel only
EndOfText
cat ed25519.pub >> authorized_keys
chmod 644 authorized_keys
chmod 600 ed25519.pub
echo "Added ed25519.pub (8)" | Log

cat << 'EndOfText' > ed25519
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACASJn0uowvHpJwsNOirLArM3YizCDQb5ouOu/RWnLdfGgAAAJDO/g1wzv4N
cAAAAAtzc2gtZWQyNTUxOQAAACASJn0uowvHpJwsNOirLArM3YizCDQb5ouOu/RWnLdfGg
AAAEAxDSzm5ImkNJ32LceDv98MsZWnxg1Qfdr8jO0CwDq6GRImfS6jC8eknCw06KssCszd
iLMINBvmi4679Fact18aAAAACXN0ZXZlQFNSSgECAwQ=
-----END OPENSSH PRIVATE KEY-----
EndOfText
chmod 600 ed25519
echo "Added ed25519 (9)" | Log

cat << 'EndOfText' > known_hosts
|1|F1nKHIysQLR79CbrWewcYJ74mY6=|5Mw5E0QDksfb54FGHbEDTRCER75= ecdsa-sha2-nistp256 AAAAE2VjZerHFeh47GNmlL64gfMH3thQoPUtKt456fartbyty7JGTDGFweqf54bflwpkEd84WXnUQxCWyz4VvTXW2wyrnqhEe2kzFDMIZfCzMbb9yDiKu5ZTS8uPuLIgq1gkJkXo3mk=
|1|qDyy9RISBVo76huTetVrt5H6MF4=|dU4HqdQZJ6HEghi6DGFJ6gfhj6V= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXDGHH6HDDD3ytum768hgf9hjg89DFG7684nbBVCNHwjD5wAMiv5lwpkEd84WXnUQxCWyz4VvTXW2wyrnqhEe2kzFDMIZfCzMbb9yDiKu5ZTS8uPuLIgq1gkJkXo3mk=
EndOfText
chmod 644 known_hosts
echo "Added known_hosts (10)" | Log

# The lines from here down set a known set of keys, which keeps us from needing
# to remove keys on the remote end.
cat << 'EndOfText' > ssh_host_dsa_key
-----BEGIN OPENSSH PRIVATE KEY-----
[key material removed]
-----END OPENSSH PRIVATE KEY-----
EndOfText
sudo cp ssh_host_dsa_key /etc/ssh/
echo "Added ssh_host_dsa_key (11)" | Log

cat << 'EndOfText' > ssh_host_dsa_key.pub
ssh-dss AAAAB3NzaC1kc3MAAACBAN1Q0ZJ0vEJnd9HYKVVJ5LbbIXNgKDXYK/vMRqCbF9Gx4xJVJkxV9gYRc3JcyusjnI2QfbBzgJMDCggMypmzWvUmRZqvuiEpQPXQA2+lg8w2NS9jRFfJGrkVF9ybbt1RKQJQRzMVdGTVSGEqa9bBz6vb9UWHknpvLBb9foDjSEgBAAAAFQC+B0oVhYrCy7gFFlxz0J6qpDcsqwAAAIBoL1dYfb+pBBVvq4vPdp/1yQxvTn1RjFeTOw0m/pZ0wFAdedANcok76wpcGKteIdP+akkV5idrJ3JM56cEvW/c+kxsTahhUtDhsG1XVLwy4jsUBxdFVzulLuEb6ePUDV13oejY1tPhxu/9mTYB/q+BfGrs++QXKy1eKdP3NKnJqgAAAIEApqnDquBE7Sqa7dZYMDrJ9YQNpcBZouaT5aPYasWSdEcPo/yX86fABtb7cnPAPx+AKbNKzMKanHKIyD0DkvuVvxK0/aDyyKWMyud1+aEiVNf9iBInI2ZWEaXkqAfGPFE3A4lgheOW1tDcu7SFcG05W6T3/6KJXB4DiQZ9bFx9Iek= root@raspberrypi
EndOfText
sudo cp ssh_host_dsa_key.pub /etc/ssh/
echo "Added ssh_host_dsa_key.pub (12)" | Log

cat << 'EndOfText' > ssh_host_ecdsa_key
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACASJn0uowvHpJwsNOirLArM3YizCDQb5ouOu/RWnLdfGgAAAJDO/g1wzv4N
cAAAAAtzc2gtZWQyNTUxOQAAACASJn0uowvHpJwsNOirLArM3YizCDQb5ouOu/RWnLdfGg
AAAEAxDSzm5ImkNJ32LceDv98MsZWnxg1Qfdr8jO0CwDq6GRImfS6jC8eknCw06KssCszd
iLMINBvmi4679Fact18aAAAACXN0ZXZlQFNSSgECAwQ=
-----END OPENSSH PRIVATE KEY-----
EndOfText
sudo cp ssh_host_ecdsa_key /etc/ssh/
echo "Added ssh_host_ecdsa_key (13)" | Log

cat << 'EndOfText' > ssh_host_ecdsa_key.pub
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBE2M9NVI8UJQ+MOIGetwGhaX+JBb/JfnG3lwJPx/KjbMM7BIQ497TpPZtAlDlckLruML0SUhRkdIoOMqZnAyKoA= root@raspberrypi
EndOfText
sudo cp ssh_host_ecdsa_key.pub /etc/ssh/
echo "Added ssh_host_ecdsa_key.pub (14)" | Log

cat << 'EndOfText' > ssh_host_ed25519_key
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACASJn0uowvHpJwsNOirLArM3YizCDQb5ouOu/RWnLdfGgAAAJDO/g1wzv4N
cAAAAAtzc2gtZWQyNTUxOQAAACASJn0uowvHpJwsNOirLArM3YizCDQb5ouOu/RWnLdfGg
AAAEAxDSzm5ImkNJ32LceDv98MsZWnxg1Qfdr8jO0CwDq6GRImfS6jC8eknCw06KssCszd
iLMINBvmi4679Fact18aAAAACXN0ZXZlQFNSSgECAwQ=
-----END OPENSSH PRIVATE KEY-----
EndOfText
sudo cp ssh_host_ed25519_key /etc/ssh/
echo "Added ssh_host_ed25519_key (15)" | Log

cat << 'EndOfText' > ssh_host_ed25519_key.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBImfS6jC8eknCw06KssCszdiLMINBvmi4679Fact18a root@raspberrypi
EndOfText
sudo cp ssh_host_ed25519_key.pub /etc/ssh/
echo "Added ssh_host_ed25519_key.pub (16)" | Log

cat << 'EndOfText' > ssh_host_rsa_key
-----BEGIN OPENSSH PRIVATE KEY-----
[key material removed]
-----END OPENSSH PRIVATE KEY-----
EndOfText
sudo cp ssh_host_rsa_key /etc/ssh/
echo "Added ssh_host_rsa_key (17)" | Log

cat << 'EndOfText' > ssh_host_rsa_key.pub
ssh-rsa [key material removed] root@raspberrypi
EndOfText
sudo mv ssh_host_rsa_key.pub /etc/ssh/
echo "Added ssh_host_rsa_key.pub (18)" | Log

mkdir -p /home/pi/.local/share/applications
cat << 'EndOfText' > /home/pi/.local/share/applications/ConnectToWork.desktop
[Desktop Entry]
Comment=Connect to Work
Terminal=false
Name=Connect to Work
Exec=/home/pi/bin/StartHere
Type=Application
Icon=gnome-remote-desktop
EndOfText
echo "Added ConnectToWork.desktop (19)" | Log

sudo systemctl enable ssh.service
sudo systemctl start ssh.service
echo "Enabled & started ssh (20)" | Log
echo " "

echo "You should restart now with;"
echo "sudo shutdown -r now"
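
RDbuild.sh installs the same tunnel private key and the same SSH host keys on every Pi, so one copy of the script or one SD card carries the credentials for the whole fleet. The following is an added example, not part of the original script: each device creates its own key, and the tunnel server pins that key to the device's own reverse port. The key path, label format, function names and the `--provision` switch are assumptions; `restrict`, `port-forwarding`, `permitlisten` and `command=` are standard OpenSSH authorized_keys options.

```bash
#!/bin/sh
# Added example, not part of RDbuild.sh. Assumed names: tunnel_ed25519,
# make_device_key, tunnel_authkeys_line, the --provision switch.

# Create this device's own key pair on first run, so no private key has to be
# embedded in the build script.  $1 = key path, $2 = key comment
make_device_key() {
    [ -f "$1" ] && return 0
    ( umask 077
      mkdir -p "$(dirname "$1")" &&
      ssh-keygen -q -t ed25519 -N '' -C "$2" -f "$1" )
}

# Print the authorized_keys line the tunnel server should hold for one device.
# $1 = public key line, $2 = the device's reverse port, $3 = label
tunnel_authkeys_line() {
    # Port: digits only, no leading zero, at most five digits, unprivileged range.
    case "$2" in
        ''|0*|*[!0-9]*|??????*) echo "port must be a number" >&2; return 1 ;;
    esac
    if [ "$2" -lt 1024 ] || [ "$2" -gt 65535 ]; then
        echo "port must be 1024-65535" >&2; return 1
    fi
    # Label becomes the key comment; keep it to one safe token.
    case "$3" in
        ''|*[!A-Za-z0-9._-]*) echo "bad label" >&2; return 1 ;;
    esac
    ktype=${1%% *}
    rest=${1#* }
    blob=${rest%% *}
    case "$ktype" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "not a public key line" >&2; return 1 ;;
    esac
    [ "$rest" != "$1" ] || { echo "missing key data" >&2; return 1; }
    case "$blob" in
        ''|*[!A-Za-z0-9+/=]*) echo "bad key data" >&2; return 1 ;;
    esac
    # restrict switches every capability off; port-forwarding and permitlisten
    # then allow only this device's -R listener. command= covers the case
    # where a client asks for a session anyway.
    printf 'restrict,port-forwarding,permitlisten="localhost:%s",command="/bin/false" %s %s %s\n' \
        "$2" "$ktype" "$blob" "$3"
}

# Run on the Pi as:  sh this-file --provision 2288
if [ "${1:-}" = "--provision" ]; then
    port="${2:?usage: $0 --provision PORT}"
    key="$HOME/.ssh/tunnel_ed25519"
    label="pi-$(hostname)-$port"
    make_device_key "$key" "$label" &&
    tunnel_authkeys_line "$(cat "$key.pub")" "$port" "$label"
fi
```

The printed line goes into the tunnel account's authorized_keys on the server; removing that one line retires a lost device without touching the others.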

As far as the hardware is concerned, this is what we’ve been buying;

Case

‘Pi (2, 4, or 8GB)

Power Supply

Micro HDMI Cable (1, 2, 5, 10 Pack)

16GB Micro SD/TF

Meeting-2016-06-25 The Picnic!

When: Saturday, June 25th. 10:30 – Dark
Where: H.F. Walsh Shelter, Rentschler Forest (Follow Signs)
Who: Members (and family) are invited, others may join at the picnic!!!

Now, the important issues, what do we want to eat? Use the form below to let us know!

* Bring something to share: Beverages, Side dishes, Desserts!
* We’ll provide meat, flatware, napkins, cups, etc.
* Also, bring outdoor games, group games, maybe water balloons, anything!
* Electricity is NOT available at the site.
* A Motor Vehicle Permit is not required (it’s included with the shelter)
* Membership rates are prorated for new members.

Information about the park;

Address of the preserve: 5701 Reigart Rd, Hamilton, OH 45011

The preserve is North of Hamilton, very near the intersection of Route 4 and the Route 4 Bypass.

Map of the park; BC-MetroParks
Directions to the park; Google
Information about the park; Rentschler Preserve

A thousand apologies about the late notice, a car ran into a pole near my
house and took out my Internet – I’m recovering slowly, I don’t know about
the driver.

Backing up MySQL Databases

This is the script I run every morning to back up all of the databases on my MySQL server. It gets every database, including mysql, which has the users and access rights for users.

Obviously, you’ll need to modify a few of the variables in the script, but it shouldn’t be difficult. There are a few comments in the script. Feel free to ask questions if you have them; you can always e-mail me at steve at clug dot org.

#!/bin/sh
# MySQL backup script
# With a few modifications by Steve Jones
### System Setup ###
BACKUP=$HOME/.MySQL-Backup
### MySQL Setup ###
MUSER="root"  ;  MPASS="Secret!"  ;  MHOST="localhost"
MYSQL=$(which mysql)
MYSQLDUMP=$(which mysqldump)
GZIP=$(which gzip)
NEW=$(date +%Y-%m-%d)
OLD=$(date -d "7 days ago" +%Y-%m-%d)
### Start Backup for file system ###
[ ! -d "$BACKUP" ] && mkdir -p "$BACKUP" || :
### Start MySQL Backup ###
# Get all databases name
ALL=$("$MYSQL" -u "$MUSER" -h "$MHOST" -p"$MPASS" -Bse 'show databases')
for DB in $ALL
  do
  ### The perf_schema DB doesn't have events, it isn't even real.
  if [ "$DB" = "performance_schema" ]; then
    OPTS="--single-transaction --add-drop-table"
    else
    OPTS="--single-transaction --events --add-drop-table"
  fi
  NEWFILE="$BACKUP/$NEW-$DB.sql.gz"
  OLDFILE="$BACKUP/$OLD-$DB.sql.gz"
  # $OPTS is left unquoted on purpose so it splits into separate options.
  "$MYSQLDUMP" $OPTS -u "$MUSER" -h "$MHOST" -p"$MPASS" "$DB" \
  | "$GZIP" -9 > "$NEWFILE"
  ### If an oldfile exists, remove it. An added feature of this is that
  ### if you drop a DB, the last few days of its life will be here forever
  [ -f "$OLDFILE" ] && rm -f "$OLDFILE"
done
done
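
The script above passes the root password with `-p` on the command line, where other local users can see it in the process list, and the dump of the mysql database it writes holds the account credentials. The following is an added example, not the author's script: it moves the credentials into an owner-only option file read with `--defaults-extra-file` and keeps the dumps owner-only as well. The file locations, function names and the `--backup` switch are assumptions, and the seven-day clean-up step is left as in the original.

```bash
#!/bin/sh
# Added example, not the author's script. Assumed names: write_client_cnf,
# dump_db, ~/.my-backup.cnf, the --backup switch.

# Write a [client] option file that only its owner can read.
# $1 = path, $2 = user, $3 = password, $4 = host
write_client_cnf() {
    nl='
'
    # Refuse values that would need escaping inside a quoted option value.
    for v in "$2" "$3" "$4"; do
        case "$v" in
            *'"'*|*\\*|*"$nl"*)
                echo "value contains a quote, backslash or newline" >&2
                return 1 ;;
        esac
    done
    (
        umask 077
        # Truncate and tighten first, so an existing looser file is fixed
        # before the password is written into it.
        : > "$1" && chmod 600 "$1" &&
        printf '[client]\nuser="%s"\npassword="%s"\nhost="%s"\n' "$2" "$3" "$4" >> "$1"
    )
}

# Dump one database to $3 and compress it to $3.gz.
# $1 = option file, $2 = database, $3 = output .sql path, rest = extra options
dump_db() {
    cnf="$1"; db="$2"; out="$3"; shift 3
    (
        umask 077
        # --defaults-extra-file has to be the first option on the command line.
        if mysqldump --defaults-extra-file="$cnf" --single-transaction \
                --add-drop-table "$@" "$db" > "$out"; then
            gzip -9 -f "$out"
        else
            rm -f "$out"      # do not keep a partial dump
            exit 1
        fi
    )
}

# Run as:  sh this-file --backup   (after write_client_cnf has created $CNF)
if [ "${1:-}" = "--backup" ]; then
    CNF="$HOME/.my-backup.cnf"
    BACKUP="$HOME/.MySQL-Backup"
    NEW=$(date +%Y-%m-%d)
    mkdir -p "$BACKUP" && chmod 700 "$BACKUP"
    for DB in $(mysql --defaults-extra-file="$CNF" -Bse 'show databases'); do
        if [ "$DB" = "performance_schema" ]; then
            dump_db "$CNF" "$DB" "$BACKUP/$NEW-$DB.sql"
        else
            dump_db "$CNF" "$DB" "$BACKUP/$NEW-$DB.sql" --events
        fi || echo "dump of $DB failed" >&2
    done
fi
```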

Meeting-2015-12-19 SSH, offering assistance in a hostile world

If you offer remote assistance to an unknown party, there are security implications that might not be obvious.
For you to connect to them, they need to have properly configured quite a lot of stuff, which is the issue.

This presentation will go over the security issues, ssh configuration issues, ssh usage, and more!

I’ll update this post with the full presentation next Sunday morning (Dec 20th), for the live presentation, come to the meeting.

Hope to see you there!

Steve

Meeting-2015-07-25 Update / Upgrade … Improvement in both … Dave Hemmerle

Update / Upgrade … Improvement in both … Method and Content. Dave Hemmerle / CLUG Handout
Traditional or Basic Update:

1. GUI : Through the “Update Manager” a GUI found by Applications > Systems Tools > Administration > Update Manager.

2. Command Line: Open the terminal or terminal emulator:
Type in “sudo apt-get update -y && sudo apt-get upgrade -y”.
Followed by your password.
And finally the Update / Upgrade begins to run.

Improved automated method included:

1. A bash script, 2. a bin directory added to my home directory for the bash script, 3. password negated from sudo to run Update commands, and 4. Shortcut keys to run the Update file showing the terminal as the file is run so you know it ran.

Here are the steps to accomplish this:

1. The bash script and 2. a bin directory:
1. Create a “bin” directory in your /home/user_name/ directory.
2. Open a text editor and make the following bash script: “Update.sh” file.

dave@dave-ThinkPad-T500:~/bin$ cat Update

#!/bin/bash
#
# FILE NAME: Update.sh
# LOCATED: /home/dave/bin
#
# The following are the commands that I want to run to Update and Upgrade
# my applications as well as clean out some of the junk.
#
# This bash script or file (Update.sh) is in /home/dave/bin/ and can be run from the terminal
# or from "Hot Keys" using "Alt + u".
#
# Although running a file that lists files or has the ability to change files
# requires "sudo" or "root" level permission, the requirement for a "password" has
# been negated through the augmentation file "dave".
#
# This file has been added as /etc/sudoers.d/dave, and is read after the "sudoers" file.
#

# The last items read are used to establish the state of the password requirement.
# Thus, this augmenting file has the "last word" in the permission settings.
#
# And this indicates:
# NOPASSWD for user dave from ALL terminals, as ALL dave log on users, for the
# listed commands that follows:

sudo /usr/bin/apt-get -y update
sudo /usr/bin/apt-get -y upgrade
sudo /usr/bin/apt-get -y autoclean
sudo /usr/bin/apt-get -y autoremove

dave@dave-ThinkPad-T500:~/bin$

3. Make it into an executable (“chmod +x Update”) and store it in your /home/user_name/bin/.

This can be confirmed by “ls -lF Update” from the bin directory:

dave@dave-ThinkPad-T500:~$ cd bin && ls -lF
total 12
-rwxrwxr-x 1 dave dave 37 May 3 07:00 new.sh*
-rwxrwxr-x 1 dave dave 231 May 1 18:58 talk.sh*
-rwxrwxr-x 1 dave dave 150 Jun 25 14:58 Update*
dave@dave-ThinkPad-T500:~/bin$

Note the file Update* has an asterisk, as well as -rwxrwxr-x in its permissions, both of which indicate an executable file. Since update and upgrade can make changes above your normal user permission level, you need to use “sudo” to elevate your permission level to that of a superuser, or root, and it takes a password to authenticate yourself, unless the password requirement has been negated.

3. No Password for the commands:

Now there is another change that is needed: the ability to run the apt-get commands without stopping to input your password. This is accomplished through “sudoers” and a file in the “sudoers.d” directory, whose files are read after “sudoers” and amend the “sudoers” default permissions. (.d files / augmentation)

Make a file named after your user name in the /etc/sudoers.d directory. Keep in mind that this file is above your normal user home and other users may need to add similar files. Naming each file after its user will make them easier to maintain.

Change directory to your root “/etc” directory and then … from there … ls | grep "sudo" (there are a lot of files in “etc” and we are only interested in the ones with sudo in their names). Here is what I get:

dave@dave-ThinkPad-T500:/$ cd etc
dave@dave-ThinkPad-T500:/etc$ ls | grep "sudo"
sudoers
sudoers.backup
sudoers.d
sudoers.tmp.save
dave@dave-ThinkPad-T500:/etc$

1. If you do not have a “sudoers.backup”, back up the “sudoers”.

2. Then sudo cat sudoers:

dave@dave-ThinkPad-T500:/etc$ sudo cat sudoers
[sudo] password for dave:
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
dave@dave-ThinkPad-T500:/etc$

3. “sudoers.d” is a directory … change into it and list its contents … then “sudo cat README”.

This is what it says:

dave@dave-ThinkPad-T500:/etc/sudoers.d$ sudo cat README
#
# As of Debian version 1.7.2p1-1, the default /etc/sudoers file created on
# installation of the package now includes the directive:
#
# #includedir /etc/sudoers.d
#
# This will cause sudo to read and parse any files in the /etc/sudoers.d
# directory that do not end in '~' or contain a '.' character.
#
# Note that there must be at least one file in the sudoers.d directory (this
# one will do), and all files in this directory should be mode 0440.
#
# Note also, that because sudoers contents can vary widely, no attempt is
# made to add this directive to existing sudoers files on upgrade. Feel free
# to add the above directive to the end of your /etc/sudoers file to enable
# this functionality for existing installations if you wish!
#
#
dave@dave-ThinkPad-T500:/etc/sudoers.d$

I used my text editor and made the file “dave” that has additional user privilege specification:

dave@dave-ThinkPad-T500:/etc/sudoers.d$ sudo cat dave

# This file is in the sudoers.d directory and will be read
# after the sudoers file. Thus these permissions will be
# the last read and thus will be used.

# The statements indicate that when dave is the log in person …
# he can use ALL (terminals) … =(ALL) (as all users) … with
# NOPASSWD … needed for the following commands in the
# /usr/bin/apt-get -y update ….

dave ALL=(ALL) NOPASSWD: /usr/bin/apt-get -y update
dave ALL=(ALL) NOPASSWD: /usr/bin/apt-get -y upgrade
dave ALL=(ALL) NOPASSWD: /usr/bin/apt-get -y autoclean
dave ALL=(ALL) NOPASSWD: /usr/bin/apt-get -y autoremove

(The pattern “user name ALL=(ALL) ALL” reads as M U C: M = Machine or terminal, U = Users (any other user name this user name may be using), and C = Commands, that is, which commands are involved.)

The file dave is not an “executable” file as there is no script to be run. However, this file needs read permission (0440) so that it can be read and thus be used to change/augment the sudo password requirement.

We now have an “executable” bash script file called “Update” in my user’s /home/user_name/bin/ directory. The sudo permission does not require a password when the logged-in person is dave, and the apt-get commands have had their permission changed to NOPASSWD. The -y option is there so there is no stopping for input when the commands are run.

To check for special sudo permissions type “sudo -l”
I now show:

dave@dave-ThinkPad-T500:~$ sudo -l
Matching Defaults entries for dave on this host:
env_reset,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User dave may run the following commands on this host:
(ALL : ALL) ALL
(ALL) NOPASSWD: /usr/bin/apt-get -y update
(ALL) NOPASSWD: /usr/bin/apt-get -y upgrade
(ALL) NOPASSWD: /usr/bin/apt-get -y autoclean
(ALL) NOPASSWD: /usr/bin/apt-get -y autoremove
dave@dave-ThinkPad-T500:~$
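
The README quoted above gives two rules that are easy to trip over: a drop-in whose name contains a '.' or ends in '~' is skipped without any message, and files should be mode 0440. The following is an added example, not part of the handout: it reports how each file in a sudoers.d directory fares against those two rules and flags any NOPASSWD entry that is not limited to named commands the way the dave file is. The function name and report wording are assumptions; `visudo -cf FILE` checks a drop-in's syntax before it is installed.

```bash
#!/bin/sh
# Added example, not from the handout. Assumed name: sudoers_d_audit.
# Usage: sudoers_d_audit /etc/sudoers.d   (run as root to read the files)
sudoers_d_audit() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}

        # Rule 1 from the README: names containing '.' or ending in '~'
        # are not parsed at all, so rules in them never take effect.
        case "$name" in
            *.*|*~)
                echo "IGNORED $name: name contains '.' or ends in '~'"
                continue ;;
        esac

        # Rule 2 from the README: files should be mode 0440.
        perms=$(ls -ld "$f" | cut -c1-10)
        if [ "$perms" = "-r--r-----" ]; then
            echo "OK $name"
        else
            echo "MODE $name: $perms, README asks for 0440 (-r--r-----)"
        fi

        # A NOPASSWD rule for ALL commands removes the password check
        # entirely, unlike the per-command apt-get entries in the dave file.
        if grep -Eq 'NOPASSWD:[[:space:]]*ALL([[:space:]]|,|$)' "$f" 2>/dev/null; then
            echo "BROAD $name: NOPASSWD granted for ALL commands"
        fi
    done
}

# Audit the directory given on the command line, if any.
if [ -n "${1:-}" ]; then
    sudoers_d_audit "$1"
fi
```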

4. Shortcut Keys:

All we need now is to have the “Update” file executable from “Shortcut keys”.

Go to “Systems Settings”, Applications > Systems Tools > Systems Settings

When Systems Settings opens up go to the Hardware grouping and open the Keyboard …
in the Keyboard window select the Shortcut tab. Near the bottom of this window there is a narrow strip with a + and – sign. Click on the + and a window will open up so you can add a custom shortcut key.

In the Name window put “Update”. ( This is not the file but just any name to identify this command.)
In the Command window input the command to be run. At first I used “/home/dave/bin/Update”.

Click Apply and the new shortcut command name will appear; however, it will be listed as “Disabled” where the hot keys should be noted.

Click on the term “Disabled” and input the hot keys you want to use to run this command. I used “Alt + u”. Close the shortcut window and try the shortcut key.

All seemed to run OK, with no error messages (???); however, there was no observed sign that it was working, so the command in the “Shortcut key” was improved / changed to:
“gnome-terminal -e /home/dave/bin/Update”

When this command is run, the gnome-terminal is displayed for a brief time and the script can be seen running.

“Wa La” … Press Alt + u, and the applications that were downloaded through the PPA’s are updated / upgraded, and purged of obsolete junk.

Meeting-2015-06-27 The Picnic!

This meeting is open to members only!

If you are not currently a member (nobody is, see previous post), then pro-rated dues are expected. Those dues are;

  • $12.50 for a Family Membership
  • $10.00 for an Individual Membership
  • $5.00 for a Student Membership

The June meeting of the Cincinnati Linux Users Group will be our annual picnic, held at the GE Condo shelter in Rentschler Park, Butler County, Ohio.

For a Google map to the park, click here. This should open in a new tab or window.

For a .pdf file of the park, click here. This should open in a new tab or window.

The group provides the meat and cooking, Members are requested to bring drinks and side dishes.

This post will be updated as the event draws near!

Meeting-2015-05-23

The meeting today concerned the format of future meetings. Over the years the group has moved away from the formal style we started with to a far more casual and unstructured format. Dues have not been collected for years, introductions are rarely made, topics have been spotty at best.

I take responsibility for these issues and others, and am trying to rectify them now.
The CLUG Bylaws have been posted, please read them and be aware that in the future, they will be used to govern the direction and intent of the group.

Technically, there were no members in attendance as we have no dues paying members. The following folks showed up to discuss where the group is headed;

  • Bill Stowell
  • Parker Jones
  • Mike Bechtold
  • Dave Hemmerle
  • Mike Lau
  • Anthony Strauss
  • Edwin Clements
  • Jonathan Jacobs
  • Lance Feldmen
  • Mike Humerickhouse
  • Sandi Jones
  • Duncan Jones
  • Brett Birdsall
  • Steve Jones

Offices were discussed and volunteers stepped forward to fill the positions of;

  • President: Steve Jones
  • Vice President: Dave Hemmerle
  • Secretary: Bill Stowell
  • Treasurer: Mike Bechtold
  • Program Director: Mike Lau
  • Program Director: Anthony Strauss
  • Program Director: Jonathan Jacobs

The treasury currently holds approximately $1225.00, after debiting $75.00 for a picnic shelter for the June meeting.

The group was called to order at 10:35, and was released to disorder at 12:00.

Meeting-2014-11-22

This meeting covered an installation of ownCloud, ending with an exciting software RAID rebuild done live!

The linked .pdf file is a complete walkthrough of the build.

Thank you to all who attended!

ownCloud