Hardening the Raspberry Pi VNC Mirror

***Please visit the new simplified installation of the Raspberry Pi VNC Mirror***


This is an extension from this post: Raspberry Pi – VNC Mirror (Repeater) – Make any computer public anywhere

Having an RPi as VNC mirror in production is a nice idea. But from time to time power failures shut the Raspberry Pi down unexpectedly, which can corrupt the SD card if a read or write was in progress at that moment.

Another thing I experienced is that sometimes the computer you want to mirror loses its network connection or is down for some other reason. After this the VNC viewer hangs in a state where it wants the user to click OK on a message and does nothing else, even if the computer to be mirrored comes up again in the meantime.

I have found out that if the process is running correctly and mirroring the other computer, its signal ignore mask (SigIgn) is 0000000000000004.

First I get the process ID of my ssvncviewer:

pidof ssvncviewer

Knowing the process ID (in my case 2134), the status of the process can now be viewed:

pi@rpi1 ~ $ cat /proc/2134/status
Name:   ssvncviewer
State:  S (sleeping)
Tgid:   2134
Pid:    2134
PPid:   1944
TracerPid:      0
Uid:    1000    1000    1000    1000
Gid:    1000    1000    1000    1000
FDSize: 256
Groups: 4 20 24 27 29 44 46 60 100 106 999 1000
VmPeak:    16044 kB
VmSize:    16044 kB
VmLck:         0 kB
VmPin:         0 kB
VmHWM:      8904 kB
VmRSS:      8904 kB
VmData:    10792 kB
VmStk:       136 kB
VmExe:       276 kB
VmLib:      3972 kB
VmPTE:        18 kB
VmSwap:        0 kB
Threads:        1
SigQ:   0/3506
SigPnd: 0000000000000000
ShdPnd: 0000000000000000
SigBlk: 0000000000000000
SigIgn: 0000000000000004
SigCgt: 0000000000004003
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: ffffffffffffffff
Cpus_allowed:   1
Cpus_allowed_list:      0
voluntary_ctxt_switches:        2071
nonvoluntary_ctxt_switches:     17019

I also tested it while the message “could not connect to …” was present.

In this case SigIgn had the value 0000000000000006. So all we need to do is check whether SigIgn is 0000000000000004; otherwise we simply kill the process. The script then starts the VNC viewer again after a few seconds.
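To see what those two masks actually mean, here is an added example (not part of the original post) that decodes the SigIgn/SigCgt hex masks from /proc/<pid>/status into signal names and applies the same healthy-mask check to constructed status snippets; the signal table assumes Linux's default numbering for signals 1 to 15.

```shell
#!/bin/sh
# Decode the signal masks from /proc/<pid>/status. Bit (n-1) of a mask set
# means signal number n; the table assumes Linux's default numbering for
# signals 1-15 (valid on the Raspberry Pi).
signame() {
    case "$1" in
        1) echo HUP ;;   2) echo INT ;;   3) echo QUIT ;;  4) echo ILL ;;
        5) echo TRAP ;;  6) echo ABRT ;;  7) echo BUS ;;   8) echo FPE ;;
        9) echo KILL ;;  10) echo USR1 ;; 11) echo SEGV ;; 12) echo USR2 ;;
        13) echo PIPE ;; 14) echo ALRM ;; 15) echo TERM ;; *) echo "SIG$1" ;;
    esac
}

# decode_sigmask <hex mask> -> space-separated signal names, e.g.
# 0000000000000004 -> "QUIT" (healthy viewer), 0000000000000006 -> "INT QUIT"
decode_sigmask() {
    mask=$(printf '%d' "0x$1")
    out=""
    n=1
    while [ "$n" -le 31 ]; do
        if [ $(( (mask >> (n - 1)) & 1 )) -eq 1 ]; then
            out="$out${out:+ }$(signame "$n")"
        fi
        n=$((n + 1))
    done
    printf '%s\n' "$out"
}

# status_field <statusfile> <field> -> the field's value (e.g. SigIgn)
status_field() {
    awk -v f="$2:" '$1 == f { print $2 }' "$1"
}

# vnc_healthy <statusfile> -> 0 only when SigIgn is the healthy mask
vnc_healthy() {
    [ "$(status_field "$1" SigIgn)" = "0000000000000004" ]
}

# Constructed status snippets reproducing the two states seen in the post
healthy=$(mktemp)
printf 'Name:\tssvncviewer\nSigIgn:\t0000000000000004\nSigCgt:\t0000000000004003\n' > "$healthy"
stuck=$(mktemp)
printf 'Name:\tssvncviewer\nSigIgn:\t0000000000000006\nSigCgt:\t0000000000004003\n' > "$stuck"

decode_sigmask "$(status_field "$healthy" SigIgn)"   # QUIT
decode_sigmask "$(status_field "$stuck" SigIgn)"     # INT QUIT
decode_sigmask "$(status_field "$healthy" SigCgt)"   # HUP INT TERM
```

So the healthy viewer ignores only SIGQUIT, while the stuck "could not connect" dialog additionally ignores SIGINT, which is why the two masks differ in exactly one bit.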

This is the updated script, which lives in /home/pi/.config/autostart/vncview.sh:

#!/bin/bash
# Process check script: checks whether ssvncviewer is running and starts it
# if it is not. If it is running but its SigIgn mask is not the healthy
# 0000000000000004, the viewer is stuck on a dialog and gets killed, so the
# next loop iteration starts a fresh one.
# The script loops in preset intervals, hence it is possible to monitor a process continuously.

# Variables
Running=1
SleepInterval=20

#VNC Variables
vnc=ssvncviewer
host=vm1.sysstem.at
display=0
resolution=1920x1080
passfile=/home/pi/.vnc/passwd2
para="-display :$display -viewonly -fullscreen -shared -passwd $passfile -scale $resolution -encoding zrle"

# Sets vncpid and sigign for the running viewer; sigign stays empty if the
# status file cannot be read, which the comparison below treats as unhealthy
checkstatus() {
        vncpid=$(pidof -s "$vnc")
        sigign=$(awk '/^SigIgn:/ {print $2}' "/proc/${vncpid}/status" 2>/dev/null)
}

# Logic
while [ "$Running" -gt 0 ]
do

        if pidof "$vnc" >/dev/null; then
                echo "Process already running! Checking the status."
                checkstatus
                if [ "$sigign" != "0000000000000004" ]; then
                        echo "SSVNCViewer does not have status 4 (SigIgn=$sigign)"
                        echo "Killing SSVNCViewer"
                        kill "${vncpid}"
                else
                        echo "SSVNCViewer status seems to be ok"
                fi
        else
                echo "Process not running! Starting process"
                # This is the command that should start the process in question
                $vnc $host $para &
        fi

        # How often shall we repeat the check?
        echo "Sleeping for $SleepInterval seconds"
        sleep "$SleepInterval"

done

exit 0

To avoid SD card corruption, just follow the article by micerinos in the Raspberry Pi forum.

I created a script which does all the stuff mentioned in the article (except for the apache part), because I am lazy.

sudo bash
echo "RAMTMP=yes" >> /etc/default/rcS
# The first fstab line uses a single '>' on purpose: it replaces /etc/fstab,
# the following lines append to the new file
echo "proc            /proc           proc    defaults          0       0" > /etc/fstab
echo "tmpfs           /var/log        tmpfs   nodev,nosuid,size=30M,mode=1777 0       0" >> /etc/fstab
echo "tmpfs           /tmp            tmpfs   nodev,nosuid,size=30M,mode=1777 0       0" >> /etc/fstab
echo "/dev/mmcblk0p1  /boot           vfat    defaults,ro,noatime,errors=remount-ro          0       1" >> /etc/fstab
echo "/dev/mmcblk0p2  /               ext4    defaults,noatime  0       1" >> /etc/fstab
# The brackets must be escaped for sed and '|' used as delimiter because the
# pattern itself contains slashes
sed -i 's|\[ ! -f /etc/adjtime \]|[ ! -L /etc/adjtime ]|' /etc/init.d/hwclock.sh
echo 'BLKID_FILE="/var/local/blkid.tab"' >> /etc/environment
rm /etc/mtab
ln -s /proc/self/mounts /etc/mtab
# Quoted heredoc so the inner double quotes and ${NO_APT_REMOUNT:-no} reach
# apt.conf literally instead of being eaten or expanded by the shell
cat >> /etc/apt/apt.conf <<'EOF'
DPkg {
    // Auto re-mounting of a readonly /
    Pre-Invoke { "mount -o remount,rw /"; };
    Post-Invoke { "test ${NO_APT_REMOUNT:-no} = yes || mount -o remount,ro / || true"; };
};
EOF
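After the reboot it is worth confirming that the layout from the fstab above really took effect. The following check is an added example (not from the post or the forum article); it reads a file in /proc/mounts format, so it works on the live table as well as on a saved copy, and the two mount tables it tests against are constructed.

```shell
#!/bin/sh
# Added check (not from the original post or the forum article): confirms the
# mount layout above actually took effect by reading a /proc/mounts-format
# file, so it can run against the live table or a saved copy.
# mount_field <mountsfile> <mountpoint> <column> -> that column of the last
# matching mount line (3 = fs type, 4 = options), empty if not mounted
mount_field() {
    awk -v mp="$2" -v c="$3" '$2 == mp { v = $c } END { print v }' "$1"
}

# has_opt <optlist> <opt> -> 0 when opt is in the comma-separated list
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# check_layout <mountsfile> -> one line per requirement from the fstab above;
# returns 1 if any requirement fails
check_layout() {
    rc=0
    for spec in "/:noatime" "/boot:ro" "/boot:noatime" \
                "/tmp:nosuid" "/tmp:nodev" "/var/log:nosuid" "/var/log:nodev"; do
        mp=${spec%%:*}; opt=${spec#*:}
        if has_opt "$(mount_field "$1" "$mp" 4)" "$opt"; then
            echo "ok   $mp mounted with $opt"
        else
            echo "FAIL $mp lacks $opt"; rc=1
        fi
    done
    for mp in /tmp /var/log; do
        if [ "$(mount_field "$1" "$mp" 3)" = tmpfs ]; then
            echo "ok   $mp is tmpfs (lives in RAM, not on the SD card)"
        else
            echo "FAIL $mp is not tmpfs"; rc=1
        fi
    done
    return $rc
}

# Constructed /proc/mounts excerpts: after the fstab change, and a stock image
hardened=$(mktemp)
cat > "$hardened" <<'EOF'
/dev/mmcblk0p2 / ext4 rw,noatime,data=ordered 0 0
tmpfs /var/log tmpfs rw,nosuid,nodev,size=30720k,mode=1777 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,size=30720k,mode=1777 0 0
/dev/mmcblk0p1 /boot vfat ro,noatime,errors=remount-ro 0 0
EOF
stock=$(mktemp)
printf '/dev/mmcblk0p2 / ext4 rw,relatime,data=ordered 0 0\n/dev/mmcblk0p1 /boot vfat rw,relatime 0 0\n' > "$stock"
```

On the Pi itself, run `check_layout /proc/mounts` after the reboot; a FAIL line for /boot usually means the card was still remounted read-write by something else.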

Hope you’re lazy too! 😉


VMware vSphere Hypervisor (ESXi) 5.1.0 Patch 2 (Build 914609) with ghettoVCB from January 2013

This article describes how to run the latest build of ESXi 5.1 Patch 2 (Build 914609) with the newest backup script ghettoVCB (from William Lam). It also covers the update from ESXi 5.x to the newest version.

You can see an overview of all the releases, patches and updates here.

If you don't have ESXi 5.1 P2 yet, follow the upgrade process described here; otherwise you can skip this part.

Download the patch from here and select the newest update (Patch Release ESXi510-201210001)

The easiest way is to provide the image on an HTTP server so it is easy to fetch. (You can also copy it via WinSCP or similar.)

Log in to your server via PuTTY or similar and get your image via

wget http://10.10.10.10/esxi5.1u2/ESXi510-201212001.zip -O /vmfs/volumes/datastore1/ESXi510-201212001.zip

After you have downloaded the update, run the update via esxcli (don't reboot yet, there is more to do!)

esxcli software vib update -d /vmfs/volumes/datastore1/ESXi510-201212001.zip

If you have ESXi 5.1 P2 installed, you can continue here.

Now it is time to deploy our custom package. Last time a filesystem inside a tgz file was created. This time a VIB (vSphere Installation Bundle) of our own will be created. Download the Community Packaging Tools (CPT) from Andreas Peetz (for Windows). If you prefer to do this on Linux, check out the VMware page about the VIB Author (I have not tested this, but maybe you find something on William Lam's site here).

Also download the newest ghettoVCB. Don't forget to alter the script (search for "preparation") if you want to use the email log, especially with a Windows mail server.

As described in my first article about vSphere Hypervisor, a filesystem will be created and then packed into a VIB via CPT.

This filesystem looks like the following (I made some changes according to William Lam's site):

/
├───etc
│   ├───rc.local.d
│   │       999.addCronJobs.sh
│   │
│   └───vmware
│       └───firewall
│               smtp.xml
│
└───opt
    └───ghettoVCB
            2nd-backup.sh
            ghettoVCB-restore_vm_restore_configuration_template
            ghettoVCB-restore.sh
            ghettoVCB-vm_backup_configuration_template
            ghettoVCB.conf
            ghettoVCB.sh

Starting with the first file

999.addCronJobs.sh

you can see that this file is in the /etc/rc.local.d/ directory. You can't put your lines into the /etc/rc.local file anymore.

Moreover, it is named with the number 999 at the beginning, which makes it run very late in the boot sequence so that it does not conflict with other scripts.

This script kills the cron daemon, injects our lines and starts it again.

#!/bin/sh
# Stop cron
/bin/kill $(cat /var/run/crond.pid)
# Script for cron injection (the crontab is rebuilt on every boot on ESXi)
/bin/echo "#Backup of all VMs" >> /var/spool/cron/crontabs/root
/bin/echo "0    18   *   *   0   /opt/ghettoVCB/ghettoVCB.sh -g /opt/ghettoVCB/ghettoVCB.conf -a" >> /var/spool/cron/crontabs/root
/bin/echo "#Backup of SYSTEM Disk to Datastore2 from existing Backups" >> /var/spool/cron/crontabs/root
/bin/echo "0    23   *   *   0   /opt/ghettoVCB/2nd-backup.sh" >> /var/spool/cron/crontabs/root
# Start cron
/usr/lib/vmware/busybox/bin/busybox crond

The /etc/vmware/firewall/smtp.xml is a custom firewall rule that allows outgoing email (search for "creating a custom firewall rule").

In /opt/ghettoVCB are the files you downloaded from William Lam's GitHub site, with the email changes applied (see the top of this article).

The 2nd-backup.sh looks like this:

#!/bin/sh
#variables
d1=/vmfs/volumes/datastore1/BACKUP
d2=/vmfs/volumes/datastore2/BACKUP

#delete backups older than 20 days
test -d "${d2}" || mkdir -p "${d2}"
cd "${d2}" && find . -mindepth 1 -mtime +20 -exec rm -f {} \;
#change to original dir and copy everything except the second disks (*_1-flat.vmdk)
cd "${d1}" && find . \( ! -name "*_1-flat.vmdk" \) | cpio -padvm "${d2}"

It deletes all backups from datastore2/BACKUP which are older than 20 days.

After this it changes to the datastore 1 and copies only the 1st harddisk of all VMs to datastore2.

Unfortunately the cpio command (version 2.9) has some bugs where it loses permissions as well as access and modification times, even when you set the appropriate parameters. These bugs are fixed in version 2.11.

Because the copies get a fresh modification time, the initial backup stays on your datastore2 longer than expected, but after 20 days it will also be removed. This can be a problem if you do not have much space on datastore2.
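The effect is easy to reproduce and, more importantly, easy to check before trusting the retention. The following added example (not the post's script; directories and file names are constructed) applies the same `find -mtime +20` rule as 2nd-backup.sh to a copy made with a reset mtime, as cpio 2.9 did, and to one made with the mtime preserved.

```shell
#!/bin/sh
# Added example (not the post's script): shows why the lost modification time
# matters for the 20-day rule in 2nd-backup.sh and how to check a copy before
# trusting the retention. Directory and file names are constructed.

# expired <dir> <days> -> files the retention step would delete
expired() {
    find "$1" -type f -mtime +"$2" | sort
}

# mtime_preserved <src> <dst> -> 0 when both files carry the same mtime
mtime_preserved() {
    [ ! "$1" -nt "$2" ] && [ ! "$1" -ot "$2" ]
}

# Constructed datastore1/BACKUP: one backup from 2020, one from today
d1=$(mktemp -d); d2=$(mktemp -d)
echo old > "$d1/vm1-flat.vmdk"; touch -t 202001010000 "$d1/vm1-flat.vmdk"
echo new > "$d1/vm2-flat.vmdk"

# Copy the 2020 backup the way cpio 2.9 behaved (mtime reset to now) and the
# way it should behave (mtime preserved)
cp    "$d1/vm1-flat.vmdk" "$d2/lost-mtime.vmdk"
cp -p "$d1/vm1-flat.vmdk" "$d2/kept-mtime.vmdk"

echo "would expire in datastore1:"; expired "$d1" 20   # only vm1-flat.vmdk
echo "would expire in datastore2:"; expired "$d2" 20   # only kept-mtime.vmdk
```

The copy with the reset mtime survives the purge for another 20 days even though the original is already three years old, which is exactly the extra space consumption described above.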

Copy the file structure to the /tmp folder of an existing ESXi or another Linux machine.

Make your shell scripts executable and pack the folder into a tgz file:

chmod +x /tmp/opt/ghettoVCB/*.sh
chmod +x /tmp/etc/rc.local.d/*.sh
# -C /tmp keeps the /tmp prefix out of the archive so the paths land as /etc and /opt
tar -czvf /tmp/sysstem.tgz -C /tmp etc opt

Now get the sysstem.tgz back on your machine and start CPT.

Follow the instructions on the page of Andreas Peetz on how to configure the parameters (be aware that this tool can't handle UNC paths correctly).

These are my preferences

(screenshot of the CPT settings)


Now copy this VIB to a web server (to make it available to more hosts) or directly to the ESXi.

We need to set the acceptance level to CommunitySupported so that our self-built VIB can be installed.

esxcli software acceptance set --level=CommunitySupported

After this, the package can be installed:

esxcli software vib install -v /vmfs/volumes/datastore1/sysstem-fs-5.1p2.x86_64.vib -f

The -f flag forces the installation, because the VIB (due to its acceptance level and/or other reasons) is officially unsupported by VMware.

Now reboot, and your new system should be ready with all the updates and your backup script in place.

This is the simplified script I use to upgrade an ESXi vSphere Hypervisor, once all the preparation work is done:

wget http://10.10.10.10/esxi5.1p2/ESXi510-201212001.zip -O /vmfs/volumes/datastore1/ESXi510-201212001.zip
wget http://10.10.10.10/esxi5.1p2/sysstem-fs-5.1p2.x86_64.vib -O /vmfs/volumes/datastore1/sysstem-fs-5.1p2.x86_64.vib
esxcli software vib update -d /vmfs/volumes/datastore1/ESXi510-201212001.zip
esxcli software acceptance set --level=CommunitySupported
esxcli software vib remove -n sysstem-fs
esxcli software vib install -v /vmfs/volumes/datastore1/sysstem-fs-5.1p2.x86_64.vib -f