Hardening the Raspberry Pi VNC Mirror

***Please visit the new simplified installation of the Raspberry Pi VNC Mirror***


This is an extension of this post: Raspberry Pi – VNC Mirror (Repeater) – Make any computer public anywhere

Having an RPi as a VNC mirror in production is a nice idea. But from time to time power outages make the Raspberry Pi shut down unexpectedly, which can corrupt the SD card if a read or write was in progress at that moment.

Another thing I experienced is that sometimes the computer you want to mirror loses its network connection or goes down for some other reason. After that the VNC viewer hangs in a state where it waits for the user to click OK on a message and does nothing else, even if the mirrored computer comes back up in the meantime.

I found out that while the process is running correctly and mirroring the other computer, its signal-ignore mask (SigIgn) is 0000000000000004.

First I get the process ID of my ssvncviewer:

pidof ssvncviewer

Knowing the process ID (in my case 2134), the status of the process can now be viewed:

pi@rpi1 ~ $ cat /proc/2134/status
Name:   ssvncviewer
State:  S (sleeping)
Tgid:   2134
Pid:    2134
PPid:   1944
TracerPid:      0
Uid:    1000    1000    1000    1000
Gid:    1000    1000    1000    1000
FDSize: 256
Groups: 4 20 24 27 29 44 46 60 100 106 999 1000
VmPeak:    16044 kB
VmSize:    16044 kB
VmLck:         0 kB
VmPin:         0 kB
VmHWM:      8904 kB
VmRSS:      8904 kB
VmData:    10792 kB
VmStk:       136 kB
VmExe:       276 kB
VmLib:      3972 kB
VmPTE:        18 kB
VmSwap:        0 kB
Threads:        1
SigQ:   0/3506
SigPnd: 0000000000000000
ShdPnd: 0000000000000000
SigBlk: 0000000000000000
SigIgn: 0000000000000004
SigCgt: 0000000000004003
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: ffffffffffffffff
Cpus_allowed:   1
Cpus_allowed_list:      0
voluntary_ctxt_switches:        2071
nonvoluntary_ctxt_switches:     17019

I also tested it while the message “could not connect to …” was present.

In this case SigIgn had the value 0000000000000006. So all we need to do is check whether SigIgn is 0000000000000004; otherwise we simply kill the process, and the script starts the VNC viewer again a few seconds later.

This is the updated script, which is found in /home/pi/.config/autostart/vncview.sh:

#!/bin/bash
# Process check script: checks whether the VNC viewer process is running and,
# if it is not found, starts it. A running viewer that is stuck (SigIgn mask
# is not 4) is killed so that the next loop iteration starts it again.
# The script loops in preset intervals, hence it is possible to monitor a process continuously.

# Variables
Running=1
SleepInterval=20

# VNC variables
vnc=ssvncviewer
host=vm1.sysstem.at
display=0
resolution=1920x1080
passfile=/home/pi/.vnc/passwd2
para="-display :$display -viewonly -fullscreen -shared -passwd $passfile -scale $resolution -encoding zrle"

# Sets vncpid and sigign (the SigIgn mask from /proc/<pid>/status).
# The viewer runs as this user, so its status file is readable without sudo.
checkstatus() {
        vncpid=$(pidof ssvncviewer | awk '{print $1}')
        sigign=$(awk '/^SigIgn:/ {print $2}' "/proc/${vncpid}/status")
}

# Logic
while [ "$Running" -gt 0 ]
do

        # The [s] trick keeps the grep itself out of the match; quote it so the
        # shell does not try to expand it as a filename glob
        if [ "$(ps aux | grep -c '[s]svncviewer')" -gt 0 ]; then
                echo "Process already running! Checking the status."
                checkstatus
                if [ "$sigign" != "0000000000000004" ]; then
                        echo "SSVNCViewer does not have status 4"
                        echo "Killing SSVNCViewer"
                        kill "${vncpid}"
                else
                        echo "SSVNCViewer status seems to be ok"
                fi
        else
                echo "Process not running! Starting process"
                # This is the command that should start the process in question
                $vnc "$host" $para &
        fi

        # How often shall we repeat the check?
        echo "Sleeping for $SleepInterval seconds"
        sleep "$SleepInterval"

done

exit 0
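To see what the two mask values from the post actually mean, here is an added example (not the autostart script above) that decodes a SigIgn mask into signal names and applies the same healthy/hung rule. The status-file layout is constructed to mimic /proc/<pid>/status; on the Pi you would point sigign_of at the real file.

```shell
#!/bin/sh
# Added example (not the autostart script from the post): decode the SigIgn
# mask from /proc/<pid>/status into signal names and classify the viewer.
# Bit (n-1) of the 64-bit mask is set when signal number n is ignored.

# Print the names of all signals set in hex mask $1, lowest number first.
decode_sigmask() {
    mask=$((0x$1))
    n=1
    names=""
    while [ "$n" -le 31 ]; do
        if [ $(( (mask >> (n - 1)) & 1 )) -eq 1 ]; then
            name=$(kill -l "$n" 2>/dev/null) || name="SIG$n"
            names="${names:+$names }$name"
        fi
        n=$((n + 1))
    done
    printf '%s\n' "$names"
}

# Extract the SigIgn field from a status file in /proc/<pid>/status format.
sigign_of() {
    awk '/^SigIgn:/ { print $2 }' "$1"
}

# Apply the rule from the post: a mask of exactly 4 (only SIGQUIT ignored)
# means the viewer is mirroring; anything else (6 was seen while the
# "could not connect" message was up, i.e. SIGINT ignored as well) means it
# is stuck. SIGTERM (15) is in neither mask, so a plain kill still works.
vnc_state() {
    if [ "$((0x$1))" -eq 4 ]; then
        echo healthy
    else
        echo hung
    fi
}

# Constructed sample status file with the mask seen in the stuck state.
sample=$(mktemp)
printf 'Name:\tssvncviewer\nState:\tS (sleeping)\nSigIgn:\t0000000000000006\n' > "$sample"
hex=$(sigign_of "$sample")
echo "SigIgn=$hex ignores: $(decode_sigmask "$hex") -> $(vnc_state "$hex")"
rm -f "$sample"
```

The same decoder applied to the SigCgt value from the status dump (0000000000004003) shows which signals the viewer catches, which is useful when deciding what signal a watchdog should send.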

To avoid SD card corruption, just follow the article by micerinos in the Raspberry Pi forum.

I created a script which does all the stuff (except for the Apache part) mentioned in the article, because I am lazy.

sudo bash
# Keep /tmp in RAM
echo "RAMTMP=yes" >> /etc/default/rcS
# Write a new /etc/fstab (the first echo overwrites it): /boot read-only,
# /var/log and /tmp on tmpfs
echo "proc            /proc           proc    defaults          0       0" > /etc/fstab
echo "tmpfs           /var/log        tmpfs   nodev,nosuid,size=30M,mode=1777 0       0" >> /etc/fstab
echo "tmpfs           /tmp            tmpfs   nodev,nosuid,size=30M,mode=1777 0       0" >> /etc/fstab
echo "/dev/mmcblk0p1  /boot           vfat    defaults,ro,noatime,errors=remount-ro          0       1" >> /etc/fstab
echo "/dev/mmcblk0p2  /               ext4    defaults,noatime  0       1" >> /etc/fstab
# hwclock.sh: /etc/adjtime becomes a symlink, so test with -L instead of -f.
# The brackets must be escaped and a delimiter other than / used because of the path.
sed -i 's|\[ ! -f /etc/adjtime \]|[ ! -L /etc/adjtime ]|' /etc/init.d/hwclock.sh
# blkid cache on a writable location
echo 'BLKID_FILE="/var/local/blkid.tab"' >> /etc/environment
# /etc/mtab cannot be written on a read-only root; use the kernel's mount table instead
rm /etc/mtab
ln -s /proc/self/mounts /etc/mtab
# Let apt remount / read-write before and read-only after package operations.
# Single quotes keep the inner double quotes, ${...} and || intact for apt.conf;
# with double quotes the shell would strip the quotes and run the || itself.
echo 'DPkg {' >> /etc/apt/apt.conf
echo '    // Auto re-mounting of a readonly /' >> /etc/apt/apt.conf
echo '    Pre-Invoke { "mount -o remount,rw /"; };' >> /etc/apt/apt.conf
echo '    Post-Invoke { "test ${NO_APT_REMOUNT:-no} = yes || mount -o remount,ro / || true"; };' >> /etc/apt/apt.conf
echo '};' >> /etc/apt/apt.conf

Hope you’re lazy too! 😉
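After the reboot it is worth verifying that the mounts really look the way the script intends, because a typo in fstab silently leaves the card writable. This is an added check, not part of the original post; it reads a file in /proc/mounts format, so the constructed sample below can be checked offline and on the Pi you pass /proc/mounts itself. It expects / to be read-only, which is what the apt.conf remount hooks above rely on.

```shell
#!/bin/sh
# Added example (not from the post): check that the mount layout the fstab
# lines above aim for is in effect, by reading a file in /proc/mounts format.

# Print the mount options (4th column) of the filesystem mounted at $2 in $1.
mount_opts() {
    awk -v mp="$2" '$2 == mp { print $4 }' "$1"
}

# Print the filesystem type (3rd column) mounted at $2 in $1.
mount_type() {
    awk -v mp="$2" '$2 == mp { print $3 }' "$1"
}

# Succeed when mountpoint $2 in $1 carries option $3 as a whole token.
has_opt() {
    mount_opts "$1" "$2" | tr ',' '\n' | grep -qx "$3"
}

# Check the layout the apt.conf hooks rely on: / and /boot read-only,
# /var/log and /tmp on tmpfs with nodev,nosuid. Prints each problem found
# and returns 1 if there was any, 0 if the layout is as expected.
check_layout() {
    rc=0
    for mp in / /boot; do
        has_opt "$1" "$mp" ro || { echo "$mp is not mounted read-only"; rc=1; }
    done
    for mp in /var/log /tmp; do
        [ "$(mount_type "$1" "$mp")" = tmpfs ] || { echo "$mp is not tmpfs"; rc=1; }
        for o in nodev nosuid; do
            has_opt "$1" "$mp" "$o" || { echo "$mp lacks $o"; rc=1; }
        done
    done
    return "$rc"
}

# Constructed sample: / was left read-write and /tmp is missing nosuid.
sample=$(mktemp)
cat > "$sample" <<'EOF'
/dev/mmcblk0p2 / ext4 rw,noatime 0 0
/dev/mmcblk0p1 /boot vfat ro,noatime,errors=remount-ro 0 0
tmpfs /var/log tmpfs rw,nosuid,nodev,size=30720k,mode=1777 0 0
tmpfs /tmp tmpfs rw,nodev,size=30720k,mode=1777 0 0
EOF
if check_layout "$sample"; then echo "layout OK"; else echo "layout NOT hardened"; fi
rm -f "$sample"
```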


VMware vSphere Hypervisor (ESXi) 5.1.0 Patch 2 (Build 914609) with ghettoVCB from January 2013

This article describes how to run the latest build of ESXi 5.1 Patch 2 (Build 914609) with the newest backup script ghettoVCB (from William Lam). It also covers the update from ESXi 5.x to the newest version.

You can see an overview of all the releases, patches and updates here.

If you don’t have ESXi 5.1 P2 yet, follow the upgrade process described here. Otherwise you can skip this part.

Download the patch from here and select the newest update (Patch Release ESXi510-201210001)

The easiest way is to host the image on an HTTP server so it is easy to fetch. (You can also copy it via WinSCP or similar.)

Log in to your server via PuTTY or similar and get your image via

wget http://10.10.10.10/esxi5.1u2/ESXi510-201212001.zip -O /vmfs/volumes/datastore1/ESXi510-201212001.zip

After the download, run the update via esxcli (don’t reboot yet, there is more to do!):

esxcli software vib update -d /vmfs/volumes/datastore1/ESXi510-201212001.zip

If you have ESXi 5.1 P2 installed, you can continue here.

Now it is time to deploy our custom package. Last time a filesystem within a tgz file was created. This time we will build our own VIB (vSphere Installation Bundle). Download the Community Packaging Tools (CPT) from Andreas Peetz (for Windows). If you prefer to do this on Linux, check out the VMware page about the VIB Author (I have not tested this, but maybe you find something on William Lam’s site here).

Also download the newest ghettoVCB. Don’t forget to alter the script (search for preparation) if you want to use the email log, especially with a Windows mail server.

As described in my first article about vSphere Hypervisor, a filesystem will be created and then packed into a VIB via CPT.

This filesystem looks like the following (I made some changes according to William Lam’s site):

/
├───etc
│   ├───rc.local.d
│   │       999.addCronJobs.sh
│   │
│   └───vmware
│       └───firewall
│               smtp.xml
│
└───opt
    └───ghettoVCB
            2nd-backup.sh
            ghettoVCB-restore_vm_restore_configuration_template
            ghettoVCB-restore.sh
            ghettoVCB-vm_backup_configuration_template
            ghettoVCB.conf
            ghettoVCB.sh

Starting with the first file

999.addCronJobs.sh

you can see that this file is in the /etc/rc.local.d/ directory. You can’t put your lines in the /etc/rc.local file anymore.

Moreover it is named with the number 999 at the beginning, which makes it execute very late and avoids conflicts with other scripts.

This script kills the cron daemon, injects our lines and starts it again:

# Stop cron
/bin/kill $(cat /var/run/crond.pid)
# Script for cron injection
/bin/echo "#Backup of all VMs" >> /var/spool/cron/crontabs/root
/bin/echo "0    18   *   *   0   /opt/ghettoVCB/ghettoVCB.sh -g /opt/ghettoVCB/ghettoVCB.conf -a" >> /var/spool/cron/crontabs/root
/bin/echo "#Backup of SYSTEM Disk to Datastore2 from existing Backups" >> /var/spool/cron/crontabs/root
/bin/echo "0    23   *   *   0   /opt/ghettoVCB/2nd-backup.sh" >> /var/spool/cron/crontabs/root
# Start cron
/usr/lib/vmware/busybox/bin/busybox crond

The /etc/vmware/firewall/smtp.xml is a custom firewall rule that allows sending emails (search for creating a custom firewall rule).

In /opt/ghettoVCB there are the files you downloaded from William Lam’s GitHub site, with the changes regarding email applied (see top of this article).

The 2nd-backup.sh looks like this:

#!/bin/sh
# variables
d1=/vmfs/volumes/datastore1/BACKUP
d2=/vmfs/volumes/datastore2/BACKUP

# delete backups older than 20 days (the ; terminating -exec must be escaped from the shell)
test -d "${d2}" || mkdir -p "${d2}"
cd "${d2}" && find . -mindepth 1 -mtime +20 -exec rm -f {} \;
# change to original dir and copy everything except the second disk files
# (the parentheses must be escaped, otherwise the shell treats them as a subshell)
cd "${d1}" && find . \( ! -name "*_1-flat.vmdk" \) | cpio -padvm "${d2}"

It deletes all backups from datastore2/BACKUP that are older than 20 days.

After this it changes to datastore1 and copies only the first hard disk of all VMs to datastore2.

Unfortunately the cpio command (version 2.9) has some bugs where it loses permissions, access and modification times, even when you set the appropriate parameters. These bugs are fixed in version 2.11.

Because the copied files end up with a fresh modification time, the initial backup stays longer on your datastore2 than it would otherwise, but after 20 days it will also be removed. This may be a problem if you do not have much space on datastore2.

Load the file structure into the /tmp folder of an existing ESXi host or another Linux machine.

Make your shell scripts executable and pack your folder into a tgz file:

chmod +x /tmp/opt/ghettoVCB/*.sh
chmod +x /tmp/etc/rc.local.d/*.sh
# -C /tmp makes the archive entries start with etc/ and opt/ (not tmp/etc/...),
# so they land in /etc and /opt when the VIB is installed
tar -czvf /tmp/sysstem.tgz -C /tmp etc opt

Now get sysstem.tgz back to your machine and start CPT.

Follow the instructions on Andreas Peetz’s page on how to configure the parameters (be aware that this tool can’t handle UNC paths correctly).

These are my preferences:

[Screenshot: ESXi5-CPT-v2 settings]


Now copy this VIB to a web server (to make it available for more hosts) or directly to the ESXi host.

We need to set the acceptance level to CommunitySupported so that our own crafted VIB can be installed:

esxcli software acceptance set --level=CommunitySupported

After this the package can be installed:

esxcli software vib install -v /vmfs/volumes/datastore1/sysstem-fs-5.1p2.x86_64.vib -f

The -f flag forces the installation because the acceptance level (and/or other reasons) is officially unsupported by VMware.

Now reboot, and your new system should be ready with all updates and your backup script in place.

This is the simplified script I use to upgrade an ESXi vSphere Hypervisor once all the preparation work is done:

wget http://10.10.10.10/esxi5.1p2/ESXi510-201212001.zip -O /vmfs/volumes/datastore1/ESXi510-201212001.zip
wget http://10.10.10.10/esxi5.1p2/sysstem-fs-5.1p2.x86_64.vib -O /vmfs/volumes/datastore1/sysstem-fs-5.1p2.x86_64.vib
esxcli software vib update -d /vmfs/volumes/datastore1/ESXi510-201212001.zip
esxcli software acceptance set --level=CommunitySupported
esxcli software vib remove -n sysstem-fs
esxcli software vib install -v /vmfs/volumes/datastore1/sysstem-fs-5.1p2.x86_64.vib -f


Upgrade VMware vSphere Hypervisor (ESXi) Version 5.0.0 to 5.1.0 with ghettoVCB

Since October the new VMware Hypervisor (ESXi) version 5.1 is available.

This update eliminates the problem with automatic startup and shutdown, comes with more tools (e.g. cpio), upgraded tools, security updates, the new virtual hardware version 9 and so on. You can find detailed information on the VMware site.

The system I am going to upgrade is an ESXi-5.0.0-20120302001 (build 623860) whose install process is described here.

Download the update from this site.

Choose ESXi and version 5.1.0 as seen in the screenshot.

On the next page download the file: ESXi510-201210001.zip

  • Open your VMware vSphere Client
  • Click on your host
  • Click on Configuration
  • Click on Storage
  • Right-click on your datastore
  • Select Browse Datastore…
  • Select the upload symbol
  • Select Upload File

Select your update file.

File is uploading…

When it is uploaded, activate your SSH server to trigger the update.

For this go to the firewall properties…

… and activate the SSH server service.

Now start PuTTY and connect to your server. Log in as root.

Depending on where you uploaded your ESXi 5.1.0 update file, you need to execute this command to update your server:

esxcli software vib install -d /vmfs/volumes/datastore1/ESXi510-201210001.zip

After a while the result of the update appears:

~ # esxcli software vib install -d /vmfs/volumes/datastore1/ESXi510-201210001.zip
Installation Result
   Message: The update completed successfully, but the system needs to be rebooted for the changes to be effective.
   Reboot Required: true
   VIBs Installed: VMware_bootbank_ata-pata-amd_0.3.10-3vmw.510.0.0.799733, ...snip...
   VIBs Removed: VMware_bootbank_ata-pata-amd_0.3.10-3vmw.500.0.0.469512, ...snip...
   VIBs Skipped:

As you can see, the update completed successfully. A lot of old versions of programs and drivers have been removed and the newer versions have been added.

Reboot your server with the command

reboot

or over your vSphere Client. The ESXi Server should then boot up with the new version.

Adjusting ghettoVCB

For those of you who are using ghettoVCB from William Lam, here are some alterations to make your script work with version 5.1.0. This information comes from this VMware community site. There might be more incompatibilities which I have not found yet.

You need to make these changes in both scripts: ghettoVCB.sh AND ghettoVCB-restore.sh

Add version string

Search for

ESX_VERSION=$(vmware -v | awk '{print $3}')
        if [[ "${ESX_VERSION}" == "5.0.0" ]]; then

replace by

ESX_VERSION=$(vmware -v | awk '{print $3}')
        if [[ "${ESX_VERSION}" == "5.0.0" ]] || [[ "${ESX_VERSION}" == "5.1.0" ]] ; then

Change user recognition

Search for

if [ ! $(whoami) == "root" ]; then

replace by

if [ ! $USER == "root" ]; then

Pack your new scripts as described in this article (search for preparation) and upload them via WinSCP or fetch them via wget. Execute the sed command as in the linked article only if your tgz is NOT already registered (see /bootbank/boot.cfg). If you have already used this method you MUST NOT execute the sed command again, otherwise the system tries to load your tgz twice, which causes an error that can’t be solved remotely (remote hands needed).

Try this on a non-production machine first to see whether it really works for you and actually does the backups!

Be aware that after you have upgraded your ESXi you can no longer use the ThinApped vSphere Client 5.0. You need to download a new version from your ESXi server (replace with your server address):

http://esx.sysstem.at

There you will find a link to download a suitable VMware Hypervisor Client for your ESXi installation.

If you have made some interesting experiences with VMware ESXi Server 5.1.0 compared to version 5.0.0, let me know. I am considering writing an article about it or adding it to an existing one.