Proxmox enable SOL access to ASRock Rack

I had some trouble enabling the SOL (Serial-Over-LAN) access to my ASRock Rack motherboard. Here’s how I finally managed to get it working.

First start off by configuring “Serial Console Redirection” in the BIOS with the following settings (credit to pvalkone at GitHub):

/----------------------------------------------------+-------------------------\
|  SOL                                               |Emulation: ANSI:         |
|  Console Redirection Settings                      |Extended ASCII char      |
|                                                    |set. VT100: ASCII char   |
|  Terminal Type           [VT100]                   |set. VT100+: Extends     |
|  Bits per second         [115200]                  |VT100 to support color,  |
|  Data Bits               [8]                       |function keys, etc.      |
|  Parity                  [None]                    |VT-UTF8: Uses UTF8       |
|  Stop Bits               [1]                       |encoding to map Unicode  |
|  Flow Control            [None]                    |chars onto 1 or more     |
|  VT-UTF8 Combo Key Sup   [Enabled]                 |-------------------------|
|  Recorder Mode           [Disabled]                |<>: Select Screen        |
|  Resolution 100x31       [Disabled]                |^v: Select Item          |
|  Legacy OS Redirection   [80x24]                   |Enter: Select            |
|  Putty KeyPad            [VT100]                   |+/-: Change Option       |
|  Redirection After BIO   [Always Enable]           |F1: General Help         |
|                                                    |F7: Discard Changes      |
|                                                    |F9: Load UEFI Defaults   |
|                                                    |F10: Save and Exit       |
|                                                    |ESC: Exit                |
\----------------------------------------------------+-------------------------/

From your client (where you have installed ipmitool):

➞ ipmitool -I lanplus -H <bmc-mgmt-ip> -U admin -e \& sol info 1
Password: 
Set in progress                 : set-complete
Enabled                         : true
Force Encryption                : false
Force Authentication            : false
Privilege Level                 : USER
Character Accumulate Level (ms) : 60
Character Send Threshold        : 96
Retry Count                     : 7
Retry Interval (ms)             : 500
Volatile Bit Rate (kbps)        : 115.2
Non-Volatile Bit Rate (kbps)    : 115.2
Payload Channel                 : 1 (0x01)
Payload Port                    : 623

Make sure that Volatile Bit Rate (kbps) and Non-Volatile Bit Rate (kbps) are set to 115.2 (115200).

Restart the server and log in. Edit /etc/default/grub and change GRUB_CMDLINE_LINUX_DEFAULT, GRUB_TERMINAL and GRUB_SERIAL_COMMAND:

GRUB_CMDLINE_LINUX_DEFAULT="console=ttyS1,115200n8 console=tty0"
GRUB_TERMINAL="serial console"
GRUB_SERIAL_COMMAND="serial --speed 115200 --unit=1 --word=8 --parity=no --stop=1"

After saving the file, do not forget to run update-grub.

Then we need to tell systemd to start serial ttyS1 on boot.

Optionally, it can be worth changing the default serial-getty@.service to only accept 115200 as the baud rate, according to Roger Irvin. Do this by copying the default service to /etc/systemd/system/.

cp /lib/systemd/system/serial-getty@.service /etc/systemd/system/

Then change the ExecStart line from:

ExecStart=-/sbin/agetty -o '-p -- \\u' --keep-baud 115200,38400,9600 %I $TERM

To:

ExecStart=-/sbin/agetty -o '-p -- \\u' 115200 %I $TERM

Save the file, reload systemd daemon, start and enable ttyS1:

systemctl daemon-reload
systemctl start serial-getty@ttyS1
systemctl enable serial-getty@ttyS1

Reboot the server, and use ipmitool to get a SOL session:

ipmitool -I lanplus -H <bmc-mgmt-ip> -U admin -e \& sol activate

To exit the session type &. (no enter!) and the session is terminated.
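
The baud rate and serial port in this walkthrough have to agree in three places: the BMC's SOL settings, the kernel console argument and GRUB_SERIAL_COMMAND. The script below is an added example, not part of the original post; it checks that agreement on constructed sample input copied from the values above, and also echoes the Force Encryption and Force Authentication fields from sol info as notes. The function names (sol_field, grub_match, check_serial) are this example's own.

```shell
#!/bin/bash
# Added example: cross-check the serial settings used in this walkthrough.
# Both sample inputs are constructed from the values shown in the post.
SOL_SAMPLE='Enabled                         : true
Force Encryption                : false
Force Authentication            : false
Volatile Bit Rate (kbps)        : 115.2
Non-Volatile Bit Rate (kbps)    : 115.2'
GRUB_SAMPLE='GRUB_CMDLINE_LINUX_DEFAULT="console=ttyS1,115200n8 console=tty0"
GRUB_TERMINAL="serial console"
GRUB_SERIAL_COMMAND="serial --speed 115200 --unit=1 --word=8 --parity=no --stop=1"'

# sol_field TEXT NAME: value of one "Name : value" line from `sol info` output
sol_field() {
    printf '%s\n' "$1" | awk -F' *: *' -v k="$2" \
        '$1 == k { sub(/[ \t\r]+$/, "", $2); print $2; exit }'
}

# grub_match TEXT REGEX: first match of an extended regex, skipping commented-out lines
grub_match() { printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -oE -- "$2" | head -n 1; }

# check_serial SOL_TEXT GRUB_TEXT BAUD: print findings, return the number of mismatches
check_serial() {
    local sol="$1" grub="$2" baud="$3" bad=0 name kbps console tty speed unit
    [ "$(sol_field "$sol" 'Enabled')" = "true" ] || { echo "FAIL: SOL is not enabled"; bad=$((bad + 1)); }
    for name in 'Volatile Bit Rate (kbps)' 'Non-Volatile Bit Rate (kbps)'; do
        kbps="$(sol_field "$sol" "$name")"
        # 115.2 kbps -> 115200 baud; %.0f rounds instead of truncating
        [ "$(awk -v v="${kbps:-0}" 'BEGIN { printf "%.0f", v * 1000 }')" = "$baud" ] ||
            { echo "FAIL: BMC ${name} is '${kbps}', expected ${baud} baud"; bad=$((bad + 1)); }
    done
    console="$(grub_match "$grub" 'console=ttyS[0-9]+,[0-9]+')"   # e.g. console=ttyS1,115200
    tty="${console#console=ttyS}"; tty="${tty%%,*}"
    speed="$(grub_match "$grub" '--speed[ =][0-9]+')"; speed="${speed#--speed?}"
    unit="$(grub_match "$grub" '--unit[ =][0-9]+')"; unit="${unit#--unit?}"
    [ "${console##*,}" = "$baud" ] || { echo "FAIL: kernel console speed is '${console##*,}'"; bad=$((bad + 1)); }
    [ "$speed" = "$baud" ] || { echo "FAIL: GRUB serial --speed is '${speed}'"; bad=$((bad + 1)); }
    # GRUB --unit=N and the kernel's ttySN must name the same UART
    [ -n "$tty" ] && [ "$unit" = "$tty" ] || { echo "FAIL: GRUB --unit '${unit}' vs ttyS '${tty}'"; bad=$((bad + 1)); }
    # Not a mismatch, but worth seeing: the BMC does not force these for SOL sessions
    for name in 'Force Encryption' 'Force Authentication'; do
        [ "$(sol_field "$sol" "$name")" = "true" ] || echo "NOTE: BMC reports ${name}: false"
    done
    return "$bad"
}

check_serial "$SOL_SAMPLE" "$GRUB_SAMPLE" 115200 && echo "OK: serial settings agree"
# Real host: check_serial "$(ipmitool -I lanplus -H <bmc-mgmt-ip> -U admin sol info 1)" "$(cat /etc/default/grub)" 115200
```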

Citrix Receiver – use all available external monitors

When working on a remote server over Citrix, it is sometimes useful not to have ICAClient span all monitors in fullscreen mode. It is possible to tell wfica to only span certain monitors with the -span parameter.

Change /opt/Citrix/ICAClient/wfica.sh to:

#!/bin/bash
ICAROOT=/opt/Citrix/ICAClient
export ICAROOT
LD_LIBRARY_PATH=/opt/Citrix/ICAClient/lib
export LD_LIBRARY_PATH

array_join() {
    local IFS="$1"
    shift
    echo "$*"
}

param=""
number_of_monitors="$(xrandr --query | grep -c " connected ")"

if (( number_of_monitors > 1 )); then
    param="-span"
    monitors=()
    for monitor in $(seq 2 "${number_of_monitors}"); do
        monitors+=("${monitor}")
    done

    param="${param} $(array_join ',' "${monitors[@]}")"
fi

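# ${param} is left unquoted on purpose so that "-span" and the monitor list split into two arguments
"${ICAROOT}/wfica" ${param} -file "$1"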

This will use all monitors except the first one in fullscreen mode (unless you only have one monitor, of course).

To get this to work automagically, Firefox has to be told to open *.ica files with this script. Go to Edit, Preferences, Applications, type ica in the search, select Use other... as action and browse to /opt/Citrix/ICAClient/wfica.sh.

Disable iPhone USB devices when charging via computer

I usually charge my iPhone by connecting it to my Ubuntu laptop. It is quite annoying that it tries to mount it as a USB-storage and adds it as an ethernet interface.

To the rescue: udev blacklisting:

sudo tee /etc/udev/rules.d/90-disable-iphone.rules <<EOF
# Disable iPhone ethernet device
SUBSYSTEM=="usb", DRIVER=="usb", ATTR{idProduct}=="12a8", ATTR{idVendor}=="05ac", ATTR{authorized}="0"
EOF

ATTR{idVendor} and ATTR{idProduct} might differ between different iPhone models. Examine with udevadm info -a -p /sys/class/net/<ethernet interface> and find any information, as close to the top as possible, that can be used to blacklist the device.

Download a site's certificates with openssl

The following snippet can be used to download all the certificates that a site presents (the server certificate and the CA certificates in its chain) into separate .crt files. Each file is named after the last CN part of the certificate's subject line.

openssl s_client -connect "${SITE}:443" -showcerts \
        </dev/null 2>/dev/null | \
	awk '/^ [0-9] s:/,/^[-]+END CERTIFICATE/' | \
	csplit -q -z -f cert - '/^ [0-9] s:/' '{*}'
for file in cert*; do \
	name="$(awk -F= '/^ [0-9] s:/ {gsub(/[^A-Za-z0-9.]/, "", $NF); print $NF".crt"}' "${file}")"; \
	awk '/^[-]+BEGIN CERTIFICATE/,/^[-]+END CERTIFICATE/' "${file}" > "${name}"; \
	rm "${file}"; \
done

For example, when running the above with SITE=blog.mgor.net:

↳ openssl s_client -connect $SITE:443 -showcerts         </dev/null 2>/dev/null | awk '/^ [0-9] s:/'
 0 s:/CN=blog.mgor.net
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

Two certificate files will be created:

↳ ls *.crt
blog.mgor.net.crt  LetsEncryptAuthorityX3.crt

Run production WordPress site in docker for development

I have a couple of WordPress sites that I wanted to create local development environments in docker for. Here are some tips on how to get it to work.

I use the official MySQL and WordPress docker images. The directory structure is as follows:

dev-env.sh:

update-development-site.sh:

production_dump.sql is a MySQL dump of the production database. Add a “use wordpress-site;” statement at the beginning so that the backup is imported into the correct database.