How to Compile Just One Kernel Module

I received two C.H.I.P computers in 2016. They came with Linux kernel 4.4.13, but the kernel had limited features. When I needed to use the fuse kernel module, I had to re-compile the entire kernel, which took a whole day. Two years later, I upgraded to a newer 4.4.138 kernel, built by community member kaplan2539. The kernel comes with more modules including fuse, which is a better situation than the original kernel.

DM9601 USB Ethernet adapter plugged into a C.H.I.P computer

Recently I acquired a cheap USB Ethernet adapter. When I plugged it in, the kernel recognized a USB device:

chip@chip-b:~$ lsusb | grep Ethernet
Bus 002 Device 002: ID 0fe6:9700 Kontron (Industrial Computer Source / ICS Advent) DM9601 Fast Ethernet Adapter

But there's no new NIC showing up in the output of the ip link command. A quick Google search of the USB ID 0fe6:9700 indicates that I need the dm9601 kernel module. But:

Install OpenConnect VPN Server with Trusted Certificate from Let's Encrypt

OpenConnect VPN server, or ocserv, is an SSL VPN server compatible with Cisco AnyConnect. It can easily be installed in a cheap OpenVZ Virtual Private Server (VPS) with TUN capability. However, most online tutorials for installing OpenConnect VPN server rely on certtool to generate a self-signed certificate via OpenSSL. Afterwards, since the self-signed certificate is not trusted by operating systems, either the VPN client must be configured to skip certificate checking, or the self-signed certificate must be imported as a trusted certificate on the VPN client machine. Both practices are insecure. Bypassing certificate checking would allow an attacker to pose as the VPN server. Importing a trusted certificate does not seem wrong at first, but if the private key is compromised, an attacker would be able to pose as any server to the client, including online shopping and bank websites, using a certificate signed by that private key. Remember that the self-signed certificate's private key is stored on the VPS filesystem, which is much less secure than the Hardware Security Modules used at real CAs to store private keys; it is therefore a bad idea to trust such certificates on client machines.

Let's Encrypt is a free, automated, and open Certificate Authority (CA). It allows anyone to obtain a domain-verified certificate within minutes, and without paying anything. Certificates from Let's Encrypt are trusted by most modern operating systems. They are ideal for securing an OpenConnect VPN server.

This article explains how to request a proper trusted certificate from Let's Encrypt for use with ocserv, how to install OpenConnect VPN Server and use the Let's Encrypt certificate, and how to configure Cisco AnyConnect client to connect to ocserv. These steps are verified with an OpenVZ Ubuntu 16.04 64bit VPS provided by SecureDragon. It is required to enable TUN devices for the VPS, typically through a button in SolusVM or other control panel provided by the hosting company.

Request Let's Encrypt Certificate for OpenConnect VPN Server

Before requesting a certificate from Let's Encrypt, you must have a Virtual Private Server with an IPv4 address, and a domain name (which could be a subdomain) that resolves to the server, so that you are able to ping the server via the domain name.

Access C.H.I.P UART Wirelessly with ESP8266

A year ago, a Kickstarter campaign, CHIP - The World's First Nine Dollar Computer, caught my attention: it's a $9 computer smaller than a banana. Unlike the Raspberry Pi, it comes with onboard storage so I don't need to buy a separate SD card, it has WiFi instead of wired Ethernet so I don't have to run wires everywhere, and it is compatible with my existing VGA monitor through a $10 adapter so I don't have to buy another HDMI monitor. Therefore, I snagged two of these little computers along with one VGA adapter during the campaign.

During the whole year of waiting, Next Thing Co sent me regular email updates on the development progress, with each email ending with mmmtc (much much more to come) and a lot of hearts. NTC also clarified that C.H.I.P is strictly B.Y.O.B. Finally, my pair of CHIPs and a VGA DIP arrived in my mailbox on Jun 16. An hour later, the yoursunny.com homepage was displayed on its Debian desktop.

A few more hours later, I started to discover a limitation of the C.H.I.P software: the Linux kernel that comes with the CHIP operating system has very limited features.

$ sudo modprobe fuse
modprobe: FATAL: Module fuse not found.

Obviously, the solution to this problem is to compile my own Linux kernel with more features. The compilation can be done on the C.H.I.P itself. I managed to do that when the CHIP is powered by a 5V 1A phone charger plus a 1500mAh LiPo battery. I had the compilation running under screen(1) and attended to it intermittently, and it finished in a day.

parallelize.sh: run commands in parallel with bash

Recently I've been doing some heavy research work. One part of my work involves invoking a simulation script with different inputs and parameters, and then an analysis script to analyze the simulation output.

At first, this was an easy bash loop:

(
  echo 3 11
  echo 3 11
  echo 5 19
  echo 5 19
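) | while read -r -a L; do
  # Each input line is one "X Y" parameter pair.
  X=${L[0]}
  Y=${L[1]}
  # Run the simulation, then analyze its log; each pair waits for the previous one to finish.
  python2 simulation.py --x="$X" --y="$Y" < input.tsv > "$X-$Y.simulation.log"
  gawk -f analysis.awk "$X-$Y.simulation.log" > "$X-$Y.analysis.tsv"
done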

The loop works fine, but it takes too long when the input gets larger, because the scripts run sequentially. Since we have a big server with 32 CPU cores, can I run the scripts in parallel?

So I wrote this nifty little script, parallelize.sh:

Share Dropbox between VirtualBox Host and Guest

My laptop comes with Windows, like most other laptops on the market. But as a computer science student, I need to use Linux from time to time. The laptop manufacturer advised me not to install Linux directly on this laptop. Although this would not void my warranty, they would not provide technical support or supply device drivers if I installed Linux. Therefore, I turned to VirtualBox, a hypervisor that allows me to run Linux in a virtual machine, alongside the Windows installation.

I'm also a heavy user of Dropbox, a file hosting service that can synchronize my documents among all my devices. I have Dropbox clients installed everywhere, including the Windows installation on this laptop and the Linux virtual machine. When I edit a file, the Dropbox client uploads this file to the cloud, and then the Dropbox clients on all other devices download the file from the cloud.

One day, there was congestion on my apartment's WiFi hotspot, and I noticed that the Dropbox synchronization between Windows and the Linux virtual machine was significantly delayed: every update travels a long way to the cloud, and then comes back. I also realized that, in my setup, the entire Dropbox contents are duplicated: there is one copy in Windows, and another copy in the Linux virtual machine. Although having multiple copies is usually a good thing because you have more redundancy, having multiple copies on the same hard drive is not useful. Can I eliminate the synchronization delay and the redundant copy?

VirtualBox Shared Folder

VirtualBox has a nifty feature, shared folders, which allows files of the host system to be accessed within a guest system. In my setup, I could use this feature to access the Dropbox on Windows within the Linux virtual machine.

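Implementation of a Computer Network Security Access Control System

Network Topology

Network topology diagram

  • External network segment 202.120.36.0/24

    Firewall eth0 interface 202.120.36.180

    DNS server 202.120.2.101

  • Internal network segment 192.168.33.0/24

    Firewall eth1 interface 192.168.33.254

    Host A 192.168.33.40

    Host A public address 202.120.36.100

    Host B 192.168.33.41

    Host B public address 202.120.36.101

  • DMZ network segment 192.168.1.0/24

    Firewall eth2 interface 192.168.1.1

    Web server 192.168.1.2

    Mail server 192.168.1.40

Script Definitions for the Network Topology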

Internal="192.168.33.0/24"
DNSServer="202.120.2.101"
WWWServer="202.120.2.102"
GlobalA="202.120.36.100"
HostA="192.168.33.40"
GlobalB="202.120.36.101"
HostB="192.168.33.41"
MailServer="192.168.1.40"
FireWall="202.120.36.180"
HttpsServer="216.239.63.83"
FtpServer="202.38.97.230"
TelnetServer="202.120.3.1"