OpenWrt Barrier Breaker metarouter instance on MikroTik RB-2011

posted on 2015.01.10 under collected, configuration, general, networking

THE PATCH PUBLISHED IN THIS ARTICLE IS NOT COMPLETE. AT LEAST THE VIRTUAL MACHINE WILL CRASH SPORADICALLY UPON RECEIVING NETWORK PACKETS USING THE VIRTUAL INTERFACES. I WILL TRY TO FIX THIS ASAP.

While looking around for a new router for my home network I stumbled over the RB2011UiAS-2HnD-IN produced by MikroTik. It uses an AR9344-DC3A-R SoC (600 MHz) and offers a broad range of interfaces:

  • 5x 1 Gbit copper ports (+ 1x SFP slot for a copper/fibre module)
  • 5x 100 Mbit copper ports
  • 128 MB of RAM and 128 MB of flash
  • an 802.11 b/g/n wireless interface
  • a micro USB 2.0 port (usable for attaching storage via an OTG cable)
  • a small colour touch display
  • a Cisco-style RJ45 console port

All that is wrapped in a solid metal chassis and sold for ~120 €, which is not bad at all. The Linux-based RouterOS offers an intuitive CLI, but there is no way to install your own packages. So I had a look at openwrt.org to check whether OpenWrt runs on this thing… it does. But after digging a little deeper I found something really awesome: it is possible to run up to 7 virtual instances of OpenWrt on top of RouterOS using a mechanism called Metarouter. And each of the instances can be connected to its environment (the external network, other instances, …) using

  • the physical network ports of the router and
  • virtual interfaces connected to other virtual/physical interfaces using (LINUX-) bridges.

That makes it possible to reduce the footprint of my hardware infrastructure significantly by (buzzword mode on) consolidation via virtualization (buzzword mode off). In fact, by using Metarouter instances I am able to replace two „fat“ routers (one running a public access point [currently a WRT54G], another one used inside our home network [a TP-Link WR1043ND]) and a smaller one (a TP-Link WR703N) running my private Jabber server with a single box. And the concept of bridges connecting virtual and physical interfaces makes the whole setup much easier to handle (splitting the network into a private and a public part using just one WRT54G + OpenWrt was no fun). And at the end of the day I can keep all the configurations from my old OpenWrt-based setup…

The sad thing: MikroTik only provided support (by publishing patches) for OpenWrt up to Backfire (10.03, first released 4/2010, kernel 2.6.31), and I could not find any sign that they will continue. Happily, liquidcz from the MikroTik forum created a patch usable with Attitude Adjustment (12.09, 4/2013, kernel 3.3). That worked fine, but the successor of AA, Barrier Breaker (14.07, 10/2014, kernel 3.10.49), brought lots of updates (mainly to the packages, but also to the kernel). I picked up liquidcz's patch and adapted it to Barrier Breaker, and it was easier than expected :). So this is the outline of how to build OpenWrt Barrier Breaker for use as a virtual instance on a MikroTik router:

build the firmware image for Mikrotik metarouter

$m[2]

The created image is placed in bin/mr-mips/.

build additional packages

$m[2]

You can find the packages in bin/mr-mips/packages/.

build all packages

$m[2]

trouble shooting

  • if a build using make -j $(nproc) fails, rerun it with make -j1
  • if it still fails, rerun with make -j1 V=s to get verbose output and find the first real error
  • if the builder cannot fetch a package's source tarball, look for another download location and adapt the Makefile in that package's directory below packages/
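The escalation in the troubleshooting list above can be scripted so that a failing build falls back to serial and then to verbose mode by itself. The wrapper below is an added example, not part of the post's build instructions or of OpenWrt; it is meant to be run from the top of the patched buildroot, and the MAKE / MAKE_LOG environment overrides are assumptions of this script (they default to plain make) so that the fallback logic can be exercised with a stand-in command.

```shell
#!/bin/sh
# build_with_fallback [make targets...]
# 1) make -j$(nproc)      fast, but a failure can be hidden in interleaved output
# 2) make -j1             serial, so the failing package is the last thing printed
# 3) make -j1 V=s         serial and verbose, exposing the actual error message
# MAKE is an assumed override hook (defaults to "make"); the post itself simply runs make.
build_with_fallback() {
    make_cmd=${MAKE:-make}
    jobs=$(nproc 2>/dev/null || echo 1)

    if $make_cmd -j "$jobs" "$@"; then
        echo "built with -j$jobs"
        return 0
    fi
    echo "parallel build failed, retrying with -j1" >&2

    if $make_cmd -j1 "$@"; then
        echo "built with -j1"
        return 0
    fi
    echo "serial build failed, rerunning with V=s to expose the error" >&2

    if $make_cmd -j1 V=s "$@"; then
        echo "built with -j1 V=s"
        return 0
    fi
    echo "build still fails; read the V=s output for the first real error" >&2
    return 1
}

# Usage from a patched Barrier Breaker buildroot (uncomment to run):
# build_with_fallback
```

Because each attempt is guarded by an if, the function also behaves under set -e and returns the status of the last attempt, so it can be chained with the FTP upload step that follows.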

Since the flash storage of the router is accessible via FTP, the created image can be pushed down to the device using curl…

$m[2]

A virtual instance is created on the router with the metarouter command of the RouterOS CLI:
$m[2]

As you can see, BB is quite demanding in terms of memory: even a stripped-down BB firmware (more or less all services of the default image removed, no IPv6 support) needs at least 9 MB. Since the stock router offers ~110 MB of free RAM, you can easily run up to 4 instances of 24 MB each.

The setup of the network interfaces is well documented in the Metarouter manual and straightforward.

If you need to store a lot of data you can use the micro USB port to attach any USB storage using an OTG-cable:

$m[2]

IMPORTANT: The USB drive must be formatted with the (proprietary) MetaFS filesystem, so all data on the USB drive is lost.

Since the storage of the router is exported via FTP, curlftpfs can be used to mount a folder on the attached USB drive into the local file system of an OpenWrt instance. Keep in mind that plain FTP carries the RouterOS credentials and all data unencrypted, so keep that traffic on an internal bridge rather than a public-facing interface. And do not try to abuse the system as a NAS: storage access eats the CPU (a file transfer to the USB storage drives CPU usage up to 100%).

resources / links

original patch created by liquidcz: here

patch for Barrier Breaker: openwrt_metarouter_1407.patch

default fw image (Barrier Breaker, r43889): openwrt-mr-mips-default-image-rootfs.tar.gz

lowered memory footprint: openwrt-mr-mips-small-image-rootfs.tar.gz

image builder: OpenWrt-ImageBuilder-mr-mips-for-linux-x86_64.tar.bz2

binary packages: here


Have phun!

collected: SELinux-module example for mod_tile

posted on 2012.02.05 under collected, configuration, linux, security

For a project at work I had to set up an OpenStreetMap server on Scientific Linux 6.1 (64 bit) to render the map of Germany (BRD). I installed all the needed components and ran into big trouble with mod_tile. This module is responsible for taking queries for map tiles from Apache, forwarding them to the render daemon and delivering the images back. mod_tile and renderd communicate via a Unix socket, and SELinux prevents mod_tile, which runs in the context of httpd, from accessing that socket. A short grep of the web gives the usual answer: disable SELinux. Since SELinux had long been a common problem for me too (yes, I used echo 0 > /selinux/enforce a few times) I decided to accept the challenge… and after reading a lot I got a solution :=).

The following description should work in general for „access denied by SELinux“ problems. The process is quite easy: use the output of the SELinux audit log to create a suitable policy module. Step by step:

0. Be sure that SELinux really is your problem. Maybe you get error messages like „permission denied“ when accessing files although you already granted full access via chmod (if the application gives no output, use strace and grep for EACCES; use -e trace=… to filter system calls) and/or set the correct security context via chcon/restorecon. Have a look at the boolean shortcuts (getsebool -a | grep for the service name) to check whether there is an option that permits the needed action/access.

1. Check the SELinux audit log (/var/log/audit/audit.log) for entries related to your problem. If there are none, make sure auditd is running (without it the denials end up in /var/log/messages instead) or enable auditing by restarting your machine with the additional kernel parameter audit=1. For mod_tile we captured 2 entries:


type=AVC msg=audit(1328183212.312:383): avc:  denied  { connectto } for  pid=2314 comm="httpd" path="/var/run/renderd/renderd.sock" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1328182336.427:158): avc:  denied  { write } for  pid=2017 comm="httpd" name="renderd.sock" dev=sda2 ino=2097727 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file

Put the relevant entries into a separate file like audit.out.

2a. Build the module the long way, so you see what happens…


# build the module description (the "source") into apachemodtile.te
#> cat audit.out | audit2allow -m apachemodtile > apachemodtile.te
#> cat apachemodtile.te
module apachemodtile 1.0;

require {
	type unconfined_t;
	type var_run_t;
	type httpd_t;
	class sock_file write;
	class unix_stream_socket connectto;
}

#============= httpd_t ==============
allow httpd_t unconfined_t:unix_stream_socket connectto;
allow httpd_t var_run_t:sock_file write;

# build the binary module apachemodtile.mod
#> checkmodule -M -m -o apachemodtile.mod apachemodtile.te
# build a SELinux policy module package in apachemodtile.pp
#> semodule_package -o apachemodtile.pp -m apachemodtile.mod

2b. Or use audit2allow -M, which does all of 2a in one step:


#>cat audit.out | audit2allow -M apachemodtile

3. install the module permanently:


# the module goes (on SL 6.1) to /etc/selinux/targeted/modules/active/modules/apachemodtile.pp
#> semodule -i apachemodtile.pp

After this mod_tile was able to connect to the socket of renderd. Quite easy 🙂
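To make the format audit2allow produces tangible, and to show the review step a practitioner should do before semodule -i, here is an added example that is not part of the post and not a replacement for the real audit2allow: a small sh/awk stand-in that turns AVC denials into a .te module, plus a check that flags rules targeting unconfined_t. The two AVC lines are the ones captured above, embedded here so the script runs offline; the function names avc_to_te and review_te are this example's own.

```shell
#!/bin/sh
# The two denials from the audit log above, embedded as a constructed sample input.
AVC_SAMPLE='type=AVC msg=audit(1328183212.312:383): avc:  denied  { connectto } for  pid=2314 comm="httpd" path="/var/run/renderd/renderd.sock" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1328182336.427:158): avc:  denied  { write } for  pid=2017 comm="httpd" name="renderd.sock" dev=sda2 ino=2097727 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file'

# avc_to_te MODULE: read AVC denials on stdin, write a .te module to stdout.
# Stage 1 extracts (source type, target type, class, permission) tuples; the type is
# the third colon-separated field of scontext/tcontext, the permissions sit in { }.
# Stage 2 sorts and dedupes so the output is deterministic; stage 3 renders the
# require block and one allow rule per (source, target, class), like audit2allow -m.
avc_to_te() {
    awk '
    /avc: *denied/ {
        s = index($0, "{"); e = index($0, "}")
        if (s == 0 || e <= s) next
        perms = substr($0, s + 1, e - s - 1)
        src = tgt = cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "") next
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) {
            print "T " src; print "T " tgt
            print "C " cls " " p[j]
            print "A " src " " tgt " " cls " " p[j]
        }
    }' | sort -u | awk -v mod="$1" '
    function fmt(s,   n, p) { sub(/^ /, "", s); n = split(s, p, " "); return n == 1 ? s : "{ " s " }" }
    $1 == "T" { types[++nt] = $2 }
    $1 == "C" { if (!($2 in cperm)) corder[++nc] = $2; cperm[$2] = cperm[$2] " " $3 }
    $1 == "A" { k = $2 " " $3 ":" $4; if (!(k in aperm)) aorder[++na] = k; aperm[k] = aperm[k] " " $5 }
    END {
        print "module " mod " 1.0;"
        print ""
        print "require {"
        for (i = 1; i <= nt; i++) print "\ttype " types[i] ";"
        for (i = 1; i <= nc; i++) print "\tclass " corder[i] " " fmt(cperm[corder[i]]) ";"
        print "}"
        print ""
        for (i = 1; i <= na; i++) print "allow " aorder[i] " " fmt(aperm[aorder[i]]) ";"
    }'
}

# review_te: read a .te on stdin and warn about allow rules whose target type is
# unconfined_t. Such a rule grants the source domain that access to objects of every
# unconfined process, not only renderd; a tighter fix is a dedicated domain/type for
# the peer process and an allow rule against that type only.
review_te() {
    awk '$1 == "allow" && $3 ~ /^unconfined_t:/ {
        print "WARNING: " $0 " (target unconfined_t: applies to every unconfined process)"
    }'
}

TE=$(printf '%s\n' "$AVC_SAMPLE" | avc_to_te apachemodtile)
printf '%s\n' "$TE"
printf '%s\n' "$TE" | review_te
# On the SELinux host the generated .te then goes through the same steps as in 2a:
#   checkmodule -M -m -o apachemodtile.mod apachemodtile.te
#   semodule_package -o apachemodtile.pp -m apachemodtile.mod
#   semodule -i apachemodtile.pp
```

Run against the two denials above, the output matches the module audit2allow printed in step 2a, and review_te flags exactly one rule: allow httpd_t unconfined_t:unix_stream_socket connectto. That rule is what makes mod_tile work here because renderd runs unconfined, but it is worth knowing that it is broader than "httpd may talk to renderd" before loading it.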

Fedora 14 & GRUB2

posted on 2011.02.19 under bootloader, configuration, linux

Forced by a project at work I had to install GRUB2 on Fedora 14. Here is a short description of what I did to get it running:

1. install the new „grand unified bootloader“ package by

$m[2]

Attention: at this time, Fedora uses multislot, i.e. GRUB Legacy (0.9x) and GRUB2 can be installed in parallel.

2. edit/create the new /boot/grub2/grub.cfg

2.1 My old /boot/grub/grub.conf looks like:
$m[2]

In the snippet above you can see that GRUB2 is already inserted into the grub.conf of your old GRUB. You can use that entry to boot into the GRUB2 command line.

2.2. create a new grub.cfg
Important: in GRUB Legacy (the old GRUB) partition numbering starts at 0; in GRUB2 it starts at 1 (disks are still counted from 0 in both). So hd0,0 from above becomes hd0,1.
Check/note on which device/partition your /boot and root are located and which UUID each has (mount gives you the device /dev/sd…, blkid the associated UUID), sample:
$m[2]


3. Now run
$m[2]

The output is placed in /boot/grub2/grub.cfg.new. Do a cat on it and compare the UUIDs for /boot and root with the ones from above (and maybe against your old grub.conf)… and yes, hd0,0 is now hd0,1.

4. The final step: install the new GRUB on the disk…
First only test that everything is fine (without writing to the MBR; assuming the target drive is /dev/sda):
$m[2]

Now for real:
$m[2]


5. Finally
$m[2]


And it works. For me. Now.
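The two checks done by eye in steps 2.2 and 3 (shift the partition index, make sure the UUIDs in the new grub.cfg are ones blkid really reports) can be scripted. The following is an added example, not something from the post or from the GRUB project; the device names and UUIDs in the sample input are constructed, and the function names are this script's own.

```shell
#!/bin/sh
# Constructed samples: a GRUB Legacy root line, a blkid-style listing and a grub.cfg
# fragment. None of these values come from the post.
LEGACY_LINE='root (hd0,0)'
BLKID_SAMPLE='/dev/sda1: UUID="1111aaaa-2222-bbbb-3333-cccc4444dddd" TYPE="ext4"
/dev/sda2: UUID="5555eeee-6666-ffff-7777-000088889999" TYPE="ext4"'
GRUBCFG_SAMPLE='search --no-floppy --fs-uuid --set=root 1111aaaa-2222-bbbb-3333-cccc4444dddd
linux /vmlinuz root=UUID=5555eeee-6666-ffff-7777-000088889999 ro'

# legacy_to_grub2_dev: rewrite every (hdN,M) on stdin as (hdN,M+1). Disks stay
# zero-based in GRUB2; only the partition index moves from 0-based to 1-based.
legacy_to_grub2_dev() {
    awk '{
        out = ""; s = $0
        while (match(s, /\(hd[0-9]+,[0-9]+\)/)) {
            tok = substr(s, RSTART + 1, RLENGTH - 2)        # hdN,M without the parens
            split(tok, part, ",")
            out = out substr(s, 1, RSTART - 1) "(" part[1] "," (part[2] + 1) ")"
            s = substr(s, RSTART + RLENGTH)
        }
        print out s
    }'
}

# check_cfg_uuids BLKID_OUTPUT: read a grub.cfg on stdin and verify that every UUID it
# references appears in the blkid output given as $1. Prints the missing ones and
# returns 1 if there are any, so a stale or mistyped UUID is caught before grub2-install.
check_cfg_uuids() {
    missing=0
    for u in $(grep -oE '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}' | sort -u); do
        if ! printf '%s\n' "$1" | grep -qi "UUID=\"$u\""; then
            echo "UUID $u is referenced in grub.cfg but blkid does not report it"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

printf '%s\n' "$LEGACY_LINE" | legacy_to_grub2_dev          # root (hd0,1)
printf '%s\n' "$GRUBCFG_SAMPLE" | check_cfg_uuids "$BLKID_SAMPLE" && echo "all grub.cfg UUIDs found by blkid"
# On the real machine:  check_cfg_uuids "$(blkid)" < /boot/grub2/grub.cfg.new
```

The UUID check is the one worth keeping around: a grub.cfg that names a filesystem blkid does not know about will drop you at the GRUB rescue prompt on the next boot, which is exactly the failure mode the manual comparison in step 3 is meant to prevent.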

GRUB2 offers thousands of new possibilities (it has a Lua shell, module support, submenus, theming, …)

For learning: boot core.img, load the kernel and the ramdisk by hand, boot. Check the console commands ls and cat.

Have a look at:
http://www.gnu.org/software/grub/manual/
http://ubuntuforums.org/showthread.php?t=1195275
