vuxu.org: Kali

Kali is a Seagate DockStar (1.2 GHz ARM Feroceon 88FR131, kirkwood) running OpenWrt.

The naming

Kali is the Hindu goddess associated with eternal energy.

She is sometimes depicted with 6 limbs, and the DockStar has 6 connectors (3 USB, 1 Mini-USB, 1 Ethernet, 1 Power). Kālī also means “beyond time”, and the DockStar has no real time clock.

Benchmarks

  • Power Usage (without USB devices)

    • Boot: 3.6 W, Idle: ~2.7 W, Full load: 4.7 W
  • Ethernet

    • iperf: 850 Mbit/sec as client, 786 Mbit/sec as server

Setup

I followed Eric Cooper’s HOWTO, and used his images. I made a backup first, as described by Alexander Holler.

The only annoying thing is figuring out the IP address of the device. If you don’t want to wait for a /16 nmap ping probe (~15min), it can be easier to quickly set up a local dnsmasq.

DO NOT LET THE DEVICE ACCESS THE INTERNET BEFORE INSTALLING OPENWRT.

Unfortunately, this configuration does not support IPv6, and due to their own kernel, one cannot use pre-built kmod-ipv6.

I tried building OpenWrt myself, first trunk (25aug2010), then the release Eric used (r22442), which builds but I don’t have the guts to flash it. :|

For now, I’ll wait until OpenWrt is supported officially and stick with the pre-built image.

$ opkg install mksh vim-full vim-runtime rsync screen procps --force-overwrite
$ rm /bin/ps
$ ln -s /usr/bin/ps /bin/ps

The fuckup

Too wimpy to just flash my own image, I decided to set up Jeff Doozan’s u-boot with netconsole first, so I could restore the image via TFTP. That was not the best idea, because the thing didn’t boot anymore after that. Damn. (Turns out it expected Debian’s partitioning, not OpenWrt’s.)

Salvation

Time to get a serial connection. I bought a cheap €3.99 CA-42 Nokia cable on eBay. It has USB-Id 067b:2303 and needs the module pl2303. My version has four wires, red, black, green, white and ground on the shielding. I had to wire GND to the shielding, TX to green, and RX to white. Red and black are unconnected.

(If you want to do that more professionally, also see yourwarrantyisvoid.com.)

You can access the console with sudo screen /dev/ttyUSB0 115200.

Hopefully you now can restore according to Eric Cooper.

Still, I now have a netconsole, so I can try stuff without the case open. (Note that Jeff’s u-boot apparently needs $var instead of $(var) for parameter substitution.)

New horizons

OpenWrt now builds natively from trunk. (09sep2010)

Display

I got an IOGEAR USB 2.0 DisplayLink adapter (Model GUC2020DW6, USB-Id 17e9:0059) for use with kali. It has native DVI-output as well as a VGA adapter.

Since OpenWrt didn’t have much of the software I wanted to run, I installed Plugbox—an Arch derivative for ARM—on a USB stick.

The adapter works flawlessly using the kernel module “udlfb” which makes it a framebuffer.

I make it a console with:

openvt -ws -- fbterm -s 10 -n Terminus

The included X.org 1.7.6 works as well. Remember that you need HAL for evdev devices to work.

The third-party xf86-video-displaylink is not noticeably faster than xf86-video-fbdev, but uses a lot less memory: 21 MB vs ~50 MB.

It works well as an X terminal (e.g. chromium runs fine, and videos up to ~640x480 run smoothly; this is a limitation of USB 2.0).

Some terminal benchmarks (100k lines of find-output):

urxvt on kali (xf86-video-fbdev)        4.3s
urxvt on zorya (xf86-video-intel)       0.9s
urxvt on emo (proprietary nvidia)       0.3s

fbterm on kali (displaylink)             68s
fb on zorya (KMS)                        67s
fb on emo (uvesafb)                      68s

glxgears on kali:                     27 FPS at 100% CPU (15% system)

One can also locally run lightweight X11 apps such as mupdf.

Sound

I also got a cheap USB sound card (“Speedlink”, C-Media, USB-Id 0d8c:000c) which works well with snd_usb_audio on OpenWrt. For Arch Linux, it will have bad noise until you additionally create a /etc/asound.conf containing:

pcm.!default front

mplayer playing a 128kbit stream needs roughly 25% CPU.

Repurposing as KDC

In July 2012 I decided to repurpose kali (after 611 days of uptime) as a standalone server, currently providing the Kerberos realm VUXU.ORG. The hardware is perfect for this purpose.

Preparing Arch Linux ARM:

sudo mkfs.ext2 -L kali /dev/sdc1
mount /dev/sdc1 /mnt
cd /mnt
tar xzvf /tmp/ArchLinuxARM-armv5te-latest.tar.gz
sync
vi etc/rc.conf
# set timezone, hostname
# adjust /etc/hosts
umount /mnt

Now we can boot the DockStar and configure it:

ssh-copy-id root@$IP
# default password is root
ssh root@$IP
passwd
vi /etc/ssh/sshd_config
# PermitRootLogin without-password
pacman -Su pacman
pacman-key --init
pacman -Syu
pacman -S iptables pacman-contrib vim ntp archlinux-keyring \
          haveged strace tcpdump htop lsof
vi /etc/rc.conf
# DAEMONS=(syslog-ng haveged network ntpdate
#          krb5-kadmind krb5-kdc crond sshd)
vi /etc/rc.local
# iptables -A INPUT -p all -j LED --led-trigger-id netin --led-delay 100
# ip6tables -A INPUT -p all -j LED --led-trigger-id netin --led-delay 100
# echo netfilter-netin >"/sys/class/leds/status:orange:fault/trigger"
# echo default-on >"/sys/class/leds/status:green:health/trigger"

Adding the DNS configuration info:

_kerberos._udp.VUXU.ORG.        IN SRV 10 0  88 kali.home.vuxu.org.
_kerberos-master._udp.VUXU.ORG. IN SRV  0 0  88 kali.home.vuxu.org.
_kerberos-adm._tcp.VUXU.ORG.    IN SRV  0 0 749 kali.home.vuxu.org.
_kpasswd._udp.VUXU.ORG.         IN SRV  0 0 464 kali.home.vuxu.org.

Setting up Kerberos (roughly following Doug Potter’s Kerberos/LDAP/NFSv4 HOWTO):

# cat /etc/krb5.conf 
[libdefaults]
        default_realm = VUXU.ORG
[realms]
        VUXU.ORG = {
                kdc = kali.home.vuxu.org:88
                admin_server = kali.home.vuxu.org:749
        }
[domain_realm]
        .home.vuxu.org = VUXU.ORG
        home.vuxu.org = VUXU.ORG
        .vuxu.org = VUXU.ORG
        vuxu.org = VUXU.ORG

# cat /var/lib/krb5kdc/kdc.conf 
[kdcdefaults]
        kdc_ports = 750,88

[realms]
        VUXU.ORG = {
                database_name = /var/lib/krb5kdc/principal
                admin_keytab = FILE:/var/lib/krb5kdc/kadm5.keytab
                acl_file = /var/lib/krb5kdc/kadm5.acl
                key_stash_file = /var/lib/krb5kdc/.k5.VUXU.ORG
                kdc_ports = 750,88
                max_life = 10h 0m 0s
                max_renewable_life = 7d 0h 0m 0s
        }

# cat /var/lib/krb5kdc/kadm5.acl
*/admin@VUXU.ORG *

# kdb5_util create -s
Loading random data
Initializing database '/var/lib/krb5kdc/principal' for realm 'VUXU.ORG', master key name 'K/M@VUXU.ORG'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: 
Re-enter KDC database master key to verify: 

# kadmin.local -q "addprinc root/admin"
Authenticating as principal root/admin@VUXU.ORG with password.
WARNING: no policy specified for root/admin@VUXU.ORG; defaulting to no policy
Enter password for principal "root/admin@VUXU.ORG": 
Re-enter password for principal "root/admin@VUXU.ORG": 
Principal "root/admin@VUXU.ORG" created.

# /etc/rc.d/krb5-kadmind start
:: Starting Kerberos Admin Daemon                                        [DONE] 
# /etc/rc.d/krb5-kdc start
:: Starting Kerberos Authentication                                      [DONE] 

# kadmin
Authenticating as principal root/admin@VUXU.ORG with password.
Password for root/admin@VUXU.ORG: 
kadmin:  addprinc -randkey host/kali.home.vuxu.org
WARNING: no policy specified for host/kali.home.vuxu.org@VUXU.ORG; defaulting to no policy
Principal "host/kali.home.vuxu.org@VUXU.ORG" created.

kadmin:  ktadd host/kali.home.vuxu.org
Entry for principal host/kali.home.vuxu.org with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kali.home.vuxu.org with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kali.home.vuxu.org with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/kali.home.vuxu.org with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.

kadmin:  add_policy -minlength 8 -minclasses 3 default

kadmin:  addprinc chris
NOTICE: no policy specified for chris@VUXU.ORG; assigning "default"
Enter password for principal "chris@VUXU.ORG": 
Re-enter password for principal "chris@VUXU.ORG": 
Principal "chris@VUXU.ORG" created.

kadmin:  addprinc -randkey imap/localhost.localdomain
kadmin:  ktadd -k /tmp/juno.keytab imap/localhost.localdomain
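
The ktadd output above wrote des3-cbc-sha1 and arcfour-hmac keys into /etc/krb5.keytab next to the AES ones. The following is an added example, not part of the original page: a small audit that flags such legacy entries in `klist -ke` output. The function names are hypothetical and the sample listing is constructed from the principal, kvno and enctypes shown above.

```shell
#!/bin/sh
# Added example (not from the original page): flag keytab entries whose
# encryption type is a legacy one (single DES, 3DES, RC4/arcfour).

# Constructed sample in the layout printed by `klist -ke /etc/krb5.keytab`,
# using the principal, kvno and enctypes from the ktadd output on this page.
sample_klist() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/kali.home.vuxu.org@VUXU.ORG (aes256-cts-hmac-sha1-96)
   2 host/kali.home.vuxu.org@VUXU.ORG (aes128-cts-hmac-sha1-96)
   2 host/kali.home.vuxu.org@VUXU.ORG (des3-cbc-sha1)
   2 host/kali.home.vuxu.org@VUXU.ORG (arcfour-hmac)
EOF
}

# Read `klist -ke` output on stdin and print "kvno principal enctype" for
# every entry with a legacy enctype. Newer klist versions prefix such names
# with "DEPRECATED:", which is stripped before matching.
weak_keytab_entries() {
    awk '
        $1 ~ /^[0-9]+$/ && $NF ~ /^\(.*\)$/ {
            enc = $NF
            gsub(/^\(|\)$/, "", enc)          # drop surrounding parentheses
            sub(/^DEPRECATED:/, "", enc)
            if (enc ~ /^(des-|des3-|arcfour-|rc4-)/)
                print $1, $2, enc
        }'
}

# Echo the number of legacy entries found on stdin.
count_weak() {
    weak_keytab_entries | wc -l | tr -d ' '
}

# Stand-alone run: audit the keytab given as $1 if klist is installed,
# otherwise fall back to the constructed sample.
if [ -n "${1:-}" ] && command -v klist >/dev/null 2>&1; then
    klist -ke "$1" | weak_keytab_entries
else
    sample_klist | weak_keytab_entries
fi
```

Legacy entries can be avoided when the keytab is written by passing ktadd an explicit `-e` list of AES enctypes, or realm-wide by setting `supported_enctypes` in the realm section of kdc.conf.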

On clients, you then need:

% cat /etc/krb5.conf
[libdefaults]
    default_realm = VUXU.ORG