Enable LXD GPU pass-through in Ubuntu 18.04 (Bionic Beaver)

One of the biggest challenges (aside from upgrading nvidia & cuda) in upgrading from Ubuntu 16.04 to Ubuntu 18.04 is enabling GPU passthrough in LXD containers. Due to a bug in its parsing logic, LXD cannot properly parse the Blacklisted line in the nvidia-410 drivers.

The only solution is to upgrade lxd to 3.0.2. To do that you have to enable pre-released updates (bionic-proposed).

Enable Pre-released updates from Ubuntu Software

Then just upgrade lxd:

sudo apt upgrade lxd

Reboot and you are done.

Guide: HAProxy HTTP Basic Authentication for specific sites (SSL Termination)

Objective

I use HAProxy to serve multiple SSL/TLS enabled sites with HAProxy doing SSL termination. The sites serve regular HTTP while users see proper HTTPS sites (with free certificates from LetsEncrypt). My objective was to provide HTTP Basic Authentication as a second layer of protection for certain applications like NextCloud (DropBox clone) or Gitea (GitHub clone).

Challenges

I wanted to provide HTTP Basic Auth over specific services (not all, which is much easier) that didn’t natively support it, like Gitea. Secondly, I wanted it to be transparent to the underlying application. Thirdly, I didn’t want to provide plain-text passwords in haproxy.cfg.

Solution

After a few iterations I arrived at a simple solution to the problem. The steps are:

  1. Create users with encrypted passwords
  2. Add users to haproxy.cfg
  3. Force authentication for specific sites on frontend
  4. Remove authorization on backend

Create users with encrypted passwords

To create encrypted passwords, you need a tool called mkpasswd which is available with whois, so you need to install it first (one time activity):

sudo apt install whois

Create password as shown below (replace Password with your actual Password):

mkpasswd -m sha-512 Password

Copy the encrypted password generated by the tool (mkpasswd).

Add users to haproxy.cfg

You can add multiple user lists as well as user groups (beyond the scope of this guide) to haproxy. Let’s create a user list named AuthUsers (as an example):

userlist AuthUsers
        user Username1 password $6$d./LYD0vplX$XoPWiTQfhNt4g4NRcU/toFiV89xhW524abcdfg
        user Username2 password $6$d./LYD0vplX$XoPWiTQfhNt4g4NRcU/toFefghxhW524abcdfg

Replace Username1, Username2 with your actual user names and the corresponding encrypted password as the last argument in the line.

You can add as many users as you want.

Force authentication for specific sites only

Let’s say we want to force authentication for these two sites (in frontend section):

acl host_example1 hdr(host) -i example1.com
acl host_example2 hdr(host) -i example2.com

Below this we force them to be authenticated:

acl authorized http_auth(AuthUsers)
http-request auth realm Example1 if host_example1 !authorized
http-request auth realm Example2 if host_example2 !authorized

Use backend only when properly authenticated:

use_backend example1 if host_example1 authorized
use_backend example2 if host_example2 authorized

Remove authentication header from backend

HAProxy, for some strange reason, sends this Authorization header to the backend, which sends certain servers into a loop. It is advisable to remove it.

backend example1
http-request set-header X-Client-IP %[src]
server example1 example1:3000 check
http-request del-header Authorization

backend example2
http-request set-header X-Client-IP %[src]
server example2 example2:3000 check
http-request del-header Authorization

Now restart the haproxy server and voila!
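A static check for the configuration steps above, as an added example that is not part of the original guide: it flags plain-text insecure-password users, ACL names used in a condition but never defined (the kind of slip a mistyped host ACL causes), and backends that do not strip the Authorization header. The https-in frontend name and the sample hash are constructed; ACL names are treated as file-global, and anonymous { ... } and predefined ACLs are not handled.

```shell
# Added example (not the guide's own code). Assumptions: ACL names are file-global;
# anonymous "{ ... }" ACLs and HAProxy's predefined ACLs are not recognised.
audit_haproxy_cfg() {   # usage: audit_haproxy_cfg FILE   ("-" reads stdin)
    awk '
    function close_backend() { if (section == "backend" && !stripped) print "AUTH-HEADER-FORWARDED backend=" name }
    # A section keyword starts a new section; report on the backend just finished.
    $1 ~ /^(global|defaults|userlist|frontend|backend|listen)$/ {
        close_backend(); section = $1; name = $2; stripped = 0; next
    }
    NF == 0 || $1 ~ /^#/ { next }
    # Plain-text credentials in a userlist.
    section == "userlist" && $1 == "user" && $3 == "insecure-password" { print "PLAINTEXT-PASSWORD user=" $2 }
    $1 == "acl" { defined[$2] = 1 }
    # Collect every ACL name referenced after "if"/"unless".
    $1 == "http-request" || $1 == "use_backend" {
        cond = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "if" || $i == "unless") { cond = 1; continue }
            if (!cond || $i == "||" || $i == "or") continue
            ref = $i; sub(/^!/, "", ref)
            if (!(ref in used)) used[ref] = NR
        }
    }
    section == "backend" && $1 == "http-request" && $2 == "del-header" &&
        tolower($3) == "authorization" { stripped = 1 }
    END {
        close_backend()
        for (r in used) if (!(r in defined)) print "UNDEFINED-ACL " r " line=" used[r]
    }' "$1" | LC_ALL=C sort
}

sample_cfg() {   # constructed sample: the guide's layout with two ACL-name slips and one plain-text user
    cat <<'EOF'
userlist AuthUsers
    user Username1 password $6$CONSTRUCTED$notARealHash
    user Username2 insecure-password Password
frontend https-in
    acl host_example1 hdr(host) -i example1.com
    acl host_example1 hdr(host) -i example2.com
    acl authorized http_auth(AuthUsers)
    http-request auth realm Example1 if host_example1 !authorized
    http-request auth realm Example2 if host_example2 !authorized
    use_backend example1 if host_example1 authorized
    use_backend example2 if host_cexample2 authorized
backend example1
    http-request del-header Authorization
backend example2
    server example2 example2:3000 check
EOF
}
sample_cfg | audit_haproxy_cfg -
```

This complements haproxy -c -f <file>, which validates the configuration syntax but does not know which backends you intended to protect.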

Pros and Cons of Hosting your own Nameservers

Benefits of hosting your Nameservers

  • Ease of changing hosting providers: Having your own nameservers makes it easy when you are changing your hosting providers for two reasons:
    • Zero downtime in switching
    • Minimal change at the Domain Registrar (change Nameserver and Hostname records only)
    • Other nameserver changes can be done easily with your own nameserver, even scripted
  • Vanity Name Servers: Your clients may, particularly if you are in the reseller business, check your Domain records including your name servers in a bid to identify your genuineness and commitment.
  • Ease of managing nameserver: You can easily script it or use the user interface of your choice.

Disadvantages of hosting your own nameservers

  • Need Knowledge: You need to understand DNS well and be conversant in managing nameservers. Messing up DNS records while a client is shouting is not a good experience to have.
  • Responsible for Security: You need to ensure that the Nameserver Software is always updated and protect it against all DNS attack vectors.
  • Responsible for performance: If you are using the server for other purposes, and most likely you are, then your nameserver performance is dependent on the load of the system. When your system is overloaded, having the nameserver also slow down adds to the load and, more importantly, aggravates the problem. You need to ensure the performance of your nameservers.
  • Responsible for redundancy: There should be at least two nameservers for redundancy and failover. Unless you have multiple servers that you can use, you are removing redundancy by pointing both nameserver IPs at the same server.

Domain name registrars nowadays provide free DNS services to better retain their clients by:

  • making it harder to switch
  • giving better value for money

I have done both and I find using a Domain registrar's service gives less headache but is harder to configure and boring when you have a large number of domains.

Chrome: How to view YouTube at 3x Speed

When viewing a YouTube video you may want to quickly skip through the introductory section or boring/repetitive parts. The following solution will allow you to toggle between high speed and normal viewing. 3x speed-up is not offered by YouTube. With a little practice you can understand even at that high speed, though you need to be a bit focussed. It may help increase your power of concentration.
Drag this link to your bookmarks toolbar: 3x
The bookmarklet is a toggle. Click once to view the video at 3x speed, click again to switch to normal mode.

Grails: Validating User Domain class

Grails provides support for validating fields. Here is a typical User class with field validation. It ensures that the email address and URL are of the proper format, the login is unique and the password is not openly displayed.

package com.taragana
class User {
    String login
    String password
    String email
    String url
    static constraints = {
        login unique: true
        password password: true
        email email: true
        url url: true
    }
}

Script to kill all GradleDaemon processes – gkill

GradleDaemon sometimes redundantly runs in the background and Grails gives erroneous responses. The simplest solution is to kill all the errant GradleDaemon processes and run the app again. Below is a simple script which will kill all the errant GradleDaemon processes. The same can be used for killing any other process, say Firefox. Just substitute GradleDaemon with firefox.

# Kills all GradleDaemon processes without mercy
# awk trims the padding so that cut can pick the PID (first field); only PIDs reach kill
ps -Aeo pid,command|awk '{$1=$1;print}'|grep -v grep|grep GradleDaemon|cut -d' ' -f1|xargs kill -9

Bash: How to trim leading, following spaces from text

Many Linux/Unix commands produce column-formatted output, ps -ef for instance. This makes it difficult to process the output later in a pipeline, for instance when passing it to xargs kill to kill the filtered errant processes. The command below, when part of a bash / sh pipeline, removes the leading and trailing spaces and converts multiple spaces to a single space inside the string:
awk '{$1=$1;print}'
or shorter:
awk '{$1=$1};1'
Do you have such handy commands / snippets you would like to share? Please share in the comments below.