I use of a lot of old kit in my lab. Some of these machines have very poor ACPI implementations and they often complete their boot displaying an 80×25 character console on monitors that can support much higher resolutions. I have put up with staggered ZFS listings for too long and decided to fix this problem on my FreeBSD hosts.
Modern FreeBSD uses the VT console by default. If a video graphics driver has been installed, it will display a console in a higher resolution if configured.
The configuration below was tested on FreeBSD 13.4-RELEASE-p1 and FreeBSD 14.1-RELEASE-p5 with onboard intel graphics adapter.
Install the graphics driver:
$ sudo pkg install drm-kmod
Run the following command to load the intel graphics driver on boot:
$ sysrc kld_list+=i915kms
Edit /boot/loader.conf adding the following lines to the file:
Assuming that your Django container is already running under Docker, find out what it’s ‘Container ID’ is.
$ docker ps
CONTAINER ID IMAGE ...
fb3aabc8e123 django-web ...
In the above example the Container ID is fb3aabc8e123.
Now you can easily execute commands inside that container.
$ docker exec -it fb3aabc8e123 sh
The ‘-it’ option executes the command in an Interactive Terminal.
The ‘sh’ at the end of the command is the program to run, in this case it the system shell program. You could use ‘bash’ on a Linux machine if that’s your preference.
Now that you have a shell running in the Django container, you can run the command to create the admin user account.
The easiest way to have Django run a migration inside a Docker container is to get Docker to run a new container to perform the task.
Using ‘run’ instead of ‘exec’ works if there is a start-up script like entrypoint.sh that prevents the container from starting until the migration has been completed (egg-chicken-egg).
E.g. I have a Django app called ‘web’ defined in docker-compose.yml , my terminal’s current working directory is the Django container folder where manage.py is resident.
$ docker compose run web ./manage.py migrate
This probably works similarly with Podman, I just haven’t tried it yet to verify.
I noticed today that the FreeBSD ZFS pool that I created on my laptop SSD was not configured for TRIM. TRIM enables the SSD to recover space from previously written to blocks that have since had files deleted. This can help maintain performance of the SSD as it fills with data.
My pool is called zroot, so the command to check the value of the TRIM setting is:
Originally written in 2018. This post has been languishing in drafts for a couple of years. I may complete it someday.
I acquired three old Netgear GSM7224 switches for my lab network some time ago and I pulled them off the shelf recently to use in a project I am currently working on. I wish I had actually checked them out fully when I first acquired them because it has cost me a week or so in time to get them useable in a reasonably secure test network. I did not anticipate the problems getting older high-end Netgear products to work securely in a network environment with up to date patched hosts.
Netgear GSM7224 installed in test lab
If you are trying to make use of ageing Netgear GSM7224 Gigabit Ethernet Managed Switches you may find this article useful. Some of this may even be relevant to other network equipment running similar firmware Eg. Sun Netra.
Observations
I spent a little time getting familiar with one of the switches on my bench. I used a laptop running Ubuntu 18.04 with a USB Serial adapter and a 9-pin null modem serial cable connected to the switch’s console port on the front panel. As these were second hand switches I didn’t have knowledge of the existing admin password. Resetting the password was at the top of the task list but until then it was time to do some basic surveilance on the switch using nmap. These are my initial observations.
Noisy or failed fans
Slow start-up time
Old firmware. The latest 2007 version is still available for download
Log files are time and dated from 1 Jan 1970 at start-up
Awful Netgear documentation, lots of critical configuration information undocumented
Telnet running on tcp 23
No SSH v2 access
Unencrypted web management interface on tcp 80
No HTTPS for web interface
Mysterious tcp 4242 port listening
Web Management prompts for Java plugin but 2018 browsers are not able to run Java applets
Objectives
Reset passwords on all switch login accounts
Replace fans with new parts
Document out of band command line management via the serial console
Upgrade firmware to latest version
Fix the time stamps in the log files
Fix the Java plugin requirement
Configure in-band management only from the management VLAN 1 with no internet access
Enable SSH v1 safely via a bastion host running SSH v2
Enable HTTPS web interface only over management VLAN
Disable less secure management interfaces, telnet and unencrypted web management
Enable remote syslog
Enable SNMP
Tools and Equipment Required
Netgear GSM7224
The latest firmware for the switch. At the time of writing this was 6.2.0.14
Laptop or desktop computer that has a terminal emulator.
Oracle VirtualBox to host an old distro that has an SSH v1 client or a Windows PC with PuTTY.
CD-ROM or ISO image file for an old 32-bit Linux or FreeBSD distribution that was released between 2006 and 2007. This is primarily for using OpenSSL and OpenSSH from this period to fully configure the switch. I used Ubuntu 6.06 LTS x86 as this was still downloadable in 2018
9-pin serial null modem cable.
USB to Serial adapter if your computer does not have a native serial port.
VT100 terminal emulation program that can connect to the switch’s console session via your serial connection. I used Minicom that was installable from the Ubuntu repos.
A compatible Java Plugin for a web browser that shipped with your 2006 Linux distro. If you want to try the Java applet function in the switch’s web interface
Wireshark if you want or need to decode further the SSH protocol between your switch and ssh clients
Replace the Noisy Fans
All three of my switches had noisy fans. Each has two 40x40x10mm 5VDC 2-pin fans inside and one in each had partially seized which was causing a lot of noise.
Opening the case was just a bit of screwdriver work to remove the rack mounting ears and then the screws holding the case together. All of the externally visible screws have to be removed to open the case. The cover slides of rearwards with a slight upward tilt. Once inside I could see the fans that need replacing.
I opted for cheap replacement fans sourced from eBay but I probably should have put more thought into that decision at the time. Within a few months the replacement fans started getting noisy.
Gain Console Access
I connected a 9-pin null modem serial cable that I use for console access to the switch and to a USB serial adapter plugged into my laptop.
I use Minicom as a terminal emulator to access my switch consoles. Ctrl-A in Minicom gains access to its configuration menu. The connection was configured for /dev/ttyUSB0 at 9600,n,8,1. After saving the settings the switch console login prompt appeared.
My Netgear switches were all purchased used without documentation or being reset to factory defaults. I tried logging in as admin with various popular passwords without luck. Fortunately, rebooting the switches with Minicom still connected and running reveals a boot menu. Select option 2 to access a configuration menu. From here the switch can be reset to factory defaults without needing a password.
Update Firmware
I downloaded the ‘latest’ firmware from Netgear and setup a TFTP server on my laptop to serve the new firmware image. The firmware’s README describes the process to upgrade and although it takes a while silently updating there is eventually some confirmation on screen and the job is done.
I was having problem getting the SNTP client to synchronise time with the NTP servers that I had specified to use. That was until I tried this configuration command that worked…
(GSM7224) (config)# sntp client mode unicast
I also had some problems getting recent SSH clients to work. PuTTY on a Windows machine was useful as is still support SSH v1.
Port scanning the switch revealed that tcp 4242 appears to be used by the switch’s Java client interface. As I am not using the Java client it can be closed using:
I never expected that I would upgrade one of my elderly Dell GX240 PCs again, but today I did. I have two GX240 tower PCs. One of them has been used as a firewall for five years, the other as it’s fallback spare. I retired both of them a few weeks ago, replacing them with Dell PowerEdge 840 servers. Yes, they are old too, but not as old as the GX240.
I have been planning to upgrade my parent’s firewall with a PowerEdge 840 but I’m working on a project at the moment and can’t really spare one of my modified super quiet ones. I had a job lot of old CPUs arrive today and an intel SL7EY was in the bundle. I soon realized that this was the high end processor for the GX240 and quickly decided that perhaps a GX240 would go on for a bit longer at my parents house.
I stripped down both GX240s and rebuilt one using the best bits from each. I will save the other for spares and scrap them both eventually but for now the best of them gets a 2.8Ghz Pentium 4 with 512KB cache. To my dissapointment, a very large number of the new processor’s pins were bent. It took about an hour or so of work with a magnifying glass and craft knife to carefully straighten them enough for the socket to accept the processor. The PC was booted up with the new CPU and it was correctly recognised in the BIOS setup. A successful upgrade!
The 2.6Ghz Celeron has performed really well and I’m interested to see if the additional 200 Mhz and 384KB of cache that the 2.8Ghz Pentium 4 has make a noticeable difference. I didn’t take any benchmarks before and after, this was just a case of making use of a surprise ‘windfall’. I’m not expecting anything as amazing as the last processor upgrade but I think it was worthwhile doing.
I have just acquired a used 4-port D-Link fast ethernet PCI board from a seller on eBay. I have been looking for one of these for my ‘new’ firewall for ages and was about to give up.
The firewall is an old crate of a Dell GX240 with PCI slots but it still has plenty of grunt to do what I need without consuming too much power. It’s one of the old Dells that I bought years ago for peanuts that has been upgraded with a 2.6Ghz Celeron.
I have been experienting with a Broadcom crypto accelerator in pfSense and I was about to give up on the GX240 and move up to a newer old machine with PCI-X slots.
The BCM5821 already delivers 24x performance improvent on 2048 bit RSA in the 33Mhz PCI bus and I am intrigued to find out how fast it will go in a 64 bit, 66Mhz slot. Now that I have the D-Link, I will crack on with the original plan and save the PCI-X upgrade for later.
