{{tag>deluge torrent server openvpn btguard nftables iptables systemd virtual machine linux ubuntu}}
======KPTree Torrent VM Setup======
=====Deluge Headless setup=====
The main reference used is [[http://www.havetheknowhow.com/|Havetheknowhow.com]], specifically for the deluge headless setup, [[http://www.havetheknowhow.com/Install-the-software/Install-Deluge-Headless.html|Havetheknowhow.com - How to install Deluge Headless]]. The Deluge support page is also a root source of knowledge [[https://deluge.readthedocs.io/en/latest/how-to/systemd-service.html|Deluge systemd]]. Whatbox [[https://whatbox.ca/wiki/Deluge|Deluge]] also has some interesting dialog.
If installing on a virtual machine (VM) it is important to also have set up the NFS to allow access to the main storage. Also, consider aligning the appropriate file system user and groups between the VM server and VM guests. (Check the local deluge directory actually exists for the user as otherwise the deluge and deluge web daemons will crash and not load. (For the Ubuntu Network Filing System, NFS, see [[http://www.havetheknowhow.com/Configure-the-server/Configure-NFS.html|Havetheknowhow.com - How to configure NFS Version 4]], that contains configuration information for both the VM server and clients.
Unfortunately, Havetheknowhow.com does not seem to cover the alignment of user and groups between the main OS and VMs. I create a basic template machine and manual update the group and user id numbers to align, a use the basic information given in [[https://muffinresearch.co.uk/linux-changing-uids-and-gids-for-user/|Linux: Changing UIDs and GIDs for a user]]. The process is tedious and takes a bit of care to complete, but once setup properly allows better operation between the server and virtual machines.
I use a dedicated VM guest for Deluge with a VPN set up on this VM. I have been using the VPN [[https://btguard.com/|BTGuard]] for a few years now without any significant problems, save for BTGuard changing the IP address of their servers on occasion without informing end users, this affects the firewall software as noted below.
**//Recent changes not fully updated://**
* I no longer use BTGuard, they were expensive and seem technically outdated. (There is a section on this below.)
* I am using Debian as the Media VM now. (I believe I will try to move fully to Debian for my server in the future instead of Ubuntu. As noted elsewhere I am now using Manjaro (XFCE) on my main desktop now instead of MSWindows. Manjaro is based upon Archlinux, not Debian or Redhat and seems a good desk top choice. I am certainly happy with it after using over 6 months. I am still forced to use Windows 10 and MS corporate software at work.)
----
=====deluge systemd setup=====
Setting up deluged and and deluge-web as systemd services is described in deluge docs [[https://deluge.readthedocs.io/en/latest/how-to/systemd-service.html|How to create systemd services for Linux]]
We want to delay the start of the deluged.service to after the related drives are mounted.
First we need to check the units on on the machine. Use ''sudo systemctl list-units'' and look for the relevant ''.mount''s . In mycase:
-.mount loaded active mounted Root Mount
mnt-deluge.mount loaded active mounted /mnt/deluge
mnt-disk2.mount loaded active mounted /mnt/disk2
Similarly, in the same listing look for the relevant ''.service''s:
deluge-web.service loaded active running Deluge Bittorrent Client Web Interface
deluged.service loaded active running Deluge Bittorrent Client Daemon
===Links:===
* [[https://unix.stackexchange.com/questions/246935/set-systemd-service-to-execute-after-fstab-mount|Set systemd service to execute after fstab mount]]
* DigitalOcean Tutorials systemd:
* [[https://www.digitalocean.com/community/tutorials/how-to-use-systemctl-to-manage-systemd-services-and-units|How To Use Systemctl to Manage Systemd Services and Units]]
* [[https://www.digitalocean.com/community/tutorials/understanding-systemd-units-and-unit-files|Understanding Systemd Units and Unit Files]]
* [[https://www.digitalocean.com/community/tutorials/how-to-use-journalctl-to-view-and-manipulate-systemd-logs|How To Use Journalctl to View and Manipulate Systemd Logs]]
* [[https://www.digitalocean.com/community/tutorials/systemd-essentials-working-with-services-units-and-the-journal|Systemd Essentials: Working with Services, Units, and the Journal]]
* [[https://cloudnull.io/2017/05/nfs-mount-via-systemd/|NFS mount via systemd]]
* [[https://www.golinuxcloud.com/start-systemd-service-after-nfs-mount/|How to start systemd service after NFS mount in Linux]]
[[https://www.tecmint.com/systemd-analyze-monitor-linux-bootup-performance/|systemd-analyze – Find System Boot-up Performance Statistics in Linux]]
----
=====OpenVPN with PrivateVPN=====
I decided to go with [[https://privatevpn.com/|PrivateVPN]] that seems to get reasonably good reviews at the time of change over (2020-04-18) and my old VPN provided (BTGuard) was getting very poor reviews, was up for renewal, and was becoming comparatively expensive. The following is a list of resources to help with Linux Ubuntu CLI setup:
* [[https://privatevpn.com/support/getting-started/linux/linux/openvpn-cli|OpenVPN CLI - Debian]]
* [[https://privatevpn.com/serverlist|PrivateVPN Server List]]
* [[https://privatevpnsupportguy.github.io/Setup%20a%20manual%20kill%20switch%20for%20OpenVPN%20in%20GNU%20Linux.html|PrivateVPN - Setup a manual kill switch for OpenVPN in GNU/Linux]]
The PrivateVPN OpenVPN Linux CLI setup and associated download script worked well and was similar to the BTGuard setup, with the following issues easily found:
* Once the script was run PrivateVPN recommended using ''sudo privatvpn'' to run. The setup script creates a systemctl profile: openvpn@privatvpn.service. So the standard systemctl commands made much more sense to use! e.g. ''sudo systemctl start openvpn@privatvpn.service'' with other standard systemctl operators: stop, status, enable, disable, etc. Similarly to get a better look at current log status: ''journalctl -u openvpn@privatvpn.service -xe''.
* __The description suggested editing ''/etc/privatevpn.conf'' to change the VPN servers, however the correct file was ''/etc/openvpn/privatevpn.conf''__.
* The remote server server in the downloaded script no longer was correct and had to be changed to one of the listed one in [[https://privatevpn.com/serverlist|PrivateVPN Server List]]. The listed servers all look to now end with the domain ''.host''.
* The PrivatVPN tunnel host IP address is different from the end IP address, unlike BTGuard which were the same. The host IP address must be used in the NFTables firewall to prevent VPN leakage.
* I use [[https://www.findip-address.com/]] to help find the corresponding ip address of the server.
* I then allow the tunnel VPN to pinhold these addresses only in my nftables setup, ''sudo vim /etc/nftables.conf''. Basically the nftables setup firewalls the system to only allow wan through the tunnel, except the pinhole address required to setup the tunnel.
* ''wget http://ipinfo.io/ip -qO -'' to check my current external ip address.
* Unfortunately PrivatVPN changes their server ip address and does not seem to tell their end users.
----
=====OpenVPN setup with BTGuard=====
I decided to move away from BTGuard after many years of service. Primary reasons: 1. They were becoming more expense (in part of currency variation with USD) and 2. Their services seemed not to be very comprehensive and up to date. Basically not the best value for money.
++++BTGuard Setup Notes|The following setup for the VPN with BTGuard. (The BTGuard Setup does not align well with the headless server and Deluge setup.)
*To install openvpn ''sudo apt install network-manager-openvpn''
*Download BTGuard certificate (CA) ''wget -O /etc/openvpn/btguard.ca.crt http://btguard.com/btguard.ca.crt''
*Download BTGuard OpenVPN configuration ''wget -O /etc/openvpn/btguard.conf http://btguard.com/btguard.conf''
*Modify the /etc/openvpn/btguard.conf file as follows:
*To optionally allow additional logging add the line: ''status openvpn-status.log'' (I added in before the "verb 3" line)
*To allow automatic login change the line: ''auth-user-pass'' to ''auth-user-pass /etc/openvpn/login.conf''
Create the /etc/openvpn/login.conf file and add only the BTGuard User name on the first line and associated password on the second line. Consideration should be given to protecting this information by limiting access to this file, e.g. changing file to root access only. (As these files a configuration files only they are not to be made executable.)
The BTguard VPN protection can be started with the command ''sudo openvpn /etc/openvpn/btguard.conf'', however it should have been automatically setup during installation using a systemd boot script.
**BTGuard seems to change their VPN IP addresses from time to time!** The iptables configuration needs to be changed to match to ensure operation. BTGuard seems to show there current IP addresses at their Knowledgebase [[https://btguard.com/support/index.php?/Knowledgebase/Article/View/20/0/how-can-i-test-if-btguard-vpn-is-working|How can I test if BTGuard VPN is working?]]. Sadly BTGuard do not seem to pro-actively inform their users of these changes, perhaps they do not want to keep a mailing list to protect client security.
===Sample /etc/openvpn/btguard.conf:===
client
dev tun
proto udp
remote vpn.btguard.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/btguard.ca.crt
status openvpn-status.log
verb 3
mute 3
auth-user-pass /etc/openvpn/login.conf
mute-replay-warnings
float
reneg-sec 0
===Sample /etc/openvpn/login.conf:===
Username
Password
Obviously, Username and password are end user specific.
++++
=====Some Handy Commands to Check Configuration====
*To start the vpn service: ''sudo systemctl start openvpn@privatvpn.service'', was ''openvpn@btguard.service''
*To check the end of the journal file for the vpn specific comments from the last boot: ''journalctl -u openvpn@privatvpn.service -b 0 -xe''
*__To check current external IP address: ''%%wget http://ipinfo.io/ip -qO -%%''__
*To list current tables in nftables: ''sudo nft list table ip firewall'', not inet, specifically ip, as ip6 is disabled.
*To start nftables: ''sudo systemctl start nftables''
*To check the journal for comments on nftables since the last boot: ''journalctl -u nftables.service -b 0''
*Other systemctl directives:
*''enable'' : to start the systemctl service at boot
*''disable'' : to not start the systemctl service at boot
*''start'' : to start the systemctl service
*''stop'' : to stop the systemctl service
*''status'' : to provide the status information of the systemctl service.
Some of the last journal log lines are shown too, to see all the journal log use the journalctl command. Some journalctl directives:
*''-u service_unit'' only list for service_unit
*''-b n'' Only list boot n, no number or 0 for last boot and 1 for previous and 2 for 2 previous etc.
*''-xe'' List end of file
*''-f'' Live continuous tail listing, until keyboard ''^c''
----
=====NFTables Configuration=====
NFTables supersedes IPTables, although IPTables is still most common in use. I have taken the effort to learn both IPTables and NFTables and prefer the syntax of NFTables.
A problem with the OpenVPN system is should it fail then the IP connectivity falls back to the standard connection with all the VPN benefits lost. To diminish this risk, I have set up the Deluge VM with a NFtables based firewall to effectively stop external internet connection upon any failure of the VPN, that is only the VPN connectivity is allowed. I have learned from the original IPTables based configuration below. With the ease of use of NFTables I have been able to improve and optimise the firewall.
To install nftables: "sudo apt update" followed by ''sudo apt install nftables''
++++Old, to;dr;|
If the nftables repository can not be found in Ubuntu 18.04 they will need to be added: ''sudo vim /etc/apt/sources.list'' and add the following repositories:
deb http://archive.ubuntu.com/ubuntu/ bionic universe
deb http://archive.ubuntu.com/ubuntu/ bionic-updates universe
deb http://security.ubuntu.com/ubuntu bionic-security universe
++++
====Sample NFTables configuration script for PrivatVPN====
''sudo vim /etc/nftables.conf''
++++nftables.conf script|
#!/usr/sbin/nft -f
define lan = ens3
define tun = tun0
# Clean out the current ruleset
flush ruleset
#This machine is exclusively for the use of IPv4 so drop all IPv6 communications.
table ip6 firewall {
chain input {
type filter hook input priority 0; policy drop;
}
chain output {
type filter hook output priority 0; policy drop;
}
chain forward {
type filter hook forward priority 0; policy drop;
}
}
#Setup ip (ipv4) rules, default policy is to drop
table ip firewall {
chain input {
type filter hook input priority 0; policy drop;
# accept input from loopback interface
iif lo counter accept
# Make sure that you can communicate within your own network if Private Network option is enabled
ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 counter accept
# ip saddr 172.16.0.0/12 ip daddr 172.16.0.0/12 counter accept
# ip saddr 10.0.0.0/8 ip daddr 10.0.0.0/8 counter accept
# allow established/related connections
ct state {established, related} counter accept
# allow icmp
ip protocol icmp icmp type {
echo-request, echo-reply, time-exceeded,
parameter-problem, destination-unreachable
} counter accept
# iifname $tun counter accept
}
chain output {
type filter hook output priority 0; policy drop;
# accept output from loopback interface
oif lo counter accept
# Make sure that you can communicate within your own network if Private Network option is enabled
ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 counter accept
# ip saddr 172.16.0.0/12 ip daddr 172.16.0.0/12 counter accept
# ip saddr 10.0.0.0/8 ip daddr 10.0.0.0/8 counter accept
oifname $tun counter accept
# specifically allow IP addresses of VPN only for outgoing packet on lan
#PrivatVPN Addresses (Host Addresses)
oifname $lan ip daddr 27.50.73.55 counter accept #Host: au-mel.pvdata.host
oifname $lan ip daddr 46.102.153.131 counter accept #Host: au-syd.pvdata.host
oifname $lan ip daddr 91.207.173.91 counter accept #Host: sg-sin.pvdata.host
counter drop
}
chain forward {
type filter hook forward priority 0; policy drop;
}
}
The use of the counter directive allows the usage to be checked. I commented out lines that were not being used.
++++
*To see active tables in load nftables ''sudo nft list tables''
*To see table commands: ''sudo nft list table ip firewall'' and ''sudo nft list table ip6 firewall''
*Select the server from [[https://privatevpn.com/serverlist|PrivateVPN Server List]].
*The host IP address can be found using the following commands: ''host au-mel.pvdata.host'' or '' ping au-mel.pvdata.host''.
*Edit the vpn (host name) and firewall (host ip address) configuration files, respectively: ''sudo vim /etc/openvpn/privatvpn.conf'' & ''sudo vim /etc/nftables.conf''.
*Restart the respective services: ''sudo systemctl restart openvpn@privatvpn.service'' & ''sudo systemctl restart nftables''
*Remember the host IP address and end point IP address are not the same. To check end point IP use: ''wget http://ipinfo.io/ip -qO -''
====Sample NFTables configuration script for BTGuard====
''sudo vim /etc/nftables.conf''
++++nftables.conf script|
#!/usr/sbin/nft -f
# define common referenced interfaces
define lan = ens3
define tun = tun0
define wan_ip4 = 112.213.222.38
# Clean out the current ruleset
flush ruleset
#This machine is exclusively for the use of IPv4 so drop all IPv6 communications.
table ip6 firewall {
chain input {
type filter hook input priority 0; policy drop;
}
chain output {
type filter hook output priority 0; policy drop;
}
chain forward {
type filter hook forward priority 0; policy drop;
}
}
#Setup ip (ipv4) rules, default policy is to drop
table ip firewall {
chain input {
type filter hook input priority 0; policy drop;
# accept input from loopback interface
iif lo counter accept
# Make sure that you can communicate within your own network
# if Private Network option is enabled
# Comment out private network ranges not used
ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 counter accept
# ip saddr 172.16.0.0/12 ip daddr 172.16.0.0/12 counter accept
# ip saddr 10.0.0.0/8 ip daddr 10.0.0.0/8 counter accept
# allow established/related connections
ct state {established, related} counter accept
# allow icmp
ip protocol icmp icmp type {
echo-request, echo-reply, time-exceeded,
parameter-problem, destination-unreachable
} counter accept
# iifname $tun counter accept
}
chain output {
type filter hook output priority 0; policy drop;
# accept output from loopback interface
oif lo counter accept
oifname $lan daddr $wan_ip4 counter drop
# Make sure that you can communicate within your own network
# if Private Network option is enabled
# Comment out private network ranges not used
ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 counter accept
# ip saddr 172.16.0.0/12 ip daddr 172.16.0.0/12 counter accept
# ip saddr 10.0.0.0/8 ip daddr 10.0.0.0/8 counter accept
oifname $tun counter accept
# specifically allow IP addresses of VPN only for outgoing
# packet on lan
oifname $lan daddr 63.142.161.0/24 counter accept
oifname $lan daddr 95.211.0.0/16 counter accept
oifname $lan daddr 85.17.28.0/24 counter accept
oifname $lan daddr 203.174.86.88/32 counter accept
oifname $lan daddr 209.58.183.206/32 counter accept
oifname $lan daddr 109.201.137.0/24 counter accept
oifname $lan daddr 104.254.90.0/24 counter accept
oifname $lan daddr 104.254.92.0/24 counter accept
# IP address and subnet masks from BTGuard
# 209.58.183.206/32 seems to be the BTGuard Singapore address
# since circa Oct 2016 & removed May 2017
# 104.254.90.0/24 seems to be the BTGuard Singapore? address
# since circa May 2017
# 104.254.92.0/24 seems to be the BTGuard Singapore? address
# since circa May 2017
}
chain forward {
type filter hook forward priority 0; policy drop;
#iifname $tun counter accept
#iifname $lan oifname $tun counter accept
#iifname $tun oifname $lan counter accept
}
}
++++
The use of the counter directive allows the usage to be checked. I commented out lines that were not being used.\\
To list the firewall: ''sudo nft list table ip firewall''
----
=====IPTables Configuration=====
A problem with this protection is should the OpenVPN system fail then the VPN protection will fail. To diminish this risk, I have set up the Deluge VM with an IPtables based firewall to effectively stop external internet connection upon any failure of the VPN. (The reference for the iptables filter script was [[https://airvpn.org/topic/9139-prevent-leaks-with-linux-iptables/|AirVPN - Prevent leaks with Linux & iptables]] )
====Sample IPTables configuration script====
++++BTGuard_iptable.sh:|
# Flush
iptables -F
iptables -t nat -F
iptables -t mangle -F
# Flush V6
ip6tables -F
ip6tables -t nat -F
ip6tables -t mangle -F
# Local
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Local V6
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
# Make sure you can communicate with any DHCP server
iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT
iptables -A INPUT -s 255.255.255.255 -j ACCEPT
# Make sure that you can communicate within your own network if Private Network option is enabled
iptables -A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
iptables -A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
iptables -A INPUT -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
iptables -A OUTPUT -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -s 172.16.0.0/12 -d 172.16.0.0/12 -j ACCEPT
iptables -A OUTPUT -s 172.16.0.0/12 -d 172.16.0.0/12 -j ACCEPT
# Allow incoming pings if Ping option is enabled
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Allow established sessions to receive traffic:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow TUN
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT
# make sure that eth and tun can communicate
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
# specifically allow IP addresses of VPN only for outgoing packet on eth0
iptables -A OUTPUT -o eth0 -d 63.142.161.0/24 -j ACCEPT
iptables -A OUTPUT -o eth0 -d 95.211.0.0/16 -j ACCEPT
iptables -A OUTPUT -o eth0 -d 85.17.28.0/24 -j ACCEPT
iptables -A OUTPUT -o eth0 -d 203.174.86.88 -j ACCEPT
#iptables -A OUTPUT -o eth0 -d 209.58.183.206 -j ACCEPT
iptables -A OUTPUT -o eth0 -d 109.201.137.0/24 -j ACCEPT
iptables -A OUTPUT -o eth0 -d 104.254.90.0/24 -j ACCEPT
iptables -A OUTPUT -o eth0 -d 104.254.92.0/24 -j ACCEPT
# IP address and subnet masks from BTGuard
# 209.58.183.206 seems to be the BTGuard Singapore address since circa Oct 2016 & removed May 2017
# 104.254.90.0/24 seems to be the BTGuard Singapore? address since circa May 2017
# 104.254.92.0/24 seems to be the BTGuard Singapore? address since circa May 2017
# Block All else, so that nothing leaks if VPN disconnects
iptables -A OUTPUT -j DROP
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
# Block All V6
ip6tables -A OUTPUT -j DROP
ip6tables -A INPUT -j DROP
ip6tables -A FORWARD -j DROP
++++
====Some other handy pointers and commands related to the iptables setup:====
++++Old, TL;DR; |
*Remember if creating the script from scratch to make executable use: ''sudo chmod a+x BTGuard_iptable.sh''
*Use the ''route'', ''ifconfig'', ''ip a'' and ''ip route'' commands to help check configuration of your network. (As noted below, particularly check the eth0 / tun0 references match.)
*The network configuration file can be found at ''/etc/network/interfaces''
*If iptables is not installed run ''sudo apt install iptables''
*Ensure the network reference such as "eth0" is consistent, particularly with Ubuntu 16.04 VM which seems to rename this reference, see [[http://askubuntu.com/questions/767786/changing-network-interfaces-name-ubuntu-16-04|Changing Network Interfaces name Ubuntu 16.04]] for further information on this matter.
*The outgoing packet IP addresses, including subnet masks, must match those specified by BTGuard.
*To get the external IP address use: ''%%wget http://ipinfo.io/ip -qO -%%''
*To see the current openvpn status use: ''sudo systemctl status openvpn@btguard.service'' or ''journalctl -u openvpn@btguard.service -b''
++++
====How to make IPTables configuration permanent / restore on boot====
++++ old tl;dr; |
Reference [[http://askubuntu.com/questions/119393/how-to-save-rules-of-the-iptables|How to save rules of the iptables?]] and [[http://manpages.ubuntu.com/manpages/wily/man8/netfilter-persistent.8.html|Ubuntu Netfilter manual]]
*Install iptables persistent ''sudo apt install iptables-persistent''
*To save current IPTable configuration use: ''sudo netfilter-persistent save'' or ''journalctl -u openvpn@btguard.service -f'', where options are; ''-u'' is followed by the service and the ''-f'' give continuous output, use ''cont-c'' to breakout.
++++
======Kodi Setup=======
I have been using WD Media players around the house the past 8 years or so. Originally with individual 2.5"HD and then connecting to my home server. These units are very simple to use and setup and have played media files well. Circa 2016 I notice that some media files will not play anymore. Upon investigating the WD (Western Digital) web site I notice that these units look to be no longer sold and support is limited, perhaps already end of life. Earlier investigation of these unit indicate the internal hardware is quite limited, particularly by current standards, but as already stated good enough as a general media player.
I notice a few years ago the the web site Have the know how recommended the [[http://www.havetheknowhow.com/Kodi-Overview.html|Kodi Overview]], in fact even states, "[[https://kodi.tv/|Kodi]]: The holy grail of media streamer front-ends". I will not go over the benefits and history of [[https://kodi.tv/|Kodi]], just look at the [[https://kodi.tv/|Kodi]] home page and Have the Know How web pages.
Kodi can be loaded on to many different types of hardware and operating systems, it even has a Linux based OS design for it, [[http://openelec.tv/|OpenELEC]]. Specifically it does run on MS Windows and most flavours of Linux.
=====Kodi Server MariaDB (MySQL) Setup=====
++++ old tl;dr; |
I have been using MariaDB instead of MySQL, as MariaDB is true opensource software and MySQL belongs to a large corporation. MariaDB has a few "quirks" to setup comparied to MySQL which is more commonly described.
Make sure that MySQL is NOT installed, if so uninstall it.
MariaDB can be installed by ''sudo apt install mariadb-server''. The latest version can be downloaded from instructions from MariaDB Foundation Downloads Setting up MariaDB Repositories.
To setup secure root access:
*''sudo mysql -u root''
*''use mysql;''
*''update user set plugin=%%''%%'' where User='root';
*''flush privileges;''
*''\q''
*''mysql_secure_installation''
*Add password, and then Y for all other questions
Check status of mariadb ''sudo systemctl status mysql''
Next move MySQL Data Directory
Check current location of MySQL data directory: ''mysql -u root -p'' and then at mysql> ''select @@datadir;''. It should be ''/var/lib/mysql''. Exit mysql prompt with ''\q''.
Stop MySQL : ''sudo systemctl stop mysql''
My the mysql data directory to your preferred location: ''sudo mv /var/lib/mysql /mnt/shared/kodi''
Next create a symlink pointing to the new location: ''sudo ln -s /mnt/shared/kodi/mysql /var/lib/mysql''. Another option instead of using a symlink is to adjust the mysql.cnf file datadir parameter, i.e. change ''datadir=/var/lib/mysql'' to ''datadir=/mnt/shared/kodi/mysql''. Again most the documentation on mysql.cnf is for mysql not mariadb, which has its own quirks. See the notes on adjusting bind-address below to clarify.
The current version of mariadb does not use apparmor, so no need to adjust for this!
The mysql network access needs to be configured to all full LAN access, default access is localhost only. The mysql.cnf configuration file needs to be updated. Mariadb handles this differently than MySQL. The main configuration file ''/etc/mysql/mariadb.cnf'' points to other directories with configuration files. Checking these directories shows the mariadb server parameters are located in ''/etc/mysql/mariadb.conf.d/50-server.cnf'', to edit: ''sudo vim /etc/mysql/mariadb.conf.d/50-server.cnf''. Find the parameter ''bind-address = 127.0.0.1'' and change to the server IP address ''bind-address = 192.168.1.19''.
Restart mysql: ''sudo systemctl restart mysql'', check all is running well: ''sudo systemctl status mysql'', and then check listening address on mysql port: ''sudo lsof -i -P | grep :3306''
Next setup the mysql kodi database access:
*''mysql -u root -p''
*''create user 'kodi' identified by 'kodi';''
*''grant all on *.* to 'kodi';''
*''show grants for 'kodi';''
*''\q''
++++
----
====Kodi Headless Server Setup====
++++ Old tl;dr; |
**Work in Progress. I have not been able to get this working yet.** I get the webui operational with the default kodi-headless settings. When I adjust the advanced kodi setting the webui is not available. I am also concern that this setup will not update the media library as there is no drive link in the design.
The following command is used to set up Docker Kodi Headless Media Center, from LinuxServer.IO [[https://github.com/linuxserver/docker-kodi-headless|docker-kodi-headless]]:
docker create --name=kodi-headless \
-v :/config/.kodi \
-e PGID= -e PUID= \
-e TZ= \
-p 8080:8080 -p 9777:9777/udp \
linuxserver/kodi-headless
**%%--%%name=kodi-headless \**
The container is assigned the name kodi-headless. This has the benefit over the default random assigned name to provide a consistent container name, also helping preventing multiple kodi-headless containers from being started, as running container names must be unique. Docker reference: Container identification Name (-name)
**-v :/config/.kodi \**
is the path on the local machine drive volume where the kodi configuration files are loaded. It is mapped to /config/.kodi with in the container. These files are persistent outside of the Kodi Docker container. Docker documentation link: Use volumes
**-e PGID= -e PUID= \**
These are environment variables to be set as specifically explained in docker-kodi-headless . Some addition information maybe garnered from Linuxserver.io - Kodi-Headless Support threads.
**-e TZ= \**
An other environment variable to be set, my area is Australia/Perth
**-p 8080:8080 -p 9777:9777/udp \**
-p IP:host_port:container_port. The Kodi ports are described below, with source references. Unless the host machine is already using these ports there is no need to remap them. I found the IP in IP:host was necessary to enforce IPv4 mapping, without mapping sometimes was IPv6 (strange)
Kodi headless webui port is on port 8080, see Kodi documentation Web interface and Webserver
Kodi has an EventServer mapped to port 9777/udp, see Kodi documentation EventServer
My Setup:
docker create --name=kodi-headless \
-v /mnt/shared/kodi/config:/config/.kodi \
-e PGID=1001 -e PUID=1000 \
-e TZ=Australia/Perth \
-p 192.168.1.19:8080:8080 -p 192.168.1.19:9777:9777/udp \
linuxserver/kodi-headless
The docker create command creates the container, but does not start it. To create and start use the docker run command.
To check running docker containers "docker ps", to check all docker containers, running and stopped "docker ps -a".
To start a container "docker ", or "docker kodi-headless", to stop a container "docker stop ", where the is the relevant container listed in "docker ps -a"
After starting access to the web interface should be possible from the LAN, at the host IP address and host assigned port, e.g. "192.168.1.19:8080".
Shell access whilst the container is running: "docker exec -it kodi-headless /bin/bash", type "exit" to exit.
It would seem that starting the container populates the "/config/.kodi" directory. These files are stored permanently outside the emphemeral container and can be edited from the permanent stored location , in my case "/mnt/shared/kodi/config" ++++
----
=====Docker Setup - Preliminary=====
Docker seems to be a reasonably recent variation based upon quite old concepts with modern aspects thrown in. The documentation seems a bit sparse. I found it difficult to find a good balanced reference. A good reference is of course the [[https://docs.docker.com/get-started/|Docker Website itself: Get Started, Part 1: Orientation and setup]]. A good reference (pdf) was from Anthony Blair of Universit'e de Rennes, Docker Tutorial. Many of the Docker tutorials seem to focus on features that I am not interest at this time, such as Docker swarms and not enough on basic usage.
Some handy docker commands and related:
*''docker exec -it /bin/bash'' to get terminal inside container
*''sudo netstat -nlp''
*''docker rm '', to remove docker container, container must be stopped ''docker stop ''
*''docker ps'', to list running docker containers, ''docker ps -a'' to list all docker containers, running and stopped
*To remove an unused docker images, ''docker rmi '', list all images with ''docker images -a''
*''docker logs '', to see docker log file, and ''docker logs -f '', to see docker log file online output
*''docker port '' to see docker port mappings to host
==Start container at boot:==
It is assumed that the container has been previously created/run and is available to be started at boot.
''sudo vim /etc/systemd/system/docker-kodi-headless.service''
[Unit]
Description=kodi-headless container
Requires=docker.service
After=docker.service
[Service]
Restart=always
ExecStart=/usr/bin/docker start -a kodi-headless
ExecStop=/usr/bin/docker stop -t 2 kodi-headless
[Install]
WantedBy=default.target
=====The following is a list of related commonly used commands and scripts:=====
*Get external IP address ''%%wget http://ipinfo.io/ip -qO -%%''
*Save the current netfilter (IPTables) configuration ''sudo netfilter-persistent save''
*To check the current network hardware configuration ''ip a''
*System command to start(/stop /status) the OpenVPN program ''sudo systemctl start openvpn@btguard.service''
*To run script with IPTABLES configuration (netfilter) ''sudo /mnt/shared/scripts/BTGuard_iptable_ens3.sh''
*To label list current IPTABLES configuration, verbose ''sudo iptables -L -v'' or simple ''sudo iptables -S''
*To edit BTGuard openVPN configuration file ''sudo vim /etc/openvpn/btguard.conf''
*To flush the current IPtables configuration ''sudo iptables -F''
*To check log on OpenVPN with BTGuard (/VPN /open) ''grep btguard /var/log/syslog''
*To check running process with open for openvpn(/del, for deluge) ''ps -A | grep open''
*To start (/stop /enable) the deluge daemon ''sudo systemctl start deluged''
*To start (/stop /enable) the deluge web interface daemon ''sudo systemctl start deluge-web''
*Systemd common commands (start / stop / restart / status) (enable / disable for boot control)
<- home_server:email_server|prev page ^ home_server:index|Start page ^ home_server:mswindows_notes|next page ->