About Voodoo Business

Voodoo Business is a blog about technology and other things I consider magical such as carpentry and crafts, if you are looking for a different type of magic, I apologize, the name might be misleading.

And sometimes I cover some not so magical shit about not technical experiences that i sometimes go through (none yet but it is a possibility).

I understand that modern technology doesn’t provide all types of magic, (Getting your love life back, cursing someone, you know….) so I think it is appropriate to at least serve you a list of devices and tools to help you out…

  • ouija boards
  • Quality bakhour and sand
  • Crystal balls
  • Tarot cards

Hard drive power draw at startup

The maximum power draw a PC with many hard drives happens at boot time, in my case, the PC is a n intel atom D525MW, which hardly draws any power

What this means is that I need an oversized power supply that only does its thing at startup, then becomes an inefficient power supply right after, why this is particularly important is because this computer runs on a UPS, and the number of minutes it can stay up is a very important number.

The solution is to enable PUIS (Power up in standby), what this does is allow the disks not to spin as soon as they get power, but instead, spin up upon reception of a command from the controller. so in effect, the disks are spun up sequentially (In turn).

There are two ways to enable PUIS, the first is the Jumper method when there is a PUIS jumper on the back of the drive, which is very relevant to me as I am using western digital drives with this jumper, on the western digital website, they make no mentioning of PUIS on the jumpers page, but they tmake no mentioning of pins 3 and 4 ! turns out, Pins 3 and 4, when connected together with a jumper enable PUIS on the drive.

Te other way to enable PUIS is through hdparm, to check if it is already set, use the command

hdparm -I /dev/sdb | grep "Power-Up In Standby"

If your hard drive has it as a jumper option, the command above helps you explore if the jumper trick is working, otherwise, you need to enable PUIS using hdparm

Mind you, before i explain how to set this up in drives with no jumpers, some controllers are incompatible with this feature, so you will need to at least have a machine that is compatible to set them back if they don’t work

So, to enable PUIS, use the following command

sudo hdparm --yes-i-know-what-i-am-doing -s 1 /dev/sdb

And to set it back (Disable PUIS)

hdparm -s 0 /dev/sdb

For your reference, the following is what is mentioned on the wetern digital website about Jumpers, notice that they do not provide an explination of the relevant jumpers

JavaScript – Tools for the trip

Tools you will probably be using in your JavaScript journey, I will keep this list updated as I go. Some obvious tools like NPM and Yarn will be added along with the other obvious stuff, but I will be adding them once I have something usefull to point out about them.

1- A web browser

Web browser: On the market today, relevant to JavaScript development, there are 3 browsers, 1.1- Firefox, 1.2- Safari (And browsers based on it’s WebKit such as some browsers based on it), and everything else that are really all based on 1.3- google chrome (Yes, including both brave and MS edge).

I personally use Firefox, and for development purposes, I use “Firefox Browser Developer Edition“, I would probably make sure i have chrome installed, at least for cross browser compatibility, WebKit/Safari, I have never found a need for it, but it is there is you want to grab it

VS Code

Microsoft s super popular IDE, a great tool, itself written in JavaScript (Electron), but not so useful for JavaScript without a few good extensions, so here are a few extensions that you might need for Javascript development

  • VS Code JavaScript (ES6) snippets by charalampos karypidis
    This extension provides shortcuts to insert code directly into your project
  • ESLint by MidcroSoft
    Integrates ESLint JavaScript into VS Code. ESLint itself is a command line tool you run against your code to analyze it for potential problems, now, it is a VS Code plugin !
  • DotENV by mikestead
    Do you use a lot of .env variables ? I already use this for Laravel development, but it is also good for JS development, this tool adds highlighting and more to environment

Mounting QCOW2 (KVM/QEMU) directly

First, the tools you need

apt-get install qemu-utils

Now, enable NBD

modprobe nbd max_part=8

Once that is enabled, connect the file as a block device

qemu-nbd --connect=/dev/nbd0 /hds/usb/virts/Windows/main.qcow2

Now, the block device should appear like any other, alongside the partitions inside !

fdisk -l

On my machine, this resulted in

Disk /dev/nbd0: 95 GiB, 102005473280 bytes, 199229440 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xc5324c42

Device      Boot     Start       End   Sectors  Size Id Type
/dev/nbd0p1 *         2048    104447    102400   50M  7 HPFS/NTFS/exFAT
/dev/nbd0p2         104448 198138958 198034511 94.4G  7 HPFS/NTFS/exFAT
/dev/nbd0p3      198139904 199225343   1085440  530M 27 Hidden NTFS WinRE

This disk was around 40GB, but fdisk will see the number corresponding to the largest allowed size, 100GB in this case ! let us mount the drive

mount /dev/nbd0p2 /hds/loop

Now, in this case in particular, like any other block device that held the windows operating system, more often than not, you will get the message saying

The disk contains an unclean file system (0, 0).
Metadata kept in Windows cache, refused to mount.
Falling back to read-only mount because the NTFS partition is in an
unsafe state. Please resume and shutdown Windows fully (no hibernation
or fast restarting.)
Could not mount read-write, trying read-only

The solution to that is simple, follow the following two steps to remedy the issue and then force mount the file by using remove_hiberfile

ntfsfix /dev/nbd0p2
mount -t ntfs-3g -o remove_hiberfile /dev/nbd0p2 /hds/loop

The result of NTFSFIX was

Mounting volume... The disk contains an unclean file system (0, 0).
Metadata kept in Windows cache, refused to mount.
FAILED
Attempting to correct errors...
Processing $MFT and $MFTMirr...
Reading $MFT... OK
Reading $MFTMirr... OK
Comparing $MFTMirr to $MFT... OK
Processing of $MFT and $MFTMirr completed successfully.
Setting required flags on partition... OK
Going to empty the journal ($LogFile)... OK
Checking the alternate boot sector... OK
NTFS volume version is 3.1.
NTFS partition /dev/nbd0p2 was processed successfully.

And the following mount command worked as you would expect, silently

Linux badblocks cheat sheet

1- Large disks need to have their block size specified, without it, disks like my 6TB and my 8Tb hard drives will not work, badblocks will report the following error.

badblocks: Value too large for defined data type invalid end block (5860522584): must be 32-bit value

So the solution is to add the block size, like the following for example (This one is destructive)

badblocks -b 4096 -wsv /dev/sdb

It is a good idea to LOG THE BAD SECTORS (this is the command i usually use for a destructive test)

badblocks -b 4096 -o /root/badblockslog.txt -wsv /dev/sdb

USB over network

Hyper-v does not provide USB passthrough, some people use USB redirection from remote desktop RDP… A similar technology might be USB over network, but this does not always work, as many USB devices have very little tolerance for lag ! and this will introduce some lag !

My objective is to connect a MINI-VCI connected on a raspberry PI to a computer running other software to analyze the data, whether this works or not is yet to be seen.

There seems to be a few solutions online, some using generic hardware, and some using specialty hardware

The most diverse of those solutions that can work on everything from a raspberry pi to a windows computer and android phone is (https://www.virtualhere.com/)

Step by step Unprivileged containers on Debian Bookworm

The full version of this, with an explanation of everything is here, this one is written for copy-paste and speed.

This version is meant to create unprivileged LXC containers owned by root subordinates, which in my opinion provides the best balance of security and flexibility.

  • Install Debian 12 (bookworm) on a computer or virtual machine or what have you.
  • I personally enable root access under SSH, so all the commands you see here are run as root, you may use another user with sudo if you wish, but i execute as root
  • Execute the following to install LXC (I am installing LXC and KVM) but you might want to remove KVM
apt-get update

apt-get install bridge-utils lxc libvirt-clients libvirt-daemon-system debootstrap qemu-kvm bridge-utils virtinst nmap resolvconf iotop net-tools

Most installations will have 2 users, root and another username you chose while installing the operating system,

Learning tailwind (Getting started)

For website speed, I am considering tailwind, a CSS framework that acts more like a library than a framework.

I will be adding my notes here, and the links at the bottom.

Which is better, tailwind or bootstrap

Well, like i said above, you are comparing apples to oranges, while it is very easy to spot a bootstrap theme when you see one, tailwind is more like CSS extended, so you have elements that you can use in your design, but your design is yours 😉

Some of the cool tutorials I have found….

Traversy Media : Tailwind CSS Crash Course (30 minutes)
Traversy Media : Tailwind Crash Course | Project From Scratch (1:30)
Net Ninja – Tailwind CSS Tutorial

Development in TailWind CSS

All you need for developing in TailWind is your CSS editor (VS Code in this post), then you will need NodeJS, and NPM to generate the production CSS and minify it

I will create a few ultra simple files for you to learn the process,

  • the HTML file: Where you add your HTYML
  • The tailwindCSS file, from which the production CSS file is copied.
  • The NPM config file and the tailwind config file WHICH YOU CAN SIMPLY COPY FROM HERE and modify if needed

I personally use Debian Linux, everything should be identical on Windows and Mac, I will assume you are using the command line on Linux, but if you open the command prompt on windows, it should work exactly the same way

Unprivileged containers made simple on Debian 12 (Bookworm)

IMPORTANT NOTE: This is the full version, if you just want to come in, copy some commands, and end up making unprivileged containers under root, THERE IS A SEPARATE POST FOR THAT HERE.

0- Intro

Don’t let the length fool you, I am trying to make this the simplest and fastest yet most comprehensive tutorial to having LXC (both privileged and unprivileged) up and running on debian bookworm !

I sent a previous version of this to a friend to spare myself the need to explain to him what to do, and he found the tutorial confusing ! instead of the old arrangement, having colors to denote what lines are for what task, I have decided to SEPARATE THIS INTO PARTS….

  1. Intro – About this post (You are already in it)
  2. LXC info
  3. Shared system setup (Privileged and unprivileged)
  4. Privilaged LXC step by step
  5. Shared setup for unprivileged containers
  6. Unprivileged LXC run by new user, step by step
  7. Unprivileged LXC run by root user, step by step

I hope this clears things up, the color codes will still exist, mostly because I have already done the work !

Why yet another tutorial ?

Most of the tutorials online focus on creating an extra user to use with LXC, that is one way to do it with a few drawbacks, the other way is to create a range of subordinate IDs for the root user, the advantages of this way of doing it are related to “Autostart” and filesystem sharing between host and guest.

As per usual, the primary goal of every post on this blog is my own reference, the internet is full of misleading and inaccurate stuff, and when i come back to a similar situation, I don’t want to do the research all over again.

Part 1: About LXC

Privileged VS unprivileged

Privileged containers are generally unsafe, the only advantage of privileged containers is that is is very easy to setup.

Privileged containers share the same root user with the host, so if the container root user gets compromised, the attacker can sneak into the host system, hence, unprivileged is more secure but involves some work initially to setup

What is the problem with Privileged containers

It is relatively easy to deploy LXC (Which also happens to be what is powering LXD)… You install it, run a command to create a container, and voila, a whole new Linux system within your host Linux system sharing the same kernel as the host… But there is one caveat, if a malicious user/application compromises your container, he/she would have also compromised the host machine automatically, how, the root user on both is the same user !

The solution, unprivileged containers

In comes Unprivileged containers, in this setup, we simply either map a User ID to root within the container, or, still use root, but through subordinate IDs, so instead of having the Host’s user id for root (Usually Zero) being also root inside the container, we create a user outside the container (Or a subordinate ID of root), and instruct the kernel to map this user’s ID and treat it as ID zero inside the container, So if a malicious user gets access to the container and ends up breaking out of the container, they will find themselves logged on as a different user, with privileges very close to the privileges of the user nobody, or in other words, barely any privileges

Relevant topic: User namespaces

A relevant topic to Unprivileged LXC containers is User namespaces (Starting kernel 3.8), namespaces are created with the functions clone() or unshare().

nuff with the theory, What do i need to do ?

You setup LXC, then depending on the type of container and user you need, you may want to setup Linux kernel to use that user as root in the container, but to make that happen, you will need to take a few steps to give that user the required privileges and nothing more than what is required, nothing complicated about those steps either. So let us get started

2- Shared system setup

Before writing this tutorial, I installed a copy of bookworm, enabled SSH, and got to work doing the steps you see below, the steps in this section are the same whether you plan to create privileged or unprivileged containers or both

Step 2-1: Install everything

apt-get update
apt-get install bridge-utils lxc libvirt-clients libvirt-daemon-system debootstrap qemu-kvm virtinst nmap resolvconf iotop net-tools

Step 2-2: Enable IP forwarding

Next, we need to enable IPv4 forwarding by un-commenting a line in sysctl.conf then run sysctl -p, so open sysctl.conf in your favorite linux compatible editor, and uncomment the line

net.ipv4.ip_forward=1

Now run the following command for the effects to take place

sysctl -p

Step 2-3: Host Networking

Before creating any containers, we need to make sure the host can bridge the network to them, in Debian, this is done by editing the file /etc/network/interfaces, there are a few ways to connect the containers, your host can become a DHCP server, or you can connect the containers directly to your router

In this setup below, I am connecting the containers directly to the router.. The host machine will have the IP 192.168.7.140, IF YOU ARE USING HYPER-V, YOU WILL NEED TO ENABLE “MAC address spoofing” IN THE HYPER-V VM SETTINGS

auto br0
	iface br0 inet static
	bridge_ports eno1
	bridge_fd 0
	address 192.168.7.140
	netmask 255.255.255.0
	gateway 192.168.7.1
	bridge_stp off
	bridge_maxwait 0
	dns-nameservers 8.8.8.8
	dns-nameservers 8.8.4.4

3- Privilaged LXC

To clarify, making a privileged container does not stop you from making unprivileged containers later, BUT, the unprivileged containers need to be different containers 😉 so you might make a privileged one, then replace it with an unprivileged one

Step 3-1: Download container

The following step is all about downloading your LXC container template ! I chose the mirror with the lowest ping time from me, but you can omit the mirror line altogether

MIRROR=http://ftp.debian.org/debian lxc-create --name vm142 --template download -- --dist debian --release bookworm --arch amd64

Something unexpected happened while i was doing this, I received an error about a problem downloading, by coincidence, i rebooted the machine and it worked, my theory is that the reboot was irrelevant but if this happens to you, tell me your conclusions in the comments.

"../src/lxc/lxccontainer.c: create_run_template: 1628 Failed to create container from template"

Right after, you have a brand new LXC container which is unfortunately privileged, you can have it listed with the command “lxc-ls -f” where the f stands for fancy 😉

lxc-ls -f

Step 3-2: Edit virtual machine config

This container might not be able to start though, some editing of the config file may be necessary !

Here is this machines config file, mind the comments, this is meant to be modified to fit your networking setup, so you will need to change the IP address and relevant network address information, the machine name and rootfs path, etc…

#this is a modified LXC container config file
# Template used to create this container: /usr/share/lxc/templates/lxc-download
# Parameters passed to the template: --dist debian --release bookworm --arch amd64
# For additional config options, please look at lxc.container.conf(5)

# Uncomment the following line to support nesting containers:
#lxc.include = /usr/share/lxc/config/nesting.conf
# (Be aware this has security implications)


# Distribution configuration
lxc.include = /usr/share/lxc/config/common.conf
lxc.arch = linux64

# Container specific configuration
lxc.apparmor.profile = generated
#nesting is for having docker and other similar containerization tech inside the container, dissable it if you don't want such virtual machines in the virtual machine
lxc.apparmor.allow_nesting = 1
lxc.rootfs.path = dir:/var/lib/lxc/vm142/rootfs
lxc.uts.name = vm142

# Initial Network configuration, disabled...
#lxc.net.0.type = veth
#lxc.net.0.link = lxcbr0
#lxc.net.0.flags = up

#the above config was dissabled, so net.0 altogether is better left empty
lxc.net.0.type = empty


#Now, add networking

lxc.net.1.type = veth
lxc.net.1.flags = up
lxc.net.1.link = br0
lxc.net.1.name = eth0
lxc.net.1.ipv4.address = 192.168.7.142/24
lxc.net.1.ipv4.gateway = 192.168.7.1


#App armor profile for this PRIVILEGED container
lxc.apparmor.profile = generated


#If you want this container to start with the host, uncomment the following
#lxc.start.auto = 1
#lxc-start.delay = 10
# #the order, the higher the earlier ;) 
#lxc.start.order = 30


# Container specific configuration (Not initially there)
lxc.tty.max = 4
lxc.pty.max = 1024

Problem : One remaining problem was that the virtual machine was getting 2 IP addresses, one static that we set above, and one dynamic via DHCP, turns out the /etc/systemd/network forced the machine to get DHCP, so i went in and commented all the lines inside that file !

Step 3-3: Start the machine and change credentials

Now, after starting the machine, you will need to login to it, to start the virtual machine and do that, issue the command

lxc-start -n vm142 -d
lxc-attach -n vm142

Now, you can use the passwd command to change the container’s password, and you would probably want to install “apt-get install ssh openssh-server”, this way you can login to it with putty or any other SSH client

4- Unprivileged LXC containers (Both)

Whatever in this section applies to unprivileged containers, whether root user or any other user

Step 4-1: Enable Unprivileged User Namespaces

it is enabled by default, To make sure that it is, run the command below, if it returns “kernel.unprivileged_userns_clone = 1” you are good to go.

sysctl kernel.unprivileged_userns_clone

if for any reason it is not enabled (0), you can enable it by adding it to /etc/sysctl.d…. by editing the file “/etc/sysctl.d/00-local-userns.conf” and adding the following line, if the file does not exist, create it

kernel.unprivileged_userns_clone=1

Once done, run the command

service procps restart

5- Unprivileged container under new user

Step 5-1: Create the user

You can call the user whatever you want, I chose to call the user lxcadmin, this is an arbitrary choice, To create a user we issue the following command.

adduser lxcadmin

The output of the adduser command should be something like

Adding user `lxcadmin' ...
Adding new group `lxcadmin' (1001) ...
Adding new user `lxcadmin' (1001) with group `lxcadmin (1001)' ...
Creating home directory `/home/lxcadmin' ...
Copying files from `/etc/skel' ...
...
Adding new user `lxcadmin' to supplemental / extra groups `users' ...
Adding user `lxcadmin' to group `users' ...

So here, our user gets the ID 1001 (Since i already have a user with the ID 1000 and the root user with the ID 0. Now if we inspect the 2 files /etc/subuid (The subordinate uid file) and /etc/subgid, we will find the following content in both (Identical contents in files).

yazeed:100000:65536
lxcadmin:165536:65536

What the above means is that user lxcadmin has a range of UIDs starting with 165536 and has 65536 extra UIDs total, so the last UID that lxcadmin can use is 165536 + 65536 – 1 = 321071, and the next user we add will start at 321072.

So to recap this user has a subordinate ID range from 165537 TO 321071, notice i added one to the starting number since the first number is not a subordinate ID, but rather the user’s default ID.

Step 5-2: Network adapter quota

New users generally do not have the ability to add a container to a bridge, for that you will need to give the user a network device quota, this quota is defined in the file /etc/lxc/lxc-usernet, the initial quota for unprivileged users is zero, so edit the file and add the following lines, depending on what adapters you would like to allow lxcadmin to connect containers to, the format is user type bridge quota

lxcadmin veth lxcbr0 10
lxcadmin veth br0 10

Notice that you can replace the user with a group name, but that is a subject of a different post…

Now you will need to copy the file /etc/lxc/default.conf to the user’s home directory, in my case under /home/lxcadmin/.config/lxc/default.conf, if the config directory does not exist, create it, now edit this file you just created and depending on the user you are using (I am using the second user, hence the numbers, yours will differ unless your user is the second one added, copy the values from /etc/subuid)…

    lxc.idmap = u 0 165536 65536
    lxc.idmap = g 0 165536 65536

Now, we are closer than ever to making it run, we need to create our first container, unlike the privileged “lxc-create mycontainer” this one is slightly more complicated (The solution is below to make things unprivileged and secure again)

systemd-run --unit=my-unit --user --scope -p "Delegate=yes" -- lxc-create -t download -n my-container
lxc-create -t download -n myunprivcontainer -- -d debian -r bookworm -a amd64

Don’t expect this to work yet…. the following contgainer config file was automatically created

# Template used to create this container: /usr/share/lxc/templates/lxc-download
# Parameters passed to the template: -d debian -r bookworm -a amd64
# For additional config options, please look at lxc.container.conf(5)

# Uncomment the following line to support nesting containers:
#lxc.include = /usr/share/lxc/config/nesting.conf
# (Be aware this has security implications)


# Distribution configuration
lxc.include = /usr/share/lxc/config/common.conf
lxc.include = /usr/share/lxc/config/userns.conf
lxc.arch = linux64

# Container specific configuration
lxc.apparmor.profile = generated
lxc.apparmor.allow_nesting = 1
lxc.idmap = u 0 165536 65536
lxc.idmap = g 0 165536 65536
lxc.rootfs.path = dir:/home/lxcadmin/.local/share/lxc/myunprivcontainer/rootfs
lxc.uts.name = myunprivcontainer

# Network configuration
lxc.net.0.type = veth
lxc.net.0.link = br0
lxc.net.0.flags = up

libpam-cgfs is already installed (It was a dependancy in the apt-get install above), libpam-cgfs is a Pluggable Authentication Module (PAM) to provide logged-in users with a set of cgroups which they can administer. This allows for instance unprivileged containers, and session management using cgroup process tracking.

Configure AppArmor

App Armor is enabled on Debian 10 (buster) and after by default, AppArmor is recommended as it adds a layer of security which may prove vital for a system running your virtual machines.

to check whether it is enabled on your system or not, you can run the following command

cat /sys/module/apparmor/parameters/enabled

If the above returns the letter Y, AppArmor is enabled, and you need to set it up to allow for our unprivileged setup

6- Unprivileged container under root subordinates

This is the most interesting setups, It is a no compromise setup where you can have a container run with all the features you see in privileged containers, while still maintaining the security provided by the unprivileged setup above (More or less)

Step 6-1: root Subordinates:

the first step is to allocate a uid and gid range to root user in /etc/subuid and /etc/subgid. This is because the root user, unlike users added with adduser, does not have subordinate IDs by default, so in short, figure out what the next range of IDs is, and assign them to root by adding a line similar to the following at the top of the list in those 2 files, In my case, lxcadmin has the last range, 165536:65536 means the next id is (165536 + 65536 = 231072), And i would like a million subordinate IDs so i can hand every machine a different set of IDs which should increase security even farther.

root:231072:1000000

adduser will recognize the new range when you use it next time, and start from there

And reflect that range in /etc/lxc/default.conf using lxc.idmap entries similar to those above.

root does not need network devices quotas and uses the global configuration file, so those steps from the above are not needed.

Any container you create as root from that point on will be running unprivileged, able to auto-start, and share filesystems !