Setting up k3s on a single RPi4

Testing out the ability to run some containers on RPi4 and I have a single borrowed device. Most of the tutorials out there describe a multi-node configuration and that’s led to some challenges for me to understand this. First, I started with this tutorial: https://github.com/mhausenblas/kube-rpi

This gets you there most of the way, but I found a few errors in the configuration. First, the port-forward command needs to include "--address 1.2.3.4", where the IP address is the external IP of your RPi (without it, kubectl port-forward binds only to localhost on the Pi).

Second, the token retrieval for logging into the dashboard was not correct. Here’s what I used instead:


kubectl get secrets
kubectl describe secret kdash-kubernetes-dashboard-token-mwgj5

The designator for your instance may be different after the token part of the name. Copying that token into the login allowed me to get into the dashboard.
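Because the random suffix on the secret name changes from one install to the next, the following added example (my own script, not part of the kube-rpi tutorial or the original post) finds the secret by its fixed prefix and decodes the token with jsonpath instead of copying it out of describe output. It assumes the prefix "kdash-kubernetes-dashboard-token-" from the post and that the dashboard was installed into the "default" namespace; both are assumptions and can be passed in. The decoded token is a bearer credential for the dashboard, so pipe the output straight to where it is needed rather than pasting it into a command line that lands in shell history.

```sh
#!/bin/sh
# Added example, not from the kube-rpi tutorial or the original post.
# Locates the dashboard service-account token secret by prefix (the suffix is
# random per install) and decodes its .data.token field.
# Assumptions: prefix taken from the post's secret name; namespace "default".

DASH_SECRET_PREFIX="kdash-kubernetes-dashboard-token-"

# pick_secret_name: read `kubectl get secrets` output on stdin and print the
# first NAME that starts with the given prefix; exit 1 if none matches.
pick_secret_name() {
  prefix="$1"
  awk -v p="$prefix" '
    NR > 1 && index($1, p) == 1 { print $1; found = 1; exit }
    END { exit found ? 0 : 1 }'
}

# dashboard_token: print the decoded dashboard token for namespace $1
# (default "default"); exit 1 with a message if no matching secret exists.
dashboard_token() {
  ns="${1:-default}"
  name="$(kubectl -n "$ns" get secrets | pick_secret_name "$DASH_SECRET_PREFIX")" || {
    echo "no secret starting with $DASH_SECRET_PREFIX in namespace $ns" >&2
    return 1
  }
  # jsonpath returns the base64-encoded token; decode it for the login form.
  kubectl -n "$ns" get secret "$name" -o jsonpath='{.data.token}' | base64 -d
}

# Usage (on the Pi, with kubectl configured for k3s):
#   dashboard_token            # uses namespace "default"
#   dashboard_token kube-system
```

If the helm release was named something other than kdash, change DASH_SECRET_PREFIX to match the first part of the secret name that `kubectl get secrets` shows.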

I’m now having a problem with the dashboard throwing a bunch of errors. I’ll update when I have that worked out.

How to create a file drop in Teams

Actually, this is to create a file folder in Teams that will move files to another (private) location whenever a new file is dropped in there. Why would you want to do that? You might want to get files in a semi-secure manner but then not have them live in a viewable location. Think, budgets from the CFO that others shouldn’t see.

Using Flow, create a new flow with the Sharepoint “When a file is created (properties only)” trigger. The Folder field needs to be populated with the file folder you’re watching.

Add an action for Sharepoint “Move file”. The File to Move field needs to be a dynamic action of “Identifier”. The Destination Site Address and Destination Folder may not be discoverable, so you’ll need to populate those with the correct target location.

One final note, I’m pretty sure the person adding the flow needs to be an Owner of the team, although I haven’t tested that.

The RPi Zero W is…ok…

First of all, I have not returned to using the Chromecast for my Grafana visualization. I didn’t elaborate on this, but my previous post was driven by a change to Grafana visualization that effectively broke the ChromeCast Kiosk server I was using. The recommended solution was to use a proxy for displaying the iFrame, or something. I wasn’t keen on setting up another server instance (not that big a deal) just for the purpose of running the proxy. Yes, I know I could have set that up on the same kiosk server.

I quickly implemented the RPi Zero W I referenced in my previous post, just to get something up and running. It works ok in kiosk mode. There are a couple of issues that are relatively minor. It’s only remotely managed via SSH. The previous Chromecast was managed from the server. Very simple to make adjustments with that. Any adjustments to the RPi must be made via SSH. I’m comfortable with that, but I don’t access the RPi enough for it not to be a little relearning every time.

The RPi will not dynamically update a Grafana dashboard. I’m sure I could script it to reload on a certain interval. This was also a benefit of the ChromeCast server. Well, sort of a benefit. The CC Server could have a refresh interval which would reload the page. You could also manually force the refresh. My only way to do that with the RPi is to pull the power, or SSH in and reboot it. Or figure out how to script it. Which brings me to the big negative to the RPi…

This thing is slow. So….slow…. Doesn’t really matter when the dashboard is up and running. It will happily do the Grafana 1 minute refresh without issue. A reboot takes something like 10 minutes before the dashboard is fully drawn. Even the SSH session is pokey. Slow…. The Zero is still running the same CPU as the RPi 1, just a little overclocked. You’d think they could move to the RPi 2/3 CPU at this point and still keep the price down.

Which brings me to the reason I’m sticking with this as my solution. The Zero W is $10. The current generation CC is going for at least $30 and seems to rarely be on sale for less. A third of the cost sure buys a lot of patience with the other issues I have. The Zero W works fine with USB power from the TV, and can usually be hidden behind the TV with some double-sided tape. No case needed. Ok, you need to spend a few bucks on a SD card.

Could be a nice solution for a NOC full of TVs!

Azure AD Joined device ownership change

If you’ve done an Azure AD Join for a device and found that you (the admin) are now the owner, it can create certain problems for you. If you go through an AutoPilot deployment, the end user ends up being the owner. So, how do you change the device owner to the recipient of the device when you did the setup yourself?

Get-AzureADUser -SearchString username

  • Run for both new user and current user

Get-AzureADDevice -All $true | Where-Object {$_.DeviceTrustType -eq "AzureAD"}

  • This will return all Joined devices. Might be too big a list.

Add-AzureADDeviceRegisteredOwner -ObjectId deviceObjectId -RefObjectId userObjectId

  • Add the user first, where deviceObjectId is the device and userObjectId is the new owner

Remove-AzureADDeviceRegisteredOwner -ObjectId deviceObjectId -OwnerId previousUserObjectId

  • Removes the previous owner where deviceObjectId is the device and previousUserObjectId is the previous owner

Get-AzureADDeviceRegisteredOwner -ObjectId deviceObjectId

  • Confirms change

Monitoring Temp and Fan Speed in a Quanta LB4M switch

I’m starting to replace the fans in my LB4M to try to quiet it down. During this process I wanted to keep an eye on my temp and the associated fan speeds to make sure I wasn’t running into a problem with cooling. Here’s my Telegraf code with the applicable OIDs.

[[inputs.snmp]]
  agents = [ "192.168.1.1:161" ]
  timeout = "5s"
  retries = 3
  version = 2
  community = "something"
  max_repetitions = 10
  name = "QuantaSwitch"

  # Chassis temperature
  [[inputs.snmp.field]]
    name = "Temp"
    oid = "1.3.6.1.4.1.4413.1.1.43.1.8.1.4.0"

  # Fan speeds; the last digit of the OID is the fan index
  [[inputs.snmp.field]]
    name = "Fan Speed 1"
    oid = "1.3.6.1.4.1.4413.1.1.43.1.6.1.4.0"
  [[inputs.snmp.field]]
    name = "Fan Speed 2"
    oid = "1.3.6.1.4.1.4413.1.1.43.1.6.1.4.1"
  [[inputs.snmp.field]]
    name = "Fan Speed 3"
    oid = "1.3.6.1.4.1.4413.1.1.43.1.6.1.4.2"
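Before trusting the Telegraf input, it helps to confirm that the OIDs actually answer from the switch and to have something simpler than Grafana to watch while swapping fans. The script below is an added example (my own, not from the original post or from Telegraf) that queries the same OIDs with net-snmp's snmpget, parses the numeric answers, and warns when the temperature passes a threshold. The agent address, community string and the 55 C limit are constructed placeholders; the post's own readings (40c normal, 60c when it was shut down) are what the limit is based on. SNMPv2c sends the community string in the clear, so use a read-only community and restrict it to the monitoring host on the switch.

```sh
#!/bin/sh
# Added example, not from the original post or the Telegraf project.
# Polls the Quanta LB4M temperature and fan OIDs used in the Telegraf config
# with net-snmp's snmpget and flags an over-temperature reading.
# Assumptions: net-snmp installed; agent/community/limit are placeholders.

AGENT="192.168.1.1"
COMMUNITY="something"
TEMP_OID="1.3.6.1.4.1.4413.1.1.43.1.8.1.4.0"
FAN_OID_BASE="1.3.6.1.4.1.4413.1.1.43.1.6.1.4"
TEMP_LIMIT_C=55   # constructed threshold between the post's 40c and 60c readings

# snmp_value: read one snmpget output line on stdin, such as
#   "iso.3.6.1.4.1.4413.1.1.43.1.8.1.4.0 = INTEGER: 48"
# and print just the number. Non-numeric answers ("No Such Object ...",
# STRING values) produce no output and exit status 1.
snmp_value() {
  sed -n 's/^[^=]*= *[A-Za-z0-9]*: *\([0-9][0-9]*\).*$/\1/p' | grep .
}

# temp_ok: succeed when the integer Celsius reading is at or below the limit.
temp_ok() {
  [ "$1" -le "$TEMP_LIMIT_C" ]
}

# poll: query temperature and the three fans once, print them, and return 2
# if the temperature is over the limit (1 if the temperature OID fails).
poll() {
  temp="$(snmpget -v2c -c "$COMMUNITY" "$AGENT" "$TEMP_OID" | snmp_value)" || {
    echo "temperature OID $TEMP_OID did not return a number" >&2
    return 1
  }
  echo "temp=${temp}C"
  for i in 0 1 2; do
    rpm="$(snmpget -v2c -c "$COMMUNITY" "$AGENT" "$FAN_OID_BASE.$i" | snmp_value)" || rpm="n/a"
    echo "fan$((i + 1))=$rpm"
  done
  temp_ok "$temp" || {
    echo "WARNING: temperature ${temp}C exceeds ${TEMP_LIMIT_C}C" >&2
    return 2
  }
}

# Usage: run once, or loop it while swapping fans:
#   while poll; do sleep 30; done
```

Running `while poll; do sleep 30; done` stops the loop on the first over-temperature reading, which is a cheap way to notice the problem the post describes (a climb from 40c to 60c with only two replacement fans fitted) before the switch gets hot.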

I started with pulling all 3 original fans and only installing two of the Noctua fans. The temp went from 40c to 60c before I shut it down. The Noctuas were also starting to run pretty fast. I’ve reconnected one of the original fans and now the temp is around 48c. I’m not sure if this is because the Noctuas are less efficient or if having the mixed fans is causing them to be confused about the speed. I’ll get a third Noctua soon and report my results.

The fan tray just slides out the back, so no need to open up the case. It’s super easy. This is the fan I used, and it’s a straight fit: https://www.amazon.com/gp/product/B071W93333/ref=ppx_yo_dt_b_asin_title_o00_s01?ie=UTF8&psc=1

MFA in Office 365, not talkin’ bout Azure

Microsoft is frustratingly vague about support for basic MFA in all Office 365 offerings. They have these lists of feature support across different packages, which go into great detail and yet don’t include basic MFA. Maybe this post will get up in the rankings so others don’t have to spin their wheels looking for an answer.

My results for licenses that have basic MFA include:

  • F1
  • Business Premium
  • E1
  • E3
  • E5

I have not tested Business Essentials or Exchange Online licenses yet. However, I do have an old Exchange Online Kiosk account and it appears to allow enabling it.

In fact, when I try to enable MFA there does not appear to be a restriction based on license type. Let me know your results!

OpenVAS on the Raspberry Pi 4 works really well!

I’ve been trying to set up OpenVAS on a tiny PC like the RPi lately. Based on this post: https://dayne.broderson.org/2018/05/24/RPi_Vulnerability_Scanner.html

I wasn’t expecting much success. And that’s what I found. It wasn’t really usable. I saw the TinkerBoard and the extra performance and RPi compatibility and thought that might be a good thing to try. I was never able to get a working mix of software on the Tinker. The repositories aren’t quite the same and some of the necessary packages, OpenVAS in particular, are not maintained.

Then the RPi4 was announced. I knew this might be the ticket to making this work. 4GB of RAM!!! Unfortunately, the 4GB model isn’t available yet, as far as I can tell. I decided to wait. Then I found out my sometimes partner in crime, Steve, had ordered a pair of 2GB models. Of course, I asked if I could borrow one.

I’m happy to report that the install is simple and it was able to scan my /24, which averages about 75 IPs, in about 3 hours! I didn’t modify anything performance related and didn’t have any of the problems that Dayne referenced.

I do need to sort through a few logistic issues to make this functional in the way I’m thinking. For one thing, I want to run this headless. No problem, except OpenVAS (specifically the GSA web management) is finicky about identifying the IP address it’s listening on. So far I have to manually set it and haven’t figured out how to make it work with 0.0.0.0. I’ll find a way. I also had a problem with the management interface failing due to memory starvation. I think. The scan will continue to run, so it’s not a showstopper. I’m hoping the 4GB will help with that. I also think it’ll be helpful to throw some heatsinks on. It seemed to get pretty hot.

Without further preamble, here are the steps I took. This is very similar to Dayne’s post with a few exceptions:

sudo apt update
sudo apt upgrade
sudo apt autoremove   # habit for me
sudo apt-get install openvas
sudo openvas-setup    # this took a good hour, maybe more, to run. Lots of errors, but it seems to have been ok.
sudo openvas-start

This is the part I haven’t sorted out yet. You need to update the service config files to reflect something other than 127.0.0.1. I tried 0.0.0.0 and was unsuccessful. When I changed it to the DHCP IP address it worked. I don’t see this as being a good solution as I intend on using this in different environments. Regardless, here are the commands until I can sort out the right answer:

sudo nano /lib/systemd/system/greenbone-security-assistant.service
sudo systemctl daemon-reload
sudo service greenbone-security-assistant restart

sudo nano /lib/systemd/system/openvas-manager.service
sudo systemctl daemon-reload
sudo service greenbone-security-assistant restart
sudo service openvas-manager restart
sudo service openvas-scanner restart

And my GS service line that I edited in the above command:
ExecStart=/usr/sbin/gsad --foreground --listen=0.0.0.0 --port=9392 --mlisten=0.0.0.0 --mport=9390 --allow-header-host=192.168.169.198

The --allow-header-host is the problem I need to fix. I’ll update as I make improvements. One of my goals is to attach a small LCD that will display the IP address.
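One way to stop hand-editing the unit file every time the Pi lands on a new DHCP address is to generate a systemd drop-in at boot from whatever address the Pi currently holds. The script below is an added example (mine, not from the original post or from the Greenbone project). It uses the gsad flags from the ExecStart line above, binds --listen and --allow-header-host to the detected address (the configuration the post reports as working) rather than every interface, and keeps --mlisten/--mport as they appear in the post. It assumes a Linux host with systemd and `hostname -I`; the unit name is the one the post edits.

```sh
#!/bin/sh
# Added example, not from the original post or the Greenbone project.
# Writes a systemd drop-in for greenbone-security-assistant.service that sets
# gsad's listen address and allowed Host header to the Pi's current IPv4
# address, so the unit file under /lib/systemd/system stays untouched.
# Assumptions: systemd, `hostname -I` (Linux), gsad flags as in the post.

UNIT="greenbone-security-assistant"
DROPIN_DIR="/etc/systemd/system/${UNIT}.service.d"

# primary_ip: first IPv4 address reported by `hostname -I`; exit 1 if the
# interface has not been configured yet (e.g. script ran before DHCP finished).
primary_ip() {
  hostname -I 2>/dev/null \
    | awk '{ for (i = 1; i <= NF; i++)
               if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { print $i; exit } }' \
    | grep .
}

# render_dropin: print the drop-in contents for address $1. The empty
# "ExecStart=" line clears the packaged ExecStart before the new one is set;
# gsad then listens only on the detected address and accepts that address as
# the Host header, which is what browsers on the same LAN will send.
render_dropin() {
  ip="$1"
  printf '[Service]\nExecStart=\nExecStart=/usr/sbin/gsad --foreground --listen=%s --port=9392 --mlisten=0.0.0.0 --mport=9390 --allow-header-host=%s\n' "$ip" "$ip"
}

# apply_dropin: write the drop-in and restart gsad. Needs root.
apply_dropin() {
  ip="$(primary_ip)" || { echo "no IPv4 address yet" >&2; return 1; }
  mkdir -p "$DROPIN_DIR"
  render_dropin "$ip" > "$DROPIN_DIR/listen.conf"
  systemctl daemon-reload
  systemctl restart "$UNIT"
  echo "gsad now listening on https://$ip:9392/"
}

# Usage: sudo sh this-script.sh   (or call apply_dropin from a oneshot unit)
```

To run it automatically, put apply_dropin in a small oneshot service ordered After=network-online.target and Before=greenbone-security-assistant.service, so the drop-in is regenerated before gsad starts on each boot. The printed URL is also the string a small LCD could show.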