First off, you need to obtain the Pulse Secure client as a deb file from your network administrator. I have version 8.2R5.

For some reason the client does not list any dependencies when installing, so you must install the needed (32-bit) libraries by hand ( does not work without changes):

$ sudo apt install libwebkitgtk-1.0-0:i386 libdconf1:i386 dconf-gsettings-backend:i386

It is also necessary to include Pulse’s libraries in ld’s search path (LD_LIBRARY_PATH). This is done by running this:

$ echo "/usr/local/pulse" | sudo tee /etc/
$ sudo ldconfig

The above instructions work for Ubuntu 16.04, 16.10, 17.04 and 17.10. In 17.04 and 17.10 you also need to install net-tools to get ifconfig:

$ sudo apt install net-tools

After using Linux Mint with Cinnamon for a long time I am now back with Ubuntu with GNOME (reluctantly, I may add).

One thing I have noticed is there does not seem to be an option in the settings to change your preferred terminal emulator.

(This guide applies to any Debian/Ubuntu based distribution)

For some reason (complexity perhaps) it is not possible to configure full-disk encryption and LVM from the graphical installer in the desktop edition. It is possible to select full-disk encryption but this only creates one filesystem (root).

I want to use LVM to allow me to have more than one filesystem without having to enter more than one password during boot-up. It is not impossible to install Ubuntu desktop (or Linux Mint as in this guide) with encryption and LVM but it does require a little more work.

I’ve been running KVM for quite a while on my lab server. It’s been running without issue but with the release of vSphere/ESXi 6.0 I felt it was time to move back to VMware.

I wanted to preserve the virtual machines already running so I set out to move these to ESXi. I ran into some issues which I’m not sure is a generic problem or specific to ESXi 6.0 but I’ll describe what I have done.

In order to convert the existing disk images to VMware’s vmdk format you should use the program qemu-img from the package qemu-utils (in Ubuntu).

The process is straight-forward

  • $ sudo qemu-img convert -p DiskImage.img -O vmdk DiskImage.vmdk
  • Transfer disk image to ESXi (using scp (enable ssh in ESXi)) or NFS (as I did)
  • Create new virtual machine with custom options and add the converted disk
  • Boot

Unfortunately this did not work as expected: when booting the converted images, the Linux instances inside all crashed during boot with this error message (or something similar): unsupported version 0 of verneed record

It turns out two steps were missing. After transferring the converted disk image to ESXi, do this from the ESXi CLI (via SSH):

# vmkfstools -i /vmfs/volumes/nfs1/DiskImage.vmdk -d thin /vmfs/volumes/datastore1/MyServer/DiskImage.vmdk

-d is the output format which can be zeroedthick, eagerzeroedthick or thin.

Now open the newly created vmdk file in vi and change the line ddb.adapterType from ide to lsilogic.

After doing this, add the image(s) to a newly created VM and boot.

(This was done in Ubuntu and will work with any Linux variant with qemu-img. If you want to do this in Windows, StarWind V2V Converter is said to be able to do the job.)

I’ve started to use instead of services like Dropbox, SpiderOak and similar.

Why? Because it’s fast (unlike Dropbox), it’s simple (unlike SpiderOak) and it’s able to run on all major platforms (Windows, OSX, Android, iOS and Linux, both graphical and console. Both are native Linux applications).

This article explains how to install the agent on Linux – more specifically how to run the console agent on a Ubuntu-derived distribution.

I have recently moved my hosting to a couple of VPSes at ChicagoVPS and wanted to use IPv6 (via

ChicagoVPS uses OpenVZ which presents a couple of problems

$ ifconfig sit0
sit0: error fetching interface information: Device not found
$ sudo modprobe ipv6
FATAL: Module ipv6 not found.

It turns out this is a fairly common problem, though OpenVZ is supposed to support IPv6. Luckily, someone made a small userland program (tb-tun), which “tunnels” IPv6 tunnels through a TUN/TAP device.

First, it requires tun/tap device support to be enabled in the VPS, this is done in the control panel under settings

Note! – Changing this setting will reboot your VPS without warning!

Next, make sure the build-essential package is installed (it’s included in the Ubuntu template at ChicagoVPS)

$ sudo apt-get install build-essential

Now, download and install the tb-tun program

$ mkdir tb-tun
$ cd tb-tun
$ wget
$ tar zxvf tb-tun_r18.tar.gz
$ gcc tb_userspace.c -l pthread -o tb_userspace
$ sudo mv tb_userspace /usr/local/sbin

Before continuing, I recommend looking up the following information:

Server IPv4 Address - This is the IPv4 address of the Tunnelbroker gateway
Client IPv4 Address - This is the IPv4 address of your server
Client IPv6 Address - This is the IPv6 address of your server (for the tunnel end-point)
Routed /64 - This is your network

Next, you need to ensure your iptables configuration allows incoming encapsulated IPv6 traffic (protocol 41). Since ufw is a PITA to get to work on OpenVZ, I’m using iptables-persistent, which simply means adding one line to /etc/iptables-persistent/rules.v4

# IPv6 tunnel
-A INPUT -p 41 -s <Server IPv4 Address> -j ACCEPT

You also need to secure your server on IPv6, /etc/iptables-persistent/rules.v6

-A INPUT -i lo -j ACCEPT
# Allow ping
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

Apply the new rules

$ sudo service iptables-persistent reload

Finally, you are ready to set up your tunnel in /etc/network/interfaces

auto tb
iface tb inet6 manual
        pre-up  setsid /usr/local/sbin/tb_userspace tb <Server IPv4 address> <Client IPv4 address> sit > /dev/null &
        up      ifconfig tb up
        post-up ifconfig tb inet6 add <Client IPv6 address>/64
        post-up ifconfig tb inet6 add <Routed /64>:1/64
        post-up ifconfig tb mtu 1480
        post-up route -A inet6 add ::/0 dev tb
        post-up netstat -rn6 | grep -q venet0 && route -A inet6 del ::/0 dev venet0
        down    ifconfig tb down
        post-down       route -A inet6 del ::/0 dev tb
        post-down       killall tb_userspace

In my setup it looks like this:

auto tb
iface tb inet6 manual
        pre-up  setsid /usr/local/sbin/tb_userspace tb sit > /dev/null &
        up      ifconfig tb up
        post-up ifconfig tb inet6 add 2001:470:1f10:74b::2/64
        post-up ifconfig tb inet6 add 2001:470:1f11:74b::1:1/64
        post-up ifconfig tb mtu 1480
        post-up route -A inet6 add ::/0 dev tb
        post-up netstat -rn6 | grep -q venet0 && route -A inet6 del ::/0 dev venet0
        down    ifconfig tb down
        post-down       route -A inet6 del ::/0 dev tb
        post-down       killall tb_userspace

Now, I just have one question


(Actually I know, and understand, why. It’s still annoying though)

iptables is not always easy to deal with so I prefer to use Uncomplicated firewall (ufw) in Ubuntu, because it simplifies configuring and maintaining my firewall rules.

Unfortunately, ufw does not play nice with OpenVZ containers so I decided to find something else. In the end (after testing various things) I decided to install the package iptables-persistent which is not as sexy as ufw but gets the job done.

iptables-persistent uses two configuration files, /etc/iptables-persistent/rules.v4 and /etc/iptables-persistent/rules.v6.

Both files can be generated during installation.

A simple version of /etc/iptables-persistent/rules.v4 may look like this

*filter

#  Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j DROP

# Allow all traffic from tun-devices (VPN)
-A INPUT -i tun+ -j ACCEPT

#  Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allows all outbound traffic
#  You could modify this to only allow certain traffic
#  This is in addition to allowing established and related traffic as listed above
-A OUTPUT -j ACCEPT

# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

#  Allows SSH connections from trusted-host only - drop the rest
#  (replace <trusted-host> with the address of your trusted host)
-A INPUT -p tcp --dport 22 -s <trusted-host> -j ACCEPT

# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Drop all other inbound - default deny unless explicitly allowed policy (change to REJECT if you wish to reject packets instead of dropping them)
-A INPUT -j DROP

COMMIT


After making changes to your rules files, apply them by running

$ sudo service iptables-persistent reload
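
The rules.v6 lines listed in the tunnel post contain only ACCEPT rules, and the rules.v4 comments above call for an established-connections rule and a final default deny. As an added example (not the author's code), this shell function checks an iptables-restore style rules file for those two things, plus ACCEPT rules placed after the catch-all deny; the function name, finding labels and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Audits the INPUT chain of an
# iptables-restore style rules file (rules.v4 / rules.v6) read from a file
# argument or stdin. Prints one finding per line, or "ok".
audit_input_chain() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }                 # comments, blank lines
        $1 == ":INPUT" && $2 == "DROP" { policy_drop = 1 }
        $1 == "-A" && $2 == "INPUT" {
            rule++
            if (NF == 4 && $3 == "-j" && ($4 == "DROP" || $4 == "REJECT")) {
                if (!deny_at) deny_at = rule           # first catch-all deny
            } else if (deny_at && $NF == "ACCEPT") {
                shadowed = 1                           # never reached
            }
            if ($0 ~ /ESTABLISHED/) established = 1
        }
        END {
            if (!policy_drop && !deny_at) { print "no-default-deny"; bad = 1 }
            if (!established) { print "no-established-rule"; bad = 1 }
            if (shadowed) { print "accept-after-deny"; bad = 1 }
            if (!bad) print "ok"
        }
    ' "$@"
}

# Constructed sample: the rules.v6 lines from the tunnel post, as listed.
sample_page_v6() {
    cat <<'EOF'
-A INPUT -i lo -j ACCEPT
# Allow ping
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
EOF
}

# Constructed sample: same rules plus return traffic and a final DROP.
# Assumption: the state match is available to ip6tables in the container.
sample_hardened_v6() {
    sample_page_v6
    cat <<'EOF'
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j DROP
EOF
}

echo "rules.v6 as listed:";  sample_page_v6 | audit_input_chain
echo "with default deny:";   sample_hardened_v6 | audit_input_chain
```

To check a live file, run `audit_input_chain /etc/iptables-persistent/rules.v6` before reloading the rules.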

As always with a new Ubuntu release comes the problem of getting Cisco’s VPN client to install (and no, using vpnc instead is not really an option since the VPN concentrator doesn’t play nice and drops the connection from time to time)

The problem this time is the kernel version of Ubuntu 11.10 – The new 3.0 series kernel.

I’ve made a patch which will make the kernel module compile and install on the 3.0 kernel.

If you have the vanilla Linux client, you still need the patches here. If the installation/compile fails, make sure you have installed all relevant patches as well as the packages needed to install (ia32-libs build-essential linux-headers-`uname -r`).

At some point Veritas has released the Cluster Manager (Java Console) for Linux. Of course, Linux means Red Hat (and other RPM based flavours). Luckily it isn’t too hard making it work on Ubuntu (and friends).

First, get the software – This requires a SymAccount. And no, I will not send you the software

Now, prepare your Ubuntu box

$ sudo apt-get install alien fakeroot

And finally convert and install the package

$ fakeroot alien -c VCS_Cluster_Manager_Java_Console_5.1_for_Linux.rpm
$ sudo dpkg -i vrtscscm_5.1.00.20-1_all.deb

Now, from a terminal or otherwise (ALT-F2 in various Ubuntus) run

$ /opt/VRTSvcs/bin/hagui

Or create a desktop entry for the Cluster Manager to put it in the menu

Create the file ~/.local/share/applications/hagui.desktop

[Desktop Entry]
Type=Application
Name=Veritas Cluster Manager
GenericName=Veritas Cluster Manager
Comment=Manage Veritas clusters
Exec=/opt/VRTSvcs/bin/hagui
Icon=ClusterManager
Terminal=false

Copy ClusterManager.png to ~/.icons

The fix itself is the same as for Python 2.5 – only the line numbers have changed.

Open the file /usr/lib/python2.7/ and find the line containing en_gb (line 921) and add these lines (this works for Danish locales):

    'en_dk':                                'en_DK.ISO8859-1',
    'en_dk.iso88591':                       'en_DK.ISO8859-1',
    'en_dk@euro':                           'en_DK.ISO8859-15',

In order to avoid this change getting overwritten by package updates, I use dpkg-divert:

$ sudo dpkg-divert --add --rename --divert /usr/lib/python2.7/ /usr/lib/python2.7/
$ sudo cp /usr/lib/python2.7/ /usr/lib/python2.7/

If you wish to remove the diversion (if the package is fixed to support your locale at some point) simply run

$ sudo dpkg-divert --rename --remove /usr/lib/python2.7/