Web proxy client configuration
Generic
The http_proxy variable should always be lowercase. The same goes for every variable with the http_ prefix
Prefer ALL_PROXY in uppercase
Source: https://everything.curl.dev/usingcurl/proxies/env.html
HTTP proxy
#export http_proxy=http://192.168.56.1:3128
#export https_proxy=http://192.168.56.1:3128
export ALL_PROXY=http://192.168.56.1:3128
export NO_PROXY=localhost,127.0.0.1,127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16,::1
SOCKS proxy
#export ALL_PROXY=socks://127.0.0.1:1080/
export ALL_PROXY=socks5h://127.0.0.1:1080
export NO_PROXY=localhost,127.0.0.0/8,::1
Permanent / persistent configuration
/etc/environment
#http_proxy=http://192.168.56.1:3128
#https_proxy=http://192.168.56.1:3128
ALL_PROXY=http://192.168.56.1:3128
NO_PROXY=localhost,127.0.0.1,localaddress,.localdomain.com,192.168.56.12
Other
export use_proxy=on
Curl
curl -x '' https://gnu.org
Password
For a proxy with authentication
export ALL_PROXY=http://Nom:MotDePasse@192.168.56.1:3128
If there are special or accented characters, you must encode them. See: 'URL encoding / Percent encoding'
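One way to do that encoding before exporting the variable, as an added example (not from the original page). The helper names urlencode and proxy_url and the sample password are assumptions made for illustration:

```sh
#!/bin/sh
# Added example: percent-encode proxy credentials before building ALL_PROXY.
# urlencode and proxy_url are hypothetical helper names; sample values are
# constructed.

# Percent-encode every byte that is not an RFC 3986 "unreserved" character.
# Working on bytes (od) keeps multi-byte UTF-8 characters such as "é" correct.
urlencode() {
    printf '%s' "$1" | od -An -v -tu1 | awk '
        {
            for (i = 1; i <= NF; i++) {
                b = $i + 0
                if ((b >= 48 && b <= 57) || (b >= 65 && b <= 90) ||
                    (b >= 97 && b <= 122) ||
                    b == 45 || b == 46 || b == 95 || b == 126)
                    printf "%c", b          # 0-9 A-Z a-z - . _ ~
                else
                    printf "%%%02X", b      # everything else, e.g. @ : / #
            }
        }'
}

# proxy_url USER PASSWORD HOST:PORT -> http://user:password@host:port
proxy_url() {
    printf 'http://%s:%s@%s\n' "$(urlencode "$1")" "$(urlencode "$2")" "$3"
}

# Constructed sample: a password containing URL delimiters. Left unencoded,
# the "@" and ":" would change where the client thinks the host part starts.
ALL_PROXY=$(proxy_url 'Nom' 'p@ss:w/rd#1' '192.168.56.1:3128')
export ALL_PROXY
```

/etc/environment is normally world-readable, so a URL with an embedded password stored there is visible to every local account.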
Sudo
To load the configuration from /etc/environment
sudo su
-E
-E, --preserve-env
Indicates to the security policy that the user wishes to preserve their existing environment variables. The security policy may return an error if the user does not have permission to preserve the environment.
sudo -E -s
Or
/etc/sudoers
Defaults env_reset
Defaults env_keep += "http_proxy"
Defaults env_keep += "https_proxy"
RedHat
/etc/yum.conf
proxy=http://192.168.2.30:3128
Debian
See Proxy and apt-get
Docker
Conky configuration example
Example .conkyrc configuration file
- ~/.conkyrc
own_window yes
own_window_transparent yes
#own_window_type override
own_window_hints undecorated,below,sticky,skip_taskbar,skip_pager
double_buffer yes
use_xft yes
#xftfont DejaVu Sans:size=10
xftfont Bitstream Vera Sans:size=10
draw_outline no
draw_borders no
uppercase no
draw_shades no
border_width 0
text_buffer_size 2048
default_color white
update_interval 5
# transparent for KDE4
own_window yes
own_window_title conky
own_window_hints undecorated,below,sticky,skip_taskbar,skip_pager
own_window_argb_visual yes
own_window_argb_value 0
own_window_type normal
#alignment tm
#alignment bottom_right
alignment tl
gap_x 10
gap_y 60
minimum_size 400 1
maximum_width 400
TEXT
${color grey}${time %H:%M %d/%m/%Y}
$nodename - $sysname $kernel $machine
#$hr
${color grey}Uptime:$color $uptime
${color grey}Frequency (in MHz):$color $freq
${color grey}RAM Usage:$color $mem/$memmax - $memperc% ${membar 4}
${color grey}Swap Usage:$color $swap/$swapmax - $swapperc% ${swapbar 4}
${color grey}CPU Usage:$color $cpu% ${cpubar 4}
${color grey}Processes:$color $processes ${color grey}Running:$color $running_processes
$hr
${color grey}File systems /: $color${fs_used /}/${fs_size /} ${fs_bar 6 /}
${color grey}File systems /home: $color${fs_used /home}/${fs_size /home} ${fs_bar 6 /home}
${color grey}File systems /tmp: $color${fs_used /tmp}/${fs_size /tmp} ${fs_bar 6 /tmp}
${color grey}File systems /usr: $color${fs_used /usr}/${fs_size /usr} ${fs_bar 6 /usr}
${color grey}File systems /var: $color${fs_used /var}/${fs_size /var} ${fs_bar 6 /var}
$hr
${color grey}Networking:
Up:$color ${upspeed eth0} ${color grey} - Down:$color ${downspeed eth0}
#$hr
${color grey}Name PID CPU% MEM%
${color lightgrey} ${top name 1} ${top pid 1} ${top cpu 1} ${top mem 1}
${color lightgrey} ${top name 2} ${top pid 2} ${top cpu 2} ${top mem 2}
${color lightgrey} ${top name 3} ${top pid 3} ${top cpu 3} ${top mem 3}
${color lightgrey} ${top name 4} ${top pid 4} ${top cpu 4} ${top mem 4}
Example
- #~/Conkyrc/.conky_current (used with KDE4)
background true
update_interval 1
cpu_avg_samples 2
net_avg_samples 2
temperature_unit celsius
gap_x 0
gap_y 20
total_run_times 0
#Memory
double_buffer yes #Avoid flickering
no_buffers yes #Subtract buffers from used memory
text_buffer_size 1024 #Size of the text cache
minimum_size 200
maximum_width 200
#own_window_type desktop
own_window true
own_window_transparent true
own_window_hints below,sticky,skip_taskbar,skip_pager
border_inner_margin 0
border_outer_margin 0
alignment tr
draw_shades false
draw_outline false
draw_borders false
draw_graph_borders false
use_xft true
xftfont Droid Serif:size=8
# All text in uppercase
uppercase no
# Adds spaces after certain objects to keep them from moving.
# Only works with fixed-width fonts
use_spacer right
xftalpha 0.5
own_window_argb_visual yes
own_window_argb_value 110
#default_color ffffff
color1 white
color2 black
color3 red
TEXT
#${color2}${hr 135}
${color2}${font Droid Serif:size=12}${alignc}${time %A}${font Droid Serif:size=22}${alignc}${time %e}${font Droid Serif:size=9}${alignc}${time %b}${font Droid Serif:size=12}${alignc}${time %Y}${font}
#${color2}${font Droid Serif bold:size=12}${color2}${alignc}${time}
##CPU
#used
${font}
${alignc}${color2}cpu1
${color1}${freq 0}Mhz
${color1}${alignc}${cpu cpu 0}%
${color1}${alignr}${hwmon temp 1}°C
#
${alignc}${color2}cpu2
${color1}${freq 1}Mhz
${color1}${alignc}${cpu cpu 1}%
${color1}${alignr}${hwmon temp 2}°C
#
${alignc}${color2}cpu3
${color1}${freq 2}Mhz
${color1}${alignc}${cpu cpu 2}%
${color1}${alignr}${hwmon temp 3}°C
#
${alignc}${color2}M/B
${alignc}${color1}${hddtemp /dev/sda}°C
#
${alignc}${color2}fan
${color1}${alignc}${hwmon fan 1}RPM
#
${alignc}${color2}downspeed
${color1}${alignc}${downspeedf}KiB
${alignc}${color2}upspeed
${color1}${alignc}${upspeedf}KiB
#
#proc
${color2}${top name 1}${alignr}${color1}${top cpu 1}%
${color2}${top name 2}${alignr}${color1}${top cpu 2}%
${color2}${top name 3}${alignr}${color1}${top cpu 3}%
${color2}${top name 4}${alignr}${color1}${top cpu 4}%
#${color2}${top name 5}${alignr}${color1}${top cpu 5}%
#${color2}${top name 6}${alignr}${color1}${top cpu 6}%
${alignc}${offset 0}${voffset -50}${color green}${cpugauge 40,90}
${voffset 0}
${alignc}${color2}processus
${color1}${alignc}${processes}
#
#RAM
${color2}${top_mem name 1}${alignr}${color1}${top mem 1}%
${color2}${top_mem name 2}${alignr}${color1}${top mem 2}%
${color2}${top_mem name 3}${alignr}${color1}${top mem 3}%
${color2}${top_mem name 4}${alignr}${color1}${top mem 4}%
#${color2}${top_mem name 5}${alignr}${color1}${top mem 5}%
#${color2}${top_mem name 6}${alignr}${color1}${top mem 6}%
#
${alignc}${offset 0}${voffset -50}${color green}${memgauge 40,90}
#
${voffset 0}
#/
${color2}${alignc}/ ${fs_size /}
${fs_used /}${alignr}${color1}${fs_free /}
${voffset -12}${alignc}${color green}${fs_bar 5,90 /}
#
#/HOME
${color2}${alignc}home ${fs_size /home}
${fs_used /home}${alignr}${color1}${fs_free /home}
${voffset -12}${alignc}${color green}${fs_bar 5,90 /home}
#
#/LaCie
${color2}${alignc}LaCie ${fs_size /media/usb0}
${fs_used /media/usb0}${alignr}${color1}${fs_free /media/usb0}
${voffset -12}${alignc}${color green}${fs_bar 5,90 /media/usb0}
#
#VIRTUELRAM
${color2}${alignc}virtuelram ${fs_size /media/virtuelram}
${fs_used /media/virtuelram}${alignr}${color1}${fs_free /media/virtuelram}
${voffset -12}${alignc}${color green}${fs_bar 5,90 /media/virtuelram}
#
#SWAP
#${color2}${alignc}SWAP
#${alignc}${swapmax}${alignc}${color green}${swapbar 5,90}${alignr}${color1}${swapfree}
#
${uptime}${hr}
#SYSNAME
${color3}${execi 86400 lsb_release -si}-${execi 86400 lsb_release -sc}${hr}
${color3}Kernel ${execi 86400 uname -r}${hr}
Install conky:
apt-get install conky-std
Start conky:
conky -d -c ~/Conkyrc/.conky_current &
Stop conky:
killall conky
Create launchers (example with conky-cpu):
For the menu manager to recognize them, create them in ~/.local/share/applications/
###conky_cpu.desktop###
[Desktop Entry]
Version=1.0
Type=Application
Name=conky_cpu
Comment=
Icon=xfce-sensors
Exec=conky -d -c ~/Conkyrc/.conky_current &
Path=
Terminal=false
StartupNotify=false
GenericName=
Categories=conky
Change in conky starting with Debian Sid:
Before: ${color1}${alignr}${hwmon 1 temp 1}°C
Now: ${color1}${alignr}${hwmon temp 1}°C
Test account
Example:
Installing PlayOnLinux:
apt-get update && apt-get install playonlinux
playonlinux.sh
#! /bin/bash
xhost local:test
sudo -u test /home/test/bin/playol.sh
/home/test/bin/playol.sh
#! /bin/bash
cd /home/test/repo/POL-POM-4
git pull
./playonlinux
Sudoers configuration
visudo
jibe ALL=(test) NOPASSWD: ALL
Creating the launcher icon
CRA.desktop
[Desktop Entry]
Encoding=UTF-8
Name=CRA
Comment=PlayOnLinux
Type=Application
#Exec=sudo -u test -s /bin/bash -- /home/test/repo/POL-POM-4/playonlinux --run "Internet Explorer 7" %F
Exec=sudo -u test -s /bin/bash -- /home/test/repo/POL-POM-4/playonlinux --run "Internet Explorer 7" https://hq.proservia.fr/webquartz/
Icon=/usr/share/icons/hicolor/48x48/apps/alacarte.png
Name[fr_FR]=CRA
StartupWMClass=iexplore.exe
Categories=
Compiling a Linux kernel patched with Grsecurity/PaX on Debian
Compiling the Linux kernel, patched with Grsecurity, on Debian
Check user_xattr?
apt-get update
apt-get install kernel-package
$ gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/4.9/lto-wrapper
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian 4.9.1-19' --with-bugurl=file:///usr/share/doc/gcc-4.9/README.Bugs --enable-languages=c,c++,java,go,d,fortran,objc,obj-c++ --prefix=/usr --program-suffix=-4.9 --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --with-gxx-include-dir=/usr/include/c++/4.9 --libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --enable-gnu-unique-object --disable-vtable-verify --enable-plugin --with-system-zlib --disable-browser-plugin --enable-java-awt=gtk --enable-gtk-cairo --with-java-home=/usr/lib/jvm/java-1.5.0-gcj-4.9-amd64/jre --enable-java-home --with-jvm-root-dir=/usr/lib/jvm/java-1.5.0-gcj-4.9-amd64 --with-jvm-jar-dir=/usr/lib/jvm-exports/java-1.5.0-gcj-4.9-amd64 --with-arch-directory=amd64 --with-ecj-jar=/usr/share/java/eclipse-ecj.jar --enable-objc-gc --enable-multiarch --with-arch-32=i586 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
Thread model: posix
gcc version 4.9.1 (Debian 4.9.1-19)
apt-get install gcc-4.9-plugin-dev
apt-get install attr
Downloading the grsecurity patch
wget https://grsecurity.net/stable/grsecurity-3.0-3.2.64-201411062032.patch
wget https://grsecurity.net/stable/grsecurity-3.0-3.2.64-201411062032.patch.sig
gpg --verify grsecurity-3.0-3.2.64-201411062032.patch.sig grsecurity-3.0-3.2.64-201411062032.patch
Downloading the Linux kernel sources
wget https://www.kernel.org/pub/linux/kernel/v3.0/linux-3.2.64.tar.xz
wget https://www.kernel.org/pub/linux/kernel/v3.0/linux-3.2.64.tar.sign
7z x linux-3.2.64.tar.xz
gpg --verify linux-3.2.64.tar.sign linux-3.2.64.tar
Time to patch. Test first:
patch --dry-run -p1 < ../grsecurity-3.0-3.2.64-201411062032.patch
Let's go
patch -p1 < ../grsecurity-3.0-3.2.64-201411062032.patch
Done. Let's compile…. Re
ls -lrt /boot/config-3.*
cp /boot/config-3.16-3-amd64 .config
make oldconfig
make menuconfig
or
make defconfig
If you have an otherwise idle quad-core
$ #getconf _NPROCESSORS_ONLN
$ nproc
4
export CONCURRENCY_LEVEL=4
This is the equivalent of make -j 4 or of export MAKEFLAGS="-j4". But for make-kpkg, the MAKEFLAGS variable must not be set. Run unset MAKEFLAGS if needed.
Or, more simply
export CONCURRENCY_LEVEL=$(nproc)
To compile the Linux kernel on Debian
Here we go, compiling
fakeroot make-kpkg --initrd --append-to-version="gnugrs" kernel-image kernel-headers
We will need to change PaX flags (PaX is included with Grsecurity). Install the attr package, which includes the setfattr tool (we will need it, otherwise some programs will no longer work once we boot the new kernel)
apt-get install attr
- # Old method
Downloading the script provided by the Mempo project
wget https://raw.githubusercontent.com/mempo/deterministic-kernel/master/apps/grsec-setpax/postinstall/fs_attr_grsecurity_standard_debian.sh
chmod +x fs_attr_grsecurity_standard_debian.sh
sudo ./fs_attr_grsecurity_standard_debian.sh
Personally, I had to add these, which had been left out:
setfattr -n user.pax.flags -v "rm" /usr/lib/icedove/icedove
setfattr -n user.pax.flags -v "rm" /usr/lib/iceweasel/iceweasel
setfattr -n user.pax.flags -v "m" /usr/lib/iceweasel/plugin-container
setfattr -n user.pax.flags -v "E" /usr/bin/python3.4
setfattr -n user.pax.flags -v "m" /usr/bin/nodejs
setfattr -n user.pax.flags -v "m" /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java
Or with paxctl
PaX configuration: paxctld.conf
/etc/paxctld.conf
/usr/lib/icedove/icedove rm
/usr/lib/iceweasel/iceweasel rm
/usr/lib/iceweasel/plugin-container m
/usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java m
New method
gpg --verify paxctld_1.0-2_amd64.deb.sig paxctld_1.0-2_amd64.deb
gpg: Signature faite le jeu. 01 janv. 2015 18:09:39 CET
gpg: avec la clef RSA 0x44D1C0F82525FE49
gpg: Bonne signature de « Bradley Spengler (spender) <spender@grsecurity.net> » [inconnu]
gpg: Attention : cette clef n'est pas certifiée avec une signature de confiance.
gpg: Rien n'indique que la signature appartient à son propriétaire.
Empreinte de clef principale : DE94 52CE 46F4 2094 907F 108B 44D1 C0F8 2525 FE49
dpkg -i paxctld_1.0-2_amd64.deb
Nothing more to do. The configuration is in */etc/paxctld.conf* and the paxctld daemon takes care of everything. In my case, the default configuration is enough.
It is important to check (and monitor) that the paxctld service is running and enabled to start automatically.
After an update, does the paxctld service have to be restarted every time!?
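The gpg output above reports a good signature but warns that nothing ties the key to its owner, so the check rests on comparing the printed fingerprint by eye. One way to make that comparison mechanical, as an added example (not from the original page or from grsecurity); the function names are assumptions and the pinned value is the fingerprint printed above:

```sh
#!/bin/sh
# Added example: accept a gpg signature only if it was made by a pinned key.
# Function names are hypothetical helpers, not part of gpg or paxctld.

# Fingerprint exactly as printed on this page ("Empreinte de clef principale").
# Confirm it through an independent channel before relying on it.
PINNED_FPR='DE94 52CE 46F4 2094 907F 108B 44D1 C0F8 2525 FE49'

# Strip spaces and uppercase so both notations compare equal.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Reads `gpg --status-fd 1 --verify` output on stdin.
# Succeeds only if a VALIDSIG line carries the wanted fingerprint (signing key
# in field 3, primary key in the last field) and no line reports a bad,
# expired or revoked signature or key.
status_has_pinned_sig() {
    awk -v want="$(norm_fpr "$1")" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { exit ((ok && !bad) ? 0 : 1) }'
}

# verify_pinned SIGNATURE FILE [FINGERPRINT]
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        status_has_pinned_sig "${3:-$PINNED_FPR}"
}

# Usage, with the file names used on this page:
#   verify_pinned paxctld_1.0-2_amd64.deb.sig paxctld_1.0-2_amd64.deb &&
#       dpkg -i paxctld_1.0-2_amd64.deb
```

The same function applies to the patch and kernel tarball signatures earlier in this section, each with its own pinned fingerprint.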
sysctl
To see the properties that can be changed at runtime
sysctl -a | egrep "kernel.pax.|kernel.grsecurity."
Example configuration file (desktop PC)
/etc/sysctl.d/05-grsecurity.conf
kernel.grsecurity.linking_restrictions = 1
kernel.grsecurity.enforce_symlinksifowner = 1
kernel.grsecurity.deter_bruteforce = 1
kernel.grsecurity.fifo_restrictions = 1
kernel.grsecurity.ptrace_readexec = 1
kernel.grsecurity.consistent_setxid = 1
kernel.grsecurity.ip_blackhole = 1
kernel.grsecurity.lastack_retries = 4
kernel.grsecurity.chroot_deny_shmat = 1
kernel.grsecurity.chroot_deny_unix = 1
kernel.grsecurity.chroot_deny_mount = 1
kernel.grsecurity.chroot_deny_fchdir = 1
kernel.grsecurity.chroot_deny_chroot = 1
kernel.grsecurity.chroot_deny_pivot = 1
kernel.grsecurity.chroot_enforce_chdir = 1
kernel.grsecurity.chroot_deny_chmod = 1
kernel.grsecurity.chroot_deny_mknod = 1
kernel.grsecurity.chroot_restrict_nice = 1
kernel.grsecurity.chroot_caps = 1
kernel.grsecurity.chroot_deny_sysctl = 1
kernel.grsecurity.chroot_findtask = 1
# TPE: Trusted Path Execution.
kernel.grsecurity.tpe = 1
# Drastic. No more exec in the home directory
kernel.grsecurity.tpe_restrict_all = 1
#kernel.grsecurity.socket_all = 1
#kernel.grsecurity.socket_client = 1
#kernel.grsecurity.socket_server = 1
kernel.grsecurity.harden_ptrace = 1
# For mplayer2 with x11 drivers (full screen)
# else "vo=x11,sdl" => "vo=xv,directfb" in /etc/mplayer2/mplayer.conf
kernel.grsecurity.harden_ipc = 0
# Drastic. Reboot required to revert
# Prevents ecryptfs from working
#kernel.grsecurity.romount_protect = 1
## Disabled
kernel.grsecurity.dmesg = 0
kernel.grsecurity.deny_new_usb = 0
## Groups
#kernel.grsecurity.socket_all_gid = 1004
#kernel.grsecurity.socket_client_gid = 1003
#kernel.grsecurity.socket_server_gid = 1002
#kernel.grsecurity.audit_gid = 1007
kernel.grsecurity.tpe_gid = 1005
#kernel.grsecurity.symlinkown_gid = 1006
## Audit
#kernel.grsecurity.audit_group = 1
# Really verbose if enabled
kernel.grsecurity.audit_chdir = 0
kernel.grsecurity.audit_mount = 1
kernel.grsecurity.audit_ptrace = 1
## Logging
#kernel.grsecurity.exec_logging = 1
#kernel.grsecurity.rwxmap_logging = 1
kernel.grsecurity.signal_logging = 1
kernel.grsecurity.forkfail_logging = 1
kernel.grsecurity.timechange_logging = 1
#kernel.grsecurity.chroot_execlog = 1
#kernel.grsecurity.resource_logging = 1
# Test
kernel.grsecurity.disable_priv_io = 1
## Last parameter
# Drastic. Forbids any change to these parameters. Reboot required to change them again
#kernel.grsecurity.grsec_lock = 1
This configuration will be applied when the PC boots, or with:
sysctl -p /etc/sysctl.d/05-grsecurity.conf
Example of changing the configuration at runtime
Most problems are solved by lowering security as follows:
sysctl -w kernel.pax.softmode=1
sysctl -w kernel.grsecurity.tpe=0
No more sound? For a desktop PC: CONFIG_GRKERNSEC_SYSFS_RESTRICT=n
http://arunraghavan.net/2012/10/grsec-and-pulseaudio/
Links:
http://www.chromium.org/chromium-os/chromiumos-design-docs/system-hardening
http://en.wikibooks.org/wiki/Grsecurity/The_RBAC_System
http://linux.developpez.com/cours/securedeb/?page=annexe12
http://www.cs.virginia.edu/~jcg8f/GrsecuritySELinuxCaseStudy.pdf
http://www.cs.virginia.edu/~jcg8f/SELinux%20grsecurity%20paper.pdf
http://judepereira.com/blog/playing-with-grsecurity-a-brief-tutorial/
http://resources.infosecinstitute.com/gentoo-hardening-part-2-introduction-pax-grsecurity/
http://wiki.gentoo.org/wiki/Hardened/PaX_Quickstart
http://wiki.gentoo.org/wiki/Hardened/Grsecurity2_Quickstart
https://grsecurity.net/gracldoc.htm
Problems
Problem: Apache prefork fork bruteforce
See: https://serverfault.com/questions/460429/clone2-30-sec-delay-in-apache
Symptom: 30 seconds to get the HTTP response for a static file:
time curl http://localhost/robots.txt
dmesg or /var/log/kern.log logs
# dmesg
bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds. Please investigate the crash report for /usr/sbin/apache2[/usr/sbin/apach:49719] uid/euid:33/33 gid/egid:33/33, parent /usr/sbin/apache2[/usr/sbin/apach:52102] uid/euid:0/0 gid/egid:0/0
/var/log/apache2/error.log
[Thu Jan 17 11:31:03.452626 2019] [mpm_itk:error] [pid 53254] (12)Cannot allocate memory: fork: Unable to fork new process
[Thu Jan 17 12:07:55.121999 2019] [mpm_prefork:error] [pid 27073] (12)Cannot allocate memory: AH00159: fork: Unable to fork new process
[Thu Jan 17 12:07:55.516731 2019] [mpm_itk:error] [pid 60456] child died with signal 11
[Thu Jan 17 13:57:28.126583 2019] [mpm_itk:error] [pid 13856] (12)Cannot allocate memory: fork: Unable to fork new process
[Thu Jan 17 14:30:49.613734 2019] [mpm_itk:error] [pid 18798] (12)Cannot allocate memory: fork: Unable to fork new process
[Thu Jan 17 14:30:49.628835 2019] [mpm_itk:error] [pid 20078] (12)Cannot allocate memory: fork: Unable to fork new process
[Thu Jan 17 14:30:49.735962 2019] [mpm_itk:error] [pid 20018] (12)Cannot allocate memory: fork: Unable to fork new process
[Thu Jan 17 14:30:49.748244 2019] [mpm_itk:error] [pid 18798] (12)Cannot allocate memory: fork: Unable to fork new process
[Thu Jan 17 14:30:49.852928 2019] [mpm_itk:error] [pid 20073] (12)Cannot allocate memory: fork: Unable to fork new process
[Thu Jan 17 14:30:49.865209 2019] [mpm_itk:error] [pid 20018] (12)Cannot allocate memory: fork: Unable to fork new process
[Thu Jan 17 14:30:50.006418 2019] [mpm_itk:error] [pid 20078] (12)Cannot allocate memory: fork: Unable to fork new process
[crit] Memory allocation failed, aborting process.
Because Apache forks often and quickly, grsec takes this for a brute-force attempt
This is due to GRSecurity, and more precisely to the following kernel build option:
CONFIG_GRKERNSEC_BRUTE=y
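The kernel message quoted above names the process whose crash report it asks you to investigate, and the Apache error log above records a child dying on signal 11. A way to pull both facts out of the logs, as an added example (not from the original page); the function names are assumptions and the sample lines are constructed from the excerpts above:

```sh
#!/bin/sh
# Added example: spot grsecurity fork-stall events and the crashes behind them.
# Function names are hypothetical; sample lines are constructed from the log
# excerpts shown on this page.

# Kernel log on stdin -> one "binary pid uid" line per brute-force stall.
grsec_brute_events() {
    sed -n -E 's@.*bruteforce prevention initiated.*crash report for ([^[]+)\[[^]:]*:([0-9]+)\] uid/euid:([0-9]+)/.*@\1 \2 \3@p'
}

# Apache error.log on stdin -> "pid signal" for every child killed by a signal.
apache_child_crashes() {
    sed -n -E 's@.*\[pid ([0-9]+)\] child died with signal ([0-9]+).*@\1 \2@p'
}

# Kernel log on stdin -> "count binary" per stalled binary, most frequent first.
grsec_brute_summary() {
    grsec_brute_events |
        awk '{ n[$1]++ } END { for (b in n) print n[b], b }' |
        sort -rn
}

# Constructed sample input (second kernel line is unrelated noise).
SAMPLE_KERN='bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds. Please investigate the crash report for /usr/sbin/apache2[/usr/sbin/apach:49719] uid/euid:33/33 gid/egid:33/33, parent /usr/sbin/apache2[/usr/sbin/apach:52102] uid/euid:0/0 gid/egid:0/0
constructed unrelated kernel line'

SAMPLE_APACHE='[Thu Jan 17 12:07:55.121999 2019] [mpm_prefork:error] [pid 27073] (12)Cannot allocate memory: AH00159: fork: Unable to fork new process
[Thu Jan 17 12:07:55.516731 2019] [mpm_itk:error] [pid 60456] child died with signal 11'

printf '%s\n' "$SAMPLE_KERN" | grsec_brute_events
printf '%s\n' "$SAMPLE_APACHE" | apache_child_crashes
```

On a live host, feed the functions from dmesg or /var/log/kern.log and from /var/log/apache2/error.log.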
Possible solutions:
- Switch Apache to worker mode instead of prefork
- Disable grsec
- Change the Apache configuration so that it forks less
- Stopgap maintenance: watchdog (to be tested)
/etc/apache2/mods-available/mpm_prefork.conf
<IfModule mpm_prefork_module>
#StartServers 5
StartServers 140
#MinSpareServers 5
MinSpareServers 20
#MaxSpareServers 10
MaxSpareServers 30
MaxClients 150
MaxRequestsPerChild 0
</IfModule>
Watchdog attempt via crontab, every minute
/usr/local/bin/fix_apache_grkernsecbrut.sh
#! /bin/bash
# The --resolve port must match the URL's port (80 for http://), otherwise the entry is ignored
curl --resolve www.acme.fr:80:127.0.0.1 --max-time 10 --connect-timeout 10 http://www.acme.fr/robots.txt >/dev/null 2>&1
# curl exit code 28 = operation timed out
if [[ $? == 28 ]]
then
# $0 is a full path here, so keep only the script name for the log file
date >> "/root/$(basename "$0").log"
/usr/sbin/apachectl graceful &
fi
Compiling OpenCV on Debian
See also:
- skimage is an alternative to OpenCV
- YOLO (Python)
Compiling and installing OpenCV 3.3.0 on Debian 9
Prerequisites
sudo apt-get update
sudo apt-get install -y build-essential
sudo apt-get install -y cmake git libgtk2.0-dev pkg-config libavcodec-dev libavformat-dev libswscale-dev
sudo apt-get install -y python-dev python-numpy libtbb2 libtbb-dev libjpeg-dev libpng-dev libtiff-dev libdc1394-22-dev
sudo apt-get -y install unzip
# For building the .deb
sudo apt-get install -y fakeroot checkinstall
Downloading the sources
mkdir ~/src
cd ~/src
wget https://github.com/opencv/opencv/archive/3.3.0.zip
unzip 3.3.0.zip
Not needed if -DWITH_IPP=OFF is set as a build option
mkdir -p ~/src/opencv-3.3.0/3rdparty/ippicv/downloads/linux-8b449a536a2157bcad08a2b9f266828b/
cd !$
export https_proxy=http://192.168.56.1:3128
wget https://sourceforge.net/projects/opencvlibrary/files/3rdparty/ippicv/ippicv_linux_20141027.tgz
Compilation
cd ~/src/opencv-3.3.0/cmake
#cmake -DWITH_CUDA=OFF -DWITH_QT=OFF -DWITH_OPENGL=OFF -DFORCE_VTK=ON -DWITH_TBB=ON -DWITH_GDAL=ON -DWITH_XINE=ON -DBUILD_EXAMPLES=ON -DENABLE_PRECOMPILED_HEADERS=OFF ..
#cmake -DCMAKE_INSTALL_PREFIX=/usr/lib/opencv3.0 -DWITH_FFMPEG=OFF -DWITH_IPP=OFF -DWITH_CUDA=OFF -DWITH_QT=OFF -DWITH_OPENGL=OFF -DFORCE_VTK=ON -DWITH_TBB=ON -DWITH_GDAL=ON -DWITH_XINE=ON -DBUILD_EXAMPLES=ON -DENABLE_PRECOMPILED_HEADERS=OFF ..
cmake -DBUILD_TIFF=ON \
      -DBUILD_opencv_java=OFF \
      -DBUILD_SHARED_LIBS=ON \
      -DBUILD_EXAMPLES=OFF \
      -DBUILD_TESTS=OFF \
      -DBUILD_PERF_TESTS=OFF \
      -DWITH_CUDA=ON \
      -DCUDA_TOOLKIT_ROOT_DIR=/usr/local/cuda-8.0 \
      -DCUDA_ARCH_BIN='3.0 3.5 5.0 6.0 6.2' \
      -DCUDA_ARCH_PTX="" \
      -DCPU_DISPATCH=AVX,AVX2 \
      -DENABLE_PRECOMPILED_HEADERS=OFF \
      -DWITH_OPENGL=OFF \
      -DWITH_OPENCL=OFF \
      -DWITH_QT=OFF \
      -DWITH_IPP=ON \
      -DWITH_TBB=ON \
      -DFORCE_VTK=ON \
      -DWITH_EIGEN=ON \
      -DWITH_V4L=ON \
      -DWITH_XINE=ON \
      -DWITH_GDAL=ON \
      -DWITH_1394=OFF \
      -DWITH_FFMPEG=OFF \
      -DBUILD_PROTOBUF=OFF \
      -DCMAKE_BUILD_TYPE=RELEASE \
      -DCMAKE_INSTALL_PREFIX=/usr/lib/opencv3.3 \
      ..
make -j $(nproc)
Installation
sudo make install
Creating a Debian package with checkinstall
cat >description-pak <<EOF
libopencv
This package contains the header files and static library needed to compile
applications that use OpenCV (Open Computer Vision) core.
.
The Open Computer Vision Library is a collection of algorithms and sample
code for various computer vision problems. The library is compatible with
IPL (Intel's Image Processing Library) and, if available, can use IPP
(Intel's Integrated Performance Primitives) for better performance.
.
OpenCV provides low level portable data types and operators, and a set
of high level functionalities for video acquisition, image processing and
analysis, structural analysis, motion analysis and object tracking, object
recognition, camera calibration and 3D reconstruction.
EOF
echo |fakeroot checkinstall --install=no \
      --strip \
      --stripso \
      --addso \
      --exclude '/home' \
      --gzman \
      --reset-uids \
      --maintainer 'ACME SAS \<root@acme.fr\>' \
      --pkglicense 'Copyright' \
      --pkgname opencv-all3.3 \
      --pkgrelease 1 \
      --pkgversion 3.3.0 \
      --pkgsource 'https://github.com/opencv/opencv/archive/3.3.0.zip'
TODO: ldconfig
Example
- DEBIAN/shlibs
libcudnn 7 libcudnn7
See http://man7.org/linux/man-pages/man5/deb-shlibs.5.html
- DEBIAN/triggers
# Triggers added by dh_makeshlibs/11.1.6ubuntu2
activate-noawait ldconfig
See: https://manpages.debian.org/unstable/dpkg-dev/deb-triggers.5.fr.html
