Debian Linux 8, Jessie, Managing and Troubleshooting Memory Consumption

I ran into some issues running Debian 8.6 on Hyper-V recently – my VM would run out of memory, run through a series of activities kill processes to try and self-heal and then, eventually, lock up entirely.

On reviewing the syslog I started to understand what was going on – the system was running out of memory:

sudo cat /var/log/syslog | grep memory

It looked as if, for whatever reason, wfica (the Citrix Receiver Client) couldn’t be “completely” killed to free-up memory; once killed more processes seemed to spawn which in turn would be killed, leading to more processes. Eventually more important system processes were killed to try and free-up memory:

Sep 30 11:42:15 debian kernel: [55556.844790]  [<ffffffff81142f43>] ? out_of_memory+0x473/0x4b0
Sep 30 11:42:15 debian kernel: [55556.844978] Out of memory: Kill process 9405 (clamd) score 72 or sacrifice child
Sep 30 11:52:15 debian kernel: [56156.791644]  [<ffffffff81142f43>] ? out_of_memory+0x473/0x4b0
Sep 30 11:52:15 debian kernel: [56156.791823] Out of memory: Kill process 8831 (wfica) score 30 or sacrifice child
Sep 30 11:52:15 debian kernel: [56156.792333]  [<ffffffff81142f43>] ? out_of_memory+0x473/0x4b0
Sep 30 11:52:15 debian kernel: [56156.792498] Out of memory: Kill process 8834 (threaded-ml) score 30 or sacrifice child
Sep 30 12:02:16 debian kernel: [56757.847752]  [<ffffffff81142f43>] ? out_of_memory+0x473/0x4b0
Sep 30 12:02:16 debian kernel: [56757.848397] Out of memory: Kill process 8853 (wfica) score 31 or sacrifice child
[...]
[...] # many more wfica processes killed, different PIDs
[...]
process 9238 (wfica) score 45 or sacrifice child
Sep 30 13:52:39 debian kernel: [63381.448595]  [<ffffffff81142f43>] ? out_of_memory+0x473/0x4b0
Sep 30 13:52:39 debian kernel: [63381.448762] Out of memory: Kill process 1147 (dropbox) score 18 or sacrifice child
Sep 30 13:53:17 debian kernel: [63419.152094]  [<ffffffff81142f43>] ? out_of_memory+0x473/0x4b0
Sep 30 13:53:17 debian kernel: [63419.152256] Out of memory: Kill process 8655 (shutter) score 10 or sacrifice child
Sep 30 13:53:21 debian kernel: [63423.078535]  [<ffffffff81142f43>] ? out_of_memory+0x473/0x4b0
Sep 30 13:53:21 debian kernel: [63423.078699] Out of memory: Kill process 1071 (Xvnc) score 10 or sacrifice child
Sep 30 13:57:26 debian kernel: [63666.800723]  [<ffffffff81142f43>] ? out_of_memory+0x473/0x4b0
Sep 30 13:57:26 debian kernel: [63666.800914] Out of memory: Kill process 852 (lightdm-gtk-gre) score 3 or sacrifice child
Sep 30 13:57:26 debian kernel: [63666.820658]  [<ffffffff81142f43>] ? out_of_memory+0x473/0x4b0
Sep 30 13:57:26 debian kernel: [63666.820787] Out of memory: Kill process 581 (Xorg) score 2 or sacrifice child
Sep 30 13:57:26 debian kernel: [63668.058072]  [<ffffffff81142f43>] ? out_of_memory+0x473/0x4b0
Sep 30 13:57:26 debian kernel: [63668.058324] Out of memory: Kill process 501 (freshclam) score 0 or sacrifice child
Sep 30 13:57:26 debian kernel: [63668.065610]  [<ffffffff81142f43>] ? out_of_memory+0x473/0x4b0
Sep 30 13:57:27 debian kernel: [63668.065906] Out of memory: Kill process 3727 (AuthManagerDaem) score 0 or sacrifice child
Sep 30 13:57:29 debian kernel: [63668.256015]  [<ffffffff81142f43>] ? out_of_memory+0x473/0x4b0
Sep 30 13:57:29 debian kernel: [63668.256217] Out of memory: Kill process 9143 (AuthManagerDaem) score 0 or sacrifice child
Sep 30 13:57:29 debian kernel: [63668.872898]  [<ffffffff81142f43>] ? out_of_memory+0x473/0x4b0
Sep 30 13:57:30 debian kernel: [63668.873008] Out of memory: Kill process 192 (systemd-journal) score 0 or sacrifice child
Sep 30 13:57:30 debian kernel: [63669.939297]  [<ffffffff81142f43>] ? out_of_memory+0x473/0x4b0
Sep 30 13:57:30 debian kernel: [63669.939437] Out of memory: Kill process 552 (polkitd) score 0 or sacrifice child
Sep 30 13:57:30 debian kernel: [63669.943290]  [<ffffffff81142f43>] ? out_of_memory+0x473/0x4b0
Sep 30 13:57:30 debian kernel: [63669.943387] Out of memory: Kill process 502 (NetworkManager) score 0 or sacrifice child

This got me thinking, coming from a Windows background, about how to monitor / review consumption of resources.

To view memory consumption, by process, sorted high > low:

top -o %MEM

Review syslog for out of memory events:

sudo cat /var/log/syslog | grep memory

To view virtual memory consumption:

vmstat

To view CPU utilisation, by process, sorted high > low:

top -o %CPU

To view disk utilisation:

sudo apt-get install sysstat
iostat -d #for physical disks
iostat -N #for LVM

[more to come]

Debian 8, Jessie, Installing Citrix Receiver

Download the Citrix Receiver Client from here: https://www.citrix.com/downloads/citrix-receiver/linux/receiver-for-linux-latest.html

Now install the client using the commands:

sudo dpkg -i ~/Downloads/icaclient_*.deb ctxusb_*.deb
sudo apt-get -f install # Install missing depends.

Next, configure the client:

sudo /opt/Citrix/ICAClient/util/configmgr &

Without executing this command I would get a brief pop-up and then the Citrix client would simply disappear – no errors were displayed.

Using FireFox? Check here for specific instructions: https://help.ubuntu.com/community/CitrixICAClientHowTo#A7._.2864-bit_only.29_Fix_Firefox_plugin_installation

SSL configuration for GlobalSign SSL (if you’re using a different CA you can skip this / retrofit to meet your needs).

Download GlobalSign Root CA crt files from: https://support.globalsign.com/customer/en/portal/articles/1426602-globalsign-root-certificates

wget https://secure.globalsign.net/cacert/Root-R1.crt
wget https://secure.globalsign.net/cacert/Root-R2.crt
wget https://secure.globalsign.net/cacert/Root-R3.crt

Convert to PEM format using openSSL:

openssl x509 -inform DER -in Root-R1.crt -out Root-R1.pem -outform PEM
openssl x509 -inform DER -in Root-R2.crt -out Root-R2.pem -outform PEM
openssl x509 -inform DER -in Root-R3.crt -out Root-R3.pem -outform PEM

Copy these to: /opt/Citrix/ICAClient/keystore/cacerts

sudo cp *.pem /opt/Citrix/ICAClient/keystore/cacerts/

Rehash the ICA Client certificates:

sudo c_rehash /opt/Citrix/ICAClient/keystore/cacerts/

Citrix “official” instruction are available here: http://docs.citrix.com/en-us/receiver/linux/13/linux-secure-wrapper/linux-secure-connect-secure-gateway-ssl-relay.html

If you get SSL Error 61 :: “Contact your help desk with the following information: You have not chosen to trust “GlobalSign RootCA”, the issuer of the server’s security certificate (SSL error 61).”

citrix-receiver_001

You haven’t imported / rehashed the necessary SSL certificates for your servers certificate.

Microsoft Local Administrator Password Solution (LAPS)

Managing local Administrator passwords on computers can be painful, especially in a large estate. Good practice is for each device to have its own, unique, local Administrator password to stop “lateral movement” of malware / reduce risk – in practice, few organisations actually achieve this.

I recently came across a Microsoft solution geared towards addressing  this problem – the Local Admin Password Solution:

The “Local Administrator Password Solution” (LAPS) provides management of local account passwords of domain joined computers. Passwords are stored in Active Directory (AD) and protected by ACL, so only eligible users can read it or request its reset.

In terms of supported operating systems, at time of writing requirements are very flexible in respect of DCs and target Operating Systems:

Active Directory:
> Windows 2003 SP1 and above

Managed machines:
> Windows Vista with current SP or above; x86 or x64
> Windows 2003 with current SP and above; x86 or x64 (Itanium not supported)

For more information, and, to download the tool itself click here: https://www.microsoft.com/en-us/download/details.aspx?id=46899

ConfigMgr : Adding KMDF 1.11 (KB2685811) to Build and Capture Taks Sequences

Download the KMDF 1.11 driver for X86 and X64 architectures using this link: https://support.microsoft.com/en-us/kb/2685811

Extract the MSU files using the commands:

mkdir C:\Temp
mkdir C:\Temp\Windows6.1-KB2685811-x86\"
mkdir C:\Temp\Windows6.1-KB2685811-x64\"

expand –f:* kmdf-1.11-Win-6.1-x86.msu "C:\\Temp\Windows6.1-KB2685811-x86\\"
expand –f:* kmdf-1.11-Win-6.1-x64.msu "C:\\Temp\\Windows6.1-KB2685811-x64\\"

Create a ConfigMgr package (not Application) as indictaed below:

Package name: Microsoft KMDF 1.11 Hotfix

Folder structure / contents:
\X86\Windows6.1-KB2685811-x86.cab (extracted from downloaded MSU, as above)
\X64\Windows6.1-KB2685811-x64.cab (extracted from downloaded MSU, as above)

Ensure content for this package is distributed to all of your DPs prior to continuing.

Now we will modify your “Build and Capture” Task Sequence.

Create a new folder/ group just prior to the “Setup Windows and Configuratipn Manager” task:

kmdf

Below, I have detailed actions for x64 architecture, replace X64 with X86 for 32-bit.

This group will contain two actions:

Run Command Line: Create Temp Folder
Command: cmd.exe /c mkdir %OSDSystemDrive%\Temp
Package: No Package

Run Command Line: Inject KMDF 1.11 x64
Command: cmd.exe /c X:\windows\system32\dism.exe /ScratchDir:%OSDSystemDrive%\Temp /Image:%OSDSystemDrive%\ /Add-Package /PackagePath:%_SMSTSMDataPath%\Packages\M010038D\X64\Windows6.1-KB2685811-x64.cab
Package: Microsoft KMDF 1.11 Hotfix

This driver will now be injected automatically everytime you re-create your master image via the Buld and Capture Task Sequence.

Debian 8, Jessie, Configuring a Static IPv4 Address

If you’re enabling RDP support, or other services on a Debian Linux machine that you want to connect to from a remote device, a static IP is an obvious requirement (be-that, ideally, a DHCP reservation or manually configured IP).

Considering I couldn’t opt for a DHCP reservation for my home set-up (long story) I went for a manually configured IP address, using the commands / configuration files below.

Edit /etc/network/interfaces:

sudo vi /etc/network/interfaces

   auto eth0
    iface eth0 inet static
        address 192.168.1.249
        netmask 255.255.255.0
        gateway 192.168.1.1

Edit resolv.conf:

sudo vi /etc/resolv.conf 

   nameserver 192.168.1.1

I found that after this change, in order for Network Manager to “release” control of the interface, I had to restart the device – I’m sure there is a better solution, let me know if you find one…

Debian 8, Jessie, Middle-Button Scrolling in Firefox

One annoyance I’ve had since using Debian 8 / Firefox was that every time I pressed the middle-mouse button and tried to scroll on a web page I’d get a new page load, or nothing would happen.

This was a Firefox-specific issue, that can be resolved by configuring as below in about:config:

Setting: general.autoScroll
Set to: True

Setting: middlemouse.contentLoadURL
Set to: False

Internet Privacy : Is this even possible?!

I’ll be clear from the off-set here, anonymity is not my aim, but my  privacy is. I am happy to be held accountable for my actions, for my bank to know my purchases and to have a presence on LinkedIn and other such sites.

My aim is however simple, I don’t want “various companies” (such as Facebook) mining my data and/or sharing it and in effect using it to target me with products and services or to “profile” me. At the very least, I’d like to make it harder for them to do this.

I’ll state, for the record, I am in no way affiliated with any company listed within this article – there is no sponsorship or similar going on here.

Be aware, much of “the solution” involves you changing how you consume Internet-based services. Start thinking about one thing, when a service or product is free consider how you might actually be paying for it – in some cases the provider is privacy aware and has a robust privacy policy in-place, in other cases this is simply not true, and in-fact flies against the commercial model of the product or service. Continue reading “Internet Privacy : Is this even possible?!”

Debian 8, Jessie, Installing Sudo

I was surprised to find that sudo was not installed by default on Debian 8 as it is with Ubuntu. You can debate whether the root account should, or should not be enabled however, I would recommend the use of sudo for audit logging the use of elevated privileges.

Install sudo itself using the command:

apt-get install sudo

Now add your personal account to the sudo group

adduser <username> sudo

You’ll need to either logoff or reload your groups.

Should you chose to disable the root account itself, use the following commands:

sudo passwd -l root
usermod --expiredate 1

Debian 8, Jessie, Firefox Locked Preferences

Firefox has recently become my go-to browser of choice, not becuase of speed, but because of privacy – more to come on this subject at a later time.

Having established a configuration I am happy with – following guides on sites such as privacytools.io – I like to be sure no add-ons or Firefox updates can reset the configuration, so I opt for locked preferences. More information from Mozilla on this here.

To lock preferences on Debian, you’ll need to create two files as outlined in the Mozilla article – mozilla.cfg and local-settings.js.

mozilla.cfg

//
lockPref("privacy.trackingprotection.enabled", true);
lockPref("geo.enabled", false);
lockPref("browser.safebrowsing.enabled", false);
lockPref("browser.safebrowsing.malware.enabled", false);
lockPref("browser.safebrowsing.downloads.enabled", false);
lockPref("dom.event.clipboardevents.enabled", false);
lockPref("network.cookie.cookieBehavior", 1);
lockPref("network.cookie.lifetimePolicy", 2);
lockPref("browser.cache.offline.enable", false);
lockPref("browser.send_pings", false);
lockPref("webgl.disabled",true);
lockPref("dom.battery.enabled", false);
lockPref("browser.sessionstore.max_tabs_undo", 0);
lockPref("media.peerconnection.enabled", false);
lockPref("media.peerconnection.turn.disable", true);
lockPref("media.peerconnection.use_document_iceservers", false);
lockPref("media.peerconnection.video.enabled", false);
lockPref("media.peerconnection.identity.timeout", 1);
lockPref("browser.search.suggest.enabled", false);
lockPref("datareporting.healthreport.service.enabled", false);
lockPref("datareporting.healthreport.uploadEnabled", false);
lockPref("signon.rememberSignons", false);

local-settings.js

pref("general.config.obscure_value", 0);
pref("general.config.filename", "mozilla.cfg");

Now copy these files to the required directories, close and open Firefox.

cp mozilla.cfg /usr/lib/firefox-esr/
cp local-settings.js /usr/lib/firefox-esr/defaults/pref/

 

Debian 8, Jessie, Enable RDP Server

As an avid, die-hard Windows user I struggle to make the move to VNC considering how fast RDP is in comparison. When I discovered it was possible to enable RDP support on Debian, I quickly set-to.

Install XRDP on Debian

This wil both install and configure XRDP:

sudo apt-get install xrdp

Fix Key-Mapping Issues

There is one “bug” with key-mapping that requires a custom key-map file to be used with XRDP specifically, the below is for en-GB / UK keyboards – save the below as km-0809.ini – see last step after text file contents!

Continue reading “Debian 8, Jessie, Enable RDP Server”