SSH access with passwordless keyfile

I want to be able to access my Raspberry Pi Cluster and log onto any node without entering a password. To do this I can set up as passwordless SSH key.

Generating a SSH Key

To generate a SSH key you can use the command ssh-keygen. Once you have ran this you will get the below command output.

chewett@bunker-master:/tmp$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/chewett/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/chewett/.ssh/id_rsa.
Your public key has been saved in /home/chewett/.ssh/id_rsa.pub.
The key fingerprint is:
08:da:bf:3b:40:60:19:62:a8:97:10:77:e1:c9:93:d8 chewett@bunker-master
The key's randomart image is:
+---[RSA 2048]----+
|+oooo.           |
|+o+* o           |
|.o.oE            |
|. oo.o .         |
| .... . S        |
|    ..           |
|     ..          |
|      ..         |
|      oo         |
+-----------------+

 

During this command you can choose where the store the key files and what passphrase you want to secure the key with. For this I have not set a passphrase so I don’t need to enter it when logging into my cluster.

Once I have ran this command it will generate a public and private key. This private key is used in combination with the public key to authenticate yourself. I will install the public key on any machine that I want to login to and it will give access via the private key. As suggested by the name the public key can be installed on all your machines and the private one should be kept private.

Installing the public key

Once you have generated your public key you need to copy it to all the machines you want to access it on. To install it you need to add it  into the authorized_keys file. This is located in ~/.ssh/authorized_keys. You can copy your public key to the machine and install it using.

scp  /home/chewett/.ssh/id_rsa.pub bunker-master:~/
ssh bunker-master
mkdir ~/.ssh/
cat id_rs.pub >> ~/.ssh/authorized_keys

The first line copies the public key to the machine. Once this has been done you can login to the remote server (second line). If the ~/.ssh/ directory does not exist it can be created with mkdir. Using cat you can then echo your public key and append it to the authorized_keys file. We want to ensure we append to this file using >>. This is because if the file exists we want to add your public key and not lose the other lines in this file.

Logging in with the SSH key

Now  we  have installed the SSH public key we can login to the machine using

ssh -i ~/.ssh/id_rsa bunker-master

Using the -i flag you can specify which key file you want to use to ssh into the host. If you don’t want to enter this each time you can specify this in your SSH config file. This file should be found, or created, in ~/.ssh/config

Host bunker-master
 HostName 192.168.0.5
 User chewett
 IdentityFile ~/.ssh/id_rsa

The format for the file is above. Host is the name you want to refer to the machine as. HostName is the IP or hostname of the machine that will be used to SSH to. User can be specified to set the username used to SSH in and IdentityFile will specify the keyfile you want to use when logging.

If I set my config file up as above, all I would need to do so is type ssh bunker-master and this would effectively run ssh -i ~/.ssh/id_rsa chewett@192.168.0.5. The first being much shorter.

In addition to being able to specify all the options in the config file, using a keyfile means you don’t need to enter your password. Since I didn’t enter a password for my keyfile entering ssh bunker-master will automatically ssh into the host and log me in.

Once I have installed this on all of my nodes I will be able to SSH into any one of them without needing a password. Performing this will be important for automatically running commands on the nodes.

Powering a Raspberry Pi Cluster

The Raspberry Pi doesn’t come with its own power supply so you need to decide how to power it.

The recommendation from the Raspberry Pi website is that they have “found that purchasing a 2.5A power supply from a reputable retailer will provide you with ample power to run your Raspberry Pi”. After doing some research online it appears that most newer Raspberry Pi’s will draw about an amp at full load.

Actually its relatively easy to find a power supply for Raspberry Pi. This is because you can power the Pi by a standard 5 volt Micro USB port. These requirements are similar to most mobile phones and tablets. This means that a standard mobile charger with a USB connector should power the Pi.

If you don’t want to use a phone charger you can buy a specific Raspberry Pi power supply. There a number of these online designed for the Raspberry Pi.

Why I wont be using standard chargers

Using a single charger works well for a single Pi but running 5+ will become messy with wires. I wanted something to power my Pi which would only require one power socket and power multiple Pi’s at the same time.

One of the main requirements is that whatever I am going to use should be able to provide enough current to run multiple Raspberry Pi’s.

How to power Multiple Pi’s then?

I spent some time researching the power requirements of a Raspberry Pi. It is generally agreed on that at full load they can require about an amp of power. I finally decided on purchasing the Anker PowerPort 10 to run the cluster.

The Anker PowerPort 10 is designed as a high speed charger and is able to deliver 12 amps of power across its 10 USB ports. This has a maximum of 2.5 amps on any one USB port which is more than plenty for any one Pi.

This charger is one of the more powerful ones available and should be enough to power my cluster at full load. It was important to purchase a reputable brand as cheaper chargers can have noisy power lines. This can affect the operation of the device attached and at worst case damage them.

One of the features I like about the Anker power supply is the switch at the back. This means that to turn off the USB ports I wont need to access the power socket switch. This is important as I plan to tuck away the cabling to make the cluster have a clean interface.

 

Create a Samba Share on Raspberry Pi Cluster

Something I want to do with my Raspberry Pi Cluster is mount a hard drive and share it like a windows share. To do this I am going to set up Samba on a Raspberry Pi.

Installing the required packages

To run samba as a service we need to install a couple packages. Running the following command will install what you need.

sudo apt-get install samba samba-common-bin

Configuring Samba

To modify samba configuration on a Raspberry Pi you can use its config file. This file is located /etc/samba/smb.conf once you have installed the appropiate packages. To set up samba to be liking I am going to modify and add a couple lines to the base settings.

The workgroup setting defines which workgroup the user you will be logging in as will need. By default the setting is WORKGROUP but this can be changed to anything required. Here im going to change the workgroup to “bunker”.

workgroup = BUNKER #customize the workgroup

To ensure that only logged in users are able to access the shares I have set the security level to “user”. This method of security validates against samba user accounts and is the most basic level.

security = user #ensure security level is user only

The default samba settings will expose the  logged in users home directory however it will not be writeable. By changing “read only” to no this will allow editing the users home directory

[homes]
read only = no  #allow writing of home dir

Setting up a share folder

To finally set up the share folder you need to add in the details of the share. Again this is modifying the samba config file as above. Below is an example share folder configuration and an explanation of some of the settings.

[BUNKER1]
comment = Bunker Node1 Share
path = /usr/local/bunker
valid users = @samba
force group = samba
create mask = 0660
directory mask = 0771
read only = no
  • [BUNKER1] is the name that windows will assign to the folder
  • comment is used in some programs to describe the share
  • path is the local path on the Raspberry Pi that the share will be exposing
  • valid users lists all valid users which can be a single user, or list of usernames. Here I have used “@samba” to allow all users of the group “samba” to access the share
  • force group will force the accessing user to read files as that group. This can be used to determine what the user can access or do.
  • create mask is used to apply a bitwise and to the generated permissions. 0660 ensures files are not accessibly by any user, this applies to create files
  • directory mask works similarly to the above but applies to created directories. Here I am setting it to 0771 to ensure all directories are executable (browsable)
  • read only sets whether you are only allowed to write/delete the files

Configuring users to access samba

Once you have set up samba with the above settings you need to add a user to be able to access samba. Since I have set my folder to require the samba group I can add it to my user by running

sudo groupadd samba
sudo usermod -aG samba chewett
sudo smbpasswd -a chewett

By default Raspbian has no samba group so it needs to be created therefore the first command creates one. The second command then adds the “samba” group to the user account “chewett”. The third command will set the samba password for the same user account. This will let the user chewett access samba.

Now we need to restart samba so that config takes effect.

sudo /etc/init.d/samba restart

Accessing Samba from windows

Now you should be able to access samba from windows by going to \\hostname\ . Here the hostname is bunker-node1 so I access it by going to \\bunker-node1

Browsing via samba to my raspberry pi host “bunker-node1”

Once I have entered the hostname and selected a folder will present a login prompt asking for a username and password. If your computer is on the same workgroup as the samba config you will just need to enter the username and password. If they are running on different work groups you will need to enter workgroup\username as the username. In this case I need to enter bunker\chewett as bunker is the workgroup and chewett is the username.

Logging into the samba share with login details bunker\chewett

Now I have access to my raspberry pi files on windows. I can expand this by adding more folders to the samba config I can mount external drives and have them accessible on the windows network.

 

 

Installing Raspbian onto a Raspberry Pi

Here I suggest some recommended steps to install Raspbian on top of their install guide.

Choosing an OS for the Raspberry Pi

One of the main ways to install a Raspberry Pi OS is to download a disk image called NOOBS. This lets you choose to easily install a number of different OS’s. If you want to try a variety of OS’s or are unsure of what you want to install I recommend this. You can follow the guide below to burn this image to a memory stick.

I decided to install Raspbian Jessie with PIXEL instead of NOOBS. This is because I wanted a fully featured Debian derivative (which is what Raspbian is) installed.

Burning the Image to a SD Card

Now we need to burn the image to the SD card, this is going to explain what you need to do if you are using windows. If you are using Linux/Mac OS I assume you know what you are doing. If you are using windows you first need to unzip the OS image so you have the the .img file available.

Once you have downloaded and unzipped the image you need to burn it, you can do this with win32 Disk Imager. Selecting the image and SD drive and pressing write will burn the OS to the SD card.

Now you can put the SD card into the Raspberry Pi and turn it on.

After Installing Raspbian

When you have installed Raspbian you will want to perform a few bits of basic maintenance.

Changing the user password

The default username for the pi is pi and the default password is raspberry . This can be used to login to your pi but it is recommended that this is changed immediately. You can change the password of the current user by entering

passwd

Changing the hostname

Since I am planning to run multiple Raspberry Pi’s I need to change the hostname. The default hostname is raspberrypi which you can use to connect to it via ssh. However to change this you can modify the /etc/hosts file on the Raspberry Pi.  You can modify this by running the following command.

sudo nano /etc/hosts

Updating the Pi

The Raspbian images are created every now and then so are not going to be fully up to date. You can update the pi by running the following two commands

sudo apt-get update
sudo apt-get upgrade

Running these commands you will update the catalogue of packages and then upgrade any of them which are outdated.

Final words

These are some basic steps to install and set up a Raspberry Pi Raspbian install. As I find more steps that I want to perform each time I install Raspbian I will update this blogpost. If you have any questions feel free to ask in the comments.

Let’s Encrypt Auto SSL on Web Host Manager CPanel Server

This blog post describes how to set up free SSL certificates on a Web Host Manager CPanel server. This requires root access to the server, if you don’t have access to this then you must ask your service provider to install it for you.

What is Let’s Encrypt?

Let’s Encrypt is in their own words “free, automated, and open Certificate Authority” providing free SSL certificates to anyone who wants to use their services. The only requirement to obtain a certificate from them is to prove you own the domain. This service is backed by some of the big web companies including Google and Facebook so has a large technical group behind it.

Many SSL certificate providers do this through a convoluted process of manually adding DNS records or replying to emails found via DNS. Instead of having to do this you confirm your ownership by the newly developed ACME protocol.

One of the ways you can verify your domain is using an ACME client such as certbot. I wont be using that today as I wanted an automatic solution that worked with the CPanel servers I manage.

Let’s Encrypt with CPanel

To automatically install SSL certificates  CPanel provide an AutoSSL facility. By default doesn’t provide Lets Encrypt SSL Certificates but they can be enabled easily enough.

If you log into your server as root you can install the Let’s Encrypt Auto SSL module by running the following command:

  1. /scripts/install_lets_encrypt_autossl_provider

Once you have run this CPanel should now let you select Let’s Encrypt as your Auto SSL provider!

The developers of CPanel are testing this and is likely to be rolled out in the future. However at the moment you need to install it manually. More information can be found in their blog post.

Stacking multiple Raspberry Pi’s

For the Raspberry Pi cluster I wanted to make sure that they are neatly stored to keep them easy to reach.

Why nicely storing them is important

Each Raspberry Pi requires a power and network cable. When using a single raspberry pi the cables are not an issue but I am planning to use five as a baseline for my cluster. These cables can quickly start to become messy and make the cluster hard to reach.

Stacking the Raspberry Pi’s

Therefore I have selected a solution that would allow me to stack the Raspberry Pi’s on top of each other.

Image taken from aliexpress where I purchased the item from

This case allows excess heat to be vented through the sides which many case designs do not account for. Since I plan to be using the Pi’s extensively they will likely be running quite hot.

I plan to stack six raspberry Pi’s on top of each other so I have purchased three of these (two stacked) products.

VCHI initialization failed Raspberry Pi Fixed

vcgencmd get_mem arm VCHI initialization failed
Example showing VCHI initialization failed error

If when running vcgencmd on a raspberry pi you get VCHI initialization failed then you need to add the video group to your user. The vcgencmd tool requires you have this group role so without it, it will give VCHI initialization failed.

To add the user group to your user you can run:

sudo usermod -aG video <username>

Where <username> is the user you want to run the vcgencmd command with. This command adds the video group to the the user you specify.

Once you have ran the command any new logins will run the command successfully. Logging out and back into the pi will let you use the command.

Why this problem occurs

This issue happens when you try and use the vcgencmd command with a user that isn’t a member of the video group. This typically happens when you create a new user for the raspberry pi and don’t give it the same groups that the pi user has.

The solution above fixes this by adding the correct video group to the created user.