Google Authenticator Server - Proof of concept | VMware Horizon View or Identity Manager


Update 10/2017:  Since starting this project I was informed that such a thing already existed, so I will not be moving forward with this. You can use LinOTP in your enterprise environment.


As a continuation of my previous post I wanted to see if I could build a simple server to allow users to generate Google Authenticator keys and authenticate to Horizon View. After some research I was finally able to get a 'functional' server up and running that is easily deployable.

Now, going forward, please realize, as I said before, that this is a PROOF OF CONCEPT. You should not deploy this in your production environment, you have been warned (see the notes at the end of this page); however, if you want something to mess around with to build your own, here you go.

To begin you are going to need an Ubuntu server; see my original posts Part1 and Part2 to get a working Ubuntu server in your environment. (Make the username gauth, as it will make running the config scripts easier.)

Once you have your Ubuntu server up and running you will need to download the Gauth server package I have put on Google Drive HERE.

Download the Gauth.zip file and upload it to the /tmp/ directory on your server (I prefer FileZilla, but you can use whatever you want).

Once you have the Gauth.zip file on your server, open PuTTY (or whatever terminal app you use) and connect to the server.

Run the following commands (this assumes you created your username as gauth; if not, change the chown line to your username). ntpdate is run before ntpd is installed, because ntpdate refuses to run while ntpd holds the NTP socket, and the clock must be right or every time-based code will be rejected. Gauth.zip is assumed to unpack to radius.zip and Gauth-1.0.war.zip in /tmp:

sudo su
cd /tmp/
mkdir /opt/gauth
chown gauth /opt/gauth
apt-get update
apt-get install unzip -y
apt-get install tomcat8 -y
apt-get install ntpdate -y
ntpdate pool.ntp.org
apt-get install ntp -y
apt-get install postgresql postgresql-contrib -y
unzip Gauth.zip -d /tmp/
unzip radius.zip -d /opt/gauth/
unzip Gauth-1.0.war.zip -d /var/lib/tomcat8/webapps/

Now we will set up the PostgreSQL database that will hold the generated secret keys for Google Authenticator (they are stored in clear text; see the known issues at the end).

sudo -i -u postgres
createuser -d -e gauthdbuser
psql
ALTER ROLE gauthdbuser WITH PASSWORD 'P@ssword!';

While still in psql we will create the table and give the user access:


create table ga_users(
user_id varchar(20) PRIMARY KEY,
ga_key varchar(40) NOT NULL,
scratch1 varchar(40) NOT NULL,
scratch2 varchar(40) NOT NULL,
scratch3 varchar(40) NOT NULL,
scratch4 varchar(40) NOT NULL,
scratch5 varchar(40) NOT NULL,
cr_date varchar(40) NOT NULL);

GRANT ALL PRIVILEGES ON ga_users TO gauthdbuser;

\q
exit

Next we create a symbolic link to our properties file, which contains the information on how to connect to the database, AD/LDAP, and the RADIUS client.

ln -s /var/lib/tomcat8/webapps/Gauth-1.0/WEB-INF/classes/postgres.properties /opt/gauth/postgres.properties

Now we need to edit this file and put in the correct parameters.

vi /var/lib/tomcat8/webapps/Gauth-1.0/WEB-INF/classes/postgres.properties

Change the parameters to suit your needs:
PGuser - the user we created for the database, in this case 'gauthdbuser'
PGpassword - the password we set with ALTER ROLE earlier (the value below is only a placeholder; it must match exactly)
PGdbserver - leave this as the loopback address
PGdb - change this to postgres, as this is the default database we are using
LDAP_SERVER - an LDAP or AD domain controller; if you set up DNS put the host name in, otherwise use an IP address (you can only use one address at this time)
DOMAIN_NAME - your NetBIOS domain name
Company - whatever you want; it shows up next to the account in the user's Google Authenticator app
SharedSecret - the RADIUS shared secret used between the View connection server and this server; use a long random value, and do not reuse the database password the way the placeholder below does
ClientIP - the IP of your View connection server (to point another RADIUS client at this server, change this value)

PGuser=gauthdbuser
PGpassword=P@$$w0Rd
PGdbserver=127.0.0.1
PGdb=postgres
LDAP_SERVER=dc.company.com
DOMAIN_NAME=DOMAINNAME
Company=MyCompanyName
SharedSecret=P@$$w0Rd
ClientIP=192.168.1.1

This file holds the database password and the RADIUS shared secret in clear text, so restrict it to the Tomcat service account (chown tomcat8 and chmod 600 on the file under WEB-INF/classes).


Save your Changes.
Next we are going to run our application as a service:

vi /etc/init.d/gauthradius

Paste the following script in, save and close. The LSB header lets update-rc.d register it for boot, a stale pid file (left by a crash or reboot) is detected with kill -0 rather than trusted, and both start and restart launch the class with -cp (the original restart used -jar, which ignores the class name and runs the jar's own Main-Class instead):
#!/bin/sh
### BEGIN INIT INFO
# Provides:          gauthradius
# Required-Start:    $network $remote_fs postgresql
# Required-Stop:     $network $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: G-Auth RADIUS server
### END INIT INFO
SERVICE_NAME=gauthradius
PATH_TO_JAR=/opt/gauth/tinyradius-1.0.2.jar
PATH_TO_CLASS=com.gauth.GaServer
PID_PATH_NAME=/tmp/gauthradius-pid
LOG_FILE=/var/log/gauth/gauth.log

# Returns 0 only if the pid file exists and the process it names is alive;
# a stale pid file is removed so start is not refused after a crash.
is_running() {
    if [ -f "$PID_PATH_NAME" ]; then
        if kill -0 "$(cat "$PID_PATH_NAME")" 2>/dev/null; then
            return 0
        fi
        rm -f "$PID_PATH_NAME"
    fi
    return 1
}

start() {
    if is_running; then
        echo "$SERVICE_NAME is already running ..."
        return
    fi
    echo "Starting $SERVICE_NAME ..."
    mkdir -p "$(dirname "$LOG_FILE")"
    # -cp + class name: the class is the entry point, stdout and stderr go to the log
    nohup java -cp "$PATH_TO_JAR" "$PATH_TO_CLASS" >> "$LOG_FILE" 2>&1 &
    echo $! > "$PID_PATH_NAME"
    echo "$SERVICE_NAME started ..."
}

stop() {
    if is_running; then
        echo "$SERVICE_NAME stopping ..."
        kill "$(cat "$PID_PATH_NAME")"
        rm -f "$PID_PATH_NAME"
        echo "$SERVICE_NAME stopped ..."
    else
        echo "$SERVICE_NAME is not running ..."
    fi
}

case "$1" in
    start)   start ;;
    stop)    stop ;;
    restart) stop; start ;;
    status)  if is_running; then echo "$SERVICE_NAME is running"; else echo "$SERVICE_NAME is not running"; fi ;;
    *)       echo "Usage: $0 {start|stop|restart|status}"; exit 1 ;;
esac

Once that has been saved, run the following:

chmod +x /etc/init.d/gauthradius
mkdir -p /var/log/gauth
update-rc.d gauthradius defaults
reboot

(update-rc.d creates the rc links so the script is started at boot; without it the service only starts when you run it by hand.)

Once the server restarts, log in and check the temp directory:

ls /tmp/

If you do not see a 'gauthradius-pid' file, the service is not running (another issue I need to iron out); start the server manually:

sudo su
service gauthradius start

Check again; if the file is there, and kill -0 $(cat /tmp/gauthradius-pid) succeeds (the pid file alone only proves the script ran, not that the Java process is still alive), we are good to go.

Open a browser to your now running server:
http://172.16.2.2:8080/Gauth-1.0/login




If everything was configured correctly you should be able to log in with an AD username and password. In this case I'm signing in as Rick Sanchez, who does not yet have a generated key:



Mr. Sanchez can generate a key by clicking the 'Generate G-Auth' button on the left-hand side.




At this point the user can scan the QR code with his Google Authenticator app and get his time-based code.



By generating the key we have also verified that the connection to the database works.
Now let's set up View to connect to our new server:

Open your connection server's admin page: https://servername/admin
Navigate to 'View Configuration' -> 'Servers', then click the 'Connection Servers' tab.
Select the connection server you are going to set up and click [Edit].

Next click the 'Authentication' tab.

Scroll down to '2-factor authentication', select RADIUS, and check 'Enforce 2-factor and Windows user name matching'.

Select 'Create New'.
Enter a description, such as G-Auth.
Enter the IP of your G-Auth server.
Leave the port at 1812 (RADIUS authentication, UDP).
Enter the SharedSecret you set in the .properties file earlier (the RADIUS shared secret, not the database password).
Click [Next] - [Finish] - [OK].
You are now ready to try to log in!

Open your View client, and connect to your server.

You should be prompted for your token code.
Enter your token and you should pass authentication:


And that's it!
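What actually crosses the wire between the View connection server and the G-Auth server is a RADIUS PAP exchange. The block below is an added example, not code from this post or from the Gauth package: the client (the NAS, here the connection server) encrypts the one-time code into the User-Password attribute with the shared secret and a random Request Authenticator (RFC 2865 section 5.2), the server decrypts it, drops requests that did not come from ClientIP, checks the code, and signs its Access-Accept or Access-Reject with a Response Authenticator that the client verifies (RFC 2865 section 3). The secret, username, IP addresses and the stand-in check_code() are assumptions for the example; the real server would look the user's key up in ga_users instead.

```python
"""RADIUS PAP exchange between a NAS and a RADIUS server, built in memory.

Added example (RFC 2865 sections 3, 5.1, 5.2); no sockets, constructed data only.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def encrypt_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16 bytes, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return bytes(out)


def decrypt_password(cipher: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of encrypt_password; a wrong secret yields garbage, not an error."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(cipher), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(cipher[i:i + 16], pad))
        prev = cipher[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    """Header + TLV attributes (type, length-including-header, value)."""
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack(">BBH", code, ident, HEADER_LEN + len(body)) + authenticator + body


def parse_packet(data: bytes):
    code, ident, length = struct.unpack(">BBH", data[:4])
    if length < HEADER_LEN or length > len(data):
        raise ValueError("bad RADIUS length")
    attrs, i = [], HEADER_LEN
    while i < length:
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return code, ident, data[4:HEADER_LEN], attrs


def response_authenticator(code, ident, request_auth, attrs_bytes, secret) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = HEADER_LEN + len(attrs_bytes)
    return hashlib.md5(struct.pack(">BBH", code, ident, length)
                       + request_auth + attrs_bytes + secret).digest()


def client_access_request(secret: bytes, username: str, passcode: str, ident: int = 1):
    """NAS side: Access-Request carrying the one-time code as a PAP User-Password.
    Returns (packet, request_authenticator); the NAS keeps the latter to check the reply."""
    request_auth = os.urandom(16)
    attrs = [
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, encrypt_password(passcode.encode(), secret, request_auth)),
    ]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def server_handle(packet: bytes, client_ip: str, secret: bytes, allowed_client: str, check_code):
    """Server side: silently discard anything not from ClientIP (RFC 2865 says
    discard, do not reply), decrypt the code, check it, and sign the reply."""
    if client_ip != allowed_client:
        return None
    code, ident, request_auth, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST:
        return None
    fields = dict(attrs)
    username = fields.get(ATTR_USER_NAME, b"").decode(errors="replace")
    submitted = decrypt_password(fields.get(ATTR_USER_PASSWORD, b""),
                                 secret, request_auth).decode(errors="replace")
    reply_code = ACCESS_ACCEPT if check_code(username, submitted) else ACCESS_REJECT
    auth = response_authenticator(reply_code, ident, request_auth, b"", secret)
    return build_packet(reply_code, ident, auth, [])


def client_check_reply(reply: bytes, request_auth: bytes, secret: bytes):
    """NAS side: recompute the Response Authenticator; a reply that fails this
    check (wrong secret, or forged) must be treated as if no reply arrived."""
    code, ident, auth, _ = parse_packet(reply)
    expected = response_authenticator(code, ident, request_auth, reply[HEADER_LEN:], secret)
    return hmac.compare_digest(auth, expected), code


def demo(server_secret: bytes = b"example-shared-secret", passcode: str = "287082"):
    """Accept, reject and unknown-client exchanges; constructed values throughout."""
    client_secret = b"example-shared-secret"  # assumption: what View was configured with

    def check_code(user, code):  # stand-in for the TOTP lookup against ga_users
        return user == "rsanchez" and code == "287082"

    results = {}
    for name, code, ip in [("accept", passcode, "192.168.1.1"),
                           ("reject", "000000", "192.168.1.1"),
                           ("wrong_client", passcode, "10.0.0.9")]:
        pkt, ra = client_access_request(client_secret, "rsanchez", code)
        reply = server_handle(pkt, ip, server_secret, "192.168.1.1", check_code)
        results[name] = None if reply is None else client_check_reply(reply, ra, client_secret)
    return results
```

Running demo() with matching secrets gives an Access-Accept that verifies, an Access-Reject for a bad code, and no reply at all from an unlisted source; running it with a different server secret turns the accept into a reject whose Response Authenticator the client cannot verify, which is why a shared-secret mismatch looks like "no response" in the View admin test rather than a clean error.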

You can tail the log if you like as well:


This would probably work with other applications that use RADIUS authentication; let me know if it does.
(Update 10/14/2017) Just tested this with VMware Identity Manager and it works as well:

Just follow the VMware doc here to set up vIDM, then change the 'ClientIP' in postgres.properties and you are good to go!




Now, for the known issues / future plans section:
As this server is not using any certificates, there is no encryption between the user and the server; the enrollment page, including the QR code that carries the user's secret key, goes over plain HTTP.
- Plan to add this in the future
Tomcat listens on port 8080 by default. In the interest of this quick start guide I just left it there; you can change it by modifying the Tomcat configuration.

I have not set up any mechanism for backing up the Postgres database, so this would need to be done manually.

Passcodes that start with a '0' will fail. This is due to an internal conversion process (the code is handled as a number, which strips the leading zeros before it is compared with what the user typed); it can be fixed, it just takes more time.
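The check the server has to perform, with the leading-zero bug beside its fix, as an added example that is not code from this post or from the Gauth package: HOTP/TOTP per RFC 4226 and RFC 6238 from the base32 key that the Google Authenticator app and the ga_key column hold, a correct zero-padded fixed-width comparison, and the int-to-string conversion that drops the zero. The key is the RFC test key, chosen because its code at T=1111111109 happens to start with a 0; the 30-second step, six digits and the plus-or-minus one step drift window are assumptions matching Google Authenticator's defaults.

```python
"""TOTP verification (RFC 4226 / RFC 6238) showing the leading-zero bug.

Added example; the key is the RFC test key, not a real user's ga_key.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP = 30   # assumption: Google Authenticator's 30-second time step
DIGITS = 6  # assumption: six-digit codes

# RFC 4226 / RFC 6238 test key, as the base32 string the app and the DB hold.
TEST_KEY_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp_value(key_b32: str, counter: int, digits: int = DIGITS) -> int:
    """HOTP (RFC 4226 5.3): HMAC-SHA1 over the big-endian counter, dynamic
    truncation, reduce mod 10^digits. Returns an int: the leading zero is
    only lost if this int is turned into a string without padding."""
    key = base64.b32decode(key_b32.replace(" ", ""), casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return code % (10 ** digits)


def format_code(value: int, digits: int = DIGITS) -> str:
    """Correct: zero-pad to the full width, so 81804 becomes '081804'."""
    return f"{value:0{digits}d}"


def format_code_buggy(value: int) -> str:
    """The bug: int -> str without padding, so 81804 becomes '81804' and
    can never equal the six characters the user types from the app."""
    return str(value)


def totp_code(key_b32: str, at: float, step: int = STEP) -> str:
    """The code the app shows at Unix time `at`."""
    return format_code(hotp_value(key_b32, int(at) // step))


def verify_totp(key_b32: str, submitted: str, at: float = None, window: int = 1,
                step: int = STEP, buggy: bool = False) -> bool:
    """Accept the code for the current step and +/- `window` steps (clock drift).
    Compare as fixed-width strings in constant time, never via int()."""
    at = time.time() if at is None else at
    submitted = submitted.strip()
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False
    counter = int(at) // step
    fmt = format_code_buggy if buggy else format_code
    for c in range(counter - window, counter + window + 1):
        if c < 0:
            continue
        if hmac.compare_digest(submitted, fmt(hotp_value(key_b32, c))):
            return True
    return False
```

With the RFC key, the code at T=59 is 287082 and passes either way, but the code at T=1111111109 is 081804: the padded comparison accepts it, the unpadded one compares "081804" against "81804" and rejects the user even though the app is right.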
Logins and other links on the user portal do nothing; nothing was written for these at this time.
There is an admin portion, /admin; however, all it does at this time is show the total number of registered users.

I have only tested this with LDAP on 389, and it is hardcoded, so I am not sure if it works with LDAPS on 636.

If there is significant interest, I want to rewrite this as an AngularJS app instead of Java servlets; however, that is a huge learning curve as I've never done one.

Thoughts for additional features:
Backup and restore process
Highly available dual VMs with Postgres replication
Ability to use an MS SQL backend
Self-signed certificates as default
Ability to install certificates
Secure LDAP configuration
Additional RADIUS-capable servers
AngularJS app
Integration into a deployable OVF
Automatic updates
Better logging
Log rotation
Database key encryption
Administration to delete existing keys
Group membership requirement (currently any AD-authenticated user can generate a key)
Database logging of user login times
Search function for admins to find/audit user login times



That's all I can think of at this time. Post any questions you may have and I'll try to answer them.



Jeramy



