Thursday, September 11, 2025
Playing with Apache httpd and PQC
At the time of writing, browsers such as Firefox and Google Chrome support PQC only for the key exchange; curl compiled with OpenSSL 3.5.x supports PQC for both the key exchange and the cert/key.
Based on my previous post, create an RSA key/cert pair for the browsers.
Create an ML-DSA-65 key/cert pair for the curl tests:
openssl req \
-x509 \
-newkey mldsa65 \
-keyout localhost-mldsa-65.key \
-subj /CN=localhost \
-addext subjectAltName=DNS:localhost \
-days 30 \
-nodes \
-out localhost-mldsa-65.crt
Configure httpd.conf:
Listen 4433
<VirtualHost *:4433>
SSLEngine on
SSLCertificateFile localhost.crt
SSLCertificateKeyFile localhost.key
# PQC cert/key
SSLCertificateFile localhost-mldsa-65.crt
SSLCertificateKeyFile localhost-mldsa-65.key
</VirtualHost>
Start Apache httpd.
Test with Firefox, accept the self-signed certificate and you will get the "It works!" page.
Test with curl:
curl -k -v https://localhost:4433/
you get:
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519MLKEM768 / id-ml-dsa-65
Use a curl that doesn't support PQC (compiled with a 3.2.x openssl for example):
curl -k -v https://localhost:4433/
you get:
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / RSASSA-PSS
You can also tell a PQC curl to use x25519 and ask for an RSA key/cert:
curl -k -v --curves X25519 --sigalgs RSA-PSS+SHA256 https://localhost:4433/
Or X25519MLKEM768 and ask for an RSA key/cert:
curl -k -v --curves X25519MLKEM768 --sigalgs RSA-PSS+SHA256 https://localhost:4433/
Playing with openssl 3.5.x and PQC
PQC = Post Quantum Cryptography
PQC can be used in 2 places: the key exchange and the key/cert themselves.
For the moment browsers like Firefox and Google Chrome only support the key exchange part.
Create a PQC key/cert using openssl:
openssl req \
-x509 \
-newkey mldsa65 \
-keyout localhost-mldsa.key \
-subj /CN=localhost \
-addext subjectAltName=DNS:localhost \
-days 30 \
-nodes \
-out localhost-mldsa.crt
Start openssl s_server:
openssl s_server \
-cert localhost-mldsa.crt -key localhost-mldsa.key \
-trace -port 4433
Use curl to test:
curl -k -v https://localhost:4433/
you will get:
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519MLKEM768 / id-ml-dsa-65
If you try firefox you will get an error:
Error code: SSL_ERROR_NO_CYPHER_OVERLAP
that is expected as Firefox doesn't support the key/cert openssl is using.
Create an RSA key/cert using openssl:
openssl req \
-x509 \
-keyout localhost.key \
-subj /CN=localhost \
-addext subjectAltName=DNS:localhost \
-days 30 \
-nodes \
-out localhost.crt
Start openssl s_server using the 2 keys and 2 certificates:
openssl s_server \
-cert localhost-mldsa.crt -key localhost-mldsa.key \
-dcert localhost.crt -dkey localhost.key \
-trace -port 4433
Check that curl is working and using the PQC key/cert pair:
curl -k -v https://localhost:4433/
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519MLKEM768 / id-ml-dsa-65
Try Firefox now, the certificate is self-signed but now Firefox accepts it.
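To check these results in a script rather than by eye, the following added example (not code from the original posts) classifies the `SSL connection using` line that `curl -v` prints in both the httpd and the `s_server` tests above. The function names and the name patterns (`mlkem`, `ml-dsa`, `slh-dsa`) are assumptions of this example; the first two sample lines are the outputs shown above, the third is constructed.

```shell
#!/bin/sh
# Added example: classify the negotiated key exchange and signature
# from curl -v output. Function names are this example's own.

# kex_class GROUP -> pqc | hybrid-pqc | classical
# Assumption: PQC groups carry "mlkem" in their name (X25519MLKEM768, MLKEM768).
kex_class() {
    case $(printf '%s' "$1" | tr '[:upper:]' '[:lower:]') in
        mlkem*)  echo pqc ;;         # pure ML-KEM group
        *mlkem*) echo hybrid-pqc ;;  # classical curve combined with ML-KEM
        *)       echo classical ;;
    esac
}

# sig_class ALG -> pqc | classical
sig_class() {
    case $(printf '%s' "$1" | tr '[:upper:]' '[:lower:]') in
        *ml-dsa*|*mldsa*|*slh-dsa*) echo pqc ;;
        *) echo classical ;;
    esac
}

# classify_tls_line: reads curl -v output on stdin and prints
#   kex=<group>:<class> sig=<alg>:<class>
# Returns 1 when no complete "SSL connection using" line is present.
classify_tls_line() {
    _line=$(tr -d '\r' | sed -n 's/^.*SSL connection using //p' | head -n 1)
    [ -n "$_line" ] || return 1
    _group=$(printf '%s\n' "$_line" | awk -F' / ' '{print $3}')
    _sig=$(printf '%s\n' "$_line" | awk -F' / ' '{print $4}')
    if [ -z "$_group" ] || [ -z "$_sig" ]; then return 1; fi
    printf 'kex=%s:%s sig=%s:%s\n' \
        "$_group" "$(kex_class "$_group")" "$_sig" "$(sig_class "$_sig")"
}

# require_pqc_kex: status 0 only when the key exchange is PQC or hybrid PQC,
# 1 when it is classical, 2 when no TLS line was found. Usable as a gate:
#   curl -k -v https://localhost:4433/ 2>&1 | require_pqc_kex
require_pqc_kex() {
    _res=$(classify_tls_line) || return 2
    _kex=${_res%% *}                 # "kex=<group>:<class>"
    case ${_kex##*:} in
        pqc|hybrid-pqc) return 0 ;;
        *) return 1 ;;
    esac
}

# Sample lines: the first two are the curl outputs shown above,
# the third is constructed (hybrid key exchange with an RSA certificate).
PQC_LINE='* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519MLKEM768 / id-ml-dsa-65'
RSA_LINE='* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / RSASSA-PSS'
MIX_LINE='* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519MLKEM768 / RSASSA-PSS'

for l in "$PQC_LINE" "$RSA_LINE" "$MIX_LINE"; do
    printf '%s\n' "$l" | classify_tls_line
done
```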
Saturday, December 21, 2019
Using RTL8812AU (AWUS036ACH) on Fedora 31
+++
[root@pc-86 ~]# lsusb
Bus 001 Device 004: ID 0bda:8812 Realtek Semiconductor Corp. RTL8812AU 802.11a/b/g/n/ac 2T2R DB WLAN Adapter
Bus 001 Device 003: ID 0424:ec00 Standard Microsystems Corp. SMSC9512/9514 Fast Ethernet Adapter
Bus 001 Device 002: ID 0424:9514 Standard Microsystems Corp. SMC9514 Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
+++
Clone the source (you need make, dkms, git etc):
+++
git clone https://github.com/gnab/rtl8812au.git
dkms add ./rtl8812au
+++
[root@pc-86 ~]# dkms add ./rtl8812au
Creating symlink /var/lib/dkms/8812au/4.2.3/source -> /usr/src/8812au-4.2.3
+++
check it:
+++
[root@pc-86 ~]# dkms status
8812au, 4.2.3: added
+++
build it...
+++
ln -s /usr/src/kernels/5.3.16-300.fc31.aarch64/arch/arm64 /usr/src/kernels/5.3.16-300.fc31.aarch64/arch/aarch64
dkms build 8812au/4.2.3
+++
check it:
+++
[root@pc-86 ~]# dkms status
8812au, 4.2.3, 5.3.16-300.fc31.aarch64, aarch64: built
+++
install it...
+++
dkms install 8812au/4.2.3
+++
check it:
+++
[root@pc-86 ~]# dkms status
8812au, 4.2.3, 5.3.16-300.fc31.aarch64, aarch64: installed
+++
and:
+++
[root@pc-86 ~]# lsmod | grep 8812au
8812au 1150976 0
[root@pc-86 ~]# iwconfig
wlan0 IEEE 802.11 ESSID:off/any
Mode:Managed Access Point: Not-Associated Tx-Power=31 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:on
wlan1 unassociated Nickname:"
Mode:Auto Frequency=2.412 GHz Access Point: Not-Associated
Sensitivity:0/0
Retry:off RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
Link Quality:0 Signal level:0 Noise level:0
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0
eth0 no wireless extensions.
lo no wireless extensions.
+++
Then:
+++
yum install wpa_supplicant NetworkManager-tui
systemctl start wpa_supplicant
nmtui
+++
DONE!!!
Sunday, November 24, 2019
RPI3 with Fedora31
Get the image and install it:
https://dl.fedoraproject.org/pub/fedora/linux/releases/31/Server/aarch64/images/Fedora-Server-31-1.9.aarch64.raw.xz
Copy to SD card:
arm-image-installer --image=/home/jfclere/Downloads/Fedora-Server-31-1.9.aarch64.raw.xz --target=rpi3 --media=/dev/mmcblk0 --norootpass --addkey=/home/jfclere/.ssh/id_rsa.pub --resizefs --relabel --selinux=ON
Easy but see https://bugzilla.redhat.com/show_bug.cgi?id=1785109
Boot it and use ssh to connect to it.
DS1307 on RPI3 with fedora 31:
yum install i2c-tools
Add in /boot/efi/config.txt:
dtoverlay=i2c-rtc,ds1307
Check dmesg:
+++
[root@pc-75 ~]# dmesg | grep rtc
[ 7.407923] hctosys: unable to open rtc device (rtc0)
[ 15.057637] rtc-ds1307 1-0068: registered as rtc0
+++
Adjust /etc/chrony.conf:
+++
# Enable kernel synchronization of the real-time clock (RTC).
rtcsync
# Serve time even if not synchronized to any NTP server.
local stratum 10
+++
Create /etc/systemd/system/hwclock.service so that the system clock is set from the hardware clock when the RPI3 starts:
+++
[Unit]
Description=Setup date and time via hwclock
[Service]
Type=oneshot
ExecStart=/usr/sbin/hwclock --hctosys
[Install]
WantedBy=multi-user.target
+++
Enable it and check it:
+++
[root@pc-75 ~]# systemctl enable hwclock
Created symlink /etc/systemd/system/multi-user.target.wants/hwclock.service → /etc/systemd/system/hwclock.service.
[root@pc-75 ~]# timedatectl set-local-rtc 0
[root@pc-75 ~]# timedatectl status
Local time: Sun 2019-11-24 16:08:08 CET
Universal time: Sun 2019-11-24 15:08:08 UTC
RTC time: Sun 2019-11-24 15:08:07
Time zone: Europe/Zurich (CET, +0100)
System clock synchronized: yes
NTP service: active
RTC in local TZ: no
+++
Set the firewall so we can send the date :D
+++
[root@pc-75 ~]# firewall-cmd --get-default-zone
FedoraServer
[root@pc-75 ~]# firewall-cmd --permanent --zone=FedoraServer --add-port=123/udp
success
[root@pc-75 ~]# firewall-cmd --reload
success
+++
Prepare the wifi:
All looked good but not working...
+++
[root@pc-75 ~]# cd /lib/firmware/brcm/
[root@pc-75 brcm]# ls -lt brcmfmac43430-sdio.txt
ls: cannot access 'brcmfmac43430-sdio.txt': No such file or directory
[root@pc-75 brcm]# ls -lt brcmfmac43430-sdio.raspberrypi,3-model-b.txt
-rw-r--r--. 1 root root 872 Sep 24 15:53 brcmfmac43430-sdio.raspberrypi,3-model-b.txt
[root@pc-75 brcm]# cp brcmfmac43430-sdio.raspberrypi,3-model-b.txt brcmfmac43430-sdio.txt
+++
init 0 and wait...
+++
[root@pc-75 ~]# nmcli dev show wlan0
GENERAL.DEVICE: wlan0
GENERAL.TYPE: wifi
GENERAL.HWADDR: E2:65:23:25:88:06
GENERAL.MTU: 1500
GENERAL.STATE: 20 (unavailable)
GENERAL.CONNECTION: --
GENERAL.CON-PATH: --
+++
weird looks broken...
looking with other usb wifi and same for nmcli dev show wlan1:
+++
Nov 24 18:04:13 pc-75.home NetworkManager[832]:
Nov 24 18:04:13 pc-75.home NetworkManager[832]:
Nov 24 18:04:13 pc-75.home NetworkManager[832]:
Nov 24 18:04:14 pc-75.home NetworkManager[832]:
+++
looking to wpa_supplicant: it is stopped, not even installed!!! Problem fixed :D
+++
[root@pc-75 ~]# journalctl -b -u NetworkManager | grep wpa
Nov 24 17:35:54 localhost.localdomain NetworkManager[832]:
+++
Install it with "yum install wpa_supplicant" and start it:
+++
[root@pc-75 ~]# systemctl enable wpa_supplicant
Created symlink /etc/systemd/system/multi-user.target.wants/wpa_supplicant.service → /usr/lib/systemd/system/wpa_supplicant.service.
[root@pc-75 ~]# systemctl start wpa_supplicant
[root@pc-75 ~]# journalctl -b -u NetworkManager | grep wpa
Nov 24 17:35:54 localhost.localdomain NetworkManager[832]:
Nov 24 18:23:53 pc-75.home NetworkManager[832]:
[root@pc-75 ~]# nmtui
+++
Working!!!
Friday, May 11, 2018
RPI3 fedora 27, hyperion relay and fun with the latch of street door
Use the installer:
arm-image-installer --image=Fedora-Server-armhfp-27-1.6-sda.raw.xz --media=/dev/mmcblk0 --target=rpi3 --norootpass --addkey=/home/jfclere/.ssh/id_rsa.pub
resize the image with the graphic tool:
gparted /dev/mmcblk0
boot the PI and find its address:
nmap -sn 192.168.1.0/24 (ifconfig to get the laptop address).
Nmap scan report for 192.168.1.39
Host is up (-0.057s latency).
MAC Address: B8:27:EB:D4:2E:85 (Raspberry Pi Foundation)
ssh -l root 192.168.1.39 you are in!!!
remove the auto configure
/bin/systemctl disable initial-setup.service
setting timezone:
ls -lt /usr/share/zoneinfo/Europe/Zurich
rm /etc/localtime
ln -s /usr/share/zoneinfo/Europe/Zurich /etc/localtime
install wifi: (PI3)
curl https://fedora.roving-it.com/brcmfmac43430-sdio.txt -o /lib/firmware/brcm/brcmfmac43430-sdio.txt
reboot
Done:
+++
[root@localhost ~]# nmcli device status
DEVICE TYPE STATE CONNECTION
eth0 ethernet connected eth0
lo loopback unmanaged --
wlan0 wifi unmanaged --
+++
nmtui
SSID PI2
Mode
Channel
Security
Addresses 10.0.0.201/24
[X] Never use this network for default route
[X] Require IPv4 addressing for this connection
[X] Automatically connect
+++
add dhcp server and configure it.
yum install dhcp-server
use https://github.com/jfclere/tomcatPI/blob/master/conf/master/dhcpd.conf
enable and start it.
/bin/systemctl enable dhcpd
/bin/systemctl start dhcpd
add named and configure it.
use https://github.com/jfclere/tomcatPI/blob/master/conf/master/named.conf
copy the configuration files in /etc/bind (mkdir /etc/bind)
enable and start it.
/bin/systemctl enable named
/bin/systemctl start named
Don't forget the firewall on the PI:
firewall-cmd --permanent --zone=FedoraServer --add-port=53/tcp
firewall-cmd --permanent --zone=FedoraServer --add-port=53/udp
firewall-cmd --reload
Look to the previous blog and enable the services
/bin/systemctl disable initial-setup.service
/bin/systemctl enable named
/bin/systemctl enable dhcpd
Getting the GPIO working...
+++
[root@localhost ~]# yum search gpio
Last metadata expiration check: 2:55:33 ago on Mon 30 Apr 2018 06:50:28 CEST.
=================================================================== Summary & Name Matched: gpio ===================================================================
libgpiod-utils.armv7hl : Utilities for GPIO
sgpio.armv7hl : SGPIO captive backplane tool
libgpiod-devel.armv7hl : Development package for libgpiod
python2-RPi.GPIO.armv7hl : A class to control the GPIO on a Raspberry Pi
python3-RPi.GPIO.armv7hl : A class to control the GPIO on a Raspberry Pi
libgpiod.armv7hl : C library and tools for interacting with linux GPIO char device
+++
install + try:
+++
[root@localhost ~]# python3 jfcgpio.py
Segmentation fault (core dumped)
+++
Oops... broken :-(
install libgpiod-utils trying...
+++
[root@localhost ~]# /usr/bin/gpioinfo
gpiochip0 - 54 lines:
line 0: unnamed unused input active-high
line 1: unnamed unused input active-high
...
+++
[root@localhost ~]# /usr/bin/gpiodetect
gpiochip0 [pinctrl-bcm2835] (54 lines)
gpiochip1 [raspberrypi-exp-gpio] (8 lines)
+++
Yes:
gpioset -m time -s 1 gpiochip0 18=1
LED ON!!!
install httpd and start it.
/bin/systemctl enable httpd
/bin/systemctl start httpd
open firewall for httpd
+++
[root@localhost ~]# firewall-cmd --get-default-zone
FedoraServer
+++
So use FedoraServer ;-)
+++
firewall-cmd --permanent --zone=FedoraServer --add-port=80/tcp
firewall-cmd --reload
+++
Arrange the permission (selinux = tricky).
+++
[root@localhost ~]# audit2allow -a
#============= httpd_sys_script_t ==============
allow httpd_sys_script_t gpio_device_t:chr_file { ioctl open read write };
allow httpd_sys_script_t initrc_var_run_t:file { lock open read };
allow httpd_sys_script_t pam_var_run_t:dir { add_name write };
allow httpd_sys_script_t pam_var_run_t:file { create getattr lock open read write };
allow httpd_sys_script_t self:capability { audit_write dac_read_search setgid setuid sys_resource };
allow httpd_sys_script_t self:netlink_audit_socket { create nlmsg_relay };
allow httpd_sys_script_t self:process setrlimit;
allow httpd_sys_script_t shadow_t:file { getattr open read };
allow httpd_sys_script_t sudo_db_t:dir getattr;
allow httpd_sys_script_t system_dbusd_t:dbus send_msg;
allow httpd_sys_script_t systemd_logind_t:dbus send_msg;
#============= systemd_logind_t ==============
allow systemd_logind_t httpd_sys_script_t:dbus send_msg;
+++
audit2allow -a -M door
semodule -i door.pp
(Not working... Need more time).
disabling selinux :_(
+++
[root@localhost ~]# sestatus
SELinux status: disabled
+++
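The module above is built from every logged denial, so it also carries the rules that read shadow_t and grant setuid/setgid. The following added example (not part of the original post) reads audit2allow output, tags each rule, and emits a module source that contains only the GPIO rule. The function names, the module name door_gpio and the list of patterns treated as sensitive are assumptions of this example; the sample input is an excerpt of the output above.

```shell
#!/bin/sh
# Added example: triage audit2allow output and emit a module source that
# carries only the GPIO rule. Names (triage_rules, gpio_only_te, door_gpio)
# are this example's own.

# Patterns treated as sensitive (an assumption of this example).
SENSITIVE='shadow_t|sudo_db_t|pam_var_run_t|setuid|setgid|dac_read_search|sys_resource'

# triage_rules: stdin = audit2allow output; stdout = one tagged line per rule.
triage_rules() {
    awk -v sens="$SENSITIVE" '
        $1 != "allow"          { next }                      # comments, blanks
        $3 ~ /^gpio_device_t:/ { print "KEEP   " $0; next }  # GPIO char device
        $0 ~ sens              { print "REVIEW " $0; next }  # credentials, privilege
                               { print "OTHER  " $0 }
    '
}

# gpio_only_te: stdin = audit2allow output; stdout = .te source holding only
# the KEEP rules plus the matching require block. Status 1 if there are none.
# Assumes one KEEP rule per class, as in the output above.
gpio_only_te() {
    triage_rules | awk '
        $1 != "KEEP" { next }
        {
            src = $3; split($4, tc, ":")            # tc[1]=type, tc[2]=class
            perms = $0
            sub(/^.*:[a-z_]+ /, "", perms); sub(/;$/, "", perms)
            if (!(src in seen))   { req = req "    type " src ";\n";   seen[src] = 1 }
            if (!(tc[1] in seen)) { req = req "    type " tc[1] ";\n"; seen[tc[1]] = 1 }
            req = req "    class " tc[2] " " perms ";\n"
            sub(/^KEEP +/, "", $0); rules = rules $0 "\n"
        }
        END {
            if (rules == "") exit 1
            printf "module door_gpio 1.0;\n\nrequire {\n%s}\n\n%s", req, rules
        }
    '
}

# Sample input: excerpt of the audit2allow output shown above.
RULES='#============= httpd_sys_script_t ==============
allow httpd_sys_script_t gpio_device_t:chr_file { ioctl open read write };
allow httpd_sys_script_t self:capability { audit_write dac_read_search setgid setuid sys_resource };
allow httpd_sys_script_t self:process setrlimit;
allow httpd_sys_script_t shadow_t:file { getattr open read };
allow httpd_sys_script_t system_dbusd_t:dbus send_msg;'

printf '%s\n' "$RULES" | triage_rules
printf '%s\n' "$RULES" | gpio_only_te
```

The generated source can be compiled with `checkmodule -M -m -o door_gpio.mod door_gpio.te` and packaged with `semodule_package -o door_gpio.pp -m door_gpio.mod`; whether the GPIO rule alone is sufficient depends on how the CGI script invokes gpioset.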
Add apache in sudoers: sudoedit /etc/sudoers add:
apache ALL=NOPASSWD: /usr/bin/gpioset -m time -s 1 gpiochip0 18=1
For the details on httpd configuration, html, cgi look to https://github.com/jfclere/door
Sunday, September 10, 2017
Getting DS1307 on RPI3 with fedora 24
dtoverlay=i2c-rtc,ds1307
In dmesg:
+++
[ 5.536541] rtc-ds1307 1-0068: rtc core: registered ds1307 as rtc0
[ 5.540786] rtc-ds1307 1-0068: 56 bytes nvram
+++
the modules are loaded at boot now...
+++
[root@pc-8 ~]# i2cdetect -y 1
0 1 2 3 4 5 6 7 8 9 a b c d e f
00: -- -- -- -- -- -- -- -- -- -- -- -- --
10: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
20: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
30: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
40: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
50: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
60: -- -- -- -- -- -- -- -- UU -- -- -- -- -- -- --
70: -- -- -- -- -- -- -- --
+++
[root@pc-8 ~]# hwclock -r
2017-09-09 17:58:49.868784+1:00
(well, not too bad after 2 months: +~1 minute)
2 - Get chrony to resynchronize my hardware clock (if I have a connection!)
In /etc/chrony.conf:
+++
# Enable kernel synchronization of the real-time clock (RTC).
rtcsync
# Serve time even if not synchronized to any NTP server.
local stratum 10
+++
Sunday, October 16, 2016
Having fun with raspberry pi 3 and Astro Hat.
********* basic installation ********
From: https://fedoraproject.org/wiki/Raspberry_Pi
fdisk /dev/mmcblk0
unmount and reinsert
looking for the images:
https://dl.fedoraproject.org/pub/fedora/linux/releases/24/Spins/armhfp/images/
There are a bunch of them...
https://dl.fedoraproject.org/pub/fedora/linux/releases/24/Server/armhfp/images/
Only one, so I have picked this one.
losetup --partscan --find --show /home/jfclere/Downloads/Fedora-Server-armhfp-24-1.2-sda.raw
/dev/loop0
mount -r /dev/loop0p3 /tmp/img/
mkfs.vfat /dev/mmcblk0p1
mkswap /dev/mmcblk0p2
mkfs.ext4 /dev/mmcblk0p3
mkdir /tmp/rpi/
mount /dev/mmcblk0p3 /tmp/rpi/
mkdir /tmp/rpi/boot/
mount /dev/mmcblk0p1 /tmp/rpi/boot/
cp -rpv /tmp/img/* /tmp/rpi/
sync (takes ages)
losetup -d /dev/loop0
[root@jfcpc NOTES]# blkid | grep mmcblk0
/dev/mmcblk0: PTTYPE="dos"
/dev/mmcblk0p1: SEC_TYPE="msdos" UUID="DB85-3C4A" TYPE="vfat"
/dev/mmcblk0p2: UUID="5f07dbe9-2619-481e-b0b3-5f37a7f011bf" TYPE="swap"
/dev/mmcblk0p3: UUID="8df2bd5c-4692-4f80-96ec-da2e9697a713" TYPE="ext4"
edit and adjust /tmp/rpi/etc/fstab
/tmp/rpi/boot/cmdline.txt Add
"dwc_otg.lpm_enable=0 console=ttyAMA0,115200 console=tty1 root=/dev/mmcblk0p3 rootfstype=ext4 elevator=deadline rootwait"
https://www.raspberrypi.org/documentation/configuration/config-txt.md (configuration stuff).
/tmp/rpi/boot/config.txt (do we need something?...) empty for the moment...
copy the boot and modules
download the firmware:
https://github.com/raspberrypi/firmware
what is: https://github.com/raspberrypi/firmware/archive/master.zip
it is like https://github.com/modcluster/mod_cluster/archive/master.zip (just a zip repo).
download and unzip
So https://github.com/raspberrypi/firmware/tree/master/boot
[root@jfcpc NOTES]# cp -r /home/jfclere/Downloads/firmware-master/boot/* /tmp/rpi/boot/
So https://github.com/raspberrypi/firmware/tree/master/modules (for + and -v7+ no idea how it is chosen)
Once running doing more /proc/cpuinfo:
+++
processor : 0
model name : ARMv7 Processor rev 4 (v7l)
+++
guessing we use the -v7+ ;-)
[root@jfcpc NOTES]# cp -r /home/jfclere/Downloads/firmware-master/modules/* /tmp/rpi/lib/modules/
sync
umount /tmp/rpi/boot/
umount /tmp/rpi/
network: (trying to check it)...
In fact Fedora 24 uses systemd
/tmp/rpi/etc/systemd/ (there is something run at the first boot).
/tmp/rpi/etc/systemd/system/default.target -> /lib/systemd/system/multi-user.target
/tmp/rpi/lib/systemd/system/systemd-firstboot.service ?
and it runs /usr/bin/systemd-firstboot --prompt-locale --prompt-timezone --prompt-root-password
+++
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/systemd-firstboot --prompt-locale --prompt-timezone --prompt-root-password
+++
For the curious:
+++
[jfclere@jfcpc ~]$ rpm -qf /usr/bin/systemd-firstboot
systemd-229-13.fc24.x86_64
+++
--locale=en_US.UTF-8
--timezone=Europe/Paris
--root-password=Changeit2016
+++
nmap -sn 192.168.1.0/24
found the PI:
+++
Nmap scan report for pc-151.home (192.168.1.111)
Host is up (0.047s latency).
MAC Address: B8:27:EB:C1:44:41 (Raspberry Pi Foundation)
+++
scanning it:
+++
[root@jfcpc Downloads]# nmap 192.168.1.111
Starting Nmap 7.12 ( https://nmap.org ) at 2016-09-07 22:15 CEST
Nmap scan report for pc-151.home (192.168.1.111)
Host is up (0.0044s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
22/tcp open ssh
9090/tcp open zeus-admin
MAC Address: B8:27:EB:C1:44:41 (Raspberry Pi Foundation)
Nmap done: 1 IP address (1 host up) scanned in 4.60 seconds
+++
Somehow the password stuff failed... The stuff still asks :-(
copy my fedora laptop password that helps...
+++
[root@pc-151 ~]# ps -ef | grep tty1
root 343 1 0 18:23 tty1 00:00:00 /bin/bash /usr/libexec/initial-setup/run-initial-setup
root 348 343 12 18:23 tty1 00:00:23 /usr/bin/python3 /usr/libexec/initial-setup/initial-setup-text --no-stdout-log
root 720 696 0 18:26 pts/0 00:00:00 grep --color=auto tty1
+++
In it:
/bin/systemctl disable initial-setup.service (so it removes itself).
and it is a python script...
trying... mount
/dev/mmcblk0p3 on /run/media/jfclere/a440011a-a5ea-4eb7-ae01-95c8cd981673
[root@jfcpc Downloads]# grep ENCRYPT_METHOD /tmp/img/etc/login.defs
ENCRYPT_METHOD SHA512
echo -n root:Changeit2016 | chpasswd -c SHA512 -R /run/media/jfclere/a440011a-a5ea-4eb7-ae01-95c8cd981673 ?
selinux problems :-( and doesn't work.
echo -n root:Changeit2016 | chpasswd -c SHA512 in PI works...
setting timezone:
ls -lt /usr/share/zoneinfo/Europe/Zurich
rm /etc/localtime
ln -s /usr/share/zoneinfo/Europe/Zurich /etc/localtime
easy :D
Don't forget to remove the base Fedora kernel components (yum might get funny otherwise)...
dnf remove kernel kernel-core kernel-modules
************** configure wifi *************
The goal is to get a sort of captive portal to run an easy demo: the raspberry is acting as an AP, dhcp server and name server.
+++
[root@pc-111 ~]# nmcli device status
DEVICE TYPE STATE CONNECTION
eth0 ethernet connected eth0
lo loopback unmanaged --
+++
no wifi.
https://fedoraproject.org/wiki/Raspberry_Pi
$ cd /lib/firmware/brcm/
$ curl -O https://raw.githubusercontent.com/RPi-Distro/firmware-nonfree/master/brcm80211/brcm/brcmfmac43430-sdio.bin
$ curl -O https://raw.githubusercontent.com/RPi-Distro/firmware-nonfree/master/brcm80211/brcm/brcmfmac43430-sdio.txt
reboot?
iw list
+++
Supported interface modes:
* IBSS
* managed
* AP
+++
it can do AP cool...
dnf install NetworkManager-tui NetworkManager-wifi
nmtui
SSID=PI
Mode <Access Point>
Channel <Automatic>
Security <None>
Addresses 10.0.0.201/24
[X] Never use this network for default route
[X] Require IPv4 addressing for this connection
[X] Automatically connect
from https://fedoraproject.org/wiki/Raspberry_Pi
From the laptop:
+++
wlp4s0 IEEE 802.11 ESSID:"PI"
Mode:Managed Frequency:2.412 GHz Access Point: B8:27:EB:94:11:14
+++
in PI:
+++
wlan0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether b8:27:eb:94:11:14 txqueuelen 1000 (Ethernet)
+++
hm laptop doesn't get IP?
try dhcp (server?) 10.0.0.0 (give 10.0.0.201 to the PI)
Look to /etc/dhcp/dhcpd.conf
The important:
subnet 10.0.0.0 netmask 255.255.255.0 {
so it listens on 10.0.0.201
option domain-name "mysrv.world";
option domain-name-servers 10.0.0.201;
so the names are resolved by the bind of PI.
option routers 10.0.0.201;
so it is the router for the interface (we can use the PI as router!!!).
Looks nearly OK...
+++
Listening on LPF/wlan0/b8:27:eb:94:11:14/10.0.0.0/24
Sending on LPF/wlan0/b8:27:eb:94:11:14/10.0.0.0/24
+++
ifconfig on the laptop:
+++
wlp4s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.0.200 netmask 255.255.255.0 broadcast 10.0.0.255
+++
nmap -sn 10.0.0.0/24 (it finds the PI)
+++
[root@jfcpc APACHE-2.4.x]# nmap -sn 10.0.0.0/24
Starting Nmap 7.12 ( https://nmap.org ) at 2016-09-14 23:41 CEST
Nmap scan report for 10.0.0.201
Host is up (0.014s latency).
MAC Address: B8:27:EB:94:11:14 (Raspberry Pi Foundation)
Nmap scan report for 10.0.0.200
Host is up.
Nmap done: 256 IP addresses (2 hosts up) scanned in 32.09 seconds
+++
easy... 192.168.1.109 (connected).
to find the address:
nmap -sn 192.168.1.0/24
(doesn't help... well run it as root = better...)
+++
Nmap scan report for pc-111.home (192.168.1.108)
Host is up (0.0067s latency).
MAC Address: B8:27:EB:7A:A6:98 (Raspberry Pi Foundation)
Nmap scan report for pc-111.home (192.168.1.109)
Host is up (0.0067s latency).
+++
name server: (based on http://serverfault.com/questions/396958/configure-dns-server-to-return-same-ip-for-all-domains)
yum install bind
/etc/named.conf
listen-on port 53 { 10.0.0.201; };
allow-query { 10.0.0.0/24; };
recursion no;
zone "." IN {
type master;
file "/etc/bind/db.fakeroot";
};
And in /etc/bind/db.fakeroot:
+++
@ IN SOA ns.domain.com. hostmaster.domain.com. ( 1 3h 1h 1w 1d )
IN NS 10.0.0.201
* IN A 10.0.0.201
+++
Don't forget the firewall on the PI:
firewall-cmd --permanent --zone=FedoraServer --add-port=53/tcp
firewall-cmd --permanent --zone=FedoraServer --add-port=53/udp
firewall-cmd --reload
********* Getting tomcat running *********
(yum install java should be ready for tomcat).
yum install java maven
git clone https://github.com/jfclere/tomcatPI
cd tomcatPI/demo
java -jar ./target/demo-1.0-SNAPSHOT-jar-with-dependencies.jar
Don't forget the firewall (again).
firewall-cmd --permanent --zone=FedoraServer --add-port=80/tcp
firewall-cmd --reload
******** Getting Astro Hat examples running ********
HAT: https://github.com/RPi-Distro/python-sense-hat
https://github.com/raspberrypi/hats
https://github.com/RPi-Distro/python-sense-hat (looks the good one...)
A lot needs to be installed: gcc/python-devel/gcc-gfortran/redhat-rpm-config (hard to guess this one!) and building takes ages...
libz-devel, jpeg-devel
testing... /root/python-sense-hat/examples
missing https://github.com/RPi-Distro/RTIMULib cmake/gcc-c++
in RTIMULib/RTIMULi/build (mkdir ) cmake ... make make install.
in RTIMULib/Linux need qt-devel
in RTIMULib/Linux/python (probably the only one really needed!).
./python-sense-hat/examples/colour_cycle.py (works...)
./RTIMULib/Linux/build/RTIMULibCal/RTIMULibCal (to get the RTIMULib.ini to put in /etc according to the doc).
******* Playing with the 8X8 frame buffer ****
+++
[root@jfcpc java]# pwd
/home/jfclere/tomcatPI/demo/src/main/java
[root@jfcpc java]# java -cp . org.jfclere.tomcatPI.PIFrameBuffer
file is 4096Exception in thread "main" java.io.IOException: No such device
at sun.nio.ch.FileChannelImpl.map0(Native Method)
at sun.nio.ch.FileChannelImpl.map(FileChannelImpl.java:926)
at org.jfclere.tomcatPI.PIFrameBuffer.main(PIFrameBuffer.java:22)
+++ OK ++++ It can't read it :-(
According to Python code:
from sense_hat import SenseHat
The LED matrix is an RGB565 framebuffer
(more or less working now committed).
https://github.com/jfclere/tomcatPI/blob/master/demo/src/main/java/org/jfclere/tomcatPI/PIFrameBuffer.java
********* Sending information to ActiveMQ and consuming it *******
yum install stomppy
install activemq on laptop
check stomp port:
INFO | Listening for connections at: stomp://jfcpc:61613?maximumConnections=1000&wireFormat.maxFrameSize=104857600
INFO | Connector stomp started
http://127.0.0.1:8161/admin/ (we receive something binary UTF8 encoded string).
write a STOMP logic to send message to ActiveMQ (running on my laptop)
https://github.com/jfclere/tomcatPI/tree/master/python
write a small jms client to consume the messages from the raspberry
https://github.com/jfclere/tomcatPI/tree/master/reader
Saturday, December 19, 2015
Where you noted your ssh key needs renew
debug1: Roaming not allowed by server
Obviously it isn't a server problem; while trying to understand it I have found:
https://www.gentoo.org/support/news-items/2015-08-13-openssh-weak-keys.html
Of course adding
PubkeyAcceptedKeyTypes=+ssh-dss
in .ssh/config helps
Checking the key shows that I need new key pairs soon:
-rw-------. 1 jfclere jfclere 736 Nov 22 2006 id_dsa
-rw-r--r--. 1 jfclere jfclere 619 Nov 22 2006 id_dsa.pub
I have been using the same keys for ~10 years in fact!!!
Well mostly only inside Red Hat vpn, time to change keys and spot the server I am using only from time to time...
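To find where DSA keys and the ssh-dss workaround are still in use, the following added example (not part of the original post) lists the key type of every entry in public-key and authorized_keys files, flags the ssh-dss ones, and reports ssh config lines that re-enable ssh-dss. The function names are this example's own, and the sample files are constructed with placeholder key blobs.

```shell
#!/bin/sh
# Added example: inventory key types and flag DSA (ssh-dss) leftovers.
# Function names are this example's own.

# key_types FILE...: prints "<file>:<lineno> <type>" for each key line.
# authorized_keys lines may start with options, so the type is the first
# field that looks like a key type, not necessarily field 1. A quoted
# option that itself contains a key type name would be misread.
key_types() {
    awk '
        /^[ \t]*(#|$)/ { next }                     # comments and blank lines
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-(dss|rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$/) {
                    print FILENAME ":" FNR " " $i
                    next
                }
            print FILENAME ":" FNR " unknown"
        }
    ' "$@"
}

# weak_keys FILE...: only the ssh-dss entries; status 0 if any were found.
weak_keys() { key_types "$@" | grep ' ssh-dss$'; }

# dss_overrides FILE...: ssh config lines that re-enable ssh-dss, like the
# PubkeyAcceptedKeyTypes workaround above; status 0 if any were found.
dss_overrides() { grep -n -i 'PubkeyAcceptedKeyTypes.*+ssh-dss' "$@"; }

# Constructed sample files (key blobs are placeholders, not real keys).
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
printf 'ssh-dss AAAA_PLACEHOLDER_DSA user@host\n' > "$DEMO/id_dsa.pub"
printf '# constructed\nfrom="10.0.0.*" ssh-dss AAAA_PLACEHOLDER_DSA old\nssh-ed25519 AAAA_PLACEHOLDER_ED new\n' \
    > "$DEMO/authorized_keys"
printf 'Host *\n    PubkeyAcceptedKeyTypes=+ssh-dss\n' > "$DEMO/config"

key_types "$DEMO/id_dsa.pub" "$DEMO/authorized_keys"
weak_keys "$DEMO/id_dsa.pub" "$DEMO/authorized_keys"
dss_overrides "$DEMO/config"
```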