Ten(ish) steps to set up a dockstar

This forum is for Marvell Kirkwood devices such as the GoFlex Home/Net, PogoPlug v1/v2, SheevaPlug, and ZyXEL devices.

Postby blurry » Tue Sep 21, 2010 3:55 pm

NOTE: The contents of this post have been updated and put into a wiki page here: http://Arch Linux ARM.com/index.php5?title=Ten(ish)_steps_to_setting_up_a_Segate_Dockstar -- please disregard the stuff here as it has changed slightly.

Or rather, "a summary of the torture I've bestowed on my dockstar". I'm putting together a writeup of how to take a factory dockstar and get it set up to be a stable, faithful pint-sized server. I haven't gotten around to doing the necessary html formatting and filling in a few sections, but please weigh in if anything looks wrong or if there are better options than the ones I've provided. The majority of the information I put together came from various posters, too many to list. Thanks everyone!

What can I do with a dockstar?
Once you void your warranty, quite a bit actually. You can even run Java on it if you dig through Oracle's webpage maze of twisty passages all alike. What I've managed to do is documented here:

  • Dockstar running Arch Linux ARM (Arch) Linux
  • Apache with WebDav (web folders) support
  • Samba windows share folders and networked cd-rom drive for driveless netbooks
  • MiniDLNA media/music/picture streaming to XBox 360 and PS3
  • Green/orange LED to indicate network activity and if OS is running

Why a dockstar?

There's a bit of a story to it, and the moral is that sometimes you have to wait for the right solution for the right price. Skip ahead if you have your own mind made up on why you're about to void your Dockstar's warranty. Read on if you're curious or if you're still on the fence.

Now that I have school-age kids, and more than two computers in active use in the house, we've been reeling from the lack of a centralized storage place for documents. Documents get lost among the different computers, and inevitably right before they're due. The kids also frequently ask me to look at photos that I've taken that sit on my computer. And it would be nice to let them view pictures or listen to MP3s on our various game consoles so we can free up computers needed for more important things.

I've tried setting up share folders from our always-on media center, but sometimes it just falls short. For one thing, it's loud and an energy drain. And we're mostly watching Netflix on demand and shutting down the media center when not in use. So much for always-on storage. So I needed a low-cost, low-energy platform. After the third time I had to reinstall windows because my kids, despite being instructed not to, used Internet Exploder and discovered a new trojan, I decided that the platform should also be linux-based -- if for no other reason than because I feel more comfortable securing a Linux box than a Windows box, being an Ubuntu user for over three years.

One day, a good friend picked up a Seagate Dockstar on W00t for dirt cheap. And I felt quite envious for not moving fast enough when the deal was over. Time flies, and I finally get back to the growing pains previously described and thought about her dockstar. Another windows-reinstall later and I realize it's time to solve our in-house storage problem. And, thanks to the passage of time I was able to get the Dockstar for $36 and a 500gb drive for $80.

Pogo is, by default, a very nice setup for someone that likes what they got out of the box and doesn't aspire to squeeze out extra features. I'm not that type of user. I needed more, and I don't want third-parties having root-access to something inside my network.

In retrospect, I could have gone through this exercise with a pogoplug or sheeva with the same result. Since the dockstar only has 128mb ram, you might want to consider if that's going to be an issue for you before clicking the "Buy it now" button and compare specs to similar devices.

Step one: Buy insurance
Order a CA-42 data cable for $4 or less -- keep handy in case you goof up and have no way to connect to the box via network.

Step two: Get root shell access on dockstar
  • Method 1: First boot, don't connect to internet
    -If you have a wireless router with DHCP, disconnect router from internet
    -Use router client list to get IP address
    -If you only have a switch/hub, use nmap to scan for ip address (169.x.x.x)
  • Method 2: If not booting the first time and ssh is disabled
    -Enable from pogo
  • Method 3: Use serial cable (CA-42)

Step three: Install Jeff Doozan's uBoot
Instructions for doing this can be found on Jeff Doozan's site here: http://jeff.doozan.com/debian/uboot/

Step four: Set up Arch Linux ARM linux
Method 1: From pogo, the Arch Linux ARM install instructions detail how to format your linux drive from the dockstar directly.
Method 2: From a linux desktop. You can perform the same instructions directly from a linux desktop if you have one handy, since you're basically just getting the OS filesystem image and copying the files over. The advantage here is you can drag over other files, etc to seed the filesystem -- e.g. do some pre-configuration of other things that you want to set up, replace the kernel image up-front, etc.

Boot up the device to test and for first login, change your root password.

Optional: Create a swap file

By default there is no swap. This isn't a big deal for most small apps, but if you want to do a lot of things you might be in trouble without swap space since the device only has 128mb ram. This will create a 500mb swap file in /var/swap
    dd if=/dev/zero of=/var/swap count=1000000
    # swap can hold memory contents, so keep the file readable by root only
    chmod 600 /var/swap
    mkswap /var/swap
    swapon /var/swap
Add this to the end of /etc/fstab:
    /var/swap swap swap defaults 0 0

Optional: Fix USB Sound
If you want to support USB audio, it will be choppy unless you do the following. Create file /etc/asound.conf
with the following content:

    pcm.!default {
        type hw
        card 0
    }

    ctl.!default {
        type hw
        card 0
    }

Step five: Configure dockstar light
-Install dockstar kernel, replacement dockstar kernel can be found here:
http://myplugbox.com/new/kernel26-dockstar/kernel26-dockstar-2.6.35.4-1-arm.pkg.tar.xz

-Install iptables
    pacman -S iptables

To get the orange LED to blink on TCP/IP access, edit /etc/rc.local and add the following:
    # Load the netfilter LED target module (needed for -j LED)
    modprobe xt_LED
    #Set up orange LED to blink on incoming TCP traffic
    iptables -A INPUT -p tcp -j LED --led-trigger-id tcpin --led-delay 100
    echo netfilter-tcpin > /sys/class/leds/dockstar\:orange\:misc/trigger

To get the orange LED to blink a heartbeat when the OS has halted, add the following to /etc/rc.local.shutdown:
    echo heartbeat > /sys/class/leds/dockstar\:orange\:misc/trigger

Step six: Configure automount
This is handy if you want to have a removable storage device (usb stick, dvd-rom, etc) that can be mounted and unmounted automatically. Nothing sucks more than having to SSH to your box just to eject a disk -- and setting up automount can save you a lot of frustration.

    pacman -S automount
Edit file: /etc/autofs/auto.master
    /media /etc/autofs/auto.misc --timeout=5

Edit file: /etc/autofs/auto.misc
    cdrom -fstype=auto,ro,nodev,nosuid :/dev/sr0
    usbstick -fstype=auto,async,nodev,nosuid,umask=000 :/dev/sdb1
Add automount to startup (add to daemons list) if you want it to run on boot

Add this to the end of /etc/fstab: (VALIDATE -- IS THIS STILL NECESSARY?)
    /dev/sr0 /media/cdrom auto ro 0 0

Step seven: Configure samba
    pacman -S samba
Missing: Basic setup of smb.conf and setting up samba users/passwords -- this is a well-covered topic though so I don't plan to elaborate a whole lot...

Step eight: Configure minidlna
More info: http://Arch Linux ARM.com/index.php5?title=Application:MiniDLNA
    pacman -Sy minidlna

An example configuration: each user has a pictures, videos and music subdirectory set up. I've set up minidlna to show each of these as follows:
(/etc/minidlna.conf)
    media_dir=A,/home/USER_A/music
    media_dir=V,/home/USER_A/videos
    media_dir=P,/home/USER_A/pictures
    media_dir=A,/home/USER_B/music
    media_dir=V,/home/USER_B/videos
    media_dir=P,/home/USER_B/pictures
    ...

That way, these folders can be easily manipulated from Samba or Apache shared folders. If you set inotify to "yes" then you shouldn't have to restart minidlna in order to pick up new files.

Step nine: Configure apache with webdav enabled
Download apache httpd source, unpack it and build with:
    ./configure --prefix=/usr/apache --enable-dav-fs --enable-dav --enable-auth-digest --enable-deflate --enable-vhost-alias
    make
    make install

If you are using Windows XP
-You MUST use http and digest authentication, XP doesn't support https webdav correctly
-Usernames must have domain names (e.g. domain\user)

If you are using Windows Vista or Windows 7
-You can use https with basic authentication if you don't care to support XP
-If you need to support XP, use HTTP with digest authentication
-Install fix from microsoft (why? Because they ship it in a broken state in Vista and Windows 7 -- go figure!) http://www.microsoft.com/downloads/details.aspx?FamilyId=17C36612-632E-4C04-9382-987622ED1D64&displaylang=en
-Set up user names without domain name (and also with domain names if you are supporting XP as well)

Step ten: Set up port forwards, and secure that server!

WARNING: If you're not comfortable with setting up firewalls, monitoring your network for signs of intrusion, or reinstalling windows on compromised computers because you've failed to do one or both of the preceding things mentioned, then you shouldn't bother with this step. Once you forward ports into your network, you're opening a hole, and it's up to you to ensure that doesn't lead to opening up Pandora's box in the process. Once your Arch Linux ARM install is compromised, it can function as a really handy place to run rootkits and so on. There are some things to consider:

CAVEAT EMPTOR: I don't know everything. I might have gotten some facts wrong. Do your own reading. Arm yourself with knowledge. Network security is not something you should walk into blindly, or rely on a single source of information. As with any computer hooked up to a network, keep on top of security bulletins for software used on it, such as Apache, Arch Linux, etc.

1) A lot of things can be updated by a simple "pacman -Su" once in a while. That's easy to do, only takes a couple of minutes and you should make it a habit. Hopefully as long as the Arch Linux ARM community remains active, the repositories will be kept up to date. (crosses fingers!)

2) You're running a recent distro with an up-to-date (as of the time of writing) kernel, and you've compiled a recent version of Apache from source. There is not much risk (for now) that your webserver will be compromised -- unless you've set it up to run daemons as root (why did you do that?), or unless you don't periodically check for updates and re-compile it once every few months just to stay on top of the latest security patches.

3) Some rootkits rely on x86 precompiled binaries. Your device is ARM5. Assuming script kiddies are uncreative (that's a pretty safe assumption), even someone rooting your box has to be smart enough to know how to do things in a platform-agnostic way or use the right kit. In the event someone breaks in and possesses actual talent, you might do well to set a few ground rules to make their lives more difficult:
- Uninstall anything you don't need. Not using PERL? Uninstall it. Not using Python or Ruby? Ditto. The less stuff is there, the fewer utilities someone will have at their disposal to do mean and nasty things. Consider putting the really powerful utilities on a thumbdrive, such as wget, gcc, make, ssh, telnet, pacman, etc -- such that the only way to do anything useful is if you plug in your "root-tastic" thumbdrive and mount it. Otherwise said attacker would have to find pre-compiled binaries for your system. If they couldn't figure out they're on an ARM5 box, then they'll probably give up sooner or later and find an easier target. (Note: This is only if you are in close proximity most of the time -- if you're away on vacation you might want to take the gamble that you'll need those things should you remotely log in to the box, otherwise you'll be stuck with an unsolvable problem until you get home)
- Consider walling off the rest of your network from the box and only accessing it from the "outside". See if it is feasible to set up DMZ with your router if possible. A compromised box in a DMZ is less of a threat than one sitting inside your network proper. DMZ might be found under "Applications and Gaming" or "Advanced", depending on your router.
- For the love of God, please change your router's root password to something besides "admin". DD-WRT is fun, and Tomatoes are delicious. But those are also very well known distributions and are easily rooted if you don't secure them properly. Don't need telnet? Turn it off. Probably best to leave SSH on in case you render your router's HTTP configuration inaccessible. But the moral here is don't leave the back door open and use easy-to-guess passwords. It's very trivial to compromise an entire network once a router is rooted.

Okay, enough of the paranoia diatribe. Let's pretend now that you've secured your server and network -- or you flat out don't care and are ready to ride the lightning. From your router, see if it supports DDNS. If so, set up a dyndns (or similar) account. After creating your domain, configure your router for dyndns.org and give it the domain name and login credentials.

Next go to the port forwarding configuration (In DD-WRT, it's the NAT/QOS tab). Set a forward from port 80 to your Arch Linux ARM install's IP address and apache's httpd port (probably also 80). If using ssh, also forward port 443. Select either "TCP" or "Both". Also don't forget to enable the port forward. If you want to SSH to your pogobox (think: cheap VPN solution), you can also forward port 22. If you want port 80 to only be available outside your network some of the time, consider only forwarding port 22 and using an SSH port tunnel when needed -- it's one less hole to deal with.

When you're done you should be able to use a browser from anywhere on the internet, go to http://yourdomain... and get to your webdav shares, webpages, or whatever no-good bidding Apache was set up to do for you. Likewise, SSH to your domain name if you've forwarded port 22.

SSH Port Tunneling (forwarding) info -- commandline: http://www.symantec.com/connect/articles/ssh-port-forwarding
PuTTY: http://www.chiark.greenend.org.uk/~sgtatham/putty/
SSH Port Tunneling with PuTTY: http://www.ehow.com/how_2036605_create-ssh-putty.html

Sources:
  • Plug apps: http://Arch Linux ARM.com
  • Alexander Holler: http://ahsoftware.de/dockstar/
  • Jeff Doozan: http://jeff.doozan.com/debian/uboot/
  • firestorm_v1: http://www.yourwarrantyisvoid.com/2010/07/21/seagate-dockstar-add-an-accessible-serial-port/
  • http://www.yourwarrantyisvoid.com/2010/09/08/dead-dockstar-resurrected-with-jtag/
Last edited by blurry on Thu Sep 23, 2010 12:56 am, edited 1 time in total.
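
A check for two of the Step ten points in the post above (daemons running as root, and what is actually listening once ports are forwarded), as an added example that is not part of the original post. The function names and sample data are hypothetical and constructed; it assumes procps `ps` and net-tools `netstat` on the box, and an allow-list of the ports you chose to forward.

```shell
#!/bin/sh
# Added example (not from the original post). Sample data below is constructed.

# Count httpd processes that run as root AND whose parent is also httpd.
# The parent httpd legitimately starts as root to bind port 80; its workers
# should run as the unprivileged account set by User/Group in httpd.conf.
# stdin: "USER PID PPID COMMAND" lines, e.g. `ps -eo user=,pid=,ppid=,comm=`
root_httpd_workers() {
    awk '$4 == "httpd" { user[$2] = $1; parent[$2] = $3 }
         END {
             n = 0
             for (p in user)
                 if (user[p] == "root" && (parent[p] in user)) n++
             print n
         }'
}

# List TCP ports listening on a non-loopback address that are not in the
# allow-list ($1, space separated): services reachable from the network
# that you did not mean to expose.
# stdin: output of `netstat -tln`
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $NF == "LISTEN" {
            addr = $4; port = $4
            sub(/.*:/, "", port)        # keep text after the last colon
            sub(/:[0-9]+$/, "", addr)   # keep text before it
            if (addr == "127.0.0.1" || addr == "::1") next
            if (!(port in ok) && !seen[port]++) print port
        }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample: parent httpd (PID 410) plus two workers, one wrongly root.
SAMPLE_PS='root 410 1 httpd
nobody 411 410 httpd
root 412 410 httpd
root 300 1 sshd'

# Constructed sample: sshd, httpd, Samba (139/445), MiniDLNA (8200) and one
# loopback-only listener (631).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8200            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN'

echo "root httpd workers: $(printf '%s\n' "$SAMPLE_PS" | root_httpd_workers)"
echo "not in allow-list:  $(printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners '22 80 443')"
```

On the device itself, pipe the live `ps` and `netstat -tln` output into the two functions in place of the samples; any port the second one prints is reachable if the box sits in a router DMZ.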

Re: Ten(ish) steps to set up a dockstar

Postby blurry » Tue Sep 21, 2010 4:07 pm

I should have added that in order to compile apache you have to first install the necessary packages with pacman to compile it, e.g. make, gcc, etc.

Is there a way to enable the dav modules on the apache httpd in the Arch Linux ARM repo?

Re: Ten(ish) steps to set up a dockstar

Postby falker » Tue Sep 21, 2010 6:13 pm

Good guide, perhaps add it to the wiki?

blurry: get the PKGBUILD for apache and modify it to your needs. You can get by using 'abs'.

Re: Ten(ish) steps to set up a dockstar

Postby blurry » Wed Sep 22, 2010 6:19 pm

Needs some polish though -- if I post to the wiki can you guys help edit it to smooth out the bumps?

Thx,
-B

Re: Ten(ish) steps to set up a dockstar

Postby kmihelich » Wed Sep 22, 2010 11:55 pm

Step 5 has actually been more completely documented by me here.

You can just pacman -S kernel26-dockstar instead of the whole download process.

For netfilter LED control, you forgot to mention modprobe xt_LED - that module needs to be there.

Overall, it's a good guide, but I can't help but feel that the gist of it is mainly covered in the install wiki page, albeit in a less user-friendly manner. Perhaps just linking to guides such as the Dockstar LED instead of just grabbing bits and pieces? Application install guides also provide the information to get them up and running. If there are more detailed examples of configuration or usage, I'd think those pages would be the place to post it. This would also enable information to be managed in one place. If there was a future change to instructions, it's far more time-consuming and error-prone to have to hunt down and change X number of guides, as opposed to changing guides specifically created for that purpose.

Re: Ten(ish) steps to set up a dockstar

Postby blurry » Thu Sep 23, 2010 12:33 am

Woah -- yeah modules work much better if you remember to load them. LOL

I agree with your overall point -- The majority of information is in the install instructions to some limited degree, but is in bits and pieces -- and some of the finer details only come from lurking the forums for a while. For one thing, the Arch Linux ARM installer relies on the broken uboot kernel, and I recommend going with Doozan's uBoot to make things much less brick-tastic. There are a lot of other bits of info, but it requires a lot of hunting around and so on. e.g. WebDAV was something that took a considerable amount of effort to get running. Originally I planned on just writing up what I did so that if I did something patently stupid I could replay my config again and get going much faster. At some point I realized it could be more instructional and helpful for anyone wanting to set up a similar configuration from start to finish, so some "why does this matter" type details were added at the start of each section.

Re: Ten(ish) steps to set up a dockstar

Postby kmihelich » Thu Sep 23, 2010 12:51 am

As of a few weeks ago, the install wiki was changed to only use Jeff's u-boot, since it has been proven more or less to be stable. Though I do agree that the install page does need a major usability overhaul. That's a common flaw of developers writing wiki pages, designing interfaces, or doing sales (Office Space), we don't have people skills. The install page right now is more of a big mash-up of what we've figured out to work, without having much more information than a line to type.

I think adding your application install notes to the application wiki pages would be a good idea. Maybe create a new section at the bottom of each page titled "Possible Implementation Examples" or something. The application pages also seem to be missed a lot, as a lot of questions in IRC tend to be "how do I setup ___?" Something useful might be a set of guides for specific scenarios, maybe layered on themselves. My inspiration is remembering that one HTML instruction site that had a ton of articles titled "So you want to _____?" Follow those links and it tells you how to set up a generic version of _____. That's what's on my mind anyway.

Re: Ten(ish) steps to set up a dockstar

Postby blurry » Thu Sep 23, 2010 12:59 am

heheheh.. I'm a developer as well so I know the drill. But I also grew up reading Nibble magazine and typing in programs, so I have an equal respect for solid documentation as well as solid code. Anyway, I've incorporated some changes (and yes, I included the LED wiki link as well at the top of that respective section.) If the wiki page makes sense, please feel free to update or modify as necessary. If it doesn't make sense, feel free to borrow bits and pieces and reuse where appropriate elsewhere.

Re: Ten(ish) steps to set up a dockstar

Postby jpearn » Tue Sep 28, 2010 12:28 pm

OK, I need a bit of help ! So I've got around to the installing Apache from source and used http://www.apache.org/dist/httpd/httpd-2.2.16.tar.gz downloaded into /tmp then installed the base-devel and ran ./configure / make / make install. Everything looked OK but there's nothing in /etc/rc.d to start Apache.
I guess I'm missing something simple ?? !! I was after the WebDAV access in particular.

Edit - OK I've found it's installed to /usr/apache and is started via '/usr/apache/bin/apachectl start'

So how can I make this start automatically on boot ??

Edit 2 - Adding a symbolic link 'ln -s /usr/apache/bin/apachectl /etc/rc.d/apache' works !

Re: Ten(ish) steps to set up a dockstar

Postby hojnikb » Tue Sep 28, 2010 2:57 pm

Adding this command to rc.local would work as well.