Best way to install FW on a Raspberry Pi?


#21

Thanks Eliot - adding that line to the .env file then exporting it again did the trick! I was able to migrate my DB :smiley:
I configured SystemD - no problem.

Then I moved on to the reverse proxy setup, and hit a new snag…
When running
envsubst "`env | awk -F = '{printf \" $%s\", $$1}'`" \
< /etc/nginx/sites-available/funkwhale.template \
> /etc/nginx/sites-available/funkwhale.conf
I got the following error:
awk: program limit exceeded: maximum number of fields size=32767
FILENAME="-" FNR=10 NR=10
bash: /etc/nginx/sites-available/funkwhale.conf: Permission denied

Searching online, I found that using gawk should be a way to get around the “max number of fields” error - so I installed it, and tried the same command using gawk instead of awk. It solved the max number of fields error apparently.
However, I still get bash: /etc/nginx/sites-available/funkwhale.conf: Permission denied, even when sudoing…
(I’m using my default superuser Pi account for all these commands)

Should I modify the permissions of the funkwhale.conf file somehow? If so, I prefer to ask you how, before I do anything silly… :slight_smile:


#22

What are the current permissions in /etc/nginx/sites-available/? Could you post the output of ls -l in this folder?


#23

Hi! This is what I get:

total 8
-rw-r--r-- 1 root root 2416 Nov  7 05:40 default
-rw-r--r-- 1 root root 3112 Dec  2 21:50 funkwhale.template

#24

It looks like it’s refusing to create /etc/nginx/sites-available/funkwhale.conf because when you run:
$ sudo envsubst "`env | awk -F = '{printf \" $%s\", $1}'`" \
< /etc/nginx/sites-available/funkwhale.template \
> /etc/nginx/sites-available/funkwhale.conf
the part on the right side of > is not executed with sudo. Try:
$ sudo -i
and then:
# envsubst "`env | awk -F = '{printf \" $%s\", $1}'`" \
< /etc/nginx/sites-available/funkwhale.template \
> /etc/nginx/sites-available/funkwhale.conf
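
The redirection point from the post above, as an added example that is not part of the original thread or the Funkwhale documentation: the template is rendered unprivileged and only the final write runs as root. It goes one step further than the thread by listing only the keys of the .env file for envsubst instead of the whole environment; the function names and the sample .env content are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the Funkwhale docs).
# Function names and the sample .env content are assumptions.

# Print " $KEY1 $KEY2 ..." for each KEY=value line of an env file.
# This is the SHELL-FORMAT argument of envsubst: only the listed variables
# are replaced, so nginx's own $host, $scheme, ... stay untouched.
env_file_vars() {
    awk -F= '/^[A-Za-z_][A-Za-z0-9_]*=/ { printf " $%s", $1 }' "$1"
}

# Render TEMPLATE ($2) with the variables of ENV_FILE ($1) to stdout.
# The subshell keeps the exported variables out of the calling shell.
render_template() {
    (
        set -a          # export everything the env file assigns
        . "$1"
        set +a
        envsubst "$(env_file_vars "$1")" < "$2"
    )
}

# Why "sudo envsubst ... > file" fails: the calling shell opens the file
# named after ">" with the caller's own privileges, before sudo starts.
# Let a root process open the destination instead:
#
#   render_template /path/to/.env /etc/nginx/sites-available/funkwhale.template \
#       | sudo tee /etc/nginx/sites-available/funkwhale.conf > /dev/null
#
# Only tee runs as root here.

# Demo on constructed input: one templated value, one nginx variable.
demo_render() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sample' \
        'FUNKWHALE_HOSTNAME=music.example.org' \
        'FUNKWHALE_API_PORT=5000' > "$dir/env"
    printf '%s\n' 'server_name ${FUNKWHALE_HOSTNAME};' \
        'proxy_set_header Host $host;' > "$dir/tpl"
    render_template "$dir/env" "$dir/tpl"
    rm -rf "$dir"
}

if command -v envsubst >/dev/null 2>&1; then
    demo_render
fi
```

In the demo output, `${FUNKWHALE_HOSTNAME}` is replaced while `$host` is left for nginx to evaluate at request time.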


#25

Thanks renon! It seems like switching to root did the trick.
So I finished the reverse-proxy config, created the symbolic link, and tested the nginx config file:

nginx: [alert] could not open error log file: open() “/var/log/nginx/error.log” failed (13: Permission denied)

2018/12/03 21:54:29 [warn] 14910#14910: the “user” directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:1

2018/12/03 21:54:29 [emerg] 14910#14910: BIO_new_file("/etc/letsencrypt/live/xxx.xxx.xyz/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen(’/etc/letsencrypt/live/xxx.xxx.xyz/fullchain.pem’,‘r’) error:2006D080:BIO routines:BIO_new_file:no such file)

nginx: configuration file /etc/nginx/nginx.conf test failed

Looks like I’m not done with nginx quite yet…
Time for bed now, I’ll try debugging that tomorrow!


#26

Yup, we’re missing a bit of documentation for the SSL part. You can basically generate a Let’s Encrypt certificate with sudo certbot certonly --nginx --domain=yourdomain and reloading nginx should work, or use a custom SSL certificate and update the paths in the nginx configuration template :slight_smile:


#27

Thanks for the advice on the SSL, Eliot!

However, I haven’t found a way to grab an SSL certificate yet…
I keep bumping into the same error:

Type: connection
Detail: Fetching
Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

Confirmed using canyouseeme.org: “I could not see your service on port (80). Reason: Connection timed out.”

I have made sure that ports 80 and 443 are open in my ufw firewall; and I have also configured my router to forward these ports to my RPI’s IP.

So barring any mistake on my side, I see two possible explanations:

  1. my router’s firewall is causing the issue. I switched the FW security setting to “Low,” described on the router web interface as “WAN host can directly access LAN hosts, but can’t directly access the device itself (except echo-request).” Does that mean the firewall is now letting web traffic in towards the RPI server?
  2. my ISP is preventing me from forwarding ports 80/443.

Any advice on how to check who might be the culprit? If it’s the ISP, I guess I can just ask whoever wants to connect to use a non-standard port, right?

I’ve just tried forwarding to port 8080 - but it seems my Funkwhale instance isn’t in good shape anyway… (I just get a blank page)

Here are the logs:

pi@raspberrypi:~ $ sudo systemctl status funkwhale-server.service
● funkwhale-server.service - Funkwhale application server
   Loaded: loaded (/etc/systemd/system/funkwhale-server.service; disabled; vendor preset: enabled)
   Active: inactive (dead)

pi@raspberrypi:~ $ systemctl status nginx.service
● nginx.service - A high performance web server and a reverse proxy server
   Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Mon 2018-12-10 23:12:58 GMT; 14s ago
     Docs: man:nginx(8)
  Process: 3216 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=1/FAILURE)
  Process: 3213 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)

Dec 10 23:12:57 raspberrypi nginx[3216]: nginx: [emerg] bind() to [::]:80 failed (98: Address already in use)
Dec 10 23:12:57 raspberrypi nginx[3216]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
Dec 10 23:12:57 raspberrypi nginx[3216]: nginx: [emerg] bind() to [::]:80 failed (98: Address already in use)
Dec 10 23:12:58 raspberrypi nginx[3216]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
Dec 10 23:12:58 raspberrypi nginx[3216]: nginx: [emerg] bind() to [::]:80 failed (98: Address already in use)
Dec 10 23:12:58 raspberrypi nginx[3216]: nginx: [emerg] still could not bind()
Dec 10 23:12:58 raspberrypi systemd[1]: nginx.service: Control process exited, code=exited status=1
Dec 10 23:12:58 raspberrypi systemd[1]: Failed to start A high performance web server and a reverse proxy server.
Dec 10 23:12:58 raspberrypi systemd[1]: nginx.service: Unit entered failed state.
Dec 10 23:12:58 raspberrypi systemd[1]: nginx.service: Failed with result 'exit-code'.
pi@raspberrypi:~ $ sudo service apache2 restart
pi@raspberrypi:~ $ journalctl -xe
Dec 10 23:09:04 raspberrypi sudo[3071]: pam_unix(sudo:session): session closed for user root
Dec 10 23:10:21 raspberrypi sudo[3125]:       pi : TTY=pts/1 ; PWD=/home/pi ; USER=root ; COMMAND=/usr/sbin/ufw allow 8080
Dec 10 23:10:21 raspberrypi sudo[3125]: pam_unix(sudo:session): session opened for user root by pi(uid=0)
Dec 10 23:10:21 raspberrypi sudo[3125]: pam_unix(sudo:session): session closed for user root
Dec 10 23:11:09 raspberrypi sudo[3165]:       pi : TTY=pts/1 ; PWD=/home/pi ; USER=root ; COMMAND=/bin/nano /etc/apache2/sites-available/funkwhale
Dec 10 23:11:09 raspberrypi sudo[3165]: pam_unix(sudo:session): session opened for user root by pi(uid=0)
Dec 10 23:11:45 raspberrypi sudo[3165]: pam_unix(sudo:session): session closed for user root
Dec 10 23:11:53 raspberrypi sudo[3198]:       pi : TTY=pts/1 ; PWD=/home/pi ; USER=root ; COMMAND=/bin/nano /etc/nginx/sites-available/funkwhale.c
Dec 10 23:11:53 raspberrypi sudo[3198]: pam_unix(sudo:session): session opened for user root by pi(uid=0)
Dec 10 23:12:43 raspberrypi sudo[3198]: pam_unix(sudo:session): session closed for user root
Dec 10 23:12:56 raspberrypi sudo[3207]:       pi : TTY=pts/1 ; PWD=/home/pi ; USER=root ; COMMAND=/bin/systemctl restart nginx
Dec 10 23:12:56 raspberrypi sudo[3207]: pam_unix(sudo:session): session opened for user root by pi(uid=0)
Dec 10 23:12:56 raspberrypi systemd[1]: Starting A high performance web server and a reverse proxy server...
-- Subject: Unit nginx.service has begun start-up
-- Defined-By: systemd
-- Support: https://www.debian.org/support
-- 
-- Unit nginx.service has begun starting up.
Dec 10 23:12:56 raspberrypi nginx[3216]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
Dec 10 23:12:56 raspberrypi nginx[3216]: nginx: [emerg] bind() to [::]:80 failed (98: Address already in use)
Dec 10 23:12:56 raspberrypi nginx[3216]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
Dec 10 23:12:56 raspberrypi nginx[3216]: nginx: [emerg] bind() to [::]:80 failed (98: Address already in use)
Dec 10 23:12:57 raspberrypi nginx[3216]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
Dec 10 23:12:57 raspberrypi nginx[3216]: nginx: [emerg] bind() to [::]:80 failed (98: Address already in use)
Dec 10 23:12:57 raspberrypi nginx[3216]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
Dec 10 23:12:57 raspberrypi nginx[3216]: nginx: [emerg] bind() to [::]:80 failed (98: Address already in use)
Dec 10 23:12:58 raspberrypi nginx[3216]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
Dec 10 23:12:58 raspberrypi nginx[3216]: nginx: [emerg] bind() to [::]:80 failed (98: Address already in use)
Dec 10 23:12:58 raspberrypi nginx[3216]: nginx: [emerg] still could not bind()
Dec 10 23:12:58 raspberrypi systemd[1]: nginx.service: Control process exited, code=exited status=1
Dec 10 23:12:58 raspberrypi systemd[1]: Failed to start A high performance web server and a reverse proxy server.
-- Subject: Unit nginx.service has failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support
-- 
-- Unit nginx.service has failed.
-- 
-- The result is failed.
Dec 10 23:12:58 raspberrypi systemd[1]: nginx.service: Unit entered failed state.
Dec 10 23:12:58 raspberrypi systemd[1]: nginx.service: Failed with result 'exit-code'.
Dec 10 23:12:58 raspberrypi sudo[3207]: pam_unix(sudo:session): session closed for user root
Dec 10 23:13:50 raspberrypi sudo[3226]:       pi : TTY=pts/1 ; PWD=/home/pi ; USER=root ; COMMAND=/usr/sbin/service apache2 restart
Dec 10 23:13:50 raspberrypi sudo[3226]: pam_unix(sudo:session): session opened for user root by pi(uid=0)
Dec 10 23:13:50 raspberrypi systemd[1]: Stopping The Apache HTTP Server...
-- Subject: Unit apache2.service has begun shutting down
-- Defined-By: systemd
-- Support: https://www.debian.org/support
-- 
-- Unit apache2.service has begun shutting down.
Dec 10 23:13:50 raspberrypi apachectl[3235]: AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.
Dec 10 23:13:50 raspberrypi systemd[1]: Stopped The Apache HTTP Server.
-- Subject: Unit apache2.service has finished shutting down
-- Defined-By: systemd
-- Support: https://www.debian.org/support
-- 
-- Unit apache2.service has finished shutting down.
Dec 10 23:13:50 raspberrypi systemd[1]: Starting The Apache HTTP Server...
-- Subject: Unit apache2.service has begun start-up
-- Defined-By: systemd
-- Support: https://www.debian.org/support
-- 
-- Unit apache2.service has begun starting up.
Dec 10 23:13:50 raspberrypi apachectl[3242]: AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.
Dec 10 23:13:50 raspberrypi systemd[1]: Started The Apache HTTP Server.
-- Subject: Unit apache2.service has finished start-up
-- Defined-By: systemd
-- Support: https://www.debian.org/support
-- 
-- Unit apache2.service has finished starting up.
-- 
-- The start-up result is done.
Dec 10 23:13:50 raspberrypi sudo[3226]: pam_unix(sudo:session): session closed for user root
Dec 10 23:15:01 raspberrypi CRON[3308]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 10 23:15:01 raspberrypi CRON[3312]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Dec 10 23:15:01 raspberrypi CRON[3308]: pam_unix(cron:session): session closed for user root

#28

One way to see if your ISP is blocking http/s traffic is to install nginx (you’ll need it for funkwhale anyway), ensure it’s running and listening on port 80 (sudo netstat -tlpn) and rerun the certbot command, or try to access your server using your domain name from outside your network :slight_smile:


#29

Yes, I’ve installed nginx following the install manual, but there seems to be something wrong with my config… (see logs above) Not sure what’s the exact issue :frowning:

It mentions systemd at the end, I guess I’ll try digging in that direction.

There’s also something about “reliably determining the server’s fully qualified domain name”… Weird (I’ve set up my domain name in both the Apache and Nginx conf files)


#30

Oh, I missed something from your log: since you have nginx and apache installed, nginx cannot start (because the port 80 is already taken by Apache). That’s probably the cause of your issue :slight_smile:
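
An added example, not part of the original thread: one way to confirm which process holds the port nginx could not bind, run over log lines quoted earlier in the thread and constructed `ss -ltnp` output. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# stdin: nginx/journal log text. stdout: each distinct port nginx failed
# to bind with errno 98 (EADDRINUSE), one per line.
bind_conflict_ports() {
    sed -n 's/.*bind() to .*:\([0-9][0-9]*\) failed (98: Address already in use).*/\1/p' |
        sort -un
}

# stdin: output of `ss -ltnp`. stdout: distinct process names listening
# on TCP port $1. Run ss with sudo, otherwise the process column is empty
# for sockets owned by other users.
port_owners() {
    awk -v port="$1" '
        {
            n = split($4, addr, ":")      # column 4 = local address:port
            if (addr[n] != port) next     # also skips the header line
            rest = $0
            while (match(rest, /\("[^"]+"/)) {
                name = substr(rest, RSTART + 2, RLENGTH - 3)
                if (!(name in seen)) { seen[name] = 1; print name }
                rest = substr(rest, RSTART + RLENGTH)
            }
        }'
}

# $1 = log text, $2 = ss output. Reports who holds each contested port.
explain_bind_failures() {
    for p in $(printf '%s\n' "$1" | bind_conflict_ports); do
        owners=$(printf '%s\n' "$2" | port_owners "$p" | paste -s -d ' ' -)
        echo "port $p held by: ${owners:-unknown (run ss with sudo)}"
    done
}

# Log lines copied from the thread.
SAMPLE_LOG='Dec 10 23:12:57 raspberrypi nginx[3216]: nginx: [emerg] bind() to [::]:80 failed (98: Address already in use)
Dec 10 23:12:57 raspberrypi nginx[3216]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
Dec 10 23:12:58 raspberrypi nginx[3216]: nginx: [emerg] still could not bind()'

# Constructed ss output (header plus two listeners).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=512,fd=3))
LISTEN 0      511    *:80               *:*               users:(("apache2",pid=3243,fd=4),("apache2",pid=3242,fd=4))'

explain_bind_failures "$SAMPLE_LOG" "$SAMPLE_SS"
```

On a live host the two arguments would be `"$(journalctl -u nginx --no-pager)"` and `"$(sudo ss -ltnp)"`.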


#31

In this situation, I’d probably remove nginx on the host and convert the Funkwhale nginx file to an Apache virtual host. I’m not sure it’s up to date, but you can get started here: https://docs.funkwhale.audio/installation/index.html#apache2


#32

Ahaaa so you mean I wasn’t supposed to install both Nginx AND Apache?
Sorry, reading the manual it seemed to me that I needed both… [facepalm]

OK then, so I’ve kicked Nginx out :slight_smile:

…But I’m still going crazy over this!! The worst thing is, I have no clue where the root of my problem is.

Experiment A:

  1. I forwarded port 8080 on my router to my Pi + opened ufw port 8080 + changed line in the funkwhale.conf virtualhost to <VirtualHost *:8080>
  2. When trying to access my server URL +port 8080 through my cellphone (not on wifi), the page doesn’t load at all (“the connection was reset”).
  3. When trying to access my server URL +port 8080 through my laptop (on wifi), same thing.
  4. When trying my RPI’s IP in my laptop +port 8080 through my laptop, same. (However, if I input the IP without port 8080, I land on the Apache2 Debian Default Page)

Experiment B:

  1. I forwarded port 80 on my router to my Pi + opened ufw port 80 + changed line in the funkwhale.conf virtualhost back to <VirtualHost *:80>
  2. When trying to access my server URL through port 80 (default) through my cellphone (not on wifi), the page times out.
  3. When trying to access my server URL through my laptop (on wifi), I land on my router’s admin login page.
  4. When trying my RPI’s IP in my laptop through my laptop, I land on the Apache2 Debian Default Page…

In both experiments, whenever I try getting a Let’s Encrypt certificate, same error:

So no matter what I do, I seem to always go back to square one!
At least, if I’m not doing nonsense in forwarding my ports + configuring my Apache virtualhost, it would seem that the issue isn’t the ISP, right?

Also, I suspect that my FW server isn’t properly running (see log below)… but that’s probably another issue altogether :open_mouth:


#33

Ok, you seem to have multiple distinct problems:

  1. Your server/IP is not accessible from the outside world
  2. You cannot reach your server on port 8080
  3. You cannot get a Let’s Encrypt certificate
  4. Funkwhale is not running

I cannot really help with Problem 1. It really depends on your ISP / router. There should be some way to expose your server to the outside world. But if I were you, I’d solve problem 2 and 4 before that.

Problem 2. likely comes from a firewall issue. But you can simply change the Vhost port from 8080 to 80 and get rid of the default vhost to solve this.

Problem 3 is caused by problem 1: if your domain is not reachable from the internet, Let’s Encrypt cannot issue you a certificate.

As for Problem 4, does sudo systemctl start funkwhale.target work?


#34

Thank you for your patience and kind help, Eliot!
Your analysis makes a lot of sense.
It really seems I have some weird firewall problem somewhere, probably in my router. No port is being forwarded at all (even in DMZ mode), even those that aren’t normally blocked by ISPs. Might be a firmware/hardware issue…:sob:

As for Funkwhale - thanks for the command line! I was looking for something like this. When I run it, the FW service is shown as functioning.

However, I cannot access the GUI when typing my RPI’s IP - all I see is the “Default Apache Debian Page” mentioned above… Is there another extra step that I’m missing?


#35

I’d remove that default host completely, since you’re not using a domain name to access your instance, I think it catches all the requests made via IP addresses :slight_smile:


#36

Any ideas what my problem is here? Looks like a postgresql error. Running on a rpi3 / debian install.

sudo systemctl status funkwhale-server.service
● funkwhale-server.service - Funkwhale application server
Loaded: loaded (/etc/systemd/system/funkwhale-server.service; disabled; vendor preset: enabled)
Active: active (running) since Sat 2018-12-15 10:46:19 AEDT; 34min ago
Main PID: 705 (daphne)
CGroup: /system.slice/funkwhale-server.service
└─705 /srv/funkwhale/virtualenv/bin/python3 /srv/funkwhale/virtualenv/bin/daphne -b 127.0.0.1 -p 5000 config.asgi:applicatio

Dec 15 10:50:27 raspf daphne[705]: self.connect()
Dec 15 10:50:27 raspf daphne[705]: File “/srv/funkwhale/virtualenv/lib/python3.5/site-packages/django/db/backends/base/base.py”, line
Dec 15 10:50:27 raspf daphne[705]: self.connection = self.get_new_connection(conn_params)
Dec 15 10:50:27 raspf daphne[705]: File “/srv/funkwhale/virtualenv/lib/python3.5/site-packages/django/db/backends/postgresql/base.py”
Dec 15 10:50:27 raspf daphne[705]: connection = Database.connect(**conn_params)
Dec 15 10:50:27 raspf daphne[705]: File “/srv/funkwhale/virtualenv/lib/python3.5/site-packages/psycopg2/__init__.py”, line 130, in co
Dec 15 10:50:27 raspf daphne[705]: conn = _connect(dsn, connection_factory=connection_factory, **kwasync)
Dec 15 10:50:27 raspf daphne[705]: django.db.utils.OperationalError: could not connect to server: No such file or directory
Dec 15 10:50:27 raspf daphne[705]: Is the server running locally and accepting
Dec 15 10:50:27 raspf daphne[705]: connections on Unix domain socket “/var/run/postgresql/.s.PGSQL.5432”?


#37

@dmurphydrtc it looks like your database server is not running. What is the output of systemctl status postgresql?

(If starting it does not solve the issue, can you please open a dedicated topic so I can help you? :slight_smile:)


#38

Eliot,

Corrupted SD card…Arrg. I’m sorted.


#39

Ouch, I hope you did not lose any critical data :frowning:


#40

Alas Eliot I needed to complete a rebuild. A dicky PSU. Anyway in the midst of rebuilding I came across this error message when I ran migrate for the first time. I ran it for a second time and it completed without error… thought I’d ask.

python api/manage.py migrate

Exception ignored in: <function WeakValueDictionary.__init__.<locals>.remove at 0x75b7b3d8>

Traceback (most recent call last):

File “/usr/lib/python3.5/weakref.py”, line 117, in remove

TypeError: ‘NoneType’ object is not callable

Exception ignored in: <function WeakValueDictionary.__init__.<locals>.remove at 0x75b7b3d8>

Traceback (most recent call last):

File “/usr/lib/python3.5/weakref.py”, line 117, in remove

TypeError: ‘NoneType’ object is not callable

I carried on and completed the install but I’m getting a lot of these messages when I run

sudo journalctl -xn -u funkwhale-server

Dec 17 21:05:25 funkmusic daphne[698]: 127.0.0.1:42250 - - [17/Dec/2018:10:04:57] “WSCONNECTING /api/v1/activity” - -
Dec 17 21:05:25 funkmusic daphne[698]: 127.0.0.1:42250 - - [17/Dec/2018:10:04:57] “WSCONNECT /api/v1/activity” - -
Dec 17 21:05:25 funkmusic daphne[698]: 127.0.0.1:42250 - - [17/Dec/2018:10:04:57] “WSDISCONNECT /api/v1/activity” - -
Dec 17 21:05:25 funkmusic daphne[698]: 127.0.0.1:42268 - - [17/Dec/2018:10:05:01] “WSCONNECTING /api/v1/activity” - -
Dec 17 21:05:25 funkmusic daphne[698]: 127.0.0.1:42268 - - [17/Dec/2018:10:05:01] “WSCONNECT /api/v1/activity” - -
Dec 17 21:05:25 funkmusic daphne[698]: 127.0.0.1:42268 - - [17/Dec/2018:10:05:01] “WSDISCONNECT /api/v1/activity” - -

Should I be concerned?

Also this - seems to happen when I start / stop any Instance radios (favorites / Random etc…)

sudo journalctl -xn -u funkwhale-server
-- Logs begin at Fri 2016-11-04 04:16:43 AEDT, end at Mon 2018-12-17 21:15:16 AEDT. --
Dec 17 21:15:10 funkmusic daphne[698]: session.radio.pick()
Dec 17 21:15:10 funkmusic daphne[698]: File “./funkwhale_api/radios/radios.py”, line 69, in pick
Dec 17 21:15:10 funkmusic daphne[698]: return self.pick_many(quantity=1, **kwargs)[0]
Dec 17 21:15:10 funkmusic daphne[698]: File “./funkwhale_api/radios/radios.py”, line 73, in pick_many
Dec 17 21:15:10 funkmusic daphne[698]: picked_choices = super().pick_many(choices=choices, quantity=quantity)
Dec 17 21:15:10 funkmusic daphne[698]: File “./funkwhale_api/radios/radios.py”, line 23, in pick_many
Dec 17 21:15:10 funkmusic daphne[698]: return random.sample(set(choices), quantity)
Dec 17 21:15:10 funkmusic daphne[698]: File “/usr/lib/python3.5/random.py”, line 324, in sample
Dec 17 21:15:10 funkmusic daphne[698]: raise ValueError(“Sample larger than population”)
Dec 17 21:15:10 funkmusic daphne[698]: ValueError: Sample larger than population

Last but not least…How do I connect to remote libraries correctly…I got this response when I tried connecting to

https://open.audio/federation/music/libraries/ce1fb6d4-fae6-464a-a34a-bdd46209ee82