iptables quick isolation

The following iptables rules give quick isolation of port 8080 on eth1; eth0 is open to everything.


# iptables -A INPUT -s 127.0.0.1 -j ACCEPT
# iptables -A INPUT -i eth0 -j ACCEPT
# iptables -A INPUT -i eth1 -p tcp --dport 8080 -j ACCEPT
# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -P INPUT DROP
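The same ruleset in iptables-restore form, as an added example that is not part of the original post. Loading it this way replaces the whole filter table in one step, so there is no moment where the DROP policy is in place before the ACCEPT rules exist, and the loopback rule is bound to the `lo` interface instead of a 127.0.0.1 source address, which a packet arriving on eth1 could just as well carry. The interface names and the port are the post's; the `render_rules` and `apply_rules` names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): the post's isolation rules as an
# iptables-restore ruleset, rendered from parameters and loaded atomically.
set -eu

# render_rules OPEN_IF ISOLATED_IF PORT
# Prints a filter-table ruleset: everything in on OPEN_IF, only new TCP
# connections to PORT on ISOLATED_IF, replies to our own connections, and
# a DROP policy for whatever is left. Lines starting with "#" are ignored
# by iptables-restore, so the comments can stay in the rendered output.
render_rules() {
    open_if="$1"; isolated_if="$2"; port="$3"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback matched on the interface rather than on a 127.0.0.1 source address
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened itself
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# The open interface: everything in
-A INPUT -i $open_if -j ACCEPT
# The isolated interface: only new TCP connections to the one port
-A INPUT -i $isolated_if -p tcp --dport $port -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# apply_rules OPEN_IF ISOLATED_IF PORT  (run as root)
# Parse the ruleset first (--test loads nothing), then commit it in one go.
apply_rules() {
    render_rules "$@" | iptables-restore --test
    render_rules "$@" | iptables-restore
}

# Preview what would be loaded:
# render_rules eth0 eth1 8080
```

The post's OUTPUT rule is dropped here because the OUTPUT policy is ACCEPT, which already lets replies out. On CentOS 6, `service iptables save` writes the live table to /etc/sysconfig/iptables so it survives a reboot, and `iptables -L INPUT -n -v` shows per-rule packet counters, the quickest way to confirm that port 8080 is the only thing being accepted on eth1.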

Notes on OCFS2

CentOS 6.5, uname -r => 2.6.39-400.211.3.el6uek.x86_64, ocfs2-tools version 1.8.0-10.el6

Complete mkfs commands:

  • To create a vmstore volume: mkfs.ocfs2 -b 4K -C 1M -N 14 -L FSDS -T vmstore --cluster-name=ocfs2cluster --cluster-stack=o2cb --global-heartbeat /dev/mapper/fsdsp1
  • To create a global heartbeat device: mkfs.ocfs2 -b 4K -C 1M -N 14 -L HB1 --cluster-name=ocfs2cluster --cluster-stack=o2cb --global-heartbeat /dev/devX. Note that the heartbeat device itself is not partitioned.
  • Chown to oneadmin before mounting (done once!)

Timeouts

Setup

  • 4 heartbeat devices for global heartbeat.
  • Heartbeat devices are not multipathed.
  • O2CB_HEARTBEAT_THRESHOLD = 61 because our storage volumes are multipathed.
  • Heartbeat starts as soon as the volumes are mounted.

Preparing Linux Template VMs

Tested on CentOS.

The original article is Preparing Linux Template VMs; please read that first. This article is kept for preservation and my own personal use.

Step 1: Clean out yum and apt caches.

/usr/bin/yum clean all
apt-get clean

Step 2: Force the logs to rotate.

/usr/sbin/logrotate -f /etc/logrotate.conf
/bin/rm -f /var/log/*-???????? /var/log/*.gz

Step 3: Clear the audit log & wtmp.

/bin/cat /dev/null > /var/log/audit/audit.log
/bin/cat /dev/null > /var/log/wtmp

This whole /dev/null business is also a trick that lets you clear a file without restarting the process associated with it, useful in many more situations than just template-building.

Step 4: Remove the udev persistent device rules.

/bin/rm -f /etc/udev/rules.d/70*

Step 5: Remove the traces of the template MAC address and UUIDs.

/bin/sed -E -i '/^(HWADDR|UUID)=/d' /etc/sysconfig/network-scripts/ifcfg-eth0

Just removing unique identifiers from the template so the cloned VM gets its own. The -E switch is what makes the (HWADDR|UUID) alternation work; without it sed reads the parentheses and the bar literally and deletes nothing.

Step 6: Clean /tmp out.

/bin/rm -rf /tmp/*
/bin/rm -rf /var/tmp/*

Under normal, non-template circumstances you really don’t ever want to run rm on /tmp like this. Use tmpwatch or any manner of safer ways to do this, since there are attacks people can use by leaving symlinks and whatnot in /tmp that rm might traverse (“whoops, I don’t have an /etc/passwd anymore!”). Plus, users and processes might actually be using /tmp, and it’s impolite to delete their files. However, this is your template image, and if there are people attacking your template you should reconsider how you’re doing business. Really.

Step 7: Remove the SSH host keys.

/bin/rm -f /etc/ssh/*key*

If you don’t do this all your VMs will have the same host keys, which has negative security implications.

Step 8: Remove the root user’s shell history

/bin/rm -f ~root/.bash_history
unset HISTFILE

No sense in keeping this history around; it’s irrelevant to the cloned VM.
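All eight steps as one script, added here as an example rather than taken from the original article. It takes a root prefix so the cleanup can be rehearsed on a scratch copy of the tree before it is run on the template with `/`; the package-cache and logrotate steps only run against the real root, since they cannot be pointed at a prefix. The paths and globs are the article's; the function name, the prefix argument and the scratch-run behaviour are my additions.

```shell
#!/bin/sh
# Added example, not the original article's script: the eight template-cleanup
# steps as one idempotent function over a root prefix.
set -eu

# clean_template ROOT   (use / for the real system, or a scratch tree to rehearse)
clean_template() {
    root="${1%/}"          # "/" becomes "", so "$root"/var/log is /var/log

    # Step 1: package caches, Step 2: force a rotation. Both act on the live
    # system only, so they are skipped when rehearsing against a prefix.
    if [ -z "$root" ]; then
        if command -v yum >/dev/null 2>&1; then yum clean all; fi
        if command -v apt-get >/dev/null 2>&1; then apt-get clean; fi
        logrotate -f /etc/logrotate.conf
    fi
    # Step 2 continued: rotated logs (dated "-YYYYMMDD" suffix) and gzipped ones
    rm -f "$root"/var/log/*-???????? "$root"/var/log/*.gz

    # Step 3: truncate the audit log and wtmp in place. ":" writes nothing, so
    # the file is emptied while the inode a daemon may hold open stays intact.
    for f in "$root"/var/log/audit/audit.log "$root"/var/log/wtmp; do
        if [ -e "$f" ]; then : > "$f"; fi
    done

    # Step 4: persistent udev rules that tie device names to the template's MACs
    rm -f "$root"/etc/udev/rules.d/70*

    # Step 5: MAC address and UUID of the template NIC. -E turns on the
    # (HWADDR|UUID) alternation; in plain BRE the parentheses are literal.
    ifcfg="$root"/etc/sysconfig/network-scripts/ifcfg-eth0
    if [ -e "$ifcfg" ]; then sed -E -i '/^(HWADDR|UUID)=/d' "$ifcfg"; fi

    # Step 6: scratch space. Template image only; see the caveat in the text.
    rm -rf "$root"/tmp/* "$root"/var/tmp/*

    # Step 7: every host key and its .pub, so each clone generates its own
    rm -f "$root"/etc/ssh/*key*

    # Step 8: root's shell history. "unset HISTFILE" in the calling shell keeps
    # the current session from writing a fresh one on logout.
    rm -f "$root"/root/.bash_history
}

# When run as a script: clean_template.sh /   (or a scratch prefix)
if [ "$#" -gt 0 ]; then clean_template "$1"; fi
```

To rehearse, copy the relevant parts of the template's tree into a scratch directory, run `clean_template /path/to/scratch`, and diff the result against the copy; only then run it with `/` on the template itself.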


Create a VM Image in OpenNebula

Tested on OpenNebula 4.4.1 on CentOS 6.5. It should work on recent OpenNebula versions.

This is almost copied from Tutorial: Deploy VM Using Image Created On OpenNebula Directly, for preservation and my own personal use. Check the original link first.

Step 1. Uploading the Installation CD Image

a. Go to Virtual Resources -> Images -> Create
b. Set Type to CDROM.
c. Leave Persistent unchecked.
d. Use either Provide a path and set it to a URL pointing to an OS installation image, or Upload and set it to an already downloaded OS installation image.

We now have an installation CD-ROM image in our datastore.

Step 2. Creating an empty hard disk (Datablock)

a. Go to Virtual Resources -> Images -> Create
b. Set Type to Datablock
c. Tick Persistent. Every change made to this datablock needs to persist since this is going to be the hard drive for each newly deployed VM.
d. Set Image Location to Empty datablock, set Size, (optionally) FS type, and FS Driver to qcow2.
e. Set Driver prefix to sd.
f. Last time I wasn’t setting FS Driver to qcow2 and ONE would barf

This will create an empty datablock which will be used to install the OS.

Step 3. Creating an OS image installation template

a. Go to Virtual Resources -> Templates -> Create
b. We are going to use the installation CD (Step 1) and the Datablock (Step 2). So, in Storage attach the installation CD and set READONLY to yes, and attach the datablock as well.
c. Set the Network (select a NIC)
d. Under OS Booting: In Boot set Boot to CDROM and in Features set ACPI to yes.
e. Under Input/Output set VNC and Listen IP to 0.0.0.0.
f. Under Context tick Add Network contextualisation and Add OnGate token.

Step 4. Deploy a VM based on the OS image installation template (Step 3)

a. Instantiate the template. This will create a VM, which will boot from the CDROM (Step 1) and install the OS in the datablock disk (Step 2).
b. Shutdown the VM when installation is complete and delete the VM. Remember, our datablock is persistent so the OS is installed and all changes are persistent.
c. Go to Virtual Resources -> Images and change its Type from Datablock to OS.

Step 5. Create a VM preparation template.

a. Create a normal template. Under Storage attach only the disk we created in Step 4. The VM boots from this disk.
b. NB: don’t do this if you want noVNC to work! To enable serial console access from the KVM side, under Other pass the following in the RAW data section and set the Type to KVM. This requires enabling it from the VM’s kernel side as well, by tweaking the grub config file that specifies kernel options during boot.
<devices><serial type="pty"><source path="/dev/pts/5"/><target port="0"/></serial><console type="pty" tty="/dev/pts/5"><source path="/dev/pts/5"/><target port="0"/></console></devices>
c. All other settings just like Step 3.

Instantiate the template and start a VM.

Step 6. Contextualisation

In our newly created VM:

a. Go to Basic Contextualisation. The process is not straightforward so here’s a rough guide.
- Open the VM’s VNC console.
- Set up the network for the VM.
- Set up the ONE repository and install the contextualisation deb package. UPDATE: Download it manually at http://dev.opennebula.org/attachments/download/750/one-context_4.4.0.deb since I can’t find it in the ONE repo.
b. NB: don’t do this if you want noVNC to work! To enable serial console access from the VM side, open /etc/default/grub and set the following:
GRUB_TERMINAL=serial
GRUB_CMDLINE_LINUX="console=tty0 console=ttyS0,115200n8"
GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1"
- Create /etc/init/ttyS0.conf with the following contents:
# ttyS0 - getty
#
# This service maintains a getty on ttyS0 from the point the system is
# started until it is shut down again.
start on stopped rc or RUNLEVEL=[12345]
stop on runlevel [!12345]
respawn
exec /sbin/getty -L -w 115200 ttyS0 vt102

- Full instructions at https://help.ubuntu.com/community/SerialConsoleHowto
c. Prepare the VM, i.e. clean it and make it pristine, following this guide.
d. Shutdown the VM and delete it.

Finally, go to the OS image and set it to non-persistent.

We can now use the OS image to instan­ti­ate new VMs.


Using ansible to setup Elastix



#### MacOS 10.9 Mavericks and Homebrew installation

- Mavericks comes with Python 2.7.5
- No need to install python using brew
- `brew install ansible`

#### Create VM

> virt-install -n elastix-2.4 --ram 2048 --vcpus 2 --os-type linux --os-variant=rhel6 --disk path=/var/lib/libvirt/images/elastix-2.4.img,bus=virtio,size=20 -l /var/lib/libvirt/images/Elastix-2.4.0-Stable-x86_64-bin-04feb2013.iso --graphics none --network bridge:br1,model=virtio -v -x "console=ttyS0"

- No additional packages installed!

#### To activate Elastix
- Turn off SELinux
- `setenforce 0`
- `vim /etc/selinux/config` and make it `permissive`
- `service iptables stop && chkconfig iptables off`
- Use ssh port 222 instead of 22
- and enable `PubkeyAuthentication`
- and `service sshd restart`
- reboot

#### Pre ansible tasks
- Generate an ssh key: `ssh-keygen -t rsa -C "email@domain ansible"` and save it as `id_rsa_ansible` (**don’t overwrite any existing key pairs**).
- `cat ~/.ssh/id_rsa_ansible.pub | ssh you@remote 'cat >> ~/.ssh/authorized_keys'` to place the ansible public key in /root/.ssh/authorized_keys on the new VM.
- *Take care of the dir and file permissions of the .ssh directory in the VM*
- `ssh-add ~/.ssh/id_rsa_ansible` locally to add the ansible key to the keyring. `ssh-add -l` lists the keys in the keyring.
- Create a `hosts` file somewhere containing the following:
> `elastix ansible_ssh_host= ansible_ssh_port=222 ansible_ssh_user=root`

- *For CentOS < 6* `ansible elastix -i ./hosts -m raw -a "yum install -y python-simplejson"` to install the json module needed for elastix to work.
See
- To test it: `ansible all -i ./hosts -m ping`. Success if you get

    
    elastix | success >> {
        "changed": false,
        "ping": "pong"
    }

Sinatra shortcuts


Want to test something and need to “deploy” an HTTP endpoint? Enter Sinatra.

  • gem install thin, because WEBrick complains about the missing Content-Length header.
  • ruby -r sinatra -e "post('/form') { puts params }". The -r switch loads the given library using require.
  • Test with something like curl -I -X POST http://127.0.0.1:4567/form

Notes on mbox to maildir migration


  • The mb2md command takes absolute paths.
  • mb2md -s mbox-path -d maildir-path.
  • The maildir-path is created.
  • Maildir folder structure is:

Maildir folder
|
|– new
|– cur
|– tmp

  • It seems safe to convert mboxes to maildirs while the MTA is active and delivering mail to the same folder. Need to double-check this!
  • Need to deactivate or update users’ .procmailrc.
  • The MTA builds the Maildir folder structure for the INBOX, i.e. we don’t need to do anything.
  • No need to create the Maildir base folder or the Sent/Drafts/Trash folders by hand; IMAP takes care of this.
  • Maildir folders are named with a leading dot, e.g. .Sent or .Trash. This is controlled by the IMAP server (dovecot).
  • The subscriptions file lists all the folders monitored by IMAP.

Adding EPEL repository

  • wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
  • rpm -Uvh epel-release-6-8.noarch.rpm

KVM autostart/suspend/shutdown guests

Check /etc/sysconfig/libvirt-guests and http://maciek.lasyk.info/sysop/2013/04/29/kvm-libvirt-guests-autostart-shutdown-pause/


Installing HP snmp agents on a Proliant server

Note: This is on CentOS 6.4

  • Download the HP SPP at http://h18013.www1.hp.com/products/servers/management/spp/index.html, get the latest.
  • # mount -o loop <SPPMDSLRH-filename> /mnt/SPP
  • # cd /mnt/SPP/hp/swpackages
  • yum localinstall the hp-health and the hp-snmp-agents packages.
  • # /sbin/hpsnmpconfig
    • vi /etc/snmp/snmp.local.conf and add the line syscontact watchdog <watchdog@my.domain.com>
  • # vi /opt/hp/hp-snmp-agents/cma.conf.
    • Change the line containing trapemail at its end to reflect the correct email address.
  • # /etc/init.d/hp-snmp-agents start
  • # chkconfig hp-snmp-agents on
