iptables quick isolation

The following iptables rules give a quick isolation of eth1 so that only TCP port 8080 is reachable on it, while eth0 stays open to everything. The INPUT policy is switched to DROP last, after the accept rules are in place, so you do not lock yourself out while typing them. Note that the first rule trusts anything carrying a 127.0.0.1 source address; matching on the loopback interface (-i lo) instead is the stricter form.


# iptables -A INPUT -s 127.0.0.1 -j ACCEPT
# iptables -A INPUT -i eth0 -j ACCEPT
# iptables -A INPUT -i eth1 -p tcp --dport 8080 -j ACCEPT
# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -P INPUT DROP
Posted in Uncategorized

Notes on OCFS2

CentOS 6.5, uname -r => 2.6.39-400.211.3.el6uek.x86_64, ocfs2-tools version 1.8.0-10.el6

Complete mkfs commands:

  • To create a vmstore volume: mkfs.ocfs2 -b 4K -C 1M -N 14 -L FSDS -T vmstore --cluster-name=ocfs2cluster --cluster-stack=o2cb --global-heartbeat /dev/mapper/fsdsp1.
  • To create a global heartbeat device: mkfs.ocfs2 -b 4K -C 1M -N 14 -L HB1 --cluster-name=ocfs2cluster --cluster-stack=o2cb --global-heartbeat /dev/devX, notice that we do not partition the device.
  • Chown to oneadmin before mounting (done once!)

Timeouts

Setup

  • 4 heartbeat devices for global heartbeat.
  • Heartbeat devices are not multipathed.
  • O2CB_HEARTBEAT_THRESHOLD is set to 61 because our storage volumes are multipathed.
  • Heartbeat starts as soon as the volumes are mounted.
Posted in Uncategorized

Preparing Linux Template VMs

Tested on CentOS.

The original article is Preparing Linux Template VMs, please read that first! This article is for preservation and my own personal use.

Step 1: Clean out yum and apt caches.

/usr/bin/yum clean all
apt-get clean

Step 2: Force the logs to rotate.

/usr/sbin/logrotate -f /etc/logrotate.conf
/bin/rm -f /var/log/*-???????? /var/log/*.gz

Step 3: Clear the audit log & wtmp.

/bin/cat /dev/null > /var/log/audit/audit.log
/bin/cat /dev/null > /var/log/wtmp

This whole /dev/null business is also a trick that lets you clear a file without restarting the process associated with it, useful in many more situations than just template-building.

Step 4: Remove the udev persistent device rules.

/bin/rm -f /etc/udev/rules.d/70*

Step 5: Remove the traces of the template MAC address and UUIDs.

/bin/sed -i -r '/^(HWADDR|UUID)=/d' /etc/sysconfig/network-scripts/ifcfg-eth0

Just removing unique identifiers from the template so the cloned VM gets its own. The -r switch is needed for the (HWADDR|UUID) alternation; without it sed treats the parentheses and the bar literally and deletes nothing.

Step 6: Clean /tmp out.

/bin/rm -rf /tmp/*
/bin/rm -rf /var/tmp/*

Under normal, non-template circumstances you really don’t ever want to run rm on /tmp like this. Use tmpwatch or any manner of safer ways to do this, since there are attacks people can use by leaving symlinks and whatnot in /tmp that rm might traverse (“whoops, I don’t have an /etc/passwd anymore!”). Plus, users and processes might actually be using /tmp, and it’s impolite to delete their files. However, this is your template image, and if there are people attacking your template you should reconsider how you’re doing business. Really.

Step 7: Remove the SSH host keys.

/bin/rm -f /etc/ssh/*key*

If you don’t do this all your VMs will have all the same keys, which has negative security implications.

Step 8: Remove the root user’s shell history

/bin/rm -f ~root/.bash_history
unset HISTFILE

No sense in keeping this history around, it’s irrelevant to the cloned VM.
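The eight steps above as one script, added here as an example and not taken from the original article: the function takes a root prefix so the run can be rehearsed against a scratch directory tree before it is pointed at a real template with "/". It assumes GNU sed (for -r) and CentOS-style ifcfg files under /etc/sysconfig/network-scripts.

```shell
# Added example (not from the original article): the eight cleanup steps
# as one function taking a root prefix. Pass "/" on the real template, or a
# scratch directory to rehearse. Assumes GNU sed and CentOS-style ifcfg files.
prepare_template() {
    root=${1%/}   # "/" becomes "", so the paths below resolve on the live system

    if [ -z "$root" ]; then   # steps that only make sense on a live system
        # Step 1: package caches (whichever package manager is present)
        command -v yum >/dev/null 2>&1 && yum clean all
        command -v apt-get >/dev/null 2>&1 && apt-get clean
        # Step 2a: force a rotation so the live logs start out empty
        logrotate -f /etc/logrotate.conf
    fi
    # Step 2b: drop the rotated copies (dated and gzipped)
    rm -f "$root"/var/log/*-???????? "$root"/var/log/*.gz
    # Step 3: truncate in place; running daemons keep their open handles
    : > "$root/var/log/audit/audit.log"
    : > "$root/var/log/wtmp"
    # Step 4: persistent udev rules (device naming tied to this MAC)
    rm -f "$root"/etc/udev/rules.d/70*
    # Step 5: strip HWADDR/UUID; -r makes the (A|B) alternation work,
    # which the plain basic-regex form silently does not
    sed -i -r '/^(HWADDR|UUID)=/d' "$root/etc/sysconfig/network-scripts/ifcfg-eth0"
    # Step 6: empty the temp dirs (only acceptable on a template image)
    rm -rf "$root"/tmp/* "$root"/var/tmp/*
    # Step 7: host keys; sshd generates fresh ones on the clone's first boot
    rm -f "$root"/etc/ssh/*key*
    # Step 8: root's shell history
    rm -f "$root/root/.bash_history"
    unset HISTFILE
}
# prepare_template /              # on the real template
# prepare_template /tmp/scratch   # rehearsal against a constructed tree
```

Source the file and call prepare_template with the prefix; the scratch-tree run is the place to confirm that the sed expression really removes HWADDR and UUID while leaving DEVICE and ONBOOT alone.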

Posted in Linux, OpenNebula

Create a VM Image in OpenNebula

Tested on OpenNebula 4.4.1 on CentOS 6.5. It should work on recent OpenNebula versions.

This is almost copied from Tutorial: Deploy VM Using Image Created On OpenNebula Directly, for preservation and my own personal use. Check the original link first.

Step 1. Uploading the Installation CD Image

a. Go to Virtual Resources -> Images -> Create
b. Set Type to CDROM.
c. Leave Persistent unchecked.
d. Use either Provide a path and set it to a URL pointing to an OS installation image or Upload and set it to an already downloaded OS installation image.

We now have an installation CD-ROM image in our datastore.

Step 2. Creating an empty hard disk (Datablock)

a. Go to Virtual Resources -> Images -> Create
b. Set Type to Datablock.
c. Tick Persistent. Every change made to this datablock needs to persist since this is going to be the hard drive for each newly deployed VM.
d. Set Image Location to Empty datablock, set Size and (optionally) FS type, and set FS Driver to qcow2.
e. Set Driver prefix to sd.
f. Last time I wasn’t setting FS Driver to qcow2 and ONE would barf

This will create an empty datablock which will be used to install the OS.

Step 3. Creating an OS image installation template

a. Go to Virtual Resources -> Templates -> Create
b. We are going to use the installation CD (Step 1) and the Datablock (Step 2). So, in Storage attach the installation CD and set READONLY to yes and attach the datablock as well.
c. Set the Network (select a nic)
d. Under OS Booting: In Boot set Boot to CDROM and in Features set ACPI to yes.
e. Under Input/Output set VNC and Listen IP to 0.0.0.0.
f. Under Context tick Add Network contextualisation and Add OnGate token.

Step 4. Deploy a VM based on the OS image installation template (Step 3)

a. Instantiate the template. This will create a VM, which will boot from the CDROM (Step 1) and install the OS in the datablock disk (Step 2).
b. Shutdown the VM when installation is complete and delete the VM. Remember, our datablock is persistent so the OS is installed and all changes are persistent.
c. Go to Virtual Resources -> Images and change its Type from Datablock to OS.

Step 5. Create a VM preparation template.

a. Create a normal template. Under Storage attach only the disk we created on Step 4. The VM boots from this disk.
b. NB: don’t do this if you want to have noVNC working!! To enable serial console access from the KVM side, under Other paste the following in the RAW data section and set the Type to KVM. It also has to be enabled from the VM’s kernel side, by tweaking the grub config file that specifies the kernel options used during boot (see Step 6).
<devices><serial type="pty"><source path="/dev/pts/5"/><target port="0"/></serial><console type="pty" tty="/dev/pts/5"><source path="/dev/pts/5"/><target port="0"/></console></devices>
c. All other settings just like Step 3.

Instantiate the template and start a VM.

Step 6. Contextualisation

In our newly created VM:

a. Go to Basic Contextualisation. The process is not straightforward, so here’s a rough guide.
– Open VM’s VNC console.
– Setup the network for the VM.
– Setup ONE repository and install the contextualisation deb package. UPDATE: Download it manually at http://dev.opennebula.org/attachments/download/750/one-context_4.4.0.deb since I can’t find it in the ONE repo.
b. NB: don’t do this if you want to have noVNC working!! To enable serial console access from the VM side, open /etc/default/grub and set the following:
GRUB_TERMINAL=serial
GRUB_CMDLINE_LINUX="console=tty0 console=ttyS0,115200n8"
GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1"
– Create /etc/init/ttyS0.conf with the following contents:
# ttyS0 - getty
#
# This service maintains a getty on ttyS0 from the point the system is
# started until it is shut down again.
start on stopped rc or RUNLEVEL=[12345]
stop on runlevel [!12345]
respawn
exec /sbin/getty -L -w 115200 ttyS0 vt102

– Full instructions at https://help.ubuntu.com/community/SerialConsoleHowto
c. Prepare the VM, i.e. clean it and make it pristine, following this guide.
d. Shutdown the VM and delete it.

Finally, go to the OS image and set it to non-persistent.

We can now use the OS image to instantiate new VMs.

Posted in OpenNebula

Using ansible to setup Elastix



#### MacOS 10.9 Mavericks and Homebrew installation

– Mavericks comes with Python 2.7.5
– No need to install python using brew
– `brew install ansible`

#### Create VM

> virt-install -n elastix-2.4 --ram 2048 --vcpus 2 --os-type linux --os-variant=rhel6 --disk path=/var/lib/libvirt/images/elastix-2.4.img,bus=virtio,size=20 -l /var/lib/libvirt/images/Elastix-2.4.0-Stable-x86_64-bin-04feb2013.iso --graphics none --network bridge:br1,model=virtio -v -x "console=ttyS0"

– No additional packages installed!

#### To activate Elastix
– Turn off SELinux
– `setenforce 0`
– `vim /etc/selinux/config` and make it `permissive`
– `service iptables stop && chkconfig iptables off`
– Use ssh port 222 instead of 22
– and enable `PubkeyAuthentication`
– and `service sshd restart`
– reboot

#### Pre ansible tasks
– Generate ssh key: `ssh-keygen -t rsa -C "email@domain ansible"` and save it as `id_rsa_ansible` – **don’t overwrite any existing key pairs**.
– `cat ~/.ssh/id_rsa_ansible.pub | ssh you@remote 'cat - >> ~/.ssh/authorized_keys'` to place the ansible public key in /root/.ssh/authorized_keys in the new VM.
– *Take care of the dir and file permissions of the .ssh directory in the VM*
– `ssh-add ansible-private-key` locally to add the ansible key to the keyring. `ssh-add -l` to list the keys in keyring.
– Create a `hosts` file somewhere containing the following:
> `elastix ansible_ssh_host= ansible_ssh_port=222 ansible_ssh_user=root`

– *For CentOS < 6* `ansible elastix -i ./hosts -m raw -a "yum install -y python-simplejson"` to install the json module needed for ansible to work against Elastix.
See
– To test it: ` ansible all -i ./hosts -m ping`. Success if you get

    
    elastix | success >> {
        "changed": false,
        "ping": "pong"
    }
Posted in Uncategorized

Sinatra shortcuts



Want to test something and need to “deploy” an HTTP endpoint? Enter Sinatra.

  • gem install thin because WEBrick complains about the missing Content-Length header.
  • ruby -r sinatra -e "post('/form') { puts params }". The -r switch loads the given library using require.
  • Test with something like curl -I -X POST http://127.0.0.1:4567/form
Posted in Uncategorized

Notes on mbox to maildir migration



  • The mb2md command takes absolute paths.
  • mb2md -s mbox-path -d maildir-path.
  • The maildir-path is created.
  • Maildir folder structure is:

Maildir folder
|
|– new
|– cur
|– tmp

  • It seems safe to convert mboxes to maildirs while the MTA is active and delivering mails to the same folder. Need to double check this!
  • Need to deactivate or update users’ .procmailrc.
  • The MTA builds the Maildir folder structure for the INBOX, i.e. we don’t need to do anything.
  • No need to create the Maildir base folder as well as the Sent/Drafts/Trash folders by hand. IMAP takes care of this.
  • Maildir folders are named with a leading dot, e.g. .Sent or .Trash. This is controlled by the IMAP server (dovecot).
  • The subscriptions file lists all the folders monitored by IMAP.
Posted in Uncategorized

Adding EPEL repository

  • wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
  • rpm -Uvh epel-release-6-8.noarch.rpm
Posted in CentOS

KVM autostart/suspend/shutdown guests

Check /etc/sysconfig/libvirt-guests and http://maciek.lasyk.info/sysop/2013/04/29/kvm-libvirt-guests-autostart-shutdown-pause/

Posted in CentOS, KVM

Installing HP snmp agents on a Proliant server

Note: This is on CentOS 6.4

  • Download the HP SPP from http://h18013.www1.hp.com/products/servers/management/spp/index.html, get the latest.
  • # mount -o loop <SPPMDSLRH-filename> /mnt/SPP
  • # cd /mnt/SPP/hp/swpackages
  • yum localinstall the hp-health and the hp-snmp-agents packages.
  • # /sbin/hpsnmpconfig
    • vi /etc/snmp/snmp.local.conf and add the line syscontact watchdog <watchdog@my.domain.com>
  • # vi /opt/hp/hp-snmp-agents/cma.conf
    • Change the line containing trapemail at its end to reflect the correct email address.
  • # /etc/init.d/hp-snmp-agents start
  • # chkconfig hp-snmp-agents on

Posted in CentOS, HP Proliant