Todd Smith Org

April 20, 2009

Setup RAID on Ubuntu Desktop

Filed under: Uncategorized — admin @ 9:37 am

I have a client who needed a nice little web design station using open source software. One of the requirements is to have RAID. Having used Linux software RAID for about 10 years now, I am very comfortable with it. Unfortunately the installer in Ubuntu Intrepid does not seem to support configuring software RAID, LVM, encryption and all that rot.

So let’s do it from the terminal: install as normal and then use the following process.

Change the partition types on your disk to 0xfd. I reconfigured /dev/sda as follows:

root@ubuntu:~# fdisk -l /dev/sda

Disk /dev/sda: 500.1 GB, 500107862016 bytes
255 heads, 63 sectors/track, 60801 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x965c0f26

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1          20      160618+  fd  Linux raid autodetect
/dev/sda2              21       60000   481789350   fd  Linux raid autodetect
/dev/sda3           60001       60801     6434032+  83  Linux
root@ubuntu:~#

Then copy that partition table to /dev/sdb

dd if=/dev/sda of=/dev/sdb count=1 bs=512

Now reboot, or have the kernel re-read the partition table (the “Call ioctl() to re-read partition table” step fdisk performs when it writes).

Now it’s time to install mdadm

apt-get -f -y install mdadm

And finally, set up the RAID:

mdadm --create /dev/md0 --level=1 --raid-devices=2 /dev/sda1 /dev/sdb1
mdadm --create /dev/md1 --level=1 --raid-devices=2 /dev/sda2 /dev/sdb2

Verify the raid status with:

cat /proc/mdstat

Edit /etc/fstab: where the root filesystem is listed as

LABEL=blahblah

change it to /dev/md0

I’m sorry, this is incomplete


April 18, 2009

Configure XenServer 5.0 Free for Software RAID 1

Filed under: Server Technology,Unix Administration — admin @ 4:35 pm

I used the notes from some guy on the Citrix forums. I wish that I had his name so I could give him credit but it’s not here on the stuff I printed out.

On with the show.

To make this work, you need two drives in your system. The second drive must be identical to or larger than the first, and you must have installed XenServer to the first drive without selecting the second drive as part of the storage pool.

Install XenServer as usual. Do not select any extra drives as storage pools.

After installation, boot up, and log in on console 3 (Alt-F3) as root.

Type fdisk -l to list the partitions.

Most likely your disks are represented by SCSI device names under Linux / XenServer 5.0; in that case your boot disk would be /dev/sda.

To copy the partition table from /dev/sda to /dev/sdb you can use dd

dd if=/dev/sda of=/dev/sdb bs=512 count=1

Now set the partition table up on /dev/sdb the way it should be for Linux RAID. This means setting the partition types to 0xfd.

I used the following command:

echo -e "\nt\n1\nfd\nt\n3\nfd\nw\nx" | fdisk /dev/sdb

That tells fdisk: “tag partition 1 as type 0xfd, tag partition 3 as type 0xfd”, then write the table.

Check to make sure the /dev/md? devices are present

[ -e /dev/md0 ] || mknod /dev/md0 b 9 0
[ -e /dev/md1 ] || mknod /dev/md1 b 9 1

Start up the degraded RAID devices (the first drive is still in use, so each array is created with one member “missing” and only the /dev/sdb partition present):

mdadm --create /dev/md0 --level=1 --raid-devices=2 missing /dev/sdb1
mdadm --create /dev/md1 --level=1 --raid-devices=2 missing /dev/sdb3

The following procedure is directly from the other guy’s notes. I’ve modified the commands to what I think works a little better.

pvcreate /dev/md1
volume_group=`vgscan | grep VG | awk -F \" '{print $2}'`
vgextend $volume_group /dev/md1
pvmove /dev/sda3 /dev/md1
# If this is a fresh install, then there won't be any data to move
vgreduce $volume_group /dev/sda3

Now we’re ready to copy the filesystem over to the RAID device /dev/md0

mkfs.ext3 /dev/md0
cd / && mount /dev/md0 /mnt && rsync -a --progress --exclude=/sys --exclude=/proc --exclude=/dev/shm --exclude=/dev/pts --exclude=/mnt / /mnt
mkdir /mnt/sys
mkdir /mnt/proc
sed -r -i 's,LABEL=root-\w+ ,/dev/md0 ,g' /mnt/etc/fstab

Now let’s set up the initrd

mkdir /root/initrd && cd /root/initrd
zcat /boot/initrd-`uname -r`.img | cpio -i && \
cp /lib/modules/`uname -r`/kernel/drivers/md/raid1.ko lib

Now we have to edit the init file

q="echo Waiting for driver initialization."
sed -r -i "s,^${q}$,\n\necho Loading raid1.ko module\ninsmod /lib/raid1.ko\n${q}\n,g" init
q="resume /var/swap/swap.001"
sed -r -i "s,^${q}$,${q}\necho Running raidautorun\nraidautorun /dev/md0\nraidautorun /dev/md1,g" init
r=`grep mkroot /root/initrd/init`
sed -r -i "s|^${r}$|${r/sda1/md0}|g" init

Now we’ll copy the initial ramdisk to the /boot on the new RAID

find . -print | cpio -o -c | gzip -c > /boot/initrd-`uname -r`.img
sed -r -i 's,LABEL=root-\w+ ,/dev/md0 ,g' /mnt/etc/fstab
sed -r -i 's,LABEL=root-\w+ ,/dev/md0 ,g' /etc/fstab

And set up the boot loader

sed -r -i 's,root=LABEL=root-\w+ ,root=/dev/md0 ,g' /mnt/boot/extlinux.conf
sed -r -i 's,root=LABEL=root-\w+ ,root=/dev/md0 ,g' /boot/extlinux.conf
cat /usr/lib/syslinux/mbr.bin > /dev/sdb
cd /mnt && extlinux -i boot/
extlinux -i boot/

If you’ve done this remotely, you can try the following.

cp /mnt/boot/extlinux.conf /boot/
cp /mnt/boot/initrd-`uname -r`.img /boot

Unmount /dev/md0, sync, and reboot

cd ; umount /mnt || umount /dev/md0
sync
reboot

Once the system is back up on the RAID, tag the partitions on /dev/sda as type Linux raid, then add them to the arrays and let the rebuild run.

echo -e "\nt\n1\nfd\nt\n3\nfd\nw\nx" | fdisk /dev/sda
mdadm -a /dev/md0 /dev/sda1
mdadm -a /dev/md1 /dev/sda3
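Both RAID posts (the Ubuntu one’s “cat /proc/mdstat” check and the rebuild after “mdadm -a” here) leave you reading /proc/mdstat by eye. As an added example, not code from either post, this small sh/awk checker reports each array as ok or degraded, with any rebuild percentage, and returns non-zero when a member is missing, so it can sit in cron or a monitoring check; the sample mdstat it writes is constructed to mirror the arrays this post creates.

```shell
#!/bin/sh
# mdstat_status [FILE]  (FILE defaults to /proc/mdstat)
# Prints one line per array: "<md> <ok|degraded|inactive> [<op> <pct>%]"
# Returns 1 if any array is missing a member, 0 otherwise.
mdstat_status() {
    awk '
    # "md1 : active raid1 sda3[2] sdb3[1]" starts an array block
    /^md[0-9]+ *: / {
        name = $1; n++; order[n] = name
        state[name] = ($3 == "active") ? "ok" : $3
        next
    }
    # a blank line ends the current array block
    /^$/ { name = ""; next }
    # "[2/1] [_U]": an underscore in the member map is a missing or failed member
    name != "" && /\[[U_]+\]/ {
        map = $0; sub(/.*\[/, "", map); sub(/\].*/, "", map)
        if (map ~ /_/) state[name] = "degraded"
        next
    }
    # "[==>....]  recovery = 12.5% (...)": rebuild, resync, reshape or check in progress
    name != "" && /^ *\[[=>.]+\] +(recovery|resync|reshape|check) *=/ {
        pct = $4; sub(/%/, "", pct)
        state[name] = state[name] " " $2 " " pct "%"
        next
    }
    END {
        bad = 0
        for (i = 1; i <= n; i++) {
            print order[i], state[order[i]]
            if (state[order[i]] ~ /degraded/) bad = 1
        }
        exit bad
    }' "${1:-/proc/mdstat}"
}

# Constructed sample (not real output from the post's machine): md1 is still
# rebuilding after "mdadm -a /dev/md1 /dev/sda3", md0 has both members.
write_sample_mdstat() {
    cat > "$1" <<'EOF'
Personalities : [raid1]
md1 : active raid1 sda3[2] sdb3[1]
      481789248 blocks [2/1] [_U]
      [==>..................]  recovery = 12.5% (60223656/481789248) finish=120.3min speed=58340K/sec

md0 : active raid1 sda1[0] sdb1[1]
      160512 blocks [2/2] [UU]

unused devices: <none>
EOF
}

# Stand-alone demo: report on the constructed sample
tmp=$(mktemp) && write_sample_mdstat "$tmp"
mdstat_status "$tmp" || echo "WARNING: at least one array is degraded"
rm -f "$tmp"
```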

Troubleshooting

The first time I did this procedure I got stuck because my rsync didn’t copy /proc and /sys like I asked it not to. So I had to add the step of creating those two directories so they could be mounted at boot.

After messing around with it a little, I came up with this command line to boot XenServer 5 from extlinux.

mboot.c32 /boot/xen.gz dom0_mem=752M --- /boot/vmlinuz-2.6-xen root=/dev/md0  single --- /boot/initrd-2.6-xen.img

April 17, 2009

Intel AMT bios support

Filed under: Device Configuration,Server Technology — admin @ 12:51 pm

Intel AMT allows enhanced hardware-based isolation and recovery for embedded systems that go offline, and Intel® Rapid Recover Technology allows embedded devices to recover data and return the system to operational status in the event of hard drive failure or massive data corruption.

Intel VT-d Bios Support

Filed under: Device Configuration,Server Technology — admin @ 12:50 pm

Intel VT-d, a technology in the Intel Q35 chipset, provides advanced remote management capabilities for I/O devices. The technology enables partitioning of I/O devices to virtual machines to distribute system resources and protect assets. Intel VT-d will improve performance by increasing the bandwidth and lowering the latency attributed to software virtualization. Industrial automation applications and network appliances are two key segments that could benefit from this technology.

April 9, 2009

Extreme Summit 48s NAT Howto

Filed under: Device Configuration — admin @ 3:26 pm

This is a simple HOWTO for configuring NAT on an Extreme Summit 48s.

It assumes two VLANs, an internal one and an external one:

Nat Configuration

The steps to get NAT running are:

  1. Add a NAT rule
  2. Set the NAT timeout
  3. Configure the “internal” VLAN(s)
  4. Configure the “external” VLAN(s)
  5. Enable NAT

Assuming you have an external VLAN called “ext”, an internal block of IPs at 172.16.166.0/24 and an external address 198.168.0.10/32, you can use the following:

Configure a NAT rule

configure nat add "ext" map source 172.16.166.1/32 to 198.168.0.10/32

Configure the NAT timeout

configure nat timeout 300

Configure the internal VLAN for NAT

configure nat "webserver-internal" inside

Configure the external VLAN for NAT

configure nat ext outside
configure nat Default outside

Enable NAT

enable nat

That should be all there is to it. I hope this worked for you.

April 1, 2009

Howto Create your own Certificate Authority (the easy way)

Filed under: Security Technology,Unix Administration,Web Hosting — admin @ 6:54 pm

Create your own Certificate Authority in less than 10 minutes

This allows you to create a Certificate Authority otherwise known as a CA so you can sign your own certificates. This script has two requirements. A *nix machine with /bin/sh, /bin/bash or a compatible shell, and openssl from the OpenSSL project. You can start the timer now…

I’ve written a script to greatly simplify and automate the processes of both creating the Certificate Authority, and creating Certificates. The script has two basic functions:

  1. Create a Certificate Authority
  2. Create keys, certificates, and certificate signing requests, and sign them using the Certificate Authority

Directions for Use

To get this all set up and running, you just need to create a directory, create two files, and execute one of them. Edit the openssl.cnf with your favorite text editor (vim, emacs, nano, pico, ed, joe, whatever), put in your info and then run CAAdmin.sh to get started.

From here open a terminal to get started

Create a working directory (copy and paste this block of code into your terminal)

mkdir Certificate_Authority_Admin
cd Certificate_Authority_Admin

Create openssl.cnf (copy and paste this block of code into your terminal; the quoted 'EoF' keeps your shell from expanding $dir while the file is written)

cat << 'EoF' > openssl.cnf
#
# OpenSSL configuration file.
# 

# Establish working directory.
dir = "CA"

[ ca ]
default_ca = CA_default 

[ CA_default ]
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/public/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 730
default_md = md5
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match 

[ policy_match ]
countryName = supplied
stateOrProvinceName = supplied
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 1024 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = md5 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
# Variable name   Prompt string
#----------------------   ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64

# Default values for the above, for consistency and less typing.
# Variable name   Value
#------------------------------   ------------------------------
0.organizationName_default = ToddSmith, Org
organizationalUnitName_default = Secure Services
countryName_default = US
localityName_default = Los Angeles
emailAddress_default = ca@toddsmith.org
stateOrProvinceName_default = California
commonName_default = toddsmith.org

[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always 

[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
EoF

Create the CAAdmin Script (copy and paste this block of code into your terminal; the quoted 'EoF' keeps your shell from expanding the script’s $variables while the file is written)

cat << 'EoF' > CAAdmin.sh
#!/bin/bash
cadir=CA
conf="openssl.cnf"
cwd=`pwd`

echo -n "Do you want to create a Certificate Authority? [yes or no] : " && read answer
if [ "X$answer" = "Xyes" ] ; then
        mkdir -p "$cadir"
        cd "$cadir"
        mkdir public crl newcerts private
        echo 01 > serial
        cp /dev/null index.txt
        if [ ! -f "../$conf" ] ; then
                echo "Must setup an openssl.cnf"
                exit 1
        fi
        # Self-signed CA certificate; the key is written encrypted, so you will be asked for a pass phrase
        openssl req -new -x509 -keyout private/cakey.pem -out public/cacert.pem -days 365 -config "../$conf"
        cd "$cwd"
fi

echo -n "Do you want to create a certificate for an SSL enabled server? [yes or no] : " && read answer
[ "$answer" = "yes" ] || exit 1

echo -n "What is the name of this cert / key? (certfilename) : " && read certfile
if [ -n "$certfile" ] ; then
        unset answer
        # Server key (unencrypted, -nodes) and request; key.pem comes from default_keyfile in openssl.cnf
        openssl req -new -nodes -out req.pem -config "$conf" && \
        mv key.pem "${certfile}.key.pem" && \
        mv req.pem "${certfile}.req.pem" && \
        openssl req -in "${certfile}.req.pem" -text -verify -noout && \
        echo -n "Does information look correct? [yes or no] : " && read answer
        if [ "$answer" = "yes" ] ; then
                unset answer
                openssl ca -out "${certfile}.crt.pem" -config "$conf" -infiles "${certfile}.req.pem"
        fi
        # "Strip" removes the human-readable text block openssl ca puts before the PEM certificate
        echo -n "Do you want to strip the certificate? [yes or no] : " && read answer
        if [ "$answer" = "yes" ] ; then
                unset answer
                mv "${certfile}.crt.pem" "${certfile}.crt.tmp"
                openssl x509 -in "${certfile}.crt.tmp" -out "${certfile}.crt.pem" && \
                key_stripped=1 && \
                rm "${certfile}.crt.tmp"
        fi
        if [ "${key_stripped:-0}" = 1 ] ; then
                echo -n "Do you want to create a combined cert/key file? [yes or no] : " && read answer
                if [ "$answer" = "yes" ] ; then
                        unset answer
                        cat "${certfile}.crt.pem" "${certfile}.key.pem" > "${certfile}.crtkey.pem"
                fi
        fi
fi
EoF

Edit the openssl.cnf with your favorite editor to customize it for you.

Now I’m gonna run you through the script one time and you can see how simple it is.

tsmith@tejinashi:~/Certificate_Authority_Admin$ ls
CAAdmin.sh      openssl.cnf
tsmith@tejinashi:~/Certificate_Authority_Admin$ sh CAAdmin.sh
Do you want to create a Certificate Authority? [yes or no] : yes
Generating a 1024 bit RSA private key
....................++++++
.++++++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Organization Name (company) [ToddSmith, Org]:
Organizational Unit Name (department, division) [Secure Services]:
Email Address [ca@toddsmith.org]:
Locality Name (city, district) [Los Angeles]:
State or Province Name (full name) [California]:
Country Name (2 letter code) [US]:
Common Name (hostname, IP, or your name) [toddsmith.org]:
Do you want to create a certificate for an SSL enabled server? [yes or no] : yes
What is the name of this cert / key? [certfile] : mail.toddsmith.org
Generating a 1024 bit RSA private key
..............................++++++
............................................++++++
writing new private key to 'key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Organization Name (company) [ToddSmith, Org]:
Organizational Unit Name (department, division) [Secure Services]:
Email Address [ca@toddsmith.org]:
Locality Name (city, district) [Los Angeles]:
State or Province Name (full name) [California]:
Country Name (2 letter code) [US]:
Common Name (hostname, IP, or your name) [toddsmith.org]:mail.toddsmith.org
verify OK
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: O=ToddSmith, Org, OU=Secure Services/emailAddress=ca@toddsmith.org, L=Los Angeles, ST=California, C=US, CN=mail.toddsmith.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:d1:be:57:f7:e1:35:5b:01:fb:0d:20:06:23:dc:
                    44:f7:89:0e:f7:f6:71:5f:17:91:58:01:99:2f:75:
                    00:0d:e1:d7:0b:35:c1:90:e8:f9:56:a5:82:7b:a1:
                    97:79:b1:5b:7e:70:fd:cd:e0:95:5d:d1:f4:38:4d:
                    3f:00:fe:8a:a0:9a:66:2a:3c:45:27:e0:b1:98:3d:
                    40:2b:03:3c:5e:95:e1:48:79:a9:03:65:78:19:9b:
                    e9:39:06:6f:d6:ad:6f:12:55:dd:18:45:76:50:fd:
                    40:9a:60:7e:53:fb:67:0d:1b:1e:7f:e6:70:0d:ab:
                    2b:4c:45:5e:0e:df:c9:3f:5d
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                56:61:49:B0:F8:DA:58:9E:4A:14:EF:3B:61:D4:74:AF:B6:AF:3A:ED
    Signature Algorithm: md5WithRSAEncryption
        b5:8d:6f:16:87:1f:cb:78:16:03:9f:95:cf:4b:8d:b8:81:c0:
        a9:e4:a0:de:c1:72:b0:3c:c8:2f:26:5e:ff:af:24:de:68:76:
        e9:d0:f3:36:6d:d6:ea:40:27:19:33:91:ec:89:42:7b:ac:18:
        82:59:bf:c3:22:83:77:79:19:a1:05:92:6f:43:be:17:0d:c0:
        e8:f5:f6:a0:fe:1b:05:ab:fd:56:b8:3a:3b:81:d0:e3:c4:60:
        14:db:2f:de:27:a7:da:bc:72:10:e7:de:77:16:18:5e:30:81:
        d2:c6:1e:bf:96:f6:23:42:c2:0a:2e:3e:15:ff:bf:82:be:9d:
        0d:16
Does information look correct? [yes or no] : yes
Using configuration from openssl.cnf
Enter pass phrase for CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
organizationName      :PRINTABLE:'ToddSmith, Org'
organizationalUnitName:PRINTABLE:'Secure Services'
localityName          :PRINTABLE:'Los Angeles'
stateOrProvinceName   :PRINTABLE:'California'
countryName           :PRINTABLE:'US'
commonName            :PRINTABLE:'mail.toddsmith.org'
Certificate is to be certified until Apr  2 01:42:45 2011 GMT (730 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Do you want to strip the certificate? [yes or no] : yes
Do you want to create a combined cert/key file? [yes or no] : yes
tsmith@tejinashi:~/Certificate_Authority_Admin$ ls -1
CA
CAAdmin.sh
mail.toddsmith.org.crt.pem
mail.toddsmith.org.crtkey.pem
mail.toddsmith.org.key.pem
mail.toddsmith.org.req.pem
openssl.cnf
tsmith@tejinashi:~/Certificate_Authority_Admin$

There you have it. If you want to create another key, run it again. From this point forward you will probably want to answer “no” when the script asks if you want to create a new Certificate Authority. I have not tested it.
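The transcript above shows what this openssl.cnf produces: a 1024-bit key and an md5WithRSAEncryption signature. MD5 signatures are rejected by current browsers and TLS libraries, and 1024-bit RSA is below today’s 2048-bit minimum. This added check (not part of the post’s script) reads the text form of a certificate or request, the same output “openssl req -text” printed above, and flags an MD5/SHA-1 signature digest or an RSA key below 2048 bits; the sample it writes is a constructed excerpt in that format, not a real request.

```shell
#!/bin/sh
# cert_policy_check FILE
#   FILE is the output of "openssl x509 -text" or "openssl req -text".
#   Prints one finding per line and returns 1 if any policy rule fails.
cert_policy_check() {
    awk -v minbits=2048 '
    # the first "Signature Algorithm:" line names the digest used for the signature
    /Signature Algorithm:/ && sig == "" { sig = $NF }
    # "Public Key Algorithm: rsaEncryption" (or id-ecPublicKey, ...)
    /Public Key Algorithm:/ && alg == "" { alg = $NF }
    # key size: "RSA Public Key: (1024 bit)" in old OpenSSL, "Public-Key: (2048 bit)" in new
    /Public.Key: \([0-9]+ bit\)/ && bits == 0 {
        b = $0; sub(/.*\(/, "", b); sub(/ bit\).*/, "", b); bits = b + 0
    }
    END {
        bad = 0
        if (sig == "") { print "FAIL: no Signature Algorithm found"; bad = 1 }
        else if (tolower(sig) ~ /^(md2|md4|md5|sha1)with/) {
            print "FAIL: weak signature digest " sig; bad = 1
        } else print "ok: signature " sig
        if (bits == 0) { print "FAIL: no key size found"; bad = 1 }
        else if (alg != "rsaEncryption") print "note: " alg " key, " bits " bit (size rule is RSA-only)"
        else if (bits < minbits) { print "FAIL: RSA key " bits " bit (< " minbits ")"; bad = 1 }
        else print "ok: RSA key " bits " bit"
        exit bad
    }' "$1"
}

# Constructed excerpt in the shape of the post's "openssl req -text" transcript;
# only the header lines the check reads are kept, the modulus/signature bytes are dummies.
write_sample_req_text() {
    cat > "$1" <<'EOF'
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: O=ToddSmith, Org, OU=Secure Services, CN=mail.toddsmith.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:d1:be:57:f7:e1:35:5b:01:fb:0d:20:06:23:dc:
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption
        b5:8d:6f:16:87:1f:cb:78:16:03:9f:95:cf:4b:8d:b8:81:c0:
EOF
}

# Stand-alone demo: the constructed sample fails both rules
tmp=$(mktemp) && write_sample_req_text "$tmp"
cert_policy_check "$tmp" || echo "certificate does not meet policy"
rm -f "$tmp"
```

To have CAAdmin.sh produce certificates that pass, set default_md = sha256 in both the [CA_default] and [req] sections of openssl.cnf and default_bits = 2048 in [req].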

I hope that you found this useful.

March 29, 2009

Certificate and Key management with OpenSSL

Filed under: Unix Administration,Web Hosting — admin @ 9:29 pm

Generate a Certificate Signing Request (CSR)

If you want to provide secure communications between your webserver and the clients that visit your website, you’re going to need an SSL certificate (SSLCert) signed by a well-known Certificate Authority (CA).

I’m just gonna outline the process of generating one.

Prerequisites:

  1. OpenSSL
  2. Domain Name
  3. Entity information (Name, Address, Etc..)

Steps

Create a CSR in 3 easy steps

  1. Use this command to create your working directory, and change to it so you’ve got everything in one place. You can change my_certs to anything you want.

    mkdir my_certs && cd my_certs

  2. Use this command to generate an encrypted private key. If you enter a pass-phrase here, you’ll need to use it any time you start-up your web-server. You should enter a pass-phrase here. We can remove it later. If you lose or forget the pass-phrase, you’re gonna have to do all this over again… And you might have to purchase another certificate from your provider.

    openssl genrsa -des3 -out toddsmith.org.key 1024

  3. Next use this command to create a CSR from the RSA private key. You cannot use any special characters (< > ~ ! @ # $ % ^ * / \ ( ) ?.,&). You’ll need the following information:
    • Common Name: This is the full name of your website. For example: www.toddsmith.org
    • Organization: Your name or the legal name of your company.
    • Organization Unit: The department you work in or this server provides service for: For example: IT Services
    • City: The City you or your organization is in.
    • State: The State you or your organization is in.
    • Country: The 2 letter abbreviation of your country

    openssl req -new -key toddsmith.org.key -out toddsmith.org.csr

Remove Encryption from Private Key

Use the following steps to remove encryption from the private key for use with dovecot, sendmail or to remove the start-up pass phrase dialog from apache, etc…

  1. Make a backup of the key file

    cp toddsmith.org.key toddsmith.org.key.encrypted

  2. Write an unencrypted copy of the key (you will be asked for the pass-phrase one last time)

    openssl rsa -in toddsmith.org.key.encrypted -out toddsmith.org.key

The -out file toddsmith.org.key is now your unencrypted private key. Lose it, and anyone can use it now.

Use certificate with Microsoft Internet Explorer

Now you’ve received your certificate from your provider and you want to use it with Internet Explorer.

To use the certificate you just created with Internet Explorer, you have to convert it to PFX format. It’s currently in PEM format.

  1. Create a PFX formatted certificate/key combination with the following command (it is all one line):

    openssl pkcs12 -export -out toddsmith.org.pfx -inkey toddsmith.org.key -in toddsmith.org.crt

Convert key and certificate to use with Sendmail, Dovecot, or others

To do this, you’ll need the certificate issued from your Certificate Authority, and your unencrypted key file. If your key is still encrypted, use the process above to remove the encryption from the key.

All set? Okay let’s do it.

  1. Run the following command to combine the key and certificate for use with Sendmail, Dovecot, uw-imap, and many others

    cat toddsmith.org.key toddsmith.org.crt > toddsmith.org.pem

All done, now you can use it with your favorite MTA, or Email software.

March 28, 2009

iptables troubleshooting

Filed under: Uncategorized — admin @ 12:49 pm

Troubleshooting

iptables v1.4.2: Unknown arg `(null)'

Try adding -p to the command. --dport belongs to the tcp/udp match, which is only loaded once a protocol is given:

root@host:~# iptables -I OUTPUT --dport 6660:6669 -j DROP
iptables v1.4.2: Unknown arg `(null)'
Try `iptables -h' or 'iptables --help' for more information.
root@host:~# iptables -I OUTPUT -p tcp --dport 6660:6669 -j DROP
root@host:~#

Unix, Linux and BSD find tricks

Filed under: Unix Administration — admin @ 11:34 am

I’m gonna show you some tricks here that I’ve learned over the years. I hope they help.

Find files named yahoo.com owned by the user d0ncortez

find /dev -user d0ncortez -name 'yahoo.com'

Find files named CorteZ owned by the group Linux-Team

find /dev -group Linux-Team -name 'CorteZ'

Find all files on the file-system with the SETUID bits set

find / -perm +4000 -print

Print a list of all directories

find / -type d -print

Print a list of files only

find / -type f -print

Delete all files owned by a specific user

find / -user mean-person -exec rm -rf {} \;

Fix file and directory permissions under a tree (644 for files, 755 for directories). Point this at the tree you mean to fix rather than /, or every binary on the system loses its execute bit.

find / -type f -exec chmod 644 {} \;
find / -type d -exec chmod 755 {} \;
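As an added example (not from the post), the SETUID search above turned into a baseline audit: it inventories setuid/setgid files under a tree and reports any that were not there the last time you looked. It uses -perm -4000 / -perm -2000 (“all of these bits set”) rather than the post’s +4000, because GNU find no longer accepts the + form while both GNU and BSD find accept the - form; the root and baseline paths are whatever you pass.

```shell
#!/bin/sh
# list_special ROOT           -> sorted list of setuid/setgid regular files under ROOT
# audit_special ROOT BASELINE -> prints paths not present in BASELINE, returns 1 if any
list_special() {
    # -xdev keeps the walk on one filesystem, so /proc, network mounts etc. are skipped
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | LC_ALL=C sort
}

audit_special() {
    root=$1; baseline=$2
    # comm needs both inputs sorted the same way; -13 keeps only lines unique to the new list
    new=$(list_special "$root" | LC_ALL=C comm -13 "$baseline" -)
    [ -z "$new" ] && return 0
    printf '%s\n' "$new"
    return 1
}

# Stand-alone demo: on first run save a baseline, afterwards report anything new.
# Root and baseline path are arbitrary choices for the demo, not system conventions.
demo_root=${1:-/usr/bin}
demo_baseline=${2:-$(mktemp)}
if [ ! -s "$demo_baseline" ]; then
    list_special "$demo_root" > "$demo_baseline"
    echo "baseline written: $(wc -l < "$demo_baseline") setuid/setgid files under $demo_root"
else
    audit_special "$demo_root" "$demo_baseline" && echo "no new setuid/setgid files under $demo_root"
fi
```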

March 23, 2009

Setup Trac on Ubuntu via APT

Filed under: Uncategorized — admin @ 10:30 pm

HOWTO Setup Trac on Ubuntu via APT

Installing Trac
