Linux.com

Community Blogs



Xen DomU clock issues

I just set up a Xen DomU (Debian Lenny) and found that when I tried to live-migrate it between hosts, any pings would just hang. I found my logs filled with clock warnings about time going backwards. Here is how I resolved this.


Xen: Create a Jaunty DomU using xen-create-image

These are instructions for creating an Ubuntu Jaunty DomU on a Debian Lenny Dom0 using the Xen 3.2.1 that ships with Lenny. I'm installing onto LVM logical volumes rather than using a file image. See this HowtoForge article for the background of my particular setup. This tutorial assumes you're working from a similar setup, with an iSCSI target and LVM-based VMs.

The reason I'm posting this is that I had such a hard time finding a combination of tools that worked correctly to do this. I tried a few options but had little success:

  • debootstrap - Didn't seem to work with Jaunty at all; it would just crash.
  • vm-install - Doesn't support LVM-based VMs by default, but there is a procedure for converting the qcow image to an LVM volume.

What I found is that I could find no way of creating the LVM-based VM in Lenny. I actually had to create a sid instance first, install open-iscsi and xen-utils into the sid VM, and then use sid to populate the VM.

Perform the following actions in your sid VM or workstation.

Note: You'll need your /etc/xen-tools/xen-tools.conf set up as in the HowtoForge article (gateway, netmask, broadcast, passwd, fs type, install-method, etc.).

Whenever I tried to build the VM with the default partitions, it would always fail. For some reason the resulting VM would have an fstab showing something like sda1 and sda2 instead of xvda1 and xvda2. (A paravirtualised guest sees its disks as xvd* devices, so an fstab that names sda1 cannot mount the root filesystem at boot.) I had to create my own partition scheme before anything would work right. Here's mine:

$ sudo cat /etc/xen-tools/partitions.d/with-data
[root]
size=4G
type=ext3
mountpoint=/
options=sync,errors=remount-ro

[swap]
size=512M
type=swap

[data]
size=4G
type=ext3
mountpoint=/data
options=nodev

xen-tools looks for a hook directory named after the distribution under /usr/lib/xen-tools, and Lenny's package has none for jaunty, so create a symlink so that --dist=jaunty is recognized at the command line:

$ cd /usr/lib/xen-tools

$ sudo ln -s edgy.d jaunty.d 

Now, finally, you can create the image. This step may take some time:

$ xen-create-image --hostname=myserver --dhcp --lvm=vg_xen --dist=jaunty --mirror=http://archive.ubuntu.com/ubuntu --size=4Gb --memory=512Mb --swap=512MB --arch=i386 --partitions=with-data

Since you're building the logical volumes on a different machine from the one the guest will eventually run on, copy the resulting Xen config to the correct Dom0. The generated config refers to the volumes by their /dev/vg_xen/... device paths, so the iSCSI-backed volume group must be visible under the same name on the target Dom0 before you start the guest there:

$ scp /etc/xen/myserver.cfg root@realhost:/etc/xen/

That should be all you need to get this working.
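Because the build happens on a different host, the new root volume can be mounted read-only there and inspected before the guest is ever booted. The following is an added example, not part of xen-tools or of the original post, that checks a DomU's /etc/fstab for the two things this post ran into: device names a paravirtualised guest does not have (sd* or hd* where the guest sees xvd*) and mount options from the partitions file that did not make it into fstab, such as nodev on /data. The two fstab contents are constructed for the example, and the xvda1/xvda2/xvda3 numbering and the /dev/vg_xen/myserver-root volume name are assumptions.

```python
import re

# fstab that a failed build produced, constructed for this example after the
# symptom described above (sd* names where the guest will see xvd*, no nodev on /data).
BAD_FSTAB = """\
# /etc/fstab: static file system information.
proc        /proc   proc    defaults                0 0
/dev/sda1   /       ext3    sync,errors=remount-ro  0 1
/dev/sda2   none    swap    sw                      0 0
/dev/sda3   /data   ext3    defaults                0 2
"""

# What a correct build from partitions.d/with-data should look like (constructed).
# The xvda1/xvda2/xvda3 order assumes xen-tools numbers partitions in file order.
GOOD_FSTAB = """\
proc        /proc   proc    defaults                0 0
/dev/xvda1  /       ext3    sync,errors=remount-ro  0 1
/dev/xvda2  none    swap    sw                      0 0
/dev/xvda3  /data   ext3    nodev                   0 2
"""

# Mount options required per mountpoint, copied from partitions.d/with-data.
EXPECTED_OPTIONS = {
    "/": {"sync", "errors=remount-ro"},
    "/data": {"nodev"},
}

# Block device names a Xen PV guest does not have: SCSI (sd*) and IDE (hd*).
NON_PV_DEVICE = re.compile(r"^/dev/(sd|hd)[a-z]+\d*$")


def parse_fstab(text):
    """Return a list of dicts for the entries in an fstab, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed: fstab needs at least device, mountpoint, type, options
        device, mountpoint, fstype, options = fields[:4]
        entries.append({
            "device": device,
            "mountpoint": mountpoint,
            "fstype": fstype,
            "options": set(options.split(",")),
        })
    return entries


def check_fstab(text, expected=EXPECTED_OPTIONS):
    """Return a list of human-readable problems; an empty list means the fstab passes."""
    problems = []
    seen = set()
    for e in parse_fstab(text):
        if NON_PV_DEVICE.match(e["device"]):
            problems.append(
                f"{e['mountpoint']}: {e['device']} is a SCSI/IDE name; "
                "a PV DomU sees its disks as /dev/xvd*"
            )
        seen.add(e["mountpoint"])
        for opt in sorted(expected.get(e["mountpoint"], set()) - e["options"]):
            problems.append(f"{e['mountpoint']}: missing mount option {opt}")
    for mountpoint in expected:
        if mountpoint not in seen:
            problems.append(f"{mountpoint}: no fstab entry at all")
    return problems


if __name__ == "__main__":
    import sys
    # Typical use on the build host after:
    #   mount -o ro /dev/vg_xen/myserver-root /mnt    (LV name assumed)
    path = sys.argv[1] if len(sys.argv) > 1 else "/mnt/etc/fstab"
    with open(path) as fh:
        found = check_fstab(fh.read())
    for p in found:
        print("PROBLEM:", p)
    sys.exit(1 if found else 0)
```

Run it against the mounted root before copying the .cfg over; a non-zero exit means the guest would not have come up cleanly, and the missing-option check is worth keeping even once the device-name bug is gone, since nodev on a data partition is the kind of hardening that silently disappears when a partitions file is rewritten.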

 

Remote port tunnelling with SSH

Hi there, here's a quick post about SSH port forwarding. Let's describe the scenario with an example; of course port forwarding can be applied to anything, not only to MySQL as in this sample.

 

Assume you have a remote host with a MySQL server installed and running, and that for security reasons you've forbidden TCP connections from every machine except localhost, or at least that is how I usually configure my services. Your Python, PHP, Java and even CLI apps are happy with this: they reach the MySQL backend by connecting to localhost on port 3306.

For security reasons, when you're on the MySQL server itself you connect with:
myserver:~$ mysql --host=127.0.0.1 --user=USER -p
(-p prompts for the password instead of taking it on the command line, where other local users could read it from the process list.) Pretty safe and good; I usually configure MySQL this way:
myserver:~$ grep "bind-address" /etc/mysql/my.cnf
bind-address = 127.0.0.1

So far everything is fine, but if you need to manage the remote database with MySQL Administrator or your preferred GUI tool, how do you connect? Easy: use SSH local port forwarding to bind port 3306 on your workstation (or another local port if 3306 is already taken) and tunnel it to port 3306 on the server's loopback interface, then point your tool at localhost. From your local machine:
localmachine:~$ ssh -l USER -L 3306:localhost:3306 REMOTEHOST
This opens an SSH session to the remote host, and for as long as it is up any connection to port 3306 on your local machine is carried through the tunnel and delivered by the remote sshd to localhost:3306 on that side. MySQL therefore sees the connection arriving from 127.0.0.1 and its bind-address restriction still holds. By default ssh binds the local end of a -L forward to the loopback interface only (unless GatewayPorts is enabled); write -L 127.0.0.1:3306:localhost:3306 if you want to be explicit that other hosts on your network cannot use your tunnel.
Now open the remote database from localhost. With the mysql command-line client, connect to 127.0.0.1 rather than localhost: the client treats the name localhost specially and uses the Unix socket, which would bypass the tunnel, while an IP address forces a TCP connection.
localmachine:~$ mysql --host=127.0.0.1 --user=USER -p
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 254
Server version: 5.0.51a-24 (Debian)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql>

And that's it !

Obviously you can use your favourite admin tool as well, not only the mysql CLI; anything that can talk to 127.0.0.1:3306 on your workstation goes through the tunnel.

 

Pretty easy and quick

Hope it helps someone

Ben
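To make the forwarding mechanism concrete, here is an added example, not from Ben's post, that models the local end of ssh -L with plain Python sockets: a relay bound to 127.0.0.1 only that splices each accepted connection to a target address, plus a stand-in for a mysqld bound to 127.0.0.1 that reports the peer address it saw. What it deliberately leaves out is the SSH transport itself: a real -L forward carries the bytes inside the encrypted SSH connection and the remote sshd makes the final hop to localhost:3306, whereas this relay is unencrypted and runs entirely on one machine. The point it demonstrates is why the server's bind-address = 127.0.0.1 still holds: the forwarded connection arrives from loopback. The one-line request/reply protocol is constructed for the example and is not MySQL's.

```python
import socket
import threading


def _pump(src, dst):
    """Copy bytes from src to dst until src hits EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay_one(listener, target):
    """Accept a single client on the listener and splice it to target."""
    try:
        client, _ = listener.accept()
    except OSError:
        return  # listener closed before anyone connected
    upstream = socket.create_connection(target)
    a = threading.Thread(target=_pump, args=(client, upstream))
    b = threading.Thread(target=_pump, args=(upstream, client))
    a.start()
    b.start()
    a.join()
    b.join()
    client.close()
    upstream.close()


def start_local_forward(local_port, target):
    """Model of the local end of `ssh -L local_port:target`.

    Like ssh without GatewayPorts, the listening socket is bound to 127.0.0.1
    only, so nothing off-box can reach the forwarded service through us.
    Returns the listening socket (its port is useful when local_port is 0).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", local_port))
    listener.listen(1)
    threading.Thread(target=_relay_one, args=(listener, target), daemon=True).start()
    return listener


def start_loopback_service():
    """Stand-in for a mysqld with bind-address = 127.0.0.1 (constructed; not MySQL's protocol).

    Answers one request line with the address the connection came from, which
    is the point of the exercise: through the forward that address is 127.0.0.1.
    Returns the port it listens on.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def handle():
        conn, peer = srv.accept()
        request = conn.recv(1024).strip()
        conn.sendall(b"peer=%s request=%s\n" % (peer[0].encode(), request))
        conn.close()
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return srv.getsockname()[1]


def query_through_forward(request=b"SELECT 1\n"):
    """Run the whole exchange (client -> relay -> service) and return the reply as text."""
    service_port = start_loopback_service()
    listener = start_local_forward(0, ("127.0.0.1", service_port))
    local_port = listener.getsockname()[1]
    try:
        with socket.create_connection(("127.0.0.1", local_port)) as c:
            c.sendall(request)
            c.shutdown(socket.SHUT_WR)
            reply = b""
            while True:
                chunk = c.recv(1024)
                if not chunk:
                    break
                reply += chunk
    finally:
        listener.close()
    return reply.decode()


if __name__ == "__main__":
    print(query_through_forward(), end="")
```

The same check applies to a real tunnel: while ssh -L is up, ss -ltn (or netstat -ltn) on the workstation should show the forwarded port listening on 127.0.0.1 and not on 0.0.0.0, and the MySQL server's process list or SHOW PROCESSLIST shows the admin session coming from 127.0.0.1.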

 

Zeroshell Linux: Captive Portal, Internet Gateway and Router (part3)

Zeroshell Linux: Captive Portal, Internet Gateway and Router (part3) is the last part of Eric Geier's excellent series on using Zeroshell Linux to provide secure LAN services, such as wireless access point, name services, firewall, and lots more. Enjoy!
 

Preventing unauthorized SSH access using Denyhosts

Once, while doing a routine tail -f /var/log/messages, I came across a number of messages like these:

sshd[29924]: PAM_NAM: User donk unknown to the authentication module
sshd[29924]: Failed password for invalid user donk from 'IP address here' port 63410 ssh2

My SSH was under continuous attack! Hmm... until I found DenyHosts.

DenyHosts is a small Python script by Phil Schwartz which parses the logs, identifies repeated authentication failures and adds the offenders' IP addresses to /etc/hosts.deny, preventing them from connecting at all. Two caveats: /etc/hosts.deny is enforced by TCP Wrappers, so it only protects daemons built with libwrap support (OpenSSH built with tcp_wrappers support, which distribution packages of this era normally were), and an attacker who spreads attempts across many source addresses stays under the per-address thresholds.

Installation

As the program was not available in the official repositories for SLES 10 SP1, I had to do some manual configuration. The installation steps are detailed in the 'Readme.txt' file within the package.

First, the python-devel package has to be installed; it is not installed by default:

zypper install python-devel

Download the latest version of DenyHosts from http://denyhosts.sourceforge.net/

The version available at the time of my setup was 2.6. Uncompress the sources and install:

tar zxvf DenyHosts-2.6.tar.gz

cd DenyHosts-2.6

python setup.py install

This installs the scripts and config files into /usr/share/denyhosts and into the site-packages directory of your Python installation.

Configuration

Before proceeding, denyhosts.cfg must be edited to suit the installation environment. The example config file is fully commented, so it should be easy to follow. I had the following config (on SLES sshd logs to /var/log/messages, hence SECURE_LOG):

#/usr/share/denyhosts/denyhosts.cfg

SECURE_LOG = /var/log/messages
HOSTS_DENY = /etc/hosts.deny
LOCK_FILE = /var/run/denyhosts.pid

After this, I did the following (as described in the readme) to run DenyHosts as a daemon at system start:

cd /usr/share/denyhosts

chmod 700 daemon-control

ln -s /usr/share/denyhosts/daemon-control /etc/init.d/denyhosts

/etc/init.d/denyhosts start

tail -f /var/log/denyhosts # will contain messages related to the start

If it is working as intended, enable it to start automatically by doing

chkconfig denyhosts on

It happened occasionally that some valid IPs were listed in /etc/hosts.deny. To prevent this, the genuine IPs from which users connect can be added to a file called 'allowed-hosts' in /usr/share/denyhosts/data. There is no specific format; just add the IPs to the file, one per line. Also, edit denyhosts.cfg to set the following variable and restart DenyHosts.

ALLOWED_HOSTS_HOSTNAME_LOOKUP=YES

This setting makes DenyHosts resolve the allowed-hosts entries to hostnames as well, so that the whitelist still matches when sshd logs a hostname instead of an address; with plain IP entries and IP-only logs it is not strictly required.

That's it..
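What DenyHosts does with the log lines quoted at the top of this post can be shown in a few dozen lines. The following is an added example, not DenyHosts' own code: it parses the "Failed password" lines sshd writes, counts failures per source address in the three classes DenyHosts distinguishes (non-existent user, root, existing user), exempts addresses listed in allowed-hosts, and renders the sshd: <ip> rules that end up in /etc/hosts.deny. The log lines, the allowed-hosts contents and the threshold values are constructed for the example (DenyHosts' real thresholds are the DENY_THRESHOLD_* settings in denyhosts.cfg); the real tool also ages entries out over time and understands other log formats.

```python
import re
from collections import Counter

# sshd lines of the two shapes quoted above, constructed for this example
# (syslog timestamp and hostname omitted, as in the post). Addresses are from
# the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
sshd[29924]: PAM_NAM: User donk unknown to the authentication module
sshd[29924]: Failed password for invalid user donk from 203.0.113.7 port 63410 ssh2
sshd[29930]: Failed password for invalid user admin from 203.0.113.7 port 63412 ssh2
sshd[29933]: Failed password for invalid user oracle from 203.0.113.7 port 63415 ssh2
sshd[29940]: Failed password for root from 198.51.100.23 port 40112 ssh2
sshd[29950]: Failed password for invalid user test from 192.0.2.10 port 50000 ssh2
sshd[29951]: Failed password for invalid user test from 192.0.2.10 port 50001 ssh2
sshd[29952]: Failed password for invalid user test from 192.0.2.10 port 50002 ssh2
sshd[29960]: Accepted publickey for ben from 192.0.2.10 port 50100 ssh2
sshd[29970]: Failed password for ben from 192.0.2.44 port 51000 ssh2
"""

# WORK_DIR/allowed-hosts: one address per line, '#' comments allowed (constructed).
SAMPLE_ALLOWED = "# our office gateway\n192.0.2.10\n"

# Failure counts at which an address gets denied. These mirror the three
# DENY_THRESHOLD_* settings in denyhosts.cfg, but the values here are assumed
# for the example, not DenyHosts' defaults.
THRESHOLDS = {"invalid": 3, "valid": 5, "root": 1}

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def classify_failures(log_text):
    """Count failed logins per (ip, kind); kind is invalid, root or valid."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # PAM chatter, accepted logins and so on are not scored
        if m.group("invalid"):
            kind = "invalid"  # account does not exist: most aggressive threshold
        elif m.group("user") == "root":
            kind = "root"
        else:
            kind = "valid"  # real account, may just be a user mistyping
        counts[(m.group("ip"), kind)] += 1
    return counts


def load_allowed_hosts(text):
    """Parse allowed-hosts: one address per line, blank lines and # comments ignored."""
    return {
        line.strip() for line in text.splitlines()
        if line.strip() and not line.lstrip().startswith("#")
    }


def offenders(log_text, allowed_text="", thresholds=THRESHOLDS):
    """Addresses that crossed a threshold and are not whitelisted, sorted."""
    allowed = load_allowed_hosts(allowed_text)
    denied = set()
    for (ip, kind), n in classify_failures(log_text).items():
        if ip in allowed:
            continue  # the author's fix for legitimate users locking themselves out
        if n >= thresholds[kind]:
            denied.add(ip)
    return sorted(denied)


def hosts_deny_lines(ips, daemon="sshd"):
    """Render tcp_wrappers rules in the 'daemon: client' form DenyHosts appends to hosts.deny."""
    return [f"{daemon}: {ip}" for ip in ips]


if __name__ == "__main__":
    for rule in hosts_deny_lines(offenders(SAMPLE_LOG, SAMPLE_ALLOWED)):
        print(rule)
```

With the sample data, 203.0.113.7 is denied for three attempts against non-existent accounts, 198.51.100.23 for a single root attempt, 192.0.2.44 survives one wrong password for a real account, and 192.0.2.10 would have been denied but is saved by the allowed-hosts entry, which is exactly the lock-out the post describes.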

 

Testing mail servers with swaks

Article Source: http://www.cmdln.org
Date: April 16th 2009

I hadn't seen this tool before so I figured I would share. Swaks is the "Swiss Army Knife for SMTP", according to its homepage.


Perl : Creating a compiled daemon

One of the more exciting techniques I learned while working on my server project for the last year was how to create a daemon in Perl and then compile it.

Yes, Perl can be compiled. I had no idea, but it's a wonderful thing. Combine this with a fork statement and a while loop and you're all set to have a daemon.

Improving Debian's nginx init script

Article Source: http://www.cmdln.org
Date: April 27th 2009

nginx is a high performance HTTP and mail proxy server written by Igor Sysoev.

I'm not sure what the init scripts do for other distros, but it seems a bit of an oversight to leave out checking the config file when running the init script.

 

Project Review: eBox Platform


The eBox Platform is a suite of software for managing networking and other features.  I stumbled onto eBox a few years ago and have since used it in many locations including my home network.  The project was and still is hosted in Spain by some very capable folks.  Community involvement and grants have supported some of the developers.


Puppet, what was I doing?!?

I've been busy today setting up Puppet on a Xen virtual environment: 5 virtual machines in my lab managed by Puppet.

Puppet is a system that enables you to manage configuration files and information across multiple hosts.

I really don't know what I've been doing without it. Basically you set up your configuration profile and all machines, current and future, consume that configuration set.

Today I have been trying it with distributing sudoers, LDAP authentication, NFS configuration, firewall... It's really useful.

I definitely recommend this for anyone who wants a "standardized multinode environment".

 

tc - show / manipulate traffic control settings

Since I've spent the last year learning a lot of little things about Linux I thought I'd share some fun stuff for anyone who's interested.

This was a good one. There is a LOT more information than I could ever explain on the topic at http://lartc.org

If you've ever wondered how to rate-limit users on your network, this tutorial will save you a lot of research time. I've done most of the legwork for you and can say that this method has been tested and shown to work on medium-sized networks with 1-50 users. The only downside is that it only rate-limits the users' download speed. I have not found a way to do upload speeds.

