Toreishi.net ~Now with more SNAP~
Mar 15 2014
Internal scattershot
A challenge when performing service refactoring is that you now need to start worrying a lot more about connection security. When everything's on one box, and you're connecting via ports on localhost, you don't generally need to worry much. However, once you start splitting out services, relying on trust and unencrypted connections becomes less viable.
Here are some notes regarding PostgreSQL, as an example:
- Your users should be already set up with encrypted passwords (you did, right?).
- Next, you need to prepare SSL certificates for PostgreSQL, assuming that your installation has SSL support (CentOS compiles it in by default), install them in the correct location, and enable them in postgresql.conf.
- If your internal CA is based on Windows Server, it's a little trickier to generate the certificate and its private key. I prefer to generate the certificate request on the CA with an .inf file, import the certificate on the CA, export the public and private key from the CA, and then convert the .pfx file into a .crt and .key file on the target host.
- Once you have your SSL certificates up and running, the next step is to define PostgreSQL connection restrictions (using hostssl, of course).
- From there, it's a matter of adjusting your database connection strings appropriately.
- PHP uses the sslmode parameter, although it's odd that the value list is in a comment and not in the documentation.
- JDBC uses the ssl parameter, although since Java keeps its own CA database, you may need to import your CA certificate into the Java truststore.
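Since the rule of thumb above is that every remote pg_hba.conf entry should be hostssl, here is an added check (my own example, not code from the post) that flags the rules still allowing cleartext TCP, or skipping authentication with trust. The sample pg_hba.conf is constructed and PG_HBA is an assumed path:

```shell
#!/bin/sh
# Added example, not from the original post: audit pg_hba.conf for rules
# that still let remote clients in over cleartext TCP ("host"/"hostnossl")
# or without authentication ("trust"). Once every remote rule is "hostssl",
# the server refuses non-SSL connections from those networks no matter
# which sslmode the client asks for.

# Constructed sample pg_hba.conf (PG_HBA is an assumed path; point it at
# the real file, e.g. /var/lib/pgsql/data/pg_hba.conf, to audit a server).
PG_HBA="${PG_HBA:-/tmp/pg_hba.sample.conf}"
cat > "$PG_HBA" <<'EOF'
# TYPE      DATABASE  USER  ADDRESS        METHOD
local       all       all                  peer
host        all       all   127.0.0.1/32   md5
host        all       all   ::1/128        md5
hostssl     app       app   10.0.1.0/24    md5
host        app       app   10.0.2.0/24    md5
hostnossl   all       all   0.0.0.0/0      trust
hostssl     rep       rep   10.0.1.5/32    trust
EOF

# Print one line per finding: "<line>:<reason>:<rule>". Loopback rules are
# skipped (that traffic never leaves the box), and so are "local" rules
# (Unix-domain sockets, which SSL does not apply to).
audit_pg_hba() {
  awk '
    /^[[:space:]]*(#|$)/ { next }
    $1 == "local"        { next }
    {
      addr = $4; method = $5
      # "ADDRESS NETMASK" form: the mask sits in $5 and the method in $6
      if (addr !~ /\// && $5 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) method = $6
      if (addr == "127.0.0.1/32" || addr == "::1/128") next
      if ($1 == "host" || $1 == "hostnossl") printf "%d:cleartext:%s\n", NR, $0
      if (method == "trust")                 printf "%d:trust:%s\n", NR, $0
    }' "$1"
}

# Number of findings (0 means clean); handy as a pre-deploy check.
audit_count() {
  audit_pg_hba "$1" | wc -l | tr -d ' '
}

audit_pg_hba "$PG_HBA"
```

On the client side, the sslmode parameter mentioned above then wants verify-full rather than just require, so the server certificate is actually checked against your CA; JDBC's ssl=true validates the chain against the Java truststore in the same way.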
Mar 11 2014
Linux networking miscellania
A few interesting things I've stumbled across while finalizing some of my migration preparations from my previous server to the new one.
- If you have multiple network adapters, your default route might not be the one you want. At least in CentOS, you can configure that in /etc/sysconfig/network with GATEWAY and GATEWAYDEV. This could be the problem if you're finding that you can't connect to your system (ping, ssh, etc.) even when it's capable of reaching the outside world... and even more, that if you disable your internal network adapter, everything "magically works." netstat -r/route -e might reveal that your default gateway isn't the one you think it is.
- Brute force ssh attacks aren't fun, and they've been pretty common for a while. True, they're probably not going to hack into your box (You have disabled root ssh access, right? And you don't have any of the standard accounts they try to hack in with?), but they can be rather annoying. Fortunately, it's actually pretty easy to use iptables to limit the number of ssh connections per minute.
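As an added example (my own, not from the post), two shell functions for the brute-force problem: one summarizes the failed-login sources from sshd lines in /var/log/secure, the other prints the iptables recent-match rules that cap new SSH connections per source per minute. The log lines are constructed, and the 60-second window and 4-hit threshold are assumed defaults:

```shell
#!/bin/sh
# Added example, not from the original post. Two pieces for the brute-force
# problem: find which sources are hammering sshd, and throttle new SSH
# connections per source with iptables' "recent" match.

# Constructed sample of CentOS /var/log/secure lines (SAMPLE_LOG is an
# assumed path; point it at the real log to run this for real).
SAMPLE_LOG="${SAMPLE_LOG:-/tmp/secure.sample}"
cat > "$SAMPLE_LOG" <<'EOF'
Mar 11 03:14:07 vmhost sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 11 03:14:09 vmhost sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Mar 11 03:14:12 vmhost sshd[2213]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar 11 03:14:15 vmhost sshd[2215]: Failed password for invalid user oracle from 203.0.113.5 port 51244 ssh2
Mar 11 03:20:01 vmhost sshd[2301]: Accepted publickey for deploy from 10.0.1.20 port 40022 ssh2
Mar 11 03:21:44 vmhost sshd[2310]: Failed password for deploy from 10.0.1.20 port 40030 ssh2
Mar 11 03:22:03 vmhost sshd[2320]: Failed password for invalid user test from 198.51.100.7 port 3322 ssh2
Mar 11 03:22:05 vmhost sshd[2320]: Failed password for invalid user test from 198.51.100.7 port 3323 ssh2
EOF

# Print "<failures> <source-ip>" for each source with at least $2 failed
# password attempts (default 3), most failures first. "invalid user" and
# real-account failures are both counted; accepted logins are ignored.
ssh_failed_sources() {
  min="${2:-3}"
  awk -v min="$min" '
    /sshd\[[0-9]+\]: Failed password for / {
      for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
    }
    END { for (ip in fails) if (fails[ip] >= min) printf "%d %s\n", fails[ip], ip }
  ' "$1" | sort -rn
}

# Print the iptables rules that limit NEW connections to port 22: each new
# connection is recorded per source, and from the HITS-th one within WINDOW
# seconds onward the packet is dropped (3 per minute with the defaults).
# A source that keeps retrying keeps refreshing its own block; established
# sessions are never touched. Nothing is applied here: review the output,
# run it as root ahead of any general ACCEPT for port 22, then
# "service iptables save" on CentOS 6.
ssh_ratelimit_rules() {
  window="${1:-60}"
  hits="${2:-4}"
  cat <<EOF
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name SSH --set
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name SSH --update --seconds $window --hitcount $hits -j DROP
EOF
}

ssh_failed_sources "$SAMPLE_LOG"
ssh_ratelimit_rules
```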
Feb 24 2014
Hitting a purple brick wall
Yesterday, while installing some more software, the fans on my ESXi system spun up to high, then all my sessions halted. That's never a good thing.
I took a look at what was on the physical screen of my system, and I got to learn about the joys of the PSOD. Initially, I thought the issue was bad memory, so I ran MemTest86 for a little over 20 hours. Nope. Not the problem.
A bit more searching revealed this little gem of a VMware knowledge base article.
Really, VMware? You're going to have a patch available for 5.0 and 5.1, but not 5.5? What the hell?!
Feb 22 2014
Fun (or not) with VPN
For the past several days, I've been working on getting a VPN working for my little cluster. There are several different options available for Windows Server. It didn't take too long to get PPTP working, which I would consider the base level. I'd prefer not to try to implement L2TP, as that would require installing client certificates on all systems, which is annoying.
As a result, I've been spending the past several days trying to get SSTP working instead, which looks pretty straightforward on paper. Unfortunately, there are all too many problems you can stumble across, and the one I've been fighting for a while has been error 0x80092013 (which lots of other people also seem to fight with). What's depressing is that Windows offers almost no logging, so I've been slowly working through all the issues, but I've now hit a dead end.
- The CDP and DeltaCRL locations now refer only to externally-accessible locations (verified via Enterprise PKI).
- The certificate's CRL distribution point is externally-accessible.
- The domain CA certificate is installed on the VPN client.
- IIS double-escaping has been enabled.
Disabling the CRL check does let SSTP work (which means that this is strictly a CDP issue), but that's far from ideal. What's particularly frustrating is, as I mentioned previously, there are several different places where this could be breaking, and Windows is being very opaque as to where. For example, the IIS server logs don't show any download attempts of the CRL or delta CRLs.
On the other hand, this isn't something I want to sink too much more time into, especially when I have several other things to work on.... I'll probably come back later to work with it more.
Edit: Predictably, I end up fixing this because I found I couldn't log in via SSTP any longer. As it turns out, it's pretty easy to have IIS SSL settings clobber your SSTP port binding (really?), so Microsoft has a knowledge base article on how to fix that. I ended up disabling the Default Web Site (largely to remove contention for the 0.0.0.0:443 binding, as I'll be using SNI for my SSL sites), which ended up fixing the CDP issue as well.
Feb 14 2014
Building out Windows Server 2012
For what I'm building out, having a Windows Server installation (or two) can be quite useful.
As part of this process, I've found that one of the nice things they added back in Windows Server 2008 is a Server Core installation mode, which strips out almost the entire user interface, causing most of the interaction to occur via Computer Management and Windows PowerShell. An interesting development for an operating system that's been built up almost completely around its GUI.
Not surprisingly, they've had to add a couple of tools to make this work more smoothly. The two most useful ones are sconfig.cmd, designed to run on the host system for initial setup, and the Remote Server Administration Tools (RSAT), the most recent version of which only runs on Windows 8.1 (for Windows Server 2012 R2 support).
Oddly, though, the application for which most people would want to run Windows Server, Microsoft Exchange, doesn't support running in Windows Server Core mode. From the system requirements documentation for Exchange 2013:
To compound matters, most management of Exchange 2013 is now performed via a web browser anyway... so why does Exchange require a full Windows Server installation? Hell if I know....
Edit: It's apparently because Exchange (mailbox role) requires the Windows Media Audio Voice Codec. This doesn't require just the GUI, it requires the Desktop Experience add-on. Microsoft really couldn't pull that dependency out separately...?
Additional notes
- Since I'm building out a replacement domain, and I'd prefer to use the same NetBIOS name (although a different domain name), using rendom is helpful. Feasible because it's only the NetBIOS name I'm changing, and not generally recommended for production.
- Dealing with Windows MAK activations and virtual machines can be... irritating. The Datacenter license allows for an unlimited number of activations on a single physical server, but if you're not running Hyper-V, the instances apparently don't know that they're all running on a single physical server. Add to this the lack of GUI in Windows Server Core mode, and you end up needing to use the command line to activate Windows instead.
- The problem with building out a system in Windows Server Core mode is that it becomes very painful to add major features (like a GUI) back in the longer you wait, as you end up needing to troll through the Windows Update Catalog to manually download all updates to the system.
- I was getting an odd error while promoting the system to be a domain controller in the Post-deployment Configuration via a remote Server Manager, as it was complaining about a permissions error, while unfortunately not leaving behind any logs to indicate what the problem was. I did, however, stumble across this blog article that uses Install-ADDSForest in PowerShell to create a new domain, and it's not a stretch to find the TechNet article from there for full details. Alternately, using Install-WindowsFeature Server-Gui-Mgmt-Infra works too.
- When dealing with entirely too many different networks, knowing whether or not the domain should be accessible (and why) can sometimes be tricky. In this situation, your DNS can often be the cause of the problem, and nslookup can be very helpful then.
- Manipulating disks on a Windows Server Core system can be rather difficult, unless you really like playing with diskpart. Fortunately, you can enable Disk Management remotely, although it requires changes both on the server and the client sides.
- Needing to enable the full-blown GUI just so you can run the DirectAccess Getting Started Wizard bites.
- DirectAccess is cool... but you need to be running Ultimate or Enterprise editions of Windows. Ouch.
- User Profile Wizard is pretty darn awesome if you're migrating users between local/domain and local/domain. I've done it by hand before, and this makes life *so* much easier.
Feb 13 2014
Building a base CentOS image
As noted previously, I'll be working on setting up a VMware ESXi system. I personally lean toward using CentOS for my systems, and there's an official CentOS EC2 AMI that's designed to be a secure, minimal profile. Unfortunately, contrary to its description, the CentOS AWS wiki page doesn't actually describe how they're built. There's been at least one person asking on the CentOS-virt mailing list about how they're created, but nothing on the list describes the procedure (at least back through January 2013).
So, how to spec out the package list? Easy! Launch a simple EC2 instance. Here's the list from CentOS 6 (x86_64), version 6 (2013/05/27). Naturally, you should run yum update, but this should serve as a pretty good starting point.
acpid-1.0.10-2.1.el6.x86_64
attr-2.4.44-7.el6.x86_64
audit-2.2-2.el6.x86_64
audit-libs-2.2-2.el6.x86_64
b43-openfwwf-5.2-4.el6.noarch
basesystem-10.0-4.el6.noarch
bash-4.1.2-14.el6.x86_64
binutils-2.20.51.0.2-5.36.el6.x86_64
bzip2-1.0.5-7.el6_0.x86_64
bzip2-libs-1.0.5-7.el6_0.x86_64
ca-certificates-2010.63-3.el6_1.5.noarch
centos-release-6-4.el6.centos.10.x86_64
checkpolicy-2.0.22-1.el6.x86_64
chkconfig-1.3.49.3-2.el6.x86_64
coreutils-8.4-19.el6_4.2.x86_64
coreutils-libs-8.4-19.el6_4.2.x86_64
cpio-2.10-11.el6_3.x86_64
cracklib-2.8.16-4.el6.x86_64
cracklib-dicts-2.8.16-4.el6.x86_64
cronie-1.4.4-7.el6.x86_64
cronie-anacron-1.4.4-7.el6.x86_64
crontabs-1.10-33.el6.noarch
curl-7.19.7-36.el6_4.x86_64
cyrus-sasl-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-lib-2.1.23-13.el6_3.1.x86_64
dash-0.5.5.1-4.el6.x86_64
db4-4.7.25-17.el6.x86_64
db4-utils-4.7.25-17.el6.x86_64
dbus-glib-0.86-6.el6.x86_64
dbus-libs-1.2.24-7.el6_3.x86_64
deltarpm-3.5-0.5.20090913git.el6.x86_64
dhclient-4.1.1-34.P1.el6.centos.x86_64
dhcp-common-4.1.1-34.P1.el6.centos.x86_64
diffutils-2.8.1-28.el6.x86_64
dracut-004-303.el6.noarch
dracut-kernel-004-303.el6.noarch
e2fsprogs-1.41.12-14.el6.x86_64
e2fsprogs-libs-1.41.12-14.el6.x86_64
efibootmgr-0.5.4-10.el6.x86_64
elfutils-libelf-0.152-1.el6.x86_64
ethtool-3.5-1.el6.x86_64
expat-2.0.1-11.el6_2.x86_64
file-5.04-15.el6.x86_64
file-libs-5.04-15.el6.x86_64
filesystem-2.4.30-3.el6.x86_64
findutils-4.4.2-6.el6.x86_64
fipscheck-1.2.0-7.el6.x86_64
fipscheck-lib-1.2.0-7.el6.x86_64
gamin-0.1.10-9.el6.x86_64
gawk-3.1.7-10.el6.x86_64
gdbm-1.8.0-36.el6.x86_64
glib2-2.22.5-7.el6.x86_64
glibc-2.12-1.107.el6.x86_64
glibc-common-2.12-1.107.el6.x86_64
gmp-4.3.1-7.el6_2.2.x86_64
gnupg2-2.0.14-4.el6.x86_64
gpgme-1.1.8-3.el6.x86_64
grep-2.6.3-3.el6.x86_64
groff-1.18.1.4-21.el6.x86_64
grub-0.97-81.el6.x86_64
grubby-7.0.15-3.el6.x86_64
gzip-1.3.12-18.el6.x86_64
hwdata-0.233-7.9.el6.noarch
info-4.13a-8.el6.x86_64
initscripts-9.03.38-1.el6.centos.1.x86_64
iproute-2.6.32-23.el6.x86_64
iptables-1.4.7-9.el6.x86_64
iptables-ipv6-1.4.7-9.el6.x86_64
iputils-20071127-16.el6.x86_64
kbd-1.15-11.el6.x86_64
kbd-misc-1.15-11.el6.noarch
kernel-2.6.32-358.6.2.el6.x86_64
kernel-firmware-2.6.32-358.6.2.el6.noarch
keyutils-libs-1.4-4.el6.x86_64
krb5-libs-1.10.3-10.el6_4.2.x86_64
less-436-10.el6.x86_64
libacl-2.2.49-6.el6.x86_64
libattr-2.4.44-7.el6.x86_64
libblkid-2.17.2-12.9.el6_4.3.x86_64
libcap-2.16-5.5.el6.x86_64
libcap-ng-0.6.4-3.el6_0.1.x86_64
libcom_err-1.41.12-14.el6.x86_64
libcurl-7.19.7-36.el6_4.x86_64
libdrm-2.4.39-1.el6.x86_64
libedit-2.11-4.20080712cvs.1.el6.x86_64
libffi-3.0.5-3.2.el6.x86_64
libgcc-4.4.7-3.el6.x86_64
libgcrypt-1.4.5-9.el6_2.2.x86_64
libgpg-error-1.7-4.el6.x86_64
libidn-1.18-2.el6.x86_64
libnih-1.0.1-7.el6.x86_64
libpciaccess-0.13.1-2.el6.x86_64
libselinux-2.0.94-5.3.el6_4.1.x86_64
libselinux-utils-2.0.94-5.3.el6_4.1.x86_64
libsemanage-2.0.43-4.2.el6.x86_64
libsepol-2.0.41-4.el6.x86_64
libss-1.41.12-14.el6.x86_64
libssh2-1.4.2-1.el6.x86_64
libstdc++-4.4.7-3.el6.x86_64
libusb-0.1.12-23.el6.x86_64
libuser-0.56.13-5.el6.x86_64
libutempter-1.1.5-4.1.el6.x86_64
libuuid-2.17.2-12.9.el6_4.3.x86_64
libxml2-2.7.6-12.el6_4.1.x86_64
logrotate-3.7.8-16.el6.x86_64
lua-5.1.4-4.1.el6.x86_64
m4-1.4.13-5.el6.x86_64
MAKEDEV-3.24-6.el6.x86_64
man-1.6f-32.el6.x86_64
mingetty-1.08-5.el6.x86_64
module-init-tools-3.9-21.el6.x86_64
mysql-libs-5.1.69-1.el6_4.x86_64
ncurses-5.7-3.20090208.el6.x86_64
ncurses-base-5.7-3.20090208.el6.x86_64
ncurses-libs-5.7-3.20090208.el6.x86_64
net-tools-1.60-110.el6_2.x86_64
newt-0.52.11-3.el6.x86_64
nspr-4.9.2-1.el6.x86_64
nss-3.14.0.0-12.el6.x86_64
nss-softokn-3.12.9-11.el6.x86_64
nss-softokn-freebl-3.12.9-11.el6.x86_64
nss-sysinit-3.14.0.0-12.el6.x86_64
nss-tools-3.14.0.0-12.el6.x86_64
nss-util-3.14.0.0-2.el6.x86_64
openldap-2.4.23-32.el6_4.1.x86_64
openssh-5.3p1-84.1.el6.x86_64
openssh-clients-5.3p1-84.1.el6.x86_64
openssh-server-5.3p1-84.1.el6.x86_64
openssl-1.0.0-27.el6_4.2.x86_64
pam-1.1.1-13.el6.x86_64
passwd-0.77-4.el6_2.2.x86_64
pciutils-3.1.10-2.el6.x86_64
pciutils-libs-3.1.10-2.el6.x86_64
pcre-7.8-6.el6.x86_64
pinentry-0.7.6-6.el6.x86_64
plymouth-0.8.3-27.el6.centos.x86_64
plymouth-core-libs-0.8.3-27.el6.centos.x86_64
plymouth-scripts-0.8.3-27.el6.centos.x86_64
policycoreutils-2.0.83-19.30.el6.x86_64
popt-1.13-7.el6.x86_64
postfix-2.6.6-2.2.el6_1.x86_64
procps-3.2.8-25.el6.x86_64
psmisc-22.6-15.el6_0.1.x86_64
pth-2.0.7-9.3.el6.x86_64
pygpgme-0.1-18.20090824bzr68.el6.x86_64
python-2.6.6-36.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
python-libs-2.6.6-36.el6.x86_64
python-pycurl-7.19.0-8.el6.x86_64
python-urlgrabber-3.9.1-8.el6.noarch
readline-6.0-4.el6.x86_64
redhat-logos-60.0.14-12.el6.centos.noarch
rootfiles-8.1-6.1.el6.noarch
rpm-4.8.0-32.el6.x86_64
rpm-libs-4.8.0-32.el6.x86_64
rpm-python-4.8.0-32.el6.x86_64
rsync-3.0.6-9.el6.x86_64
rsyslog-5.8.10-6.el6.x86_64
sed-4.2.1-10.el6.x86_64
selinux-policy-3.7.19-195.el6_4.5.noarch
selinux-policy-targeted-3.7.19-195.el6_4.5.noarch
setup-2.8.14-20.el6.noarch
shadow-utils-4.1.4.2-13.el6.x86_64
slang-2.2.1-1.el6.x86_64
sqlite-3.6.20-1.el6.x86_64
sudo-1.8.6p3-7.el6.x86_64
system-config-firewall-base-1.2.27-5.el6.noarch
system-config-firewall-tui-1.2.27-5.el6.noarch
sysvinit-tools-2.87-4.dsf.el6.x86_64
tar-1.23-11.el6.x86_64
tcp_wrappers-libs-7.6-57.el6.x86_64
tzdata-2013b-1.el6.noarch
udev-147-2.46.el6.x86_64
upstart-0.6.5-12.el6.x86_64
ustr-1.0.4-9.1.el6.x86_64
util-linux-ng-2.17.2-12.9.el6_4.3.x86_64
vim-minimal-7.2.411-1.8.el6.x86_64
which-2.19-6.el6.x86_64
xz-4.999.9-0.3.beta.20091007git.el6.x86_64
xz-libs-4.999.9-0.3.beta.20091007git.el6.x86_64
xz-lzma-compat-4.999.9-0.3.beta.20091007git.el6.x86_64
yum-3.2.29-40.el6.centos.noarch
yum-metadata-parser-1.1.2-16.el6.x86_64
yum-plugin-fastestmirror-1.1.30-14.el6.noarch
yum-presto-0.6.2-1.el6.noarch
zlib-1.2.3-29.el6.x86_64
What's particularly interesting is when you compare this against the list of RPMs installed by the CentOS 6.5 minimal CD.
attr-2.4.44-7.el6.x86_64
audit-2.2-2.el6.x86_64
audit-libs-2.2-2.el6.x86_64
authconfig-6.1.12-13.el6.x86_64
b43-openfwwf-5.2-4.el6.noarch
basesystem-10.0-4.el6.noarch
bash-4.1.2-14.el6.x86_64
binutils-2.20.51.0.2-5.36.el6.x86_64
bridge-utils-1.2-10.el6.x86_64
bzip2-1.0.5-7.el6_0.x86_64
bzip2-libs-1.0.5-7.el6_0.x86_64
ca-certificates-2010.63-3.el6_1.5.noarch
centos-release-6-4.el6.centos.10.x86_64
checkpolicy-2.0.22-1.el6.x86_64
chkconfig-1.3.49.3-2.el6.x86_64
coreutils-8.4-19.el6.x86_64
coreutils-libs-8.4-19.el6.x86_64
cpio-2.10-11.el6_3.x86_64
cracklib-2.8.16-4.el6.x86_64
cracklib-dicts-2.8.16-4.el6.x86_64
cronie-1.4.4-7.el6.x86_64
cronie-anacron-1.4.4-7.el6.x86_64
crontabs-1.10-33.el6.noarch
cryptsetup-luks-1.2.0-7.el6.x86_64
cryptsetup-luks-libs-1.2.0-7.el6.x86_64
curl-7.19.7-35.el6.x86_64
cyrus-sasl-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-lib-2.1.23-13.el6_3.1.x86_64
dash-0.5.5.1-4.el6.x86_64
db4-4.7.25-17.el6.x86_64
db4-utils-4.7.25-17.el6.x86_64
dbus-glib-0.86-5.el6.x86_64
dbus-libs-1.2.24-7.el6_3.x86_64
device-mapper-1.02.77-9.el6.x86_64
device-mapper-event-1.02.77-9.el6.x86_64
device-mapper-event-libs-1.02.77-9.el6.x86_64
device-mapper-libs-1.02.77-9.el6.x86_64
device-mapper-multipath-0.4.9-64.el6.x86_64
device-mapper-multipath-libs-0.4.9-64.el6.x86_64
device-mapper-persistent-data-0.1.4-1.el6.x86_64
dhclient-4.1.1-34.P1.el6.centos.x86_64
dhcp-common-4.1.1-34.P1.el6.centos.x86_64
diffutils-2.8.1-28.el6.x86_64
dracut-004-303.el6.noarch
dracut-kernel-004-303.el6.noarch
e2fsprogs-1.41.12-14.el6.x86_64
e2fsprogs-libs-1.41.12-14.el6.x86_64
efibootmgr-0.5.4-10.el6.x86_64
elfutils-libelf-0.152-1.el6.x86_64
ethtool-3.5-1.el6.x86_64
expat-2.0.1-11.el6_2.x86_64
file-5.04-15.el6.x86_64
file-libs-5.04-15.el6.x86_64
filesystem-2.4.30-3.el6.x86_64
findutils-4.4.2-6.el6.x86_64
fipscheck-1.2.0-7.el6.x86_64
fipscheck-lib-1.2.0-7.el6.x86_64
fuse-2.8.3-4.el6.x86_64
gamin-0.1.10-9.el6.x86_64
gawk-3.1.7-10.el6.x86_64
gdbm-1.8.0-36.el6.x86_64
glib2-2.22.5-7.el6.x86_64
glibc-2.12-1.107.el6.x86_64
glibc-common-2.12-1.107.el6.x86_64
gmp-4.3.1-7.el6_2.2.x86_64
gnupg2-2.0.14-4.el6.x86_64
gpgme-1.1.8-3.el6.x86_64
grep-2.6.3-3.el6.x86_64
groff-1.18.1.4-21.el6.x86_64
grub-0.97-81.el6.x86_64
grubby-7.0.15-3.el6.x86_64
gzip-1.3.12-18.el6.x86_64
hwdata-0.233-7.9.el6.noarch
info-4.13a-8.el6.x86_64
initscripts-9.03.38-1.el6.centos.x86_64
iproute-2.6.32-23.el6.x86_64
iptables-1.4.7-9.el6.x86_64
iptables-ipv6-1.4.7-9.el6.x86_64
iputils-20071127-16.el6.x86_64
iscsi-initiator-utils-6.2.0.873-2.el6.x86_64
kbd-1.15-11.el6.x86_64
kbd-misc-1.15-11.el6.noarch
kernel-2.6.32-358.el6.x86_64
kernel-firmware-2.6.32-358.el6.noarch
keyutils-libs-1.4-4.el6.x86_64
kpartx-0.4.9-64.el6.x86_64
krb5-libs-1.10.3-10.el6.x86_64
less-436-10.el6.x86_64
libacl-2.2.49-6.el6.x86_64
libaio-0.3.107-10.el6.x86_64
libattr-2.4.44-7.el6.x86_64
libblkid-2.17.2-12.9.el6.x86_64
libcap-2.16-5.5.el6.x86_64
libcap-ng-0.6.4-3.el6_0.1.x86_64
libcom_err-1.41.12-14.el6.x86_64
libcurl-7.19.7-35.el6.x86_64
libdrm-2.4.39-1.el6.x86_64
libedit-2.11-4.20080712cvs.1.el6.x86_64
libffi-3.0.5-3.2.el6.x86_64
libgcc-4.4.7-3.el6.x86_64
libgcrypt-1.4.5-9.el6_2.2.x86_64
libgpg-error-1.7-4.el6.x86_64
libidn-1.18-2.el6.x86_64
libnih-1.0.1-7.el6.x86_64
libpciaccess-0.13.1-2.el6.x86_64
libselinux-2.0.94-5.3.el6.x86_64
libselinux-utils-2.0.94-5.3.el6.x86_64
libsemanage-2.0.43-4.2.el6.x86_64
libsepol-2.0.41-4.el6.x86_64
libss-1.41.12-14.el6.x86_64
libssh2-1.4.2-1.el6.x86_64
libstdc++-4.4.7-3.el6.x86_64
libudev-147-2.46.el6.x86_64
libusb-0.1.12-23.el6.x86_64
libuser-0.56.13-5.el6.x86_64
libutempter-1.1.5-4.1.el6.x86_64
libuuid-2.17.2-12.9.el6.x86_64
libxml2-2.7.6-8.el6_3.4.x86_64
logrotate-3.7.8-16.el6.x86_64
lua-5.1.4-4.1.el6.x86_64
lvm2-2.02.98-9.el6.x86_64
lvm2-libs-2.02.98-9.el6.x86_64
m4-1.4.13-5.el6.x86_64
MAKEDEV-3.24-6.el6.x86_64
mdadm-3.2.5-4.el6.x86_64
mingetty-1.08-5.el6.x86_64
module-init-tools-3.9-21.el6.x86_64
mysql-libs-5.1.66-2.el6_3.x86_64
ncurses-5.7-3.20090208.el6.x86_64
ncurses-base-5.7-3.20090208.el6.x86_64
ncurses-libs-5.7-3.20090208.el6.x86_64
net-tools-1.60-110.el6_2.x86_64
newt-0.52.11-3.el6.x86_64
newt-python-0.52.11-3.el6.x86_64
nspr-4.9.2-1.el6.x86_64
nss-3.14.0.0-12.el6.x86_64
nss-softokn-3.12.9-11.el6.x86_64
nss-softokn-freebl-3.12.9-11.el6.x86_64
nss-sysinit-3.14.0.0-12.el6.x86_64
nss-tools-3.14.0.0-12.el6.x86_64
nss-util-3.14.0.0-2.el6.x86_64
openldap-2.4.23-31.el6.x86_64
openssh-5.3p1-84.1.el6.x86_64
openssh-clients-5.3p1-84.1.el6.x86_64
openssh-server-5.3p1-84.1.el6.x86_64
openssl-1.0.0-27.el6.x86_64
pam-1.1.1-13.el6.x86_64
passwd-0.77-4.el6_2.2.x86_64
pciutils-libs-3.1.10-2.el6.x86_64
pcre-7.8-6.el6.x86_64
pinentry-0.7.6-6.el6.x86_64
plymouth-0.8.3-27.el6.centos.x86_64
plymouth-core-libs-0.8.3-27.el6.centos.x86_64
plymouth-scripts-0.8.3-27.el6.centos.x86_64
policycoreutils-2.0.83-19.30.el6.x86_64
popt-1.13-7.el6.x86_64
postfix-2.6.6-2.2.el6_1.x86_64
procps-3.2.8-25.el6.x86_64
psmisc-22.6-15.el6_0.1.x86_64
pth-2.0.7-9.3.el6.x86_64
pygpgme-0.1-18.20090824bzr68.el6.x86_64
python-2.6.6-36.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
python-libs-2.6.6-36.el6.x86_64
python-pycurl-7.19.0-8.el6.x86_64
python-urlgrabber-3.9.1-8.el6.noarch
readline-6.0-4.el6.x86_64
redhat-logos-60.0.14-12.el6.centos.noarch
rootfiles-8.1-6.1.el6.noarch
rpm-4.8.0-32.el6.x86_64
rpm-libs-4.8.0-32.el6.x86_64
rpm-python-4.8.0-32.el6.x86_64
rsyslog-5.8.10-6.el6.x86_64
sed-4.2.1-10.el6.x86_64
selinux-policy-3.7.19-195.el6.noarch
selinux-policy-targeted-3.7.19-195.el6.noarch
setup-2.8.14-20.el6.noarch
shadow-utils-4.1.4.2-13.el6.x86_64
slang-2.2.1-1.el6.x86_64
sqlite-3.6.20-1.el6.x86_64
sudo-1.8.6p3-7.el6.x86_64
system-config-firewall-base-1.2.27-5.el6.noarch
sysvinit-tools-2.87-4.dsf.el6.x86_64
tar-1.23-11.el6.x86_64
tcp_wrappers-libs-7.6-57.el6.x86_64
tzdata-2012j-1.el6.noarch
udev-147-2.46.el6.x86_64
upstart-0.6.5-12.el6.x86_64
ustr-1.0.4-9.1.el6.x86_64
util-linux-ng-2.17.2-12.9.el6.x86_64
vim-minimal-7.2.411-1.8.el6.x86_64
which-2.19-6.el6.x86_64
xfsprogs-3.1.1-10.el6.x86_64
xz-libs-4.999.9-0.3.beta.20091007git.el6.x86_64
yum-3.2.29-40.el6.centos.noarch
yum-metadata-parser-1.1.2-16.el6.x86_64
yum-plugin-fastestmirror-1.1.30-14.el6.noarch
zlib-1.2.3-29.el6.x86_64
A quick and dirty comparison of the packages shows these as the differences:
Only in AWS EC2 | Only in CentOS
---|---
acpid | authconfig
deltarpm | bridge-utils
man | cryptsetup-luks
pciutils | cryptsetup-luks-libs
rsync | device-mapper
system-config-firewall-tui | device-mapper-event
xz | device-mapper-event-libs
xz-lzma-compat | device-mapper-libs
yum-presto | device-mapper-multipath
 | device-mapper-multipath-libs
 | device-mapper-persistent-data
 | fuse
 | iscsi-initiator-utils
 | kpartx
 | libaio
 | libudev
 | lvm2
 | lvm2-libs
 | mdadm
 | newt-python
 | xfsprogs
The necessity (or not) of these packages is left as an exercise for the reader. 😛
- Although, it is rather frustrating if I then end up hitting a kernel panic while trying to build my base CentOS image on my desktop....
- It also sucks when the minimal installation ISO fails to boot, and it takes you a while to figure out why.
- The image (at least temporarily) needs enough memory, otherwise you'll get the text installer, which has limited configurability.
Feb 12 2014
Building an ESXi system
It can be interesting learning on the fly. It's like being thrown into the deep end of the pool - you either sink, or you swim.
Several useful things to know about ESXi:
- Using SSH keys instead of passwords (since they have to do things in a non-standard way).
- Setting up port forwarding for vSphere Client (to go with the above).
- Patching manually (without vSphere Update Manager).
Additional notes to come as I stumble across them.
Additional notes
- Replacing the default ESXi SSL certificates with your own, officially signed certificates isn't very difficult, and is probably a good idea.
- Running ESXi on a USB flash drive allows for pretty quick operating system recovery/replacement, at the potential cost of USB flash drives being less reliable than magnetic platter drives with RAID1. This can, of course, be counterbalanced by having a spare USB flash drive with ESXi ready to go, but then you would want a configuration backup handy and ready to go. Even though vCLI's vicfg-cfgbackup doesn't work (since you need a client system), there is fortunately another tool that can be used instead, although you need to be running in evaluation mode (as it doesn't work with free ESXi licenses).
- Alternately, you can perform a backup and restore by hand. Which works with free licenses as well.
Feb 10 2014
Installation: XWiki
Setting up XWiki to act exactly the way I wanted was... interesting. Even now, I would argue that not everything's perfect (although it's pretty close). Miscellaneous installation notes:
- I don't understand why Jetty (and I assume Tomcat) doesn't support the ability to have a WAR where you can maintain a separate directory with any changes you'd like to make on top of it. It looks like they had it in for a handful of point releases, and then removed it for 9.1. It was dropped out of their 9.0.6.v20130930 release as well, even though their source code tag claims otherwise (sloppy, imho). Why couldn't the development team have a replacement ready before removing it? Hell if I know....
- See, the nice thing about this is that it lets you maintain your configuration changes separate from upstream, especially given that applications are often distributed as WARs. When the common use case is that I then have to extract it because I want to make a few configuration changes, and then have to hand-maintain those changes? Yeah... not so much. Which is why I'm just throwing the whole thing into a version control system to manage. It'd be nice if I didn't need to, though.
- The Jetty startup script is... kinda sloppy, imho, from a system administrator's perspective. If you're not running on a Debian-based system (i.e. you don't have start-stop-daemon), it tries to run su. Except you should generally be running daemons as separate accounts with /sbin/nologin?
su - "$JETTY_USER" -c "
exec ${RUN_CMD[*]} --daemon &
disown \$!
echo \$! > '$JETTY_PID'"
- If you want to build out start-stop-daemon yourself, here's a quick primer:
# https://packages.debian.org/wheezy/dpkg
$ curl -o dpkg.tar.xz 'http://ftp.de.debian.org/debian/pool/main/d/dpkg/dpkg_1.16.12.tar.xz'
# .xz isn't a common compression format yet.
$ tar xfvJ dpkg.tar.xz
$ cd dpkg-1.16.12
# The default prefix is /usr/local, and there's nothing wrong with that, but
# services don't always have /usr/local/bin and /usr/local/sbin in their paths.
$ ./configure --prefix=/usr
$ cd lib/compat
$ make
$ cd ../utils
$ make
$ make install   # installs /usr/sbin/start-stop-daemon
- It's always disappointing when the configuration implies you can do something, but it doesn't actually work. Case in point, xwiki.defaultweb, referenced on the Configuration documentation page as well as xwiki.cfg.
# xwiki.defaultweb=Main
#-# Hide the /Space/ part of the URL when the space is the default one. Warning: use 1 to hide, 0 to show.
# xwiki.usedefaultweb=0
- xwiki.defaultweb doesn't actually do anything unless you also use xwiki.usedefaultweb, in which case it just does the wrong thing instead (sends you to Main.WebHome instead of the space you've picked). Searches tell you to use the Redirect macro instead.
- It's remarkable how much of a pita it is to have XWiki use short URLs. Although at least it works.
Update: Semi-mea culpa: So you don't actually need to use start-stop-daemon to run Jetty as a non-privileged user... although they don't actively push it in front of you the way other daemons do. Jetty has a SetUID module... although the documentation is incorrect on the changes you need to make to start.ini. You need to add this instead (in addition to the change to jetty-setuid.xml):
etc/jetty-setuid.xml
Feb 09 2014
Now loading...
Welcome!
This is the newly set up home for toreishi.net, which will serve both as a personal soapbox for the infrequent times I have something to say, as well as a reference site for users of the site (as I find time to document things, at least!). Things will be a bit cluttered for now, but bear with the mess - it'll get better!
Apologies for the short-term use of reCAPTCHA for anonymous comments - I find that it tends to create some fairly ridiculous entries, but I'll need to get better at my Ruby hacking skills before I can replace it with are you a human, which I find much more tolerable.
Feb 09 2014
Upcoming changes
I've been somewhat busy over the past few months, which has led to a definite dearth of updates, but I'm now at the point where I'm starting to work on a number of technical projects.
- As you can see, I've moved over the blog from using Wagn to using XWiki. A good piece of this has to do with the annoyance of trying to use Ruby Gems from a system administrator's perspective (running gem as root, which you normally want to do since it's installing files in /usr, then creates files that have bad permissions) and with dealing with Ruby app servers (for some reason, Passenger was magically working, and then equally magically broke). I don't love Ruby enough to fight with it, especially given how Gems are administratively unfriendly in how they're too much like the Wild West to be packaged in a native manner.
- I'm working on migrating from two physical servers to a single physical server running VMware ESXi with multiple virtualized hosts. This should allow me to better isolate systems from each other.
- Along with the above, I'm working on moving the physical server to be colocated, which should help buffer users from anything I may be doing with my connection.