Toreishi.net ~Now with more SNAP~

Last modified by Administrator on 2022/01/30 10:10

Mar 15 2014

Internal scattershot

A challenge when performing service refactoring is that you now need to start worrying a lot more about connection security. When everything's on one box, and you're connecting via ports on localhost, you don't generally need to worry much. However, once you start splitting out services, relying on trust and unencrypted connections becomes less viable.

Here are some notes regarding PostgreSQL, as an example (the connection method and the address a client comes from are what decide whether an entry is still acceptable once the database is on its own host):
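As an added illustration of the point above (example code written for this page, not part of the original post), here is a small audit of a PostgreSQL pg_hba.conf: once the application and the database are on separate hosts, `trust` or `password` entries and plain `host`/`hostnossl` entries from non-loopback addresses are exactly the rules that used to be harmless on one box and are not any more. The sample configuration is constructed; only the common CIDR form of the ADDRESS column is parsed.

```python
import ipaddress

# Constructed sample pg_hba.conf (not from the post): a mix of safe and risky entries.
SAMPLE_PG_HBA = """\
# TYPE      DATABASE  USER  ADDRESS         METHOD
local       all       all                   peer
host        all       all   127.0.0.1/32    md5
host        all       all   ::1/128         md5
host        app       app   10.0.0.0/8      trust
host        app       app   0.0.0.0/0       md5
hostssl     app       app   10.0.1.0/24     scram-sha-256
hostnossl   all       all   10.0.2.0/24     md5
"""

# Methods that send no credential at all, or send the password in clear text.
WEAK_METHODS = {"trust", "password"}


def parse_pg_hba(text):
    """Parse the five-column pg_hba.conf layout into dicts.

    Only the one-token ADDRESS form (CIDR or keyword) is handled; the
    'IP netmask' two-token form and include directives are skipped.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":
            if len(fields) < 4:
                continue
            db, user, address, method = fields[1], fields[2], None, fields[3]
        else:
            if len(fields) < 5:
                continue
            db, user, address, method = fields[1], fields[2], fields[3], fields[4]
        rules.append({"line": lineno, "type": fields[0], "db": db,
                      "user": user, "address": address, "method": method})
    return rules


def is_loopback(address):
    """True for 127.0.0.0/8 and ::1; hostnames and keywords count as remote."""
    try:
        return ipaddress.ip_network(address, strict=False).is_loopback
    except ValueError:
        return False


def audit_pg_hba(text):
    """Return (line, reason) pairs for rules that rely on trust or clear text."""
    findings = []
    for r in parse_pg_hba(text):
        if r["type"] == "local":
            continue  # Unix-socket rules never cross the network
        if r["method"] in WEAK_METHODS:
            findings.append((r["line"], "%s from %s: no or clear-text credential over the network"
                             % (r["method"], r["address"])))
        if r["type"] in ("host", "hostnossl") and not is_loopback(r["address"]):
            findings.append((r["line"], "%s from %s: unencrypted connections accepted from a remote address"
                             % (r["type"], r["address"])))
    return findings


if __name__ == "__main__":
    for line, reason in audit_pg_hba(SAMPLE_PG_HBA):
        print("pg_hba.conf:%d: %s" % (line, reason))
```

On the sample, lines 5, 6 and 8 are reported; the `hostssl ... scram-sha-256` entry and the loopback `md5` entries pass.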

Mar 11 2014

Linux networking miscellania

A few interesting things I've stumbled across while finalizing some of my migration preparations from my previous server to the new one:

  • If you have multiple network adapters, your default route might not be the one you want. At least in CentOS, you can configure that in /etc/sysconfig/network with GATEWAY and GATEWAYDEV. This could be the problem if you're finding that you can't connect to your system (ping, ssh, etc.) even when it's capable of reaching the outside world... and even more, that if you disable your internal network adapter, everything "magically works." netstat -r/route -e might reveal that your default gateway isn't the one you think it is.
  • Brute force ssh attacks aren't fun, and they've been pretty common for a while. True, they're probably not going to hack into your box (You have disabled root ssh access, right? And you don't have any of the standard accounts they try to hack in with?), but they can be rather annoying. Fortunately, it's actually pretty easy to use iptables to limit the number of ssh connections per minute.
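The iptables rate limit handles the annoyance at the packet level; knowing whether a brute-force run is actually hitting the box is a log question. The following is an added example (mine, not from the post) that pulls sshd "Failed password" lines out of a constructed auth.log excerpt and reports any source address with five or more failures inside a sliding 60-second window, which mirrors the per-minute rate the post has iptables enforce.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log excerpt (not from the post). Syslog lines carry no year.
SAMPLE_AUTH_LOG = """\
Mar 11 10:15:01 vmhost sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Mar 11 10:15:03 vmhost sshd[2212]: Failed password for invalid user oracle from 203.0.113.5 port 40130 ssh2
Mar 11 10:15:06 vmhost sshd[2214]: Failed password for root from 203.0.113.5 port 40141 ssh2
Mar 11 10:15:09 vmhost sshd[2216]: Failed password for invalid user test from 203.0.113.5 port 40150 ssh2
Mar 11 10:15:12 vmhost sshd[2218]: Failed password for invalid user guest from 203.0.113.5 port 40158 ssh2
Mar 11 10:15:40 vmhost sshd[2220]: Accepted publickey for deploy from 192.0.2.10 port 51000 ssh2
Mar 11 10:16:30 vmhost sshd[2222]: Failed password for deploy from 192.0.2.10 port 51004 ssh2
Mar 11 10:20:30 vmhost sshd[2224]: Failed password for deploy from 192.0.2.10 port 51010 ssh2
Mar 11 10:21:00 vmhost sshd[2226]: Failed password for root from 198.51.100.7 port 33001 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failed_logins(text):
    """Return (timestamp, user, source_ip) for every sshd 'Failed password' line."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            # No year in the syslog stamp; strptime defaults to 1900, fine for deltas.
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            events.append((ts, m.group("user"), m.group("ip")))
    return events


def max_in_window(times, window_seconds):
    """Largest number of events inside any sliding window of window_seconds."""
    times = sorted(times)
    best = 0
    j = 0
    for i in range(len(times)):
        while j < len(times) and (times[j] - times[i]).total_seconds() <= window_seconds:
            j += 1
        best = max(best, j - i)
    return best


def brute_force_sources(text, threshold=5, window_seconds=60):
    """Map source IP -> peak failures per window, for sources at or above threshold."""
    per_ip = defaultdict(list)
    for ts, _user, ip in parse_failed_logins(text):
        per_ip[ip].append(ts)
    flagged = {}
    for ip, times in per_ip.items():
        peak = max_in_window(times, window_seconds)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, peak in brute_force_sources(SAMPLE_AUTH_LOG).items():
        print("%s: %d failed logins within 60 s" % (ip, peak))
```

The legitimate user who mistypes a password twice four minutes apart is not reported; the address that cycles through `admin`, `oracle`, `root`, `test` and `guest` in eleven seconds is.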

Feb 24 2014

Hitting a purple brick wall

Yesterday, while installing some more software, the fans on my ESXi system spun up to high, then all my sessions halted. That's never a good thing.

I took a look at what was on the physical screen of my system, and I got to learn about the joys of the PSOD. Initially, I thought the issue was bad memory, so I ran MemTest86 for a little over 20 hours. Nope. Not the problem.

A bit more searching revealed this little gem of a VMware knowledge base article.

Really, VMware? You're going to have a patch available for 5.0 and 5.1, but not 5.5? What the hell?!

Feb 22 2014

Fun (or not) with VPN

For the past several days, I've been working on getting a VPN working for my little cluster. There are several different options available for Windows Server. It didn't take too long to get PPTP working, which I would consider the base level. I'd prefer not to try to implement L2TP, as that would require installing client certificates on all systems, which is annoying.

As a result, I've been spending the past several days trying to get SSTP working instead, which looks pretty straightforward on paper. Unfortunately, there are all too many problems you can stumble across, and the one I've been fighting for a while has been error 0x80092013 (which lots of other people also seem to fight with). What's depressing is that Windows offers almost no logging, so I've been slowly working through all the issues, but I've now hit a dead end.

  • The CDP and DeltaCRL locations now refer only to externally-accessible locations (verified via Enterprise PKI).
  • The certificate's CRL distribution point is externally-accessible.
  • The domain CA certificate is installed on the VPN client.
  • IIS double-escaping has been enabled.

Disabling the CRL check does let SSTP work (which means that this is strictly a CDP issue), but that's far from ideal. What's particularly frustrating is, as I mentioned previously, there are several different places where this could be breaking, and Windows is being very opaque as to where. For example, the IIS server logs don't show any download attempts of the CRL or delta CRLs.
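Since Windows gives no hint about which of the CDP prerequisites in the list above is failing, it helps to check the published URLs themselves before touching the VPN again. The example below is added here (not from the post) and encodes that checklist: the URL has to be plain http, the host has to be a name or address an off-network client can resolve and reach, and a delta CRL file name containing "+" is the reason IIS needs double escaping. All URLs and host names in it are constructed.

```python
import ipaddress
from urllib.parse import urlparse, unquote

# Constructed CDP URLs with hypothetical names (not from the post).
SAMPLE_CDP_URLS = [
    "http://pki.example.net/CertEnroll/Example%20Issuing%20CA.crl",
    "http://pki.example.net/CertEnroll/Example%20Issuing%20CA+.crl",
    "ldap:///CN=Example%20Issuing%20CA,CN=CA01,CN=CDP,CN=Public%20Key%20Services,"
    "CN=Services,CN=Configuration,DC=example,DC=net?certificateRevocationList",
    "http://ca01/CertEnroll/Example%20Issuing%20CA.crl",
    "http://10.0.0.5/CertEnroll/Example%20Issuing%20CA.crl",
    "file://ca01/CertEnroll/Example%20Issuing%20CA.crl",
]


def check_cdp_url(url):
    """Classify one CRL distribution point URL for an off-network SSTP client.

    Returns {"url", "ok", "problems", "notes"}; "ok" is True when nothing
    would stop an external client from fetching the CRL.
    """
    problems, notes = [], []
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()
    host = parsed.hostname or ""

    if scheme != "http":
        problems.append("scheme %r: publish CRLs over plain http; ldap: and file: are only "
                        "reachable inside the domain, https adds a circular revocation check"
                        % scheme)
    elif not host:
        problems.append("no host in URL")
    else:
        try:
            ip = ipaddress.ip_address(host)
            if ip.is_private or ip.is_loopback or ip.is_link_local:
                problems.append("host %s is a private/loopback address" % host)
        except ValueError:
            if "." not in host:
                problems.append("host %r is a single-label name that only resolves with the "
                                "internal DNS suffix" % host)
            elif host.lower().endswith(".local"):
                problems.append("host %r is in .local, an internal-only zone" % host)

    if "+" in unquote(parsed.path):
        notes.append("delta CRL file name contains '+': IIS must allow double escaping to serve it")
    return {"url": url, "ok": not problems, "problems": problems, "notes": notes}


def check_cdp_urls(urls):
    """Run check_cdp_url over a list, preserving order."""
    return [check_cdp_url(u) for u in urls]


if __name__ == "__main__":
    for r in check_cdp_urls(SAMPLE_CDP_URLS):
        print("%s %s" % ("OK  " if r["ok"] else "FAIL", r["url"]))
        for msg in r["problems"] + r["notes"]:
            print("      " + msg)
```

The first two URLs pass (the second with the double-escaping note); the LDAP path, the single-label host, the RFC 1918 address and the file share all fail for a client that is not on the internal network.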

This isn't something I want to sink much more time into, though, especially when I have several other things to work on.... I'll probably come back later to work with it more.

Edit: Predictably, I ended up fixing this because I found I couldn't log in via SSTP any longer. As it turns out, it's pretty easy to have IIS SSL settings clobber your SSTP port binding (really?), so Microsoft has a knowledge base article on how to fix that. I ended up disabling the Default Web Site (largely to remove contention for the 0.0.0.0:443 binding, as I'll be using SNI for my SSL sites), which ended up fixing the CDP issue as well.

Feb 14 2014

Building out Windows Server 2012

For what I'm building out, having a Windows Server installation (or two) can be quite useful.

As part of this process, I've found that one of the nice things they added back in Windows Server 2008 is a Server Core installation mode, which strips out almost the entire user interface, causing most of the interaction to occur via Computer Management and Windows PowerShell. An interesting development for an operating system that's been built up almost completely around its GUI.

Not surprisingly, they've had to add a couple of tools to make this work more smoothly. The two most useful ones are sconfig.cmd, designed to run on the host system for initial setup, and the Remote Server Administration Tools (RSAT), the most recent version of which only runs on Windows 8.1 (for Windows Server 2012 R2 support).

Oddly, though, the application for which most people would want to run Windows Server, Microsoft Exchange, doesn't support running in Windows Server Core mode. From the system requirements documentation for Exchange 2013:

We don't support the installation of Exchange 2013 on a computer that's running in Windows Server Core mode. The computer must be running the full installation of Windows Server.

To compound matters, most management of Exchange 2013 is now performed via a web browser anyway... so why does Exchange require a full Windows Server installation? Hell if I know....

Edit: It's apparently because Exchange (mailbox role) requires the Windows Media Audio Voice Codec. This doesn't require just the GUI; it requires the Desktop Experience add-on. Microsoft really couldn't pull that dependency out separately...?

Additional notes

Feb 13 2014

Building a base CentOS image

As noted previously, I'll be working on setting up a VMware ESXi system. I personally lean toward using CentOS for my systems, and there's an official CentOS EC2 AMI that's designed to be a secure, minimal profile. Unfortunately, contrary to its description, the CentOS AWS wiki page doesn't actually describe how they're built. There's been at least one person asking on the CentOS-virt mailing list about how they're created, but nothing on the list describes the procedure (at least back through January, 2013).

So, how to spec out the package list? Easy! Launch a simple EC2 instance. Here's the list from CentOS 6 (x86_64), version 6 (2013/05/27). Naturally, you should run yum update, but this should serve as a pretty good starting point.

AWS CentOS
acl-2.2.49-6.el6.x86_64
acpid-1.0.10-2.1.el6.x86_64
attr-2.4.44-7.el6.x86_64
audit-2.2-2.el6.x86_64
audit-libs-2.2-2.el6.x86_64
b43-openfwwf-5.2-4.el6.noarch
basesystem-10.0-4.el6.noarch
bash-4.1.2-14.el6.x86_64
binutils-2.20.51.0.2-5.36.el6.x86_64
bzip2-1.0.5-7.el6_0.x86_64
bzip2-libs-1.0.5-7.el6_0.x86_64
ca-certificates-2010.63-3.el6_1.5.noarch
centos-release-6-4.el6.centos.10.x86_64
checkpolicy-2.0.22-1.el6.x86_64
chkconfig-1.3.49.3-2.el6.x86_64
coreutils-8.4-19.el6_4.2.x86_64
coreutils-libs-8.4-19.el6_4.2.x86_64
cpio-2.10-11.el6_3.x86_64
cracklib-2.8.16-4.el6.x86_64
cracklib-dicts-2.8.16-4.el6.x86_64
cronie-1.4.4-7.el6.x86_64
cronie-anacron-1.4.4-7.el6.x86_64
crontabs-1.10-33.el6.noarch
curl-7.19.7-36.el6_4.x86_64
cyrus-sasl-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-lib-2.1.23-13.el6_3.1.x86_64
dash-0.5.5.1-4.el6.x86_64
db4-4.7.25-17.el6.x86_64
db4-utils-4.7.25-17.el6.x86_64
dbus-glib-0.86-6.el6.x86_64
dbus-libs-1.2.24-7.el6_3.x86_64
deltarpm-3.5-0.5.20090913git.el6.x86_64
dhclient-4.1.1-34.P1.el6.centos.x86_64
dhcp-common-4.1.1-34.P1.el6.centos.x86_64
diffutils-2.8.1-28.el6.x86_64
dracut-004-303.el6.noarch
dracut-kernel-004-303.el6.noarch
e2fsprogs-1.41.12-14.el6.x86_64
e2fsprogs-libs-1.41.12-14.el6.x86_64
efibootmgr-0.5.4-10.el6.x86_64
elfutils-libelf-0.152-1.el6.x86_64
ethtool-3.5-1.el6.x86_64
expat-2.0.1-11.el6_2.x86_64
file-5.04-15.el6.x86_64
file-libs-5.04-15.el6.x86_64
filesystem-2.4.30-3.el6.x86_64
findutils-4.4.2-6.el6.x86_64
fipscheck-1.2.0-7.el6.x86_64
fipscheck-lib-1.2.0-7.el6.x86_64
gamin-0.1.10-9.el6.x86_64
gawk-3.1.7-10.el6.x86_64
gdbm-1.8.0-36.el6.x86_64
glib2-2.22.5-7.el6.x86_64
glibc-2.12-1.107.el6.x86_64
glibc-common-2.12-1.107.el6.x86_64
gmp-4.3.1-7.el6_2.2.x86_64
gnupg2-2.0.14-4.el6.x86_64
gpgme-1.1.8-3.el6.x86_64
grep-2.6.3-3.el6.x86_64
groff-1.18.1.4-21.el6.x86_64
grub-0.97-81.el6.x86_64
grubby-7.0.15-3.el6.x86_64
gzip-1.3.12-18.el6.x86_64
hwdata-0.233-7.9.el6.noarch
info-4.13a-8.el6.x86_64
initscripts-9.03.38-1.el6.centos.1.x86_64
iproute-2.6.32-23.el6.x86_64
iptables-1.4.7-9.el6.x86_64
iptables-ipv6-1.4.7-9.el6.x86_64
iputils-20071127-16.el6.x86_64
kbd-1.15-11.el6.x86_64
kbd-misc-1.15-11.el6.noarch
kernel-2.6.32-358.6.2.el6.x86_64
kernel-firmware-2.6.32-358.6.2.el6.noarch
keyutils-libs-1.4-4.el6.x86_64
krb5-libs-1.10.3-10.el6_4.2.x86_64
less-436-10.el6.x86_64
libacl-2.2.49-6.el6.x86_64
libattr-2.4.44-7.el6.x86_64
libblkid-2.17.2-12.9.el6_4.3.x86_64
libcap-2.16-5.5.el6.x86_64
libcap-ng-0.6.4-3.el6_0.1.x86_64
libcom_err-1.41.12-14.el6.x86_64
libcurl-7.19.7-36.el6_4.x86_64
libdrm-2.4.39-1.el6.x86_64
libedit-2.11-4.20080712cvs.1.el6.x86_64
libffi-3.0.5-3.2.el6.x86_64
libgcc-4.4.7-3.el6.x86_64
libgcrypt-1.4.5-9.el6_2.2.x86_64
libgpg-error-1.7-4.el6.x86_64
libidn-1.18-2.el6.x86_64
libnih-1.0.1-7.el6.x86_64
libpciaccess-0.13.1-2.el6.x86_64
libselinux-2.0.94-5.3.el6_4.1.x86_64
libselinux-utils-2.0.94-5.3.el6_4.1.x86_64
libsemanage-2.0.43-4.2.el6.x86_64
libsepol-2.0.41-4.el6.x86_64
libss-1.41.12-14.el6.x86_64
libssh2-1.4.2-1.el6.x86_64
libstdc++-4.4.7-3.el6.x86_64
libusb-0.1.12-23.el6.x86_64
libuser-0.56.13-5.el6.x86_64
libutempter-1.1.5-4.1.el6.x86_64
libuuid-2.17.2-12.9.el6_4.3.x86_64
libxml2-2.7.6-12.el6_4.1.x86_64
logrotate-3.7.8-16.el6.x86_64
lua-5.1.4-4.1.el6.x86_64
m4-1.4.13-5.el6.x86_64
MAKEDEV-3.24-6.el6.x86_64
man-1.6f-32.el6.x86_64
mingetty-1.08-5.el6.x86_64
module-init-tools-3.9-21.el6.x86_64
mysql-libs-5.1.69-1.el6_4.x86_64
ncurses-5.7-3.20090208.el6.x86_64
ncurses-base-5.7-3.20090208.el6.x86_64
ncurses-libs-5.7-3.20090208.el6.x86_64
net-tools-1.60-110.el6_2.x86_64
newt-0.52.11-3.el6.x86_64
nspr-4.9.2-1.el6.x86_64
nss-3.14.0.0-12.el6.x86_64
nss-softokn-3.12.9-11.el6.x86_64
nss-softokn-freebl-3.12.9-11.el6.x86_64
nss-sysinit-3.14.0.0-12.el6.x86_64
nss-tools-3.14.0.0-12.el6.x86_64
nss-util-3.14.0.0-2.el6.x86_64
openldap-2.4.23-32.el6_4.1.x86_64
openssh-5.3p1-84.1.el6.x86_64
openssh-clients-5.3p1-84.1.el6.x86_64
openssh-server-5.3p1-84.1.el6.x86_64
openssl-1.0.0-27.el6_4.2.x86_64
pam-1.1.1-13.el6.x86_64
passwd-0.77-4.el6_2.2.x86_64
pciutils-3.1.10-2.el6.x86_64
pciutils-libs-3.1.10-2.el6.x86_64
pcre-7.8-6.el6.x86_64
pinentry-0.7.6-6.el6.x86_64
plymouth-0.8.3-27.el6.centos.x86_64
plymouth-core-libs-0.8.3-27.el6.centos.x86_64
plymouth-scripts-0.8.3-27.el6.centos.x86_64
policycoreutils-2.0.83-19.30.el6.x86_64
popt-1.13-7.el6.x86_64
postfix-2.6.6-2.2.el6_1.x86_64
procps-3.2.8-25.el6.x86_64
psmisc-22.6-15.el6_0.1.x86_64
pth-2.0.7-9.3.el6.x86_64
pygpgme-0.1-18.20090824bzr68.el6.x86_64
python-2.6.6-36.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
python-libs-2.6.6-36.el6.x86_64
python-pycurl-7.19.0-8.el6.x86_64
python-urlgrabber-3.9.1-8.el6.noarch
readline-6.0-4.el6.x86_64
redhat-logos-60.0.14-12.el6.centos.noarch
rootfiles-8.1-6.1.el6.noarch
rpm-4.8.0-32.el6.x86_64
rpm-libs-4.8.0-32.el6.x86_64
rpm-python-4.8.0-32.el6.x86_64
rsync-3.0.6-9.el6.x86_64
rsyslog-5.8.10-6.el6.x86_64
sed-4.2.1-10.el6.x86_64
selinux-policy-3.7.19-195.el6_4.5.noarch
selinux-policy-targeted-3.7.19-195.el6_4.5.noarch
setup-2.8.14-20.el6.noarch
shadow-utils-4.1.4.2-13.el6.x86_64
slang-2.2.1-1.el6.x86_64
sqlite-3.6.20-1.el6.x86_64
sudo-1.8.6p3-7.el6.x86_64
system-config-firewall-base-1.2.27-5.el6.noarch
system-config-firewall-tui-1.2.27-5.el6.noarch
sysvinit-tools-2.87-4.dsf.el6.x86_64
tar-1.23-11.el6.x86_64
tcp_wrappers-libs-7.6-57.el6.x86_64
tzdata-2013b-1.el6.noarch
udev-147-2.46.el6.x86_64
upstart-0.6.5-12.el6.x86_64
ustr-1.0.4-9.1.el6.x86_64
util-linux-ng-2.17.2-12.9.el6_4.3.x86_64
vim-minimal-7.2.411-1.8.el6.x86_64
which-2.19-6.el6.x86_64
xz-4.999.9-0.3.beta.20091007git.el6.x86_64
xz-libs-4.999.9-0.3.beta.20091007git.el6.x86_64
xz-lzma-compat-4.999.9-0.3.beta.20091007git.el6.x86_64
yum-3.2.29-40.el6.centos.noarch
yum-metadata-parser-1.1.2-16.el6.x86_64
yum-plugin-fastestmirror-1.1.30-14.el6.noarch
yum-presto-0.6.2-1.el6.noarch
zlib-1.2.3-29.el6.x86_64

What's particularly interesting is when you compare this against the list of RPMs installed by the CentOS 6.5 minimal CD.

CentOS minimal
acl-2.2.49-6.el6.x86_64
attr-2.4.44-7.el6.x86_64
audit-2.2-2.el6.x86_64
audit-libs-2.2-2.el6.x86_64
authconfig-6.1.12-13.el6.x86_64
b43-openfwwf-5.2-4.el6.noarch
basesystem-10.0-4.el6.noarch
bash-4.1.2-14.el6.x86_64
binutils-2.20.51.0.2-5.36.el6.x86_64
bridge-utils-1.2-10.el6.x86_64
bzip2-1.0.5-7.el6_0.x86_64
bzip2-libs-1.0.5-7.el6_0.x86_64
ca-certificates-2010.63-3.el6_1.5.noarch
centos-release-6-4.el6.centos.10.x86_64
checkpolicy-2.0.22-1.el6.x86_64
chkconfig-1.3.49.3-2.el6.x86_64
coreutils-8.4-19.el6.x86_64
coreutils-libs-8.4-19.el6.x86_64
cpio-2.10-11.el6_3.x86_64
cracklib-2.8.16-4.el6.x86_64
cracklib-dicts-2.8.16-4.el6.x86_64
cronie-1.4.4-7.el6.x86_64
cronie-anacron-1.4.4-7.el6.x86_64
crontabs-1.10-33.el6.noarch
cryptsetup-luks-1.2.0-7.el6.x86_64
cryptsetup-luks-libs-1.2.0-7.el6.x86_64
curl-7.19.7-35.el6.x86_64
cyrus-sasl-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-lib-2.1.23-13.el6_3.1.x86_64
dash-0.5.5.1-4.el6.x86_64
db4-4.7.25-17.el6.x86_64
db4-utils-4.7.25-17.el6.x86_64
dbus-glib-0.86-5.el6.x86_64
dbus-libs-1.2.24-7.el6_3.x86_64
device-mapper-1.02.77-9.el6.x86_64
device-mapper-event-1.02.77-9.el6.x86_64
device-mapper-event-libs-1.02.77-9.el6.x86_64
device-mapper-libs-1.02.77-9.el6.x86_64
device-mapper-multipath-0.4.9-64.el6.x86_64
device-mapper-multipath-libs-0.4.9-64.el6.x86_64
device-mapper-persistent-data-0.1.4-1.el6.x86_64
dhclient-4.1.1-34.P1.el6.centos.x86_64
dhcp-common-4.1.1-34.P1.el6.centos.x86_64
diffutils-2.8.1-28.el6.x86_64
dracut-004-303.el6.noarch
dracut-kernel-004-303.el6.noarch
e2fsprogs-1.41.12-14.el6.x86_64
e2fsprogs-libs-1.41.12-14.el6.x86_64
efibootmgr-0.5.4-10.el6.x86_64
elfutils-libelf-0.152-1.el6.x86_64
ethtool-3.5-1.el6.x86_64
expat-2.0.1-11.el6_2.x86_64
file-5.04-15.el6.x86_64
file-libs-5.04-15.el6.x86_64
filesystem-2.4.30-3.el6.x86_64
findutils-4.4.2-6.el6.x86_64
fipscheck-1.2.0-7.el6.x86_64
fipscheck-lib-1.2.0-7.el6.x86_64
fuse-2.8.3-4.el6.x86_64
gamin-0.1.10-9.el6.x86_64
gawk-3.1.7-10.el6.x86_64
gdbm-1.8.0-36.el6.x86_64
glib2-2.22.5-7.el6.x86_64
glibc-2.12-1.107.el6.x86_64
glibc-common-2.12-1.107.el6.x86_64
gmp-4.3.1-7.el6_2.2.x86_64
gnupg2-2.0.14-4.el6.x86_64
gpgme-1.1.8-3.el6.x86_64
grep-2.6.3-3.el6.x86_64
groff-1.18.1.4-21.el6.x86_64
grub-0.97-81.el6.x86_64
grubby-7.0.15-3.el6.x86_64
gzip-1.3.12-18.el6.x86_64
hwdata-0.233-7.9.el6.noarch
info-4.13a-8.el6.x86_64
initscripts-9.03.38-1.el6.centos.x86_64
iproute-2.6.32-23.el6.x86_64
iptables-1.4.7-9.el6.x86_64
iptables-ipv6-1.4.7-9.el6.x86_64
iputils-20071127-16.el6.x86_64
iscsi-initiator-utils-6.2.0.873-2.el6.x86_64
kbd-1.15-11.el6.x86_64
kbd-misc-1.15-11.el6.noarch
kernel-2.6.32-358.el6.x86_64
kernel-firmware-2.6.32-358.el6.noarch
keyutils-libs-1.4-4.el6.x86_64
kpartx-0.4.9-64.el6.x86_64
krb5-libs-1.10.3-10.el6.x86_64
less-436-10.el6.x86_64
libacl-2.2.49-6.el6.x86_64
libaio-0.3.107-10.el6.x86_64
libattr-2.4.44-7.el6.x86_64
libblkid-2.17.2-12.9.el6.x86_64
libcap-2.16-5.5.el6.x86_64
libcap-ng-0.6.4-3.el6_0.1.x86_64
libcom_err-1.41.12-14.el6.x86_64
libcurl-7.19.7-35.el6.x86_64
libdrm-2.4.39-1.el6.x86_64
libedit-2.11-4.20080712cvs.1.el6.x86_64
libffi-3.0.5-3.2.el6.x86_64
libgcc-4.4.7-3.el6.x86_64
libgcrypt-1.4.5-9.el6_2.2.x86_64
libgpg-error-1.7-4.el6.x86_64
libidn-1.18-2.el6.x86_64
libnih-1.0.1-7.el6.x86_64
libpciaccess-0.13.1-2.el6.x86_64
libselinux-2.0.94-5.3.el6.x86_64
libselinux-utils-2.0.94-5.3.el6.x86_64
libsemanage-2.0.43-4.2.el6.x86_64
libsepol-2.0.41-4.el6.x86_64
libss-1.41.12-14.el6.x86_64
libssh2-1.4.2-1.el6.x86_64
libstdc++-4.4.7-3.el6.x86_64
libudev-147-2.46.el6.x86_64
libusb-0.1.12-23.el6.x86_64
libuser-0.56.13-5.el6.x86_64
libutempter-1.1.5-4.1.el6.x86_64
libuuid-2.17.2-12.9.el6.x86_64
libxml2-2.7.6-8.el6_3.4.x86_64
logrotate-3.7.8-16.el6.x86_64
lua-5.1.4-4.1.el6.x86_64
lvm2-2.02.98-9.el6.x86_64
lvm2-libs-2.02.98-9.el6.x86_64
m4-1.4.13-5.el6.x86_64
MAKEDEV-3.24-6.el6.x86_64
mdadm-3.2.5-4.el6.x86_64
mingetty-1.08-5.el6.x86_64
module-init-tools-3.9-21.el6.x86_64
mysql-libs-5.1.66-2.el6_3.x86_64
ncurses-5.7-3.20090208.el6.x86_64
ncurses-base-5.7-3.20090208.el6.x86_64
ncurses-libs-5.7-3.20090208.el6.x86_64
net-tools-1.60-110.el6_2.x86_64
newt-0.52.11-3.el6.x86_64
newt-python-0.52.11-3.el6.x86_64
nspr-4.9.2-1.el6.x86_64
nss-3.14.0.0-12.el6.x86_64
nss-softokn-3.12.9-11.el6.x86_64
nss-softokn-freebl-3.12.9-11.el6.x86_64
nss-sysinit-3.14.0.0-12.el6.x86_64
nss-tools-3.14.0.0-12.el6.x86_64
nss-util-3.14.0.0-2.el6.x86_64
openldap-2.4.23-31.el6.x86_64
openssh-5.3p1-84.1.el6.x86_64
openssh-clients-5.3p1-84.1.el6.x86_64
openssh-server-5.3p1-84.1.el6.x86_64
openssl-1.0.0-27.el6.x86_64
pam-1.1.1-13.el6.x86_64
passwd-0.77-4.el6_2.2.x86_64
pciutils-libs-3.1.10-2.el6.x86_64
pcre-7.8-6.el6.x86_64
pinentry-0.7.6-6.el6.x86_64
plymouth-0.8.3-27.el6.centos.x86_64
plymouth-core-libs-0.8.3-27.el6.centos.x86_64
plymouth-scripts-0.8.3-27.el6.centos.x86_64
policycoreutils-2.0.83-19.30.el6.x86_64
popt-1.13-7.el6.x86_64
postfix-2.6.6-2.2.el6_1.x86_64
procps-3.2.8-25.el6.x86_64
psmisc-22.6-15.el6_0.1.x86_64
pth-2.0.7-9.3.el6.x86_64
pygpgme-0.1-18.20090824bzr68.el6.x86_64
python-2.6.6-36.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
python-libs-2.6.6-36.el6.x86_64
python-pycurl-7.19.0-8.el6.x86_64
python-urlgrabber-3.9.1-8.el6.noarch
readline-6.0-4.el6.x86_64
redhat-logos-60.0.14-12.el6.centos.noarch
rootfiles-8.1-6.1.el6.noarch
rpm-4.8.0-32.el6.x86_64
rpm-libs-4.8.0-32.el6.x86_64
rpm-python-4.8.0-32.el6.x86_64
rsyslog-5.8.10-6.el6.x86_64
sed-4.2.1-10.el6.x86_64
selinux-policy-3.7.19-195.el6.noarch
selinux-policy-targeted-3.7.19-195.el6.noarch
setup-2.8.14-20.el6.noarch
shadow-utils-4.1.4.2-13.el6.x86_64
slang-2.2.1-1.el6.x86_64
sqlite-3.6.20-1.el6.x86_64
sudo-1.8.6p3-7.el6.x86_64
system-config-firewall-base-1.2.27-5.el6.noarch
sysvinit-tools-2.87-4.dsf.el6.x86_64
tar-1.23-11.el6.x86_64
tcp_wrappers-libs-7.6-57.el6.x86_64
tzdata-2012j-1.el6.noarch
udev-147-2.46.el6.x86_64
upstart-0.6.5-12.el6.x86_64
ustr-1.0.4-9.1.el6.x86_64
util-linux-ng-2.17.2-12.9.el6.x86_64
vim-minimal-7.2.411-1.8.el6.x86_64
which-2.19-6.el6.x86_64
xfsprogs-3.1.1-10.el6.x86_64
xz-libs-4.999.9-0.3.beta.20091007git.el6.x86_64
yum-3.2.29-40.el6.centos.noarch
yum-metadata-parser-1.1.2-16.el6.x86_64
yum-plugin-fastestmirror-1.1.30-14.el6.noarch
zlib-1.2.3-29.el6.x86_64

A quick and dirty comparison of the packages shows these as the differences:

 Only in AWS EC2              Only in CentOS minimal
 acpid                        authconfig
 deltarpm                     bridge-utils
 man                          cryptsetup-luks
 pciutils                     cryptsetup-luks-libs
 rsync                        device-mapper
 system-config-firewall-tui   device-mapper-event
 xz                           device-mapper-event-libs
 xz-lzma-compat               device-mapper-libs
 yum-presto                   device-mapper-multipath
                              device-mapper-multipath-libs
                              device-mapper-persistent-data
                              fuse
                              iscsi-initiator-utils
                              kpartx
                              libaio
                              libudev
                              lvm2
                              lvm2-libs
                              mdadm
                              newt-python
                              xfsprogs

The necessity (or not) of these packages is left as an exercise for the reader. 😛
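For anyone who wants to repeat the "quick and dirty comparison" without eyeballing two lists, here is an added example (mine, not from the post) that splits RPM `name-version-release.arch` strings from the right, so dashes inside package names don't confuse it, and diffs the two lists by name. It goes one step further than the table above by also listing packages present in both images at different versions, which is where the EC2 image being newer than the 6.4-era minimal CD shows up (no attempt is made to order RPM versions). The sample input is a subset of the two lists printed above.

```python
# Subsets of the two package lists above (values as printed on the page), used as sample input.
AWS_SAMPLE = [
    "acpid-1.0.10-2.1.el6.x86_64",
    "kernel-2.6.32-358.6.2.el6.x86_64",
    "openssl-1.0.0-27.el6_4.2.x86_64",
    "pciutils-3.1.10-2.el6.x86_64",
    "pciutils-libs-3.1.10-2.el6.x86_64",
    "xz-4.999.9-0.3.beta.20091007git.el6.x86_64",
    "xz-libs-4.999.9-0.3.beta.20091007git.el6.x86_64",
]
MINIMAL_SAMPLE = [
    "kernel-2.6.32-358.el6.x86_64",
    "lvm2-2.02.98-9.el6.x86_64",
    "openssl-1.0.0-27.el6.x86_64",
    "pciutils-libs-3.1.10-2.el6.x86_64",
    "xz-libs-4.999.9-0.3.beta.20091007git.el6.x86_64",
]


def split_nvra(pkg):
    """Split 'name-version-release.arch' into (name, version, release, arch).

    Names may contain dashes (libgpg-error, device-mapper-event-libs), so split
    from the right: the last '.' separates the arch, the last two '-' separate
    release and version, and whatever is left is the name.
    """
    nvr, arch = pkg.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


def index_by_name(pkgs):
    """Map package name -> (name, version, release, arch)."""
    return {split_nvra(p)[0]: split_nvra(p) for p in pkgs}


def compare_package_lists(a, b):
    """Return names only in a, only in b, and version-release pairs that differ."""
    ia, ib = index_by_name(a), index_by_name(b)
    only_a = sorted(set(ia) - set(ib))
    only_b = sorted(set(ib) - set(ia))
    version_diffs = {}
    for name in sorted(set(ia) & set(ib)):
        va = "%s-%s" % (ia[name][1], ia[name][2])
        vb = "%s-%s" % (ib[name][1], ib[name][2])
        if va != vb:
            version_diffs[name] = (va, vb)
    return {"only_in_a": only_a, "only_in_b": only_b, "version_diffs": version_diffs}


if __name__ == "__main__":
    result = compare_package_lists(AWS_SAMPLE, MINIMAL_SAMPLE)
    print("Only in AWS EC2:      ", ", ".join(result["only_in_a"]))
    print("Only in CentOS minimal:", ", ".join(result["only_in_b"]))
    for name, (va, vb) in result["version_diffs"].items():
        print("%-10s %s  vs  %s" % (name, va, vb))
```

Feeding it the full lists (one string per line, e.g. from `rpm -qa | sort`) reproduces the two columns above and adds the kernel, openssl, curl and similar version gaps between the two images.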

  • Although, it is rather frustrating if I then end up hitting a kernel panic while trying to build my base CentOS image on my desktop....
  • It also sucks when the minimal installation ISO fails to boot, and it takes you a while to figure out why.
  • The image (at least temporarily) needs enough memory, otherwise you'll get the text installer, which has limited configurability.

Feb 12 2014

Building an ESXi system

It can be interesting learning on the fly. It's like being thrown into the deep end of the pool - you either sink, or you swim.

Several useful things to know about ESXi:

Additional notes to come as I stumble across them.

Additional notes

  • Replacing the default ESXi SSL certificates with your own, officially signed certificates isn't very difficult, and is probably a good idea.
  • Running ESXi on a USB flash drive allows for pretty quick operating system recovery/replacement, at the potential cost of USB flash drives being less reliable than magnetic platter drives with RAID1. This can, of course, be counterbalanced by having a spare USB flash drive with ESXi ready to go, but then you would want a configuration backup handy and ready to go. Even though vCLI's vicfg-cfgbackup doesn't work (since you need a client system), there is fortunately another tool that can be used instead, although you need to be running in evaluation mode (as it doesn't work with free ESXi licenses).

Feb 10 2014

Installation: XWiki

Setting up XWiki to act exactly the way I wanted was... interesting. Even now, I would argue that not everything's perfect (although it's pretty close). Miscellaneous installation notes:

  • I don't understand why Jetty (and I assume Tomcat) doesn't support the ability to have a WAR where you can maintain a separate directory with any changes you'd like to make on top of it. It looks like they had it in for a handful of point releases, and then removed it for 9.1. It was dropped out of their 9.0.6.v20130930 release as well, even though their source code tag claims otherwise (sloppy, imho). Why couldn't the development team have a replacement ready before removing it? Hell if I know....
    • See, the nice thing about this is that it lets you maintain your configuration changes separate from upstream, especially given that applications are often distributed as WARs. When the common use case is that I then have to extract it because I want to make a few configuration changes, and then have to hand-maintain those changes? Yeah... not so much. Which is why I'm just throwing the whole thing into a version control system to manage. It'd be nice if I didn't need to, though.
  • The Jetty startup script is... kinda sloppy, imho, from a system administrator's perspective. If you're not running on a Debian-based system (i.e. you don't have start-stop-daemon), it tries to run su. Except that you should generally be running daemons under separate accounts whose shell is /sbin/nologin?
Putting in a FIXME comment does not justify sloppy coding....
# FIXME: Broken solution: wordsplitting, pathname expansion, arbitrary command execution, etc.
su - "$JETTY_USER" -c "
  exec ${RUN_CMD[*]} --daemon &
  disown \$!
  echo \$! > '$JETTY_PID'"
  • If you want to build out start-stop-daemon yourself, here's a quick primer:
# Grab the wheezy (stable) package as of this moment. Find the current one here:
# https://packages.debian.org/wheezy/dpkg
$ curl -o dpkg.tar.xz 'http://ftp.de.debian.org/debian/pool/main/d/dpkg/dpkg_1.16.12.tar.xz'
# .xz isn't a common compression format yet.
$ tar xfvJ dpkg.tar.xz
$ cd dpkg-1.16.12
# The default prefix is /usr/local, and there's nothing wrong with that, but
# services don't always have /usr/local/bin and /usr/local/sbin in their paths.
$ ./configure --prefix=/usr
$ cd lib/compat
$ make
$ cd ../utils
$ make
$ make install   # installs start-stop-daemon into /usr/sbin
  • It's always disappointing when the configuration implies you can do something, but it doesn't actually work. Case in point, xwiki.defaultweb, referenced on the Configuration documentation page as well as xwiki.cfg.
xwiki.cfg
#-# The name of the default space. This is displayed when the URL specifies a document, but not a space, or neither.
# xwiki.defaultweb=Main
#-# Hide the /Space/ part of the URL when the space is the default one. Warning: use 1 to hide, 0 to show.
# xwiki.usedefaultweb=0
  • Doesn't actually do anything unless you use xwiki.usedefaultweb, in which case it just does the wrong thing instead (sends you to Main.WebHome instead of the space you've picked). Searches tell you to use the Redirect macro instead.
  • It's remarkable how much of a pita it is to have XWiki use short URLs. Although at least it works.
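To show what the Jetty FIXME above is admitting to, here is an added example (mine, not Jetty's code) in Python: one function builds the `su -c` script exactly the way jetty.sh does, by pasting `${RUN_CMD[*]}` into a string that a second shell will re-parse; the other shell-quotes every argument first. `shlex.split` then plays the role of that second shell so you can see the argv it would actually exec. The command line and paths are constructed; a path with a space is enough to show the word-splitting defect.

```python
import shlex

# Constructed Jetty command line (hypothetical paths containing a space).
SAMPLE_RUN_CMD = ["java", "-Djetty.home=/opt/jetty home", "-jar", "/opt/jetty home/start.jar"]
SAMPLE_PID_FILE = "/var/run/jetty.pid"


def jetty_style_su_command(jetty_user, run_cmd, pid_file):
    """Mimic the jetty.sh fragment: the command is pasted into a shell string
    with ${RUN_CMD[*]}, so the child shell re-splits every argument."""
    script = ("exec %s --daemon &\n  disown $!\n  echo $! > '%s'"
              % (" ".join(run_cmd), pid_file))
    return ["su", "-", jetty_user, "-c", script]


def quoted_su_command(jetty_user, run_cmd, pid_file):
    """Same shape, but each argument is shell-quoted first, so the child shell
    sees exactly the tokens that were built."""
    script = ("exec %s --daemon &\n  disown $!\n  echo $! > %s"
              % (" ".join(shlex.quote(a) for a in run_cmd), shlex.quote(pid_file)))
    return ["su", "-", jetty_user, "-c", script]


def tokens_seen_by_child_shell(su_argv):
    """Split the -c script the way a POSIX shell would and return the argv of the
    exec'd command (everything between 'exec' and '--daemon')."""
    first_line = su_argv[-1].splitlines()[0]
    words = shlex.split(first_line)
    return words[1:words.index("--daemon")]


if __name__ == "__main__":
    for label, build in (("jetty.sh style", jetty_style_su_command),
                         ("quoted", quoted_su_command)):
        argv = tokens_seen_by_child_shell(build("jetty", SAMPLE_RUN_CMD, SAMPLE_PID_FILE))
        print("%-15s %d args: %r" % (label, len(argv), argv))
```

The unquoted variant turns four arguments into six, so Jetty would start with a wrong `jetty.home` and a wrong jar path; the quoted variant hands the child shell the original four. (Quoting fixes the splitting and expansion the comment lists; it does nothing about `su -` refusing to run at all when the service account's shell is /sbin/nologin, which is the other half of the complaint.)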

Update: Semi-mea culpa: So you don't actually need to use start-stop-daemon to run Jetty as a non-privileged user... although they don't actively push it in front of you the way other daemons do. Jetty has a SetUID module... although the documentation is incorrect on the changes you need to make to start.ini. You need to add this instead (in addition to the change to jetty-setuid.xml):

start.ini
--module=setuid
etc/jetty-setuid.xml

Feb 09 2014

Now loading...

Welcome!

This is the newly set up home for toreishi.net, which will serve both as a personal soapbox for the infrequent times I have something to say, as well as a reference site for users of the site (as I find time to document things, at least!). Things will be a bit cluttered for now, but bear with the mess - it'll get better!

Apologies for the short term use of reCAPTCHA for anonymous comments - I find that it tends to create some fairly ridiculous entries, but I'll need to get better at my Ruby hacking skills before I can replace it with are you a human, which I find much more tolerable.

Feb 09 2014

Upcoming changes

I've been somewhat busy over the past few months, which has led to a definite dearth of updates, but I'm now at the point where I'm starting to work on a number of technical projects.

  • As you can see, I've moved over the blog from using Wagn to using XWiki. A good piece of this has to do with the annoyance of trying to use Ruby Gems from a system administrator's perspective (running gem as root, which you normally want to do since it's installing files in /usr, then creates files that have bad permissions) and with dealing with Ruby app servers (for some reason, Passenger was magically working, and then equally magically broke). I don't love Ruby enough to fight with it, especially given how Gems are administratively unfriendly in how they're too much like the Wild West to be packaged in a native manner.
  • I'm working on migrating from two physical servers to a single physical server running VMware ESXi with multiple virtualized hosts. This should allow me to better isolate systems from each other.
  • Along with the above, I'm working on moving the physical server to be colocated, which should help buffer users from anything I may be doing with my connection.