Category Archives: Server config

Adding a new sudo user to CentOs

Our new user will be called batman:

  1. groupadd admins
  2. adduser batman -G admins
  3. passwd batman
  4. visudo (this will open sudoers file in vim)
  5. Add this to the file:
    %admins     ALL=(ALL)     ALL

Any users in the group called ‘admins’ will be sudoers.  So additional users just need to be added to this group.

Getting certificates from Windows p7b certificate files

I was given a binary certificate chain and needed the ASCII versions of the CA certificates.  Unfortunately, I wasn’t able to get openssl to do this, and had to resort to using a Windows machine (on Win7 I got an ‘install certificate’ menu item when right-clicking on the p7b file in windows explorer).  Double click on the file and you’ll be able to navigate to the certificates in the window that opens (with crypto shell extensions).  You can then right-click > all tasks > export for the individual certificates, and export into a der file, which openssl can then convert to pem.

Here are the errors I got from various ssl commands that I tried:

user@ubuntu:~/certs$ openssl x509 -inform der -in Certificate.p7b -out Certificate.pem
unable to load certificate
31083:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1316:
31083:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:380:Type=X509_CINF
31083:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:748:Field=cert_info, Type=X509

user@ubuntu:~/certs$ openssl pkcs7 -print_certs -in Certificate.p7b -out Certificate.pem
unable to load PKCS7 object
31109:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:650:Expecting: PKCS7

user@ubuntu:~/certs$ openssl pkcs12 -in Certificate.p7b
31162:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1316:
31162:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:tasn_dec.c:828:
31162:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:748:Field=version, Type=PKCS12

user@ubuntu:~/certs$ openssl nseq -in Certificate.p7b
Error reading sequence file Certificate.p7b
31475:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:650:Expecting: CERTIFICATE
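An added shell example (not the post's own commands) that extracts the certificates from a .p7b with openssl alone. A PKCS#7 file from the Windows export wizard is DER-encoded; the commands above either read PEM (hence "no start line") or expect a different ASN.1 type (hence "wrong tag" from `x509` and `pkcs12`). `openssl pkcs7 -inform DER -print_certs` is the combination that reads it. The output directory layout and file names below are the example's own choices.

```shell
#!/bin/sh
# Added example, not from the original post. Requires openssl and awk.

# Print every certificate in a PKCS#7 bundle as PEM. DER is tried first
# (what Windows exports), then PEM for bundles saved as Base64.
p7b_to_pem() {
    bundle=$1
    openssl pkcs7 -inform DER -in "$bundle" -print_certs 2>/dev/null \
        || openssl pkcs7 -inform PEM -in "$bundle" -print_certs
}

# Split a PEM bundle into cert-1.pem, cert-2.pem, ... under DIR and print
# how many certificates were written. The subject=/issuer= lines that
# -print_certs emits between certificates are dropped.
split_pem_bundle() {
    bundle=$1 dir=$2
    mkdir -p "$dir"
    awk -v dir="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END                           { print n + 0 }
    ' "$bundle"
}

# Show subject and issuer of each extracted certificate, so the chain
# order and the CA identities can be checked before anything trusts them.
describe_certs() {
    for f in "$1"/cert-*.pem; do
        printf '%s: ' "$f"
        openssl x509 -in "$f" -noout -subject -issuer | tr '\n' ' '
        echo
    done
}

# Usage: sh p7b-extract.sh Certificate.p7b outdir
if [ $# -ge 2 ]; then
    mkdir -p "$2"
    p7b_to_pem "$1" > "$2/bundle.pem"
    split_pem_bundle "$2/bundle.pem" "$2"
    describe_certs "$2"
fi
```

`describe_certs` is the step worth keeping: a chain exported from someone else's machine should be checked for which CAs it actually contains before any of them is added to a trust store.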

Installing DKIM and DomainKeys for postfix on Ubuntu 10.04

Servername: web1.domain.com
From address: noreply@example.com

Aim: validate DKIM and DomainKeys for this email address sending from this server.

Requirements: access to enter TXT DNS records for domain.com and example.com, and root access to web1.domain.com server.

  1. apt-get install dkim-filter; apt-get install dk-filter
  2. vi /etc/dkim-filter.conf
    Uncomment UMask
    Uncomment Domain, and set to “*” (without quotation marks)
    Underneath Domain, create the following “KeyList    /etc/mail/dkim_domains.key”
    Uncomment Selector and set to “mail”
    You can also uncomment AutoRestart if you want and set to “yes”, and Statistics
    Do not uncomment Version – it’s not a valid setting
    Save and close
  3. vi /etc/postfix/main.cf
    Append the following:
    # DKIM & DomainKeys
    milter_default_action = accept
    milter_protocol = 2
    smtpd_milters = inet:localhost:8891,inet:localhost:8892
    non_smtpd_milters = inet:localhost:8891,inet:localhost:8892
  4. cd /etc/mail
  5. dkim-genkey -t -s mail -d web1.domain.com (dkim key)
  6. openssl genrsa -out domainkey.key 1024 (domainkeys private key)
  7. openssl rsa -in domainkey.key -out domainkey.pub -pubout -outform pem (domainkeys public key)
  8. mv mail.private mail
  9. vi /etc/default/dk-filter
    Uncomment out DAEMON_OPTS and SOCKET and set them like so:
    DAEMON_OPTS="$DAEMON_OPTS -d example.com t -s /etc/mail/domainkey.key -S web1" (the selector here is web1; this is because the DNS record has to go on example.com for DomainKeys, so for every server you want to send example.com mail for you’ll need a separate record)
    SOCKET="inet:8892@localhost"
  10. Open up mail.txt; you need to create the DNS record for DKIM for web1.domain.com from this.  I use a managed DNS service for domain.com, so I put “mail._domainkey.web1” in the subdomain/selector, and paste the bit in quotes as the record content.  Notice the mail.txt file does not have the domain appended, but I’ve added my subdomain web1 in my record.
  11. Make two more DNS records, this time on example.com:
    _domainkey IN TXT “t=y; o=~;”
    web1._domainkey IN TXT “k=rsa; t=y; p=<INSERT KEY FROM DOMAINKEYS.PUB HERE>”
  12. vi /etc/mail/dkim_domains.key  (new file)
    Paste in the following:
    *:web1.domain.com:/etc/mail/mail
  13. Start/restart services; service dkim-filter restart; service dk-filter restart; service postfix restart (dkim went a bit funny for me here; may be better for dkim-filter and dk-filter to stop, then start them)
  14. To check the DNS is set up properly, go to http://domainkeys.sourceforge.net/selectorcheck.html and put in web1._domainkey.example.com, then go to http://dkimcore.org/tools/dkimrecordcheck.html and put in mail for the selector, and web1.domain.com for the domain name.
  15. To check it works; send an email to yahoo address, and check out View Full Header (under the cog button), you should find a line:
    Authentication-Results: mta1066.mail.ird.yahoo.com  from=example.com; domainkeys=pass (ok);  from=web1.domain.com; dkim=pass (ok)

You’ll notice that DKIM and DomainKeys use different parts of the header for validation.  DKIM is looking at the server name given by postfix, and DomainKeys is looking at the domain of the From address.

With the solution above, for every additional server sending emails from example.com, you’ll need to set up a DKIM record for the server hostname, and a DomainKeys record for example.com (with a separate selector).
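An added shell example (not from the post) for steps 10 and 11: it builds the TXT record body for a DomainKeys selector from the PEM public key that step 7 writes (`domainkey.pub`), does the same for a DKIM selector, and checks that whatever ends up in the `p=` tag still parses as an RSA public key. That last check is the one to run against the published record (for example, the value pasted into the DNS console), since a stray line break or truncated paste gives a record that looks fine but never verifies. File names and the `web1` selector follow the post; `t=y` is the test-mode flag used there.

```shell
#!/bin/sh
# Added example, not from the original post. Requires openssl, sed, fold.

# Record body for a DomainKeys selector: key type, test flag, base64 key.
# Drop "t=y" once verification passes, or receivers keep treating
# failures as advisory.
domainkey_txt_record() {
    pub_pem=$1
    b64=$(sed '/^-----/d' "$pub_pem" | tr -d '\n\r')
    printf 'k=rsa; t=y; p=%s' "$b64"
}

# Record body for a DKIM selector (the content dkim-genkey writes to
# mail.txt, without the surrounding quotes).
dkim_txt_record() {
    pub_pem=$1
    b64=$(sed '/^-----/d' "$pub_pem" | tr -d '\n\r')
    printf 'v=DKIM1; k=rsa; t=y; p=%s' "$b64"
}

# Pull the p= tag out of a record body and hand it back to openssl.
# Returns 0 when the value is a well-formed RSA public key, 1 otherwise.
verify_txt_record_key() {
    record=$1
    p=$(printf '%s' "$record" | sed -n 's/.*p=\([^; ]*\).*/\1/p')
    [ -n "$p" ] || return 1
    {
        printf '%s\n' '-----BEGIN PUBLIC KEY-----'
        printf '%s\n' "$p" | fold -w 64
        printf '%s\n' '-----END PUBLIC KEY-----'
    } | openssl rsa -pubin -noout >/dev/null 2>&1
}

# Usage: sh domainkey-record.sh /etc/mail/domainkey.pub web1
# Prints the zone-file line for example.com from step 11.
if [ $# -ge 2 ]; then
    rec=$(domainkey_txt_record "$1")
    if ! verify_txt_record_key "$rec"; then
        echo "public key in $1 does not parse" >&2
        exit 1
    fi
    printf '%s._domainkey IN TXT "%s"\n' "$2" "$rec"
fi
```

To check a record that is already published, fetch it with `dig +short TXT web1._domainkey.example.com`, strip the quotes, and pass the result to `verify_txt_record_key`.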

Installing CentOS 6.2 on XenServer 6.0

Choose to install from URL, and enter the following URL (or your nearest mirror equivalent): http://mirror01.th.ifl.net/centos/6.2/os/x86_64/

The installer is looking for the following path: isolinux/isolinux.cfg

Choose to start VNC (as per: http://forums.citrix.com/thread.jspa?threadID=302677)

Start up your VNC client (eg tightVNC), connect to <IP>:1, put in your password

Once you’ve finished the installation you can install XenServer Tools:

  1. Put the XS Tools cd into the VM cd drive
  2. mkdir /mnt/xs-tools
  3. mount /dev/xvdd /mnt/xs-tools
  4. bash /mnt/xs-tools/Linux/install.sh

This should auto-detect your OS, install required packages, and ask you to reboot the machine.

Modifying the existing WordPress login/registration/lost password form

I wanted to make a few changes to the WordPress login page (wp-login.php) but keep all existing functionality.  I didn’t want to mess around with any core WP files.  Sounds like it should be easy…unfortunately not.

Here’s how you can make a copy of the existing wp-login.php, put it in your own theme, and make it useable so you can then go on to modify it however you like.

  1. copy wp-login.php to your theme directory, call it whatever you like
  2. replace the following lines:
    /**
     * WordPress User Page
     *
     * Handles authentication, registering, resetting passwords, forgot password,
     * and other user handling.
     *
     * @package WordPress
     */

    /** Make sure that the WordPress bootstrap has run before continuing. */
    require( dirname(__FILE__) . '/wp-load.php' );
    with:
    /*
    Template Name: Your Custom Login/Registration Page
    */
  3. If you’re using the vim editor, use the following two lines (the square brackets have to be escaped, otherwise vim reads ['action'] as a character class and the pattern never matches):
    :%s/\$_REQUEST\['action'\]/$_REQUEST['do']/g
    :%s/?action/?do/g
    Otherwise, use whatever find and replace function your editor has to replace $_REQUEST['action'] with $_REQUEST['do'], and ?action with ?do
  4. Create a page on your site, select the new template, and note down the page ID and slug
  5. Back to the custom login file, do the following in vim (where 591 is your page ID, and ‘login-register’ is your page slug):
    :%s/wp_login_url()/get_permalink(591)/g
    :%s/wp-login\.php/login-register/g
    :%s/wp_lostpassword_url()/get_permalink(591).'?do=lostpassword'/g
    Or if not using vim, replace wp_login_url() with get_permalink(<your page ID>), replace wp-login.php with <your page slug>, and wp_lostpassword_url() with get_permalink(<your page ID>).'?do=lostpassword'

That should be it.  If you now go to that page it should show you the normal WP login form, and the links for registering and lost passwords should also go to your custom page.  The lost password feature will also direct the user back to the custom page to reset their password.

You can now edit the page however you like!

NB: point 3 may seem a bit unnecessary; we’re changing the ?action= to ?do=, however, weirdly, if you leave it as-is and post new user registration data to http://yoursite.com/customlogin?action=register, WP calls the register_post action (which registers new users) before it even loads your custom template, and then it calls it again during your template.  Very bizarre, but changing it works fine.
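The edits from steps 2, 3 and 5 as one added shell script (not from the post, and not WordPress code), so they can be re-applied to a fresh wp-login.php after every WordPress upgrade instead of being redone by hand in vim. The page ID 591 and slug `login-register` follow the post; the header replacement only touches the first docblock, since the real file contains many more. The rename from `action` to `do` is what stops `register_post` firing before the template loads, as described above.

```shell
#!/bin/sh
# Added example, not from the original post. Requires awk and sed.

# Step 2: drop the original header (from the first "/**" docblock through
# the require of wp-load.php) and put the theme "Template Name" header in
# its place. Only the first docblock is touched; later ones are kept.
replace_wp_header() {
    awk '
        !done && /^\/\*\*$/ { skipping = 1 }
        skipping {
            if ($0 ~ /wp-load\.php/) {
                skipping = 0; done = 1
                print "/*"
                print "Template Name: Your Custom Login/Registration Page"
                print "*/"
            }
            next
        }
        { print }
    ' "$1"
}

# Steps 3 and 5: rename the request parameter (so WordPress does not run
# register_post before the template loads) and point every login URL at
# our own page. Order matters: "?action" becomes "?do" before the
# wp-login.php links are rewritten to the slug.
rewrite_wp_login() {
    src=$1 page_id=$2 slug=$3
    fixed=$(cat <<'EOF'
s/\$_REQUEST\['action']/$_REQUEST['do']/g
s/?action/?do/g
EOF
)
    replace_wp_header "$src" | sed \
        -e "$fixed" \
        -e "s/wp_login_url()/get_permalink($page_id)/g" \
        -e "s/wp-login\.php/$slug/g" \
        -e "s/wp_lostpassword_url()/get_permalink($page_id).'?do=lostpassword'/g"
}

# Usage: sh customise-login.sh wp-login.php 591 login-register > wp-content/themes/yourtheme/login.php
if [ $# -ge 3 ]; then
    rewrite_wp_login "$1" "$2" "$3"
fi
```

After regenerating the file, diff it against the previous copy: a WordPress update that adds a new `wp-login.php?action=` link or a new use of `$_REQUEST['action']` shows up as a changed line, which is the moment to re-test registration and the lost-password flow.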

Accessing a GUI on Ubuntu XenServer VM

If you try and start the GUI on a paravirtualized Ubuntu VM in XenServer, you’ll get the following error:

Primary device is not PCI
(EE) open /dev/fb0: No such file or directory
(EE) No devices detected

Peter Bats from Citrix said the following:
In a paravirtualized world there is no such thing as a physical console (nor is there a physical CPU, physical memory etc). Hence for completely paravirtualized OSes (with a paravirtualized kernel like Xen) there’s no GUI console.

PS: With the upcoming move/approach of something called PV on HVM (Paravirtualized Linux I/O drivers for a HVM machine, that in this way can profit from the latest developments by Intel/AMD at the hardware levels like EPT/NPT etc.) one will have the option to have both. And a hardware console GUI and good paravirtualized I/O.
This is already available for the RHEL/SLES distros, but not for the general Linux kernel or debian based distributions. There’s work underway to get this included into upstream Linux very soon.

In other words, use VNC for now.

To do that:

  1. Install a GUI onto your Ubuntu server:
    apt-get install ubuntu-desktop (for gnome)
    apt-get install --no-install-recommends ubuntu-desktop (for gnome without libreoffice and some other stuff)
    apt-get install xubuntu-desktop (xfce)
    apt-get install kubuntu-desktop (KDE)
  2. Install VNC
    apt-get install vnc4server
  3. Set the VNC resolution (whatever resolution you want to see on the desktop machine you’ll be using the VNC client on)
    vncserver -geometry 1280x1024 -depth 24
  4. Create a password and VNC server should create some configuration files and start up
  5. Now we need to edit one of the configuration files
    vncserver -kill :1
    vim ~/.vnc/xstartup
  6. Change the file to look like the following (Ubuntu 10.04 and 10.10 only, other versions look different):
    #!/bin/sh

    # Uncomment the following two lines for normal desktop:
    unset SESSION_MANAGER
    exec sh /etc/X11/xinit/xinitrc

    [ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
    [ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
    xsetroot -solid grey
    vncconfig -iconic &
    x-terminal-emulator -geometry 1280x1024+10+10 -ls -title "$VNCDESKTOP Desktop" &
    x-window-manager &

  7. Save and quit vim
    :wq
  8. Start up the VNC server again
    vncserver -geometry 1280x1024 -depth 24
  9. Now you can connect to the server via a VNC client.  On windows, you can use TightVNC
  10. To connect to the server, you want to use IP:1, for example, my server’s IP is 10.0.0.30, then I need to connect to 10.0.0.30:1
  11. Put in the VNC password when requested by TightVNC and it should bring up the server’s desktop
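One caveat on steps 8 to 11, as an added shell example (not from the post): started as above, the VNC server listens on every interface and the VNC password and the whole desktop session cross the network unencrypted. The script below starts the same session bound to the loopback interface only and builds the SSH port forward that the desktop machine uses instead of connecting to 10.0.0.30:1 directly. Display `:1`, the geometry and the server address follow the post; it assumes an Xvnc that honours `-localhost` (vnc4server does), `ss` from iproute2 for the check, and the user name `alice` is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post.

# VNC display :N listens on TCP port 5900+N; this is the mapping behind
# "connect to 10.0.0.30:1" in the post.
vnc_display_port() {
    echo $((5900 + $1))
}

# Build the ssh command that forwards a local port to the server's VNC
# port. The VNC client then connects to localhost:N on the desktop machine.
vnc_tunnel_cmd() {
    display=$1 user=$2 host=$3
    port=$(vnc_display_port "$display")
    echo "ssh -N -L ${port}:127.0.0.1:${port} ${user}@${host}"
}

# Start the server on the given display, accepting connections only from
# localhost (-localhost); the SSH tunnel is then the only way in.
start_vnc_localhost() {
    display=$1
    vncserver ":$display" -localhost -geometry 1280x1024 -depth 24
}

# Confirm the listener is bound to 127.0.0.1 rather than 0.0.0.0.
# Returns 0 when a loopback-only listener for the display's port exists.
vnc_bound_to_loopback() {
    port=$(vnc_display_port "$1")
    ss -ltn | awk -v p=":$port" \
        '$4 ~ p"$" && $4 ~ /^127\.0\.0\.1/ { found = 1 } END { exit !found }'
}

# Usage: on the server   sh vnc-tunnel.sh server 1
#        on the desktop  sh vnc-tunnel.sh client 1 alice 10.0.0.30
case ${1:-} in
    server) start_vnc_localhost "$2" && vnc_bound_to_loopback "$2" ;;
    client) vnc_tunnel_cmd "$2" "$3" "$4" ;;
esac
```

With the tunnel up, point TightVNC at `localhost:1` on the desktop machine; the server's firewall can then block port 5901 from everywhere, since nothing needs to reach it except the local sshd.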

References:
http://forums.citrix.com/message.jspa?messageID=1488656#1488656
http://www.havetheknowhow.com/Configure-the-server/Install-VNC.html

Fixing proFTP overwrite problems in Virtualmin

For some reason, the proFTP configuration in Virtualmin (v3.88) was not allowing files to be overwritten, despite the configuration in /etc/proftpd/proftpd.conf as follows:

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022  022
# Normally, we want files to be overwriteable.
AllowOverwrite on

# Uncomment this if you are using NIS or LDAP via NSS to retrieve passwords:
# PersistentPasswd off

To solve this, add the following to the bottom of the config file (/etc/proftpd/proftpd.conf):

<Global>
        AllowOverwrite  on
</Global>

Then restart proFTP:

service proftpd restart

Editing corosync config with VIM

This also works when you’re getting the error “id is already in use”.

First, display config: crm configure show

Then edit config:
crm configure
edit
[make your changes, save and quit]

Then commit config:
commit

Then exit crm configure and check your configuration again
quit (or Ctrl+C)
crm configure show

XenServer install one-off CentOS packages (aka install a package from a disabled repo with yum)

This is not specific to XenServer, or to CentOS, but it was what I was trying to do at the time.

XenServer, by default, only has the Citrix repository enabled, so there will be lots of packages you can’t install.

If you want to install a package but don’t want to enable the CentOS repository, you can use the following command:

yum --enablerepo=base install mutt

This installs mutt from the base repo.  If you want a list of available repos, you can do the following:

yum repolist disabled

Example output:

[root@testxenserver yum.repos.d]# yum repolist disabled
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
repo id                         repo name                               status
addons                          CentOS-5 – Addons                       disabled
base                            CentOS-5 – Base                         disabled
c5-media                        CentOS-5 – Media                        disabled
centosplus                      CentOS-5 – Plus                         disabled
contrib                         CentOS-5 – Contrib                      disabled
extras                          CentOS-5 – Extras                       disabled
updates                         CentOS-5 – Updates                      disabled
repolist: 0

And to see enabled repos:

[root@testxenserver yum.repos.d]# yum repolist
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
repo id                   repo name                                   status
citrix                    XenServer 5.6.100 updates                   enabled: 0
repolist: 0

Openfiler 2.99 iSCSI SR backend failed to complete

Check your ACL.  I was using a netmask of 255.255.0.0, and couldn’t get this error to go away until I specified particular IPs with netmask of 255.255.255.255.

Also, after updating the system ACL, go back to the iSCSI target ACL and just ‘update’ on the host allow page.  This page was showing the new IPs for me, but the config file on the server (/etc/initiators.allow) was out of date until I updated.