Monthly Archives: November 2012

Centos OpenVPN Setup

A friend asked me to set up OpenVPN on an OpenVZ VPS he had. The first thing we needed to do, which he had already done, was contact the host to add support for tun/tap devices; for an idea of what the host had to do, see the Host Setup below. His website is leadingvpn.com so let's use that for this; obviously change it to your own domain. We will be doing this for CentOS 6 64-bit.
Host Setup: a quick rundown of what to do on a CentOS host:

echo "modprobe tun" >> /etc/rc.d/rc.local; modprobe tun
echo "modprobe ipt_mark" >> /etc/rc.d/rc.local; modprobe ipt_mark
echo "modprobe ipt_MARK" >> /etc/rc.d/rc.local; modprobe ipt_MARK
CTID=101   # change to your CTID
vzctl set $CTID --devnodes net/tun:rw --save
vzctl set $CTID --devices c:10:200:rw --save
vzctl set $CTID --capability net_admin:on --save
vzctl exec $CTID mkdir -p /dev/net
vzctl exec $CTID chmod 600 /dev/net/tun
vzctl restart $CTID

#Now inside the container, run these 2 lines and also add them to startup

myip=1.1.1.1   # change to your public IP address
iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source $myip
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source $myip
echo "iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source $myip" >> /etc/rc.d/rc.local
echo "iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source $myip" >> /etc/rc.d/rc.local

#enable forwarding

sysctl -w net.ipv4.ip_forward=1
echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf

#We need to enable the right repository for this OS install
#Remember to change to the right rpm for your OS

rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
cd /etc/yum.repos.d
wget http://repos.openvpn.net/repos/yum/conf/repos.openvpn.net-CentOS6-snapshots.repo
yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openvpn openssl-devel -y
cp -R /usr/share/doc/openvpn*/easy-rsa/ /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0
chmod 755 *
nano vars

#change the following:

export KEY_SIZE=4096
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="LeadingVPN"
export KEY_EMAIL="admin@leadingvpn.com"
#export KEY_CN=changeme
#export KEY_NAME=changeme
#export KEY_OU=changeme
#export PKCS11_MODULE_PATH=changeme
#export PKCS11_PIN=1234

#the ./build-dh command below takes a long time with a 4096-bit key, so run it before going for lunch

source ./vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server secure.leadingvpn.com
openvpn --genkey --secret keys/ta.key

#build as many client certificates as needed (to add more later, cd back into this directory and sign another client certificate against the CA above)

./pkitool client1.leadingvpn.com
./pkitool client2.leadingvpn.com

#make the directories and copy the needed files into them

rm -rf /etc/openvpn/secure /etc/openvpn/client1 /etc/openvpn/client2
mkdir /etc/openvpn/secure    # server file directory
mkdir /etc/openvpn/client1   # client1 directory
mkdir /etc/openvpn/client2   # client2 directory
cd /etc/openvpn/easy-rsa/2.0/keys
cp ca.crt ca.key ta.key dh4096.pem secure.leadingvpn.com.crt secure.leadingvpn.com.key /etc/openvpn/secure   # files needed for the server; ca.key only if this host will also act as the CA
cp ca.crt ta.key client1.leadingvpn.com.crt client1.leadingvpn.com.key /etc/openvpn/client1   # client1 (client1.leadingvpn.com)
cp ca.crt ta.key client2.leadingvpn.com.crt client2.leadingvpn.com.key /etc/openvpn/client2   # client2 (client2.leadingvpn.com)
cd /etc/openvpn
nano secure.conf
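A check to run on the directories just created, as an added example (not from the post): it verifies each directory has the files the cp commands above put there, that key files are not readable by other users, that ca.key never ends up in a client directory, and (if openssl is installed) that the host certificate verifies against ca.crt. The function name check_vpn_dir and the VERIFY_CHAIN switch are my own.

```shell
#!/bin/sh
# Added example (not from the post): sanity-check a directory built by the cp
# commands above before handing it to a client or the server. Requires ca.crt,
# ta.key and exactly one host .crt with its .key, private material mode 0600,
# no ca.key in a client directory, and, when openssl is installed and
# VERIFY_CHAIN=1, that the host certificate verifies against ca.crt.
VERIFY_CHAIN=${VERIFY_CHAIN:-1}

# check_vpn_dir DIR [server|client] -> 0 when everything looks right
check_vpn_dir() {
    dir=$1; role=${2:-client}; ok=0; crt=""; n=0
    for f in ca.crt ta.key; do
        [ -f "$dir/$f" ] || { echo "$dir: missing $f" >&2; ok=1; }
    done
    if [ "$role" = client ] && [ -e "$dir/ca.key" ]; then
        echo "$dir: ca.key must never be in a client directory" >&2; ok=1
    fi
    # group/other permission bits of every key file must be empty (rw-------)
    for f in "$dir"/*.key; do
        [ -e "$f" ] || continue
        case $(ls -ld "$f" | cut -c5-10) in
            ------) ;;
            *) echo "$f: key is readable by group/others" >&2; ok=1 ;;
        esac
    done
    # exactly one host certificate besides ca.crt, with its key beside it
    for f in "$dir"/*.crt; do
        [ -e "$f" ] && [ "$f" != "$dir/ca.crt" ] || continue
        crt=$f; n=$((n + 1))
    done
    [ "$n" -eq 1 ] || { echo "$dir: expected one host .crt, found $n" >&2; return 1; }
    [ -f "${crt%.crt}.key" ] || { echo "$dir: missing ${crt%.crt}.key" >&2; ok=1; }
    if [ "$VERIFY_CHAIN" = 1 ] && command -v openssl >/dev/null 2>&1; then
        openssl verify -CAfile "$dir/ca.crt" "$crt" >/dev/null 2>&1 \
            || { echo "$crt: does not verify against ca.crt" >&2; ok=1; }
    fi
    return $ok
}
```

Run it as `check_vpn_dir /etc/openvpn/client1 client` and `check_vpn_dir /etc/openvpn/secure server` after the copies above.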

TO BE CONTINUED….

Linux ISCSI with FreeBSD ZFS

How many of you would love to use ZFS on Linux for its excellent snapshot features, but cannot? How about we set up a FreeBSD host with ZFS, then on Linux mount the ZFS volume over iSCSI and format it as ext4; then we can snapshot that partition any time we want and roll it back any time we want. I have been using ZFS on FreeBSD for years with over 10TB of data; it is very stable on this OS. Let's see how I'd go about keeping ZFS for backup snapshots:

#ISCSI
#FreeBSD - let's set up the server (target) portion of iSCSI:
#notice how df will not show data/iscsitest, as we are creating a block device (zvol)

zfs destroy data/iscsitest
zfs create -V 20G data/iscsitest
zfs list -o name,used,avail,volsize
cd /usr/ports/net/istgt; make install
cd /usr/local/etc/istgt/
cp auth.conf.sample auth.conf
cp istgt.conf.sample istgt.conf
cp istgtcontrol.conf.sample istgtcontrol.conf
pico istgt.conf

[PortalGroup1]
Portal DA1 192.168.0.3:3269 …

[InitiatorGroup1]
Netmask 192.168.0.0/24 …

[LogicalUnit1]
LUN0 Storage /dev/zvol/data/iscsitest Auto

/usr/local/etc/rc.d/istgt start

#Linux:
yum install iscsi-initiator-utils
service iscsi start

iscsiadm -m discovery -t sendtargets -p 192.168.0.3
fdisk -l                 # find the new device, perhaps it is /dev/sdf
gdisk /dev/sdf           # partition it, maybe sdf1 as ext4
mkfs.ext4 /dev/sdf1
mkdir /mnt; mount -t ext4 /dev/sdf1 /mnt

#optionally add it to /etc/fstab like this; notice the _netdev option is needed:
/dev/sdf1 /mnt ext4 _netdev 0 0
chkconfig iscsi on

#OPTIONAL: how would we change the size of the partition? (old targets can be deleted with: iscsiadm -m node -p 192.168.0.3 --op=delete)
Freebsd:

zfs set volsize=40G data/iscsitest
zfs list -o name,volsize
/usr/local/etc/rc.d/istgt restart

Linux:
#umount any iSCSI partitions first
service iscsi restart
fdisk -l                 # check which /dev/sdX it is and confirm the new size
gdisk /dev/sdf           # delete all partitions and save
gdisk /dev/sdf           # recreate it with the max size and save
resize2fs /dev/sdf1
(go ahead and mount it again; it should have the new size)

#FreeBSD snapshot test:
zfs snapshot data/iscsitest@test

(now time goes on and data gets written to /mnt on the Linux box, but something happens and we want to roll back)

#rollback:
Freebsd:
/usr/local/etc/rc.d/istgt stop
zfs rollback data/iscsitest@test
/usr/local/etc/rc.d/istgt start

Linux:
umount /mnt
mount /mnt
(should be recovered)

#make your life easier: crontab the snapshots daily and monthly:
21 4 * * * (/usr/local/etc/rc.d/istgt stop; zfs destroy data/iscsitest@`/bin/date +\%A`; zfs snapshot data/iscsitest@`/bin/date +\%A`; /usr/local/etc/rc.d/istgt start) > /dev/null 2>&1
0 0 1 * * (/usr/local/etc/rc.d/istgt stop; zfs destroy data/iscsitest@`/bin/date +\%B`; zfs snapshot data/iscsitest@`/bin/date +\%B`; /usr/local/etc/rc.d/istgt start) > /dev/null 2>&1
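The same rotation as the two crontab lines, as an added example that is not part of the post: a function that refuses to snapshot when istgt did not actually stop (the zvol would still be receiving writes from the Linux side) and always restarts istgt afterwards. rotate_snapshot and the ZFS/ISTGT_RC variables are my own names; a cron entry would call e.g. rotate_daily data/iscsitest.

```shell
#!/bin/sh
# Added example (not from the post): the crontab entries above as a function
# that fails closed. It refuses to snapshot if istgt did not stop (the zvol
# would still be receiving writes), ignores only a missing old snapshot, and
# restarts istgt even if zfs destroy/snapshot fail. ZFS and ISTGT_RC default
# to the real commands; they are variables so the logic can be exercised with
# stand-ins (an assumption for testing, not a FreeBSD feature).
ZFS=${ZFS:-zfs}
ISTGT_RC=${ISTGT_RC:-/usr/local/etc/rc.d/istgt}

# rotate_snapshot DATASET LABEL -> replace DATASET@LABEL with a fresh snapshot
rotate_snapshot() {
    ds=$1; label=$2; rc=0
    "$ISTGT_RC" stop || { echo "istgt did not stop, not snapshotting $ds" >&2; return 1; }
    if "$ZFS" list -t snapshot "$ds@$label" >/dev/null 2>&1; then
        "$ZFS" destroy "$ds@$label" || rc=$?
    fi
    [ "$rc" -eq 0 ] && { "$ZFS" snapshot "$ds@$label" || rc=$?; }
    "$ISTGT_RC" start || rc=$?      # always bring the target back
    return $rc
}

# Same names as the crontab: weekday for daily, month name for monthly
rotate_daily()   { rotate_snapshot "$1" "$(date +%A)"; }
rotate_monthly() { rotate_snapshot "$1" "$(date +%B)"; }
```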

Until next time,

Dan.

CPanel FFMPEG and Centos 6.3 setup

Install a prerequisite for perl-SGMLSpm:

yum install openjade
alias pico='nano -w'

Install some decent repositories:
64 Bit:

rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
rpm -Uvh ftp://rpmfind.net/linux/centos/6.3/os/x86_64/Packages/perl-SGMLSpm-1.03ii-21.el6.noarch.rpm

32 Bit:

rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.i686.rpm
rpm -Uvh ftp://rpmfind.net/linux/centos/6.3/os/i386/Packages/perl-SGMLSpm-1.03ii-21.el6.noarch.rpm

Install Dag repository

pico /etc/yum.repos.d/dag.repo

Insert:

[dag]
name=Dag RPM Repository for Red Hat Enterprise Linux
baseurl=http://apt.sw.be/redhat/el$releasever/en/$basearch/dag
gpgcheck=1
enabled=1

Install cPanel Ruby and flvtool2:

/scripts/installruby
gem install flvtool2

Next let's install the base packages we need:

yum install ffmpeg ffmpeg-devel mplayer mencoder gpac gpac-libs

Let's get ffmpeg-php:

wget http://downloads.sourceforge.net/ffmpeg-php/ffmpeg-php-0.6.0.tbz2
tar xjf ffmpeg-php-0.6.0.tbz2
cd ffmpeg-php-0.6.0
sed -i 's/PIX_FMT_RGBA32/PIX_FMT_RGB32/g' ffmpeg_frame.c
phpize
./configure
make

Note: if you are running PHP 5.4 you may need to make the following change and then run "make" above again:

pico ffmpeg_movie.c

In ffmpeg_movie.c:
row 311: list_entry *le;  TO  zend_rsrc_list_entry *le;
row 346: list_entry new_le;  TO  zend_rsrc_list_entry new_le;
row 360: hashkey_length+1, (void *)&new_le, sizeof(list_entry),  TO  hashkey_length+1, (void *)&new_le, sizeof(zend_rsrc_list_entry),

Now let's really install everything:

make install
# make install prints the extension directory; note it down:
Installing shared extensions:     /usr/local/lib/php/extensions/no-debug-non-zts-20090626/
pico /usr/local/lib/php.ini

Now add the following to the end of the file, substituting the no-debug-non-zts-20090626 path below with the directory your "make install" above reported:

extension_dir = "/usr/local/lib/php/extensions/no-debug-non-zts-20090626"
extension="ffmpeg.so"

Restart Apache:

/scripts/restartsrv_httpd

Now create a PHP script containing the following and open it to verify the extension loaded:

<?php phpinfo(); ?>

DKIM and postfix setup on centos 6.3

This is meant as a quick 5-minute get-it-going guide and a 5-minute quick test to get DKIM working. I do recommend actually reading the man pages etc. if you have extra time, but this guide should get you going.

Install EPEL repository:
64 bit:
# rpm -Uvh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-7.noarch.rpm
32 bit:
# rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-7.noarch.rpm

Install DKIM:
# yum install opendkim
# export domain=YOURDOMAIN.com
# mkdir /etc/opendkim/keys/$domain
# cd /etc/opendkim/keys/$domain
# opendkim-genkey -d $domain -s default
# chown -R opendkim:opendkim /etc/opendkim/keys/$domain
# echo "default._domainkey.$domain $domain:default:/etc/opendkim/keys/$domain/default.private" >> /etc/opendkim/KeyTable
# echo "*@$domain default._domainkey.$domain" >> /etc/opendkim/SigningTable

If you have internal hosts relaying through this server whose mail you also want signed:
# echo "192.168.0.0/24" >> /etc/opendkim/TrustedHosts

Edit DNS:
# cat /etc/opendkim/keys/$domain/default.txt >> /var/named/master/YOUR_DOMAIN_DNS_ZONE_FILE
(what I normally do at this point is increment the serial number in the DNS zone file, log in to the slaves, delete their zone files and restart named there to get it going quickly)
# nano -w /etc/opendkim.conf
- Mode sv
- Domain YOURDOMAIN.com
- uncomment everything except KeyFile
- find the line "SigningTable /etc/opendkim/SigningTable" and change it to
  "SigningTable refile:/etc/opendkim/SigningTable" to enable regex wildcards in the SigningTable

Configure Postfix
# nano -w /etc/postfix/main.cf (add the following)
# opendkim setup
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
milter_default_action = accept

Restart Services
# service opendkim start
# service postfix restart
# service named reload
# chkconfig opendkim on

Test our setup
# echo "DKIM Test" | mail -s "DKIM Testing" SOMEUSER@gmail.com
# tail -100 /var/log/maillog

Now make sure the maillog shows the message was signed, then check the headers of the email in Gmail and make sure everything passes.


Dan

How to partition an openvz host to take snapshots

#Partitioning:
/dev/sda1 - /boot - 250 MB (because the kernel cannot be on LVM)
/dev/sda2 - LVM - rest of the space
volume group=vps
root - / - 102400 MB (100 GB) (logical volume name "root")
swap - N/A - 4096 MB (4 GB) (logical volume name "swap")
vz - /vz - (logical volume name "vz")
(here you take the remaining space and subtract from it the amount of space you want to keep for snapshots)

Now you have 3 LVs in /dev/vps/*, and you have remaining space for snapshots. You should keep at least 10GB free for snapshots, depending on how much your data changes; if a lot changes you would be better off with 100GB of free space. In my snapshot examples I am going to assume I left 10GB of space free for snapshots.

Background on snapshots:
# - snapshots only need enough space for the amount of data you expect to change (copy on write)
# - the longer a snapshot is left sitting there, the more it may grow as changes accumulate
# - ie: you create a new 2G file after the snapshot is taken; the snapshot grows by 2G so it can take that file back out
Let's begin:
Let's say I want to take a snapshot of /vz (where all my OpenVZ hosts reside).
I know I have 10GB of free space left. A way to check: "pvdisplay" will show you the "PV Size"; "lvdisplay" shows all LVs and their sizes. Add up the "LV Size" of each and subtract the total from the "PV Size" to get the remaining space for snapshots. WARNING: never attempt to shrink an LV to get extra space for snapshots; back up the LV, delete it, recreate it, and copy the data back.
# lvcreate --snapshot --name snap --size 10GB /dev/vps/vz
(in this example I just created a snapshot volume /dev/vps/snap that is good for 10GB worth of changes to the /dev/vps/vz logical volume)
(now let's mount it, for example if we wanted to back it up)
# mkdir /mnt; mount /dev/vps/snap /mnt; ls -al /mnt
(now we have /mnt available for a backup with, e.g., rsync)
(to unmount and remove the snapshot to get our 10GB of free space back for another snapshot:)
# umount /mnt; lvremove /dev/vps/snap
(simple as that; now you are an expert at snapshots)

Now let's get more advanced. Let's say I want to take that 10GB of space and take snapshots of /dev/vps/vz daily and once a month, as well as a monthly snapshot of the host itself, /dev/vps/root, so that we have the ability to get back anything we accidentally deleted anywhere.

Let's set up a cronjob:
# crontab -e
(let's add the following:)
#10 gigabytes available for snapshots: 7 days in a week = 7GB, + 2GB monthly snapshot + 1GB host snapshot = 10GB
#daily snapshots
0 0 * * * (lvremove -f /dev/vps/snap-`/bin/date +\%A`; lvcreate --snapshot --name snap-`/bin/date +\%A` --size 1GB /dev/vps/vz) > /dev/null 2>&1
#monthly snapshot
0 0 1 * * (lvremove -f /dev/vps/snap-Monthly; lvcreate --snapshot --name snap-Monthly --size 2GB /dev/vps/vz) > /dev/null 2>&1
#host snapshot once a month
0 0 1 * * (lvremove -f /dev/vps/snap-host-Monthly; lvcreate --snapshot --name snap-host-Monthly --size 1GB /dev/vps/root) > /dev/null 2>&1

(and there you have it: every day we get a day-of-week snapshot such as /dev/vps/snap-Thursday, 1 monthly snapshot, and 1 monthly snapshot of the host itself, which we can mount any time to /mnt and do any recovery or backups needed)
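An added example (not from the post) that flags snapshots close to exhausting the COW space given by --size above, since an LVM snapshot that fills up is invalidated by LVM and can no longer be mounted. It reads lvs output with the snap_percent column; the function names and the sample lvs output are constructed.

```shell
#!/bin/sh
# Added example (not from the post): find snapshots that are close to full.
# An LVM snapshot that uses up its COW space (the --size given above) is
# invalidated and its contents are gone, so it pays to watch snap-Monday & co.
# Reads the output of:
#   lvs --noheadings --separator '|' -o lv_name,origin,snap_percent
# Usage: snapshot_report | snapshots_over PERCENT   (prints "name percent" lines)
snapshots_over() {
    awk -F'|' -v thr="${1:-80}" '
        { gsub(/^[ \t]+|[ \t]+$/, "", $1); gsub(/[ \t]/, "", $2); gsub(/[ \t]/, "", $3) }
        $2 != "" && $3 != "" && ($3 + 0) >= thr { print $1, $3 }'
}

snapshot_report() { lvs --noheadings --separator '|' -o lv_name,origin,snap_percent; }

# Constructed sample of that lvs output (vg "vps" as laid out above)
SAMPLE_LVS='  root|           |
  swap|           |
  vz|             |
  snap-Monday|vz|12.50
  snap-Tuesday|vz|97.30
  snap-Monthly|vz|85.00
  snap-host-Monthly|root|3.10'
```

A cron line such as `snapshot_report | snapshots_over 80 | mail -s "LVM snapshots nearly full" root` gives warning before a day-of-week snapshot silently becomes unusable.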

My recommendation, if you have the space, is to have a backup LV the same size as /vz. My personal preference for backups is the ZFS filesystem on FreeBSD, which you can easily install as a VPS under KVM virtualization: share the disks to the VM and have FreeBSD do a ZFS raid on them, but that's for another article.

As far as LVM goes, what I personally do is rsync the /vz directory each night to a ZFS filesystem and take the snapshots there; ZFS is much nicer to work with when dealing with snapshots. Where LVM comes in handy is to snapshot the LV (because we use ext4 on Linux) for something like a MySQL database, mount it, then rsync it off to a ZFS filesystem.

Dan