
Run your own realhostip

Realhostip.com is a DNS (and SSL) service run by Citrix to provide certain SSL functionality. To quote from the Cloudstack wiki:

Periodically we get questions asking what the realhostip DNS name is exactly doing in CloudStack. The Realhostip.com domain exists to make HTTPS work across all CloudStack installations in different customer sites, without administrators having to worry about how to load an SSL certificate due to deployment environment changes. SSL certificates are used in CloudStack system VMs to host HTTPS connections, for example the console proxy VM and the secondary storage VM, which both use it in their HTTP server. The Realhostip.com SSL certificate is signed with a wildcard match, so all DNS names under *.realhostip.com are qualified to use the certificate. Because every CloudStack customer has its own environment, each one has their own set of system VMs in their installation and each system VM instance has its own set of IP addresses. To use ONE certificate for all these instances among different customers, we came up with a solution by providing a dynamic DNS service hosted by CloudStack; the DDNS service basically translates DNS names of the form xxx-xxx-xxx-xxx.realhostip.com to the IP address xxx.xxx.xxx.xxx. CloudStack has control of the IP addresses in each installation, so whenever we need an SSL certificate, no matter which customer is running the installation, with such a DDNS service available we can always assign it a suffix under the realhostip.com domain on top of ever-changing IP addresses; this is the trick we play to make ONE SSL certificate applicable universally among all CloudStack installations. In most of these cases the ugly DNS name is not visible to end users, since its main purpose is to help establish a secure communication channel (not truly to certify a site); however, there are cases where customers may care, therefore the console proxy VM does provide a customizable way for users to use their own SSL certificates.
Realhostip will disappear from future versions of Cloudstack as it adds extra complexity and makes the setup dependent on a third-party service, not to mention that it requires a working connection to the Internet, which is not always the case with private cloud deployments.

With the introduction out of the way, let's proceed to the actual steps required to run such a service yourself. You will need 3 things mainly:
- the software that runs the wildcard DNS service
- a domain name
- a wildcard certificate for this domain name (can be self-signed if you don't mind the browser complaints)

Tip: You can also have a look at this if you don't want to run this DNS software: http://support.citrix.com/article/CTX133468
In my setup I have dedicated a virtual machine with CentOS 6.5 64bit and a public IP address to run both the cloudstack management server and the "realhostip" DNS service. Read below how to install it (copy/paste style):
# get all the prerequisites
yum -y install git java-1.7.0-openjdk-devel
cd /usr/local
git clone https://github.com/ke4qqq/RHIP
cd RHIP
# RHIP was built with java 1.5 originally, we need to modify the build script to use 1.7 (dots escaped so sed matches them literally)
sed -i 's/1\.5/1.7/g' build.sh
# build it
./build.sh
# build the zone file for your domain
cp named.realhostip.com named.mydomain.tld
sed -i 's/realhostip\.com/mydomain.tld/g' named.mydomain.tld
# open named.mydomain.tld in your favourite editor and update it with your own details, the ns A entries should point to the local machine
vi named.mydomain.tld
# make sure there is no DNS server running on this machine already
# launch the program, it requires the following 4 parameters: domain name, zone file, port and log configuration file
# add the line below to /etc/rc.local if you want it to start at boot
cd /usr/local/RHIP/; setsid ./run.sh mydomain.tld named.mydomain.tld 53 log4j.properties
If at the registrar of your domain name you have pointed the nameserver to the box running RHIP, you should already be able to get some DNS records:
host 1-2-3-8.mydomain.tld
1-2-3-8.mydomain.tld has address 1.2.3.8
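A small check script for the step above, added here and not part of the original post: it derives the address an RHIP-style name encodes, rejects names that are not four valid octets, and compares the derived address with what the running server answers. It assumes the `host` utility (bind-utils) is installed and that `rhip_check` is called with a name under your own suffix.

```shell
#!/bin/sh
# Added check, not part of the original post: derive the IP address that an
# RHIP-style name encodes and compare it with what the DNS server answers.
# Assumes the "host" utility (bind-utils) is installed.

# Turn "1-2-3-8" into "1.2.3.8", rejecting anything that is not four octets in 0..255.
expected_ip_from_name() {
    label=${1%%.*}                      # strip the domain suffix, keep the first label
    ip=$(printf '%s' "$label" | tr '-' '.')
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;    # empty or non-numeric field
        esac
        [ "$octet" -le 255 ] || return 1
    done
    printf '%s\n' "$ip"
}

# Query the running RHIP server for one name and verify the A record matches
# the address encoded in the name. Returns 0 on match, 1 on mismatch or error.
rhip_check() {
    name=$1
    want=$(expected_ip_from_name "$name") || { echo "malformed name: $name" >&2; return 1; }
    got=$(host -t A "$name" | awk '/has address/ {print $NF; exit}')
    if [ "$got" = "$want" ]; then
        echo "OK   $name -> $got"
    else
        echo "FAIL $name -> '${got:-no answer}' (expected $want)" >&2
        return 1
    fi
}

# Usage, once the registrar points the nameservers at the RHIP box:
# rhip_check 1-2-3-8.mydomain.tld
```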


The software is installed, configured and running, now we need to configure the Cloudstack part of things.
Log in as admin in the UI, go to Infrastructure, click on SSL Certificate (upper right), paste the contents of your certificate in the Certificate box (PEM/Apache2 format is ok), paste the contents of your key in the PKCS#8 Private Key field and put your own domain, e.g. mydomain.tld, in the DNS Domain Suffix field.
After you click OK Cloudstack will restart the system VMs so they load the new certificate, and the next time you open a console you will be using your own service instead of realhostip.com.

We are almost done. In many cases the certificate comes with an intermediate CA certificate. In my case I ended up with a PositiveSSL wildcard cert from Comodo (the cheapest I could find), so when they sent me the certificate they also sent an intermediate one... The problem is the intermediate CA cert cannot be added from the web interface. What I did is to install phpMyAdmin on the virtual machine and add it manually from there. Here's how:
- install and login in phpMyAdmin
- select the "cloud" database and click on the "keystore" table
- you should see a row with your certificate from the previous step and one for realhostip.com, delete the realhostip.com one
- insert a new row: id can be anything (2, 3, etc.); name can be anything; in the "certificate" text box add your intermediate CA; key can be NULL, so tick the null checkbox; domain_suffix is mydomain.tld
- the "seq" field is important: the intermediate's seq number needs to be smaller, i.e. use 1 for it and 2 for the existing row, like here
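The same keystore change done from the shell instead of phpMyAdmin, as an added example that is not from the original post. The table and column names (cloud.keystore: id, name, certificate, key, domain_suffix, seq) and the seq ordering are the ones the steps above walk through; the row name 'intermediate-ca', the assumption that the existing row has domain_suffix equal to your domain, and the use of the mysql root account are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: generate the SQL for the keystore
# edit described above (drop the realhostip.com row, move the existing
# end-entity row to seq 2, insert the intermediate CA at seq 1 with a NULL key).
# Row name 'intermediate-ca' and the domain_suffix of the existing row are assumptions.
keystore_sql() {
    domain=$1
    ca_file=$2
    ca_pem=$(cat "$ca_file") || return 1
    case $ca_pem in
        *-----BEGIN\ CERTIFICATE-----*) ;;
        *) echo "$ca_file is not a PEM certificate" >&2; return 1 ;;
    esac
    case $ca_pem in
        *\'*|*\\*) echo "refusing to inline a certificate containing quotes or backslashes" >&2; return 1 ;;
    esac
    cat <<EOF
START TRANSACTION;
DELETE FROM cloud.keystore WHERE domain_suffix = 'realhostip.com';
UPDATE cloud.keystore SET seq = 2 WHERE domain_suffix = '$domain';
INSERT INTO cloud.keystore (id, name, certificate, \`key\`, domain_suffix, seq)
  SELECT COALESCE(MAX(id), 0) + 1, 'intermediate-ca', '$ca_pem', NULL, '$domain', 1
  FROM cloud.keystore;
COMMIT;
EOF
}

# Review the statements first, then feed them to mysql; restart the system VMs
# afterwards, as in the UI flow:
# keystore_sql mydomain.tld /path/to/intermediate.pem > keystore.sql
# mysql -u root -p cloud < keystore.sql
```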


Good luck!

Installing a 64bit kernel into a 32bit CentOS OS

Today I needed to make a CentOS 6 32bit OS see 24 GB RAM. Unfortunately, although the default 32bit kernel from RH already has PAE enabled, it will not handle more than 16 GB RAM, so the only solution that came to mind was to use a 64bit kernel.
This is possible, but does not seem like a very good or elegant solution, at least not for the long term; however, it's WAY quicker than a full reinstall.
All one needs to do is get the 64 bit kernel from a mirror and install it via rpm (--ignorearch is what lets a 64bit package onto a 32bit system):
wget http://mirrors.coreix.net/centos/6/os/x86_64/Packages/kernel-2.6.32-431.el6.x86_64.rpm
rpm -ivh --force --ignorearch kernel-2.6.32-431.el6.x86_64.rpm
That's it, now edit /boot/grub/menu.lst to make it default and off you go: reboot!

Forcing a reboot or shutdown in Linux

Sometimes we need to test various things in Linux that require instant and/or abrupt reboots or shutdowns.
While for reboots one can use `reboot -f`, I was not aware of a way to do a forced shutdown, until now.
The trick is to use the Magic SysRq key:
# reboot: 'b' restarts immediately, without syncing or unmounting filesystems
echo 1 > /proc/sys/kernel/sysrq
echo b > /proc/sysrq-trigger
# shutdown: 'o' powers the machine off, again without a clean sync/unmount
echo 1 > /proc/sys/kernel/sysrq
echo o > /proc/sysrq-trigger

Happy testing! :)

Taking KVM volume snapshots with Cloudstack 4.2 on CentOS 6.5

Apache Cloudstack cannot currently take KVM VM snapshots, but it can handle ROOT and DATA volume snapshots using qemu-img. This functionality can be enabled in Global Settings -> "kvm.snapshot.enabled".
This feature worked fine in previous versions of CentOS (6.0-6.4), however starting with 6.5 qemu-img no longer recognises the "-s" parameter that Cloudstack uses to take the volume snapshots.

This problem can be worked around in many ways, for example by downgrading qemu-img to the 6.4 version, but this idea may not appeal to those who like to stay up to date.

Another, more elegant workaround that I've discovered since getting my hands dirty with ACS is that the script[1] responsible for taking the snapshot first looks for a "cloud-qemu-img" in the $PATH; if it can't find one it falls back on whatever `which qemu-img` returns. So the solution is as simple as getting the old qemu-img installed as cloud-qemu-img; this can be done like this:

mkdir cloud-qemu-img
cd cloud-qemu-img
# fetch the 6.4 package and unpack it without installing it over the stock qemu-img
wget http://vault.centos.org/6.4/updates/x86_64/Packages/qemu-img-0.12.1.2-2.355.el6_4_4.1.x86_64.rpm
rpm2cpio qemu-img-0.12.1.2-2.355.el6_4_4.1.x86_64.rpm | cpio -idmv
# only the binary is needed, under the name the Cloudstack script looks for first
cp ./usr/bin/qemu-img /usr/bin/cloud-qemu-img
Voilà! This is probably the best solution because it doesn't modify the Cloudstack script nor does it interfere with the stock qemu packages.

[1] - /usr/share/cloudstack-common/scripts/storage/qcow2/managesnapshot.sh
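A check for the workaround above, added here and not part of the original post: it reproduces the lookup order the post describes for managesnapshot.sh (cloud-qemu-img on $PATH first, stock qemu-img otherwise) and confirms the pinned binary is a real, separate file. The lookup order is taken from the post, not parsed from the Cloudstack script.

```shell
#!/bin/sh
# Added check, not from the original post: mirror the lookup order described
# for managesnapshot.sh and confirm cloud-qemu-img is what will actually run.

# Print the binary the snapshot script would pick; fail if neither exists.
resolve_snapshot_binary() {
    command -v cloud-qemu-img 2>/dev/null && return 0
    command -v qemu-img 2>/dev/null && return 0
    return 1
}

# Confirm the workaround is in place: cloud-qemu-img must be found, be executable,
# and be a different file from the stock qemu-img (a symlink back to the 6.5
# binary would silently reintroduce the missing "-s" option).
verify_pinned_qemu_img() {
    bin=$(resolve_snapshot_binary) || { echo "no qemu-img binary on PATH" >&2; return 1; }
    case $bin in
        */cloud-qemu-img) ;;
        *) echo "stock binary would be used: $bin" >&2; return 1 ;;
    esac
    [ -x "$bin" ] || { echo "$bin is not executable" >&2; return 1; }
    stock=$(command -v qemu-img 2>/dev/null) || stock=
    if [ -n "$stock" ] && [ "$(readlink -f "$bin")" = "$(readlink -f "$stock")" ]; then
        echo "$bin is the same file as $stock" >&2
        return 1
    fi
    echo "$bin"
}

# Usage on the KVM host after copying the 6.4 binary into place:
# verify_pinned_qemu_img && cloud-qemu-img --version
```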

Stella 6.5, new ISOs

Hello,
It looks like I should have waited a bit with the 6.5 release; in the few days since the CentOS 6.5 launch there were many important updates, worth mentioning the kernel, firefox and thunderbird ones.

The kernel update fixes a weird kernel panic, whereas the firefox and thunderbird updates bump the version from 17 ESR to 24 ESR, with all the bug fixes and new features implied.

New ISOs have been generated and are available from the usual places:
32 bit ISO or the 64 bit one (more mirrors available from the project's page).

Stella 6.5 v3 ISOs contain all the updates up until today, including the kernel and mozilla ones.

Another change is that I'm bundling the kernel-ml-NONPAE with the 32bit ISO and I will no longer generate an image especially for this kernel. The syslinux menu still needs some love, but until that happens, the first entries are for the stock kernel, the second ones for kernel-ml.

If you have problems or comments you can find me on the Stella forums or IRC channel.

Enjoy! =)

Stella GNU/Linux 6.5

Hello, following the release of CentOS 6.5 earlier, I'm pleased to announce the release of updated Stella ISOs carrying the same version number, 6.5.

Download the 32 bit ISO or the 64 bit one (more mirrors available from the project's page).

If you are interested in more details you should check out the RHEL 6.5 release notes:
https://www.redhat.com/about/news/press-archive/2013/11/red-hat-launches-latest-version-of-red-hat-enterprise-linux-6
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/6.5_Release_Notes/index.html

Enjoy! :-)

Setting up Confluence behind mod_proxy

I've recently tried to set up Confluence behind Apache HTTPD (mod_proxy) and it did not go as smoothly as the Atlassian docs suggest.

Here's what needs doing:
1 - Go here and download the 64 bit Linux installer (I'm on Centos 6 64bit)
2 - Make it executable and execute it, use the default values when asked or what you think is appropriate
3 - If you want to use a MySQL DB download this and extract from it mysql-connector-java-5.1.27-bin.jar, putting it in /opt/atlassian/confluence/confluence/WEB-INF/lib/ on the server
4 - Restart Confluence: service confluence restart
5 - Go to http://confluence.example.com:8090 and finish the setup, then go to Confluence Admin -> General Configuration, edit the Site Configuration and update the Server Base URL to match the subdomain you want to use in the end, e.g. http://confluence.example.com, or https://confluence.example.com if you want SSL. Save the settings.
6 - Enable proxying in Apache httpd: edit /etc/httpd/conf/httpd.conf and modify your virtualhost so that it looks like this:
<VirtualHost 12.34.56.78:443>
DocumentRoot "/var/www/confluence"
ServerName confluence.example.com
SSLEngine on
SSLCertificateFile /path/to/server.crt
SSLCertificateKeyFile /path/to/server.key
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:8090/
ProxyPassReverse / http://127.0.0.1:8090/
</VirtualHost>
7 - Edit /opt/atlassian/confluence/conf/server.xml and add proxyName="confluence.example.com" proxyPort="443" scheme="https" to the Connector's line, so that it resembles this
8 - Restart both httpd and confluence services
9 - Go to https://confluence.example.com and enjoy!

10 years of SELinux

Apparently the EL and Fedora world has been using SELinux for 10 years now. It has also made it into Debian.
Here's a very nice article about it:
We are celebrating the SELinux 10th year anniversary this year. Hard to believe it.
SELinux was first introduced in Fedora Core 3 and later in Red Hat Enterprise Linux 4.
For those who have never used SELinux, or would like an explanation...

SELinux is a labeling system. Every process has a label. Every file/directory object in the operating system has a label. Even network ports, devices, and potentially hostnames have labels assigned to them. We write rules to control the access of a process label to an object label like a file. We call this policy. The kernel enforces the rules. Sometimes this enforcement is called Mandatory Access Control (MAC).

The owner of an object does not have discretion over the security attributes of an object. Standard Linux access control, owner/group + permission flags like rwx, is often called Discretionary Access Control (DAC). SELinux has no concept of UID or ownership of files. Everything is controlled by the labels. Meaning an SELinux system can be set up without an all powerful root process.
Read more ...

Cloudstack 4.2.0 is out!

The Apache Software Foundation has announced version 4.2 of the Cloudstack cloud platform!
There are loads of interesting new features, check them out:

http://cloudstack.apache.org/docs/en-US/Apache_CloudStack/4.2.0/html/Release_Notes

Non-ergonomic ergonomic keyboards

After many years of extensive computer use my body is starting to complain through various pains in various places.

I have looked into investing in appropriate, ergonomic equipment and having bought a Steel Case chair, I'm now looking for a good, ergonomic keyboard and am really disappointed with my findings.

Virtually all sub-£100 keyboards that I found sport a bad design. Observe this Microsoft keyboard (like all Microsoft keyboards):

Have you noticed it yet?


It's the numpad. It's too big and should not exist. I don't care about the numpad, I can use the other numeric keys.
It should not exist because in order to use the mouse my hand needs to move 20-40 cm, back and forth and back and forth, countless times per day. This is not good for my aching hand.

99% of the so called ergonomic keyboards have this problem. The ones that do not are the Kinesis Advantage Ergonomic Contoured Keyboard and the Truly Ergonomic Mechanical Keyboard (there may be others that I missed), but they are quite expensive.

I wonder, what would happen to that keyboard if you physically cut off the numpad?


PS: And of course, this has been tried already, successfully! I really like the Truly Ergonomic, but I think I'll try the cheap way first and see how it goes. :-)