
Changing an AD password from CentOS Linux

Changing the AD password from Linux is surprisingly straightforward.
Just run the passwd command as you would normally!
If that doesn't do it, then just issue this command, replacing of course the placeholders with your own values (smbpasswd -r talks to the domain controller directly and prompts for the old and the new password; note that a literal $AD-server would be mangled by the shell, so type the real names):
smbpasswd -r AD_SERVER -U AD_USERNAME

Voilà, enjoy!

Nested virt - Xenserver on KVM

We need to test templates on Xenserver and KVM, however the base OS of the build environment is CentOS 7 (with KVM).
In order to test the templates on Xenserver we had to run this hypervisor as a KVM guest (gotta love virtualisation!); however by default Xenserver will complain that you can't run any HVM guests, only paravirt ones (PV). This sucks because PV is used less and less, with HVM being in the spotlight.

Luckily with KVM we can pass the VMX CPU flag through to a guest and as such make it available to Xenserver for its HVM mode.

There are a few things to be aware of though:
1 - in libvirt give the Xenserver VM a decent CPU model (I used core2duo) and make sure the vmx feature is set to "require", not merely "optional"
2 - the stock CentOS 7 kernel has a problem with nested virt at the moment, so use a newer kernel[1] (I'm using kernel-ml from elrepo-kernel)
3 - make sure the kvm_intel module is loaded with the option nested=1. For this to happen I reloaded the module/rebooted with this in /etc/modprobe.d/kvm-intel.conf:
options kvm-intel nested=1
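The three points above are easy to get half right (for instance nested=1 set on the command line but not in modprobe.d, so it vanishes on the next reboot). The following script is an added example, not part of the original post: it checks the host side before you boot the Xenserver guest. The file locations are parameters so the function can be exercised on constructed input; the defaults are the real /proc and /sys paths. The virt-xml invocation and the libvirt domain name "xenserver" in the comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for nested KVM
# on the CentOS 7 host before booting the Xenserver guest.

# nested_kvm_ready CPUINFO NESTED_PARAM MODPROBE_CONF
#   returns 0 when the host CPU has VMX, the running kvm_intel reports
#   nested=Y (or 1) and the modprobe.d file pins nested=1 so the setting
#   survives a reboot; prints what is missing on stderr otherwise.
nested_kvm_ready() {
    cpuinfo="${1:-/proc/cpuinfo}"
    nested="${2:-/sys/module/kvm_intel/parameters/nested}"
    conf="${3:-/etc/modprobe.d/kvm-intel.conf}"
    rc=0

    if ! grep -qw vmx "$cpuinfo"; then
        echo "no vmx flag in $cpuinfo: VT-x is off in the BIOS or the CPU lacks it" >&2
        rc=1
    fi

    # live value exposed by kvm_intel; older kernels print N/Y, newer ones 0/1
    case "$(cat "$nested" 2>/dev/null)" in
        Y|1) ;;
        *) echo "kvm_intel is loaded without nested=1 (see $nested)" >&2; rc=1 ;;
    esac

    # modprobe accepts both kvm-intel and kvm_intel as the module name
    if ! grep -Eq '^options[[:space:]]+kvm[-_]intel[[:space:]].*nested=1' "$conf" 2>/dev/null; then
        echo "$conf does not set nested=1; the option is lost on reboot" >&2
        rc=1
    fi
    return $rc
}

# Guest side (assumption: libvirt domain named "xenserver"): virt-xml's
# "+feature" syntax sets policy="require" on the feature, which yields
#   <cpu mode="custom"><model>core2duo</model><feature policy="require" name="vmx"/></cpu>
#   virt-xml xenserver --edit --cpu core2duo,+vmx
# Inside the guest, /proc/cpuinfo should then list vmx as well.

if [ "${1:-}" = "--check" ]; then
    nested_kvm_ready && echo "nested KVM ready"
fi
```

Run it as `sh nested-check.sh --check` on the host; a non-zero exit with the reasons on stderr tells you which of the three points is still missing.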

Now enjoy docker on centos, in xenserver on kvm on centos. :-)

[1] - - this will likely be fixed in future CentOS/RH kernel updates, I hope

Stella 6.6 released

With the release of CentOS 6.6 we have bumped up the version as well, so enjoy all the goodies of CentOS plus the extra desktop stuff with the new Stella.

Download it from the usual locations and let us know if you run into any issues!


The poodle bites the web

Heartbleed is not even cold in its grave and here comes another SSL vulnerability: POODLE.
You can read more about it here and there; tl;dr: an attacker sitting in the middle forces the connection down to SSLv3 and then exploits a weakness in SSLv3's CBC padding to recover plaintext byte by byte, for example a session cookie: (local copy)

To fix this in Apache HTTPD edit your SSL configuration file (eg /etc/httpd/conf.d/ssl.conf in CentOS) to have this SSLProtocol line, then restart httpd:
SSLProtocol all -SSLv2 -SSLv3
If you're running cPanel there's more you need to do:
- go in "Home » Service Configuration » cPanel Web Services Configuration" and add ":-SSLv3"
- go in "Home » Service Configuration » Apache Configuration » Include Editor", add the following in "Pre Main Include":
SSLProtocol All -SSLv2 -SSLv3
- be warned that on older cPanel installations (CentOS 5), removing SSLv3 (:-SSLV3) from the cipher list might cause Apache not to start at all.

- If you are running Webmin/Virtualmin:
echo ssl_version=10 >> /etc/webmin/miniserv.conf
service webmin restart
- also be warned that these changes may affect some older browsers, such as IE6, which cannot speak TLS; test before you change.
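On a box with many virtual hosts it is easy to fix ssl.conf and miss an SSLProtocol line in some other include. The script below is an added example, not part of the original post: it audits every active SSLProtocol directive in the files you pass it and fails if any of them still leaves SSLv3 on. The file names in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit the SSLProtocol
# directives in an httpd configuration so the POODLE fix can be verified.
# Apache's built-in default when no SSLProtocol directive is present was
# "all", which at the time still included SSLv3, so a missing directive is
# reported as a failure rather than silently passing.

# sslprotocol_line_ok LINE -> 0 if this one directive leaves SSLv3 disabled
sslprotocol_line_ok() {
    # normalise case and whitespace so "SSLProtocol<TAB>All -SSLV3" still matches
    l=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -s '[:space:]' ' ')
    case "$l" in
        *-sslv3*)        return 0 ;;  # explicitly removed, e.g. "all -SSLv2 -SSLv3"
        *all*|*sslv3*)   return 1 ;;  # "all" or SSLv3 listed positively
        *)               return 0 ;;  # only TLS versions named
    esac
}

# sslv3_disabled FILE... -> 0 when every SSLProtocol directive found
# excludes SSLv3; the offending line is printed on stderr otherwise
sslv3_disabled() {
    # active directives only; commented-out lines do not count
    lines=$(grep -hi '^[[:space:]]*sslprotocol[[:space:]]' "$@" 2>/dev/null)
    if [ -z "$lines" ]; then
        echo "no SSLProtocol directive: Apache default (all) applies, SSLv3 still on" >&2
        return 1
    fi
    echo "$lines" | {
        while read -r line; do
            if ! sslprotocol_line_ok "$line"; then
                echo "SSLv3 still allowed: $line" >&2
                exit 1
            fi
        done
    }
}

# Typical use on CentOS (paths are assumptions):
#   sslv3_disabled /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/*vhost*.conf
# Live check against a running server (needs network, so not part of the
# offline checks): a completed handshake means SSLv3 is still enabled.
#   openssl s_client -connect www.example.com:443 -ssl3 </dev/null
# Run "apachectl configtest" and restart httpd after editing, then re-audit.
```

The audit is static: it only tells you what the files say. The openssl s_client line in the comment is the check that proves the running daemon actually dropped SSLv3 after the restart.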

Install Skype on CentOS 7 (and other RH clones)

Hello there. CentOS 7 is a fresh and major release, but fear not, Skype works well on it.
As usual, just yum install skype if you have my nux-dextop repo installed, or just grab the latest RPM from here and install it.

Don't be shy and let me know if you encounter any issues - rpm at !

512k routes ought to be enough for everyone

Today someone announced a few more IPv4 prefixes on the Internet, nothing new here, but this pushed the global routing table past 500k entries (501,525 as we speak).
This caused a lot of very popular Cisco router models to fall over, because their default allocation for the IPv4 forwarding table (the FIB TCAM) is 512k entries, which in this case was not enough to hold the global table.[1]
Here in the UK I noticed a lot of companies had problems, from smaller ones like Coreix to bigger ones like BT; the impact was pretty large. I imagine the problem was felt globally.

This default value can be changed easily[2], but it requires a reboot of the router, which in the network engineering world is a big deal since the router is one of the most critical pieces of infrastructure; everyone should plan their maintenance windows accordingly.

[1] - In theory the table should hold up to 512k entries, but that memory is not used exclusively for IPv4: some of it goes to IPv6, some to maintaining various sessions, MPLS etc., so it crapped out at around 500k.
[2] -

New Shutter packages for EL6 & EL7

Shutter is a wonderful project which started as a screenshot tool, but I find myself using its editing capabilities more and more. I barely touch GIMP nowadays!
I have updated the Shutter packages for EL6 and EL7 the other day. You may notice some improvements and a few UI changes (nice icons).
To install it you need EPEL and nux-dextop repos on your system. Check this page for how to do that if you do not have them already:

Once that's done, just:
yum install shutter



OpenVM.EU - the first Cloudstack "market place"

This week I have launched OpenVM.EU.
OpenVM is a repository of templates and appliances for various Linux distributions, made specifically for Apache Cloudstack.
So far it is very much work in progress, but images will start pouring in shortly.

Thanks go to Ian for being willing to help with creating the Debian/Ubuntu images!

Run your own realhostip

realhostip is a DNS (and SSL) service run by Citrix to provide certain SSL functionality. To quote from the Cloudstack wiki:

Periodically we get questions asking about what the realhostip DNS name is exactly doing in CloudStack. The domain exists to make HTTPS work across all CloudStack installations in different customer sites, without administrators having to worry about how to load an SSL certificate due to deployment environment changes. SSL certificates are used in CloudStack system VMs to host HTTPS connections, for example the console proxy VM and the secondary storage VM, which both use it in their HTTP server. The SSL certificate is signed with wild-match addresses; all DNS names under * are qualified to use the certificate. Because every CloudStack customer has its own environment, each one has their own set of system VMs in their installation and each system VM instance has its own set of IP addresses. To use ONE certificate for all these instances among different customers, we came up with a solution by providing a dynamic DNS service hosted by CloudStack; the DDNS service basically translates the following form of DNS names to IP addresses: to IP address. CloudStack has control of the IP address in each installation, so whenever we need an SSL certificate, no matter which customer is running the installation, with such a DDNS service available we can always assign it a suffix under the domain on top of ever-changing IP addresses; this is the trick we play to make ONE SSL certificate applicable universally among all CloudStack installations. In most of these cases the ugly-formed DNS name is not visible to end users, since its main purpose is to help establish a secure communication channel (not truly to certify a site); however, there are cases where customers may care, therefore the console proxy VM does provide a customizable way for users to use their own SSL certificates.
Realhostip will disappear from future versions of Cloudstack as it adds extra complexity and makes the setup dependent on a 3rd party service, not to mention it requires one to have a working connection to the Internet which is not always the case with private cloud deployments.

With the introduction out of the way, let's proceed to the actual steps required to run such a service yourself. You will need 3 things mainly:
- the software that runs the wildcard DNS service
- a domain name
- a wildcard certificate for this domain name (it can be self-signed if you don't mind the browser complaints)

Tip: You can also have a look at this if you don't want to run this DNS software:
In my setup I have dedicated a virtual machine with CentOS 6.5 64bit and a public IP address to run both the cloudstack management server and the "realhostip" DNS service. Read below how to install it (copy/paste style):
# get all the prerequisites
yum -y install git java-1.7.0-openjdk-devel
cd /usr/local
git clone
# RHIP was built with java 1.5 originally, we need to modify the build script to use 1.7
sed -i s/1.5/1.7/g
# build it
# build the zone file for your domain
cp named.mydomain.tld
sed -i s/ named.mydomain.tld
# open named.mydomain.tld in your favourite editor and update it with your own details, the ns A entries should point to the local machine
vi named.mydomain.tld
# make sure there is no DNS server running on this machine already
# launch the program, it requires the following 4 parameters: domain name, zone file, port and log configuration file
# add the line below to /etc/rc.local if you want it to start at boot
cd /usr/local/RHIP/; setsid ./ mydomain.tld named.mydomain.tld 53
If at your registrar you have delegated the domain's nameservers to the box running RHIP, then you should already be able to get some DNS records:
host 1-2-3-8.mydomain.tld
1-2-3-8.mydomain.tld has address
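The whole trick rests on one rule: the first label a-b-c-d under your domain resolves to a.b.c.d, and nothing else should resolve at all. The function below is an added example, not RHIP's code or the original post's: it implements that rule so you can compute what your DNS service should answer for a given name and compare it with what `host` returns. The domain mydomain.tld follows the post; the nameserver ns1.mydomain.tld in the comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): the name-to-address rule a
# realhostip-style wildcard DNS service implements.

# rhip_ip NAME DOMAIN -> prints the IPv4 address encoded in NAME's first
# label (a-b-c-d.DOMAIN -> a.b.c.d); returns 1 for anything else, so the
# caller can tell "not our format" apart from a real answer.
rhip_ip() {
    name=$1
    domain=$2
    case "$name" in
        *."$domain") label=${name%."$domain"} ;;
        *) return 1 ;;
    esac
    # the label must be digits joined by single hyphens, with no
    # further labels in front of it (www.1-2-3-8.DOMAIN is rejected)
    case "$label" in
        ''|-*|*-|*--*|*[!0-9-]*) return 1 ;;
    esac
    set -- $(printf '%s' "$label" | tr '-' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    printf '%s\n' "$label" | tr '-' '.'
}

# Against the running service (needs DNS reachability, not part of the
# offline checks; ns1.mydomain.tld is an assumed nameserver name):
#   dig +short @ns1.mydomain.tld 1-2-3-8.mydomain.tld   # expect 1.2.3.8
# Any name the service answers that rhip_ip rejects is a configuration bug.
```

Keep in mind what this design gives you: the wildcard certificate is served by every console proxy and secondary storage VM, so its private key lives on each of them, and the DNS side will happily mint a name for any IPv4 address. As the wiki quote says, the name secures the channel rather than certifying a site; treat the system VMs as holders of that key accordingly.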

The software is installed, configured and running, now we need to configure the Cloudstack part of things.
Login as admin in the UI, go to Infrastructure, click on SSL Certificate (upper right), in the Certificate box paste the contents of your certificate (PEM/Apache2 format is ok), in the PKCS#8 Private Key field paste the contents of your key and in the DNS Domain Suffix field put your own domain, e.g. mydomain.tld.
After you click OK Cloudstack will restart the system VMs so they load the new certificate and next time you open a console you will be using your own service instead of

We are almost done. In many cases the certificate comes with an intermediate CA certificate. In my case I ended up with a PositiveSSL wildcard cert from Comodo (the cheapest I could find), so when they sent me the certificate they also sent an intermediate one... The problem is the intermediate CA cert cannot be added from the web interface. What I did is to install phpMyAdmin on the virtual machine and add it manually from there. Here's how:
- install and login in phpMyAdmin
- select the "cloud" database and click on the "keystore" table
- you should see a row with your certificate from the previous step and one for, delete the one
- insert a new row, id can be anything, 2, 3, etc; name can be anything; in the "certificate" text box add your CA intermediate, key can be "null" so tick the null check box, domain_suffix is mydomain.tld
- the "seq" field is important, the intermediate seq number needs to be smaller, ie use 1 for it and 2 for the existing row, like here
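Two things go wrong at this stage more often than the keystore edit itself: the key pasted into the "PKCS#8 Private Key" field is the PKCS#1 "BEGIN RSA PRIVATE KEY" file the CA handed back with the CSR, or the intermediate you insert is not actually the one that signed your leaf. The script below is an added example, not part of the original post or of Cloudstack: it converts the key to PKCS#8, checks that key and certificate belong together, and checks that the leaf chains through the intermediate. make_demo_chain only builds a throwaway self-signed root, intermediate and *.mydomain.tld leaf so the checks can be tried offline (constructed data, not a real CA); with a real certificate you run the three check functions on the files your CA sent. It needs the openssl command line; all file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): check the certificate
# material before pasting it into the Cloudstack SSL Certificate dialog,
# and convert the key into the PKCS#8 PEM form the dialog expects.

# to_pkcs8 KEY_IN KEY_OUT: the dialog wants "BEGIN PRIVATE KEY" (PKCS#8),
# not the "BEGIN RSA PRIVATE KEY" (PKCS#1) most CAs hand out alongside the
# CSR; this converts without adding a passphrase (the system VMs cannot
# prompt for one).
to_pkcs8() {
    openssl pkcs8 -topk8 -nocrypt -in "$1" -out "$2"
}

# key_matches_cert KEY CERT: 0 when the public keys agree
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# chain_ok ROOT INTERMEDIATE CERT: 0 when CERT is signed by INTERMEDIATE
# and INTERMEDIATE by ROOT, i.e. the intermediate you insert into the
# keystore is really the one the leaf needs.
chain_ok() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# make_demo_chain DIR: writes root.pem, inter.pem, wild.pem and wild.key
# (constructed test material only; a real deployment uses the CA's files)
make_demo_chain() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=Demo Root' \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate' \
        -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
    # without CA:TRUE openssl verify rejects the intermediate as a signer
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=*.mydomain.tld' \
        -keyout "$d/wild.key" -out "$d/wild.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.mydomain.tld\n' > "$d/leaf.ext"
    openssl x509 -req -in "$d/wild.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -days 30 -extfile "$d/leaf.ext" -out "$d/wild.pem" 2>/dev/null
}

# Typical run with a real certificate (file names are assumptions):
#   key_matches_cert wild.key wild.pem && chain_ok root.pem inter.pem wild.pem \
#       && to_pkcs8 wild.key wild.p8 && echo "paste wild.pem and wild.p8 into the UI"
```

If chain_ok fails with the intermediate your CA sent, you have the wrong intermediate (or the CA's root is missing from the box), and the keystore row described above would only make the system VMs serve a chain browsers reject.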

Good luck!