
Stella 6.6 released

Following the CentOS 6.6 release we have bumped the version as well, so enjoy all the goodies of CentOS plus the extra desktop stuff in the new Stella.

Download it from the usual locations and let us know if you run into any issues!


Nux!

The poodle bites the web

Heartbleed is not even cold in its grave and here comes another SSL vulnerability: POODLE.
You can read more about it here and there; tl;dr it exploits a weakness in SSLv3's CBC padding that lets a man-in-the-middle attacker recover plaintext such as session cookies, and since browsers will happily fall back to SSLv3 when TLS fails, the fix is to stop offering SSLv3 altogether:
https://www.imperialviolet.org/2014/10/14/poodle.html (local copy)
http://googleonlinesecurity.blogspot.co.uk/2014/10/this-poodle-bites-exploiting-ssl-30.html
http://security.stackexchange.com/questions/70719/ssl3-poodle-vulnerability

To fix this in Apache HTTPD edit your SSL configuration file (e.g. /etc/httpd/conf.d/ssl.conf on CentOS) so that the SSLProtocol line reads as below, then restart httpd:
SSLProtocol all -SSLv2 -SSLv3
If you're running cPanel there's more you need to do:
- go to "Home » Service Configuration » cPanel Web Services Configuration" and add ":-SSLv3"
- go to "Home » Service Configuration » Apache Configuration » Include Editor" and add the following in "Pre Main Include":
SSLProtocol All -SSLv2 -SSLv3
- be warned that on older cPanel installations (CentOS 5), removing SSLv3 (:-SSLv3) from the protocol list might cause Apache not to start at all.


- if you are running Webmin/Virtualmin, tell miniserv to speak TLSv1 only:
echo ssl_version=10 >> /etc/webmin/miniserv.conf
service webmin restart
- also be warned that these changes may lock out some older clients, such as IE6 (which ships with TLS 1.0 turned off), so test before you change.
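Two checks worth running once the changes above are in, as an added example that is not part of the original post: a small parser that evaluates SSLProtocol lines the way mod_ssl does (a bare token replaces the protocol set, "+" adds to it, "-" removes from it, and no directive at all means the compiled-in default "all"), and a wrapper around openssl s_client -ssl3 that tells "the server refused SSLv3" apart from "my local openssl cannot even try". The config path defaults to the CentOS file named above; the host to probe is whatever you pass in.

```python
import re
import subprocess

# Added example, not from the original post: audit an Apache mod_ssl config for
# SSLv3 and, optionally, probe a live server with openssl s_client -ssl3.

SSLV3_NAMES = ("all", "sslv3")


def directive_allows_sslv3(args):
    """Evaluate one SSLProtocol argument list the way mod_ssl does.

    mod_ssl walks the tokens left to right: a bare token replaces the whole
    protocol set, '+tok' adds to it and '-tok' removes from it. So
    'all -SSLv2 -SSLv3' ends without SSLv3, while 'TLSv1 +SSLv3' ends with it.
    """
    allowed = False
    for tok in args.lower().split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else (None, tok)
        if name in SSLV3_NAMES:
            allowed = sign != "-"      # bare or '+' all/sslv3 brings it in, '-' drops it
        elif sign is None:
            allowed = False            # bare TLSvX replaces the set, SSLv3 falls out
    return allowed


def sslprotocol_directives(conf_text):
    """Return [(line_no, args)] for every uncommented SSLProtocol directive."""
    found = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = re.match(r"\s*SSLProtocol\s+(\S.*)$", line, re.I)
        if m:
            found.append((no, m.group(1).strip()))
    return found


def apache_allows_sslv3(conf_text):
    """True if this config still lets SSLv3 through anywhere.

    No directive at all means mod_ssl's compiled-in default ('all'), which on
    the EL5/EL6-era httpd the post targets includes SSLv3. With several
    VirtualHosts the file is flagged if any directive allows it: an audit
    should err towards the pessimistic reading.
    """
    directives = sslprotocol_directives(conf_text)
    if not directives:
        return True
    return any(directive_allows_sslv3(args) for _, args in directives)


def probe_sslv3(host, port=443, timeout=10):
    """Attempt an SSLv3-only handshake with the system openssl.

    Returns 'yes' if the server negotiates SSLv3, 'no' if it refuses, and
    'untestable' if the connection failed or the local openssl has no SSLv3
    support (modern builds drop it; that says nothing about the server).
    """
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-ssl3"]
    try:
        proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return "untestable"
    text = (proc.stdout + proc.stderr).decode("utf-8", "replace")
    if re.search(r"unknown option|connect:errno", text, re.I):
        return "untestable"
    return "yes" if re.search(r"Protocol\s*:\s*SSLv3", text) else "no"


if __name__ == "__main__":
    import sys
    conf_path = sys.argv[1] if len(sys.argv) > 1 else "/etc/httpd/conf.d/ssl.conf"
    with open(conf_path) as fh:
        text = fh.read()
    for no, args in sslprotocol_directives(text):
        state = "ALLOWS" if directive_allows_sslv3(args) else "blocks"
        print(f"{conf_path}:{no}: SSLProtocol {args}  -> {state} SSLv3")
    print("overall:", "SSLv3 still permitted" if apache_allows_sslv3(text) else "SSLv3 disabled")
    if len(sys.argv) > 2:
        print(sys.argv[2], "SSLv3 handshake:", probe_sslv3(sys.argv[2]))
```

Run it as `python3 check_sslv3.py /etc/httpd/conf.d/ssl.conf www.example.com` after the restart. A result of "untestable" from the probe is not a clean bill of health; it only means that client could not make the attempt, so test from a box whose openssl still has SSLv3 compiled in.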

Install Skype on CentOS 7 (and other RH clones)

Hello there. CentOS 7 is a fresh and major release, but fear not, Skype works well on it.
As usual, just yum install skype if you have my nux-dextop repo installed or just grab the latest RPM from here http://li.nux.ro/download/nux/dextop/el7/x86_64/ and install it.

Don't be shy and let me know if you encounter any issues - rpm at li.nux.ro !

512k routes ought to be enough for everyone

Today someone announced some more IPv4 prefixes on the Internet, nothing new here, but this meant the global routing table exceeded 500k entries (501,525 as we speak).
This has caused a lot of very popular Cisco router models to go belly up, because their default value for the IPv4 table size is 512k, which in this case was not enough to hold the global table.[1]
Here in the UK I noticed a lot of companies had problems, from smaller ones like Coreix to bigger ones like BT; the impact was pretty large. I imagine this problem was felt globally.

This default value can be changed easily[2], but it requires a reboot of the router which in the network engineering world is a big thing as it is one of the most critical pieces of infrastructure; everyone should plan their maintenance windows accordingly.

[1] - Theoretically the table should hold up to 512k entries, but the memory is not exclusively used for it, some of it goes to IPv6, some to maintaining various sessions, MPLS etc, so it crapped out at around 500k.
[2] - http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/117712-problemsolution-cat6500-00.html

New Shutter packages for EL6 & EL7

Shutter is a wonderful project which started as a screenshot tool, but I find myself using its editing capabilities more and more. I barely touch GIMP nowadays!
I have updated the Shutter packages for EL6 and EL7 the other day. You may notice some improvements and a few UI changes (nice icons).
To install it you need EPEL and nux-dextop repos on your system. Check this page for how to do that if you do not have them already:
http://li.nux.ro/repos.html

Once that's done, just:
yum install shutter

Enjoy!

Bucium

Horn from my country.

Openvm.eu - the first Cloudstack "market place"

This week I have launched OpenVM.EU.
OpenVM is a repository of templates and appliances for various Linux distributions, made specifically for Apache Cloudstack.
So far it is very much work in progress, but images will start pouring in shortly.

Thanks go to Ian for being willing to help with creating the Debian/Ubuntu images!

Run your own realhostip

Realhostip.com is a DNS (and SSL) service run by Citrix that provides the SSL plumbing described below. To quote from the CloudStack wiki:

Periodically we get questions asking what the realhostip DNS name is exactly doing in CloudStack. The realhostip.com domain exists to make HTTPS work across all CloudStack installations at different customer sites, without administrators having to worry about how to load an SSL certificate when the deployment environment changes. SSL certificates are used in CloudStack system VMs to host HTTPS connections; for example, the console proxy VM and the secondary storage VM both use one in their HTTP servers. The realhostip.com SSL certificate is signed as a wildcard certificate, so all DNS names under *.realhostip.com are qualified to use it.

Because every CloudStack customer has its own environment, each one has its own set of system VMs in its installation and each system VM instance has its own set of IP addresses. To use ONE certificate for all these instances across different customers, we came up with a solution by providing a dynamic DNS service hosted by CloudStack; the DDNS service basically translates DNS names of the form xxx-xxx-xxx-xxx.realhostip.com to the IP address xxx.xxx.xxx.xxx. CloudStack has control of the IP addresses in each installation, so whenever we need an SSL certificate, no matter which customer is running the installation, with such a DDNS service available we can always assign it a suffix under the realhostip.com domain on top of ever-changing IP addresses. This is the trick we play to make ONE SSL certificate applicable universally among all CloudStack installations.

In most cases the ugly formed DNS name is not visible to end users, since its main purpose is to help establish a secure communication channel (not truly to certify a site); however, there are cases where customers do care, therefore the console proxy VM does provide a customizable way for users to use their own SSL certificates.
Realhostip will disappear from future versions of Cloudstack as it adds extra complexity and makes the setup dependent on a 3rd party service, not to mention it requires one to have a working connection to the Internet which is not always the case with private cloud deployments.

With the introduction out of the way, let's proceed to the actual steps required to run such a service yourself. You will need 3 things mainly:
- the software that runs the wildcard DNS service
- a domain name
- a wildcard certificate for this domain name (it can be self-signed if you don't mind the browser complaints)

Tip: You can also have a look at this if you don't want to run this DNS software: http://support.citrix.com/article/CTX133468
In my setup I have dedicated a virtual machine with CentOS 6.5 64bit and a public IP address to run both the cloudstack management server and the "realhostip" DNS service. Read below how to install it (copy/paste style):
# get all the prerequisites
yum -y install git java-1.7.0-openjdk-devel
cd /usr/local
git clone https://github.com/ke4qqq/RHIP
cd RHIP
# RHIP was built with Java 1.5 originally, we need to modify the build script to use 1.7 (the dot is escaped so sed only matches the literal "1.5")
sed -i 's/1\.5/1\.7/g' build.sh
# build it
./build.sh
# build the zone file for your domain
cp named.realhostip.com named.mydomain.tld
sed -i 's/realhostip\.com/mydomain.tld/g' named.mydomain.tld
# open named.mydomain.tld in your favourite editor and update it with your own details; the ns A entries should point to the local machine
vi named.mydomain.tld
# make sure there is no DNS server (named, dnsmasq, etc.) already bound to port 53 on this machine
# launch the program, it requires the following 4 parameters: domain name, zone file, port and log configuration file
# add the line below to /etc/rc.local if you want it to start at boot
cd /usr/local/RHIP/; setsid ./run.sh mydomain.tld named.mydomain.tld 53 log4j.properties
If at your domain's registrar you have pointed the nameservers to the box running RHIP, you should already be able to resolve some records:
host 1-2-3-8.mydomain.tld
1-2-3-8.mydomain.tld has address 1.2.3.8
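The translation RHIP performs is simple enough to show end to end. The following is an added example, not RHIP's code or anything from the post: a minimal Python responder that answers A queries for a-b-c-d.<suffix> with the address a.b.c.d, returns an empty NOERROR answer (NODATA) for other record types on such names, and NXDOMAIN for everything else. SUFFIX and TTL are assumptions standing in for your own domain; binding port 53 needs root and, as above, no other DNS server on the box.

```python
import socket
import struct

# Added example, not the RHIP project's code: a minimal "realhostip"-style DNS
# responder. Names of the form a-b-c-d.<SUFFIX> resolve to a.b.c.d; nothing is
# looked up anywhere, the answer is computed from the name itself.
SUFFIX = "mydomain.tld"   # assumption: your own domain, as in the post
TTL = 60                  # assumption: short TTL, the mapping is synthetic anyway


def name_to_ip(qname, suffix=SUFFIX):
    """Return 'a.b.c.d' for 'a-b-c-d.<suffix>', or None if the name is not of that shape."""
    qname = qname.rstrip(".").lower()
    suffix = suffix.rstrip(".").lower()
    if not qname.endswith("." + suffix):
        return None
    label = qname[:-len(suffix) - 1]
    if "." in label:                      # exactly one label in front of the suffix
        return None
    parts = label.split("-")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        return None                       # ''.isdigit() is False, so '1--2-3.x' is rejected too
    return ".".join(str(int(p)) for p in parts)


def encode_name(name):
    """Wire-format a dotted name (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def parse_question(msg):
    """Parse the first question; return (qname, qtype, qclass, offset after the question)."""
    off, labels = 12, []
    while True:
        ln = msg[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return ".".join(labels), qtype, qclass, off + 4


def build_query(txid, name, qtype=1):
    """Build a standard recursion-desired query with one question (used for testing)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(query):
    """Answer one query; the question is always echoed so resolvers can match it."""
    txid, flags = struct.unpack("!HH", query[:4])
    qname, qtype, qclass, qend = parse_question(query)
    question = query[12:qend]
    rflags = 0x8400 | (flags & 0x0100)    # QR=1, AA=1, keep the client's RD bit
    ip = name_to_ip(qname)
    if ip is None:                        # not in our synthetic zone: NXDOMAIN
        return struct.pack("!HHHHHH", txid, rflags | 3, 1, 0, 0, 0) + question
    if qtype != 1 or qclass != 1:         # valid name but no such RR type: NODATA
        return struct.pack("!HHHHHH", txid, rflags, 1, 0, 0, 0) + question
    # answer: pointer to the question name at offset 12, A/IN, TTL, rdlength 4, address
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, TTL, 4) + socket.inet_aton(ip)
    return struct.pack("!HHHHHH", txid, rflags, 1, 1, 0, 0) + question + answer


def rcode(resp):
    """RCODE of a response built above (0 NOERROR, 3 NXDOMAIN)."""
    return struct.unpack("!H", resp[2:4])[0] & 0x0F


def answer_ip(resp):
    """The A record in a response built above, or None if it carries no answer."""
    ancount = struct.unpack("!H", resp[6:8])[0]
    return socket.inet_ntoa(resp[-4:]) if ancount else None


def serve(bind="0.0.0.0", port=53):
    """Serve over UDP. Port 53 needs root and must not be held by another DNS server."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(build_response(data), peer)
        except (ValueError, IndexError, struct.error):
            pass                          # malformed query: drop it silently


if __name__ == "__main__":
    serve()
```

Run it directly (as root) to serve, or import it and feed build_response() a packet from build_query() to see exactly what a resolver gets back. One design point the wiki quote glosses over: the service is deliberately open and will hand 10-0-0-1.mydomain.tld → 10.0.0.1 to anyone who asks, so the security of the whole scheme rests on the wildcard certificate's private key living only on your system VMs, not on anything the DNS side does.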


The software is installed, configured and running, now we need to configure the Cloudstack part of things.
Log in as admin in the UI, go to Infrastructure, click on SSL Certificate (upper right), paste the contents of your certificate in the Certificate box (PEM/Apache2 format is fine), paste the contents of your key in the PKCS#8 Private Key field and put your own domain, e.g. mydomain.tld, in the DNS Domain Suffix field.
After you click OK Cloudstack will restart the system VMs so they load the new certificate and next time you open a console you will be using your own service instead of realhostip.com

We are almost done. In many cases the certificate comes with an intermediate CA certificate. In my case I ended up with a PositiveSSL wildcard cert from Comodo (the cheapest I could find), so when they sent me the certificate they also sent an intermediate one... The problem is that the intermediate CA cert cannot be added from the web interface. What I did was install phpMyAdmin on the virtual machine and add it manually from there. Here's how:
- install and log in to phpMyAdmin
- select the "cloud" database and click on the "keystore" table
- you should see a row with your certificate from the previous step and one for realhostip.com; delete the realhostip.com one
- insert a new row: id can be anything (2, 3, etc.); name can be anything; in the "certificate" text box paste your intermediate CA certificate; key can be NULL, so tick the null check box; domain_suffix is mydomain.tld
- the "seq" field is important: the intermediate's seq number needs to be smaller, i.e. use 1 for it and 2 for the existing row


Good luck!

Installing a 64bit kernel into a 32bit CentOS OS

Today I needed to make a CentOS 6 32-bit OS see 24 GB of RAM. Unfortunately, although the default 32-bit kernel from RH already has PAE enabled, it will not handle more than 16 GB of RAM; the only solution that came to mind was to use a 64-bit kernel.
This is possible, but it does not seem like a very good or elegant solution, at least not long term; however it's WAY quicker than a full reinstall.
All one needs to do is get the 64-bit kernel from a mirror and install it via rpm:
wget http://mirrors.coreix.net/centos/6/os/x86_64/Packages/kernel-2.6.32-431.el6.x86_64.rpm
rpm -ivh --force --ignorearch kernel-2.6.32-431.el6.x86_64.rpm
That's it, now edit /boot/grub/menu.lst to make it default and off you go: reboot!

Forcing a reboot or shutdown in Linux

Sometimes we need to test various things in Linux that require instant and/or abrupt reboots or shutdowns.
While for reboots one can use `reboot -f`, I was not aware of a way to do a forced shutdown, until now.
The trick is to use the Magic SysRq interface: writing 1 to /proc/sys/kernel/sysrq enables all SysRq functions, and writing a command letter to /proc/sysrq-trigger runs it as if the key combination had been pressed:
# reboot immediately
echo 1 > /proc/sys/kernel/sysrq
echo b > /proc/sysrq-trigger
# power off immediately
echo 1 > /proc/sys/kernel/sysrq
echo o > /proc/sysrq-trigger
Both are truly abrupt: nothing is synced or unmounted, so expect the same dirty filesystems you would get from pulling the plug. If you want the abruptness without the fsck afterwards, write s (sync) and then u (remount read-only) to /proc/sysrq-trigger first.

Happy testing! :)