Tuesday, August 10, 2010


Quick CentOS domu install on LVM on CentOS dom0 host

Overview


This process depends on the Xen host (dom0) being CentOS. It could be made to work elsewhere, but this is easy and happens to be where I do installs often.

Volumes are created as LVM logical volumes, not image files. The config file needs to point at the correct VG.

The domU created is a very minimal CentOS 5.4 install.

The create script



#!/bin/bash
# Usage: ./create-domu <config>
# The config file is a shell fragment that is sourced below, so it runs with
# root privileges: only source config files you wrote and that root owns.

if [ "$1" = "" ] ; then
echo "usage: $0 <config>"
exit 1
elif [ ! -f "$1" ] ; then
echo "Could not open $1"
exit 1
fi

config="$1"
. "$config"

echo "This script only works when run on a CentOS system for the moment"
echo -n "Type YES if you want to create $SYSVOL and $SWAPVOL: "
read resp
if [ ! "$resp" = "YES" ] ; then
exit 1
fi

# Stop at the first failure so a half-built root is not mounted and populated
set -e
set -x

lvcreate --size "$SYSVOLSIZE" --name "$SYSVOL" "${VG}"
lvcreate --size "$SWAPVOLSIZE" --name "$SWAPVOL" "${VG}"
mkfs.ext3 "/dev/${VG}/$SYSVOL"
mkswap "/dev/${VG}/$SWAPVOL"

mkdir -p /mnt/server
mount "/dev/${VG}/$SYSVOL" /mnt/server
mkdir -p /mnt/server/dev /mnt/server/etc /mnt/server/proc /mnt/server/var/lock/rpm /mnt/server/var/lib/rpm /mnt/server/var/log
# Minimal device nodes the package scripts need inside the new root
MAKEDEV -d /mnt/server/dev -x random
MAKEDEV -d /mnt/server/dev -x console
MAKEDEV -d /mnt/server/dev -x zero
MAKEDEV -d /mnt/server/dev -x null
mount -t proc none /mnt/server/proc
wget "$CENTOSRPM"
# Verify the release package signature before installing it with --nodeps.
# Import the CentOS 5 key first (rpm --import of RPM-GPG-KEY-CentOS-5 from the
# mirror's os/x86_64/ directory; check the mirror for the exact file name) or
# this check fails and the script stops here.
rpm -K centos-release*.rpm
rpm --initdb --root=/mnt/server
rpm -ivh --root=/mnt/server --nodeps centos-release*.rpm
#yum groupinstall Core --installroot=/mnt/server
yum groupinstall $CENTOSGROUPS --installroot=/mnt/server --disableplugin=protectbase --disableplugin=fastestmirror
# base/ is a local skeleton tree (fstab, network config, ...) laid over the fresh install
cp -a base/* /mnt/server
cd /mnt/server
vi etc/fstab etc/resolv.conf etc/sysconfig/network etc/sysconfig/network-scripts/ifcfg-eth0 etc/hosts



Config file




Currently some config options (MEMORY, VCPUS, KERNEL) are not used by the create script, as I have not ported an old script that generates the Xen config from them.

Config example:

VG=vg0
SYSVOL=www1-root
SWAPVOL=www1-swap
SYSVOLSIZE=3G
SWAPVOLSIZE=1G
MEMORY=512
VCPUS=1
CENTOSRPM="http://mirror.centos.org/centos/5.4/os/x86_64/CentOS/centos-release-5-4.el5.centos.1.x86_64.rpm"
CENTOSGROUPS="Core"
KERNEL="/var/lib/xen/boot/vmlinuz-2.6.18-164.el5xen"


Sample xen config



kernel = "/var/lib/xen/boot/vmlinuz-2.6.18-164.el5xen"
ramdisk = "/var/lib/xen/boot/initrd-2.6.18-164.el5xen.img"
memory = 512
vcpus = 1
name = "www1"
vif = [ '' ]
disk = ['phy:vg0/www1-root,sda1,w', 'phy:vg0/www1-swap,sda2,w']

root = "/dev/sda1"
extra = "fastboot"

on_poweroff = 'destroy'
on_reboot = 'restart'
on_crash = 'restart'
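The config example carries MEMORY, VCPUS and KERNEL that the create script never reads, because the Xen config is still written by hand. The script below is an added example, not code from the original post: it renders a Xen config like the sample above from the same config file, using the variable names from the config example plus two assumed ones, RAMDISK and NAME (NAME defaults to SYSVOL with its -root suffix removed, so www1-root gives www1). Because the config file is sourced as root and its values land inside the quoted strings of the generated file, it refuses values that could point the domU at another block device or break the config syntax.

```shell
#!/bin/sh
# Added example (not from the original post): render the Xen domU config
# from the shell-style config file the create script sources. VG, SYSVOL,
# SWAPVOL, MEMORY, VCPUS and KERNEL are the names from the config example;
# RAMDISK and NAME are assumptions made here.

# Only allow [A-Za-z0-9_.-] in values that end up inside the quoted strings
# of the generated file: a quote, comma or slash in SYSVOL could otherwise
# select a different device or change the disk line's meaning.
safe_token() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# render_xen_config <config-file>  -> prints the xm config on stdout, exit 1 on bad input
render_xen_config() {
    # Source in a subshell so the caller's variables stay untouched. Sourcing
    # executes the file, so it must come from a trusted, root-owned path.
    (
        . "$1" || exit 1
        name="${NAME:-${SYSVOL%-root}}"
        for v in "$VG" "$SYSVOL" "$SWAPVOL" "$name"; do
            safe_token "$v" || { echo "refusing unsafe or empty value: '$v'" >&2; exit 1; }
        done
        for n in "$MEMORY" "$VCPUS"; do
            is_uint "$n" || { echo "MEMORY and VCPUS must be integers" >&2; exit 1; }
        done
        [ -n "$KERNEL" ] || { echo "KERNEL is not set" >&2; exit 1; }

        printf 'kernel = "%s"\n' "$KERNEL"
        if [ -n "${RAMDISK:-}" ]; then
            printf 'ramdisk = "%s"\n' "$RAMDISK"
        fi
        printf 'memory = %d\n' "$MEMORY"
        printf 'vcpus = %d\n' "$VCPUS"
        printf 'name = "%s"\n' "$name"
        printf "vif = [ '' ]\n"
        printf "disk = ['phy:%s/%s,sda1,w', 'phy:%s/%s,sda2,w']\n" \
            "$VG" "$SYSVOL" "$VG" "$SWAPVOL"
        printf '\nroot = "/dev/sda1"\nextra = "fastboot"\n\n'
        printf "on_poweroff = 'destroy'\non_reboot = 'restart'\non_crash = 'restart'\n"
    )
}

# Constructed sample config: the example from the post plus the assumed RAMDISK.
write_sample_config() {
    cat > "$1" <<'EOF'
VG=vg0
SYSVOL=www1-root
SWAPVOL=www1-swap
SYSVOLSIZE=3G
SWAPVOLSIZE=1G
MEMORY=512
VCPUS=1
CENTOSRPM="http://mirror.centos.org/centos/5.4/os/x86_64/CentOS/centos-release-5-4.el5.centos.1.x86_64.rpm"
CENTOSGROUPS="Core"
KERNEL="/var/lib/xen/boot/vmlinuz-2.6.18-164.el5xen"
RAMDISK="/var/lib/xen/boot/initrd-2.6.18-164.el5xen.img"
EOF
}

# Usage: sh render-xen-config.sh --demo   (writes the sample config and renders it)
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp) && write_sample_config "$tmp" && render_xen_config "$tmp"
    rm -f "$tmp"
fi
```

In practice you would redirect render_xen_config's output to the domU's config under /etc/xen (path assumed) and read it over once before xm create; the validation is there so a typo or a tampered config cannot quietly hand the guest a volume that belongs to another domU.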



Using Kickstart is nice too, as is the built-in install support for Xen. CentOS has a nice wiki page - Installing CentOS DomU


Initial install of OpenSSH 5.x on CentOS 5.4 with jailed sftp root enabled

Install CentOS with only Base group (keep it minimal)

Install some RPM packages required to get and build OpenSSH
    yum install -y gcc  wget zlib-devel perl make xauth
Get the newest 0.9.8 source from openssl.org and check its published checksum or PGP signature before building it. Example
pushd /tmp
wget http://openssl.org/source/openssl-0.9.8o.tar.gz
Build it
tar zxvf openssl-*
cd openssl-*
./config --prefix=/opt/depot/`basename $(pwd)` --openssldir=/opt/depot/`basename $(pwd)`
make
make install
pushd /opt/depot
ln -s openssl* openssl
popd

Download newest 5.x OpenSSH from ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/. Example
    wget ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-5.5p1.tar.gz
Build it
tar zxvf openssh*
cd openssh-*
./configure --prefix=/opt/depot/`basename $(pwd)` --with-ssl-dir=/opt/depot/openssl
make
make install
mkdir -p /opt/depot/openssh/var/run
pushd /opt/depot
ln -s openssh* openssh
Update /etc/init.d/sshd to point to the correct paths

KEYGEN=/opt/depot/openssh/bin/ssh-keygen
SSHD=/opt/depot/openssh/sbin/sshd
RSA1_KEY=/opt/depot/openssh/etc/ssh_host_key
RSA_KEY=/opt/depot/openssh/etc/ssh_host_rsa_key
DSA_KEY=/opt/depot/openssh/etc/ssh_host_dsa_key
PID_FILE=/opt/depot/openssh/var/run/sshd.pid


Edit the new config, /opt/depot/openssh/etc/sshd_config (the --prefix build reads its config from there, not from /etc/ssh), and replace the Subsystem line with
    Subsystem       sftp    internal-sftp
Add the following group config lines at the end of the file (a Match block applies to everything after it, up to the next Match)

Match Group sftponly
ChrootDirectory /srv/%u
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no


sshd only chroots into a directory that root owns and that is not writable by group or others, and the same holds for every directory on the path to it. Otherwise the login is dropped with "bad ownership or modes for chroot directory" in the secure log. So each /srv/user1 stays root-owned, mode 755, and the user gets a writable subdirectory inside it for uploads.

Restart ssh and make sure you see 5.x for the server version
    service sshd restart
    ssh -v localhost 2>&1 | grep -i 'remote software version'
Create the system group
    groupadd sftponly
chown root:root /srv
chmod 755 /srv
Create some sftp-only users with a root-owned home (the chroot root) and a writable upload directory
     useradd  -g sftponly -d /srv/user1  -s /bin/false user1
     chown root:root /srv/user1
     chmod 755 /srv/user1
     mkdir /srv/user1/upload
     chown user1:sftponly /srv/user1/upload
     chmod 700 /srv/user1/upload
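The thing that goes wrong most often with a ChrootDirectory setup is ownership: sshd refuses to chroot unless every directory from / down to the chroot itself is root-owned and not group- or world-writable, and the only hint is "bad ownership or modes for chroot directory" in /var/log/secure. The following is an added example, not part of the original post, that performs that walk for a given chroot path. It assumes GNU stat as shipped on CentOS; the optional base and owner arguments exist only so the check can be tried as an unprivileged user on a scratch tree, production runs keep the defaults (/ and uid 0).

```shell
#!/bin/sh
# Added example, not from the original post: verify that a ChrootDirectory
# meets the ownership rule sshd enforces before it will chroot an sftp user.
# Every directory on the path, from the base (default /) down to the chroot,
# must be owned by the expected uid (default 0) and must not be writable by
# group or others. Assumes GNU stat (coreutils).

# _check_component <dir> <expected-uid>: owner and mode check for one directory
_check_component() {
    dir="$1" want_uid="$2"
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory" >&2
        return 1
    fi
    uid=$(stat -c '%u' "$dir")
    mode=$(stat -c '%a' "$dir")
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: $dir owned by uid $uid, expected uid $want_uid" >&2
        return 1
    fi
    # The last octal digit is "other", the one before it is "group"; a 2, 3, 6
    # or 7 in either position means the write bit is set there.
    case "$mode" in
        *[2367]|*[2367]?)
            echo "FAIL: $dir mode $mode is group- or world-writable" >&2
            return 1 ;;
    esac
    return 0
}

# check_chroot_path <chroot-dir> [base=/] [expected-uid=0]
# Walks base, then each path component of chroot-dir below base.
check_chroot_path() {
    target="$1" base="${2:-/}" want_uid="${3:-0}"
    case "$target" in
        "$base"*) ;;
        *) echo "FAIL: $target is not under $base" >&2; return 1 ;;
    esac
    cur="${base%/}"
    [ -n "$cur" ] || cur=/
    _check_component "$cur" "$want_uid" || return 1
    rest="${target#"$base"}"
    rest="${rest#/}"
    old_ifs="$IFS"; IFS=/
    for comp in $rest; do
        IFS="$old_ifs"
        [ -n "$comp" ] || continue
        if [ "$cur" = / ]; then cur="/$comp"; else cur="$cur/$comp"; fi
        _check_component "$cur" "$want_uid" || return 1
    done
    IFS="$old_ifs"
    echo "OK: $target is usable as ChrootDirectory (owner uid $want_uid, no group/other write)"
    return 0
}
```

Run check_chroot_path /srv/user1 after creating each user and before the first login; a non-zero exit names the offending directory on stderr, which is exactly the detail sshd's log line leaves out.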



This guide was based on the one at http://adamsworld.name/chrootjailv5.php

Most modifications were to fit my auto-install for the Xen virtual host and other little bits like that. Plus I'd rather use built-in packages like zlib-devel where possible. Hopefully by the next CentOS release the OpenSSL build will not be needed either (maybe not even the OpenSSH one).

Saturday, January 31, 2009


QuickPwn for iPhone firmware 2.2.1

When updating my iPhone 2G with the new 2.2.1 firmware I was required to run QuickPwn after doing the update but could not get it past "QuickPwn is about to run on your iPhone".

There was a USB-related update in OS X 10.5.6 which makes it so the iPhone is not detected when in DFU (restore) mode.  You can either go through the process of using some old 10.5.5 drivers from Apple ADC for the update and then reinstall the 10.5.6 drivers, or just plug your iPhone in via a USB hub.  I had a simple VAKOSS non-powered hub and it worked fine.

If you have not jailbroken your iPhone before you may want to use PwnageTool to select specific packages and create a custom restore image.




Monday, May 05, 2008


Yum on RHEL4 with out up2date support

It's ugly... go download
  • python-urlgrabber
  • python-sqlite
  • python-elementtree
  • yum
  • sqlite
from http://mirror.centos.org/centos/4/os/x86_64/CentOS/RPMS/

Force install yum with --force --nodeps (it requires yumconf, which I can not find, but we are creating our own config). Also import the CentOS 4 signing key, because the config below sets gpgcheck=1 and yum will refuse every package until the key is in the RPM database (check the mirror for the exact key file name):

rpm --import http://mirror.centos.org/centos/4/os/x86_64/RPM-GPG-KEY-centos4

Now go edit /etc/yum.conf and use the following (adjust as desired)

[main]
cachedir=/var/cache/yum
debuglevel=2
logfile=/var/log/yum.log
pkgpolicy=newest
installonlypkgs=kernel kernel-smp kernel-devel kernel-smp-devel kernel-largesmp kernel-largesmp-devel kernel-hugemem kernel-hugemem-devel
#distroverpkg=centos-release
distroverpkg=redhat-release
tolerant=1
exactarch=1
retries=20
obsoletes=1
gpgcheck=1
plugins=1


[base]
name=Red Hat Linux-$releasever - Base
baseurl=http://mirror.centos.org/centos/4/os/x86_64/
gpgcheck=1

[updates]
name=Red Hat Linux $releasever - Updates
baseurl=http://mirror.centos.org/centos/4/updates/x86_64/
gpgcheck=1

You should now be able to add RHEL4-compatible packages easily via yum.  If you actually have RHN access you can add the ability to connect to it via yum, but you will need to read about that elsewhere.

Sunday, April 27, 2008


OpenSource VoiceXML platform

A full opensource voicexml platform that does IVR/TTS/ASR etc is hard to find.. there have been some attempts such as PublicVoicexml (last activity was 2006 for v4.0)... Pretty much what you find is various components for interacting with voicexml - jvoicexml (java based vxml interpreter), OpenVXi [1][2](vxml interpreter spec v2.0),  SpeakRight (java framework for generating VXML), Oktopous PIK (BSD licensed CCXML toolkit in C++), VoiceXML::Client (Perl extension for VXML clients, including useragent, parser and interpreter), as well as BladeWareVXML [sf site] which is based on OpenVXi.

Also RocketSource has some open-source VoiceXML-enabled solutions, such as one for an auto-attendant and another for voicemail.

Three possibilities for a more complete platform are: SIPfoundry's sipX products, including sipXecs and sipXvxml (part of sipX MediaServer); VoiceGlue, which uses OpenVXi, flite for TTS, Asterisk, and other components; and the VOCP system, which is built around VoiceXML::Client, vgetty, and some other Perl code.
 
Otherwise you need to build it yourself... Which I assume is the reason Nuance, Voxeo, Vocalocity, etc are making big money for complete solutions.

If you just need to interpret VXML from a 3rd party one solution could be to use something such as jvoicexml and asterisk along with one or more of the java libraries for interfacing asterisk including: asterisk-java which uses the manager API; JAsterisk which spawns a jvm in asterisk that has full access to its internals; JastAgi (or JAGIServer which is not active) for AGI interfacing; put it all together an build a "translator" from vxml to asterisk API calls.

What I want is a VoiceXML parsing library for Ruby so I can use it with Adhearsion.

For a free but non-opensource solution one option is Voxeo's Prophecy platform.  I6net has an asterisk product called VXI* VoiceXML browser which does both video and voice for IVR (or simply IVVR).  For development purposes you can use Voxeo's free development platform found on their community developer site.



Sunday, April 06, 2008


Setting up a chroot SFTP only environment.

Options
  1. chroot-ssh by itself
  2. chroot-ssh + normal openssh
  3. default openssh using modified sftp-server (no environment required)
There are other solutions such as rssh, scponly, and openssh versions 4.9+.  These 3 were the most appropriate for the needs I had at the time.



I. chroot-ssh replacing normal openssh

For a source install follow the directions on the chroot-ssh SourceForge page.
For building an RPM for CentOS 4.4 go to

http://blog.wanderinglost.ca/?p=9

You can use the useradd script listed on that blog or skip it completely, since I cover that below. In either case, read through the User and environment setup section to make sure everything is covered.


II - chroot-sshd + normal sshd

If you want to run both a chroot ssh environment and a normal ssh server do the following. Otherwise jump to the next section.
  1. change the normal sshd (/etc/ssh/sshd_config) to listen only on its current IP addresses (ListenAddress), so the new address is free for the chroot sshd.
  2. create a new interface and IP address for chroot ssh
  3. download and build chrootssh
wget http://chrootssh.sourceforge.net/download/openssh-4.5p1-chroot.tar.bz2

tar jxvf openssh-4.5p1-chroot.tar.bz2
cd openssh-4.5p1-chroot
./configure --datarootdir=/opt/depot/$(basename `pwd`) --docdir=/opt/depot/$(basename `pwd`) --prefix=/opt/depot/$(basename `pwd`) --with-md5-passwords

*NOTE* add whatever other options you need, such as those for Kerberos support, and --with-pid-dir=PATH so the two daemons do not share a pid file. Keep in mind this is a patched copy of OpenSSH 4.5p1, so watch the upstream OpenSSH releases for fixes it will not get on its own.

make
make install

To stop chroot users from getting in via the normal openssh do the following

  1. add a group to /etc/group called chroot. Add all chroot users to the new group.
  2. add "DenyGroups chroot" to /etc/ssh/sshd_config
  3. Send SIGHUP to the normal sshd PID to force a re-read of the config
Now jump to the User and environment setup section below



III. default openssh + sftp-server binary modifications by minstrel

Download openssh source (http://www.openssh.org/portable.html).
Download sftp-server.c from http://www.minstrel.org.uk/papers/sftp/
Either copy it in replacing the one from openssh or manually add the listed changes.
I suggest manually applying the changes unless you are getting the exact same version.

Build as needed to have sftp-server with correct options. Eg

./configure --with-md5-passwords --without-zlib-version-check --with-tcp-wrappers
make

Rename sftp-server to sftp-serverc so you know this version does chroot

Now copy it somewhere.. Such as

/opt/depot/openssh/libexec/sftp-serverc

It needs to be setuid root to call chroot(), so every user who can run it is trusting that one binary with root. Keep it owned by root and do not make it available to users who are not meant to be chrooted.

chown root:root /opt/depot/openssh/libexec/sftp-serverc
chmod u+s /opt/depot/openssh/libexec/sftp-serverc

Edit /etc/ssh/sshd_config and change the Subsystem sftp line to point to the new sftp-serverc (use the path you copied it to)

Subsystem sftp /opt/depot/openssh/libexec/sftp-serverc

Send SIGHUP to the sshd PID to force a re-read of the config.

NOTE: If you are using option 3 (sftp-server source modifications for chroot) you do not need to set up any chroot environment. Just follow these next user setup instructions and you are done.  The following will chroot them to their home dir.

User setup

add a user normally then run

usermod -d /home/USER/./ USER

The /./ marks where the chroot ends: everything before it becomes the jail root and the user lands in the part after it.

Set the user's shell
usermod -s /opt/depot/openssh/libexec/sftp-serverc USER

With that shell an interactive ssh login gets nothing useful: sftp-server will just sit for a minute and then drop the connection.  As an alternative you can use minstrel's sftpsh, which is listed on the website above.



User and environment setup for options 1 and 2


NOTE:  Either all chroot users can share a common chroot virtual root or each user can have their own copy of all the needed system files.

The following instructions apply to the former. If you want full separation, change CHROOT_DIR to be the user's home directory. Eg.


CHROOT_DIR=/chroot/bob

Create a user with a home dir like CHROOT_DIR/home/USERNAME. eg

useradd -d CHROOT_DIR/home/bob bob


Then set their home dir so the chroot point is marked with /./

usermod -d CHROOT_DIR/./home/bob bob

If you want to chroot someone to their normal /home/USER dir then run

usermod -d /home/USER/./ USER

To stop any other users from seeing their files run

chown USER CHROOT_DIR/home/USER
chmod 700 CHROOT_DIR/home/USER

You may want to remove their .bash files etc...

find CHROOT_DIR/home/USER -type f -exec rm '{}' \;

If you are using the shared chroot you can run the following

chmod 711 CHROOT_DIR/home

to make it so users will not be able to see what other chroot users are on the system. You can even do this to the top level chroot directory (eg. /chroot) and users will not be able to see any of the chroot system directories. These actions may alleviate the need for full duplication of the chroot environment for each user.

Now run the following script passing the base chroot... Eg

./mkchroot-env /chroot

or

./mkchroot-env /chroot/bob

#!/bin/sh
# mkchroot-env: populate a minimal chroot with the binaries sftp users need
# plus the shared libraries those binaries link against.
if [ "$1" = "" ] ; then
CHROOT_DIR=/chroot
else
CHROOT_DIR="$1"
fi
REQUIRED_CHROOT_FILES=" /bin/cp \
/bin/ls \
/bin/mkdir \
/bin/mv \
/bin/rm \
/bin/rmdir \
/lib/libnss_files.so.2 \
/lib/ld-linux.so.2 \
/lib/libtermcap.so.2"

# Create CHROOT_DIR
[ ! -d "$CHROOT_DIR" ] && mkdir -p "$CHROOT_DIR"
cd "$CHROOT_DIR" || exit 1

# Copy REQUIRED_CHROOT_FILES and shared library dependencies
# to chroot environment (paths are relative to CHROOT_DIR after the cd)

for FILE in $REQUIRED_CHROOT_FILES
do
DIR=`dirname $FILE | cut -c2-`
[ ! -d "$DIR" ] && mkdir -p "$DIR"
cp $FILE `echo $FILE | cut -c2-`
# Only take ldd lines whose third field is an absolute path; this skips
# linux-gate.so.1 (a virtual library) and the loader line, which have none
# and would otherwise produce a bogus cp of "(0x..." here.
for SHARED_LIBRARY in `ldd $FILE | awk '$3 ~ /^\// {print $3}'`
do
DIR=`dirname $SHARED_LIBRARY | cut -c2-`
[ ! -d "$DIR" ] && mkdir -p "$DIR"
[ ! -s "`echo $SHARED_LIBRARY | cut -c2-`" ] && cp $SHARED_LIBRARY `echo $SHARED_LIBRARY | cut -c2-`
done
done

# Create device files (world read/write, like the real /dev/null and /dev/zero)
mkdir -p "$CHROOT_DIR/dev"
mknod -m 666 "$CHROOT_DIR/dev/null" c 1 3
mknod -m 666 "$CHROOT_DIR/dev/zero" c 1 5

# Create chroot /etc/passwd placeholder
mkdir -p "$CHROOT_DIR/etc"
touch "$CHROOT_DIR/etc/passwd"
Since we do not want the users to ssh, we set their shell to the sftp-server binary and make a few more changes. First copy the sftp-server(c) binary into the chroot... Adjust the paths based on your install choices earlier. Example for sftp-serverc (minstrel version)

mkdir -pv $CHROOT_DIR/opt/depot/openssh/libexec
cp PATH/TO/sftp-serverc $CHROOT_DIR/opt/depot/openssh/libexec/

Set the user's shell
usermod -s /opt/depot/openssh/libexec/sftp-serverc USER

Copy the user's passwd entry into the chroot (anchor on the whole login name so bob does not also pull in bobby)

grep "^USER:" /etc/passwd >> $CHROOT_DIR/etc/passwd
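Before any user logs into the jail it is worth auditing what mkchroot-env and the manual copies produced. The following is an added example, not from the original post, that flags three things that undo a chroot: setuid or setgid files inside it, world-writable directories without the sticky bit, and copied binaries whose shared libraries were not copied alongside them (the user-visible symptom of the last one is a "No such file or directory" at login). It assumes GNU find and ldd as on CentOS, and takes the same CHROOT_DIR and binary list as the script above.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a populated chroot
# before handing it to sftp users. Assumes GNU find and ldd (CentOS).

# chroot_suid_files <chroot-dir>: print setuid/setgid files inside the
# chroot; returns 1 if any exist. The only one expected is sftp-serverc
# when the minstrel binary is used, anything else is a foothold.
chroot_suid_files() {
    found=$(find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print)
    [ -z "$found" ] || { printf '%s\n' "$found"; return 1; }
}

# chroot_world_writable <chroot-dir>: print world-writable directories that
# lack the sticky bit (a jailed user could plant files there); 1 if any.
chroot_world_writable() {
    found=$(find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print)
    [ -z "$found" ] || { printf '%s\n' "$found"; return 1; }
}

# chroot_missing_libs <chroot-dir> <binary>...: for each binary (given by its
# path inside the chroot, e.g. /bin/ls), check that it exists there and that
# every library ldd resolves for it on the host is also present under the
# chroot at the same path. Returns 1 if anything is missing.
chroot_missing_libs() {
    chroot_dir="$1"; shift
    missing=0
    for bin in "$@"; do
        if [ ! -f "$chroot_dir$bin" ]; then
            echo "missing binary: $chroot_dir$bin"
            missing=1
            continue
        fi
        for lib in $(ldd "$chroot_dir$bin" 2>/dev/null | awk '$3 ~ /^\// {print $3}'); do
            if [ ! -e "$chroot_dir$lib" ]; then
                echo "missing library: $chroot_dir$lib (needed by $bin)"
                missing=1
            fi
        done
    done
    return $missing
}

# Usage: sh audit-chroot.sh --run /chroot /bin/ls /bin/cp
if [ "${1:-}" = "--run" ]; then
    shift
    chroot_suid_files "$1"
    chroot_world_writable "$1"
    chroot_missing_libs "$@"
fi
```

Run all three against the jail, for example chroot_suid_files /chroot, chroot_world_writable /chroot and chroot_missing_libs /chroot /bin/ls /bin/cp /opt/depot/openssh/libexec/sftp-serverc, and fix anything reported before adding users to the chroot group. A missing library is also what you get when the host's libc is updated but the copy inside the jail is not, so rerun the last check after package updates.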



REFERENCES

chrootssh project - http://chrootssh.sourceforge.net/
minstrel sftp-server modifications - http://www.minstrel.org.uk/papers/sftp/

OpenSSH + ChRoot RPM for CentOS 4.4
http://blog.wanderinglost.ca/?p=9
chroot sshd/sftp tips and scripts
http://www.brandonhutchinson.com/chroot_ssh.html
SFTP Setup for CentOS 4.5-5.x
http://www.fusionnetwork.us/index.php?option=com_content&task=view&id=13&Itemid=9
SSH Chroot in ISPConfig Centos-4.6
http://www.linuxweblog.com/blogs/sandip/20080228/ssh-chroot-ispconfig-centos-46


Various other howtos, mailing list posts, etc... including
http://www.debian-administration.org/articles/94
http://www.howtoforge.com/chrooted_ssh_howto_debian
http://www.technicalarticles.org/index.php/How_to_Setup_a_Chroot_Jail
http://www.derkeiler.com/Newsgroups/comp.security.ssh/2003-10/0202.html
http://www.bpfh.net/simes/computing/chroot-break.html
http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config

Debugging and other issues
http://www.snailbook.com/faq/sftp-corruption.auto.html
http://www.cyberciti.biz/tips/openssh-deny-or-restrict-access-to-users-and-groups.html

Alternatives not pursued in full but were considered and researched thoroughly.

Scponly
http://sublimation.org/scponly/wiki/index.php/Main_Page
SFTP Setup for CentOS 4.5-5.x
http://www.fusionnetwork.us/index.php?option=com_content&task=view&id=13&Itemid=9
http://www.freebsdwiki.net/index.php/SSH:_Limiting_to_SCP_or_Rsync_only
http://dag.wieers.com/rpm/packages/scponly/
http://ubuntuforums.org/showthread.php?t=451510
http://lists.freebsd.org/pipermail/freebsd-isp/2003-August/000921.html
http://www.nslu2-linux.org/wiki/Optware/Scponly

Rssh
http://www.pizzashack.org/rssh/
http://dag.wieers.com/rpm/packages/rssh/
http://www.cyberciti.biz/tips/rhel-centos-linux-install-configure-rssh-shell.html
http://ubuntuforums.org/showthread.php?t=195266
http://ubuntuforums.org/showthread.php?t=128206
http://www.mail-archive.com/rssh-discuss@lists.sourceforge.net/msg00064.html





I did not feel like finishing the formatting as I wrote all of this out in plain text originally while documenting what I was doing. I'll come back later and clean things up.



Tuesday, August 14, 2007


Short tutorial for creating a Ruby on Rails app

Assumptions:

* You have Ruby and Rails already installed.
* You are using mongrel, webrick for the web server.
* Using sqlite3 for the database and you have it installed

Before starting I would suggest deciding on using some version control. RCS is better than nothing.

Now decide on the app name. This is the top level app name. It can have related stuff below it... Example your app could be to log all data about your health. Lets call it myhealth. So run

rails myhealth

That creates the base framework for the app. Now go into the new myhealth directory.

Edit config/database.yml and for sqlite3 use
adapter: sqlite3
dbfile: db/myhealth_development

(Note: if you call it myhealth_development.db RoR does not seem to find it)

For this health example we could have several things such as Eating, Sleeping, Illness (could include headaches), as well as various types of exercise. I will just use one type of exercise, cycling, which will log ride data...

Now we need to create the model which ties everything to the database. This will create several things including the skeleton migration script for setting up the database.

./script/generate model Ride

Edit the initial migration in db/migrate/. You create new ones with

./script/generate migration name_of_migration_script

(Note: underscores or camelcase is required)

The migration script should look like (the name column is the one with a 40-character limit; the other columns are the ones the view below reads, with their types assumed here)

class CreateRides < ActiveRecord::Migration
  def self.up
    create_table :rides do |t|
      t.column :name, :string, :limit => 40
      t.column :trip_distance, :float
      t.column :trip_time, :integer
      t.column :avg_speed, :float
      t.column :max_speed, :float
      t.column :riders, :integer
      t.column :comment, :string
    end
  end

  def self.down
    drop_table :rides
  end
end

Now run

rake db:migrate

This will create the database and tables.

(Note: By default you are in development mode... if you want to generate the db for others use - rake environment RAILS_ENV=test db:migrate)

Create the controller and views
./script/generate controller Rides list view new edit

This creates the different "pages" (views) as well as the controller script which talks to the model.

Before starting any coding I suggest putting everything in version control. You probably want to exclude the log/, tmp/ and db/ directory. You can backup the database (and add the backup to version control) with sqlite3 path/to/db .dump

After that you can start editing the model, controller, and views. Here is the view.rhtml:

<h2><%= @ride.name %></h2>

<p>
<br />
Trip Dist: <%= @ride.trip_distance %><br />
Trip Time: <%= @ride.trip_time_t.to_s %>(<%= @ride.trip_time %>)<br />
Avg Speed: <%= @ride.avg_speed %><br />
Max Speed: <%= @ride.max_speed %><br />
Riders: <%= @ride.riders %><br />
Comments:
<blockquote>
<%= @ride.comment %>
</blockquote>

<hr noshade />

<%=link_to "List", :action => "list" %>
<%= link_to "Edit", :action => "edit", :id => @ride.id %>
<%= link_to "Delete", { :action => "destroy", :id => @ride.id} ,
:confirm => "Are you sure?", :method => "post" %>
</p>

and here is the controller code for this view:

def view
@ride = Ride.find(params["id"])
end


See the reference links below for more detailed information.

TIPS
Test and manipulate stuff from the console
./script/console

Run rake (with no arguments) to run some tests against all your stuff.


REFERENCES
Tutorials, etc
http://www.tutorialspoint.com/ruby-on-rails/
RoR Wiki - Tutorial
http://www.sitepoint.com/article/ruby-on-rails


Migrations
RoR Wiki - UsingMigrations
Ruby on Rails Migrations Reloaded/
API docs for ActiveRecord/Migration
Oracle article on Rails Migrations
Rails migrations using sqlite3 on Mac OS X

Misc
RoR Wiki - RailsBestPractices
Calendar Date Select: A Lightweight, Prototype-based Date/Time Picker for Rails Developers


