Monday, May 22, 2017

Apply SSL Certificate via HAproxy


Hi Again,


Just thought I'd share how an SSL certificate is applied to an HAProxy LB.

First we need to generate a “pem” file, which includes the private key, from the “pfx”. It prompts for the password.

# openssl pkcs12 -in dummy.pfx -out dummy.pem  -nodes

Note: it is important that the pem file includes the private key; a pem file without the private key content is not enough.

Copy this "pem" file to a specific location, for example:

# cp dummy.pem /etc/haproxy/ssl/

Configure the SSL cert in HAProxy, in the frontend section:

frontend www-https
    mode http
    option forwardfor
    option http-server-close
    bind 0.0.0.0:443 ssl crt /etc/haproxy/ssl/dummy.pem
    reqadd X-Forwarded-Proto:\ https
    default_backend web-backend

and restart the haproxy service:

# service haproxy restart

Ola!!!! When you access your application, you should see something like this in the address bar :)
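An added example (not part of the original post): a pre-flight check you can run on the pem file before restarting haproxy. It confirms the bundle holds both a certificate and an unencrypted private key, and that the file is not accessible to group or others, since "-nodes" leaves the key in clear text. The names check_haproxy_pem, count_blocks and make_sample and the return codes are made up for this sketch, and the sample file is constructed from marker lines only.

```shell
#!/bin/sh
# Added example: pre-flight check for the PEM bundle named in "bind ... ssl crt".
# check_haproxy_pem and its return codes are hypothetical names for this sketch.

# Print how many PEM blocks in file $1 have a BEGIN label matching ERE $2.
count_blocks() {
    grep -Ec -e "^-----BEGIN $2-----" "$1"
}

# Returns 0 if usable, else: 2 unreadable, 3 no certificate, 4 no private key,
# 5 key still passphrase-protected, 6 accessible to group or others.
check_haproxy_pem() {
    pem=$1
    [ -r "$pem" ] || return 2
    [ "$(count_blocks "$pem" 'CERTIFICATE')" -ge 1 ] || return 3
    if [ "$(count_blocks "$pem" '((RSA|EC) )?PRIVATE KEY')" -lt 1 ]; then
        # Without -nodes, openssl pkcs12 writes an encrypted key block instead.
        [ "$(count_blocks "$pem" 'ENCRYPTED PRIVATE KEY')" -ge 1 ] && return 5
        return 4
    fi
    # -nodes leaves the key in clear text, so the file mode is its only guard.
    perms=$(ls -ld "$pem" | cut -c5-10)
    [ "$perms" = "------" ] || return 6
    return 0
}

# Constructed sample: PEM marker lines only, no real certificate or key.
make_sample() {
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'constructed-placeholder' \
        '-----END PRIVATE KEY-----' '-----BEGIN CERTIFICATE-----' \
        'constructed-placeholder' '-----END CERTIFICATE-----' > "$1"
}

demo() {
    f=$(mktemp) || return 1
    make_sample "$f"
    for mode in 600 644; do
        chmod "$mode" "$f"
        rc=0; check_haproxy_pem "$f" || rc=$?
        echo "mode $mode -> check_haproxy_pem returned $rc"
    done
    rm -f "$f"
}
demo
```

On a real host, run it against /etc/haproxy/ssl/dummy.pem; a return of 6 means the file mode should be tightened (for example to 600) before the restart.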



Thursday, March 9, 2017

Centos - How to undo a package Installation - Yum 


Hi Friends,

Yesterday someone on my server accidentally updated the libvirt packages while trying to install something else.

Puff !!!
All my VMs started failing on reboot.
Identified that the versions of libvirt and qemu don't work anymore.

On a quick research, I learnt this

"YUM HISTORY UNDO <NUM>"

It is a life saver

I initially tried "yum downgrade" - but it usually failed in downgrading dependencies.

So let me explain the magic to you.


Step 1: Find the history

# yum history
Loaded plugins: product-id, refresh-packagekit, subscription-manager
Updating Red Hat repositories.
ID     | Login user               | Date and time    | Action(s)      | Altered
-------------------------------------------------------------------------------
     8 | root <root>              | 2011-10-03 14:40 | Install        |    1   
     7 | root <root>              | 2011-09-21 04:24 | Install        |    1 ##
     6 | root <root>              | 2011-09-21 04:23 | Install        |    1 ##
     5 | root <root>              | 2011-09-16 13:35 | Install        |    1   
     4 | root <root>              | 2011-09-16 13:33 | Erase          |    1   
     3 | root <root>              | 2011-09-14 14:36 | Install        |    1   
     2 | root <root>              | 2011-09-12 15:48 | I, U           |   80   
     1 | System <unset>           | 2011-09-12 14:57 | Install        | 1025  

Step 2: Revert the change

# yum history undo 8

Loaded plugins: product-id, refresh-packagekit, subscription-manager
Updating Red Hat repositories.
Undoing transaction 8, from Mon Oct  3 14:40:01 2011
    Install screen-4.0.3-16.el6.i686
Resolving Dependencies
--> Running transaction check
---> Package screen.i686 0:4.0.3-16.el6 will be erased
--> Finished Dependency Resolution

Dependencies Resolved
================================================================================
 Package          Arch       Version            Repository              Size
================================================================================
Removing:
 screen           i686       4.0.3-16.el6       @rhel-6-server-rpms     783 k

<snip>

Removed:
  screen.i686 0:4.0.3-16.el6
Complete!

Hope this helps someone. Ola ... have a great day

Wednesday, October 15, 2014

OpenStack - Do you know how to evacuate Instances from server which has gone down - "nova host-evacuate"

Hello again,

Recently my server running openstack-compute (which was running some 60 VMs) had to be brought down for maintenance. This is when I learnt how to use "nova evacuate".

This is a cool feature in OpenStack with which you can get back instances from a server that has gone down. Ya, but it requires some prior configuration.

The important stuff is how you keep your root disk. OpenStack allows three different configurations to fetch the root disk.

1. Root on volume (EBS volumes) - With this, the instance can be brought up on another server with the same EBS (root) volume.

2. Instances folder in shared mode using NFS, GlusterFS, etc. - Basically the disk file needs to be accessible across all nodes, i.e. the mount point for the instances folder must be shared across all nodes. GlusterFS appears to work super cool in this method.

3. Disks are cleaned but instances are recreated from a fresh disk from Glance - Even though the disk is ultra new, instance information (like IP, instance ID, etc.) is retained just as it was before evacuation.

Once the server is down, all you need to do is issue the following command:

# nova host-evacuate --target_host <server where the VMs need to be transferred> --on-shared-storage <server which got down>

Eg:

# nova host-evacuate --target_host old_node --on-shared-storage new_node

I have added a video demonstration of the entire flow. I hope this helps someone. Have a great day


:) :) :) :) :) :) :) :)

Tuesday, October 14, 2014

Cool aliases that i found from my friend's GitHub

Hey Guys,
If you are a Linux fan, you will probably love these aliases (shortcuts or short forms of commands)

https://github.com/rushiagr/myutils/tree/master/aliases

If you are too tired to copy them to your system, just use the script below to install these aliases :)

https://github.com/rushiagr/myutils/blob/master/install-aliases.sh

These save a lot of time for developers.

Thanks to Rushi Agarwal

See ya all.

Monday, August 18, 2014

Really Cool Python debugging Tool - "PUDB"

Hi once again,
I came across this really cool Python debugging tool called "PUDB". Now I would rather say I am using this tool for every code trace on OpenStack.

" PuDB is a full-screen, console-based visual debugger for Python. Its goal is to provide all the niceties of modern GUI-based debuggers in a more lightweight and keyboard-friendly package. PuDB allows you to debug code right where you write and test it--in a terminal. If you've worked with the excellent DOS-based Turbo Pascal or C tools, PuDB's UI might look familiar. "

How to install PUDB

# sudo pip install pudb

How to debug

Insert the following piece of code at the place where you feel the debugger needs to start:

import pudb;pu.db 

What does it look like?



PUDB has the following panes:
  • Debugger pane
  • Console pane
  • Variables pane
  • Stack pane
  • Breakpoints pane

Basic Key Navigations
  • Use the Left, Right, Up, Down arrow keys to navigate between the panes.
  • Press 's' to step into a method
  • Press 'n' to execute the next line
  • Press 'b' to toggle breakpoints
  • Press 'r' to complete the method
  • Press 'q' to quit the debugger
  • Press '?' for help and more key navigations
  • Ctrl + x to navigate between the debugger pane and the console pane.
  • The TAB key acts as auto-suggest/auto-fill while in the console pane. It also brings down the methods available.

Credits to my friend Rushi Agarwal - who pointed out this tool to me while I was struggling to debug a piece of code with pdb :)

Tuesday, July 8, 2014

"apt-mirror" does not understand non standard port

Hey,
Today when I was setting up the configuration for apt-mirror, I faced this problem of apt-mirror not recognizing a non-standard port. I thought I would post the fix for the bug, as this might be helpful for others as well.

Step 1: Edit the apt-mirror script

# nano /usr/bin/apt-mirror

Step 2: Look for the line

$uri =~ s&:\d+/&/&; # and port information

Change it to,

$uri =~ s&:\d+/$&/&; # and port information

Step 3: Run your apt-mirror command

There you go !!! You have your mirror fetching from a non-standard port.

Monday, April 7, 2014

Eth0 Getting Incremented while Cloning

Hi everybody,
Today I came across a situation where my network interface number(s) get incremented whenever I clone my virtual machine (by VirtualBox or other means). For some reason or other, certain people do not like their interfaces to be changed.
Started investigating the cause and found that udev was the daemon which increments the number on the interface. It has a certain set of rules written which reinitiate the device number. Here is a small patch that can be handy for some users.

Note: These commands have to be performed as root

Step 1: Edit the file /lib/udev/write_net_rules and make the following changes

# vi /lib/udev/write_net_rules

Originally it looks like this

#!/bin/sh -e

# This script is run to create persistent network device naming rules
# based on properties of the device.
# If the interface needs to be renamed, INTERFACE_NEW=<name> will be printed
# on stdout to allow udev to IMPORT it.

# variables used to communicate:
#   MATCHADDR             MAC address used for the match
#   MATCHID               bus_id used for the match
#   MATCHDEVID            dev_id used for the match
#   MATCHDRV              driver name used for the match
#   MATCHIFTYPE           interface type match
#   COMMENT               comment to add to the generated rule
#   INTERFACE_NAME        requested name supplied by external tool
#   INTERFACE_NEW         new interface name returned by rule writer

# Copyright (C) 2006 Marco d'Itri <md@Linux.IT>
# Copyright (C) 2007 Kay Sievers <kay.sievers@vrfy.org>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

# debug, if UDEV_LOG=<debug>
if [ -n "$UDEV_LOG" ]; then
    if [ "$UDEV_LOG" -ge 7 ]; then
        set -x
    fi
fi

RULES_FILE='/etc/udev/rules.d/70-persistent-net.rules'
. /lib/udev/rule_generator.functions

interface_name_taken() {
    local value="$(find_all_rules 'NAME=' $INTERFACE)"
    if [ "$value" ]; then
        return 0
    else
        return 1
    fi
}

find_next_available() {
    raw_find_next_available "$(find_all_rules 'NAME=' "$1")"
}

write_rule() {
    local match="$1"
    local name="$2"
    local comment="$3"

    {
        if [ "$PRINT_HEADER" ]; then
            PRINT_HEADER=
            echo "# This file was automatically generated by the $0"
            echo "# program, run by the persistent-net-generator.rules rules file."
            echo "#"
            echo "# You can modify it, as long as you keep each rule on a single"
            echo "# line, and change only the value of the NAME= key."
        fi

        echo ""
        [ "$comment" ] && echo "# $comment"
        echo "SUBSYSTEM==\"net\", ACTION==\"add\"$match, NAME=\"$name\""
    } >> $RULES_FILE
}

if [ -z "$INTERFACE" ]; then
    echo "missing \$INTERFACE" >&2
    exit 1
fi

# Prevent concurrent processes from modifying the file at the same time.
lock_rules_file

# Check if the rules file is writeable.
choose_rules_file

# the DRIVERS key is needed to not match bridges and VLAN sub-interfaces
if [ "$MATCHADDR" ]; then
    match="$match, DRIVERS==\"?*\", ATTR{address}==\"$MATCHADDR\""
fi

if [ "$MATCHDRV" ]; then
    match="$match, DRIVERS==\"$MATCHDRV\""
fi

if [ "$MATCHDEVID" ]; then
    match="$match, ATTR{dev_id}==\"$MATCHDEVID\""
fi

if [ "$MATCHID" ]; then
    match="$match, KERNELS==\"$MATCHID\""
fi

if [ "$MATCHIFTYPE" ]; then
    match="$match, ATTR{type}==\"$MATCHIFTYPE\""
fi

if [ -z "$match" ]; then
    echo "missing valid match" >&2
    unlock_rules_file
    exit 1
fi

basename=${INTERFACE%%[0-9]*}
match="$match, KERNEL==\"$basename*\""

if [ "$INTERFACE_NAME" ]; then
    # external tools may request a custom name
    COMMENT="$COMMENT (custom name provided by external tool)"
    if [ "$INTERFACE_NAME" != "$INTERFACE" ]; then
        INTERFACE=$INTERFACE_NAME;
        echo "INTERFACE_NEW=$INTERFACE"
    fi
else
    # if a rule using the current name already exists, find a new name
    if interface_name_taken; then
        INTERFACE="$basename$(find_next_available "$basename[0-9]*")"
        # prevent INTERFACE from being "eth" instead of "eth0"
        [ "$INTERFACE" = "${INTERFACE%%[ \[\]0-9]*}" ] && INTERFACE=${INTERFACE}0
        echo "INTERFACE_NEW=$INTERFACE"
    fi
fi

write_rule "$match" "$INTERFACE" "$COMMENT"

unlock_rules_file

exit 0


Change it as follows

#!/bin/sh -e

# This script is run to create persistent network device naming rules
# based on properties of the device.
# If the interface needs to be renamed, INTERFACE_NEW=<name> will be printed
# on stdout to allow udev to IMPORT it.

# variables used to communicate:
#   MATCHADDR             MAC address used for the match
#   MATCHID               bus_id used for the match
#   MATCHDEVID            dev_id used for the match
#   MATCHDRV              driver name used for the match
#   MATCHIFTYPE           interface type match
#   COMMENT               comment to add to the generated rule
#   INTERFACE_NAME        requested name supplied by external tool
#   INTERFACE_NEW         new interface name returned by rule writer

# Copyright (C) 2006 Marco d'Itri <md@Linux.IT>
# Copyright (C) 2007 Kay Sievers <kay.sievers@vrfy.org>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

# debug, if UDEV_LOG=<debug>
if [ -n "$UDEV_LOG" ]; then
    if [ "$UDEV_LOG" -ge 7 ]; then
        set -x
    fi
fi

RULES_FILE='/etc/udev/rules.d/70-persistent-net.rules'
# added: marker file; while it exists, interface names are not incremented
dnc='/etc/udev/rules.d/dnc-network'
. /lib/udev/rule_generator.functions

interface_name_taken() {
    local value="$(find_all_rules 'NAME=' $INTERFACE)"
    if [ "$value" ]; then
        return 0
    else
        return 1
    fi
}

find_next_available() {
    raw_find_next_available "$(find_all_rules 'NAME=' "$1")"
}

write_rule() {
    local match="$1"
    local name="$2"
    local comment="$3"

    {
        if [ "$PRINT_HEADER" ]; then
            PRINT_HEADER=
            echo "# This file was automatically generated by the $0"
            echo "# program, run by the persistent-net-generator.rules rules file."
            echo "#"
            echo "# You can modify it, as long as you keep each rule on a single"
            echo "# line, and change only the value of the NAME= key."
        fi

        echo ""
        [ "$comment" ] && echo "# $comment"
        echo "SUBSYSTEM==\"net\", ACTION==\"add\"$match, NAME=\"$name\""
    } >> $RULES_FILE
}

if [ -z "$INTERFACE" ]; then
    echo "missing \$INTERFACE" >&2
    exit 1
fi

# Prevent concurrent processes from modifying the file at the same time.
lock_rules_file

# Check if the rules file is writeable.
choose_rules_file

# the DRIVERS key is needed to not match bridges and VLAN sub-interfaces
if [ "$MATCHADDR" ]; then
    match="$match, DRIVERS==\"?*\", ATTR{address}==\"$MATCHADDR\""
fi

if [ "$MATCHDRV" ]; then
    match="$match, DRIVERS==\"$MATCHDRV\""
fi

if [ "$MATCHDEVID" ]; then
    match="$match, ATTR{dev_id}==\"$MATCHDEVID\""
fi

if [ "$MATCHID" ]; then
    match="$match, KERNELS==\"$MATCHID\""
fi

if [ "$MATCHIFTYPE" ]; then
    match="$match, ATTR{type}==\"$MATCHIFTYPE\""
fi

if [ -z "$match" ]; then
    echo "missing valid match" >&2
    unlock_rules_file
    exit 1
fi

basename=${INTERFACE%%[0-9]*}
match="$match, KERNEL==\"$basename*\""

if [ "$INTERFACE_NAME" ]; then
    # external tools may request a custom name
    COMMENT="$COMMENT (custom name provided by external tool)"
    if [ "$INTERFACE_NAME" != "$INTERFACE" ]; then
        INTERFACE=$INTERFACE_NAME;
        echo "INTERFACE_NEW=$INTERFACE"
    fi
else
    # if a rule using the current name already exists, find a new name
    if interface_name_taken; then
        # added: only pick a new name when the marker file does not exist
        if ! [ -e $dnc ]; then
            INTERFACE="$basename$(find_next_available "$basename[0-9]*")"
            # prevent INTERFACE from being "eth" instead of "eth0"
            [ "$INTERFACE" = "${INTERFACE%%[ \[\]0-9]*}" ] && INTERFACE=${INTERFACE}0
            echo "INTERFACE_NEW=$INTERFACE"
        fi
    fi
fi

write_rule "$match" "$INTERFACE" "$COMMENT"

unlock_rules_file

exit 0


Step 2: Create a file named /etc/udev/rules.d/dnc-network

# touch /etc/udev/rules.d/dnc-network

Step 3: Shut down the virtual machine and clone the machine to test

Enjoy :)