20150107

GLBer

GLBer Notes



GLBer creates the RouterOS configuration commands and a RouterOS script for the g0 Load BalanER, aka GLBer. With them, a MikroTik RouterOS router that has multiple point-to-point or point-to-multipoint uplinks balances the traffic among all uplinks without using source-based policy routing.



You need to copy the configuration commands and the RouterOS script that GLBer produces from a host that has bash to the RouterOS router, e.g. from a bash shell in a terminal to a WinBox terminal on the router.



RouterOS flushes the routing table every 10 minutes, and each flush has a good chance of resetting the masqueraded connections. The RouterOS script created by GLBer runs every 10 minutes and resets the equal-cost multipath route, which further raises the chance that the masqueraded connections reset within a 10-minute period.



Install GLBer
# wget https://raw.githubusercontent.com/ipduh/glber/master/glber -O /usr/bin/glber && chmod 755 /usr/bin/glber




Create the RouterOS GLBer Configuration For 3 point-to-point uplinks
$ glber 

GLBer, g0 2014
Quick How-To: http://sl.ipduh.com/glber

Enter gateways: alfa beta gama
Enter interfaces: 

If all the uplink interfaces are point-to-point just enter their names when asked for gateways and just hit enter when glber asks you for interfaces.



Create the RouterOS GLBer configuration for 4 point-to-point uplinks and an uplink available in the LAN through the router's eth5 interface.
$ glber 

GLBer, g0 2014
Quick How-To: http://sl.ipduh.com/glber

Enter gateways: 10.21.241.101 alfa beta gama delta
Enter interfaces: eth5 alfa beta gama delta





GLBer logs all runs in ~/glber/UTC-UNIX-EPOCH.log

To remove the GLBer configuration from a RouterOS router, find the UTC-UNIX-EPOCH that GLBer left in the RouterOS configuration, e.g. for the epoch 1420624338 you would run
$ glber file ~/glber/1420624338.log
and then run the GLBer RouterOS commands listed under
###RouterOS commands to remove the GLBer configuration###
in the RouterOS terminal.











old glber




20150102

VirtualBox or VMware vmdk to KVM qcow2

Migrate a VirtualBox or VMware guest (on vmdk) to KVM




See disk image information.
# qemu-img info lwa-flat.vmdk 
image: lwa-flat.vmdk
file format: raw
virtual size: 50G (53687091200 bytes)
disk size: 50G




Convert the vmdk image to a qcow2 image.
# qemu-img convert -O qcow2 lwa-flat.vmdk lwa-flat.qcow2




Create a guest definition and start guest.
# virt-install --connect qemu:///system --import -n lwa \
--vcpus=1 --ram=2048 \
--disk path=/home/vm/fromvbox/lwa-flat.qcow2,device=disk,format=qcow2 \
--vnc --noautoconsole --os-type linux --description lwa \
--network=bridge:b0 --hvm







20141230

ipduh v3

Finally! done "upgrading" ipduh to v3 ...


Some of the most noticeable changes-improvements are:













20141229

dovecot imap over ssl in debian notes

IMAP over SSL with dovecot in debian

Install the Dovecot IMAP daemon
# apt-get install dovecot-imapd


For a quick (& perhaps sloppy) debian setup just append the following to /etc/dovecot/dovecot.conf
listen = 192.0.2.1
syslog_facility = mail
mail_location = maildir:~/Maildir
ssl = yes
ssl_cert = </etc/ssl/certs/imap.signed.crt
ssl_key = </etc/ssl/private/imap.private.pem
ssl_verify_client_cert = no
protocol imap {
  imap_client_workarounds = tb-extra-mailbox-sep
}
auth_mechanisms = plain login


The IMAP daemon listens at 192.0.2.1 and Maildir mailboxes are used by the mail system.
The imap_client_workarounds definition works around Thunderbird peculiarities, and the auth_mechanisms definition adds login to work around Outlook peculiarities.

For a cleaner configuration file you may do the following.
# cd /etc/dovecot
# stor dovecot.conf
# doveconf -n > dovecot.conf


Restart the imap daemon
# /etc/init.d/dovecot restart


However, it seems like it speaks up to SSLv3 and not TLS at all.
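
A way to check a configuration for this, as an added example that is not part of the original post: a shell function that reads doveconf -n style settings and flags optional TLS (ssl = yes) and a protocol list that still admits SSLv3. It assumes ssl_protocols is the setting on Dovecot 2.1/2.2 and ssl_min_protocol on 2.3 and later; both sample configurations are constructed.

```shell
# Added example: audit `doveconf -n` style settings read from stdin.
audit_dovecot_tls() {
  awk -F' *= *' '
    $1 == "ssl"              { ssl = $2 }
    $1 == "ssl_protocols"    { protos = $2 }   # Dovecot 2.1/2.2 setting
    $1 == "ssl_min_protocol" { minp = $2 }     # Dovecot 2.3+ setting
    function weak(msg) { print "WEAK: " msg; n++ }
    END {
      # ssl = yes leaves TLS optional for the client; required enforces it.
      if (ssl != "required")
        weak("ssl = " (ssl == "" ? "(unset)" : ssl) ", want ssl = required")
      if (minp != "") {
        if (minp == "SSLv3") weak("ssl_min_protocol = SSLv3 permits SSLv3")
      } else if (protos != "") {
        npos = 0; neg3 = 0; pos3 = 0
        k = split(protos, p, " ")
        for (i = 1; i <= k; i++) {
          if (p[i] == "!SSLv3") neg3 = 1
          else if (p[i] == "SSLv3") pos3 = 1
          if (p[i] !~ /^!/) npos++
        }
        # An allow-list naming SSLv3, or a deny-list without !SSLv3, lets it in.
        if (pos3 || (npos == 0 && !neg3))
          weak("ssl_protocols = " protos " permits SSLv3")
      } else {
        weak("no ssl_protocols or ssl_min_protocol line, floor is the build default")
      }
      exit (n > 0)
    }'
}

# Constructed samples: the settings from the post, then a hardened variant.
POST_CONF='listen = 192.0.2.1
ssl = yes
auth_mechanisms = plain login'
HARDENED_CONF='listen = 192.0.2.1
ssl = required
ssl_protocols = !SSLv2 !SSLv3
auth_mechanisms = plain login'

printf '%s\n' "$POST_CONF" | audit_dovecot_tls || true
printf '%s\n' "$HARDENED_CONF" | audit_dovecot_tls && echo "hardened: no findings"
```

On a live system the input would be `doveconf -n | audit_dovecot_tls`.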






Trust the ipduh CA certificate in debian





Trust the ipduh CA certificate in debian.
# wget https://raw.githubusercontent.com/ipduh/ipduhca/master/ipduhca.crt -O /usr/local/share/ca-certificates/ipduhca.crt
# update-ca-certificates
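
Adding a CA to the system store makes every certificate it signs trusted, so the downloaded file is worth checking before update-ca-certificates runs. The following is an added example, not part of the original post: it installs the file only if it holds exactly one certificate and matches a SHA-256 value pinned in advance. The function name, the placeholder PEM body and the pin computed from it are constructed for the demo.

```shell
# Added example: gate the CA install on a single certificate and a pinned hash.
install_pinned_ca() {  # usage: install_pinned_ca FILE PINNED_SHA256 DESTDIR
  src=$1 pinned=$2 destdir=$3
  # A bundle could carry extra roots; insist on a single PEM certificate.
  count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$src") || true
  if [ "$count" != 1 ]; then
    echo "refusing $src: expected 1 certificate, found ${count:-0}" >&2
    return 1
  fi
  actual=$(sha256sum "$src" | cut -d' ' -f1)
  if [ "$actual" != "$pinned" ]; then
    echo "refusing $src: sha256 $actual does not match the pinned value" >&2
    return 1
  fi
  install -m 0644 "$src" "$destdir/$(basename "$src")"
}

# Constructed demo: a placeholder PEM body stands in for ipduhca.crt, and its
# hash stands in for a value obtained out of band from the CA's owner.
work=$(mktemp -d); mkdir "$work/trust"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
  '-----END CERTIFICATE-----' > "$work/ipduhca.crt"
PIN=$(sha256sum "$work/ipduhca.crt" | cut -d' ' -f1)
install_pinned_ca "$work/ipduhca.crt" "$PIN" "$work/trust" && echo installed

# A file carrying two certificates is rejected even before the hash check.
cat "$work/ipduhca.crt" "$work/ipduhca.crt" > "$work/bundle.crt"
install_pinned_ca "$work/bundle.crt" "$PIN" "$work/trust" || echo rejected
# On the real system DESTDIR is /usr/local/share/ca-certificates, and
# update-ca-certificates runs only after the function succeeds.
```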







20141220

clone a KVM guest





"Clone" a KVM debian guest notes.



Shut down or suspend the host.



Create a clone of the host democritos.
# virt-clone -o democritos -n thales -f /home/vm/thales.qcow2 -d
...
Clone 'thales' created successfully.
...
The clone disk is at /home/vm/thales.qcow2

This is good enough if we just need a clone with a different MAC Address and a different UUID. However, if we need a host that can work simultaneously with the original host we (most likely) need a bit more variation.



Log in to the clone or mount its image to change hostname, IP address(es), etc.



Change Hostname.
# cd /etc
# grep -ril `hostname -f` |tee hostname.file.list
apache2/sites-available/000.dup.ipduh.awmn.conf
postfix/main.cf
hostname
hosts
mailname
ssh/ssh_host_ecdsa_key.pub
ssh/ssh_host_rsa_key.pub
ssh/ssh_host_dsa_key.pub
aliases.db
# perl -i.0 -p -e 's/demokritos/thales/g;' `cat hostname.file.list`




Change IP address.
# grep -ril '192.0.2.61' /etc |tee ip.file.list
/etc/network/interfaces
/etc/hosts
# perl -i.old_ip -p -e 's/192.0.2.61/192.0.2.62/g;' `cat ip.file.list`
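
The file lists above include a binary database (aliases.db) and the SSH host public keys, and an unescaped dot in a substitution pattern matches any character. As an added example that is not the author's code, the function below does the hostname and IP replacement as a literal match on text files only, skips the SSH host key files (they are regenerated later anyway) and keeps a .0 backup of each file it edits. The function names and the sample tree are constructed.

```shell
# Added example: literal search-and-replace for a cloned guest's /etc that
# leaves binaries and SSH host keys untouched.
replace_literal() {  # usage: replace_literal OLD NEW DIR
  old=$1 new=$2 dir=$3
  # Escape regex metacharacters so "192.0.2.61" cannot match "192x0y2z61".
  old_re=$(printf '%s' "$old" | sed 's|[][\\.*^$/]|\\&|g')
  new_re=$(printf '%s' "$new" | sed 's|[\\&/]|\\&|g')
  # -I skips binary files such as aliases.db, -F matches OLD literally.
  grep -rIlF -- "$old" "$dir" |
    grep -v -e '/ssh_host_.*_key' -e '\.0$' |
    while IFS= read -r f; do
      # Keep the original as FILE.0 and report each file that was edited.
      sed -i.0 "s/$old_re/$new_re/g" "$f" && printf '%s\n' "$f"
    done
}

# Constructed stand-in for the clone's /etc (hypothetical contents).
make_sample_etc() {
  d=$(mktemp -d)
  mkdir -p "$d/ssh" "$d/network"
  printf '192.0.2.61 demokritos\n' > "$d/hosts"
  printf 'address 192.0.2.61\n# decoy 192x0y2z61\n' > "$d/network/interfaces"
  printf 'ssh-rsa AAAA... root@demokritos\n' > "$d/ssh/ssh_host_rsa_key.pub"
  printf 'demokritos\000\001\n' > "$d/aliases.db"
  printf '%s\n' "$d"
}

etc=$(make_sample_etc)
replace_literal 192.0.2.61 192.0.2.62 "$etc"
replace_literal demokritos thales "$etc"
```

Because aliases.db is skipped rather than rewritten, it still has to be rebuilt from the edited aliases file afterwards.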




Reboot Clone
# shutdown -r now




Log in to thales ( the cloned system )



Create a new RSA ssh key
# ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa
Generating public/private rsa key pair.
/etc/ssh/ssh_host_rsa_key already exists.
Overwrite (y/n)? y
Your identification has been saved in /etc/ssh/ssh_host_rsa_key.
Your public key has been saved in /etc/ssh/ssh_host_rsa_key.pub.
The key fingerprint is:
a6:fc:76:OF:F1:33:7C:04:77:07:ce:5a:cf:23:48:3a root@thales
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|             .   |
|            . .  |
|        S  . ----|
|     . o   .=  o.|
|      +   o..o..=|
|       ..E....o++|
|       ....  o=++|
+-----------------+




Overwrite the DSA SSH key with a new one.
# ssh-keygen -f /etc/ssh/ssh_host_dsa_key -N '' -t dsa




Overwrite the ECDSA SSH key with a new one with the largest (practical) key-size (allowed).
# ssh-keygen -f /etc/ssh/ssh_host_ecdsa_key -N '' -t ecdsa -b 521




In a debian based system you may use dpkg to replace the SSH keys
# dpkg-reconfigure openssh-server

















20141213

move kvm guest notes

Move (not live migration) a KVM VM from a host B to a host C.

Assuming that the guest VM is bridged and that both KVM hosts are in the same ethernet segment.

Shutdown guest VM.

Copy guest VM image from host B to host C.
b# scp /vm/vm2.qcow2 root@c:/vm


Dump XML definition and copy it to the destination host.
b# virsh dumpxml vm2 > vm2.xml
b# scp vm2.xml root@c:/etc/libvirt/qemu


On host C (the destination host) define the guest from its XML definition.
c# virsh define /etc/libvirt/qemu/vm2.xml
Domain vm2 defined from /etc/libvirt/qemu/vm2.xml


Start VM guest on the destination system.
c# virsh start vm2
Domain vm2 started


Disable autostart for the VM guest in B (the original host).
b# virsh autostart vm2 --disable
Domain vm2 unmarked as autostarted


Enable autostart for the moved VM guest in C (the destination host).
c# virsh autostart vm2
Domain vm2 marked as autostarted









20141212

install debian-packaged awstats





Notes on installing and using debian-packaged AWStats to analyze Apache logs.



Install debian packaged awstats ( now v7.0 )
# apt-get install awstats




I would use the following setup in apache2 installations with site(s) or virtual host(s) that belong to the same person-organization and I would NOT use it in a shared hosting environment.



Get the apache configuration file.
# wget https://raw.githubusercontent.com/ipduh/apache2_awstats_conf/master/awstats.conf -O /etc/apache2/conf.d/awstats.conf


Restart Apache.
# /etc/init.d/apache2 restart




Enable ipduh_intel awstats plugin and disable PTR lookups.
# wget https://raw.githubusercontent.com/ipduh/apache2_awstats_conf/master/awstats.conf.local -O /etc/awstats/awstats.conf.local
IP numbers relay much more information than PTR names and PTR names can be (and commonly are) abused-manipulated.



Install the ipduh_intel awstats plugin.
# wget https://raw.githubusercontent.com/ipduh/awstats_plugins/master/ipduh_intel.pm -O /usr/share/awstats/plugins/ipduh_intel.pm




Create the apache password file and add the user 'user' with password 'userpass'
# htpasswd -cb /etc/awstats/A2Passwords user userpass
Add the user 'user2' with password 'user2pass' to the apache passwords file
# htpasswd -b /etc/awstats/A2Passwords user2 user2pass




Create an awstats configuration file for each (virtual) host in /etc/awstats. The configuration files should have the form awstats.host.conf e.g. for a host named example.com the configuration file would be awstats.example.com.conf and it could look like the following.
Include "/etc/awstats/awstats.conf"
SiteDomain="example.com"
HostAliases="www.example.com"
DirData="/logs/sites/example.com/awstats"
LogFile="/logs/sites/example.com/access_all"





Analyze the access logs of one host for the first time.
# cat /logs/sites/example.com/access/* >> /logs/sites/example.com/access_all
# /usr/lib/cgi-bin/awstats.pl --configdir=/etc/awstats/ -config=example.com




View the awstats analysis with a web browser at http://example.com/awstats/awstats.pl?config=example.com



Get rid of debian package cronjob
# rm /etc/cron.d/awstats



