Ruby on Rails – CentOS 5.6/5.7

This one presented quite a challenge for me. It seems that the magical solution is using the right versions. There are a number of ways (supposedly) to install ruby on rails. I started out trying to use ruby packages included in CentOS. I quickly realized that was not going to work. It kept running all kinds of issues with libraries missing or incorrect versions. So then, I opted to just build from source. Well, this got me much closer but I ended up having an openssl issue that I thought I resolved, but the gem command was having all kinds of issues. Something clearly was not right. So, I then went back to using RVM, which I had tried earlier. This time I started completely over with a new HPCloud CentOS 5.6 image. The following is what worked for me.

As I mentioned above, I started with a clean HPCloud CEntOS 5.6 image ( ami-000004d2 – local (CentOS 5.6 Server 64-bit) ).

# yum groupinstall “Development Libraries” “Development Tools”

The next step, of course, turned my 5.6 instance into a 5.7 instance:
# yum update
# shutdown -r now

Add the EPEL repository:

# cd /usr/local/src
# wget http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm
# rpm -ivh epel-release-5-4.noarch.rpm
# yum install git

Remove certificate requirement for curl, when installing rvm:
# echo insecure >> ~/.curlrc

# bash -s stable < <(curl -s https://raw.github.com/wayneeseguin/rvm/master/binscripts/rvm-installer)

# vigr
...
rvm:x:500:root

Update environment variables:
# source /etc/profile.d/rvm.sh

Install other dependencies for ruby determined by running rvm requirements:
# yum install -y gcc-c++ patch readline readline-devel zlib zlib-devel libyaml-devel libffi-devel openssl-devel make bzip2 autoconf automake libtool bison iconv-devel

# rvm install 1.9.2
# rvm use 1.9.2

Note: You can use the following command to make this version the system default:
# rvm use 1.9.2 –default

To verify that all is right at this point:
# type rvm | head -1
rvm is a function is the expected output.

# cd $(rvm gemdir)

The following will install the gem command:
# rvm rubygems current

This will allow you to install rails:
# gem install rails

This has allowed me (rails is not needed for this) to install hpcloud command to manage my Storage Object.

# wget http://build.hpcloud.com/sites/default/files/downloads/hpfog.tar
# tar -xvf hpfog.tar
# wget http://build.hpcloud.com/sites/default/files/downloads/hpcloud.tar
# tar -xvf hpcloud.tar
# gem install hpfog-x.x.x.gem
# gem install hpcloud-x.x.x.gem

# hpcloud
Tasks:
hpcloud account:setup # set up or modify your credentials
hpcloud acl # view the ACL for an object or container
hpcloud acl:set # set a given resource to a canned ACL
hpcloud containers # list available containers
hpcloud containers:add # add a container
hpcloud containers:remove # remove a container
hpcloud copy # copy files from one resource to another
hpcloud get # fetch an object to your local directory
hpcloud help [TASK] # Describe available tasks or one specific task
hpcloud info # info about the HP Cloud CLI
hpcloud list # list container contents
hpcloud location # display the URI for a given resource
hpcloud move # move objects inside or between containers
hpcloud remove # remove an object or container

Serial console saga … again.

This doesn’t come up for me very often, but when it does, it is always a pain. Well, I finally had enough … again. I needed a serial console connection much like those needed for network equipment (routers, switches, etc). Last time, I was determined not to use HyperTerm, one of the worst applications (Why is this still in the documentation for these devices?). I decided to approach it from a linux client, instead of Windows. I happily used minicom in linux, until today when I needed to upload firmware to a SAN controller using XMODEM 1K. It would not work no matter what I tried including adding -k to the sw command.

So, back to Windows I went. I tried putty, because it is light and no installation is required. However, putty does support XMODEM at all. Nonetheless, putty provides great quick console access.

Next, I tried Tera Term VT, and this worked well. Got connected right up to the console, and it seems to support XMODEM 1k as well. I have been able to transfer the firmware to the controller, however, the firmware is not installing despite saying that the download was successful. It looked so promising too.

Inital @HPCloud observations.

I posted my initial thoughts or observations about @hpcloud as a comment on my google+ account.

How to reset MySQL root password, when forgotten..

These are the steps used to reset the root password in MySQL running on a linux system. In my case, it was CentOS 5.6.

Login as root.

Check to see what user ID MySQL is running under. In CentOS/RedHat it is mysql.

# su – mysql

Stop MySQL if it is currently running.

# kill `cat /var/run/mysqld/mysqld.pid`

or, as root:

# service mysqld stop

Create a temporary sql script containing the following:

# vi tmp.sql
UPDATE mysql.user SET Password=PASSWORD(‘newpassword‘) WHERE User=’root’;
FLUSH PRIVILEGES;

Start up MySQL in safe mode using the initialization script you just created:

# mysqld_safe –init-file=tmp.sql &

Test the new password:

# mysql -u root -p newpassword
mysql>

As root:

# service mysqld stop
# service mysqld start

More fun with ldapsearch and Active Directory.

Since I started this little investigation of LDAP today, I decided to look into using the ldapsearch command in linux to display Windows Active Directory attributes and information. This is a bit of what I came up with:

# ldapsearch -x -LLL -E pr=someinteger/noprompt -h host -D ‘adsuser@mydomain.com‘ -W -b “searchbase

Some explanation:

someinteger: Because of the “noprompt” switch, this number is not really important. All matching entries will be displayed. You can set it some integer with a “prompt” switch, and only that number of entries will be displayed before you are prompted for more. The -E option is available in later versions of openldap. I tested version 2.3. It is not an option in 2.0.

adsuser@mydomain.com: This can be any user account in the directory, because they have read only access to the directory. I used the -W option to prompt me to enter my password, however you can use the -w option and pass it your ADS password on the command line.

searchbase: The search base is where things get interesting. You can use something like the following to search for only users:

# ldapsearch -x -LLL -E pr=someinteger/noprompt -h host -D ‘adsuser@mydomain.com‘ -W -b “cn=users,dc=mydomain,dc=com

Or computers:
# ldapsearch -x -LLL -E pr=someinteger/noprompt -h host -D ‘adsuser@mydomain.com‘ -W -b “cn=computers,dc=mydomain,dc=com

Or everything under DC=mydomain,DC=com:

# ldapsearch -x -LLL -E pr=someinteger/noprompt -h host -D ‘adsuser@mydomain.com‘ -W

You can also filter for certain distinguished names:

This will display attributes and values for all relative distinguished names:

# ldapsearch -x -LLL -E pr=someinteger/noprompt -h host -D ‘adsuser@mydomain.com‘ -W -b “cn=users,dc=mydomain,dc=com” -s sub “(cn=*)”

This will display all relative distinguished names that start with the letter “z” under the users distinguished name:

# ldapsearch -x -LLL -E pr=someinteger/noprompt -h host -D ‘adsuser@mydomain.com‘ -W -b “cn=users,dc=mydomain,dc=com” -s sub “(cn=z*)”

Fun stuff, but not exactly sure what I would do with this information. Maybe access ADS information without having to login to Windows.

How to search and modify an LDAP record from the command line.

The following was verified on openldap versions 2.0 and 2.3:

To display all attributes associated with a particular cn:
# ldapsearch -x -b ‘distinguished name‘ ‘cn=Some CN’

Or using a wildcard:
# ldapsearch -x -b ‘distinguished name‘ ‘cn=startswith*’

Example:
# ldapsearch -x -b ‘dc=mydomain,dc=com’ ‘cn=myCN’
# ldapsearch -x -b ‘dc=mydomain,dc=com’ ‘cn=myCNstartwith*’

This information can help you to determine what you want to modify.

How to modify an attribute value for a particular cn:

#ldapmodify -x -D ‘distinguished name‘ -w password -f filename

Contents of filename:

dn: distinguished name
changetype: modify
replace: attribute
attribute: newvalue

Example:
# ldapmodify -x -D ‘cn=admin,dc=mydomain,dc=com’ -w MyPassword -f myfile

# cat myfile
dn: cn=”Lastname, Firstname”, dc=mydomain, dc=com
changetype: modify
replace: mail
mail: myaccount@mydomain.com

How to enable Hyper-V Tools

Installing a Microsoft Hyper-V server is simple enough, but what to do once you have installed? The pieces fall into place once you can figure out where download/install/enable the Hyper-V Manager. This is the interface you will need to use in a small implementation to manage and create your virtual machines on your Hyper-V server.

In Windows 7, go to Control Panel/Programs/Programs and Features, and click on “Turn Windows features on or off.”

This will bring up the Windows Features window, where you can check/uncheck features that you want to enable/disable.

Check the Hyper-V Tools box to enable the Hyper-V Manager.

Note: The Hyper-V Manager mmc plugin can also be found in the Remote Administration software for Windows 7/Vista. Further information can found on the Microsoft website.

Jailbreak iPhone 4s IOS 5.0.1

I finally got around jail breaking my iPhone 4s, and it was easy enough. Here are the steps I used:

Computer OS: MacOS Lion 10.7.2

Connected phone to computer using the USB cable.

Opened up iTunes

Right mouse clicked on my phone in iTunes, and selected Backup

Download the Absinthe program from http://cache.greenpois0n.com/dl/absinthe-mac-0.1.2-2.zip.

Unzipped the program by double clicking it.

I closed iTunes, and launched Absinthe.

Clicked “Jailbreak”. This step take quite and while, and looks like it is restoring.

Once complete, you will see a message stating that you are almost done.

Unlock you phone, and tap the Absinthe icon that was added.

This will briefly display the Greenp0ison website, and then reboot.

This will replace the Absinthe icon with a Cydia icon.

Launch Cydia, and you get a “Preparing Filesystem” message and the Springboard will re-launch.

Update: I had to re-setup the Wi-Fi Sync. I did this by plugging my phone into my computer with iTunes running. I turned off Wi-Fi Sync by unchecking it in iTunes, and applying. Then, I turned it back on and applied. This took care of it.

Migrating virtual machines from VMware Server 1.x to VMware ESXi 5.0.

I needed to get some Windows 2003 virtual machines migrated from a VMware Server 1.x implementation to an ESXi host (In my case, this was controlled under vCenter.). Here is the procedure I used that worked rather well despite some limitations. Note: this procedure was used to migrate Windows 2003 VMs.

Verify that you have no snapshots. If you do, remove them. Also, if you want maintain the same MAC address and IP address, you should note them before starting.

Shutdown the virtual machine from the VMware Server console.

Copy the VM over to your ESXi server (You need to have ssh enabled on the ESXi host.).

Add the copied over VM to your vSphere client inventory.

Use the VMware Standalone Converter to convert the powered off VM you just copied over. The destination is going to the same as your ESXi host (or any other ESXi). I did uncheck “Remove restore checkpoints”, but this should not be necessary.

Once converted, boot the newly converted VM.

Install or upgrade VMware tools.

Then, if you want to preserve the MAC address and IP address, shutdown the VM.

Modify the MAC address via the vSphere client by manually setting it in the Network Adapter settings.

Boot the VM.

Configure the static IP address, if you had one before the migration.

This process went very well and without an issue. However, you do need to be able to have enough space to have two copies of the VM on the ESXi host if you only have one ESXi host in your environment.

How to block/allow proxy access via squid proxy using ADS authentication and group membership.

The following procedures were used on RedHat Enterprise Linux 5.x.

The following previous post outlined how to get the linux server joined to domain and supporting ADS authentication. This link also contains information for RHEL6.x in the comments as well :

Howto Join An Active Directory Server using RHEL5.x/CentOS5.x and Samba 3.0.x

The key is getting the /etc/squid/squid/conf right. I have included the entire configuration used. A lot of the options are not required in all situations. I have a number of things going on here. Many of which I could clean up and make better, but I wanted to leave them in here because I know this configuration works. I actually have three proxy servers (two peers) in the configuration. The configuration forwards the requests to one of the two peers based upon the site accessed. This is probably not required for most deployments.

# cat /etc/squid/squid.conf

# Port squid listens on
http_port 3128
...
hierarchy_stoplist cgi-bin ?

acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY

acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

cache_dir null /tmp

access_log /var/log/squid/access.log common

# To support ADS credentials for access.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on

# Begin Group
# To support ADS group membership requirements.
external_acl_type WindowsGroup ttl=60 children=5 %LOGIN /usr/lib/squid/wbinfo_group.pl
# End Group

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

acl all src 0.0.0.0/0.0.0.0
# To allow sites that do not work with NTLM. Created a list of sites that do not seem to work using NTLM
# to exclude from authentication requirement.
acl allowsites url_regex -i "/etc/squid/allowedsites.acl"

# Begin Group
# ACLs to get ADS group membership. I have two groups here. One group has unrestricted access
# and the other limited. The ADS groups used here are ProxyAccess and ProxyAccessLimited.
acl InWindowsGroup external WindowsGroup ProxyAccess
acl InLimitedWindowsGroup external WindowsGroup ProxyAccessLimited
# End Group

# Begin Facebook test.
# These ACLs are set up to manage which users can access Facebook in this instance.
# List of users.
acl UnRestrictedUsers proxy_auth "/etc/squid/UnRestrictedUsers.acl"
# List of sites allowed to these users.
acl ExcemptedSites url_regex -i "/etc/squid/ExcemptedSites.acl"
# List of managed domains.
acl RestrictedDomains dstdomain "/etc/squid/RestrictedDomains.acl"
# End Facebook test.

# Begin limited access test.
# This is where the specific restrictions are made for the ProxyAccessLimited users.
acl LimitAllowedSites url_regex -i "/etc/squid/LimitAllowedSites.acl"
acl LimitRestrictions dstdomain "/etc/squid/LimitRestrictions.acl"
# End store access test.

acl MyACL proxy_auth REQUIRED
acl java browser java
acl java browser Java

acl broken dstdomain .aa.com
header_access Accept-Encoding deny broken

http_access allow all java
http_access allow all allowsites

# Begin Group
# This will allow users in the ProxyAccessLimited ADS group access to the sites listed in the
# /etc/squid/LimitAllowedSites.acl file, but access to the sites listed in the /etc/squid/LimitRestrictions.acl
# file. Note: a "." in the LimitRestrictions.acl file will limit the users only to the sites listed in the
# LimitAllowedSites.acl file.
http_access allow InLimitedWindowsGroup LimitAllowedSites !LimitRestrictions
# This will allow users in the ProxyAccess ADS group access to any sites, and permits those listed in the
# /etc/squid/UnRestrictedUsers.acl file access to the site listed in the /etc/squid/ExcemptedSites.acl file.
http_access allow InWindowsGroup UnRestrictedUsers ExcemptedSites
# This will allow users in the ProxyAccess ADS group access to any sites, except those listed in the
# /etc/squid/ExcemptedSites.acl file.
http_access allow InWindowsGroup !ExcemptedSites
# End Group

http_access deny all
never_direct allow all
# This is where the two peers are defined.
cache_peer myproxy01.domain.com parent 80 0 no-query default
cache_peer myproxy02.domain.com parent 80 0 no-query default

# This determines which peer is going to used based the sites listed in the /etc/squid/RestrictedDomains.acl
# file.
cache_peer_access myproxy01.domain.com deny RestrictedDomains
cache_peer_access myproxy02.domain.com allow RestrictedDomains

acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all

http_reply_access allow all

icp_access allow all

cache_effective_group squid

coredump_dir /var/spool/squid

memory_pools off

half_closed_clients off

The .acl files listed in the configuration are either just a list of usernames (ADS or otherwise), or a list of domains. In the case of the domains, you can use the following syntax to signify all host for a particular domain:

.mydomain.com

Below, I have tried to strip out the other things to demonstrate all that is needed to support proxy access via ADS group membership.

Excerpts from /etc/squid/squid.conf:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on
...
# Begin Group
external_acl_type WindowsGroup ttl=60 children=5 %LOGIN /usr/lib/squid/wbinfo_group.pl
# End Group
...
# Begin Group
acl InWindowsGroup external WindowsGroup ProxyAccess
acl InLocationsWindowsGroup external WindowsGroup ProxyAccessLocations
# End Group
...
# Begin store access test.
acl LocationAllowedSites url_regex -i "/etc/squid/LocationAllowedSites.acl"
acl LocationRestrictions dstdomain "/etc/squid/LocationRestrictions.acl"
# End store access test.
...
acl MyACL proxy_auth REQUIRED
...
# Begin Group
http_access allow InLocationsWindowsGroup LocationAllowedSites !LocationRestrictions
http_access allow InWindowsGroup
# End Group
...

Also, if you want to customize the default access denied page that users receive when they go to a site that they are not permitted to access, you can add you customizations to the /usr/share/squid/errors/English/ERR_ACCESS_DENIED file. I believe you can do a number of other creative things with error pages, but I have not looked in to that.

If you want to add/remove sites from the files, you just need to issue a “service squid reload” to activate the new settings.

Return top

INFORMATION

LinkedIn Profile
Follow Me on Tumblr