Category: Development


After doing a lot of reading online, I’ve finally built a new OpenAFS cell in my home network. This involved reading piles of terribly out-of-date documentation and HOWTO’s, and a lot of frustration on my part. I help administer OpenAFS at work, but I’d never set up a new cell before, and the process of working out the right Kerberos keys and setting up the servers with bos were throwing me for a loop.

Eventually, I found the guides hosted on spinlocksolutions.com, which have a very clear walkthrough, with up-to-date explanations on how to setup a Debian-based OpenAFS cell, as well as a Kerberos 5 domain and an OpenLDAP server. They can be used with Ubuntu Server almost without alteration. This is good, as I have a passing knowledge of Ubuntu from previous projects.

However, there were two gotchas I ran into when doing an install with Ubuntu Server:

  1. The Ubuntu installer had added my FQDN to /etc/hosts with an IP address of 127.0.2.1, which makes the afs-newcell script lose its mind when trying to create the CellServDB entry it needs. The server's FQDN has to resolve to a real interface address, not a loopback one.
  2. The copy of the afs-newcell Perl script delivered by Ubuntu's apt-get has a bug: it doesn't pass the -noauth flag when creating the dafs server. You will see errors about not having permission to create the dafs server. Simply edit the script and add the '-noauth' flag.
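A quick check for the first gotcha, written here as an added example in Python (it is not part of the original post or of the OpenAFS tooling): it parses /etc/hosts-style text and reports any line that maps the cell server's FQDN to a loopback address. The hosts content and the hostname afs1.example.com are constructed sample data; to run it against the real file, read /etc/hosts into the string instead.

```python
import ipaddress

# Constructed sample of what the Ubuntu installer leaves behind: the FQDN
# appears both on a 127.x line and on the real interface address.
SAMPLE_HOSTS = """\
127.0.0.1\tlocalhost
127.0.2.1\tafs1.example.com\tafs1    # added by the installer
192.168.1.10\tafs1.example.com
::1\tlocalhost ip6-localhost
"""


def loopback_fqdn_entries(hosts_text, fqdn):
    """Return (line_number, address) pairs where `fqdn` is mapped to a loopback address.

    Comments and blank lines are skipped; unparsable addresses are ignored rather
    than treated as errors, since /etc/hosts often carries vendor cruft.
    """
    hits = []
    for lineno, raw in enumerate(hosts_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        names = {name.lower() for name in fields[1:]}
        if addr.is_loopback and fqdn.lower() in names:
            hits.append((lineno, str(addr)))
    return hits


if __name__ == "__main__":
    for lineno, addr in loopback_fqdn_entries(SAMPLE_HOSTS, "afs1.example.com"):
        print(f"/etc/hosts line {lineno}: afs1.example.com -> {addr} (loopback; remove before afs-newcell)")
```

If the function returns anything, delete or comment out that line before running afs-newcell; the 127.0.0.1 localhost line is left alone because it does not name the FQDN.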

Once afs-newcell runs properly, everything else goes exactly according to the documentation – afs-rootcell creates things as it’s supposed to, and the various Debian/Ubuntu packages to configure PAM work as expected.

BadTraffic on github

After several months of hemming and hawing, I’ve finally gotten my free-time project to a state where it deserves a look from a wider community: the BadTraffic Perl module is now on GitHub. It’s a Perl module that allows a group of Solaris, RHEL or Mac OS X hosts to subscribe to a database-driven list of blocked hosts, as well as contribute to the list. The blocks are selectable from the command line based on tags assigned to the blocks when they are entered, and there is a whitelist feature.

The long and short of it: if you run a cluster of web servers and one node blocks an IP address for abusive traffic, the rest of the nodes block the address before the spammer/script kiddie/whoever tries the next node in the cluster. It also helps when you know netblocks that primarily generate illegitimate traffic: you can block them outright and be done with it.

The strangest part of the module is that you can use BadTraffic to build Net::CIDR::Lite objects based on subnet subtraction: if you whitelist 10.0.1.0/24 and then blacklist 10.0.0.0/22, BadTraffic is smart enough to add blacklist entries for 10.0.0.0/24 and 10.0.2.0/23 instead. This feature was added primarily for Solaris 8 hosts, which have no built-in firewall, so blocks are done with blackhole routes. As Solaris 8 really is a dead OS and people should stop using it, the feature may disappear in BadTraffic 2.0, but it’s in for the 1.x series.
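The subnet subtraction above, worked through as an added example. BadTraffic itself is Perl and builds on Net::CIDR::Lite; this Python version (not the module's code) shows the same arithmetic with the standard ipaddress module, and generalises it to any number of blacklist and whitelist entries, including a whitelist that covers a whole block (the block is dropped) or does not overlap it at all (the block is kept unchanged). The CIDRs in the usage are the post's 10.0.0.0/22 and 10.0.1.0/24 plus constructed extras.

```python
import ipaddress


def effective_blocks(blacklist, whitelist):
    """Return the CIDR blocks to actually install: blacklist minus whitelist.

    Each whitelist entry is carved out of every blacklist entry it overlaps:
      - whitelist covers the block (or equals it): the block disappears;
      - whitelist lies strictly inside the block: the block is split around it;
      - no overlap (or different IP version): the block is kept as-is.
    Adjacent or duplicate pieces are merged before returning.
    """
    working = [ipaddress.ip_network(b, strict=False) for b in blacklist]
    for allow in (ipaddress.ip_network(w, strict=False) for w in whitelist):
        next_working = []
        for blk in working:
            if allow.version != blk.version:
                next_working.append(blk)          # v4 vs v6: cannot overlap
            elif allow.supernet_of(blk):          # whole block is whitelisted
                continue
            elif blk.supernet_of(allow):          # strictly larger: cut it out
                next_working.extend(blk.address_exclude(allow))
            else:
                next_working.append(blk)          # disjoint, nothing to do
        working = next_working

    # collapse_addresses refuses mixed versions, so merge v4 and v6 separately.
    result = []
    for version in (4, 6):
        same = [n for n in working if n.version == version]
        result.extend(ipaddress.collapse_addresses(same))
    return [str(n) for n in result]


if __name__ == "__main__":
    # The post's example: blacklist 10.0.0.0/22, whitelist 10.0.1.0/24.
    print(effective_blocks(["10.0.0.0/22"], ["10.0.1.0/24"]))
    # Constructed extras: an overlapping second block and an unrelated whitelist.
    print(effective_blocks(["10.0.0.0/22", "10.0.2.0/24", "192.0.2.0/24"],
                           ["10.0.3.0/24", "198.51.100.0/24"]))
```

Applying the whitelist entries one at a time against the working set is what lets a later whitelist entry carve up a piece that an earlier one already produced, which is the case a single pass over the original blacklist would miss.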

More robust documentation is coming, as well as examples for setup and long term maintenance. I retain all copyright of the module and the associated scripts, for now.

VMWare Perl SDK and Runtime Issues

If you are using the VMWare Perl SDK, you need to avoid calling find_entity_views unless you also pass it a property filter, such as properties => ['vm', 'summary']. This keeps the API from gathering all the available information about each node it traverses. There is a lot of data, and some of it (like performance counters) is generated each time it is asked for, which makes runtime operations very slow. My script to parse VMWare info went from an 8 minute run to less than 20 seconds after properly filtering down the property list.

cthulhu-manip and OSX

I’m almost done with an initial feature set that extends cthulhu-manip fully to Snow Leopard. You need DBD::mysql and Parse::Syslog. If you install Parse::Syslog via CPAN, you’ll likely get a lot of warning messages about the way syslog reports multiple events. To silence them:

sudo find /Library/Perl -type f -name "Syslog.pm" \
-exec sed -i '' -e 's@warn "WARNING: line@#warn "WARNING: line@g' {} \;

The other significant difference between RHEL and OSX for this project is that RHEL uses iptables while OSX uses ipfw, and instead of having a stable crontab to use, OSX uses launchd. Neither is better or worse than the other, but they are different, and that makes coding things up a little interesting. The script in bin/installer does its best at the moment to set things up properly.

I’m still planning on merging the block_ipfw and block_iptables commands in cthulhu.pm, as the detection code also runs inside the perl module, and there’s no reason to make the end user have to figure it out and code up separate blocks when we already know what we have to do.

Getting cthulhu-manip running on Mac OS X means getting the DBD::mysql Perl module installed. Which means, sadly, installing MySQL. The good news is it’s actually easy. Just go to dev.mysql.com and download the Mac OS X Intel 64 bit (x86_64) version, and untar the file as /usr/local/mysql:


bwdezend@harbinger:[~/Desktop] $ tar xvzf mysql-5.5.12-osx10.6-x86_64*
bwdezend@harbinger:[~/Desktop] $ sudo mv mysql-5.5.12-osx10.6-x86_64 /usr/local/mysql

Then, go build DBD::mysql with CPAN:


bwdezend@godzilla:[~] $ sudo perl -MCPAN -e shell
Password:
cpan[1]> install DBD::mysql

It will print a bunch of crap on the screen as it installs, and then you’re all done, and you can use DBD::mysql, which is needed for my auto-blocking scripts to work.