Category Archives: Linux

Provisioning VMs with cloud init

One of the easiest ways to deploy a virtual machine in oVirt is to install the OS once and turn that VM into a template, which you then copy to deploy new instances. The mundane part comes after each copy: logging in, changing the IP, setting the hostname, setting up Puppet, running Puppet, and so on. cloud-init is the tool designed to automate those steps. oVirt/RHEV (as well as OpenStack, AWS, and others) let you pass in user data, which is supplied to cloud-init after the template is copied and the new VM is powered on. The new VM can then configure itself on first boot, easing deployment.
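As an added example (not code from the original post), this builds the kind of user-data document the paragraph describes and checks that it does not weaken the clone. It assumes the template already has cloud-init and the Puppet agent installed before sealing, that the Puppet master is reachable as puppet.example.com, that example.com is the domain, that puppet.conf lives at the Puppet 4 path /etc/puppetlabs/puppet/puppet.conf, and that the admin user logs in with an SSH key only; all of those names are assumptions. The resulting string is what you paste into oVirt's cloud-init user-data field (or hand to OpenStack/AWS).

```python
"""Build and sanity-check a hardened cloud-init user-data document.

Added example, not from the original post. Hostnames, domain and the
puppet.conf path below are assumptions for illustration.
"""
import json

PUPPET_SERVER = "puppet.example.com"   # assumed Puppet master hostname
DOMAIN = "example.com"                 # assumed domain for the clones
PUPPET_CONF = "/etc/puppetlabs/puppet/puppet.conf"  # assumed Puppet 4 layout


def build_user_data(hostname, admin_user, ssh_pubkey, puppet_server=PUPPET_SERVER):
    """Return a #cloud-config document as a string.

    cloud-init only treats the payload as cloud-config when the literal
    first line is '#cloud-config'. The body is YAML; JSON is valid YAML,
    so json.dumps produces a correct body without a third-party library.
    """
    fqdn = "%s.%s" % (hostname, DOMAIN)
    cfg = {
        "hostname": hostname,
        "fqdn": fqdn,
        "manage_etc_hosts": True,
        "ssh_pwauth": False,          # SSH accepts keys only
        "disable_root": True,
        "users": [{
            "name": admin_user,
            "sudo": "ALL=(ALL) NOPASSWD:ALL",
            "lock_passwd": True,      # no password login for this account at all
            "ssh_authorized_keys": [ssh_pubkey],
        }],
        "write_files": [{
            "path": PUPPET_CONF,
            "content": "[main]\nserver = %s\ncertname = %s\n" % (puppet_server, fqdn),
        }],
        # First Puppet run on first boot; the template's manifests do the rest.
        "runcmd": [["/opt/puppetlabs/bin/puppet", "agent", "--test"]],
    }
    return "#cloud-config\n" + json.dumps(cfg, indent=2) + "\n"


def check_user_data(doc):
    """Return a list of problems that would weaken the clone (empty if none).

    Catches the three mistakes seen most often in hand-written user-data:
    a missing header (payload silently ignored), password SSH logins, and
    plaintext passwords baked into the document.
    """
    problems = []
    header, _, body_text = doc.partition("\n")
    if header != "#cloud-config":
        problems.append("missing #cloud-config header")
    body = json.loads(body_text)
    if body.get("ssh_pwauth", True):
        problems.append("ssh password auth left enabled")
    for user in body.get("users", []):
        if isinstance(user, dict) and ("passwd" in user or "plain_text_passwd" in user):
            problems.append("plaintext password for user %s" % user.get("name"))
    if "chpasswd" in body:
        problems.append("chpasswd sets passwords on first boot")
    return problems


if __name__ == "__main__":
    # Constructed sample key; replace with the real public key.
    doc = build_user_data("web01", "admin", "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample admin@example")
    print(doc)
    print("problems:", check_user_data(doc))
```

The check is deliberately strict about `ssh_pwauth`: cloud-init leaves the distribution default in place when the key is absent, which on a template sealed with password logins enabled means every clone inherits them.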

For my environment, I wanted a CentOS 7 template. To get there, I must first install CentOS on a new VM and seal it (Windows calls this Sysprep). Before I seal it, I must install cloud-init and any other tools I might use for deployment, such as Puppet. Here are the steps:

Continue reading Provisioning VMs with cloud init

Securing PWM

In last week’s post we set up PWM insecurely. In this post we are going to lock it down and install a database to store the reset questions. This guide assumes the CentOS 7 server is publicly accessible, with ports 80 and 443 open to the entire world. First we need to install MariaDB (the MySQL shipped with CentOS 7), create a database, and add a user for it; the puppetlabs-mysql module does all three. Both passwords below sit in the manifest in plaintext, so keep the manifest out of shared version control or pull the values from Hiera (hiera-eyaml) instead. Edit manifest.pp and append the following:

 class { '::mysql::server':
     root_password           => 'My4cc0unt$$password!',
     remove_default_accounts => true,          # drop anonymous users and the test database
     package_name            => 'mariadb-server', # CentOS 7 ships MariaDB, not Oracle MySQL
     package_ensure          => 'installed',
     service_name            => 'mariadb',
 }

 # Database plus a least-privilege user; the module grants ALL on pwm.* only.
 mysql::db { 'pwm':
     user     => 'pwm',
     password => 'pwm_passworD2!', # Can't do a password hash here :(
 }

 # Installs the JDBC driver package (mysql-connector-java on CentOS 7).
 class { 'mysql::bindings':
     java_enable => true,
 }

 # Put the driver on PWM's Tomcat classpath once the package is present.
 file { '/opt/tomcat8/pwm/lib/mysql-connector-java.jar':
     ensure  => link,
     target  => '/usr/share/java/mysql-connector-java.jar',
     require => Class['mysql::bindings'],
 }

We will also need to install additional modules: Continue reading Securing PWM

Linux training on sale until 7/31/16

The Linux Foundation is offering select courses at a discount until 7/31/16. Some offers are up to 55% off. You can also get an additional 10% off at checkout by using the code GSHOP. That brings the prices down to:

$180 – For Essentials of System Administration (LFS201) or Linux Networking and Administration (LFS211)

$315 – Essentials of System Administration AND Linux Networking and Administration

$269.10 – Certified Linux SysAdmin or Certified Linux Engineer

$495 – Certified Linux Rockstar

You can find these prices by using their special system administrator appreciation sale page and using the checkout code GSHOP. If you were looking for a time to level up your Linux knowledge, now is the time to do it.

OpenWRT Captive Portal

In a previous post, I explained how to set up a captive portal on a Raspberry Pi which was running Raspbian (Debian). If you read that article, you can skip the next paragraph.

A captive portal is a piece of software that prompts for user interaction before allowing the client to access the internet or other resources on the network. It is a combination of a firewall and a webserver. In this tutorial, I will explain how to create an open WiFi network on OpenWRT firmware. Before deploying an open WiFi network, you may want to consult a lawyer about the legality and restrictions of having one. You can also review what has been said by lawyers here and here.

To set up a captive portal on a wireless access point (WAP), you will need to have the OpenWRT firmware installed and have at least 5 MB of free space. My TP-Link 1043ND had enough space and this article was tested against it. This article assumes you have OpenWRT installed without any additional add-ons and have plenty of space to spare.

Continue reading OpenWRT Captive Portal

Learn GNU/Linux the easy way

Let’s face it: Linux is a kernel, and no matter which distribution you use, the pieces are the same. You have a repository of packages, a package manager to manage them, a desktop environment, and the freedom to tinker all the way down to kernel settings such as IP routing and forwarding.

The differences lie in the distribution's release cycle, package names, and default desktop environment, though you can find spins that change even that. Each distribution is trying to tackle a specific problem and comes with its own solution, whether that is security, research, UI, stability, or high-performance computing.

If you are starting out, pick a user-friendly distribution like Ubuntu or Debian. Use it with the defaults for six months while learning as much as you can. Then move on to the distribution that fits your use case. For enterprise use: CentOS, Red Hat, Ubuntu, or SUSE (you will get the best hardware and software support that way). For home use: Debian, Ubuntu, Arch, Gentoo, Fedora, or anything else you like. For embedded: Debian, Yocto, Gentoo, OpenEmbedded, OpenWRT, and others. For stability and security: Debian or one of the enterprise distributions.

At the end of the day, it is all built upon the Linux kernel, unless you are using Debian GNU/kFreeBSD, the Debian port that swaps in the FreeBSD kernel.

Why I can’t use Ubuntu on Production Servers

Do not get me wrong – I use Ubuntu and try to contribute to bugs (making and fixing). In fact, I am testing out 16.04 on my Chromebook and work computer right now (Fedora 23 is on my Home Desktop). However, I can’t find myself placing an Ubuntu server in production for one simple reason:

Continue reading Why I can’t use Ubuntu on Production Servers

Access Samba shares from Chromebook

Chromebooks are cloud focused. Many Chromebooks come with very limited storage in the hope that you will store everything in the cloud. While this is a great habit to practice, in all reality, how likely are you to store 2 TB of data in the cloud? Not many cloud providers even offer plans for that much storage. Continue reading Access Samba shares from Chromebook

Cloud computing cost analysis

Having a server in the cloud scared me at first. It wasn’t the fact that being in a multi-tenant environment posed the possibility of others gaining access to my code/files – it was the cost that scared me. Not knowing if I was getting the best deal always plagued my mind. Especially since electricity, A/C, and hardware maintenance were never factored into my budgets, it was hard to justify a server in the cloud when on-premise appeared to be so cheap.

Continue reading Cloud computing cost analysis

Wayfinding with RPi

A few years ago I was tasked with looking at solutions for digital, static wayfinding. While there are some cool solutions available now for free with minimal setup, none of these were available to me. We were locked in with a digital signage company that charged $7,000/year for generating 640×480 graphics with events that showed up in our Exchange 2007 calendar.

The jump to Exchange 2010/2013 was dependent upon our vendor upgrading their software to support the newer EWS protocol over the older protocols. This was a classic case of vendor lock-in, which is a horrible state to be in. Maintaining legacy software to keep an outdated system running should be avoided like the plague.

After taking a trip to Google HQ in Mountain View, CA (back when they did tours), I was encouraged by the motto they plastered all over the buildings: “the most complex problems are rarely solved with blunt force objects.” What also intrigued me was their form of digital wayfinding. It was an e-ink display with a wireless antenna which showed all of its circuitry – definitely made in house. This allowed me to formulate my own configuration after seeing the release of the Raspberry Pi.

After about a week of coding, I was able to make RPi-wayfinding. It is a simple PHP website that pulls in information from Exchange 2007+ (using EWS), a Google Calendar, or Planning Center Online Resources and displays it at 1920×1080. This setup has been running smoothly for close to 3 years.

Linux, nginx, MySQL 5.7, and PHP 7 (LEMP) on AWS with free SSL

A stack is a group of software that creates a foundation to build upon. The LEMP stack is a web software stack for delivering web applications, and one of the most common stacks for delivering a PHP application. LEMP uses the Linux kernel, Nginx as the webserver, MySQL or MariaDB as the database, and PHP as the scripting language.

Nearly all distributions of GNU/Linux use the same instructions to install the required packages. There is also too little change between versions of Ubuntu to warrant separate blog posts entitled “LEMP on Ubuntu 14.04” and “LEMP on Ubuntu 16.04”, as they would contain the exact same instructions. There are, however, a few oddities on the Amazon Linux AMI to get Let’s Encrypt working on the t2.nano (1 CPU, 512 MB RAM) instance, which I will cover here.

Continue reading Linux, nginx, MySQL 5.7, and PHP 7 (LEMP) on AWS with free SSL

oVirt mobile

I particularly enjoy using a web browser to administer appliances with a GUI. In the case of oVirt, it does become a little painful to do the Chrome-zoom-click on my massive 4k Android phone. It appears the oVirt devs have also seen this pain point and have released an Android app to make administration easier on Android.

moVirt (mobile oVirt) makes common administrative tasks easier – migrating VMs, spinning down servers, spinning up stopped servers, etc.

moVirt has become an essential tool that I use on an infrequent basis. Now, if I can only figure out how to spin up VMs with Puppet.

Secure MySQL 5.7 installation

With the release of MySQL 5.7, I was pleasantly surprised to see that the install generates a random, secure password for root and marks it expired, so the first login must change it before anything else will run. Since 5.7 also no longer creates anonymous users or the test database by default, this removed my usual step of running mysql_secure_installation after starting and enabling the service. To find the generated password, issue one of the commands below: Continue reading Secure MySQL 5.7 installation

The Linux Academy (review)

I recently received a subscription to Linux Academy. Linux Academy has courses in Linux, AWS, DevOps, and OpenStack to help users achieve professional certificates such as the LFCS, LFCE, RHCSA, RHCE, and others. Since my LFCS is expiring this year (and I hope to achieve a RHCE), Linux Academy seemed like a place to help me achieve that goal.

The first thing I noticed is that the Introduction to Linux Academy videos were current. The content was exactly how I saw it, and I did not have to alter the steps in any way to follow the videos. The videos even described how to switch from Flash to HTML5 so that you could use the playback speed controls. This appealed to me as I like listening to videos at 2.0x speed (especially if the instructor is a slow talker). Keeping videos current in a rapidly changing environment speaks volumes about how dedicated these instructors are to teaching the latest material. So far they have proven to be on top of things.
Continue reading The Linux Academy (review)

Atom editor on Fedora

The atom editor has quickly become my favorite IDE for working with web projects. I still use Vi/Vim for CLI stuff, but atom is the icon I click when I want a GUI program.

It was becoming a little mundane to go to the Atom website and download each new version to install. This is why package managers exist – so users don’t have to visit your website to download an update. A quick search on Copr yielded mosquito’s repo of Atom – success! Below is how to add the repo and keep Atom updated on Fedora.

sudo dnf install dnf-plugins-core
sudo dnf copr enable mosquito/atom
sudo dnf install atom

WiFi Captive Portal

A captive portal is a piece of software that prompts for user interaction before allowing the client to access the internet or other resources on the network. It is a combination of a firewall and a webserver. In this tutorial, I will explain how to create an open WiFi network. Before deploying an open WiFi network, you may want to consult a lawyer about the legality and restrictions of having one. You can also review what has been said by lawyers here and here.

When a device joins a network, its operating system sends a probe HTTP request to a well-known URL (for example captive.apple.com/hotspot-detect.html or connectivitycheck.gstatic.com/generate_204) and expects a specific answer: usually an HTTP 200 with a known body, or a 204 for Android’s generate_204. If the probe gets the expected answer, the device assumes it has unrestricted internet access. The captive portal prompt appears when you intercept that first request and answer it with an HTTP 302 redirect to the portal of your choice instead.
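As an added example (not code from the original post) of the redirect logic just described, here is the decision function a portal front end needs, with a minimal HTTP server around it. It assumes the portal virtual host is hotspot.localnet (the name used in the nginx note below), that the firewall already forwards port 80 from unauthenticated clients to this process, and that the client IP stands in for identity; a real deployment keys on the MAC from the neighbour table and ages entries out. The probe URLs and expected replies are the published ones used by Apple, Android, Windows and Firefox.

```python
"""Captive-portal probe handling: redirect unknown clients, satisfy known ones.

Added example, not from the original post. PORTAL_URL and the use of the
client IP as identity are assumptions for illustration.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import quote

PORTAL_URL = "http://hotspot.localnet/"   # assumed portal vhost

# (Host, path) of the connectivity probes common operating systems send, and
# the exact reply each one accepts as "internet works". Any other reply, such
# as our 302, makes the device show its sign-in sheet.
PROBE_REPLIES = {
    ("captive.apple.com", "/hotspot-detect.html"):
        (200, "text/html", "<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"),
    ("connectivitycheck.gstatic.com", "/generate_204"):
        (204, None, ""),
    ("www.msftconnecttest.com", "/connecttest.txt"):
        (200, "text/plain", "Microsoft Connect Test"),
    ("detectportal.firefox.com", "/success.txt"):
        (200, "text/plain", "success\n"),
}


def decide(client_ip, host, path, authorized):
    """Return (status, headers, body) for one intercepted HTTP request.

    Unauthorized clients always get a 302 to the portal, including for the
    OS probes: that unexpected reply is what pops the sign-in sheet.
    Authorized clients get the answer the probe expects, so the sheet closes.
    """
    if client_ip not in authorized:
        # Carry the original destination so the portal can send the client
        # back after it accepts the terms. Never reflect it unencoded.
        target = PORTAL_URL + "?next=" + quote("http://" + host + path, safe="")
        return 302, {"Location": target, "Cache-Control": "no-store"}, ""
    reply = PROBE_REPLIES.get((host.lower(), path))
    if reply is None:
        # Authorized and not a probe: once the firewall rule for this client
        # is lifted, such requests stop arriving here at all.
        return 204, {}, ""
    status, ctype, body = reply
    headers = {"Content-Type": ctype} if ctype else {}
    return status, headers, body


class PortalHandler(BaseHTTPRequestHandler):
    # Clients that have accepted the portal; the portal app adds to this set
    # (and inserts the matching firewall exception) when a user clicks through.
    authorized = set()

    def do_GET(self):
        host = self.headers.get("Host", "")
        status, headers, body = decide(self.client_address[0], host, self.path, self.authorized)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        data = body.encode()
        if status != 204:
            self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        if status != 204:
            self.wfile.write(data)

    def log_message(self, fmt, *args):
        # Quiet by default; swap in real logging when deploying.
        pass


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), PortalHandler).serve_forever()
```

The redirect carries the original URL only after percent-encoding it; a portal that reflects `next` into a `Location` header or into its HTML without checking that it points back at the local network turns the sign-in page into an open redirect.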

To set up a captive portal on a Raspberry Pi, you will need a wired network (I will refer to this as WAN or uplink) and a wireless network (such as the Ralink RT5372 or the Ralink RT5370) which you can set into AP mode. A server with 2 NICs would also suffice if you want to perform this on a wired LAN instead.


UPDATE 2/15/2017: If you get the too many redirects error, look at the hotspot.localnet nginx configuration. It could be that the dollar signs $ are not present. The below block is what the location / block should look like in the hotspot.localnet virtual host.

     location / {
         try_files $uri $uri/ index.php;
     }

Continue reading WiFi Captive Portal