Wednesday, March 25, 2009

Learning Linux at 84

I am sure I have never encountered a person at the grand age of 84 learning Linux before today. As it turned out, I sold a Fedora 10 DVD from my website ( www.thelinuxcdstore.com ) to a gentleman in Auckland who needed some help. Usually I shy away from supporting Linux unless it is something related to the media I sell. In this particular case I needed to get involved, because I had to determine where my customer's problem came from.

We got on the phone together and I ran up a fresh install of Fedora 10 on a VMWare Virtual machine so I could guide the customer through the install.

Considering the initial failure as the customer described it was most likely related to Anaconda, I decided that a text install might be more successful. Fedora keeps the text installer hidden. You have to hit the TAB key to edit the boot parameters when the DVD boots up and add the word "text" at the end of the line. After that the DVD boots into a TEXT only installer.

We had a scary moment at the partitioning stage where I wasn't 100% sure that we were not going to destroy the windows partition that the customer wanted to keep for dual booting. My customer was very understanding when I said that I wanted no responsibility for the loss of any important data... Fortunately all went well and the grub installer found the "other" OS which we changed to be Windows.

The last thing that needed to be done was to set the run-level back to 5 and manually create a user for him to log in with on the console. I only found this out after my own install was complete, and I have had to email it to the customer because we had long since hung up.

Steps to complete this last process:

Log into the console as root.

# nano /etc/inittab

Scroll to the end of the file and change the line, "id:3:initdefault:" to "id:5:initdefault:"

# groupadd peter
# useradd -g peter -m -s /bin/bash peter
# passwd peter
Enter password
Confirm password

# reboot
And that's about the end of it. After the machine reboots you will be able to log in as peter with the password you typed in the commands above.

Wednesday, March 18, 2009

Simple Cluster with Heartbeat

Following on from my previous post about setting up a reverse proxy in Fedora 10, I now delve into high availability. The plan here is to create two reverse proxy servers and cluster them together in an Active / Passive configuration with automatic fail-over.

So here is our trusty network diagram:


You will notice the shared IP, and Proxy02 connected to Proxy01 with the cross-over cable.

You need the cross-over cable for the heartbeat keep-alive messages. As I am using VMWare, I have used the HOST ONLY network configuration for the second NICs on the servers, thus simulating a physical cross-over cable.


Here is the network configuration on each proxy server:

Proxy01:
eth0 - ( same network and subnet as the client )
IP = 192.168.0.11
SUBNET MASK = 255.255.255.0
DEFAULT GW = 192.168.0.1
HOSTNAME = proxy01.latham.internal

eth1 - ( different network and subnet from the client )
IP = 192.168.169.11
SUBNET MASK = 255.255.255.0
DEFAULT GW = none

Proxy02:
eth0 - ( same network and subnet as the client )
IP = 192.168.0.12
SUBNET MASK = 255.255.255.0
DEFAULT GW = 192.168.0.1
HOSTNAME = proxy02.latham.internal

eth1 - ( different network and subnet from the client )
IP = 192.168.169.12
SUBNET MASK = 255.255.255.0
DEFAULT GW = none

In my environment I have actually used DHCP with statically assigned leases for the eth0 NICs on my proxy servers.

You will need to ensure the availability of a shared IP address for the eth0 NICs. In my case I chose 192.168.0.10. No other server should own this IP address.

Next up we will install heartbeat on the proxy servers.
As usual in Fedora we leverage the excellent package manager ( YUM ) and install it:
# yum install heartbeat
Once heartbeat and all required dependencies are installed you will need to edit some configuration items. First let's start with the basics in preparation for Heartbeat managing the resources.

NOTE: At the time of writing this tutorial I have not worked out the required SELINUX directives, so I have turned SELINUX off. I recommend getting Heartbeat working with SELINUX turned on.
# setenforce 0

1. Ensure that the Apache web-service does not auto-start:
# chkconfig httpd off

2. Ensure that httpd will listen on the correct IP address. This will be the shared IP address. In my lab this is 192.168.0.10
# vim /etc/httpd/conf/httpd.conf
[ update the listen directive to read: ]
...
Listen 192.168.0.10
...

Heartbeat arrives totally unconfigured. You have to create 3 files in order to make it work. These files live in /etc/ha.d and are called:
  • ha.cf
  • haresources
  • authkeys
Here follow my examples: IMPORTANT: These are identical on both servers.

ha.cf
bcast eth1
keepalive 2
warntime 10
deadtime 30
initdead 120
udpport 694
crm no
auto_failback no
node proxy01.latham.internal
node proxy02.latham.internal

haresources
proxy01.latham.internal 192.168.0.10 apache::/etc/httpd/conf/httpd.conf

authkeys
auth 1
1 crc

The authkeys file must be made secure with:
# chmod 600 authkeys

The crc method of authenticating is fast but insecure: it only detects corruption, not tampering. Its insecurity is offset by the physical security of the cross-over cable. In a more paranoid or less secure environment you might consider either md5 or sha1, which sign each packet with a shared secret.
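As an added example ( not part of the original post ), here is a small script that writes authkeys with a random sha1 secret instead of crc, locks the file to mode 600 and checks the result. The 16-byte secret length and the AUTHKEYS path override are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): write /etc/ha.d/authkeys with a
# random sha1 secret instead of crc, and check that it is locked down.
# The secret length and the AUTHKEYS override are assumptions.
set -eu

AUTHKEYS="${AUTHKEYS:-/etc/ha.d/authkeys}"

# 16 random bytes as 32 hex characters. This is the shared secret that both
# nodes must carry, so copy the finished file to the other node verbatim.
gen_secret() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Write the heartbeat authkeys file: "auth N" selects the key number used to
# sign outgoing packets; "N sha1 <secret>" defines that key.
write_authkeys() {
    file="$1"
    secret="$2"
    umask 077                      # created 0600 from the start, no window
    printf 'auth 1\n1 sha1 %s\n' "$secret" > "$file"
    chmod 600 "$file"
}

# Return 0 when the file is mode 600 and key 1 uses sha1 or md5, 1 otherwise.
# Heartbeat itself refuses to start when authkeys is readable by others.
check_authkeys() {
    file="$1"
    [ "$(stat -c %a "$file")" = "600" ] || return 1
    grep -Eq '^1 (sha1|md5) ' "$file" || return 1
}

# Only write the real file when invoked as "install", so the functions
# above can also be sourced and exercised on a scratch file.
if [ "${1:-}" = "install" ]; then
    write_authkeys "$AUTHKEYS" "$(gen_secret)"
    check_authkeys "$AUTHKEYS" && echo "$AUTHKEYS written with sha1 key"
fi
```

Run it as root with the argument install on one node, then copy the resulting file to the other node so both carry the same secret.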

Testing:
Make sure httpd is stopped on both nodes:
# service httpd stop
Start heartbeat on both nodes:
# service heartbeat start
Note that there might be a message stating that a resource is stopped. This will be because at the time of starting heartbeat the httpd resource was stopped. In a short while heartbeat will start httpd for you.
Now try to browse the example html page that you configured in your reverse proxy, but with the shared IP address this time, and note the traffic in the access logs for proxy01.
Try removing proxy01 from the cluster with
# service heartbeat stop
and note that in a short while proxy02 will take over the shared IP address and start httpd.

Other tests I have performed:
1. stop httpd on the primary node and watch it start up again after 30 seconds.
2. shut the primary node down altogether and watch the secondary node take over.
3. Bring the primary node back into the cluster and watch it take over the shared IP and start httpd while stopping httpd on the secondary node. ( AUTO FAIL_BACK = yes ) - This feature seemed not to work. All my failback testing resulted in a failback regardless of this setting.

Other considerations:
1. sync your webserver files.
2. test ssl connections.

Monday, March 16, 2009

Clustered Reverse Proxy with Fedora

I was given the enviable task of setting up a reverse proxy in Fedora.

A reverse proxy is a piece of software that is installed on a device that has network access to an external and internal network. The proxy acts as a bridge between the two networks. A normal proxy as installed in most company networks allows all users on the internal network to access the external network. A reverse proxy allows clients on the external network to access services hosted on the internal network. It can be installed on the front end of the network and will proxy specified traffic through to the internal network.

Here is a diagram of my lab network. In this example we can see:
  • Multiple clients are connecting to the proxy cluster. ( more on clustering in the next article. )
  • Only one node in the cluster has possession of the shared IP address.
  • The Apache web service on the proxies is configured to listen on the shared IP address.
  • The host web server behind the resource zone is serving traffic to the active node.
  • All servers shown in this lab were built from the Fedora 10 Installation DVD. Required dependencies were installed using YUM. It helps if the machines can be built while connected to a network with access to the internet.

Configuring the Reverse Proxy Server.

Networking:
ETH0:
  • DHCP or Statically assigned.
  • Must be on same network or accessible by the clients.
  • In VMWARE use "Bridged" so you can access it from your host.
ETH1:
  • Statically assigned.
  • Cross Over cable ( in VMWARE use "Host Only" )

Software:
  • Install the basics and the apache webservice. In Fedora 10 mod_proxy is already included and ready to be enabled.
  • Install gcc ( yum install gcc ) Required to compile the mod_proxy_html module.
  • Follow the procedure in LISTING 1 to get "mod_proxy_html" installed. mod_proxy_html is required for rewriting URL links in the web pages served from behind the resource firewall. All links will need to point to the shared IP or hostname.
  • Edit /etc/httpd/conf/httpd.conf. After all the LoadModule directives ensure that the two lines in LISTING 2 appear.

LISTING 1: ( building and installing mod_proxy_html )
wget "http://apache.webthing.com/mod_proxy_html/mod_proxy_html.c"
yum install httpd-devel libxml2 libxml2-devel
apxs -c -a -I /usr/include/libxml2 -i mod_proxy_html.c

LISTING 2: ( /etc/httpd/conf/httpd.conf )
LoadFile /usr/lib/libxml2.so
LoadModule proxy_html_module modules/mod_proxy_html.so

The apxs command above will insert the "LoadModule" directive for proxy_html_module. I needed to edit the path to read, "modules/mod_proxy_html.so"

Restart httpd on your proxy servers after installing mod_proxy_html with:
# service httpd restart
Create a reverse proxy config file in /etc/httpd/conf.d/reverse_proxy.conf.

Here is my example: ( read up on the reasoning here: http://www.apachetutor.org/admin/reverseproxies )
ProxyRequests off
ProxyPass /test/ http://192.168.0.200/
ProxyHTMLURLMap http://192.168.0.200 /test

<Location /test/>
ProxyPassReverse /
SetOutputFilter proxy-html
ProxyHTMLURLMap / /test/
ProxyHTMLURLMap /test /test
RequestHeader unset Accept-Encoding
</Location>

RewriteEngine on
RewriteRule ^/test$ /test/ [R]

The <Location /test/> block is required: ProxyPassReverse with a single argument is only valid inside a Location, and the output filter and URL maps should only apply to the proxied path. The RequestHeader line stops the back-end sending compressed pages, which mod_proxy_html could not rewrite.
The rewrite rule at the end will allow for any urls that miss the trailing slash on directories. It will add a trailing slash in automatically.

Restart httpd with:
# service httpd restart
Testing:
Create 2 html pages on the internal network. One should link to the other using the IP address of the internal httpd server so we can see how the HTML links are rewritten.

My next instalment will cover how to create a simple auto-failover cluster using heartbeat from the Linux HA Project.

Sunday, March 8, 2009

Commandline to reliably burn an ISO ( On My Machine )

In order to reliably burn an ISO image to CD or DVD there are a couple of options that need to be set. That's if you are planning on using terminal commands ( command line tools ) to do the job.
  1. The disk must be written in DAO ( Disk At Once ) also known as SAO ( Session At Once )
  2. The disk must be written in as slow a speed as possible. On my PC that is about 8x for a CD and 4x for a DVD. Remember speed ratios differ between DVD and CD.

My Scripts: ( saved in /usr/local/bin )

[dave@fedora10 bin]$ cat burn-cd
#!/bin/bash

# burn CD
# Usage: burn-cd /full/path/to/image.iso
/usr/bin/wodim dev=/dev/sr0 driveropts=burnfree fs=14M speed=9 -dao -v -eject "$1"
[dave@fedora10 bin]$ cat burn-dvd
#!/bin/bash

# burn DVD
# Usage: burn-dvd /full/path/to/image.iso
/usr/bin/wodim dev=/dev/sr0 driveropts=burnfree fs=14M speed=4 -dao -v -eject "$1"
The options for wodim ( cdrecord as it is called nowadays ):
Note the speed, burnfree and -dao options. -dao tells wodim that you want to burn the ISO image in one go. No separate tracks.
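As an added example ( not one of the original scripts ), the two scripts above can be merged into one that checks the image before touching the drive and picks the CD or DVD speed from the image size. The 360000-sector CD threshold and the DEVICE override are my assumptions; the speeds and wodim options are the ones from the scripts above.

```shell
#!/bin/sh
# Added example (not the original burn-cd / burn-dvd scripts): one burn script
# that validates the image and chooses the wodim speed from its size.
# The CD size threshold and the DEVICE override are assumptions.
set -eu

CD_MAX_BYTES=737280000        # 360000 sectors x 2048 bytes: an 80-minute CD-R
CD_SPEED=9                    # speed used by the original burn-cd script
DVD_SPEED=4                   # speed used by the original burn-dvd script
DEVICE="${DEVICE:-/dev/sr0}"

# Print the speed to use for an image of the given size in bytes
pick_speed() {
    if [ "$1" -le "$CD_MAX_BYTES" ]; then
        echo "$CD_SPEED"
    else
        echo "$DVD_SPEED"
    fi
}

# Return 0 if the path looks like a usable ISO image: a readable regular
# file whose size is a whole number of 2048-byte sectors, 1 otherwise
check_iso() {
    [ -f "$1" ] && [ -r "$1" ] || return 1
    size=$(( $(wc -c < "$1") ))
    [ "$size" -gt 0 ] && [ $((size % 2048)) -eq 0 ]
}

burn() {
    image="$1"
    check_iso "$image" || { echo "not a readable ISO image: $image" >&2; return 1; }
    speed=$(pick_speed "$(( $(wc -c < "$image") ))")
    # -dao writes the whole image in one session, burnfree guards against
    # buffer underruns, and the low speed is what made the burns reliable
    /usr/bin/wodim dev="$DEVICE" driveropts=burnfree fs=14M speed="$speed" \
        -dao -v -eject "$image"
}

# Only burn when given an image path, so the functions can also be sourced
if [ "${1:-}" != "" ]; then
    burn "$1"
fi
```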