Configure Desired State Configuration (DSC) on CentOS 7

Here’s a quick guide on how to set up DSC on CentOS 7. This requires OMI and DSC for Linux. It’s a bit of a pain to track down the downloads for these, and the OMI one doesn’t play ball when using wget, so I’ve put them on Dropbox for ease of use:

I always use the Minimal installation of CentOS. I started with CentOS-7-x86_64-Minimal-1511.iso

  1. Install CentOS and configure an IP address
  2. Connect via SSH or the console and run the following commands:
    1. yum install wget -y
    2. cd /home
    3. wget http://bit.ly/omi1084
    4. wget http://bit.ly/dsc_linux_111
    5. tar -zxvf omi1084
    6. tar -zxvf dsc_linux_111
    7. rpm -ivh omi-1.0.8.ssl_100.x64.rpm
    8. systemctl start omid.service
    9. rpm -ivh dsc-1.1.1-70.ssl_100.x64.rpm
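
An added example, not part of the original post: a gate to run between the wget and tar steps above, since the archives are re-hosted copies fetched through shortened http:// links and then installed as root. The SHA-256 values are placeholders (the page publishes none) and the function names are illustrative.

```shell
#!/bin/sh
# Placeholders: replace with digests obtained from a source you trust.
OMI_SHA256="<sha256-of-omi1084-from-a-trusted-source>"
DSC_SHA256="<sha256-of-dsc_linux_111-from-a-trusted-source>"

# Succeeds only if FILE hashes to EXPECTED (hex compare, case-insensitive).
verify_sha256() {
    file=$1; expected=$2
    [ -f "$file" ] || return 2
    actual=$(sha256sum "$file" | awk '{print $1}')
    [ "$actual" = "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]
}

# Succeeds if an archive member name is absolute or climbs out with "..".
unsafe_member() {
    case $1 in
        /*|..|../*|*/..|*/../*) return 0 ;;
        *) return 1 ;;
    esac
}

# Lists a gzip'd tarball without extracting it and rejects unsafe member names.
safe_tarball() {
    names=$(tar -tzf "$1") || return 2
    while IFS= read -r name; do
        [ -z "$name" ] && continue
        if unsafe_member "$name"; then return 1; fi
    done <<EOF
$names
EOF
    return 0
}

# Used in place of running tar directly: verify, inspect, then extract.
checked_extract() {
    verify_sha256 "$1" "$2" || { echo "digest mismatch: $1" >&2; return 1; }
    safe_tarball "$1"       || { echo "unsafe paths in: $1" >&2; return 1; }
    tar -zxf "$1"
}

# Usage on the CentOS host, in the directory holding the downloads:
#   checked_extract omi1084 "$OMI_SHA256" && checked_extract dsc_linux_111 "$DSC_SHA256"
```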

To test connectivity from a Windows machine, do the following:

$session = New-CimSession -Credential (Get-Credential) -Authentication Basic -ComputerName <name or IP here> -SessionOption (New-CimSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck -UseSsl)
Get-CimInstance -CimSession $session -ClassName OMI_Identify -Namespace root/omi

You’ll be prompted to enter credentials after that first line. Then, after running Get-CimInstance you should see an output as per below:

[Screenshot: output of Get-CimInstance]

The CentOS machine is now ready to receive configs using DSC. I’ll be blogging more related stuff soon, but there’s a great write-up on the PowerShell Documentation pages that goes into more detail:

Get started with Desired State Configuration (DSC) for Linux

Compiling & Installing Python 2.7 on the Netgear ReadyNAS Duo2

I wanted to get some automation working on my NAS at home, and I needed to install Python. Being an ARM-powered model, it was traditionally hard to get compatible binaries from sources like APT, so I’d previously used the add-on found at ReadyNASExtras. This time, I ran into issues with some dependencies. I couldn’t install and compile all of the Python modules that I needed, so I was required to compile Python from source.


Adding style and Google Analytics to an Apache directory index (mod_autoindex)

I recently had to spruce up a password-protected Apache directory index site that is being used to host some files for download.

In addition to making it look more presentable, I also discovered that you can inject code into the <head> of the index page. This allowed me to achieve what I’d wanted to do for a while on that site – track visitors using Google Analytics.

To do so you already need to be using indexes and FancyIndexing. Then, simply add the following to your .htaccess file:

IndexHeadInsert "<script type=\"text/javascript\">var _gaq = _gaq || [];_gaq.push(['_setAccount', '{INSERT TRACKING CODE HERE}']);_gaq.push(['_trackPageview']);(function() {var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);})();</script>"

Here’s the rest of my .htaccess file, excluding the security section:

Options +Indexes

IndexOptions +FancyIndexing
IndexOptions +FoldersFirst
IndexOptions +XHTML
IndexOptions +HTMLTable
IndexOptions +SuppressRules
IndexOptions +NameWidth=*
IndexOptions +SuppressDescription

IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t /resources /cgi-bin

IndexStyleSheet "/resources/style.css"

IndexHeadInsert "<script type=\"text/javascript\">var _gaq = _gaq || [];_gaq.push(['_setAccount', '{INSERT TRACKING CODE HERE}']);_gaq.push(['_trackPageview']);(function() {var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);})();</script>"

How to install a Windows-CA-Signed Certificate on VMWare Server 2.0x

  1. Make a backup of /etc/vmware/ssl/rui.crt and rui.key
  2. Generate a new server key: openssl genrsa -out rui.key 2048
  3. Generate a CSR: openssl req -new -key rui.key -out server.csr
  4. Go to the Certificate Services web interface on one of your DCs, and select “Request a Certificate”
    1. Select “advanced certificate request”
    2. Select “Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.”
    3. Paste the CSR text into the “Saved Request” field, and select “Web Server”, and Submit the request
    4. Select “Base 64 encoded”, and “Download certificate”
  5. Transfer the certificate to the Linux box running VMWare Server
  6. Copy/rename the new certificate (certnew.cer) over rui.crt
  7. Do a “service vmware restart”
  8. Voila! A trusted certificate. No more web browser/VMWare Client messages about invalid certificates
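
An added example, not part of the original post: a check that the certificate returned by the CA (certnew.cer) really belongs to the key from step 2 and has not expired, run before steps 6 and 7 replace the live files. It assumes the new rui.key and certnew.cer sit in a working directory outside /etc/vmware/ssl; the function names are illustrative.

```shell
#!/bin/sh
# SubjectPublicKeyInfo (PEM) carried in a certificate.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# SubjectPublicKeyInfo (PEM) derived from the RSA private key.
key_pubkey() { openssl rsa -in "$1" -pubout 2>/dev/null; }

# 0 = pair matches and cert is unexpired, 1 = mismatch,
# 2 = unreadable input, 3 = certificate already expired.
cert_matches_key() {
    c=$(cert_pubkey "$1") || return 2
    k=$(key_pubkey "$2") || return 2
    [ -n "$c" ] || return 2
    [ "$c" = "$k" ] || return 1
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 || return 3
    return 0
}

# Back up the live pair (step 1), then install the new one only if it verifies.
# $3 is the SSL directory: /etc/vmware/ssl in the steps above.
install_pair() {
    cert=$1; key=$2; dir=$3
    cert_matches_key "$cert" "$key" || {
        echo "refusing to install: check failed with status $?" >&2
        return 1
    }
    stamp=$(date +%Y%m%d%H%M%S)
    for f in rui.crt rui.key; do
        if [ -f "$dir/$f" ]; then cp -p "$dir/$f" "$dir/$f.bak.$stamp" || return 1; fi
    done
    cp "$cert" "$dir/rui.crt" || return 1
    ( umask 077 && cp "$key" "$dir/rui.key" ) || return 1
    chmod 600 "$dir/rui.key"     # private key readable by its owner only
}

# Usage on the VMware Server host, run as root:
#   install_pair certnew.cer rui.key /etc/vmware/ssl && service vmware restart
```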

Printing through the SSL-Explorer Agent

SSL-Explorer’s Community Version doesn’t give you full network access like some commercial SSL VPN solutions, but that shouldn’t stop you from printing.

This assumes that you’ve got some sort of network-enabled printer – such as an HP with an internal JetDirect card. From memory, if you’ve got an external JetDirect device with multiple physical Parallel or USB ports, the network port number changes according to the physical port used.

The setup is as follows:

  1. Go to Access Control, Policies, and create a new policy. Assign some users to the policy if you like.
  2. Go to Resources, SSL Tunnels, and create a new Tunnel with the following properties:
    1. Source Interface: 127.0.0.1
    2. Source Port: 9100
    3. Destination Host: Printer’s IP Address
    4. Destination Port: 9100
    5. Auto Start: Ticked, if you want the tunnel to be enabled as soon as the Java client starts
    6. Type: Local
  3. Assign the policy that was created in step one to this tunnel.

That’s it for the SSL-Explorer side of things. In Windows, make sure you’ve got the driver for your printer handy, and follow these steps:

  1. Go to Control Panel, Printers and Faxes, and add a new Local Printer (untick ‘Automatically Detect’ if it’s ticked)
  2. Create a new Standard TCP/IP Port
  3. As the address for the port, enter 127.0.0.1
  4. Click ‘Custom’, and leave the settings as:
    1. RAW mode
    2. Port 9100
    3. IP 127.0.0.1
  5. Point the Wizard to the correct printer driver, and finish the installation. If you want to print a test page, make sure that the SSL Tunnel is activated first. This can be verified by right-clicking on the SSL client’s tasktray icon and selecting ‘Tunnel Monitor’. You should see an entry for port 9100.

The way this works is that once the tunnel is enabled, it listens on 127.0.0.1 on the port you’ve specified, and redirects traffic to the IP and port specified on the network behind the SSL VPN.

In addition to this, you can add a ‘Web Forward’ of type ‘Tunneled proxy’ to the printer’s port 80 if you’d like to check up on the printer’s status via the web interface. You can then add this ‘Web Forward’ to the policy created in step 1.

SSL-Explorer on CentOS

Here is a brief guide to installing SSL-Explorer, a great SSL VPN solution, on CentOS. I used CentOS 4.4, as there is currently no Server CD for version 5. I had to search around a bit in order to find out how to set the JAVA_HOME environment variable to the correct location, so here it is – to save you time.

CentOS was installed with a minimum of options – no Apache, no X. If you install Apache, you’ll have to either change the ports it listens on, or change the ports SSL-Explorer listens on. If you don’t, then you’ll get conflicts. Configure the firewall to allow port 443, as that’s what SSL-Explorer will be running on.

[root@server ~]# service ipchains stop
[root@server ~]# cd /root
[root@server ~]# wget http://link.to.sf.net/download
[root@server ~]# chmod 755 sslexplorer_linux_0_2_12.rpm

Download JRE, and copy to /root. I used FileZilla with FTP/SSH to put the file on the Linux box.

[root@server ~]# chmod 755 jre-6u1-linux-i586-rpm.bin
[root@server ~]# ./jre-6u1-linux-i586-rpm.bin
[root@server ~]# /usr/local/bin/install-sslexplorer

Configure using Web interface

[root@server /]# export JAVA_HOME=/usr/java/jre1.6.0_01
[root@server /]# /opt/sslexplorer/install/platforms/linux/install-service
[root@server /]# service sslexplorer start

Note that if you’re copying and pasting these directions, get the link to the newest version from SourceForge, and replace the generic link on the 3rd line.

Setting up Zabbix on Fedora Core 5

Just been looking into a replacement systems monitoring box for work. It seems that Zabbix is the most professional. ZenOSS looked good, but requires Python to be installed on the Windows Server clients in order to run the monitoring client. We’re currently running a combination of Hobbit, Cacti, Syslog-NG logging to a MySQL database, and PHPSyslog-NG. I’m trying to determine if Zabbix is a viable alternative to Hobbit.

ZABBIX is all-in-one 24×7 monitoring solution without high cost.

ZABBIX is software for monitoring of your applications, network and servers. ZABBIX supports both polling and trapping techniques to collect data from monitored hosts. A flexible notification mechanism allows easy and quickly configure different types of notifications for pre-defined events.

Here is a tutorial created from the notes I took while setting Zabbix up on a virtual machine.
