vennedey.net

Build & install ceph-deploy RPM package on CentOS 7

On Tue, 03 Jan 2017 12:44:02 +0100 by Falco Vennedey

Over the last few weeks I have spent some time testing OpenStack and setting up an OpenStack cluster, using Ansible for deployment and configuration management. Now I would like to take a closer look at Ceph, since it can be used as a backend for Cinder, Glance and Swift. But when following the instructions for CentOS 7 as outlined in the docs and trying to install ceph-deploy from the repository, I ran into a dependency problem:

[root@host ~]# yum install ceph-deploy
...
Error: Package: ceph-deploy-1.5.36-0.noarch (ceph-noarch)
           Requires: python-distribute
           Available: python-setuptools-0.9.8-4.el7.noarch (base)
               python-distribute = 0.9.8-4.el7
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest

There are other people who have had the same problem, and there is also a patch available. Since the patch came without any further instructions, I needed to figure out how to apply it. I used a fresh CentOS 7 Docker image to set up the build environment. Of course this will also work without Docker, but if you just need a quick throwaway environment it is a handy tool.

root@workstation:~# docker run -it --name=ceph-deploy centos

[root@cc9153b3d205 /]# cd
[root@cc9153b3d205 ~]# yum install git python-virtualenv curl gnupg redhat-lsb-core createrepo which rpm-build rpm-sign epel-release
[root@cc9153b3d205 ~]# git clone https://github.com/ceph/ceph-deploy.git
[root@cc9153b3d205 ~]# cd ceph-deploy/
[root@cc9153b3d205 ceph-deploy]# ./bootstrap
[root@cc9153b3d205 ceph-deploy]# curl -L -O http://tracker.ceph.com/attachments/download/2389/ceph-deploy.spec.patch
[root@cc9153b3d205 ceph-deploy]# patch ceph-deploy.spec < ceph-deploy.spec.patch
[root@cc9153b3d205 ceph-deploy]# yum install python-mock python-tox pytest

The build script needs a local GnuPG key to sign the resulting rpm package. To generate a new one, run:

[root@cc9153b3d205 ceph-deploy]# gpg --gen-key

If your terminal is garbled after key generation (this is specific to Docker), run reset to restore it.

Now you need to find out the ID of the freshly generated key.

[root@cc9153b3d205 ceph-deploy]# gpg --list-keys

The ID is an 8-digit hex number. Once you have it, you are ready to build the package:

[root@cc9153b3d205 ceph-deploy]# export KEYID=8D42C98B; scripts/build-rpm.sh

The package can now be retrieved from /root/ceph-deploy/rpmbuild/RPMS/noarch/ceph-deploy-1.5.36-0.noarch.rpm and installed on the target system using yum. The --nogpgcheck flag is needed because the package is signed with the key you just generated, which the target system does not know; if you export that key's public half and import it there with rpm --import, you can drop the flag and keep signature checking on:

[root@host ~]# yum --nogpgcheck localinstall ceph-deploy-1.5.36-0.noarch.rpm
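The following script is an added example, not code from the post or from the ceph-deploy project. It reads the key ID from gpg's machine-readable listing instead of by eye, exports the public key, and checks the RPM's signature on the target host, so the package can be installed with GPG checking left on. The key file name RPM-GPG-KEY-ceph-deploy-local, the sample gpg listing and the rpm -K output lines used for the checks are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post or the ceph-deploy project):
# find the key ID programmatically, export the public key and verify the RPM
# signature on the target host instead of installing with --nogpgcheck.

# Print the short (8 hex digit) ID of the first public key in the output of
# `gpg --list-keys --with-colons` (read from stdin). In that format "pub"
# records carry the 16-digit key ID in field 5; the short ID is its last 8 digits.
short_key_id() {
    awk -F: '$1 == "pub" { print substr($5, length($5) - 7); exit }'
}

# Constructed sample of such a listing (not real gpg output) so the parser can
# be exercised without a keyring; 8D42C98B is the key ID used in the post.
sample_gpg_listing() {
    cat <<'EOF'
tru::1:1483443000:0:3:1:5
pub:u:2048:1:012345678D42C98B:1483443000:::u:::scESC:
uid:u::::1483443000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Build Key <build@example.invalid>:
sub:u:2048:1:FEDCBA9876543210:1483443000::::::e:
EOF
}

# Decide from one line of `rpm -K` (rpm --checksig) output whether the package
# verified. rpm prints "... OK" on success and "... NOT OK (...)" on failure,
# so a plain "OK" match is not enough: the NOT OK case is tested first.
signature_line_ok() {
    case "$1" in
        *"NOT OK"*) return 1 ;;
        *" OK"*)    return 0 ;;
        *)          return 1 ;;
    esac
}

# Export the public half of the signing key ($1) to an ASCII-armored file ($2)
# that is copied to the target host together with the RPM.
export_pubkey() {
    gpg --armor --export "$1" > "$2"
}

# On the target host: import the public key ($1) into the rpm database and
# verify the package ($2), returning non-zero when the signature is missing or
# does not verify. After this `yum localinstall` works without --nogpgcheck.
verify_rpm() {
    rpm --import "$1" || return 1
    signature_line_ok "$(rpm -K "$2")"
}

# Usage in the build container (KEYID is what scripts/build-rpm.sh reads):
#   KEYID=$(gpg --list-keys --with-colons | short_key_id); export KEYID
#   scripts/build-rpm.sh
#   export_pubkey "$KEYID" RPM-GPG-KEY-ceph-deploy-local
# On the target host, after copying both files over:
#   verify_rpm RPM-GPG-KEY-ceph-deploy-local ceph-deploy-1.5.36-0.noarch.rpm \
#       && yum localinstall ceph-deploy-1.5.36-0.noarch.rpm
```

Keeping the check in yum (rather than trusting a package you copied over yourself) costs one rpm --import and protects against installing a build that was tampered with or mixed up on the way to the target host.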

If you used Docker to set up your build environment, exit from the container and remove it:

[root@cc9153b3d205 ~]# exit
root@workstation:~# docker rm ceph-deploy

Virtualmin: Break sharing SSL certificates

On Mon, 19 Dec 2016 19:31:54 +0100 by Falco Vennedey

I recently ran into some problems trying to activate https for some virtual servers in Virtualmin. After enabling SSL for the virtual server foo.bar.example.com and clicking Manage SSL Certificate, I got the message

This virtual server shares its SSL certificate with baz.example.com, so it cannot be edited on this page. Use its Manage SSL Certificate page to change SSL settings.

Since baz.example.com has a wildcard certificate *.example.com, I think that Virtualmin tries to be smart and wants to use the same certificate for foo.bar.example.com, which will not work since foo.bar.example.com is not part of *.example.com.

To get around this and allow a separate SSL configuration for foo.bar.example.com, one needs to break the link between the two virtual servers' SSL configurations. To do so, first find the Virtualmin configuration file for the given virtual server:

root@host:~# cd /etc/webmin/virtual-server/domains
root@host:~# grep -rFx 'dom=foo.bar.example.com' .
./145382287315480:dom=foo.bar.example.com

Open the file and edit the ssl_cert, ssl_key and ssl_chain directives to point to a location specific to this virtual server. Do not use locations served by the Apache web server!

/etc/webmin/virtual-server/domains/145382287315480
ssl_cert  = /var/www/vserver/bar.example.com/domains/foo.bar.example.com/ssl.cert
ssl_key   = /var/www/vserver/bar.example.com/domains/foo.bar.example.com/ssl.key
ssl_chain = /var/www/vserver/bar.example.com/domains/foo.bar.example.com/ssl.ca

Now delete the ssl_same=… directive from the configuration. This will isolate the SSL configuration for this virtual server.

Save the configuration, and in Virtualmin click Manage SSL Certificate again. You are now able to change SSL settings for the given virtual server.
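The script below is an added example, not part of the post and not Virtualmin code. It applies the three directive changes and the ssl_same removal in one pass and refuses a certificate location below the document root, which is the "do not use locations served by the Apache web server" rule turned into a check. The sample domain file is constructed and contains only the lines that matter here; the document-root path is passed in by the caller rather than read from Virtualmin's settings.

```shell
#!/bin/sh
# Added example (not from the original post or from Virtualmin): isolate a
# virtual server's SSL configuration from the one it shares with another server.

# Rewrite ssl_cert/ssl_key/ssl_chain in the Virtualmin domain file $1 to point
# into directory $2 and delete the ssl_same= line. $3 is the server's document
# root: if $2 lies inside it the function refuses, because the private key
# would then be downloadable through the web server.
isolate_ssl_config() {
    conf=$1; certdir=$2; docroot=$3
    case "$certdir" in
        "$docroot"|"$docroot"/*)
            echo "refusing: $certdir is below the document root $docroot" >&2
            return 1 ;;
    esac
    # Directives are key=value lines; spaces around "=" are tolerated on input.
    sed -e "s|^ssl_cert *=.*|ssl_cert=$certdir/ssl.cert|" \
        -e "s|^ssl_key *=.*|ssl_key=$certdir/ssl.key|" \
        -e "s|^ssl_chain *=.*|ssl_chain=$certdir/ssl.ca|" \
        -e '/^ssl_same *=/d' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Print the value of directive $2 in domain file $1 (empty if absent).
directive() {
    sed -n "s|^$2 *= *||p" "$1"
}

# Constructed sample of a domain file (a real one has many more lines); the
# ssl_* paths are the ones inherited from the wildcard-certificate server.
sample_domain_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
dom=foo.bar.example.com
ssl_cert=/var/www/vserver/bar.example.com/ssl.cert
ssl_key=/var/www/vserver/bar.example.com/ssl.key
ssl_chain=/var/www/vserver/bar.example.com/ssl.ca
ssl_same=145382287300000
EOF
    echo "$f"
}

# Usage on a real system (file name from the grep in the post):
#   isolate_ssl_config /etc/webmin/virtual-server/domains/145382287315480 \
#       /var/www/vserver/bar.example.com/domains/foo.bar.example.com \
#       /var/www/vserver/bar.example.com/domains/foo.bar.example.com/public_html
```

After running it, the certificate files still have to be placed at the new paths before clicking Manage SSL Certificate, exactly as when editing the file by hand.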

Install TeamViewer 11 on Debian Stretch amd64

On Thu, 27 Oct 2016 19:19:31 +0200 by Falco Vennedey

If you try to install the TeamViewer Debian package on a 64-bit Debian Stretch system and run into the missing libpng12-0 dependency and the error architecture (i386) does not match system (amd64), run the following commands in order:

root@host:~# wget http://ftp.de.debian.org/debian/pool/main/libp/libpng/libpng12-0_1.2.50-2+deb8u2_i386.deb
root@host:~# dpkg -i libpng12-0_1.2.50-2+deb8u2_i386.deb
root@host:~# dpkg --add-architecture i386
root@host:~# apt-get update
root@host:~# dpkg -i teamviewer_11.0.67687_i386.deb # The errors and warnings can be ignored for now
root@host:~# apt-get install -f

If the last command completed without any errors, you should be able to launch TeamViewer by running

user@host:~$ teamviewer

Set up an onion address for your website

On Tue, 25 Oct 2016 15:58:58 +0200 by Falco Vennedey

I finally managed to connect this page properly to the Tor network by setting up a Tor hidden service that redirects to this site. To use it, download the Tor Browser Bundle and connect to the onion address http://seodnwkezyf3msbj.onion.

If you want to know about my motivation for setting this up, please read this article on the Tor blog and watch this video recorded at the 32c3 explaining why hidden services are useful.

For now there is only an http version of my onion address, since the only CA issuing TLS certificates for onion addresses is DigiCert, which charges for them. There is some hope that Let's Encrypt will issue certificates for onion addresses in the future. This is not a real security risk anyway, as long as you take care of transport encryption between the Tor daemon terminating the connection for the onion address and your endpoint (e.g. the web server), because connections to onion sites are already encrypted and authenticated by the onion address itself. Securing the connection to the endpoint can be achieved by running Tor on the same machine as the endpoint, by creating an SSH/VPN tunnel, or, in the case of a web server, by using a proxy that connects to it over https. For a quick introduction on how to set up a Tor hidden service, have a look at the article in the Tor documentation.

To forward HTTP requests sent to the onion site to your web server over https, you can use the following simple NGINX configuration:

/etc/nginx/conf.d/example-com.onion.conf
server {
        listen 0.0.0.0:80;
        listen [::]:80;
        server_name youronionaddress.onion;

        location / {
                # Mark the request as having arrived via the onion address
                proxy_set_header original-host $http_host;
                # Verify the upstream certificate so the hop to the real web
                # server is authenticated as well as encrypted; nginx does not
                # verify upstream certificates by default. Point
                # proxy_ssl_trusted_certificate at your system's CA bundle.
                proxy_ssl_verify on;
                proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
                proxy_ssl_server_name on;
                proxy_pass https://www.example.com:443;
        }
}

This also adds an additional header, original-host, to the forwarded request, so that you have an easy way to distinguish requests that came in via the onion address from requests that came in via the classic domain. Since any client can send such a header directly to www.example.com as well, treat it as a hint for logging and statistics, not as proof that a request arrived through Tor.