Monthly Archives: January 2013

Monitor APC smart-UPS with apcupsd

apcupsd is a daemon that monitors an APC UPS and shuts the system down cleanly before the UPS runs out of battery. It works with most of APC's Smart-UPS models as well as most simple-signalling models such as Back-UPS and Back-UPS Office.

  1. install the daemon: [codesyntax lang="bash"]
    apt-get install apcupsd

    [/codesyntax]

  2. edit /etc/apcupsd/apcupsd.conf and change these lines
    1. UPSNAME myownups
    2. UPSCABLE usb
    3. UPSTYPE usb
    4. comment out DEVICE: for a USB UPS apcupsd finds the device itself, while the shipped value points at a serial TTY and prevents it from working
  3. edit /etc/default/apcupsd
    1. change ISCONFIGURED from no to yes
  4. start the apcupsd daemon: [codesyntax lang="bash"]
    /etc/init.d/apcupsd start

    [/codesyntax]

  5. check the UPS status: [codesyntax lang="bash"]
    apcaccess status

    [/codesyntax]

  6. install APCUPSD-CGI web interface: [codesyntax lang="bash"]
    apt-get install apcupsd-cgi

    [/codesyntax]

    Note: this only works if CGI is enabled in your Apache configuration and the CGI directory points at /usr/lib/cgi-bin/. The CGI programs read the UPS state from apcupsd's Network Information Server on TCP port 3551 (NISPORT in apcupsd.conf). If the web server runs on the same host, set NISIP 127.0.0.1 so the NIS is not reachable from the network, and restrict the CGI location in Apache, because multimon.cgi shows the UPS and host status to anyone who can reach it.

  7. access the web address: http://localhost/cgi-bin/apcupsd/multimon.cgi
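The steps above give you a status page; what most people actually want is an alert before the battery runs out. The following is an added example (not from the original post) of a POSIX shell check that parses `apcaccess status` output and returns a monitoring-style exit code. The two sample outputs and the 50 percent / 10 minute thresholds are constructed assumptions; the field names are the ones apcaccess prints.

```shell
#!/bin/sh
# Added example, not from the original post: parse `apcaccess status` output
# and turn it into an alert level a cron job or monitoring check can act on.
# SAMPLE_ONBATT / SAMPLE_ONLINE are constructed; the field names are the ones
# apcaccess prints. The 50 % charge and 10 minute thresholds are assumptions.

SAMPLE_ONBATT='APC      : 001,036,0869
DATE     : 2013-01-15 22:41:07 +0100
UPSNAME  : myownups
CABLE    : USB Cable
DRIVER   : USB UPS Driver
MODEL    : Smart-UPS 1500
STATUS   : ONBATT
LINEV    : 0.0 Volts
LOADPCT  : 42.0 Percent
BCHARGE  : 67.0 Percent
TIMELEFT : 18.5 Minutes
MBATTCHG : 5 Percent
MINTIMEL : 3 Minutes'

SAMPLE_ONLINE='STATUS   : ONLINE
LINEV    : 230.0 Volts
BCHARGE  : 100.0 Percent
TIMELEFT : 45.2 Minutes'

# Value of one field. The name is everything before the first ':' and the
# value everything after it, so values containing ':' (DATE) stay intact.
ups_field() {
    # $1 = apcaccess output, $2 = field name
    printf '%s\n' "$1" | awk -v key="$2" '
        index($0, ":") == 0 { next }
        {
            name = substr($0, 1, index($0, ":") - 1); sub(/ +$/, "", name)
            if (name == key) {
                val = substr($0, index($0, ":") + 1); sub(/^ +/, "", val)
                print val; exit
            }
        }'
}

# Leading number of a numeric field ("67.0 Percent" -> 67.0).
ups_num() {
    ups_field "$1" "$2" | awk '{ print $1 }'
}

# Classify the UPS state. Exit status follows the usual monitoring convention:
# 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN; a one-line summary goes to stdout.
ups_check() {
    out="$1"
    status=$(ups_field "$out" STATUS)
    charge=$(ups_num "$out" BCHARGE)
    left=$(ups_num "$out" TIMELEFT)
    summary="status=$status charge=${charge}% timeleft=${left}min"
    case "$status" in
        *COMMLOST*|*LOWBATT*|*REPLACEBATT*)
            echo "UPS CRITICAL: $summary"; return 2 ;;
        *ONBATT*)
            # On battery: critical once charge or runtime drops below the
            # thresholds, otherwise a warning so someone starts looking.
            if awk -v c="$charge" -v t="$left" 'BEGIN { exit !(c < 50 || t < 10) }'; then
                echo "UPS CRITICAL: $summary"; return 2
            fi
            echo "UPS WARNING: $summary"; return 1 ;;
        *ONLINE*)
            echo "UPS OK: $summary"; return 0 ;;
        *)
            echo "UPS UNKNOWN: $summary"; return 3 ;;
    esac
}

# Run against the constructed samples; on a host running apcupsd use
#   ups_check "$(apcaccess status)"
for sample in "$SAMPLE_ONLINE" "$SAMPLE_ONBATT"; do
    rc=0; ups_check "$sample" || rc=$?
    echo "exit code: $rc"
done
```

Feed a live `apcaccess status` into ups_check from cron or a Nagios/Icinga check. It reads from the same NIS the CGI uses, so it works from any host allowed to reach port 3551, which is one more reason to keep NISIP bound to the hosts that need it.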

Debian: How to determine which services are enabled at boot

If you are using CentOS the answer is pretty simple:

[codesyntax lang="bash"]

chkconfig --list | grep $(runlevel | awk '{ print $2}'):on

[/codesyntax]

But how is this done on Debian?

[codesyntax lang="bash"]

R=$(runlevel | awk '{ print $2}')
for s in /etc/rc${R}.d/S*; do basename "$s" | sed 's/^S[0-9][0-9]//'; done

[/codesyntax]
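Listing the services is usually a step toward the real question: is anything enabled at boot that should not be? The following is an added example (not part of the original post) that wraps the loop above in a function and compares the result against an allowlist. The rc directory it scans is a constructed fixture so it runs anywhere; the allowlist is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: list the services a SysV runlevel
# starts and flag any that are not on an approved list, which is the question
# behind "what is enabled at boot" when you are trimming attack surface.
# The rc directory below is a constructed fixture so the script runs anywhere;
# on a Debian host use /etc/rc$(runlevel | awk '{print $2}').d instead.

# Names of the services behind S?? links in rc directory $1, sorted.
enabled_services() {
    for link in "$1"/S[0-9][0-9]*; do
        [ -L "$link" ] || [ -e "$link" ] || continue   # glob matched nothing
        basename "$link" | sed 's/^S[0-9][0-9]//'
    done | sort
}

# Enabled services in rc directory $1 that are not in the space-separated
# allowlist $2.
unexpected_services() {
    enabled_services "$1" | while read -r svc; do
        case " $2 " in
            *" $svc "*) ;;
            *) echo "$svc" ;;
        esac
    done
}

# Constructed fixture: a fake rc2.d with start (S) and kill (K) links. The
# targets do not exist, which is why the -L test above is needed.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
for name in S20ssh S20rsyslog S91apache2 S99telnetd K20postfix; do
    ln -s "../init.d/${name#?[0-9][0-9]}" "$demo_dir/$name"
done

ALLOWED="ssh rsyslog apache2 cron"   # assumed approved set for this host
echo "enabled at boot:"; enabled_services "$demo_dir"
echo "not on the allowlist:"; unexpected_services "$demo_dir" "$ALLOWED"
```

Anything the second list prints is either missing from the allowlist or a service that should be removed with update-rc.d; on the fixture that is telnetd.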

If you prefer a menu, rcconf (the Debian runlevel configuration tool) shows the same information and lets you enable or disable services.

Paravirtualization with Citrix XenServer 5.5 and Ubuntu 9.10

A few days ago I had to P2V an old Ubuntu 9.10 machine. The P2V itself was easy and went smoothly; the challenge was getting the VM paravirtualized. After reading how others had done it and which problems they hit, I finished the task fairly quickly. I hope this post helps someone; it will certainly help me if I have to do it again.

This post gives step-by-step instructions for running an Ubuntu 9.10 VM as a paravirtualized virtual machine on Citrix XenServer 5.5.

Creating Our Guest Ubuntu VM
Our first step is to get an Ubuntu VM installed as a typical HVM. You can find many different options on the web about partitioning and recommended partition sizes. A default installation of Ubuntu 9.10 will install on two partitions:

  • a root (/) partition, which includes the boot system (/boot), and
  • a swap partition.

For this article I installed Ubuntu with default partition options.

Configuring XenServer

First login on XenServer console.

Get the UUID of the newly created VM:

[codesyntax lang="bash"]

xe vm-list name-label="ubuntu-vm" params=uuid --minimal

[/codesyntax]

ed788e42-aabd-f78e-180a-5e46ec8b2465

Find the VM’s hard drive, known as a virtual block device (VBD):

[codesyntax lang="bash"]

xe vm-disk-list uuid=ed788e42-aabd-f78e-180a-5e46ec8b2465

[/codesyntax]

Disk 0 VBD:
uuid ( RO)             : ceb500b7-b154-2251-2fcd-5de05da50368
    vm-name-label ( RO): ubuntu10.04
       userdevice ( RW): 0

Mark the VBD as bootable:

[codesyntax lang="bash"]

xe vbd-param-set uuid=ceb500b7-b154-2251-2fcd-5de05da50368 bootable=true

[/codesyntax]

Switch the VM from HVM to PV: clear the HVM boot policy and use pygrub as the PV bootloader:

[codesyntax lang="bash"]

xe vm-param-set uuid=ed788e42-aabd-f78e-180a-5e46ec8b2465 HVM-boot-policy=
xe vm-param-set uuid=ed788e42-aabd-f78e-180a-5e46ec8b2465 PV-bootloader=pygrub

[/codesyntax]

pygrub on XenServer 5.5 cannot read the GRUB 2 configuration that Ubuntu 9.10 installs, so the kernel and ramdisk are given explicitly:

[codesyntax lang="bash"]

xe vm-param-set uuid=ed788e42-aabd-f78e-180a-5e46ec8b2465 PV-bootloader-args="--kernel=/boot/vmlinuz-2.6.31-14-generic --ramdisk=/boot/initrd.img-2.6.31-14-generic"
xe vm-param-set uuid=ed788e42-aabd-f78e-180a-5e46ec8b2465 PV-args="root=UUID=706a70b4-09ee-4682-8f08-c8eb79ddd410 ro quiet"

[/codesyntax]

Notes:

  • 706a70b4-09ee-4682-8f08-c8eb79ddd410 is the UUID of the root partition (which, in the default layout, also holds /boot). You can find it in the grub configuration file or with the blkid command.
  • if you have a separate /boot partition, the paths are relative to that filesystem, so change the parameters to --kernel=/vmlinuz-2.6.31-14-generic --ramdisk=/initrd.img-2.6.31-14-generic

Close and restart your XenCenter client (it appears to be a bit buggy and doesn’t let you type into the new console until it’s restarted), and boot up your VM (which will now start in PV mode).
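The kernel version and root UUID above are the ones on that particular machine. As an added example (not from the original post), the script below derives them for a guest from its /boot directory and fstab, handles the separate /boot case from the notes, and prints the xe commands to run in dom0. It works on a constructed fixture (a fake /boot, made-up UUIDs, a placeholder VM UUID) so it can be run anywhere; on the real guest pass /boot and the contents of /etc/fstab.

```shell
#!/bin/sh
# Added example, not from the original post: derive the PV boot parameters
# for an Ubuntu guest from its /boot directory and fstab, and print the xe
# commands for dom0. Runs on a constructed fixture (fake /boot, made-up UUIDs);
# on the real guest call:  xe_commands <vm-uuid> /boot "$(cat /etc/fstab)"

# Newest kernel version installed as vmlinuz-<version> in directory $1.
newest_kernel() {
    ls "$1"/vmlinuz-* 2>/dev/null | sed 's|.*/vmlinuz-||' | sort -V | tail -n 1
}

# UUID of the filesystem mounted at $2, read from fstab text $1; empty if
# no UUID= entry exists for that mount point.
fstab_uuid() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $1 ~ /^#/ { next }
        $2 == mp && $1 ~ /^UUID=/ { sub(/^UUID=/, "", $1); print $1; exit }'
}

# pygrub on XenServer 5.5 cannot read GRUB 2, so kernel and ramdisk are
# named explicitly. With a separate /boot partition pygrub reads that
# filesystem, so the paths lose their /boot prefix.
pv_bootloader_args() {
    # $1 = kernel version, $2 = "yes" if /boot is its own partition
    prefix=/boot
    [ "$2" = "yes" ] && prefix=""
    echo "--kernel=$prefix/vmlinuz-$1 --ramdisk=$prefix/initrd.img-$1"
}

pv_args() {
    echo "root=UUID=$1 ro quiet"
}

# Print the dom0 commands for VM uuid $1, boot directory $2, fstab text $3.
xe_commands() {
    ver=$(newest_kernel "$2")
    root=$(fstab_uuid "$3" /)
    sep=no
    [ -n "$(fstab_uuid "$3" /boot)" ] && sep=yes
    cat <<EOF
xe vm-param-set uuid=$1 HVM-boot-policy=
xe vm-param-set uuid=$1 PV-bootloader=pygrub
xe vm-param-set uuid=$1 PV-bootloader-args="$(pv_bootloader_args "$ver" "$sep")"
xe vm-param-set uuid=$1 PV-args="$(pv_args "$root")"
EOF
}

# Constructed fixture: two installed kernels and the default one-root layout,
# plus a variant with a separate /boot. All UUIDs are made up.
demo_boot=$(mktemp -d)
trap 'rm -rf "$demo_boot"' EXIT
for v in 2.6.31-14-generic 2.6.31-20-generic; do
    : > "$demo_boot/vmlinuz-$v"
    : > "$demo_boot/initrd.img-$v"
done
DEMO_FSTAB='# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc defaults 0 0
UUID=11111111-2222-3333-4444-555555555555 / ext4 errors=remount-ro 0 1
UUID=66666666-7777-8888-9999-000000000000 none swap sw 0 0'
DEMO_FSTAB_SPLIT="$DEMO_FSTAB
UUID=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee /boot ext2 defaults 0 2"

echo "# default layout"
xe_commands 00000000-0000-0000-0000-000000000000 "$demo_boot" "$DEMO_FSTAB"
echo "# separate /boot"
xe_commands 00000000-0000-0000-0000-000000000000 "$demo_boot" "$DEMO_FSTAB_SPLIT"
```

Run it inside the guest while it is still an HVM, paste the printed lines into the XenServer console, and run it again after every kernel upgrade: with pygrub bypassed, nothing updates PV-bootloader-args for you and the VM will fail to boot once the old kernel is removed.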

Install XenServer tools

Attach the XenServer tools ISO (xs-tools.iso) to the VM and mount it inside the guest:

[codesyntax lang="bash"]

mount /dev/cdrom /mnt

[/codesyntax]

Install the guest utilities package:

[codesyntax lang="bash"]

dpkg -i /mnt/Linux/xe-guest-utilities_5.5.0-466_amd64.deb

[/codesyntax]

During the install you will likely have noticed a couple of errors:

update-rc.d: warning: xe-linux-distribution start runlevel arguments (S) do not match LSB Default-Start values (2 3 4 5)
...
[: 31: configure: unexpected operator

The package was built for Debian, not Ubuntu, so the messages themselves are harmless; we only need to re-register the init script with the runlevels it declares:

[codesyntax lang="bash"]

update-rc.d -f xe-linux-distribution remove
update-rc.d xe-linux-distribution defaults

[/codesyntax]

Now that the VM is paravirtualized, its console is the Xen virtual console hvc0 rather than tty1, so give upstart a getty on hvc0:

[codesyntax lang="bash"]

sed -e "s/tty1/hvc0/ig" /etc/init/tty1.conf | sudo bash -c 'cat > /etc/init/hvc0.conf'

[/codesyntax]

Accessing the GUI on a paravirtualized Ubuntu VM

If you try and start the GUI on a paravirtualized Ubuntu VM in XenServer, you’ll get the following error:

Primary device is not PCI
(EE) open /dev/fb0: No such file or directory
(EE) No devices detected

A paravirtualized guest has no emulated graphics hardware: X finds neither a PCI video device nor a framebuffer, so there is no local graphical console.

Use VNC instead:

Install VNC
[codesyntax lang="bash"]

apt-get install vnc4server

[/codesyntax]

Set the VNC resolution (whatever resolution you want to see on the desktop machine you will run the VNC client on). vnc4server listens on every interface by default and VNC's own password check is weak, so add -localhost to the command (vncserver passes options it does not recognise on to Xvnc) and reach the display through an SSH tunnel instead of exposing port 5901 to the network:
[codesyntax lang="bash"]

vncserver -geometry 1280x1024 -depth 24

[/codesyntax]

The first run asks for a password, creates the configuration files under ~/.vnc and starts display :1.

Stop that display and edit its startup script:

[codesyntax lang="bash"]

vncserver -kill :1

[/codesyntax]

[codesyntax lang="bash"]

vim ~/.vnc/xstartup

[/codesyntax]

#!/bin/sh
# Uncomment the following two lines for normal desktop:
unset SESSION_MANAGER
exec sh /etc/X11/xinit/xinitrc

[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
xsetroot -solid grey
vncconfig -iconic &
x-terminal-emulator -geometry 1280x1024+10+10 -ls -title "$VNCDESKTOP Desktop" &
x-window-manager &
[codesyntax lang="bash"]

:wq

[/codesyntax]

Start up the VNC server again
[codesyntax lang="bash"]

vncserver -geometry 1280x1024 -depth 24

[/codesyntax]

Troubleshooting

Can't type at login prompt.

I ran into one instance where I could see the login prompt but nothing I typed appeared.  First, make sure you click inside the console window.  If that does not resolve the issue, close and reopen XenCenter.  This fixed the issue when I encountered it.

PV is not working and I need to get the VM back up.

[codesyntax lang="bash"]

xe vm-param-set uuid= HVM-boot-policy="BIOS order"

[/codesyntax]

To return to PV mode, clear the HVM-boot-policy parameter.

[codesyntax lang="bash"]

xe vm-param-set uuid= HVM-boot-policy=

[/codesyntax]

Note that the value of HVM-boot-policy is case sensitive.

Links:
http://www.aikidokatech.com/?p=30
http://blog.403labs.com/post/1546501840/paravirtulization-with-citrix-xenserver-5-5-and-ubuntu
http://sysadmin.circularvale.com/server-config/accessing-a-gui-on-ubuntu-xenserver-vm/

Setting up an L2TP over IPsec VPN on Debian in 10 steps

This document describes the steps needed for a working L2TP/IPsec VPN with pre-shared keys (PSK) on Debian Squeeze.

L2TP/IPsec is standardized in IETF RFC 3193 and is the usual replacement for PPTP where real encryption is required: the L2TP tunnel is carried inside an IPsec transport-mode SA. Because the data is encapsulated twice (PPP in L2TP in ESP), it is slightly less efficient than PPTP or OpenVPN.

L2TP/IPsec uses 500/udp for the IKE key exchange, IP protocol 50 (ESP) for the encrypted data, 4500/udp for NAT traversal (UDP-encapsulated ESP) and 1701/udp for L2TP itself, which should only ever arrive inside the IPsec SA. Its reliance on fixed protocols and ports makes it easier to block than OpenVPN.

1. Install required packages

[codesyntax lang="bash"]

apt-get install xl2tpd openswan

[/codesyntax]

Note: answer NO when asked whether an X.509 certificate for this host should be created or imported. It can be created and imported later with:

[codesyntax lang="bash"]

dpkg-reconfigure openswan

[/codesyntax]

2. I always back up the original configuration files (you may skip this step, but I do not recommend it):

[codesyntax lang="bash"]

mv /etc/ipsec.conf /etc/ipsec.conf.orig
mv /etc/ipsec.secrets /etc/ipsec.secrets.orig
mv /etc/xl2tpd/xl2tpd.conf /etc/xl2tpd/xl2tpd.conf.orig
mv /etc/ppp/options.l2tpd /etc/ppp/options.l2tpd.orig

[/codesyntax]

3. Disable ICMP redirects on every interface, which ipsec verify checks for later. Written to /proc this way the setting is lost at reboot, so also put net.ipv4.conf.all.accept_redirects = 0 and net.ipv4.conf.all.send_redirects = 0 in /etc/sysctl.conf; clients also need net.ipv4.ip_forward = 1 on this host to reach anything beyond it.

[codesyntax lang="bash"]

for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
done

[/codesyntax]

4. Configure /etc/ipsec.conf to use the PSK rather than X.509 certificates. Parameter lines inside a section must be indented: a line that starts in column one begins a new section, so a flat copy of this file will not parse.

[codesyntax lang="bash"]

vim /etc/ipsec.conf

[/codesyntax]

config setup
    protostack=netkey
    nat_traversal=yes
    oe=off

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=x.x.x.x # <-- replace this IP address with the IPv4 address of this machine
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/1701

conn passthrough-for-non-l2tp
    type=passthrough
    left=x.x.x.x # <-- replace this IPv4 address with the IPv4 address of this machine
    leftnexthop=0.0.0.0
    right=0.0.0.0
    rightsubnet=0.0.0.0/0
    auto=route

5. Enter your preferred PSK in /etc/ipsec.secrets:

[codesyntax lang="bash"]

vim /etc/ipsec.secrets

[/codesyntax]

x.x.x.x %any: "mysecretpresharedkeypassword"

Note: the first field is the IPv4 address of this machine, the second the remote address (%any matches any client) and the third the PSK in quotes. Because PPP authentication is turned off further down, this PSK is the only credential a client needs, and every client shares it: make it long and random rather than a phrase, and change it whenever someone who knew it should no longer have access. You can add more lines should you wish to add more entries.

6. Make sure the file /etc/ipsec.secrets is readable only by root and nothing else.

[codesyntax lang="bash"]

chmod 600 /etc/ipsec.secrets

[/codesyntax]

7. Setting up xl2tpd

[codesyntax lang="bash"]

vim /etc/xl2tpd/xl2tpd.conf

[/codesyntax]

[global]
port = 1701
auth file = /etc/xl2tpd/l2tp-secrets
access control = no
rand source = dev

[lns default]
exclusive = no
; enter the IP range you wish to give out to your clients here
ip range = 192.168.1.240 - 192.168.1.243
; address of the L2TP end of the tunnel (i.e. this machine)
local ip = 192.168.1.1
refuse authentication = yes
refuse pap = yes
refuse chap = yes
ppp debug = no
pppoptfile = /etc/ppp/options.l2tpd

8. Add the PPP options that pppoptfile in xl2tpd.conf points to, /etc/ppp/options.l2tpd

[codesyntax lang="bash"]

vim /etc/ppp/options.l2tpd

[/codesyntax]

# Do not support BSD compression.
nobsdcomp
passive
lock

# Allow all usernames to connect.
name *
proxyarp
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 10
lcp-echo-interval 5
nodeflate

# Do not authenticate at the PPP layer: the IPsec PSK is the only credential, shared by every client.
noauth
refuse-chap
refuse-mschap
refuse-mschap-v2

# Set the DNS servers the PPP clients will use.
ms-dns 8.8.8.8 # <-- change this to the IPv4 address of your DNS server
ms-dns 8.8.4.4 # <-- add extra entries if necessary

mtu 1400
mru 1400

9. The IPsec configuration is done; verify it. Every check must come back [OK] (Opportunistic Encryption is intentionally disabled, so that line is expected):

[codesyntax lang="bash"]

ipsec verify

[/codesyntax]

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.28/K2.6.32-5-686 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]

10. (re)start openswan and xl2tpd

[codesyntax lang="bash"]

/etc/init.d/ipsec restart
/etc/init.d/xl2tpd restart

[/codesyntax]
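The ports listed at the top of this post and the noauth setting in step 8 together decide the firewall policy: since nothing authenticates at the PPP layer, L2TP on udp/1701 must only be accepted when it arrived inside an IPsec SA. The following is an added example (not from the original post) that prints INPUT rules using the iptables policy match for exactly that, and checks an iptables-save dump for the plaintext-1701 mistake. The interface name and the two dumps are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: INPUT rules for the ports listed
# above, plus a check of an iptables-save dump for the mistake that matters
# most in this setup. PPP authentication is turned off (step 8), so the IPsec
# PSK is the only credential: udp/1701 must therefore be accepted only for
# packets that were decapsulated from an IPsec SA (-m policy --pol ipsec), and
# plaintext L2TP dropped. The interface name and the two dumps are constructed.

# Print the rules for the public interface $1. Review them, then apply with:
#   l2tp_rules eth0 | sh
l2tp_rules() {
    ifc="$1"
    cat <<EOF
iptables -A INPUT -i $ifc -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $ifc -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i $ifc -p esp -j ACCEPT
iptables -A INPUT -i $ifc -p udp --dport 1701 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -A INPUT -i $ifc -p udp --dport 1701 -j DROP
EOF
}

# Exit 0 if an iptables-save dump ($1) accepts udp/1701 without an IPsec
# policy match, i.e. plaintext L2TP is reachable; exit 1 otherwise.
plaintext_l2tp_exposed() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT/ && /-p udp/ && /--dport 1701/ && /-j ACCEPT/ && !/--pol ipsec/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed dumps in iptables-save format.
BAD_DUMP='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j ACCEPT
COMMIT'
GOOD_DUMP='*filter
:INPUT DROP [0:0]
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j DROP
COMMIT'

l2tp_rules eth0
for dump in "$BAD_DUMP" "$GOOD_DUMP"; do
    if plaintext_l2tp_exposed "$dump"; then
        echo "plaintext L2TP reachable: fix the ruleset"
    else
        echo "udp/1701 only reachable through IPsec: ok"
    fi
done
```

The policy match also covers NAT-T clients, because UDP-encapsulated ESP is decapsulated before the INPUT chain sees the inner L2TP packet. Forwarding and masquerading for the ppp+ interfaces the clients get are outside this snippet.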

How to fix the error: "Not replacing deleted config file..."

Suppose that when installing apticron the default config file is not created, and running the postinst configure step produces:

Not replacing deleted config file /etc/apticron/apticron.conf

dpkg records a conffile that the administrator removed as deliberately deleted and will not recreate it on a plain reinstall. The fix is to tell dpkg to install missing conffiles:

[codesyntax lang="bash"]

aptitude -o DPkg::Options="--force-confmiss" reinstall apticron

[/codesyntax]

How to export google sites data

We are going to use a small tool called Google Sites Liberation (GSL). If you do not have time to read up on it, the User's Guide sums it up:

The Sites Liberation import/export tool uses the Sites GData API to allow users to export an entire Google Site as static html pages to a directory on their hard drive.

1. Download GSL locally.
[codesyntax lang="bash"]

wget -c http://google-sites-liberation.googlecode.com/files/google-sites-liberation-1.0.4.jar

[/codesyntax]

2. Execute GSL
[codesyntax lang="bash"]

java -jar google-sites-liberation-1.0.4.jar

[/codesyntax]

3. Export the site. If you use Google Apps, fill in the fields as follows:
Host: sites.google.com
Domain: test.org
Webspace: webspace

Username: user
Password: password

If you do not use Google Apps, fill in the fields as follows:
Host: sites.google.com
Domain:
Webspace: webspace

Username: user@gmail.com
Password: password

Where do you find the webspace? It is the last path segment of your site's URL, as in:
https://sites.google.com/site/webspace/
https://sites.google.com/a/test.org/webspace/