repository Archives - ☩ Walking in Light with Christ - Faith, Computing, Diary ☩ Walking in Light with Christ

Posts Tagged ‘repository’

Install and configure rkhunter for improved security on a PCI DSS Linux / BSD servers with no access to Internet

Wednesday, November 10th, 2021

rkhunter or Rootkit Hunter scans systems for known and unknown rootkits. The tool is not new and most system administrators that has to mantain some good security servers perhaps already use it in their daily sysadmin tasks.

It does this by comparing SHA-1 Hashes of important files with known good ones in online databases, searching for default directories (of rootkits), wrong permissions, hidden files, suspicious strings in kernel modules, commmon backdoors, sniffers and exploits as well as other special tests mostly for Linux and FreeBSD though a ports for other UNIX operating systems like Solaris etc. are perhaps available. rkhunter is notable due to its inclusion in popular mainstream FOSS operating systems (CentOS, Fedora,Debian, Ubuntu etc.).

Even though rkhunter is not rapidly improved over the last 3 years (its last Official version release was on 20th of Febuary 2018), it is a good tool that helps to strengthen even further security and it is often a requirement for Unix servers systems that should follow the PCI DSS Standards (Payment Card Industry Data Security Standards).

Configuring rkhunter is a pretty straight forward if you don't have too much requirements but I decided to write this article for the reason there are fwe interesting options that you might want to adopt in configuration to whitelist any files that are reported as Warnings, as well as how to set a configuration that sets a stricter security checks than the installation defaults.

1. Install rkhunter .deb / .rpm package depending on the Linux distro or BSD

If you have to place it on a Redhat based distro CentOS / Redhat / Fedora

[root@Centos ~]# yum install -y rkhunter
…

On Debian distros the package name is equevallent to install there exec usual:

root@debian:~# apt install –yes rkhunter
…

On FreeBSD / NetBSD or other BSD forks you can install it from the BSD "World" ports system or install it from a precompiled binary.

freebsd# pkg install rkhunter
…

One important note to make here is to have a fully functional Alarming from rkhunter, you will have to have a fully functional configured postfix / exim / qmail whatever mail server to relay via official SMTP so you the Warning Alarm emails be able to reach your preferred Alarm email address. If you haven't installed postfix for example and configure it you might do.

– On Deb based distros

[root@Centos ~]#yum install postfix

– On RPM based distros

root@debian:~# apt-get install –yes postfix

and as minimum, further on configure some functional Email Relay server within /etc/postfix/main.cf

# vi /etc/postfix/main.cf
relayhost = [relay.smtp-server.com]

2. Prepare rkhunter.conf initial configuration

Depending on what kind of files are present on the filesystem it could be for some reasons some standard package binaries has to be excluded for verification, because they possess unusual permissions because of manual sys admin monification this is done with the rkhunter variable PKGMGR_NO_VRFY.

If remote logging is configured on the system via something like rsyslog you will want to specificly tell it to rkhunter so this check as a possible security issue is skipped via ALLOW_SYSLOG_REMOTE_LOGGING=1.

In case if remote root login via SSH protocol is disabled via /etc/ssh/sshd_config
PermitRootLogin no variable, the variable to include is ALLOW_SSH_ROOT_USER=no

It is useful to also increase the hashing check algorithm for security default one SHA256 you might want to change to SHA512, this is done via rkhunter.conf var HASH_CMD=SHA512

Triggering new email Warnings has to be configured so you receive, new mails at a preconfigured mailbox of your choice via variable
MAIL-ON-WARNING=SetMailAddress

# vi /etc/rkhunter.conf

PKGMGR_NO_VRFY=/usr/bin/su

PKGMGR_NO_VRFY=/usr/bin/passwd

ALLOW_SYSLOG_REMOTE_LOGGING=1

# Needed for corosync/pacemaker since update 19.11.2020

ALLOWDEVFILE=/dev/shm/qb-*/qb-*

# enabled ssh root access skip

ALLOW_SSH_ROOT_USER=no

HASH_CMD=SHA512

# Email address to sent alert in case of Warnings

MAIL-ON-WARNING=Your-Customer@Your-Email-Server-Destination-Address.com

MAIL-ON-WARNING=Your-Second-Peronsl-Email-Address@SMTP-Server.com

DISABLE_TESTS=os_specific

Optionally if you're using something specific such as corosync / pacemaker High Availability cluster or some specific software that is creating /dev/ files identified as potential Risks you might want to add more rkhunter.conf options like:

# Allow PCS/Pacemaker/Corosync
ALLOWDEVFILE=/dev/shm/qb-attrd-*
ALLOWDEVFILE=/dev/shm/qb-cfg-*
ALLOWDEVFILE=/dev/shm/qb-cib_rw-*
ALLOWDEVFILE=/dev/shm/qb-cib_shm-*
ALLOWDEVFILE=/dev/shm/qb-corosync-*
ALLOWDEVFILE=/dev/shm/qb-cpg-*
ALLOWDEVFILE=/dev/shm/qb-lrmd-*
ALLOWDEVFILE=/dev/shm/qb-pengine-*
ALLOWDEVFILE=/dev/shm/qb-quorum-*
ALLOWDEVFILE=/dev/shm/qb-stonith-*
ALLOWDEVFILE=/dev/shm/pulse-shm-*
ALLOWDEVFILE=/dev/md/md-device-map
# Needed for corosync/pacemaker since update 19.11.2020
ALLOWDEVFILE=/dev/shm/qb-*/qb-*

# tomboy creates this one
ALLOWDEVFILE="/dev/shm/mono.*"
# created by libv4l
ALLOWDEVFILE="/dev/shm/libv4l-*"
# created by spice video
ALLOWDEVFILE="/dev/shm/spice.*"
# created by mdadm
ALLOWDEVFILE="/dev/md/autorebuild.pid"
# 389 Directory Server
ALLOWDEVFILE=/dev/shm/sem.slapd-*.stats
# squid proxy
ALLOWDEVFILE=/dev/shm/squid-cf*
# squid ssl cache
ALLOWDEVFILE=/dev/shm/squid-ssl_session_cache.shm
# Allow podman
ALLOWDEVFILE=/dev/shm/libpod*lock*

3. Set the proper mirror database URL location to internal network repository

Usually file /var/lib/rkhunter/db/mirrors.dat does contain Internet server address where latest version of mirrors.dat could be fetched, below is how it looks by default on Debian 10 Linux.

root@debian:/var/lib/rkhunter/db# cat mirrors.dat
Version:2007060601
mirror=http://rkhunter.sourceforge.net
mirror=http://rkhunter.sourceforge.net

As you can guess a machine that doesn't have access to the Internet neither directly, neither via some kind of secure proxy because it is in a Paranoic Demilitarized Zone (DMZ) Network with many firewalls. What you can do then is setup another Mirror server (Apache / Nginx) within the local PCI secured LAN that gets regularly the database from official database on http://rkhunter.sourceforge.net/ (by installing and running rkhunter –update command on the Mirror WebServer and copying data under some directory structure on the remote local LAN accessible server, to keep the DB uptodate you might want to setup a cron to periodically copy latest available rkhunter database towards the http://mirror-url/path-folder/)

# vi /var/lib/rkhunter/db/mirrors.dat

local=http://rkhunter-url-mirror-server-url.com/rkhunter/1.4/

A mirror copy of entire db files from Debian 10.8 ( Buster ) ready for download are here.

Update entire file property db and check for rkhunter db updates

# rkhunter –update && rkhunter –propupdate

[ Rootkit Hunter version 1.4.6 ]

Checking rkhunter data files…
Checking file mirrors.dat [ Skipped ]
Checking file programs_bad.dat [ No update ]
Checking file backdoorports.dat [ No update ]
Checking file suspscan.dat [ No update ]
Checking file i18n/cn [ No update ]
Checking file i18n/de [ No update ]
Checking file i18n/en [ No update ]
Checking file i18n/tr [ No update ]
Checking file i18n/tr.utf8 [ No update ]
Checking file i18n/zh [ No update ]
Checking file i18n/zh.utf8 [ No update ]
Checking file i18n/ja [ No update ]

rkhunter-update-propupdate-screenshot-centos-linux

4. Initiate a first time check and see whether something is not triggering Warnings

# rkhunter –check

As you might have to run the rkhunter multiple times, there is annoying Press Enter prompt, between checks. The idea of it is that you're able to inspect what went on but since usually, inspecting /var/log/rkhunter/rkhunter.log is much more easier, I prefer to skip this with –skip-keypress option.

# rkhunter –check –skip-keypress

5. Whitelist additional files and dev triggering false warnings alerts

You have to keep in mind many files which are considered to not be officially PCI compatible and potentially dangerous such as lynx browser curl, telnet etc. might trigger Warning, after checking them thoroughfully with some AntiVirus software such as Clamav and checking the MD5 checksum compared to a clean installed .deb / .rpm package on another RootKit, Virus, Spyware etc. Clean system (be it virtual machine or a Testing / Staging) machine you might want to simply whitelist the files which are incorrectly detected as dangerous for the system security.

Again this can be achieved with

PKGMGR_NO_VRFY=

Some Cluster softwares that are preparing their own /dev/ temporary files such as Pacemaker / Corosync might also trigger alarms, so you might want to suppress this as well with ALLOWDEVFILE

ALLOWDEVFILE=/dev/shm/qb-*/qb-*

If Warnings are found check what is the issue and if necessery white list files due to incorrect permissions in /etc/rkhunter.conf .

rkhunter-warnings-found-screenshot

Re-run the check until all appears clean as in below screenshot.

rkhunter-clean-report-linux-screenshot

Fixing Checking for a system logging configuration file [ Warning ]

If you happen to get some message like, message appears when rkhunter -C is done on legacy CentOS release 6.10 (Final) servers:

[13:45:29] Checking for a system logging configuration file [ Warning ]
[13:45:29] Warning: The 'systemd-journald' daemon is running, but no configuration file can be found.
[13:45:29] Checking if syslog remote logging is allowed [ Allowed ]

To fix it, you will have to disable SYSLOG_CONFIG_FILE at all.

SYSLOG_CONFIG_FILE=NONE

Tags: access, ALLOWDEVFILE, checking, com, configure, created, default, Fixing Checking, freebsd, howto, Install, installation, Internet, lib, linux?, logging, mirror, pci, postfix, repository, rkhunter, rkhunter add dev, rkhunter.conf, security, shm, something, sourceforge, updates, var, Warnings, whitelist
Posted in Computer Security, Educational, Linux, System Administration | 2 Comments »

Adding proxy to yum repository on Redhat / Fedora / CentOS and other RPM based Linux distributions, Listing and enabling new RPM repositories

Tuesday, September 7th, 2021

yum-add-proxy-host-for-redhat-linux-centos-list-rpm-repositories-enable-disable-repositories

Sometimes if you work in a company that is following PCI standards with very tight security you might need to use a custom company prepared RPM repositories that are accessible only via a specific custom maintained repositories or alternatively you might need the proxy node to access an external internet repository from the DMZ-ed firewalled zone where the servers lays .
Hence to still be able to maintain the RPM based servers up2date to the latest security patches and install software with yumone very useful feature of yum package manager is to use a proxy host through which you will reach your Redhat Package Manager files files.

1. The http_proxy and https_proxy shell variables

To set a proxy host you need to define there the IP / Hostname or the Fully Qualified Domain Name (FQDN).

By default "http_proxy and https_proxy are empty. As you can guess https_proxy is used if you have a Secure Socket Layer (SSL) certificate for encrypting the communication channel (e.g. you have https:// URL).

[root@rhel: ~]# echo $http_proxy
[root@rhel: ~]#

2. Setting passwordless or password protected proxy host via http_proxy, https_proxy variables

There is a one time very straight forward to configure proxying of traffic via a specific remote configured server with server bourne again shell (BASH)'s understood variables:

a.) Set password free open proxy to shell environment.

[root@centos: ~]# export https_proxy="https://remote-proxy-server:8080"

Now use yum as usual to update the available installabe package list or simply upgrade to the latest packages with lets say:

[root@rhel: ~]# yum check-update && yum update

b.) Configuring password protected proxy for yum

If your proxy is password protected for even tigher security you can provide the password on the command line as well.

[root@centos: ~]# export http_proxy="http://username:pAssW0rd@server:port/"

Note that if you have some special characters you will have to pass the string inside single quotes or escape them to make sure the password will properly handled to server, before trying out the proxy with yum, echo the variable.

[root@centos: ~]# export http_proxy='http://username:p@s#w:E@192.168.0.1:3128/'
[root@centos: ~]# echo $http_proxy
http://username:p@s#w:E@server:port/

Then do whatever with yum:

[root@centos: ~]# yum check-update && yum search sharutils

If something is wrong and proxy is not properly connected try to reach for the repository manually with curl or wget

[root@centos: ~]# curl -ilk http://download.fedoraproject.org/pub/epel/7/SRPMS/ /epel/7/SRPMS/
HTTP/1.1 302 Found
Date: Tue, 07 Sep 2021 16:49:59 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Location: http://mirror.telepoint.bg/epel/7/SRPMS/
Content-Type: text/plain
Content-Length: 0
AppTime: D=2264
X-Fedora-ProxyServer: proxy01.iad2.fedoraproject.org
X-Fedora-RequestID: YTeYOE3mQPHH_rxD0sdlGAAAA80
X-Cache: MISS from pcfreak
X-Cache-Lookup: MISS from pcfreak:3128
Via: 1.1 pcfreak (squid/4.6)
Connection: keep-alive

Or if you need, you can test the user, password protected proxy with wget as so:

[root@centos: ~]# wget –proxy-user=USERNAME –proxy-password=PASSWORD http://your-proxy-domain.com/optional-rpms/

If you have lynx installed on the machine you can do the remote proxy successful authentication check with it with less typing:

[root@centos: ~]# lynx -pauth=USER:PASSWORD http://proxy-domain.com/optional-rpm/

3. Making yum proxy connection permanent via /etc/yum.conf

Perhaps the easiest and quickest way to add the http_proxy / https_proxy configured is to store it to automatically load on each server ssh login in your admin user (root) in /root/.bashrc or /root/.bash_profile or in the global /etc/profile or /etc/profile.d/custom.sh etc.

However if you don't want to have hacks and have more cleanness on the systems, the recommended "Redhat way" so to say is to store the configuration inside /etc/yum.conf

To do it via /etc/yum.conf you have to have some records there like:

# The proxy server – proxy server:port number
proxy=http://mycache.mydomain.com:3128
# The account details for yum connections
proxy_username=yum-user
proxy_password=qwerty-secret-pass

4. Listing RPM repositories and their state

As I had to install sharutils RPM package to the server which contains the file /bin/uuencode (that is provided on CentOS 7.9 Linux from Repo: base/7/x86_64 I had to check whether the repository was installed on the server.

To get a list of all yum repositories avaiable

[root@centos:/etc/yum.repos.d]# yum repolist all
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.telecoms.bg
* epel: mirrors.netix.net
* extras: centos.telecoms.bg
* remi: mirrors.netix.net
* remi-php74: mirrors.netix.net
* remi-safe: mirrors.netix.net
* updates: centos.telecoms.bg
repo id repo name status
base/7/x86_64 CentOS-7 – Base enabled: 10,072
base-debuginfo/x86_64 CentOS-7 – Debuginfo disabled
base-source/7 CentOS-7 – Base Sources disabled
c7-media CentOS-7 – Media disabled
centos-kernel/7/x86_64 CentOS LTS Kernels for x86_64 disabled
centos-kernel-experimental/7/x86_64 CentOS Experimental Kernels for x86_64 disabled
centosplus/7/x86_64 CentOS-7 – Plus disabled
centosplus-source/7 CentOS-7 – Plus Sources disabled
cr/7/x86_64 CentOS-7 – cr disabled
epel/x86_64 Extra Packages for Enterprise Linux 7 – x86_64 enabled: 13,667
epel-debuginfo/x86_64 Extra Packages for Enterprise Linux 7 – x86_64 – Debug disabled
epel-source/x86_64 Extra Packages for Enterprise Linux 7 – x86_64 – Source disabled
epel-testing/x86_64 Extra Packages for Enterprise Linux 7 – Testing – x86_64 disabled
epel-testing-debuginfo/x86_64 Extra Packages for Enterprise Linux 7 – Testing – x86_64 – Debug disabled
epel-testing-source/x86_64 Extra Packages for Enterprise Linux 7 – Testing – x86_64 – Source disabled
extras/7/x86_64 CentOS-7 – Extras enabled: 500
extras-source/7 CentOS-7 – Extras Sources disabled
fasttrack/7/x86_64 CentOS-7 – fasttrack disabled
remi Remi's RPM repository for Enterprise Linux 7 – x86_64 enabled: 7,229
remi-debuginfo/x86_64 Remi's RPM repository for Enterprise Linux 7 – x86_64 – debuginfo disabled
remi-glpi91 Remi's GLPI 9.1 RPM repository for Enterprise Linux 7 – x86_64 disabled
remi-glpi92 Remi's GLPI 9.2 RPM repository for Enterprise Linux 7 – x86_64 disabled
remi-glpi93 Remi's GLPI 9.3 RPM repository for Enterprise Linux 7 – x86_64 disabled
remi-glpi94 Remi's GLPI 9.4 RPM repository for Enterprise Linux 7 – x86_64 disabled
remi-modular Remi's Modular repository for Enterprise Linux 7 – x86_64 disabled
remi-modular-test Remi's Modular testing repository for Enterprise Linux 7 – x86_64 disabled
remi-php54 Remi's PHP 5.4 RPM repository for Enterprise Linux 7 – x86_64 disabled
remi-php55 Remi's PHP 5.5 RPM repository for Enterprise Linux 7 – x86_64 disabled
remi-php55-debuginfo/x86_64 Remi's PHP 5.5 RPM repository for Enterprise Linux 7 – x86_64 – debuginfo disabled
!remi-php56 Remi's PHP 5.6 RPM repository for Enterprise Linux 7 – x86_64 disabled
remi-php56-debuginfo/x86_64 Remi's PHP 5.6 RPM repository for Enterprise Linux 7 – x86_64 – debuginfo disabled
remi-php70 Remi's PHP 7.0 RPM repository for Enterprise Linux 7 – x86_64 disabled
remi-php70-debuginfo/x86_64 Remi's PHP 7.0 RPM repository for Enterprise Linux 7 – x86_64 – debuginfo disabled
remi-php70-test Remi's PHP 7.0 test RPM repository for Enterprise Linux 7 – x86_64 disabled
remi-php70-test-debuginfo/x86_64 Remi's PHP 7.0 test RPM repository for Enterprise Linux 7 – x86_64 – debuginfo disabled
remi-php71 Remi's PHP 7.1 RPM repository for Enterprise Linux 7 – x86_64 disabled
remi-php71-debuginfo/x86_64 Remi's PHP 7.1 RPM repository for Enterprise Linux 7 – x86_64 – debuginfo disabled
remi-php71-test Remi's PHP 7.1 test RPM repository for Enterprise Linux 7 – x86_64 disabled
remi-php71-test-debuginfo/x86_64 Remi's PHP 7.1 test RPM repository for Enterprise Linux 7 – x86_64 – debuginfo disabled
!remi-php72 Remi's PHP 7.2 RPM repository for Enterprise Linux 7 – x86_64 disabled
remi-php72-debuginfo/x86_64 Remi's PHP 7.2 RPM repository for Enterprise Linux 7 – x86_64 – debuginfo disabled
remi-php72-test Remi's PHP 7.2 test RPM repository for Enterprise Linux 7 – x86_64 disabled
remi-php72-test-debuginfo/x86_64 Remi's PHP 7.2 test RPM repository for Enterprise Linux 7 – x86_64 – debuginfo disabled
remi-php73 Remi's PHP 7.3 RPM repository for Enterprise Linux 7 – x86_64 disabled
remi-php73-debuginfo/x86_64 Remi's PHP 7.3 RPM repository for Enterprise Linux 7 – x86_64 – debuginfo disabled
remi-php73-test Remi's PHP 7.3 test RPM repository for Enterprise Linux 7 – x86_64 disabled
remi-php73-test-debuginfo/x86_64 Remi's PHP 7.3 test RPM repository for Enterprise Linux 7 – x86_64 – debuginfo disabled
remi-php74 Remi's PHP 7.4 RPM repository for Enterprise Linux 7 – x86_64 enabled: 423
remi-php74-debuginfo/x86_64 Remi's PHP 7.4 RPM repository for Enterprise Linux 7 – x86_64 – debuginfo disabled
remi-php74-test Remi's PHP 7.4 test RPM repository for Enterprise Linux 7 – x86_64 disabled
remi-php74-test-debuginfo/x86_64 Remi's PHP 7.4 test RPM repository for Enterprise Linux 7 – x86_64 – debuginfo disabled
remi-php80 Remi's PHP 8.0 RPM repository for Enterprise Linux 7 – x86_64 disabled
remi-php80-debuginfo/x86_64 Remi's PHP 8.0 RPM repository for Enterprise Linux 7 – x86_64 – debuginfo disabled
remi-php80-test Remi's PHP 8.0 test RPM repository for Enterprise Linux 7 – x86_64 disabled
remi-php80-test-debuginfo/x86_64 Remi's PHP 8.0 test RPM repository for Enterprise Linux 7 – x86_64 – debuginfo disabled
remi-safe Safe Remi's RPM repository for Enterprise Linux 7 – x86_64 enabled: 4,549
remi-safe-debuginfo/x86_64 Remi's RPM repository for Enterprise Linux 7 – x86_64 – debuginfo disabled
remi-test Remi's test RPM repository for Enterprise Linux 7 – x86_64 disabled
remi-test-debuginfo/x86_64 Remi's test RPM repository for Enterprise Linux 7 – x86_64 – debuginfo disabled
updates/7/x86_64 CentOS-7 – Updates enabled: 2,741
updates-source/7 CentOS-7 – Updates Sources disabled
zabbix/x86_64 Zabbix Official Repository – x86_64 enabled: 178
zabbix-debuginfo/x86_64 Zabbix Official Repository debuginfo – x86_64 disabled
zabbix-frontend/x86_64 Zabbix Official Repository frontend – x86_64 disabled
zabbix-non-supported/x86_64 Zabbix Official Repository non-supported – x86_64 enabled: 5
repolist: 39,364

[root@centos:/etc/yum.repos.d]# yum repolist all|grep -i 'base/7/x86_64'
base/7/x86_64 CentOS-7 – Base enabled: 10,072

As you can see in CentOS 7 sharutils is enabled from default repositories, however this is not the case on Redhat 7.9, hence to install sharutils there you can one time enable RPM repository to install sharutils

[root@centos:/etc/yum.repos.d]# yum –enablerepo=rhel-7-server-optional-rpms install sharutils

To install zabbix-agent on the same Redhat server, without caring that I need precisely know the RPM repository that is providing zabbix agent that in that was (Repo: 3party/7Server/x86_64) I had to:

[root@centos:/etc/yum.repos.d]# yum –enablerepo \* install zabbix-agent zabbix-sender

Permanently enabling repositories of course is possible via editting or creating fresh new file configuration manually on CentOS / Fedora under directory /etc/yum.repos.d/.
On Redhat Enterprise Linux servers it is easier to use the subscription-manager command instead, like this:

[root@rhel:/root]# subscription-manager repos –disable=epel/7Server/x86_64

[root@rhel:/root]# subscription-manager repos –enable=rhel-6-server-optional-rpms

Tags: admin user, configured, enable, Enterprise Linux, external internet, linux?, Listing, MISS, passwordless, proxy, repository, rpm, SAMEORIGIN, servers, SRPMS, variables, yum
Posted in Linux, Linux Package Management | No Comments »

Clean up /var/cache/yum constantly filling file system in CentOS and RHEL Linux

Tuesday, November 3rd, 2020

centos-rhel-yum-clean-var-cache-yum
At work recently we hit one of those common system admin problem on a server installed by some colleagues who have weirdly set a very small /var/cache/yum separate partitioned spaced at only 10Gb on a Redhat Enterprise Linux 7.8 Linux. The OS install guys original thinking was that this machine is to be used just for a very simple cluster and to run a Web Hosting services, a Haproxy Clustered service with PCS + Heartbeat and Corosync, but they did not estimated properly, that redhat comes its own rhnsd and updates gets pushed frequently to the machine and the lack of cleaning up the updated / installed rpms would soon leave the system into a full /var/cache/yum partition.

The gradual increase with time even though with few megabytes each and every month is normal behavior as the cache would increase its size based on the frequency of syncing with the yum server.

On this specific machines besides the rhnsd there is also a spacewalk (Free and Open Source systems management) which usually is installed to orchestrate multiple installed systems to centralize installation updates and monitoring of rpm packages.
spacewalk also has its own way to produce its own files in /var/cache/yum with creating a repository clones of defined repository directories.

1. Clean up /var/cache/yum space with yum

The normal way to clean up space as we all know is then to do something with yum:

[user@rhel ~]$ yum clean
Loaded plugins: fastestmirror, langpacks
Error: clean requires an option: headers, packages, metadata, dbcache, plugins, expire-cache, rpmdb, all
[user@rhel ~]$

Usually to clean up a bit of space and get rid of partition full problem you can do:

[user@rhel ~]# yum clean metadata

This cleans up any xml metadata that may have been cached from any enabled repository.

[user@rhel ~]# yum clean all

This should clean up all rpms and metadata.

In cases where this works you should frequently re-run it on the machine or set it on a cron job to periodically reduce space occupied by useless downloaded .rpms.

2. Delete /var/cache/yum directly

If this does not help to clean up space another approach is to directly delete /var/cache/yum dir and recreate it.
To make sure you don't need any of the data that is already in /var/cache/yum for laters make a backup under some directory with free space first.

[user@rhel ~]# mv /var/cache/yum /home/user/
[user@rhel ~]# rm -rf /var/cache/yum
[user@rhel ~]# yum check-update

3. Disable Automatic RPM Updates

However if yum clean all does not work another approach is to completely disable automated updates, so you don't get surprises with unknown times when automatic update is triggered and /var/cache/yum is filled with stuff by the rhnsd or yum-updatesd.

[user@rhel ~]# service yum-updatesd stop
[user@rhel ~]# chkconfig yum-updatesd off

[user@rhel ~]# service rhnsd stop
[user@rhel ~]# chkconfig rhnsd off

4. Delete cache and rpm downloads right after install

By default yum retains the packages and package data files that it downloads, so that they may be reused in future operations without being downloaded again. This feature can be turned off by modifying the /etc/yum.conf file and changing the option "keepcache" to 0.

[user@rhel ~]$ grep -i keepcache /etc/yum.conf
keepcache=0

keepcache if set to 0, removes packages right after installation.
Setting keepcache=1 tells yum to keep the cache of headers and packages after a successful installation.

Tags: admin, after, again, ALL, and, another, ANY, automated, CentOS, cron job, file, installation, installed, machine, metadata, packages, repository, updates, var, yum
Posted in CentOS, Linux, System Administration | No Comments »

Build and install Docker Squid Open Proxy image on Kubernetes cluster

Tuesday, October 30th, 2018

As Docker containerization is starting to become a standard for installing a brand new servers especially servers who live in Self-Made Clusters based on Orchestration technologites like Kubernetes (k8s) (check out – http://kubernetes.io),

Recently, I've had the task to set-up a Squid Cache (Open Proxy) server on a custom Port number to make it harder for internet open proxy scanners to identify and ship it to a customer.

What is Squid Open Proxy?

An open proxy is a proxy server that is accessible by any Internet user, in other words anyone could access the proxy without any authentication.

Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP and other protocols.
It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages.
Squid has extensive access controls and makes a great server accelerator.
It runs on most available operating systems, including Windows and is licensed under the GNU GPL.

What is Docker?

For those who hear about Docker for a first time, Docker is an open-source software platform to create, deploy and manage virtualized application containers on a common OS such as GNU / Linux or Windows, it has a surrounding ecosystem of tools. Besides its open source version there is also a commercial version of the product by Docker Inc. the original company that developed docker and is today in active help of the project.

Docker components – picture source docker.com

What is Kubernetes?

Kubernetes, in short, is an open source system for managing clusters of containers. To do this, it provides tools for deploying applications, scaling those application as needed, managing changes to existing containerized applications, and helps you optimize the use of the underlying hardware beneath your containers.
Kubernetes is designed to be extensible and fault-tolerant by allowing application components to restart and move across systems as needed.

Kubernetes is itself not a Platform as a Service (PaaS) tool, but it serves as more of a basic framework, allowing users to choose the types of application frameworks, languages, monitoring and logging tools, and other tools of their choice. In this way, Kubernetes can be used as the basis for a complete PaaS to run on top of; this is the architecture chosen by the OpenShift Origin open source project in its latest release.

Kubernetes architecture (shortly explained) – picture source Wikipedia

The Kubernetes project is written in the Google developed Go programming language, and you can browse its source code on GitHub.

Hence, In this article I'll give a brief introuduction on what is Docker and show you, how to easily:

a. Build Docker Image with Ubuntu, Update the system and Install Squid inside the container
using a sample Dockerfile build file

b. Run Docker Image to test deployed Ubuntu Linux and Squid on top of it works fine

c. Push Docker Image to DockerHub (Docker Images Central Official repository)

d. Deploy (Pull and Run) the new built Docker Ubuntu / Squid Open Proxy Image to the Kubernetes Cluster slave nodes – the K8S Cluster was created using Rancher Enterprise Kubernetes Platform (check out Rancher.net – a bleeding edge tool for k8s quick GUI cluster creation / integration)

1. Install Docker Containerization Software Community Edition

Docker containers are similar to virtual machines, except they run as normal processes (containers), that does not use a Hypervisor of Type 1 or Type 2 and consume less resources than VMs and are easier to manage, nomatter what the OS environment is.

Docker uses cgroups and namespace to allow independent containers to run within a single Linux instance.

Docker Architecture – Picture source docker.com

Below docker install instructions are for Debian / Ubuntu Linux, the instructions for RPM package distros Fedora / CentOS / RHEL are very similar except yum or dnf tool is to be used.

a) Uninstall older versions of docker , docker-engine if present

apt-get -y remove docker docker-engine docker.io

! Previously running docker stuff such as Volumes, Images and networks will be preserved in /var/lib/docker/

b) install prerequired packages and add apt repositories for doko

apt-get update
apt-get install -y apt-transport-https ca-certificates wget software-properties-common

wget https://download.docker.com/linux/debian/gpg
apt-key add gpg
rm -f gpg

Create docker.list apt sources file

echo "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable" | sudo tee -a /etc/apt/sources.list.d/docker.list

apt-get update

c) check out the docker policy (will list you a multiple installable versoins of docker).

apt-cache policy docker-ce

docker-ce:
Installed: (none)
Candidate: 17.06.0~ce-0~debian
Version table:
     17.06.0~ce-0~debian 500
        500 https://download.docker.com/linux/debian stretch/stable amd64 Packages
     17.03.2~ce-0~debian-stretch 500
        500 https://download.docker.com/linux/debian stretch/stable amd64 Packages
     17.03.1~ce-0~debian-stretch 500
        500 https://download.docker.com/linux/debian stretch/stable amd64 Packages
     17.03.0~ce-0~debian-stretch 500

d) Install and run docker

apt-get -y install docker-ce
systemctl start docker

systemctl status docker

Previously running docker stuff such as Volumes, Images and networks will be preserved in /var/lib/docker/

2. Build Docker image with Ubuntu Linux OS and Squid inside

To build a docker image all you need to do is have the Dockerfile (which is docker definitions build file), an Official image of Ubuntu Linux OS (that is provided / downloaded from dockerhub repo) and a bunch of docker commands to use apt / apt-get to install the Squid Proxy inside the Docker Virtual Machine Container

In dockerfile it is common to define for use an entrypoint.sh which is file with shell script commands definitions, that gets executed immediately after Docker fetches the OS from its remote repository on top of the newly run OS. It is pretty much like you have configured your own Linux distribution like using Linux from Scratch! to run on a bare-metal (hardware) server and part of the installation OS process you have made the Linux to run a number of scripts or commands during install not part of its regular installation process.

a) Go to https://hub.docker.com/ and create an account for free

The docker account is necessery in order to push the built docker image later on.
Creating the account creates just few minutes time.

b) Create a Dockerfile with definitions for Squid Open Proxy setup

I'll not get into details on the syntax that Dockerfile accepts, as this is well documented on Docker Enterprise Platform official website but in general gettings the basics and starting it is up to a 30 minutes to maximum 1h time.

After playing a bit to achieve the task to have my Linux distribution OS (Ubuntu Xenial) with Squid on installed on top of it with the right configuration of SQUID Cacher to serve as Open Proxy I've ended up with the following Dockerfile.

FROM ubuntu:xenial
LABEL maintainer="hipo@www.pc-freak.net"

ENV SQUID_VERSION=3.5.12-1ubuntu7 \
    SQUID_CACHE_DIR=/var/spool/squid \
    SQUID_LOG_DIR=/var/log/squid \
    SQUID_USER=proxy

RUN apt-get update \
&& apt-get upgrade && apt-get dist-upgrade && DEBIAN_FRONTEND=noninteractive apt-get install -y squid=${SQUID_VERSION}* \
&& rm -rf /var/lib/apt/lists/*

COPY entrypoint.sh /sbin/entrypoint.sh
COPY squid.conf /etc/squid/squid.conf
RUN chmod 755 /sbin/entrypoint.sh

EXPOSE 3128/tcp
ENTRYPOINT [“/sbin/entrypoint.sh”]

You can download the Dockerfile here.

c) Create entrypoint.sh and squid.conf files

Apart from that I've used the following entrypoint.sh (which creates and sets necessery caching and logging directories and launches script on container set-up) permissions for SQUID proxy file that is loaded from the Dockerfile on docker image build time.
To have the right SQUID configuration shipped up into the newly built docker container, it is necessery to prepare a template configuration file – which is pretty much a standard squid.conf file with the following SQUID Proxy configuration for Open Proxy

acl SSL_ports port 443
acl CONNECT method CONNECT

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access allow localhost manager
http_access deny manager

http_access allow localhost

http_access allow all

http_port 3128

coredump_dir /var/spool/squid

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern .               0       20%     4320

Once, I've created, the proper Dockerfile configuration, I've made a tiny shell script, that can create / re-create my docker image multiple times.
Here is the build-docker-image.sh :

#!/bin/sh
username='hipod';
password='';
docker login –username="$username" –password=""
DOCKER_ACC=hipod
#DOCKER_REPO=squid-3.5.12-1ubuntu7
DOCKER_REPO=squid-ubuntu
IMG_TAG=latest

docker build -t $DOCKER_ACC/$DOCKER_REPO:$IMG_TAG .
docker push $DOCKER_ACC/$DOCKER_REPO:$IMG_TAG

– You can download build-docker-image.sh script here

The script uses the docker login command to authenticate non-interactively to https://hub.docker.com
docker build command with properly set DOCKER_ACC (docker account – which is the username of your hub.docker.com account as I've pointed earlier in article), then DOCKER_REPO (docker repository name) – you can get it either from a browser, after you've logged in to dockerhub or assuming you know your username, it should look like:
https://hub.docker.com/u/your-username-name – for example mine is hipod with repository name squid-ubuntu, my squid-ubuntu docker image build is here, you'll also need to provide the password inside the script or if you consider it a security concern, instead type manually from command line docker login and authenticate in advance before running the script, finally the last line docker push pushes to remote docker hub the new build of Ubuntu + SQUID Proxy with a predefined TAG that in my case is latest (as this is my latest build of Squid – if you need a multiple version number of Squid repository just change the tag to the version tag line number.

d) Use the script to build Squid docker image

Next run the script to make and push into docker your new image:

sh build-docker-image.sh

Please consider that in order to work with docker hub push / pull, you will need to have a firewall that allows connection to dockerhub site repo, if for some reason the push / pull fails, check closely your firewall as it is the most likely cause for failure.

3. Run the new docker image to test Squid runs as expected

To make sure the docker image runs properly, you can test it on any machine that has docker.io installed, this is done with a simple cmd:

docker run -d –restart=always -p 3128:3128 hipod/squid-ubuntu:latest

The -d option tells docker to background process / run in detached mode
-p option tells docker to expose port (e.g. make NAT with iptables from the docker virtual container with Linux OS + SQUID listening inside the container on port 3128 to the TCP / IP 3128 server port).
You can use iptables to check the created Network Address Translation rules.

–restart=always option sets the docker restart policy (e.g. when the container is terminating it tells the container to restart the container (OS) after exit), there, you can use as a resetart policy (no, on-failure[:max_retries] , unless-stopped)

For clarity I've created one liner script run-squid.sh you can download here.

sh run-squid.sh

You can use a

ps aux|grep -i docker

root     13169 0.2 0.4 591300 77984 ?        Ssl 13:50   0:09 /usr/bin/dockerd -H fd://
root     13176 0.0 0.2 408244 34972 ?        Ssl 13:50   0:03 docker-containerd –config /var/run/docker/containerd/containerd.toml
root     20875 0.0 0.0 132348   948 pts/1    S+   14:52   0:00 grep -i docker

to see it running as well as the:

docker ps -a

CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                      PORTS               NAMES
d2eb7ab635cf        c5b0f61227cd        "/bin/sh -c 'apt-get…"   12 minutes ago      Exited (1) 3 minutes ago                        trusting_elion
18476f546562        c5b0f61227cd        "/bin/sh -c 'apt-get…"   37 minutes ago      Exited (1) 37 minutes ago                       admiring_wilson

To connect to the running container later you can use docker attach ID_of_container

docker attach d2eb7ab635cf

command to see the new container runs as well as attach to the newly spawned container

**4. Deploying Dockerized SQUID Open Proxy Cache server to Kubernetes cluster**

My task was to deploy the newly built squid doko image to remote K8s cluster which was set as a default cluster via a context in .kube/config/ or manually set via:

kubectl config use-context my.k8s-cluster.net

I've used the following YAML file with kubectl to deploy:

—
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
labels:
    app: squid-app-33128
name: squid-app-33128
spec:
replicas: 1
template:
    metadata:
      labels:
        app: squid-app-33128
    spec:
      containers:
        – name: squid
          image: hipod/squid-ubuntu:latest
          imagePullPolicy: Always
          ports:
          – containerPort: 3128
            protocol: TCP
          volumeMounts:
            – mountPath: /var/spool/squid
              name: squid-cache
            – mountPath: /var/log/squid
              name: squid-log
          livenessProbe:
            tcpSocket:
              port: 3128
            initialDelaySeconds: 40
            timeoutSeconds: 4
      volumes:
        – name: squid-cache
          emptyDir: {}
        – name: squid-log
          emptyDir: {}

The task included to deploy two different Open Proxy squid servers on separate ports in order to add them external cluster Ingress load balancing via Amazon AWS, thus I actually used following 2 yaml files.

1. squid-app-33128.yaml
2. squid-app-33129.yaml

The actual deployment command was like that:

# deploys pods and adds services to kubernetes cluster

kubectl create -f squid-app-33129.yaml -f squid-app-33128.yaml -f squid-service-33129.yaml squid-service-33128.yaml

You can download the 2 squid-service .yaml below:

1. squid-service-33129.yaml
2. squid-service-33128.yaml

The service is externally exposed via later configured LoadBalancer to make the 2 squid servers deployed into k8s cluster accessible from the Internet by anyoneone without authorization (as a normal open proxies) via TCP/IP ports 33128 and 33129.

Conclusion

Below I explained a few easy steps to follow to;

– build docker image Ubuntu + Squid
– test the image
– deploy the image into a previously prepared k8s cluster

Though it all looks quite simplistic I should say creating the .yaml file took me long. Creating system configuration is not as simple as using the good old .conf files and getting used with the identation takes time.

Now once the LB are configured to play with k8s, you can enjoy the 2 proxy servers. If you need to do some similar task and you don't have to do it for a small fee, contact me.

Tags: applications, apt-get, brand, bunch, cause, check, cmd, command, configured, created, Creating, definitions, Docker Open Proxy, Docker Virtual Machine Container, download, file, fine, Install Docker Containerization Software Community Edition, kind, line, liner, make, metadata, NAT, necessery, need, number, properly, pull, repository, running, server port, servers, shell script, simple, Squid Cache Open Proxy, standard, system, tag, task, tcp, top, use, username, website
Posted in Cloud services, Docker, Educational | No Comments »

Non-free packages to install to make Ubuntu Linux Multimedia ready / Post install packages for new Ubuntu installations

Monday, January 23rd, 2012

1. Add Medibuntu package repository

root@ubuntu:~# wget --output-document=/etc/apt/sources.list.d/medibuntu.list \ http://www.medibuntu.org/sources.list.d/$(lsb_release -cs).list \ && apt-get --quiet update \ && apt-get --yes --quiet --allow-unauthenticated install medibuntu-keyring \ && apt-get --quiet update
2. Enable Ubuntu to play Restricted DVD
root@ubuntu:~# apt-get install --yes libdvdread4 ... root@ubuntu:~# /usr/share/doc/libdvdread4/install-css.sh

After that VLC will be ready to play DVDs for some programs which was compiled without DVD, source rebuilt is required.

If DVDs hang you might need to set a Region Code with regionset:

# regionset

3. Install non-free codecs

root@ubuntu:~# apt-get install non-free-codecs

4. Install Chromium ffmpeg nonfree codecs

root@ubuntu:~# apt-get install chromium root@ubuntu:~# apt-get install chromium-codecs-ffmpeg-nonfree

5. Install w32codecs / w64codecs

Depending on the Ubuntu Linux installation architecture 32/64 bit install w32codecs or w64codecs

For 32 bit (x86) Ubuntu install w32codecs:

root@ubuntu:~# apt-get install w32codecs

For 64 bit arch Ubuntu:

root@ubuntu:~# apt-get install w64codecs

6. Install ubuntu-restricted-extras meta package

root@ubuntu:~# apt-get install ubuntu-restricted-extras

7. Install cheese for webcam picture/video snapshotting

root@ubuntu:~# apt-get install cheese

8. Install GIMP, Inkscape, xsane,sane, shotwell etc.

root@ubuntu:~# apt-get --yes install sane xsane gimp inkscape gimp-data-extras gimp-plugin-registry \ blender gcolor2 showtwell bluefish kompozer

9. Install multimedia Sound & Video utilities

Install Subtitle editor, video editiking , sound editing, mp3 player, iso mounters, DVD/CD Burners

root@ubuntu:~# apt-get install rhythmbox banshee smplayer mplayer \ realplayer audacity brasero jokosher istanbuk gtk-recordMyDesktop \acetoneisohexedit furiusisomount winff fala audacious dvdstyler lives hydrogen subtitleeditor gnome-subtitles electricsheep k3b

10. Install CD / DVD RIP tools

root@ubuntu:~# apt-get install acidrip sound-juicer ogmrip thoggen
11. Install chat messanger programs, Browsers, mail pop3 clients, torrent, emulators, ftp clients etc.

apt-get install seamonkey thunderbird transmission transmission-gtk gbgoffice kbedic \ pidgin openoffice.org gxine mozilla-plugin-vlc wine dosbox samba filezilla amsn ntp \epiphany-browser ntpdate desktop-webmail alltray chmsee gftp xchat-gnome ghex \gnome-genius bleachbit arista

12. Install Non-Free Flash Player

Unfortunately Gnash is not yet production ready and crashes in many websites …

root@ubuntu:~# apt-get install flashplugin-nonfree flashplugin-nonfree-extrasound swfdec-gnome

13. Install Archive / Unarchive management programs

root@ubuntu:~# apt-get install unace unrar zip unzip p7zip-full p7zip-rar sharutils rar uudeview \ mpack lha arj cabextract file-roller

15. Install VirtualBox and QEmu

root@ubuntu:~# apt-get install qemu-launcher qemu-kvm-extras virtualbox virtualbox-ose \ virtualbox-ose-guest-dkms virtualbox-ose-guest-dkms

This should be enough to use Ubuntu normally for multimedia Desktop just as MS Windows for most of the daily activities.
Am I missing some important program?

Tags: amp, architecture, audacity, Auto, banshee, bit, blender, bluefish, cd burners, Chromium, Draft, editing, editing mp3, ffmpeg, free codecs, gcolor, inkscape, Install, installation, ISO, libdvdread, Linux, linux multimedia, list, lsb, Medibuntu, meta package, org, output document, package, player, plugin registry, regionset, repository, root, sane, shafter, shotwell, showtwell, smplayer, Sound, sound editing, Sound Video, subtitle editor, sudo, Ubuntu, ubuntu linux, Ubuntu Linux Multimedia, video, video utilities, VirtualBox, VLC, wget, WinFF, x86
Posted in Linux, Linux and FreeBSD Desktop, Linux Audio & Video, System Administration | 4 Comments »

Create SVN (Subversion) web statistics on Debian Lenny Linux with mpy-svn-stats and svnstats.sh

Monday, July 5th, 2010

I’ve recently desired to have a visualized statistics on how many commits, imports, people who commit into subversion’s repositories,graphs showing up the most active comitters, commits into the all subversion repositories grouped by month, week etc.
This kind of valuable information can give you insight, on a projects code life cycle. It can also help you to find out who takes most active participation into a certain project code development etc. and therefore could play a vital role in finding out about the work efficiency within your IT company or IT department.

There are plenty of softwares that can generate you some shiny statistics on how often and by whom are commits into your repositories as well as general statistics concerning your repositories accessibility.

Some of the projects suggested by most Linux users online, who had to resolve the same task e.g. (find some decent software to generate them good statistics on the svn use.) are:

1. statsvn

Here is a description on what statsvn is directly taken from its website:

StatSVN retrieves information from a Subversion repository and generates various tables and charts describing the project development, e.g.

StatSVN looks really promising, however what I find personally repulsive about it is that it depends on a Sun Java virtual machine
I have a bad taste for third party software that depends on java and therefore the software uses an XML dump generated from svn log –xml -v path/to/repos > svn-logfile.xml after which it’s necessary to pass the generated svn-logfile.xml file to statsvn, for instance:

statsvn [options] svn-logfile.xml path/to/repos

though a debian of statsvn is available and packaged for Debian in /usr/share/doc/statsvn/README.Debian we read:

Notes to Debian users:

* the jtreemap-based report has been disabled as jtreemap is currently
not packaged for Debian, and Debian cannot ship the applet without
its sources (not included in statsvn’s sources).

— Vincent Fourmond <fourmond@debian.org>, Tue, 4 Mar 2008 21:14:14 +0100

What I understood from statsvn documentation is that jtreemap is absolutely necessary in order to have a running statsvn, regardless if you have or you don’t have a java vm installed.

To take a general idea on what kind of Repo Roadmap does svnstat generates with jtreemap check out the following link

Since jtreemap is not available prepackaged for Debian I decided not to use svnstats though it looked quite superb.

Some further research on the kind of softwares available online able to generate me some statistics from cvs or subversion source repositories led me to,

2. svnplot

svnplot stroke me with it’s perfect looking many graphics generated on the Lines of Code commited, contribution of different authors to the repository, File count, avarage commit file sizes, common activity, author commit activity etc. etc.

I think tt’s worthy to check out some example statistics about a sample repository statistics generated by svnplot to get a better idea what to expect if you choose to install it on your server.

Even though svnplot looked also promising It wasn’t actually my choice because I think it’s not really mature enough as a software, the second reason which hold me back from installing it on my debian server was that I find it too much as a work in progress still.

Since neither svnstast nor svnplot didn’t well match my expectation and lacked a debian package I finally choose:

3. mpy svn stats as a solution to generate and graph information about svn usage

There are few reasons I finally took svn-mpy-stats to be the solution of choice.

1. It is available as a package in Debian Linux and easily installable via apt-get
2. It is written in Python and therefore doesn’t require a java virtual machine or some extra cosmetics to make it work3. It’s really simple and straight forward to configure and already tested and reported that it works well in Debian GNU/Linux

So here is the few simple steps I took to install mpy-svn-stats on Debian Lenny (in Debian Sid / Squeeze I suppose the procedure would be analogous.

– Install mpy-svn-stats via apt-get or aptitude

debian-server:~# apt-get install mpy-svn-stats

Run it for your svn repository with a command like:

debian-server:~# mkdir /var/www/svnstats /usr/bin/mpy-svn-stats -o /var/www/svnstats/ file:///var/svn-repos/repository_name

In the above command substitute /var/www/svnstats/ and /var/svn-repos/repository_name with a directory of choice where you like to generate the html statistics for the svn usage as well as the full path and name of your repository.

Of course it’s a good idea to make mpy-svn-stats run periodically with for instance crontab or at or any other unix task cheduler available for your Linux system.

So far so good. You have probably already noticed that it’s rather inconvenient because you have to execute mpy-svn-stats command to each of your svn repositories individually.
This is absolute madness if your company is creating new svn source repository projects often, like let’s say everyday, because you will have to generate statistics for each of the repositories either manually or add new repositories manually to a script which will be later invoked by a crontab rule.

To get around this constrain, I’ve come up with a tiny shell script svnstats.sh which takes care for everything on it’s own.

It automatically will loop in your main subversion repositories directory through all the sub-repositories and generate individual html statistics in a separate automatically created directory by the script.

So to make your life easier and automate the process of generating stats with mpy-svn-stats consider downloading svnstats.sh and installing it as a separate rule like so:

debian-server:~# crontab -u root -e

Include therein the following:

# generate svn statistics everyday in 05:20 a.m.20 5 * * * /usr/sbin/svnstats.sh >/dev/null >>&1

Now everyday at 05:20 your mpy-svn-stats will generate a nice graphs and statistics for your subversion repository usage in /var/www/svstats, if you consider generating the data into a different location consider editting the head of mpy-svn-stats svnstats.sh script and change according to your likings.

Now let’s create an Alias in Apache to enable the (mpy-svn-stats generated by svnstats.sh) to be visualized via web:

– Edit VirtualHost configuration file of choice and put there, something like:

Alias /svnstats/ /var/www/svnstats/

Lastly it might be a good idea to use htaccess to protect your url with a password, afterwards you can enjoy your mpy svn statistics.

Tags: avarage, Create SVN (Subversion) web statistics on Debian Lenny Linux with mpy-svn-stats and svnstats.sh, Debian Lenny Linux, general idea, general statistics, repositories, repository, software, svn, work efficiency, www
Posted in Linux, System Administration | 2 Comments »

Debian Linux: Installing and monitoring servers with Icanga (Nagios fork soft)

Monday, June 3rd, 2013

There is plenty of software for monitoring how server performs and whether servers are correctly up and running. There is probably no Debian Linux admin who didn't already worked or at least tried Nagios and Mointor to monitor and notify whether server is unreachable or how server services operate. Nagios and Munin are play well together to prevent possible upcoming problems with Web / Db / E-mail services or get notify whether they are completely inaccessible. One similar "next-generation" and less known software is Icanga.
The reason, why to use Icinga instead of Nagios is more features a list of what does Icinga supports more than Nagios is on its site here
I recently heard of it and decided to try it myself. To try Icanga I followed Icanga's install tutorial on Wiki.Icanga.Org here
In Debian Wheezy, Icinga is already part of official repositories so installing it like in Squeeze and Lenny does not require use of external Debian BackPorts repositories.

1. Install Icinga pre-requirement packages

debian:# apt-get --yes install php5 php5-cli php-pear php5-xmlrpc php5-xsl php5-gd php5-ldap php5-mysql

2. Install Icanga-web package

debian:~# apt-get --yes install icinga-web

Here you will be prompted a number of times to answer few dialog questions important for security, as well as fill in MySQL server root user / password as well as SQL password that will icinga_web mySQL user use.

icinga-choosing-database-type

configuring-icinga-web-debian-linux-configuring-database-shot

debian-config-screenshot-configuring-icinga-idoutils

icinga-password-confirmation-debian-linux
….

Setting up icinga-idoutils (1.7.1-6) …
dbconfig-common: writing config to /etc/dbconfig-common/icinga-idoutils.conf
granting access to database icinga for icinga-idoutils@localhost: success.
verifying access for icinga-idoutils@localhost: success.
creating database icinga: success.
verifying database icinga exists: success.
populating database via sql… done.
dbconfig-common: flushing administrative password
Setting up icinga-web (1.7.1+dfsg2-6) …
dbconfig-common: writing config to /etc/dbconfig-common/icinga-web.conf

Creating config file /etc/dbconfig-common/icinga-web.conf with new version
granting access to database icinga_web for icinga_web@localhost: success.
verifying access for icinga_web@localhost: success.
creating database icinga_web: success.
verifying database icinga_web exists: success.
populating database via sql… done.
dbconfig-common: flushing administrative password

Creating config file /etc/icinga-web/conf.d/database-web.xml with new version
database config successful: /etc/icinga-web/conf.d/database-web.xml

Creating config file /etc/icinga-web/conf.d/database-ido.xml with new version
database config successful: /etc/icinga-web/conf.d/database-ido.xml
enabling config for webserver apache2…
Enabling module rewrite.
To activate the new configuration, you need to run:
service apache2 restart
`/etc/apache2/conf.d/icinga-web.conf' -> `../../icinga-web/apache2.conf'
[ ok ] Reloading web server config: apache2 not running.
root password updates successfully!
Basedir: /usr Cachedir: /var/cache/icinga-web
Cache already purged!

3. Enable Apache mod_rewrite

debian:~# a2enmod rewrite

debian:~# /etc/init.d/apache2 restart

4. Icinga documentation files

Some key hints on Enabling some more nice Icinga features are mentioned in Icinga README files, check out, all docs files included with Icinga separate packs are into:

debian:~# ls -ld *icinga*/ drwxr-xr-x 3 root root 4096 Jun 3 10:48 icinga-common/ drwxr-xr-x 3 root root 4096 Jun 3 10:48 icinga-core/ drwxr-xr-x 3 root root 4096 Jun 3 10:48 icinga-idoutils/ drwxr-xr-x 2 root root 4096 Jun 3 10:48 icinga-web/

debian:~# less /usr/share/doc/icinga-web/README.Debian debian:~# less /usr/share/doc/icinga-idoutils/README.Debian

5. Configuring Icinga

Icinga configurations are separated in two directories:

debian:~# ls -ld *icinga*

drwxr-xr-x 4 root root 4096 Jun 3 10:50 icinga
drwxr-xr-x 3 root root 4096 Jun 3 11:07 icinga-web

etc/icinga/ – (contains configurations files for on exact icinga backend server behavior)

/etc/icinga-web – (contains all kind of Icinga Apache configurations)
Main configuration worthy to look in after install is /etc/icinga/icinga.cfg.

6. Accessing newly installed Icinga via web

To access just installed Icinga, open in browser URL – htp://localhost/icinga-web

icinga web login screen in browser debian gnu linux

logged in inside Icinga / Icinga web view and control frontend

7. Monitoring host services with Icinga (NRPE)

As fork of Nagios. Icinga has similar modular architecture and uses number of external plugins to Monitor external host services list of existing plugins is on Icinga's wiki here.
Just like Nagios Icinga supports NRPE protocol (Nagios Remote Plugin Executor). To setup NRPE, nrpe plugin from nagios is used (nagios-nrpe-server).

To install NRPE on any of the nodes to be tracked;
debian: ~# apt-get install –yes nagios-nrpe-server
…

Then to configure NRPE edit /etc/nagios/nrpe_local.cfg

Once NRPE is supported in Icinga, you can install on Windows or Linux hosts NRPE clients like in Nagios to report on server processes state and easily monitor if server disk space / load or service is in critical state.

Tags: apache, apache2, debian linux, Debian Linux Installing, e mail services, Icanga Nagios, known software, Linux, Monitoring, new software, NRPE, php pear, repo, repositories, repository, root password, root root, server root, server services, servers, squeeze, version, web package, xml
Posted in Everyday Life, Linux, Monitoring, System Administration, Various | 1 Comment »

How to install Google Chrome web browser on Debian 7 Wheezy Linux

Wednesday, September 4th, 2013

Just installed Debian 7 Linux and wondered how to install Google Chrome Browser on Debian Wheezy. It took me a while until I figure it out, as direct download from Google after searching for Chrome Linux had library requirements which are missing from Debian 7 Wheezy repositories.
Here is how;

1. Add Wheezy Backports and Google's Chrome Repository to /etc/apt/sources.list

echo 'deb http://ftp.debian.org/debian/ wheezy-backports main contrib non-free' >> /etc/apt/sources.list echo 'deb http://dl.google.com/linux/chrome/deb/ stable main' >> /etc/apt/sources.list

2. Install Google Chrome with apt-get

Here you have few options install Google Chrome Beta (whether you prefer you're an innovator), install unstable – if you prefer latest functionality and don't count on stability or install stable version.

a) Install Google Chrome Beta
apt-get install --yes google-chrome-beta
b) Install Google Chrome Unstable

apt-get install --yes google-chrome-unstable
c) Install Google Stable
apt-get install --yes google-chrome-stable
I personally prefer always to keep stable so prefer to install google-chrome-stable.

Only reason I need Google-Chrome is for testing how websites looks with it. Otherwise I don't recommend this browser to anyone who cares for his security. Obviously as Chrome is product of Google it is almost certainly it keeps complete surveillance on what you do on the net.

That's all happy web development with Chrome on Debian 🙂

Tags: beta, functionality, google, happy web, innovator, library requirements, Linux, repositories, repository, stable version, surveillance, web browser
Posted in Linux, Linux and FreeBSD Desktop, Various | No Comments »

How to install / update Wine windows emulator 1.4 on Debian Squeeze Linux

Monday, April 29th, 2013

Debian Squeeze Linux depending on RC release comes with a Version of WINE Windows emulator 0.9.8 or wine 1.0.1-3.1. This wine version is very out of date already and many of the new win software working well with newer wine releases doesn't work. We all know the down-side of Debian stable releases you always stay a bit outdated.

Thanksfully there is an easy way to upgrade to newer wine version and hence have more Windows software properly running on Squeeze. To do so you need to add custom following wine custom deb repository:

deb http://main.mepis-deb.org/mepiscr/repo/ mepis85cr main

i.e.

debian:~# echo 'deb http://main.mepis-deb.org/mepiscr/repo/ mepis85cr main' >> /etc/apt/sources.list

Then update wine with apt-get:

debian:~# apt-get update .... debian:~# apt-get --yes install wine .... The following NEW packages will be installed: fonts-droid ttf-droid ttf-umefont ttf-unfonts-core wine-gecko The following packages will be upgraded: wine 1 upgraded, 5 newly installed, 10 to remove and 86 not upgraded. Need to get 135 MB of archives.

debian:~# dpkg -l |grep -i wine

rc libwine 1.0.1-3.1 Windows API implementation – library
ii playonlinux 3.7.6-1 front-end for Wine
ii wine 1.4-1mcr8.5+1 Windows Compatibility Layer (Binary Emulator and Library)
rc wine-bin 1.0.1-3.1 Windows API implementation – binary loader
ii wine-gecko 1.4.0-1mcr85+2 Microsoft Windows
Compatibility Layer (Web Browser)

That's all enjoy 🙂

Tags: dpkg, gecko, implementation library, Linux, mepis, Microsoft, microsoft windows, repository, squeeze, stable releases, win software, windows compatibility, windows software, wine releases, wine windows
Posted in Linux, System Administration, Wine - Windows Emulation | 1 Comment »

Install latest WINE – Win Emulator unstable version on Debian stable Linux

Saturday, April 27th, 2013

wine emulator logo install wine on Debian GNU / Linux

Installing latest stable version of wine is only possible and safe via deb repository on 32 bit Debian archtecture.

Whether not sure about your Debian architecture run:

linux:~# dpkg --add-architecture i386 To install latest unstable version of wine which though unstable is often much useful to its stable predecessors add wine-unstable repository linux:~# wget -q -O- http://www.tataranovich.com/tataranovich.asc | apt-key add -

Finally install / update (whether installed) with:

linux:~# apt-get update linux:~# apt-get --yes install wine-unstable:i386

Enjoy ! 🙂

Tags: architecture, latest stable version, Linux, predecessors, repository, unstable version, wine
Posted in Everyday Life, Linux, Wine - Windows Emulation | No Comments »

☩ Walking in Light with Christ – Faith, Computing, Diary

Posts Tagged ‘repository’

Build and install Docker Squid Open Proxy image on Kubernetes cluster

1. Install Docker Containerization Software Community Edition

2. Build Docker image with Ubuntu Linux OS and Squid inside

3. Run the new docker image to test Squid runs as expected

**4. Deploying Dockerized SQUID Open Proxy Cache server to Kubernetes cluster**

Conclusion

Daily Bible quote

GET ARTICLE UPDATES

Useful blog? Help it:

Links to Other Places

Recent Posts

Ads

Categories

About Myself

Recent Comments

Top Post Views

blogtopsites