Failover and Load Balancing using HAProxy

HAProxy is an open source proxy used to provide high availability and load balancing for web applications. It was designed for high-load sites, so it is fast and predictable; it is built around a single-process, event-driven model.

In this post I’ll describe a sample HAProxy setup: users’ requests are load balanced between two web servers, Web1 and Web2. If one of them goes down, all requests are served by the surviving server, and once the dead server recovers, load balancing resumes. See the topology diagram below.
(Figure: HAProxy sample topology)

Installation

HAProxy is included in the repositories of the major Linux distributions, so if you’re using CentOS, Red Hat or Fedora, type the following command:

yum install haproxy

If you’re an Ubuntu, Debian or Linux Mint user, use this one instead:

apt-get install haproxy

Configuration

As soon as HAProxy is installed it’s time to edit its configuration file, usually located at /etc/haproxy/haproxy.cfg. The official documentation for HAProxy 1.4 (the stable branch at the time of writing) is here.

Here is the configuration file that implements the setup shown in the diagram and described above:

global
user daemon
group daemon
daemon
log 127.0.0.1 daemon
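The following is an added example, not the post’s own configuration: a shell script that writes a complete haproxy.cfg for the Web1/Web2 failover scenario described above and runs a small sanity check on it before you reload. The two things the check enforces are what actually make failover work and keep the proxy from leaking information: every backend server line must carry ‘check’ (without active health checks HAProxy keeps sending traffic to a dead server), and an enabled stats page must be password protected. The backend addresses 10.0.0.11/10.0.0.12, the ‘haproxy’ system user and the stats port 8404 are assumptions for the example.

```sh
#!/bin/sh
# Added example: a complete haproxy.cfg for the Web1/Web2 failover setup plus a
# pre-reload sanity check. Assumed (not from the post): backends at 10.0.0.11
# and 10.0.0.12 on port 80, a 'haproxy' system user, stats on 127.0.0.1:8404.

# write_haproxy_cfg FILE: write the configuration to FILE.
write_haproxy_cfg() {
  cat >"$1" <<'EOF'
global
    user haproxy
    group haproxy
    daemon
    log 127.0.0.1 local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend www
    bind *:80
    default_backend web_pool

backend web_pool
    balance roundrobin
    # Active health checks are what make failover happen: a server that fails
    # 3 consecutive checks is taken out of rotation and returns after 2 good ones.
    option httpchk GET /
    server web1 10.0.0.11:80 check inter 2s fall 3 rise 2
    server web2 10.0.0.12:80 check inter 2s fall 3 rise 2

# Stats page: loopback only and password protected. It reveals backend
# addresses and lets an authenticated user take servers out of rotation.
listen stats
    bind 127.0.0.1:8404
    stats enable
    stats uri /
    stats auth admin:CHANGEME
EOF
}

# check_haproxy_cfg FILE: 0 when every 'server' line has 'check' and an enabled
# stats page has 'stats auth'; 1 (with a reason on stderr) otherwise.
check_haproxy_cfg() {
  cfg="$1"
  if grep -E '^[[:space:]]*server[[:space:]]' "$cfg" |
     grep -vqE '[[:space:]]check([[:space:]]|$)'; then
    echo "$cfg: a server line has no 'check' option, so it can never fail over" >&2
    return 1
  fi
  if grep -qE '^[[:space:]]*stats[[:space:]]+enable' "$cfg" &&
     ! grep -qE '^[[:space:]]*stats[[:space:]]+auth[[:space:]]' "$cfg"; then
    echo "$cfg: stats page enabled without 'stats auth'" >&2
    return 1
  fi
  return 0
}
```

Replace the CHANGEME password, then run haproxy -c -f /etc/haproxy/haproxy.cfg (HAProxy’s own syntax check) before reloading the service; the script above only checks the two policy points, not the syntax.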


Grub Fallback: Boot good kernel if new one crashes

It’s hard to believe, but I didn’t know about the Grub fallback feature. So every time I needed to reboot a remote server into a new kernel I had to test it on a local server first to make sure it wouldn’t panic on the remote machine. And if a kernel panic happened anyway, I had to ask somebody with physical access to the server to reboot the hardware and choose the right kernel in Grub. That is tedious and unhealthy; it’s much better to use Grub’s native fallback feature.

Grub is the default boot loader in most Linux distributions today; at least the major ones (CentOS/Fedora/Red Hat, Debian/Ubuntu/Mint, Arch) use Grub, so the fallback feature is available out of the box. Note that the configuration below is for GRUB legacy (the 0.9x series, grub.conf with ‘title’ entries); GRUB 2 uses a different configuration format. Here is an example scenario.

Suppose a remote server is hosted in New Zealand and you (sitting in Denmark) can reach it only over the network (no console server). In this case you cannot afford a new kernel making the server unreachable: if the new kernel crashes during boot it never brings up the network interface drivers, so your Linux box won’t come back online until somebody reboots it into a working kernel. Thankfully Grub can be configured to try loading the new kernel once and, if it fails, load another kernel according to the configuration. My example grub.conf is below:

default=saved
timeout=5
splashimage=(hd0,1)/boot/grub/splash.xpm.gz
hiddenmenu
fallback 0 1
title Fedora OpenVZ (2.6.32-042stab053.5)
root (hd0,1)
kernel /boot/vmlinuz-2.6.32-042stab053.5 ro root=UUID=6fbdddf9-307c-49eb-83f5-ca1a4a63f584 rd_MD_UUID=1b9dc11a:d5a084b5:83f6d993:3366bbe4 rd_NO_LUKS rd_NO_LVM rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYTABLE=sv-latin1 rhgb quiet crashkernel=auto
initrd /boot/initramfs-2.6.32-042stab053.5.img
savedefault fallback
title Fedora (2.6.35.12-88.fc14.i686)
root (hd0,1)
kernel /boot/vmlinuz-2.6.35.12-88.fc14.i686 ro root=UUID=6fbdddf9-307c-49eb-83f5-ca1a4a63f584 rd_MD_UUID=1b9dc11a:d5a084b5:83f6d993:3366bbe4 rd_NO_LUKS rd_NO_LVM rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYTABLE=sv-latin1 rhgb quiet
initrd /boot/initramfs-2.6.35.12-88.fc14.i686.img
savedefault fallback

According to this configuration Grub will try to load the ‘Fedora OpenVZ’ kernel once and, if it fails, the system will boot the known-good ‘Fedora’ kernel. If ‘Fedora OpenVZ’ boots fine you’ll be able to reach the server over the network after the reboot. Notice the lines ‘default=saved’ and ‘savedefault fallback’, which are mandatory for the fallback feature to work. The mechanism is simple: when entry 0 is booted, ‘savedefault fallback’ records the fallback entry (1) as the new saved default before the kernel is even loaded, so the next boot goes to the good kernel unless something resets the default. After the new kernel has booted successfully you therefore have to restore the saved default (e.g. with grub-set-default 0 where your distribution ships it), or the server will silently go back to the old kernel on the following reboot. Two limits to keep in mind: the machine must actually reboot for the fallback to take effect (by default a panicked kernel just halts, so combine this with the ‘panic=’ parameter described below, or a hardware watchdog or remote power control for a kernel that hangs), and Grub cannot detect a kernel that boots but comes up without working networking.
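Before rebooting a box you cannot reach by console, it is worth checking that the fallback layout above is actually complete. The following is an added example, not part of the original post: a POSIX shell function that audits a GRUB legacy grub.conf for the three things the setup depends on (‘default=saved’, a ‘fallback’ line pointing at an existing entry, and ‘savedefault fallback’ in entry 0) and additionally verifies that the fallback entry’s kernel and initrd files are really on disk, since a fallback to a kernel that was removed by a package upgrade is no fallback at all. It assumes that every entry uses the same ‘root (hdX,Y)’ partition and that this partition is mounted at the directory passed as the second argument (/ when /boot is not a separate filesystem).

```sh
#!/bin/sh
# Added example (not from the post): audit a GRUB legacy grub.conf before a
# remote reboot so the "try the new kernel once" setup has somewhere to fall
# back to. Assumed: all entries use the same 'root (hdX,Y)' partition, mounted
# at the directory given as $2 (e.g. / when /boot is not a separate filesystem).

# grub_fallback_audit CONF MOUNTPOINT: 0 if the layout is sane, 1 with a reason.
grub_fallback_audit() {
  conf="$1"; mnt="$2"

  grep -qE '^[[:space:]]*default[[:space:]]*=?[[:space:]]*saved' "$conf" ||
    { echo "default=saved is missing" >&2; return 1; }

  # Last entry number listed on the 'fallback' line is the final fallback.
  fb=$(awk '$1 == "fallback" { print $NF; exit }' "$conf")
  [ -n "$fb" ] || { echo "no fallback line" >&2; return 1; }

  n=$(grep -cE '^[[:space:]]*title' "$conf")
  [ "$fb" -lt "$n" ] 2>/dev/null ||
    { echo "fallback entry $fb does not exist (only $n entries)" >&2; return 1; }

  # Entry 0 must hand the saved default over to the fallback on its one attempt.
  awk 'BEGIN { i = -1 }
       /^[[:space:]]*title/ { i++ }
       i == 0 && $1 == "savedefault" && $2 == "fallback" { ok = 1 }
       END { exit ok ? 0 : 1 }' "$conf" ||
    { echo "entry 0 lacks 'savedefault fallback'" >&2; return 1; }

  # A fallback entry whose kernel or initrd is not on disk cannot save you.
  awk -v e="$fb" 'BEGIN { i = -1 }
       /^[[:space:]]*title/ { i++ }
       i == e && ($1 == "kernel" || $1 == "initrd") { print $2 }' "$conf" |
  while read -r path; do
    [ -f "$mnt$path" ] ||
      { echo "fallback entry $fb references missing $mnt$path" >&2; exit 1; }
  done
}
```

Run it as root with the real paths, e.g. grub_fallback_audit /boot/grub/grub.conf / (or /boot as the second argument when /boot is its own partition and the kernel lines are written relative to it), and only reboot when it returns 0.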

Alternative way

The native Grub fallback feature reportedly works incorrectly on RHEL 5 (and CentOS 5), so here is an elegant workaround (found here):

1. Add the parameter ‘panic=5’ to the kernel line of your new kernel so it looks like this:

title Fedora OpenVZ (2.6.32-042stab053.5)
root (hd0,1)
kernel /boot/vmlinuz-2.6.32-042stab053.5 ro root=UUID=6fbdddf9-307c-49eb-83f5-ca1a4a63f584 rd_MD_UUID=1b9dc11a:d5a084b5:83f6d993:3366bbe4 rd_NO_LUKS rd_NO_LVM rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYTABLE=sv-latin1 rhgb quiet crashkernel=auto panic=5
initrd /boot/initramfs-2.6.32-042stab053.5.img

This parameter makes the kernel reboot the machine 5 seconds after a panic. It does nothing for a kernel that hangs without panicking (that needs a hardware watchdog or remote power control), nor for a kernel that boots but has no working network.

2. Point Grub’s ‘default’ parameter at the good kernel, e.g. ‘default=0’.

3. Type in the following commands (the good kernel is the first entry in grub.conf and the new kernel the second):

# grub


Attach ISO image stored in XenServer local storage

Citrix XenServer is a powerful hypervisor based on Linux (the Red Hat/CentOS/Fedora family) that competes with VMware ESXi and offers a wide range of virtualization features for data centers. Typically you do a bare-metal installation of XenServer on your hardware server and create multiple virtual machines (VMs) inside the XenServer host. Obviously you need a way to boot a VM from a DVD-ROM to start installing, say, Linux Mint. You can do it with the host’s hardware DVD-ROM drive, or attach an ISO image and make the VM boot from it.

By default XenServer can attach ISO images and make them available to VMs only if the ISOs are stored on a separate NFS server. In this post you’ll see how to avoid creating an NFS share and attach an ISO image stored locally on the XenServer host.

1. Connect to the XenServer host’s SSH service on its management interface as root (you will be asked for the root password):

ssh root@192.168.1.99 -v

where 192.168.1.99 is the IP address of the XenServer host.

2. Create the directory where you will store ISO images, then leave the SSH session:

mkdir /var/opt/xen/iso_import/ISO1
exit

3. Copy the ISO images to the newly created directory. I assume my readers are Linux users, so you can use the command below to transfer files over SSH. By the way, the command is the same on OS X:

scp Downloads/your_image.iso root@192.168.1.99:/var/opt/xen/iso_import/ISO1

4. Make the local ISO library available to VMs. This command runs on the XenServer host, so reconnect over SSH first:

xe sr-create name-label=ISO1 type=iso \
device-config:location=/var/opt/xen/iso_import/ISO1 \
device-config:legacy_mode=true content-type=iso

5. Make sure the ISO1 library is attached to XenServer:

xe vdi-list

If it succeeded you’ll see something like this in the output:

uuid ( RO)                : 025c79f8-02dc-4950-8da5-d60f4675ca77
          name-label ( RW): your_image.iso
    name-description ( RW):
             sr-uuid ( RO): 3caefbd6-8683-cc4b-e642-e3540d0fe13e
        virtual-size ( RO): 168099840
            sharable ( RO): false
           read-only ( RO): true

That’s it; the new ISO library appears in XenCenter after this step:

(Screenshot: XenServer)

WARNING: When copying ISO images to XenServer’s local filesystem keep an eye on free disk space. XenServer allocates only a few gigabytes to the hypervisor’s own root filesystem, so three or four ISO images can fill it completely and cause problems for the systems running in the VMs. Use ‘df -h /’ to check the free space in the root filesystem.
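Rather than remembering to run df by hand, the copy in step 3 can be guarded. The following is an added example, not from the original post: a shell script that asks the XenServer host for the free space on the filesystem holding the ISO directory, adds up the size of the local ISO files, and refuses to scp them unless a safety margin would remain. The host address and directory are the ones used in the post; the 1 GB margin (RESERVE_MB) and root SSH access are assumptions of the example.

```sh
#!/bin/sh
# Added example (not from the post): check that a batch of ISO images fits on the
# XenServer host's root filesystem, with a safety margin, before running scp.
# Assumed: the host and library path from the post, root SSH access, and a
# made-up 1 GB margin.

XEN_HOST=192.168.1.99
ISO_DIR=/var/opt/xen/iso_import/ISO1
RESERVE_MB=1024

# remote_free_kb HOST DIR: free kilobytes on the filesystem holding DIR on HOST.
# df -P has a fixed column layout, so the awk field is stable across systems.
remote_free_kb() { ssh "root@$1" df -Pk "$2" | awk 'NR == 2 { print $4 }'; }

# iso_fits AVAIL_KB RESERVE_MB FILE...: 0 if the files fit into AVAIL_KB while
# leaving RESERVE_MB free, 1 (with a reason on stderr) otherwise.
iso_fits() {
  avail_kb="$1"; reserve_mb="$2"; shift 2
  need_kb=0
  for f in "$@"; do
    [ -f "$f" ] || { echo "$f: not a regular file" >&2; return 1; }
    size=$(wc -c <"$f")                       # bytes; portable unlike stat(1)
    need_kb=$(( need_kb + (size + 1023) / 1024 ))
  done
  left_kb=$(( avail_kb - need_kb - reserve_mb * 1024 ))
  if [ "$left_kb" -lt 0 ]; then
    echo "refusing: ${need_kb} KB of ISOs would leave less than ${reserve_mb} MB free" >&2
    return 1
  fi
  echo "ok: ${need_kb} KB needed, ${avail_kb} KB available"
}

# copy_isos FILE...: step 3 of the post, guarded by the space check.
copy_isos() {
  iso_fits "$(remote_free_kb "$XEN_HOST" "$ISO_DIR")" "$RESERVE_MB" "$@" &&
    scp "$@" "root@$XEN_HOST:$ISO_DIR/"
}
```

Usage from the workstation: copy_isos ~/Downloads/linuxmint.iso ~/Downloads/centos.iso. For step 5, xe vdi-list accepts filters, so xe vdi-list name-label=your_image.iso shows only the image you just added instead of every VDI on the host.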



How to generate strong passwords in linux

How many times have you agonized over creating a strong password for an account? Be it an email account, a server login, SSH or anything else that requires authentication. Usually people create passwords that are easy to remember. But for database accounts, SSH accounts and other sensitive accounts you need a password strong enough to resist the password-cracking tools attackers use (offline guessing against a stolen hash, or online brute force). Coming up with such a password by hand can drive you mad, so you want something that generates a strong password automatically and, ideally, one that is still easy to remember.

Say hello to APG.

It stands for Automated Password Generator, and as the name suggests it generates random passwords. APG has two generation algorithms: the Pronounceable Password Generation Algorithm (the default) and the Random Character Password Generation Algorithm. The first generates passwords that are easier to remember because it prints a pronunciation hint alongside each one; the second generates fully random character strings. For a given length the random ones are stronger, because the pronounceable generator only picks from syllables that can be spoken and so has far fewer possibilities per character.

Installing APG

APG is packaged for most *NIX operating systems. In this tutorial I will show how to install it on Ubuntu / Debian and Fedora / CentOS.

In Ubuntu:

In your terminal –

sudo apt-get install apg

In Fedora:

yum install apg

Using APG

Using APG is really simple. Let’s begin with the default: pronounceable passwords that are easy to remember. APG generates 6 passwords, seeding its generator with the random keyboard input you provide.

In your terminal,

apg

APG will then prompt you for some random input to seed the generator (e.g. ‘I like noob2geek.com’). Note that the passwords are random no matter how many times you type the same input, so you won’t get the same passwords twice. As you can see from the text in brackets, each one comes with a pronunciation hint to help you remember it.

OkBazCag4 (Ok-Baz-Cag-FOUR)
TabOgUt6 (Tab-Og-Ut-SIX)
novtarsEst7 (nov-tars-Est-SEVEN)
bowebcojCal5 (bow-eb-coj-Cal-FIVE)
AbrIbgan2 (Abr-Ib-gan-TWO)
eikkotVis0 (eik-kot-Vis-ZERO)

To generate random passwords that are not pronounceable, use the -a 1 option, where -a selects the algorithm and 1 selects random mode.

apg -a 1

This does not ask for any random keyboard input.

%l?b`m^,
OS6}C>kwZn
RI9]VZ.Hk
/1}mYh5)
[>b/s~1:Y
'*aST9"bZ

And finally, to create a password that is really strong, really long (here 63 characters) and really hard to break, combine a few more options: -s asks you for a random seed, -m 63 sets the minimum length to 63 characters and -n 4 produces 4 passwords.

apg -s -a 1 -m 63 -n 4

This prompts you for some random input; you can just hit ENTER to get the passwords.

}_B^kA#!c[g*8utG8"3S|2aHfP(~I_n|r8KEn"Uxq,[wtoSDYNx{K,0q:cXD619
lkSPcTbsP:>_AfQQP-gM)pI"6LXp-8}E0S*B[@jCY(6.X0j]%^9H`NN8e,,X&TH
bG05%ZF4n*ayxl-Rj5~6tV~zqPk6>d+c]_WCS4&sr7Eeq7!n?M2LpXUqjl7/[P.
B^U&@EqJpke6y`h7J?,CK#'Q!%u-`NkwDg5.Wm3ny@rYlii,>%Y0'+'g>!lki8i

These are really hard to remember; if you can, you must be supernatural. To see all APG options, type man apg in your terminal.
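To make the “really strong” claim concrete, here is an added example that is not part of the post and not apg’s own code: a POSIX shell generator in the spirit of apg -a 1, drawing characters from /dev/urandom, together with the arithmetic that tells you how many bits of entropy a given length buys. The alphabet leaves out quotes, backslash, backtick, brackets and the hyphen, which apg’s random mode does emit (see the ‘ and " in the output above) and which are the characters most likely to break copy-and-paste, shell quoting or a config file parser; that is a design choice of the example, not an apg option.

```sh
#!/bin/sh
# Added example (not from the post, not apg's code): a /dev/urandom password
# generator like 'apg -a 1', plus the entropy calculation for a given length.

# Alphabet: printable ASCII minus space, quotes, backslash, backtick, brackets
# and hyphen (the characters most likely to break copy-paste or quoting).
# Those are also the only characters tr(1) would treat specially.
PW_ALPHABET='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%&()*+,./:;<=>?@^_{|}~'
PW_ALPHABET_SIZE=$(( $(printf '%s' "$PW_ALPHABET" | wc -c) + 0 ))   # 87

# gen_password [LENGTH]: LENGTH characters (default 20) from /dev/urandom.
# 'tr -dc' drops every byte outside the alphabet and keeps the rest, so each
# kept byte is uniform over the alphabet: rejection sampling, no modulo bias
# of the kind "$RANDOM % size" would introduce.
gen_password() {
  LC_ALL=C tr -dc "$PW_ALPHABET" </dev/urandom | head -c "${1:-20}"
  echo
}

# entropy_bits LENGTH ALPHABET_SIZE: bits of entropy of a uniformly random
# password of that length, LENGTH * log2(ALPHABET_SIZE), to one decimal place.
# Only valid for uniformly random output; a pronounceable password of the same
# length has far less, because only speakable syllables are ever chosen.
entropy_bits() {
  awk -v n="$1" -v s="$2" 'BEGIN { printf "%.1f\n", n * log(s) / log(2) }'
}
```

For example entropy_bits 63 94 (apg’s 63-character random passwords over all 94 printable non-space ASCII characters) gives about 413 bits, while entropy_bits 8 87 gives about 52 bits for an 8-character password from the alphabet above; the latter is within reach of an offline cracking rig against a fast hash, which is why length matters more than which punctuation you include.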


How to install and configure vsftpd

This tutorial covers setting up a vsftpd server on your Linux-based VPS or dedicated server. vsftpd stands for “Very Secure FTP Daemon”; it is not just security-focused, as the name suggests, but also fast and light on memory. The tutorial also shows how to configure it by adding FTP users and locking each user into their own directory.

You can install vsftpd on Ubuntu / Debian, CentOS /Fedora and RHEL linux.

Installing vsftpd on Ubuntu or Debian

sudo apt-get install vsftpd

Installing vsftpd on CentOS / Fedora

yum install vsftpd

How to configure vsftpd:

Now that you’ve installed vsftpd, follow this procedure to configure it. The steps apply to both distribution families.

Before you get started, stop vsftpd:

service vsftpd stop

Edit vsftpd.conf

In Ubuntu / Debian:

vi /etc/vsftpd.conf

In Red Hat / CentOS

vi /etc/vsftpd/vsftpd.conf

Make the following changes:

We don’t want anonymous logins:

anonymous_enable=NO

Enable local users:

local_enable=YES

The FTP user should be able to write data:

write_enable=YES

Turn off the use of port 20 as the source port of active-mode data connections. Without it vsftpd no longer needs the privilege to bind a port below 1024 for data transfers, so it can run with less privilege:

connect_from_port_20=NO

Chroot every local user into their home directory:

chroot_local_user=YES

Set the umask to 022 so that uploaded files (644) and directories (755) get the proper permissions:

local_umask=022

Now that the basic configuration is complete, let’s lock a directory down to a single user. Create the user with that directory as their home and no login shell (on CentOS / Fedora the nologin binary lives at /sbin/nologin):

sudo useradd -d /var/www/path/to/your/dir -s /usr/sbin/nologin ftpuser

Setup a password for the user:

sudo passwd ftpuser

To let ftpuser read and write data in their home directory, take ownership and change the permissions. Caveat: vsftpd 2.3.5 and later refuse to log a user in when the root of their chroot is writable by that user (the session ends with ‘500 OOPS: vsftpd: refusing to run with writable root inside chroot()’), so on such versions the chown/chmod below combined with chroot_local_user=YES breaks logins. There, keep the home directory owned by root with mode 755 and give the user a writable subdirectory for uploads instead; do not reach for allow_writeable_chroot=YES, which switches the protection off.

sudo chown -R ftpuser /var/www/path/to/your/dir
sudo chmod 775 /var/www/path/to/your/dir

Create userlist file and add the user:

Ubuntu / Debian:
vi /etc/vsftpd.userlist

CentOS / Fedora

vi /etc/vsftpd/vsftpd.userlist

and add the user:

ftpuser

Save the file and open vsftpd.conf again (on CentOS / Fedora it is /etc/vsftpd/vsftpd.conf):

vi /etc/vsftpd.conf

Add the following lines at the end of the file and save it (on CentOS / Fedora point userlist_file at /etc/vsftpd/vsftpd.userlist):

# the list of users allowed to log in
userlist_file=/etc/vsftpd.userlist

# consult the list
userlist_enable=YES

# treat it as an allow list, not a deny list
userlist_deny=NO

After completing all these steps it is almost ready to use; give it a try and you will get a 500 OOPS permission denied error. The cause is that vsftpd rejects users whose login shell is not listed in /etc/shells (its own check_shell option defaults to YES, and the distributions’ PAM configuration for vsftpd adds pam_shells.so on top). To fix it, add the nologin shell to that list. Be aware that every other service that relies on pam_shells will then also accept accounts with a nologin shell, so keep the vsftpd userlist strict.

vi /etc/shells

The file should look like this:

/bin/ksh
/usr/bin/rc
/usr/bin/tcsh
/bin/tcsh
/usr/bin/esh
/bin/dash
/bin/bash
/bin/rbash

Add this line at the end:

/usr/sbin/nologin

Now create a group and add ftpuser to it. groupadd works on both distribution families (addgroup is Debian-only), and usermod needs -a together with -G, otherwise it replaces the user’s existing supplementary groups instead of adding one:

sudo groupadd ftpusers
sudo usermod -aG ftpusers ftpuser

Now start the vsftpd:

service vsftpd start

That’s it. You now have a locked-down vsftpd installation. Keep in mind that plain FTP still sends the password and all data in clear text; for anything reachable from an untrusted network enable vsftpd’s TLS support (ssl_enable=YES with a certificate) or use SFTP over SSH instead.
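The edits above are easy to get wrong by hand (a commented-out default left in place, a second copy of a key appended) and the chroot requirement of newer vsftpd is easy to miss. The following is an added example, not from the original tutorial: a POSIX shell script that applies exactly the settings from this post idempotently (replacing an existing or commented-out line rather than appending a duplicate) and checks whether a directory is acceptable as a user’s chroot root under vsftpd 2.3.5+. It assumes the Debian-style paths /etc/vsftpd.conf and /etc/vsftpd.userlist; on CentOS / Fedora pass the /etc/vsftpd/ paths instead. The writable-root check is deliberately conservative: vsftpd tests whether the logged-in user can write to the jail root, while this check also fails on any group or other write bit.

```sh
#!/bin/sh
# Added example (not from the tutorial): apply the post's vsftpd settings
# idempotently and check the chroot layout that vsftpd 2.3.5+ insists on.
# Assumed: Debian-style /etc/vsftpd.conf and /etc/vsftpd.userlist paths.

# set_opt FILE KEY VALUE: replace an existing or commented-out 'KEY=' line, or
# append one. KEY must be a plain vsftpd option name ([A-Za-z0-9_]).
set_opt() {
  f="$1"; k="$2"; v="$3"
  if grep -qE "^[[:space:]]*#?[[:space:]]*$k=" "$f"; then
    sed -i.bak -E "s|^[[:space:]]*#?[[:space:]]*$k=.*|$k=$v|" "$f" && rm -f "$f.bak"
  else
    printf '%s=%s\n' "$k" "$v" >>"$f"
  fi
}

# get_opt FILE KEY: the effective value (last uncommented occurrence).
get_opt() { grep -E "^$2=" "$1" | tail -n 1 | cut -d= -f2-; }

# apply_vsftpd_config FILE USERLIST: the settings from the post.
apply_vsftpd_config() {
  conf="$1"; userlist="$2"
  set_opt "$conf" anonymous_enable NO        # no anonymous logins
  set_opt "$conf" local_enable YES           # system accounts may log in
  set_opt "$conf" write_enable YES           # uploads allowed
  set_opt "$conf" connect_from_port_20 NO    # no privileged source port for active data
  set_opt "$conf" chroot_local_user YES      # jail users in their home directory
  set_opt "$conf" local_umask 022            # 644 files, 755 directories
  set_opt "$conf" userlist_enable YES        # consult the user list ...
  set_opt "$conf" userlist_deny NO           # ... as an allow list
  set_opt "$conf" userlist_file "$userlist"
}

# chroot_root_ok DIR USER: 0 if DIR is acceptable as USER's chroot root.
# vsftpd 2.3.5+ refuses the login ("500 OOPS: vsftpd: refusing to run with
# writable root inside chroot()") when the user can write to the jail root.
# Conservative: any group/other write bit fails too.
chroot_root_ok() {
  dir="$1"; user="$2"
  mode=$(ls -ld "$dir" | awk '{ print $1 }')
  owner=$(ls -ld "$dir" | awk '{ print $3 }')
  ow=$(printf '%s' "$mode" | cut -c3)
  gw=$(printf '%s' "$mode" | cut -c6)
  xw=$(printf '%s' "$mode" | cut -c9)
  if [ "$owner" = "$user" ] && [ "$ow" = "w" ]; then
    echo "$dir: owned and writable by $user; chown root:root and chmod 755 it" >&2
    return 1
  fi
  if [ "$gw" = "w" ] || [ "$xw" = "w" ]; then
    echo "$dir: group/other writable; put uploads in a writable subdirectory" >&2
    return 1
  fi
  return 0
}
```

A layout that passes the check and still lets ftpuser upload: chown root:root /var/www/path/to/your/dir, chmod 755 it, then create a subdirectory such as files/ owned by ftpuser; the user lands in the read-only jail root and writes inside files/.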

