Extract RPM package without installing it

Wednesday, May 21st, 2008

Suppose we want to extract and inspect an RPM's contents without installing it (and without running its install scriptlets). This is how we do it :-) It should work on any RPM-based system such as Fedora or CentOS.

Example: extract wget rpm bundled with Fedora 9

rpm2cpio wget-1.11.1-1.fc9.i386.rpm | cpio -idmv
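The one-liner above unpacks the payload but executes nothing from the package, which is exactly why it is useful for looking at an RPM you do not yet trust. The following script is an added example, not part of the original post: it verifies the package signature, shows the install scriptlets that a real installation would run as root, lists the payload, and only then extracts into a directory of your choosing, with cpio told to refuse absolute paths. The package path and destination directory are arguments you supply; rpm, rpm2cpio and GNU cpio are assumed to be installed, as they are on Fedora and CentOS.

```shell
#!/bin/sh
# Added example (not from the original post): inspect an RPM before extracting it.
# Assumes rpm, rpm2cpio and GNU cpio are installed, as on Fedora/CentOS.
# PKG and DEST are caller-supplied; nothing here installs the package or runs
# its scriptlets.

inspect_rpm() {
    # usage: inspect_rpm PKG.rpm [DEST_DIR]   (DEST_DIR defaults to ./extracted)
    pkg=$1
    dest=${2:-./extracted}
    [ -f "$pkg" ] || { echo "inspect_rpm: no such file: $pkg" >&2; return 1; }
    for tool in rpm rpm2cpio cpio; do
        command -v "$tool" >/dev/null 2>&1 || { echo "inspect_rpm: $tool not installed" >&2; return 1; }
    done

    # 1. Signature and digest check. rpm -K exits non-zero on a bad signature or
    #    on a signature made with a key that is not imported. An unsigned package
    #    still passes (digests only), so look for "gpg"/"pgp" in the output.
    rpm -K "$pkg" || { echo "inspect_rpm: signature check failed for $pkg" >&2; return 1; }

    # 2. Header metadata and the %pre/%post/%preun/%postun scriptlets. Those
    #    scripts run as root on a real install; extraction never executes them.
    rpm -qip "$pkg"
    rpm -qp --scripts "$pkg"

    # 3. Payload file list, before anything is written to disk.
    rpm -qlp "$pkg"

    # 4. Unpack into a fresh directory. -i extract, -d create directories,
    #    -m keep mtimes, -v list files; --no-absolute-filenames keeps a crafted
    #    archive from writing outside DEST_DIR.
    mkdir -p "$dest" || return 1
    rpm2cpio "$pkg" | (cd "$dest" && cpio -idmv --no-absolute-filenames)
}

# Example from the post: sh inspect_rpm.sh wget-1.11.1-1.fc9.i386.rpm ./wget-extracted
if [ -n "${1:-}" ]; then
    inspect_rpm "$1" "${2:-./extracted}"
fi
```

Read the scriptlet output before you trust the package: a %post that fetches and runs something from the network, or touches files outside the listed payload, is the kind of thing a plain extraction would never show you.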

Cheers,

Isolated MySQL Installation inside OpenVZ Cluster

Thursday, April 10th, 2008

Unless you keep your computer disconnected from every network and under lock and key, there will always be potential for compromise.

This article describes an isolated, more secure MySQL layout. The “database node” container was built from the centos-5-i386-minimal.tar.gz template and was given no IP address at all, so the only way to reach it is through a Unix domain socket exposed via a shared directory. Here is the complete solution.

To install mysql inside “database node”

[root@centos ~]# vzyum 103 install mysql-server -y

The article on the OpenVZ Wiki was helpful in the overall planning, but I did not like its cron-script idea:

  • Expensive polling: it wastes resources.
  • There is downtime until the next cron run.

So I kept experimenting for a better solution. I tried mounting /vz/private/103/var/lib/mysql/ into the “web node”, but it did not work flawlessly. My next attempt, with a common shared directory, worked like a charm.

I created a common shared location /vz/shared and had it bind-mounted as /shared in each VPS using a mount script (the mount scripts must be executable: chmod 755).

Content of /etc/vz/conf/101.mount (web node)
Content of /etc/vz/conf/102.mount (web node)
Content of /etc/vz/conf/103.mount (database node)

#!/bin/bash
# Mount script to bind-mount /vz/shared into a VPS as /shared
# Suggested by Sudhaker Raj (http://sudhaker.com)
# vzctl runs this on container start with VEID and VE_CONFFILE in the environment.

[ -f /etc/vz/vz.conf ] || exit 1
[ -f $VE_CONFFILE ] || exit 1

. /etc/vz/vz.conf
. $VE_CONFFILE

echo -n "Mounting shared directory inside $VEID..."
if [[ -d /vz/shared ]]
then
    # $VE_ROOT is the container's root on the hardware node (e.g. /vz/root/101);
    # -n keeps the bind mount out of /etc/mtab on the host.
    mkdir -p $VE_ROOT/shared
    mount -n --bind /vz/shared $VE_ROOT/shared
    echo " done"
else
    echo " failed"
fi

The next step was to move the MySQL socket from /var/lib/mysql/mysql.sock to /shared/mysql/mysql.sock, on the server and on every client.

Content of /vz/private/101/etc/my.cnf
Content of /vz/private/102/etc/my.cnf
Content of /vz/private/103/etc/my.cnf

[mysqld]
datadir=/var/lib/mysql
#socket=/var/lib/mysql/mysql.sock
socket=/shared/mysql/mysql.sock

[mysql.server]
user=mysql
basedir=/var/lib

[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid

[client]
socket=/shared/mysql/mysql.sock

And do not forget to make relevant changes into php.ini and other applications using MySQL.

Bingo! Now both “web nodes” can talk to the MySQL server running inside the isolated container as if it were local.

We also need correct permissions so that processes in the web nodes can reach the socket. Keep in mind that the bind mount is shared by every container: once /shared/mysql is world-readable, any process in any container that has /shared can open the socket, and MySQL's own account passwords and grants are the only access control left. Keep the application accounts' privileges minimal.

[root@vz103 ~]# chmod o+rx /shared/mysql
[root@vz103 ~]# ls -l /shared/
total 8
drwxr-xr-x 2 mysql mysql 4096 Apr 5 15:44 mysql
drwxr-xr-x 2 root root 4096 Apr 3 15:03 tmp
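The mount script, the my.cnf changes and the permission fix above are three separate places where this layout can silently drift: someone adds an IP to the database node, a my.cnf reverts to the default socket, or the bind mount fails. The following audit script is an added example for this post, not part of the original setup. It checks each my.cnf for the shared socket path, insists on skip-networking under [mysqld] on the database node so that the “no IP” isolation does not depend on the vzctl configuration alone, and, when run on the hardware node, confirms that VE 103 has no address, that nothing listens on TCP 3306 inside it, and that each web node can see the socket. The VEIDs (101, 102, 103) and /vz/private paths are taken from the article; the presence of vzctl and vzlist on the hardware node and of netstat inside the container are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit the no-network MySQL layout.
# Assumptions, labelled because they are not in the post: VEIDs 101/102 (web)
# and 103 (database), vzctl/vzlist on the hardware node, netstat inside VE 103.

DB_VEID=103
WEB_VEIDS="101 102"
SOCKET=/shared/mysql/mysql.sock

# mycnf_value FILE SECTION KEY -> print KEY's value from [SECTION]; exit 1 if absent.
# Commented-out lines such as "#socket=..." are ignored.
mycnf_value() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*\[/ { in_sec = ($0 ~ ("^[ \t]*\\[" sec "\\][ \t]*$")); next }
        in_sec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub("^[ \t]*" key "[ \t]*=[ \t]*", ""); print; found = 1; exit
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# mycnf_has FILE SECTION KEY -> exit 0 if KEY appears in [SECTION], bare or as KEY=value.
mycnf_has() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*\[/ { in_sec = ($0 ~ ("^[ \t]*\\[" sec "\\][ \t]*$")); next }
        in_sec && $0 ~ ("^[ \t]*" key "[ \t]*(=|$)") { found = 1; exit }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# Web nodes only need the [client] socket to point at the shared path.
check_client_cnf() {
    v=$(mycnf_value "$1" client socket) || v="(unset)"
    [ "$v" = "$SOCKET" ] && return 0
    echo "$1: [client] socket is $v, want $SOCKET"; return 1
}

# The database node must serve on the shared socket and, so that the isolation
# survives a later "vzctl set 103 --ipadd ...", must refuse TCP with skip-networking.
check_server_cnf() {
    rc=0
    v=$(mycnf_value "$1" mysqld socket) || v="(unset)"
    [ "$v" = "$SOCKET" ] || { echo "$1: [mysqld] socket is $v, want $SOCKET"; rc=1; }
    mycnf_has "$1" mysqld skip-networking || { echo "$1: add skip-networking under [mysqld]"; rc=1; }
    return $rc
}

# Runtime checks on the hardware node (skipped where vzctl is unavailable).
runtime_checks() {
    command -v vzctl >/dev/null 2>&1 || { echo "vzctl not found, skipping runtime checks"; return 0; }
    ips=$(vzlist -a -H -o ip "$DB_VEID" | tr -d ' ')
    case "$ips" in
        ''|-) ;;   # no address: exactly what we want
        *) echo "VE $DB_VEID has IP address(es): $ips"; return 1 ;;
    esac
    # netstat inside the container is an assumption (install net-tools if missing)
    if vzctl exec "$DB_VEID" 'netstat -ltn 2>/dev/null | grep -q ":3306 "'; then
        echo "mysqld is listening on TCP inside VE $DB_VEID"; return 1
    fi
    for ve in $WEB_VEIDS; do
        vzctl exec "$ve" "test -S $SOCKET" || { echo "VE $ve cannot see $SOCKET"; return 1; }
    done
    echo "runtime checks passed"
}

main() {
    rc=0
    check_server_cnf "/vz/private/$DB_VEID/etc/my.cnf" || rc=1
    for ve in $WEB_VEIDS; do
        check_client_cnf "/vz/private/$ve/etc/my.cnf" || rc=1
    done
    runtime_checks || rc=1
    return $rc
}

# Run the full audit only when invoked as:  sh audit_db_node.sh audit
if [ "${1:-}" = audit ]; then
    main
fi
```

Run it from cron or after every vzctl change; a non-zero exit means one of the invariants that make the database node unreachable over the network no longer holds.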

Cheers,
Sudhaker

Lighttpd MySQL PowerDNS setup using OpenVZ Cluster

Thursday, April 10th, 2008

Unless you keep your computer disconnected from every network and under lock and key, there will always be potential for compromise.

The statement above is not meant to scare you away from connecting your machine to a network, but to make the point that there is no such thing as a “perfectly secured, networked computer”. The best we can do is harden the system and monitor it actively, especially when it is a server running 24x7 and serving your critical data to the whole world.

Most of this article comes from the setup of my first dedicated server, which I tuned for my hosting needs. Thanks to my ISP, who hooked a KVM-over-IP switch up to the box and let me install my own truly minimal CentOS with OpenVZ.

After careful consideration and a number of experiments, I decided to split my hosting infrastructure into three VPS (virtual private servers): two “web nodes” and one “database node”, arranged to provide some degree of fail-over and high availability.

Both web nodes are identical except for their IP addresses. Each has a public IP and runs PowerDNS and Lighttpd + PHP. PowerDNS serves round-robin DNS, so clients are spread across both web nodes (plain round-robin DNS does not detect a failed node by itself; clients may still be handed the address of a node that is down until its record is removed). The database node has no IP address at all and is reached only over a Unix domain socket, so MySQL cannot be contacted over TCP from anywhere, which removes a whole class of network attacks against the database.

See the following sub-articles for the individual setup details.

  • Lighttpd - Lighty setup
  • PDNS - PowerDNS with MySQL backend
  • MySQL - No network configuration

Cheers,
Sudhaker

OpenVZ setup on CentOS 5.1

Wednesday, April 2nd, 2008

This tutorial is about preparing a very secure hosting/computing environment using proven products (CentOS 5.1 and OpenVZ). It is based on my own experience setting up my first dedicated server (Celeron 2.8 GHz, 512 MB RAM, 80 GB disk).

Step 1: Prepare a very minimal CentOS system.

The only way I found to prepare a truly minimal CentOS is a manual install in graphical mode. I made many attempts to achieve the same thing with text mode or kickstart, but all of them resulted in 340+ packages and tons of useless services.

Please seek more guidance from these manuals if you are new to CentOS (or Red Hat Linux).

So, back to the topic: my recommended partition scheme is:

root (/): 4 GB
swap: 2 x RAM, up to a maximum of 2 GB
/vz: all remaining space

And make sure you pick ‘Customize now’ during package group selection and de-select everything (Yes, I repeat it! Deselect everything including base.)

(screenshots in the original post: pkg-group.png, pkg-group-details.png)
This should give you a True Minimal CentOS installation with only 148 packages installed (and very few system services).

Step 2: Update the system for OpenVZ support

Nothing much to mention here. Please consult this excellent documentation at openvz.org for details.

Step 3: Install VZ containers (preferably one for each set of applications, so that a compromise of one service stays contained).

  • Lighttpd - Lighty setup
  • PDNS - PowerDNS with MySQL backend
  • MySQL - No network configuration

Create a VPS instance on OpenVZ

Wednesday, March 26th, 2008

The following commands create a test VPS instance on OpenVZ. For a container that must stay off the network, like the “database node” in the MySQL article above, simply leave out the --ipadd and --nameserver lines.

vzctl create 101 --ostemplate centos-5-minimal
vzctl set 101 --hostname vz101.sudhaker.com --save
vzctl set 101 --ipadd 192.168.0.101 --save
vzctl set 101 --nameserver 192.168.0.1 --save
vzctl set 101 --onboot yes --save
vzctl start 101

Optional: To install common utilities inside VPS

vzyum 101 install findutils wget jwhois bind-utils -y

Optional: To install yum inside VPS

vzyum 101 install yum -y

Optional: To set bigger disk quota (4GB soft limit, 5GB hard limit)

vzctl set 101 --diskspace 4194304:5242880 --save
vzctl set 101 --diskinodes 80000:100000 --save

Do not leak your million dollar idea unknowingly

Thursday, March 13th, 2008

Tom is discussing his next venture with his friend Sameer. They have done all the number crunching and are very excited about the opportunity. Everything is finalized and the details are worked out. Right, they must be talking about an internet-based idea (similar to YouTube, Orkut, Facebook etc.).

The next big thing is finding and reserving the perfect domain name for the operation. They start their favourite browser, Firefox, and jump onto one of the very popular registrars' websites. They start searching for names. They like some of them, but none is very catchy. All of a sudden someone comes up with the “perfect name”, and they are excited to find that it is still available. BINGO! They are happy but still not sure, so they do not reserve the domain. They want to discuss it more and decide to wait a few more days.

After 3 days, when they are finally ready to register the domain :-) Guess what? It's gone! They now see web spam there, trying to sell everything from Viagra to “cheap flight tickets”.

This domain was not taken by anyone for years. What happened all of a sudden? YOU LEAKED YOUR IDEA.

It is no longer a trade secret that some domain registrars sell their domain search history to “domain junkies” for a decent subscription fee, a practice known as domain front running. These junkies grab any good and catchy name immediately and try to resell it for bigger bucks. Many simply add them to their pool of domains serving pay-per-click advertising.

The moral of the story is “never wait after finding your perfect domain, reserve it immediately”. If you still want to follow a search-and-wait policy, do not use any registrar's site to perform search queries. The lookup can also be done with the “whois” command that comes with most Linux distributions; bear in mind that a whois query still goes to the registry's whois server, so it reduces the exposure rather than removing it.

A second piece of advice is “make sure you also reserve any similar domain names”. As an example, if you are planning to launch the next cool hot-deal site http://x1deals.com, you should also reserve http://x1deal.com. There can be a big loss from typo traffic (traffic generated by typing mistakes), and junkies are hunting for such opportunities.

Hope this helps in saving your next “million dollar idea” :-)

Cheers,
Sudhaker

Powerful Yum (Yellow dog Updater, Modified)

Tuesday, March 11th, 2008

Source: Wikipedia

The Yellow dog Updater, Modified (YUM) is a free software/open source command line package management utility for RPM-compatible Linux operating systems. It was developed by Seth Vidal and a group of volunteer programmers, and is currently maintained as part of Duke University’s Linux@DUKE project. Though yum is a command line utility, several other tools provide graphical user interfaces to yum, among them pup, pirut, and yumex. Seth Vidal now works for Red Hat and a number of other Red Hat programmers are involved in the development of yum.

Yum Quickstart

To update system

# yum update

To install package

# yum install pkgname

To un-install package

# yum remove pkgname

To clean yum cache

# yum clean all

To list all package names

# yum list

To search by package name

# yum list pkgname

To find which package provides a given file or command

# yum provides filename
ex: yum provides whois
out: jwhois

To list all software group

# yum grouplist

To install a software group

# yum groupinstall "groupname"
ex: yum groupinstall "Development Tools"

To update a software group

# yum groupupdate "groupname"
ex: yum groupupdate "Development Tools"

Gmail IMAP with SquirrelMail

Tuesday, February 26th, 2008

Friends,

I am listing the steps required to set up SquirrelMail against Gmail IMAP. This is especially useful when you prefer SquirrelMail or do not have access to the regular http://mail.google.com :-) You can even use it to brand a custom domain hosted at Google Apps and integrate it seamlessly into your portal (if you can afford it, consider Google's Premium Edition, which comes with API access at $50/user/year).

Steps:

Create a placeholder directory for SquirrelMail and unpack the latest distribution (the data directory must be writable by the web server user, and it is deliberately kept outside the directory that will be served):

mkdir -p /home/squirrel/data/attachments
cd /home/squirrel/
chown -R apache:apache data
tar zxvf ~/downloads/squirrelmail-1.4.13.tar.gz

Configure the installation (change nothing; simply save and quit).

cd squirrelmail-1.4.13
./configure

Append the following lines to /home/squirrel/squirrelmail-1.4.13/config/config_local.php

$domain = 'gmail.com';
// IMAP settings (implicit TLS on port 993)
$imapServerAddress = 'imap.gmail.com';
$imapPort = 993;
$use_imap_tls = true;
$imap_auth_mech = 'login';
// SMTP settings (implicit TLS on port 465)
$smtpServerAddress = 'smtp.gmail.com';
$smtpPort = 465;
$use_smtp_tls = true;
$smtp_auth_mech = 'login';
// Special folder settings (Gmail exposes its system folders under [Gmail])
$trash_folder = '[Gmail]/Trash';
$sent_folder = '[Gmail]/Sent Mail';
$draft_folder = '[Gmail]/Drafts';
// Attachment and preference storage (outside the web-served directory)
$data_dir = '/home/squirrel/data/';
$attachment_dir = '/home/squirrel/data/attachments/';
// Optional branding
$provider_name = 'Gmail alternative by Sudhaker';
$provider_uri = 'http://sudhaker.com/';

Create an alias in Apache, in /etc/httpd/conf.d/squirrel.conf

Alias /sq "/home/squirrel/squirrelmail-1.4.13"
<Directory "/home/squirrel/squirrelmail-1.4.13">
    AllowOverride AuthConfig
    Order allow,deny
    Allow from all
</Directory>

Verify the setup by browsing to ${site_url}/sq/. Serve this path over HTTPS only: otherwise the login form carries the user's Gmail password in the clear, and the TLS settings above only protect the hop from your server to Google.

User Id: example@gmail.com (or user@example.com)
Password: email_password

Make the appropriate changes for cPanel-based (shared) hosting.

If SELinux is enabled, Apache must also be allowed to open outbound connections (to imap.gmail.com and smtp.gmail.com); -P makes the change persistent across reboots.

[root@centos ~]# setsebool -P httpd_can_network_connect true

Please drop a comment if you find it useful.

Cheers,
Sudhaker