Backing up Subversion to FTP
Handy little script for backing up Subversion to an FTP server.
#!/bin/sh
# Variables
HOST='server.local.com'
USER='unixbackup'
PASSWD='mypass'
TIMESTAMP=`date +%m%d%Y%H%M`
FILEPRE='egsvn_'
# Backup EG repository
/usr/local/bin/svnadmin dump /usr/home/svn > /home/me/svn_backups/$FILEPRE$TIMESTAMP
# FTP backup to tape server
# (the here-document marker has to sit on the same line as the ftp command;
# note that FTP carries both the credentials and the dump in cleartext)
cd /home/me/svn_backups
ftp -n $HOST > /tmp/ftp.worked 2> /tmp/ftp.failed <<END_SCRIPT
quote USER $USER
quote PASS $PASSWD
binary
put $FILEPRE$TIMESTAMP
quit
END_SCRIPT
# Remove old files
# (this runs whether or not the upload worked; /tmp/ftp.failed holds any ftp errors)
rm /home/me/svn_backups/*
# Exit
exit 0
Configuring Sendmail
Operating System: OpenBSD 4.4
Sendmail is configured and enabled by default in OpenBSD, but it only allows you to send mail out from the machine itself (on localhost, as it should). These steps will allow you to relay from the server and set relay restrictions.
As root, make a copy of the original localhost config file to one of your own.
cp openbsd-localhost.mc openbsd-myconfig.mc
Open the file you just created and comment out the line:
by adding dnl to the front so that it reads
Then modify this line so that Sendmail will listen on all interfaces rather than just local:
to read...
Now compile the configuration that you created and make it the default Sendmail config:
Open /etc/mail/relay-domains and add IP addresses/ranges that are allowed to relay through the server. The format used is: 192.168.1 which is equivalent to 192.168.1.0/24. This will allow other hosts on your network to relay mail through this server.
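Before enabling relaying it is worth checking exactly which addresses a relay-domains file opens up. The following Python check is an added example, not part of the original notes: it expands dotted prefixes the way described above (192.168.1 meaning 192.168.1.0/24), answers whether a given client may relay, and flags entries wider than a /24; it handles only IPv4 prefixes, not the hostname entries sendmail also accepts, and the sample file contents are constructed.

```python
import ipaddress

# Constructed sample of /etc/mail/relay-domains: one entry per line,
# either a full address or a dotted prefix that stands for a whole block.
RELAY_DOMAINS = """\
# hosts allowed to relay through this server
192.168.1
10.10.0.5
"""


def parse_relay_domains(text):
    """Turn each dotted-octet entry into a network: '192.168.1' -> 192.168.1.0/24."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        octets = line.split(".")
        if not all(o.isdigit() for o in octets) or not 1 <= len(octets) <= 4:
            raise ValueError("only dotted IPv4 prefixes are handled here: %r" % line)
        prefix = 8 * len(octets)                      # one octet = 8 prefix bits
        padded = ".".join(octets + ["0"] * (4 - len(octets)))
        nets.append(ipaddress.ip_network("%s/%d" % (padded, prefix)))
    return nets


def may_relay(client_ip, nets):
    """True if the client address falls inside any allowed entry."""
    return any(ipaddress.ip_address(client_ip) in n for n in nets)


def broad_entries(nets, max_hosts=256):
    """Entries covering more than a /24 deserve a second look before going live."""
    return [str(n) for n in nets if n.num_addresses > max_hosts]


if __name__ == "__main__":
    allowed = parse_relay_domains(RELAY_DOMAINS)
    print([str(n) for n in allowed], broad_entries(allowed))
```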
Modify /etc/rc.conf and replace:
with...
This will tell the flags to use our newly created .cf file we compiled earlier. I usually change the q30m (which means keep things in the queue for 30 minutes) to q2d, keeping the queue active for 2 days before ditching it.
Do a clean reboot and make sure the correct configuration comes up. You can test access by using a server with the same subnet as in your "relay-domains" file and telnet-ing to port 25.
You can restart Sendmail quickly by killing the process first...
...and then restarting:
/usr/sbin/sendmail $sendmail_flags
Subversion – Installation, Configuration, and Use
Operating System: OpenBSD 4.4
Installation
First grab the necessary compiled packages from OpenBSD.
pkg_add db-4.6.21.tgz neon-0.26.2.tgz
Then get the Apache source code for the HTTP server, configure and install. Use a 2.2.x version.
http://www.gtlib.gatech.edu/pub/apache/httpd/httpd-2.2.x.tar.gz
tar zxvf httpd-2.2.x.tar.gz
cd httpd-2.2.x
./configure --with-included-apr --with-berkeley-db=/usr/local --enable-shared=yes --enable-dav --enable-so --enable-rewrite --enable-ssl
make
make install
Next get the newest Subversion source code, configure and install.
wget subversion-1.5.x.tar.gz
tar zxvf subversion-1.5.x.tar.gz
cd subversion-1.5.x
./configure --with-apr=/usr/local/apache2/bin/apr-1-config --with-apxs=/usr/local/apache2/bin/apxs --with-neon=/usr/local
make
make install
Add the proper user to run the httpd daemon
Configuration
Set up the initial repository with the svnadmin create command and make the user running the web service the owner, since that is the user that will actually be modifying the repository files.
svnadmin create /home/svn/myproject
chown -R _apache2:_apache2 /home/svn/
Now edit your main httpd.conf file in /usr/local/apache2/conf/ to include the changes below. They're not all in the same place, just scattered throughout the file. The first two (the LoadModule line and the User/Group lines) should already be there after installing Subversion from source and only need slight modification; the Location block you'll need to add manually. You'll see the dav_svn* files referenced there; we'll get to those next.
LoadModule authz_svn_module modules/mod_authz_svn.so
...
User _apache2
Group _apache2
...
<Location /svn>
DAV svn
SVNListParentPath on
SVNParentPath /home/svn
AuthType Basic
AuthName "Subversion Repository"
AuthUserFile /etc/svn/dav_svn.passwd
AuthzSVNAccessFile /etc/svn/dav_svn.control
Require valid-user
</Location>
Now we can create the username/password files along with the access files.
touch /etc/svn/dav_svn.passwd
htpasswd -mb /etc/svn/dav_svn.passwd myuser mypassword
Create the access file to your repositories.
And now edit the file. You can give users r (read) or rw (read-write) access rights. First you list the repository, and then the folder location after that for more fine-grained permissions.
[myproject:/]
myuser = r
[myproject:/trunk/base/code]
myuser = rw
Naturally you'll want to lock this service down with SSL and possibly make it available outside the network. To simply create a self-signed certificate and add it to Apache, do the following.
openssl genrsa -out /etc/ssl/private/svnserver.key 2048
openssl req -new -key /etc/ssl/private/svnserver.key -out /etc/ssl/private/svnserver.csr
openssl x509 -req -days 365 -in /etc/ssl/private/svnserver.csr -signkey /etc/ssl/private/svnserver.key -out /etc/ssl/svnserver.crt
Now add these lines to the httpd.conf file in /usr/local/apache2/conf/, just above the Location setting.
SSLEngine on
SSLCertificateFile /etc/ssl/svnserver.crt
SSLCertificateKeyFile /etc/ssl/private/svnserver.key
Edit the rc.conf.local file in /etc/ to turn on Apache.
And then edit the rc.local file to auto start Apache.
if [ X"${apache2}" == X"YES" -a -x /usr/local/apache2/bin/httpd ]; then
/usr/local/apache2/bin/apachectl start &
echo -n " apache2";
fi
As well as the shutdown file rc.shutdown to kill the process.
if [ X"${apache2}" == X"YES" -a -x /usr/local/apache2/bin/httpd ]; then
/usr/local/apache2/bin/apachectl stop &
echo -n " apache2";
fi
Now reboot the server and test access; it should start up automatically.
Maintenance and Use
The best way to use SVN over HTTPS is with TortoiseSVN on Windows, or some other tool such as RapidSVN if using Linux.
Adding Additional Users
To add more users, just run the htpasswd command linked to your dav_svn.passwd file, same as the initial configuration for users.
And now edit the access file that contains the other users and is defined in the Apache configuration. You can give users r (read) or rw (read-write) access rights. First you list the repository, and then the folder location after that for more fine-grained permissions.
[myproject:/]
myuser = r
newuser = r
[myproject:/trunk/base/code]
myuser = rw
newuser = rw
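Both access-file examples above rely on the same rule: the most specific section that mentions a user decides, and a user no section mentions gets nothing even though Require valid-user let them authenticate. This Python evaluator is an added example, not part of the original notes or of Subversion itself: it parses an access file in the format shown and returns the effective permission for a user on a path; groups and aliases are not handled, and the "otheruser" in the checks is an assumed name.

```python
# Constructed dav_svn.control in the format shown above.
ACCESS_FILE = """\
[myproject:/]
myuser = r
newuser = r

[myproject:/trunk/base/code]
myuser = rw
newuser = rw
"""


def parse_access_file(text):
    """Return {(repo, path): {user: perms}}; a section without 'repo:' applies to all repos."""
    rules, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            repo, sep, path = line[1:-1].partition(":")
            if not sep:                       # "[/path]" form, no repository name
                repo, path = "", repo
            section = rules.setdefault((repo, path.rstrip("/") or "/"), {})
        elif section is not None and "=" in line:
            user, _, perms = line.partition("=")
            section[user.strip()] = perms.strip()   # "" means explicitly no access
        else:
            raise ValueError("unexpected line: %r" % raw)
    return rules


def effective_access(rules, repo, path, user):
    """Walk from the most specific matching section toward the root and use the
    first one that names the user (or '*'); nothing matching means no access."""
    path = "/" + path.strip("/")
    candidates = []
    for (r, p), users in rules.items():
        if r not in (repo, ""):
            continue
        if p == "/" or path == p or path.startswith(p + "/"):
            candidates.append((len(p), users))
    for _, users in sorted(candidates, key=lambda c: c[0], reverse=True):
        if user in users:
            return users[user]
        if "*" in users:
            return users["*"]
    return ""
```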
Backing Up the Repositories
To back up a repository, use the svnadmin dump command, which will export the entire database and all revisions. You can then tar up and gzip the dump file for compression, and back it up to tape or disk somewhere else. Incremental dumps are also possible if disk/tape space is an issue.
Restoring the Repositories
Restoring the SVN database is simply rewriting all the revisions from the dump back into a database. The restore process also works well for moving an older repository over to a new one since restoring the dump into a new SVN database will update it to that version.
svnadmin create /home/svn/restoredproject
svnadmin load /home/svn/restoredproject < /home/backups/myproject_dumpfile
OpenVPN – Installation and Configuration
Operating System: Debian Etch 4.0
Install and Key Generation
First we just need to grab the primary packages from the repos and install. Make sure you're root.
Next find the easy-rsa directory, and copy those files over to the OpenVPN configuration directory so we can setup a certificate.
Now in the /etc/openvpn directory open up the vars file and make some edits that suit you. I only made changes to the very end of the file.
Save this file. Then run:
. ./vars
Yeah, there's a dot, a space, and then another dot in there. Then these commands:
./build-ca
You'll be asked the cert questions, but most of the defaults should be filled in for you since you manually entered them in the vars file. Now build the server key:
You'll be asked the same type of questions, but for common name you need to enter something. "Server" is the default. Run this next command, which will take awhile.
Then generate your TLS-AUTH keys:
openvpn --genkey --secret ta.key
Now create a key directory closer to the root folder to stay organized and copy the necessary keys there:
cp ca.crt ../../keys
mv dh2048.pem ta.key myserver.crt myserver.key ../../keys
Server Config File
My server configuration is located in /etc/openvpn/server.conf. It's what worked for me. The 172.21.0.0 subnet is the virtual one used by the VPN. The 10.10.0.0 subnet is the LAN I'm trying to connect to.
port 1194
proto udp
server 172.21.0.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/ipp.txt
push "route 10.10.0.0 255.255.255.0"
max-clients 10
user nobody
group nogroup
duplicate-cn
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/myserver.crt
key /etc/openvpn/keys/myserver.key
dh /etc/openvpn/keys/dh2048.pem
tls-auth /etc/openvpn/keys/ta.key 0
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 4
More info on configuration options is here: http://openvpn.net/howto.html. You'll also have to enable packet forwarding so packets can flow from the VPN interface to the ethernet interface. Open the file /etc/sysctl.conf and uncomment this line:
Restart the server.
Setup the Revocation List
Now setup a revocation list so you can block certificates and users that you create. Execute your variables again.
. ./vars
I had to modify my openssl configuration and repoint to my openvpn directory.
mv openssl.cnf openssl.cnf.old
ln -s /etc/openvpn/easy-rsa/openssl.cnf openssl.cnf
Edit the config file openssl.cnf at the end and comment out the pkcs11 section if you're not using it, otherwise it will throw errors. Then create your CRL:
openssl ca -gencrl -keyfile ca.key -cert ca.crt -out crl.pem
User Configuration
Now create your first user:
./build-key-pass user1
Answer the same prompts and give it a password. If you don't want to use a password, just use build-key instead. Restart the OpenVPN server for it to read the config:
Now, on the client machine run the same install commands (assuming you're using an Ubuntu or Debian box) and create a keys directory:
mkdir /etc/openvpn/keys
Copy the keys ca.crt, user1.crt, user1.key, and ta.key into the keys directory and then create a file called client.conf in the /etc/openvpn directory. Be sure you restrict access and lock down the keys directory, since compromise of these files will give someone else access.
Here's my config:
dev tun
proto udp
remote myserver.site.com 1194
nobind
user nobody
group nogroup
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/user1.crt
key /etc/openvpn/keys/user1.key
tls-auth /etc/openvpn/keys/ta.key 1
comp-lzo
persist-key
persist-tun
log /var/log/openvpn/openvpn.log
verb 4
ns-cert-type server
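A cross-check of the two configs is worth running before handing out keys. The Python linter below is an added example, not part of the original notes or of OpenVPN: over constructed excerpts of the server.conf and client.conf above it confirms the tls-auth directions are complementary, that the client pins the server certificate role, and that both sides drop privileges; it also reports that the server config as shown has no crl-verify directive, so the crl.pem built in the revocation-list section is not consulted until one is added, and notes duplicate-cn as informational.

```python
# Constructed excerpts of the server.conf and client.conf shown above.
SERVER_CONF = """\
port 1194
proto udp
server 172.21.0.0 255.255.255.0
user nobody
group nogroup
duplicate-cn
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/myserver.crt
key /etc/openvpn/keys/myserver.key
dh /etc/openvpn/keys/dh2048.pem
tls-auth /etc/openvpn/keys/ta.key 0
"""
CLIENT_CONF = """\
dev tun
proto udp
remote myserver.site.com 1194
user nobody
group nogroup
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/user1.crt
key /etc/openvpn/keys/user1.key
tls-auth /etc/openvpn/keys/ta.key 1
ns-cert-type server
"""


def parse_conf(text):
    """Map each directive to a list of argument lists; '#' and ';' start comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            opts.setdefault(name, []).append(args)
    return opts


def lint_pair(server, client):
    """Cross-check a server/client pair; each finding is one string."""
    findings = []
    s_ta = server.get("tls-auth", [[]])[0]
    c_ta = client.get("tls-auth", [[]])[0]
    if len(s_ta) < 2 or len(c_ta) < 2 or (s_ta[1], c_ta[1]) != ("0", "1"):
        findings.append("tls-auth: server needs direction 0 and client direction 1")
    if not ("ns-cert-type" in client or "remote-cert-tls" in client):
        findings.append("client does not check the server certificate role")
    if "crl-verify" not in server:
        findings.append("server lacks crl-verify, so revoke-full has no effect")
    if "duplicate-cn" in server:
        findings.append("duplicate-cn lets one certificate connect many clients at once")
    for side, opts in (("server", server), ("client", client)):
        if "user" not in opts or "group" not in opts:
            findings.append(side + " keeps root after startup (no user/group)")
    return findings
```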
You can get more info on the configuration here: http://openvpn.net/howto.html. Now start up the VPN:
You can check the logs for errors, but in a few seconds, if you run an ifconfig, you can see a tun0 device has been created and has one of the virtual IP addresses. You can then ping the remote VPN server's inside address for testing.
Routing Issues
In my situation, my VPN server was not the default gateway on my LAN, so I had to add some permanent routes to my clients so they could find their way back through the tunnel and to my remote client. For Linux boxes use:
And on Windows use:
Adding and Removing Other Users
When you need to add new users or client certificates, simply run:
. ./vars
./pkitool client2
This will generate the keys for the new client to copy down to their machine, just the same as the initial client.
Removing users is easy as well.
. ./vars
./revoke-full client2
You may see a bunch of error 23's at the end, but that's normal and just testing that the certificate does not have access anymore.
Nagios – Installation, Configuration, and Use
Operating System: Debian Etch 4.0
An excellent resource for deploying Nagios is a book by Wolfgang Barth called "Nagios System and Network Monitoring" from No Starch Press. It goes into nice detail on how to get the basics running or write your own plugins if you wish, plus many 3rd party tools to assist in monitoring.
Installation
First install the essential packages needed to compile and use Nagios as root.
apt-get install build-essential
apt-get install openssl
apt-get install apache2 mysql-server libmysqlclient-dev
apt-get install gcc make autoconf automake libgd ntpdate libperl-dev libnet-snmp-perl libdbd-sybase-perl
Create the users and groups that will be used to run Nagios.
groupadd nagios
groupadd -g 9001 nagcmd
useradd -u 9000 -g nagios -G nagcmd -d /usr/local/nagios -c "Nagios Admin" nagios
Add the Apache daemon user to the Nagios group, which by default in Debian is www-data.
Now setup the initial directories and permissions where we'll keep the files. I chose to create /home/nagios because that's where I'll store the data files since the home partition is the largest on the server.
chown nagios:nagios /usr/local/nagios /etc/nagios /home/nagios
Download the Nagios source and unpack.
wget http://superb-east.dl.sourceforge.net/sourceforge/nagios/nagios-3.x.x.tar.gz
tar zxvf nagios-3.x.x.tar.gz
Build the source including the location of the directories created previously. The sysconfdir is pretty standard, but localstatedir needs to have a bit more space if you have it.
Observe configuration summary and make sure everything is OK.
General Options:
-------------------------
Nagios executable: nagios
Nagios user/group: nagios,nagios
Command user/group: nagios,nagcmd
Embedded Perl: yes, with caching
Event Broker: yes
Install ${prefix}: /usr/local/nagios
Lock file: /home/nagios/nagios.lock
Check result directory: /home/nagios/spool/checkresults
Init directory: /etc/init.d
Apache conf.d directory: /etc/apache2/conf.d
Mail program: /usr/bin/mail
Host OS: linux-gnu
Web Interface Options:
------------------------
HTML URL: http://localhost/nagios/
CGI URL: http://localhost/nagios/cgi-bin/
Traceroute (used by WAP): /usr/sbin/traceroute
If the config looks OK, compile all:
make install
make install-init
make install-commandmode
make install-config
This will allow Nagios to be started upon boot.
Now download and install the latest batch of plugins so Nagios has something to run. Again, pay close attention to the configure statement so that the directories are the same as those specified for compiling Nagios itself.
wget http://superb-west.dl.sourceforge.net/sourceforge/nagiosplug/nagios-plugins-1.4.x.tar.gz
tar zxvf nagios-plugins-1.4.x.tar.gz
cd nagios-plugins-1.4.x
./configure --sysconfdir=/etc/nagios --localstatedir=/home/nagios --enable-perl-modules
make
make check
make install
Test the ICMP plugin since it is a necessary component.
Configuration
Configure the Nagios web interface (Apache):
make install-webconf
/etc/init.d/apache2 reload
Create an htaccess file for simple authentication into the Nagios monitoring site.
htpasswd -c htpasswd.users nagios
chown www-data htpasswd.users
chmod 600 htpasswd.users
Be sure when you add other users that can login, you add them to the cgi.cfg as well.
For easier readability and configuration, give the site's configuration directory a unique name. This will help if you're monitoring multiple sites and will have many config files. Notice the primary and global config files are in /etc/nagios, but the per-site configurations that need editing can go in directories under it. Nagios will recursively check all files that end with .cfg.
mv objects mysite
Third-party Utilities
These utilities make it easier to manage and gather information from Nagios, especially for reporting reasons.
NDOUtils
Download and install ndoutils for database storage of performance data.
wget http://superb-east.dl.sourceforge.net/sourceforge/nagios/ndoutils-1.4.x.tar.gz
tar zxvf ndoutils-1.4.x.tar.gz
Check to make sure you're using the right versions for compatibility: the CURRENT_OBJECT_STRUCTURE_VERSION in the Nagios source must match the one in the ndoutils header for your Nagios generation.
#define CURRENT_OBJECT_STRUCTURE_VERSION 307 /* increment when changes are made to data structures... */
fgrep CURRENT_OBJECT_STRUCTURE_VERSION ndoutils-1.4.x/include/*/objects.h
include/nagios-2x/objects.h:#define CURRENT_OBJECT_STRUCTURE_VERSION 2
include/nagios-3x/objects.h:#define CURRENT_OBJECT_STRUCTURE_VERSION 307 /* increment when changes are made to data structures... */
./configure --sysconfdir=/etc
make
cd src
cp ndo2db-3x ndomod-3x.o log2ndo file2sock /usr/local/nagios/bin/
Prepare MySQL for ndoutils.
mysql> grant usage on *.* to 'nagios'@'localhost' identified by 'password' with max_queries_per_hour 0 max_connections_per_hour 0 max_updates_per_hour 0;
mysql> -- the database name is quoted with backticks, not single quotes, and must match the one mysql.sql is loaded into below
mysql> grant select, insert, update, delete on `nagios_perfdata`.* to 'nagios'@'localhost';
mysql> flush privileges;
mysql> quit
cd /usr/src/ndoutils-1.4.x/db
mysql -u root -p nagios_level3 < mysql.sql
Configure ndoutil for use.
cp config/ndo*.cfg /etc/nagios/
cd /etc/nagios
Modify /etc/nagios/ndomod.cfg:
Test the ndoutil daemon and see if it runs.
ls -l /home/nagios/ndo.sock
srwxr-xr-x 1 nagios nagios 0 2009-01-02 15:02 /home/nagios/ndo.sock
kill -9 [ndo2db-3x pid]
rm /home/nagios/ndo.sock
Create an init script for ndoutil from the Debian skeleton in /etc/init.d.
cp skeleton ndo2db-3x
chmod 755 ndo2db-3x
Edit the new ndo2db-3x file:
### BEGIN INIT INFO
# Provides: ndo2db-3x
# Required-Start: $local_fs $remote_fs
# Required-Stop: $local_fs $remote_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Example initscript
# Description: This file should be used to construct scripts to be
# placed in /etc/init.d.
### END INIT INFO
# Author: Ryan Rosiek
#
# Please remove the "Author" lines above and replace them
# with your own name if you copy and modify this script.
# Do NOT "set -e"
# PATH should only include /usr/* if it runs after the mountnfs.sh script
PATH=/sbin:/usr/sbin:/bin:/usr/bin
DESC="ndoutil daemon startup for ndo2db-3x"
NAME=ndo2db-3x
DAEMON=/usr/local/nagios/bin/$NAME
DAEMON_ARGS="-c /etc/nagios/ndo2db.cfg"
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME
...
do_stop() {
...
# Remove sock file (a socket, not a directory, so -f rather than -r)
rm -f /home/nagios/ndo.sock
...
}
...
Modify the Nagios config to start event broker module.
...
broker_module=/usr/local/nagios/bin/ndomod-3x.o config_file=/etc/nagios/ndomod.cfg
Start the services.
Log into the database and make sure information is being written.
mysql> use nagios_level3
mysql> select * from nagios_objects where objecttype_id=2;
NRPE
NRPE makes it easier to run service checks on remote clients. First add it to the server.
wget http://localhost/nrpe-2.x.tar.gz
tar zxvf nrpe-2.x.tar.gz
cd nrpe-2.x
./configure --sysconfdir=/etc/nagios --localstatedir=/home/nagios --enable-ssl=no
make
make install
Note: SSL was not configured in this case because all monitoring traffic is internal and no access to this network is allowed.
NSClient++
The NSClient++ is a great utility to run on Windows servers and for NRPE to check. Download latest client and unzip.
- Create folder C:\Program Files\NSClient
- Copy unzipped files into this folder
- Uncomment these lines in NSC.ini
;CheckSystem.dll
;CheckDisk.dll
;CheckEventLog.d
;allowed_hosts= (under Settings)
;use_file=1
;allow_arguments=1
;port=5666
;use_ssl=0
Comment out:
In a command prompt:
cd "Program Files\NSClient"
NSClient++ /install